Skip to Content
Technical Articles
Author's profile photo Ashutosh Kumar

Managing Access to Multiple BTP Applications by Grouping Users with Cloud Identity Services


Cloud Identity Services in SAP BTP provide a set of capabilities that help you manage identity and access in your applications and services. These services offer a robust and secure way to authenticate and authorize users, which is essential for both internal and external-facing applications.

In this blog post, we will explore the process of creating user groups tailored for various applications such as BAS, Integration Suite, and Build. This strategic approach will enable us to streamline the assignment of role collections to these groups, eliminating the need to allocate roles to individual users.


  • You should be having a BTP trial account or tenant account.
  • Your trial or tenant account should be configured with Cloud Identity services.
  • If you do not have Cloud Identity Services configured, refer to the link.



Our scenario involves managing different applications, each catering to specific user groups. For instance, we have designated user groups for the Build application, Business Application Studio, and more. When it comes to assigning role permissions to these user groups, we have two options:

  • The first approach involves assigning the same role collection to a specific user group via the BTP cockpit (Subaccount > Security > Users).
  • The second approach focuses on creating user groups within Cloud Identity Services and directly assigning role collections to these groups through the BTP cockpit (Subaccount > Security > Role Collections). This method stands out as the more efficient and time-saving alternative.

By adopting the second approach, we streamline the process, ensuring a more efficient and organized approach to role assignment



Step 1: Configuring Cloud Identity Services


  • Go to Service Marketplace, search for Cloud Identity Services. Click on create.

Image 1


Image 2


  • After creating subscription to Cloud Identity Services, an activation link will be sent to your registered mail Id. Activate it and create a password for Cloud Identity Services.
  • After creating password again login to Cloud Identity Services.

Image 3


Step 2: Establishing trust between Cloud Identity Services and BTP.

  • Go to BTP sub-account > Security > Trust Configuration


Image 4


  • Click on Establish Trust.

Image 5


Image 6


Image 7


Image 8


  • Trust is established between Cloud Identity Services and BTP.

Image 9



Step 3: Go to Cloud Identity Services and add all users.

  • Open Cloud Identity Services application. Go to user management.

Image 10


  • Add all users.

Image 11


  • Go to groups.

Image 12


  • Create groups for different application.

Image 13


  • Add users of different applications to the respective group. (In my case, i have created two groups: one for Business Application Studio i.e BAS Group and other for Build Apps i.e Build Group)

Image 14


Step 3: Creating role collection, assigning roles and adding respective groups to the role collection.

  • Go to BTP sub-account, then to Role Collections and click in create.

Image 15


  • Create a role collection for Business Application Studio.

Image 16


Image 17


  • Click on the role created and edit.

Image 18


  • Add the required role collections for Business Application Studio.

Image 19


  • Add respective group to the created role collection.

Image 20


  • Similarly, create role collection for Build Apps.

Image 21


Image 22


  • Edit role collection and assign roles to it.

Image 23


Image 24


  • Add respective group to the role collection.

Image 25


Testing using whether the application working for respective groups:

  • Logging in with a user from BAS group

Image 26


Image 27


  • Logging in with a user not in BAS group

Image 28


  • Similarly, Logging in with a user in Build group.

Image 29


  • Logging in with a user not in Build group.

Image 30



In Conclusion:

In the realm of SAP BTP, Cloud Identity Services emerge as a crucial asset for efficient identity and access management in your applications. The capabilities offered by these services not only enhance security but also streamline the process of authenticating and authorizing users, both within and beyond your organization.

Through this blog, we’ve explored a pragmatic approach to user management, focusing on the creation of distinct user groups tailored to specific applications. This approach empowers us to assign role collections with precision, simplifying the overall process.

By choosing the second approach of creating user groups within Cloud Identity Services and directly assigning role collections through the BTP cockpit, we gain not only efficiency but also time savings. This method aligns perfectly with the need for agile and organized role assignment, setting a foundation for effective identity and access management in the SAP BTP ecosystem.

Thanks and Regards,

Ashutosh Kumar

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah

      Ashutosh Kumar

      Good blog ! You can automate the user sync from IAS and as well as User Groups via Identity Provisioning (IPS) ( which will be scheduled Job)..  In your blog above, you have assigned the Users role collections and roles manually.

      You can explore more and write a next blog on how to automate.. So that makes everyone to know better 🙂

      Author's profile photo Ashutosh Kumar
      Ashutosh Kumar
      Blog Post Author

      Sure Yogananda Muthaiah, will work on it. Thanks for the input.

      Author's profile photo Carsten Olt
      Carsten Olt

      I agree; this blog is quite informative.

      Just a few thoughts: If one could express a further desire, it would be for insights into the recommended approach—perhaps an exchange of ideas among the experts in our community, similar to this resource

      What are your thoughts on the effectiveness of Federated Role Assignment through Claims compared to the allocation/provisioning of permissions and Group/Role Collection Mappings via IPS or IDM systems? So, for instance, if we revoke the permissions (IAS group assignment) the user wouldn't be deleted on the BTP through federation.

      Can you share the pros and cons based on your experience and maybe what preferences have customers expressed?

      Moreover, having guidelines for best practices, especially concerning naming conventions for groups and role collections, would be immensely valuable.

      Cheers Carsten