Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 


In today's interconnected business landscape, SAP Cloud Integration plays a crucial role in ensuring seamless data flow and integration across various systems. While SAP's inherent security measures are robust, implementing best practices and utilizing advanced tools can provide an additional layer of protection. We will delve into the world of Custom IDP, Custom Domains, Roles, and Access Policies. In this blog post will provide a detailed overview of these topics, highlighting their significance and the security benefits they bring to SAP Cloud Integration.

‎ ‎‎ ‎‎ ‎

Providing Secure Roles for SAP Cloud Integration:

Roles in SAP Cloud Integration enable you to control user access and permissions effectively. Follow these steps to provide secure roles:

  1. Define Role-Based Access Control (RBAC): Identify the functional responsibilities within your organization and create roles accordingly. Assign the appropriate permissions to each role to ensure a granular level of access control. For this, you can create the role collections.

  2. Regularly Review and Update Roles: Periodically review the roles and permissions assigned to users to ensure they align with organizational changes and adhere to the principle of least privilege. Remove or adjust unnecessary access rights promptly.

  3. Implement Principle of Least Privilege (PoLP): Assign only the necessary permissions to each role, ensuring that users have access to the minimum resources required to perform their tasks. This approach reduces the risk of unauthorized actions. There are many cases where the Admin user provides unnecessary roles to a user, and this can lead to future problems.

      • For example, providing a Read Only role collection (AuthGroup.ReadOnly for NEO and PI_Read_Only for Cloud Foundry) for a user to be able to view iflows created. A more efficient solution that leaves no loopholes is to use a role collection WebToolingWorkspace.Read (for Neo) or WorkspacePackagesRead (for CF) that will enable only viewing of Packages and Integration flows for the user, thus preventing the user from seeing the Keystore and other important data (that will occur if you set the Read Only role for the user).

        1. Difference between Role and Role Collection: Roles and Role Collections 

        2. Overview of all Cloud Integration roles: Tasks and Permissions

        3. Predefined roles (collection): Persona

Benefits of using roles appropriately:

    • Granular Access Control: By creating roles based on functional responsibilities and assigning appropriate permissions, you can achieve a granular level of access control. This ensures that users only have access to the resources necessary to perform their tasks, reducing the risk of unauthorized actions.

    • Principle of Least Privilege (PoLP): Following the PoLP principle ensures that users have access to the minimum resources required for their tasks. By assigning only necessary permissions, you limit the potential impact of any compromised accounts and minimize the attack surface.

    • Regular Review and Updates: Periodically reviewing and updating roles is crucial for maintaining the security of your SAP Cloud Integration environment. It allows you to align roles with organizational changes and remove or adjust unnecessary access rights promptly. This reduces the risk of role accumulation and unauthorized access over time.

    • Mitigation of Admin User Risks: Providing unnecessary roles to users, often done by admin users, can introduce security risks. By following RBAC principles, will prevent exposure to sensitive data and will keep your Cloud Integration safe from possible errors, like deleting an iflow, keystore, or something else by users who don't have the knowledge but have the roles.

    • Minimized Data Exposure: Assigning role collections with specific permissions limits users' visibility to only the required resources. This reduces the chances of accidental or unauthorized access to sensitive information

‎ ‎

Custom Domains in SAP BTP:

A custom domain is a domain name that you can use to access your SAP BTP applications. For example, instead of accessing your integrations at, you could access them at Using a custom domain can make your applications more secure by making it more difficult for unauthorized users to access them.

To use a custom domain with SAP Cloud Integration, you need to create a DNS record for the domain name. You also need to configure SAP Cloud Integration to use the custom domain:

Benefits of using custom domains:

    • Enhanced User Experience: Custom domains provide a consistent user experience, strengthening trust in the platform by aligning it with your organization's brand.

    • Increased Security Awareness: A custom domain helps users identify and authenticate with your organization's SAP Cloud Integration instance, reducing the risk of falling prey to phishing attacks.


Custom IDPs in SAP BTP:

A custom IDP is an identity provider that you can use to authenticate users in SAP BTP. By using a custom IDP, you can integrate SAP Cloud Integration with your existing identity management system. This can make your integrations more secure by centralizing user authentication.

To use a custom IDP with SAP Cloud Integration, you need to configure SAP Cloud Integration to use the custom IDP. You also need to configure the custom IDP to trust SAP Cloud Integration:

Benefits of using custom IDPs:

    • Single Sign-On (SSO): Custom IDP integration enables users to log in to SAP Cloud Integration using their existing credentials, reducing the need for multiple passwords and enhancing security by leveraging strong authentication mechanisms provided by the IDP.

    • Centralized User Management: By connecting to your organization's IDP, you can streamline user provisioning and provisioning processes, ensuring consistent access control across systems.

For further details about Custom IDPs:

‎ ‎ ‎

Access Policies in SAP Cloud Integration:

Access policies are a way to restrict access to specific artifacts in SAP Cloud Integration. For example, you could create an access policy that only allows users with the Integration Developer role to access a particular integration flow and APIs. Access policies can be used to further secure your integrations by preventing unauthorized users from accessing sensitive data.

To create an access policy, you need to specify the artifacts that you want to protect and the users or groups that you want to grant access to. You can also specify the permissions that you want to grant to the users or groups.

Benefits of using access policies:

    • Resource-Specific Access Controls: Access policies allow you to specify who can perform specific operations on integration artifacts, such as creating or modifying integration flows or accessing APIs

    • Authorization Enforcement: With access policies, you can enforce authorization rules based on user roles and permissions, ensuring that only authorized users can perform critical actions. As it let you restrict access to integration artifacts and their associated data.

    • Compliance and Auditability: Access policies enable you to track and monitor user activities, providing an audit trail for compliance purposes.

For example:

    • Let us assume that a custom role is created/activated in the SAP BTP account cockpit for the HR department and the users of the HR department are assigned to the custom role, an Access policy is created, and the integration flows of the HR department are referenced to the custom role. Now, if a user who doesn’t belong to the HR department tries to perform any operations on the HR integration flows, then they will be restricted and shall see an error message.

For further details of Access Policies:

‎ ‎ ‎ ‎


In this blog post, we explored how to provide secure roles in SAP Cloud Integration, the benefits of using custom domains and custom IDPs in SAP BTP, and the significance of access policies in ensuring a robust security framework. By following best practices such as role-based access control, custom domains, custom IDP integration, and access policy enforcement, organizations can strengthen the security posture of their SAP Cloud Integration deployments. Safeguarding your integration scenarios is vital for maintaining data integrity, confidentiality, and business continuity in today's interconnected world. You can also check the guides below for more information about security in your SAP Cloud Integration:

For Cloud Foundry:

For Neo: