Explaining User and Authorization Management on SAP BTP

After completing this lesson, you will be able to:

  • Explain user and authorization management on SAP BTP

User and Authorization Management on SAP BTP

Business Introduction

As IT landscapes become more and more complex, the topic of security becomes more important. Your company must manage application users (business users) and platform users (admins, operators, and so on). You want to assign roles and authorizations and build central identity provisioning with the SAP Cloud Identity Services. All APIs and interfaces that are used or integrated need to be secured as well.

SAP BTP distinguishes between:

  • Platform users are usually administrators or operators (DevOps) who work with cloud management tools and deploy, administer, and troubleshoot services on SAP BTP. These are usually users who log on directly to the SAP BTP cockpit and work there. They can also be developers who work with and use services in Cloud Foundry spaces.
  • Business users use the business applications that are deployed on SAP BTP. For example, the end users of a deployed custom application or users of subscribed apps or services, such as SAP Business Application Studio, are business users.

The SAP BTP is organized in global accounts on the highest level. These are hosted by multiple cloud infrastructure providers in different regions. A global account is a reflection of a contract with SAP. It can consist of several directories and/or several subaccounts that provide different applications and services to users. Furthermore, subaccounts can have multiple environments. Environments constitute the actual platform-as-a-service offering of SAP BTP that allows the development and administration of business applications. These environments are called spaces.

In Cloud Foundry, further levels are in place for a better structuring and organization of work. For example, if you have too many subaccounts in a global account, you can create directories to structure them. And if you enable the Cloud Foundry environment, you automatically create a Cloud Foundry org, in which you create one or more spaces.

Anyone who wants to use SAP BTP must be assigned as a user to it. User management happens at all levels from global account to space. On each level you require an administrator, who administers resources and the users on those levels.

When a customer signs a contract with SAP, one user is created at the global account level. On this level, entitlements are defined, assigning entities and services, including billing information. The global account administrator can initially log on to SAP BTP to manage these entitlements, and create directories and subaccounts. To ensure that more than one employee can administer the global account, the administrator needs to create other users at the global account level and assign them administrator permissions.

Typically, a global account consists of various subaccounts. When a global account administrator creates a subaccount, they automatically become the administrator of that subaccount. The subaccount administrator can manage entitlements and service subscriptions, create other users on the subaccount level, and assign roles to those users. Subaccount administrators get administration authorizations for the subaccount only, not for the global account.

Subaccount administrators also create business users, who are consumers of applications and services that are provided on SAP BTP (for example: SAP Business Application Studio) or business applications (SaaS) that were created with the help of the tools and services provided by SAP BTP and deployed in a subaccount. These users can have access to SAP BTP, but they are not able to do any administrative tasks. If a business user only uses a single application on SAP BTP, he or she does not necessarily require access to the SAP BTP cockpit (meaning the subaccount) but to the application only. In this case, the subaccount administrator creates the user on a subaccount level and only assigns application authorizations to the user.

Users, Roles and Role Collections

To use the different functions of SAP BTP, you need to be authorized for them. In the Cloud Foundry environment, you configure authorizations using roles and role collections.

Role collections consist of individual roles that combine authorizations for resources and services on SAP BTP. A role collection can comprise one or multiple roles. You assign only role collections to users, not individual roles. Users receive the roles and their authorizations automatically through the role collection assignment.

Role collections are managed on each SAP BTP level separately. Role collections that exist in the global account do not exist in the subaccounts. Likewise, role collections in subaccounts are not available in the global account.

SAP BTP already delivers a predefined set of role collections for platform users and also for application users. To set up administrator access for platform users in the global account, directories, subaccounts etc., an existing administrator of a certain level on SAP BTP assigns predefined role collections to other platform users.

For users of applications that can be subscribed on SAP BTP, there are also predefined role collections that become available after application subscription. It is also possible to create custom role collections with roles inside that give permissions for custom applications deployed on SAP BTP.

All users of SAP BTP are stored in identity providers. How you assign users to their authorizations depends on the type of trust configuration with the identity provider. If you're using the default trust configuration with SAP ID service, you assign users directly to role collections. However, if you're using a custom identity provider, you can assign role collections to individual users directly, or you map role collections to user groups or other user attributes defined in the identity provider. This is called federation.

The custom identity provider hosts the business users who can belong to user groups. It's efficient to use federation by assigning role collections to one or more user groups. The role collection contains all the authorizations that are necessary for this user group. This method saves time when you add a new business user. Simply add the users to the respective user groups and the new business users automatically get all the authorizations that are included in the role collection.
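The paragraphs above describe three rules: role collections bundle roles, role collections are scoped to one SAP BTP level, and with a custom identity provider a role collection can be assigned directly to a user or federated to a user group carried in the identity provider's assertion. The following is an added example, not code from SAP or from this course, that models those rules in a small in-memory authorization resolver. All names (the "subaccount:dev" level, the "corp-ias" identity provider, the role collection and scope strings, the users alice and bob) are constructed for illustration; real trust configurations and attribute mappings are maintained in the SAP BTP cockpit, not in code like this.

```javascript
// Added example: in-memory model of SAP BTP role-collection assignment with
// federation to identity-provider user groups. All identifiers are constructed.

// Each SAP BTP level keeps its own roles, role collections, direct assignments
// and federation mappings. A role collection defined on one level does not
// exist on another level.
const levels = {
  "global-account": {
    roles: {
      "GlobalAccount.Admin": ["entitlements.manage", "subaccounts.create", "users.manage"],
    },
    roleCollections: {
      "Global Account Administrator": ["GlobalAccount.Admin"],
    },
    assignments: { "alice@example.com": ["Global Account Administrator"] },
    federation: [], // no custom identity provider trust on this level
  },
  "subaccount:dev": {
    roles: {
      "Subaccount.Admin": ["subscriptions.manage", "rolecollections.manage", "users.manage"],
      "ExpenseApp.Viewer": ["expense.read"],
      "ExpenseApp.Editor": ["expense.write"],
    },
    roleCollections: {
      "Subaccount Administrator": ["Subaccount.Admin"],
      "Expense App User": ["ExpenseApp.Viewer", "ExpenseApp.Editor"],
    },
    assignments: { "alice@example.com": ["Subaccount Administrator"] },
    // Federation: a role collection is mapped to a user attribute value that the
    // custom identity provider ("corp-ias", constructed) sends in its assertion.
    federation: [
      { attribute: "groups", value: "BTP_Subaccount_Admins", roleCollection: "Subaccount Administrator" },
      { attribute: "groups", value: "Finance", roleCollection: "Expense App User" },
    ],
  },
};

// Resolve the role collections a user holds on a given level: direct
// assignments always apply; federated mappings apply only for users who
// authenticate through a custom identity provider (the default SAP ID service
// carries no group attributes to map). Names that are not defined on this
// level are dropped, which enforces the level scoping of role collections.
function resolveRoleCollections(levelId, user) {
  const level = levels[levelId];
  const direct = level.assignments[user.id] ?? [];
  const federated = user.identityProvider === "default"
    ? []
    : level.federation
        .filter((m) => (user.attributes[m.attribute] ?? []).includes(m.value))
        .map((m) => m.roleCollection);
  const defined = Object.keys(level.roleCollections);
  return [...new Set([...direct, ...federated])].filter((rc) => defined.includes(rc));
}

// Expand role collections -> roles -> scopes and return the sorted scope list.
function effectiveScopes(levelId, user) {
  const level = levels[levelId];
  const scopes = new Set();
  for (const rc of resolveRoleCollections(levelId, user)) {
    for (const role of level.roleCollections[rc]) {
      for (const scope of level.roles[role]) scopes.add(scope);
    }
  }
  return [...scopes].sort();
}

// Authorization check an application would perform before a protected action.
function hasScope(levelId, user, scope) {
  return effectiveScopes(levelId, user).includes(scope);
}

// Constructed sample users: alice is assigned directly via the default identity
// provider; bob arrives through the custom identity provider with a group claim.
const alice = { id: "alice@example.com", identityProvider: "default", attributes: {} };
const bob = { id: "bob@example.com", identityProvider: "corp-ias", attributes: { groups: ["Finance"] } };

console.log("alice @ subaccount:dev:", effectiveScopes("subaccount:dev", alice));
console.log("bob   @ subaccount:dev:", effectiveScopes("subaccount:dev", bob));
console.log("bob   @ global-account:", effectiveScopes("global-account", bob));
console.log("bob may manage users?", hasScope("subaccount:dev", bob, "users.manage"));
```

The point to notice is the last two lines: bob's "Finance" group grants him the expense application scopes in the subaccount, but nothing at the global account level, because the role collection "Expense App User" does not exist there, and nothing administrative, because no mapping points his group at the "Subaccount Administrator" collection. Adding a new finance employee to the identity provider's "Finance" group is the whole onboarding step, which is the time saving the text describes.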

Find more information in Assigning Role Collections - https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/9e1bf57130ef466e8017eab298b40e5e.html

Neo subaccounts don't use role collections. For more information, see Managing Member Authorizations in the Neo Environment.

SAP Identity Management and Access Governance Solutions

The SAP Identity Management and Access Governance solutions portfolio spreads along multiple cloud and on-premise applications:

  • SAP Single Sign-On provides simple, secure access to IT applications for business users. It offers advanced security capabilities to protect your company data and business applications.
  • SAP Identity Authentication provides simple and secure access to web-based applications with a variety of authentication methods anytime, from anywhere. The service was previously known as SAP Cloud Identity service.
  • SAP Identity Management keeps users' data secure and consistent and supports customers in implementing integrated identity lifecycle scenarios with SAP's cloud or on-premise HR solutions: SAP SuccessFactors solutions (cloud) and SAP ERP Human Capital Management (on-premise).
  • Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud. Identity Provisioning covers a broad range of source and target systems, both in the cloud and on-premise.
  • SAP Cloud Identity Access Governance is a cloud solution that integrates out-of-the-box with SAP S/4HANA and can run similar SOD scenarios as SAP GRC Access Control. Additionally, it has functionalities to build business roles in the cloud, provision those to various target systems through SAP Cloud Identity Services – Identity Provisioning and integrate in complex workflows thanks to SAP BTP Workflow service.
  • The SAP GRC Access Control application helps streamline the process of managing and validating user access to applications. SAP Identity Management and SAP Access Control can be used together as an integrated solution for identity and access governance.
