User authorizations are managed by assigning role collections to users (for example, Subaccount Administrator). Use the SAP BTP command-line interface (btp CLI) to manage roles and role collections, and to assign role collections to users.
All of these commands can be executed in the global account, a directory, or in a subaccount. To choose the level, use the btp target command. See Set a Target for Subsequent Commands with btp target.
Role collections are user-related authorizations that allow access to resources and services. You give users permissions by assigning role collections to them. All users in the global accounts, directories, and subaccounts are stored in identity providers, either in the default or in a custom identity provider. When the first role collection assignment to a user happens, SAP BTP creates a copy of this user in the global account, directory, or subaccount. This copy of the user is called a shadow user.
When you make the first role collection assignment to a user through the btp CLI, you need to create the shadow user with the parameter --create-user-if-missing. For example, after creating a subaccount, assign the role collection "Subaccount Administrator" to a user with the following command:
btp assign security/role-collection "Subaccount Administrator" --to-user name@example.com --create-user-if-missing --subaccount "my-subaccount-id"
See Role Collections and Roles in Global Accounts, Directories, and Subaccounts [Feature Set B] and User and Member Management.
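Because the first assignment with --create-user-if-missing also creates the shadow user, it helps to review assignments before running them. The following is an added example, not SAP's code: it prints the command shown above for each requested assignment and refuses malformed input and administrator role collections for users who are not on an approved list. The request format, the approved list, the sample users, and the function name plan_assignments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SAP's code): plan role collection assignments, print only.
# Constructed sample requests, one "user|role collection" per line.
REQUESTS='alice@example.com|Subaccount Administrator
bob@example.com|Subaccount Viewer
mallory@example.com|Subaccount Administrator
not-an-email|Subaccount Viewer'
# Assumption: users cleared to hold administrator role collections.
APPROVED_ADMINS='alice@example.com'

# Hypothetical helper. usage: plan_assignments SUBACCOUNT_ID < requests
# Prints one btp command per accepted request; returns the number refused.
plan_assignments() {
  subaccount=$1 refused=0
  case $subaccount in ''|*[!A-Za-z0-9-]*) echo "bad subaccount ID" >&2; return 255 ;; esac
  while IFS='|' read -r user rc; do
    [ -n "$user" ] || continue
    # Accept only plain e-mail-shaped users and simple role collection names,
    # so nothing in the printed command needs escaping.
    case $user in
      *[!A-Za-z0-9._%+@-]*|*@*@*|@*|*@) ok=0 ;;
      *@*) ok=1 ;;
      *) ok=0 ;;
    esac
    case $rc in ''|*[!A-Za-z0-9_\ -]*) ok=0 ;; esac
    if [ "$ok" -eq 0 ]; then
      echo "REFUSED (malformed): $user -> $rc" >&2
      refused=$((refused + 1)); continue
    fi
    # Administrator role collections go only to approved users.
    case $rc in *Administrator*)
      if ! printf '%s\n' "$APPROVED_ADMINS" | grep -qxF -- "$user"; then
        echo "REFUSED (not approved for admin): $user -> $rc" >&2
        refused=$((refused + 1)); continue
      fi ;;
    esac
    # --create-user-if-missing creates the shadow user on first assignment.
    printf 'btp assign security/role-collection "%s" --to-user %s --create-user-if-missing --subaccount "%s"\n' \
      "$rc" "$user" "$subaccount"
  done
  return "$refused"
}

printf '%s\n' "$REQUESTS" | plan_assignments "my-subaccount-id" ||
  echo "$? request(s) refused" >&2
```

The script only prints the plan; run the printed commands after reviewing them and setting the target level.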
Task | Run the command ... | Command help |
---|---|---|
List users | | |
Get details about a specific user, including role collections | | |
Delete a user | | |
Assign a role collection to a user | | |
Unassign a role collection from a user | | |
A role is an instance of a role template; you can build a role based on a role template and assign the role to a role collection. See Add Roles to Role Collections on the Application Level.
Task | Run the command ... | Command help |
---|---|---|
List apps | | |
Get details about a specific application | To get the ID of a specific app, run . | |
List roles | | |
Get details about a specific role | | |
Create a role | | |
Delete a role | | |
Add a role to a role collection | | |
Remove a role from a role collection | | |
Role collections consist of roles, which, in turn, are based on role templates. Role collections are specific to account entities, that is, there are different role collections in global accounts, subaccounts, and directories. There are predefined role collections, such as Global Account Administrator and Subaccount Viewer. For more information, see Role Collections and Roles in Global Accounts, Directories, and Subaccounts [Feature Set B].
Task | Run the command ... | Command help |
---|---|---|
List role collections | | |
Get details about a specific role collection | | |
Create a role collection | | |
Change the description of a role collection | | |
Delete a role collection | | |
Related Information
Working with Global Accounts, Directories, and Subaccounts Using the btp CLI
Setting Entitlements Using the btp CLI
Working with Environments Using the btp CLI
Working with Multitenant Applications Using the btp CLI
Working with External Resource Providers Using the btp CLI
Working With Resources of the SAP Service Manager Using the btp CLI
Security Administration: Managing Authentication and Authorization
Set a Target for Subsequent Commands with btp target
Role Collections and Roles in Global Accounts, Directories, and Subaccounts [Feature Set B]