All users, including those for SAP Integration Suite, are managed via the SAP BTP cockpit for the respective subaccount. Before assigning user rights to individuals, familiarize yourself with the concept of user management on SAP BTP. Understanding how user rights are allocated and the different types of users within SAP BTP—and consequently within SAP Integration Suite—is essential. This knowledge ensures that you can effectively manage access and security within your SAP environment. It also helps to plan and determine who should have which kind of permissions in your SAP Integration Suite setup. This can be done using the ISA-M Methodology as described in this learning journey.
Understanding User Types and User Management
Objectives
- Describe User Management in SAP BTP.
- Assign and manage roles and role collections within SAP BTP to ensure proper user permissions.
Introduction
User Types and Account Structure
SAP BTP distinguishes between two user types:

- Platform users are usually administrators or operators (DevOps) who work with cloud management tools and deploy, administer, and troubleshoot services on SAP BTP. These are usually users who directly log on to SAP BTP cockpit and work there. These can also be developers who work and use services in Cloud Foundry spaces.
- Business users use the business applications that are deployed on SAP BTP. For example, the end users of a deployed custom application or users of subscribed apps or services, such as SAP Business Application Studio, are business users.

SAP BTP is organized into global accounts at the highest level. A global account reflects a contract with SAP. It can consist of several directories and/or several subaccounts that provide different applications and services to users. Further levels exist to structure and organize the work. For example, if you have too many subaccounts in a global account, you can create directories to structure them.

Subaccounts can have up to three environments: Cloud Foundry, Kyma, or ABAP environment. Depending on which are selected, the environments allow business applications to be developed and administered with different approaches and tools. Inside the environments and their content, such as the runtime and service instances, users are also required so that access and authorizations can be provided.

Anyone who wants to use the services of SAP BTP must exist as a user and receive the specific authorizations through roles. User management happens at all levels, from the global account through directories and subaccounts to the environments. Each level requires an administrator who administers the resources and the users on that level. How you administer depends on the level you are on.
When a customer signs a contract with SAP, a user is created at the global account level. On this level, entitlements are defined, assigning entities and services, including billing information. The global account administrator can initially log on to SAP BTP to manage these entitlements and create directories and subaccounts. To ensure that more than one employee can administer the global account, the administrator needs to create other users at the global account level and assign them administrator permissions.

Typically, a global account consists of various subaccounts. When a global account administrator creates a subaccount, they automatically become the administrator of the subaccount. The subaccount administrator can manage entitlements and service subscriptions, create other users on the subaccount level, and assign roles to the users. Subaccount administrators get administration authorizations for the subaccount only, not for the global account.

Subaccount administrators also create business users. Business users are consumers of applications and services that are provided on SAP BTP (for example, SAP Integration Suite) or business applications (SaaS) that were created with the help of the tools and services provided by SAP BTP. These users can have access to SAP BTP, but they cannot perform any administrative tasks. If a business user only uses a single application on SAP BTP, they do not necessarily require access to the SAP BTP cockpit (meaning the subaccount), but only to the application. In this case, the subaccount administrator creates the user on a subaccount level and only assigns application authorizations to the user.
Learn more about working with users in the SAP Help Portal.
Role Collections
You need to be authorized to use different functions of SAP BTP. You can configure authorizations using roles and role collections.

Role collections consist of individual roles that combine authorizations for resources and services on SAP BTP. A role collection can comprise one or multiple roles. You only assign role collections to users, not individual roles. Users receive the roles and their authorizations automatically through the role collection assignment. Role collections are managed separately at each SAP BTP level. Role collections that exist in the global account do not exist in the subaccounts. Likewise, role collections in subaccounts are not available in the global account.
SAP BTP already delivers a predefined set of role collections for platform users and also for application users. To set up administrator access for platform users in the global account, directories, subaccounts, and so on, an existing administrator of a certain level on SAP BTP assigns predefined role collections to other platform users.
For users of applications that can be subscribed on SAP BTP, there are also predefined role collections that become available after application subscription. It is also possible to create custom role collections with roles inside that give permissions for custom applications deployed on SAP BTP.
The roles come from the SAP BTP services you use and from the developers who deliver the role templates for those services. When the service enables it, you can customize these role templates. In many scenarios this is not possible, and you need to use the roles as provided by the service, compose them into role collections, and assign these role collections to users. The developers of a service may also provide role collection templates, but besides that, you can always create your own role collections.
Note
All users of SAP BTP are stored in identity providers. How you assign users to their authorizations depends on the type of trust configuration with the identity provider. If you're using the default trust configuration with SAP ID service, you can assign users directly to role collections. However, if you're using a custom identity provider, you can assign role collections to individual users directly, or you can map role collections to user groups or other user attributes defined in the identity provider. This is called federation.
The custom identity provider hosts users who can belong to user groups. It's efficient to use federation by assigning role collections to one or more user groups. The role collection contains all the authorizations that are necessary for this user group. This method saves time when you add a new business user. Simply add the users to the respective user groups, and the new business users automatically get all the authorizations that are included in the role collection.
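
The resolution described above, from direct assignment or group mapping through role collections to roles, can be modeled as follows. This is an added example, not SAP code: every role, role collection, group, user, and identity provider label in it is hypothetical, and the data is constructed. The last function lists direct assignments to custom identity provider users, which an access review would check because removing the user from a group does not revoke them.

```python
"""Model of role-collection resolution in one subaccount (constructed data)."""

# Role collection -> roles it bundles. All names here are hypothetical.
ROLE_COLLECTIONS = {
    "IntegrationDeveloper_RC": {"WorkspaceRead", "WorkspaceEdit"},
    "IntegrationMonitor_RC": {"MonitoringRead"},
    "SubaccountAdmin_RC": {"SubaccountAdmin"},
}

# Federation: user group in the custom identity provider -> role collections.
GROUP_MAPPINGS = {
    "integration-devs": {"IntegrationDeveloper_RC"},
    "integration-ops": {"IntegrationMonitor_RC"},
}

# Direct assignments: (identity provider label, user) -> role collections.
DIRECT_ASSIGNMENTS = {
    ("default-idp", "admin@example.com"): {"SubaccountAdmin_RC"},
    ("custom-idp", "dev1@example.com"): {"SubaccountAdmin_RC"},
}


def effective_collections(idp, user, groups=()):
    """Direct role collections plus, for the custom IdP, group-mapped ones."""
    collections = set(DIRECT_ASSIGNMENTS.get((idp, user), set()))
    if idp == "custom-idp":  # group mapping applies only to federated users
        for group in groups:
            collections |= GROUP_MAPPINGS.get(group, set())
    return collections


def effective_roles(idp, user, groups=()):
    """Roles are never assigned directly; they follow from role collections."""
    roles = set()
    for name in effective_collections(idp, user, groups):
        roles |= ROLE_COLLECTIONS[name]
    return roles


def direct_grants_on_custom_idp():
    """Review list: direct assignments that survive group membership changes."""
    return sorted(
        (user, rc)
        for (idp, user), rcs in DIRECT_ASSIGNMENTS.items()
        if idp == "custom-idp"
        for rc in rcs
    )
```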