SAP Fiori Launchpad on Cloud Foundry - Role Configuration Issues

We have a range of apps deployed to our Fiori Launchpad (via an mta file) on Cloud Foundry.

I came across this blog that describes setting up role access on an app by app basis.

Configuring Roles – SAP Fiori Launchpad Cloudfoundry | SAP Blogs.

Firstly, I set up approuter/xs-app.json as follows. Note this has a single config_admin scope as opposed to the 2 (approver and user) in the blog. The reason for this is we only need a single configurable role at the moment, so I'm making the assumption we only need a single scope.

Does the below snippet look correct? I've used "srv_api" as the destination from the blog, but not sure if it needs to be something else.

{
    "authenticationMethod": "route",
    "welcomeFile": "/cp.portal",
    "routes": [
        {
            "source": "^/catalog(.*)$",
            "target": "/catalog$1",
            "destination": "srv_api",
            "authenticationType": "xsuaa",
            "scope": {
                "GET": ["$XSAPPNAME.config_admin"],
                "PATCH": ["$XSAPPNAME.config_admin"],
                "POST": ["$XSAPPNAME.config_admin"],
                "PUT": ["$XSAPPNAME.config_admin"],
                "DELETE": ["$XSAPPNAME.config_admin"],
                "default": ["$XSAPPNAME.config_admin"]
            }
        }
    ],
    "logout": {
        "logoutEndpoint": "/do/logout"
    }
}

Next up, xs-security.json in the project root.
{
    "xsappname": "demo",
    "tenant-mode": "dedicated",
    "description": "Security profile of called application",
    "scopes": [
        {
            "name": "uaa.user",
            "description": "UAA"
        },
        {
            "name": "$XSAPPNAME.config_admin",
            "description": "UAA configuration admin"
        }
    ],
    "role-templates": [
        {
            "name": "Token_Exchange",
            "description": "UAA",
            "scope-references": ["uaa.user"]
        },
        {
            "name": "ADMIN_USER",
            "description": "UAA ADMIN_USER",
            "scope-references": ["uaa.config_admin"]
        }
    ]
}

... and finally the manifest.json of the app I would like to apply the role to:

"sap.platform.cf": { "oAuthScopes": ["$XSAPPNAME.config_admin"] }

The app exists in a Group containing only that app.

When deployed to SAP Cloud Foundry, the Group and app are hidden. Fine I thought, just needs the role configured on the BTP side?

In BTP, I set up the role collection with my user, and the two roles, ADMIN_USER and Token_Exchange, which were deployed correctly to BTP in the previous step.

However, the app and its Catalog are still hidden from view on the Fiori Launchpad. The only apps that do appear are the ones without the "sap.platform.cf" manifest entry.

Am I approaching this the correct way? Have I missed something?

Or do I need to set up two separate scopes, as in the guide, and include the relevant scope in each and every app?

*Note - I've tried setting up the user without the Token_Exchange role, with the same result.

There are 1 answers

Adam Harkus On

The answer is a typo in xs-security.json

Should be: "scope-references": ["$XSAPPNAME.config_admin"]
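
An added example, not part of the original question or answer: a small Python check that flags the mismatch described above before deployment. It assumes every scope referenced by a role-template is meant to be declared in the same xs-security.json, as in the question's file; `lint_scopes` and `required_from` are hypothetical helper names, and the embedded JSON is a constructed, trimmed copy of the question's configuration.

```python
import json

# Constructed sample: trimmed copy of the xs-security.json from the question.
XS_SECURITY = json.loads("""
{
  "xsappname": "demo",
  "scopes": [{"name": "uaa.user"}, {"name": "$XSAPPNAME.config_admin"}],
  "role-templates": [
    {"name": "Token_Exchange", "scope-references": ["uaa.user"]},
    {"name": "ADMIN_USER", "scope-references": ["uaa.config_admin"]}
  ]
}
""")

# Scopes demanded by the xs-app.json route and the manifest.json entry in the question.
XS_APP_ROUTE_SCOPES = {"GET": ["$XSAPPNAME.config_admin"], "default": ["$XSAPPNAME.config_admin"]}
MANIFEST_OAUTH_SCOPES = ["$XSAPPNAME.config_admin"]


def lint_scopes(xs_security, required_scopes):
    """Return findings for dangling references and required scopes no role grants."""
    # Assumption: referenced scopes are all declared in this file's "scopes" list.
    declared = {s["name"] for s in xs_security.get("scopes", [])}
    granted, findings = set(), []
    for tmpl in xs_security.get("role-templates", []):
        for ref in tmpl.get("scope-references", []):
            if ref in declared:
                granted.add(ref)
            else:
                findings.append(f"role-template {tmpl['name']}: undeclared scope {ref}")
    for scope in sorted(set(required_scopes)):
        if scope not in declared:
            findings.append(f"required scope {scope} is not declared")
        elif scope not in granted:
            findings.append(f"required scope {scope} is not granted by any role-template")
    return findings


def required_from(route_scope, manifest_scopes):
    """Collect every scope named by an xs-app.json route scope object and a manifest entry."""
    names = set(manifest_scopes)
    for value in route_scope.values():
        names.update([value] if isinstance(value, str) else value)
    return names


if __name__ == "__main__":
    for finding in lint_scopes(XS_SECURITY, required_from(XS_APP_ROUTE_SCOPES, MANIFEST_OAUTH_SCOPES)):
        print(finding)
```

The second finding explains the symptom in the question: the role deploys and can be assigned, but it carries no scope the launchpad app requires, so the app stays hidden.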