
Map ECC Roles to HCP Roles for Fiori Application

hegde_dhananjay
Explorer
0 Kudos

Hello All!

I have developed a custom Transactional Fiori application and this is my landscape -

- SAP ERP for business data

- SAP Netweaver Gateway to expose the data using OData services

- SAP HANA Cloud Platform where Fiori application is deployed

I want my application to be available only to certain target users, say power users. Meaning, other users should not even find it in their catalog.

If I were to deploy the app on Frontend Gateway server, then I would follow this to enable app to only required target users - https://blogs.sap.com/2014/06/16/understanding-launchpad-object-relationship-with-screenshots/

But, in my case, as the application is deployed on HCP, I am stuck with providing app to only a set of users. I have checked these links already on help portal -

https://help.hana.ondemand.com/help/frameset.htm?d128e6796cf94bb187d4bbf69419e2f5.html

https://help.hana.ondemand.com/help/frameset.htm?a139548b21954e319a2a351e993bac40.html

I have added securityConstraints in neo-app.json file. I have created a role and a group in HCP and made the configuration as explained in the above links.

Power Users have a certain role assigned in backend ECC system. Now, my doubt is, how can I map these roles to roles created on HCP? I do not want to assign the roles manually on HCP.

I am not sure if I am heading in the right direction on this. Your help is much appreciated.

Thank you,

Dhananjay

PS: We have SAML 2.0 authentication based on an IdP.

Accepted Solutions (0)

Answers (1)

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi Dhananjay,

The way this would work is by assigning the Catalogs to a Portal role, as you normally would do to give your power users access to the application they need. And in the IdP configuration, in the Cockpit, use the group mapping to automatically map users to groups according to some criteria (probably you would have to rely on LDAP group names).

Just open the IdP configuration and click on the tab "Groups" to create an Assertion-Based Group. This will take an attribute from the user's SAML token (use one of the attribute names, like urn:oid:xxxxx) and perform a regular expression match on its contents.

For instance: If a user's attribute contains the name "GROUP_PWR" from your LDAP, SCP will automatically map the user to SCP's group "GRP_SCP_POWER_USERS".

AFAIK: You won't be able to re-use the ERP/GW roles for your Portal Service or map them accordingly to a Portal Role. Instead, you would need to make sure your power users belong both to a certain LDAP group and to the proper ERP/GW roles.

Best regards,
Ivan
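The chain described in the question and the answer (SAML attribute, assertion-based group, SCP group, role, neo-app.json securityConstraint) can be made concrete by modelling it end to end. The following Python is an added example written for this page; it is not SAP code and it does not reproduce the platform's real implementation. The SAML assertion, the attribute name `groups`, the LDAP group names, the SCP group and role names, the permission name `PowerUserAccess` and the prefix-based path matching are all constructed assumptions; the `securityConstraints` keys follow the neo-app.json structure documented for HTML5 apps on the Neo environment and should be checked against the help pages linked in the question. Note what is absent from the chain: the user's ERP/GW roles are never consulted, which is exactly why the answer says they cannot be reused for the Portal role and must be kept consistent with the LDAP group by other means.

```python
import json
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion (not a real IdP response). The IdP sends the
# user's LDAP group memberships as a multi-valued "groups" attribute. Signature
# validation of the real assertion is done by the platform and is out of scope.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>dhananjay</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>CN=GROUP_PWR,OU=Groups,DC=example,DC=test</saml:AttributeValue>
      <saml:AttributeValue>CN=GROUP_ALL,OU=Groups,DC=example,DC=test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Collect every <saml:Attribute> of the assertion into {name: [values]}."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


# Assertion-based group rules, modelled on the IdP "Groups" tab of the cockpit
# (hypothetical names): (attribute name, regex applied to each value, SCP group).
ASSERTION_GROUP_RULES = [
    ("groups", r"CN=GROUP_PWR,", "GRP_SCP_POWER_USERS"),
    ("groups", r"CN=GROUP_ALL,", "GRP_SCP_ALL_USERS"),
]


def map_groups(attrs: dict, rules=ASSERTION_GROUP_RULES) -> set:
    """A user joins an SCP group when any value of the named attribute matches the regex."""
    groups = set()
    for attr_name, pattern, group in rules:
        if any(re.search(pattern, value) for value in attrs.get(attr_name, [])):
            groups.add(group)
    return groups


# Group -> role assignment (cockpit) and role -> permission assignment of the
# HTML5 app (cockpit). All names are constructed for this example.
GROUP_TO_ROLES = {"GRP_SCP_POWER_USERS": {"PowerUser"}, "GRP_SCP_ALL_USERS": {"Everyone"}}
PERMISSION_TO_ROLES = {"PowerUserAccess": {"PowerUser"}}

# Constructed neo-app.json: everything under "/" needs the PowerUserAccess
# permission except the "/public/" tree.
NEO_APP_JSON = json.loads("""{
  "welcomeFile": "/webapp/index.html",
  "securityConstraints": [
    {
      "permission": "PowerUserAccess",
      "description": "Only power users may open the app",
      "protectedPaths": ["/"],
      "excludedPaths": ["/public/"]
    }
  ]
}""")


def roles_for(groups: set, group_roles=GROUP_TO_ROLES) -> set:
    """Union of the roles assigned to each of the user's groups."""
    return set().union(*(group_roles.get(g, set()) for g in groups))


def is_authorized(path: str, roles: set, neo_app=NEO_APP_JSON,
                  permission_roles=PERMISSION_TO_ROLES) -> bool:
    """Deny when a protected, non-excluded path's permission has none of the user's roles.
    Prefix matching is a simplification of the platform's path rules (assumption)."""
    for constraint in neo_app.get("securityConstraints", []):
        protected = any(path.startswith(p) for p in constraint.get("protectedPaths", []))
        excluded = any(path.startswith(p) for p in constraint.get("excludedPaths", []))
        if protected and not excluded:
            required = permission_roles.get(constraint["permission"], set())
            if not roles & required:
                return False
    return True


def authorize_request(assertion_xml: str, path: str) -> bool:
    """Run the whole chain: attributes -> groups -> roles -> securityConstraints."""
    attrs = extract_attributes(assertion_xml)
    return is_authorized(path, roles_for(map_groups(attrs)))


if __name__ == "__main__":
    ordinary_user = SAMPLE_ASSERTION.replace("GROUP_PWR", "GROUP_SALES")
    for label, assertion in (("power user", SAMPLE_ASSERTION), ("ordinary user", ordinary_user)):
        groups = map_groups(extract_attributes(assertion))
        print(label, "groups:", sorted(groups), "roles:", sorted(roles_for(groups)))
        print("  /webapp/index.html ->", authorize_request(assertion, "/webapp/index.html"))
        print("  /public/help.html  ->", authorize_request(assertion, "/public/help.html"))
```

Running the script shows the power user reaching `/webapp/index.html` while the ordinary user, whose assertion carries `GROUP_SALES` instead of `GROUP_PWR`, is denied there but still reaches the excluded `/public/` tree. Keeping the regex anchored to the full `CN=GROUP_PWR,` component rather than the bare substring `GROUP_PWR` avoids accidentally matching a longer group name such as `GROUP_PWR_TEST`, which is the check worth making when you write the real assertion-based group rule.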