While we have tried to make upgrading your account management feature set as simple as possible, we've had to make a few adjustments. To help you find your way, we've gathered a summary of changes you can expect in your accounts.
For more information about the upgrade process itself, see SAP Note 3027721.
If you deactivated the default identity provider, SAP ID service, for business users in multi-environment subaccounts in cloud management tools feature set A, the process of upgrading to cloud management tools feature set B reactivates the default identity provider. We reactivate the default identity provider because cloud management tools feature set B also uses it for platform users.
Keep at least one user from the default identity provider in each account so that you still have access if there are ever issues with a custom identity provider.
Even though the default identity provider has been reactivated, the option to authenticate with the default identity provider is hidden from business users. Business users are redirected to your custom identity provider. Hiding the default identity provider ensures that the user experience for your business users remains the same. Users from the default identity provider can log on only if they are authorized, in other words, only if they have existing shadow users.
For more information about shadow users, see Working with Users.
Whether the default identity provider was reactivated or not, applications that share the default identity provider, such as SAP Support Portal or your demo application in your subaccount, no longer require reauthentication when you switch from one application to the other. This change improves the single sign-on experience.
In cloud management tools feature set B you're free to integrate custom identity providers for platform users. If you use custom identity providers for platform users in cloud management tools feature set A, you can't move to cloud management tools feature set B. Details about the ability to upgrade existing custom identity provider configurations for platform users from cloud management tools feature set A to cloud management tools feature set B will be covered in the future.
This limitation doesn't apply to business users of your applications.
With cloud management tools feature set B, global account users from the SAP ID service are identified by their e-mail address and not their user ID. If you have multiple user accounts that share the same e-mail address, they all get the same authorizations.
The following table lists the role collections for account administration that a user has in cloud management tools feature set B, based on the role memberships the user had in cloud management tools feature set A.
Account Authorization Mappings Between Feature Set A and Feature Set B

Authorizations in Feature Set A | Authorizations in Feature Set B | More Information |
---|---|---|
Administrator of global account | Global Account Administrator in global account and Subaccount Administrator in multi-environment subaccounts | In cloud management tools feature set A, members of the global account have global account administrator privileges. Such users can create and manage subscriptions for subaccounts. |
Security administrator in multi-environment subaccount | Subaccount Administrator in multi-environment subaccount | Security administrators rely mostly on the User & Role Administrator role for their authorizations. In cloud management tools feature set B, these authorizations are bundled in the Subaccount Administrator role collection. |
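
The following pre-upgrade check is an added example, not SAP tooling or code from this documentation. It applies the account authorization mapping above and the e-mail-based identification described earlier to show which user IDs gain role collections because they share an e-mail address. The input record layout, the sample user IDs and addresses, and the case-insensitive e-mail comparison are assumptions.

```python
from collections import defaultdict

# Feature set A membership -> feature set B role collections, taken from the
# account authorization mapping table on this page.
A_TO_B = {
    "Administrator of global account": {
        "Global Account Administrator", "Subaccount Administrator"},
    "Security administrator in multi-environment subaccount": {
        "Subaccount Administrator"},
}

def merged_authorizations(users):
    """Group users by e-mail and return, per e-mail, the union of feature set B
    role collections plus the user IDs that gain something from the merge."""
    by_email = defaultdict(list)
    for u in users:
        # Assumption: e-mail addresses are compared case-insensitively.
        by_email[u["email"].strip().lower()].append(u)

    report = {}
    for email, group in by_email.items():
        # Role collections each user ID would hold on its own after mapping.
        own = {u["user_id"]: set().union(*(A_TO_B.get(r, set()) for r in u["roles_a"]))
               for u in group}
        # Feature set B keys on the e-mail, so every ID gets the union.
        merged = set().union(*own.values())
        gains = {uid: sorted(merged - roles) for uid, roles in own.items()
                 if merged - roles}
        report[email] = {"role_collections": sorted(merged), "gains": gains}
    return report

# Constructed sample export (hypothetical user IDs and addresses).
SAMPLE = [
    {"user_id": "P000001", "email": "ops@example.com",
     "roles_a": ["Administrator of global account"]},
    {"user_id": "P000002", "email": "Ops@example.com",
     "roles_a": ["Security administrator in multi-environment subaccount"]},
    {"user_id": "P000003", "email": "dev@example.com", "roles_a": []},
]

if __name__ == "__main__":
    for email, entry in merged_authorizations(SAMPLE).items():
        print(email, entry)
```

Any entry with a non-empty `gains` map is a user ID whose effective authorizations widen after the upgrade and is worth reviewing beforehand.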
The following table lists the roles and role collections a user receives, based on the Cloud Foundry roles the user had in cloud management tools feature set A.
Mappings of Cloud Foundry Authorizations Between Feature Set A and Feature Set B

Authorizations in Feature Set A | Authorizations in Feature Set B | More Information |
---|---|---|
Org Manager, Space Manager, Space Developer | Org Manager, Space Manager, Space Developer | In cloud management tools feature set A, a user with the Org Manager, Space Manager, or Space Developer roles could also manage cloud connectors and destinations. To make sure that such users don't lose any authorizations, we check the users' authorizations and add the required role collections. |
Org Auditor, Space Auditor | Org Auditor, Space Auditor | No change. |
Any role collection that you created in cloud management tools feature set A whose name is a reserved role collection name in cloud management tools feature set B will have the suffix "(Custom)" appended to its name. For example, Subaccount Administrator will be renamed to Subaccount Administrator (Custom) after the upgrade.
The authorization model of Neo subaccounts remains the same in both feature sets.