Delegated User Administration Using Attribute-Based Access Control in SAP Cloud Identity Services

Why is this feature important for you?

You are an administrator at SAP Cloud Identity Services, but the standard predefined administrator roles that are offered to you, such as Manage Users or Read Users, are not flexible or fine granular enough for your user management needs and scenarios. If you are looking for a solution to that problem, then you are in the right place. 

Feature overview

Tenant administrators in SAP Cloud Identity Services are offered a predefined set of roles (authorizations) that provide a full set of permissions in a particular area. The administrators can get some roles assigned, but their scope (set of permissions) can’t be modified, and very often it’s too broad.  

However, you may need to define authorization models with more complex restrictions for data access, like the so-called Attribute-Based Access Control (ABAC). So, with the need for finer granular separation of the administration work, the new feature of SAP Cloud Identity Services for admin authorizations based on policies (aka delegated administration for user management) comes as a solution for that need. In other words, administrators define custom authorization policies based on user attributes and assign these policies to other administrators or users, thus delegating them granular administrator rights. In this way, one administrator can have access to a subset of the users in the tenant and further to a subset of the attributes of these users.  

So, this recently released feature offers the opportunity for delegating specific responsibilities for user management to different administrators by precisely limiting the user data an administrator can access and control. This helps to reduce manual administration efforts for user management and identity provisioning and avoid work disruption by leveraging the suite quality “consistent security and identity management” for an intuitive login process within your intelligent sustainable enterprise. 

This fine granular access control is based on a generic Authorization Management functionality provided by SAP Cloud Identity Services for which you can read more at Configuring Authorization Policies. 

The solution

So, let’s see how the user management admin access can be restricted to a subset of the whole user base. 

Using the predefined Base Policies for users (CREATE_USERS, READ_USERS, UPDATE_USERS, DELETE_USERS, MANAGE_USERS) you can define a custom one with restriction rules based on the values of some user attributes. In this way you limit the corresponding permission granted by the base policy, so it will be relevant only for the subset of users that match the specified rule. 

You can restrict for which users the admin gets the corresponding access level (permission), based on the following user attributes: 

You can also limit the attributes of the users that the admin can access by configuring one of the following attributes in your custom policy: 

Remember:

You can use only the equal (= ) and not equal (<>) operators . If you use other operators, this could result in not having access to the administration console.

Important:

The user attributes that currently can be used for user.attributes, and user.excludedAttributes restrictions are listed in the Supported Attributes chapter. 

Supported Attributes

Core Schema:

globalUserId; validFrom; validTo

Note:

All SAP Extension user resource schema attributes require the schema URI [urn:ietf:params:scim:schemas:extension:sap:2.0:User] and the attribute name.

The scenario

To illustrate how the new feature can be used to establish delegated administration, let’s have look a simple scenario with two administrators that should have different access level to the users: 

• Michael Adams – an administrator in the central IT team of company BestRun, that has “super admin” permissions, i.e. he can see and manage all the users in the company. 
• Dona Moore – works in third party company that provides 24×7 support for employees and contractors in the US office of BestRun. 

Michael’s position in the company requires that he acts as a “super admin”.
Dona on the other hand, should have access only to the users that are in the USA. Further she should be able to see only a limited set of user details – the display name, username, email, company, and the address of the users in the USA. In addition, she should be able to help these users if they cannot log in, so she needs permissions to unlock user account, set initial password or send emails in case of forgotten password (again only for users in USA).  

Michael’s task is to allow Dona to perform her duties in the Administration Console of SAP Cloud Identity Services.

Prerequisites

• Michael must be an administrator in SAP Cloud Identity Services with a full set of administrator authorizations. 
• The new feature for admin authorizations based on policies must be enabled on the tenant.
   Note: This is a beta feature. More information about the enablement of the feature, can be found in the official documentation. Once the option is enabled, a new tab Authorization Policies appear for the Administration Console application. 

Configuration

Michael performs the following configurations to provide the necessary access for Dona:

1. Access the administration console->choose Applications->choose the list item for the Administration Console application under System Applications.

I. Create a new custom policy that grants restricted read-only permissions.

1. Choose the Authorization Policies tab->plus + button -> Restrict to create the new custom policy.
2. Provide the required information in the pop-up:
   1. Policy name – READ_USERS_US_RESTRICTED
   2. Base policies – users.READ_USERS)
   3. Select Open in edit mode
   4. Choose the Confirm button. (As a result the Rules tab of the newly created policy opens.)
   5. Choose the + button to add the rule:
      user.addresses.country = US
      user.attributes = displayName, emails.value, userName, addresses.country, password, active, urn:ietf:params:scim:schemas:extension:sap:2.0:User:status, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization
3. Save the policy.

II. Create a new custom policy that grants restricted update permissions.

1. Choose the Authorization Policies tab->plus + button -> Restrict to create the new custom policy.
2. Provide the required information in the pop-up:
   1. Policy name – RESET_PASSWORD_US
   2. Base policies – users.UPDATE_USERS
   3. Select Open in edit mode
   4. Choose the Confirm button. (As a result the Rules tab of the newly created policy opens.)
   5. Choose the + button to add the rule:
      user.addresses.country = US
      user.attributes = password,active,urn:ietf:params:scim:schemas:extension:sap:2.0:User:status
      
3. Save the policy.

III. Create a new custom policy that combines the custom policies created from procedures I. and II.

1. Choose the Authorization Policies tab->plus + button -> Combine to create the new custom policy.
2. Provide the required information in the pop-up:
   1. Policy name – US_SUPPORTER
   2. Base policies – select READ_USERS_US_RESTRICTED and RESET_PASSWORD_US.
      

IV. Assign the US_SUPPORTER policy to Dona

.

1. Select the US_SUPPORTER policy
2. Select the Assignments tab and choose Add.
3. Select Dona Moore from the list and choose Add.

Because Michael is super admin, when he signs in he can see all the users in the admin console:

He can also update the personal and company information of the users:

Dona, on the other hand can see only the users in the USA, after signing in to the administration console:

She can’t update their personal and company information:

But, because Dona is assigned to the RESET_PASSWORD_US policy, she can also unlock a user:

And set the initial password for the unlocked user: