8.1 KiB
SAP Cloud Transport Management - Security & Roles Reference
Role Templates
SAP Cloud Transport Management provides seven role templates for access management.
1. Administrator
Scope: Overall administration for all TMS tasks
Capabilities:
- Manage import queues
- Forward transport requests
- Reset transport request statuses
- Full landscape configuration
- All other role capabilities
2. LandscapeOperator
Scope: Transport infrastructure management
Capabilities:
- Create transport nodes
- Create transport routes
- Edit transport nodes and routes
- Delete transport nodes and routes
Pre-delivered Collection: TMS_LandscapeOperator_RC
3. TransportOperator
Scope: Import queue operations
Capabilities:
- Remove files from import queues
- Forward transport requests
- Reset transport request statuses
- Upload MTA extension descriptors
- Schedule imports
- Enable/disable automatic imports
Node-Specific Attribute: TmsNodesTransportOperator
4. ImportSelectedOperator
Scope: Selective import operations
Capabilities:
- Start import of selected requests in import queue
5. ImportOperator
Scope: Bulk import operations
Capabilities:
- Start import of all transport requests in import queue
- Test modifiable transport requests
Node-Specific Attribute: TmsNodesImport
6. ExportOperator
Scope: Export and upload operations
Capabilities:
- Add files to import queues
- Create modifiable transport requests
Node-Specific Attribute: TmsNodesExport
7. Viewer
Scope: Read-only access
Capabilities:
- View all TMS information
- No landscape configuration
- No import capabilities
- No modification capabilities
Pre-delivered Collection: TMS_Viewer_RC
Pre-Delivered Role Collections
| Collection | Included Role |
|---|---|
TMS_LandscapeOperator_RC |
LandscapeOperator |
TMS_Viewer_RC |
Viewer |
Node-Specific Restrictions
Three roles support restricting operations to specific transport nodes.
Attributes
| Role | Attribute |
|---|---|
| TransportOperator | TmsNodesTransportOperator |
| ImportOperator | TmsNodesImport |
| ExportOperator | TmsNodesExport |
Usage
- Create role from template
- Add attribute with node name(s)
- Assign to role collection
- User can only operate on specified nodes
Example: Restrict TransportOperator to only DEV and TEST nodes.
Service Plans for API Access
Standard Plan
Authorization Level: Full access
Capabilities:
- All Cloud Transport Management API operations
- File upload, export, import, management
Use Cases:
- Default for standard integrations
- SAP Cloud ALM integration
- Solution Manager integrations
Export Plan
Authorization Level: Export actions only
Capabilities:
- File upload
- Node upload
- Node export actions
Use Cases:
- CI/CD pipelines
- Solution Lifecycle Management
- External archive upload scenarios
Restrictions:
- Cannot import
- Cannot reset
- Cannot forward
- Cannot delete
Transport Operator Plan
Authorization Level: Transport operations only
Capabilities:
- Import operations
- Reset operations
- Forward operations
- Delete operations
Restrictions:
- Cannot upload files
- Cannot export
Role Assignment Matrix
| Action | Admin | Landscape | Transport | ImportSel | Import | Export | Viewer |
|---|---|---|---|---|---|---|---|
| View all | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create nodes | ✓ | ✓ | |||||
| Create routes | ✓ | ✓ | |||||
| Edit nodes/routes | ✓ | ✓ | |||||
| Delete nodes/routes | ✓ | ✓ | |||||
| Add files | ✓ | ✓ | |||||
| Import all | ✓ | ✓ | |||||
| Import selected | ✓ | ✓ | ✓ | ||||
| Forward requests | ✓ | ✓ | |||||
| Reset requests | ✓ | ✓ | |||||
| Remove from queue | ✓ | ✓ | |||||
| Schedule imports | ✓ | ✓ | |||||
| Upload MTA desc | ✓ | ✓ | |||||
| Create modifiable | ✓ | ✓ | |||||
| Test modifiable | ✓ | ✓ |
Security Features
Malware Scanning
Policy: TMS does not perform malware scans on uploaded archives.
Rationale: Archives treated as "black box" content without processing or extraction.
Exception: MTA deployment descriptors are verified for malware-free content.
Responsibility: Target applications must perform malware scanning during deployment.
Encryption
Transport: SSL/TLS for all communications (HTTPS only)
Storage: Archives and MTA extension descriptors are NOT encrypted by persistency layer
Mitigation: Archives are only temporarily persisted and deleted after the configured file retention period (7-30 days depending on plan) has elapsed since the transport reached a final status (Deleted, Error, Skipped, Succeeded, Warning). See Storage Management in administration.md for retention details.
Audit Logging
Category: audit.security-events
Events Logged:
| Event | Description |
|---|---|
| Cleanup service runs | Scheduled file cleanup executed |
| Authorization check failed | API call without sufficient scope |
| Subscription plan updated | Plan changed successfully |
| Subscription plan update failed | Plan change failed |
Data Protection
Capabilities:
- Export transport action logs
- Export MTA extension descriptors
- Export landscape configurations
Use Cases:
- Data protection compliance
- Decommissioning processes
- Backup procedures
Backup Configuration
PostgreSQL (Main Database)
Contents: Landscape configuration, transport requests, log files
Backup: Automatic, 14-day retention
Restore: Datacenter level only (not individual customers)
Object Store
Contents: Uploaded files (MTAs), archived transport action logs
Backup: No automatic backup/restore
Manual Export Options
- Transport-related logs download
- MTA extension descriptors download
- Landscape configuration export
Best Practices
Role Assignment
- Principle of least privilege: Assign minimum required roles
- Separation of duties:
- Developers → ExportOperator
- Operations → TransportOperator, ImportOperator
- Admins → Administrator (sparingly)
- Node restrictions: Use attributes to limit scope
Technical Users
-
Use technical users for:
- Destination authentication
- CI/CD integrations
- Automated operations
-
Benefits:
- Avoid password rotation issues
- No personal data considerations
- Consistent authentication
Security Monitoring
- Review audit logs regularly
- Monitor for authorization failures
- Track subscription plan changes
Documentation Links
- Security: https://github.com/SAP-docs/sap-btp-cloud-transport-management/blob/main/docs/60-security/security-51939a4.md
- Auditing: https://github.com/SAP-docs/sap-btp-cloud-transport-management/blob/main/docs/60-security/auditing-and-logging-information-9e3ee94.md
- Data Protection: https://github.com/SAP-docs/sap-btp-cloud-transport-management/blob/main/docs/60-security/data-protection-and-privacy-a2749d5.md
- Backup: https://github.com/SAP-docs/sap-btp-cloud-transport-management/blob/main/docs/50-administration/configuring-backup-8d15541.md