SAP Community - SAP BTP Security

SAP BTP Trial Account RAP application's preview feature is not work

2025-11-05T14:31:54.559000+01:00

Then this popup occurred

When I opened Inspect in the browser console, I found the following error:

Log-dbg.js:497 2025-11-05 18:51:11.574300 GET /sap/opu/odata4/sap/zas_ux/srvd/sap/zas_pd_service/0001/$metadata - Could not load metadata: 403 Forbidden sap.ui.model.odata.v4.lib._MetadataRequestor
u @ Log-dbg.js:497
2_Helper-dbg.js:617 Uncaught (in promise) Error: Could not load metadata: 403 Forbidden

When I test the API directly, it also throws an error.

Transport app to another BTP subaccount

2025-11-06T21:13:48.158000+01:00

Hi Community,
how can I transport an app (e.g. SAP IAS) from one BTP subaccount to another ?

Thanks for your help.

Best Regards

IAS-IPS (SAP Security)

2025-11-07T15:28:51.630000+01:00

IAS & IPS

Content :

SAP Identity Authentication Service (IAS)
SAP Identity Provisioning Service (IPS)
Real World Scenario

SAP Identity Authentication Service (IAS)

IAS is SAP’s cloud-based authentication service.

Its core job is to make sure “the right user logs in securely to the right SAP application.”

Think of IAS as the gatekeeper.

What IAS Does

Authenticates Users (Login / Sign-in)

IAS verifies user identity when they try to log in to:

SAP BTP
SAP SuccessFactors
SAP Ariba
SAP Analytics Cloud
SAP S/4HANA Cloud
Any custom application connected to IAS

It checks:

Username + Password
Multi-Factor Authentication (OTP, SMS, Email, Authenticator App)
Certificates
Biometrics (via device IdP)

Single Sign-On (SSO)

IAS supports:

SAML 2.0
OAuth 2.0
OpenID Connect (OIDC)

So your users log in once and access all SAP apps without logging in again.

Acts as an Identity Provider (IdP)

IAS can serve as

Primary IdP

IAS handles authentication directly

Proxy IdP

IAS redirects authentication to:

Microsoft Azure AD
ADFS
Okta
Ping Identity
Any SAML-based IdP

IAS becomes the bridge between SAP systems and corporate identity providers.

Conditional Authentication Policies

IAS can decide:

Who can log in
From where
Under what conditions

Examples:

Allow MFA only when user logs in from outside office
Block login from certain countries
Force password reset for risky accounts
Apply SSO only for trusted devices

User Store (Identity Directory)

IAS stores user accounts, including:

Username
Email
First Name / Last Name
Groups
Password (if local authentication)

Note : BUT IAS does NOT create users automatically — IPS usually does provisioning.

Authorization Pre-Processing (via Groups → Mappings)

IAS can assign groups, and these groups can be mapped in target apps (like SAP BTP) to give role collections.

IAS Group = “FinanceUsers”

→ Mapped to

BTP Role Collection = “Finance App Access”

But IAS itself does NOT assign app roles.

Note : IAS group can only be mapped to BTP role collections, not to PFCG Role etc.

Branding & Custom Login Pages

IAS allows full customization of login screens:

Company logo
Color theme
Background
Messages
Terms & conditions

Security Enforcement

IAS applies:

Password policies
MFA rules
Account lockout rules
Device trust
Risk-based authentication

What IAS Does NOT Do

IAS does NOT create users(IPS or external IdP does)
IAS group does NOT assign roles in S/4, SAC, Ariba, etc.
IAS does NOT do provisioning(IPS does)
IAS does NOT perform GRC / SoD checks(IAG does)

SAP Identity Provisioning Service (IPS)

IPS is SAP’s central user provisioning and synchronization service.

It moves users from one system to another, ensuring that user accounts, attributes, and group/role assignments stay consistent across:

SAP BTP
IAS (Identity Authentication Service)
SAP S/4HANA Cloud
SAP Ariba
SAP SuccessFactors
SAP Analytics Cloud
Azure AD, Okta, Ping, etc.

Think of IPS as the “delivery service” for user accounts.

What IPS Does

Creates Users in Target Systems

IPS automatically provisions users into multiple systems.

Example:
SuccessFactors → IPS → IAS → BTP → S/4HANA

IPS can create user accounts in:

IAS
SAP BTP
S/4HANA Cloud
SAP Ariba
SAP Concur
SAP Analytics Cloud (via SCIM)

Updates User Attributes

If an employee changes department, email, manager, etc., IPS updates the data in all connected systems.

