Authentication and Authorization
Users must be authenticated and authorized by advanced event mesh for SAP Integration Suite before they can create event broker services, monitor event broker services, or design an event-driven architecture. The advanced event mesh account and user management system lets you manage user accounts and assign permissions through roles; each role grants access to a category of services in advanced event mesh that you use to manage your event-driven architecture (EDA). For more information about user accounts and roles, see User-Centric and Role-Based Access.
In addition to users, client applications can be given access to perform management tasks. Their authentication and authorization are handled with API tokens that users create in the Cloud Console. For more information, see API Tokens for Client Applications.
Authentication and authorization for access to event broker services are also configurable. You can also access event broker services directly from Broker Manager. For more information, see Accessing Broker Manager.
Client application access is handled separately and is configured at the granularity of an event broker service. For information about client authentication and authorization, see Client Application Connectivity and Security.
User-Centric and Role-Based Access
Built-in roles are available on every account. A user's roles and permissions are assigned per account (workspace), and the granularity of those permissions determines which actions the user is authorized to perform in that account. These fine-grained permissions allow authenticated users to:
- orchestrate and manage event broker services
- manage event meshes
- design your event-driven architecture (EDA)
- monitor your deployment of event broker services and access advanced monitoring capabilities
- modify billing for the account
- manage users, permissions, and account settings
For information about roles and permissions, see Roles and Permissions.
Note that the Administrator role must be assigned to at least one user in each account; that role permits the user to manage access within the account. A user can hold different permissions on different accounts, so the same user has different access depending on the account selected.
For example, a single user account can be used to authenticate, but in one account that user may be authorized to create event broker services while in another account the user may not have that permission. For information about accounts, assigning roles, and setting permissions, see User Management.
Accessing Broker Manager
You can access event broker services directly using Broker Manager. For more information about Broker Manager, see Broker Manager.
Access to an event broker service is handled through credentials that are generated when the event broker service is created. By default, a user with the Administrator or Cluster Manager role in the account is pre-authenticated to access event broker services through the Cloud Console. Pre-authenticated access to Broker Manager can be disabled for an entire account, which forces users to enter the credentials manually. For more information, see Pre-Authentication for Broker Manager.
Regardless of whether Pre-authentication Security is enabled or disabled, if your event broker services are deployed in a private network [a customer-controlled Virtual Private Cloud/Virtual Network (VPC/VNet)], you may be able to connect from a public IP address to the Cloud Console (outside your private network) to create and configure event broker services, yet be unable to connect to Broker Manager.
This is because the ability to connect to Broker Manager depends on the networking configuration of your private network (most private networks use 10.x.y.z, 172.x.y.z, or 192.x.y.z IP addresses, which are not reachable from a public network). If your network configuration permits it, you can connect to Broker Manager when it is deployed in a private network if you:
- use a VPN connection such as a VPN client on your computer (or AWS VPN) to connect to the VPC/VNet
- have VNet peering (Azure) or VPC peering (AWS) configured between the network from where you're connected, to the private network where the event broker services are deployed
- have a DNS mapping from the event broker service to your private network. Contact SAP to request this DNS mapping
API Tokens for Client Applications
Client applications can be authenticated and authorized to perform management operations (for example, creating event broker services, or continuous integration and continuous delivery (CI/CD) functions) via the advanced event mesh APIs. This capability is useful in large-scale deployments that rely on automation for efficiency and for better integration with other enterprise systems.
API key control for authentication and authorization to advanced event mesh is provided through API tokens. These API tokens are generated on a per-account basis to authenticate and authorize client applications to perform management actions on that account.
Users generate API tokens in the Cloud Console. The permissions that a user can assign to a generated API token are a subset of the permissions that the user holds in the account (workspace). In other words, a user cannot create an API token with permissions beyond what they have been assigned.
The user can also revoke an API token at any time. API tokens permit finer-grained control of permissions for client applications than the roles assigned to a user profile. For more information about permissions and API tokens, see Managing API Tokens.
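The two rules above (a token can carry only a subset of its creator's permissions, and a revoked token must stop working immediately) are easy to get wrong in an automation layer. The following added example is an illustrative model written for this page, not the advanced event mesh API; the permission names come from the categories listed under User-Centric and Role-Based Access, while the role-to-permission mapping and all names are assumptions.

```python
"""Constructed model of per-account API tokens: subset-of-creator enforcement
at creation time and fail-closed checks for unknown or revoked tokens."""
from dataclasses import dataclass, field
import secrets

# Permission categories from the page; which roles carry which permissions
# is an assumption made for this example, not the product's real mapping.
ROLE_PERMISSIONS = {
    "Administrator": {"services", "meshes", "design", "monitor", "billing", "users"},
    "Cluster Manager": {"services", "meshes", "monitor"},
}


@dataclass
class Account:
    name: str
    user_roles: dict = field(default_factory=dict)  # user -> set of role names
    tokens: dict = field(default_factory=dict)      # token -> {"perms", "revoked"}

    def user_permissions(self, user):
        """Union of the permissions granted by every role the user holds here."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def create_token(self, user, requested):
        """Issue a token; refuse if it asks for anything the creator lacks."""
        requested = set(requested)
        excess = requested - self.user_permissions(user)
        if excess:
            raise PermissionError(f"{user} cannot grant {sorted(excess)} in {self.name}")
        token = secrets.token_urlsafe(16)  # opaque, unguessable token value
        self.tokens[token] = {"perms": requested, "revoked": False}
        return token

    def revoke(self, token):
        """Revocation is recorded, not deleted, so later lookups stay auditable."""
        self.tokens[token]["revoked"] = True

    def authorize(self, token, action):
        """Decide a client request: unknown or revoked tokens fail closed."""
        entry = self.tokens.get(token)
        if entry is None or entry["revoked"]:
            return False
        return action in entry["perms"]
```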