Granular Application Access Control in SAP Cloud Identity Services: A Step-by-Step Guide


For organisations using SAP BTP, SAP S/4HANA Public Cloud, and other SAP Cloud solutions, running a single SAP Cloud Identity Services (Identity Authentication, IAS) tenant for all applications is common. The default administrator roles, however, grant full privileges across the whole administration console and offer no way to scope an administrator to a subset of the registered applications.

When you add a user as an administrator through the ‘Administrator’ tile, that administrator automatically gains access to all applications. This does not support effective permission management at the application level.

Why Application Access Control Matters

Implementing granular access control is crucial for security and compliance. It ensures that each administrator can manage only the applications relevant to their role, which reduces the risk of unauthorised changes and limits the impact of a compromised or misused administrator account.

So, how can you ensure that an SAP BTP administrator can manage only the BTP application while an S/4HANA administrator works solely on the S/4HANA application? IAS supports policy-based authorisation, which allows more specific access controls: an administrator with sufficient rights defines authorisation policies based on application attributes and assigns those policies to other administrators. Each administrator then has access only to the applications that match the policy rules.

Scenario

A user is the administrator responsible for the applications created for S/4HANA within SAP Cloud Identity Services. Your organisation uses a single Cloud Identity Services tenant for all SAP Cloud solutions, and you want to limit that user's access to the S/4HANA application only.

Prerequisites

Ensure you have administrative permissions in SAP Cloud Identity Services with the following authorisations:

- Manage Applications
- Manage Groups
- Read Users

Step-by-Step Implementation

Reference: Configuring Authorization Policies

Step 1: Enable Policy-Based Authorization

1. Navigate to Applications & Resources and select Tenant Settings.
2. Under General, choose Policy-Based Authorizations.
3. Enable Policy-Based Authorization.

Step 2: Create Authorization Policy

1. In Applications & Resources, go to Applications.
2. Under System Applications, select the administration console application.
3. In the Authorization Policies tab, create a policy that restricts access.

Select the base policies the new policy derives from: READ_APPLICATIONS, UPDATE_APPLICATIONS and DELETE_APPLICATIONS. Include DELETE_APPLICATIONS only if this administrator genuinely needs to remove application registrations; otherwise leave it out to keep the policy to the minimum required.

In the Rules tab, click '+' and add a rule on the 'application.organization' attribute, entering the Organization ID of the applications this administrator is allowed to manage.

Note: Ensure that the 'Organization ID' you enter is in all lowercase letters; otherwise the rule will not match the applications it is meant to cover.

Step 3: Assign Users to Authorization Policy

1. Click on the Assignments tab.
2. Click Add, choose the users you want to include in the policy, and then click Add again. This grants them access according to the defined rules.

These users are authorised to access and use the resources with the rules and restrictions defined in the authorisation policy.

Step 4: Change the Application’s Organization ID

Applications are created under the 'global' Organization ID by default, so an administrator restricted to a specific Organization ID will not see any of them yet. The super administrator (with full privileges) needs to change the Organization ID for each application so that the respective application administrator can manage it.

Click on Edit to change the Organization ID.

Once configured, restricted administrators see only the applications whose Organization ID matches their policy rule when they log in.
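To make the effect of Steps 2 to 4 concrete, the following is an added example in Python, not SAP code: it models the policy semantics described above (a policy derived from base policies, restricted by a rule on application.organization, assigned to users) and walks through the scenario of this guide. The data model, the user and policy names, the assumption that an empty rule set means "unrestricted", and the assumption that the tenant stores Organization IDs in lowercase while rule values are compared verbatim (which is one explanation for the lowercase note) are all constructed for the illustration.

```python
"""Illustrative model of IAS policy-based authorization for the administration console.

Added example, not SAP code. Data model, normalisation behaviour, names and
sample data are assumptions made so the guide's steps can be reasoned about offline.
"""
from dataclasses import dataclass, replace

BASE_POLICIES = frozenset({"READ_APPLICATIONS", "UPDATE_APPLICATIONS", "DELETE_APPLICATIONS"})
DEFAULT_ORGANIZATION = "global"  # the default Organization ID named in Step 4


@dataclass(frozen=True)
class Application:
    """An application registered in the tenant (hypothetical data model)."""
    name: str
    organization: str = DEFAULT_ORGANIZATION


@dataclass(frozen=True)
class AuthorizationPolicy:
    """A policy derived from base policies, optionally restricted by a rule on
    application.organization. Assumption: an empty rule set means unrestricted."""
    name: str
    base_policies: frozenset
    organization_rule: frozenset = frozenset()
    assignees: frozenset = frozenset()


def stored_organization_id(value: str) -> str:
    # Assumption behind the lowercase note: stored IDs are lowercase, rule
    # values are compared verbatim, so an uppercase rule value never matches.
    return value.strip().lower()


def policy_warnings(policy: AuthorizationPolicy) -> list:
    """Lint a policy before assigning it: unknown base policies and rule values
    that can never match a stored (lowercase) Organization ID."""
    warnings = []
    for base in sorted(policy.base_policies - BASE_POLICIES):
        warnings.append(f"{policy.name}: unknown base policy {base}")
    for org in sorted(policy.organization_rule):
        if org != stored_organization_id(org):
            warnings.append(f"{policy.name}: rule value {org!r} is not lowercase and will never match")
    return warnings


def is_permitted(user: str, action: str, app: Application, policies: list) -> bool:
    """True if some policy assigned to `user` carries `action` as a base policy
    and its organization rule (if any) matches the application's stored ID."""
    for policy in policies:
        if user not in policy.assignees or action not in policy.base_policies:
            continue
        if not policy.organization_rule or app.organization in policy.organization_rule:
            return True
    return False


def visible_applications(user: str, apps: list, policies: list) -> list:
    """What the user sees in the console: the applications they may READ."""
    return [a.name for a in apps if is_permitted(user, "READ_APPLICATIONS", a, policies)]


def change_organization(actor: str, app: Application, new_org: str, policies: list) -> Application:
    """Step 4: only an actor with UPDATE on the application (the super administrator)
    may move it to another organization; the new ID is stored lowercase."""
    if not is_permitted(actor, "UPDATE_APPLICATIONS", app, policies):
        raise PermissionError(f"{actor} may not update {app.name}")
    return replace(app, organization=stored_organization_id(new_org))


def run_scenario() -> tuple:
    """Walk through the guide's scenario; returns bob's visible apps before and after Step 4."""
    super_admins = AuthorizationPolicy("Super Administrators", BASE_POLICIES, assignees=frozenset({"alice"}))
    s4_admins = AuthorizationPolicy("S4HANA Administrators", BASE_POLICIES,
                                    organization_rule=frozenset({"s4hana"}),
                                    assignees=frozenset({"bob"}))
    policies = [super_admins, s4_admins]
    # Constructed sample applications, both still under the default 'global' organization.
    apps = [Application("S/4HANA Public Cloud"), Application("SAP BTP Subaccount")]
    before = visible_applications("bob", apps, policies)          # bob sees nothing yet
    apps[0] = change_organization("alice", apps[0], "S4HANA", policies)  # stored as 's4hana'
    after = visible_applications("bob", apps, policies)           # only the S/4HANA app
    return before, after


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the two practical points of Steps 2 to 4: the restricted administrator sees nothing until the super administrator moves the application out of 'global', and a rule value typed with uppercase letters is flagged by policy_warnings rather than silently matching nothing.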

Conclusion

By following these steps, you can establish granular application access control in SAP Cloud Identity Services, ensuring each administrator has the appropriate access level for their responsibilities. This approach enhances security and simplifies application management within SAP Cloud Identity Services.

If you have questions or want to share your experiences managing access control in IAS, please comment below!