Evaluating ALL BTP Role Templates

Objective

After completing this lesson, you will be able to understand the power of ALL BTP Roles.

The SAP Business Technology Platform Roles Overview

SAP BTP roles are essential for assigning specific permissions and access levels to users based on their responsibilities. With around 40-41 roles currently available, these roles enable fine-tuned security and functionality for users. This lesson explores the different types of roles and their applications.

Roles Categorized by Similar Functions

Category | Roles
General Activity | ACTIVITY, ACTIVITY_READ
Administration | ADMINISTRATION_ALL
Archive | ARCHIVE, ARCHIVE_READ
Comment | COMMENT, COMMENT_READ
Container | CONTAINER, CONTAINER_READ
Data Lock | DATALOCK, DATALOCK_READ
Data Privilege | DATAPRIVILEGE, DATAPRIVILEGE_READ
Event Log | EVENTLOG, EVENTLOG_READ
Layout | LAYOUT, LAYOUT_READ
Model | MODEL, MODEL_ALL, MODEL_READ
Page | PAGE, PAGE_READ
Process | PROCESS, PROCESS_ALL, PROCESS_READ
Report | REPORT, REPORT_ALL, REPORT_READ
System | SYSTEM_ALL
Team | TEAM, TEAM_READ
Tenant Connection | TENANTCONNECTION, TENANTCONNECTION_READ
Tenant Setting | TENANTSETTING, TENANTSETTING_READ
User | USER, USER_READ
Special Roles | ExtensionDeveloper, KeyUser, Multitenancy_administrator, Power_User, Token_Exchange

Role Expansion:

Continuous Development: SAP BTP continually expands its role offerings to enhance security measures for users.

Role Types: Roles are categorized into different types to manage access and permissions effectively.

Primary Role Categories:

  • Model Roles
  • Function Roles

Detailed Breakdown of Model Roles

Model All Role:

Definition: This role is for power users who need comprehensive access.

Permissions: Grants access to all modeling tiles and capabilities within the environment.

Use Case: Ideal for users who are responsible for creating, editing, and managing all aspects of models in SAP UM.

Model All with Teams Restriction:

Definition: Similar to the Model All role but with restrictions based on team assignments.

Permissions: Allows full access but can be restricted by team settings.

Use Case: Provides flexibility by giving power users broad access while maintaining security boundaries via team restrictions.

Model Read Role:

Definition: This role is for users who only need viewing rights.

Permissions: Grants read-only access to modeling tiles and functions.

Use Case: Suitable for stakeholders or team members who must review models without making changes.

The Power Roles Overview

Assigning the correct roles in SAP BTP ensures that users have access to the necessary functionalities without overstepping into sensitive areas. Below is a comprehensive overview of the different power roles within an application, and the respective permissions each role entails.

Fiori Tiles and Associated Model Roles

SAP Fiori Tiles | Model_ALL Role | Model_READ Role | Model Role
Manage Environments | 1 – 2 – 3 – 4 – 5 | 1 | 1 – 2 – 3 – 4 – 5
Manage Fields | 1 – 2 – 3 – 4 – 5 | 1 | 1 – 2 – 3 – 4 – 5
Manage Functions | 1 – 2 – 3 – 4 – 5 | 1 | 1 – 2 – 3 – 4 – 5
Manage Connections | 1 – 2 – 3 – 5 | 1 | 1 – 2 – 3 – 5

Legend

1 = Display, 2 = Create, 3 = Edit, 4 = Copy, 5 = Delete

Power roles in SAP BTP define the extent to which users can interact with various components of an application. The three primary roles related to modeling within the Universal Model (UM) include:

  • Model All
  • Model Read
  • Model

Detailed Role Permissions

Role | Description | Permissions
Model | Full Control | Users can display, create, edit, and delete everything within the application.
Model Read | Read-Only Access | Users can only display information and cannot create, edit, or copy anything.
Model | Display and Edit | Users can display and edit information within the application but can be restricted by Teams.

1. Model All

Display: Users can view all information and configurations.

Create: Users can create new models and configurations.

Edit: Users can modify existing models and settings.

Delete: Users have the authority to delete models and configurations.

Use Case: This role is suitable for power users, such as senior data analysts or administrators who need comprehensive access to all functionalities within the application.

2. Model Read

Display: Users can only display information.

Create: Not allowed.

Edit: Not allowed.

Copy: Not allowed.

Use Case: This role is ideal for stakeholders or reviewers who must access and review model information without making any modifications. It prevents accidental changes and maintains data integrity.

3. Model

Display and Edit:

Display: Users can view all information.

Edit: Users can modify existing information.

Create: Not allowed.

Delete: Not allowed.

Team Restrictions: Permissions can be further restricted using Teams, allowing for granular control over who can edit specific parts of the application.

Use Case: This role is perfect for team leads or midlevel users who need the ability to edit information but within a controlled scope defined by team allocations.

SAP Business Technology Platform Power Roles (*_ALL)

The power roles in UM are Model All, Process All, Report All, System All, and Administration All.

The image displays a collection of screenshot tiles representing different sections of the SAP SuccessFactors Standard Model, including MODEL_ALL, PROCESS_ALL, REPORT_ALL, SYSTEM_ALL, and ADMINISTRATION_ALL.

Roles Overview

  • Model All: Provides comprehensive capabilities for creating, editing, and managing models within the Universal Model.
  • Process All: Allows full control over process creation, execution, and monitoring, ensuring smooth workflow management.
  • Report All: Enables users to generate, view, and manage reports, providing valuable insights and data analysis capabilities.
  • System All: Grants access to critical system settings and configurations, ensuring the system operates efficiently and securely.
  • Admin All: Offers complete administrative privileges, enabling full control over user management, security settings, and system configurations.

Power Role Assignment to Role Collection - User

After working through this procedure, you will be able to create a power role user with all roles and privileges in the system.

Step 1: Logging into SAP BTP

Action: Log into your SAP BTP account.
Details:
  • Navigate to the SAP BTP login page.
  • Enter your username and password.
  • Click on the 'Login' button.
  • Ensure you have the necessary permissions to access and manage subaccounts and role collections. If you encounter any issues, contact your system administrator.

Step 2: Selecting the Subaccount

Action: Select the subaccount created in the previous unit.
Details:
  • Once logged in, you will see a dashboard with an overview of your SAP BTP landscape.
  • Locate the subaccount you created previously, typically found under the 'Global Account' or 'Subaccounts' section.
  • Click on the subaccount name to enter its specific dashboard.
  • Verify that you are in the correct subaccount by checking the subaccount details (e.g., region, ID).

Step 3: Navigating Security Options

Action: Go to the Security section of your subaccount.
Details:
  • On the subaccount dashboard, find the left-hand navigation pane.
  • Look for the 'Security' option and click on it.
  • This will expand a menu with several security-related options such as 'Role Collections', 'Roles', and 'Users'.
  • Ensure you have access to these options; if not, check your permissions or contact the administrator.

Step 4: Accessing Role Collections

Action: Click on Role Collections.
Details:
  • In the expanded Security menu, click on 'Role Collections'.
  • This will take you to a page listing all existing role collections within the subaccount.
  • Here, you can see details such as the role collection names, descriptions, and assigned roles.
  • You may also have options to edit, delete, or view details of existing role collections.

Step 5: Creating a Role Collection

Action: Click on 'Create' to start a new role collection.
Details:
  • On the Role Collections page, locate the 'Create' button, usually positioned at the top right corner of the page.
  • Click on it to open the role collection creation form.
  • Fill in the required fields:
    • Name: Provide a unique and descriptive name for the role collection (e.g., "Power User").
    • Description: Add a brief but clear description of what the role collection is for and its scope (e.g., "This role collection grants comprehensive access to all Universal Model functionalities").
  • Click 'Save' or 'Create' to proceed.

Step 6: Editing the Role Collection

Action: Edit the role collection details.
Details:
  • After creating the role collection, you will be redirected to its details page.
  • Here, you can see the current settings and assigned roles.
  • To add or modify roles, click on the 'Edit' button.
  • This will open the editing interface where you can manage role assignments and permissions.
  • Ensure all changes are saved once editing is complete.

Step 7: Adding Role Templates

Action: Add a role template in the Universal Model.
Details:
  • In the editing interface, look for an option to add roles or role templates.
  • Click on 'Add Role' or similar button.
  • A list of available role templates will appear. These are predefined sets of permissions that can be assigned to the role collection.
  • Use the search or filter options to find role templates specific to the Universal Model.
  • Select the desired role templates and add them to the role collection.

Step 8: Applying Filters

Action: Apply a filter for Universal Model roles.
Details:
  • To ensure you only see roles relevant to the Universal Model, use the filter functionality.
  • Locate the filter options, typically found at the top of the roles list or as a sidebar.
  • Set the filter criteria to 'Universal Model' or similar keywords.
  • This will narrow down the list to only those roles applicable to the Universal Model, making it easier to select the correct roles.

Step 9: Assigning Key Roles

Action: Assign the following power roles:
  • Admin All
  • Model All
  • System All
  • Process All
  • Report All
Details:
  • These roles are crucial for granting comprehensive access:
    • Admin All: Full administrative access, allowing configuration and management of settings.
    • Model All: Full access to all modeling functionalities, including creating and managing models.
    • System All: Full access to system-level functionalities, including system settings and configurations.
    • Process All: Full access to process management, allowing the creation, execution, and monitoring of processes.
    • Report All: Full access to reporting functionalities, including generating and viewing reports.
  • Add each of these roles to the role collection by selecting them from the list and confirming their addition.

Step 10: Confirming Role Collection

Action: Confirm the role collection and its assignments.
Details:
  • Review the role collection to ensure all necessary roles are included.
  • Verify the descriptions and permissions associated with each role.
  • Confirm that the role collection aligns with the intended access requirements for the user or group.
  • Once verified, click 'Save' or 'Confirm' to finalize the role collection.
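
Added example (not part of the SAP lesson): a Python check supporting the review in Step 10, which flags role collections that carry the *_ALL power roles, notes the narrower templates the category table offers for each, and lists the users who hold them. The inventory layout, sample collections and users are constructed for illustration and are not an SAP export format.

```python
# Added example; the inventory layout is assumed for illustration, not an SAP export format.
from collections import defaultdict

# Model, process, report, system and administration templates from the page's category table.
PAGE_ROLES = {
    "MODEL", "MODEL_ALL", "MODEL_READ", "PROCESS", "PROCESS_ALL", "PROCESS_READ",
    "REPORT", "REPORT_ALL", "REPORT_READ", "SYSTEM_ALL", "ADMINISTRATION_ALL",
}
POWER_ROLES = {r for r in PAGE_ROLES if r.endswith("_ALL")}

def narrower_alternatives(role):
    """Page-listed siblings of a *_ALL template that grant less, e.g. MODEL_READ."""
    base = role[: -len("_ALL")]
    return sorted(r for r in (base, base + "_READ") if r in PAGE_ROLES)

def audit(collections, assignments):
    """Map {collection: [templates]} and {user: [collections]} to (findings, power-role holders)."""
    findings = {}
    for name, roles in collections.items():
        power = sorted(set(roles) & POWER_ROLES)
        if not power:
            continue  # collection carries no *_ALL template
        findings[name] = {
            "power_roles": power,
            "all_five": set(power) == POWER_ROLES,
            "alternatives": {r: narrower_alternatives(r) for r in power},
        }
    holders = defaultdict(set)
    for user, names in assignments.items():
        for name in names:
            holders[user].update(findings.get(name, {}).get("power_roles", []))
    return findings, {u: sorted(p) for u, p in holders.items() if p}

# Constructed sample inventory (hypothetical collection names and users).
SAMPLE_COLLECTIONS = {
    "Power User": ["ADMINISTRATION_ALL", "MODEL_ALL", "SYSTEM_ALL", "PROCESS_ALL", "REPORT_ALL"],
    "Model Reviewer": ["MODEL_READ", "REPORT_READ"],
    "Report Owner": ["REPORT_ALL", "MODEL_READ"],
}
SAMPLE_ASSIGNMENTS = {
    "alice@example.com": ["Power User"],
    "bob@example.com": ["Model Reviewer"],
    "carol@example.com": ["Report Owner", "Model Reviewer"],
}

if __name__ == "__main__":
    for section in audit(SAMPLE_COLLECTIONS, SAMPLE_ASSIGNMENTS):
        for key, value in section.items():
            print(key, value)
```

An empty alternatives list, as for SYSTEM_ALL and ADMINISTRATION_ALL, means the category table lists no narrower template, so holders of those roles are the ones to review by hand.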