on 2023 Jul 24 3:21 PM
Hello everyone,
we're developing a Capire application for the BTP for which we want to utilize the instance-based authorization as described in the Capire documentation:
https://cap.cloud.sap/docs/guides/authorization#instance-based-auth
We introduced the attributes "CompanyCode" and "RecordType", which we referenced in the scopes and role-templates of our xs-security.json file.
(stripped down to its essential parts)
```json
{
  "xsappname": "myappname",
  "tenant-mode": "dedicated",
  "attributes": [
    {
      "name": "CompanyCode",
      "description": "CompanyCode",
      "valueType": "string"
    },
    {
      "name": "RecordType",
      "description": "RecordType",
      "valueType": "string"
    }
  ],
  "role-templates": [
    {
      "name": "DisplayTemplate",
      "description": "Display",
      "scope-references": [
        "uaa.user",
        "$XSAPPNAME.Display"
      ],
      "attribute-references": [
        "CompanyCode",
        "RecordType"
      ]
    },
    {
      "name": "EditTemplate",
      "description": "Edit",
      "scope-references": [
        "uaa.user",
        "$XSAPPNAME.Display",
        "$XSAPPNAME.Edit"
      ],
      "attribute-references": [
        "CompanyCode",
        "RecordType"
      ]
    }
  ]
}
```
In our authorization definitions, we restrict the access to our entity as follows:
```cds
annotate srv.MyEntity with @(restrict: [{
  grant: 'READ',
  to: ['Display'],
  where: 'company_code = $user.CompanyCode and record_type = $user.RecordType'
}, {
  grant: 'WRITE',
  to: ['Edit'],
  where: 'company_code = $user.CompanyCode and record_type = $user.RecordType'
}]);
```
In the BTP we defined several roles with static values for the attributes "CompanyCode" and "RecordType".
Role1:
- CompanyCode: "A"
- RecordType: "1"
Role2:
- CompanyCode: "B"
- RecordType: "2"
If a user gets these roles, the attributes are aggregated. The attributes in the applications are evaluated to:
UserAttributes:
- CompanyCode: ["A", "B"],
- RecordType: ["1", "2"]
As per the capire documentation, those attributes are evaluated in any way. So if a record has the companyCode "A" and the recordType "2", the user will still be eligible to access this record (in our current configuration at least), although the defined roles are intended to only give the user access to the combinations "A"+"1" and "B"+"2", but not "A"+"2" or "B"+"1".
Is there any way to model this scenario with the capire framework and the BTP? Or is it working as designed and this is not possible?
Thanks for your help in advance!
Kind regards,
Philipp Thiele
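The following is an added illustration, not code from the post or from the CAP framework itself. It models the evaluation the question describes: each `field = $user.Attr` term in the `where` clause is satisfied when the field value appears in the (possibly aggregated) attribute value list, and the two terms are combined with `and` independently, so the combinations "A"+"2" and "B"+"1" pass. The second function shows the pair-wise check the roles were meant to express, for contrast; the record set and the user object are constructed sample data, and the function names are assumptions made for this example.

```javascript
// Added example (not CAP's own implementation): how independently evaluated
// attribute lists widen access beyond the intended (CompanyCode, RecordType) pairs.

// Constructed sample records, one per combination.
const records = [
  { ID: 1, company_code: 'A', record_type: '1' },
  { ID: 2, company_code: 'A', record_type: '2' },
  { ID: 3, company_code: 'B', record_type: '1' },
  { ID: 4, company_code: 'B', record_type: '2' },
];

// Attributes as the post says they are aggregated after assigning Role1 and Role2.
const aggregatedUser = { CompanyCode: ['A', 'B'], RecordType: ['1', '2'] };

// A user holding only Role1 (single string values).
const role1User = { CompanyCode: 'A', RecordType: '1' };

// The pairs the two roles were intended to grant together.
const grantedPairs = [
  { CompanyCode: 'A', RecordType: '1' },
  { CompanyCode: 'B', RecordType: '2' },
];

// `field = $user.Attr` with a list-valued attribute behaves like `field in (list)`.
function inList(value, attr) {
  const list = Array.isArray(attr) ? attr : [attr];
  return list.includes(value);
}

// Model of the where-clause from the post: both terms evaluated on their own, then AND-ed.
function matchesIndependently(record, user) {
  return inList(record.company_code, user.CompanyCode)
      && inList(record.record_type, user.RecordType);
}

// The intended semantics: the record's pair must be one of the granted pairs.
function matchesPairwise(record, pairs) {
  return pairs.some(p => p.CompanyCode === record.company_code
                      && p.RecordType === record.record_type);
}

// Helper returning the IDs a given check lets through, as a comma-separated string.
function visibleIds(check) {
  return records.filter(check).map(r => r.ID).join(',');
}

function visibleWithIndependentTerms(user) {
  return visibleIds(r => matchesIndependently(r, user));
}

function visibleWithPairs(pairs) {
  return visibleIds(r => matchesPairwise(r, pairs));
}

console.log('Role1 only, independent terms :', visibleWithIndependentTerms(role1User));
console.log('Role1+Role2, independent terms:', visibleWithIndependentTerms(aggregatedUser));
console.log('Role1+Role2, pair-wise        :', visibleWithPairs(grantedPairs));
```

With a single role the two checks agree; once the attributes are aggregated into lists, the independent evaluation exposes every cross-product combination, which is the behaviour the question observes.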