Modeling Security Groups and Role Assignments

To organize application security roles and to manage user access, you create authorization groups in SAP BTP.

Remember:

SAP Business Technology Platform, Neo environment will sunset on December 31, 2028, subject to terms of customer or partner contracts.

For more information, see SAP Note 3351844.

Tip:

This documentation refers to SAP Business Technology Platform, Neo environment. If you are looking for documentation about other environments, see SAP Business Technology Platform.

You model security groups in the MTA deployment descriptor using the module type com.sap.hcp.group. You can also assign any roles defined in a Java application to these authorization groups.

The following rules apply when you deploy a solution containing authorization groups:

  • If the group already exists, it is updated with the new role assignments defined in the MTA deployment descriptor.
  • If you delete a solution, a group is not deleted, as it might be used by other applications.

Example:

Assume that you have defined the following set of security roles in the web.xml of your Java application.

<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
 
<web-app>
  <display-name>My Java Web Application</display-name>
  <security-role>
    <role-name>administrator</role-name>
  </security-role> 
</web-app>

For a complete list of the supported properties, see MTA Module Types, Resource Types, and Parameters for Applications in the Neo Environment.

The security roles can be assigned to a group modeled in the MTA deployment descriptor.

Example:

ID: com.sap.mta.demo
_schema-version: '2.1'

parameters:
  hcp-deployer-version: '1.1.0'

modules:
# Authorization group; the anchor &adminGroup holds the group name
- name: administratorGroup
  parameters:
    name: &adminGroup AdministratorGroup
  type: com.sap.hcp.group
# Java application whose security role is assigned to the group
- name: demowebapp
  parameters:
    name: demowebapp
    title: Demo MTA Application
    runtime-version: '3'
    java-version: JRE 8
    roles:
    - name: administrator
      groups:
      - *adminGroup   # resolves to AdministratorGroup
  requires:
  - name: administratorGroup

When you deploy the above example, a new authorization group named AdministratorGroup is created, and the administrator application security role from the demowebapp is assigned to this group. If the group already exists, only the application security role is assigned to the existing group.
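Because deployment assigns roles to a group that may already exist and be shared with other applications, it is useful to list which role lands in which group before deploying. The following Ruby script is an added example, not part of the SAP documentation or tooling: it resolves the YAML aliases in a descriptor and reports each role-to-group grant. The function name `review_role_assignments`, the `auditor` role, `AuditorGroup`, and both review flags are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed inputs modeled on the page's example; the 'auditor' role and
# 'AuditorGroup' are hypothetical additions that trigger the review flags.
WEB_XML = <<~'XML'
  <web-app>
    <security-role><role-name>administrator</role-name></security-role>
  </web-app>
XML

DESCRIPTOR = <<~'MTA'
  ID: com.sap.mta.demo
  _schema-version: '2.1'
  modules:
  - name: administratorGroup
    type: com.sap.hcp.group
    parameters:
      name: &adminGroup AdministratorGroup
  - name: demowebapp
    parameters:
      roles:
      - name: administrator
        groups:
        - *adminGroup
      - name: auditor
        groups:
        - AuditorGroup
MTA

# Returns [assignments, flags]: every (module, role, group) grant with aliases
# resolved, plus reviewer heuristics (assumptions here, not SAP deployer checks).
def review_role_assignments(descriptor, web_xml)
  modules = YAML.safe_load(descriptor, aliases: true).fetch('modules', [])
  # Simple scan for <role-name> values; adequate for a flat web.xml like the page's.
  declared = web_xml.scan(%r{<role-name>\s*([^<]+?)\s*</role-name>}).flatten
  modeled = modules.select { |m| m['type'] == 'com.sap.hcp.group' }
                   .map { |m| m.dig('parameters', 'name') }
  assignments, flags = [], []
  modules.each do |mod|
    (mod.dig('parameters', 'roles') || []).each do |role|
      flags << "role '#{role['name']}' is not declared in web.xml" unless declared.include?(role['name'])
      (role['groups'] || []).each do |group|
        assignments << [mod['name'], role['name'], group]
        flags << "group '#{group}' is not modeled in this descriptor" unless modeled.include?(group)
      end
    end
  end
  [assignments, flags]
end
```

A group flagged as not modeled is referenced only by its literal name, so the grant goes to whatever membership that group already has in the account.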

Related Information

Role Assignment of HTML 5 Roles to Security Groups

Role Assignment of Fiori Roles to Security Groups

Operating Solutions

The Multitarget Application Model v.2

The Multitarget Application Model v.3