Maintaining Business Users

Objective

After completing this lesson, you will be able to manage Business Users.

Business Users and Authorizations

As mentioned previously, predefined role collections are deployed with the SAP Cloud Identity Access Governance service. These role collections ensure that users can access and use specific apps that are relevant for their job function and their dedicated tasks. Within the framework of access governance, tasks have different levels of risk and sensitivity. By assigning the right role collections, you can ensure that users can only perform administrative tasks in line with their job function.

Note

SAP Cloud Identity Access Governance is a cloud solution that undergoes frequent changes and enhancement. The information about the recent updates can be found on the SAP Help Portal. For the current overview of all pre-deployed role collections, refer to the official documentation: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/b9bec487c67947f284347b8e4e7650e4.html.

Business users are not created in the default identity provider but rather in Identity Authentication, which is part of the bundle solution. You can also make users from a connected LDAP server available. For this, Identity Authentication must be configured accordingly.

Role collections are not directly assigned to users in the SAP BTP cockpit. Instead, users in Identity Authentication (IAS) are assigned to groups. These groups are mapped with SAP BTP role collections. The group information is synchronized between the Identity Authentication tenant and the SAP Cloud Identity Access Governance on SAP BTP. The defined role collections will be indirectly assigned to the users based on the users included in the mapped IAS user groups.

The required steps are the following:

  1. Create user groups in Identity Authentication and assign users to them.
  2. Map role collections in the SAP BTP Cockpit to the created user groups.
  3. Synchronize user groups information between the Identity Authentication and SAP Cloud Identity Access Governance subaccount.

For more information, refer to the official documentation: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/d62c01ecdf314eaa8aa73a46ecb9d74f.html

User Groups in Identity Authentication Tenant

A user group is a collection of users. Groups serve to create sets of users who have something in common, for example, users who work in the same department or users who have similar tasks in a company.

Identity Authentication tenant administrators can create user groups, and assign and unassign groups to users using the administration console for Identity Authentication. As an administrator, you need to have the Manage Groups role assigned to you.

For the initial setup of SAP Cloud Identity Access Governance, user groups in the Identity Authentication tenant are required so that the pre-defined role collections in the SAP BTP cockpit can be mapped to them. As a prerequisite, a trust relationship between the Identity Authentication tenant and the SAP Cloud Identity Access Governance subaccount needs to be established, and Identity Authentication has to be configured as the custom identity provider.

Before you create user groups for the SAP Cloud Identity Access Governance, you have to maintain assertion attributes in Identity Authentication.

Maintain Assertion Attributes in Identity Authentication

Screenshot showing Maintaining Assertion Attributes

  1. Log on to the Identity Authentication service. Access the tenant's administration console for Identity Authentication by using the console's URL.

    The URL has the following pattern:

    https://<tenant ID>.accounts.ondemand.com/admin

  2. Under Applications and Resources, choose the Applications tile.
  3. Choose the service provider, which is the SAP Cloud Identity Access Governance subaccount.

    The name of the service provider has the format XSUAA_<Subaccount Name>, but you can change it if needed.

  4. On the Trust tab, choose Assertion Attributes.
  5. Ensure the following user attributes are maintained and the assertion attributes are entered as a value.

    Assertion Attributes

    User Attribute    Assertion Attribute
    Groups            Groups
    First Name        first_name
    Last Name         last_name
    E-mail            mail
  6. Optional: Add the user attribute Groups, if it is missing by choosing Add.

    Note

    The assertion attribute name is case-sensitive. Make sure that the letter G is in upper case.
  7. Choose Save.

For more information, read the official documentation on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/1691c1f23b2743ba95dfc2cb4b039e31.html

Create User Groups in Identity Authentication

Screenshot showing steps to Create User Groups in Identity Authentication

SAP Cloud Identity Access Governance services look for groups with specific names representing different owner groups. These groups have to be created in Identity Authentication. The overview of the required groups can be found on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/d62c01ecdf314eaa8aa73a46ecb9d74f.html

  1. In the administration console of Identity Authentication, choose Users & Authorizations.
  2. Choose User Groups.
  3. Choose Create to create a new user group.
  4. Fill in the required information: the name of the user group, the display name, and the description.

    Note

    When you create user groups for the SAP Cloud Identity Access Governance, you must follow this naming convention: IAG_<TYPE>_<NAME>.

    There are also specific groups that are required by SAP Cloud Identity Access Governance services. The overview of the required groups can be found on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/d62c01ecdf314eaa8aa73a46ecb9d74f.html

  5. Choose Create.
  6. Add users to the group by selecting the newly created group from the list and choosing Add.

    Now you can select the users that are maintained in Identity Authentication and add them to the group.

Demo: Create User Groups in Identity Authentication

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.

Map Role Collections to User Groups

To enable users to work with the SAP Cloud Identity Access Governance, you need to map the role collections that are pre-delivered with the services to user groups that you have created in the Identity Authentication. It is only then that users who are assigned to the user groups will be provided with the authorizations to access the services of the SAP Cloud Identity Access Governance.

Screenshot showing steps to Map Role Collections to User Groups

  1. In your SAP Cloud Identity Access Governance subaccount, choose Security, then Trust Configuration.
  2. Under Custom Identity Provider, choose the IAS tenant that was configured in the previous steps.
  3. Choose New Role Collection Mapping to create a new mapping rule.
  4. In the dialog box, choose the role collection that you want to map. Here you can choose from the list of pre-defined role collections.
  5. In the Attribute field, enter the assertion attribute Groups.
  6. In the Value field, enter the name of the group for which you want to map the role collection.
  7. Choose Save.
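The mapping procedure above, together with the IAG_<TYPE>_<NAME> naming convention for user groups and the case-sensitivity note on the Groups assertion attribute, can be illustrated with a small simulation. The following Python code is an added example written for this lesson; it is not SAP code and does not call any SAP API. It models a role collection mapping rule as (role collection, attribute, value), evaluates it against the attribute set a SAML assertion would carry, and shows why a misspelled attribute name (groups instead of Groups) or a group name outside the convention leads to no authorization being granted. The role collection names RoleCollection_A and RoleCollection_B, the group names, and the exact-match semantics for the mapping value are assumptions made for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Shape check for the naming convention quoted in the lesson: IAG_<TYPE>_<NAME>.
# The allowed TYPE and NAME values are documented on the SAP Help Portal; this
# regular expression only enforces the general pattern (assumption for this example).
GROUP_NAME_RE = re.compile(r"^IAG_[A-Z0-9]+_[A-Za-z0-9_]+$")


def is_valid_iag_group_name(name: str) -> bool:
    """Return True if the group name follows the IAG_<TYPE>_<NAME> pattern."""
    return GROUP_NAME_RE.fullmatch(name) is not None


@dataclass(frozen=True)
class MappingRule:
    """One row of the Role Collection Mapping dialog in the SAP BTP cockpit."""
    role_collection: str  # the pre-defined role collection being mapped
    attribute: str        # the assertion attribute, e.g. "Groups" (case-sensitive)
    value: str            # the user group name the rule matches on


def build_rule(role_collection: str, attribute: str, group_name: str) -> MappingRule:
    """Create a rule, rejecting group names that break the naming convention."""
    if not is_valid_iag_group_name(group_name):
        raise ValueError(f"group name does not follow IAG_<TYPE>_<NAME>: {group_name}")
    return MappingRule(role_collection, attribute, group_name)


def resolve_role_collections(assertion: dict[str, list[str]],
                             rules: list[MappingRule]) -> set[str]:
    """Return the role collections a user receives from the assertion attributes.

    The attribute lookup is an exact dictionary lookup, so an assertion that
    carries "groups" instead of "Groups" satisfies none of the rules. Matching the
    value is also treated as exact here (assumption for this example).
    """
    granted: set[str] = set()
    for rule in rules:
        values = assertion.get(rule.attribute, [])
        if rule.value in values:
            granted.add(rule.role_collection)
    return granted


# Constructed sample data: two mapping rules and three assertions as a tenant might issue them.
RULES = [
    build_rule("RoleCollection_A", "Groups", "IAG_TYPE_ExampleA"),
    build_rule("RoleCollection_B", "Groups", "IAG_TYPE_ExampleB"),
]

ASSERTION_OK = {"Groups": ["IAG_TYPE_ExampleA"], "first_name": ["Ada"], "mail": ["ada@example.invalid"]}
ASSERTION_WRONG_CASE = {"groups": ["IAG_TYPE_ExampleA"], "first_name": ["Ada"]}   # lower-case g
ASSERTION_UNMAPPED_GROUP = {"Groups": ["IAG_TYPE_Other"], "first_name": ["Bob"]}


def demo() -> dict[str, set[str]]:
    """Evaluate the sample assertions against the sample rules."""
    return {
        "ok": resolve_role_collections(ASSERTION_OK, RULES),
        "wrong_case": resolve_role_collections(ASSERTION_WRONG_CASE, RULES),
        "unmapped": resolve_role_collections(ASSERTION_UNMAPPED_GROUP, RULES),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {sorted(result) or 'no role collections granted'}")
```

Only the assertion whose Groups attribute (upper-case G) contains a mapped group name yields a role collection; the other two users get nothing, which is the intended least-privilege outcome of the indirect assignment described in this lesson and also the symptom you would investigate if a user reports missing authorizations after the mapping step.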

Demo: Map Role Collections to User Groups

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.