Automate Role Collections in SAP BTP

How to automatically assign role collections in SAP BTP using role collection mappings

Today, we will talk about automating role collection mappings and user creation using SAP BTP services with SAP Identity Authentication Service (IAS) and possibly Azure AD.

Why this is important? As more solutions are deployed into the SAP Business Technology Platform we need a way in which we can automatically assign the different roles in SAP BTP to the different types of users. For example, if we use the SAP BTP Launchpad service, we could assign the different Fiori roles depending on which security groups your users are in Azure AD. This way, you only need to add a user to an Azure AD security group to properly provision it.

SAP BTP Trust Configuration, Identity Provider, and Users

First, we need to understand the concept of the trust configuration in SAP BTP. When we create a new subaccount in the SAP BTP landscape, we have the trust configuration using the SAP Default Identity provider as the default. This means that our services, like the SAP Launchpad Service, use SAP’s identity provider (S-user with email) to login into our applications:

It is important to differentiate between

• Platform Identity Provider: Provides access to the SAP BTP subaccount cockpit
• Application Identity Provider: Provides access to the applications in the subaccount (like the SAP BTP Launchpad service).

User Creation and Identity Providers: An important thing to understand is that when we create users, those need to be assigned to an identity provider as seen in the image below:

You could have the same user created for the SAP Identity Provider and your custom Identity Provider, as seen in the image below:

SAP BTP Role Collections and Roles

Role collections are what you assign users at the SAP BTP level to gain access to the different SAP BTP applications. For example, to get access to the SAP Launchpad service administration, you would need to be assigned the Launchpad Admin role collection:

Consider that role collection and roles are different. Users can be assigned a role collection that may contain several roles.

Adding a Trusted Provider

In most cases, end-users won’t use the SAP identity provider to log in to these applications; instead, we need to add their corporate one. For example, you could use SAP IAS as a user’s database or connect an existing Azure AD to IAS. Details of how to enable that trust; can be found in the link below:

https://help.sap.com/viewer/f36ad14527694a6fad161093090618ec/latest/en-US/f3aee5c4106c4172a000c9a76065cff1.html

Let’s assume the trust has been established between the SAP BTP subaccount and SAP IAS:

SAP IAS and Role Collection Mappings

The trust between SAP BTP and IAS is established using SAML 2.0, which uses SAML Assertion attributes:

The concept of role collection mappings requires us to assign role collections depending on the values of these attributes. The attribute that is used most often for this is called Groups.

As an example, we could assign these groups to a user in IAS:

The values coming from the Groups attribute would be SES (Service Entry Sheets) and Fiori.

Now, we could use the feature role collection mappings to assign our role collections:

Once this is done, all the users in IAS that have the group Fiori will automatically have the Launchpad_admin role. Note that this step will have to be done for each of the different security groups and different role collections at the organization.  Since users are automatically created, there is no need to create the users manually.

Azure AD

Great, we use Azure; now what? The concept is the same, but we need to use the Azure AD security groups instead of using the IAS groups. This way, if a user is added to the security group, it will automatically gain access to the role collection mapping assigned.

Let’s assume IAS has been configured with Azure AD using the corporate identity provider option:

See this link for more information:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial

Once the SSO has been established, we need to make sure the SAML attribute “Groups” is also mapped into our Azure AD SSO configuration:

Depending on your Azure AD configuration, you could use Group ID as the value for the mapping.

So, for example, we could create a role collection mapping like this:

Now, all users in Azure AD that are on the Security group RVP_Employee will get the Launchpad_admin role.

Troubleshooting Attributes

A good way to see what is coming through the SAML is to use trace tools on the browser. For example, if something is not working, you might need to check the value of the attribute that is coming and the one you have set on the mapping.

As we try to login into the app, this would appear like this:

Closing

In this blog post, we show how to easily assign our different SAP BTP roles to our custom build groups or Azure security groups automatically. If we do this, we can have the user onboarding and security centralized and remove the hassle of adding and removing users from our SAP BTP applications.

Please feel free to comment or ask any questions related.

** All images included in this post were taken from ConvergentIS demo environments**