CAP: Instance-based Authorization based on user attribute

former_member869401
Discoverer

Hello experts,

In the last few days I have tried to implement instance-based authorization in our CAP application by following this Capire documentation: Instance-Based Authorization

Our users have multiple attributes by which access is restricted.

Attributes defined in the xs-security.json file:

"attributes": [
  {
    "name": "Application",
    "description": "Application",
    "valueType": "string"
  },
  {
    "name": "CompanyCode",
    "description": "CompanyCode",
    "valueType": "string"
  },
  {
    "name": "RecordType",
    "description": "RecordType",
    "valueType": "string"
  }
]

Our entity is restricted as follows:

annotate srv.Application with @(restrict: [
  {
    grant: 'READ',
    to: ['Display'],
    where: 'application = $user.Application'
  }
]);

This restriction works fine. The users can only read the applications contained in the user's Application attribute.

Now we have a new requirement: there should be a way to configure a user to get access to all applications. To do this, the Application attribute will get a special value (e.g. "ALL"). If a user has this value in their Application attribute, they should be able to see all applications.

To achieve this, we tried the following restriction:

annotate srv.Application with @(restrict: [
  {
    grant: 'READ',
    to: ['Display'],
    where: 'application = $user.Application or $user.Application = ALL'
  }
]);

Unfortunately, this did not work and produced the following error message upon reading the entity:

No CXN expression found for where condition 'application = $user.Application or $user.Application = ALL' used for instance-based authorization of entity 'srv.Application'

We already looked at alternative ways of doing this:

  • Unrestricted user attributes: This is not suitable, because this way every user who has not yet set their Application attribute would have access by default. We want to restrict access by default and explicitly allow access via the ALL value.
  • Separate roles for unrestricted access, like an "ApplicationALL" role: This also does not seem suitable, since it would be required for every attribute (currently we are at 3, but there might be more in the future) and would make the restrict annotations very cluttered and hard to manage.

Is there any way to achieve our goal using the posted restriction annotation? If not, what would be the best way to tackle this?

Thank you for your input.

Kind regards,
Philipp


Constant values need quotes. Please retest with

[...]
where: 'application = $user.Application or $user.Application = `ALL`'
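As an added example (not code from the thread or from the CAP project), the complete annotation below applies the quoted-constant fix to all three attributes declared in the xs-security.json above, which the question mentions as the next step. The service and element names (companyCode, recordType, the String lengths) are assumptions for illustration; only srv.Application, the element application and the attribute names come from the post.

```cds
// Added example, not from the original post. The service definition and the
// elements companyCode / recordType are assumptions for illustration.
service srv {
  entity Application {
    key application : String(10);
    companyCode     : String(4);
    recordType      : String(2);
  }
}

// Each attribute either matches its element or is bypassed when the user
// carries the sentinel value ALL. The constant is written with backticks:
// an unquoted ALL is parsed as a reference to an element named ALL, which
// does not exist, and that is what the "No CXN expression found" error in
// the thread reports.
//
// `and` binds tighter than `or`, so every attribute pair is wrapped in its own
// parentheses. Without them a single ALL in one attribute would unlock the
// whole row set regardless of the other two attributes.
annotate srv.Application with @(restrict: [
  {
    grant: 'READ',
    to: ['Display'],
    where: '(application = $user.Application or $user.Application = `ALL`) and (companyCode = $user.CompanyCode or $user.CompanyCode = `ALL`) and (recordType = $user.RecordType or $user.RecordType = `ALL`)'
  }
]);
```

Two checks worth doing before rolling this out: make sure ALL can never be a legitimate key value for any of the three elements, because the wildcard is decided by plain string equality; and verify with a user whose attribute is unset that the row set is empty, since the whole point of preferring a sentinel over unrestricted attributes is that a missing attribute must still deny by default.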
former_member869401
Discoverer

Thank you Matthias!

The quotes did the trick.

Kind regards,
Philipp