SAP Business Technology Platform (BTP) is a comprehensive suite of integrated tools, services, and technologies designed to help businesses innovate, integrate, and scale their operations in the cloud. BTP encompasses a wide range of capabilities, including data management, analytics, artificial intelligence, application development, and integration services. By leveraging BTP, organizations can drive digital transformation, enhance decision-making, and streamline their processes.
SAP Business Technology Platform (BTP) provides a set of standard roles for managing and administering the platform. These roles are organized into role collections for easier assignment and management.
Standard Role Collections:
In BTP, roles are grouped into role collections, which are then assigned directly to users or user groups, or indirectly through identity provider attributes such as group membership. A role is created from a role template, which defines the specific permissions and functionality it grants. These roles are then bundled into a role collection. Using the SAP BTP cockpit, you can view and manage the role collections, as well as the roles within each collection. This simplifies assigning roles to users and ensures that the right permissions are granted efficiently.
Additionally, role collections can be customized to meet the specific needs of your organization. This flexibility allows you to create tailored role collections that align with business requirements and security policies. Below are the standard role collections available:
Role Collection | Role Name | Role Template | Role Description |
---|---|---|---|
Global Account Administrator | Global Account Admin | GlobalAccount_Admin | Role for global account members with read-write authorizations for core commercialization operations, such as updating global accounts, setting entitlements, and creating, updating, and deleting subaccounts. |
Global Account Administrator | Global Account Usage Reporting Viewer | GlobalAccount_Usage_Reporting_Viewer | Role for global account members with read-only authorizations for core commercialization operations, such as viewing global account usage information. |
Global Account Administrator | User and Role Administrator | xsuaa_admin | Manage authorizations, trusted identity providers, and users. |
Global Account Administrator | System Landscape Administrator | GlobalAccount_System_Landscape_Administrator | Administrative access to systems and scenario-related resources. |
Global Account Viewer | Global Account Viewer | GlobalAccount_Viewer | Role for global account members with read-only authorizations for core commercialization operations, such as viewing global accounts, subaccounts, entitlements, and regions. |
Global Account Viewer | Global Account Usage Reporting Viewer | GlobalAccount_Usage_Reporting_Viewer | Role for global account members with read-only authorizations for core commercialization operations, such as viewing global account usage information. |
Global Account Viewer | User and Role Auditor | xsuaa_auditor | Read-only access for authorizations, trusted identity providers, and users. |
Global Account Viewer | System Landscape Viewer | GlobalAccount_System_Landscape_Viewer | Viewer access to systems and scenario-related resources. |
Subaccount Administrator | Cloud Connector Administrator | Cloud_Connector_Administrator | Operate the data transmission tunnels used by the Cloud connector. |
Subaccount Administrator | Destination Administrator | Destination_Administrator | Manage destination configurations, certificates and subaccount trust via the Destination editor in the SAP BTP cockpit. |
Subaccount Administrator | Subaccount Admin | Subaccount_Admin | Role for subaccount members with read-write authorizations for core commercialization operations, such as viewing subaccount entitlements, and creating and deleting environment instances. |
Subaccount Administrator | User and Role Administrator | xsuaa_admin | Manage authorizations, trusted identity providers, and users. |
Subaccount Administrator | Subaccount Service Administrator | Subaccount_Service_Administrator | Administrative access to service brokers and environments on a subaccount level. |
Subaccount Viewer | Cloud Connector Auditor | Cloud_Connector_Auditor | View the data transmission tunnels used by the Cloud connector to communicate with back-end systems. |
Subaccount Viewer | Destination Viewer | Destination_Viewer | View destination configurations, certificates and subaccount trust via the Destination editor in the SAP BTP cockpit. |
Subaccount Viewer | Subaccount Viewer | Subaccount_Viewer | Role for subaccount members with read-only authorizations for core commercialization operations, such as viewing subaccount entitlements, details of environment instances, and job results. |
Subaccount Viewer | User and Role Auditor | xsuaa_auditor | Read-only access for authorizations, trusted identity providers, and users. |
Subaccount Viewer | Subaccount Service Auditor | Subaccount_Service_Auditor | Read-only access to service brokers and environments on a subaccount level. |
Subaccount Service Administrator | Subaccount Service Administrator | Subaccount_Service_Administrator | Administrative access to service brokers and environments on a subaccount level. |
Cloud Connector Administrator | Cloud Connector Administrator | Cloud_Connector_Administrator | Operate the data transmission tunnels used by the Cloud connector. |
Destination Administrator | Destination Administrator | Destination_Administrator | Manage destination configurations, certificates and subaccount trust via the Destination editor in the SAP BTP cockpit. |
Connectivity and Destination Administrator | Cloud Connector Administrator | Cloud_Connector_Administrator | Operate the data transmission tunnels used by the Cloud connector. |
Connectivity and Destination Administrator | Destination Administrator | Destination_Administrator | Manage destination configurations, certificates and subaccount trust via the Destination editor in the SAP BTP cockpit. |
Directory Administrator | Directory Admin | Directory_Admin | Role for directory members with read-write authorizations for core commercialization operations, such as updating directories, setting entitlements, and creating, updating, and deleting subaccounts. |
Directory Administrator | User and Role Administrator | xsuaa_admin | Manage authorizations, trusted identity providers, and users. |
Directory Administrator | Directory Usage Reporting Viewer | Directory_Usage_Reporting_Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directory usage information. |
Directory Viewer | Directory Viewer | Directory_Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directories, subaccounts, entitlements, and regions. |
Directory Viewer | User and Role Auditor | xsuaa_auditor | Read-only access for authorizations, trusted identity providers, and users. |
Directory Viewer | Directory Usage Reporting Viewer | Directory_Usage_Reporting_Viewer | Role for directory members with read-only authorizations for core commercialization operations, such as viewing directory usage information. |
Creating a Custom Role Collection:
Custom role collections in BTP provide a structured and efficient way to manage user permissions, improving security, compliance, and operational efficiency. They matter for several reasons:
- Security and Compliance: Custom role collections ensure that users hold the permissions appropriate to their specific roles and responsibilities, and no more. This supports security and compliance by following the principle of least privilege.
- Operational Efficiency: By creating custom role collections, organizations can streamline the assignment of permissions. Instead of assigning individual roles to each user, a custom role collection can bundle multiple roles, making user management more efficient.
- Tailored Access Control: Different teams or projects might require different sets of permissions. Custom role collections allow administrators to tailor access controls to meet the specific needs of various groups within the organization.
Prerequisites:
You have administration rights in the subaccount and/or the global account.
The users are stored in identity providers that are connected to SAP BTP:
- Default identity provider (SAP ID service).
- Custom identity provider (SAP Cloud Identity Services).
Creating custom role collections in SAP BTP allows you to tailor access controls to fit specific business requirements. Here is how to create and use one:
- Log in to your BTP account and go to your global account.
- Navigate to “Role Collections” and click “Create” to create a custom role collection.

- Provide the role collection name and description and click “Create”.

- Click “Edit” and select the “+” (Add a role) option. Use the dropdown list under Role Name to display the available roles. Choose the desired role and click “Save”.

- Once saved, the role collection is displayed as shown below, together with the number of roles it contains.

Additionally, you can perform the following tasks from the Role Collections page in the BTP cockpit:
Delete Roles from a Role Collection:
You can remove roles from a role collection by selecting the specific role collection, then editing it to delete the roles that are no longer required.
Assigning Role Collections to Users or User Groups:
- Assign Users to Role Collections: You can assign users from both default and custom identity providers to a role collection. Role collections can be assigned to users via the “Users” or “Role Collections” options under the Security Node in your BTP account. Simply enter the user ID of the user you wish to assign to the role collection and click save.
- Delete Users from Role Collections: You can unassign users from a role collection by removing them from the role collection. Navigate to the “Role Collections” option under the Security Node, select the role collection from which you want to unassign users, click “Delete” in the row of the user you wish to unassign, and save your changes.
- Assign User Groups to Role Collections: You can assign user groups from custom identity providers to a role collection (prerequisite: you are using a custom identity provider). Navigate to the “Role Collections” option under the Security Node, select the role collection to which you want to assign user groups, go to the User Groups section, and choose “Edit”. Select the identity provider where the user group is stored, enter the name of the user group, and save your changes.
- Delete User Groups from Role Collections: You can unassign user groups from a role collection by removing them from it. In your SAP BTP cockpit, navigate to your global account and subaccount, then select Role Collections under Security. Choose the role collection from which you want to unassign a user group, go to the User Groups section, and select “Delete”. Save your changes.
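Managing user and user-group assignments is only half of least privilege; the other half is reviewing what each principal ends up holding. The following script is an added example, not SAP code or part of the original page: it takes a subset of the standard role collections from the table above, a constructed custom collection (the hypothetical "Integration Team"), and constructed sample assignments, flattens them into effective role templates per principal, and flags two things a reviewer looks for: a viewer collection assigned alongside the matching administrator collection (it grants nothing extra and only adds clutter), and holders of templates that can change authorizations or create and delete accounts.

```python
# Standard role collections from the table above: collection -> role templates.
STANDARD_COLLECTIONS = {
    "Global Account Administrator": {
        "GlobalAccount_Admin", "GlobalAccount_Usage_Reporting_Viewer",
        "xsuaa_admin", "GlobalAccount_System_Landscape_Administrator"},
    "Global Account Viewer": {
        "GlobalAccount_Viewer", "GlobalAccount_Usage_Reporting_Viewer",
        "xsuaa_auditor", "GlobalAccount_System_Landscape_Viewer"},
    "Subaccount Administrator": {
        "Cloud_Connector_Administrator", "Destination_Administrator",
        "Subaccount_Admin", "xsuaa_admin", "Subaccount_Service_Administrator"},
    "Subaccount Viewer": {
        "Cloud_Connector_Auditor", "Destination_Viewer", "Subaccount_Viewer",
        "xsuaa_auditor", "Subaccount_Service_Auditor"},
}
# Constructed custom collection (hypothetical): destination management plus read-only tunnel view.
ALL_COLLECTIONS = {**STANDARD_COLLECTIONS,
                   "Integration Team": {"Destination_Administrator", "Cloud_Connector_Auditor"}}
# Constructed sample assignments: principal (user, or "group:" prefix) -> collections held.
SAMPLE_ASSIGNMENTS = {
    "alice@example.com": ["Subaccount Administrator", "Subaccount Viewer"],
    "group:integration-devs": ["Integration Team"],
}
# Templates that manage authorizations and users, or create and delete accounts.
HIGH_PRIVILEGE = {"xsuaa_admin", "GlobalAccount_Admin", "Subaccount_Admin", "Directory_Admin"}
# Viewer collections whose rights are already covered by the matching admin collection.
REDUNDANT_PAIRS = [("Global Account Administrator", "Global Account Viewer"),
                   ("Subaccount Administrator", "Subaccount Viewer")]

def effective_templates(assignments, collections):
    """Flatten principal -> [collection names] into principal -> set of role templates."""
    effective = {}
    for principal, names in assignments.items():
        for name in names:
            effective.setdefault(principal, set()).update(collections[name])
    return effective

def review(assignments, collections):
    """Least-privilege findings as (principal, kind, detail) tuples: redundant
    admin+viewer pairs first, then each high-privilege template a principal holds."""
    findings = []
    for principal, names in assignments.items():
        for admin, viewer in REDUNDANT_PAIRS:
            if admin in names and viewer in names:
                findings.append((principal, "redundant", viewer))
    for principal, templates in effective_templates(assignments, collections).items():
        for template in sorted(templates & HIGH_PRIVILEGE):
            findings.append((principal, "high-privilege", template))
    return findings
```

Calling `review(SAMPLE_ASSIGNMENTS, ALL_COLLECTIONS)` reports the redundant Subaccount Viewer assignment and the two high-privilege templates alice holds, while the group with the tailored custom collection produces no findings.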
In summary, custom role collections simplify administration. Managing user roles and permissions can become complex in large organizations, and custom role collections reduce that complexity by grouping related roles together and cutting administrative overhead. They also support better collaboration by giving team members the access to tools and data that their tasks require, fostering a more productive and agile work environment.