https://cdnapisec.kaltura.com/p/1921661/sp/192166100/playManifest/entryId/1_tyf3wtms/format/download/protocol/https/flavorParamIds/0

Configuring Roles and Authorization in SAP RPM

created the subscription for both the options basically we have assigned RPM into this particular sub account with the both the options for the first option which I have created if I click on go to application you will not be able to see any of the RPM application tiles right basically so I entered into an RPM launchpad where I will not be able to see any of the applications. This is because I have not assigned any users to RPM and also have not utilized any of the RPM roles for that particular users. So in the next step, I will be showing how you can configure the identity authentications, basically the authorizations, and also how you can access the rpm application from there yeah any questions um nothing yet in the chat i think you can prepare the next video if something comes up i will inform you yeah sure okay yeah i think we can continue maybe more questions will come up later yeah so in this particular video um just a second i still see your folder not the video uh i will reshare it again now i see your video configuring identity provider thank you okay yeah thanks so now we will see how to configure the identity provider So for the demo purpose I have used SAP own identity providers but it is not mandatory that you should use the SAP identity provider itself. You can have your own identity providers and also can configure it to SAP BTP and access RPM application. So to configure any of the identity providers what you need to do is that you need to go to a sub account. Currently I'm there in the sub-account which I've created in the previous steps. Also, I went to a security section and I'm coming to a trust configuration. When I click on the trust configuration, you will be able to see two different options. One is establishing the trust automatically and also one thing is configuring the trust manually. What will happen is that when you click on establish trust, so it will be listing down all the identity providers which are available on the landscape suppose in case if you have not seen this particular option uh already uh from your end then what you have to do is that you need to click on uh the manual uh setup yeah so currently i'm showing with suppose in case the automatically you have got this identity provider which is there in the landscape how to configure the same so by default the automatic configuration will be for the open id connect and also as and when you establish it it will be in the active status so you can make it as inactive suppose in case if you don't want to use this particular identity provider Yeah, so currently have you used this as and when you see that and once you open your identity authentication, now I'm showing SAP's own identity authentication service. This is how the SAP own identity authentication service launchpad looks like and here you will be having multiple options to configure the tenants. So once you click on Application and Resources and click on Applications, what will happen is that whatever the test account which you have created will be displayed automatically here, which means that when you click on Establish Trust, automatically your IAS will be taking the subaccount information where you have established a connection and that will be displayed it here automatically. Once you click on the subaccounts, you will be having multiple options. By default, the OpenID Connect will be the protocol which will be taken by the identity provider. But you can choose to segregate into a SAML as well. Currently, we support both. Also, there are multiple options you can use for the subject name identifier. So, the recommendation is to have the email as a subject name identifier for your identity provider so that the email will be used for logging into the RPM application. So, there are multiple options. You can use it and play around with your identity provider. Now, I will be deleting whatever I have created automatically and I will show how you can configure the trust manually. For that, what you need to do is that you need to click on new trust configuration. For that, you have to go to the identity provider and you need to choose the tenant settings. Yeah, so inside the tenants settings, there is an option called SAML 2 .0 authentication configuration. So from here, you need to download the metadata file, store it in your local. And this metadata file which you have downloaded, you will be loading back into the subaccount where you want to configure the IDP. so I will be choosing the metadata file automatically the information will be taken so you can have your name of your own and click on save so once you click on save automatically the configuration or a protocol which will be using is a SAML protocol yeah so now you have established a trust between the idp and the cockpit the next step is you need to establish a trust from cockpit to a idp so for that what you need to do is that you need to download the saml file so this is how like this step was automatically created in the previous step right when you click on the established trust now i will be doing everything manually yeah so i will be adding the name here so since the tenant is already available here uh it will throw you an error saying that the tenant is already available okay it's not available yet yeah fine so now uh what i will do is that uh if you see here saml 2.0 protocol is already selected but the saml configuration is not yet done it says that not configured so which means that trust between the cockpit or idp is not yet established right so for that what i will do is that i will go to the