Example:
SuccessFactors updates → IPS sync → IAS/BTP/S4/Ariba update

Deletes / Deactivates Users

When an employee leaves the company, IPS can mark them inactive or delete their user account.

Maps and Transforms Attributes

IPS allows:

Attribute mapping
Attribute transformation
Conditional provisioning

Example:
IF user.department = "Finance" → assign group “FIN_USERS”

Assigns Groups / Roles (but not everywhere)

IPS can assign:

IAS Groups
BTP Role Collections
S/4HANA Business Roles
SAP Ariba groups
SAC roles (via SCIM)

But only where system supports it.

Connects to Many Identity Sources

IPS can read users from:

Azure AD
SuccessFactors
IAS
LDAP
Okta
On-premise systems (via Cloud Connector)

What IPS does NOT do

IPS does NOT Authenticate Users (IAS does)

Real World Scenario

Company:

A global manufacturing company using:

SAP SuccessFactors (HR system of record)
SAP BTP (custom apps, Integration Suite)
SAP S/4HANA Cloud (ERP)
SAP Ariba (Procurement)
SAP IAS (Authentication)
SAP IPS (Provisioning)
SAP IAG (Access Governance)

Scenario 1: A New Employee Joins the Company

Step 1 — Employee is Hired in SuccessFactors

HR creates a new employee: Rohan Sharma with below details

Department: Finance
Location: India
Manager: Priya Singh
Job: Accounts Payable Analyst

SuccessFactors stores all HR attributes.

Step 2 — IPS Reads Rohan’s Data from SuccessFactors

IPS acts as the "provisioning engine."

Flow: SuccessFactors → IPS → IAS

IPS automatically:

Reads new user
Maps attributes
Creates user in IAS
Assigns IAS group “Finance_Employees”
Pushes email, username, and department

Step 3 — IAS Creates User Entry + Prepares Authentication

IAS now has user:

Username: rohan.sharma
Email: rohan.sharma@company.com
Group: Finance_Employees
Status: Active

IAS does NOT assign roles.

IAS only sets up login policies:

MFA required
Corporate SSO allowed
Conditional rule: India region → allow password login

Step 4 — IAG Triggers Access Request Workflow

Rohan needs access to:

SAP BTP Finance App
S/4HANA Finance Business Roles
Ariba Buyer Role

In large companies, users cannot get access automatically,they must request access via IAG.

Flow:

Rohan goes to IAG Access Request Portal
Selects: "Finance Analyst Access Package"
Request goes to Manager (Priya Singh)
IAG performs SoD checks  No conflicting roles  No risk
Manager approves

Step 5 — IAG Sends Provisioning Action to IPS

After approval:

IAG → IPS → Target Systems

IPS now provisions the approved roles

In SAP BTP: Assigns BTP Role Collection:

Finance_Analyst_RoleCollection

In S/4HANA Cloud: Assigns Business Roles:

AP_STANDARD

FIN_POSTING

FIN_DISPLAY

In SAP Ariba: Assigns Ariba group:

Buyer_Professional

Step 6 — Rohan Logs In to SAP Systems

Rohan logs in to:

SAP BTP App

IAS checks login
IAS → BTP trusts IAS
BTP picks up role collection assigned via IPS

S/4HANA Cloud

Login route:
Browser → IAS → S/4
S/4 checks Business Role assignments provisioned via IPS

Ariba

IAS federates login → Ariba validates user groups

Step 7 — Rohan Changes Department (Employee Movement)

After 1 year, Rohan moves from Finance to Supply Chain.

HR updates this in SuccessFactors.

IPS reads update
IPS updates IAS + BTP + S/4HANA + Ariba
IAG dynamically checks if old roles must be removed.
Roles get de-provisioned: Finance roles removed & New Supply Chain roles added

Step 8 — Employee Exit

When Rohan leaves company:

HR marks employee as terminated in SuccessFactors
IPS deactivates him in IAS
IPS removes roles in BTP, S/4, Ariba
IAS blocks login

User access fully revoked

How to restrict editing of fields like UOM, weight, and volume in Fiori Manage Product Master Data?

