Tell us what you think

We want to create the best possible experience for our learners. Your feedback helps us to improve the experience for everyone.

Mapping Role Collections Between SAP BTP and IdP

Objective

After completing this lesson, you will be able to manage a large number of users and roles with role collection mapping

Introduction to Role Collection Mapping

In units 3 and 4, we covered how role collections can be assigned to users directly in SAP BTP cockpit (in the Security → Users section). For example, to get access to the SAP S/4HANA purchasing tiles, the federated SAP_BR_PURCHASER role collection needs to be assigned to your user.

Where customers have tens or hundreds of business roles and hundreds of users, it can be cumbersome to assign each of these roles to individual users within the SAP BTP cockpit. A possible solution is to use role collection mappings as described in this lesson.

Prerequisites

The corporate IdP you are using that is connected to SAP BTP should hold a user attribute that can be used to decide which roles can be assigned to the user. For example, Groups in Identity Authentication as shown in the following example.

Example

Let’s take an example of an attribute "Groups" with the values PURCHASER or ACCOUNTS.

User Name	Attribute Name	Attribute Value
example@sap.com	Groups	PURCHASER
example@sap.com	Groups	ACCOUNTS

A user with the attribute value "PURCHASER" in the connected IdP should have access to apps belonging to the following SAP Fiori business roles:

SAP_BR_PURCHASER
SAP_BR_PURCHASING_MANAGER

A user with the attribute value "ACCOUNTS" in the connected IdP should have access to apps belonging to the following SAP Fiori business roles:

SAP_BR_AP_ACCOUNTANT
SAP_BR_AR_ACCOUNTANT

This can be achieved by creating role collection mappings in SAP BTP. Each mapping is a one-to-one connection between an SAP BTP role collection and an IdP attribute as shown in the following table:

Role Collection	Attribute	Value
For example, ~s4h_SAP_BR_PURCHASER	Groups	PURCHASER
For example, ~s4h_SAP_BR_PURCHASING_MANAGER	Groups	PURCHASER
For example, ~s4h_SAP_BR_AP_ACCOUNTANT	Groups	ACCOUNTS
For example, ~s4h_SAP_BR_AR_ACCOUNTANT	Groups	ACCOUNTS

This avoids the need for an administrator to manually assign the role collections to individual user IDs.

Prepare Identity Authentication for Group-Based Role Collection Mapping

In this lesson, we will use the example of Identity Authentication as the IdP. Identity Authentication uses an attribute called Groups, which holds the groups (for example, PURCHASER) assigned to that user. These values are mapped to the SAP BTP role collections (for example, SAP_BR_PURCHASER federated from SAP S/4HANA) for the user. This allows the user to see the purchasing tiles on the launchpad site.

Note

The exact attribute to be used depends on the IdP that you are using. You can follow a similar process to the one described here for Identity Authentication for the setup with your IdP.

Watch the following video to learn how to set up user groups and add the groups attribute to the assertion:

Create Role Collection Mappings on SAP BTP

Now that the preparation on Identity Authentication is completed, you can create the role collection mapping on SAP BTP subaccount. The service within SAP BTP (SAP Build Work Zone, standard edition in this scenario) assigns this role collection in runtime to the user and allows them to access the corresponding business content, for example, SAP Fiori app tiles for the role collection ~s4h_SAP_BR_PURCHASER.

Watch the following video to learn how to create the role collection mapping on SAP BTP subaccount:

Result

Once created and saved, it should look as follows:

Screenshot of the Role Collection Mappings table having one sample entry for the SAP_BR_PURCHASER role collection in the SAP BTP Trust Config.

The following figure gives a visual summary of how the settings that you have completed in Identity Authentication and SAP BTP are linked:

Diagram of Screenshots from IAS and SAP BTP highlighting the interrelationships of the Assertion and Group Attribute in IAS mapping to the Attribute and Value parameters of the Role Collection Mapping on SAP BTP.

Note

Depending on the connected IdP and its settings, the Attribute and Value in SAP BTP must be adjusted to match the IdP assertion attributes. For example, some IdPs might use other assertion attributes or a unique ID instead of the group name (PURCHASER) for identification.

Test the Mapping

The setup for role collection mapping can be tested via the SAP Build Work Zone, standard edition site that has the federated purchaser role assigned. Log in to this site using the connected Identity Authentication and the user that was assigned to the Identity Authentication Group, for example, "example@sap.com").

Note

Ensure that this user does not have the mapped role collection (~s4h_SAP_BR_PURCHASER) assigned in the SAP BTP cockpit (Security → Users).

If the login is successful and the tiles of the federated SAP S/4HANA role are shown, the mapping is working correctly.

Screenshot of the SAP Build Work Zone site filled with Tiles of the Purchaser Role showing that the mapping is working fine.

You can now create more mappings with further groups and role collections, for example, ~s4h_SAP_BR_PURCHASING_MANAGER.

In case it did not work, make sure to check that the steps have been executed correctly and that the Site has the role assigned as required.

Note

First, test the setup using a browser on your desktop by connecting to the SAP Build Work Zone, standard edition site. If this works, you can test the same site using the same end-user credentials via SAP Mobile Start.

Restrictions

Note the general restrictions for SAP Build Work Zone, standard edition on the help page. For example, a user should not be assigned to more than 150 role collections. The use of Identity Provisioning as described in the next section should be used in such a scenario.

Use of Identity Provisioning

The logical view for the mapping in SAP BTP that you have completed in the previous section would look like this:

Role Collection	Attribute	Value
For example, ~s4h_SAP_BR_PURCHASER	Groups	PURCHASER
For example, ~s4h_SAP_BR_PURCHASING_MANAGER	Groups	PURCHASER
For example, ~s4h_SAP_BR_AP_ACCOUNTANT	Groups	ACCOUNTS
For example, ~s4h_SAP_BR_AR_ACCOUNTANT	Groups	ACCOUNTS

This is still a lot of work for an administrator, as they would need to manually create role collection mapping for every single user group. It can be further streamlined with the use of Identity Provisioning to provision user records (identities and their authorizations) to various cloud and on-premise business applications. You must decide on a primary system for user records; for example, it can be SAP S/4HANA, your own corporate IdP, Identity Authentication, and so on. Depending on this, you can define the source system (primary system for user records) and configure Identity Provisioning to sync the user info with target systems. You can also do a bidirectional sync. Refer to the help page to learn more about Identity Provisioning.

In the context of the setup for SAP S/4HANA and SAP Build Work Zone, standard edition, Identity Provisioning provides the following two useful scenarios:

For customers who are using Identity Authentication, Identity Provisioning can keep users in synch between SAP S/4HANA and Identity Authentication. Refer to the help page for setting up your respective source and target systems. You must create role collection mapping in SAP BTP based on Identity Authentication attributes as outlined previously.
To completely eliminate the need for manual role collection mapping, you can use Identity Provisioning to directly connect SAP S/4HANA (where it is the source system for roles) to SAP Build Work Zone, standard edition (target system to receive roles) as outlined on the help page. This setup automates the sync between SAP S/4HANA roles and the federated roles within SAP Build Work Zone, standard edition.

Log in to track your progress & complete quizzes