For organisations using SAP BTP, SAP S/4HANA Cloud Public Edition, and other SAP cloud solutions, it is common to run a single SAP Cloud Identity Services (Identity Authentication, IAS) tenant for all applications. The default administrator roles, however, grant full privileges across the whole administration console; they offer no way to scope an administrator to a subset of the applications.
When you add a user as an administrator through the ‘Administrators’ tile, that user automatically gains access to every application in the tenant. This does not support effective permission management at the application level.
Implementing granular access control is crucial for security and compliance. It ensures that each administrator can manage only the applications relevant to their role, reducing the risk of unauthorised access.
So, how can you ensure that an SAP BTP administrator manages only the BTP application while an S/4HANA administrator manages only the S/4HANA application? The good news is that IAS supports policy-based authorisations, which allow much finer-grained access control than the built-in roles. Administrators can define authorisation policies whose rules are based on application attributes and then assign those policies to other administrators, so that each administrator sees and manages only the applications relevant to their role.
Scenario: an administrator is responsible for managing the applications created for S/4HANA within SAP Cloud Identity Services. Your organisation uses a single Cloud Identity Services tenant for all SAP cloud solutions, and you want to limit that administrator’s access to the S/4HANA application only.
Ensure you have administrative permissions in SAP Cloud Identity Services with the following authorisations:
Step-by-Step Implementation
Reference: Configuring Authorization Policies
In the Rules tab, click ‘+’ and add a rule on the ‘application.organization’ attribute, so that the policy applies only to applications whose Organization ID matches the value you enter.
Note: Ensure that the ‘Organization ID’ you enter is in all lowercase letters.
Users assigned to the policy are then authorised to access and use only the resources permitted by the rules and restrictions defined in that authorisation policy.
Applications are created under the ‘global’ Organization ID by default, so a policy scoped to another organisation will not match them. The super administrator (who retains full privileges) needs to change the Organization ID of each application to the value used in the corresponding policy rule, so that the respective application administrator can manage it.
Click on Edit to change the Organization ID.
Once configured, an administrator who logs in to the administration console sees only the applications that their assigned policy permits.
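To make the effect of the procedure above concrete, here is a small model of the decision it configures, written as an added example for this post; it is not SAP code and does not call any SAP API. It assumes that a rule on ‘application.organization’ is an exact, case-sensitive string match against the application’s Organization ID (the post’s lowercase note motivates this assumption), and that applications without an explicit Organization ID sit in ‘global’. The tenant, application names and policy names are constructed for illustration.

```python
"""Model of scoping IAS administrators by application organisation.

Added illustration, not SAP code. Assumptions (not taken from SAP):
  * a rule on 'application.organization' is an exact, case-sensitive match;
  * applications with no explicit Organization ID live in 'global';
  * a policy with no rules is unrestricted (the built-in administrator).
"""
from dataclasses import dataclass, field, replace

DEFAULT_ORG = "global"  # applications are created under 'global' by default


@dataclass(frozen=True)
class Application:
    name: str
    organization: str = DEFAULT_ORG


@dataclass(frozen=True)
class Rule:
    attribute: str  # only "application.organization" is modelled here
    value: str


@dataclass
class AuthorizationPolicy:
    name: str
    rules: list = field(default_factory=list)  # no rules == unrestricted

    def permits(self, app: Application) -> bool:
        """Every rule must match; a policy with no rules permits everything."""
        for rule in self.rules:
            if rule.attribute != "application.organization":
                raise ValueError(f"unsupported rule attribute: {rule.attribute!r}")
            if app.organization != rule.value:  # assumed exact, case-sensitive
                return False
        return True


def visible_applications(policy: AuthorizationPolicy, apps) -> list:
    """Names of the applications an administrator holding `policy` would see."""
    return [app.name for app in apps if policy.permits(app)]


def non_lowercase_rule_values(policy: AuthorizationPolicy) -> list:
    """Flag organisation values that break the 'all lowercase' requirement."""
    return [r.value for r in policy.rules
            if r.attribute == "application.organization" and r.value != r.value.lower()]


def reassign_organization(app: Application, org: str) -> Application:
    """Super-administrator step: move an application out of 'global'."""
    return replace(app, organization=org)


def scenario() -> dict:
    """Constructed tenant (not real data) walking through the post's steps."""
    apps = [
        Application("S4HANA Public Cloud", organization="s4hana"),
        Application("BTP Subaccount Trust", organization="btp"),
        Application("New S4HANA Test System"),  # still in 'global'
    ]
    super_admin = AuthorizationPolicy("Administrator")  # unrestricted
    s4_admin = AuthorizationPolicy(
        "S4HANA_App_Admin", [Rule("application.organization", "s4hana")])
    btp_admin = AuthorizationPolicy(
        "BTP_App_Admin", [Rule("application.organization", "btp")])
    wrong_case = AuthorizationPolicy(
        "S4HANA_App_Admin_Bad", [Rule("application.organization", "S4HANA")])

    before = visible_applications(s4_admin, apps)
    # The super administrator edits the Organization ID of the new application.
    apps[2] = reassign_organization(apps[2], "s4hana")
    after = visible_applications(s4_admin, apps)

    return {
        "super_admin": visible_applications(super_admin, apps),
        "s4_admin_before_reassign": before,
        "s4_admin_after_reassign": after,
        "btp_admin": visible_applications(btp_admin, apps),
        "wrong_case_sees": visible_applications(wrong_case, apps),
        "wrong_case_flagged": non_lowercase_rule_values(wrong_case),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Two things the model makes visible that the console does not: an application left in ‘global’ is simply absent from the scoped administrator’s view rather than producing an error, and a rule value with the wrong case (‘S4HANA’ against ‘s4hana’) yields an administrator who sees nothing. Checking rule values for lowercase before assigning the policy, as `non_lowercase_rule_values` does here, catches the second case early.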
By following these steps, you can establish granular application access control in SAP Cloud Identity Services, ensuring that each administrator has only the access level their responsibilities require. This approach reduces the blast radius of a compromised or careless administrator account and simplifies application management within SAP Cloud Identity Services.
If you have questions or want to share your experiences managing access control in IAS, please comment below!