2025-11-13T07:11:17.975000+01:00

Hello Expert,

I have a requirement to restrict editing of certain fields such as Unit of Measure (UOM), weight, and volume in the SAP Fiori Manage Product Master Data tile. These fields should be visible but not editable to users for data consistency and control purposes.

Currently, I am exploring various possibilities including:

Using UI adaptation/runtime authoring to make these fields read-only
Setting authorization roles and restrictions
Extending OData services or adding validations on the backend

Could you please share best practices or known solutions to achieve this? Is there any standard way or recommended approach within SAP S/4HANA and Fiori to restrict these specific fields on the product master data app?
SAP HANA Cloud, SAP HANA database SAP BTP ABAP environment Security NW ABAP User Administration and Authorization SAP BTP Security field masking for Web Client UI

SAP BTP ADMINISTRATOR Learning Path

2025-11-23T08:58:17.499000+01:00

I'm working in SAP Basis for 2 years, have worked on Public cloud and GRC too. Want to have the complete knowledge in SAP BTP Administrator. What will be the roadmap to achieve this. Firstly I want to learn that and then I want to complete a SAP certification which will make me ready to perform live activities. Later I wish to explore the Development side of SAP BTP too to advance my career. Any advice and roadmap for that.

Thanks a lot in advance.

Unable to authenticate backend system from SAP BAS via Cloud Connector – “Authentication incorrect”

2025-11-24T07:45:40.372000+01:00

Hello Experts!!

I am trying to consume an on-premise S/4HANA system from SAP Business Application Studio (BAS) using SAP Cloud Connector and a BTP Destination.

The Cloud Connector connection is reachable, and the Destination is visible inside BAS, but when I select the destination (“S4H”) in the SAP Fiori Generator wizard, BAS returns the error:

"Authentication incorrect. Please check the SAP BTP destination authentication configuration."

Even when I remove authentication from the BTP Destination and directly enter credentials in the BAS wizard, the same error appears.

I can successfully log in to the S/4HANA backend via SAP GUI with the same user and password, and the SAP Easy Access screen loads correctly.
However, BAS / Cloud Connector authentication fails.

Use Microsoft Entra Id to Secure CAP Fiori Application

2025-11-30T12:53:35.707000+01:00

I have an HTML5 application developed using SAP Fiori and CAP for Node.js. An XSUAA instance was created for security, and the application uses the Build Work Zone Managed App Router.

I want users to be able to browse the app even if they don’t have a BTP account. However, if they are part of our Microsoft tenant, they should be able to access and use the site.

I’m not sure how to achieve this. Any suggestions or resources would be highly appreciated. Thanks.

SAP BTP Integration Suite Cloud to SAP S4 Private Cloud

2025-11-30T18:21:37.643000+01:00

Dear All,

Good Day!

Is there any documentation/steps to integrate SAP BTP Integration Suite Cloud to SAP S4 Private Cloud via Oauth2.0 Bearer Token.

Am not finding any documentation from SAP.

Thanks and Regards,

Rajesh PS

Consume Soap service using post method in build process automation.

2025-12-08T23:27:59.568000+01:00

Hello community,

I am currently working with SAP BTP Build Apps and need to consume a SOAP web service using the POST method. Since Build Apps does not natively support XML payloads, I attempted to handle the integration through SAP Build Process Automation (BPA), but I am still unable to get it working.

Does anyone have technical documentation, best practices, or a concrete example of how to properly call a SOAP service from Build Apps (directly or via BPA/destination)?

Thank you in advance.

Principal propagation from SAP Digital Manufacturing Production Process towards S/4HANA public cloud

2025-12-17T10:45:33.035000+01:00

Hi experts,

I am working on a requirement that needs a custom production process in SAP Digital Manufacturing calling an SAP S/4HANA Cloud, Public Cloud OData api. I have followed the steps as mentioned in this blog post external-api-web-service-integration-with-sap-digital-manufacturing .

