BhagyaVenkatesha

Organisations that run SAP BTP, SAP S/4HANA Public Cloud and other SAP Cloud solutions commonly use a single SAP Cloud Identity Services (IAS) tenant for all of their applications. The default administrator roles, however, grant full privileges across the whole administration console; they do not provide the granular, per-application control that such a shared tenant needs.

[Screenshot: image1.png]

When you add a user as an administrator through the ‘Administrator’ tile, that user automatically gains access to every application in the tenant. This grant cannot be limited to individual applications, so it does not support permission management at the application level.

[Screenshot: image2.png]

Why Application Access Control Matters

Granular access control matters for both security and compliance: each administrator should be able to manage only the applications relevant to their role, which limits the impact of a compromised or misused administrator account and reduces the risk of unauthorised changes.

So how do you ensure that an SAP BTP administrator can manage only the BTP application, while an S/4HANA administrator manages only the S/4HANA application? IAS supports policy-based authorisations for exactly this purpose. A tenant administrator defines an authorisation policy whose rules refer to application attributes (in this post, the application's Organization ID) and assigns that policy to the administrators concerned. Each assigned administrator can then access only the applications whose attributes satisfy the policy rules.

Scenario

A user acts as administrator for the applications created for S/4HANA in SAP Cloud Identity Services. Your organisation uses a single Cloud Identity Services tenant for all SAP Cloud solutions, and you want this user's administrative access limited to the S/4HANA application alone.

Prerequisites

Ensure you have administrative permissions in SAP Cloud Identity Services with the following authorisations:

  • Manage Applications
  • Manage Groups
  • Read Users

Step-by-Step Implementation

Reference: Configuring Authorization Policies

Step 1: Enable Policy-Based Authorization

  1. Navigate to Applications & Resources and select Tenant Settings.
  2. Under General, choose Policy-Based Authorizations.
  3. Enable Policy-Based Authorization.

    [Screenshot: step1.png]

Step 2: Create Authorization Policy

  1. In Applications & Resources, go to Applications.
  2. Under System Applications, select the administration console.
  3. On the Authorization Policies tab, create a policy that restricts access to applications.

    [Screenshot: step2.3.png]

  4. As base policies, select READ_APPLICATIONS, UPDATE_APPLICATIONS and DELETE_APPLICATIONS. The new policy grants only the actions you select here.

    [Screenshot: step2.4.png]

  5. On the Rules tab, click ‘+’ and add a rule on the attribute ‘application.organization’. Its value is the Organization ID of the applications this administrator may manage (the Organization ID you will assign to the S/4HANA application in Step 4).

    [Screenshot: step2.5.png]

    [Screenshot: step2.51.png]

Note: Enter the ‘Organization ID’ in all lowercase letters, and use exactly the same value in Step 4; otherwise the rule will not match the applications you assign there.

Step 3: Assign Users to Authorization Policy

  1. Open the Assignments tab of the policy.
  2. Click Add, choose the users who should receive the policy, and click Add again. This grants them access according to the defined rules.

    [Screenshot: step3.21.png]

The assigned users can now access and manage the resources within the rules and restrictions defined in the authorisation policy. Keep in mind that a user added through the ‘Administrator’ tile already has access to all applications; the policy-based approach is intended for users who are not tenant-wide administrators.

Step 4: Change the Application’s Organization ID

By default, every application is created under the Organization ID ‘global’. The super administrator (who has full privileges) must change the Organization ID of each application to the value used in the policy rule so that the respective application administrator can manage it.

[Screenshot: step4.1.png]

Click Edit to change the Organization ID. Enter it exactly as in the policy rule, in lowercase.

[Screenshot: step4.12.png]

Once this is done, a user assigned to the policy sees only the applications whose Organization ID matches the rule when they log in to the administration console. Verify the result by logging in as one of the assigned users and confirming that applications under other Organization IDs, including those still under ‘global’, are not listed.

[Screenshot: step4.13.png]
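To make the decision logic behind Steps 1 to 4 concrete, here is a small model of how the configured policy is evaluated against the applications in a tenant. This is example code added for this post, not SAP code and not the IAS API: the attribute path ‘application.organization’, the base policy names and the default Organization ID ‘global’ come from the steps above; exact, case-sensitive rule matching is an assumption drawn from the lowercase note in Step 2; the tenant, users and application names are constructed for the example.

```python
"""Illustrative model of IAS policy-based authorisation for the administration
console. Example code for this post, not SAP code and not the IAS API.
Assumptions: rules are exact, case-sensitive attribute matches; a user added
through the 'Administrator' tile sees every application regardless of policies.
The sample tenant below is constructed for the example."""
from dataclasses import dataclass, field, replace

READ, UPDATE, DELETE = "READ_APPLICATIONS", "UPDATE_APPLICATIONS", "DELETE_APPLICATIONS"


@dataclass(frozen=True)
class Application:
    name: str
    organization: str = "global"  # IAS assigns 'global' to a new application (Step 4)


@dataclass
class AuthorizationPolicy:
    name: str
    base_policies: frozenset   # actions the policy grants, e.g. READ_APPLICATIONS
    rules: dict                # attribute path -> required value; every rule must match


@dataclass
class Administrator:
    user_id: str
    tenant_wide_admin: bool = False   # added via the 'Administrator' tile: all applications
    policies: list = field(default_factory=list)


def attribute_value(app, path):
    """Resolve a rule attribute such as 'application.organization' against an application."""
    scope, _, attr = path.partition(".")
    if scope != "application" or not hasattr(app, attr):
        raise KeyError(f"unknown policy attribute {path!r}")
    return getattr(app, attr)


def rules_match(policy, app):
    """Exact, case-sensitive match (assumed): a rule value 'S4HANA' does not match 's4hana'."""
    return all(attribute_value(app, path) == required for path, required in policy.rules.items())


def permitted(admin, action, app):
    """True if the administrator may perform `action` on `app`."""
    if admin.tenant_wide_admin:
        return True
    return any(action in p.base_policies and rules_match(p, app) for p in admin.policies)


def visible_applications(admin, apps):
    """The Applications list shown after login: everything the administrator may read."""
    return [a.name for a in apps if permitted(admin, READ, a)]


def move_to_organization(app, organization):
    """Step 4: the super administrator edits the application's Organization ID."""
    return replace(app, organization=organization)


# Constructed sample tenant: one IAS tenant shared by several SAP Cloud solutions.
S4HANA_APP = Application("S/4HANA Public Cloud", organization="s4hana")
BTP_APP = Application("SAP BTP subaccount", organization="btp")
NEW_APP = Application("Newly registered application")   # still 'global': Step 4 not done yet
TENANT_APPS = [S4HANA_APP, BTP_APP, NEW_APP]

S4HANA_POLICY = AuthorizationPolicy("Manage S/4HANA applications",
                                    frozenset({READ, UPDATE, DELETE}),
                                    {"application.organization": "s4hana"})
# Same policy with the Organization ID typed in upper case: the mistake the Step 2 note warns about.
MISCASED_POLICY = replace(S4HANA_POLICY, name="Miscased policy",
                          rules={"application.organization": "S4HANA"})

SUPER_ADMIN = Administrator("super.admin@example.com", tenant_wide_admin=True)
S4HANA_ADMIN = Administrator("s4.admin@example.com", policies=[S4HANA_POLICY])
MISCASED_ADMIN = Administrator("typo.admin@example.com", policies=[MISCASED_POLICY])

if __name__ == "__main__":
    for admin in (SUPER_ADMIN, S4HANA_ADMIN, MISCASED_ADMIN):
        print(f"{admin.user_id:>24} sees: {visible_applications(admin, TENANT_APPS)}")
    print("S/4HANA admin may delete BTP app:", permitted(S4HANA_ADMIN, DELETE, BTP_APP))
    print("S/4HANA admin sees new app before Step 4:", permitted(S4HANA_ADMIN, READ, NEW_APP))
    print("... after Step 4:", permitted(S4HANA_ADMIN, READ, move_to_organization(NEW_APP, "s4hana")))
```

Running the model shows the three outcomes the procedure produces: the tenant-wide administrator sees every application, the S/4HANA administrator sees only the application whose Organization ID equals the rule value (and not the one still under ‘global’ until Step 4 moves it), and a policy whose Organization ID was typed with the wrong case grants access to nothing.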

Conclusion

By following these steps you can establish granular application access control in SAP Cloud Identity Services, so that each administrator has only the access their responsibilities require. This enforces least privilege for administrators and simplifies application management in a shared Cloud Identity Services tenant.

If you have questions or want to share your experiences managing access control in IAS, please comment below!
