[review] Security Guide #2321

renejeglinsky · 2026-01-16T09:23:51Z

General remarks on:

Remote Authentication

renejeglinsky · 2026-01-16T09:25:16Z

guides/security/authorization.md

-### Filter Conditions { #filter-consitions }
+### Filter Conditions
+
+For instance, a user is allowed to read or edit `Orders` (defined with the `managed` aspect) that they have created:


This idea was to move the example first, as we often do it in capire. We could do the same in other sections as well, if we agree on doing so. This is just an example to show what I mean.

renejeglinsky · 2026-01-16T09:29:43Z

Remote Authentication

That guide is based on a Java sample only, right? Are there plans for Node.js as well?

renejeglinsky · 2026-01-16T11:12:50Z

guides/security/authentication.md

 - streamlined SAP and non-SAP system [integration](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/integrating-service) (due to [OpenId Connect](https://openid.net/connect/) compliance)

-IAS authentication is best configured and tested in the Cloud, so let's enhance the started bookshop sample application with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF).
+IAS authentication is best configured and tested in the Cloud, so let's enhance the [previously started bookshop sample application](#mock-user-authentication) with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF).


It feels kind of hidden that we started an example. WDYT about making "Set up a Sample" an own section so that it can be found easily?

renejeglinsky · 2026-01-16T11:17:13Z

guides/security/authentication.md

+```sh
 TODO
+```


Needs to be filled

renejeglinsky · 2026-01-16T11:17:26Z

guides/security/authentication.md

+
 TODO
+


Needs to be filled

renejeglinsky · 2026-01-16T13:18:17Z

guides/security/authentication.md

+Mock users require **basic authentication**, hence sending the same request on behalf of mock user `alice` (no password) with
 ```sh
-curl http://alice:basic@localhost:4004/odata/v4/admin/Books
+curl http://alice:@localhost:4004/odata/v4/admin/Books


@PDT42 Is this correct or does Alice have a password? Please also check the curl command for correctness. Thanks :)

renejeglinsky · 2026-01-16T14:02:49Z

guides/security/authorization.md

 Unsupported privilege properties are ignored by the runtime. Especially, for bound or unbound actions, the `grant` property is implicitly removed (assuming `grant: '*'` instead). The same also holds for functions:

-```cds
+::: code-group


I feel it does make sense to show a wrong version and the resulting model after implicitly removing it. WDYT?
Please check the resulting model. Or is there a better/right way to show that?

renejeglinsky · 2026-01-16T14:21:35Z

guides/security/authorization.md

 | action/function |  <Na/>  | <Y/> | <Na/><sup>2</sup> | = `@requires` |

-> <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level. For example, you can use `where` clauses that *contain references to the model*, such as `where: CreatedBy = $user`. For all bound actions and functions, Node.js supports simple static expressions at the entity level that *don't have any reference to the model*, such as `where: $user.level = 2`.
+> <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level, see [link] (somewhere in Node.js docs)<br>


I felt that there was too much text that could be part of the runtime docs. I'm not saying is has to but maybe we can find a place for that and set a link here. Would be preferred.

renejeglinsky · 2026-01-16T14:25:50Z

guides/security/authorization.md


-> <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level. For example, you can use `where` clauses that *contain references to the model*, such as `where: CreatedBy = $user`. For all bound actions and functions, Node.js supports simple static expressions at the entity level that *don't have any reference to the model*, such as `where: $user.level = 2`.
+> <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level, see [link] (somewhere in Node.js docs)<br>
 > <sup>2</sup> For unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`.


Should it say "bound and unbound actions and functions"? In consequence we should add 2 also in the table for entity.
See:

Suggested change

> 2 For unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`.

> 2 For bound and unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`.

Example first

0440376