Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Integration Suite – Access Policies for Integration Packages

PeterGutsche
Associate
Associate
‎03-25-2024 5:55 PM

As of increment 2401 of SAP Integration Suite, you can define access policies for integration packages. This extension makes the lives of tenant administrators easier who need to manage large numbers of integration packages and selectively restrict access to integration content for  different user groups.

Short reminder of what Access Policies are:

With an access policy, you can protect groups of integration artifacts against undesired access. You define access policies as described in SAP Help Portal under Managing Access Policies | SAP Help Portal.

For example, you can define an access policy for all integration flows that fulfil the condition: name contains the string ‘Read’. As consequence, all integration flows that meet this condition are protected against unauthorized access.

Protection against unauthorized access covers:

  • All operations on the design time artifacts (such like editing, saving, or deploying an artifact, for example)
  • All operations on the deployed runtime artifacts (like restarting an artifact, for example)
  • Data that is processed or stored by the artifacts (like business data stored for monitoring purposes or stored by integration flows in local data stores or variables)

To enable dedicated users to access these protected artifacts, a role needs to be defined in SAP Business Technology Platform (SAP BTP) cockpit that is associated with the access policy (for more information, see the online documentation).

Access policies can be defined for all available integration artifact types such like integration flows, value mappings, and so forth.

Back to the new feature introduced with increment 2401.

When you open the access policy screen in the Monitor > Integrations and APIs section of SAP Integration Suite (Access Policies tile), you now notice that you can also select Integration Package as Type:

AccessPoliciesIntegrationPackage.png

Using this new option, you only need to specify one single artifact reference to protect all artifacts of an integration package. In the example above, an artifact reference for the integration package with the name My First Integration Package is defined.

You now also understand to what extent the extension makes the life of the tenant administrator easier, whom we talked about earlier:

If you like to protect all artifacts in a dedicated integration package, you can now define an access policy with one single artifact reference. Before this enhancement, you needed to create an individual artifact references for each integration artifact type separately.

Use Cases

You may be wondering in which cases it makes sense to define access policies for integration packages. Let me point out the following rule of thumb:

OptionUse Case
Define access policy for an integration package …If you like to protect all the artifacts of an integration package (including artifacts of all types).
Define access policy for individual artifact types (for example, integration flows and value mappings) …If you like to protect only few, but not all artifacts of the integration package.

Compatibility with Access Policies for Specific Artifact Types

As said, an access policy for an integration package affects the access to all artifact types contained in the package. However, you can still define access policies for individual artifact types. Now the following can happen: you may want to define an access policy for a specific integration package that contains artifacts for which other, artifact type-specific access policies exist already. What happens in such a case? The message at the top of the dialog provides a clue: for compatibility reasons, existing access policies for individual artifact types will remain intact when you define an access policy for an integration package. Access policies for dedicated artifact types co-exist with access policies on integration package level. Or, phrased differently: When you define an access policy for an integration package that contains artifacts that are also protected by another access policy (for example, by an access policy for a specific group of integration flows), the latter remain valid as well. The message prompts you to check if access policies have already been defined for specific artifacts in your package that you want to protect as a whole.

Let's see how the co-existence of access policies on integration package and on artifact level affects things in a specific example.

Let’s assume that an integration package is protected by one access policy. Furthermore, this integration package contains an integration flow that is protected by another access policy.

To walk you through the example step-by-step, the following two access policies are defined:

Access Policy NameProtects
PackageAccessArtifacts contained in the integration package with the name My First Integration Package
FlowAccessIntegration flows (across all integration packages) with a name that starts with the word Read (matches regular expression ^Read.*)

The tenant has two integration packages with the names My First Integration Package and My Second Integration Package. Both packages contain also integration flows protected by the artifact-related access policy (integration flows with a naming starting with Read).

As a result of this setup, the artifacts are now protected as shown in the following figure:

BLOG_AccessPolicie.png

As we said that access policies protect the specified artifacts – unless a user has a role assigned that is associated with the access policy – we can do the combinatorics with 4 fictitious users with different role assignments:

UserAssigned roleRole associated with access policy*Can access
User1

Role1

Role2

PackageAccess

FlowAccess		All artifacts in all shown integration packages
User2Role1PackageAccess
  • In the package My First Integration Package protected by the package-level access policy: All artifacts
  • In the non-protected package My Second Integration Package: all artifacts, unless they are protected by access policy FlowAccess (for which this user has no corresponding role assignment)
User3Role2FlowAccess
  • In the package My First Integration Package protected by the package-level access policy: integration flows that are protected by the access policy FlowAccess. All other artifacts are protected from this user through the package-level access policy PackageAccess.
  • In the non-protected package My Second Integration Package: All artifacts (because here, this user also can access the artifacts protected by the integration flow-related access policy FlowAccess)
User4(No role assigned)n.a.

Because this user does not have either of the roles, they are subject to the access restrictions defined by both access policies.

As a result, the only artifact they can access is the artifact that is covered by none of the access policies (the non-protected integration flow in the non-protected integration package).

*To be more precise: Role associated with an access policy means: For the Values attribute of the role a string is specified that matches the name of the access policy. For more information on this, check out the online documentation in SAP Help Portal under Creating Custom Roles for Access Policies | SAP Help Portal.

