
How to restrict access for the app published in Cloud Foundry

0 Kudos

In the NEO, I can manage groups and grant access as I want.

I am trying to do this in the Cloud Foundry...

I want to define access for a specific puser or suser.

Can someone tell me how I can do this?

In Trust Configuration? Roles? Manifest.yml?

I created one service application, and everyone with an suser or puser has access to it.

0 Kudos

Adding more information...

I need to do this on the approuter example:

https://developers.sap.com/tutorials/cp-connectivity-consume-odata-service-approuter.html

Accepted Solutions (1)

Steven_UM
Contributor

Hi,

If I understood you correctly, and following on from the link you gave:

You basically need to add a custom scope check and role collection to the xs-security.json file and deploy that with the UAA service.

And then in the app router you have to extend the route configuration indicating that you want authentication to happen via the UAA service and the particular scope that is required:

{
  "routes": [
    {
      "source": "/",
      "target": "/sap/opu/odata/sap/EPM_REF_APPS_PROD_MAN_SRV/Products",
      "destination": "abapBackend1",
      "authentication": "xsuaa",
      "scope": "$XSAPPNAME.MyNewScopeToCheck"
    }
  ]
}

That should do the trick. You will need to add the role collection to a role and link that with the users you want to have access.

0 Kudos

Thanks for the suggestion Steven!

I tried it, and got this result.

First take a look at my xs-app.json:

{
  "routes": [
    {
      "source": "^(.*)$",
      "target": "/sap/opu/odata/SAP/$1",
      "destination": "PiraEcc_DEV",
      "authentication": "xsuaa",
      "scope": "$XSAPPNAME.OdataAccess"
    }
  ]
}

And while pushing, it shows this error:

"VError: xs-app.json/routes/0/authentication: Additional properties not allowed"

I will continue trying this way...

The correct property is authenticationType...

It works this way:

{
  "routes": [
    {
      "source": "^(.*)$",
      "target": "/sap/opu/odata/SAP/$1",
      "destination": "PiraEcc_DEV",
      "authenticationType": "xsuaa",
      "scope": "$XSAPPNAME.MyNewScopeToCheck",
      "csrfProtection": true
    }
  ]
}

Thank you very much!!

Steven_UM
Contributor
0 Kudos

Hi Martins,

Ah glad you could solve it .. even with my lazy copy & paste skills ... 😛

It is indeed "authenticationType" ...

Steven

Answers (1)

gregorw
Active Contributor

You have to define scopes and role templates in the xs-security.json. The scopes must be checked in your app. The role templates can be added to roles which then can be assigned to users.

0 Kudos

Thanks for the reply, Gregor!

But I can't imagine how to do this in this example:

https://developers.sap.com/tutorials/cp-connectivity-consume-odata-service-approuter.html

The final result of this approuter doesn't have a .js, for example, to test the roles.

Now i am following this post.

https://blogs.sap.com/2019/04/02/a-do-it-yourself-at-home-guide-how-to-connect-a-node.js-app-on-sap-...

There is a change in the direct access of approuter/odata... maybe it will solve my problem...
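
An added example, not part of the thread and not SAP's code: a small Node.js lint that checks an approuter xs-app.json for the points raised above (the rejected "authentication" key, routes with no scope, and scopes that xs-security.json does not declare or attach to a role template). The function names, the xsappname and the role template name in the sample are constructed for illustration.

```javascript
// Added example: lint approuter routes (xs-app.json) against xs-security.json.
// Not the approuter's own schema validation; it checks only the points raised in this thread.

// Normalise a route's "scope" (string, array, or per-HTTP-method object) to a flat list.
function routeScopes(scope) {
  if (!scope) return [];
  if (typeof scope === 'string') return [scope];
  if (Array.isArray(scope)) return scope;
  return Object.values(scope).flat();
}

function lintRoutes(xsApp, xsSecurity) {
  const findings = [];
  const declared = new Set((xsSecurity.scopes || []).map((s) => s.name));
  const grantable = new Set((xsSecurity['role-templates'] || []).flatMap((t) => t['scope-references'] || []));
  (xsApp.routes || []).forEach((route, i) => {
    const at = `routes/${i}`;
    if ('authentication' in route) {
      findings.push(`${at}: "authentication" is rejected on push; use "authenticationType"`);
    }
    if (route.authenticationType === 'none') {
      findings.push(`${at}: no authentication, route is open to anyone`);
      return;
    }
    const scopes = routeScopes(route.scope);
    if (scopes.length === 0) {
      findings.push(`${at}: no scope, every authenticated user can reach it`);
    }
    for (const s of scopes) {
      if (!declared.has(s)) findings.push(`${at}: scope ${s} is not declared in xs-security.json`);
      else if (!grantable.has(s)) findings.push(`${at}: scope ${s} is in no role template, nobody can be granted it`);
    }
  });
  return findings;
}

// Constructed sample input: scope and destination names come from the thread; the rest is made up.
const xsSecurity = {
  xsappname: 'approuter-demo',
  scopes: [{ name: '$XSAPPNAME.MyNewScopeToCheck', description: 'Read OData' }],
  'role-templates': [{ name: 'ODataViewer', 'scope-references': ['$XSAPPNAME.MyNewScopeToCheck'] }],
};
const working = { routes: [{ source: '^(.*)$', target: '/sap/opu/odata/SAP/$1', destination: 'PiraEcc_DEV',
  authenticationType: 'xsuaa', scope: '$XSAPPNAME.MyNewScopeToCheck', csrfProtection: true }] };
const firstTry = { routes: [{ source: '^(.*)$', target: '/sap/opu/odata/SAP/$1', destination: 'PiraEcc_DEV',
  authentication: 'xsuaa', scope: '$XSAPPNAME.OdataAccess' }] };
console.log(lintRoutes(working, xsSecurity));
console.log(lintRoutes(firstTry, xsSecurity));
```

Run it with `node` before `cf push`; an empty array means every route names a scope that a role template can actually grant.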