SAP BTP CAPM Security: XSUAA vs. AMS Authorization Approaches Explained

  • Brijesh
  • Jun 13
  • 2 min read

Updated: Jun 21

When building enterprise applications on SAP Business Technology Platform (BTP), securing your Cloud Application Programming Model (CAPM) services requires understanding two distinct authorization approaches: the established XSUAA method and the modern AMS-based architecture. Let's examine both with code examples and clear guidance for implementation decisions.


1. XSUAA-Based Security

Traditional AuthN/Z Workhorse

XSUAA (Authorization & Trust Management) has been CAPM's default security mechanism, handling both authentication and authorization through JWT tokens and OAuth2 flows.

    // xs-security.json
    {
      "scopes": [{
        "name": "ProductManager",
        "description": "Manage product catalog"
      }],
      "role-templates": [{
        "name": "product_manager",
        "scope-references": ["ProductManager"]
      }]
    }

Implementation Steps:

  1. Create XSUAA service instance
  2. Bind to CAPM app via mta.yaml
  3. Protect endpoints with CDS annotations:

    // CAP's pseudo-role for "any logged-in user" is 'authenticated-user';
    // 'ProductManager' is granted through the role template above.
    service CatalogService @(requires: 'authenticated-user') {
      entity Products @(requires: 'ProductManager') { /*...*/ }
    }


Testing Flow:

    cds bind -2 xsuaa-service   # Local testing
    cf create-service xsuaa application my-xsuaa-instance


2. AMS-Based Security

Modern AuthZ Specialization

Authorization Management Service (AMS) separates concerns by integrating with Identity Authentication Service (IAS) for authentication while handling authorization through business roles.


    // ams-security.json
    {
      "roleCollections": [{
        "name": "InventoryAdmin",
        "roleReferences": ["manage_inventory"]
      }]
    }


Implementation Steps:

  1. Configure IAS tenant
  2. Create AMS instance
  3. Use CAP's AMS tooling:

    cds add ams   # Initializes AMS configuration

    service InventoryService @(requires: 'ias-auth') {
      @ams.check(roles: ['manage_inventory'])
      entity StockLevels { /*...*/ }
    }
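To make the difference between the two sections concrete, here is an added example (not code from the original post or from SAP's CAP runtime) that models, in simplified form, how a CAP service evaluates an @requires annotation under each approach: with XSUAA the caller's roles come from the JWT's scope claim, with AMS + IAS they come from a separate policy lookup. The xsappname, the token payloads and the policy table are constructed assumptions.

```javascript
// Added example, not code from the original post or from SAP/CAP: a simplified
// model of how a CAP service evaluates an @requires annotation for both approaches.
// XSUAA: roles are derived from the JWT "scope" claim by stripping "<xsappname>.".
// AMS + IAS: the IAS token carries identity only; roles come from a policy lookup.
// All token payloads below are constructed samples (decoded, not real tokens).

const XSAPPNAME = 'catalog-app'; // assumed xsappname of the sample XSUAA app

// XSUAA: "catalog-app.ProductManager" -> role "ProductManager"; foreign scopes are ignored.
function rolesFromXsuaaToken(payload, xsappname = XSAPPNAME) {
  const prefix = `${xsappname}.`;
  return (payload.scope || [])
    .filter((s) => s.startsWith(prefix))
    .map((s) => s.slice(prefix.length));
}

// AMS + IAS: `policyLookup` is an assumed stand-in for the AMS decision call,
// keyed by the user identifier from the IAS token.
function rolesFromAms(payload, policyLookup) {
  return policyLookup(payload.sub) || [];
}

// Evaluate an @requires value: 'any', the pseudo-role 'authenticated-user',
// a single role name, or a list of roles (any one of them grants access).
function isAuthorized(requires, { authenticated, roles }) {
  const required = Array.isArray(requires) ? requires : [requires];
  return required.some((r) => {
    if (r === 'any') return true;
    if (r === 'authenticated-user') return authenticated;
    return authenticated && roles.includes(r);
  });
}

// Constructed samples: an XSUAA token with a product-manager scope, an IAS token
// with no authorization claims, and an AMS-style role assignment for that user.
const xsuaaPayload = { sub: 'user-1', scope: ['catalog-app.ProductManager', 'openid'] };
const iasPayload = { sub: 'user-2' };
const amsPolicies = { 'user-2': ['manage_inventory'] };

function demo() {
  const xsuaaRoles = rolesFromXsuaaToken(xsuaaPayload);
  const amsRoles = rolesFromAms(iasPayload, (id) => amsPolicies[id]);
  return {
    xsuaaProducts: isAuthorized('ProductManager', { authenticated: true, roles: xsuaaRoles }),
    xsuaaStock: isAuthorized('manage_inventory', { authenticated: true, roles: xsuaaRoles }),
    amsStock: isAuthorized('manage_inventory', { authenticated: true, roles: amsRoles }),
    anonymous: isAuthorized('authenticated-user', { authenticated: false, roles: [] }),
  };
}
```

Note that the IAS token alone grants nothing: without the policy lookup, `rolesFromAms` returns an empty list and every role check fails, which is the decoupling the comparison table refers to.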


3. Key Comparison

    Criteria         XSUAA                  AMS + IAS
    Scope            Technical roles        Business-oriented roles
    Token Handling   JWT with authZ claims  Decoupled authN/Z tokens
    Tenancy          CF-space specific      Cross-tenant compatible
    Migration Path   Legacy support         Future-proof

4. When to Use Which Approach

Choose XSUAA When:

  • Working with existing CAPM applications

  • Needing quick POC development

  • Using SAP SuccessFactors integration

Opt for AMS When:

  • Building new cloud-native apps

  • Requiring fine-grained business roles

  • Implementing multi-tenant solutions

  • Needing separation of authN/authZ concerns


Migration Considerations

For existing XSUAA implementations transitioning to AMS:

  1. Audit current role definitions

  2. Map technical scopes to business roles

  3. Use CAP's dual-mode support:


Final Recommendation

While XSUAA remains valid for existing implementations, new CAPM projects should adopt AMS for its clearer separation of duties and business-centric authorization model. The CAP documentation (cap.cloud.sap) provides updated guidance for both approaches, with AMS tooling now fully integrated as of CAP v676.

Always assess your identity provider requirements and regulatory constraints when choosing between these security models. Both approaches can coexist during transition periods, but AMS represents SAP's strategic direction for cloud-native authorization.
