In the cloud management tools feature set B, SAP BTP provides a set of role collections to set up administrator access to your global account and subaccounts.
Note
The content in this section is only relevant for cloud management tools feature set B.
Role collections group authorizations for resources and services. Your administrators assign these role collections to other platform users to create new administrators. Role collections consist of individual roles. For more information on role collections and roles, see the related link.
Role collections are account specific. Role collections that exist in the global account don’t exist in the subaccounts. Likewise, role collections in subaccounts aren’t available in the global account.
Role Collections
You can use the default role collections, but you can’t change or delete them. SAP BTP provides the following administrator role collections:
- Global Account Administrator
- Subaccount Administrator
- Directory Administrator
- Cloud Connector Administrator
- Connectivity and Destination Administrator
- Destination Administrator
- Subaccount Service Administrator
SAP BTP also provides viewer role collections for the global account and for subaccounts. In contrast to the administrator role collections, viewer role collections only grant read access.
- Global Account Viewer
- Subaccount Viewer
- Directory Viewer
Administrator Role Collections
If you assign the Global Account Administrator role collection to a user, this user can perform administration tasks for subaccounts, role collections, identity providers, entitlements, and regions on the level of the global account. If you assign the Global Account Viewer role collection, this user can view subaccounts, role collections, identity providers, entitlements, and regions on the level of the global account.
Global Account Administrator Role Collection
Roles Included | Description |
---|---|
Global Account Admin | Includes read-write authorizations for updating the global account, setting entitlements, and creating, updating, and deleting subaccounts. The GlobalAccount_Admin role template contains this role. You find the role template in the SAP BTP Cockpit if you choose the cis-central!<suffix> application identifier. |
Global Account Usage Reporting Viewer | Includes read-only authorizations for viewing global account usage information. The GlobalAccount_Usage_Reporting_Viewer role template provides this role. You find the role template in the SAP BTP Cockpit if you choose the uas!<suffix> application identifier. |
User and Role Administrator | Includes read-write authorizations for trusted identity providers, role collections, roles and users. The xsuaa_admin role template provides this role. You find the role template in the SAP BTP Cockpit if you choose the xsuaa!<suffix> application identifier. |
System Landscape Administrator | Includes read-write authorizations for registering SAP systems and assigning SAP systems to formations. The GlobalAccount_System_Landscape_Administrator role template provides this role. You find the role template in the SAP BTP Cockpit if you choose the cmp!<suffix> application identifier. |
If you assign the Subaccount Administrator role collection to a user, you grant a user administration permission for a subaccount.
Subaccount Administrator Role Collection
Roles Included | Description |
---|---|
Cloud Connector Administrator | Operate the data transmission tunnels used by the Cloud connector. |
Destination Administrator | Manage destination configurations, certificates and subaccount trust via the Destination editor in the SAP BTP cockpit. |
Subaccount Admin | Includes read-write authorizations for viewing subaccount entitlements and for creating and deleting environment instances. |
Subaccount Service Administrator | Administrative access to service brokers and environments on a subaccount level. |
User and Role Administrator | Includes read-write authorizations for trusted identity providers, role collections, roles and users. |
If you assign the Cloud Connector Administrator role collection to a user, you grant the user administration permissions for the Cloud Connector in a subaccount.
Cloud Connector Administrator Role Collection
Roles Included | Description |
---|---|
Cloud Connector Administrator | Operate the data transmission tunnels used by the Cloud connector. |
If you assign the Connectivity and Destination Administrator role collection to a user, you grant the user administration permissions for the Cloud Connector and SAP Destination service in a subaccount.
Connectivity and Destination Administrator Role Collection
Roles Included | Description |
---|---|
Cloud Connector Administrator | Operate the data transmission tunnels used by the Cloud connector. |
Destination Administrator | Manage destination configurations, certificates and subaccount trust via the Destination editor in the SAP BTP cockpit. |
If you assign the Destination Administrator role collection to a user, you grant the user administration permissions for the SAP Destination service in a subaccount.
Destination Administrator Role Collection
Roles Included | Description |
---|---|
Destination Administrator | Manage destination configurations, certificates and subaccount trust via the Destination editor in the SAP BTP cockpit. |
If you assign the Subaccount Service Administrator role collection to a user, you grant the user administration permissions for the Service Manager in a subaccount.
Subaccount Service Administrator Role Collection
Roles Included | Description |
---|---|
Subaccount Service Administrator | Administrative access to service brokers and environments on a subaccount level. |
Viewer Role Collections
If you assign the Global Account Viewer role collection to a user, you grant read access to the same information as the Global Account Administrator role collection.
Global Account Viewer Role Collection
Roles Included | Description |
---|---|
Global Account Viewer | Includes read authorizations for viewing subaccount entitlements and for creating and deleting environment instances. |
Global Account Usage Reporting Viewer | Includes read-only authorizations for viewing global account usage information. |
User and Role Auditor | Includes read authorizations for trusted identity providers and users. |
If you assign the Subaccount Viewer role collection to a user, you restrict a user's viewer permission to the subaccounts.
Subaccount Viewer Role Collection
Roles Included | Description |
---|---|
Cloud Connector Auditor | View the data transmission tunnels used by the Cloud connector to communicate with back-end systems. |
Destination Viewer | View destination configurations, certificates and subaccount trust via the Destination editor in the SAP BTP cockpit. |
Subaccount Service Auditor | Read-only access to service brokers and environments on a subaccount level. |
Subaccount Viewer | Includes read authorizations for viewing subaccount entitlements and for creating and deleting environment instances. |
User and Role Auditor | Includes read authorizations for trusted identity providers and users. |
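The subaccount role collections above overlap: Subaccount Administrator already contains every role in the narrower administrator collections. The following added example (not SAP code) encodes the subaccount tables from this page and uses them to pick the narrowest default collection for a required set of roles and to flag redundant or user-management-capable assignments. The function names, user names, and sample assignments are assumptions constructed for illustration.

```python
# Roles per default subaccount role collection, transcribed from this page.
SUBACCOUNT_COLLECTIONS = {
    "Subaccount Administrator": {
        "Cloud Connector Administrator", "Destination Administrator",
        "Subaccount Admin", "Subaccount Service Administrator",
        "User and Role Administrator"},
    "Cloud Connector Administrator": {"Cloud Connector Administrator"},
    "Connectivity and Destination Administrator": {
        "Cloud Connector Administrator", "Destination Administrator"},
    "Destination Administrator": {"Destination Administrator"},
    "Subaccount Service Administrator": {"Subaccount Service Administrator"},
    "Subaccount Viewer": {
        "Cloud Connector Auditor", "Destination Viewer",
        "Subaccount Service Auditor", "Subaccount Viewer",
        "User and Role Auditor"},
}

def narrowest_collection(required_roles):
    """Return the default collection that covers required_roles with the
    fewest extra roles, or None if no single collection covers them."""
    required = set(required_roles)
    fits = [(len(roles - required), name)
            for name, roles in SUBACCOUNT_COLLECTIONS.items()
            if required <= roles]
    return min(fits)[1] if fits else None

def audit(assignments):
    """Return (user, finding) pairs for redundant or sensitive assignments."""
    findings = []
    for user, held in sorted(assignments.items()):
        for name in sorted(held):
            roles = SUBACCOUNT_COLLECTIONS[name]
            # Redundant: another held collection strictly contains this one.
            covers = sorted(o for o in held if o != name
                            and roles < SUBACCOUNT_COLLECTIONS[o])
            if covers:
                findings.append((user, f"{name} is subsumed by {covers[0]}"))
            if "User and Role Administrator" in roles:
                findings.append((user, f"{name} can manage users and roles"))
    return findings

# Constructed sample input: assignments in one hypothetical subaccount.
SAMPLE = {
    "alice@example.com": {"Subaccount Administrator", "Destination Administrator"},
    "bob@example.com": {"Connectivity and Destination Administrator"},
}

if __name__ == "__main__":
    print(narrowest_collection({"Destination Administrator"}))
    print(audit(SAMPLE))
```

Because role collections are account specific, the same analysis for the global account or a directory needs its own mapping built from the corresponding tables.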
Directory Role Collections
The role collections Directory Administrator and Directory Viewer can be assigned during the creation of a directory. If you select the checkbox Manage Authorizations in the creation wizard, you can assign users the role collections during the step Manage Authorizations. You can't create custom role collections for directories.
The Directory Administrator role collection grants a user administration permission for directories.
Directory Administrator Role Collection
Roles Included | Description |
---|---|
Directory Admin | Role for directory members with read-write authorizations for core commercialization operations, such as updating directories, setting entitlements, and creating, updating, and deleting subaccounts. |
Directory Usage Reporting Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directory usage information. |
User and Role Administrator | Includes read-write authorizations for trusted identity providers, role collections, roles and users. |
The Directory Viewer role collection grants a user read access to the same information as the Directory Administrator role collection.
Directory Viewer Role Collection
Roles Included | Description |
---|---|
Directory Usage Reporting Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directory usage information. |
Directory Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directories, subaccounts, entitlements, and regions. |
User and Role Auditor | Includes read authorizations for trusted identity providers and users. |