HOW TO AUTOMATICALLY ASSIGN ROLE COLLECTIONS IN SAP BTP
SAP Business Technology Platform (SAP BTP), previously known as SAP Hana
Cloud Platform before transitioning to SAP Cloud Platform, is a comprehensive
offering that encompasses four key technology portfolios:
1. Database & Data Management
2. Application Development & Integration
3. Analytics
4. Intelligent Technologies.
2. Application Development & Integration
3. Analytics
4. Intelligent Technologies.
SAP BTP provides users with a suite of tools, services, and products aimed at
facilitating the development, integration, and extension of both SAP and third-party
applications.
The services and solutions offered by SAP BTP are accessible across various cloud
infrastructure providers. Its multi-cloud foundation caters to diverse environments,
including Cloud Foundry, ABAP, and Kyma, accommodating multiple regions and
offering a wide range of programming languages for developers to choose from.
Here is structure of the SAP BTP:
Source – SAP website
SAP BTP has two types of users, i.e., Platform Users and Business Users.
SAP BTP has two types of users, i.e., Platform Users and Business Users.
Platform users are the members of global accounts and subaccounts: usually
developers, administrators or operators who deploy, administer, and troubleshoot
applications and services. They can view a list of all global accounts and
subaccounts, and access them using the cockpit.
Business users are those who use the applications that are deployed to SAP BTP. For example, users of subscribed apps or services, such as SAP Web IDE, are business users.
Business users are those who use the applications that are deployed to SAP BTP. For example, users of subscribed apps or services, such as SAP Web IDE, are business users.
1) How do users obtain access?
Access for users is facilitated through roles and role collections. Users cannot be
assigned roles directly; instead, role collections must be assigned to them. Roles
and role collections are pre-delivered with each application.
Understanding Role Collections in SAP BTP
Role collections in SAP BTP serve as containers for roles (similar to composites in
SAP ECC/S4) that define permissions and access levels for users within the
platform. By assigning users to role collections, administrators can efficiently
manage access rights across various applications and services.
Role collections can be assigned either from the BTP account or through Groups via IAS or the third party Identity Provider. Assigning role collections directly via BTP account is an easy and a direct activity. Here are the steps:
Role collections can be assigned either from the BTP account or through Groups via IAS or the third party Identity Provider. Assigning role collections directly via BTP account is an easy and a direct activity. Here are the steps:
1. Login to SAP BTP sub-account
2. Navigate to Security > Users
3. Select the User from the list and in the right window, navigate to Role Collections
4. Click … (three dots) and choose Assign Role Collection
5. Select the Role collections from the list as shown in below figure:
2. Navigate to Security > Users
3. Select the User from the list and in the right window, navigate to Role Collections
4. Click … (three dots) and choose Assign Role Collection
5. Select the Role collections from the list as shown in below figure:
6. Click Assign Role Collection
Once the Role collection is assigned, you may notice the role as shown below:
However, as the number of users and applications increases, manually assigning
roles to each user becomes impractical and time-consuming. So, what’s the
solution? Automation?
The Importance of Automation
Automating role assignments in SAP BTP offers several benefits:
| Efficiency | Automation eliminates the need for manual intervention, saving time and reducing the risk of errors associated with manual role assignments. |
| Scalability | As organizations scale their operations, automation ensures that role assignments remain consistent and manageable, regardless of the size of the user base. |
| Reduces Manual efforts | It automates assignment and removal of role collections to users via groups. |
| Enhanced Security | By automating role assignments, access privileges will be revoked automatically when users change roles or leave the company, as the assignment is always via groups. |
How to implement automatic Role collecting assignment in SAP BTP?
Before implementing automatic role assignments (dynamic assignment), it’s
essential to define Groups in IAS collection policies based on job roles,
departmental requirements, and security considerations. Identify the roles and
permissions required for different user groups within your organization.
NOTE: I assume the Corporate/Custom IDP is already configured and setup in the BTP sub-account. If the BTP is using Default Identity provider as shown below, you can’t use the auto Role collection assignment feature.
NOTE: I assume the Corporate/Custom IDP is already configured and setup in the BTP sub-account. If the BTP is using Default Identity provider as shown below, you can’t use the auto Role collection assignment feature.
Hence, the first step is to create a Corporate/Custom Identity Provider. Refer to my
learning video – https://www.youtube.com/watch?v=KPoi_NdwQ4U which explains
setting up custom IDP using SAML 2.0, and setup the Role collection.
Once the SAML is setup, now from IAS, setup Groups. Follow the steps mentioned
below:
1. Login to IAS
2. Click Groups tile
3. Create User Groups by clicking + Create button
4. Enter the Group Name, Display Name, and Description.
2. Click Groups tile
3. Create User Groups by clicking + Create button
4. Enter the Group Name, Display Name, and Description.
All the groups that are available are displayed as follows:
5. Click the Group and click + Add to add Users.
NOTE: Users must be onboarded before assigning the groups.
Once the groups are created, Role Collections can be mapped. Go to SAP BTP sub
account and click the Corporate IDP under Trust Configuration:
6. Click Role collection Mappings
7. Click New Role Collection Mapping button.
8. Select Role Collection, Enter “Groups” as Attribute and a value (free text) as shown below:
7. Click New Role Collection Mapping button.
8. Select Role Collection, Enter “Groups” as Attribute and a value (free text) as shown below:
You can notice the Role collection mappings as shown below:
Whenever users are assigned to groups in IAS (Identity Authentication Service), a
Ghost ID will be automatically created for the respective user in the corresponding
application. The Ghost ID will be mapped with the appropriate role collections,
granting the user the respective access automatically.
Additional references : https://www.youtube.com/watch?v=KPoi_NdwQ4U
Conclusion
Automating role assignments in SAP BTP is essential for streamlining access
management, and ensuring security in today’s dynamic business environment. By
defining role collection policies, and leveraging IAS services, organizations can
effectively manage user access while minimizing administrative overhead.
