SAP Cloud Identity Services provide a robust framework for managing user identities and authorizations across various SAP applications. One of the key components of this framework is the Identity Authentication Service (IAS), which integrates seamlessly with the Authorization Management Service (AMS) and the Cloud Application Programming (CAP) model. This blog will guide you through the steps to enable authorization policies using these services.

Understanding the Components

1. Identity Authentication Service (IAS): IAS is a cloud service that provides secure authentication for users accessing SAP applications. It supports various authentication methods, including single sign-on (SSO), and integrates with other identity providers.

2. Authorization Management Service (AMS): AMS is a centralized service for managing authorizations across SAP applications. It allows administrators to define and enforce authorization policies, ensuring that users have the appropriate access rights.

3. Cloud Application Programming (CAP) Model: CAP is a framework for building enterprise-grade applications on SAP Business Technology Platform (BTP). It simplifies the development process by providing a set of tools and libraries for building, deploying, and managing applications.

Steps to Enable Authorization Policies

1. Access SAP IAS Admin Console:

   • Log in to the SAP IAS Admin console through the SAP BTP cockpit - SAP Cloud Identity Services.
   • Navigate to the “Application & Resources” and "Tenant Settings" section.
   • Follow the Screenshot 1

2. Enable Policy Based Authorization:

   • Click on Policy Based Authorizations and enable toggle button to activate the services
   • Follow the Screenshot 2

3. Validate Authorization Policies visible:

   • Navigate back to "Applications" and Search for "Admin"
   • Under "System Applications" - Click on Administration Console
   • Check you will see additional tab - "Authorization Policies"
   • Follow the Screenshot 3

Screenshot 1

Screenshot 2

Screenshot 3

Step 3: Integrate AMS with CAP Applications

1. Add AMS Dependencies:

   • In your CAP project, add the necessary AMS dependencies to your package.json or pom.xml file. For example:
     JSON

     "dependencies": {
       "@sap/ams-dev": "^2.0.0",
       "@sap/cds-dk": "^8.6.0"
     }
     

2. Configure Security in CAP:

   • Update your CAP application’s security configuration to integrate with AMS. This involves setting up JWT decoders and security filters to handle authorization tokens.
     Java

      

     @Configuration
     @EnableWebSecurity
     @Profile("cloud")
     @Order(1)
     public class SecurityConfig {
         @Autowired
         private JwtDecoder jwtDecoder;
     
         @Bean
         public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
             http.authorizeRequests()
                 .antMatchers("/public/**").permitAll()
                 .anyRequest().authenticated()
                 .and()
                 .oauth2ResourceServer()
                 .jwt()
                 .decoder(jwtDecoder);
             return http.build();
         }
     }

3. Deploy and Test:

   • Deploy your CAP application to SAP BTP and test the authorization policies. Ensure that users can only access the resources they are authorized to

Conclusion

By following these steps, you can effectively enable and manage authorization policies in SAP Cloud Identity Services using IAS, AMS, and the CAP model. This setup ensures secure and efficient access control across your SAP applications, enhancing both security and user experience.

Feel free to reach out if you have any questions or need further assistance with your SAP Cloud Identity Services setup!

I hope this blog helps you get started with enabling authorization policies in SAP Cloud Identity Services. If you have any specific questions or need further details, let me know!