On SAP BTP, member management covers platform users at every level from the global account down to the environment (for example, Cloud Foundry orgs and spaces), while user management covers the business users of the applications deployed there.
A user account corresponds to a particular user in an identity provider, such as the default identity provider or a custom tenant of the Identity Authentication service.
A user account lets a user log on to SAP BTP and access subaccounts and services according to the permissions granted to that account.
Before diving into the different user and member management concepts, it's important to distinguish the two types of users this page refers to: platform users and business users.
Platform users are usually developers, administrators, or operators who deploy, administer, and troubleshoot applications and services on SAP BTP. You grant them permissions at a given scope, for instance at global account or subaccount level, by adding them as members of that scope.
Platform users who were added as members and who have administrative permissions can view or manage the list of global accounts, subaccounts, and environments, such as Cloud Foundry orgs and spaces. Members access these scopes using the SAP BTP cockpit, the SAP BTP command-line interface (btp CLI), or an environment-specific CLI such as the Cloud Foundry (CF) CLI.
For platform users, there's a default identity provider. We expect that you have your own identity provider. We recommend that you configure your custom tenant of Identity Authentication as the identity provider and connect Identity Authentication to your own corporate identity provider. Custom identity providers for platform users are only supported in cloud management tools feature set A.
For the China (Shanghai) region, a different default identity provider is used.
For more information, see this blog article on SAP Community.
Business users use the applications that are deployed to SAP BTP. For example, the end users of SaaS apps or services, such as SAP Workflow service or SAP Cloud Integration, or end users of your custom applications are business users.
Application developers (platform users) create and deploy application-specific security artifacts for business users, such as scopes. Administrators use these artifacts to assign roles, build role collections, and assign these role collections to business users or user groups. In this way, they control the users' permissions in the application.
For business users, there's a default identity provider, too. We expect that you have your own identity provider. We recommend that you configure your custom tenant of Identity Authentication as the identity provider and connect Identity Authentication to your own corporate identity provider.
Member management refers to managing permissions for platform users. You can think of it as managing the members of your team.
Member management happens at global account, directory, subaccount, and environment level. A member's permissions apply to every operation associated with that scope (the global account, the Cloud Foundry org, or the space), irrespective of the tool used (cockpit, btp CLI, or CF CLI). Depending on the scope and the cloud management tools feature set you're using, you manage members in different ways:
| | Global Accounts | Directories | Subaccounts |
|---|---|---|---|
| Feature Set A | You add global account administrators on the Members page at global account level in the cockpit. All members and administrators of the lower levels (e.g. subaccounts or spaces) are automatically global account members. On the Members page at global account level, all global account members can view the global account administrators. You can only manage global account administrators using the cockpit. | Not available | There is no member management at subaccount level directly. The person who created the subaccount is automatically a security administrator of that subaccount and can assign additional security administrators on the Security > Administrators page at subaccount level in the cockpit. As a security administrator, you manage authentication and authorization for business users in the subaccount, such as configuring trust to application identity providers and assigning role collections to business users. You can only manage subaccount security administrators using the cockpit. See Managing Security Administrators in Your Subaccount [Feature Set A]. |
| Feature Set B | You manage global account members by assigning the predefined global account role collections to platform users, from the cockpit or the btp CLI. See: Role Collections and Roles in Global Accounts, Directories, and Subaccounts [Feature Set B] | You manage directory members by assigning the predefined directory role collections to platform users, from the SAP BTP cockpit or the btp CLI. See: Role Collections and Roles in Global Accounts, Directories, and Subaccounts [Feature Set B] | You manage subaccount members by assigning the predefined subaccount role collections to platform users, from the SAP BTP cockpit or the btp CLI. See: Role Collections and Roles in Global Accounts, Directories, and Subaccounts [Feature Set B] |
Member management in the Cloud Foundry environment is independent of the feature set you use.
Member Management in the Cloud Foundry Environment

| Orgs | Spaces |
|---|---|
| Manage org members on the Members page at environment level in the cockpit or with the Cloud Foundry CLI. A platform user added as an org member is either an Org Manager or an Org Auditor; every org member also implicitly holds the Org User role. See: About Roles in the Cloud Foundry Environment | Manage space members on the Members page at space level in the cockpit or with the Cloud Foundry CLI. A platform user added as a space member is a Space Manager, Space Developer, Space Auditor, or Space Supporter. See: About Roles in the Cloud Foundry Environment |
See also About User Management in the Cloud Foundry Environment.
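Because org and space roles grant platform-level access to every application in the scope, a practitioner periodically reconciles the actual members against an approved roster. The following added example (not code from the page or from SAP) parses the text that `cf org-users ORG` and `cf space-users ORG SPACE` print and reports members who hold a role without approval. The org name `acme-org`, the space `prod`, the user names, the roster, and the exact output layout are constructed assumptions; verify the layout against your CF CLI version before relying on the parser.

```python
import re

# Constructed sample, shaped like `cf org-users acme-org` output (assumed layout).
ORG_USERS_OUTPUT = """\
Getting users in org acme-org as admin...

ORG MANAGER
  alice@example.com
  mallory@example.com

BILLING MANAGER
  No BILLING MANAGER found

ORG AUDITOR
  bob@example.com
"""

# Constructed sample, shaped like `cf space-users acme-org prod` output (assumed layout).
SPACE_USERS_OUTPUT = """\
Getting users in org acme-org / space prod as admin...

SPACE MANAGER
  alice@example.com

SPACE DEVELOPER
  carol@example.com
  mallory@example.com

SPACE AUDITOR
  No SPACE AUDITOR found

SPACE SUPPORTER
  dave@example.com
"""

# Constructed approved roster: role -> users who are allowed to hold it.
# A role that is absent here (e.g. BILLING MANAGER) is treated as "nobody approved".
APPROVED = {
    "ORG MANAGER": {"alice@example.com"},
    "ORG AUDITOR": {"bob@example.com"},
    "SPACE MANAGER": {"alice@example.com"},
    "SPACE DEVELOPER": {"carol@example.com"},
    "SPACE SUPPORTER": {"dave@example.com"},
}

# Role headers are upper-case, unindented lines such as "SPACE DEVELOPER".
ROLE_HEADER = re.compile(r"^[A-Z][A-Z ]*[A-Z]$")


def parse_cf_users(output):
    """Return {role: set(users)} from cf org-users / cf space-users text."""
    roles = {}
    current = None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Getting users"):
            continue                      # banner and blank separators
        if not line.startswith(" ") and ROLE_HEADER.match(line):
            current = line                # new role section
            roles[current] = set()
        elif current is not None:
            user = line.strip()
            if not user.startswith("No "):  # "No SPACE AUDITOR found" placeholder
                roles[current].add(user)
    return roles


def find_drift(actual, approved):
    """(role, user) pairs for members who hold a role without approval."""
    findings = []
    for role, users in actual.items():
        for user in sorted(users - approved.get(role, set())):
            findings.append((role, user))
    return findings


def find_stale(actual, approved):
    """(role, user) pairs approved on paper but no longer present on the platform."""
    findings = []
    for role, users in approved.items():
        if role in actual:
            for user in sorted(users - actual[role]):
                findings.append((role, user))
    return findings


if __name__ == "__main__":
    for label, text in (("org acme-org", ORG_USERS_OUTPUT), ("space acme-org/prod", SPACE_USERS_OUTPUT)):
        members = parse_cf_users(text)
        for role, user in find_drift(members, APPROVED):
            print("UNAPPROVED  %-20s %-16s %s" % (label, role, user))
        for role, user in find_stale(members, APPROVED):
            print("STALE       %-20s %-16s %s" % (label, role, user))
```

In a real review you would feed the script the live CLI output and treat every UNAPPROVED line as a finding to remove with `cf unset-org-role` or `cf unset-space-role`; the same roster-versus-reality comparison applies to the global account, directory, and subaccount role collections of feature set B.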
User management refers to managing authentication and authorization for your business users.
To manage your business users:
- Configure trust to an application identity provider in your subaccount.
- Create shadow users in your subaccount for the business users in your identity provider. When a user accesses a resource, SAP BTP redirects the user to the identity provider for authentication; authorizations are assigned to the shadow user in SAP BTP.
- Assign role collections either directly to users or map them to user groups of the identity provider. The role collections were either delivered by the applications you subscribed to or custom developed by your team.
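The chain behind these steps is: developers declare scopes, role templates, and role collections in the application's security descriptor (xs-security.json for the xsuaa service); administrators map role collections to identity provider groups or assign them to shadow users directly; at logon the groups asserted by the identity provider decide which collections, and hence which scopes, the business user gets. The following added example (not code from the page or from SAP) makes that chain concrete: it validates a descriptor for dangling references, which would otherwise fail at `cf create-service xsuaa application ...`, and resolves a user's effective scopes. The application name `bookshop`, the scope and group names, and the mappings are constructed; the `$XSAPPNAME` expansion here uses the bare name, whereas a real xsuaa instance appends a tenant suffix.

```python
import json

# Constructed xs-security.json for a hypothetical "bookshop" application.
XS_SECURITY = json.loads("""
{
  "xsappname": "bookshop",
  "tenant-mode": "dedicated",
  "scopes": [
    {"name": "$XSAPPNAME.Read",  "description": "Read books"},
    {"name": "$XSAPPNAME.Write", "description": "Create and edit books"},
    {"name": "$XSAPPNAME.Admin", "description": "Administer the catalog"}
  ],
  "role-templates": [
    {"name": "Viewer", "description": "Read-only",
     "scope-references": ["$XSAPPNAME.Read"]},
    {"name": "Editor", "description": "Read and write",
     "scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Write"]},
    {"name": "Administrator", "description": "Full access",
     "scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Write", "$XSAPPNAME.Admin"]}
  ],
  "role-collections": [
    {"name": "Bookshop_Viewer", "description": "Viewers",
     "role-template-references": ["$XSAPPNAME.Viewer"]},
    {"name": "Bookshop_Editor", "description": "Editors",
     "role-template-references": ["$XSAPPNAME.Editor"]},
    {"name": "Bookshop_Admin", "description": "Administrators",
     "role-template-references": ["$XSAPPNAME.Administrator"]}
  ]
}
""")

# Constructed subaccount configuration: IdP group -> role collections (step 3, mapped)
GROUP_MAPPINGS = {
    "bookshop-readers": ["Bookshop_Viewer"],
    "bookshop-editors": ["Bookshop_Editor"],
    "bookshop-admins": ["Bookshop_Admin"],
}
# Constructed: role collections assigned directly to shadow users (step 3, direct)
DIRECT_ASSIGNMENTS = {"alice@example.com": ["Bookshop_Admin"]}


def expand(name, xsappname):
    """Resolve the $XSAPPNAME placeholder (assumption: bare name, no tenant suffix)."""
    return name.replace("$XSAPPNAME", xsappname)


def template_scopes(descriptor):
    """Expanded role template name -> set of expanded scope names."""
    app = descriptor["xsappname"]
    return {expand("$XSAPPNAME." + t["name"], app):
            {expand(r, app) for r in t.get("scope-references", [])}
            for t in descriptor.get("role-templates", [])}


def validate(descriptor):
    """Report references to scopes or role templates that are not declared."""
    app = descriptor["xsappname"]
    scopes = {expand(s["name"], app) for s in descriptor.get("scopes", [])}
    templates = template_scopes(descriptor)
    errors = []
    for t in descriptor.get("role-templates", []):
        for missing in sorted(templates[expand("$XSAPPNAME." + t["name"], app)] - scopes):
            errors.append("role template %s references unknown scope %s" % (t["name"], missing))
    for rc in descriptor.get("role-collections", []):
        for ref in rc.get("role-template-references", []):
            if expand(ref, app) not in templates:
                errors.append("role collection %s references unknown role template %s" % (rc["name"], ref))
    return errors


def role_collection_scopes(descriptor):
    """Role collection name -> union of the scopes of its role templates."""
    app = descriptor["xsappname"]
    templates = template_scopes(descriptor)
    result = {}
    for rc in descriptor.get("role-collections", []):
        result[rc["name"]] = set()
        for ref in rc.get("role-template-references", []):
            result[rc["name"]] |= templates.get(expand(ref, app), set())
    return result


def effective_scopes(descriptor, group_mappings, direct_assignments, user, groups):
    """Scopes the business user holds: direct assignments plus collections mapped
    to any group the identity provider asserted for this logon."""
    rc_scopes = role_collection_scopes(descriptor)
    collections = set(direct_assignments.get(user, []))
    for group in groups:
        collections.update(group_mappings.get(group, []))
    scopes = set()
    for rc in collections:
        scopes |= rc_scopes.get(rc, set())
    return scopes


if __name__ == "__main__":
    print("descriptor errors:", validate(XS_SECURITY))
    print(sorted(effective_scopes(XS_SECURITY, GROUP_MAPPINGS, DIRECT_ASSIGNMENTS,
                                  "bob@example.com", ["bookshop-readers", "finance"])))
```

Note that a group the identity provider asserts but that is not mapped in the subaccount (such as `finance` above) contributes nothing, and a user with no mapped groups and no direct assignment ends up with no scopes at all; that default-deny outcome is what you want to confirm when you test a new trust configuration.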
To learn more about user management, see Security Administration: Managing Authentication and Authorization.