Technology Blogs by SAP
martin_blust
Advisor
Setting up ready-to-use role collections in the Cloud Foundry environment of SAP Business Technology Platform is cumbersome.

I bet it bothered you that there was no quick way of creating role collections right away. It would be handy to push role collections directly into the SAP BTP cockpit so that admins could use them immediately and assign them to users.

Good news: A quick shortcut is available now (Release Notes and Quick Start: Create Role Collections (with Predefined Roles)).

How do I do that?


You directly define the role collections in the xs-security.json using the new role-collections property.

These defined role collections reference role templates. The role templates can be in the same application or in other applications, but within the same subaccount. As soon as you've deployed your application, the SAP BTP cockpit displays the role collections. They contain the roles you predefined in the referenced role templates.

What do you need to do?

1. Deploy an application you want to use for creating role collections.

2. Edit the xs-security.json file and add the role-collections property. For details see the role-collections section in Application Security Descriptor Syntax.
{
  "role-templates": [
    {
      "name": "Viewer",
      "description": "View Users",
      "scope-references": [
        "$XSAPPNAME.Display"
      ]
    },
    {
      "name": "Manager",
      "description": "Maintain Users",
      "scope-references": [
        "$XSAPPNAME.Display",
        "$XSAPPNAME.Update"
      ]
    }
  ],
  "role-collections": [
    {
      "name": "UserManagerRC",
      "description": "User Manager Role Collection",
      "role-template-references": [
        "$XSAPPNAME.Viewer",
        "$XSAPPNAME.Manager"
      ]
    }
  ]
}

3. Go to the folder where the xs-security.json file is stored.

4. To deploy the security information, create a service instance using your xs-security.json file:
cf create-service xsuaa application <service_name> -c xs-security.json

Example:
cf create-service xsuaa application rolecoll-serv -c xs-security.json


5. (If you do not use a manifest file) Bind your application to the service:
cf bind-service <application_name> <service_name>

Example:
cf bind-service rcpropertyapp rolecoll-serv

Now, you have created a role collection.

6. Log on to the SAP BTP cockpit.

7. Navigate to your subaccount. The Role Collections menu item displays the role collection you defined during this procedure. Admins can now log on to the SAP BTP cockpit and assign this role collection to users.
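Before running cf create-service it pays to check the descriptor offline: a scope that is never defined, a role-template-reference that points nowhere, or a role collection name that is already taken in the subaccount all surface only as a service-broker error at deployment time. The following script is an added example for this post, not SAP tooling and not the blog author's code. It assumes the descriptor layout used above (xsappname, scopes, role-templates, role-collections), resolves only $XSAPPNAME references, and takes the names of role collections already present in the subaccount as a caller-supplied set (constructed here, not fetched from the cockpit). The scope definitions and the xsappname are added to the blog's snippet so that $XSAPPNAME.Display and $XSAPPNAME.Update actually exist.

```python
"""Offline pre-deployment check for an xs-security.json with role collections.

Added example, not SAP tooling. Resolves $XSAPPNAME references against the
scopes and role templates defined in the same file; references to other
applications' role templates cannot be checked offline and are only noted.
"""
import json

# Constructed sample: the blog's snippet plus the xsappname and scope
# definitions a real descriptor needs for $XSAPPNAME.Display/.Update to exist.
SAMPLE_DESCRIPTOR = json.dumps({
    "xsappname": "rcpropertyapp",
    "scopes": [
        {"name": "$XSAPPNAME.Display", "description": "Display users"},
        {"name": "$XSAPPNAME.Update", "description": "Update users"},
    ],
    "role-templates": [
        {"name": "Viewer", "description": "View Users",
         "scope-references": ["$XSAPPNAME.Display"]},
        {"name": "Manager", "description": "Maintain Users",
         "scope-references": ["$XSAPPNAME.Display", "$XSAPPNAME.Update"]},
    ],
    "role-collections": [
        {"name": "UserManagerRC", "description": "User Manager Role Collection",
         "role-template-references": ["$XSAPPNAME.Viewer", "$XSAPPNAME.Manager"]},
    ],
})

# Constructed broken variant: an undefined scope, an undefined role template,
# a duplicate role collection name and a reference into another application.
BROKEN_DESCRIPTOR = json.dumps({
    "xsappname": "rcpropertyapp",
    "scopes": [{"name": "$XSAPPNAME.Display"}],
    "role-templates": [
        {"name": "Viewer",
         "scope-references": ["$XSAPPNAME.Display", "$XSAPPNAME.Delete"]},
    ],
    "role-collections": [
        {"name": "UserManagerRC",
         "role-template-references": ["$XSAPPNAME.Viewer", "$XSAPPNAME.Admin"]},
        {"name": "UserManagerRC",
         "role-template-references": ["otherapp.Auditor"]},
    ],
})

PREFIX = "$XSAPPNAME."


def validate_descriptor(text, existing_collections=()):
    """Return (errors, notes) for the descriptor JSON in `text`.

    errors: problems that break the deployment or leave the role collection
            without usable roles (undefined scopes or templates, duplicate
            names, names already taken in the subaccount).
    notes:  references into other applications that cannot be resolved here.
    """
    desc = json.loads(text)
    errors, notes = [], []

    if "xsappname" not in desc:
        errors.append("missing mandatory xsappname")

    scopes = {s["name"] for s in desc.get("scopes", [])}

    templates = set()
    for tpl in desc.get("role-templates", []):
        name = tpl["name"]
        if name in templates:
            errors.append(f"duplicate role template '{name}'")
        templates.add(name)
        for ref in tpl.get("scope-references", []):
            if ref not in scopes:
                errors.append(f"role template '{name}' references undefined scope '{ref}'")

    seen = set()
    for rc in desc.get("role-collections", []):
        name = rc["name"]
        if name in seen:
            errors.append(f"duplicate role collection '{name}' in this file")
        seen.add(name)
        # Role collection names are unique per subaccount: deploying the same
        # descriptor into a second space fails with "already exists in this subaccount".
        if name in existing_collections:
            errors.append(f"role collection '{name}' already exists in the subaccount")
        refs = rc.get("role-template-references", [])
        if not refs:
            errors.append(f"role collection '{name}' references no role template")
        for ref in refs:
            if ref.startswith(PREFIX):
                if ref[len(PREFIX):] not in templates:
                    errors.append(f"role collection '{name}' references undefined role template '{ref}'")
            else:
                notes.append(f"role collection '{name}' references external template '{ref}' (not checked)")
    return errors, notes


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DESCRIPTOR), ("broken", BROKEN_DESCRIPTOR)):
        errs, nts = validate_descriptor(text, existing_collections={"people_request_Admin"})
        print(f"{label}: {len(errs)} error(s), {len(nts)} note(s)")
        for line in errs + nts:
            print("  -", line)
```

Run it against your own xs-security.json before step 4; the list of existing role collection names is whatever you see under Security -> Role Collections in the cockpit for the target subaccount.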

NOTE

There is a tutorial with an xs-security.json file that includes role collections. You may use this as an example.

You find the tutorial here: Tutorials for Authorization and Trust Management
13 Comments
former_member620294
Discoverer
0 Kudos
Very helpful blog! The issue of not having a quick way of creating role collections right away was a huge obstacle. This really does simplify things.
martin_blust
Advisor
0 Kudos
If you have already deployed an application and only change the xs-security.json file, use “cf update-service” to make Cloud Foundry read the content of the changed xs-security.json file. See SAP Help Portal: Update Service Instance
Hilmar
Advisor
Advisor
Hi martin.blust,

How can I avoid errors like "Bad Gateway: Service broker error: Service broker xsuaa failed with: org.springframework.cloud.servicebroker.exception.ServiceBrokerException: Role Collection XYZ already exists in this subaccount.", when I'm using the CF MTA Plugin for deployment of MTAR?

Live long and prosper

Hilmar
former_member194460
Participant
0 Kudos
Hi Martin,

we do have the same issue (Role Collection already exists).

If we have built the role collections already, the new deployment within a new space (Prod) will fail, because the role collections already exist.

Of course, I can remove the role-collections property from the xs-security file, but this is not nice at all.

BR

Dirk
former_member194460
Participant
0 Kudos
And another issue was that I was not able to assign the roles to these generated role collections.

In the end I had to create the role collections manually and could assign them to the roles.

BR

Dirk
ErikP
Explorer
0 Kudos
Hi Martin,

It would be great if you could also add the usergroup.
So the IDP and the user group name. Do you know if this is possible?

regards Erik
martin_blust
Advisor
0 Kudos
Hello,

As far as I know it is only possible to include attributes that come with groups. See Application Security Descriptor Configuration Syntax. I guess this is not what you want to do.

To add user groups to a role collection, use the SAP BTP cockpit. <global_account> -> <subaccount> -> Security -> Users brings you to the screen where you can manage users' permissions. See Working with Users.

Of course, you must have administrator rights to do so.
former_member719442
Discoverer
0 Kudos
Hi Martin,

Is there a way to move roles & role collections between subaccounts? How can we move roles without manually creating them in every subaccount? Appreciate your reply.

Thanks

Harish
js2
Product and Topic Expert
0 Kudos
Is there a way to delete role collections that are created via the xs-security.json file?

The BTP cockpit greys out the delete button for these and says "You cant delete read-only role collections".

Maybe the only way is to delete the xsuaa instance or undeploy the mta...
js2
Product and Topic Expert
0 Kudos
Seems that simply removing the role collection from the xs-security.json and redeploying the mta is all you need to do...  😉
0 Kudos
In the terminal, you can run this command to delete the xsuaa instance:

cf delete-service SERVICE_INSTANCE

In this example, it will be cf delete-service rolecoll-serv
ruben_alvarez
Explorer
0 Kudos
Hi Martin,

Is it possible to deploy an application with role-collections in different spaces of the same sub-account?

This error occurs during deployment:

Creating service "PeopleRequest-xsuaa-service" from MTA resource "people_request-uaa"...
Error monitoring creation or update of services: Error creating service "PeopleRequest-xsuaa-service" from offering "xsuaa" and plan "application": Service broker error: Service broker xsuaa failed with: Role Collection people_request_Admin already exists in this subaccount. Please choose a different name.

Regards
martin_blust
Advisor
Advisor
0 Kudos
I guess the xsappname must be unique, maybe even in the global account.