Managing Users and Authorizations

Objective

After completing this lesson, you will be able to manage Users and Authorizations.

Predefined Role Collections

Screenshot depicting Predefined Role Collections for SAP Cloud Identity Access Governance

When you have subscribed to the SAP Cloud Identity Access Governance service in a subaccount, the predefined role collections for the solution are deployed to that subaccount as well. They can be viewed and managed in the subaccount under the navigation menu Security → Role Collections. Role collections must eventually be assigned to users to enable them to work with the different services, such as the Access Request service, the Role Designer service, and so on.

Note

For a better understanding of how to manage user authorizations using role collections on SAP BTP, refer to the security section in the SAP BTP administrator guide: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/1ff47b2d980e43a6b2ce294352333708.html

SAP BTP differentiates between platform users and business users. Platform users are those users who execute administrative tasks using the SAP BTP cockpit. Business users work with the application that is deployed on SAP BTP. They do not work with the SAP BTP cockpit.

In terms of SAP Cloud Identity Access Governance, platform users are security administrators in the subaccount. They are responsible for adding and managing other administrators, configuring the trust connection to custom identity providers, and creating and assigning role collections to users. Business users are users who work with the apps in SAP Cloud Identity Access Governance Fiori launchpad.

Authorizations for Security Administrators

Screenshot showing Granting Admin Authorizations

Add security administrators to your subaccount. The users can be stored in the default identity provider (IdP) SAP ID Service.

The default IdP is a pre-configured, SAP-delivered user store for platform and business users. It is used for initial access to SAP BTP and can also serve as a backup identity provider (that is, in parallel to a custom IdP). For more information, read the SAP Help documentation: https://help.sap.com/docs/btp/sap-business-technology-platform/default-identity-provider?version=Cloud

Note

In the default IdP, the users can only be entered with their email address, not with the user ID.

SAP Cloud Identity Access Governance users can also be stored in a custom IdP.

Read more about the identity providers and the identity federation on SAP BTP here: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/cb1bc8f1bd5c482e891063960d7acd78.html

When the user has been created, assign a role collection to the user, for example, Subaccount Admin, to grant them administrator permissions.
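The same steps (add an administrator from the default IdP, then assign a role collection) can be scripted with the btp CLI. The script below is an added example, not part of the SAP lesson; it assumes the btp CLI is installed and logged in, that the role collection is named "Subaccount Administrator", that the default IdP's origin key is sap.default, and it enforces the note above that default-IdP users must be given by e-mail address rather than user ID. SUBACCOUNT_ID is a placeholder, and DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example: assign a role collection to security administrators stored in
# the default IdP. Runs offline in dry-run mode; set DRY_RUN=0 to call btp.
set -eu

SUBACCOUNT_ID="${SUBACCOUNT_ID:-SUBACCOUNT-GUID-PLACEHOLDER}"  # placeholder
IDP_ORIGIN="sap.default"      # assumed origin key of the default IdP
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the command instead of running it

# The default IdP identifies users by e-mail only, so reject bare user IDs.
is_email() {
  case "$1" in
    ?*@?*.?*) return 0 ;;
  esac
  return 1
}

# Assign one role collection to one user of the default IdP.
# Returns 1 (and does nothing) when the identifier is not an e-mail address.
assign_role_collection() {
  collection="$1"; user="$2"
  if ! is_email "$user"; then
    echo "refused: '$user' is not an e-mail address; $IDP_ORIGIN users must be given by e-mail" >&2
    return 1
  fi
  if [ "$DRY_RUN" = "1" ]; then
    echo "btp assign security/role-collection \"$collection\" --to-user $user --of-idp $IDP_ORIGIN --subaccount $SUBACCOUNT_ID"
  else
    btp assign security/role-collection "$collection" --to-user "$user" --of-idp "$IDP_ORIGIN" --subaccount "$SUBACCOUNT_ID"
  fi
}

# Constructed sample input: one valid address and one bare user ID that is refused.
for u in alice.admin@example.com I012345; do
  assign_role_collection "Subaccount Administrator" "$u" || true
done
```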