Analyzing User and Authorization Management on SAP BTP


After completing this lesson, you will be able to:

  • Describe the user management on SAP BTP.
  • Describe the role and authorization management on SAP BTP.

Business Introduction to User and Authorization Management

As IT landscapes become more and more complex, the topic of security becomes more important. Your company must manage application users (business users) and platform users (admins, operators, and so on).  You want to assign roles and authorizations and build a central identity provisioning with the SAP Cloud Identity Services. All APIs and interfaces that are used or integrated need to get secured as well.

User and Authorization Management on SAP BTP

SAP BTP distinguishes between:

  • Platform users are usually administrators or operators (DevOps) who work with cloud management tools and deploy, administer, and troubleshoot services on SAP BTP. These are usually users who directly log on to SAP BTP cockpit and work there. These also can be developers who work and use services in Cloud Foundry spaces.
  • Business users use the business applications that are deployed on SAP BTP. For example, the end users of a deployed custom application or users of subscribed apps or services, such as SAP Business Application Studio, are business users.

Platform Users on SAP BTP

The SAP BTP is organized in global accounts on the highest level. A global account is a reflection of a contract with SAP. It can consist of several directories and/or several subaccounts that provide different applications and services to users. Further levels are in place for a better structuring and organization of work. For example, if you have too many subaccounts in a global account, you can create directories to structure them.

Subaccounts can have up to three environments: Cloud Foundry, Kyma or ABAP environment. The environments allows the development and administration of business applications with different approaches and tools based on your selection. Of course, inside of the environments and their content, such as the runtime, service instances and so on - there are also users required for providing access and authorizations.

Anyone who wants to use capabilities of the SAP BTP must be assigned as a user to the specific authorizations through roles. User management happens at all levels from global account over subaccount and directories to the environments. On each level, you require an administrator, who administers resources and the users on those levels. The way to administer has some differences depending on the level you are on.

User Management on SAP BTP

When a customer signs a contract with SAP, one user is created at the global account level. On this level, entitlements are defined, assigning entities and services, including billing information. The global account administrator can initially log on to SAP BTP to manage these entitlements, and create directories and subaccounts. To ensure that more than one employee can administer the global account, the administrator needs to create other users at the global account level and assign them administrator permissions.

Typically, a global account consists of various subaccounts. When a global account administrator creates a subaccount, they automatically become the administrator of the subaccount. The subaccount administrator can manage entitlements, service subscription, create other users on the subaccount level, and assign roles to the users. Subaccount administrators get administration authorizations for the subaccount only, not for the global account.

Subaccount administrators also create business users. Business users are consumers of applications and services that are provided on SAP BTP (for example: SAP Business Application Studio) or business applications (SaaS) that were created with the help of the tools and services provided by SAP BTP. These users can have access to SAP BTP, but they are not able to do any administrative tasks. If a business user only uses a single application on SAP BTP, they do not necessarily require access to the SAP BTP cockpit (meaning the subaccount), but to the application only. In this case, the subaccount administrator creates the user on a subaccount level and only assigns application authorizations to the user.

Learn more about working with users in SAP BTP in the official documentation:

Roles and Authorizations

To use different functions of SAP BTP, you need to be authorized for it. You can configure authorizations using roles and role collections.

Role Collections

Role collections consist of individual roles that combine authorizations for resources and services on SAP BTP. A role collection can comprise of one or multiple roles. You only assign role collections to users, but not individual roles. Roles and their authorizations are provided automatically to users via role collection assignment. Role collections are managed on each SAP BTP level separately. Role collections that exist in the global account do not exist in the subaccounts. Likewise, role collections in subaccounts are not available in the global account.

SAP BTP already delivers a predefined set of role collections for platform users and also for application users. To set up administrator access for platform users in the global account, directories, subaccounts, and so on, an existing administrator of a certain level on SAP BTP assigns predefined role collections to other platform users.

For users of applications that can be subscribed on SAP BTP, there are also predefined role collections that become available after application subscription. It is also possible to create custom role collections with roles inside that give permissions for custom applications deployed on SAP BTP.


The roles are provided from the SAP BTP services you use and the developers delivering the role templates for the services. When enabled from the service, it is possible to customize these role templates. For a lot of scenarios, this is not possible and you need to go with the roles provided by the service, and can start composing them into role collections and assigning these role collections to users. It is also possible that the developers from a service provide role collection templates, but besides that, you can always create own role collections.

More information for assigning role collections


All users of SAP BTP are stored in identity providers. How you assign users to their authorizations depends on the type of trust configuration with the identity provider. If you're using the default trust configuration with SAP ID service, you assign users directly to role collections. However, if you're using a custom identity provider, you can assign role collections to individual users directly, or you map role collections to user groups or other user attributes defined in the identity provider. This is called federation.

The custom identity provider hosts users who can belong to user groups. It's efficient to use federation by assigning role collections to one or more user groups. The role collection contains all the authorizations that are necessary for this user group. This method saves time when you add a new business user. Simply add the users to the respective user groups, and the new business users automatically get all the authorizations that are included in the role collection.

Find more information in Assigning Role Collections:

Key Takeaways Of This Lesson

The SAP BTP has built-in functionalities for managing role collections and assigning them to platform users or to business users who mostly consume the applications and services. Platform users inside of SAP BTP need to be managed and assigned on the architecture level with global accounts, directories, subaccounts, and spaces.

Log in to track your progress & complete quizzes