Assigning Role Collections

After completing this lesson, you will be able to:

  • Assign role collections

Assign Role Collections to an Application in BTP

Usage Scenario

You will add a role collection to access your deployed application through the SAP BTP cockpit with an authenticated and authorized user.

As the name implies, role collections "group together authorizations for resources and services" [1].

Role collections consist of individual roles. Role collections are account-specific.

Role collections that exist in the global account don’t exist in the subaccounts. Likewise, role collections in subaccounts aren’t available in the global account.

The way this application is designed, the deployed service can only be accessed when a user has a corresponding role collection assigned. If users tried to open the application without this authorization, they would get a Forbidden message. How do you assign the role collection to a user?

Exercise Options

You can perform this exercise in two ways:

  1. Live Environment – using the instructions provided below, you can perform the tasks in the SAP BTP Free Tier account
  2. Platform Simulation – follow the step-by-step instructions within the simulation

We strongly recommend performing the exercise in the live environment first.

Live Environment

Follow the instructions below to assign a role collection.


Please make sure that you have already added the UI and approuter to the mta.yaml file.


  1. In your subaccount in the SAP BTP cockpit tab, navigate to the Security tab. Choose Users and click on your username.

  2. After clicking on your user, a new view displays on the right side. Click on the Assign Role Collection button.

  3. From the list, choose RiskManager-<space-name>. Click on the Assign Role Collection button.

    Now you are ready to access the application!

  4. Reopen the risk-management application and verify that you now have access to your application's data.

  5. Select your space.

  6. Verify that the risk-management application, which has been deployed, is up and running.

  7. Choose the row risk-management.

  8. Choose the link under Application Routes.

  9. Open the application and then in the application, click on the Go button.

    You should see the final deployed application with the data.

    In some cases, your browser might still have cached the authorization information from the previous app call. If you still receive the Forbidden message, either delete your browser cache and cookies or close and reopen your browser.
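To tell a cached session apart from a missing assignment when Forbidden persists, you can inspect the token the application received. The following is an added example, not part of the original lesson or SAP's code: it decodes a constructed, unsigned sample token and assumes that XSUAA lists the user's role collections under the `xs.system.attributes` / `xs.rolecollections` claim. The space name `dev`, the timestamps and all function names are constructed for illustration.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token: str, role_collection: str, assigned_at: int, now: int) -> str:
    """Explain a Forbidden response from the token's point of view."""
    claims = decode_payload(token)
    # Assumption: role collections are listed in this claim of the token.
    held = claims.get("xs.system.attributes", {}).get("xs.rolecollections", [])
    if claims.get("exp", 0) <= now:
        return "expired: log in again"
    if role_collection in held:
        return "ok: token carries the role collection"
    if claims.get("iat", 0) < assigned_at:
        return "stale: token predates the assignment, clear cookies and log in again"
    return "missing: role collection is not assigned to this user in this subaccount"

def make_sample(iat: int, exp: int, collections: list) -> str:
    """Build a constructed, unsigned sample token (not a real XSUAA token)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({
        "iat": iat, "exp": exp,
        "xs.system.attributes": {"xs.rolecollections": collections},
    }).encode())
    return f"{header}.{payload}.constructed-signature"

if __name__ == "__main__":
    ASSIGNED_AT, NOW = 1_700_000_600, 1_700_001_000  # constructed epoch seconds
    RC = "RiskManager-dev"  # RiskManager-<space-name> with a constructed space name
    before = make_sample(1_700_000_000, 1_700_043_200, [])    # issued before step 3
    after = make_sample(1_700_000_900, 1_700_044_100, [RC])   # issued after re-login
    print(diagnose(before, RC, ASSIGNED_AT, NOW))
    print(diagnose(after, RC, ASSIGNED_AT, NOW))
```

Because the signature is not checked, this is a diagnostic aid only and must never be used to make an access decision.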

Platform Simulation

Click on the Start button below to open a simulation of the platform. Then follow the step-by-step instructions to assign role collections.


You have assigned a role collection to access the application through the SAP BTP cockpit.

Reference Links: Assigning Role Collections

For your convenience, this section contains the external references in this lesson.

If links are used multiple times within the text, only the first location is mentioned in the reference table.

Ref# | Section | Context text fragment | Brief description | Link
1 | Assign Role Collections | As the name implies, role collections | Role collections |
