SAP Learning Journey

Defining Technical Users

Objectives
After completing this lesson, you will be able to:

After completing this lesson, you will be able to:

  • Define technical users

Technical Users

Platform Users

Platform users are usually developers, administrators or operators who deploy, administer, and troubleshoot applications and services on SAP BTP. They’re the users that you give certain permissions for instance at global account or subaccount level.

Platform users who were added as members and who have administrative permissions can view or manage the list of global accounts, subaccounts, and environments, such as Cloud Foundry orgs and spaces. Members access them using the SAP BTP Cockpit or the SAP BTP command-line interface (btp CLI) or environment-specific CLI, such as the Cloud Foundry (CF) CLI.

For platform users, there's a default identity provider. We expect that you have your own identity provider. We recommend that you configure your custom tenant of Identity Authentication as the identity provider and connect Identity Authentication to your own corporate identity provider. Custom identity provider for platform users is only supported in cloud management tools Feature set A.

Business Users

Business users use the applications that are deployed to SAP BTP. For example, the end users of SaaS apps or services, such as SAP Workflow service or SAP Cloud Integration, or end users of your custom applications are business users.

Application developers (platform users) create and deploy application-specific security artifacts for business users, such as scopes. Administrators use these artifacts to assign roles, build role collections, and assign these role collections to business users or user groups. In this way, they control the users' permissions in the application.

For business users, there's a default identity provider, too. We expect that you have your own identity provider. We recommend that you configure your custom tenant of Identity Authentication as the identity provider and connect Identity Authentication to your own corporate identity provider.

Member Management and User Management

Member management refers to managing permissions for platform users. You can think about it as managing the members of your team.

Member management happens at global account, directory, subaccount, and environment level. Members' permissions apply to all operations that are associated with the global account, the organization, or the space, irrespective of the tool used. Depending on the scope and the cloud management tools feature set you're using, you manage members in different ways:

Managing Members, Feature Set A

Global AccountsDirectoriesSubaccounts

You add global account administrators on the Members page at global account level in the cockpit. All members/administrators of the lower levels (e.g subaccounts or spaces) are automatically global account members.

On the Members page at the global account level in the cockpit, all global account members can view the global account administrators.

You can only manage global account administrators using the cockpit.

Not available

You don't have member management at subaccount level directly.

The person who created the subaccount is automatically a security administrator of that subaccount. That person can assign additional subaccount security administrators on the Security Administrators page at subaccount level in the cockpit.

As a security administrator, you can manage authentication and authorization in the subaccount for business users, such as configuring trust to application identity providers, and assigning role collections to business users.

You can only manage subaccount security administrators using the cockpit.

Managing Members, Feature Set B

Global AccountsDirectoriesSubaccounts

You manage global account members by assigning role collections to platform users. Use the following predefined role collections:

  • Global Account Administrator
  • Global Account Viewer

Assign these role collections from the cockpit or the btp CLI.

You manage directory members by assigning role collections to platform users. Use the following predefined role collections:

  • Directory Administrator
  • Directory Viewer

Assign these role collections from the SAP BTP cockpit or the btp CLI.

You manage subaccount members by assigning role collections to platform users.

Note

Neo subaccounts don’t use role collections.

Use the predefined role collections, such as:

  • Subaccount Administrator
  • Subaccount Viewer

Assign these role collections from the SAP BTP cockpit or the btp CLI.

Member management in the Cloud Foundry environment is independent of the feature set you use.

Member Management in the Cloud Foundry Environment

  

Manage organization members on the Members page at environment level in the cockpit or with the Cloud Foundry CLI.

A platform user added as an org member can be either an Org Manager or an Org Auditor.

Manage space members on the Members page at space level in the cockpit or with the Cloud Foundry CLI.

A platform user added as a space member can be either a Space Manager, Space Developer, Space Auditor, or Space Supporter.

User management refers to managing authentication and authorization for your business users.

To Manage Your Business Users

To manage your business users:

Steps

  1. Configure trust to an application identity provider in your subaccount.

  2. Create shadow users in your subaccount for your business users in your identity provider.

    When a user accesses a resource, SAP BTP redirects the user to the identity provider for authentication. You assign authorizations to shadow users in SAP BTP.

  3. Assign role collections either directly to users or map them to user groups.

    The role collections were either delivered from the applications to which you subscribed, or custom developed by your team.

Log in to track your progress & complete quizzes