- SAP Managed Tags
Hello SAP Community members!
I’m excited to announce the launch of our brand-new Environment Access Management screen in SAP Profitability and Performance Management Cloud Standard Model (SAP PaPM Cloud SM). This new feature fulfills our Cloud users’ need for enhanced security in managing access to environments.
With this, you can now control the visibility to your environments by setting them as either “Public” or “Private”. This ensures that only authorized users have access.
It's essential to note that admin users must possess one of the following roles to utilize this new screen:
- ENVIRONMENTS_ACCESS_ALL
- ADMIN_USER_ALL
- ADMIN_USER_RESTRICTED
Here's an in-depth overview along with the instructions on how to use it:
Navigating to the Screen
To open the Environment Access Management screen, first choose the Menu option.
Next, navigate to Administration, and then choose Environments Access:
The Environment Access Management screen provides a list of all environments available in the system including the following information:
- Select (checkbox): Mark the environment as needed
- Environment Description: Displays details of the environment
- Environment: Defines the identifier of the environment
- Version: Defines the version of the environment
- Access: Indicates the access level (“Public” or “Private”) for each environment
- Authorized Teams: Contains a list of teams who have authorized access to each environment
Note: The screen follows the existing application standards, such as layout, column options, column filters, and so on.
Understanding Access Levels
Access levels determine who can view and perform actions with different environments within an application. These levels can either be public or private.
1. Public: By default, environments are set to “Public”. When an environment is “Public”, all users of the application have access to it.
2. Private: Access to environments is restricted to users who are granted permissions fulfilling one of the following conditions:
- As an administrator, having any of the following roles:
- ENVIRONMENTS_ACCESS_ALL
- ADMIN_USER_ALL
- ADMIN_USER_RESTRICTED - Being member of a team that has been granted access to particular environment
Access restrictions are enforced across all screens that display an environment list, such as Environments, Process Scheduler (used for job creation), Content Management (used for exporting an environment), and others.
Setting Access Level to Environment
Managing access to various environments is crucial for maintaining security and control.
Here’s a guide on how to set access levels to ensure that only authorized users can view and access designated environments.
1. Select the environment(s) for which you want to set the access level by marking the corresponding checkbox. Note that environments are set to “Public” by default.
2. Choose the Edit access for environment(s) icon in the header section to open the dialog.
The dialog includes the following details:
- Title: Edit access for environment(s)
- Description: Adjusting access affects all selected environments
- Placeholder list of the environments selected by the user
- Access: Radio buttons allow you to select either “Public” or “Private” option
When a user selects “Private”, the Authorized Teams multiselect component is shown - Buttons: CONFIRM and CANCEL
Dialog: Access (Public)
Dialog: Access (Private)
3. Set Access to “Private” and fill in the Authorized Teams by selecting from the dropdown list.
4. Choose CONFIRM to apply the setting.
The access level for "ABC Environment" has been changed from “Public” to “Private”.
The "ABC-Team" is now assigned to the Authorized Teams field.
Access to Environment when Configured as Private
Let’s explore the outcomes of setting environments to “Private” for the following scenarios:
Scenario 1: Privileged Role Access
Condition:
- User Role: Users must have one of the following roles:
- ENVIRONMENTS_ACCESS_ALL
- ADMIN_USER_ALL
- ADMIN_USER_RESTRICTED - Access: Environment is set to “Private”
- Authorized Teams: This field is empty/blank or the user is not a member of any team assigned to this field
Expected Result: The user will be able to view and access all environments (both public and private)
Summary: In this scenario, any of the roles ENVIRONMENTS_ACCESS_ALL, ADMIN_USER_ALL, OR ADMIN_USER_RESTRICTED grants the user permissions that override access controls based on access level and authorized teams’ membership. As a result, the user will be able to view all environments within the system.
Sample Screens:
Team Management Screen
The user who will be updating the Environment Access Management screen by changing the Access Level and assigning the Authorized Teams must not be member of the ”AAA Team”
Environment Access Management
For the ”ABC Environment”, access is set to “Private”. The “AAA Team” is assigned as authorized team.
For the “AAA Test Env”, access is also set “Private”, but no teams are authorized.
All other environments are set to “Public”.
As you can see, the user has access to all environments, including "ABC Environment" and "AAA Test Env," as shown on the following screens:
Environments
Process Scheduler when adding a Job
Content Management when Exporting an Environment
Scenario 2: Authorized Team Membership Granting Access
Condition:
- User Role: Users must not possess any of the following roles:
- ENVIRONMENTS_ACCESS_ALL
- ADMIN_USER_ALL
- ADMIN_USER_RESTRICTED - Access: Environment is set to “Private”
- Authorized Teams: User is a member of at least one of the teams assigned for this field to access environments
Expected Result: The user can access private environments if he/she belongs to at least one of the authorized teams. Additionally, they will have access to all public environments.
Summary: This scenario demonstrates how access to private environments is controlled based on team membership authorization.
Sample Screens:
Team Management Screen
The user who will be updating the Environment Access Management screen by changing the Access Level and assigning the Authorized Teams must meet the following criteria:
Must be a member of the “ABC-Team”
Must not be a member of the “AAA Team”
Environment Access Management
For the ”ABC Environment”, access is set to “Private”. The ”AAA Team” and ”ABC-Team” are assigned as authorized teams.
For the ”AAA Test Env”, access is also set to “Private”, but no teams are authorized.
For the ”AAA Environment”, access is also set to “Private”, and the ”AAA Team” is assigned as authorized team.
All other environments are set to “Public”.
How can you identify which private environments the user can access based on the given criteria?
For private environments, users can view the ”ABC Environment” only because he/she is a member to at least one of the authorized teams. However, the “AAA Test Env” and ”AAA Environment” will not be visible to the user. Furthermore, the user will have access to all public environments.
Environments
Process Scheduler when adding a Job
Content Management when Exporting an Environment
That’s a wrap for this blog post! I hope you find this overview of the new Environment Access Management screen beneficial.
Stay tuned for the latest updates and insights on the next one. Thank you!
| User | Count |
|---|---|
| 12 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
