SAP IoT Application Enablement Best Practices Authorization Guide


TABLE OF CONTENTS

1 INITIAL TENANT SETUP
1.1 Configure Trust
1.1.1 Technical Background
1.2 Establish Trust
1.3 Set Up Destinations for SAP Cloud Platform
2 AUTHORIZATION IN SAP IOT APPLICATION ENABLEMENT
2.1 Functional Authorization
2.1.1 Example: Configuration User Administrator
2.1.2 Example: Configuration Thing Engineer
2.2 Instance Authorization
3 CLOUD FOUNDRY USER ACCOUNT AND AUTHENTICATION SERVER
3.1 User Authentication
3.1.1 Application Authentication
4 SAP CLOUD PLATFORM IDENTITY AUTHENTICATION SERVICE
4.1 User
4.2 User Groups
5 USER PERSPECTIVES ON AUTHORIZATION
5.1 Adding a New Object Authorization
5.2 Adding a Custom Functional Authorization
5.3 Result of the Authorization
6 AUTHORIZATION ON API CALLS
6.1 For Testing Purposes (with User Context)
6.2 Calling an API from an App Deployed in Cloud Foundry (with User Context)
6.3 Calling an API from SAP Cloud Platform Neo-Stack (with User Context)
6.4 Calling an API from Another Cloud or App (Without User Context)

This guide explains how to set up authorization and authentication for the SAP IoT Application Enablement toolkit to meet your business needs, with a focus on the software-as-a-service (SaaS) use case. The guide assumes you are familiar with the basic concepts of SAP IoT Application Enablement from the solution documentation. The guide starts with setting up and configuring the toolkit. Section 2 introduces the authorization concept used in SAP IoT Application Enablement. Section 3 discusses setting up authorization in the Cloud Foundry environment of SAP Cloud Platform. Section 4 focuses on the SAP Cloud Platform Identity Provisioning service. Section 5 provides an example, and the last section lists the API calls that can be used in a custom-developed application.

1 Initial Tenant Setup

The initial setup for the tenant is discussed in this section. Before we begin, here are some links that could be very useful to you. Please note that the links contain placeholders that can be customized per individual user or customer.

SAP Cloud Platform Identity Provisioning service: https://<sci-tenant>.accounts400.ondemand.com/admin
User account and authentication (UAA) server for SAP Cloud Platform: https://<iotae-tenant>.admin.cfapps.eu10.hana.ondemand.com/index.html
Trust configuration for SAP Cloud Platform: https://account.hana.ondemand.com/cockpit#/acc/<sap CP ACCOUNT>/trust

1.1 Configure Trust

This section explains how to configure trust between the Neo environment of SAP Cloud Platform and the Cloud Foundry environment of SAP Cloud Platform. The work is performed using the user account and authentication (UAA) configuration tool for SAML2 within SAP IoT Application Enablement. In the OAuth2 SAML bearer flow, the account in SAP Cloud Platform acts as an identity provider (IDP). The destination service for SAP Cloud Platform issues a SAML assertion for the logged-in user and signs it as IDP using the private key of the account. For this to succeed, Cloud Foundry must be configured to trust this IDP.

1. To use the default IDP, set the trust configuration as shown in Figure 1. Save your entries.

Figure 1: Configuring Trusted Identity Provider

2. Switch to Custom by selecting the configuration type. Then click Generate Key Pair. The window shown in Figure 2 appears.

Figure 2: Managing Local Provider Settings

3. From the SAP Cloud Platform cockpit, export the metadata from the Trust tab of the account on SAP Cloud Platform. To do so:
- Rename the local provider to a name less than 20 characters long using only letters and numbers.
- Set the Principal Propagation field to Enabled.
- Export it.

4. To enable an import into an IDP, you must convert the metadata from SP metadata to IDP metadata. To do this:
- Replace all "SPSSO" strings with "IDPSSO".
- Insert an XML declaration at the top: <?xml version="1.0"?>. The Cloud Foundry import tool requires this.

5. If you were using Default Trust, you need to restore it, but only partially. To do so:
- Switch Configuration Type to Default.
- Make sure Principal Propagation is set to Enabled.
- Make sure Force Authentication is set to Disabled.
- Click Save.

You still have trust to the SAP ID service, but when you send outbound SAML assertions, the configured local provider will be used to sign them (see Figure 3).

Figure 3: Configuring the Local Service Provider

6. Go to the UAA configuration tool for SAML2 using: https://<tenant-id>.admin.cfapps.eu10.hana.ondemand.com/index.html. Administrative access is required (see Figure 4).

7. Create a new SAML identity provider, paste the metadata, and parse it. Set the State field to Inactive, and save the configuration.

Note: Setting an additional IDP results in a confusing login screen for Cloud Foundry. It is advisable to enable an additional IDP only during testing and to give it a name that indicates it is not the central IDP. (You can specify the name in the UAA configuration tool within SAP IoT Application Enablement.)

Figure 4: XS Advanced Error Message

1.1.1 Technical Background

To summarize, the configured IDP authenticates user X for the account on SAP Cloud Platform as userx@idpneoaccount and calls the application running in SAP Cloud Platform. The app looks up an OAuth2SAMLBearer destination and makes a call through it. The destination assembles a SAML assertion using the local IDP configuration and sends it to the UAA service running in the Cloud Foundry landscape through the OAuth2 SAML bearer assertion flow. The UAA service must have been previously configured to trust the local IDP from the account on SAP Cloud Platform. It then responds with a JSON Web Token (JWT) access token that contains the authorized scopes for that user. The destination service calls the configured URL in the destination, providing the access token. This must be the URL of the app router. Upon receiving the access token, the app router validates it using the internally stored validation key. If the app router accepts it, it then checks whether the scopes configured for the given route match the scopes from the assertion. Finally, it forwards the call to the back-end app as configured and passes the access token along. When the back-end app receives a call, it uses filters configured in the Spring Security framework from SpringSource Inc., where the token is checked again. If it matches the configuration, it lets the call pass through to the app.

1.2 Establish Trust

In this phase of the work, you establish trust between the UAA component of SAP IoT Application Enablement and the SAP Cloud Platform Identity Authentication service. Before you begin, make sure you have the administrator privileges required to perform SAML configuration tasks in the relevant subaccount: XS_AUTHORIZATION_ADMIN, full access, no access restrictions. In the following steps, you import the identity provider's metadata file and define attribute mappings. The attributes are included in the SAML 2.0 assertion and are used to assign UAA authorizations automatically based on information maintained in the identity provider.

1. Open the administration console of the SAP Cloud Platform Identity Authentication service. Example: https://company.accounts.ondemand.com/admin

2. Add a new SAML 2.0 identity provider. To do so, click + Add in the Applications panel of Applications & Resources to create a new application (see Figure 5).

Figure 5: Adding a New SAML 2.0 Identity Provider

3. Specify a name for the application that identifies it as your new identity provider. Save your changes (see Figure 6).

Figure 6: Adding an Application

4. Choose SAML 2.0 Configuration and import the relevant metadata file. To do so, use the metadata file of your subaccount. The subdomain name is usually identical to the tenant name (see Figure 7). You can find the metadata file at https://<tenant_name>.authentication.eu10.hana.ondemand.com/saml/metadata.

Figure 7: Importing the Metadata File

5. Choose Name ID Attribute (see Figure 8), select E-Mail as the unique attribute, and click Save (see Figure 9).

Figure 8: Choosing the Name ID Attribute

Figure 9: Selecting E-Mail As the Unique Attribute

6. Choose SAML Assertion Attributes (see Figures 10 and 11) and enter Groups (capitalized) in the Assertion Attribute field (see Figure 12). Save your changes.

Figure 10: Choosing SAML Assertion Attributes

Figure 11: Choosing Groups As an Assertion Attribute

Figure 12: Entering Groups in the Assertion Attributes Field

7. Test the SAML 2.0 configuration using the following URL: https://<tenant_name>.authentication.eu10.hana.ondemand.com/config?action=who

You should see output similar to the following:

username john.doe@acme.com
origin MySAML2IDP
zoneid acme-saas
SAML Issuer xs2security.accounts.ondemand.com
currently resolved authorities [idps.write, xs_authorization.write, xs_authorization.read, idps.read]
SAML groups [acme-saas-useradmin]
email john.doe@acme.com
userid 4e0efa4e-5e2f-3a1a-b070-69d7be1acdfb
externalid john.doe@acme.com
authorities [idps.write, xs_authorization.write, xs_authorization.read, idps.read]

1.3 Set Up Destinations for SAP Cloud Platform

After the identity tenant is configured, the tenant administrator for the SAP Cloud Platform Identity Authentication service receives an e-mail with login credentials. With the help of these credentials, the administrator must complete the configuration using the SAP Web IDE development environment. To do so:

1. Go to http://help.sap.com. At the Web site, search for SAP IoT Application Enablement and navigate to: SAP IoT Application Enablement Reuse Controls and Templates > IoT Application Projects in SAP Web IDE > Developing IoT Applications Using the Storyboard Perspective > Prerequisites for Creating Applications Using IoT Reuse Controls

2. Follow the instructions to configure the following destinations:
- IOTAS
- IOTAS-COMPOSITE-EVENTS-ODATA
- IOTAS-DETAILS-THING-ODATA
- IOTAS-FILEIMAGE
- IOTAS-ADVANCEDLIST-THING-ODATA
- IOTAS_CONTROLS
- sapui52

You now have a working setup of SAP IoT Application Enablement, the SAP Cloud Platform Internet of Things service, and SAP Web IDE.

2 Authorization in SAP IoT Application Enablement

The authorization concept of the SAP IoT Application Enablement toolkit includes the following components:
- The SAP Cloud Platform Identity Authentication service serves as an identity provider for creating users and user groups. For each customer (or tenant) using the platform services, there is a dedicated identity authentication instance. (See Section 4 for details.)
- The user account and authentication service from SAP is used as an authorization server. For each tenant, a dedicated UAA instance (or identity zone) is provided. SAP UAA assigns and checks functional authorizations (or UAA scopes). Functional authorizations determine whether a user has permission to start a given service. The authorizations are assigned to roles provided by the UAA service. For easier administration, the roles are bundled into UAA role collections, which in turn are assigned to user groups provided by the identity authentication service. (See Section 3 for details.)
- IoT business partner services are onboarding services that let you associate an employee of a platform customer with a user of the authentication service and assign the employee to a user group of the service.
- IoT authorization services let an administrator define access rights for individual object instances. This authorization is used to filter access to single instances of application-specific objects managed in the SAP IoT Application Enablement toolkit.

A prerequisite for calling application services is assignment of the functional authorizations to the user groups within the UAA role collections. This concept establishes a two-step process for checking whether a user has sufficient authorizations for a particular service request. First, it checks whether the user is functionally authorized for the desired activity (create, read, update, delete). If the functional authorization is sufficient, it then checks whether the user is authorized to perform the desired activity on the given object.

2.1 Functional Authorization

Figure 13 shows the dependencies of functional authorization. Functional authorization is handled by the application router of SAP IoT Application Enablement. Each application of the toolkit, for example, the thing modeler or the person app, comes with predefined scopes. Scopes cover specific business scenarios and cannot be changed. Each scope is assigned to a role template, which is mapped to a user group within the Cloud Foundry UAA. (See Section 3 for details on UAA.)

Figure 13: Dependencies of Functional Authorization

You can review the existing scopes within the tenant-specific UAA (see Figure 14). Currently, the following scopes are available.

Figure 14: Reviewing Scopes Within the Tenant-Specific User Account and Authorization

Each application in the user interface (UI) has its own scope. The next step is the preconfigured role templates (see Figure 15).

Figure 15: Viewing Preconfigured Role Templates

An individual scope is enhanced by attributes, which allow a certain action to be performed within that scope, for example, read, create, update, or delete. These attributes are shown as scope references (see Figure 16).

Figure 16: Viewing Scope References

Each role is assigned a role template. Roles are cumulative within individual role collections. The collections are accessible through the UAA service. The role collection must be mapped to a user group within the identity provider. This is performed with the SAP Cloud Platform Identity Authentication service using assertions (see Figure 17).

Figure 17: Viewing Assertion-Based Role Collections

2.1.1 Example: Configuration User Administrator

Figure 18 shows the role collection useradmin and its assigned roles Location_Editor and Tenant_Administrator.

Figure 18: The Role Collection useradmin

To determine the individual scopes provided by the role collection useradmin, you must review the assigned role (Tenant_Administrator) and the template used (tenant_administrator), as well as the individual scopes. This reveals that a user assigned to the useradmin role collection is granted the following scopes:

auth!t5.c,auth!t5.d,auth!t5.oga.c,auth!t5.oga.d,auth!t5.oga.r,auth!t5.oga.u,auth!t5.r,auth!t5.u,bp!t5.c,bp!t5.d,bp!t5.r,bp!t5.tenant.r,bp!t5.tenant.u,bp!t5.u,bp!t5.vh.r,iotas!t5.company.admin,iotas!t5.objectauthorization.admin,iotas!t5.person.admin,iotas!t5.usergroup.admin,tenant!t5.org.c,tenant!t5.org.d,tenant!t5.org.r,tenant!t5.org.u,tenant!t5.pers.c,tenant!t5.pers.d,tenant!t5.pers.r,tenant!t5.pers.u

The user can perform every action within the person, companies, user groups, and object authorization applications.

2.1.2 Example: Configuration Thing Engineer

The preconfigured role collection thingsuperuser is assigned these roles:
- Location_Editor
- ReuseUI_Viewer
- Thing_Engineer

By way of an example, a Thing Engineer would be able to perform the following operations because all associated scopes are inherited by the role collection Thing_Engineer, which itself contains different roles.

loc!t5.c,loc!t5.d,loc!t5.r,loc!t5.u

advlist!t5.r,conf!t5.r,ctodata!t5.r,ctodata!t5.sysadmin,ct!t5.r,ct!t5.sysadmin,file!t5.r,pkg!t5.r,thingconf!t5.r,thing!t5.r,thngdtl!t5.r

advlist!t5.r,auth!t5.conf.c,auth!t5.conf.d,auth!t5.conf.r,auth!t5.oga.c,auth!t5.oga.d,auth!t5.oga.r,auth!t5.oga.u,auth!t5.r,bpanlyt!t5.r,bp!t5.conf.c,bp!t5.conf.d,bp!t5.conf.r,bp!t5.tenant.r,bp!t5.vh.r,conf!t5.c,conf!t5.d,conf!t5.r,iotas!t5.thingmodeler,iotas!t5.thingpackages,iotas!t5.thingpropertiescatalog,ohs!t5.c,ohs!t5.d,ohs!t5.r,ohs!t5.u,pkg!t5.c,pkg!t5.d,pkg!t5.r,pkg!t5.u,tde!t5.c,tde!t5.conf.c,tde!t5.conf.d,tde!t5.conf.r,tde!t5.d,tde!t5.r,tenant!t5.pers.r,thingconf!t5.c,thingconf!t5.d,thingconf!t5.r,thingconf!t5.u,thing!t5.c,thing!t5.conf.c,thing!t5.conf.d,thing!t5.conf.r,thing!t5.d,thing!t5.Event.c,thing!t5.Event.d,thing!t5.Event.r,thing!t5.Event.u,thing!t5.r,thngdtl!t5.r,ths!t5.c,ths!t5.d,ths!t5.r,ths!t5.u

A user assigned as Thing Engineer would be able to work with the thing modeler application, create locations, add locations to things, and use the Reuse UIs provided through SAP Web IDE. For more information on functional authorization, go to the solution documentation for the SAP IoT Application Enablement toolkit and select Authorization > Functional Authorization.

2.2 Instance Authorization

The instance authorization functionality is used to assign access rights to specific objects of a certain type that are managed within SAP IoT Application Enablement. Access rights are generally limited to objects within a particular tenant, which ensures that a user can access only the objects that belong to the tenant to which he or she is assigned. An administrator uses the IoT authorization functionality to grant access authorizations on an object instance level to user groups within SAP Cloud Platform Identity Authentication. Instance authorizations are based on a hierarchy of authorization groups (see Figure 19). These authorization groups are represented by the ObjectGroup services offered by the platform. The system administrator grants permission to read, write, or delete objects of a given type to a user group. With that, users are able to access object instances of that type.

Figure 19: Object Group Hierarchy

To determine instance authorization, the starting point is Capability Types. These are associated with Applications. Capability type objects define a certain capability that can be granted to a user through specific objects. The relation between a capability type and a capability is similar to that between a class and an object.

The capability types currently delivered are Thing, Organization, and Person. Actions that can be assigned include Read, Write, and Delete. The capability types are instantiated to a capability, which is later associated with a user group. You can use Capability objects to specify a set of objects in the database on which users can perform the actions defined by the capability type from which the capability has been derived. The most powerful feature defines the set of objects for which access is granted. A complex filter expression can be defined, which restricts access to objects of a particular type, or to objects of a particular type with a particular value in one of their fields (or with a set of values in a number of their fields). This lets you define access rights at a highly detailed level. It in turn serves as a prerequisite for a clear segregation of duties, which is required to fulfill the data protection requirements of a multitenant platform. Each individual object is assigned to an object group associated with a capability.

3 Cloud Foundry User Account and Authentication Server

The primary role of the UAA is as an OAuth2 provider, issuing tokens for client apps to use when they act on behalf of Cloud Foundry users. In collaboration with the login server, the UAA can authenticate users with their Cloud Foundry credentials and can act as a single sign-on (SSO) service using those, or other, credentials. The UAA has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions. The Cloud Foundry UAA service holds all application-related security entities and their relations to user information. It stores the association between identity user group and role collection as well as the association between role collection and role (see Figure 20). These associations are separated by identity zone, which allows individual per-tenant assignments within SAP IoT Application Enablement.

Figure 20: The Cloud Foundry UAA Server

3.1 User Authentication

When a user calls an API of SAP IoT Application Enablement, for example, to create a package within the package app, each HTTP request is sent to an application router. The application router:
- Checks the functional authorization of the user by identifying the user at the identity provider
- Checks the assigned user groups, role collections, and roles with the Cloud Foundry UAA server to make sure they correspond to the application the user is calling
- Forwards the request to the application itself

3.1.1 Application Authentication

For developing your application, refer to Section 6, which covers authentication for API calls.

4 SAP Cloud Platform Identity Authentication Service

The SAP Cloud Platform Identity Authentication service is a cloud service that provides authentication, single sign-on, and user management for on-premise and cloud solutions from SAP. The service includes on-premise integration as well as user self-services, such as registration and password reset for employees, customer partners, and consumers. The identity authentication service provides security features for protecting access to applications. It covers the definition of risk-based authentication rules and two-factor authentication. It can delegate authentication to on-premise user stores and other identity providers.

4.1 User

When SAP IoT Application Enablement manages the users who interact with the IoT platform, all user-related actions, including creating, importing, and updating users, should be performed with the toolkit as well. The toolkit invokes APIs within the SAP Cloud Platform Identity Authentication service. If you create users directly within SAP Cloud Platform Identity Authentication, they can interact with the toolkit but are not visible within the user management applications the toolkit offers.

4.2 User Groups

A user group is a collection of users who have something in common, for example, who work in the same department or have similar tasks in a company. When working with SAP IoT Application Enablement, you should work with user groups within the toolkit's authorization functionality. The roles you create there are recognized by the SAP Cloud Platform Identity Authentication service. Each user group can be assigned to Capabilities (instance authorization) and to a Role Collection (functional authorization) within the toolkit (see Section 2).

5 User Perspectives on Authorization

This example shows how the authorization concept within SAP IoT Application Enablement works. The company Fresh Air Company wants to restrict access to the Things object by location and business user role.

5.1 Adding a New Object Authorization

1. Create an authorization group within the Object Authorizations functionality (see Figure 21).

Figure 21: Creating an Authorization Group

2. Create a collection (see Figure 22) and assign authorization to the collection (see Figure 23).

Figure 22: Creating a Collection

Figure 23: Assigning Authorization to a Collection

3. Create a capability that restricts access to the Things object that belongs to the authorization group created earlier. Restrict user access to read only (see Figure 24). The object authorization is now set up.

Figure 24: Creating a Capability and Restricting User Access

4. To assign the capability to a user group (see Figure 25), open the user group app, create a user group, and assign the capability to the user group.

Figure 25: Assigning a Capability to a User Group

Note: If a user belongs to only one user group, you must assign a functional authorization as well.

5.2 Adding a Custom Functional Authorization

1. Navigate to the application role builder functionality within the UAA service of Cloud Foundry (see Figure 26). Create a role collection.

Figure 26: Navigating to Application Role Building Functionality

2. Assign the preconfigured ReuseUI_Viewer role to the role collection (see Figure 27). This ensures that the user works only with an IoT application that was created with an IoT template from SAP Web IDE. This completes the setup of the user account and authentication.

Figure 27: Assigning a Role to a Role Collection

3. Assign the functional authorization to a user group in the user group app (see Figure 28).

Figure 28: Assigning Functional Authorization to a User Group

4. Add the user group to a user within the Persons app of SAP IoT Application Enablement (see Figure 29).

Figure 29: Adding the User Group to a User

5.3 Result of the Authorization

When the fresh_air_company authorization group is assigned to a Things object, only users in the user group created above (see Section 5.1, Adding a New Object Authorization) are able to access the Things object. See Figure 30.

Figure 30: A Finished Authorization

All users assigned to a parent authorization group also have read access to the Things object. So a user administrator who has functional authorization for the Reuse Viewer role and is assigned to the parent authorization group will be able to see all Things objects in the IoT application within a given package. See Figure 31.

Figure 31: Users Assigned to a Parent Authorization Group

The operator user will see only those Things objects whose authorization group was changed to Fresh Air Company. See Figure 32.

Figure 32: Effects for the Operator of an Authorization Group

6 Authorization on API Calls

This section provides four scenarios for accessing the APIs of the SAP IoT Application Enablement toolkit.

6.1 For Testing Purposes (with User Context)

The easiest way to access APIs of SAP IoT Application Enablement is to use Postman with the Interceptor plugin for the Google Chrome browser. To do so, simply log in to the launch page of SAP IoT Application Enablement using Google Chrome with the Interceptor activated. Postman uses the established session to authenticate your requests. Requests that come from a browser always go through the app router (https://<tenant>.iot-sap.cfapps.eu10.hana.ondemand.com) with a specific route (for example, /appiot-mds or /business-partner) to the required microservice.

6.2 Calling an API from an App Deployed in Cloud Foundry (with User Context)

It is assumed you already have a UI application running on SAP Cloud Platform in the Cloud Foundry environment and want to access the API of SAP IoT Application Enablement. To do so: Define the role templates in your xs-security.json for your XSUAA service instance with the scopes from SAP IoT Application Enablement that your application or requests require. To ensure SAP IoT Application Enablement trusts your application, specify which scopes are granted to your application. If the trust is set up properly and the scopes are defined in your role templates and assigned to the users, you can pass the JSON Web Token (JWT) created by the OAuth client of your app router. For UI consumption, you can add routes in your app router to the microservices (back-end apps) of SAP IoT Application Enablement (forwarding JWT = true). Or you can send requests from your back-end application to the microservices of SAP IoT Application Enablement. In neither case does the request go through the app router URL mentioned above. You must call the back-end app URL directly, for example, https://appiot-mds.cfapps.eu10.hana.ondemand.com for Thing services.
6.3 Calling an API from SAP Cloud Platform Neo Stack (with User Context)

If you have a Neo application and want to call an API of SAP IoT Application Enablement, you must create trust between your account on SAP Cloud Platform, your identity zone in XSUAA on Cloud Foundry, and your tenant in the SAP Cloud Platform Identity Authentication service. Once the trust is set up, you can create destinations to each microservice in the toolkit you want to use with the authentication type OAuth2SAMLBearerAssertion. All credentials and information needed are provided by e-mail during the onboarding process of your tenant in the toolkit. (This includes documentation for the destination setup.)

6.4 Calling an API from Another Cloud or App (Without User Context)

If you have an application running in the cloud and want to push or pull data from the toolkit through a job, there is an OAuth client (iotas_consumer) that supports the OAuth client credentials flow. The credentials are sent by e-mail during the onboarding process of your tenant. (See Section 6.3.) As the client credentials flow has only scopes (functional authorizations) and no user context, instance-based authorization has no effect on such requests. The requesting application must therefore determine itself which users are authorized to see specific instances and which are not.
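The instance-level check that Section 6.4 leaves to the requesting application, as an added example that is not SAP's code: it models the guide's authorization groups, the parent-group read access of Section 5.3 and read-only capabilities with constructed placeholder names (fresh_air_operators, berlin_plant and the Thing IDs are assumptions), so a job that fetched Things with the scope-only iotas_consumer token can still narrow the result to what a given user may see.

```python
# Added example (not SAP's code): the instance-level check a job-style client
# must do itself because its client-credentials token carries scopes only, no
# user context. All names are constructed placeholders modelling the guide.
from dataclasses import dataclass

# Constructed authorization-group hierarchy: child -> parent (None = root).
GROUP_PARENT = {"global": None, "fresh_air_company": "global",
                "berlin_plant": "fresh_air_company", "other_tenant": "global"}
# Constructed capabilities: user group -> [(authorization group, access level)].
CAPABILITIES = {"fresh_air_operators": [("fresh_air_company", "read")],
                "berlin_techs": [("berlin_plant", "write")],
                "admins": [("global", "write")]}
LEVEL_RANK = {"read": 1, "write": 2}


@dataclass(frozen=True)
class Thing:
    thing_id: str
    auth_group: str  # each Thing carries exactly one authorization group


def ancestors(group):
    """Return the group and all its parents, nearest first; reject unknown groups."""
    chain = []
    while group is not None:
        if group not in GROUP_PARENT:
            raise KeyError(f"unknown authorization group: {group}")
        chain.append(group)
        group = GROUP_PARENT[group]
    return chain


def access_level(user_groups, thing):
    """Highest level the user's groups grant on the Thing, or None.
    Assumed from 5.3: a capability on the Thing's own group grants its level;
    a capability on a parent group grants read access only."""
    lineage = ancestors(thing.auth_group)
    grants = []
    for user_group in user_groups:
        for auth_group, level in CAPABILITIES.get(user_group, []):
            if auth_group == thing.auth_group:
                grants.append(level)
            elif auth_group in lineage[1:]:
                grants.append("read")
    return max(grants, key=LEVEL_RANK.get, default=None)


def visible_things(user_groups, things):
    """Filter the Things a job fetched with its own token down to a user's view."""
    return [t for t in things if access_level(user_groups, t) is not None]


THINGS = [Thing("compressor-1", "fresh_air_company"),  # constructed sample data
          Thing("fan-7", "berlin_plant"), Thing("pump-3", "other_tenant")]
```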

www.sap.com/contactsap

© 2017 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.