Valentin Atanassov

Risk-Based Authentication as an Alternative to Restrict User Access Option in SAP Cloud Platform Identity Authentication (previously SAP Cloud Identity Service)

You want to restrict the access to an application only to specific users. Can you do this with SAP Cloud Platform Identity Authentication, formerly known as SAP Cloud Identity service?

Sure, you can do it via the Private option in User Application Access. The procedure is described in the official documentation of the product in Configure User Access to the Application. The result is that only the users registered by the application can log on. The others can’t.

Perfect! So, your job is done.

But is there an alternative to that?

Of course, there is. The Risk-Based Authentication of SAP Cloud Platform Identity Authentication (Identity Authentication for short) offers you that alternative. Instead of registering the users for the specific application and thus restricting the access only to them, you create a user group, assign the users to it, and restrict the access to the members of that group.

That doesn't sound so difficult. Why not try it yourself? Just follow these steps:

  1. Create User Group

    1. Choose the User Groups tile under User and Authorizations in the Administration Console for Identity Authentication service.
    2. Choose the button (image: Pic2.png).
    3. Fill in the required fields and save your changes. The new group appears in the list of the groups on the left.
  2. Assign Users to the Group

    1. Choose the User Management tile under User and Authorizations in the Administration Console for Identity Authentication service.
    2. Choose the user Donna Moore to assign her to the “HR” user group.
    3. Choose the User Groups tab and then the Assign Groups button.
    4. Select the checkbox next to the group you want to assign the user to and save your changes. Now the user is a member of that group. You can check this by choosing the User Groups tile in the Administration Console and selecting your group.


  3. Restrict User Access Based on the Group
    1. Choose the Applications tile under Applications and Resources in the Administration Console for Identity Authentication service.
    2. Under the Authentication and Access tab choose Risk-Based Authentication.
    3. Choose the application that you want to restrict the access to and add a rule for it. In the pop-up window choose Allow for Action, and select your group from the drop-down list of the cloud groups.
    4. Choose Deny for Default Authentication Rule. As a result, only users that belong to the “HR” group will have access to the application. The other users will be rejected when they try to log on. They will get the following message: “Sorry, but you are currently not authorized for access”.
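
The effect of steps 3 and 4 under "Restrict User Access Based on the Group", as an added example that is not SAP code or part of the original post: a simplified Python model of the rule check, assuming the first rule that matches one of the user's groups decides and the default authentication rule applies otherwise. The `Rule`, `decide` and `audit` names and all users other than Donna Moore are constructed for illustration.

```python
# Simplified model of the rule check configured above (added example, not SAP code).
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"

@dataclass(frozen=True)
class Rule:
    action: str   # "Allow" or "Deny"
    group: str    # user group the rule applies to

def decide(user_groups, rules, default_action):
    """Return the action of the first rule whose group the user belongs to,
    otherwise the default authentication rule (assumed first-match semantics)."""
    for rule in rules:
        if rule.group in user_groups:
            return rule.action
    return default_action

def audit(users, rules, default_action, intended_group):
    """List users who would be allowed although they are not in intended_group."""
    return sorted(
        name for name, groups in users.items()
        if decide(groups, rules, default_action) == ALLOW
        and intended_group not in groups
    )

# Constructed sample directory; only Donna Moore and "HR" come from the post.
USERS = {
    "Donna Moore": {"HR"},
    "Sample User A": {"Sales"},
    "Sample User B": set(),   # no group memberships
}
RULES = [Rule(ALLOW, "HR")]

if __name__ == "__main__":
    for default in (ALLOW, DENY):
        extra = audit(USERS, RULES, default, "HR")
        print(f"default={default}: users allowed outside HR -> {extra}")
```

In this model the Allow rule for “HR” restricts nothing on its own: the restriction only exists once the default rule is Deny, so step 4 is the setting to verify when reviewing the configuration.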


If you find Risk-Based Authentication interesting and useful, you can read more about it in How to Define Risk-Based Authentication Rules with SAP Cloud Platform Identity Authentication (previously SAP Cloud Identity).
