
SAP Cloud Workflow user task giving authorization issues with Group; but works with individual user

karanbahl
Active Participant

Hi All,

I am able to access My Inbox, Monitor Workflows - Instances and Definition using an individual user. However, when I remove the user and assign an Active Directory group, the applications stop working and I get the following error in the console, although I have assigned all the workflow roles to the group just as I did to the individual user. Any suggestions archana.shukla tobias.breyer ?

The SAML Trace indicates that the group is being referred to.

Regards,

Karan

REST API call encountered an error of type 'error' with HTTP status code 403:
"{\"error\":{\"message\":\"User does not have sufficient privileges.\"}}" 
drvup
Contributor

Hi Karan,

Can you please tell us some more details about your environment, IDP setup and the federated trust you set up?

I guess the error you attached is visible on the console of CF approuter?

Can you check the binding to the XSUAA application? Can you provide the routes of your approuter + xs-security ?

tobias_breyer
Contributor

Hi Karan,

Just changing the workflow content to reference user groups is usually not sufficient. You have to do additional IDP-related configuration. Whether you can use Active Directory groups right away, I don't know. It might happen that you have to make them available to the CP IDP integration through some configuration.

In the following blog, I think the parts on general group configuration in the Cockpit might give you an idea where to do this in CF. While the blog shows instance-related roles, which are checked on certain API calls if available on the instance, the roles of the current user come the same way (e.g. via the OAuth tokens in CF). So have a look at the Cockpit parts especially.

https://blogs.sap.com/2020/03/23/controlling-user-access-to-monitor-workflows-in-sap-cloud-platform/

For the overall idea, maybe the old blog on Neo also helps:

https://blogs.sap.com/2018/01/10/groups-in-sap-cloud-platform-workflow-part-1/

Regards,

Tobias

karanbahl
Active Participant

Thanks drvup and tobias.breyer for your responses. Below is the role collection, say Assurance, that I created; Assurance is also the AD group name created at the backend. Similarly, the other role collections are also mapped to the AD groups.

I tried with a lower-case group name as well in my workflow in the Business Application Studio.

If I assign the role collection directly to the user, the error goes away. I will go through the blogs and check whether there is a missing step for groups.

Custom IDP is being used.
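Tobias's point that the user's roles arrive through the OAuth token, and Karan's observation that the role collection is granted when assigned directly but not via the AD group, both come down to two checks: does the role-collection mapping condition actually match the group value the IdP sends, and does the resulting token carry the scope the workflow API demands. The script below is an added diagnostic example, not code from this thread or from SAP; it assumes that the mapping is an exact, case-sensitive comparison of the "Groups" attribute value, and the group names, role collection names and scope strings are constructed placeholders.

```python
import base64
import json

# Constructed sample input: the values of the "Groups" attribute that the
# custom IdP's SAML assertion carries for the user (hypothetical group names).
SAML_GROUPS = ["Assurance", "Finance-Approvers"]

# Constructed sample input: role-collection mappings of the subaccount
# (hypothetical collection names). Each mapping says "grant this role
# collection when the named attribute equals this value".
ROLE_COLLECTION_MAPPINGS = {
    "Assurance": {"attribute": "Groups", "value": "assurance"},        # case differs
    "WorkflowAdmin": {"attribute": "Groups", "value": "Finance-Approvers"},
}


def effective_role_collections(saml_groups, mappings):
    """Role collections whose mapping value equals one of the SAML group values.

    Assumption made here: the comparison is an exact, case-sensitive string
    match, so the mapping value "assurance" does not match the group "Assurance".
    """
    return sorted(
        name for name, m in mappings.items()
        if m["attribute"] == "Groups" and m["value"] in saml_groups
    )


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token):
    """Return the claims of a JWT *without* verifying its signature.

    Meant for reading a token you already hold while diagnosing a 403;
    an unverified payload must never drive an authorization decision.
    """
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_scopes(token, required_scopes):
    """Scopes from required_scopes that the token's 'scope' claim lacks."""
    granted = set(decode_jwt_payload(token).get("scope", []))
    return sorted(s for s in required_scopes if s not in granted)


def make_unsigned_token(claims):
    """Build an alg=none JWT from a claims dict (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    print("role collections granted:",
          effective_role_collections(SAML_GROUPS, ROLE_COLLECTION_MAPPINGS))
    # Hypothetical scope strings in the "<xsappname>.<scope>" shape used by XSUAA.
    token = make_unsigned_token({"scope": ["workflow!t1.TASK_GET"]})
    print("missing:", missing_scopes(
        token, ["workflow!t1.TASK_GET", "workflow!t1.WORKFLOW_INSTANCE_GET"]))
```

Run against a real environment, `SAML_GROUPS` would come from the SAML trace mentioned in the question and the token from the browser session; if `effective_role_collections` drops a collection because of a case mismatch, or `missing_scopes` lists the scope the 403 is about, the gap is in the group mapping or the role collection content rather than in the workflow definition.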

karanbahl
Active Participant

The issue is resolved after the IdP configuration and a browser cache clean-up.