In units 3 and 4, we covered how role collections can be assigned to users directly in SAP BTP cockpit (in the Security → Users section). For example, to get access to the SAP S/4HANA purchasing tiles, the federated SAP_BR_PURCHASER role collection needs to be assigned to your user.
Where customers have tens or hundreds of business roles and hundreds of users, it can be cumbersome to assign each of these roles to individual users within the SAP BTP cockpit. A possible solution is to use role collection mappings as described in this lesson.
The corporate IdP you are using that is connected to SAP BTP should hold a user attribute that can be used to decide which roles can be assigned to the user. For example, Groups in Identity Authentication as shown in the following example.
Let’s take an example of an attribute "Groups" with the values PURCHASER or ACCOUNTS.
|User Name||Attribute Name||Attribute Value|
A user with the attribute value "PURCHASER" in the connected IdP should have access to apps belonging to the following SAP Fiori business roles:
A user with the attribute value "ACCOUNTS" in the connected IdP should have access to apps belonging to the following SAP Fiori business roles:
This can be achieved by creating role collection mappings in SAP BTP. Each mapping is a one-to-one connection between an SAP BTP role collection and an IdP attribute as shown in the following table:
|For example, ~s4h_SAP_BR_PURCHASER||Groups||PURCHASER|
|For example, ~s4h_SAP_BR_PURCHASING_MANAGER||Groups||PURCHASER|
|For example, ~s4h_SAP_BR_AP_ACCOUNTANT||Groups||ACCOUNTS|
|For example, ~s4h_SAP_BR_AR_ACCOUNTANT||Groups||ACCOUNTS|
This avoids the need for an administrator to manually assign the role collections to individual user IDs.