
Restrict BTP HTML5 Application access to non sub-account users

TheVivekGowda
Explorer
0 Kudos

HTML5 application deployed in a neo subaccount is accessible for any user who has access to BTP. They don't need to be part of the same global account, subaccount or have any relation at all.

One of the ways to restrict this is using application permissions. But this will introduce a lot of maintenance. Every time there is a new user, that needs to be updated in BTP. This solution is not feasible in our case.

Basically we need to deploy a HTML5 application which should be accessible only for people who are part of the same account. We don't want to introduce new roles and permissions. Is there any way to handle these kinds of scenarios? I always assumed this is how it was by default but now realized that I am wrong.

I am hoping there will be something in neo-app.json which would help us to do this. Any help on this topic is appreciated. Thanks.

TheVivekGowda
Explorer
0 Kudos

c3d1947136cd4c748a7aa794001af496 mariusobert kiril.gavrailov pars.man muralidaran.shanmugham2

Sorry about spamming. But it would be great to know if any of you guys faced similar issues and found any fixes? Thanks in advance.

Accepted Solutions (0)

Answers (2)

lucasvaccaro
Product and Topic Expert
0 Kudos

Besides Marius' answer, I'd like to comment on the following:

"Every time there is a new user, that needs to be updated in BTP."

If you use a custom IdP, this problem can be solved with Default Groups or Assertion-Based Groups. See the step 6 here.

mariusobert
Developer Advocate
0 Kudos

Hi,

In the approuter, you can only differentiate between "none" authentication or "xsuaa". And as you don't want to go for the public option, you need to choose xsuaa which means all users need to be registered in the IdP. And I think this is the right way to go here.

I understand that it might mean some extra steps as a developer, but allowing access to all users of the subaccount seems wrong to me (or even a potential security risk). If we're talking about a large number of users, I'm sure there are IdP systems that allow batch entries as well (but this is not my area of expertise and I'm just guessing on the last point).

TheVivekGowda
Explorer
0 Kudos

Thanks for the suggestion.

Regarding approuter and xsuaa - I believe these things are related to Cloud Foundry deployment but not Neo. Anyhow, we can do almost similar stuff from neo-app which will enable the 'saml' authentication method.

About security risk, yes I feel the same. Giving access to all subaccount users is not good. But by default BTP is allowing access to every user even if they are not part of the subaccount and global account. Not able to find any way to restrict to global account or subaccount users. Going ahead with creating a custom role and then applying application permission is the only way to go then.

mariusobert
Developer Advocate

In my understanding, only technical users (developers, admins etc) should have access to global and sub accounts. Business users are best to be managed in a separate IdP that you then connect to your subaccount.
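The descriptor-level fix the thread arrives at (SAML login in neo-app.json plus an application permission that the subaccount admin maps to a role) can be checked mechanically. The script below is an added example, not code from the thread or from SAP: it embeds three constructed neo-app.json descriptors (login only, login plus a securityConstraint, and anonymous) and reports which paths an arbitrary IdP user could reach. Key names follow the neo-app.json descriptor ("authenticationMethod", "routes", "securityConstraints", "protectedPaths"); the permission name "accessPermission" and the assumption that an absent authenticationMethod defaults to SAML are mine, not statements from the thread.

```python
"""Audit a Neo neo-app.json for the pattern discussed in the thread:
SAML login switched on, but no securityConstraint, so every user who
can authenticate at the IdP (any BTP user, not only subaccount members)
can open the application.

Added example, not code from the post or from SAP. The permission name
"accessPermission" is the conventional one and is an assumption here.
"""
import json

# Constructed: login required, but nothing limits who may enter.
WEAK_NEO_APP = json.dumps({
    "welcomeFile": "/webapp/index.html",
    "authenticationMethod": "saml",
    "routes": [
        {"path": "/resources", "target": {"type": "service", "name": "sapui5",
                                           "entryPath": "/resources"}},
        {"path": "/api", "target": {"type": "destination", "name": "backend"}},
    ],
})

# Constructed: the whole application sits behind a permission that the
# subaccount admin maps to a role in the cockpit.
HARDENED_NEO_APP = json.dumps({
    "welcomeFile": "/webapp/index.html",
    "authenticationMethod": "saml",
    "routes": [
        {"path": "/resources", "target": {"type": "service", "name": "sapui5",
                                           "entryPath": "/resources"}},
        {"path": "/api", "target": {"type": "destination", "name": "backend"}},
    ],
    "securityConstraints": [
        {"permission": "accessPermission",
         "description": "Application access",
         "protectedPaths": ["/"]},
    ],
})

# Constructed: anonymous access, the other option the thread mentions.
PUBLIC_NEO_APP = json.dumps({"authenticationMethod": "none", "routes": []})


def _covered(path: str, protected_paths: list[str]) -> bool:
    """True if some protected path is a prefix of `path` at a path boundary."""
    for p in protected_paths:
        p = p.rstrip("/") or "/"
        if p == "/" or path == p or path.startswith(p + "/"):
            return True
    return False


def audit_neo_app(descriptor: str) -> list[tuple[str, str]]:
    """Return (code, message) findings. An empty list means login is
    required and the application root plus every route is behind a
    permission."""
    app = json.loads(descriptor)
    findings: list[tuple[str, str]] = []

    # Assumption: an absent key means the platform default, taken as SAML.
    auth = app.get("authenticationMethod", "saml")
    if auth == "none":
        findings.append(("NO_AUTH",
                         "authenticationMethod is 'none': the app is public"))
        return findings

    protected: list[str] = []
    for c in app.get("securityConstraints", []):
        if not c.get("permission"):
            findings.append(("EMPTY_PERMISSION",
                             "securityConstraint without a permission name"))
        protected.extend(c.get("protectedPaths", []))

    # Check the application root as well as each declared route path.
    for path in ["/"] + [r.get("path", "") for r in app.get("routes", [])]:
        if not _covered(path, protected):
            findings.append(("UNPROTECTED_PATH",
                             f"{path}: authenticated but unrestricted, "
                             "any user who can log in at the IdP gets in"))
    return findings


if __name__ == "__main__":
    samples = [("weak", WEAK_NEO_APP), ("hardened", HARDENED_NEO_APP),
               ("public", PUBLIC_NEO_APP)]
    for name, descriptor in samples:
        print(name, audit_neo_app(descriptor))
```

Running it against the three samples flags the root and both routes of the login-only descriptor, reports the anonymous one as public, and returns nothing for the constrained one. The constraint alone does not decide who gets in: the permission still has to be assigned to a role in the subaccount, which is the maintenance step lucasvaccaro's default or assertion-based groups are meant to absorb.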