Technical Articles
Roles in BTP, IAS and Launchpad service
Hello!
I’m still new to cloud development with SAP and got confused the other day about the different roles that exist in the BTP, IAS and Launchpad service.
I want to write this blog to help people who are also just new in this environment.
Simply put:
BTP = Roles / Role Collections
IAS = Groups
Launchpad Service = Roles
Instead of going deep into the theory of why different terms for roles are used for different platforms, I want to show how to implement it.
Create Role in Launchpad Service
Role in Launchpad Service
Name Role
With this ID a role collection is automatically created in the BTP cockpit.
Role collections BTP
In the BTP Cockpit navigate to Security > Role Collections to check if the role is now created.
IAS Assertion Attributes
IAS Assertion Attributes
Groups
Now you have to navigate to the IAS and select the application. Then you can define “Groups” via Assertion Attributes, so that the user group can be saved with the user.
IAS User Groups
User Groups
Under User Groups you can add groups in IAS to which you can assign multiple users and which are automatically updated if you add a Group to user like the screenshot below.
You have to navigate in the “User Management” in the IAS to see and edit all users. Now you can assign a role to your user.
BTP
Trust Configuration
Back in the BTP, you have to navigate to the IAS Overview under Security > Trust Configuration to set Role Collections Mappings.
New Role Collection Mapping
Now you can choose the role collection (which has been created when you add the role to launchpad service) and set the attribute from the group of the IAS.
So you have users in the IAS that are part of a group and you map this group to the Role Collection in BTP. So all users of the group will have access to the respective content.
Set content in Launchpad service
add app to role
After that, you need to add the apps that you are allowed to view with this role to the role in the Launchpad service.
settings
add role to website
In the settings of the website you have to add the roles that the site contains.
To see the changes, press Refresh in the Launchpad Service > Provider Manager and relog in to the website itself.
This blog post and the answer to one of my questions also helped me a lot.
https://blogs.sap.com/2022/04/06/automate-role-collections-in-sap-btp/
https://answers.sap.com/answers/13713270/view.html
This article was about the roles in BTP, IAS, and the Launchpad service and how they all play together. I hope you learned something new and would be happy if you add your insights in the comments.
Feel free to comment with any questions/issues as well!
Kind regards
Sebastian
Wonderful!... Exactly what I needed. Thanks for sharing Sebastian.
One question I have though, how do we link these BTP role collections and launchpad services roles to the roles defined in our end-applications? For example Ariba, SuccessFactors, Concur, ECC, etc.
Each app have their own roles and groups, and are accessed through BTP. How would BTP know what tiles/content to show to a user, eg. a SuccessFactor user should only see SuccessFactor tiles that are relevant to them.
Thanks
Hello!
Thank you that I could help you!
Unfortunately, I have no experience with this yet. If I know more about it, I will report.
Kind regards
Sebastian
Good article, Sebastian.
very helpful article!! thanks!
Very nice Article.
I was just wondering if it is possible to add a Role Collection which was created in the BTP Cockpit to WorkZone.
We couldn't find any option to select existing ones and trying to create it with the same name results in an error which correctly claims it exists already in BTP.