Authorization on the SAP Cloud Platform
This blueprint provides common information, guidance, as to how authorizations on the SAP Cloud Platform are implemented and how authorizations relate to identity providers and the applications and services on SAP Cloud Platform.
To learn how to implement this scenario in your landscape, view the HANA Academy videos in the
Learn more section.
SAP Cloud Platform is an essential part of SAP’s digital strategy. It is the platform for our customers’ and partners’ transformation journey toward digital business models. This open platform as a service (PaaS) provides unique in-memory database and application services. It is the proven cloud platform that enables you to rapidly develop new applications or extend existing ones, all in the cloud.
While user authentication is the method of determining whether someone is who he pretends to be, authorization is the determination of permissions for accessing applications or business functions within applications.
Users are principals managed by identity providers (SAP Cloud Platform Identity Authentication or others). The SAP Cloud Platform does not have a user database on its own. SAP Cloud Platform offers possibilities to manage the authorizations of users authenticated by an identity provider (IDP). Authorization is based on a role-based authorizations concept. This role-based authorizations allows administrators to easily manage user access, permissions for services on the platform and for applications deployed on the platform.
For the platform and its services, authorizations are managed in terms of technical roles, whilst for applications deployed on the platform, one has the possibility to choose the application authorization model wanted. That means, you define the roles of the application users and the associated permissions needed for those roles. You can then group collections of roles that allow the definition of business-level functions.
In order to understand the role based authorization model better, we need to distinguish between technical roles and organizational roles:
Technical roles are internal, predefined roles that are required for accessing and working in design time tools and services such as the SAP Cloud Platform cockpit. Examples include: SAP Cloud Platform Member, Developer, Tenant_Admin, etc.
Organizational roles are external, custom roles that are defined by an organization in the SAP Cloud Platform cockpit to restrict access to portal sites, pages, and applications. Organizational roles are created for various job functions. Users working in an organization are assigned to these roles. Examples for such roles could be “Manager” or “Sales”.
In terms of the identity provider for SAP Cloud Platform distinction is made between the Platform Identity Provider and Application Identity Provider:
The platform IDP is the user base for access to SAP Cloud Platform account and tools (cockpit, console client, Eclipse tools, and others). The default user base is provided by SAP ID service. You can switch to an SAP Cloud Platform Identity Authentication tenant for the platform IDP. By default, the cockpit and console client are configured to use SAP ID service as an identity provider for user authentication. If you want to use your custom user base and custom tenant settings (such as two-factor user authentication, or corporate user store, for example), you must use a custom SAP Cloud Platform Identity Authentication tenant as a platform identity provider.
By changing the platform identity provider and (thus switching the user base), you need to add as subaccount members existing users in the SAP Cloud Platform Identity Authentication tenant. You will need to assign the required platform roles (Administrator, Developer, Support User etc.) to the user base from your assigned platform IDP. Individual services on SAP Cloud Platform have their own role structures and may have specific predefined roles which will need to be assigned to the account members in your user base.
The application IDP supplies the user base for your applications. It is important to note that adding an application identity provider does not give your application developer or administrator access to the administration cockpit and associated functions. This access would still need to be granted via the platform identity provider (IDP). You can use an SAP Cloud Platform Identity Authentication tenant or your corporate IDP as the user base for your applications. Once you have assigned the application IDP, you will need to take care of the role assignments for your users. This varies according to the different runtimes supported on the SAP Cloud Platform but they all support role based authorizations, but differ in their implementation depending on the runtime, for example:
HTML5 applications may be protected by permissions. Permissions for an HTML5 application are defined in the application descriptor file. To enforce authorization for an HTML5 application, permissions can be added to application path. In the SAP Cloud Platform admin cockpit, you can create custom roles and assign them to the defined application permissions. If a user accesses an application path that starts with a path defined for a permission, the system checks if the current user is a member of the assigned role. If no role is assigned to a defined permission only subaccount members with developer permission or administrator permission have access to the protected resource.
If only authentication is required for a path, but no authorization, a security constraint can be added without a permission.
To assign users to a permission of an HTML5 application, a role must be assigned to the corresponding permission. As a result, all users who are assigned to the role get the corresponding permission. Roles are not application-specific but can be reused across multiple HTML5 applications.
To grant a user the permission to access a protected resource, you can either assign a custom role or one of the predefined virtual roles (AccountAdministrator, AccountDeveloper, Everyone) to such a permission. The “Everyone” virtual role represents all authenticated users for the configured Identity Provider.
For Java applications, SAP Cloud Platform allows developers to use the traditional Java EE web roles in their applications. The role management is performed in SAP Cloud Platform cloud cockpit. Checking for role assignment for logged in used can be done using standard Java EE Servlet API.
If you have SAP Cloud Platform extension package for SAP SuccessFactors configured for your subaccount, you can change the default SAP Cloud Platform role provider to another one. This allows you to manage the roles in your SAP SuccessFactors system.
The identity provider used should not impact how the authorizations, roles and groups on the SAP Cloud Platform are structured. Applications can be developed with authorizations implemented using standard methods (e.g. HTML application permissions, JAVA EE Roles).
The user, role, group structure allows you to structure user access to application resources and group that access into logical business roles for your organization and then, optionally, align this with the groups from your chosen identity provider.
For SAP SuccessFactors extensions, you can use the SAP SuccessFactors role provider which allows you to manage roles on your SAP SuccessFactors system instead of on the SAP Cloud Platform.
It is important to understand how authorizations are organized and managed on SAP Cloud Platform:
Users are principals managed by identity providers.
Roles allow you to diversify user access to application resources (role-based authorizations).
Groups are collections of roles that allow the definition of business-level functions within your subaccount. Groups allow you to easily manage the role assignments to collections of users instead of individual users. They are similar to the actual business roles existing in an organization, such as "manager", "employee", "external" and so on. They help you to get better alignment between application permissions/roles and organizational roles. For each identity provider (IdP) for your subaccount, you define a set of rules specifying the groups a user for this IdP belongs to.
Assertion-based groups are groups determined by values of attributes in the SAML 2.0 assertion and can be mapped to groups on the SAP Cloud Platform based on mapping rules.
A Role Provider is the component that retrieves the roles for a particular user. By default, the role provider used for SAP Cloud Platform applications and services is the SAP Cloud Platform role provider. For extension applications, however, you can change the default role provider to another one, for example, a SAP SuccessFactors role provider. Depending on whether the application is running in your subaccount or your subaccount is subscribed to the extension application, you configure the role provider from either the roles section for your application, or the subscription section for your subaccount. In addition, you can view the role provider for each enabled SAP Cloud Platform service in the services section of the SAP Cloud Platform cockpit.
Although it is a recommended practice to use the above structure for authorizations, you can assign users to roles statically, that is, the administrator can assign individual users directly to roles, although this approach is generally not scalable.
SAP Cloud Platform is the extension platform for SAP. It enables developers to develop loosely coupled extension applications securely, thus implementing additional workflows or modules on top of the existing solution they already have.
SAP Cloud Platform supports application scenarios for consumers (B2C), for partners (B2B), and for employees (B2E). The solution provided in this blueprint is available for all three scenarios. All types of users will be asked to authenticate. Authenticated users will need to have the appropriate authorizations in order to access the resources requested.
The following graphical diagram of the solution illustrates a general pattern, with SAP Cloud Platform Identity Authentication as the identity provider. The same principle applies to authorizations regardless of the selected IDP. The diagram depicted assumes that authentication has already taken place through the selected IDP.
User is authenticated and authorization check is performed.
Note: The on premise systems and the other cloud systems are depicted above for completeness of the overall landscape picture. In the case of authentication and single sign-on (accessing other system resources without authenticating again) and using the SAP Cloud Platform Identity Authentication Service as the identity provider will be covered in other blueprints. You can link directly to them here.
The following list describes the main components needed to implement this scenario and the role they play in the overall solution
User Network
End User – This is the person who is running the SAP Cloud Platform application. They will be the entity being authenticated.
SAP Cloud Platform
SAP Cloud Platform Identity Authentication service – A cloud solution for identity lifecycle management for SAP Cloud Platform applications, and for on premise applications. It provides services for authentication, single sign-on, and on premise integration.
Connectivity Service – The connectivity service allows SAP Cloud Platform applications to access securely remote services that run on the Internet or on premise.
Generic SAP Cloud Platform Service – To keep the blueprint simplified a generic icon is used since any SAP Cloud Platform.
This is an overview of the steps needed to implement this blueprint:
This blueprint highlights important considerations companies need to analyze when implementing authentication for cloud platform applications. It only provide a high level overview of the process. It is recommended to review further information to help you implement your authentication design and develop applications using a cloud based IdP. The following resources are a starting point:
Click below for step by step videos detailing how to implement authorizations on the SAP Cloud Platform:
SAP HANA Academy - Authorizations
SAP Cloud Platform Identity Authentication service - on line documentation includes an overview of the offering as well as details on how to implement and configure the service
Securing Java applications - managing roles – On line documentation for how to manage roles in your Java applications.
Authorization for HTML5 Applications – On line documentation for how to manage authorizations in HTML5 applications.
