User Administration, Authentication, and Authorizations

Access to SaaS application:

SAP Solution Sales Configuration- cloud edition delivers two roles (SAP BTP role collections) - SAP SSC Configuration User (required to access configuration UI) and SSC Admin User (required to access admin UI). If you don’t have role assignments, you won't be able to access the SAP SSC application or services.

Administrators must set up corresponding roles in the connected IDP. Assign them to relevant users and send them along in the SAML assertion.

Some details:

  • SAP BTP requires you to connect IDPs send role assignments in assertion attribute called Groups. It's important to consider this aspect while mapping your IDP.

  • You can choose any names for groups (for example, ssc_configuration and ssc_admin). For more information see, Federation Attribute Settings of Any Identity Provider

Once an IDP is set up to convey your group memberships in the Groups assertion attribute, the same group names must be mapped to the corresponding SAP BTP role collections available for SAP SSC in the tenant subaccount. For more information see, Map Role Collections to User Groups

Customers are responsible to retract roles and authorizations again from their employees when not needed anymore.

Access to SSC Cloud Services (API):

Customers need to create a service instance of the SAP Solution Sales Configuration- cloud edition service. Once it's created, they obtain the client credentials that are necessary to retrieve the OAuth token. They can then access the service using the OAuth token.

TheOAuth token includes the permission to call the service endpoints. There are no additional scopes required. The applications that call the services must implement a proper role and authorization concept to ensure that only intended data is displayed to its users.

The validity of the OAuth token for the services is up to 15 minutes.

All service endpoints providing business logic are secured. Communication with clients is done via HTTPS. The content of all incoming requests to the services is validated.