BTP Settings for Process Insights

In this section, step 2 is considered in the interaction of administrators.

This section of the course is relevant for: SAP BTP Administrators

In the previous chapters, the SAP Source System Administrator has dealt with identifying possible SAP on-premise and SAP cloud source systems and checking that they fulfil all the necessary requirements.

In this section, we describe the activities on the SAP Business Technology Platform (SAP BTP) to create the SAP Signavio Process Insights tenant, first users, roles and authorisations.

As a new customer of SAP Signavio Process Insights, you may or may not have previously had a global account in SAP BTP. 

• If a new global account is set up for your organization when you become an SAP Signavio Process Insights customer, you receive welcome emails from SAP BTP about the global account set up for your organization in SAP BTP. These emails are sent to the email address specified in your contract. One email contains confirmation of what was provisioned and the other email contains the global account URL and logon credentials. The person in your organization named as the main IT contact in your contract is the person who is automatically given access to the global account and is assigned the entitlements. So, this person is the only person who is initially the global account administrator. The S-user specified in the welcome email has an SAP BTP user with the Global Account Administrator role collection for your global account and this account has the entitlements for SAP Signavio Process Insights. SAP recommends assigning at least one additional colleague as a global account administrator. Assigning an additional global account administrator ensures your organization can still access the global account if the initial colleague is absent. If you're new to working with SAP BTP, see Log On to Your Global Account in the SAP BTP documentation for information.
• If your organization already has one or more global accounts and is licensed for a new subscription for an existing global account, the initial access email with credentials from SAP BTP is not sent again. The global account administrator for the existing global account is the global account administrator for the global account.

When you are new to SAP BTP you can check out the following videos from SAP BTP for help with getting started:

• Learn how to get started and get access to SAP BTP (03:02)
• Learn all about entitlements in SAP BTP (3:08)

Entitlements are assigned for the set of services that your organization has purchased or is entitled to use. Your global account administrator can check the entitlements of your global account in the SAP BTP cockpit. To check the plan entitlements for SAP Signavio Process Insights, you (the global account administrator) can choose Entitlements > Service Assignments and select SAP Signavio Process Insights to see what plan entitlements are configured. Your global account should have entitlements for:

• the SAP Signavio Process Insights application and
• API services.

• Check your entitlements ("SAP Signavio Process Insights application" and „API services").
• Work on the next section (running the booster) for details and watch the video about the BTP Booster for SAP Signavio Process Insights to get a good understanding of the input needed and decisions to be made.

There is a booster available to prepare your account for SAP Signavio Process Insights. During the execution you have the option to get users created and authorizations assigned for BTP and the application SAP Signavio Process Insights.

The booster distinguishes between two user categories:

• Administrators and
• Developers.

Both user types receive role collections for both

• the BTP subaccount as well as for
• the SAP Signavio Process Insights application

assigned.

• Administrators are assigned a role collection on the BTP as a „BTP subaccount administrator".
• Developers are assigned a role collection on the BTP as a „BTP subaccount viewer".

• Administrators are assigned a role collection in the application as „administrators" and „users".
• Developers are assigned a role collection in the application as a „user"

When you have access to your SAP BTP global account, you can use the booster available to prepare your account for SAP Signavio Process Insights. The booster is a wizard that guides you through some short steps to automate the tasks to set up your SAP Signavio Process Insighs in SAP Business Technology Platform (BTP).

Watch this introduction video to understand how you can prepare your account for SAP Signavio Process Insights in SAP Business Technology Platform (SAP BTP).

You will execute the following steps on BTP:

1. From your global account in the SAP BTP cockpit, choose Boosters
2. Search for SAP Signavio Process Insights. Get more information about what the booster does by choosing the tile.
3. Launch the booster by choosing Start.
4. The booster wizard loads and the prerequisite checks run automatically. These checks ensure that your user account has the required authorizations to subscribe to services and that your SAP BTP global account has the entitlements for SAP Signavio Process Insights.
5. When the check has completed successfully, choose Next
6. In the Select Scenario step, specify whether you want to create a new subaccount or select an existing one.
7. In the Configure Subaccount step, provide the details for your subaccount.Select the plan you want to subscribe to based on your entitlements. Only those plans that you're entitled to are available (select „test" for the test tenant and „standard" for the production tenant). And specify the relevant details for the subaccount if you're creating a new one.
8. In the Add Users step, configure the authentication service for users, typically identified by email address, who will be working with the SAP Signavio Process Insights application. There are two types of users:

   - Platform users are usually developers, administrators or operators who deploy, administer, and troubleshoot applications and services on SAP BTP. These users are authorized using platform roles.

   - Application users use the applications that are deployed to SAP BTP, for example, administrators and business users of the SAP Signavio Process Insights application.

   These users are authorized using application-specific roles.

   A) Select two identity providers, one for the authetication of platform users and one for the authentication of application users.

