Technology Blogs by SAP
This blog is targeted at the people in your company who manage users and authorizations and want to upskill on how identity management works on SAP Business Technology Platform (BTP). In this blog, I will highlight only some BTP security-relevant topics. To get a full BTP security overview, I highly recommend that you start with the 1-hour learning journey on the SAP Learning site.

If you work in the security department of your company, are responsible for managing SAP users, and your company has purchased a BTP account, you will probably be the one who takes care of user management there too. Congrats on that!

Now, you’re probably wondering how to do that and how different it is from what you’re used to in SAP Business Suite or SAP S/4HANA on-premise. I have to admit, the user creation itself is easy, and so is assigning authorizations to users. However, the concept is quite different. A classic SAP on-prem system has its own user store, which you maintain in transaction SU01. Your team, or another team, also takes care of creating roles in PFCG and generating authorization profiles. Compared to that, BTP does not have its own user store. It uses the concept of identity federation, which means that the “cloud identity” (user) is stored in an identity provider (IdP). BTP acts only as a service or resource provider. So, for a user to log on to the BTP cockpit, they need an account in the identity provider.

Supported Identity Providers

SAP BTP can work with several identity providers. By default, SAP ID Service is used, which is an IdP provided by SAP. Normally, your S-User is stored there. For SAP ID Service, no configuration is needed. It is always there and cannot be deactivated.

Additionally, customers can use the Identity Authentication service (IAS), which comes bundled with BTP or other cloud solutions as part of SAP Cloud Identity Services. IAS offers users a basic authentication option by storing the username and password locally, which end users then have to enter manually. This is, however, not ideal with regards to security. To ensure secure authentication, IAS also enables single sign-on, allowing authentication with client certificates (X.509) or via Kerberos/SPNEGO. End users benefit from that option too, as they don’t have to enter their credentials manually.

Both SAP ID Service and IAS can be used as IdPs for the global account or the subaccount. For subaccounts, administrators can also manually configure custom third-party IdPs that are based on the SAML 2.0 protocol. This can be, for example, Azure Active Directory.

User Categories

SAP BTP differentiates between two categories of users: platform users and business users. Platform users are usually administrators or others who work with the BTP cockpit or the BTP CLI (they could be developers too). Business users are the end users of the services, be it standard BTP services like SAP Build Apps or SAP Business Application Studio (BAS), or custom applications. Those users do not log on to the BTP cockpit.

The user categories are not something that you select when creating a new user. The differentiation is based more on the place where you store the identities – the IdP. SAP ID Service can store both platform and business users, but most probably you will not use this IdP for business users. Business users are your end users working with business applications, meaning the employees of your company or the customers/partners of your company. Especially for employees, your company already has a user store, e.g. Microsoft Active Directory, which you want to reuse. You can configure this IdP for the subaccount directly, or you can connect it indirectly via the Identity Authentication service (recommended), which serves as a proxy. You can configure a custom IdP only for subaccounts, not for the global account, because the subaccount is where your business applications are running.

You can also configure IAS for platform users. You have to do that for the entire global account, though. The screenshot below shows a possible configuration in a subaccount. As you can see, there is a default IdP already configured, there is an IAS configured as custom IdP for platform users, which is inherited from the global account, and there is an IAS (the same one) configured as custom IdP for applications (business users).

Shadow Users

Identity federation is used in most cloud products. If the user has an account in the IdP, does this mean that they can log on to every cloud product? Not exactly. BTP, for example, uses the concept of shadow users. This means that the user also has to be listed in the BTP entity (global account or subaccount). This can be done manually by the administrator, or the user can be created automatically at logon. You can select this option for each configured IdP separately.

If this option is selected, the user is created automatically during logon and entered into the users list (Subaccount --> Security --> Users). However, authorizations still need to be assigned via role collections on BTP.
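
To make the federation and shadow-user concepts from the sections above concrete, here is an added, illustrative in-memory model. It is not SAP code and does not call any BTP API; the origin keys (`sap.default`, `ias-company-tenant`), e-mail addresses and role-collection names are constructed sample values. It shows the three separate decisions a logon goes through: is the asserting IdP trusted by the subaccount, does a shadow user exist (or may one be auto-created for this IdP), and has a role collection been assigned. The last point is the one that surprises many on-prem administrators: an auto-created shadow user is authenticated but has no authorizations until a role collection is assigned.

```python
# Added illustrative model of BTP identity federation, shadow users and role
# collections. This is NOT SAP code: it is a toy in-memory simulation written to
# show how the pieces relate. Origin keys and role-collection names are
# assumptions / constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Identity:
    """What the IdP asserts about the user after a successful authentication.
    BTP itself stores no password: it only receives this federated identity."""
    origin: str  # key of the trust configuration (IdP) that authenticated the user
    email: str   # user identifier as asserted by the IdP


@dataclass
class TrustConfiguration:
    """One IdP configured in a subaccount (Security -> Trust Configuration)."""
    origin: str
    create_shadow_users_on_logon: bool = False  # the per-IdP option from the text


@dataclass
class ShadowUser:
    """The entry in the subaccount's user list. Carries no credentials, only
    the link to the IdP identity plus the assigned role collections."""
    origin: str
    email: str
    role_collections: Set[str] = field(default_factory=set)


class Subaccount:
    def __init__(self, trusts: List[TrustConfiguration]) -> None:
        self.trusts: Dict[str, TrustConfiguration] = {t.origin: t for t in trusts}
        self.users: Dict[Tuple[str, str], ShadowUser] = {}

    def add_user(self, origin: str, email: str) -> ShadowUser:
        """Administrator creates the shadow user manually (Security -> Users)."""
        if origin not in self.trusts:
            raise ValueError(f"no trust configuration for IdP '{origin}'")
        return self.users.setdefault((origin, email), ShadowUser(origin, email))

    def assign_role_collection(self, origin: str, email: str, role_collection: str) -> None:
        """Authorizations on BTP are granted only via role collections."""
        self.users[(origin, email)].role_collections.add(role_collection)

    def logon(self, identity: Identity) -> ShadowUser:
        """Federated logon: the IdP has already authenticated the user; BTP now
        checks the trust and whether a shadow user exists or may be created."""
        trust = self.trusts.get(identity.origin)
        if trust is None:
            raise PermissionError(f"IdP '{identity.origin}' is not trusted by this subaccount")
        key = (identity.origin, identity.email)
        user = self.users.get(key)
        if user is None:
            if not trust.create_shadow_users_on_logon:
                raise PermissionError(f"{identity.email} has no shadow user and auto-creation is off")
            # Auto-created shadow user: listed, but with NO role collections yet.
            user = ShadowUser(identity.origin, identity.email)
            self.users[key] = user
        return user

    def is_authorized(self, identity: Identity, role_collection: str) -> bool:
        """Successful authentication does not mean authorized: the role
        collection must have been assigned to the shadow user."""
        try:
            user = self.logon(identity)
        except PermissionError:
            return False
        return role_collection in user.role_collections


def build_demo_subaccount() -> Subaccount:
    """Constructed sample: SAP ID Service without auto-creation, an IAS tenant
    with auto-creation. Origin keys are assumed sample values."""
    sub = Subaccount([
        TrustConfiguration("sap.default", create_shadow_users_on_logon=False),
        TrustConfiguration("ias-company-tenant", create_shadow_users_on_logon=True),
    ])
    sub.add_user("sap.default", "admin@example.com")
    sub.assign_role_collection("sap.default", "admin@example.com", "Subaccount Administrator")
    return sub


if __name__ == "__main__":
    sub = build_demo_subaccount()
    newcomer = Identity("ias-company-tenant", "dev@example.com")
    user = sub.logon(newcomer)  # created on the fly because the IAS trust allows it
    print(user)
    print(sub.is_authorized(newcomer, "Subaccount Administrator"))  # False until assigned
```

Running the block shows the newcomer appearing in the user list after their first logon with an empty set of role collections, and `is_authorized` returning `False` until an administrator assigns one. A logon asserted by an IdP with no trust configuration, or by SAP ID Service for an e-mail that was never added manually, is refused before any authorization question arises.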

These are only a few of the BTP security basics I wanted to share with you in this blog. For the complete picture, please start the Introducing Cloud Security on SAP Business Technology Platform learning journey and visit the SAP Learning site for more.

Fill the gap through upskilling and enjoy SAP’s learning offerings on the SAP Learning site. This article is created and brought to you by SAP Product Learning CoE experts!