To enforce authorization for an HTML5 application, permissions can be added to application paths.
SAP Business Technology Platform, Neo environment will sunset on December 31, 2028, subject to terms of customer or partner contracts.
For more information, see SAP Note 3351844.
This documentation refers to SAP Business Technology Platform, Neo environment. If you are looking for documentation about other environments, see SAP Business Technology Platform.
In the cockpit, you can create custom roles and assign them to the defined permissions. If a user accesses an application path that starts with a path defined for a permission, the system checks whether the current user is a member of the assigned role. If no role is assigned to a defined permission, only subaccount members with the developer permission or the administrator permission have access to the protected resource.
Permissions are only effective for the active application version. To protect non-active application versions, the default permission NonActiveApplicationPermission is defined by the system for every HTML5 application. This default permission must not be defined in the neo-app.json file but is available automatically for each HTML5 application.
If only authentication is required for a path, but no authorization, a security constraint can be added without a permission.
A security constraint applies to the directories and their sub-directories defined in the protectedPaths field, except for paths that are explicitly excluded in the excludedPaths field. The excludedPaths field supports pattern matching. If a specified path ends with a slash character (/), all resources in the given directory and its sub-directories are excluded. You can also specify the path to be excluded using wildcards; for example, the path **.html excludes all resources ending with .html from the security constraint.
To define a security constraint, use the following format in the neo-app.json file:

...
"securityConstraints": [
  {
    "permission": "<permission name>",
    "description": "<permission description>",
    "protectedPaths": [
      "<path to be secured>"
    ],
    "excludedPaths": [
      "<path to be excluded>",
      ...
    ]
  }
]
...
An example configuration that restricts the complete application to the accessUserData permission, with the exception of all paths starting with "/logout", looks like this:

...
"securityConstraints": [
  {
    "permission": "accessUserData",
    "description": "Access User Data",
    "protectedPaths": [
      "/"
    ],
    "excludedPaths": [
      "/logout/**"
    ]
  }
]
...
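To see how the prefix rule for protectedPaths and the pattern rules for excludedPaths combine, the following added example (not SAP code, and not how the Neo dispatcher is implemented) evaluates a constructed neo-app.json fragment against request paths and reports which permission, if any, guards each path. It assumes that a single * matches within one path segment; the documentation above only describes the trailing slash and the ** wildcard.

```python
import json
import re

# Constructed sample neo-app.json fragment, not taken from a real project.
NEO_APP_JSON = """
{
  "securityConstraints": [
    {
      "permission": "accessUserData",
      "description": "Access User Data",
      "protectedPaths": ["/"],
      "excludedPaths": ["/logout/**", "/public/", "**.css"]
    }
  ]
}
"""


def _excluded_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one excludedPaths entry into a regular expression.
    A trailing slash excludes the directory and everything below it;
    '**' matches any characters including '/'. A single '*' is treated
    as 'any characters except /' (assumption, not documented above)."""
    if pattern.endswith("/"):
        return re.compile(re.escape(pattern) + ".*")
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out)


def required_permission(neo_app_json: str, request_path: str):
    """Return the permission name that guards request_path, the string
    "authenticated" when a matching constraint has no permission (login
    only), or None when no security constraint covers the path at all."""
    cfg = json.loads(neo_app_json)
    for sc in cfg.get("securityConstraints", []):
        # protectedPaths is a prefix match on the requested path
        if not any(request_path.startswith(p) for p in sc.get("protectedPaths", [])):
            continue
        # an excludedPaths hit lifts this constraint from the path
        if any(_excluded_pattern_to_regex(e).fullmatch(request_path)
               for e in sc.get("excludedPaths", [])):
            continue
        return sc.get("permission", "authenticated")
    return None
```

Paths for which the function returns None are served without any authentication, so running it over the real neo-app.json with the application's known routes is a quick way to spot an exclusion that is broader than intended.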