(Example images are taken from a trial account)

Managing BTP Role Collection via SAP Cloud Identity Service

In this blog I will explain how SAP BTP role collections can be handled by SAP Cloud Identity Services. Multiple services and applications can be deployed on SAP BTP Cockpit, and these services may have different role collections. Most of the time, these services are deployed on different subaccounts. We can manage users and roles individually for every subaccount. However, we can manage all users and roles from one identity service by establishing a trust between the identity service and BTP subaccounts. In this blog, we will create role collection mapping to manage BTP role collections via SAP Cloud Identity Services. So, we will be able to manage different role  collections from only one identity provider.

Prerequisites

If you have an identity provider, you can configure it as a custom provider for a BTP subaccount. It can be used as the source of users and role collections. There are some prerequisites for creating role collection mappings.

• Have a Subaccount Administrator role in the subaccount that will be trusted with SAP Cloud Identity Services
• SAP Cloud Identity Services tenant, could be subscribed in different subaccount but should be in the same Global account and region

Here is the help.sap document to configure trust between your subaccount and the SAP IAS tenant:

Configure Trust Between SAP BTP and IAS

NOTE: To be able to use the role collection mapping, you should be authorized with your custom identity provider to your application.

Configurations

1. BTP Role Collections

Before creating a role collection mapping, you must ensure that you have the role on “Role Collections” in your subaccount. Navigate to <Your Subaccount> -> Security -> Role Collections 

You can use default role collections that are defined for the standard BTP applications. Also, you can create a new custom role collection with clicking on the Create button from the top right. 

SAP BTP Role Collections

In this example, I created a new custom role collection called “My_Custom_Role”.

2. SAP Cloud Identity Services

Before starting to configure role collection mapping, we must ensure that we send necessary attributes to the application. In the SAP Cloud Identity Service, navigate to Application & Resources -> <Your Application> -> Single Sign-On -> Assertion Attributes

Application Page on SAP Cloud Identity Services

In the assertion attributes, you must have a Groups attribute. This is what we will send to the application as a BTP role.

Assertion Attributes of an Application on SAP Cloud Identity Services

Then we should create a group for a BTP role that we will be mapping. Navigate to Users & Authorizations -> Groups. Create a new group, if you have already one, add members who will have this BTP role.

Groups and its Users on SAP Cloud Identity Services

3. BTP Role Collection Mapping

Now we are ready to make role collection mapping. Go to your BTP subaccount and navigate to <Your Subaccount> -> Security -> Trust Configuration and click on the custom identity provider that you have established in the beginning.

SAP BTP Trust Configurations

Click on the New Role Collection Mapping and choose your BTP role collection (1). You can also choose your BTP custom role collection. For “Attribute”, you should write what you defined in IAS as a Groups attribute (2). In this case, we can leave it as “Groups”. In the “Value” section, you should write your IAS group’s name which corresponds to your BTP role collection (3). Then save it.

SAP BTP Role Collection Mapping

You can see your mapping from Role Collections.

SAP BTP Role Collections Mapped with IAS Groups

In the end:

• You can manage this role collection on SAP Identity Authentication Service with managing the corresponding group’s members.
• In the BTP subaccount, you cannot see the user’s role assigned by IAS. These roles are assigned to users when they are authorized to your application via SAP IAS.

Please be aware that your IAS user must be created in your SAP BTP subaccount as well. You can check more about to create user on BTP from here:

Managing SAP BTP Users

Hope this blog will help you to manage your BTP roles from your identity provider!

Thank you so much for reading my first blog!