   B) Enter the email addresses of the users you want to be authenticated and authorized to use the SAP Signavio Process Insights application.

• Check that you do have all needed details and access rights in BTP to run the booster.
• Run the booster.
• By entering Administrators and Developers in the booster you create initial users on SAP BTP and in the application SAP Signavio Process Insights

Before you create additional users for end users of the SAP Signavio Process Insights application, you should familiarize yourself with the delivered roles and role collections.

Get an overview of the roles that provide access to the SAP Signavio Process Insights application and the default role collections in which they are included. SAP Signavio Process Insights uses the SAP BTP concept of role collections to provide role-based access control to application users. The table below lists all the roles available for SAP Signavio Process Insights and what each role allows users to do. Default role collections that include these roles are created when you set up your subaccount and subscribe to the application using the booster provided.

The default roles can be grouped by (A) roles for dedicated tasks / features in the application and (B) roles that allow you data visibility.

The standard features (Process Flows, Standard Performance Indicatior, Correction Recommendations, Innovation Recommendations and Value Analysis) are accessable for all users. Some task / features in the application are protected by dedicated authorization roles. Dedicated authorization is available for the "Application Administration" (ADMIN) and the "Data Privicy Administration" (DATA_PRIVACY_ADMIN). These roles do not authorize for any of the features for business users.

Additionally there are default role templates for the special user tasks „Transformation Planning" (TRANSFORMATION_PLANNING) and the „editing of the value analysis parameters" (EDIT_VALUE_ANALYSIS).

Here you find a list of Role-Templates for Special User Tasks

To get data displayed the relevant roles for end-to-end processes (E2E) or lines of business (LoB) need to be assigned to the user / user group. Data Visibility can be restricted by End-to-End (E2E) Processes (Roles with technical name "E2E_Process_ …") or via Line of Business (LoB) (Roles with technical name "LOB_ …"). Personal Data and Monetary Values are managed via dedicated roles (MONETARY_VALUES and PERSONAL_DATA).

Here you find a list of Role-Templates for E2E-Processes

Here you find a list of Role-Templates for LoBs

Here you find a list of Role-Templates for special data visibility

Role collections contain one or more single roles. The following role collections are delivered:

The end user authorization concept is optional. You can make use of the predelivered roles and role collections to set up users.

• Discuss the end user authorization requirements.
• Define individual role collections for your organisation.

One way to define a role collection is to create a new role collection. After you've entered a name and description, you find the new role collection in the list of role collections. You can then add the roles you need and assign users and user groups. If you have an existing role collection that you want to use as a template, it's a good idea to copy it. The copied role collection includes all of the roles of the origin. However, it doesn't include the users or user groups. You can give it a new name and description. You can find the copy in the list of role collections and assign users and user groups.

These are the steps to create new role collections in your SAP BTP subaccount:

1. Open the SAP BTP cockpit.
2. Go to your global account and subaccount
3. Choose Security > Role Collections.
4. To create a new role collection, choose + (Create New Role Collection). To copy an existing role collection, choose Copy at the end of the row.
5. Enter a new name and description. If you copied an existing role collection, you can see the included roles.
6. Save your changes.
7. You can now add or remove roles and assign users or user groups.

For more information about creating role collections, see

• Working with Role Collections and

• Define a Role Collection in the SAP BTP documentation.

When you decided to have individual role collections for your organisation:

Create the new role collections for your organisation in your SAP BTP Subaccount.

As a subaccount administrator, you set up user access to the SAP Signavio Process Insights application in the SAP BTP cockpit. To do this, you must ensure that users can log on (user creation), as well as give them authorization to use the application's features they need by assigning role collections (role assginment).

All users in the subaccounts of SAP BTP are stored in identity providers, either in the default or in a custom identity provider. SAP BTP creates a copy of the user in the subaccount when a user-related action happens. The copy of the user in the subaccount is called shadow user. As an SAP BTP Sub account administrator, you can create shadow users in your subaccount and you must determine which identity provider stores the user. You can then give the user authorizations by assigning role collections to the user.

1. Open the SAP BTP cockpit.
2. Go to your global account and/or subaccount
3. Choose Security - Users.
4. Choose Create. The SAP BTP cockpit displays a new row where you can enter the user data.
5. Enter the user ID and e-mail address.
6. Choose the identity provider where the user is stored. The dropdown list displays the identity providers configured in the trust configuration of your subaccount.
7. Save your changes.

You can now proceed to assign role collections to the new user.

Users stored in your identity provider can now log on the SAP Signavio Process Insights application with the permissions granted by the assigned role collections.

For more information about creating user on BTP check the BTP documentation „Create Users"

The end user authorization concept and setting up application users is optional. You can set up application users (w/o BTP roles assigned) based on your individual role collections:

• collect the needed user details you would like to set up in your BTP identity provider
• create the user master data and assign the required role collections to the user.