[SAP BTP Onboarding Series] SAP BTP Directories – Entitlement and User Management
In my previous blog, [SAP BTP Onboarding Series] SAP BTP Cockpit – Global Account Technical Overview, I provided you with an overview of the BTP Cockpit features and structure. In this blog post, I’m going to dig deeper into the topic of Directories, specifically Entitlements and User Management at the directory level. Before introducing directories at your company, you should have an account model in place and understand how to create a directory. Directories are an optional feature but are useful for companies running multiple projects across the globe or across various departments. Directories can be thought of as an additional layer to organize subaccounts, similar to a folder structure. By default, SAP grants global administrative access to one user in your organization. Keeping tight control and governance over your global account is a best practice; however, if you're running many projects, there can be too much dependency on the Global Admin, so managing entitlements and users at the directory level can be helpful.
For demonstration purposes, I have created 2 users – User1 who is assigned the Global Account Administrator role, and User2 who is assigned the Global Account Viewer role. I also created a couple of directories.
Note: User Management, Roles, and Authorization are huge topics on security. I am only touching upon the basics in this blog with regards to Directories and Subaccounts.
In any organization, one Global Admin may not be able to do all the required work; as a best practice, SAP recommends creating at least 2 Global Account Admins. It is often assumed that the Global Admin role inherently has access to all directories and subaccounts; however, for security purposes, SAP BTP is designed so that global admins can only access subaccounts they have created or been added to. For example, consider two Global Admins, Admin1 and Admin2, both with the Global Administrator role: Admin2 cannot access or manage the subaccounts created by Admin1 unless Admin2 is added to those subaccounts with the required roles, and the same applies to Admin1 on subaccounts created by Admin2.
In the above example, I want User2 to see the organization account structure but I don’t want them to make changes, hence I have assigned the Global Account Viewer role, which provides read-only access. Without further authorization, User2 would get an error when trying to access other subaccounts. This example is meant to illustrate that user management is a very important topic.
While planning your account model, you can choose to manage users directly at the Global Account level or at the Directory level, based on your project requirements. Some organizations do not wish to give access to the global view and would prefer that users only see the projects they are assigned to. In such a case, managing at the Directory or Subaccount level is recommended.
As a Global Admin, once you have created your Directories and Subaccounts (irrespective of the structure), you can enable User Management or Entitlement Management on one path only, and the same applies to all services in that path. A path runs from the first directory defined under the global account down to the subaccount defined under the same route; image 2 illustrates the path pictorially.
If you follow the directory-level entitlement and user management approach, we suggest enabling this option at the top directory to avoid confusion.
To enable Entitlement and User Management, click on your directory and then go to Users; you should see the option shown below. Click on it to enable it.
If you decide to manage only Entitlements and not users, you can skip the above step, go to Entitlements, and click on Enable Entitlement Management.
Please read the instructions carefully. At the time of writing this blog, January 2022, we do not have the option to revoke the user management or entitlements.
Once the service is enabled, you will see the User Assignments and Entitlement Assignments options. At this stage, I want User2 to be assigned to this directory as well, with the Viewer role.
When User2 logs in to the directory, they will be able to see all the details, including Usage Analytics, with this role.
Looking into the entitlements, I can no longer manage the other directories, BankstownOffice and SydLiverpool, below “DevDirectory”, as management is handled in this path.
From here on, I can follow the Directory approach to manage my users and the entitlements for their projects. To achieve this, ensure your Global Admin assigns the required entitlements to your directory; you can then further manage them within your subaccounts as required. Do not forget to assign the Directory Administrator role to users, which helps reduce the overhead on Global Admins.
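To make the two rules above concrete (a Global Admin only reaches subaccounts they created or were added to, and directory-level management can be enabled on one directory per path), here is a small added model written for this post. It is not SAP's code; the tree in build_demo() is constructed for the example, and BankstownOffice is assumed to sit under DevDirectory.

```python
# Added illustrative model (not SAP's code) of two rules from this post; the
# tree and assignments in build_demo() are constructed for the example.
#  1. a Global Admin only reaches subaccounts they created or were added to;
#  2. directory-level management is enabled on one directory per path, so
#     no ancestor or descendant of a managed directory can be enabled too.
class Node:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.managed = False   # directory-level management enabled here
        self.members = {}      # user -> role assigned on this node
        if parent is not None:
            parent.children.append(self)

    def ancestors(self):
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

    def descendants(self):
        for child in self.children:
            yield child
            yield from child.descendants()

def blocking_directory(directory):
    """Name of the node already managing this path, or None (rule 2)."""
    for other in (*directory.ancestors(), *directory.descendants()):
        if other.managed:
            return other.name
    return None

def enable_management(directory):
    # Mirrors the cockpit's Enable action, refusing a second node on the path.
    blocker = blocking_directory(directory)
    if blocker is not None:
        raise ValueError(f"{blocker} already manages this path")
    directory.managed = True

def can_access(user, subaccount):
    return user in subaccount.members   # rule 1: explicit assignment needed

def build_demo():
    ga = Node("GlobalAccount")
    dev = Node("DevDirectory", ga)
    bank = Node("BankstownOffice", dev)   # assumed to sit under DevDirectory
    sub = Node("Subaccount1", bank)
    sub.members["Admin1"] = "Subaccount Administrator"   # Admin1 created it
    return ga, dev, bank, sub
```

After enable_management(dev), blocking_directory() reports "DevDirectory" for the global account, BankstownOffice and Subaccount1 alike, which is the same restriction the cockpit shows for the rest of the path.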
If at any point you would like to revert the changes to Entitlement and User Management at the directory level, click on the Disable button and select the required option.
When disabling either User Management or both, please be careful about the resulting changes in the system.
I hope this blog helps you manage users and entitlements from directories effectively and reduces the dependency on Global Admins.
First of all, thanks for the effort introducing us to directories in BTP.
You said "as of January 2022, we do not have the option to revoke the user management or entitlements." but some paragraphs below you disable user management or both entitlement and user management. This seems contradictory?