Here is my BTP destination in the subaccount where DM is subscribed.

tokenServiceURLType=Dedicated
audience=https\://myXXXXXX-api.s4hana.cloud.sap
authnContextClassRef=urn\:oasis\:names\:tc\:SAML\:2.0\:ac\:classes\:X509
includeSigningCertificateInSAMLAssertion=false
tokenServiceUser=ZS4H_DMC_COMM
tokenServiceURL=https\://myXXXXXX-api.s4hana.cloud.sap/sap/bc/sec/oauth2/token
skipUserUuidInSAMLAttributes=false
URL=https\://myXXXXXX-api.s4hana.cloud.sap/sap/opu/odata4/sap/zapi_productionorder_labels/srvd_a2x/sap/zser_mfg_label/0001
Name=S4-Dev-Label-api-pp
tokenServicePassword=<removed>
Type=HTTP
clientKey=ZS4H_DMC_COMM
Authentication=OAuth2SAMLBearerAssertion
nameIdFormat=urn\:oasis\:names\:tc\:SAML\:1.1\:nameid-format\:emailAddress
skipUserAttributesPrefixInSAMLAttributes=false
ProxyType=Internet
userIdSource=
SAMLAssertionProvider=DestinationServiceGenerated

I have created the communication arrangement in S/4HANA Cloud:

But when I test the production process which uses the service thus created is not working, i.e., failing with HTTP 401

The production process worked successfully when I had used basic authentication at the BTP destination.

So, does SAP DM support such principal propagation with destination using OAuth2SAMLBearerAssertion? Or where am I going wrong?

Best regards,

Sumit

EPD Collaboration: No workflows found in SBPA cross-subaccount setup

2025-12-18T23:14:43.602000+01:00

Hi everyone,

I am facing an issue where the SAP EPD Collaboration app cannot discover any processes from SAP Build Process Automation. The workflow dropdown in both 'Configure Collaboration' and 'Specification Types' remains empty, and the OData call to the "WorkflowProperties" returns 0 results.

Our architecture is the following:

Subaccount A: SAP Build Process Automation is subscribed and active here. This is where our processes are built and deployed.

Subaccount B : SAP EPD / IPD Collaboration is subscribed here.

Scenario: We need EPD in Subaccount B to trigger and manage workflows residing in Subaccount A.

I have attempted to bridge the two subaccounts by manually replicating the standard SBPA destinations in Subaccount B, pointing them to the Service Key credentials of Subaccount A. Specifically, I configured sap_process_automation_service and sap_process_automation_service_user_access.

I've searched but could not find any official documentation or for connecting these specific apps (EPD to SBPA) across different subaccounts. Most guides assume a single-subaccount setup where the SAP Booster handles the wiring automatically.

My questions:

Are these two specific destinations (sap_process_automation_service andsap_process_automation_service_user_access) designed to work across subaccounts for EPD discovery?

Does this scenario require an Identity Trust (SAML/OIDC) between the subaccounts for the discovery phase?

Any suggestions for this "split" architecture would be greatly appreciated.

Thanks!

BTP admin - Day to Day operation activities

2026-01-02T19:35:02.975000+01:00

Hi Experts,

Most of the BTP admin tasks are one-time activity ( account set up,Role assignment, IAS, Cloud connector integration and CTMS )

Could you please provide the list of daily operation activities of BTP admin from support and monitoring perspective.

Thanks in advance

Facing “Invalid Metadata” with Principal Propagation in SAP BTP Workzone

2026-01-09T10:33:33.684000+01:00

We’re currently working on an MTA project deployed to Cloud Foundry and integrated into SAP BTP Workzone.

Our setup uses Principal Propagation (one per client), but we’re consistently hitting issues:

401 error when trying to load metadata with Principal Propagation
Invalid metadata error since the metadata is not being retrieved.
Despite configuring Principal Propagation, the data is still not received
X.509 certificates for SSO for On-Premise is done by basis team.
with Basic Authentication it is working fine.

my Destination Setting:

👉 Has anyone faced similar challenges with Principal Propagation in Workzone?
👉 What are the key areas we should check (destination settings, authentication, trust configuration or Workzone site setup or MTA Project)?

Any guidance or pointers from the community would be greatly appreciated!

#SAP #SAPBASIS #BTPMTAProject #Authenticationissue #PrincipalPropagation

How can execution-time controls prove verified comprehension before obligation attaches?

2026-01-15T22:47:12.930000+01:00

Most compliance and security controls operate after execution, when obligation is already binding.

I’m exploring execution-time gating that enforces identity verification, disclosure acknowledgment, and verified comprehension before the moment of no return.

From a platform and security perspective, what patterns or controls exist today to prove comprehension at execution time rather than relying on post-hoc attestations or disclosures?

Looking for architectural approaches, not product recommendations.

Forms Service by Adobe (BTP): Persistent "No client with requested id" Error after Configuration

2026-01-20T20:49:08.473000+01:00

Hello SAP Community,

I am seeking assistance with a persistent authentication issue while setting up SAP Forms Service by Adobe in the BTP Cloud Foundry environment.

