There have been a number of occasions on projects where I have not had access to the UI Theme Designer and have received an error message stating that I was unauthorised. My colleagues would also try and gain access to no avail. In the first instance it was confusing because we did have the TENANT_ADMIN role assigned which is what we thought was required to gain access to this service. I then found a little nugget – that a new custom role was required to gain access to the UI Theme Designer when SCP sub-account services were authenticating via an on-premise Identity Provider. Ordinarily developers would normally have the AccountDeveloper role which also added to the confusion however as we know this would have no bearing when authentication takes place via the on-premise iDP.
For the above reasons I thought I would provide a quick guide around this. So, the scenario is. You want some support users to gain access to the UI Theme Designer and you also authenticate your SAP Cloud Platform sub-account services to your on-premise Identity Provider. The below instructions will guide you through this process.
Initially, when you then try and run the UI Theme Designer you receive the following error.
Figure:1 UI Theme Designer error
If you check the console using the Chrome Developer Tools you will also see the following error message. The message is sort of misleading as it points to the members area.
Figure:2 UI Theme Designer error in the developer tools console
When you see the above errors it means you do not have the right authorisations in SAP Cloud Platform. What is needed is a new custom security role called AccountDeveloper.
Follow these instructions to create a new Security role – namely AccountDeveloper – this custom role is required to access the UI Theme Designer in the specific sub-account.
To do this follow these steps:
- From the SAP Cloud Platform cockpit navigate to the UI Theme Designer service. If not enabled please enable this.Figure:3 UI Theme Designer service
- Select the [Configure Service] option. You will see the Destinations and Permissions section.You should also notice that the AccountDeveloper role is the one assigned to the UIThemeDesignerPermission. This is shown below.
Figure:4 UI Theme Designer service
- Select the [Roles] option to check the security roles defined.
Figure:5 UI Theme Designer Configure Service screen
- Click on the [New Role] words to create a new custom security role. The following screen will appear.
Figure:6 UI Theme Designer Configure Service – Roles screen
- Enter the role name as AccountDeveloper and click on the [Save] icon. You should see the following custom role details.
Figure:7 UI Theme Designer Configure Roles screen
- Assign the relevant users or group to this security role. I would normally assign a Group to this role as I have done so below. If you have not created a User group as yet then you can also choose the [New Group] option to create it directly in this screen.
Figure:8 UI Theme Designer Configure Roles and Assign screen
This will assign the AccountDeveloper security role to the ThemeDesignerDev user group. If there are other individuals whom you would like to provide access click on the [Assign] word in the Individual Users area.
The security role configuration will now look like this.
Figure:9 UI Theme Designer Roles screen
Once this is done the user will need to log off and log in again but when they do they should have the access for the UI Theme Designer now.
To do this:
- From the SAP Cloud Platform cockpit navigate to the UI Theme Designer service.
- Click on the [Go to Service] option.
The UI Theme Designer will then be displayed and you will have full access to all of the themes and of course can create new themes.
This concludes the quick guide on providing users access to the UI Theme Designer when you are authenticating against an on-premise Identity Provider. Hopefully this can be of assistance to those configuring security permissions within SAP Cloud Platform.
More information on this can be found in the SAP Help here.
Thanks for reading and feel free to Like or comment on the blog itself.