Let’s Get Rolling – The New Roles and Authorizations in SAP HANA Cloud Portal
Note: SAP HANA Cloud Portal was renamed to “SAP HANA Cloud Platform, portal service” in May 2016.
A role is basically a collection of permissions that defines a function within a portal, to which users and/or groups are assigned. Roles and authorizations are created for the various job functions within an organization. With the new role-based authorization concept provided by SAP HANA Cloud Portal, you can now easily manage user access and permissions at the site and page levels.
The existing authorization mechanism has been enhanced to support the following role types:
- Technical Roles – Cloud Portal roles for maintaining account administrators and site creators.
- Organizational Roles – roles defined and managed in the HANA Cloud Platform (HCP) cockpit to restrict access to Cloud Portal sites and pages.
- Site Guests – an organizational role at site level, used to manage end users within Cloud Portal; it uses the invitation mechanism to provide access to the users who are assigned the site guest role.
Managing Roles and Groups
Organizational roles (defined in HCP as custom roles) can be created via the HANA Cloud Platform cockpit from the new Application Subscription view. These custom roles are created per application subscription. Custom roles are accessible only within the account where they are created; therefore different accounts subscribed to the same Cloud Portal application could have different custom roles.
To access the roles management page in productive accounts:
- Open the HANA Cloud Platform cockpit
- Select Subscription from the view on the left
- From the subscribed applications list, select the portal application for which you want to create the roles
- Click on Roles
In trial accounts the roles are created from the Services view by selecting Manage Roles at the SAP HANA Cloud Portal service line.
In the HANA Cloud Platform cockpit you can also define groups to map individual users authorized by the identity provider (SAP ID service or others). The same groups can be assigned to organizational roles. Ideally, groups will help you get better alignment between technical application level roles and organizational roles. For more information see: Managing Roles and Groups
Once the organizational roles are defined in the cockpit, Cloud Portal administrators can view these roles in Cloud Portal’s administration space under the Authorization tab (Organization Roles) – currently read only.
Site authors can use these roles to set permissions at the site and page levels, in line with the role-based authorization concept. The Access Management panel has been redesigned to enable role assignment at the site and page levels as well as to manage end-user access (site guests).
Restricting Access to Sites and Pages using Organizational Roles
Sites / pages can have one of the following access levels:
- Public – everyone can access
- Authenticated – only logged-on users can access
- Role-Based – only users that belong to specific roles can access
By default, every page inherits the access definitions from its parent:
- Parent is the site for 1st level pages
- Parent is the parent page in 2nd and 3rd level pages
Pages can break inheritance to define a stricter access level:
- Either a stricter access level type (Public < Authenticated < Role-Based)
- Or when the parent is Role-Based – a subset of the roles allowed in the parent.
To assign a role to a page, the author hovers over the role tile and clicks Allow Page Access. From that point, all users/groups assigned to that role can access the page, while users who are not authorized will not see the page in the navigation menu. If you decide to restrict page access with the role-based access level, at least one role must be allowed to access the page.
The site aggregates all organizational roles used anywhere in the site. Once a new role is added to a site or to a role-based page:
- It is added automatically to inheriting sub-pages
- It can be added to sub-pages that are permission hubs (pages that broke inheritance), but this requires an explicit action
Finally, when a role is deleted – it is automatically deleted from all sub-pages.
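To make the rules above concrete, here is an added example (not SAP code, and not the portal's implementation) that models sites and pages with the three access levels, the parent inheritance, the "stricter only" rule for breaking inheritance, the subset rule for role-based children, the at-least-one-role check, automatic propagation of a newly allowed role to inheriting sub-pages only, and recursive deletion of a role. The `Page` class, the `GROUP_TO_ROLE` mapping (standing in for the group-to-role assignment done in the HCP cockpit), and the sample intranet site are all constructed for the illustration.

```python
"""Model of the site/page access levels and inheritance rules described above.

Added illustration, not SAP code: Page, GROUP_TO_ROLE and build_demo() are
constructed here to show how the rules compose and what an end user sees.
"""
from enum import IntEnum


class AccessLevel(IntEnum):
    """Ordered so that a stricter level compares greater: Public < Authenticated < Role-Based."""
    PUBLIC = 0
    AUTHENTICATED = 1
    ROLE_BASED = 2


class Page:
    """A site (no parent) or a page. A page inherits from its parent until it breaks inheritance."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.inherits = parent is not None   # a site defines its own access; pages inherit by default
        self._level = AccessLevel.PUBLIC
        self._roles = set()
        if parent is not None:
            parent.children.append(self)

    @property
    def level(self):
        return self.parent.level if self.inherits else self._level

    @property
    def roles(self):
        return set(self.parent.roles) if self.inherits else set(self._roles)

    def set_access(self, level, roles=()):
        """Break inheritance. Only a stricter level, or (under a role-based parent) a subset of its roles, is accepted."""
        roles = set(roles)
        if self.parent is not None:
            if level < self.parent.level:
                raise ValueError(f"{self.name}: access level may only become stricter than the parent")
            if self.parent.level == AccessLevel.ROLE_BASED and not roles <= self.parent.roles:
                raise ValueError(f"{self.name}: roles must be a subset of the parent's roles")
        if level == AccessLevel.ROLE_BASED and not roles:
            raise ValueError(f"{self.name}: a role-based page needs at least one allowed role")
        if level != AccessLevel.ROLE_BASED:
            roles = set()
        self.inherits, self._level, self._roles = False, level, roles

    def allow_role(self, role):
        """'Allow Page Access' for a role. Inheriting sub-pages pick it up automatically;
        permission hubs (sub-pages that broke inheritance) need their own explicit allow_role."""
        if self.inherits or self._level != AccessLevel.ROLE_BASED:
            raise ValueError(f"{self.name}: roles can only be allowed on a role-based site/page")
        self._roles.add(role)

    def remove_role(self, role):
        """Deleting a role removes it from this page and from every sub-page, hubs included."""
        self._roles.discard(role)
        for child in self.children:
            child.remove_role(role)

    def site_roles(self):
        """The site aggregates every organizational role used anywhere below it."""
        roles = set(self._roles)
        for child in self.children:
            roles |= child.site_roles()
        return roles


# Constructed stand-in for the group -> role assignment made in the HCP cockpit.
GROUP_TO_ROLE = {"all-employees": {"Employee"}, "hr-managers": {"HR_Manager"}}


def user_roles(groups):
    roles = set()
    for group in groups:
        roles |= GROUP_TO_ROLE.get(group, set())
    return roles


def can_access(page, authenticated, groups=()):
    """Access decision for one user against the page's effective level and roles."""
    if page.level == AccessLevel.PUBLIC:
        return True
    if not authenticated:
        return False
    if page.level == AccessLevel.AUTHENTICATED:
        return True
    return bool(page.roles & user_roles(groups))


def navigation(page, authenticated, groups=()):
    """The navigation menu as that user sees it: pages they cannot access are omitted."""
    return [child.name for child in page.children if can_access(child, authenticated, groups)]


def rejected(page, level, roles=()):
    """True when set_access refuses the change; used to exercise the validation rules."""
    try:
        page.set_access(level, roles)
    except ValueError:
        return True
    return False


def build_demo():
    """Constructed sample site: Authenticated site, role-based HR area, one permission hub below it."""
    site = Page("Intranet")
    site.set_access(AccessLevel.AUTHENTICATED)
    news = Page("News", site)                                    # inherits: Authenticated
    hr = Page("HR", site)
    hr.set_access(AccessLevel.ROLE_BASED, {"Employee", "HR_Manager"})
    payroll = Page("Payroll", hr)                                # inherits both roles
    reviews = Page("Reviews", hr)
    reviews.set_access(AccessLevel.ROLE_BASED, {"HR_Manager"})  # permission hub: subset of parent's roles
    return {"site": site, "news": news, "hr": hr, "payroll": payroll, "reviews": reviews}
```

Running `build_demo()` and then calling `navigation(d["hr"], True, ["all-employees"])` returns only `["Payroll"]`, which is the "unauthorized users do not see the page in the menu" behaviour; attempts to make a child of HR public, or to give it a role HR does not have, are rejected by `set_access`.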
As of today (June 18, 2014) the new roles and authorizations mechanism is available for all trial and productive Cloud Portal users.
We invite you to experience the new functionality and provide us with your feedback (either in this blog or via email).