BTP-账户授权

配置角色集合

分配角色集合

 

1.Configuring Role Collections

Role collections group together the different role templates that can be applied to the SAP Intelligent Robotic Process Automation users.

Context

As an administrator, you first need to create and set up your first role collections before assigning any users.

Procedure

1. Open the SAP BTP cockpit.
2. Go to your SAP Intelligent Robotic Process Automation subaccount and select Security  Role Collections.
3. Click the symbol to create a new role collection.
4. Enter the name and the description of your role collection. Click Create.
5. Select the role collection you just created and click Edit.
6. Click the field under Role Name, on the left-hand side. The pop-up screen Select: Role opens.
7. SAP BTP prompts you to make the following mandatory entries:

   • Role Name

     The roles come with the role templates of SAP Intelligent Robotic Process Automation.

     Tip

     If the fields in the popup are disabled, and you can't configure any role collection, this usually means that you didn't subscribe to your SAP Intelligent Robotic Process Automation subaccount. For more information, see Manually Subscribing to SAP Intelligent RPA in SAP Business Technology Platform (BTP).

   • Role Template

     Select one or several of the following pre-defined roles in SAP Intelligent Robotic Process Automation:

     • IRPAOfficer
     • IRPAProjectMember
     • IRPAParticipant
     • IRPAAgentUser
     • IRPASupervisor
     • IRPASystemManager
     • IRPAPersonalDataAccess
     • Document_Information_Extraction_UI_Templates_Admin

       For more information on annotating document templates, see Extract Document Information with Template and Standard Roles.

     Note

     IRPASupervisor, IRPASystemManager and IRPAPersonalDataAccess are now obsolete roles. You should avoid using them. For more information, see: Obsolete roles.

   • Application Identifier

     Since the application security descriptor contains the role template, it's necessary to choose the one specific to SAP Intelligent Robotic Process Automation.

     Tip

     To easily recognize the dedicated identifier for SAP Intelligent Robotic Process Automation, look for the one with uaa-ipa in the URL.

8. Click Add.
9. Save your changes.

 

2.Assigning Role Collections

 

You configured role templates in role collections, and now want to assign these role collections to your users.

You are using one or both of the following trust configurations:

• Default trust configuration (SAP ID service)
• Custom trust configuration (SAP BTP Identity Authentication service or any SAML 2.0 identity provider)

How you assign users to their authorizations depends on the type of trust configuration, and on whether or not you prefer to maintain the authorizations of individual users rather in the identity provider or in SAP Business Technology Platform (BTP). The following options are available:

• Directly assign role collections to users.
• Map role collections to user groups defined in your identity provider. You initially maintain the mapping between user groups and role collections once in SAP BTP and maintain group memberships of users in the identity provider.

Directly Assigning Role Collections to Users

You want to directly assign a role collection to a user. You can use this option for default and custom trust configurations.

Prerequisites

You have created role collections containing authorizations in the form of roles.

Procedure

1. Open the SAP BTP cockpit.
2. Go to your SAP Intelligent Robotic Process Automation subaccount and select Security  Trust Configuration.
3. Choose the trust configuration for the identity provider of the user, for example SAP ID.
4. Enter the user's name, for example john.doe@example.com.
   Note

   If you are using a custom trust configuration, enter the user name according to the name ID format configured in the identity provider. If you are using SAP ID Service, enter the e-mail address.

5. To see the role collections that are currently assigned to this user, choose Show Assignments.
6. To assign a role collection, choose Assign Role Collection. Select the name of the role collection you want to assign.
7. Click Assign Role Collection to save your changes.

   You have assigned a role collection to a user.

Mapping Role Collections to User Groups

You want to assign a role collection to a user group provided by an SAML 2.0 identity provider that has a custom trust configuration in SAP BTP. In this case, the assignment is a mapping of a user group to a role collection. Your identity provider provides the user groups using the SAML assertion attribute called Groups. Each value of the attribute is mapped to a role collection as described in this procedure.

Prerequisites

• You have configured your custom SAML 2.0 identity provider and established trust in your SAP Intelligent Robotic Process Automation subaccount.
  Remember

  The name of the trust configuration is different from SAP ID Service. The name of a custom trust configuration to SAP BTP Identity Authentication service could be as follows:

  https://Identity_Authentication_tenant>.accounts.ondemand.com

• You have configured the identity provider so that it conveys the user's group memberships in the Groups assertion attribute.
• You have created role collections containing authorizations in the form of roles.

Context

The SAML 2.0 identity provider provides the users, who can belong to user groups. It’s efficient to map user groups to role collections. The role collection as a reusable element contains the authorizations that are necessary for this user group. This saves time when you want to add a new user. Simply add the user to the respective user group or groups, and the user automatically gets all the authorizations that are included in the role collections.

For this reason, the assignment is a mapping of user groups to role collections.

Procedure

1. Open the SAP BTP cockpit.
2. Go to your SAP Intelligent Robotic Process Automation subaccount and select Security  Role Collections.
3. Select a role collection.
4. In the role collection overview page, choose the Edit button.
5. Under User Groups, select an identity provider.
6. Enter the name of the user group.
   Tip

   You must use the exact name of the user group as provided by the identity provider.

   Example

   In the SAP BTP Identity Services - Identity Authentication, you find the user groups in the administration console of your SAP BTP Identity Services - Identity Authentication tenant under Users & Authorizations  User Groups. Open the administration console using https://<tenant_id>.accounts.ondemand.com/admin.

7. Save your changes.