cockpit again i will download the saml metadata from the cockpit store it in local and i will be uploading the saml metadata file back into the idp yeah so what i did till now currently is that I will download the metadata file from the IDP and upload it into the cockpit. And then as a next step, I will be downloading the metadata file from the cockpit and uploading back in the IDP. So basically, I will be establishing a link from IDP to a cockpit and cockpit to an IDP. So now I can establish a connection. There are different options which you will be getting it. I'm not changing anything. I will be going with the default options and I will be saving it. This particular step is very specific to the IDP. Since I'm using SAP Identity Provider, the steps are as follows. Since I had the RPM test account before, it is not allowing me to save. So, what I established in the previous step as a default step, I will be deleting that and I will be reloading the SAML metadata again and configuring it. So, if you have utilized the default option in the previous steps, then you will be getting the same error in your IDP as well. Yeah, so now it will allow you to save it. So now, the SAML to configuration step will take certain time to reflect. So once this is done and you will be able to see that instead of not configured, it says that the configuration is done and also you will be able to see the cockpit link. So by default, you will be having the basic configuration as user ID. So, the recommendation is to change the configuration from user ID to an email. So, you have to go to subject name identifier and choose the option from user ID to email. So, with that, the trust between the cockpit and as well as the identity provider is established. If you want to know more about how to configure the identity providers, you will be getting a link inside the cockpit itself. You can click on that particular link, which will be navigating into the specific information, how to use the custom identity providers and how to access that and all those informations, which are very generic to any SAP BTP application. So you can go through that and configure it accordingly. Any doubts on the same? So, no questions yet. Maybe colleagues will save them up for the end of the day. I think we can continue then with the next part. Yeah, so with that, now we saw the linkage between the IDP as well as SAP BTP cockpit where the RPME is subscribed to. Now we will see how to create a user as well as the role collections. Yeah, how to create basically the user in both IDP as well as in the cockpit. Then probably we'll see how we can create a role for RPM and how to access the RPM application. We'll be sharing it. Let me know, Paul, when my screen is visible. I'm seeing the identity authentication service now. Are you able to see the video? no i see the ias at the moment no i'm still in the identity authentication service okay i will stop sharing it and reshare again is that visible now no you still shared again the identity authentication service okay i think some technical issue give me a second now i see creating a user and Vanni is that the last block of your part? I will be having one more video to be played, probably I can go through that quickly. Yeah, so now we will see how we can create a user in SAP Identity Authentication Service and also how we can utilize the same user in the cockpit. Yeah, so for that what you need to do is that you need to go to the users and authorizations and you need to go to the user management there are multiple options we can choose it one thing is import users and add users so import user option is to basically if you have if you want to upload the entire csv file of users you can utilize the same or you want to create a users individually you can create it individually as well so currently I'm showing like how you can create the user in IDP via a create option so I'm giving the valid email address which is existing it and also there are multiple options for the account activation so you can choose any of these options and make the user which is available for the idp yeah so i'm you going with the initial password option so we can have the initial password set up and click on save so once you create a user here next step is to add the same user into your sub account So I will be adding the same user into a sub -account which is already created and where the RPM subscription is already done and also the IDP setup is done for the same sub -account. So I'm clicking on users. I will click on create. And here I will be adding the same email which I have added in the IDP. and also there is an option to choose the identity providers so I created the identity provider with the name RPM test IAS so I will be choosing the same and if you have multiple identity providers you will be getting all those options here which are active and you need to choose the right identity providers and assign have an email and create a user. So this is how you will be creating the user both in the IDP as well as in the cockpit. So once the user is created by default he will not be having any authorizations and any roles. In the next video we will be seeing how to assign the role collections and how to access RPM. Any questions? Not in chat yet. Then next video will be your last before we go into the integration, right? Yes. So I think we should just go to the next video and then make a quick pause before we go into the integration then let's continue here yeah let me know when my screen is visible or I will reshare it again like before so I see your screen and you're in the identity authentication service is that the video yeah 12 minutes 0 3 okay yeah yeah so now we have created a user both in the cockpit as well as