Introduction
When working with SAP Integration Suite Advanced Event Mesh (AEM) across multiple brokers, it is essential to enforce strict user access controls. This ensures adherence to the separation of concerns principle and protects provisioned brokers from unauthorized actions. Without appropriate controls, users may inadvertently disrupt services—such as by deleting a broker or spinning up new brokers—which can compromise the environment or affect other users.
While AEM offers standard inbuilt roles designed for granular access management, these roles often do not align with the specific combinations required for a given landscape setup. For example, you may want users to have the ability to manage queues (create, edit, delete) within a specific broker, but restrict their ability to perform any other critical actions elsewhere. Achieving this level of intermediate access control is possible with the Group Management feature of AEM in conjunction with an external Identity Provider (IdP) configuration.
To learn how to set up the Cloud Identity Service, refer to the blog post: “Streamlining User Management in Advanced Event Mesh with SAP CIS and Identity Federation.”
This blog post, co-authored by Sunny Kapoor and Tobias Griebe, outlines the necessary steps to set up and enforce such granular access, ensuring users have only the permissions needed for their designated tasks—thereby protecting your AEM environment from accidental disruptions.
Why User Groups over Users in User Management of AEM?
While AEM offers standard inbuilt roles, these typically grant either full access to a feature set or restrict users to viewer-only permissions. In scenarios where controlled, intermediate access is required—such as delegating limited management of a specific event broker—standard roles may not suffice. This is where the “Mission Control User” role becomes essential; it is available only if you have user groups configured. Mission Control Users have limited viewing access in Cluster Manager. They can’t see event broker services they are not assigned permissions to, and they have no access to Mesh Manager. Users can be given greater access to event broker services by assigning permissions to them. For more information about event broker service-specific access levels, see Configuring User Access to Event Broker Services.
Prerequisites
Before you enable group and role mapping for your advanced event mesh account, you need to do the following: configure your SAP Cloud Identity Service instance to provide claim values that you can map to user groups. For more information, see the SAP Cloud Identity Services documentation.
Also, you can refer to the blog post: “Streamlining User Management in Advanced Event Mesh with SAP CIS and Identity Federation.”
Creating a User Group
In this example configuration, we have created two User Groups by following the official documentation. The first user group, called Administrators, has two roles assigned: Account Administrator and Insights Advanced Editor.
The second user group, called Participants, has a single role assigned: Mission Control User, which can access Cluster Manager but with limited access and viewing capabilities.
Event broker service access levels (Viewer, Editor or Manager) then need to be granted, as required, to the user groups holding the Mission Control User role. In this example, we assign Editor access on one of the event brokers so that users in the Participants group can manage queues (create, edit, delete) within that specific broker, while remaining unable to perform any other critical actions.
Group Management
You can assign roles to user groups rather than directly to individual users. By mapping claims received from your identity provider (IdP) to these user groups, users can be automatically assigned to the appropriate groups upon authentication. When group management is enabled, users are automatically added to groups based on the claim mapping that you have configured. For example, if your IdP returns a claim value such as “service_manager”, users with that claim value are automatically assigned to the user group that the claim value is mapped to. If none of the claims returned for a user is mapped to a group when the user authenticates, the user can either be added to a default user group or be denied access.
After you configure group management you can continue to invite new users manually or you can enable just-in-time provisioning to add new users to groups based on the existing claim mapping configuration when a user successfully authenticates using SSO.
To set up group management for your account, see Configuring Group Management.
In this example, we click the “Group Management” button in the User Groups screen and complete the configuration shown in the screenshot to enable it. The main part is the mapping of claims received from your IdP to the user groups created earlier.
This is the attribute key sent from the IdP to AEM. Groups are configured in the IdP, and users are added to these groups within the IdP.
Configure user access in the Cluster Manager
The last step is to choose the specific event broker for which you want to further control access. In this example, we assign Editor access on one of the event brokers to the Participants group, so that its members can manage queues (create, edit, delete) within that specific broker while remaining unable to perform any other critical actions.
In Cluster Manager, select the Event Broker, click the three dots, and choose Set User Access.
Click Add User Groups, select the Participants group, set the access level to Editor, and finally click Save.
Important Points to Consider
Advanced event mesh also lets you enable just-in-time provisioning, which lets you onboard new advanced event mesh users without inviting them manually. If you don’t select this option, you’ll need to manually invite each user in AEM. Note that the Invite button in the Users tab is disabled when group management is enabled, so you’ll have to disable group management every time you want to invite users.
Do not select Customize Default User Group and pick a user group with the least privileges from the Default User Group drop-down list without proper testing. When this option is selected and no defined claim mapping matches the user’s claim value, the user is added to the specified group. This could unintentionally lower privileges for all users, including administrators, which might make it impossible to change user management settings and could leave the tenant unusable. When the option is not selected and no claim value for the user is mapped to a user group, the user is denied access to advanced event mesh.
Make sure you test the setup by clicking Test Access > Run Test to confirm that your Account Administrator account is still allowed access with the new settings. A message confirms whether you will still have Account Administrator privileges on the account after the settings are applied. If you would lose Account Administrator access, update the settings before continuing.
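To make the decisions in the Group Management and Important Points sections concrete, here is an added example that models them in Python. It is illustrative code written for this post and not SAP's implementation: the role names (Account Administrator, Insights Advanced Editor, Mission Control User) and the broker access levels (Viewer, Editor, Manager) come from the text above, while the claim attribute key `groups`, the IdP claim values, the broker names and the action-to-level table are assumptions made for the example. It shows how a login's claims resolve to groups (including the default-group and deny cases), which brokers a Mission Control User can see, which queue actions an access level permits, and how a "Test Access" style check catches a claim mapping that would strip the administrator's own privileges.

```python
"""Model of the AEM user-group and claim-mapping decisions described above.

Constructed example for illustration, not SAP's implementation. The role
names (Account Administrator, Insights Advanced Editor, Mission Control User)
and the broker access levels (Viewer, Editor, Manager) come from the post; the
claim attribute key, IdP claim values, broker names and the action-to-level
table are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumed name of the attribute key the IdP sends to AEM.
GROUP_CLAIM = "groups"

# IdP claim value -> AEM user group (claim values are constructed).
CLAIM_MAPPING: Dict[str, str] = {
    "aem_admins": "Administrators",
    "aem_participants": "Participants",
}

# AEM user group -> account-level roles, as created in the post.
GROUP_ROLES: Dict[str, Set[str]] = {
    "Administrators": {"Account Administrator", "Insights Advanced Editor"},
    "Participants": {"Mission Control User"},
}

# Per-broker access granted in Cluster Manager via "Set User Access"
# (broker names are constructed).
BROKER_ACCESS: Dict[str, Dict[str, str]] = {
    "broker-dev-01": {"Participants": "Editor"},
    "broker-qa-01": {"Participants": "Viewer"},
}

# Assumed ordering of access levels and the minimum level each queue action needs.
LEVEL_RANK = {"Viewer": 1, "Editor": 2, "Manager": 3}
QUEUE_ACTION_MIN_LEVEL = {
    "view_queue": "Viewer",
    "create_queue": "Editor",
    "edit_queue": "Editor",
    "delete_queue": "Editor",
}


@dataclass
class GroupManagementSettings:
    claim_mapping: Dict[str, str]
    # None models "Customize Default User Group" left unselected.
    default_group: Optional[str] = None


def resolve_groups(claims: dict, settings: GroupManagementSettings) -> Optional[Set[str]]:
    """Return the user's groups after SSO login, or None when access is denied.

    Mapped claim values place the user in the mapped groups. With no match the
    user lands in the default group if one is configured, otherwise is denied.
    """
    values = claims.get(GROUP_CLAIM, [])
    if isinstance(values, str):
        values = [values]
    groups = {settings.claim_mapping[v] for v in values if v in settings.claim_mapping}
    if groups:
        return groups
    if settings.default_group is not None:
        return {settings.default_group}
    return None


def account_roles(groups: Optional[Set[str]]) -> Set[str]:
    """Union of the account-level roles carried by the user's groups."""
    roles: Set[str] = set()
    for g in groups or ():
        roles |= GROUP_ROLES.get(g, set())
    return roles


def visible_brokers(groups: Set[str]) -> Set[str]:
    """Account Administrators see every broker; Mission Control Users only
    those brokers on which one of their groups was granted an access level."""
    if "Account Administrator" in account_roles(groups):
        return set(BROKER_ACCESS)
    return {b for b, acl in BROKER_ACCESS.items() if groups & set(acl)}


def is_allowed(groups: Set[str], action: str, broker: Optional[str] = None) -> bool:
    """Authorisation decision for one action, optionally on one broker."""
    if "Account Administrator" in account_roles(groups):
        return True
    if action in ("create_broker", "delete_broker"):
        return False  # never granted through broker-level access
    if broker not in BROKER_ACCESS:
        return False  # unknown, or not visible to this user
    acl = BROKER_ACCESS[broker]
    granted = max((LEVEL_RANK[acl[g]] for g in groups if g in acl), default=0)
    needed = QUEUE_ACTION_MIN_LEVEL.get(action)
    return needed is not None and granted >= LEVEL_RANK[needed]


def admin_keeps_access(admin_claims: dict, settings: GroupManagementSettings) -> bool:
    """Mirror of "Test Access > Run Test": does the account administrator keep
    the Account Administrator role once the settings are applied?"""
    return "Account Administrator" in account_roles(resolve_groups(admin_claims, settings))
```

The hazard from the Important Points section shows up directly: with a settings object whose mapping omits the administrators' claim value and whose `default_group` is `"Participants"`, `admin_keeps_access` returns False, because the administrator's login falls through to the least-privileged default group. That is the situation the Test Access check is there to catch before the settings are applied.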
Conclusion
With this configuration, when a non-admin user logs in, they will only have visibility of the specific event broker to which access has been granted. They will be able to manage queues (create, edit, delete) within that broker, while their ability to perform other critical actions—such as creating or deleting an event broker—will remain restricted.