Automate Role Collections in SAP BTP
How to automatically assign role collections in SAP BTP using role collection mappings
Today, we will talk about automating role collection mappings and user creation using SAP BTP services with SAP Identity Authentication Service (IAS) and possibly Azure AD.
Why is this important? As more solutions are deployed into the SAP Business Technology Platform (BTP), we need a way to automatically assign the different roles in SAP BTP to the different types of users. For example, if we use the SAP BTP Launchpad service, we could assign the different Fiori roles depending on which security groups your users belong to in Azure AD. This way, you only need to add a user to an Azure AD security group to provision that user properly.
SAP BTP Trust Configuration, Identity Provider, and Users
First, we need to understand the concept of the trust configuration in SAP BTP. When we create a new subaccount in the SAP BTP landscape, the trust configuration uses the SAP default identity provider. This means that our services, like the SAP Launchpad Service, use SAP's identity provider (S-user with email) to log in to our applications:
It is important to differentiate between
- Platform Identity Provider: Provides access to the SAP BTP subaccount cockpit
- Application Identity Provider: Provides access to the applications in the subaccount (like the SAP BTP Launchpad service).
User creation and identity providers: when we create users, each user must be assigned to an identity provider, as seen in the image below:
The same user could exist once for the SAP identity provider and once for your custom identity provider, as seen in the image below:
SAP BTP Role Collections and Roles
Role collections are what you assign to users at the SAP BTP level to grant access to the different SAP BTP applications. For example, to get access to the SAP Launchpad service administration, you would need to be assigned the Launchpad Admin role collection:
Note that role collections and roles are different things: a user is assigned a role collection, and a role collection may contain several roles.
Adding a Trusted Provider
In most cases, end-users won't use the SAP identity provider to log in to these applications; instead, we need to add their corporate one. For example, you could use SAP IAS as the user store or connect an existing Azure AD to IAS. Details of how to establish that trust can be found in the link below:
Let’s assume the trust has been established between the SAP BTP subaccount and SAP IAS:
SAP IAS and Role Collection Mappings
The trust between SAP BTP and IAS is established using SAML 2.0, and the user's information is transported as SAML assertion attributes:
Role collection mappings assign role collections depending on the values of these attributes. The attribute most often used for this is called Groups.
As an example, we could assign these groups to a user in IAS:
The values coming from the Groups attribute would be SES (Service Entry Sheets) and Fiori.
Now, we could use the feature role collection mappings to assign our role collections:
Once this is done, all users in IAS that have the group Fiori will automatically receive the Launchpad_admin role collection. Note that this step has to be repeated for each security group and role collection in the organization. Since the users are created automatically, there is no need to create them manually.
Great, we use Azure AD; now what? The concept is the same, but we use the Azure AD security groups instead of the IAS groups. This way, when a user is added to the security group, they automatically gain the role collection mapped to it.
Let’s assume IAS has been configured with Azure AD using the corporate identity provider option:
See this link for more information:
Once SSO has been established, we need to make sure the SAML attribute "Groups" is also mapped in our Azure AD SSO configuration:
Depending on your Azure AD configuration, you could use Group ID as the value for the mapping.
So, for example, we could create a role collection mapping like this:
Now, all users in Azure AD that are in the security group RVP_Employee will get the Launchpad_admin role collection.
A good way to see what is coming through in the SAML assertion is to use a SAML tracing tool in the browser. If something is not working, compare the attribute value that actually arrives with the value you have set in the mapping.
As we try to log in to the app, the trace would look like this:
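As an added example (not code from the original post or from ConvergentIS), the following Python script shows the mapping logic described in the role collection mapping section and the comparison one does when a SAML trace is available: it parses a constructed SAML assertion, extracts the Groups attribute, evaluates mappings of the form attribute equals value → role collection, and for every mapping that did not match reports what actually arrived, for instance when the mapping uses a group display name but Azure AD emits the Group ID. The assertion, the GUID, the mapping list and the role collection name SES_Users are all constructed for the example; only Launchpad_admin, Fiori, SES and RVP_Employee come from the post.

```python
"""Evaluate SAP BTP style role collection mappings against the Groups
attribute of a SAML assertion and explain why a mapping did not match.
Constructed example; no real tenant data is used."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment standing in for what a browser SAML trace shows.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>SES</saml:AttributeValue>
      <saml:AttributeValue>Fiori</saml:AttributeValue>
      <saml:AttributeValue>9c5e7a1b-0000-4000-8000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Role collection mappings as configured in the subaccount:
# (attribute, operator, value, role collection). Only "equals" is modelled.
# The last mapping uses the Azure AD group display name, while the constructed
# assertion carries that group as a Group ID (GUID), so it will not match.
MAPPINGS = [
    ("Groups", "equals", "Fiori", "Launchpad_admin"),
    ("Groups", "equals", "SES", "SES_Users"),           # constructed role collection
    ("Groups", "equals", "RVP_Employee", "Launchpad_admin"),
]

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def assigned_role_collections(attrs, mappings):
    """Set of role collections whose mapping value appears among the attribute values."""
    assigned = set()
    for attribute, operator, value, role_collection in mappings:
        if operator == "equals" and value in attrs.get(attribute, []):
            assigned.add(role_collection)
    return assigned


def explain_unmatched(attrs, mappings):
    """For each mapping that did not match, report the received values and a likely cause."""
    report = []
    for attribute, operator, value, role_collection in mappings:
        received = attrs.get(attribute, [])
        if value in received:
            continue
        if attribute not in attrs:
            reason = f"attribute {attribute!r} is not present in the assertion"
        elif value.lower() in (v.lower() for v in received):
            reason = "a received value differs from the mapping value only in letter case"
        elif any(GUID_RE.match(v) for v in received):
            reason = ("mapping uses a group name but a Group ID (GUID) arrived; "
                      "check whether the Azure AD claim emits Group IDs")
        else:
            reason = "no received value equals the mapping value"
        report.append({"role_collection": role_collection, "attribute": attribute,
                       "value": value, "received": received, "reason": reason})
    return report


if __name__ == "__main__":
    attrs = extract_attributes(ASSERTION_XML)
    print("Groups received:", attrs["Groups"])
    print("Role collections assigned:", sorted(assigned_role_collections(attrs, MAPPINGS)))
    for entry in explain_unmatched(attrs, MAPPINGS):
        print(f"Not assigned {entry['role_collection']} via {entry['value']!r}: {entry['reason']}")
```

The script is a reading aid for a trace, not a replacement for the cockpit: once the comparison shows which value is missing or differs, the fix is made either in the mapping value or in the Azure AD claim configuration, as described above.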
In this blog post, we showed how to automatically assign our SAP BTP role collections to custom-built IAS groups or Azure AD security groups. Doing so centralizes user onboarding and security, and removes the hassle of adding and removing users in our SAP BTP applications.
Please feel free to comment or ask any related questions.
**All images included in this post were taken from ConvergentIS demo environments.**
Thanks for sharing your experience and expertise Luis!!!
Good one Luis 🙂
Good information, thanks.
What if a client has several backend systems, on-premise and cloud-based, each one with its own user groups, roles and catalog hierarchy of access? For example, SuccessFactors, Ariba, Concur and ECC all in the same landscape.
How do you combine all these user roles/groups into BTP, so when a user logs into the Launchpad service (or Work Zone), they see exactly what they should have access to?
In the end, you will have a set of role collections, which will connect to the different cloud/on-premise backends. For example, if you have a role collection for HR employee apps to ECC, and another similar one to SSFF, you can do 2 mappings to the same group id "Employee". Once the user logs in, they will get both role collections, for ECC and SSFF.
Hope this helps,
Thanks Luis for sharing this elaborate process. Much appreciated.
One question: when establishing the trust configuration, do we need to enable the creation of shadow users (if the user does not exist in BTP) for this process to work?
Hello, users will show up automatically in BTP; we don't need to create them beforehand.
This is a really nice one. Thanks for sharing.
Nice blog :). I currently have one issue where some users, even though they exist in the Azure group, cannot see an app linked to that Azure group. I have checked the tracing tool you mentioned, but it is blocked by our company. Do you think there is any way to find out the reason why the role collection mapping is not working for some users that exist in the Azure group?