on 2024 Jul 13 8:35 PM
Good day to everyone,
I'm new to the CAPM world and have recently started learning its concepts. We've developed CAP services and now need to secure them by implementing authorization and authentication.
SAP provides XSUAA, which ensures that only authorized users can access endpoints by establishing a trusted connection with identity providers for user authentication. This concept works well from SAP's perspective.
However, in our scenario, we have developed CAPM services that are bound to a HANA Cloud Database (HDI Containers). Our database/schema contains a users table (ID, Name, Username, Password). We want to implement a system where authorization and authentication occur only if the user exists in our user table.
Instead of authenticating users against identity providers, I want to validate users against the records in our tables and generate a token if the records exist.
Is this approach correct? In ASP.NET Web API, we usually follow this practice.
Looking forward to your suggestions.
Best regards,
Rahul Jain
I would suggest rethinking this approach. The CAP framework relies on best practices for a lot of topics, including security. It uses BTP roles and HDI users to establish/govern access and connectivity to the service layer and database layer, and 'outsources' token handling to the XSUAA service.
If you want to use a custom list of users, I suggest looking at importing them to IAS so you can assign roles to them to access your application: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/import-or-update-users-for...
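
The model the reply describes, with access rules declared in CDS and tokens issued and validated by XSUAA instead of a password check against an application table, can be sketched as follows. This is an added example, not code from the thread: the entity, service and role names (`OrderRecords`, `OrderService`, `Viewer`, `Admin`) are hypothetical, and it assumes `cds.requires.auth` is set to `xsuaa` in `package.json` and that `xs-security.json` defines role templates carrying scopes with the same names.

```cds
// Added example; all names below are hypothetical.
using { cuid, managed } from '@sap/cds/common';

// Persistence entity deployed to the HDI container.
// 'managed' adds createdBy/modifiedBy, filled from the authenticated user ID,
// so no Username/Password columns are needed in the application schema.
entity OrderRecords : cuid, managed {
  title : String(100);
}

// Requests without a valid token are rejected before any handler or
// database access runs.
service OrderService @(requires: 'authenticated-user') {

  // Roles arrive as scopes in the token and are assigned to users
  // (for example users imported to IAS) through BTP role collections.
  @(restrict: [
    { grant: ['READ', 'CREATE'],   to: 'Viewer' },
    // Instance-based rule: a Viewer may change only records they created.
    { grant: ['UPDATE', 'DELETE'], to: 'Viewer', where: 'createdBy = $user' },
    { grant: '*',                  to: 'Admin' }
  ])
  entity Orders as projection on OrderRecords;
}
```

With this in place the application never stores or compares passwords; who counts as a valid user is decided in the identity provider and in the role assignments.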