HOW TO AUTOMATICALLY ASSIGN ROLE COLLECTIONS IN SAP BTP
SAP Business Technology Platform (SAP BTP), previously known as SAP HANA Cloud Platform before transitioning to SAP Cloud Platform, is a comprehensive offering that encompasses four key technology portfolios:
2. Application Development & Integration
3. Analytics
4. Intelligent Technologies.
SAP BTP provides users with a suite of tools, services, and products aimed at
facilitating the development, integration, and extension of both SAP and third-party applications.
The services and solutions offered by SAP BTP are accessible across various cloud infrastructure providers. Its multi-cloud foundation caters to diverse environments, including Cloud Foundry, ABAP, and Kyma, accommodating multiple regions and offering a wide range of programming languages for developers to choose from. Here is the structure of SAP BTP:

SAP BTP has two types of users, i.e., Platform Users and Business Users.
Business users are those who use the applications that are deployed to SAP BTP. For example, users of subscribed apps or services, such as SAP Web IDE, are business users.
1) How do users obtain access?
Understanding Role Collections in SAP BTP
Role collections in SAP BTP serve as containers for roles (similar to composites in SAP ECC/S4) that define permissions and access levels for users within the platform. By assigning users to role collections, administrators can efficiently manage access rights across various applications and services.
Role collections can be assigned either directly in the BTP account or through groups via IAS or a third-party identity provider. Assigning role collections directly in the BTP account is easy and direct. Here are the steps:
2. Navigate to Security > Users
3. Select the User from the list and in the right window, navigate to Role Collections
4. Click … (three dots) and choose Assign Role Collection
5. Select the role collections from the list, as shown in the figure below:


However, as the number of users and applications increases, manually assigning roles to each user becomes impractical and time-consuming. So, what’s the solution? Automation?
The Importance of Automation
Automating role assignments in SAP BTP offers several benefits:
How to implement automatic role collection assignment in SAP BTP?
Before implementing automatic role assignments (dynamic assignment), it’s essential to define Groups in IAS collection policies based on job roles, departmental requirements, and security considerations. Identify the roles and permissions required for different user groups within your organization.
NOTE: I assume the Corporate/Custom IDP is already configured and set up in the BTP sub-account. If BTP is using the Default Identity Provider as shown below, you can’t use the auto role collection assignment feature.

2. Click Groups tile
3. Create User Groups by clicking + Create button
4. Enter the Group Name, Display Name, and Description.

5. Click the Group and click + Add to add Users.

NOTE: Users must be onboarded before they are assigned to groups. Once the groups are created, role collections can be mapped. Go to the SAP BTP sub-account and click the Corporate IDP under Trust Configuration:

6. Click Role collection Mappings
7. Click New Role Collection Mapping button.
8. Select the Role Collection, enter “Groups” as the Attribute, and enter a value (free text) as shown below:

The role collection mappings then appear as shown below:

Whenever users are assigned to groups in IAS (Identity Authentication Service), a Ghost ID will be automatically created for the respective user in the corresponding application. The Ghost ID will be mapped with the appropriate role collections, granting the user the respective access automatically.
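Because the mapping value is free text, it is worth reviewing the mappings against the IAS groups before users depend on them. The following is an added example, not part of the original article and not SAP code: it models the "Groups" attribute mapping described above using constructed group names, users and role collection names, and it assumes the value must match the IAS group name exactly (case-sensitive).

```python
# Added example: models the "Groups" attribute -> role collection mapping.
# All group names, role collections and users below are constructed samples.

# Role collection mappings as entered in the sub-account trust configuration:
# (role collection, attribute, free-text value)
MAPPINGS = [
    ("Finance_Viewer", "Groups", "BTP_Finance"),
    ("Subaccount Administrator", "Groups", "BTP_Admins"),
    ("HR_Editor", "Groups", "BTP_HR "),  # trailing space typed by mistake
]

# Groups that exist in IAS, with their members.
IAS_GROUPS = {
    "BTP_Finance": {"alice@example.com", "bob@example.com"},
    "BTP_Admins": {"carol@example.com"},
    "BTP_HR": {"dave@example.com"},
}

def groups_of(user):
    """Values the IdP would send in the user's Groups attribute."""
    return {g for g, members in IAS_GROUPS.items() if user in members}

def effective_role_collections(user):
    """Role collections a login receives (assumption: exact, case-sensitive match)."""
    sent = groups_of(user)
    return sorted(rc for rc, attr, value in MAPPINGS
                  if attr == "Groups" and value in sent)

def orphan_mappings():
    """Mappings whose free-text value matches no IAS group, so they never apply."""
    return [(rc, value) for rc, _attr, value in MAPPINGS if value not in IAS_GROUPS]

def holders(role_collection):
    """Everyone who receives a role collection through group membership."""
    users = set()
    for rc, _attr, value in MAPPINGS:
        if rc == role_collection:
            users |= IAS_GROUPS.get(value, set())
    return sorted(users)

if __name__ == "__main__":
    for user in ["alice@example.com", "dave@example.com"]:
        print(user, "->", effective_role_collections(user))
    print("orphan mappings:", orphan_mappings())
    print("admins via group:", holders("Subaccount Administrator"))
```

The orphan check catches a mistyped value that silently grants nothing, and `holders` lists who inherits a privileged role collection purely through group membership.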
Conclusion

