Technology Blogs by SAP
maik_toth5
Maybe you have already had the chance to work with SAP HANA Cloud Platform and asked yourself how to manage users, roles and groups in a convenient, automated way rather than maintaining the users manually. In case you did, let me use the chance to give you a small introduction to the Authorization Management REST API provided by SAP HANA Cloud Platform.

Let me clearly emphasize that this API can manage Predefined and Custom roles, but not Account Member Roles.

To consume this REST API, you need to obtain OAuth client credentials (client ID and secret) from your account in the SAP HANA Cloud Platform. For that, enable the Beta features in your account.


Once done, you can generate a global OAuth Client for your account.

Remember the Client ID and Secret, as you will need them in the next step to obtain the OAuth Access Token. The Client ID can be seen as a user ID and the Client Secret as the password. There is quite good documentation in place on how to tackle the first hurdle, obtaining the OAuth access token; refer to the official SAP HANA Cloud Documentation. I want to give you a brief overview of how to manage that with an API client test tool. The goal is to have a lightweight user life-cycle.

These are the steps we want to follow:
  1. Get a list of assigned roles
  2. assign the predefined role “Administrator” for the Java application “testd0xxxxxx”
  3. check the result on the HCP Account
  4. delete the role again
  5. check again the result on the HCP Account

Pretty straightforward and a common user life-cycle scenario, isn't it?

Retrieve an OAuth Access token

Assuming you have obtained the OAuth Client ID and Client Secret, we can start by encoding those into a Base-64 encoded string.


  POST https://api.<landscape_host>/OAuth2/apitoken/v1?grant_type=client_credentials

Authenticate with Basic Authentication by setting the HTTP header Authorization:

  Authorization: Basic <Base-64 encoded <ClientID>:<ClientSecret>>
You receive a response like this:

  {
    "access_token": "b29c79e3859d25aa62c234494eda33b9",
    "token_type": "Bearer",
    "expires_in": 1500,
    "scopes": [
      "hcp.manageAuthorizationSettings",
      "hcp.readAuthorizationSettings"
    ]
  }
Et voilà, this is your OAuth Access token for the next 1500 seconds (expires_in is a lifetime in seconds, as the OAuth 2.0 specification defines it). The response is a JSON object, whose access_token value is the one which makes you happy.
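As an added example (my own code, not the author's and not an SAP library), here is a small Python client for the token step above: it builds the Basic header from client ID and secret, posts to the token endpoint through an injectable transport, parses the response, tracks the expiry in seconds with a refresh margin, and checks that the returned scopes include the manage scope before the token is used for any write. The landscape host, the transport signature and the fake transport are assumptions; the response body is the one shown in the post.

```python
"""OAuth client-credentials flow against the HCP API token endpoint.

Added example, not code from the post or from SAP. The landscape host,
the transport callable and the fake transport are assumptions; the
token response body is the one shown in the post.
"""
import base64
import json
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# A transport sends one request and returns (HTTP status, response text).
# Injecting it keeps the flow testable offline and easy to swap for a real client.
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]

TOKEN_PATH = "/OAuth2/apitoken/v1?grant_type=client_credentials"
WRITE_SCOPE = "hcp.manageAuthorizationSettings"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization value for HTTP Basic: 'Basic ' + Base64('clientId:clientSecret')."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


@dataclass(frozen=True)
class Token:
    access_token: str
    token_type: str
    expires_at: float          # absolute time in epoch seconds
    scopes: Tuple[str, ...]

    def is_valid(self, now: float, margin: float = 60.0) -> bool:
        """True while at least `margin` seconds of lifetime remain; refresh before that."""
        return now + margin < self.expires_at

    def can_write(self) -> bool:
        """Only tokens carrying the manage scope should be used for PUT/DELETE calls."""
        return WRITE_SCOPE in self.scopes

    def bearer_header(self) -> str:
        return f"{self.token_type} {self.access_token}"


def parse_token_response(text: str, now: float) -> Token:
    """Parse the JSON token response. expires_in is a lifetime in seconds (RFC 6749)."""
    data = json.loads(text)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    return Token(
        access_token=data["access_token"],
        token_type=data["token_type"],
        expires_at=now + float(data["expires_in"]),
        scopes=tuple(data.get("scopes", [])),
    )


def fetch_token(landscape_host: str, client_id: str, client_secret: str,
                transport: Transport, now: Optional[float] = None) -> Token:
    """POST to the token endpoint with Basic auth and return the parsed token."""
    now = time.time() if now is None else now
    url = f"https://api.{landscape_host}{TOKEN_PATH}"
    headers = {"Authorization": basic_auth_header(client_id, client_secret)}
    status, text = transport("POST", url, headers, b"")
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}: {text[:200]}")
    return parse_token_response(text, now)


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Real HTTPS transport using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


# Constructed stand-in for the token endpoint: it checks the request shape and
# answers with the response body shown in the post.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "b29c79e3859d25aa62c234494eda33b9",
    "token_type": "Bearer",
    "expires_in": 1500,
    "scopes": ["hcp.manageAuthorizationSettings", "hcp.readAuthorizationSettings"],
})


def fake_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    if method != "POST" or not url.endswith(TOKEN_PATH):
        return 404, "not found"
    if not headers.get("Authorization", "").startswith("Basic "):
        return 401, "missing Basic credentials"
    return 200, SAMPLE_TOKEN_RESPONSE


if __name__ == "__main__":
    tok = fetch_token("hanatrial.ondemand.com", "my-client-id", "my-client-secret", fake_transport)
    print(tok.bearer_header(), "valid:", tok.is_valid(time.time()), "can write:", tok.can_write())
```

Swap `fake_transport` for `urllib_transport` and real credentials to run it against a landscape. Keeping the secret out of the code (environment variable or a vault) and refreshing before `is_valid` turns false is what makes the flow safe to run from a scheduled job.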

Get a list of assigned roles

You received an access_token in the previous step. Use this token in all further requests until the token expires.

  <!-- HTTPS Request -->
  GET https://api.hanatrial.ondemand.com/authorization/v1/accounts/{accountName}/users/roles/?userId=GOOFY
  Headers: Authorization: Bearer b29c79e3859d25aa62c234494eda33b9

List of assigned roles for user Goofy:

  <!-- HTTPS response object as JSON Object -->
  {
    "roles": [
      {
        "name": "ProjectMember",
        "applicationName": "dispatcher",
        "providerAccount": "services"
      }
    ]
  }
To confirm the result simply jump to your HCP Account.

Assign a role to the user

It's a bit hard to maintain the JSON string in the HTTP body. You can also add the user to multiple roles; just extend the JSON array accordingly. If all is working fine you will receive a 200 response code as the success message.

  PUT https://api.hanatrial.ondemand.com/authorization/v1/accounts/{accountName}/users/roles/?userId=GOOFY
  Headers:
    Authorization: Bearer b29c79e3859d25aa62c234494eda33b9
    Content-Type: application/json

  {
    "roles": [
      {
        "name": "Administrator",
        "applicationName": "testd0xxxxx",
        "providerAccount": "{accountName}"
      }
    ]
  }
Let's check the assignment in the HCP Account again.

Delete a role from the user

The pitfall with this request was to get the role reference concatenated correctly. There are two sets of roles available in the HCP: roles defined using the Cockpit and roles defined in the web.xml of an application.

  Provider Account Name   Application Name   Role            Comment
  Services                dispatcher         YourRole        roles defined using the Cockpit
  yourAccount             yourApplication    YourRole        roles defined in the web.xml of an application
  d0xxxxxtrial            testd0xxxxx        Administrator   role used for the current scenario

A role is identified by the role name and the application name for which it is defined, separated by the @ symbol. The application is identified by the provider account name and the application name, separated by a colon (:). All details for the DELETE request can be found here.

  DELETE https://api.hanatrial.ondemand.com/authorization/v1/accounts/{accountName}/users/roles/?userId=GOOFY&roles=Administrator@d0xxxxxtrial:testd0xxxxx
  Headers: Authorization: Bearer b29c79e3859d25aa62c234494eda33b9
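The GET, PUT and DELETE steps above share one piece of fiddly logic: composing the role reference `Role@providerAccount:application` and the matching JSON body without a typo. As an added example (my own code, not the author's and not SAP's), the following Python module builds those requests, parses the GET response back into role references, and computes the assign/delete plan that turns a user's current roles into the desired set, which is the idempotent core of the life-cycle scenario. The base URL, account name and user ID are placeholders taken from the post's own examples; the sample GET response is the one shown above.

```python
"""Request composition for the HCP Authorization Management role life-cycle.

Added example, not code from the post or from SAP. Base URL, account and
user ID are placeholders; the role reference format 'Role@account:app'
and the JSON body shape follow the post.
"""
import json
from typing import Dict, List, Tuple
from urllib.parse import urlencode


def role_ref(name: str, provider_account: str, application: str) -> str:
    """Role name and application joined by '@'; provider account and app by ':'."""
    for part in (name, provider_account, application):
        if not part or "@" in part or ":" in part:
            raise ValueError(f"invalid role component: {part!r}")
    return f"{name}@{provider_account}:{application}"


def parse_role_ref(ref: str) -> Dict[str, str]:
    """Inverse of role_ref; returns the object shape used in the PUT body."""
    name, _, app_ref = ref.partition("@")
    provider, _, app = app_ref.partition(":")
    if not (name and provider and app):
        raise ValueError(f"malformed role reference: {ref!r}")
    return {"name": name, "providerAccount": provider, "applicationName": app}


def roles_url(base: str, account: str, user_id: str) -> str:
    """URL used by GET (read) and PUT (assign) for one user's role assignments."""
    path = f"{base}/authorization/v1/accounts/{account}/users/roles/"
    return path + "?" + urlencode({"userId": user_id})


def delete_role_url(base: str, account: str, user_id: str, ref: str) -> str:
    """DELETE URL for one role reference; '@' and ':' are kept literal as in the post."""
    path = f"{base}/authorization/v1/accounts/{account}/users/roles/"
    return path + "?" + urlencode({"userId": user_id, "roles": ref}, safe="@:")


def roles_body(refs: List[str]) -> str:
    """JSON body for PUT: one object per role reference, several roles in one call."""
    return json.dumps({"roles": [parse_role_ref(r) for r in refs]})


def assigned_roles(response_text: str) -> List[str]:
    """Turn the GET response into a sorted list of role references."""
    data = json.loads(response_text)
    return sorted(role_ref(r["name"], r["providerAccount"], r["applicationName"])
                  for r in data.get("roles", []))


def plan_changes(current: List[str], desired: List[str]) -> Tuple[List[str], List[str]]:
    """Return (to_assign, to_delete) so that applying both leaves exactly `desired`."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)


# Constructed sample: the GET response body shown in the post for user GOOFY.
SAMPLE_ROLES_RESPONSE = json.dumps({
    "roles": [
        {"name": "ProjectMember", "applicationName": "dispatcher", "providerAccount": "services"}
    ]
})

if __name__ == "__main__":
    base, account, user = "https://api.hanatrial.ondemand.com", "d0xxxxxtrial", "GOOFY"
    current = assigned_roles(SAMPLE_ROLES_RESPONSE)
    desired = current + [role_ref("Administrator", account, "testd0xxxxx")]
    to_assign, to_delete = plan_changes(current, desired)
    print("PUT", roles_url(base, account, user), roles_body(to_assign))
    for ref in to_delete:
        print("DELETE", delete_role_url(base, account, user, ref))
```

Driving the plan from a desired-state list (for example exported from the identity management system) rather than from ad-hoc calls means a re-run produces no changes when nothing drifted, and any unexpected entry in `to_delete` is visible before the request is sent.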
Let's check the user in the HCP Account again and cross fingers that the user is no longer assigned to the role.

Ok, that's nice, but what's next? How can I use this API now for my daily work? Well, we developed an HCP connector to enable the internal SAP IdM to do the role provisioning with the same quality as for all on-prem systems within the company.

Other scenarios would be using Apache and Java or making a fancy node.js application. It doesn't matter actually which technology you're using, as long as OAuth and JSON are supported.
Do not forget the other options like Groups and Role Management, which are also supported by the API.

Have fun!
