Managing the BTP Accounts

Objective

After completing this lesson, you will be able to understand Organizations and Spaces

Subaccounts, Organizations, and Spaces

Overview

When you enable the Cloud Foundry environment in one of your subaccounts, the system automatically creates a Cloud Foundry organization for you. The subaccount and the org have a 1:1 relationship and the same navigation level in the cockpit (even though they may have different names). You can create spaces within that Cloud Foundry organization. Spaces let you further break down your account model and use services and functions in the Cloud Foundry environment.

The diagram shows a subaccount with a Cloud Foundry organization containing four labeled spaces.

Organizations

An organization is a development account that an individual or multiple collaborators can own and use. All collaborators access an organization with user accounts, which have roles such as Org Manager or Org Auditor.

Spaces

A space provides users with access to a shared location for application development, deployment, and maintenance. An organization can contain multiple spaces. Every application, service, and route is linked to a space. Roles provide access control for these resources and each space role applies only to a particular space.

Memberships

In the cloud management tools feature set B, SAP BTP provides a set of role collections to set up administrator access to your global account and subaccounts.

Note

The content in this section is only relevant for cloud management tools, feature set B.

The screenshot of an SAP BTP cockpit screen shows role collections. It lists roles such as administrator, developer, and others, each with a description and a space for information about the connected roles and user groups. Role collections is highlighted as the selected option in the navigation pane. Notice how the UI look and feel evolved over time (refer to the demos available in this learning).

Role collections group authorizations for resources and services. Your administrators assign these role collections to other platform users to create new administrators. Role collections consist of individual roles. For more information on role collections and roles, see the related link.

Role collections are account-specific. Role collections that exist in the global account don’t exist in the subaccounts. Likewise, role collections in subaccounts aren’t available in the global account.

Role Collections

You can use the default role collections, but you can’t change or delete them. SAP BTP provides the following administrator role collections:

  • Global Account Administrator
  • Subaccount Administrator
  • Directory Administrator
  • Cloud Connector Administrator
  • Connectivity and Destination Administrator
  • Destination Administrator
  • Subaccount Service Administrator

SAP BTP also provides viewer role collections for the global account and for subaccounts. In contrast to the administrator role collections, viewer role collections only grant read access. These include the following:

  • Global Account Viewer
  • Subaccount Viewer
  • Directory Viewer

Administrator Role Collections

If you assign the Global Account Administrator role collection to a user, this user can perform administration tasks for subaccounts, role collections, identity providers, entitlements, and regions on the level of the global account. If you assign the Global Account Viewer role collection, this user can view subaccounts, role collections, identity providers, entitlements, and regions on the level of the global account.

Global Account Administrator Role Collection

Roles Included | Description
Global Account Admin | Includes read-write authorizations for updating the global account, setting entitlements, and creating, updating, and deleting subaccounts. The GlobalAccount_Admin role template contains this role. You find the role template in the SAP BTP cockpit if you choose the cis-central!<suffix> application identifier.
Global Account Usage Reporting Viewer | Includes read-only authorizations for viewing global account usage information. The GlobalAccount_Usage_Reporting_Viewer role template provides this role. You find the role template in the SAP BTP cockpit if you choose the uas!<suffix> application identifier.
User and Role Administrator | Includes read-write authorizations for trusted identity providers, role collections, roles, and users. The xsuaa_admin role template provides this role. You find the role template in the SAP BTP cockpit if you choose the xsuaa!<suffix> application identifier.
System Landscape Administrator | Includes read-write authorizations for registering SAP systems and assigning SAP systems to formations. The GlobalAccount_System_Landscape_Administrator role template provides this role. You find the role template in the SAP BTP cockpit if you choose the cmp!<suffix> application identifier.

If you assign the Subaccount Administrator role collection to a user, you grant a user administration permission for a subaccount.

Subaccount Administrator Role Collection

Roles Included | Description
Cloud Connector Administrator | Operates the data transmission tunnels used by the Cloud Connector
Destination Administrator | Manages destination configurations, certificates, and subaccount trust via the Destination editor in the SAP BTP cockpit
Subaccount Admin | Includes read-write authorizations for viewing subaccount entitlements and for creating and deleting environment instances
Subaccount Service Administrator | Administrative access to service brokers and environments on a subaccount level
User and Role Administrator | Includes read-write authorizations for trusted identity providers, role collections, roles, and users

If you assign the Cloud Connector Administrator role collection to a user, you grant the user administration permissions for the Cloud Connector in a subaccount.

Cloud Connector Administrator Role Collection

Roles Included | Description
Cloud Connector Administrator | Operates the data transmission tunnels used by the Cloud Connector

If you assign the Connectivity and Destination Administrator role collection to a user, you grant the user administration permissions for the Cloud Connector and SAP Destination service in a subaccount.

Connectivity and Destination Administrator Role Collection

Roles Included | Description
Cloud Connector Administrator | Operates the data transmission tunnels used by the Cloud Connector
Destination Administrator | Manages destination configurations, certificates, and subaccount trust via the Destination editor in the SAP BTP cockpit

If you assign the Destination Administrator role collection to a user, you grant the user administration permissions for the SAP Destination service in a subaccount.

Destination Administrator Role Collection

Roles Included | Description
Destination Administrator | Manages destination configurations, certificates, and subaccount trust via the Destination editor in the SAP BTP cockpit

If you assign the Subaccount Service Administrator role collection to a user, you grant the user administration permissions for the Service Manager in a subaccount.

Subaccount Service Administrator Role Collection

Roles Included | Description
Subaccount Service Administrator | Administrative access to service brokers and environments on a subaccount level

Viewer Role Collections

If you assign the Global Account Viewer role collection to a user, you grant read access to the same information as the Global Account Administrator role collection.

Global Account Viewer Role Collection

Roles Included | Description
Global Account Viewer | Includes read authorizations for viewing subaccount entitlements and for creating and deleting environment instances
Global Account Usage Reporting Viewer | Includes read-only authorizations for viewing global account usage information
User and Role Auditor | Includes read authorizations for trusted identity providers and users

If you assign the Subaccount Viewer role collection to a user, you restrict a user's viewer permission to the subaccounts.

Subaccount Viewer Role Collection

Roles Included | Description
Cloud Connector Auditor | View the data transmission tunnels used by the Cloud Connector to communicate with back-end systems
Destination Viewer | View destination configurations, certificates, and subaccount trust via the Destination editor in the SAP BTP cockpit
Subaccount Service Auditor | Read-only access to service brokers and environments on a subaccount level
Subaccount Viewer | Includes read authorizations for viewing subaccount entitlements and for creating and deleting environment instances
User and Role Auditor | Includes read authorizations for trusted identity providers and users

Directory Role Collections

The role collections Directory Administrator and Directory Viewer can be assigned during the creation of a directory. If you select the checkbox Manage Authorizations in the creation wizard, you can assign users the role collections during the step Manage Authorizations. You can't create custom role collections for directories.

The Directory Administrator role collection grants a user administration permission for directories.

Directory Administrator Role Collection

Roles Included | Description
Directory Admin | Role for directory members with read-write authorizations for core commercialization operations, such as updating directories, setting entitlements, and creating, updating, and deleting subaccounts
Directory Usage Reporting Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directory usage information
User and Role Administrator | Includes read-write authorizations for trusted identity providers, role collections, roles, and users

The Directory Viewer role collection grants a user read access to the same information as the Directory Administrator role collection.

Directory Viewer Role Collection

Roles Included | Description
Directory Usage Reporting Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directory usage information
Directory Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directories, subaccounts, entitlements, and regions
User and Role Auditor | Includes read authorizations for trusted identity providers and users

Roles

A screenshot of the SAP BTP cockpit shows roles for a sample subaccount. There are columns for application name, description, role template, role name, role description, and actions. The current screen might look different, but the logic has remained the same; those who have been working with BTP for some time will notice that the adoption of new UI5 innovations changes the graphical elements.

The roles are based on role templates, which are provided by applications. The application identifier refers to the application, which provides the role templates.

The SAP BTP cockpit screen shows a sample subaccount with SAP Business Application Studio subscribed. It displays roles by role template, including administrator, developer, and extension deployer, with information about descriptions, attributes, role collections, and actions. The SAP BTP cockpit is now replaced by the Cloud Identity Services UI and the layout has changed. Keep in mind that UI evolution is a characteristic of SAP BTP: always refer to the most current documentation, as changes happen frequently.

The following table provides information about some of the more common roles available.

Role Details

Roles | Available in | Role Templates | Application Identifier
Cloud Connector Administrator | Subaccount | Cloud_Connector_Administrator | connectivity!<suffix>
Cloud Connector Auditor | Subaccount | Cloud_Connector_Auditor | connectivity!<suffix>
Destination Administrator | Subaccount | Destination_Administrator | destination-xsappname!<suffix>
Destination Viewer | Subaccount | Destination_Viewer | destination-xsappname!<suffix>
Directory Admin | Directory | Directory_Viewer | cis-central!<suffix>
Directory Usage Reporting Viewer | Directory | Directory_Usage_Reporting_Viewer | uas!<suffix>
Directory Viewer | Directory | Directory_Admin | cis-central!<suffix>
Global Account Admin | Global account | GlobalAccount_Admin | cis-central!<suffix>
Global Account Viewer | Global account | GlobalAccount_Viewer | cis-central!<suffix>
Global Account Usage Reporting Viewer | Global account | GlobalAccount_Usage_Reporting_Viewer | uas!<suffix>
System Landscape Administrator | Global account | GlobalAccount_System_Landscape_Administrator | cmp!<suffix>
Subaccount Admin | Subaccount | Subaccount_Admin | cis-local!<suffix>
Subaccount Viewer | Subaccount | Subaccount_Viewer | cis-local!<suffix>
Subaccount Service Administrator | Subaccount | Subaccount_Service_Administrator | service-manager!<suffix>
Subaccount Service Auditor | Subaccount | Subaccount_Service_Auditor | service-manager!<suffix>
User and Role Administrator | Global account and subaccount | xsuaa_admin | xsuaa!<suffix>
User and Role Auditor | Global account and subaccount | xsuaa_auditor | xsuaa!<suffix>
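The following is an added example, not part of the course page or of SAP's own tooling. It models how the role collections described in the Memberships section resolve to roles and role templates from the Role Details table, and it enforces the rule that role collections are account-specific: a collection assigned in the global account grants nothing in a subaccount, and vice versa. The role subset, the collection contents (trimmed to a subset of the roles listed above), the account ids and the user assignments are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    template: str  # role template provided by the application
    app_id: str    # application identifier; "<suffix>" is tenant-specific

# Subset of the Role Details table above (lookup constructed here, values as on the page)
ROLES = {r.name: r for r in [
    Role("Cloud Connector Administrator", "Cloud_Connector_Administrator", "connectivity!<suffix>"),
    Role("Destination Administrator", "Destination_Administrator", "destination-xsappname!<suffix>"),
    Role("Destination Viewer", "Destination_Viewer", "destination-xsappname!<suffix>"),
    Role("Subaccount Admin", "Subaccount_Admin", "cis-local!<suffix>"),
    Role("Global Account Admin", "GlobalAccount_Admin", "cis-central!<suffix>"),
    Role("User and Role Administrator", "xsuaa_admin", "xsuaa!<suffix>"),
    Role("User and Role Auditor", "xsuaa_auditor", "xsuaa!<suffix>"),
]}

# Default role collections and a subset of the roles they include, as listed above
ROLE_COLLECTIONS = {
    "Global Account Administrator": {"Global Account Admin", "User and Role Administrator"},
    "Subaccount Administrator": {"Cloud Connector Administrator", "Destination Administrator",
                                 "Subaccount Admin", "User and Role Administrator"},
    "Destination Administrator": {"Destination Administrator"},
    "Subaccount Viewer": {"Destination Viewer", "User and Role Auditor"},
}

def effective_roles(assignments, level, account_id):
    """assignments: (collection, level, account_id) tuples for one user, level being
    "global" or "subaccount". Role collections are account-specific, so only
    assignments made in exactly this account contribute roles."""
    roles = set()
    for collection, assigned_level, assigned_account in assignments:
        if (assigned_level, assigned_account) == (level, account_id):
            roles |= ROLE_COLLECTIONS[collection]
    return roles

def can_manage_destinations(assignments, subaccount_id):
    """True only when a collection assigned in this subaccount includes Destination Administrator."""
    return "Destination Administrator" in effective_roles(assignments, "subaccount", subaccount_id)

def role_templates(roles):
    """Map roles to (template, application identifier): the identifier to pick in the cockpit."""
    return {name: (ROLES[name].template, ROLES[name].app_id) for name in sorted(roles)}

# Constructed sample assignments for one user; account ids are hypothetical
ALICE = [("Global Account Administrator", "global", "ga-main"),
         ("Destination Administrator", "subaccount", "sub-dev"),
         ("Subaccount Viewer", "subaccount", "sub-prod")]
```

With these assignments, can_manage_destinations(ALICE, "sub-dev") is True while the same call for "sub-prod" is False (the viewer collection only reads), and effective_roles(ALICE, "subaccount", "sub-qa") is empty because the global-account collection never carries into a subaccount.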

How to Explore Connections

This demonstration shows you where to look for the definitions that establish how your subaccounts can reach other systems. This can involve multiple communication protocols and a piece of SAP software named Cloud Connector. If you want to have a set of applications running on BTP that need to read and write data in a system located in your own network, you need to make sure that the SAP Cloud Connector is linked to your subaccount and that the different services you want to access, for example OData services, are set up.

How to Explore Trust Configuration

This demo allows you to find where to establish trust between the SAP BTP authentication mechanisms and external identity providers. SAP BTP itself is your default provider, but external party options are available. Those can be set, for example, at subaccount level.

How to Explore Role Collections

From a practical perspective, a user is allowed to perform tasks based on the role collections that have been granted. Role collections can be assigned at different levels like the global account or the subaccount, and they can be specific to each application the user is entitled to use.

How to Create Role Collections

How to Explore Roles

A role collection is made of roles. In this demonstration, you will learn how you can explore the roles available and how they are grouped across different role collections. A role itself is based on a role template provided by the relevant application.

How to Explore Usage Analytics

This demonstration allows you to get acquainted with some monitoring tools that allow you to evaluate the sizing of your subscriptions. Here you can look into which subaccounts and functions contribute most to the overall resource consumption.

How to Explore Monitoring

In this demonstration, you will learn how to access the monitoring tools available within the Cloud Identity Services UI. Under normal conditions, information relevant for auditing and usage will be accessible here. For more complex troubleshooting, you will need to collaborate with a BTP Administration specialist to gather additional logs regarding the behavior of the relevant functions.

How to Explore Security Settings

In this demo, you will learn how to explore some security settings, like the validity of authentication tokens, but also how to find out which entitlements are available in your subaccount. Some are related to security monitoring; always look for entitlements that have received the status 'deprecated'. The pace of innovation in SAP BTP requires regular adoption of new features.
