Managing Users and Authorizations on SAP BTP

In a Global Account, you can create platform users and assign predefined role collections to them.

To create a user, you need to navigate to Security → Users, and choose the Create button in the top-right corner.

When creating a new user, you always have to specify the identity provider. By default, users are created using the default identity provider SAP ID service. If you've configured a custom identity provider in a global account, you can change the IdP in the Identity Provider field.

There's one predefined role collection for administrative tasks and one for read-only access to the global account.

With the Global Account Administrator role collection, the user can perform the following tasks:

• Create new and edit existing Subaccounts, within the Global Account
• Manage entitlements
• Manage users
• Manage role collections

With the Global Account Viewer role, the user only gets read access to the mentioned items.

With the authorizations from predefined roles for Global Accounts, the user is not permitted to access any Subaccount that has been not created by them.

You can create directories for better structuring. Furthermore, you can enable user management for the directories. You can create and maintain directory administrators and viewers. This is an optional step, and you can always disable it again if you need to.

If you want to have more directory administrators next to yourself, enable user management. If not, keep it disabled.

When adding a new user, you always have to specify the identity provider. By default, a user's origin is the default identity provider, SAP ID service. If you have configured a custom identity provider in a Global Account, you can change the IdP in the Identity Provider field.

If a user should be able to access a Subaccount, the user needs to be added under Security → Users on the Subaccount level.

To add a new user to the Subaccount, perform the following steps:

1. Open the SAP BTP cockpit.
2. Go to your Subaccount.
3. Choose Security → Users.
4. Choose Create. The SAP BTP Cockpit displays a dialog box where you can enter the user data.
5. Enter the user e-mail in the User Name and E-Mail fields.
6. Choose the identity provider where the user is stored. The dropdown list in the Identity Provider field displays the identity providers for which the trust connection has been configured in the Subaccount.

   If you've configured a custom identity provider in a Global Account and you want to create a new platform user for the Subaccount, choose the IAS tenant in the Identity Provider field that's used for platform users.

7. Choose Create.

You can now proceed with assigning Role Collections to the new user.

For more information, see Create Users.

There are several predefined rolecCollections that you can use when adding platform users to a Subaccount. These are the two most important ones:

• Subaccount Administrator
• Subaccount Viewer

If you assign the Subaccount Administrator role collection to a user, you grant the user administration permissions for the Subaccount. The user is then able to view and configure the entitlements for the Subaccount, create users, assign role collections, configure trust, create destinations, and so on.

The user who creates the Subaccount automatically gets the administrator permissions. All other users must explicitly be added as Subaccount users and have the corresponding role collections assigned.

After initially deploying your accounts, there are also other default role collections available in the cloud management tools. If you do not want to provide all administration rights to a user, but narrow it down to a specific task (for example, connectivity administration), you only assign the relevant role collection.

All users in Subaccounts of SAP BTP are stored in identity providers. This could be the default SAP ID service, SAP Cloud Identity Services, or also a third-party identity provider. Users that are created on SAP BTP are called shadow users, which are user copies from the identity provider.

Especially in Subaccounts, this concept is relevant. SAP BTP automatically creates a copy (shadow user) of the user in the Subaccount as soon as the user that exists in the identity provider logs on to the Subaccount or an application of it.

However, the user does not have any authorizations, so an administrator needs to assign role collections to the user.

For more information, read the official documentation: Mapping Role Collections in the Subaccount

When assigning role collections, administrators can assign predefined role collections. However, predelivered role collections don't always exist, or they don't meet the business requirements. Therefore, administrators can create new role collections by copying the existing ones or creating them from scratch.

Administrators then add predelivered roles to their own role collection. These can be default roles that already exist and are used in other role collections, or these can be roles that are created from a template. Afterward, administrators can assign the role collection to the appropriate user. A user can have one or many role collections assigned. Roles and permissions contained in role collections are then automatically assigned to the user.

For more information, see Define a Role Collection.

In the navigation pane, under Security → Roles, you can see a complete list of all existing Roles, sorted by the application name the roles belong to. It also contains the role template, role names, and role description.