in idp so next step is uh to configure the uh the rpm specific uh details yeah so for that what we need to do is that i can quickly go through that so now uh we will be adding the users and also setting up a password and all these steps which we have done yeah we have already added the users yeah so also the no uh none of the role collections are assigned to this particular user so now i will click on role collections which you can see it inside the sub account and by default you will be able to see all the role collections which are coming up some are specific to our sub accounts and some are specific to applications. So I was talking about the business users as well as a platform users, right? So you will be able to see the role collections, which you can assign it to a platform users and business users accordingly. So from returnables, we have exposed multiple role collections. One is a configuration expert, another one is a machine learning specialist, and also the packaging manager yeah so these are the role collections you will be able to see as and when you assign an entitlement and do the subscription for rpm so each role collection will have set of roles which are associated to that these are the predefined roles and also the role collections yeah so currently none of the users are associated with this particular role collections so these role collections you cannot alter it but you can create your own custom role collections and also you can assign the roles which you want to add it for that yeah so now I will be creating a test role collection sorry and have created the test role collection and I will be adding the different roles for that. So I will select some of the roles which are for RPM. So these details you will be finding it in our help guide. So you can go through that what roles are meant for what and which are associated to which applications. You can choose it accordingly and create a custom role collections from your end so one option is you can add edit it and add the user from directly from here and choose the email id and all these details directly from here and save it or you can directly go to the users and add the role collection so you can do it in both the ways yeah so now what I have done is that I will go to the users I will choose the respective email IDs which I have created I will click on assign role collections so here what I will do is that I will add the default role collections which are exposed out of the application so currently I am adding packaging manager which has multiple roles yeah so i am assigned i have assigned this role now what i will do is that i will go to rpm application so i will go to the instance and subscriptions click on rpm and i will click on so once you get this option uh you will be able to see multiple uh options so one is with your default identity provider another one is a custom identity provider which you have configured so you can choose any of these and access it accordingly so if you want to go with a custom identity option you need to click on the custom identity option so by default it took it with the default thing I did a sign out and again I did a sign in again so I will choose the choose the custom default identity provider so it will ask me the initial name since I have said I will skip all these details due to the time constraint so basically these are the possible errors you must be getting it so I have activated it now once I log into the application I will be able to see all the the applications which are meant for this particular role yeah so currently you will be able to see now I will go back to the cockpit will go to the users again I will be adding the one more role collection which we we have given out of RPM. So I will be adding the configuration expert. So once I add this particular role now if I refresh the cockpit so it has its own set of authorizations. So once I refresh the cockpit I will be able to see the rest of the applications as well which are meant for that particular role collection so this is how you will be able to access the rpm application establishing a trust creating a user assigning the role collection and then accessing the application yeah i would like to take a pause here. Yes, thank you, Vani. Any questions, we can take it, otherwise we can proceed with other details here. So if there are any questions, you can put them in the chat while we pause here. Jörg, you're unmuted to add something. So I just wanted to say that And thanks a lot, Vani, for presenting this setup of the RPM application. And as it's like a one -time exercise for the system administrator, I think many of you might not do this. So thanks a lot for joining the session. But also see this as an opportunity to ask questions. So if something is not clear and you will have to set up the application in some time, it is now your chance to ask questions and also for us to understand where we should also maybe improve our documentation. So please take your time and ask any questions you like. And before we jump into the next part, there are still two questions open. The first one was about training environment and RPM demo license. So maybe Jörg and Meher, you can comment on that, how the demo instances and what we do here about training environment or what the approach here is. yes sure so for the if you just have a bdp license you you can do you can do two things on the one hand there is an rpm demo available a demo account a trial account is available But this trial account would only make it possible that you can access the RPM application with some predefined demo data on one of our own landscapes and not on your own BTP landscape. If you want to use RPM on your own BTP landscape, you would have to...