Despite following the standard setup documentation, I am unable to access the Template Store UI. I consistently receive the following error: No client with requested id: sb-ads-xsappname!b65488

What I have configured so far:

Entitlements: Added "Forms Service by Adobe" and "Forms Service by Adobe API" (free plans).
Subscription: Successfully subscribed to "Forms Service by Adobe" (default plan).
Instance: Created a service instance for "Forms Service by Adobe API" in my space.
Role Collections: Created and assigned a Role Collection containing ADSAdmin and TemplateStoreAdmin.
Direct Access: I have tried accessing the UI via the "Go to Application" link and via the direct URL found in the destination configuration.

Steps taken to resolve the issue (but failed):

Verified that the Application Identifier in the Role Collection matches the subscription.
Unsubscribed and re-subscribed to force a new OAuth registration.
Cleared browser cache and used Incognito/Guest modes.
Waited for propagation (over 30 minutes).

It seems the XSUAA service is still looking for a specific client ID (!b65488) that perhaps isn't being correctly mapped or registered in the Trust Configuration.

System Details:

Environment: Cloud Foundry
Region: US10
Identity Provider: Default and Custom

Has anyone encountered this specific mismatch before? Is there a way to force a refresh of the OAuth2 clients in the subaccount, or is this a backend issue that requires an SAP Support ticket?

Thank you for your help!

Use BTP Malware Service with VSCAN (VSI) - Detect hidden code in metadata of image file

2026-01-26T11:01:11.928000+01:00

Hi,

I have a requirement where we need to scan files uploaded via a Fiori application for malware (in our case attachments for a leave request). After some research I came across this amazing github project ( https://github.com/gregorwolf/sap-malware-scanning-vsi ) that explains how you can use the BTP malware service via the VSI BAdI to do your virus/malware scanning.

We initiated the BTP Malware instance, created the SM59 config, created all the classes and interfaces as per the github project, implemented the BADI and created the basic VSI configuration.

Now that all seems to be working correctly. When I use VSCANTEST with the standard Eicar test virus, it correctly detects the virus.

However when I try something more complex like hiding executable PHP code within the metadata of an image file, it does not detect this as malware :(. I tried searching through all available documentation, and it seems as if the VSI profile configuration options where you specify MIME types for active content is only if you configure a malware service via VSI and not when you use the BADI?

Has anyone tried this before where you use the VSI BADI to call a malware scanning service (Like the BTP one) and scan for things like PHP code in metadata? How I do that?

Kind Regards

Deon

SM59 Connection Test Error

2026-01-29T01:22:24.740000+01:00

Hello.

I am getting an error when trying to connect to the AVALA Tax service in SAP BTP using the OAUTH client profile.

SM59 Destinations Type G (HTTP External):
AVLR_AVATAX_ADDRESS
AVLR_AVATAX_GLOBAL
OAuth Profile : SAP_COM_0249_PREM
Error Observed : Create Failed

Testing Details:
T-code: SE38
Program Name: OA2C_GENERIC_ACCESS
HTTP Client Selection: SM59 Destination

HTTP Client Selection: URL option

Once SAP enables the required connectivity, the SM59 test should work as expected.

I would like to hear the opinions of seniors who can help me solve the above problem.

The SSAM app performs a full sync instead of a delta sync on login after 1–3weeks of inactivity

2026-02-09T20:55:14.754000+01:00

Issue Summary

When users of SAP Service and Asset Manager (SSAM 2405) do not use the mobile application for 1–3 weeks, the next login triggers a full data synchronization instead of a delta sync, resulting in significantly longer sync times.

Detailed Description

Users have reported that after a period of inactivity (approximately 2–3 weeks), logging into the SSAM mobile application triggers a full synchronization.
Normally, the application performs a delta sync to update only changed records, which is faster and more efficient.
Due to the full sync, the login process takes an extended time, impacting productivity and delaying field operations.
This behavior is observed consistently across multiple devices and users who have been idle for an extended period.

Expected Behavior

After a period of inactivity, logging into SSAM should perform a delta sync (syncing only changed data), not a full sync, unless there are configuration or data inconsistencies requiring a full sync.
The sync time should remain comparable to normal delta sync durations.

Actual Behavior

After 1–3 weeks of inactivity, the application performs a full sync, which significantly increases login and data retrieval time.

