Welcome to the next installment in our series on streamlining user management within SAP environments. In the previous article, we explored how the integration of SAP Integration Suite with SAP Cloud Identity Services can enhance security and simplify provisioning processes. Building on that foundation, this blog will guide you through additional crucial steps to optimize user management further. You'll learn how to set up user groups, pivotal for organizing and managing roles and permissions efficiently. By establishing role collection mappings, you can ensure a seamless assignment of roles within your SAP environment, empowering administrators to tailor access according to organizational needs.
Furthermore, as security remains a paramount concern, we will introduce methods for integrating Two-Factor Authentication (2FA) into your system, bolstering protection against unauthorized access. This article also addresses the necessary steps for testing user provisioning to ensure a smooth implementation and provides valuable recommendations for maintaining and enhancing user management practices in the future. Whether you're looking to refine your SAP security infrastructure or improve user access protocols, this article promises insightful guidance to help you achieve your objectives.
Setup User Groups
Create group for platform access
I. Navigate to Groups via the Users & Authorizations menu.
II. Create a group, e.g. BTP_ADM.
Create group for application (SAP Integration Suite) access
I. Create another group, e.g. BTP_IS_CI_DEV.
Configure Role Collection Mapping
I. In the SAP BTP cockpit, navigate to your subaccount and select Security > Trust Configuration. Select the Identity Provider for Applications.
II. Navigate to Role Collection Mappings and create new role collection mappings as follows.
Enhance Security - Configure Two-Factor Authentication (2FA)
You have the ability to establish authentication rules based on various risk factors and implement actions such as Allow, Deny, and Two-Factor Authentication across all applications within a tenant.
Define Default Authentication Rule
I. Navigate to Tenant Settings via the Applications & Resources menu.
II. Select the Authentication tab and select Risk-Based Authentication.
III. Select Edit and choose Two-Factor Authentication as the Default Action. Specify the authentication method(s) the end user should use, e.g. TOTP, and save the settings.
Define Authentication Rules
Because the default action now enforces two-factor authentication, the technical provisioning user would no longer be able to authenticate with basic authentication. To keep basic authentication working for the provisioning user, an authentication rule that takes precedence over the default action needs to be created. Set up the rule as follows:
I. Navigate to the Risk-Based Authentication menu via the Tenant Settings main menu.
II. Create a new Authentication Rule as follows.
III. Optionally configure advanced conditions such as IP Range or Corporate Attribute.
SAP Help References: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-default-risk-bas...
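To make the interplay between the default action and the explicit rule tangible, here is an added example (not SAP code and not part of the original post) that models risk-based authentication as an ordered rule list with a fallback default action. The group name IPS_PROVISIONING, the corporate range 10.0.0.0/8 and the sample IP addresses are constructed assumptions; the point it shows is that the provisioning rule only exempts the technical user when all of its conditions (group, IP range, authentication method) match, otherwise the 2FA default applies.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One risk-based authentication rule; unset conditions match anything."""
    action: str                        # "Allow", "Deny" or "2FA"
    group: Optional[str] = None        # user must be a member of this group
    ip_range: Optional[str] = None     # CIDR the request must originate from
    auth_methods: Tuple[str, ...] = () # allowed methods, e.g. ("Basic",)


@dataclass
class Policy:
    default_action: str                # applied when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, user_groups, source_ip, auth_method):
        # Rules are checked in order; the first rule whose conditions all
        # match decides. If none matches, the tenant default action applies.
        for rule in self.rules:
            if rule.group and rule.group not in user_groups:
                continue
            if rule.ip_range and ip_address(source_ip) not in ip_network(rule.ip_range):
                continue
            if rule.auth_methods and auth_method not in rule.auth_methods:
                continue
            return rule.action
        return self.default_action


def build_example_policy():
    """Default action 2FA (as configured above) plus one exception rule
    that keeps basic authentication for the provisioning user, restricted
    to a constructed corporate IP range (assumption: 10.0.0.0/8)."""
    provisioning_rule = Rule(action="Allow", group="IPS_PROVISIONING",
                             ip_range="10.0.0.0/8", auth_methods=("Basic",))
    return Policy(default_action="2FA", rules=[provisioning_rule])


if __name__ == "__main__":
    policy = build_example_policy()
    # Interactive admin: no rule matches, so the 2FA default applies.
    print(policy.evaluate(["BTP_ADM"], "198.51.100.7", "Form"))
    # Provisioning user from the corporate range with basic auth: allowed.
    print(policy.evaluate(["IPS_PROVISIONING"], "10.20.30.40", "Basic"))
    # Same user outside the range: exception does not apply, 2FA required.
    print(policy.evaluate(["IPS_PROVISIONING"], "198.51.100.7", "Basic"))
```

The third case is the one to watch for in the provisioning logs: if the Identity Provisioning job suddenly fails authentication after enabling 2FA, the exception rule's conditions most likely no longer match the technical user's request.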
Test User Provisioning
Simulate provisioning
By simulating a provisioning job, you can evaluate your Identity Provisioning settings to confirm they yield the expected outcome in the target system. If the results differ from your expectations, you have the opportunity to pinpoint incorrect configurations and adjust them before executing the real provisioning job.
I. Access the SAP BTP Platform Members (Cloud Foundry) source system and select the Jobs tab.
II. Select the Run Now option for the Simulate Job.
III. Navigate to the Identity Authentication source system, click on the Jobs tab and execute the simulation job.
IV. Access the Provisioning Logs and check the provisioned entities.
V. Validate successful execution.
SAP Help References: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/simulate-provisioning-jobs
Synchronize SAP BTP Cloud Foundry groups
To synchronize the SAP BTP Cloud Foundry organization groups into the IAS and assign them there, it is necessary to run the synchronization job of the SAP BTP Platform Members (Cloud Foundry) source system.
I. Navigate to the SAP BTP Platform Members (Cloud Foundry) source system and select the Jobs tab.
II. Select the Run Now option for the Resync Job.
III. Navigate to Groups via the Users & Authorizations menu and validate the group creation based upon your defined btp.cf.pm.group.prefix property.
IV. Check that the groups are also available as Role Collections via the Security menu of the SAP BTP cockpit.
Setup test user
I. Navigate to User Management via the Users & Authorizations menu and create a user via the Add button.
II. Enter the user details.
III. Select the previously created user. Navigate to the Groups tab and assign application, platform and CF organization and space groups.
Provision user
The next step is to provision the user with the assigned authorizations to the created SAP BTP XS Advanced UAA (Cloud Foundry) target system.
I. Go to the Identity Authentication source system, choose the Jobs tab and execute the Resync Job.
II. Go to the SAP BTP cockpit, select the Users menu and validate user creation.
III. Select the user and validate the role collection assignment.
IV. Navigate to the Cloud Foundry -> Org Members menu and validate user assignment.
V. Go to the Cloud Foundry Spaces menu and validate user assignment in the respective space e.g. community.
Test access
I. Log in to the SAP Integration Suite via https://<tenantId>.<systemId>.cfapps.<landscape>.hana.ondemand.com/shell/home and select the configured SAP Cloud Identity Services instance.
II. Enter your logon details.
III. Provide the TOTP passcode.
IV. Validate successful login.
V. Navigate to the SAP BTP cockpit via your region-specific URL, e.g. EMEA https://emea.cockpit.btp.cloud.sap/cockpit/?idp=<tenantId>.<landscape>.ondemand.com, and select the assigned subaccount.
VI. Navigate to the Cloud Foundry spaces and check for successful assignment.
VII. You have successfully tested the access to the application, platform, CF organization and space via your SAP Cloud Identity Services instance.
Outlook