Security and Roles Guide - SAP BTP Intelligent Situation Automation
Source: https://github.com/SAP-docs/sap-btp-intelligent-situation-automation/tree/main/docs
Last Verified: 2025-11-22
Overview
Intelligent Situation Automation uses role-based access control through SAP BTP role templates and role collections. Users must be assigned appropriate role collections to access application features.
Role Templates
Intelligent Situation Automation provides two role templates:
| Role Template | Purpose | Attributes |
|---|---|---|
| SituationAutomationKeyUser | Key user for daily operations | None |
| SituationAutomationAdminUser | Admin user for system management | None |
Note: Since these templates have no attributes, corresponding roles are created automatically. Templates with attributes require manual role creation with specified attribute values.
SituationAutomationKeyUser
Purpose
Key user access for managing situation automation on a daily basis.
Access Level
Full application access including all operational tiles.
Available Tiles
| Tile | Function |
|---|---|
| Manage Situation Actions | Create and manage custom actions |
| Manage Situation Automation | Configure automation rules and conditions |
| Situation Dashboard | View situation overview and status |
| Analyze Situations | Analyze resolution flows and outcomes |
| Delete Data Context | Manage data retention and cleanup |
| Explore Related Situations | View relationships between situations |
Typical Users
- Business process owners
- Operations managers
- Situation analysts
- Automation administrators
SituationAutomationAdminUser
Purpose
Admin access for system onboarding and technical configuration.
Access Level
Limited to system onboarding tasks.
Available Functions
| Function | Description |
|---|---|
| Onboard System | Add and configure S/4HANA systems |
| Edit System | Modify onboarded system details |
| Retry Onboarding | Retry failed onboarding attempts |
Typical Users
- System administrators
- Technical architects
- Initial setup personnel
RuleRepositorySuperUser
Purpose
Business rules management for authoring automation rules.
Origin
This role comes from SAP Business Rules service, not Intelligent Situation Automation.
Requirement
Key users who need to author rules must have both:
- SituationAutomationKeyUser
- RuleRepositorySuperUser
Role Collections
What Are Role Collections?
Role collections bundle one or more roles from one or more applications. They provide a convenient way to assign multiple permissions at once.
Creating Role Collections
- Navigate to SAP BTP Cockpit
- Go to your subaccount
- Navigate to Security → Role Collections
- Click Create
- Enter name and description
- Add roles from role templates
Recommended Role Collections
| Role Collection Name | Included Roles | Target Users |
|---|---|---|
| ISA Key Users* | SituationAutomationKeyUser, RuleRepositorySuperUser | Business users |
| ISA Administrators* | SituationAutomationAdminUser | Technical admins |
*Example names; customize based on your organization's naming conventions.
Reference: See Building Roles and Role Collections for Applications
Assigning Role Collections to Users
Prerequisites
Users must exist in one of:
- SAP ID service
- Identity Authentication service (IAS)
- Another configured identity provider (IdP)
Assignment Methods
| Identity Provider | Assignment Method |
|---|---|
| SAP ID service | Individual user assignment only |
| Identity Authentication | Individual users OR user groups |
| Other IdP | Individual users OR user groups |
Individual User Assignment
- Navigate to SAP BTP Cockpit
- Go to your subaccount
- Navigate to Security → Users
- Select the user
- Click Assign Role Collection
- Select appropriate role collection
- Confirm assignment
User Group Assignment (IAS/Custom IdP)
- Navigate to SAP BTP Cockpit
- Go to your subaccount
- Navigate to Security → Role Collections
- Select the role collection
- Go to User Groups tab
- Add user group from IdP
- All users in group receive the role collection
Required Role Collections by User Type
For Key Users (Daily Operations)
| Role Collection | Required |
|---|---|
| SituationAutomationKeyUser | Yes |
| RuleRepositorySuperUser | Yes (for rule authoring) |
For Admin Users (Setup Only)
| Role Collection | Required |
|---|---|
| SituationAutomationAdminUser | Yes |
Trust and Federation
Identity Provider Configuration
For detailed guidance on configuring trust with identity providers, see SAP BTP documentation for Trust and Federation with Identity Providers.
Common Configurations
| Configuration | Use Case |
|---|---|
| SAP ID service | Default BTP identity provider |
| SAP Cloud Identity Services | Enterprise SSO integration |
| Corporate IdP (SAML/OIDC) | Integration with existing IdP |
Authorization Flow
User Login
│
▼
Identity Provider
│
▼
BTP Authentication
│
▼
Role Collection Check
│
├─── SituationAutomationKeyUser ───► Access operational tiles
│
└─── SituationAutomationAdminUser ──► Access onboarding only
Best Practices
Role Assignment
- ✅ Create dedicated role collections for your organization
- ✅ Use descriptive names for role collections
- ✅ Document which users/groups have which roles
- ✅ Assign minimum necessary roles (least privilege)
- ✅ Use group-based assignment when possible (with IAS)
Security
- ✅ Review role assignments regularly
- ✅ Remove roles when users change responsibilities
- ✅ Separate admin and key user roles
- ✅ Track changes via audit logs
Common Mistakes
- ❌ Assigning SituationAutomationAdminUser to all users
- ❌ Forgetting RuleRepositorySuperUser for rule authors
- ❌ Not removing roles when users leave
- ❌ Over-permissioning for convenience
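The review recommended above can be scripted against an export of role collection assignments. The following is an added example, not part of the SAP documentation: the users, groups, the "ISA Operators" collection and the list of rule authors are constructed, and treating one user who holds both the admin and key user roles as a finding is an assumption drawn from the "Separate admin and key user roles" practice.

```python
# Added example: all users, groups and role collection names below are constructed.
KEY = "SituationAutomationKeyUser"
ADMIN = "SituationAutomationAdminUser"
RULES = "RuleRepositorySuperUser"

ROLE_COLLECTIONS = {  # role collection -> roles it bundles
    "ISA Key Users": {KEY, RULES},
    "ISA Operators": {KEY},
    "ISA Administrators": {ADMIN},
}
USER_ASSIGNMENTS = {  # individual assignment: user -> role collections
    "alice@example.com": {"ISA Key Users"},
    "bob@example.com": {"ISA Operators"},
    "carol@example.com": {"ISA Administrators", "ISA Key Users"},
    "dave@example.com": {"ISA Administrators"},
}
GROUP_ASSIGNMENTS = {"isa-analysts": {"ISA Operators"}}  # IdP group -> role collections
GROUP_MEMBERS = {"isa-analysts": {"dave@example.com", "erin@example.com"}}
RULE_AUTHORS = {"alice@example.com", "bob@example.com"}  # assumed list of rule authors


def effective_roles(users, groups, members, collections):
    """Resolve each user's roles from individual and group-based assignments."""
    held = {user: set(rcs) for user, rcs in users.items()}
    for group, rcs in groups.items():
        for user in members.get(group, ()):
            held.setdefault(user, set()).update(rcs)
    return {u: set().union(*(collections[rc] for rc in rcs)) for u, rcs in held.items()}


def audit(roles_by_user, rule_authors):
    """Return (user, finding) pairs for items from the Common Mistakes list."""
    findings = []
    for user, roles in sorted(roles_by_user.items()):
        if {ADMIN, KEY} <= roles:
            findings.append((user, "holds both admin and key user roles"))
        if user in rule_authors and not {KEY, RULES} <= roles:
            missing = sorted({KEY, RULES} - roles)
            findings.append((user, "rule author missing " + ", ".join(missing)))
    if roles_by_user and all(ADMIN in r for r in roles_by_user.values()):
        findings.append(("*", ADMIN + " assigned to all users"))
    return findings


if __name__ == "__main__":
    roles = effective_roles(USER_ASSIGNMENTS, GROUP_ASSIGNMENTS, GROUP_MEMBERS, ROLE_COLLECTIONS)
    for user, finding in audit(roles, RULE_AUTHORS):
        print(f"{user}: {finding}")
```

In the sample data, dave@example.com is flagged only because group membership adds the key user role to an individually assigned admin role, which is why the check resolves both assignment paths before comparing.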
Troubleshooting Access Issues
"Server Error" on Application Access
Symptom: Error message when accessing Manage Situation Automation app
Cause: User not assigned required role collection
Solution: Assign SituationAutomationKeyUser role collection to the user
Cannot Access Onboard System
Symptom: Onboard System app not visible or accessible
Cause: Missing admin role
Solution: Assign SituationAutomationAdminUser role collection
Cannot Create/Edit Rules
Symptom: Rule authoring functions unavailable
Cause: Missing rule repository role
Solution: Assign RuleRepositorySuperUser role collection in addition to SituationAutomationKeyUser
External Links
For a comprehensive list of SAP documentation links with document IDs, see references/external-links.md.
Key resources for role and security management:
- Building Roles and Role Collections: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/eaa6a26291914b348e875a00b6beb729.html
- Trust Configuration: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/cb1bc8f1bd5c482e891063960d7acd78.html
- Authorization Management: https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/6373bb7a96114d619bfdfdc6f505d1b9.html
Document Version: 1.0.0
Last Updated: 2025-11-22