Managing Access to Multiple BTP Applications by Grouping Users with Cloud Identity Services

Introduction:

Cloud Identity Services in SAP BTP provide a set of capabilities that help you manage identity and access in your applications and services. These services offer a robust and secure way to authenticate and authorize users, which is essential for both internal and external-facing applications.

In this blog post, we will explore the process of creating user groups tailored for various applications such as BAS, Integration Suite, and Build. This strategic approach will enable us to streamline the assignment of role collections to these groups, eliminating the need to allocate roles to individual users.

Pre-requisites:

  • You should have a BTP trial account or tenant account.
  • Your trial or tenant account should be configured with Cloud Identity Services.
  • If you do not have Cloud Identity Services configured, refer to the link.

Scenario:

Our scenario involves managing different applications, each catering to specific user groups. For instance, we have designated user groups for the Build application, Business Application Studio, and more. When it comes to assigning role permissions to these user groups, we have two options:

  • The first approach involves assigning the same role collection individually to each user of a given group via the BTP cockpit (Subaccount > Security > Users).
  • The second approach focuses on creating user groups within Cloud Identity Services and directly assigning role collections to these groups through the BTP cockpit (Subaccount > Security > Role Collections). This method stands out as the more efficient and time-saving alternative.

By adopting the second approach, we streamline the process and ensure a more efficient and organized way of assigning roles.

Solution:

Step 1: Configuring Cloud Identity Services

  • Go to the Service Marketplace, search for Cloud Identity Services and click on Create.

Image 1

Image 2

  • After subscribing to Cloud Identity Services, an activation link is sent to your registered email ID. Activate it and create a password for Cloud Identity Services.
  • After creating the password, log in to Cloud Identity Services again.

Image 3

Step 2: Establishing trust between Cloud Identity Services and BTP

  • Go to BTP subaccount > Security > Trust Configuration.

Image 4

  • Click on Establish Trust.

Image 5

Image 6

Image 7

Image 8

  • Trust is established between Cloud Identity Services and BTP.

Image 9

Step 3: Go to Cloud Identity Services and add all users.

  • Open the Cloud Identity Services application. Go to User Management.

Image 10

  • Add all users.

Image 11

  • Go to Groups.

Image 12

  • Create groups for the different applications.

Image 13

  • Add the users of each application to the respective group. (In my case, I have created two groups: one for Business Application Studio, i.e. BAS Group, and the other for Build Apps, i.e. Build Group.)

Image 14

Step 4: Creating role collections, assigning roles and adding the respective groups to the role collections.

  • Go to the BTP subaccount, then to Role Collections, and click on Create.

Image 15

  • Create a role collection for Business Application Studio.

Image 16

Image 17

  • Click on the role collection created and edit it.

Image 18

  • Add the required roles for Business Application Studio.

Image 19

  • Add the respective group to the created role collection.

Image 20

  • Similarly, create a role collection for Build Apps.

Image 21

Image 22

  • Edit the role collection and assign roles to it.

Image 23

Image 24

  • Add the respective group to the role collection.

Image 25

Testing whether each application works for the respective groups:

  • Logging in with a user from the BAS group

Image 26

Image 27

  • Logging in with a user not in the BAS group

Image 28

  • Similarly, logging in with a user in the Build group

Image 29

  • Logging in with a user not in the Build group

Image 30
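The following script is an added example, not code from the original post or from SAP. It models the two approaches from the Scenario section and the four login tests above: groups are assumed to be read from Cloud Identity Services in SCIM 2.0 Group form (a "members" list of {"value": user id} entries), the role-collection-to-group mapping is modelled as a plain dict standing in for what the BTP cockpit stores under Role Collections, and a second dict models direct user assignments. All user ids, e-mail addresses, group names and role collection names are constructed. Given those inputs it resolves which role collections each user ends up with, and reports two things a reviewer usually wants: users who sit in no group (and therefore get nothing) and direct user grants that bypass the group model.

```python
"""
Resolve effective BTP role collections from Cloud Identity Services groups.

Added example (not from the original post or SAP). Assumptions:
  - groups are SCIM 2.0 Group resources as returned by an identity
    provider's /Groups endpoint ("members": [{"value": <user id>}, ...]);
  - ROLE_COLLECTION_GROUPS stands in for the group assignments made under
    Subaccount > Security > Role Collections (the "second approach");
  - DIRECT_ASSIGNMENTS stands in for per-user grants made under
    Subaccount > Security > Users (the "first approach").
All ids, names and addresses below are constructed sample data.
"""
from collections import defaultdict

# Constructed SCIM 2.0 Group resources (ids are made up).
SCIM_GROUPS = [
    {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
        "id": "g-bas",
        "displayName": "BAS Group",
        "members": [{"value": "u-alice"}, {"value": "u-bob"}],
    },
    {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
        "id": "g-build",
        "displayName": "Build Group",
        "members": [{"value": "u-carol"}],
    },
]

# Constructed users: SCIM user id -> login e-mail.
USERS = {
    "u-alice": "alice@example.com",
    "u-bob": "bob@example.com",
    "u-carol": "carol@example.com",
    "u-dave": "dave@example.com",  # deliberately in no group
}

# Role collection -> groups that receive it (constructed names).
ROLE_COLLECTION_GROUPS = {
    "BAS_Developer_RC": ["BAS Group"],
    "Build_Apps_RC": ["Build Group"],
}

# Role collection -> users granted it directly. Empty in the group model.
DIRECT_ASSIGNMENTS = {}


def group_members(scim_groups):
    """Map group displayName -> set of member user ids."""
    return {g["displayName"]: {m["value"] for m in g.get("members", [])}
            for g in scim_groups}


def effective_role_collections(scim_groups, rc_groups, direct=None):
    """Return user id -> set of role collections the user effectively holds."""
    direct = direct or {}
    members = group_members(scim_groups)
    result = defaultdict(set)
    for rc, groups in rc_groups.items():          # group-based grants
        for group in groups:
            for uid in members.get(group, set()):
                result[uid].add(rc)
    for rc, uids in direct.items():               # direct user grants
        for uid in uids:
            result[uid].add(rc)
    return dict(result)


def has_access(uid, rc, scim_groups=SCIM_GROUPS,
               rc_groups=ROLE_COLLECTION_GROUPS, direct=DIRECT_ASSIGNMENTS):
    """True if the user ends up with the role collection (the login tests)."""
    return rc in effective_role_collections(scim_groups, rc_groups, direct).get(uid, set())


def users_without_group_access(users, scim_groups):
    """Users in no group: they get no role collection unless granted directly."""
    in_some_group = set().union(*group_members(scim_groups).values())
    return sorted(u for u in users if u not in in_some_group)


def direct_grants_bypassing_groups(scim_groups, rc_groups, direct):
    """(user, role collection) pairs granted directly and not via any group."""
    via_groups = effective_role_collections(scim_groups, rc_groups)
    return sorted((uid, rc) for rc, uids in direct.items()
                  for uid in uids if rc not in via_groups.get(uid, set()))


if __name__ == "__main__":
    for uid, rcs in sorted(effective_role_collections(
            SCIM_GROUPS, ROLE_COLLECTION_GROUPS, DIRECT_ASSIGNMENTS).items()):
        print(f"{USERS[uid]}: {sorted(rcs)}")
    print("no group:", users_without_group_access(USERS, SCIM_GROUPS))
    print("direct grants bypassing groups:",
          direct_grants_bypassing_groups(SCIM_GROUPS, ROLE_COLLECTION_GROUPS,
                                         {"Build_Apps_RC": ["u-dave"]}))
```

Run as-is it reproduces the four tests: a BAS Group member holds the BAS role collection, a Build Group member holds the Build one, and a user outside a group holds neither. The last call shows the reviewer check: a direct grant to a user who is in no group is exactly the kind of assignment the group model is meant to replace, so listing such grants is a useful periodic audit once everything is supposed to go through groups.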


In Conclusion:

In the realm of SAP BTP, Cloud Identity Services emerge as a crucial asset for efficient identity and access management in your applications. The capabilities offered by these services not only enhance security but also streamline the process of authenticating and authorizing users, both within and beyond your organization.

Through this blog, we’ve explored a pragmatic approach to user management, focusing on the creation of distinct user groups tailored to specific applications. This approach empowers us to assign role collections with precision, simplifying the overall process.

By choosing the second approach of creating user groups within Cloud Identity Services and directly assigning role collections through the BTP cockpit, we gain not only efficiency but also time savings. This method aligns perfectly with the need for agile and organized role assignment, setting a foundation for effective identity and access management in the SAP BTP ecosystem.

Thanks and Regards,

Ashutosh Kumar
