Luis Eusa Mendia

Automate Role Collections in SAP BTP

How to automatically assign role collections in SAP BTP using role collection mappings

Today, we will talk about automating role collection mappings and user creation using SAP BTP services with SAP Identity Authentication Service (IAS) and possibly Azure AD.

Why is this important? As more solutions are deployed into the SAP Business Technology Platform, we need a way to automatically assign the different roles in SAP BTP to the different types of users. For example, if we use the SAP BTP Launchpad service, we could assign the different Fiori roles depending on which Azure AD security groups your users belong to. This way, you only need to add a user to an Azure AD security group to properly provision it.

SAP BTP Trust Configuration, Identity Provider, and Users

First, we need to understand the concept of the trust configuration in SAP BTP. When we create a new subaccount in the SAP BTP landscape, the trust configuration uses the SAP default identity provider. This means that our services, like the SAP Launchpad Service, use SAP’s identity provider (S-user with email) to log in to our applications:


It is important to differentiate between:

  • Platform Identity Provider: Provides access to the SAP BTP subaccount cockpit
  • Application Identity Provider: Provides access to the applications in the subaccount (like the SAP BTP Launchpad service).

User Creation and Identity Providers: An important thing to understand is that when we create users, they need to be assigned to an identity provider, as seen in the image below:

You could have the same user created for the SAP Identity Provider and your custom Identity Provider, as seen in the image below:


SAP BTP Role Collections and Roles

Role collections are what you assign to users at the SAP BTP level so that they gain access to the different SAP BTP applications. For example, to get access to the SAP Launchpad service administration, you would need to be assigned the Launchpad Admin role collection:

Note that role collections and roles are different. A user can be assigned a role collection that contains several roles.

Adding a Trusted Provider

In most cases, end users won’t use the SAP identity provider to log in to these applications; instead, we need to add their corporate one. For example, you could use SAP IAS as the user database or connect an existing Azure AD to IAS. Details of how to enable that trust can be found in the link below:

Let’s assume the trust has been established between the SAP BTP subaccount and SAP IAS:


SAP IAS and Role Collection Mappings

The trust between SAP BTP and IAS is established using SAML 2.0, which uses SAML Assertion attributes:

The concept of role collection mappings requires us to assign role collections depending on the values of these attributes. The attribute that is used most often for this is called Groups.

As an example, we could assign these groups to a user in IAS:


The values coming from the Groups attribute would be SES (Service Entry Sheets) and Fiori.

Now, we could use the role collection mappings feature to assign our role collections:

Once this is done, all the users in IAS that have the group Fiori will automatically have the Launchpad_admin role. Note that this step has to be repeated for each of the different security groups and role collections in the organization. Since users are automatically created, there is no need to create the users manually.

Azure AD

Great, we use Azure; now what? The concept is the same, but we need to use the Azure AD security groups instead of the IAS groups. This way, if a user is added to the security group, they automatically gain access to the role collection assigned through the mapping.

Let’s assume IAS has been configured with Azure AD using the corporate identity provider option:

See this link for more information:

Once the SSO has been established, we need to make sure the SAML attribute “Groups” is also mapped into our Azure AD SSO configuration:


Depending on your Azure AD configuration, you could use Group ID as the value for the mapping.

So, for example, we could create a role collection mapping like this:

Now, all users in Azure AD that are in the security group RVP_Employee will get the Launchpad_admin role.

Troubleshooting Attributes

A good way to see what is coming through in the SAML assertion is to use trace tools in the browser. For example, if something is not working, you might need to compare the value of the attribute that is arriving with the one you have set in the mapping.

When we try to log in to the app, the trace looks like this:
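The comparison described in this section can also be done offline on a captured assertion. The following is an added example, not code from the original post or from SAP: the sample assertion, the `MAPPINGS` table and the function names are constructed for illustration, and it assumes the assertion XML has already been decoded and that a mapping only applies when the value matches exactly.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, already decoded assertion copied from a SAML trace.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>SES</saml:AttributeValue>
      <saml:AttributeValue>fiori</saml:AttributeValue>
      <saml:AttributeValue>RVP_Employee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Assumed copy of the subaccount's mappings: attribute value -> role collection.
MAPPINGS = {"Fiori": "Launchpad_admin", "RVP_Employee": "Launchpad_admin"}


def group_values(assertion_xml, attribute="Groups"):
    """Return the raw values of the attribute, exactly as the IdP sent them."""
    root = ET.fromstring(assertion_xml)
    xpath = f".//saml:Attribute[@Name='{attribute}']/saml:AttributeValue"
    return [el.text or "" for el in root.findall(xpath, SAML_NS)]


def explain_mappings(assertion_xml, mappings):
    """Compare asserted group values with the mappings and explain each outcome."""
    values = group_values(assertion_xml)
    report = {"granted": set(), "near_miss": [], "unmapped": []}
    if not values:
        report["unmapped"].append("<no Groups attribute in assertion>")
    normalized = {key.strip().lower(): key for key in mappings}
    for value in values:
        folded = value.strip().lower()
        if value in mappings:          # assumption: exact, case-sensitive match
            report["granted"].add(mappings[value])
        elif folded in normalized:     # differs only in case or whitespace
            report["near_miss"].append((value, normalized[folded]))
        else:
            report["unmapped"].append(value)
    return report


if __name__ == "__main__":
    print(explain_mappings(SAMPLE_ASSERTION, MAPPINGS))
```

A missing Groups attribute is reported explicitly, since that points at the identity provider's attribute configuration rather than at the mapping itself.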



In this blog post, we showed how to automatically assign our different SAP BTP roles to our custom-built groups or Azure security groups. If we do this, we can centralize user onboarding and security and remove the hassle of adding and removing users from our SAP BTP applications.

Please feel free to comment or ask any related questions.


** All images included in this post were taken from ConvergentIS demo environments**

      Shabeer Jameela

      Thanks for sharing your experience and expertise Luis!!!

      Claus Burgaard

      Good one Luis 🙂


      Ramin Shafai

      Good information, thanks.

      What if a client has several backend systems, on-premise and cloud-based, each one with its own user groups, roles and catalog hierarchy of access? For example, SuccessFactor, Ariba, Concur, ECC all in the same landscape.

      How do you combine all these user roles/groups into BTP, so when a user logs into the Launchpad service (or Work Zone), they see exactly what they should have access to?



      Luis Eusa Mendia
      Blog Post Author

      Hello Ramin,

      In the end, you will have a set of role collections, which will connect to the different cloud/on-premise backends. For example, if you have a role collection for HR employee apps to ECC, and another similar one to SSFF, you can do 2 mappings to the same group id "Employee". Once the user logs in, they will get both role collections, for ECC and SSFF.

      Hope this helps,




      Subramaniam Iyer

      Thanks Luis for sharing this elaborate process. Much appreciated.

      One question, when establishing the trust configuration do we need to enable creation of shadow users (if the user does not exist in BTP) for this process to work?


      Subbu Iyer


      Luis Eusa Mendia
      Blog Post Author

      Hello, users will show up automatically in BTP; we don't need to create them beforehand.




      Sravan Pendyala

      This is a really nice one, thanks for sharing.

      Anupam Shrotriya

      Nice blog :). I currently have one issue where some users, even though they exist in the Azure group, cannot see an app linked to the Azure group. I have checked the tracing tool you mentioned, but it is blocked by our company. Do you think there is any way to find out why the role collection mapping is not working for some users who exist in the Azure group?

      Thank you.

      Harshitha B

      Thanks for the detailed blog.

      Is there any way to read the roles assigned to the user in the BTP cockpit through a SAPUI5 application?

      Thanks in advance 🙂

      A. Kulkarni

      Great blog, Luis Eusa Mendia. I like the way you have explained the complex concepts in an easy-to-digest fashion. One query regarding the Identity Provisioning Service. I don't see it explicitly mentioned in the blog. My understanding is that in CIS the IAS does the job of authentication while the IPS does the job of provisioning. Is it correct to assume that once the setup is done as explained in the blog, the IPS kicks in and does the actual user provisioning, including creation and role assignment?