Impact

Reduced user productivity due to long sync times.
Delays in field operations and work order processing.
Increased network and backend load during full sync events.

Steps to Reproduce

Do not log in to the SSAM mobile application for 2–3 weeks.
Open the SSAM mobile app and log in.
Observe that the application performs a full sync instead of a delta sync.
Note the extended sync duration compared to normal delta sync operations.

Request / Questions for SAP Support

Is this behavior expected for extended idle periods, or is it a potential issue with delta sync?
Are there configuration settings or best practices to ensure that the application performs a delta sync even after long periods of inactivity?
Is there a recommended way to minimize sync time for users returning after prolonged inactivity?

SAP BTP Boosters with Terraform Documentation

2026-02-13T12:59:22.354000+01:00

Hi DevOps,

since I am tinkering around with Terraform and the SAP BTP Platform. After some ClickOps (Boosters, and otherapproaches) vs. Infrastructure/Configuration As Code (via Terraform and BTP CLI and other REST APIs) experiments later, I miss some better integrated documentation. The "booster" feature within the SAP BTP Cockpit is pretty neat for a fast start and some initial experiments, but pretty intransparent for productive purpose.

Does anyone know, if the various boosters could be exported as a Terraform project (resources, variables and so on)? That would make a review process much easier. Furthermore, some customizing of the configuration would be possible.

By the way, the Terraform Sample Repo goes already a great direction for documenting some missions. I wish, some other SAP recommended reference architecture would be presented here as well.

Happy coding,

Florian

The JWT token only contains the openid scope, but none of the custom application scopes

2026-02-17T14:32:15.275000+01:00

Hi,

I am building CAP application and try to add custom roles and rolecollections through xs-security.json. Deploying in CF.

When i deploy my xs-auth service, i can see roles and rolecollections being created, i can see them in BTP cockpit Rolecollections, Roles . But what is missing is, i cant see roles under rolecollections. I tried below -

1) Created just roles through xs-security.json and created rolecollections manually in BTP. when try to browse and attach roles to rolecollection, i cant find my roles, templates or application identifier.

2) Created both roles and rolecollections through xs-security.json - i cant see roles inside rolecollections.

3) Removed template $XSAPPNAME from "role-template-references" as per recommendations, but i cant deploy, it gives error.

4) I tried delete and recreated whole auth service with new template, application name, identifier... no luck.

I am getting authenticated, but authorization is failing. My application require annotations and actions to be controlled (who can press button and perform action, this require custom roles).

Attached template i am using. I am sure you might have similar situations before. Please let me know what is the best way to resolve this issue. As Always, thanks for your help.

Below is my app trace log.

template used as below:

{
"xsappname": "my-app-reprocess-v2",
"tenant-mode": "dedicated",
"description": "Message Reprocessing Application - Security Configuration",
"scopes": [
{
"name": "$XSAPPNAME.ReprocessViewer",
"description": "View messages, content, and statistics (read-only access)"
},
{
"name": "$XSAPPNAME.ReprocessAdministrator",
"description": "Full administrative access including reprocess operations and CRUD"
}
],
"attributes": [
{
"name": "email",
"description": "User email address",
"valueType": "string"
}
],
"role-templates": [
{
"name": "ReprocessViewer",
"description": "Read-Only Access - View messages and statistics",
"scope-references": [
"$XSAPPNAME.ReprocessViewer"
],
"attribute-references": [
"email"
]
},
{
"name": "ReprocessAdministrator",
"description": "Full Administrative Access - CRUD operations and reprocess actions",
"scope-references": [
"$XSAPPNAME.ReprocessAdministrator",
"$XSAPPNAME.ReprocessViewer"
],
"attribute-references": [
"email"
]
}
],
"role-collections": [
{
"name": "MessageReprocessViewersRC",
"description": "Message Reprocess Viewers - Read-only access",
"role-template-references": [
"$XSAPPNAME.ReprocessViewer"
]
},
{
"name": "MessageReprocessAdministratorsRC",
"description": "Message Reprocess Administrators - Full access",
"role-template-references": [
"$XSAPPNAME.ReprocessAdministrator"
]
}
],
"oauth2-configuration": {
"credential-types": ["binding-secret", "x509"],
"redirect-uris": [
"https://*.cfapps.example.com/**",
"http://localhost:*/**"
],
"token-validity": 3600,
"refresh-token-validity": 86400
}
}