Console Administration in SAP Customer Data Cloud
SAP Customer Data Cloud provides a framework that enables creation of users (user keys) or applications (application keys), grants them permissions, and evaluates their permissions upon incoming requests.
The permissions determine:
- which application programming interface (API) methods the user/application can call
- what parameters the users/applications can pass
- what the valid values for these parameters are
- what types of logical operations are allowed
This article presents a quick and easy approach to providing and managing permissions for SAP Customer Data Cloud (CDC) sites using the Admin Console. If this is your first time creating users or applications and assigning permissions, spend some time learning about all the available options within console administration. While it may seem like a lot to take in, the task becomes simpler once you understand the options and the decisions involved in creating users and application keys, and as you begin owning your role as console administrator.
Generally speaking, adding, editing and removing users from the SAP CDC Console is a quick task that can be completed in under 10 minutes.
Table of Contents
- Manage Administrators
- What are 'Application Keys'?
- How to manage 'Permission Groups'?
- What is a 'User Key'?
- IP Restrictions
Where to Manage 'Administrators and User Groups'?
The "Admin" tab of the SAP Customer Data Cloud console is used to manage administrators and user groups.
The site administrator can invite additional admins and edit existing ones from this page, which lists all the admins associated with the current client site(s).
Click the "Invite Administrator" button, fill in the new user's email, and select the group.
Once done, an invitation is sent by email; it expires 72 hours after it is sent.
The Edit button under "Settings" in the table is used to edit a user.
This opens the Edit User page, which includes three tabs:
Details - shows the user information
Groups - lists all the available groups for the partner
Resolved Privileges - lists the privileges for the selected user
The Details tab displays the user's name and email.
The Groups tab lists all the available groups for the partner, including the groups to which the user is assigned and the ones to which the user is not assigned.
An admin can delete the user from a group or add the user to a group by clicking the "Assign Group" button.
Resolved Privileges Tab
The Resolved Privileges tab displays the list of privileges for the selected user per site.
The overall list of Privileges assigned to a group can be found by selecting the specific group in the "Permissions Group" section.
Users can manage their cookie preferences from the user menu, by selecting Cookie Preferences.
What are 'Application Keys'?
The Applications page allows you to create, remove, and edit "application keys": credentials that are given to third-party applications to enable them to access the Customer Data Cloud platform and make system calls.
An application key is not associated with a specific user. Application keys have higher rate limits than standard user keys, but their actions are not audited.
Applications are assigned to a user group either when the application key is created or through the Permission Groups page. When an application is assigned to one or more groups, it gains the permissions defined by those groups and is able to make API calls to SAP Customer Data Cloud based on those permissions.
Under Settings, there is an edit button and a remove button for each application.
Create New Application
When creating a new application, provide the name of the app and select a group to include the new app in. (This group can later be removed, or other groups can be added through the Manage Groups tab.)
Once the application is created, its special User Key and Secret are used for authentication and authorization when making system calls to Customer Data Cloud. To see these credentials, click the application's name in the main table and go to the Details tab.
Add Existing Application
Adding an existing application is a way to grant access and permissions to an existing application that is not a part of your site, such as a third-party service that you want to enable to make Customer Data Cloud system calls on your site.
How to manage 'Permission Groups'?
The permissions or privileges given to each user key and application key are listed on this page.
The page allows you to:
- add or remove groups
- edit the members of each group
- define the privileges that are granted to members of that group
To create a new group, click the Create Group button above the group table and fill in the new group's name and description.
To duplicate a group (i.e., to create a new group with the same permissions), click the Duplicate icon next to a specific group's name.
To edit a group, click the Edit button next to a specific group's name.
The Edit Group page opens, containing the following tabs:
Privileges - lists all the available permissions and allows the admin to enable/disable privileges
Members - lists the users and applications assigned to the specific group and allows the admin to add or remove members from the group
Scope - shows the list of sites enabled for this group
The Privileges tab displays all the available privileges and allows the admin to enable/disable privileges for the specified group.
Privileges are divided into categories and are mapped to allowed API methods.
Refer to the Privileges Section for the list of categories and the full mapping of privileges to APIs.
The Members tab displays two tables.
The first table lists the admins assigned to that specific group.
The second lists the applications assigned to the group.
The Scope tab displays the list of sites that are enabled for this group.
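A least-privilege review of the group model described above, as an added example that is not part of the original article or SAP's own code: it computes resolved privileges per principal and site, then flags application keys that hold sensitive privileges, since their actions are not audited. The data layout, the privilege names, the sensitive-privilege policy, and the rule that privileges from several groups combine as a union are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data. The structure and every name below are
# hypothetical; this is not a Customer Data Cloud export format.
GROUPS = {
    "support-readonly": {
        "privileges": {"accounts.read"},
        "members": {"user:alice"},
        "scope": {"site-eu", "site-us"},
    },
    "data-admins": {
        "privileges": {"accounts.read", "accounts.write", "accounts.delete"},
        "members": {"user:bob", "app:crm-sync"},
        "scope": {"site-eu"},
    },
    "exports": {
        "privileges": {"accounts.read", "accounts.export"},
        "members": {"app:crm-sync"},
        "scope": {"site-eu", "site-us"},
    },
}
SENSITIVE = {"accounts.delete", "accounts.export"}  # assumed review policy


def resolve_privileges(groups):
    """Return {principal: {site: set(privileges)}}, the union over all groups."""
    resolved = defaultdict(lambda: defaultdict(set))
    for group in groups.values():
        for member in group["members"]:
            for site in group["scope"]:
                resolved[member][site] |= group["privileges"]
    return resolved


def unaudited_sensitive_grants(groups, sensitive=SENSITIVE):
    """List (app, site, privilege) where an application key holds a sensitive privilege."""
    findings = []
    for principal, sites in resolve_privileges(groups).items():
        if not principal.startswith("app:"):
            continue  # user-key actions are tracked for auditing
        for site, privs in sites.items():
            findings += [(principal, site, p) for p in privs & sensitive]
    return sorted(findings)


if __name__ == "__main__":
    for finding in unaudited_sensitive_grants(GROUPS):
        print(*finding)
```

Each finding is a candidate for moving the privilege to a user key, or for narrowing the group's privileges or scope.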
Data Field Access
This feature is part of the Early Adopters Program.
The Data Field Access tab of the Permission Groups section allows you to restrict access to specific fields of your schema based upon permissions of the user or group accessing them.
5 levels of access can be granted to the schema:
- No access to any fields
- Full access to all fields
- Specific access to defined fields:
  - Read-only access to specific defined fields
  - Write-only access to specific defined fields
  - Read and write access to specific defined fields
What is a 'User Key'?
User keys are used to grant individual permissions to certain users on certain sites. User keys are more secure than giving all users the partner secret key, which grants full permission to all data and actions on the API key, including the ability to delete user data. In addition, actions taken using the user key are tracked for auditing purposes.
A user may have access to multiple sites and multiple partner accounts. After creating a user, you can set permissions for that user across all sites that the user has access to, via the SAP Customer Data Cloud Administration Console or using an API call.
Finding Your User Key
To find the user key, log in to the console and click your name at the top right-hand corner. Select "Account" to open the Account Settings page, where you can find your User Key.
Note: The User Key is personal and should not be shared with others.
IP Restrictions
The IP addresses that can access SAP Customer Data APIs on behalf of your organization can be controlled by configuring allowlists, blocklists, or both, within the SAP Customer Data Console.
To set up the IP restrictions, navigate to the Admin section of the SAP Customer Data Console by selecting it from the User Account drop-down at the top of the page.
Select the IP Restrictions tab from the left-hand navigation options to proceed with the next steps.
After reading this article, you should be in a position to create users (user keys) and grant them permissions, ready to be signed off for implementation.
To learn more about User Groups and Permissions, follow along in the SAP CDC Developers Guide: Console Administration.