Let’s Get Rolling – The New Roles and Authorizations in SAP HANA Cloud Portal
Note: SAP HANA Cloud Portal was renamed to “SAP HANA Cloud Platform, portal service” in May 2016.
A role is basically a collection of permissions that defines a function within a portal to which users and/or groups are assigned. Roles and authorizations are created for the various job functions within an organization. With the new role-based authorization concept provided by SAP HANA Cloud Portal, you can now easily manage user access and permissions at the site and page levels.
The existing authorization mechanism has been enhanced to support the following role types:
- Technical Roles – Cloud Portal roles for maintaining account administrators and site creators.
- Organizational Roles – roles defined and managed in the HANA Cloud Platform (HCP) cockpit to restrict access to Cloud Portal sites and pages.
- Site Guests – an organizational role at site level, used to manage end users within Cloud Portal; it uses the invitation mechanism to provide access to the users who are assigned the site guest role.
Managing Roles and Groups
Organizational roles (defined in HCP as custom roles) can be created via the HANA Cloud Platform cockpit from the new Application Subscription view. These custom roles are created per application subscription. Custom roles are accessible only within the account where they are created; therefore different accounts subscribed to the same Cloud Portal application could have different custom roles.
To access the roles management page in productive accounts:
- Open the HANA Cloud Platform cockpit
- Select Subscription from the view on the left
- From the subscribed applications list, select the portal application for which you want to create the roles
- Click on Roles
In trial accounts the roles are created from the Services view by selecting Manage Roles at the SAP HANA Cloud Portal service line.
In the HANA Cloud Platform cockpit you can also define groups to map individual users authorized by the identity provider (SAP ID service or others). The same groups can be assigned to organizational roles. Ideally, groups will help you get better alignment between technical application level roles and organizational roles. For more information see: Managing Roles and Groups
Once the organizational roles are defined in the cockpit, Cloud Portal administrators can view these roles in Cloud Portal’s administration space under the Authorization tab (Organization Roles) – currently read only.
Site authors can use these roles to set permissions at the site and page level in alignment with the role-based authorization concept. The Access Management panel has been redesigned to enable role assignment at the site and page level as well as to manage end-user access (site guests).
Restricting Access to Sites and Pages using Organizational Roles
Sites / pages can have one of the following access levels:
- Public – everyone can access
- Authenticated – only logged-on users can access
- Role-Based – only users that belong to specific roles can access
By default, every page inherits the access definitions from its parent:
- Parent is the site for 1st level pages
- Parent is the parent page in 2nd and 3rd level pages
Pages can break inheritance to define a stricter access level:
- Either a stricter access level type (Public < Authenticated < Role-Based)
- Or when the parent is Role-Based – a subset of the roles allowed in the parent.
To assign a role to a page, the author hovers over the role tile and clicks Allow Page Access. From that point on, all users/groups assigned to that role will be able to access the page; unauthorized users, however, will not see the page in the navigation menu. If you decide to restrict page access using the role-based access level, at least one role must be allowed to access the page.
The site aggregates all organizational roles used anywhere in the site. Once a new role is added to a site / role-based page
- It is added automatically to inheriting sub pages
- It can be added to sub-pages that break inheritance (permission hubs), but this requires an explicit action
Finally, when a role is deleted from a site or page, it is automatically deleted from all of its sub-pages.
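The access-level ordering, page inheritance and the "stricter or subset" rule described above, modelled as an added example (this is not Cloud Portal code; the site tree and role names such as HR_Manager are constructed placeholders). It resolves a page's effective access through its parent chain, validates that a page breaking inheritance is not weaker than its parent, and computes whether a given user would see the page in the navigation menu.

```python
from dataclasses import dataclass
from typing import Optional
# Access levels ordered from least to most restrictive (Public < Authenticated < Role-Based).
LEVELS = {"Public": 0, "Authenticated": 1, "Role-Based": 2}

@dataclass
class Node:
    """A site or a page. level/roles are None when the page inherits from its parent."""
    name: str
    parent: Optional["Node"] = None
    level: Optional[str] = None          # explicit access level, or None to inherit
    roles: frozenset = frozenset()       # roles allowed when level == "Role-Based"

    def effective(self):
        """Walk up to the nearest ancestor that defines access (the site always does)."""
        node = self
        while node.level is None:
            node = node.parent
        return node.level, node.roles

def validate(node: Node) -> list:
    """Return reasons why an explicit access definition on a page is not allowed."""
    problems = []
    if node.level is None or node.parent is None:
        return problems
    p_level, p_roles = node.parent.effective()
    if LEVELS[node.level] < LEVELS[p_level]:
        problems.append(f"{node.name}: {node.level} is weaker than parent's {p_level}")
    if node.level == "Role-Based":
        if not node.roles:
            problems.append(f"{node.name}: role-based page must allow at least one role")
        if p_level == "Role-Based" and not node.roles <= p_roles:
            problems.append(f"{node.name}: roles {sorted(node.roles - p_roles)} not allowed on parent")
    return problems

def can_access(node: Node, user_roles: frozenset, authenticated: bool) -> bool:
    """Page visibility for a user: hidden from the navigation menu when this returns False."""
    level, roles = node.effective()
    if level == "Public":
        return True
    if level == "Authenticated":
        return authenticated
    return authenticated and bool(user_roles & roles)

# Constructed sample site: role and page names are placeholders, not from the original post.
site = Node("site", level="Authenticated")
hr = Node("hr", parent=site, level="Role-Based", roles=frozenset({"HR_Manager", "HR_Staff"}))
payroll = Node("payroll", parent=hr)                                   # inherits HR roles
bad = Node("bad", parent=hr, level="Public")                           # weaker than parent
wider = Node("wider", parent=hr, level="Role-Based", roles=frozenset({"HR_Staff", "Finance"}))
```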
As of today (June 18, 2014) the new roles and authorizations mechanism is available for all trial and productive Cloud Portal users.
We invite you to experience the new functionality and provide us with your feedback (either in this blog or via email).
Great, and important capability! Thanks team!
Thanks Bob. I look forward to your feedback on this big topic. You (and your team) can check it out on trial.
Will the role management functionality become available for trial accounts at some point?
The role management capability is already in trial from day 1. You can find it under Access Management in the authoring panel.
Thanks for your quick reply. I missed the part where you need to add the role to the site before you can use it in a page...
You can find some guidance in our online help under Site Access and Permissions.
Thanks for that blog. Very interesting.
It may be off topic, but what about the roles and authorizations of the users that connect from HANA Cloud to the ECC system, usually through the HANA Connector?
Is there any documentation about it?
Roles and authorizations defined in SAP backend systems should be considered by the application logic developed in HCP. You can find more information on roles and authorizations in HANA Cloud Platform here.
Do you have similar steps for an FLP site? Especially on the authorization concept. It looks like FLP has a different way of approaching authorization / permissions / roles.
Roles management is done in one place which is HANA Cloud Platform cockpit. You can find more details here.
With the new major release of cloud portal, FLP and cloud portal freestyle pages are merged into one product. For more information check out this blog.
I created a new role and assigned an "end user" to that role. In Cloud Portal, where do I go to assign the role to that FLP site? In a normal site, this is done at site/page level.
Hi! Thanks for the great information about restricting access to sites and pages. I was wondering if you can restrict access on a widget level (e.g., we want to create a page for a broad audience and then display different widgets for subgroups). Is that possible today? If not, is it on the roadmap?
Please refer to this blog to learn about the new major release of Cloud Portal. You can use the Fiori launchpad as part of Cloud Portal to assign roles at apps and tile groups level. You can find more information in this help page.
Thank you for the additional details. I understand that it is possible to assign roles at the apps and tile groups level as part of the Fiori launchpad, but I was wondering if it's possible to assign roles at the content editor level, e.g., assign roles to or target HTML editor widgets, image editor widgets, text editor widgets etc. within a content page on the HANA Cloud Portal. We want to be able to build out content pages and then target one paragraph of text to a group/audience and another paragraph of text to a different group/audience on the same page (not using the Fiori launchpad). Is that possible?
This option is not available at the moment, however it is on the roadmap.
You can think of building the content pages in a way that each topic/ set of paragraphs that need to be updated by a certain group will be created on a separate page. The roles will then be assigned to the page level.
Public / Anonymous Access to HCP-FLP
How can I enable public (anonymous or for everyone) access to my apps on the HCP Portal Fiori service without the need to log in via SAP ID?
When I try to access the above launchpad, it asks for an SAP ID, which I want to avoid so that users have seamless access to the apps hosted on this launchpad.