SAP BTP CAPM Security: XSUAA vs. AMS Authorization Approaches Explained
- Brijesh
- Jun 13
- 2 min read
Updated: Jun 21

When building enterprise applications on SAP Business Technology Platform (BTP), securing your Cloud Application Programming Model (CAPM) services requires understanding two distinct authorization approaches: the established XSUAA method and the modern AMS-based architecture. Let's examine both with code examples and clear guidance for implementation decisions.
1. XSUAA-Based Security
Traditional AuthN/Z Workhorse
XSUAA (Authorization & Trust Management) has been CAPM's default security mechanism, handling both authentication and authorization through JWT tokens and OAuth2 flows.
// xs-security.json (xsappname, tenant-mode and the $XSAPPNAME scope prefix that XSUAA expects are added here; the values are illustrative)
```json
{
  "xsappname": "product-catalog",
  "tenant-mode": "dedicated",
  "scopes": [{
    "name": "$XSAPPNAME.ProductManager",
    "description": "Manage product catalog"
  }],
  "role-templates": [{
    "name": "product_manager",
    "description": "Product catalog manager",
    "scope-references": ["$XSAPPNAME.ProductManager"]
  }]
}
```
Implementation Steps:
Create XSUAA service instance
Bind to CAPM app via mta.yaml
Protect endpoints with CDS annotations (CAP's pseudo-role for any signed-in user is spelled 'authenticated-user'):
```cds
// Service-level check: any authenticated user may reach the service
service CatalogService @(requires: 'authenticated-user') {
  // Entity-level check: only users holding the ProductManager role,
  // which CAP derives from the XSUAA scope of the same name
  entity Products @(requires: 'ProductManager') { /*...*/ }
}
```
Testing Flow:
```shell
# Create the XSUAA service instance from the security descriptor above
cf create-service xsuaa application my-xsuaa-instance -c xs-security.json
# Bind the local CAP project to that instance for local (hybrid) testing
cds bind -2 my-xsuaa-instance
```
2. AMS-Based Security
Modern AuthZ Specialization
Authorization Management Service (AMS) separates concerns by integrating with Identity Authentication Service (IAS) for authentication while handling authorization through business roles.
// ams-security.json
```json
{
  "roleCollections": [{
    "name": "InventoryAdmin",
    "roleReferences": ["manage_inventory"]
  }]
}
```
Implementation Steps:
Configure IAS tenant
Create AMS instance
Use CAP's AMS tooling:
```shell
cds add ams   # Initializes AMS configuration
```
Then annotate the service; authentication is supplied by IAS (cds.requires.auth.kind = 'ias') and the CAP roles named in @requires are granted through AMS policy assignments:
```cds
// 'authenticated-user' is CAP's pseudo-role for any user signed in via IAS
service InventoryService @(requires: 'authenticated-user') {
  // The CAP role 'manage_inventory' is granted to users by their assigned AMS policies
  entity StockLevels @(requires: 'manage_inventory') { /*...*/ }
}
```
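To make the difference between the two sections concrete, here is an added example (not CAP's, SAP's or the post author's code) that models how a CAP service's @requires annotations are enforced under XSUAA, where the roles ride inside the access token as scopes, and under IAS + AMS, where the token only identifies the user and the roles are looked up from policy assignments. It assumes the token payloads have already been signature-verified (in a real CAP app @sap/xssec does that), uses a simplified xsappname prefix format, and the AMS assignment table and user ids are constructed sample data.

```javascript
'use strict';
// Added example, not CAP's or SAP's code: a simplified model of @requires enforcement.
// Assumptions: payloads are already signature-verified; the '<xsappname>.' prefix
// format is simplified; amsAssignments is a constructed in-memory table.

// The CDS annotations from the post, expressed as data. 'authenticated-user' is
// CAP's pseudo-role for any signed-in user.
const services = {
  CatalogService: {
    requires: 'authenticated-user',
    entities: { Products: { requires: 'ProductManager' } },
  },
  InventoryService: {
    requires: 'authenticated-user',
    entities: { StockLevels: { requires: 'manage_inventory' } },
  },
};

// (a) XSUAA: authorization travels inside the access token. CAP derives roles from
// the `scope` claim by stripping the '<xsappname>.' prefix; scopes that belong to
// other apps (or platform scopes such as 'uaa.user') are ignored.
function rolesFromXsuaa(verifiedPayload, xsappname) {
  const prefix = `${xsappname}.`;
  const roles = new Set(['authenticated-user']);
  for (const scope of verifiedPayload.scope || []) {
    if (scope.startsWith(prefix)) roles.add(scope.slice(prefix.length));
  }
  return roles;
}

// (b) IAS + AMS: the IAS token only identifies the user; the roles come from AMS
// policy assignments looked up separately, so authN and authZ are decoupled.
const amsAssignments = {
  // constructed sample data: user id -> CAP roles granted by assigned AMS policies
  'alice@example.com': ['manage_inventory'],
  'bob@example.com': [],
};
function rolesFromAms(verifiedIasPayload, assignments) {
  const roles = new Set(['authenticated-user']);
  for (const role of assignments[verifiedIasPayload.email] || []) roles.add(role);
  return roles;
}

// Enforce the service-level @requires first, then the entity-level one, which is
// the order CAP applies. Unknown services or entities are denied, never allowed.
function authorize(serviceName, entityName, roles) {
  const svc = services[serviceName];
  if (!svc || !roles.has(svc.requires)) return false;
  const ent = svc.entities[entityName];
  return Boolean(ent) && roles.has(ent.requires);
}

if (typeof require !== 'undefined' && require.main === module) {
  const xsuaaRoles = rolesFromXsuaa(
    { scope: ['product-catalog!t1.ProductManager', 'uaa.user'] }, 'product-catalog!t1');
  console.log('XSUAA user -> CatalogService.Products:',
    authorize('CatalogService', 'Products', xsuaaRoles));
  const amsRoles = rolesFromAms({ email: 'alice@example.com' }, amsAssignments);
  console.log('IAS/AMS user -> InventoryService.StockLevels:',
    authorize('InventoryService', 'StockLevels', amsRoles));
}
```

The point to notice is that the XSUAA path needs nothing beyond the token, while the AMS path needs a second source of truth (the policy assignments); that second lookup is what lets roles be changed without reissuing tokens, and it is also the component whose availability and audit trail you now have to manage.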
3. Key Comparison
| Criteria | XSUAA | AMS + IAS |
|---|---|---|
| Scope | Technical roles | Business-oriented roles |
| Token Handling | JWT with authZ claims | Decoupled authN/Z tokens |
| Tenancy | CF-space specific | Cross-tenant compatible |
| Migration Path | Legacy support | Future-proof |
4. When to Use Which Approach
Choose XSUAA When:
Working with existing CAPM applications
Needing quick POC development
Using SAP SuccessFactors integration
Opt for AMS When:
Building new cloud-native apps
Requiring fine-grained business roles
Implementing multi-tenant solutions
Needing separation of authN/authZ concerns
Migration Considerations
For existing XSUAA implementations transitioning to AMS:
Audit current role definitions
Map technical scopes to business roles
Use CAP's dual-mode support:
Final Recommendation
While XSUAA remains valid for existing implementations, new CAPM projects should adopt AMS for its clearer separation of duties and business-centric authorization model. The CAP documentation (cap.cloud.sap) provides updated guidance for both approaches, with AMS tooling now fully integrated as of CAP v676.
Always assess your identity provider requirements and regulatory constraints when choosing between these security models. Both approaches can coexist during transition periods, but AMS represents SAP's strategic direction for cloud-native authorization.