The limitations in User Authentication within the event broker
The limitations in User Authentication within the event broker specifically concern the ability to restrict access to defined users. There is currently no option available to define granular access at the broker level.
Comments
-
Hi @swapnil_mahajan … I'm not sure what limitations you're referring to. The broker has lots of different ways of authenticating users:
- basic username/password, stored internally on the broker
- LDAP (ActiveDirectory) integration
- RADIUS server integration
- client certificates
- Kerberos SSO
- OAuth2
"currently no option available to define granular access at the broker level"
How do you mean? Granular access to messages/topics? That's what ACL profiles are for. Each username could have a unique set of topics they are authorized to publish and subscribe on.
0 -
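To make the ACL-profile point above concrete, here is a small model of how a deny-by-default ACL profile with topic exceptions decides what a given client-username may publish or subscribe to. This is an added example written for this thread, not code from the broker or from any participant. The wildcard semantics follow the SMF topic-matching rules ('*' matches one level, or a prefix of one level when used as a suffix such as 'eu*'; '>' as the final level matches one or more remaining levels). The usernames, topics, VPN name and password are constructed sample data, and the SEMP v2 paths and field names in `semp_v2_requests` are reproduced from memory of the SEMP v2 config API and should be checked against your broker's SEMP reference before use.

```python
"""Deny-by-default ACL profile evaluation, modelled on how Solace PubSub+
binds each client-username to one ACL profile whose default publish/subscribe
action is refined by per-topic exceptions.

Illustration written for this thread, not the broker's own code. Usernames,
topics, VPN name and password below are constructed sample data; the SEMP v2
paths/field names are assumptions to verify against the SEMP reference.
"""
from dataclasses import dataclass, field


def topic_matches(pattern: str, topic: str) -> bool:
    """True if an SMF-style topic pattern matches a concrete topic."""
    p_levels, t_levels = pattern.split("/"), topic.split("/")
    for i, p in enumerate(p_levels):
        if p == ">":
            # Only valid as the last level; needs at least one level left to match.
            return i == len(p_levels) - 1 and len(t_levels) > i
        if i >= len(t_levels):
            return False
        t = t_levels[i]
        if p == "*":
            continue
        if p.endswith("*"):
            if not t.startswith(p[:-1]):
                return False
            continue
        if p != t:
            return False
    return len(p_levels) == len(t_levels)


@dataclass
class AclProfile:
    name: str
    publish_default: str = "disallow"    # SEMP v2: publishTopicDefaultAction
    subscribe_default: str = "disallow"  # SEMP v2: subscribeTopicDefaultAction
    publish_exceptions: list = field(default_factory=list)
    subscribe_exceptions: list = field(default_factory=list)

    def allows(self, action: str, topic: str) -> bool:
        """Exceptions invert the default: with 'disallow' they are an allow-list,
        with 'allow' they are a deny-list. Unknown actions are denied."""
        if action == "publish":
            default, exceptions = self.publish_default, self.publish_exceptions
        elif action == "subscribe":
            default, exceptions = self.subscribe_default, self.subscribe_exceptions
        else:
            return False
        matched = any(topic_matches(p, topic) for p in exceptions)
        return matched if default == "disallow" else not matched


# Constructed sample configuration: two profiles, two client-usernames.
PROFILES = {
    "orders-producer": AclProfile(
        "orders-producer",
        publish_exceptions=["orders/eu*/>"],     # may publish only under EU regions
        subscribe_exceptions=["orders/ack/*"],   # may read exactly one level of acks
    ),
    "analytics-readonly": AclProfile(
        "analytics-readonly",
        subscribe_exceptions=["orders/>"],       # read everything, publish nothing
    ),
}
CLIENT_USERNAMES = {"svc-orders": "orders-producer", "analytics": "analytics-readonly"}


def authorize(username: str, action: str, topic: str) -> bool:
    """Broker-side decision: an unknown username is denied outright."""
    profile_name = CLIENT_USERNAMES.get(username)
    if profile_name is None:
        return False
    return PROFILES[profile_name].allows(action, topic)


def semp_v2_requests(vpn: str, profile: AclProfile, username: str, password: str):
    """SEMP v2 config calls that would create this profile and bind a username
    to it (method, path, body). Nothing is sent; paths/fields are assumptions."""
    base = f"/SEMP/v2/config/msgVpns/{vpn}"
    reqs = [("POST", f"{base}/aclProfiles", {
        "aclProfileName": profile.name,
        "clientConnectDefaultAction": "allow",
        "publishTopicDefaultAction": profile.publish_default,
        "subscribeTopicDefaultAction": profile.subscribe_default,
    })]
    for t in profile.publish_exceptions:
        reqs.append(("POST", f"{base}/aclProfiles/{profile.name}/publishTopicExceptions",
                     {"publishTopicException": t, "publishTopicExceptionSyntax": "smf"}))
    for t in profile.subscribe_exceptions:
        reqs.append(("POST", f"{base}/aclProfiles/{profile.name}/subscribeTopicExceptions",
                     {"subscribeTopicException": t, "subscribeTopicExceptionSyntax": "smf"}))
    reqs.append(("POST", f"{base}/clientUsernames", {
        "clientUsername": username, "password": password,
        "aclProfileName": profile.name, "enabled": True,
    }))
    return reqs


if __name__ == "__main__":
    for user, action, topic in [
        ("svc-orders", "publish", "orders/eu-west/created"),
        ("svc-orders", "publish", "orders/us-east/created"),
        ("analytics", "publish", "orders/eu-west/created"),
        ("analytics", "subscribe", "orders/eu-west/created"),
        ("nobody", "subscribe", "orders/eu-west/created"),
    ]:
        verdict = "allow" if authorize(user, action, topic) else "deny"
        print(f"{user:12} {action:9} {topic:28} -> {verdict}")
    for method, path, body in semp_v2_requests("default", PROFILES["orders-producer"],
                                               "svc-orders", "<secret>"):
        print(method, path, body)
```

The point the model makes is the one Aaron raises: authorization is per client-username through its ACL profile, so two usernames on the same broker can see disjoint topic spaces. It does not address restricting a console user to a particular broker instance, which is the separate RBAC question raised later in the thread.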
Hey @Aaron, I cannot give a user access to only one Event Broker. I don't see any configuration for that.
Currently, administrators lack the ability to configure authorization settings that allow the creation of roles, the assignment of specific Event Brokers to these roles, and the allocation of these roles to users. This creates a challenge in enforcing Role-Based Access Control (RBAC), as there is no mechanism to restrict users to specific Event Brokers. Implementing RBAC is essential to address this limitation, as I am currently encountering difficulties in restricting user access to designated Event Brokers.
0 -
As an administrator managing multiple brokers with diverse user groups, it is challenging to provide consistent roles, especially when granting access to features such as Mission Control, Designer, and other tools within the PubSub+ Console.
0 -
@Aaron Any update here?
0 -
Does anyone have thoughts on this? It's an essential step to prevent authorization issues.
0 -
Hi @swapnil_mahajan ,
My apologies for the delayed response.
As you correctly noticed, we currently have this limitation with role-based access control in SAP BTP. We are working on full platform integration for role- and resource-based authorization, which is planned for the first half of next year for AEM.
In the meantime, you can use OAuth profiles to control access to the broker as per your requirements. More information is available here:
https://help.pubsub.em.services.cloud.sap/Cloud/enable-oauth-profiles-on-service.htm
0