SAP CAPM Security Approaches Using XSUAA in Production

Ms. Kokila SS, SAP Integration Consultant, Smartsoft.

Here, I will discuss how to implement security in a CAP project using the XSUAA service in a Node.js environment, deploying it as a Multi-Target Application (MTA).

Introduction to XSUAA

The Extended Services – User Account and Authentication (XSUAA) service is SAP's own identity and authorization service on SAP BTP. An application deployed in the Cloud Foundry environment can be protected with XSUAA. For this, we need a subscription to the SAP Authorization and Trust Management Service in BTP. With it we can:

  • Authenticate the user and receive their email, user ID, first name and last name.
  • Authorize the user based on the roles assigned to them.


First, add the @sap/xssec package as a dependency in your project's package.json file.

Configuring Security with xs-security.json

The xs-security.json file is the security descriptor of the application. It defines the scopes and role templates the application uses and the settings of the XSUAA service instance that is created from it.

Multi-Target Application

In the multi-target application model, we use an mta.yaml descriptor file to deploy the application. It contains several modules, and each module is deployed as a separate application.

In our case,

  • A UI module developed in Fiori.
  • A database module using SAP HANA.
  • A service module using Node.js, which acts as the backend microservice.

To protect the entire application with the XSUAA service, we define the service in the MTA descriptor and bind it to the modules that require it.

Defining Resources in mta.yaml

Under the resources section, define the XSUAA service instance.

This configuration creates the XSUAA service instance using the settings defined in the xs-security.json file and binds it to the modules that require it.

Configuring Roles and OAuth2

In the xs-security.json file, configure the scopes, the role templates and the OAuth2 settings.

During login, the application redirects the user to the UAA service, which authenticates the user and then redirects back to our application with the authentication and authorization details. For that redirect to be accepted, we specify the application's URL as a redirect-uri in the configuration.
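As an added example (not a file from the original article), an xs-security.json for the service module described above; the xsappname, the scope and role names, the Country attribute and the application domain are assumed values:

```json
{
  "xsappname": "capm-demo",
  "tenant-mode": "dedicated",
  "scopes": [
    { "name": "$XSAPPNAME.Viewer", "description": "Read business data" },
    { "name": "$XSAPPNAME.Admin",  "description": "Create and change business data" }
  ],
  "attributes": [
    { "name": "Country", "description": "Country the user may see (assumed attribute)", "valueType": "string" }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "description": "Read-only access",
      "scope-references": ["$XSAPPNAME.Viewer"],
      "attribute-references": ["Country"]
    },
    {
      "name": "Admin",
      "description": "Full access, includes the Viewer scope",
      "scope-references": ["$XSAPPNAME.Viewer", "$XSAPPNAME.Admin"]
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": ["https://capm-demo.cfapps.eu10.hana.ondemand.com/**"]
  }
}
```

Keep redirect-uris limited to the application's own host (the domain above is an assumed placeholder); a wildcard that matches arbitrary hosts would let the login flow return the authorization response to a URL outside the application. In the CAP service, the scope names without the $XSAPPNAME prefix (Viewer, Admin) are the roles that the service's authorization checks refer to.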

With XSUAA as the authentication strategy, every request carries the authenticated user in the req.user object. This object includes the user ID, the user's roles and the SAML attributes. req.user.attr holds detailed attributes such as:

logonName, givenName, familyName and email.

Configuring the UI Entry Point

We use the UI module as the entry point of the application. Therefore we need to configure its routes in the xs-app.json file.

Here, the source and target paths correspond to the service path specified in the service.cds file. The UI sends the request to the endpoint matching the target route; the request is forwarded to the backend system specified in destination, which handles it.

With these configurations, the application is secured with the XSUAA service.