SAPUI5 & SAP CAP with Consume External Services - User management

GergoPerlaki
Explorer
0 Kudos

Dear Community,

We have an application where the front-end is a SAPUI5 Freestyle application, with a standalone Approuter and a CAP service consuming an external service: the SuccessFactors OData v2 API. Authentication flow: the user logs in through the IdP, we decode the JWT token and use the custom attributes coming from IAS through the application, e.g. in $filter queries. We know the downside of storing these values on the backend in variables, which might get overwritten by another user.

Now we have the requirement that some users need to see only their own data. But in some cases the application loads another user's data when users are using the application in parallel. We do not use any database instance to read data or perform any selection; we only have the connection to the external service.

Could you please advise how to differentiate users and send back the right data only to the right user?

Thank you in advance,

Gergő

Accepted Solutions (0)

Answers (1)

MustafaBensan
Active Contributor

Hi Gergo,

Have you implemented Principal Propagation such that the logged in user is passed as the user calling the SuccessFactors API, so that the data returned is only the data that the logged in user is authorised to see?

UPDATE: Thanks to martin.stenzig3's hint below, you may find the following blog posts helpful in resolving your issue. It does look like you need to implement principal propagation.

OAuth2SAMLBearerAssertion Flow with SAP BTP Destination Service. SuccessFactors.

How to troubleshoot SAP BTP OAuth2SAMLBearerAssertion destination with SuccessFactors?

Regards,

Mustafa.

GergoPerlaki
Explorer
0 Kudos

Hello Mustafa,

Thank you for your reply. The Destination Service is using a Technical User in our case for accessing the API.

Regards,

Gergő

MustafaBensan
Active Contributor
0 Kudos

Hi gperlaki90,

Is there a reason why your Destination Service has not been configured for Principal Propagation?

Regards,

Mustafa.

GergoPerlaki
Explorer
0 Kudos

Hello mbensan,

The basic requirements did not contain any user propagation, as this application was designed for fetching data from SuccessFactors through the OData API and displaying it to the users, independently of who the current user is.

Regards,

Gergő

MustafaBensan
Active Contributor

Hi gperlaki90,

If I understand correctly from your comments, the original requirement has changed because now "some users needs to see only their data". In that case, I would recommend you change your implementation such that the Destination Service is configured for Principal Propagation as this is the appropriate way to restrict data to what the user is authorised to see in the source system. Use of a technical user is not appropriate here.

Regards,

Mustafa.
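The failure mode described in the question (a per-user value parked in a backend variable and overwritten by a parallel request) and the per-request identity that principal propagation gives you, shown side by side as an added example that is not from this thread or from SAP. It imitates the handler shape CAP hands you (`req.user.id`) without loading `@sap/cds`; the SuccessFactors rows, the two users and the awaited `lookupDestination` step are constructed placeholders standing in for the real OData call and destination lookup.

```javascript
// Added example (not from the thread): a module-scope "current user" leaks
// data between concurrent CAP requests; per-request identity does not.
// @sap/cds is not used; req.user.id is assumed to have CAP's handler shape.

// Constructed stand-in for SuccessFactors rows; not real SF data.
const SF_RECORDS = [
  { userId: 'alice', compensation: 100 },
  { userId: 'bob', compensation: 200 },
];

// Stand-in for the outbound OData call. `principal` is the identity the
// call is made with: with principal propagation the backend returns only
// rows that user may see, whereas a technical user would see every row.
async function fetchFromSuccessFactors(principal) {
  await new Promise((resolve) => setTimeout(resolve, 1)); // simulated I/O
  return SF_RECORDS.filter((row) => row.userId === principal);
}

// Stand-in for any awaited step between decoding the JWT and using its
// attributes (destination lookup, token fetch, ...). Yielding here lets a
// second request start before this one continues, as happens under load.
async function lookupDestination() {
  await Promise.resolve();
  return { name: 'SF_DESTINATION_PLACEHOLDER' }; // placeholder name
}

// --- Buggy pattern: user attribute parked in module scope -----------------
let currentUserId = null; // shared by every in-flight request

async function buggyHandler(req) {
  currentUserId = req.user.id;           // request A writes 'alice' ...
  await lookupDestination();             // ... request B overwrites it with 'bob'
  const rows = await fetchFromSuccessFactors(currentUserId); // A now reads 'bob'
  return { requestedBy: req.user.id, rows };
}

// --- Fixed pattern: identity travels with the request ---------------------
async function fixedHandler(req) {
  const principal = req.user.id;         // local to this request only
  await lookupDestination();
  const rows = await fetchFromSuccessFactors(principal);
  return { requestedBy: principal, rows };
}

// Runs two requests concurrently, the way a CAP service serves two users.
function runConcurrently(handler) {
  const requests = [{ user: { id: 'alice' } }, { user: { id: 'bob' } }];
  return Promise.all(requests.map((req) => handler(req)));
}

// True when every result contains only rows owned by the requesting user.
function isIsolated(results) {
  return results.every((r) => r.rows.every((row) => row.userId === r.requestedBy));
}

async function main() {
  const buggy = await runConcurrently(buggyHandler);
  const fixed = await runConcurrently(fixedHandler);
  console.log('buggy isolated:', isIsolated(buggy), JSON.stringify(buggy));
  console.log('fixed isolated:', isIsolated(fixed), JSON.stringify(fixed));
}
main();
```

Run it with `node`: the buggy variant hands Alice's request Bob's rows because Bob's request overwrote the shared variable while Alice's was awaiting, and the fixed variant keeps each user's rows with that user. In the real service the same principle applies end to end: read the identity from `req.user` inside the handler, pass it along the call chain, and let the destination configured for principal propagation present that user to SuccessFactors, so the authorisation is enforced by the source system rather than by a `$filter` built from state held between awaits.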

martinstenzig
Contributor

In the SF destination definition, regardless of whether or not you want to use a Technical User, you have to specify a "SystemUser". Usually SF destinations are using "OAuth2SAMLBearerAssertion".

GergoPerlaki
Explorer
0 Kudos

Hello mbensan,

I'd like to ask: if Principal Propagation is enabled, how would you describe the authentication flow?

Thank you in advance,

Gergő