SAP Cloud Platform Integration (formerly HCI) is used to connect on-premise / third-party applications to SAP Cloud applications. HCI acts as an interface between applications deployed on SCP (SAP Cloud Platform) and on-premise / third-party applications for data communication purposes. The communication protocols used range from web services (HTTPS) to OData services, depending on the nature of the application that communicates with the cloud. This guide explains the security configuration from an application perspective.
The following web URL is used to access the SCP – HCI link for administrative purposes:
Once the user launches the above URL, they are asked to authenticate against the SAP identity provider (SAP ID service) with either S- or P-user ID credentials to log in to the SCP portal. Once logged in, the user sees the below screen.
On the first page, the user can access the accounts that are set up on the SCP (SAP Cloud Platform). Each environment (Dev, QA, PROD) is given a separate account to keep actions separated between lower and higher environments.
Once the user selects one of the accounts (in this case we select AAAA), the portal takes the user to the following page:
As long as no custom platform identity provider is configured, all users need to use SAP ID service credentials in order to gain access to the SAP cockpit page. Other than the cockpit, to access applications deployed on the tenants, SCP leverages the Trust settings to determine the login method. By default, SCP leverages SAP ID service to authenticate the users to the applications.
Users need to provide their S- or P-user ID credentials (the ID that is used, e.g., to log in to SAP Service Marketplace) to gain access to the SCP applications. Below are the trust settings that establish the use of the SAP identity provider.
As seen in the above figure, the Trust settings show the identity provider set to SAP ID service, which uses the standard SAP user ID (e.g. S- or P-user) to authenticate users to the SCP applications. In this scenario, HCI leverages the SAP S-user ID to allow users to authenticate to the applications deployed on the tenant. Custom identity providers can be configured to allow SCP applications to use corporate IDs to authenticate the users.
The list of applications that are currently deployed can be found by navigating to the Applications -> Subscriptions as shown below:
As shown in the figure, multiple applications are deployed and used on this tenant. These applications leverage the “Trust settings” for authentication purposes.
The identity provider for the SCP cockpit can be changed to a custom SCP Identity Authentication tenant via the Platform Identity Provider configuration under “Trust settings”. The precondition is that the “Platform Identity Provider” feature was enabled under the “Services” configuration of the SCP account.
When we click on any application, we get the following screen that displays the web URL:
Upon clicking on this URL, the webpage is launched and authenticates the user against the SAP S-user ID that is defined in your “Trust settings”. If the user has proper authorization, the following result is displayed:
The following section describes the level of access that the user needs.
Access to Applications
Access to applications deployed on HCI is controlled via specific authorizations assigned to users via Roles. This is achieved via Groups, each of which contains a composite of single roles per application; the groups are assigned to users so that they gain access to specific parts within the application. Below is the screenshot of role management on HCI.
On the side menu, on the Authorizations ribbon, the cockpit displays the Authorization Management screen to create new groups, assign roles per application and assign individual users to the specific group.
To assign the roles to the specified group, click on ‘Assign’ beside Roles, highlighted in RED. A pop-up window asks for the respective subaccount, the application and the role that needs to be assigned to the specified group. Once the entries are completed, click on ‘Save’ to finish the activity.
The respective role and application are then assigned to the specified group. Similarly, users can be assigned to the group by clicking on the ‘Assign’ link beside Users.
Once the S-user ID is entered in the User free text, click on ‘Save’ to finish the activity.
The authorizations now take effect, and the user is allowed to access content based on the authorizations assigned via the group.
The definitions of the authorizations are defined in the below link:
For Tasks and Required Roles:
Access to Cloud Cockpit
Users gain access to Cloud Cockpit by having their S-user IDs assigned in the Members section. Below is the screenshot that displays the Members screen:
On the top corner, click on ‘Add Members’ to find the below window:
Key in the S-user ID under the User IDs free text and select the appropriate role under ‘Assign Roles’ to grant the respective access to the specified users. These roles are standard predefined roles provided by SAP Cloud cockpit. The following is the description of the roles:
- Administrator: Provides complete administrative permissions to the cockpit.
- Developer: Provides development related access to the cockpit.
- Support User: Provides Read only access to the cockpit.
- Application User Admin: Provides User administration access to the cockpit.
- Cloud Connector Admin: This access is granted only for Service accounts that are utilized for connectivity between Cloud and on-premise applications.
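A periodic review of the Members list can be checked against the role descriptions above. The following is an added example, not part of the original guide and not SAP code: it assumes the member assignments have been written out by hand as CSV with the hypothetical columns account, user_id and role, and that the reviewer keeps their own list of service account IDs. All IDs in the sample are constructed.

```python
import csv
import io

# The five predefined cockpit member roles described in the list above.
STANDARD_ROLES = {
    "Administrator", "Developer", "Support User",
    "Application User Admin", "Cloud Connector Admin",
}

# Constructed sample data; the column names are assumptions, not an SAP export format.
SAMPLE_MEMBERS = """account,user_id,role
AAAA,S0000000001,Administrator
AAAA,S0000000002,Developer
AAAA,S0000000003,Cloud Connector Admin
AAAA,P0000000004,Cloud Connector Admin
AAAA,S0000000005,Support User
AAAA,S0000000006,Integration Admin
"""

# Assumed reviewer-maintained list of IDs used only for cloud/on-premise connectivity.
SERVICE_ACCOUNTS = {"P0000000004"}


def audit_members(csv_text, service_accounts):
    """Return (findings, admins): rule violations and Administrator holders per account."""
    findings = []
    admins = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = row["account"].strip()
        user = row["user_id"].strip()
        role = row["role"].strip()
        if role not in STANDARD_ROLES:
            # Not one of the predefined roles: typo or unexpected assignment.
            findings.append((account, user, f"unknown role '{role}'"))
        elif role == "Cloud Connector Admin" and user not in service_accounts:
            # The guide reserves this role for service accounts only.
            findings.append((account, user, "Cloud Connector Admin on a non-service account"))
        elif role == "Administrator":
            # Full administrative permissions: collect holders for manual review.
            admins.setdefault(account, []).append(user)
    return findings, admins


if __name__ == "__main__":
    found, admin_map = audit_members(SAMPLE_MEMBERS, SERVICE_ACCOUNTS)
    for account, user, reason in found:
        print(f"[{account}] {user}: {reason}")
    for account, users in admin_map.items():
        print(f"[{account}] Administrator holders to review: {', '.join(users)}")
```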