You are an administrator at SAP Cloud Identity Services, but the standard predefined administrator roles that are offered to you, such as Manage Users or Read Users, are not flexible or fine granular enough for your user management needs and scenarios. If you are looking for a solution to that problem, then you are in the right place.
Tenant administrators in SAP Cloud Identity Services are offered a predefined set of roles (authorizations) that provide a full set of permissions in a particular area. The administrators can get some roles assigned, but their scope (set of permissions) can’t be modified, and very often it’s too broad.
However, you may need to define authorization models with more complex restrictions for data access, like the so-called Attribute-Based Access Control (ABAC). So, with the need for finer granular separation of the administration work, the new feature of SAP Cloud Identity Services for admin authorizations based on policies (aka delegated administration for user management) comes as a solution for that need. In other words, administrators define custom authorization policies based on user attributes and assign these policies to other administrators or users, thus delegating them granular administrator rights. In this way, one administrator can have access to a subset of the users in the tenant and further to a subset of the attributes of these users.
So, this recently released feature offers the opportunity for delegating specific responsibilities for user management to different administrators by precisely limiting the user data an administrator can access and control. This helps to reduce manual administration efforts for user management and identity provisioning and avoid work disruption by leveraging the suite quality “consistent security and identity management” for an intuitive login process within your intelligent sustainable enterprise.
This fine granular access control is based on a generic Authorization Management functionality provided by SAP Cloud Identity Services for which you can read more at Configuring Authorization Policies.
So, let’s see how the user management admin access can be restricted to a subset of the whole user base.
Using the predefined Base Policies for users (CREATE_USERS, READ_USERS, UPDATE_USERS, DELETE_USERS, MANAGE_USERS) you can define a custom one with restriction rules based on the values of some user attributes. In this way you limit the corresponding permission granted by the base policy, so it will be relevant only for the subset of users that match the specified rule.
You can restrict for which users the admin gets the corresponding access level (permission), based on the following user attributes:
User Attributes | |
Attributes | Value |
user.userName | The Login Name attribute of the user as defined in the administration console. |
user.addresses.country | The Country attribute part of the address in the personal user information. The value must match the predefined master data one. See Countries.properties. Tip Use the key from the key-value pair for the value of the user.country attribute. For example, you must use DE from the key-value pair DE=Germany. |
user.costCenter | The Cost Center of the user, part of the employee information. |
user.division | The Division of the user, part of the employee information. |
user.department | The Department of the user, part of the employee information. The value must match the predefined master data one. See Departments.properties. |
user.organization | The Company of the user, part of the company information. |
You can also limit the attributes of the users that the admin can access by configuring one of the following attributes in your custom policy:
User Attributes | |
Attributes | Value |
user.attributes | Allows you to define a subset of the user attributes (by listing them in the value field separated with commas) that the admin would be able to access. User attributes that are not part of the SCIM Core Schema must be specified with their fully qualified name that includes the corresponding schema. Note: If the user.аttributes is used with the "=" operator, it supports only one attribute. For more attributes, use the "IN" operator adding each attribute separately. Note: If you use the attribute ‘password’, you must also add the following two attributes: ‘active and ‘urn:ietf:params:scim:schemas:extension:sap:2.0:User:status’. |
Deprecated user.excludedAttributes
| Note: The user.excludedAttributes attribute is deprecated. If you have a policy configured with the user.excludedAttributes attribute, exchange the user.excludedAttributes with the user.attributes attribute in combination with the "NOT IN" operator. If the policy is configured with the user.аttributes attribute used with the "=" operator, it supports only one attribute. For more attributes, use the "IN" operator adding each attribute separately. |
Important:
The user attributes that currently can be used for user.attributes, and user.excludedAttributes restrictions are listed in the Supported Attributes chapter.
For the attributes defined in the core schema, the Schema URI notation [urn:ietf:params:scim:schemas:core:2.0:User] is not needed, for all the other attributes, schema URI and the attribute name is required.
Еxample: user.attributes IN displayName, addresses.country, emails.value;
All Enterprise user resource schema attributes require the schema URI [urn:ietf:params:scim:schemas:extension:enterprise:2.0:User] and the attribute name.
Еxample: user.attributes IN urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization;
Note:
All SAP Extension user resource schema attributes require the schema URI [urn:ietf:params:scim:schemas:extension:sap:2.0:User] and the attribute name.
Еxample: user.attributes=urn:ietf:params:scim:schemas:extension:sap:2.0:User:userUuid
To illustrate how the new feature can be used to establish delegated administration, let’s have look a simple scenario with two administrators that should have different access level to the users:
Michael’s position in the company requires that he acts as a “super admin”.
Dona on the other hand, should have access only to the users that are in the USA. Further she should be able to see only a limited set of user details - the display name, username, email, company, and the address of the users in the USA. In addition, she should be able to help these users if they cannot log in, so she needs permissions to unlock user account, set initial password or send emails in case of forgotten password (again only for users in USA).
Michael’s task is to allow Dona to perform her duties in the Administration Console of SAP Cloud Identity Services.
Michael performs the following configurations to provide the necessary access for Dona:
I. Create a new custom policy that grants restricted read-only permissions.
3. Save the policy.
II. Create a new custom policy that grants restricted update permissions.
III. Create a new custom policy that combines the custom policies created from procedures I. and II.
IV. Assign the US_SUPPORTER policy to Dona
Because Michael is super admin, when he signs in he can see all the users in the admin console:
He can also update the personal and company information of the users:
Dona, on the other hand can see only the users in the USA, after signing in to the administration console:
She can't update their personal and company information:
But, because Dona is assigned to the RESET_PASSWORD_US policy, she can also unlock a user:
And set the initial password for the unlocked user:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
23 | |
12 | |
12 | |
9 | |
9 | |
9 | |
8 | |
8 | |
6 | |
6 |