Skip to content

Latest commit

 

History

History
80 lines (43 loc) · 3.26 KB

secure-access-745ca50.md

File metadata and controls

80 lines (43 loc) · 3.26 KB

Secure Access

The SAP Job Scheduling service provides options to secure job actions with action endpoints as well as to secure Cloud Foundry tasks.

Secure Job Actions with Action Endpoints

The SAP Authorization and Trust Management service is used to secure action endpoints in your application based on OAuth 2.0 authentication.

OAuth 2.0 Authentication

Prerequisites: The application is bound to an xsuaa service instance and a SAP Job Scheduling service instance.

  • SAP Job Scheduling service invokes the action endpoint, passing an access token obtained from UAA in the Authorization header.

    Note:

    Within the application which exposes an action endpoint that is called from the SAP Job Scheduling service, you can validate this token using the xsuaa instance bound to this application.

  • SAP Job Scheduling service caches the token for up to twelve hours.

    Note:

    Consequently, it may take some time until the updates made to the scopes already granted to the SAP Job Scheduling service take effect, for example, if the application changes the scope name in the xs-security.json security descriptor file. During this time, it's possible that a token with the old scope is sent to the application. This may lead to an error, if the application doesn't accept the older scope.

  • The application must grant a scope to the SAP Job Scheduling service instance.

    For this, in the xs-security.json security descriptor file that is used from the xsuaa service instance that is bound to the application, specify the following value for the grant-as-authority-to-apps property:

    $XSSERVICENAME(<jobscheduler instance name>)

    Note:

    $XSAPPNAME.<name>: A scope name consists of $XSAPPNAME. and a name you can choose, for example, <Jobs>.

    Add the following to the scopes section:

    {
    "xsappname": "<app name>",
    "scopes": [{
        "name": "$XSAPPNAME.Jobs",
        "description": "SAP Job Scheduling
                                service Scope",
        "grant-as-authority-to-apps": [
            "$XSSERVICENAME(<jobscheduler instance name>)"
            ]
    }]
}

Note:

SAP Job Scheduling service uses the content-type application/json for its requests and accepts the response Content-type application/json.

Secure Cloud Foundry Tasks

The XSUAA isn’t required as Cloud controller. The Cloud Foundry User Account and Authentication (CFUAA) is used for creating CF tasks.

Related Information

Credential Rotation

Define and Grant Scopes to SAP Job Scheduling Service

Web Access Control

Application Security Descriptor Configuration Syntax