Thursday, March 1, 2018

Understanding SAP Identity management for SAP Cloud Platform

SAP Cloud Platform can use three types of identity provider:
1. SAP ID service
This identity provider is operated by SAP for the SAP community and is the default identity provider for many SAP services.

2. SAP Cloud Identity service
This identity provider offers the same kind of service as SAP ID service, but the tenant is administered by the customer who owns it. It is the recommended choice for SAP customers.

3. Third-party identity provider
If a customer already runs an identity provider that supports SAML 2.0, SAP Cloud Platform can be configured to trust it and use it to authenticate users.

In all three cases the platform relies on SAML 2.0: trust is established through the identity provider's metadata (including its signing certificate), and the user identity and attributes that the platform works with are the ones carried in the SAML assertion.


User, Role, Group and Permission
SAP Cloud Platform uses users and roles to grant privileges for running Cloud Platform applications: a role is assigned to a user, and the application decides what holders of that role may do.

To make user administration easier, the administrator can define groups. A group carries one or more predefined roles, and when the administrator assigns users to the group, those users automatically receive every role configured for it.

In addition, a group can decide its membership dynamically, based on the user's attributes as delivered by the identity provider. No such rule exists for a role.

HTML5 application developers declare permissions in neo-app.json (in securityConstraints) to state which resource paths require which permission; Java applications declare their roles in web.xml. The administrator then configures which roles satisfy each permission.

Users are defined in the identity provider.
Roles and permissions are defined by each individual SAP Cloud Platform HTML5 or Java application; groups are defined at subaccount level and collect roles from those applications.
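The following is an added example, not code from the original post and not SAP's implementation: a small Python model of how the pieces above combine into an access decision for an HTML5 application. It embeds a constructed neo-app.json excerpt (the securityConstraints format with permission, protectedPaths and excludedPaths is the real one), a constructed permission-to-role mapping as an administrator would configure it, two groups (one with static members, one with an attribute rule), and users with attributes as an identity provider would deliver them. The prefix matching of protectedPaths/excludedPaths and the rule that holding any one mapped role satisfies a permission are assumptions about platform behaviour; the user IDs, group names, roles and paths are all made up.

```python
"""Illustrative model of SAP Cloud Platform (Neo) users, groups, roles and
neo-app.json permissions. Not SAP code; path matching and the any-role rule
are assumptions."""
import json

# Constructed neo-app.json excerpt (securityConstraints schema as documented
# by SAP: permission, description, protectedPaths, excludedPaths).
NEO_APP_JSON = """
{
  "welcomeFile": "/webapp/index.html",
  "authenticationMethod": "saml",
  "securityConstraints": [
    {
      "permission": "accessAdminData",
      "description": "Access admin data",
      "protectedPaths": ["/admin/"],
      "excludedPaths": ["/admin/public/"]
    },
    {
      "permission": "viewReports",
      "description": "View reports",
      "protectedPaths": ["/reports/"]
    }
  ]
}
"""

# Administrator configuration (constructed): which roles satisfy which
# permission declared by the application.
PERMISSION_TO_ROLES = {
    "accessAdminData": {"Administrator"},
    "viewReports": {"Administrator", "Analyst"},
}

# Groups (constructed): each carries roles; a group may have a static member
# list, an attribute rule (attribute name, required value), or both.
GROUPS = {
    "Admins": {"roles": {"Administrator"}, "rule": None},
    "FinanceAnalysts": {"roles": {"Analyst"}, "rule": ("department", "Finance")},
}
STATIC_GROUP_MEMBERS = {"Admins": {"P000001"}}

# Users and attributes as the identity provider would deliver them in the
# SAML assertion (constructed).
USERS = {
    "P000001": {"department": "IT"},
    "P000002": {"department": "Finance"},
    "P000003": {"department": "Sales"},
}


def groups_for(user_id, attributes):
    """Groups a user belongs to: static membership or a matching attribute rule."""
    result = set()
    for name, group in GROUPS.items():
        if user_id in STATIC_GROUP_MEMBERS.get(name, set()):
            result.add(name)
        rule = group["rule"]
        if rule and attributes.get(rule[0]) == rule[1]:
            result.add(name)
    return result


def roles_for(user_id):
    """Roles a user holds: the union of the roles of every group they are in."""
    attributes = USERS.get(user_id, {})
    roles = set()
    for name in groups_for(user_id, attributes):
        roles |= GROUPS[name]["roles"]
    return roles


def required_permission(path, constraints):
    """Permission protecting `path`, or None if no constraint covers it.
    Assumption: prefix matching; an excludedPaths prefix wins over a
    protectedPaths prefix within the same constraint."""
    for c in constraints:
        if any(path.startswith(p) for p in c.get("excludedPaths", [])):
            continue
        if any(path.startswith(p) for p in c["protectedPaths"]):
            return c["permission"]
    return None


def is_allowed(user_id, path):
    """Access decision for an authenticated user requesting `path`."""
    app = json.loads(NEO_APP_JSON)
    perm = required_permission(path, app["securityConstraints"])
    if perm is None:
        return True  # authenticated, but no permission required for this path
    # Assumption: holding any one of the mapped roles satisfies the permission.
    return bool(roles_for(user_id) & PERMISSION_TO_ROLES.get(perm, set()))


if __name__ == "__main__":
    for uid in USERS:
        for p in ("/admin/users", "/admin/public/help", "/reports/q1"):
            print(uid, sorted(roles_for(uid)), p, is_allowed(uid, p))
```

The point of running it is to see the chain end to end: P000001 gets Administrator only through static membership in Admins, P000002 gets Analyst purely from the department attribute the identity provider sent, and P000003, with no group, can still reach /admin/public/help because that prefix is excluded from the constraint. Changing an attribute value in USERS is therefore enough to change authorization, which is why the attributes an identity provider is allowed to assert deserve the same scrutiny as the role assignments themselves.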
