Subject: SAP Business Application Studio (BAS)
Security is a crucial aspect of any enterprise application. When building cloud-native applications using the Cloud Application Programming Model (CAP) on SAP Business Technology Platform (BTP), implementing robust authorization and authentication mechanisms ensures that sensitive data is protected and users can only perform permitted actions.
This article explores how to implement authorization and authentication in CAP applications developed within SAP Business Application Studio (BAS), leveraging SAP BTP security services.
CAP applications typically rely on SAP BTP’s security infrastructure for these features, notably the XSUAA service. The scopes and role templates your application needs are described in an `xs-security.json` file within your CAP project. Example `xs-security.json`:
```json
{
  "xsappname": "com.example.bookshop",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "$XSAPPNAME.User",
      "description": "User scope"
    }
  ],
  "role-templates": [
    {
      "name": "User",
      "description": "User role",
      "scope-references": [
        "$XSAPPNAME.User"
      ]
    }
  ]
}
```
Reference the `xs-security.json` file from your deployment descriptor (`mta.yaml`) so the XSUAA service instance is created with these scopes and roles.

The CAP Node.js runtime supports authentication via the `@sap/cds` module:

```javascript
// server.js
const cds = require('@sap/cds');
// With an XSUAA authentication strategy configured, the runtime validates the
// incoming JWT and populates req.user (id, roles, attributes) on each request.
module.exports = cds.server;
```
Use the `@restrict` annotation in your CDS model to specify access control rules based on roles or scopes.

Example:

```cds
entity Books @(restrict: [
  { grant: 'READ',  to: ['User'] },
  { grant: 'WRITE', to: ['Admin'] }
]) {
  key ID : UUID;
  title  : String;
}
```
This means:

- The `User` role can read books.
- The `Admin` role can write (create/update/delete).

CAP enforces CDS authorization rules automatically. For custom logic, you can check user roles programmatically:
```javascript
const cds = require('@sap/cds');

module.exports = cds.service.impl(function () {
  // Runs before the generic CREATE handler; req.user is populated from the JWT.
  this.before('CREATE', 'Books', async (req) => {
    if (!req.user.is('Admin')) {
      req.reject(403, 'Forbidden: Only Admin can create books.');
    }
  });
});
```
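To see what the `Books` rules and the programmatic `Admin` check above actually permit, here is an added JavaScript model of CAP’s `@restrict` evaluation (example code, not the article’s or `@sap/cds`’s own; the user objects and the `anonymous` flag are constructed). It also makes explicit a point the rules leave implicit: an `Admin` who does not also hold the `User` role cannot read `Books`.

```javascript
// Added example (not part of the article or of @sap/cds): a compact model of
// how CAP evaluates @restrict rules, applied to the Books entity above.

// The Books @restrict rules from the CDS model, as plain data.
const BOOKS_RESTRICT = [
  { grant: 'READ', to: ['User'] },
  { grant: 'WRITE', to: ['Admin'] },
];

// CAP treats the WRITE grant as shorthand for all modifying events.
const WRITE_EVENTS = new Set(['CREATE', 'UPDATE', 'DELETE', 'UPSERT']);

// Does one grant cover the requested event?
function grantCovers(grant, event) {
  if (grant === '*') return true;
  if (grant === 'WRITE') return WRITE_EVENTS.has(event);
  return grant === event;
}

// Does the user satisfy the rule's `to` clause? Besides application roles,
// the pseudo-roles 'any' and 'authenticated-user' are modelled.
function toMatches(to, user) {
  const roles = Array.isArray(to) ? to : [to];
  return roles.some(r =>
    r === 'any' ||
    (r === 'authenticated-user' && !user.anonymous) ||
    user.roles.includes(r));
}

// Decide a request: any matching rule grants access; otherwise the runtime
// answers 401 for an anonymous user and 403 for an authenticated one.
function authorize(rules, user, event) {
  const allowed = rules.some(rule =>
    grantCovers(rule.grant, event) && toMatches(rule.to, user));
  if (allowed) return { ok: true, status: 200 };
  return { ok: false, status: user.anonymous ? 401 : 403 };
}

// Constructed sample users; in a real service req.user is built from the JWT.
const alice = { id: 'alice', anonymous: false, roles: ['User'] };
const bob = { id: 'bob', anonymous: false, roles: ['Admin'] };
const anon = { id: 'anonymous', anonymous: true, roles: [] };

// Walk the matrix of users and events to see what the rules actually permit.
function accessMatrix() {
  const out = {};
  for (const u of [alice, bob, anon]) out[u.id] = Object.fromEntries(
    ['READ', 'CREATE', 'UPDATE', 'DELETE'].map(e => [e, authorize(BOOKS_RESTRICT, u, e).status]));
  return out;
}
```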
| Best Practice | Description |
|---|---|
| Use Role-Based Access Control (RBAC) | Clearly define user roles and permissions in xs-security.json and CDS models |
| Leverage CAP’s built-in Authorization | Use @restrict annotations for declarative security |
| Avoid Hardcoding Roles | Use dynamic role checks with req.user.is() |
| Secure All Service Endpoints | Protect all routes and data entities from unauthorized access |
| Test Security Thoroughly | Validate authentication and authorization in dev and production environments |
Implementing robust authentication and authorization in CAP applications is essential to safeguard enterprise data and enforce business policies. Using SAP Business Application Studio with CAP and SAP BTP’s XSUAA service offers a seamless and secure way to integrate identity and access management into your cloud applications.
By combining declarative CDS annotations with programmatic role checks, developers can build flexible and secure applications that meet enterprise compliance requirements.