Authorizations are essential for application developers. They allow you to give your end users controlled access to critical data and functionality, protecting your company from damage caused by mistakes or even malicious behavior. However, managing authorizations is often painful. Ensuring that everybody has the right level of access can be complex and challenging.
Most applications define authorizations internally because authorizations are domain-specific. However, as technology and products evolve, localized management of authorizations can become a challenge.
SAP Cloud Identity Services - Authorization Management Service (AMS) is a part of SAP Cloud Identity Services that helps developers manage users' authorizations securely and efficiently on SAP BTP. It's a tool that makes it easier for businesses to control who can execute specific tasks in their digital environments.
New SAP BTP applications use the Authorization Management Service (AMS) to centralize the assignment of users to roles and groups in SAP Cloud Identity Services. AMS streamlines authorization management for developers and helps centralize end-user authorizations for business applications based on SAP BTP.
AMS allows administrators to assign access based on policies derived centrally within SAP Cloud Identity Services.
- An access policy allows users to perform specific actions on a resource, subject to restricting rules.
- Developers specify the type of access, for example, "Read," and the resource, usually a business object.
- Administrators can adapt the available conditions by setting restriction values as required so that policies fit company requirements before being assigned to users.
- A policy is part of a specific business application and evaluated at runtime.
- Customers can assign SAP-provided or customer-derived policies to users in the Identity Directory:
  - Using the user interfaces in the SAP Cloud Identity Services administration console
  - Using the SCIM API of the Identity Directory
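The following Python model illustrates the policy lifecycle described in the list above: a developer-defined base policy, an administrator-derived policy with restriction values, assignment to users, and a deny-by-default check at runtime. It is an added example, not AMS code or its API; the `Policy` class, the `is_allowed` function, the policy names, the `country` attribute and the users are hypothetical, and treating an unrestricted base policy as granting access for all attribute values is a modeling assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    action: str                  # type of access fixed by the developer, e.g. "Read"
    resource: str                # business object the action applies to
    restrictable: tuple = ()     # attributes the developer exposes for restriction
    restrictions: dict = field(default_factory=dict)  # attribute -> allowed values

    def derive(self, name, **values):
        """Administrator step: copy a base policy and set restriction values."""
        unknown = set(values) - set(self.restrictable)
        if unknown:
            raise ValueError(f"not restrictable: {sorted(unknown)}")
        merged = dict(self.restrictions)
        merged.update({k: frozenset(v) for k, v in values.items()})
        return Policy(name, self.action, self.resource, self.restrictable, merged)

    def permits(self, action, resource, attributes):
        """True only if action and resource match and every restriction holds."""
        if (action, resource) != (self.action, self.resource):
            return False
        # A missing attribute yields None, which is never allowed: fail closed.
        return all(attributes.get(k) in allowed
                   for k, allowed in self.restrictions.items())


def is_allowed(assignments, user, action, resource, attributes):
    """Runtime check: deny unless one policy assigned to the user permits it."""
    return any(p.permits(action, resource, attributes)
               for p in assignments.get(user, []))


# Constructed sample data (hypothetical application, policies and users).
READ_ORDERS = Policy("ReadOrders", "Read", "SalesOrder", restrictable=("country",))
READ_ORDERS_DACH = READ_ORDERS.derive("ReadOrdersDACH", country={"DE", "AT", "CH"})
ASSIGNMENTS = {"alice": [READ_ORDERS_DACH], "bob": [READ_ORDERS]}

if __name__ == "__main__":
    for user, country in [("alice", "DE"), ("alice", "US"), ("bob", "US"), ("carol", "DE")]:
        ok = is_allowed(ASSIGNMENTS, user, "Read", "SalesOrder", {"country": country})
        print(f"{user} Read SalesOrder country={country}: {'allow' if ok else 'deny'}")
```
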
Here are the critical aspects of this service:
- Centralized Authorization Management: It provides centralized role and access control across multiple applications, reducing complexity and increasing transparency.
- Secure Access Control: It enables businesses to manage who can access their applications and data and what actions they can perform. It ensures that users only access the required resources, adhering to the principle of least privilege.
- Easy Role Definitions: It allows businesses to define user roles and assign necessary permissions. This role-based access control (RBAC) simplifies the management of user access rights.
- Integration Capabilities: The service can be integrated with other systems within the same landscape, including both SAP and non-SAP applications, allowing for seamless management of authorizations across the organization.
- Supports Compliance Efforts: This service can help maintain compliance with various data protection and privacy regulations by precisely controlling and monitoring user authorizations.
- Enhanced Security: Granular control over user permissions enhances security by minimizing the risk of unauthorized access to sensitive information.

AMS user interfaces for configuring and assigning authorization policies to users are integrated into the SAP Cloud Identity Services administration console. AMS is integrated with SAP’s development models on the SAP Business Technology Platform, with a focus on the SAP Cloud Application Programming Model (CAP).
Lesson Summary
You can now describe the Authorization Management Service at a high level in the context of SAP Cloud Identity Services.