Step 2: Assign Roles to Users in SAP Cloud ALM

After onboarding your users to your Identity Authentication tenant, you need to add them to SAP Cloud ALM and assign roles to them.

You can add users and assign roles to them directly in the SAP Cloud ALM User Management app (recommended) or as corresponding role collections in the SAP BTP cockpit.

To assign role templates to users, first create a role collection and add the role template to it. After a daily sync job, the role collection you've created also appears under Custom Roles in the User Management app and can be assigned to other users from there.

Note:

If you're working with role mapping to user groups in your identity provider, you need to assign role collections in the SAP BTP cockpit. In this case, you can't view or change roles in the User Management app. You also can't use the role request and assignment features in SAP Cloud ALM, so we don't recommend this method.

Prerequisites

  • Your user has the role Global Administrator or User Administrator.

    If you've requested SAP Cloud ALM, you've automatically received the role Global Administrator. If someone else has requested SAP Cloud ALM, they can assign one of the required roles to you by following the process below.

  • The identities of the users to whom you want to assign roles already exist in the identity provider, as described in Step 1: Onboard Users in Your Identity Authentication Service.

Procedure

  1. Access SAP Cloud ALM. A link is included in the email Welcome to SAP Cloud ALM.

    Sign in with the email address and password that you defined when you activated your account in the Identity Authentication service. Don't sign in with your S-user.

  2. Open the User Management app, which is located on the Administration page.

  3. To go to the user list, choose (Users).

  4. Choose Add User.

  5. Enter the User ID and/or Email as you've defined them in the settings of your identity provider. If you've selected your email address as your user ID in your identity provider, you only need to enter the email address.

  6. Select a type for your user. Possible types are:

    | Type | Description |
    | --- | --- |
    | Not Assigned | No user type (default value) |
    | Employee | Employee of your company |
    | SAP | Consultant from SAP |
    | Partner | Consultant from official SAP partner |
    | Other | Person from a company other than SAP or official SAP partner |

  7. Assign one or multiple roles to the user.

    For an overview of all predefined role collections that are available in SAP Cloud ALM, refer to Role Collections.

  8. Save your settings.

Result

The user now receives a welcome email from SAP Cloud ALM.

For more information on how to use the User Management app to view, add, and change roles, refer to User Management.

The roles in SAP Cloud ALM are available as role collections in your subaccount in the SAP BTP cockpit.

Note:

The role collections that you assign in the SAP BTP cockpit are synchronized by the User Management app only once a day.

As a result, although the role collection assignment takes effect in SAP Cloud ALM immediately (with the next logon of the user), it may not be displayed in the User Management app for up to 24 hours.

Prerequisites

  • Your user has the role Subaccount Administrator in the subaccount that contains your SAP Cloud ALM subscription.

    If you've requested SAP Cloud ALM, your user has received this authorization during the creation of the subaccount. If you don't have this authorization, the subaccount administrator can assign the role to you by following Add Members to Your Subaccount.

  • The identities of the users to whom you want to assign roles already exist in the identity provider, as described in Step 1: Onboard Users in Your Identity Authentication Service.

Procedure

  1. Open the SAP BTP cockpit.

  2. Select the global account that contains your SAP Cloud ALM entitlement, which was created when you requested SAP Cloud ALM.

  3. Under Subaccounts, select the subaccount that contains your SAP Cloud ALM subscription.

  4. Navigate to Security > Role Collections.

    Caution:

    If you map role collections to user groups in SAP BTP, the users have the corresponding authorizations, but these roles are not displayed in the User Management of SAP Cloud ALM. For more information, see KBA 3472730.

  5. Select the role collection to which you want to add users.

  6. Choose Edit.

  7. Add users to this role collection as follows:

    • If you’re using the standard configuration in trust settings and identity provider that was set when you requested SAP Cloud ALM, enter the email address of the user into the fields ID and E-Mail. Select Custom IAS Tenant as identity provider.

    • If you've manually connected the identity provider or selected a different identification attribute (such as user ID) in your identity provider, enter the identification attribute that you maintained there in the field ID and select the correct identity provider.

      Caution:

      Don't use the identity provider Default identity provider, SAP ID Service, or sap.default.
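
The rules in step 7 can be checked before the values are typed into the cockpit. The following script is an added example, not part of the SAP documentation: it validates an administrator's own worksheet of planned assignments. The CSV column names and the sample rows are constructed, and the check assumes that every row naming Custom IAS Tenant uses the standard configuration (ID equals the email address).

```python
import csv
import io

# Identity providers the page says not to use for role collection assignments.
FORBIDDEN_IDPS = {"default identity provider", "sap id service", "sap.default"}
# Identity provider name used in the standard configuration, as given on the page.
STANDARD_IDP = "custom ias tenant"


def check_assignments(csv_text):
    """Return (line_number, problem) tuples for rows that break the step 7 rules.

    The columns role_collection, id, email and identity_provider are
    hypothetical; they describe a worksheet kept by the administrator.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        user_id = (row.get("id") or "").strip()
        email = (row.get("email") or "").strip()
        idp = (row.get("identity_provider") or "").strip().lower()
        if not user_id:
            findings.append((line_no, "ID is empty"))
        if idp in FORBIDDEN_IDPS:
            findings.append((line_no, "identity provider must not be used"))
        elif idp == STANDARD_IDP and user_id.lower() != email.lower():
            findings.append(
                (line_no, "standard configuration: ID must be the email address"))
    return findings


# Constructed sample worksheet (not real users).
SAMPLE = """
role_collection,id,email,identity_provider
Global Administrator,alice@example.com,alice@example.com,Custom IAS Tenant
User Administrator,bob@example.com,bob@example.com,sap.default
Global Administrator,P000123,carol@example.com,Custom IAS Tenant
User Administrator,dave@example.com,dave@example.com,SAP ID Service
"""

if __name__ == "__main__":
    for line_no, problem in check_assignments(SAMPLE):
        print(f"line {line_no}: {problem}")
```
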

  • Role Collections
    Role collections in SAP Cloud ALM are delivered predefined and ready to use.
  • Role Templates
    Besides predefined role collections, which are ready to use, some areas also offer single role templates. Before you can use these role templates, you need to assign them to a role collection.