zhongwei/gh-secondsky-sap-skills-skills-sap-btp-cias

Fork 0

Files

Zhongwei Li d5f8dc087c Initial commit

2025-11-30 08:54:54 +08:00

7.6 KiB

Raw Blame History

CIAS Role Assignment Templates

Templates and procedures for assigning roles in Cloud Integration Automation Service.

Role Collections Overview

Three role collections are automatically created during CIAS subscription:

Role Collection	Role	Purpose
`CIASIntegrationAdministrator`	Integration Administrator	Full access and administration
`CIASIntegrationExpert`	Integration Expert	Task execution
`CIASIntegrationMonitor`	Integration Monitor	Read-only monitoring

Role Assignment Templates

Template: Integration Administrator Assignment

Use for: IT administrators, solution architects, integration leads

Capabilities granted:

Access My Inbox application
Access Plan for Integration
Access Scenario Execution Monitoring
Plan integration scenarios and generate workflows
Review workflow execution plans
Monitor workflow execution
Terminate scenarios
Create destinations

Assignment procedure:

1. Navigate to SAP BTP Cockpit > [Subaccount] > Security > Role Collections
2. Select: CIASIntegrationAdministrator
3. Click: Edit
4. Go to: Users tab
5. Add users: [email1@domain.com, email2@domain.com]
6. Click: Save

Typical recipients:

Integration architects
BTP administrators
Project leads
System administrators

Template: Integration Expert Assignment

Use for: Functional consultants, configuration specialists, implementation team members

Capabilities granted:

Access My Inbox application
Work on assigned tasks
Execute manual and automated tasks
Add comments to tasks

Assignment procedure:

1. Navigate to SAP BTP Cockpit > [Subaccount] > Security > Role Collections
2. Select: CIASIntegrationExpert
3. Click: Edit
4. Go to: Users tab
5. Add users: [email1@domain.com, email2@domain.com]
6. Click: Save

Typical recipients:

Functional consultants
Configuration specialists
Implementation team members
Subject matter experts

Template: Integration Monitor Assignment

Use for: Project managers, auditors, stakeholders needing visibility

Capabilities granted:

Read-only access to Scenario Execution Monitoring
View task status
View execution progress

Assignment procedure:

1. Navigate to SAP BTP Cockpit > [Subaccount] > Security > Role Collections
2. Select: CIASIntegrationMonitor
3. Click: Edit
4. Go to: Users tab
5. Add users: [email1@domain.com, email2@domain.com]
6. Click: Save

Typical recipients:

Project managers
Internal auditors
Quality assurance
Stakeholders requiring visibility

Multi-User Assignment

Comma-Separated Assignment

You can assign multiple users per role with comma-separated user IDs:

Users: user1@domain.com, user2@domain.com, user3@domain.com

Bulk Assignment via Trust Configuration

For large teams, use Trust Configuration:

Navigate to Security → Trust Configuration
Select identity provider (SAP IDP, Custom IDP, or IAS tenant)
Map groups to role collections
Users in mapped groups automatically receive roles

Identity Provider Integration

SAP Cloud Identity Services (Default)

Trust Configuration:
  Identity Provider: SAP Cloud Identity Services
  Domain: accounts.sap.com

User Format: <email>@<domain>
Example: john.doe@company.com

Corporate Identity Provider (Custom IDP)

Trust Configuration:
  Identity Provider: Corporate SAML IDP
  Metadata: [Upload IDP metadata XML]

User Format: Per corporate IDP configuration
SAML Attribute: NameID (any supported format)

SAP Identity Authentication Service (IAS)

Trust Configuration:
  Identity Provider: IAS Tenant
  Tenant URL: [https://<tenant>.accounts.ondemand.com](https://<tenant>.accounts.ondemand.com)

User Format: <email> or <user_id>

Workflow User Assignment Template

When invoking workflows via Plan for Integration or Maintenance Planner:

Initial Task Assignment

Field: SAP BTP Workflow Users

Format: Comma-separated list of user IDs

Requirements:

Users must have access to specified SAP BTP subaccount
Users must be in configured identity provider
At least one user required

Template:

Workflow Users: admin@company.com, lead@company.com, consultant@company.com

Role-Based User Identification

During workflow execution, view role assignments:

Open task in My Inbox
Click role name in Task Instructions
View:
- Role description
- Complete list of assigned users

Task Claiming Behavior

Multi-User Task Assignment

When multiple users are assigned to a task:

Any assigned user can click Claim to lock the task
Task marked as Reserved for all other assigned users
Padlock icon appears next to claiming user in monitoring
Only claiming user can complete the task

Best Practices

Coordinate team assignments to avoid conflicts
Use Integration Monitor role for stakeholders needing visibility
Assign Integration Expert to implementation team members
Reserve Integration Administrator for lead personnel

Role Assignment Checklist

Before Assignment

Verify subaccount is subscribed to CIAS
Confirm identity provider is configured
Identify users requiring each role level
Verify user IDs exist in identity provider

During Assignment

Use correct role collection name
Add users via email ID or login user ID
Save changes after each modification
Verify assignment in Role Collection details

After Assignment

Have users test application access
Verify appropriate tiles are visible
Confirm task visibility in My Inbox
Check Scenario Execution Monitoring access (if applicable)

Troubleshooting Role Issues

User Cannot Access Application

Verify role collection assignment
Check identity provider user exists
Confirm user is logging in with correct credentials
Review trust configuration settings

User Cannot See Expected Tiles

Missing Tile	Required Role
My Inbox	Administrator or Expert
Plan for Integration	Administrator only
Scenario Execution Monitoring	Administrator or Monitor

User Cannot Claim Tasks

Verify user has Expert or Administrator role
Check if another user has already claimed the task
Confirm user is assigned to the specific task

Access Denied After IdP Change

Add users to new identity provider
Reassign role collections
Verify SAML attribute mapping
Test login with updated credentials

Documentation Links

Roles and Authorizations: https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/roles-and-authorizations-917f842.md
Role Assignment: https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/role-assignment-cd6b96b.md
Assigning Roles to Users: https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/assigning-roles-to-the-users-9ad530a.md
Identity Provider: https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/identity-provider-and-identity-management-1508b49.md

7.6 KiB Raw Blame History

CIAS Role Assignment Templates

Role Collections Overview

Role Assignment Templates

Template: Integration Administrator Assignment

Template: Integration Expert Assignment

Template: Integration Monitor Assignment

Multi-User Assignment

Comma-Separated Assignment

Bulk Assignment via Trust Configuration

Identity Provider Integration

SAP Cloud Identity Services (Default)

Corporate Identity Provider (Custom IDP)

SAP Identity Authentication Service (IAS)

Workflow User Assignment Template

Initial Task Assignment

Role-Based User Identification

Task Claiming Behavior

Multi-User Task Assignment

Best Practices

Role Assignment Checklist

Before Assignment

During Assignment

After Assignment

Troubleshooting Role Issues

User Cannot Access Application

User Cannot See Expected Tiles

User Cannot Claim Tasks

Access Denied After IdP Change

Documentation Links

7.6 KiB

Raw Blame History