Exploring Memberships Roles

Objective

After completing this lesson, you will be able to explore the concepts of memberships, role collections, and roles.

Memberships

In the cloud management tools feature set B, SAP BTP provides a set of role collections to set up administrator access to your global account and subaccounts.

Note

The content in this section is only relevant for cloud management tools feature set B.

Role collections group authorizations for resources and services. Your administrators assign these role collections to other platform users to create new administrators. Role collections consist of individual roles. For more information on role collections and roles, see the related link.

Role collections are account specific. Role collections that exist in the global account don’t exist in the subaccounts. Likewise, role collections in subaccounts aren’t available in the global account.

Role Collections

You can use the default role collections, but you can’t change or delete them. SAP BTP provides the following administrator role collections:

  • Global Account Administrator
  • Subaccount Administrator
  • Directory Administrator
  • Cloud Connector Administrator
  • Connectivity and Destination Administrator
  • Destination Administrator
  • Subaccount Service Administrator

SAP BTP also provides viewer role collections for the global account and for subaccounts. In contrast to the administrator role collections, viewer role collections only grant read access.

  • Global Account Viewer
  • Subaccount Viewer
  • Directory Viewer

Administrator Role Collections

If you assign the Global Account Administrator role collection to a user, this user can perform administration tasks for subaccounts, role collections, identity providers, entitlements, and regions on the level of the global account. If you assign the Global Account Viewer role collection, this user can view subaccounts, role collections, identity providers, entitlements, and regions on the level of the global account.

Global Account Administrator Role Collection

Roles Included | Description
Global Account Admin | Includes read-write authorizations for updating the global account, setting entitlements, and creating, updating, and deleting subaccounts. The GlobalAccount_Admin role template contains this role. You find the role template in the SAP BTP Cockpit if you choose the cis-central!<suffix> application identifier.
Global Account Usage Reporting Viewer | Includes read-only authorizations for viewing global account usage information. The GlobalAccount_Usage_Reporting_Viewer role template provides this role. You find the role template in the SAP BTP Cockpit if you choose the uas!<suffix> application identifier.
User and Role Administrator | Includes read-write authorizations for trusted identity providers, role collections, roles, and users. The xsuaa_admin role template provides this role. You find the role template in the SAP BTP Cockpit if you choose the xsuaa!<suffix> application identifier.
System Landscape Administrator | Includes read-write authorizations for registering SAP systems and assigning SAP systems to formations. The GlobalAccount_System_Landscape_Administrator role template provides this role. You find the role template in the SAP BTP Cockpit if you choose the cmp!<suffix> application identifier.

If you assign the Subaccount Administrator role collection to a user, you grant that user administration permissions for the subaccount.

Subaccount Administrator Role Collection

Roles Included | Description
Cloud Connector Administrator | Operate the data transmission tunnels used by the Cloud Connector.
Destination Administrator | Manage destination configurations, certificates, and subaccount trust via the Destination editor in the SAP BTP cockpit.
Subaccount Admin | Includes read-write authorizations for viewing subaccount entitlements and for creating and deleting environment instances.
Subaccount Service Administrator | Administrative access to service brokers and environments on a subaccount level.
User and Role Administrator | Includes read-write authorizations for trusted identity providers, role collections, roles, and users.

If you assign the Cloud Connector Administrator role collection to a user, you grant the user administration permissions for the Cloud Connector in a subaccount.

Cloud Connector Administrator Role Collection

Roles Included | Description
Cloud Connector Administrator | Operate the data transmission tunnels used by the Cloud Connector.

If you assign the Connectivity and Destination Administrator role collection to a user, you grant the user administration permissions for the Cloud Connector and SAP Destination service in a subaccount.

Connectivity and Destination Administrator Role Collection

Roles Included | Description
Cloud Connector Administrator | Operate the data transmission tunnels used by the Cloud Connector.
Destination Administrator | Manage destination configurations, certificates, and subaccount trust via the Destination editor in the SAP BTP cockpit.

If you assign the Destination Administrator role collection to a user, you grant the user administration permissions for the SAP Destination service in a subaccount.

Destination Administrator Role Collection

Roles Included | Description
Destination Administrator | Manage destination configurations, certificates, and subaccount trust via the Destination editor in the SAP BTP cockpit.

If you assign the Subaccount Service Administrator role collection to a user, you grant the user administration permissions for the Service Manager in a subaccount.

Subaccount Service Administrator Role Collection

Roles Included | Description
Subaccount Service Administrator | Administrative access to service brokers and environments on a subaccount level.

Viewer Role Collections

If you assign the Global Account Viewer role collection to a user, you grant read access to the same information as the Global Account Administrator role collection.

Global Account Viewer Role Collection

Roles Included | Description
Global Account Viewer | Includes read authorizations for viewing subaccount entitlements and for creating and deleting environment instances.
Global Account Usage Reporting Viewer | Includes read-only authorizations for viewing global account usage information.
User and Role Auditor | Includes read authorizations for trusted identity providers and users.

If you assign the Subaccount Viewer role collection to a user, you restrict that user's viewer permissions to the subaccount.

Subaccount Viewer Role Collection

Roles Included | Description
Cloud Connector Auditor | View the data transmission tunnels used by the Cloud Connector to communicate with back-end systems.
Destination Viewer | View destination configurations, certificates, and subaccount trust via the Destination editor in the SAP BTP cockpit.
Subaccount Service Auditor | Read-only access to service brokers and environments on a subaccount level.
Subaccount Viewer | Includes read authorizations for viewing subaccount entitlements and for creating and deleting environment instances.
User and Role Auditor | Includes read authorizations for trusted identity providers and users.

Directory Role Collections

The role collections Directory Administrator and Directory Viewer can be assigned during the creation of a directory. If you select the checkbox Manage Authorizations in the creation wizard, you can assign users the role collections during the step Manage Authorizations. You can't create custom role collections for directories.

The Directory Administrator role collection grants a user administration permissions for directories.

Directory Administrator Role Collection

Roles Included | Description
Directory Admin | Role for directory members with read-write authorizations for core commercialization operations, such as updating directories, setting entitlements, and creating, updating, and deleting subaccounts.
Directory Usage Reporting Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directory usage information.
User and Role Administrator | Includes read-write authorizations for trusted identity providers, role collections, roles, and users.

The Directory Viewer role collection grants a user read access to the same information as the Directory Administrator role collection.

Directory Viewer Role Collection

Roles Included | Description
Directory Usage Reporting Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directory usage information.
Directory Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directories, subaccounts, entitlements, and regions.
User and Role Auditor | Includes read authorizations for trusted identity providers and users.

Roles

Roles are based on role templates, which are provided by applications. The application identifier names the application that provides the role templates.

The following table provides information about some of the more common roles.

Role Details

Roles | Available in | Role Templates | Application Identifier
Cloud Connector Administrator | Subaccount | Cloud_Connector_Administrator | connectivity!<suffix>
Cloud Connector Auditor | Subaccount | Cloud_Connector_Auditor | connectivity!<suffix>
Destination Administrator | Subaccount | Destination_Administrator | destination-xsappname!<suffix>
Destination Viewer | Subaccount | Destination_Viewer | destination-xsappname!<suffix>
Directory Admin | Directory | Directory_Viewer | cis-central!<suffix>
Directory Usage Reporting Viewer | Directory | Directory_Usage_Reporting_Viewer | uas!<suffix>
Directory Viewer | Directory | Directory_Admin | cis-central!<suffix>
Global Account Admin | Global account | GlobalAccount_Admin | cis-central!<suffix>
Global Account Viewer | Global account | GlobalAccount_Viewer | cis-central!<suffix>
Global Account Usage Reporting Viewer | Global account | GlobalAccount_Usage_Reporting_Viewer | uas!<suffix>
System Landscape Administrator | Global account | GlobalAccount_System_Landscape_Administrator | cmp!<suffix>
Subaccount Admin | Subaccount | Subaccount_Admin | cis-local!<suffix>
Subaccount Viewer | Subaccount | Subaccount_Viewer | cis-local!<suffix>
Subaccount Service Administrator | Subaccount | Subaccount_Service_Administrator | service-manager!<suffix>
Subaccount Service Auditor | Subaccount | Subaccount_Service_Auditor | service-manager!<suffix>
User and Role Administrator | Global account and subaccount | xsuaa_admin | xsuaa!<suffix>
User and Role Auditor | Global account and subaccount | xsuaa_auditor | xsuaa!<suffix>
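As an added example (not part of the SAP lesson), the following Python script encodes a subset of the role collections from the tables above together with the account level each exists in, and audits a constructed list of user assignments: it flags a collection assigned at the wrong account level (role collections are account specific) and reports which users hold read-write roles, singling out User and Role Administrator because that role can change identity-provider trust, roles, and users. The user names, the account-level labels, and the finding names are assumptions made for the example.

```python
from collections import defaultdict

# Role collection -> (account level it exists in, roles it contains), taken from
# the tables above; only some of the collections are modelled.
ROLE_COLLECTIONS = {
    "Global Account Administrator": ("global account", {
        "Global Account Admin", "Global Account Usage Reporting Viewer",
        "User and Role Administrator", "System Landscape Administrator"}),
    "Global Account Viewer": ("global account", {
        "Global Account Viewer", "Global Account Usage Reporting Viewer",
        "User and Role Auditor"}),
    "Subaccount Administrator": ("subaccount", {
        "Cloud Connector Administrator", "Destination Administrator",
        "Subaccount Admin", "Subaccount Service Administrator",
        "User and Role Administrator"}),
    "Subaccount Viewer": ("subaccount", {
        "Cloud Connector Auditor", "Destination Viewer", "Subaccount Viewer",
        "Subaccount Service Auditor", "User and Role Auditor"}),
    "Destination Administrator": ("subaccount", {"Destination Administrator"}),
}
# Roles described above as read-write: holding one means the user can change
# configuration, not only view it.
WRITE_ROLES = {"Global Account Admin", "User and Role Administrator",
               "System Landscape Administrator", "Subaccount Admin",
               "Destination Administrator", "Cloud Connector Administrator",
               "Subaccount Service Administrator"}

def audit(assignments):
    """assignments: (user, account_level, role_collection) tuples, where the
    collection is a key of ROLE_COLLECTIONS. Returns sorted findings."""
    findings, roles_by_user = [], defaultdict(set)
    for user, level, rc in assignments:
        scope, roles = ROLE_COLLECTIONS[rc]
        if scope != level:  # collections are account specific (see above)
            findings.append((user, "wrong-scope", f"{rc} at {level}"))
            continue
        roles_by_user[user] |= roles
    for user, roles in roles_by_user.items():
        writes = ", ".join(sorted(roles & WRITE_ROLES))
        if "User and Role Administrator" in roles:
            # Can change identity-provider trust, roles and users: review first.
            findings.append((user, "identity-admin", writes))
        elif writes:
            findings.append((user, "write-access", writes))
    return sorted(findings)

# Constructed sample assignments (hypothetical users and levels).
SAMPLE = [("alice", "global account", "Global Account Viewer"),
          ("bob", "subaccount", "Destination Administrator"),
          ("carol", "subaccount", "Global Account Administrator")]
```

Running `audit(SAMPLE)` reports bob's write access and carol's out-of-scope assignment, while alice, who only holds viewer roles, produces no finding.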
