Update 27/02/2024: Please note that this workaround is not anymore possible with the latest releases of SAP Build Apps. The xsuaa instance allowing this workaround is not anymore created during the deployment. This is due to the new integration with SAP Build Workzone managed approuter. You can find more details in the dedicated blog post. I'll update asap the steps in this blog-post with the new approach once possible. You can also have a look to another workaround using CAP proposed by my colleague Dan in the comments (link here).
In this blog post, we will explore a workaround solution for using application roles in SAP Build Apps which is not supported so far. We will see an example of implementation that adapts UI components of a Web App based on the user role, thereby avoiding the need to create a separate Web App for each user role in SAP Build Apps.
In a previous post, we created a simple web app with SAP Build Apps, which connects to a REST API via a destination in the Business Technology Platform (BTP) to read and display records. The connected user can only see their data. However, our backend service supports two roles: a normal user that can only get their records, and an admin user that can retrieve records of all users.
Our goal now is to adjust the web app so that an admin user can choose to view all records. The web app should verify if the connected user has the application admin role and display the appropriate UI components accordingly.
We assume that we will be having two roles: Administrator and User. Here's how we adjusted the UI in SAP Build Apps:
Adding new REST API Integration in SAP Build Apps
SOME<scope>(systemVars.currentUser.scopes, CONTAINS(scope, "Administrator"))
Adjust UI component visibility based on user roles
SORT_BY_KEY( IF(pageVars.seeAll, data["All returns1"], data["My Returns1"]), "date","desc").
The deployment will create a UAA (Authorization and Trust Management service) instance that handles user authorizations for the web app. The created instance does not contain any scope or role, so we'll need to enhance it.
We've created an "xs-security.json" file in which we could define the scopes and roles for our UI app. For example, we defined two scopes: `Administrator` and `User`, and two corresponding role templates: `myPackAdmin` and `myPackUser`.
{ "xsappname": "appgyver-web-app-22991", "tenant-mode": "dedicated", "scopes" : [ { "name" : "$XSAPPNAME.User", "description" : "User" }, { "name" : "$XSAPPNAME.Administrator", "description" : "Administrator" } ], "role-templates": [ { "name" : "myPackUser", "description" : "User access", "scope-references" : [ "$XSAPPNAME.User" ] }, { "name" : "myPackAdmin", "description" : "Admin access", "scope-references" : [ "$XSAPPNAME.Administrator" ] } ] }
For your case, you can use the same file content and customize scopes and roles according to your requirements. Simply replace the xsappname property with your app name.
To locate the app name in the BTP cockpit after deployment, navigate to instances and subscriptions. Look for instances starting with appgyver-web-app-xx-uaa, and copy the name excluding the -uaa suffix.
Locate the created uaa instance for the web application
To update the existing "appgyver-web-app-xx-uaa" instance with our new configuration, we use the following command line in the terminal:
cf update-service appgyver-web-app-22991-uaa -p application -c xs-security.json.
For your application, you need to replace "appgyver-web-app-xx-uaa" with your UAA instance name and provide the correct directory path where you have created the xs-security.json file.
Cloud Foundry CLI must be installed to execute the command line.
To see the switch button, the admin role must be assigned to your user. To do this, we created a role collection and did assign it to the desired user from the subaccount in the BTP cockpit.
You can find the new roles under Security > Roles. We created a new role collection, such as "myPackAdmin," and included both the backend admin role and the new UI admin role. we assigned this role collection to the user.
New Role Collection creation from the SAP BTP Cockpit
Now, when you log in as an admin, you should see the switch button. You can switch it on to see all user records. You may need to logout and login again or test in a different browser so that the new role assignment is considered.
Remember, in preview mode, your user won't have the roles, so it will only work on the deployed version of the web app
Switch button appear for the connected admin user
And there you have it! A simple workaround to deal with different user roles in your SAP Build Apps until the feature becomes natively available. Hope you find this solution helpful in avoiding duplications in UI creation.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
18 | |
11 | |
10 | |
10 | |
9 | |
8 | |
7 | |
6 | |
5 | |
5 |