CX Works

CX Works brings the most relevant leading practices to you.
It is a single portal of curated, field-tested and SAP-verified expertise for SAP Customer Experience solutions

Console Administration in SAP Customer Data Cloud


Quickly add users and associated permissions for implementing SAP Customer Data Cloud.

Overview

SAP Customer Data Cloud provides a framework that enables creation of users (user keys) or applications (application keys), grants them permissions, and evaluates their permissions upon incoming requests.

The permissions determine:

  • which application programming interface (API) methods the user/application can call

  • what parameters the users/applications can pass

  • what the valid values for these parameters are

  • what types of logical operations are allowed

This article presents a quick and easy approach to providing and managing permissions for SAP Customer Data Cloud (CDC) sites using the Admin Console. If this is your first time creating users or applications and assigning permissions, spend some time learning about all the available options within console administration. While it may seem like a lot to take in, once you understand the options and the decisions involved in creating users and application keys, the task becomes simpler as you begin owning your role as console administrator.

Generally speaking, adding, editing and removing users from the SAP CDC Console is a quick task that can be completed in under 10 minutes. 


Where to Manage 'Administrators and User Groups'?

The "Admin" tab of the SAP Customer Data Cloud console is used to manage administrators and user groups.

Manage Administrators

The site administrator can invite additional admins and edit existing ones from this page, which lists all the admins associated with the current client site(s).

Invite Administrator

Click the "Invite Administrator" button, fill in the new user's email and select the group.

An invitation is then sent by email; it expires 72 hours after it is sent.

Edit User

Use the Edit button under "Settings" in the table to edit a user.

This opens the Edit User page, which includes three tabs:

  • Details - shows the user information

  • Groups - lists all the available groups for the partner

  • Resolved Privileges - lists the privileges for the selected user


Details Tab

The Details tab displays the user's name and email.

Groups Tab

The Groups tab lists all the available groups for the partner, including the groups to which the user is assigned and the ones to which the user is not assigned.

An admin can delete a user from a group, or add the user to a group by clicking the "Assign Group" button.


Resolved Privileges Tab

The Resolved Privileges tab displays the list of privileges for the selected user per site.

The overall list of Privileges assigned to a group can be found by selecting the specific group in the "Permissions Group" section.

Users can manage their cookie preferences from the user menu, by selecting Cookie Preferences.

What are 'Application Keys'?

The Applications page allows you to create, remove and edit "application keys" - credentials that are given to third-party applications to enable them to access the Customer Data Cloud platform and make system calls.

An application key is not associated with a specific user. Application keys have higher rate limits than standard user keys, but their actions are not audited.

Applications are assigned to a user group either when the application key is created or through the Permission Groups page. When an application is assigned to one or more groups, it gains the permissions defined by those groups and can make API calls to SAP Customer Data Cloud based on those permissions.

Under Settings, there is an edit button and a remove button for each application.

Create New Application

When creating a new application, provide the name of the app and select a group to include the new app in. (This group can later be removed, or other groups can be added through the Manage Groups tab.)

Once the application is created, its special User Key and Secret are used for authentication and authorization when making system calls to Customer Data Cloud. To see these credentials, click the application's name in the main table and go to the Details tab.

Add Existing Application

Adding an existing application is a way to grant access and permissions to an existing application that is not a part of your site, such as a third-party service that you want to enable to make Customer Data Cloud system calls on your site.

How to manage 'Permission Groups'?

The permissions or privileges given to each user key and application key are listed on this page.

The page allows you to:

  • add or remove groups

  • edit the members of each group

  • define the privileges that are granted to members of that group

Create Group

To create a new group, click the Create Group button above the group table and fill in the new group's name and description.

Duplicate Group

To duplicate a group - i.e., to create a new group with the same permissions - click the Duplicate icon next to a specific group's name.

Edit Group

To edit a group, click the Edit button next to a specific group's name.

The Edit Group page opens, containing the following tabs:

  • Privileges - lists all the available permissions and allows the admin to enable/disable privileges

  • Members - lists the users and applications assigned to the specific group and allows the admin to add or remove members from the group

  • Scope - shows the list of sites enabled for this group

Privileges Tab

The Privileges tab displays all the available privileges and allows the admin to enable/disable privileges for the specified group.

Privileges are divided into categories and are mapped to allowed API methods.

Refer to the Privileges section for the list of categories and the full mapping of privileges to APIs.

Members Tab

The Members tab displays two tables.

  • The first table lists the admins assigned to that specific group

  • The second lists the applications assigned to the group.

Scope Tab

The Scope tab displays the list of sites that are enabled for this group.
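The group model described above (privileges, members, scope) is what the Resolved Privileges tab evaluates per user and per site. The following is an added example, not SAP code or part of the original article: it resolves privileges from a constructed group listing and flags application keys holding high-impact privileges, since their actions are not audited. The data layout, all names, the "sensitive" set and the union-across-groups rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not a real SAP CDC export). Group, member, site and
# privilege names are hypothetical placeholders.
GROUPS = [
    {"name": "support",
     "privileges": {"accounts.read"},
     "members": {"admins": ["alice@example.com"], "applications": ["crm-sync"]},
     "scope": ["site-a", "site-b"]},
    {"name": "site-admins",
     "privileges": {"accounts.read", "accounts.delete", "schema.write"},
     "members": {"admins": ["bob@example.com"], "applications": ["crm-sync"]},
     "scope": ["site-a"]},
]

# Privileges this review treats as high impact (an assumption for the example).
SENSITIVE = {"accounts.delete", "schema.write"}


def resolve_privileges(groups):
    """Return {(kind, member): {site: privileges}} as the union over groups."""
    resolved = defaultdict(lambda: defaultdict(set))
    for group in groups:
        for kind, key in (("admin", "admins"), ("application", "applications")):
            for member in group["members"].get(key, []):
                for site in group["scope"]:
                    # Assumed rule: a member gains every privilege of every
                    # group it belongs to, on each site in that group's scope.
                    resolved[(kind, member)][site] |= group["privileges"]
    return resolved


def unaudited_sensitive(resolved, sensitive=SENSITIVE):
    """List (application, site, privileges) where an application key, whose
    actions are not audited, holds sensitive privileges."""
    findings = []
    for (kind, member), sites in resolved.items():
        if kind != "application":
            continue
        for site, privs in sorted(sites.items()):
            hits = sorted(privs & sensitive)
            if hits:
                findings.append((member, site, hits))
    return findings


if __name__ == "__main__":
    print(unaudited_sensitive(resolve_privileges(GROUPS)))
```

Each finding is a candidate for moving the action to an audited user key or for narrowing the group's privileges or scope.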

Data Field Access

This feature is part of the Early Adopters Program.

The Data Field Access tab of the Permission Groups section allows you to restrict access to specific fields of your schema based upon permissions of the user or group accessing them.

5 levels of access can be granted to the schema:

  • No access to any fields

  • Full access to all fields

  • Specific access to defined fields:

      • Read-only access to specific defined fields

      • Write-only access to specific defined fields

      • Read and write access to specific defined fields

What is a 'User Key'?

User keys are used to grant individual permissions to certain users on certain sites. User keys are more secure than giving all users the partner secret key, which grants full permission to all data and actions on the API key, including the ability to delete user data. In addition, actions taken using the user key are tracked for auditing purposes.

A user may have access to multiple sites and multiple partner accounts. After creating a user, you can set permissions for that user across all sites that the user has access to, via the SAP Customer Data Cloud Administration Console or using an API call. 

Finding Your User Key

To find the user key, log in to the console and click your name in the top right-hand corner. Select "Account" to open the Account Settings page, where you can find your User Key.

Note: The User Key is personal and should not be shared with others.  

IP Restrictions

The IP addresses that can access SAP Customer Data APIs on behalf of your organization can be controlled by configuring either allowlists, blocklists, or both, within the SAP Customer Data Console.  

To set up IP restrictions, navigate to the Admin section of the SAP Customer Data Console by selecting it from the User Account drop-down at the top of the page.

Select the IP Restrictions tab from the left-hand navigation options to proceed with the next steps.


After reading this article, you should be in a position to create users (user keys) and grant them permissions, so that they are signed off and ready for implementation.

To learn more about User Groups and Permissions, follow along in the SAP CDC Developers Guide: Console Administration.