Setting up ready-to-use role collections in the Cloud Foundry environment of SAP Business Technology Platform used to be cumbersome. There was no quick way of creating role collections right away; it would be handy to push role collections directly into the SAP BTP cockpit, so that admins could use them immediately and assign them to users.
Good news: a quick shortcut is available now (see the Release Notes and Quick Start: Create Role Collections (with Predefined Roles)).
How do I do that?
You define the role collections directly in the xs-security.json, using the new role-collections property.
The defined role collections reference role templates. The role templates can be in the same application or in other applications, as long as they are in the same subaccount; a role template of another application is referenced with the cross-application form of $XSAPPNAME described in Application Security Descriptor Syntax. As soon as you have deployed your application, the SAP BTP cockpit displays the role collections. They contain the roles you predefined in the referenced role templates.
One thing to keep in mind: a user assigned to such a collection receives the union of the scopes of all referenced role templates, and the collection is ready for assignment the moment the xsuaa service instance is created. Review the scope-references of every referenced role template before you deploy.
What do you need to do?
1. Deploy an application you want to use for creating role collections.
2. Edit the xs-security.json file and add the role-collections property. For details, see the role-collections section in Application Security Descriptor Syntax. Every scope a role template references must also be declared in the scopes section of the same descriptor, and the descriptor needs an xsappname; both are included in the example below.
{
  "xsappname": "rcpropertyapp",
  "scopes": [
    {
      "name": "$XSAPPNAME.Display",
      "description": "Display users"
    },
    {
      "name": "$XSAPPNAME.Update",
      "description": "Update users"
    }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "description": "View Users",
      "scope-references": [
        "$XSAPPNAME.Display"
      ]
    },
    {
      "name": "Manager",
      "description": "Maintain Users",
      "scope-references": [
        "$XSAPPNAME.Display",
        "$XSAPPNAME.Update"
      ]
    }
  ],
  "role-collections": [
    {
      "name": "UserManagerRC",
      "description": "User Manager Role Collection",
      "role-template-references": [
        "$XSAPPNAME.Viewer",
        "$XSAPPNAME.Manager"
      ]
    }
  ]
}
3. Go to the folder where the xs-security.json file is stored.
4. To deploy the security information, create an instance of the xsuaa service using your xs-security.json file:
cf create-service xsuaa application <service_name> -c xs-security.json
Example:
cf create-service xsuaa application rolecoll-serv -c xs-security.json
If you change the descriptor later, push the changes to the existing instance with cf update-service <service_name> -c xs-security.json.
5. (If you do not use a manifest file) Bind your application to the service.
cf bind-service <application_name> <service_name>
Example:
cf bind-service rcpropertyapp rolecoll-serv
Now, you have created a role collection.
6. Log on to the SAP BTP cockpit.
7. Navigate to your subaccount. The Role Collections menu item displays the role collection you defined during this procedure. Admins can now log on to the SAP BTP cockpit and assign this role collection to users.
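Before step 4 publishes the descriptor to the subaccount, it pays to check it offline: that every role-template reference and scope reference resolves, and which scopes an admin actually hands out when assigning each collection. The script below is an added example for this post, not SAP code. It works on a constructed copy of the descriptor above (xsappname and scope values are assumed), resolves the $XSAPPNAME placeholder (the cross-application form $XSAPPNAME(application,<xsappname>).Name is assumed from the SAP documentation), reports unresolved references, and lists the effective scopes per role collection; the cf commands it prints are the ones used in the procedure.

```python
"""Pre-deployment review of the role collections in an xs-security.json.

Added example for this post, not SAP code. It resolves the $XSAPPNAME
placeholder, checks that every reference points at something declared in
the descriptor, and lists the scopes each role collection would grant, so
the descriptor can be reviewed before cf create-service publishes it to
the subaccount and admins start assigning it.
"""
import json
import re
import sys

# Constructed sample, based on the post's descriptor plus the xsappname and
# scopes declarations a deployable descriptor needs (assumed values).
SAMPLE_DESCRIPTOR = """
{
  "xsappname": "rcpropertyapp",
  "scopes": [
    {"name": "$XSAPPNAME.Display", "description": "Display users"},
    {"name": "$XSAPPNAME.Update", "description": "Update users"}
  ],
  "role-templates": [
    {"name": "Viewer", "description": "View Users",
     "scope-references": ["$XSAPPNAME.Display"]},
    {"name": "Manager", "description": "Maintain Users",
     "scope-references": ["$XSAPPNAME.Display", "$XSAPPNAME.Update"]}
  ],
  "role-collections": [
    {"name": "UserManagerRC", "description": "User Manager Role Collection",
     "role-template-references": ["$XSAPPNAME.Viewer", "$XSAPPNAME.Manager"]}
  ]
}
"""

# Same-app references: $XSAPPNAME.Name. Cross-app references are assumed to
# use the $XSAPPNAME(application,<xsappname>).Name form from the SAP docs.
LOCAL_RE = re.compile(r"^\$XSAPPNAME\.(.+)$")
CROSS_APP_RE = re.compile(r"^\$XSAPPNAME\(application,([^)]+)\)\.(.+)$")


def load_sample():
    return json.loads(SAMPLE_DESCRIPTOR)


def resolve(ref, xsappname):
    """Return (owning app, local name) for a $XSAPPNAME reference."""
    m = LOCAL_RE.match(ref)
    if m:
        return xsappname, m.group(1)
    m = CROSS_APP_RE.match(ref)
    if m:
        return m.group(1), m.group(2)
    raise ValueError(f"unrecognised reference {ref!r}")


def _resolved(refs, app, problems):
    """Yield resolved references, recording malformed ones as problems."""
    for ref in refs:
        try:
            yield resolve(ref, app)
        except ValueError as exc:
            problems.append(str(exc))


def validate(descriptor):
    """Return a list of problems; an empty list means all references resolve."""
    problems = []
    app = descriptor.get("xsappname") or ""
    if not app:
        problems.append("xsappname is missing")
    scopes = {name for _, name in
              _resolved([s["name"] for s in descriptor.get("scopes", [])], app, problems)}
    templates = {}
    for t in descriptor.get("role-templates", []):
        templates[t["name"]] = t
        for ref_app, name in _resolved(t.get("scope-references", []), app, problems):
            if ref_app == app and name not in scopes:
                problems.append(f"role template {t['name']}: undeclared scope {name}")
    for rc in descriptor.get("role-collections", []):
        refs = rc.get("role-template-references", [])
        if not refs:
            problems.append(f"role collection {rc['name']}: no role-template-references")
        for ref_app, name in _resolved(refs, app, problems):
            if ref_app == app and name not in templates:
                problems.append(f"role collection {rc['name']}: unknown role template {name}")
    return problems


def effective_scopes(descriptor):
    """Map each role collection to what an assigned user receives: the union of
    the local role templates' scopes, plus external role templates by name
    (their scopes live in the other application's descriptor)."""
    app = descriptor.get("xsappname") or ""
    templates = {t["name"]: t for t in descriptor.get("role-templates", [])}
    result = {}
    for rc in descriptor.get("role-collections", []):
        granted = set()
        for ref in rc.get("role-template-references", []):
            ref_app, name = resolve(ref, app)
            if ref_app != app:
                granted.add(f"{ref_app}:{name} (external role template)")
                continue
            for sref in templates.get(name, {}).get("scope-references", []):
                granted.add(f"{app}.{resolve(sref, app)[1]}")
        result[rc["name"]] = granted
    return result


def cf_commands(service_name, path="xs-security.json"):
    """The CLI calls from the post: create the xsuaa instance the first time,
    update it with the same -c flag after changing the descriptor."""
    return (f"cf create-service xsuaa application {service_name} -c {path}",
            f"cf update-service {service_name} -c {path}")


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            descriptor = json.load(fh)
    else:
        descriptor = load_sample()
    problems = validate(descriptor)
    for p in problems:
        print("PROBLEM:", p)
    if problems:
        return 1
    for rc, scopes in effective_scopes(descriptor).items():
        print(f"{rc} grants: {', '.join(sorted(scopes))}")
    create, update = cf_commands("rolecoll-serv")
    print("deploy with:", create, "| later changes:", update)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to your own xs-security.json as the only argument; without an argument it reviews the embedded sample. For the sample it reports that UserManagerRC grants both rcpropertyapp.Display and rcpropertyapp.Update, which is the kind of detail worth confirming before an admin can hand the collection to users.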
NOTE
There is a tutorial with an xs-security.json file that includes role collections, which you may use as an example. You find the tutorial here: Tutorials for Authorization and Trust Management