Creating Custom Role Collections in SAP BTP: A Step-by-Step Guide -

SAP Business Technology Platform (BTP) is a comprehensive suite of integrated tools, services, and technologies designed to help businesses innovate, integrate, and scale their operations in the cloud. BTP encompasses a wide range of capabilities, including data management, analytics, artificial intelligence, application development, and integration services. By leveraging BTP, organizations can drive digital transformation, enhance decision-making, and streamline their processes.

SAP Business Technology Platform (BTP) provides a set of standard roles to facilitate the management and administration of the BTP platform. These roles are organized into role collections for easier assignment and management.

Standard Role Collections:

In BTP, roles are grouped into role collections, which are then assigned to users or user groups or indirectly to attributes such as groups. A role is created from a role template, allowing you to define specific permissions and functionalities. These roles are then bundled into a role collection. Using the SAP BTP cockpit, you can view and manage the role collections, as well as the roles within each collection. This system simplifies the process of assigning roles to users, ensuring that the right permissions are granted efficiently.

Additionally, role collections can be customized to meet the specific needs of your organization. This flexibility allows for the creation of tailored role collections that align with business requirements and security policies. Below are the standard role collection available:

Role Collection

Role Name

Role Template

Role Description

Global Account Administrator

Global Account Admin

GlobalAccount_Admin

Role for global account members with read-write authorizations for core commercialization operations, such as updating global accounts, setting entitlements, and creating, updating, and deleting subaccounts.

Global Account Administrator

Global Account Usage Reporting Viewer

GlobalAccount_Usage_Reporting_Viewer

Role for global account members with read-only authorizations for core commercialization operations, such as viewing global account usage information.

Global Account Administrator

User and Role Administrator

xsuaa_admin

Manage authorizations, trusted identity providers, and users.

Global Account Administrator

System Landscape Administrator

GlobalAccount_System_Landscape_Administrator

Administrative access to systems and scenario-related resources.

Global Account Viewer

System Landscape Viewer

GlobalAccount_System_Landscape_Viewer

Viewer access to systems and scenario-related resources.

Subaccount Administrator

Cloud Connector Administrator

Cloud_Connector_Administrator

Operate the data transmission tunnels used by the Cloud connector.

Creating a Custom Role Collection:

Custom role collections in BTP provide a structured and efficient way to manage user permissions, enhancing security, compliance, and operational efficiency. Custom role collections are crucial in BTP for several reasons:

Security and Compliance: Custom role collections ensure that users have the appropriate permissions required for their specific roles and responsibilities. This helps in maintaining security and compliance by following the principle of least privilege.
Operational Efficiency: By creating custom role collections, organizations can streamline the assignment of permissions. Instead of assigning individual roles to each user, a custom role collection can bundle multiple roles, making user management more efficient.
Tailored Access Control: Different teams or projects might require different sets of permissions. Custom role collections allow administrators to tailor access controls to meet the specific needs of various groups within the organization.

Prerequisites:

The User has administration rights in the subaccount and or global account.

The users are stored in identity providers that are connected to SAP BTP:

Default identity provider (SAP ID service).
Custom identity provider (SAP Cloud Identity Services).

Creating custom roles in SAP BTP allows you to tailor access controls to fit specific business requirements. Here’s how you can create and use custom roles: