Managing Access to Multiple BTP Applications by Grouping Users with Cloud Identity Services
Cloud Identity Services in SAP BTP provide a set of capabilities that help you manage identity and access in your applications and services. These services offer a robust and secure way to authenticate and authorize users, which is essential for both internal and external-facing applications.
In this blog post, we will explore the process of creating user groups tailored for various applications such as BAS, Integration Suite, and Build. This strategic approach will enable us to streamline the assignment of role collections to these groups, eliminating the need to allocate roles to individual users.
- You should have a BTP trial account or tenant account.
- Your trial or tenant account should be configured with Cloud Identity Services.
- If you do not have Cloud Identity Services configured yet, refer to the link.
Our scenario involves managing different applications, each catering to specific user groups. For instance, we have designated user groups for the Build application, Business Application Studio, and more. When it comes to assigning role permissions to these user groups, we have two options:
- The first approach involves assigning the same role collection to a specific user group via the BTP cockpit (Subaccount > Security > Users).
- The second approach focuses on creating user groups within Cloud Identity Services and directly assigning role collections to these groups through the BTP cockpit (Subaccount > Security > Role Collections). This method stands out as the more efficient and time-saving alternative.
By adopting the second approach, we streamline the process, ensuring a more efficient and organized way of assigning roles.
Step 1: Configuring Cloud Identity Services
- Go to the Service Marketplace, search for Cloud Identity Services and click on Create.
- After subscribing to Cloud Identity Services, an activation link is sent to your registered email address. Open it and set a password for Cloud Identity Services.
- After setting the password, log in to Cloud Identity Services again.
Step 2: Establishing trust between Cloud Identity Services and BTP
- Go to BTP sub-account > Security > Trust Configuration.
- Click on Establish Trust.
- Trust is established between Cloud Identity Services and BTP.
Step 3: Adding users and groups in Cloud Identity Services
- Open the Cloud Identity Services application and go to User Management.
- Add all users.
- Go to Groups.
- Create one group per application.
- Add the users of each application to the respective group. (In my case, I have created two groups: one for Business Application Studio, i.e. BAS Group, and the other for Build Apps, i.e. Build Group.)
Step 4: Creating role collections, assigning roles and adding the respective groups to each role collection
- Go to the BTP sub-account, then to Role Collections, and click on Create.
- Create a role collection for Business Application Studio.
- Click on the role collection you created and choose Edit.
- Add the required roles for Business Application Studio to the role collection.
- Add the respective group (BAS Group) to the created role collection.
- Similarly, create a role collection for Build Apps.
- Edit the role collection and assign roles to it.
- Add the respective group (Build Group) to the role collection.
Testing whether each application works for the respective group:
- Logging in with a user from the BAS group.
- Logging in with a user not in the BAS group.
- Similarly, logging in with a user in the Build group.
- Logging in with a user not in the Build group.
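The four login checks above can also be reasoned through offline. The following Python script is an added example, not part of the original post or of SAP's tooling: it models the Step 3 groups and the Step 4 group-to-role-collection assignments and reports which role collections each user obtains purely through group membership. The group names follow the post; the role collection names, user addresses and SCIM-style group records are constructed.

```python
# Added example: models the group -> role collection mapping this post sets up,
# so the login checks in the Testing section can be reproduced offline.
# Group names follow the post (BAS Group, Build Group); role collection names,
# user addresses and the SCIM-style group records below are constructed.
from typing import Dict, List, Set

# Constructed snapshot of the groups created in Cloud Identity Services (Step 3),
# shaped like the SCIM /Groups resource: displayName plus a members list.
IAS_GROUPS: List[dict] = [
    {"displayName": "BAS Group",
     "members": [{"value": "alice@example.com"}, {"value": "carol@example.com"}]},
    {"displayName": "Build Group",
     "members": [{"value": "bob@example.com"}, {"value": "carol@example.com"}]},
]

# Constructed view of Step 4: each BTP role collection with the IAS groups
# assigned to it in the cockpit (Subaccount > Security > Role Collections).
ROLE_COLLECTION_GROUPS: Dict[str, Set[str]] = {
    "BAS_Developer": {"BAS Group"},
    "BuildApps_Developer": {"Build Group"},
}

def groups_of(user: str, groups: List[dict] = IAS_GROUPS) -> Set[str]:
    """Groups the identity provider would send for this user in the groups attribute."""
    return {g["displayName"] for g in groups
            if any(m["value"] == user for m in g.get("members", []))}

def effective_role_collections(user: str) -> Set[str]:
    """Role collections a user gets through group membership alone (no per-user assignment)."""
    user_groups = groups_of(user)
    return {rc for rc, grps in ROLE_COLLECTION_GROUPS.items() if grps & user_groups}

def can_use(user: str, role_collection: str) -> bool:
    """The login check from the Testing section: does this user obtain the role collection?"""
    return role_collection in effective_role_collections(user)

def access_report(users: List[str]) -> Dict[str, Set[str]]:
    """Review aid: who gets what, including users left with no role collection at all."""
    return {u: effective_role_collections(u) for u in users}

if __name__ == "__main__":
    report = access_report(["alice@example.com", "bob@example.com",
                            "carol@example.com", "dave@example.com"])
    for user, rcs in report.items():
        print(f"{user}: {sorted(rcs) or ['no role collections']}")
```

A user who appears in the report with no role collections corresponds to the "not in the group" logins above and should be denied by the application.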
In the realm of SAP BTP, Cloud Identity Services emerge as a crucial asset for efficient identity and access management in your applications. The capabilities offered by these services not only enhance security but also streamline the process of authenticating and authorizing users, both within and beyond your organization.
Through this blog, we’ve explored a pragmatic approach to user management, focusing on the creation of distinct user groups tailored to specific applications. This approach empowers us to assign role collections with precision, simplifying the overall process.
By choosing the second approach of creating user groups within Cloud Identity Services and directly assigning role collections through the BTP cockpit, we gain not only efficiency but also time savings. This method aligns perfectly with the need for agile and organized role assignment, setting a foundation for effective identity and access management in the SAP BTP ecosystem.
Thanks and Regards,