on 08-17-2023 1:54 PM
Dear Community,
We have an application where the front-end is a SAPUI5 Freestyle application, with a standalone Approuter and a CAP service, consuming an external service: the SuccessFactors OData v2 API. Authentication flow: the user logs in through the IdP, we decode the JWT token and use the custom attributes coming from IAS throughout the application, e.g. in $filter queries. We know the downside of storing these values on the backend in variables, which might get overwritten by another user.
Now we have the requirement that some users need to see only their own data. But in some cases the application loads another user's data when users use the application in parallel. We do not use any database instance to read data or perform any selection; we only have the connection to the external service.
Could you please advise how to differentiate users and send back the right data only to the right user?
Thank you in advance,
Gergő
Hi Gergo,
Have you implemented Principal Propagation such that the logged-in user is passed as the user calling the SuccessFactors API, so that the data returned is only the data that the logged-in user is authorised to see?
UPDATE: Thanks to martin.stenzig3's hint below, you may find the following blog posts helpful in resolving your issue. It does look like you need to implement principal propagation.
OAuth2SAMLBearerAssertion Flow with SAP BTP Destination Service. SuccessFactors.
How to troubleshoot SAP BTP OAuth2SAMLBearerAssertion destination with SuccessFactors?
Regards,
Mustafa.
Hi gperlaki90,
If I understand correctly from your comments, the original requirement has changed because now "some users needs to see only their data". In that case, I would recommend you change your implementation such that the Destination Service is configured for Principal Propagation as this is the appropriate way to restrict data to what the user is authorised to see in the source system. Use of a technical user is not appropriate here.
Regards,
Mustafa.
In the SF destination definition, regardless of whether you want to use a Technical User, you have to specify a "SystemUser". Usually SF destinations use "OAuth2SAMLBearerAssertion".