change default service user role to internal-user (#91)

rlindner81 · web-flow · commit 96017248b324 · 2025-02-10T11:20:22.000+01:00
* change default service user role to internal-user

* update links

* update CHANGELOG.md

* wording
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## v1.2.4 - tbd
 
+### Changed
+
+- cds-plugin: change default service access role to `internal-user` (fixes #90).
+
 ## v1.2.3 - 2025-02-05
 
 ### Added
diff --git a/docs/plugin/index.md b/docs/plugin/index.md
@@ -37,8 +37,8 @@ all of them the same unique name. See
 
 _serviceAccessRoles_, _readAccessRoles_, _writeAccessRoles_, _adminAccessRoles_<br>
 By default the `FeatureService` read and write endpoints are accessible only to users with the CAP pseudo-role
-[system-user](https://cap.cloud.sap/docs/guides/authorization#pseudo-roles). Different projects have their own access role preferences, so this setting allows them to set a
-list of strings, which represent the roles required to access the service. For details see [@requires](https://cap.cloud.sap/docs/guides/authorization#requires).
+[internal-user](https://cap.cloud.sap/docs/guides/security/authorization#pseudo-roles). Different projects have their own access role preferences, so this setting allows them to set a
+list of strings, which represent the roles required to access the service. For details see [@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).
 
 It will usually be sufficient to set the `serviceAccessRoles` configuration, which covers both the read and write
 endpoints, but not the admin endpoints. If more discriminating access control is required, the `readAccessRoles` and
diff --git a/example-cap-server/.cdsrc.json b/example-cap-server/.cdsrc.json
@@ -6,8 +6,7 @@
         "system": {
           "tenant": "system",
           "password": "system",
-          "id": "system-user",
-          "roles": ["system-user"]
+          "roles": ["internal-user"]
         },
         "alice": {
           "tenant": "people",
diff --git a/example-cap-server/package.json b/example-cap-server/package.json
@@ -31,7 +31,7 @@
     "featureToggles": {
       "configFile": "./srv/feature/toggles.yaml",
       "serviceAccessRoles": [
-        "system-user",
+        "internal-user",
         "custom-role"
       ]
     }
diff --git a/src/service/feature-service.cds b/src/service/feature-service.cds
@@ -2,13 +2,13 @@
 
 @impl: '@cap-js-community/feature-toggle-library/src/service/feature-service.js'
 service FeatureService {
-    @(requires: ['system-user'])
+    @(requires: ['internal-user'])
     function state() returns {};
-    @(requires: ['system-user'])
+    @(requires: ['internal-user'])
     action redisRead() returns {};
 
     // NOTE: expects an object as input
-    @(requires: ['system-user'])
+    @(requires: ['internal-user'])
     @open
     action redisUpdate(newValues: {});
 
diff --git a/test/cds-test-project/.cdsrc.json b/test/cds-test-project/.cdsrc.json
@@ -6,8 +6,7 @@
         "system": {
           "tenant": "system",
           "password": "system",
-          "id": "system-user",
-          "roles": ["system-user"]
+          "roles": ["internal-user"]
         }
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@`
`31`	`31`	`"featureToggles": {`
`32`	`32`	`"configFile": "./srv/feature/toggles.yaml",`
`33`	`33`	`"serviceAccessRoles": [`
`34`		`- "system-user",`
	`34`	`+ "internal-user",`
`35`	`35`	`"custom-role"`
`36`	`36`	`]`
`37`	`37`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,7 @@`
`6`	`6`	`"system": {`
`7`	`7`	`"tenant": "system",`
`8`	`8`	`"password": "system",`
`9`		`- "id": "system-user",`
`10`		`- "roles": ["system-user"]`
	`9`	`+ "roles": ["internal-user"]`
`11`	`10`	`}`
`12`	`11`	`}`
`13`	`12`	`}`