You want to restrict access to an application to specific users only. Can you do this with SAP Cloud Identity Services - Identity Authentication?
Sure, you can do it via the Private option in User Application Access. The procedure is described in the official documentation of the product in Configure User Access to the Application. The result is that only the users registered by the application can log on. The others can’t.
Perfect! So, your job is done.
But is there an alternative to that?
Of course, there is. Risk-Based Authentication in Identity Authentication offers you that alternative. Instead of registering the users for the specific application and thus restricting the access only to them, you create a user group and restrict the access to the users that belong to that group. All you have to do is create a user group, assign the users to the group, and restrict the access to that group.
That doesn't sound too difficult. Why not try it yourself? Just follow these steps:
Create User Group
- Choose the User Groups tile under User and Authorizations in the Administration Console for SAP Cloud Identity Services.
- Choose the Create button.
- Fill in the required fields and confirm the creation of the group. The new group appears in the list of the groups on the left.
Assign Users to the Group
- Choose the User Management tile under User and Authorizations in the Administration Console.
- Choose user Donna Moore to assign her to the "HR" user group.
- Choose the User Groups tab and then the Assign Groups button.
- Select the checkbox next to the group you want to assign the user to and save your changes. Now the user is a member of that group. You can check this by choosing the User Groups tile in the Administration Console and selecting your group.
Restrict User Access Based on the Group
- Choose the Applications tile under Applications and Resources in the Administration Console.
- Choose the application that you want to restrict the access to and choose Risk-Based Authentication under the Authentication and Access tab.
- Create a rule for the chosen application. In the pop-up window choose Allow for Action, and select your group from the drop-down list of the cloud groups.
- Choose Deny for Default Authentication Rule. As a result, only users that belong to the "HR" group will have access to the application. The other users will be rejected when they try to log on. They will get the following message: "Sorry, but you are currently not authorized for access".
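The last step is the one that actually closes the door, and the following added example (a simplified model written for this page, not SAP code or an SAP API) shows why: it compares the configuration above with the same Allow rule left on a default of Allow. It assumes that rules are checked in order, that the first matching rule decides, and that the default rule applies when none match; "Other User" and "No Groups" are constructed sample users.

```python
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"

@dataclass(frozen=True)
class Rule:
    action: str  # "Allow" or "Deny", as chosen in the rule pop-up
    group: str   # user group the rule applies to

def decide(user_groups, rules, default_action):
    """Assumed semantics: first rule whose group matches wins, else the default."""
    for rule in rules:
        if rule.group in user_groups:
            return rule.action
    return default_action

def audit(rules, default_action):
    """Flag configurations where the group rule does not restrict as intended."""
    findings = []
    if default_action == ALLOW:
        findings.append("default rule is Allow: users outside the listed groups still get in")
    if default_action == DENY and not any(r.action == ALLOW for r in rules):
        findings.append("default rule is Deny and no Allow rule exists: nobody can log on")
    return findings

# Constructed sample data: Donna Moore and "HR" come from the steps above,
# the other two users are hypothetical.
USERS = {"Donna Moore": {"HR"}, "Other User": {"Sales"}, "No Groups": set()}
RULES = [Rule(ALLOW, "HR")]

def access_report(rules, default_action):
    """Decision per sample user for a given rule list and default action."""
    return {name: decide(groups, rules, default_action)
            for name, groups in USERS.items()}

if __name__ == "__main__":
    for default in (DENY, ALLOW):
        print(f"Default Authentication Rule = {default}")
        for name, action in access_report(RULES, default).items():
            print(f"  {name:12} -> {action}")
        for finding in audit(RULES, default):
            print(f"  finding: {finding}")
```
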
If you find Risk-Based Authentication interesting and useful, you can find more about it in Configure Risk-Based Authentication for an Application | SAP Help Portal and Configure Default Risk-Based Authentication for All Applications in the Tenant | SAP Help Portal.