The limitations in User Authentication within the event broker

swapnil_mahajan

There are limitations in User Authentication within the event broker, specifically concerning the ability to restrict access to defined users. There is currently no option available to define granular access at the broker level.

Comments

  • Aaron (Member, Administrator, Moderator, Employee)

    Hi @swapnil_mahajan … I'm not sure what limitations you're referring to? The broker has lots of different ways of authenticating users?

    • basic username/password, stored internally on the broker
    • LDAP (ActiveDirectory) integration
    • RADIUS server integration
    • client certificates
    • Kerberos SSO
    • OAuth2

    currently no option available to define granular access at the broker level

    How do you mean? Granular access to messages/topics? That's what ACL profiles are for. Each username could have a unique set of topics they are authorized to publish and subscribe on.
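To make the ACL-profile idea above concrete, here is an added example (not Aaron's code and not Solace's implementation): a small local model of per-username ACL profiles with default-deny topic actions plus exceptions, and a check function that answers "may this username publish/subscribe on this topic?". The object field names (aclProfileName, publishTopicDefaultAction, ...) follow the SEMP v2 config objects as I recall them, and the wildcard matching is my own approximation of Solace topic rules; both are assumptions, and the usernames and topics are constructed sample data.

```python
# Added example: local model of Solace-style ACL profiles (not broker code).
# Wildcard rules approximated here: "*" matches one level (or a prefix inside
# a level, e.g. "ab*"), a trailing ">" matches one or more remaining levels.
ACL_PROFILES = {  # constructed sample profiles; field names are assumptions
    "orders-producer": {
        "aclProfileName": "orders-producer",
        "clientConnectDefaultAction": "allow",
        "publishTopicDefaultAction": "disallow",     # default deny
        "subscribeTopicDefaultAction": "disallow",   # default deny
        "publishTopicExceptions": ["orders/*/new", "orders/>"],
        "subscribeTopicExceptions": ["orders/*/ack"],
    },
    "read-only": {
        "aclProfileName": "read-only",
        "clientConnectDefaultAction": "allow",
        "publishTopicDefaultAction": "disallow",     # never publish
        "subscribeTopicDefaultAction": "allow",      # default allow...
        "publishTopicExceptions": [],
        "subscribeTopicExceptions": ["internal/>"],  # ...except this subtree
    },
}

CLIENT_USERNAMES = {  # constructed: each username is bound to one ACL profile
    "alice": {"clientUsername": "alice", "aclProfileName": "orders-producer", "enabled": True},
    "bob": {"clientUsername": "bob", "aclProfileName": "read-only", "enabled": True},
}

def topic_matches(pattern: str, topic: str) -> bool:
    """Level-by-level match of a topic against an exception pattern."""
    p_levels, t_levels = pattern.split("/"), topic.split("/")
    for i, p in enumerate(p_levels):
        if p == ">" and i == len(p_levels) - 1:
            return len(t_levels) > i          # needs at least one more level
        if i >= len(t_levels):
            return False                      # topic is shorter than pattern
        t = t_levels[i]
        if p == "*":
            continue                          # any single level
        if p.endswith("*") and t.startswith(p[:-1]):
            continue                          # prefix wildcard within a level
        if p != t:
            return False
    return len(t_levels) == len(p_levels)     # no unmatched trailing levels

def is_authorized(username: str, action: str, topic: str) -> bool:
    """action is 'publish' or 'subscribe'; exceptions invert the default."""
    user = CLIENT_USERNAMES.get(username)
    if user is None or not user["enabled"]:
        return False                          # unknown/disabled users get nothing
    profile = ACL_PROFILES[user["aclProfileName"]]
    default = profile[f"{action}TopicDefaultAction"]
    matched = any(topic_matches(p, topic) for p in profile[f"{action}TopicExceptions"])
    return matched if default == "disallow" else not matched
```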

  • swapnil_mahajan

Hey @Aaron, I cannot give access to a user for only one Event Broker. I don't see any configuration for the same.

    Currently, administrators lack the ability to configure authorization settings that allow the creation of roles, assign specific Event Brokers to these roles, and then allocate these roles to users. This creates a challenge in enforcing Role-Based Access Control (RBAC), as there is no mechanism to restrict users to specific Event Brokers. Implementing RBAC is essential to address this limitation, as I am currently encountering difficulties in restricting user access to designated Event Brokers.

  • swapnil_mahajan

    @Aaron

    As an administrator managing multiple brokers with diverse user groups, it is challenging to provide consistent roles, especially when granting access to features such as Mission Control, Designer, and other tools within the PubSub+ Console.

  • swapnil_mahajan

    @Aaron Any update here?

  • swapnil_mahajan

Does anyone have thoughts on this? It's an essential step to prevent authorization issues.

  • HariRangarajan (Member, Administrator, Employee)

    Hi @swapnil_mahajan ,

    My apologies for the delayed response.

As you correctly noticed, we have this limitation with the role-based access control in SAP BTP currently. We are currently working on the full platform integration for role- and resource-based authorization, and it is planned for the first half of next year for AEM.

In the meantime, you can use OAuth profiles to control access to the broker as per your requirements. More information is available here:

    https://help.pubsub.em.services.cloud.sap/Cloud/enable-oauth-profiles-on-service.htm

    https://community.sap.com/t5/technology-blogs-by-sap/securing-advanced-event-mesh-comprehensive-guide-to-oauth-configuration-in/ba-p/13734268