As a continuation of the Setup Cloud Foundry BTP Environment example, we'll explore the capabilities of SAP Automation Pilot to manage users and their permissions on subaccount, organization and space level.
This example provides two commands which utilize the SAP Authorization and Trust Management Service (xsuaa-sapcp) and Cloud Foundry (cf-sapcp) provided catalogs.
GrantAdministratorPrivileges performs the following actions on the target user:
- Assigns Subaccount Administrator role collection
- Assigns Org Manager role
- Assigns Space Manager role
GrantDeveloperPrivileges performs the following actions on the target user:
- Assigns Subaccount Viewer role collection
- Assigns Org Auditor role
- Assigns Space Developer role
MassGrantPrivileges builds upon the above commands and executes them on multiple users at once.
ℹ️ Make sure to check the other examples in the BTP Provisioning section.
To use this example you'll need the following:
- BTP subaccount
- Configured Cloud Foundry environment
- Instance of SAP Authorization and Trust Management Service with plan apiaccess and a service key/binding with default configurations
- One or more custom identity providers
Check out the following resources for more information:
- Example: Create and Configure BTP Subaccount
- Example: Setup Cloud Foundry BTP Environment
- Getting Started in the Cloud Foundry Environment
- SAP Authorization and Trust Management Service
- Access Administration Using APIs of the SAP Authorization and Trust Management Service
- Trust and Federation with Identity Providers
Import the content of examples catalog in your Automation Pilot tenant. Navigate to the MassGrantPrivileges command and trigger it.
You'll need to provide values for the following input keys:
- region - Technical name of your SAP BTP region, e.g. cf-eu10, cf-us20
- org - Name of your Cloud Foundry organization
- space - Name of your Cloud Foundry space
- user - Email or ID of your technical user
- password - Password of your technical user
- identityProvider - Optional: origin key of your identity provider. Defaults to sap.ids
- serviceKey - Service key for SAP Authorization and Trust Management Service for apiaccess plan
- developers - Email addresses of the target users which should be granted developer privileges
- administrators - Email addresses of the target users which should be granted administrator privileges
- targetIdentityProvider - Optional: origin key of the target user's identity provider. Defaults to sap.ids
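Before triggering MassGrantPrivileges it is worth reviewing what the two user lists will actually grant. The following pre-flight check is an added example, not part of the examples catalog or of SAP Automation Pilot: it assumes the developers and administrators inputs are available as Python lists of strings, and the function name plan_mass_grant is hypothetical. It holds back any user who appears in both lists or whose entry is not an email address, and returns the remaining grants for review.

```python
import re

# Role sets exactly as listed on this page for the two single-user commands.
GRANTS = {
    "GrantAdministratorPrivileges": ("Subaccount Administrator", "Org Manager", "Space Manager"),
    "GrantDeveloperPrivileges": ("Subaccount Viewer", "Org Auditor", "Space Developer"),
}
DEFAULT_ORIGIN = "sap.ids"  # default origin key stated on this page
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse shape check only


def _dedupe(users):
    """Trim and de-duplicate case-insensitively, keeping the first-seen spelling."""
    out = {}
    for u in users:
        u = u.strip()
        if u:
            out.setdefault(u.casefold(), u)
    return out  # casefolded key -> original spelling


def plan_mass_grant(developers, administrators, target_identity_provider=None):
    """Return (plan, findings) for review before a MassGrantPrivileges run.

    plan: (user, origin, command, roles) tuples that passed every check.
    findings: entries held back, to be resolved before triggering the command.
    """
    origin = target_identity_provider or DEFAULT_ORIGIN
    devs, admins = _dedupe(developers), _dedupe(administrators)
    findings, blocked = [], set()
    for key, user in {**devs, **admins}.items():
        if not EMAIL.match(user):
            findings.append(f"not an email address: {user}")
            blocked.add(key)
    # A user in both lists would end up with the broader administrator set,
    # so hold them back until someone decides which role they should have.
    for key in devs:
        if key in admins:
            findings.append(f"listed as developer and administrator: {devs[key]}")
            blocked.add(key)
    plan = []
    for command, users in (("GrantAdministratorPrivileges", admins),
                           ("GrantDeveloperPrivileges", devs)):
        plan += [(u, origin, command, GRANTS[command])
                 for k, u in users.items() if k not in blocked]
    return plan, findings
```

An empty findings list means every listed user maps to exactly one of the two privilege sets.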
After the successful execution of the command, you can check which users were reassigned to another identity provider:
To grant privileges to a single user, navigate to the GrantAdministratorPrivileges or GrantDeveloperPrivileges commands and trigger them.
You'll need to provide values for the following input keys:
- region - Technical name of your SAP BTP region, e.g. cf-eu10, cf-us20
- org - Name of your Cloud Foundry organization
- space - Name of your Cloud Foundry space
- user - Email or ID of your technical user
- password - Password of your technical user
- identityProvider - Optional: origin key of your identity provider. Defaults to sap.ids
- serviceKey - Service key for SAP Authorization and Trust Management Service for apiaccess plan
- targetUser - User to whom the privileges will be granted
- targetIdentityProvider - Optional: origin key of the target user's identity provider. Defaults to sap.ids
ℹ️ You can verify the result of your executions by navigating to your BTP subaccount and choosing Security -> Users.