- SAP Managed Tags:
In order to use the SAP Cloud Platform Backend service, your user needs to be configured with the required authorizations, i.e. roles.
This blog explains which steps need to be done.
This blog is part of a series of tutorials explaining the usage of SAP Cloud Platform Backend service in detail.
The SAP Cloud Platform Backend service has to be subscribed
See here for guidance
Go to the Backend service overview page:
Log on to your trial account -> Cloud Foundry -> yourSubaccount -> "Subscriptions" -> click on Backend service tile
Once the overview - page is opened, expand "Security" on the left navigation pane and click on "Roles".
Here you can see that 2 default role instances are already generated for you:
"Admin" and "AllAccess"
So you don't need to do anything here.
You can see that the roles are based on templates.
So you can click on "Role Templates" to view the description.
Or, even better, you can read my own short explanation:
Admin
The good old Admin is the one who believes he is all-mighty.... but in fact, poor him, he is not.
The "Admin" role enables the user to access the Backend service cockpit and also to use it.
That means, he can create APIs and monitor their usage.
From my understanding, it is like a "developer" role, because the API is designed and created from scratch.
Anyways: he cannot access the APIs. Means, he cannot invoke the (OData) services
AllAccess
A user who has this role, is allowed to access the APIs, he is allowed to use the (OData) services.
All APIs.
But: he cannot create APIs
There's a third role for fine-granular assignment of authorizations, but we ignore it for now
OK, still nothing to do here.
Not here, but anywhere else?
Yes, somewhere you have to somehow assign both roles to you.
Yes, both roles because we need them in the tutorials.
I don't see any Role Collection
Yes, Role Collections are available for the whole Identity Zone, i.e. Subaccount:
So we have to go to the (BETA-enabled) Subaccount.
Still don't see
In the left navigation pane, expand “Security”: Here they are!
Click on “Role Collections”.
Create a Role Collection and give it a name of your choice
This creates an empty collection.
Click on the new role collection, in order to fill the collection with roles
In the role collection screen, click on “Add Role”
In the dialog, choose “Backend-service” as Identifier,
choose the “Admin” role template
and also the existing corresponding role “Admin”
After “Save”, repeat the procedure to add another role: “AllAccess”
Now that the role collection is created and configured, it needs to be used.
Again, in your Subaccount, expand the “Security” entry in the navigation pane on the left side and click on “Trust Configuration”
Then click on your identity provider, in most cases the “SAP ID Service”
This takes you to the "Role Collection Assignment" screen of the "Trust Configuration"
Enter your mail address (your Trial user) and press “Show Assignments
Result: nothing
BUT: the “Assign Role Collection” gets enabled.
So click it
The subsequent dialog offers your new role collection
Select it then press “Assign Role Collection” on the dialog
As a result, the role collection is assigned to your user (mail) which is maintained in your identity provider.
That’s it.
Now you can access the Backend service.
Go back to your "beta"-enabled Subaccount -> Subscriptions->Backend service->Go to Application
And log in
Note:
If you still get an error message telling that you don't have authorization:Try reloading your browser, i.e. close and reopen
If you still get anerrormessage, try to log off and log on again.
Ifyoustillgetanerrormessage,try a different browser, buy a new laptop, whatever, but don't believe the error message...
Maybe you only need to wait until the invalid JWT token, which reached the Backend service application, expires...
In this blog you've learned about the roles that are provided and required by the Backend service application.
In order to use Backend service, you have to assign these roles to your user
This is done by adding the roles to a role collection, then assigning the collection to your user
For more information and advanced power-user role configuration, see this blog
This blog explains which steps need to be done.
This blog is part of a series of tutorials explaining the usage of SAP Cloud Platform Backend service in detail.
Prerequisites
The SAP Cloud Platform Backend service has to be subscribed
See here for guidance
View the roles and role templates
Go to the Backend service overview page:
Log on to your trial account -> Cloud Foundry -> yourSubaccount -> "Subscriptions" -> click on Backend service tile
Once the overview - page is opened, expand "Security" on the left navigation pane and click on "Roles".
Here you can see that 2 default role instances are already generated for you:
"Admin" and "AllAccess"
So you don't need to do anything here.
You can see that the roles are based on templates.
So you can click on "Role Templates" to view the description.
Or, even better, you can read my own short explanation:
Admin
The good old Admin is the one who believes he is all-mighty.... but in fact, poor him, he is not.
The "Admin" role enables the user to access the Backend service cockpit and also to use it.
That means, he can create APIs and monitor their usage.
From my understanding, it is like a "developer" role, because the API is designed and created from scratch.
Anyways: he cannot access the APIs. Means, he cannot invoke the (OData) services
AllAccess
A user who has this role, is allowed to access the APIs, he is allowed to use the (OData) services.
All APIs.
But: he cannot create APIs
There's a third role for fine-granular assignment of authorizations, but we ignore it for now
OK, still nothing to do here.
Not here, but anywhere else?
Yes, somewhere you have to somehow assign both roles to you.
Yes, both roles because we need them in the tutorials.
Create and Configure Role Collection
I don't see any Role Collection
Yes, Role Collections are available for the whole Identity Zone, i.e. Subaccount:
So we have to go to the (BETA-enabled) Subaccount.
Still don't see
In the left navigation pane, expand “Security”: Here they are!
Click on “Role Collections”.
Create a Role Collection and give it a name of your choice
This creates an empty collection.
Click on the new role collection, in order to fill the collection with roles
In the role collection screen, click on “Add Role”
In the dialog, choose “Backend-service” as Identifier,
choose the “Admin” role template
and also the existing corresponding role “Admin”
After “Save”, repeat the procedure to add another role: “AllAccess”
Assign Role Collection
Now that the role collection is created and configured, it needs to be used.
Again, in your Subaccount, expand the “Security” entry in the navigation pane on the left side and click on “Trust Configuration”
Then click on your identity provider, in most cases the “SAP ID Service”
This takes you to the "Role Collection Assignment" screen of the "Trust Configuration"
Enter your mail address (your Trial user) and press “Show Assignments
Result: nothing
BUT: the “Assign Role Collection” gets enabled.
So click it
The subsequent dialog offers your new role collection
Select it then press “Assign Role Collection” on the dialog
As a result, the role collection is assigned to your user (mail) which is maintained in your identity provider.
That’s it.
Now you can access the Backend service.
Go back to your "beta"-enabled Subaccount -> Subscriptions->Backend service->Go to Application
And log in
Note:
If you still get an error message telling that you don't have authorization:Try reloading your browser, i.e. close and reopen
If you still get anerrormessage, try to log off and log on again.
Ifyoustillgetanerrormessage,try a different browser, buy a new laptop, whatever, but don't believe the error message...
Maybe you only need to wait until the invalid JWT token, which reached the Backend service application, expires...
Summary
In this blog you've learned about the roles that are provided and required by the Backend service application.
In order to use Backend service, you have to assign these roles to your user
This is done by adding the roles to a role collection, then assigning the collection to your user
For more information and advanced power-user role configuration, see this blog
