Managing Users and Authorizations in SAP BTP ABAP Environment

Objective

After completing this lesson, you will be able to describe users and authorizations in ABAP environment

Users and Authorizations in ABAP Environment

Note

Within this lesson, we focus on assigning authorizations manually via the ABAP environment admin UI. Provisioning and federation approaches are not further explained in this learning journey. As the Identity Access Management (IAM) of the SAP BTP, ABAP environment has a lot in common with the Identity Access Management in SAP S/4HANA Cloud Public Edition, we're just giving a first introduction and overview here. If you want to learn more in detail about the Identity Access Management, check out the corresponding learning journey: Managing User Identity and Access in SAP S/4HANA Cloud Public Edition

Next to this you can consult the official documentation: Identity and Access Management in SAP BTP, ABAP environment

Screenshot showing Identity Access Management apps.

Identity Access Management in the SAP BTP ABAP environment is essential for securing applications and data by managing who has access to what. By integrating with identity providers, defining roles and permissions, organizations can ensure robust security and streamlined access management. Continuous monitoring, regular audits, and adherence to best practices are critical to maintaining an effective IAM strategy.

Understanding and implementing these IAM principles, you can ensure that your SAP BTP ABAP environment remains secure, compliant, and aligned with your organizational objectives. As an administrator of the ABAP environment, you work with the corresponding admin tool. Part of this admin tool is the Identity Access Management with all applications needed to maintain users and roles, and getting further insights through traces.

Diagram showing user and authorizations.

The user and authorization concept used in the ABAP environment is completely decoupled and independent from the concept of roles and role collections on the account level of SAP BTP or within Cloud Foundry. The ABAP environment runs on top of the Cloud Foundry environment. Therefore, administrators or developers may also need the right authorizations inside of Cloud Foundry to create the ABAP environment or other services that are consumed by an application running in the ABAP environment.

User and authorization management within the ABAP environment is based on the Identity Access Management. This consists of several objects like Business Users, Technical Users, Business Roles, Business Catalogs, and more.

Diagram with information about technical users and business users in the ABAP environment.

User management within the ABAP environment operates independently from the platform user and business user concepts intrinsic to SAP BTP. Although business users exist within the ABAP environment, their utilization diverges significantly. In this context, different categories of users are designated for distinct purposes, each possessing unique capabilities.

Technical Users

Technical users are associated with local or remote processes and are essential for cloud management activities such as system provisioning and support. These users can belong to either the software or service provider, or to the customer.

Communication Users

A communication user is a specialized technical user assigned to a communication system for inbound communication purposes. They can be assigned credentials like a password or an X.509 certificate. An administrator in the ABAP environment uses the Maintain Communication Users app in the SAP Fiori launchpad to create these users locally, as they are not transported between systems. Credentials for technical users may vary across different systems.

Support Users

Support users represent a distinct category of technical users designated for temporary access. These users are specifically intended for SAP employees, who utilize them to access the system in response to a customer-initiated support ticket. They can also be used by partners that are vendors of SaaS solutions running in the ABAP environment.

Business Users

A business user refers to an individual who interacts with the system directly. These users are created to grant personnel access to the system for operational purposes.

In the ABAP environment, user master data is stored locally, and similar to other environments within SAP BTP, the ABAP environment can also leverage identity providers for user management.

Two screenshots showing Identity Access Management user maintenance. The first screenshot has an arrow highlighting a section and containing the text Details of a Business User. The second screenshot has an arrow with text saying Overview of Technical Users.

Maintaining users and user groups is also a task of administrators. The IAM offers several apps for this. To create or maintain business users, you can use the app Maintain Business Users. For displaying technical users, you can use the app Display Technical Users. There's also an app for maintaining business user groups available.

Two screenshots: Business Role Templates and Maintain Business Roles.

Business Role Templates

Business role templates in the SAP BTP ABAP environment are predefined sets of roles that align with common job functions or business needs. These templates provide a basis for creating customized roles that can be assigned to users, thereby streamlining the process of role management and ensuring consistency in access rights across the organization. Business role templates themselves cannot be assigned directly to users. Whenever you create a role to grant permissions to a user, it's worth checking whether a suitable business role template already exists.

Business Roles

A business role defines a set of applications and the necessary authorizations (permissions) required to perform specific job functions, such as those of a Warehouse Manager, Sales Manager, Developer, or System Administrator. A business role encompasses all the tasks a user needs to execute as part of their job responsibilities.

As previously mentioned, there's no inherent distinction at the user level between technical employees, such as developers or administrators, and end-users who interact with the software. This differentiation is achieved solely through the assignment of business roles, which come with the appropriate authorizations for various features and functions.

In practice, administrators or developers may also have end-user authorizations in addition to their technical permissions. This assignment is made possible through the flexible concept of business roles, ensuring that each user has the exact access needed to perform their duties efficiently and securely within the SAP BTP environment.

Business roles are assigned to business users. Multiple business roles might be assigned to a single user. And a role might, of course, be assigned to different users.

Diagram depicting the concepts of Identity Access Management in the ABAP environment.

As you've already learned about Business Role Templates, Business Roles, and Business Users, let's focus on the remaining objects within this authorization concept of IAM.

Business Catalog

The ABAP environment organizes business functionality into semantically meaningful business catalogs, each representing specific tasks or subprocesses within a larger business process. These catalogs are the most granular units for structuring work and assigning authorizations. By using business catalogs, you can grant access to an individual app, a set of apps, or specific features within an app. Certain business catalogs come with restrictions, allowing you to fine-tune how users interact with the app. For instance, you can specify whether a user has read-only access or full write permissions. Business catalogs can only be maintained by SAP and by your developers with the right development tools.

Restriction

At the role level, restriction values for the included business catalogs are established to enforce access controls. These restrictions enable the segregation of duties and responsibilities, ensuring that each business user accesses only the necessary resources. This is achieved by adding specific authorization values to the restriction fields. Each business catalog delineates the available access categories for maintenance and outlines the applicable field restrictions. Consequently, the business role consolidates the authorizations derived from the assigned catalogs.
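To make the relationship between business catalogs, restrictions, business roles, and business users concrete, here is an added Python model that computes a user's effective authorization across several assigned roles. It is not SAP code and not how the ABAP environment implements its checks internally; all catalog, role, and user IDs, and the "*" convention for an unrestricted field, are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of the IAM objects in this lesson (not SAP code): a catalog
# defines access categories and restriction fields, a role bundles catalogs and fixes
# restriction values, and a user's effective authorization is the union over all roles.

@dataclass(frozen=True)
class BusinessCatalog:
    catalog_id: str
    access_categories: frozenset  # e.g. {"READ", "WRITE"}
    restriction_fields: frozenset  # e.g. {"SalesOrg"}

@dataclass
class BusinessRole:
    role_id: str
    catalogs: dict = field(default_factory=dict)  # catalog_id -> granted access + values

@dataclass
class BusinessUser:
    user_id: str
    roles: list = field(default_factory=list)

def add_catalog(role, catalog, access, restrictions):
    """Attach a catalog to a role, accepting only categories and fields the catalog defines.
    An unlisted restriction field gets no allowed values; "*" means unrestricted (assumed)."""
    if not set(access) <= catalog.access_categories:
        raise ValueError(f"{catalog.catalog_id} does not offer {set(access) - catalog.access_categories}")
    if not set(restrictions) <= catalog.restriction_fields:
        raise ValueError(f"unknown restriction field for {catalog.catalog_id}")
    values = {f: set(restrictions.get(f, ())) for f in catalog.restriction_fields}
    role.catalogs[catalog.catalog_id] = {"access": set(access), "values": values}

def is_authorized(user, catalog_id, access, field_values):
    """True if any role of the user grants `access` on the catalog for the given field values."""
    for role in user.roles:
        grant = role.catalogs.get(catalog_id)
        if grant is None or access not in grant["access"]:
            continue
        if all("*" in allowed or field_values.get(f) in allowed
               for f, allowed in grant["values"].items()):
            return True
    return False

# Constructed sample data (IDs are illustrative, not delivered SAP objects).
CAT_SALES = BusinessCatalog("ZCAT_SALES_ORDERS", frozenset({"READ", "WRITE"}), frozenset({"SalesOrg"}))
ROLE_CLERK = BusinessRole("ZBR_SALES_CLERK")      # read/write, but only in sales org 1000
add_catalog(ROLE_CLERK, CAT_SALES, {"READ", "WRITE"}, {"SalesOrg": {"1000"}})
ROLE_AUDITOR = BusinessRole("ZBR_SALES_AUDITOR")  # read-only, unrestricted
add_catalog(ROLE_AUDITOR, CAT_SALES, {"READ"}, {"SalesOrg": {"*"}})
USER_JDOE = BusinessUser("jdoe", [ROLE_CLERK, ROLE_AUDITOR])
```

With both roles assigned, jdoe can write sales orders only in sales org 1000 but read them everywhere, which is exactly the consolidation of catalog authorizations across roles that the text describes.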

Launchpad Space

Launchpad spaces define the organizational structure of the launchpad interface. By assigning specific launchpad spaces to distinct business roles, you ensure that the relevant launchpad space is accessible to all users associated with the corresponding business role. With the administration tools for the launchpad, administrators can adjust or create the launchpad and its spaces if needed.

If you want to learn more about launchpad spaces, check out this learning journey about SAP Fiori: Learning the Basics of SAP Fiori

App and Application Data

Apps refer to the various software applications that users access and interact with within an organization; in this case, these are the applications deployed and running in the ABAP environment. The business catalog gives access to the app and its application data. Application data typically refers to the user-related information, business data, or access policies managed within the IAM system.

Screenshot from Maintain Business Roles showing how to create a business role.

To create or adjust a business role, use the Maintain Business Roles app. You have the option to start a new business role from scratch or based on a business role template. When you start based on a business role template, you first need to select the template and afterward adjust the business role ID and the description, and decide whether you also want to reuse the predefined launchpad spaces. After choosing OK, you'll be forwarded to the detail screens of the business role maintenance.

Two screenshots from Maintain Business Roles showing how to assign business roles.

When you're maintaining a business role, you can maintain:

  • General Role Details: General information, for example, ID, description, long text, and so on.
  • Business Catalogs: The business catalogs that should be part of the business role. You also maintain the restrictions here.
  • Launchpad Space: The launchpad spaces that will be displayed to the end user who has this business role assigned.
  • Business Users: The business users that the business role gets assigned to.

When you've defined all the role details and assigned users to the role, you choose Save to save the role. You can change the role anytime via the same app.

Caution

Your system is upgraded regularly to deliver new features and improvements. These changes may include changes or deprecation of apps, business catalogs, and business role templates. To adjust your business roles after an upgrade, use the app Manage Business Role Changes after Upgrade. For more information, check the documentation: Manage Changes and Deprecations After Upgrade

Screenshot from Identity Access Management Key Figures screen.

The Key Figures app in the SAP BTP ABAP environment's IAM framework is a powerful tool for monitoring and managing user access and security metrics. By providing insights into user activities, role assignments, and compliance metrics, the app empowers administrators to make informed decisions, enhance security, and ensure compliance. Regular use of the Key Figures app helps in maintaining a robust and efficient IAM system that supports organizational goals while safeguarding critical assets. The overview displays:

  • User metrics
  • Role and permission metrics
  • User activities
  • And more

Manage Business Roles in the ABAP Environment

You want to inspect and create business roles in the SAP BTP, ABAP environment.

Task 1: Inspect Existing Business Roles and Business Role Templates

Result

You've inspected the existing business roles and business role templates of the ABAP environment.

Task 2: Create a New Business Role Based on a Business Role Template

Result

You've created a new business role based on a business role template. In a real scenario, you may change the role and add or remove additional elements like business catalogs, launchpad spaces, or assignments to business users.