Share feedback

<p>We are aware of intermittent issues in accessing the learning content</p>

We are aware of intermittent issues in accessing the learning content

Personalize your learning.

Why create an SAP account?

Enhance your learning experience

SAP Learning

Choose your subscription

Manage your subscription

Live Sessions

Hands-on Practice

Certification

My Learning

Ready to start learning?

Creating Role Collections and Assigning Users

cleanFiles/bookmap_Implementing_SAP_Returnable_Packaging_Mana_en-US_learning-sap-com_lsc-prod.zip (MMCP-DROPZONE) - 2025-06-06T09:20:41.000Z

<div id="content"><div class="parentsection"><div class="section"><p tabindex="0">In the following it will be focused on configuring identity providers and accessing RPM applications via SAP BTP. It begins by addressing the issue of missing application tiles due to unassigned users and roles. We then delve into setting up identity authentication and authorization, covering both manual and automatic trust configurations with identity providers. The discussion includes creating users, assigning roles, and linking accounts between identity providers and the SAP cockpit.</p><p tabindex="0">Additionally, the guide explores configuring role collections, setting up users with diverse roles, and troubleshooting common access and authentication challenges in RPM applications. This guide is designed to assist users in effectively managing and securing access to RPM, ensuring robust configuration and user management practices. Follow along for detailed instructions that will help enhance your understanding and usability of these crucial processes.</p><div class="kalturaVideoLessonWrapper"><div id="1_tyf3wtms" data-testid="video" class="kalturaVideoLessonContainer" aria-label=""></div></div><p tabindex="0">The key aspects discussed are:</p><ol><li tabindex="0"><strong>Setting up Subscriptions and Assignments</strong>: Initial steps involve setting up subscriptions for application access and assigning proper roles and users to RPM to ensure visibility and functionality.</li><li tabindex="0"><strong>Configuring Identity Authentication and Authorization</strong>: Detailed instructions on configuring identity providers, both automatically and manually, including the interaction between identity providers and the SAP BTP landscape.</li><li tabindex="0"><strong>User Creation and Management</strong>: Steps to create and manage users in the identity provider and SAP cockpit, detailing how to assign roles and activate user accounts.</li><li tabindex="0"><strong>Role Assignments and Access Control</strong>: Explanation on configuring role collections specific to user types (e.g., business users, platform users) and how to assign these roles to users to grant appropriate access permissions for RPM applications.</li><li tabindex="0"><strong>Navigating through Identity Services</strong>: Guidance on using SAP's Identity Authentication Service to manage and verify user identities, ensuring secure access to applications.</li><li tabindex="0"><strong>Troubleshooting and Error Handling</strong>: Tips on addressing common errors encountered during the setup process, particularly relating to identity provider configurations and user authentications.</li></ol><p tabindex="0">These aspects focus on ensuring that SAP RPM applications are correctly set up with secure access and proper user management on the SAP BTP landscape.</p><div class="note"><div class="noteTitle"><span class="noteIcon"><img src="/icons/note.svg" title="Note"></span><span class="noteTitleText">Note</span></div><div class="noteBody">You can find more information on Roles and Authorization here: <a href="https://help.sap.com/docs/SAP%20RETURN%20PACK%20MGMT%20OD/ec52d66b5cd9439294779f1b65963aed/177c5f2e032146d9bac3a1da2fa28c2b.html" target="_blank">SAP Help: SAP Returnable Packaging Management - Administrator's Guide</a></div></div><p tabindex="0">In the following sections, we will provide a simulation that accurately reflect real system behavior, allowing you to gain hands-on experience and a better understanding of the actual SAP Returnable Packaging Management environment.</p></div></div></div>

Role Collection and User Creation

<div id="content"><div class="section"><div class="simulationTile exercise"><div class="content"><span class="simulationLabel">Exercise</span><a class="simulationButton" target="blank" href="https://learnsap.enable-now.cloud.sap/pub/mmcp/index.html?show=project!PR_BC728F47A834284:uebung">Start Exercise</a></div><div class="simulationImage"><img class="no-zoom" alt="" src="/illustrations/simulation-exercise.svg"></div></div></div></div>

Create User and Role Collection

This browser is not supported

Please try again later

Sorry, we encountered an error

Try again or reset results to continue browsing

We didn’t find what you’re looking for

To continue, please log in

Your session has timed out

Validate your skills and learning by completing the certification exam and gain a highly recognised accreditation.

Book your certification exam

Complete the assessment to validate your SAP PartnerEdge competency qualifications.

Ready to take your assessment?

Learn about the key features and essentials in the latest release to help you prepare for the Stay Certified assessment.

Prepare for assessment

Learn new skills you need at your own pace with our bite-sized lessons.

Prepare for certification

In your My Learning account you can view your certification and learn how to take your Stay Certified assessment.

Ready to take your Stay Certified assessment?

Explore {title} at SAP Learning. Find out more!

You have earned a new badge!

You've completed

Something went wrong when connecting to the badge service. You can always check your achievements in My Learning.

Badge couldn’t be issued

You’ve finished the course, but the external system didn’t verify it. Please try again later or refresh the page to update your record.

We couldn’t confirm your completion

The learning content has been updated. Refresh the page to reload the most recent content.

Your course content has changed

This badge was already awarded earlier, so no new one is added. You can view it anytime in My Learning.

You’ve already earned this badge

We couldn’t finish your request due to an unexpected error. Please refresh the page and try again. If the issue continues, check My Learning or try again later.

Something went wrong...

The saved progress data isn’t valid, so we couldn’t update your course status. Please try again later or refresh the page.

We couldn’t load your progress

{count, plural, one {Objective} other {Objectives}}

Assessment

Course Completion

Knowledge Badge

Overview

Support Resource

Certification Exam

Theoretical Exam

Schedule

External Course

Practical Exercise

Practical Test

External Hands-On

External Resource

Learning Journey

Learning Journey Assessment

Lesson

Live Session

Practice System

Quiz

Scenario Based Assessment

Course Assessment

Course

Stay Certified

Subscription

System Based Assessment

Test Out

Unit

Video

Video Playlist

Week

Your exclusive access to the SAP Learning Hub, event edition is ready. <link>Start learning now.</link>