Technology Blogs by SAP
Product and Topic Expert
In order to use the SAP Cloud Platform Backend service, your user needs to be configured with the required authorizations, i.e. roles.

This blog explains which steps need to be done.

This blog is part of a series of tutorials explaining the usage of SAP Cloud Platform Backend service in detail.


You have to be subscribed to the SAP Cloud Platform Backend service.
See here for guidance


View the roles and role templates

Go to the Backend service overview page:
Log on to your trial account -> Cloud Foundry -> yourSubaccount -> "Subscriptions" -> click on Backend service tile

Once the overview page is opened, expand "Security" in the left navigation pane and click on "Roles".



Here you can see that 2 default role instances are already generated for you:

"Admin" and "AllAccess"

So you don't need to do anything here.
You can see that the roles are based on templates.
So you can click on "Role Templates" to view the description.

Or, even better, you can read my own short explanation:

The good old Admin is the one who believes he is all-mighty.... but in fact, poor him, he is not.
The "Admin" role enables the user to access the Backend service cockpit and also to use it.
That means, he can create APIs and monitor their usage.
From my understanding, it is like a "developer" role, because the API is designed and created from scratch.
Anyway: he cannot access the APIs. That means he cannot invoke the (OData) services.

A user who has the "AllAccess" role is allowed to access the APIs, i.e. he is allowed to use the (OData) services.
All APIs.
But: he cannot create APIs.

There's a third role for fine-grained assignment of authorizations, but we ignore it for now.

OK, still nothing to do here.
Not here, but anywhere else?

Yes, somewhere you have to somehow assign both roles to yourself.
Yes, both roles because we need them in the tutorials.


Create and Configure Role Collection

I don't see any Role Collection
Yes, Role Collections are available for the whole Identity Zone, i.e. Subaccount:
So we have to go to the (BETA-enabled) Subaccount.
Still don't see

In the left navigation pane, expand “Security”: Here they are!
Click on “Role Collections”.
Create a Role Collection and give it a name of your choice

This creates an empty collection.
Click on the new role collection, in order to fill the collection with roles

In the role collection screen, click on “Add Role”

In the dialog, choose “Backend-service” as Identifier,
choose the “Admin” role template
and also the existing corresponding role “Admin”

After “Save”, repeat the procedure to add another role: “AllAccess”


Assign Role Collection

Now that the role collection is created and configured, it needs to be used.

Again, in your Subaccount, expand the “Security” entry in the navigation pane on the left side and click on “Trust Configuration”

Then click on your identity provider, in most cases the “SAP ID Service”

This takes you to the "Role Collection Assignment" screen of the "Trust Configuration"

Enter your mail address (your Trial user) and press “Show Assignments”

Result: nothing

BUT: the “Assign Role Collection” gets enabled.

So click it

The subsequent dialog offers your new role collection
Select it then press “Assign Role Collection” on the dialog

As a result, the role collection is assigned to your user (mail) which is maintained in your identity provider.


That’s it.

Now you can access the Backend service.

Go back to your "beta"-enabled Subaccount -> Subscriptions -> Backend service -> Go to Application
And log in

If you still get an error message telling you that you don't have authorization: try reloading your browser, i.e. close and reopen it.
If you still get an error message, try to log off and log on again.
If you still get an error message, try a different browser, buy a new laptop, whatever, but don't believe the error message...
Maybe you only need to wait until the invalid JWT token, which reached the Backend service application, expires...
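
The stale-token case above can be checked directly. The following is an added example, not part of the original blog and not SAP code: it decodes a JWT payload locally and reports whether the token already carries the new scopes and how long it remains valid. Assumptions: the token lists its authorizations in a `scope` claim, the scope names in `REQUIRED` are hypothetical placeholders, and the sample token is constructed.

```python
import base64
import json
import time

# Hypothetical scope names (assumption): read the real ones from your own token.
REQUIRED = {"backend-service.Admin", "backend-service.AllAccess"}

def decode_payload(token: str) -> dict:
    """Return the JWT claims WITHOUT verifying the signature (local diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def diagnose(token: str, required: set, now: float = None) -> dict:
    """Explain why a token may still be rejected after the role collection was assigned."""
    claims = decode_payload(token)
    now = time.time() if now is None else now
    scope = claims.get("scope", [])  # assumed claim name; list or space-separated string
    granted = set(scope.split() if isinstance(scope, str) else scope)
    missing = required - granted
    remaining = int(claims.get("exp", 0) - now)  # "exp" is the standard expiry claim
    if remaining <= 0:
        advice = "token expired: log on again to obtain a fresh one"
    elif missing:
        advice = "token predates the role assignment: log off and on again, or wait for expiry"
    else:
        advice = "token already carries the scopes: the error has another cause"
    return {"missing": sorted(missing), "seconds_left": remaining, "advice": advice}

def make_sample_token(scopes, exp) -> str:
    """Build a constructed, unsigned sample token for the demonstration."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    payload = enc({"scope": scopes, "exp": exp})
    return f"{header}.{payload}.constructed-signature"

if __name__ == "__main__":
    # Constructed case: token issued before the role collection was assigned.
    stale = make_sample_token(["openid"], exp=int(time.time()) + 600)
    print(diagnose(stale, REQUIRED))
```

Because the signature is not verified, use this only to read your own token while troubleshooting, never to make an authorization decision.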



In this blog you've learned about the roles that are provided and required by the Backend service application.
In order to use Backend service, you have to assign these roles to your user.
This is done by adding the roles to a role collection, then assigning the collection to your user.

For more information and advanced power-user role configuration, see this blog