User access management

Objective

After completing this lesson, you will be able to set up your company’s SAP LeanIX access.

Access to SAP LeanIX

Everything begins with accessing SAP LeanIX. Thus, defining the preferred login method for your organization's users is crucial. Before settling on these foundational decisions, let's briefly clarify the distinctions between Authentication, Authorization, SCIM and User Roles, and how they're managed in SAP LeanIX:

  • Authentication

    Authentication is the process of verifying the identity of a user, system, or entity attempting to access a particular resource or system. It involves providing credentials to confirm the identity and ensure secure access.

    For SAP LeanIX, two ways of Authentication are possible: login with user name and password, or Single Sign-On (SSO) based on SAML 2.0 (see the options in the hands-on section below).

    Figure: Authentication
  • Authorization

    Authorization is the process of granting specific access rights once you are in the system. It is a crucial component of the broader access control process, which involves defining, managing, and enforcing policies that dictate what actions users or systems are allowed to perform.

    In simpler terms, after a user has successfully authenticated (proven their identity through mechanisms like user name and password), authorization determines what that authenticated user is allowed to do within a system or application. Authorization often involves assigning roles, permissions, or access levels to users, specifying what actions they can perform, what data they can access, and what functionality they can use.

    In SAP LeanIX, two ways to manage Authorization are possible: through User Roles maintained within SAP LeanIX, or through your SSO (IdP) when SSO is used for both Authentication and Authorization.

    Figure: Authorization
  • SCIM Provisioning

    While Authentication and Authorization define a user's access and permission rights, SCIM is responsible for synchronizing user information between systems throughout the user's life cycle.

    It synchronizes user information from the source system (AD/LDAP, or users maintained directly in the IdP) to the target system (SAP LeanIX). SCIM works in conjunction with Single Sign-On (SSO); hence SSO is also required.

    In a nutshell, the purpose of SSO is to verify during login time whether a user is allowed to access the system (authentication) and, optionally, what the user is allowed to do in the system (authorization).

    The three main use cases of SCIM are:

    Figure: SCIM Provisioning
  • User roles

    The overall access to SAP LeanIX is managed through User Roles. These defined access rights allow the Admin to control the access of each collaborator within SAP LeanIX. SAP LeanIX provides predefined User Roles, for which you can configure permissions on demand. If you are using SSO for Authentication and Authorization, you can also configure custom User Roles.

    User Roles define the overall access and permissions within the SAP LeanIX workspace. Later on, we will also delve into Subscription Roles within SAP LeanIX, which specify responsibilities for certain actions and Fact Sheets.

    If you are using SSO for Authentication and Authorization, you don't need to define User Roles within SAP LeanIX. The access rights are managed through your SSO (IdP).

    Hint

    Find further documentation here.

The default User Roles within SAP LeanIX are:

Figure: Default User Roles

Note

In the next lesson you can choose which method you want to implement for your SAP LeanIX workspace.

HANDS ON

Task alert

Click here to log in and open your workspace in another tab.

Afterward, proceed with the tasks below.

User Access Management

Access set up

This lesson is about configuring access management only; the invitation of users and matching their permissions follows later during onboarding. To manage your access setup, choose between three options:

OPTION 1: CHECK IF YOU WANT TO PROCEED WITHOUT SSO
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Description:

If your company does not utilize any form of Single Sign-On (SSO), you can proceed by using a user name and password to log in to the workspace. It is also possible to start with this method during onboarding and later transition to SSO as needed.

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

Your task:
  1. Configure the permissions of predefined User Roles within SAP LeanIX or, alternatively, follow SAP LeanIX best practices and use the default User Roles.

    How to - Only relevant if you want to change predefined permissions:

    To edit permissions, navigate to your Profile → Administration → Basic Settings, Meta Model Configuration → select the Fact Sheet Type you want to edit → Permissions, and define the general permissions per predefined User Role.

    Figure: Permissions
OPTION 2: CHECK IF YOU WANT TO USE SSO FOR AUTHENTICATION ONLY
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Description:

SAP LeanIX implements Single Sign-On (SSO) using the SAML 2.0 protocol. It is also possible to start with login via user name and password during onboarding and later transition to SSO as needed.

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

Your task:
  1. Send your company's IdP metadata XML (exported from your IdP) via this form to the SAP LeanIX Support team. If you are an SAP customer, submit a request via the SAP for Me portal. In addition, import the SAP LeanIX metadata and configure the SAML attributes required by the SAP LeanIX SP. Find the mapping attributes here.

    or set up manually:

    Reply URL (ACS): https://[yourleanixdomain].leanix.net/Shibboleth.sso/SAML2/POST
    Audience URI (entity ID): https://[yourleanixdomain].leanix.net/Shibboleth.sso

    Next: SAP LeanIX sets up a domain and configures it for your IdP. Once set up, the SAP LeanIX metadata is available at https://[customerdomain].leanix.net/Shibboleth.sso/Metadata

  2. After receiving an email from SAP LeanIX, you can test the access to https://[customerdomain].leanix.net/
  3. Once successful, login via user name and password (the default IdP) will be disabled.

    For example, prior to setting up SSO, you might be logging into SAP LeanIX via us-2.leanix.net. Once SSO is successfully configured, login via the default IdP will be disabled. At this point, login will only be possible via https://[customerdomain].leanix.net/

  4. Configure the permissions of predefined User Roles within SAP LeanIX or proceed with the default User Roles.

    To edit permissions, navigate to your Profile → Administration → Basic Settings, Meta Model Configuration → select the Fact Sheet Type you want to edit → Permissions, and define the general permissions per predefined User Role:

    Figure: Permissions
OPTION 3: CHECK IF YOU WANT TO USE SSO FOR AUTHENTICATION AND AUTHORIZATION
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Description:

SAP LeanIX implements Single Sign-On (SSO) using the SAML 2.0 protocol. It is also possible to start with login via user name and password during onboarding and later transition to SSO as needed.

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

Your task:
  1. Reach out to the SAP LeanIX Support team via this form.

    • Send your company's IdP metadata XML (exported from your IdP).
    • Import the SAP LeanIX metadata and configure the SAML attributes required by the SAP LeanIX SP. Find the mapping attributes here.
      • or set up manually:

        Reply URL (ACS): https://[yourleanixdomain].leanix.net/Shibboleth.sso/SAML2/POST
        Audience URI (entity ID): https://[yourleanixdomain].leanix.net/Shibboleth.sso

    • Inform them that you want to set up SSO Authorization.

      The configuration will depend on the system your company uses, as well as the specific permission rights you wish to configure.

    Next: SAP LeanIX sets up a domain and configures it for your IdP. Once set up, the SAP LeanIX metadata is available at https://[customerdomain].leanix.net/Shibboleth.sso/Metadata

  2. After receiving an email from SAP LeanIX, you can test the access to https://[customerdomain].leanix.net/
  3. Once successful, login via user name and password (the default IdP) will be disabled.

    For example, prior to setting up SSO, you might be logging into SAP LeanIX via us-2.leanix.net. Once SSO is successfully configured, login via the default IdP will be disabled. At this point, login will only be possible via https://[customerdomain].leanix.net/

  4. Edit existing User Roles or configure custom User Roles within SAP LeanIX as described here. To edit the permissions of existing User Roles, follow this instruction (of course, you are also welcome to proceed with the default User Roles).
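The manual SAML setup in Options 2 and 3 names two values the IdP must carry exactly: the Reply URL (ACS) and the Audience URI (entity ID). The following added example (not part of the SAP LeanIX lesson or product) derives those values from a customer domain and checks a constructed IdP SAML response against them, so an Audience or Recipient mismatch is caught before the IdP metadata is sent to Support. The customer domain `acme` and the sample response are assumptions.

```python
# Added example (not SAP LeanIX code): derive the SP values the lesson lists for
# https://[customerdomain].leanix.net and validate a SAML response against them.
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

def sp_settings(customer_domain: str) -> dict:
    """Expected ACS, entity ID and metadata URL for one LeanIX customer domain."""
    if not re.fullmatch(r"[a-z0-9-]+", customer_domain):
        raise ValueError("customer domain must be a single DNS label")
    base = f"https://{customer_domain}.leanix.net/Shibboleth.sso"
    return {"acs": f"{base}/SAML2/POST", "entity_id": base, "metadata": f"{base}/Metadata"}

def check_response(saml_xml: str, customer_domain: str) -> list:
    """Return a list of mismatches; an empty list means Audience and Recipient fit the SP."""
    exp = sp_settings(customer_domain)
    root = ET.fromstring(saml_xml)
    problems = []
    aud = [a.text for a in root.findall(".//saml:Audience", NS)]
    if exp["entity_id"] not in aud:
        problems.append(f"Audience {aud} != entity ID {exp['entity_id']}")
    for scd in root.findall(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != exp["acs"]:
            problems.append(f"Recipient {scd.get('Recipient')} != ACS {exp['acs']}")
    return problems

# Constructed sample response (assumption): the Audience was set to the bare
# tenant URL instead of the Shibboleth entity ID, a common IdP-side slip.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData
        Recipient="https://acme.leanix.net/Shibboleth.sso/SAML2/POST"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://acme.leanix.net/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for p in check_response(SAMPLE, "acme"):
        print("MISMATCH:", p)
```

Run it against a real response exported from your IdP's test login to see which of the two values still needs correcting; the check covers only the two URLs from the lesson, not signature validation.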

SCIM access management

SCIM set up:

Note

Please note that the setup process requires some time and can also be completed at a later point.
CHECK IF YOU WANT TO USE SCIM
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Description:

Use the following SCIM Endpoint to manage automated user provisioning:

https://{SUBDOMAIN}.leanix.net/services/mtm/v1/scim/v2

Replace {SUBDOMAIN} with your SAP LeanIX subdomain. You can copy the subdomain value from the workspace URL.

Your task:
  1. In your SAP LeanIX workspace, create a new technical user (Admin → Technical User) with an ADMIN permission role.
  2. Notify SAP LeanIX Support via this form and share the name of the Technical User, so we can grant the necessary rights (from accountuser to accountadmin).

    For a proper setup, we recommend getting in touch with the SAP LeanIX Support team.

  3. Using your technical user's API token, create a short-lived bearer token.
  4. Transform the short-lived bearer token into a long-lived bearer token. Keep in mind that you are synchronizing only the workspace in which you create the token.
  5. Configure provisioning in your IdP (URL: https://{SUBDOMAIN}.leanix.net/services/mtm/v1/scim/v2) using the long-lived bearer token that you created.
  6. Configure attribute mappings.
Figure: SCIM Provisioning
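Steps 5 and 6 above leave the SCIM endpoint and the attribute mappings to your IdP's provisioning UI. As an added illustration (not SAP LeanIX code and not a documented mapping), the example below builds the endpoint from the subdomain given in the lesson, translates a constructed IdP user record into a SCIM 2.0 User resource according to a hypothetical mapping table, and prepares the bearer-authenticated request without sending it; the IdP attribute names, the subdomain `acme` and the sample user are assumptions.

```python
# Added example (not SAP LeanIX code): SCIM endpoint, attribute mapping and request.
import json
import re
import urllib.request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def scim_endpoint(subdomain: str) -> str:
    """SCIM base URL from the lesson; the subdomain is validated so it cannot rewrite the host."""
    if not re.fullmatch(r"[a-z0-9-]+", subdomain):
        raise ValueError("subdomain must be a single DNS label")
    return f"https://{subdomain}.leanix.net/services/mtm/v1/scim/v2"

# Hypothetical attribute mapping (assumption): SCIM attribute path -> IdP attribute name.
MAPPING = {
    "userName": "userPrincipalName",
    "externalId": "objectId",
    "name.givenName": "givenName",
    "name.familyName": "surname",
    "emails[0].value": "mail",
}

def to_scim_user(idp_user: dict, mapping: dict = MAPPING) -> dict:
    """Translate an IdP record into a SCIM User; a disabled IdP account maps to active=false."""
    user = {"schemas": [SCIM_USER_SCHEMA], "active": bool(idp_user.get("accountEnabled", True))}
    for path, src in mapping.items():
        if src not in idp_user:
            continue
        if path == "emails[0].value":
            user["emails"] = [{"value": idp_user[src], "primary": True}]
        elif "." in path:
            parent, child = path.split(".", 1)
            user.setdefault(parent, {})[child] = idp_user[src]
        else:
            user[path] = idp_user[src]
    if "userName" not in user:
        raise ValueError("userName is required by SCIM")
    return user

def build_request(endpoint: str, token: str, user: dict) -> urllib.request.Request:
    """Prepare POST {endpoint}/Users with the long-lived bearer token (not sent here)."""
    return urllib.request.Request(
        f"{endpoint}/Users", data=json.dumps(user).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"})

# Constructed IdP record (not real data): an account that was just disabled in the IdP.
SAMPLE_IDP_USER = {"userPrincipalName": "jdoe@example.com", "objectId": "0000-1",
                   "givenName": "Jane", "surname": "Doe", "mail": "jdoe@example.com",
                   "accountEnabled": False}
```

Because `active` follows the IdP account state, the same mapping carries a deprovisioning through to the workspace, which is the life-cycle synchronization SCIM is meant to provide.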

User access management Checklist

Please confirm you have completed the task below:

  1. I have chosen the method for user authentication and authorization that aligns with my organization's strategy and decided on how users can access