Setting up Platform Roles to secure your SAP Cloud Platform cockpit
SAP Cloud Platform provides default roles to different personas. When onboarding an Admin or Developer to the SAP Cloud Platform account, the appropriate roles need to be assigned. Below are the standard Platform roles which are available:
- Cloud Connector Admin
- Support User
- Application User Admin
You can find more about the purpose of each of these predefined roles in this SAP Help documentation.
Each of these Platform roles are made up of a collection of scope. Each scope defines the permission the user can perform on the resources. You will generally see scopes such as readDestinations and manageDestinations.
All the Platform scopes are documented here in SAP Help.
Quite often I see everyone assigned to Administrator role or lot of members assigned to Developer role when they are not required to have those roles. I would highly recommend to spend time designing you platform roles according to the different personas that will be accessing SAP Cloud Platform Cockpit. You can follow the below steps to create your own roles.
Navigate to the “Platform Roles” to view the scopes assigned to the predefined roles. You can either copy and existing platform role to create a new one.
You can provide a name for the custom platform role and add the relevant scopes. In my project, I have lot of Fiori developers and I don’t want them to see all the menu/configurations not related to them.
Hence, I have only assigned the 6 scope for this custom role.
When I login with the user “P1942768752”, I will see only few menu items with restricted access.
The custom platform roles will be made available across all the subaccounts within the Global Account. Hence, when you spin a new subaccount, you will see the custom Platform roles within the new subaccount too.