This document describes how you enable a business user to act as resource owner in an AS ABAP. A resource owner makes resources available for OAuth 2.0 enabled applications. These are Web-based or cloud applications that can access these resources on behalf of the resource owner.
You have created OAuth 2.0 clients as users of the type System in AS ABAP.
The following description shows you how to expose OAuth 2.0 enabled resources to users. The resources are represented as OAuth 2.0 scopes.
If you assign the S_SCOPE authorization object to a user and specify the scope IDs together with the allowed OAuth 2.0 client IDs as authorization values, you permit this user to delegate their own resources, in the form of OAuth 2.0 scopes, to one or more trusted OAuth 2.0 clients.
In the context of a grant type SAML 2.0 bearer, this means that a configured OAuth 2.0 client is allowed to access all the scopes that are assigned to the user.
To configure a resource owner in AS ABAP, you need a role with the authorization object S_SCOPE that contains both the OAuth 2.0 client and the scope. Take the following steps.
Even if the resource owner has access to multiple scopes, OAuth 2.0 grants access tokens only for some of those scopes, because the OAuth 2.0 client is itself restricted to a limited set of scopes.
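The two-sided restriction described above (the user's S_SCOPE values on one side, the scopes configured on the OAuth 2.0 client on the other) can be checked on paper before a role is transported. The following Python sketch is an added example, not SAP code and not part of the original document: it is a simplified model of the evaluation, and the scope IDs, client IDs, function names and the trailing-asterisk matching rule are all constructed assumptions.

```python
# Simplified model (an assumption, not SAP's implementation) of how the
# scopes in an access token are limited on two sides.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeAuth:
    """One S_SCOPE authorization the resource owner holds through a role."""
    scope: str    # scope ID value, may end in "*"
    client: str   # OAuth 2.0 client ID value, may end in "*"


def matches(value_pattern: str, value: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*' (assumed rule)."""
    if value_pattern.endswith("*"):
        return value.startswith(value_pattern[:-1])
    return value_pattern == value


def grantable_scopes(auths, client_id, client_scopes):
    """Scopes a token for client_id may carry on behalf of this user."""
    return sorted(
        s for s in client_scopes
        if any(matches(a.scope, s) and matches(a.client, client_id) for a in auths)
    )


def overbroad(auths):
    """Authorizations a reviewer should question: wildcard client or scope."""
    return [a for a in auths if a.client.endswith("*") or a.scope.endswith("*")]


# Constructed sample data: role content for one business user.
USER_AUTHS = [
    ScopeAuth("ZSALES_SRV_0001", "OA2_CRM"),
    ScopeAuth("ZHR_LEAVE_SRV_0001", "OA2_CRM"),
    ScopeAuth("ZHR_*", "OA2_HR"),
    ScopeAuth("ZFIN_SRV_0001", "*"),
]
# Constructed sample data: scopes configured on each OAuth 2.0 client.
CLIENT_SCOPES = {
    "OA2_CRM": {"ZSALES_SRV_0001", "ZFIN_SRV_0001"},
    "OA2_HR": {"ZHR_LEAVE_SRV_0001", "ZHR_PAY_SRV_0001", "ZSALES_SRV_0001"},
}

if __name__ == "__main__":
    for cid, scopes in CLIENT_SCOPES.items():
        print(cid, grantable_scopes(USER_AUTHS, cid, scopes))
    print("review:", overbroad(USER_AUTHS))
```

In the sample data the user has authorized ZHR_LEAVE_SRV_0001 for OA2_CRM, but that client is not configured for the scope, so it never appears in a token for OA2_CRM; the two wildcard entries are the ones to narrow during role review.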