13 Comments
ChandraMahajan
Active Contributor
‎04-02-2024 12:28 PM
0 Kudos

Hello,

This will be very helpful feature. what is the timeline to get this feature in Integration suite?

Regards,

Chandra

PeterGutsche
Associate
Associate
‎04-07-2024 5:13 PM

hi Chandra,

this feature is already available as of increment 2401 of SAP Integration Suite. You can check out the release notes here:

What's New in SAP Integration Suite | SAP Help Portal

Thanks for asking!

Best regards

Peter

Brandt
Discoverer
‎04-08-2024 9:00 AM
0 Kudos

Hi,

is there a specific reason that the "Match" Operator cannot be used for Access Policies of Integration Packages? 
This kind of operator can be used in all other Access Policies! Based on this it's currently required to create for each package an individual Access Policy, what makes no sense from my point of view. 

Regards
Joern

PeterGutsche
Associate
Associate
‎04-08-2024 1:14 PM
0 Kudos

Hi Joern, 

thank you for your question!

Regular expressions were excluded for the Integration Packages feature to avoid conflicts with expressions defined at artifact level. As integration package- and artifact-level access policies co-exist, this limitation was introduced to avoid conflicting expressions.

I hope this helps to answer your question.

Best regards

Peter

 

Brandt
Discoverer
‎04-08-2024 1:54 PM
0 Kudos

Hi Peter, 

unfortunately in that case the long awaited feature is more or less useless for us, because teams on our platform have multiple packages with a dedicated prefix. So our hope was that we can have some restriction like "team1.*" and "team2.*" to distingluish between the team as we did for the artifacts. 

But does it not run into the same naming conflict if you have a access poliy with the same name for package and artifact!? 

Regards
Joern

PeterGutsche
Associate
Associate
‎04-08-2024 2:01 PM
0 Kudos

Hi Joern,

thanks for providing your detailed feedback! Let me forward the feedback and the additional question to the development team and get back to you as soon as possible here.

Best regards

Peter

chris_75
Explorer
3 weeks ago
0 Kudos

Hi Peter,
long-awaited expansion. Very helpful. However, we still cannot restrict read access to the artifacts with access policies. Is this expansion planned?

Thanks

Christian

PeterGutsche
Associate
Associate
3 weeks ago
0 Kudos

Hi Christian,

thank you for your question! I can't comment on planned features, but would like to point you to the following resources:

You can check out the Roadmap (search for SAP Integration Suite).

You can check out feature requests in the Influence Portal, vote for one if that fits to your idea, or create a new one.

Quickly checking both resources, I didn't find yet an entry that exactly fits to your request.

Best regards

Peter

ChandraMahajan
Active Contributor
2 weeks ago
0 Kudos

@PeterGutsche - I can see access policy feature at Integration package level. I have additional question. when I am trying to create service key for Process integration runtime with API as Plan, I am not able to see any custom roles. how can we add custom role (associated with access policy) via API access?  help docu (below snap) talks about API based access so I assume this should work with custom role while creating service key. Please let me know.

ChandraMahajan_0-1714141735448.png

 

PeterGutsche
Associate
Associate
2 weeks ago
0 Kudos

@ChandraMahajan,

Thank you for the question!

Yes, you noticed correctly: When defining a service instance with plan=api, you can’t assign any role that you have created based on the custom_role template (role associated with an access policy).

An API client that wants to access resources protected by an access policy using a technical user (defined through a service instance with OAuth client credentials grant) is inherently excluded from accessing those resources. For this OAuth grant type, you can’t assign the technical user a role that is defined to circumvent the access policy.

A workaround to bypass this situation would be to associate the API client with a user defined by an identity provider.

For this user, you can then define a role (based on the custom_role template) to be associated with the access policy as described in the documentation.

In principle, it would be possible to configure API access using OAuth Password Grant. However, I have not tested this myself and there is no detailed documentation available yet.

I hope I was still able to help you.

Best regards,

Peter

ChandraMahajan
Active Contributor
Monday
0 Kudos

@PeterGutsche  - Thanks for reply. 

A workaround to bypass this situation would be to associate the API client with a user defined by an identity provider. - Could you please elaborate more on associating API client with user? 

We are looking to enable feature where Service keys will be used within CI/CD pipeline and expecting that service key associated with particular package (and its owner) will be able to deploy/change iflows and restrictions will be applied via Access Policy etc.

 

 

ChandraMahajan
Active Contributor
Wednesday
0 Kudos

@PeterGutsche or other experts - Any updates on my question related to associating custom role with service key (or rather service instance)? 

PeterGutsche
Associate
Associate
Wednesday
0 Kudos

@ChandraMahajan,

when defining inbound authentication for API calls with client certificate or OAuth2 client credentials grant, you define a technical user based on a service instance with plan=api.

As said before, here, you can’t assign any role that you have created based on the custom_role template (role associated with an access policy).

I see a possible solution in doing the API call with a user defined in an identity provider (and define a role for this user based on the custom_role template). Such a scenario is documented, but only for the (unsecure) option basic authentication.

I am not sure yet if that was tested with a more secure authentication option, e.g. using an OAuth authentication flow. 

Therefore, I kindly ask for a little more patience. I haven't tested such a scenario myself yet.

Labels in this area
Popular Blog Posts