Understanding Environment Restriction via Reader/Writer Teams

Objective

After completing this lesson, you will be able to restrict environment access to the desired users.

Scenario: The Reader Team Role Assignment

User Setup:

Assigned Roles: The user at the bottom of the hierarchy is part of the Reader Team and has been assigned the Model Read role.

The image shows two screenshots from the SAP SuccessFactors interface. One screenshot lists actions not allowed, such as editing, deleting, activating, deactivating, and copying the environment, as well as editing and deleting data. The other screenshot shows actions allowed, such as displaying the environment and data.

Role and Permission Details:

Reader Team Role:

This role restricts the user to read-only access within the runtime environment.

Model Read Role:

Grants the user permission to view (read) data and configurations but not make any modifications.

Allowed Actions:

Display Environment: The user can view the environment details.

Display Data: The user can access and view the data within the environment.

Restricted Actions: The user is forbidden from performing the following actions:

Edit Environment: Changing environment configurations.

Activate Environment: Activating the environment.

Deactivate Environment: Deactivating the environment.

Copy Environment: Creating duplicates of the environment.

Edit Data: Modifying the data within the environment.

Delete Data: Removing data from the environment.

Error Handling:

Forbidden Actions: Whenever the user attempts to perform any of the restricted actions, they encounter an error message indicating that the action is forbidden.

The User Setup

The image displays two screenshots. The first shows the Writer Team roles, where display of the environment and data is not allowed. The second screenshot shows the Standard Model Environment, where no actions are allowed on the environment or data.

Assigned Roles: The user is part of the Model Writer Team but does not have the Model Read role.

Objective: Analyze the limitations and necessary steps to grant adequate permissions for displaying and interacting with the environment.

Limitations:

Users with only the Model Writer role cannot even display the environment.

Scenario Highlight: Despite being part of the writer team, the absence of read permissions restricts users from viewing the environment.

Necessary Adjustments:

To allow a Model Writer to display the environment, you must combine the Model Writer role with the Model Read role.

Scenario: The User in Both Reader and Writer Teams

When a user is part of both the Reader and Writer Teams in SAP BTP, they gain a broader set of permissions that allow them to both view and edit environments along with their artifacts. This configuration is useful for roles that need comprehensive access to perform various tasks.

The image displays two sets of screenshots. The first set shows the Reader Team permissions, where the environment and data can be displayed. The second set shows the Writer Team permissions, where actions like editing, deleting, activating, deactivating, copying the environment, and editing/deleting data are allowed.

Scenario: User in Both Reader and Writer Teams

User Setup:

Assigned Roles: The user is assigned to both the Reader Team and the Writer Team.

Objective: Provide the user with the ability to display, view, and edit environments and artifacts.

Combined Permissions:

By being part of both teams, the user is granted permissions from both Reader and Writer roles.

Display Permissions: Granted by the Reader Team role.

Edit Permissions: Granted by the Writer Team role.
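
The three scenarios above, modelled in Python for an access review. This is an added example, not SAP code or an SAP API. The role names `read` and `write`, the action names and the sample users are assumptions chosen for illustration. It encodes the lesson's key rule that write permissions have no effect without read.

```python
# Added illustration: simplified model of the lesson's role scenarios.
# Role names, action names and sample users are constructed, not an SAP API.
READ_ACTIONS = {"display_environment", "display_data"}
# The six restricted actions listed in the Reader Team scenario.
WRITE_ACTIONS = {
    "edit_environment", "activate_environment", "deactivate_environment",
    "copy_environment", "edit_data", "delete_data",
}


def effective_actions(roles):
    """Actions a user can really perform with the given roles.

    Per the lesson, write permissions have no effect without read: a user
    who cannot display the environment cannot act on it either.
    """
    roles = set(roles)
    if "read" not in roles:
        return set()
    return READ_ACTIONS | (WRITE_ACTIONS if "write" in roles else set())


def is_allowed(roles, action):
    """True if the action is in the user's effective permission set."""
    return action in effective_actions(roles)


def review(assignments):
    """Classify each user's assignment for an access review."""
    findings = {}
    for user, roles in assignments.items():
        roles = set(roles)
        if "write" in roles and "read" not in roles:
            findings[user] = "write without read: cannot display, add read or drop write"
        elif {"read", "write"} <= roles:
            findings[user] = "read and write: can change environment and data"
        elif "read" in roles:
            findings[user] = "read only"
        else:
            findings[user] = "no access"
    return findings


# Constructed sample assignments, one per scenario in the lesson.
SAMPLE = {"reader": ["read"], "writer_only": ["write"], "both": ["read", "write"]}

if __name__ == "__main__":
    for user, finding in review(SAMPLE).items():
        print(f"{user:12} {sorted(effective_actions(SAMPLE[user]))} -> {finding}")
```

Running the review over a real export of team assignments surfaces both writer-only users, who have no usable access, and users holding both roles, whose ability to change data should be confirmed against need.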