Mapping Role Collections Between SAP BTP and IdP

Objectives

After completing this lesson, you will be able to:

  • Manage a large number of users and roles with role collection mapping

Introduction to Role Collection Mapping

In units 3 and 4, we covered how role collections can be assigned to users directly in SAP BTP cockpit (in the SecurityUsers section). For example, to get access to the SAP S/4HANA purchasing tiles, the federated SAP_BR_PURCHASER role collection needs to be assigned to your user.

Where customers have tens or hundreds of business roles and hundreds of users, it can be cumbersome to assign each of these roles to individual users within the SAP BTP cockpit. A possible solution is to use role collection mappings as described in this lesson.

Prerequisites

The corporate IdP you are using that is connected to SAP BTP should hold a user attribute that can be used to decide which roles can be assigned to the user. For example, Groups in Identity Authentication as shown in the following example.

Example

Let’s take an example of an attribute "Groups" with the values PURCHASER or ACCOUNTS.

User NameAttribute NameAttribute Value
example@sap.comGroupsPURCHASER
example@sap.comGroupsACCOUNTS

A user with the attribute value "PURCHASER" in the connected IdP should have access to apps belonging to the following SAP Fiori business roles: 

  • SAP_BR_PURCHASER
  • SAP_BR_PURCHASING_MANAGER

A user with the attribute value "ACCOUNTS" in the connected IdP should have access to apps belonging to the following SAP Fiori business roles: 

  • SAP_BR_AP_ACCOUNTANT
  • SAP_BR_AR_ACCOUNTANT

This can be achieved by creating role collection mappings in SAP BTP. Each mapping is a one-to-one connection between an SAP BTP role collection and an IdP attribute as shown in the following table:

Role CollectionAttributeValue
For example, ~s4h_SAP_BR_PURCHASERGroupsPURCHASER
For example, ~s4h_SAP_BR_PURCHASING_MANAGERGroupsPURCHASER
For example, ~s4h_SAP_BR_AP_ACCOUNTANTGroupsACCOUNTS
For example, ~s4h_SAP_BR_AR_ACCOUNTANTGroupsACCOUNTS

This avoids the need for an administrator to manually assign the role collections to individual user IDs.

Prepare Identity Authentication for Group-Based Role Collection Mapping

In this lesson, we will use the example of Identity Authentication as the IdP. Identity Authentication uses an attribute called Groups, which holds the groups (for example, PURCHASER) assigned to that user. These values are mapped to the SAP BTP role collections (for example, SAP_BR_PURCHASER federated from SAP S/4HANA) for the user. This allows the user to see the purchasing tiles on the launchpad site.

Note
The exact attribute to be used depends on the IdP that you are using. You can follow a similar process to the one described here for Identity Authentication for the setup with your IdP.

Watch the following video to learn how to set up user groups and add the groups attribute to the assertion:

Create Role Collection Mappings on SAP BTP

Now that the preparation on Identity Authentication is completed, you can create the role collection mapping on SAP BTP subaccount. The service within SAP BTP (SAP Build Work Zone, standard edition in this scenario) assigns this role collection in runtime to the user and allows them to access the corresponding business content, for example, SAP Fiori app tiles for the role collection ~s4h_SAP_BR_PURCHASER.

Watch the following video to learn how to create the role collection mapping on SAP BTP subaccount:

Result

Once created and saved, it should look as follows:

The following figure gives a visual summary of how the settings that you have completed in Identity Authentication and SAP BTP are linked:

Note
Depending on the connected IdP and its settings, the Attribute and Value in SAP BTP must be adjusted to match the IdP assertion attributes. For example, some IdPs might use other assertion attributes or a unique ID instead of the group name (PURCHASER) for identification.

Test the Mapping

The setup for role collection mapping can be tested via the SAP Build Work Zone, standard edition site that has the federated purchaser role assigned. Log in to this site using the connected Identity Authentication and the user that was assigned to the Identity Authentication Group, for example, "example@sap.com").

Note

Ensure that this user does not have the mapped role collection (~s4h_SAP_BR_PURCHASER) assigned in the SAP BTP cockpit (SecurityUsers).

If the login is successful and the tiles of the federated SAP S/4HANA role are shown, the mapping is working correctly.

You can now create more mappings with further groups and role collections, for example, ~s4h_SAP_BR_PURCHASING_MANAGER.

In case it did not work, make sure to check that the steps have been executed correctly and that the Site has the role assigned as required.

Note
First, test the setup using a browser on your desktop by connecting to the SAP Build Work Zone, standard edition site. If this works, you can test the same site using the same end-user credentials via SAP Mobile Start.

Restrictions

Note the general restrictions for SAP Build Work Zone, standard edition on the help page. For example, a user should not be assigned to more than 150 role collections. The use of Identity Provisioning as described in the next section should be used in such a scenario. 

Use of Identity Provisioning

The logical view for the mapping in SAP BTP that you have completed in the previous section would look like this:

Role CollectionAttributeValue
For example, ~s4h_SAP_BR_PURCHASERGroupsPURCHASER
For example, ~s4h_SAP_BR_PURCHASING_MANAGERGroupsPURCHASER
For example, ~s4h_SAP_BR_AP_ACCOUNTANTGroupsACCOUNTS
For example, ~s4h_SAP_BR_AR_ACCOUNTANTGroupsACCOUNTS

This is still a lot of work for an administrator, as they would need to manually create role collection mapping for every single user group. It can be further streamlined with the use of Identity Provisioning to provision user records (identities and their authorizations) to various cloud and on-premise business applications. You must decide on a primary system for user records; for example, it can be SAP S/4HANA, your own corporate IdP, Identity Authentication, and so on. Depending on this, you can define the source system (primary system for user records) and configure Identity Provisioning to sync the user info with target systems. You can also do a bidirectional sync. Refer to the help page to learn more about Identity Provisioning.

In the context of the setup for SAP S/4HANA and SAP Build Work Zone, standard edition, Identity Provisioning provides the following two useful scenarios:

  • For customers who are using Identity Authentication, Identity Provisioning can keep users in synch between SAP S/4HANA and Identity Authentication. Refer to the help page for setting up your respective source and target systems. You must create role collection mapping in SAP BTP based on Identity Authentication attributes as outlined previously.
  • To completely eliminate the need for manual role collection mapping, you can use Identity Provisioning to directly connect SAP S/4HANA (where it is the source system for roles) to SAP Build Work Zone, standard edition (target system to receive roles) as outlined on the help page. This setup automates the sync between SAP S/4HANA roles and the federated roles within SAP Build Work Zone, standard edition.

Log in to track your progress & complete quizzes