gh-secondsky-sap-skills-ski…/references/roles-permissions.md
2025-11-30 08:55:15 +08:00

# SAP Service Manager Roles and Permissions

Complete reference for SAP Service Manager plans, roles, and scopes.

**Documentation**: [https://github.com/SAP-docs/sap-btp-service-manager/tree/main/docs/Service-Consumption/SAP-Service-Manager](https://github.com/SAP-docs/sap-btp-service-manager/tree/main/docs/Service-Consumption/SAP-Service-Manager)

---

## Table of Contents

1. [Service Manager Plans](#service-manager-plans)
   - [subaccount-admin](#1-subaccount-admin)
   - [subaccount-audit](#2-subaccount-audit)
   - [container](#3-container)
2. [Role Collections](#role-collections)
   - [Subaccount Service Administrator](#subaccount-service-administrator)
   - [Subaccount Service Viewer (Feature Set B)](#subaccount-service-viewer-feature-set-b)
3. [Plan Selection Guide](#plan-selection-guide)
4. [Scope Matrix](#scope-matrix)
5. [API Scope Requirements](#api-scope-requirements)
   - [Platforms API](#platforms-api)
   - [Brokers API](#brokers-api)
   - [Instances API](#instances-api)
   - [Bindings API](#bindings-api)
   - [Plans & Offerings API](#plans--offerings-api)
6. [Token Scope Verification](#token-scope-verification)
7. [Best Practices](#best-practices)
8. [Documentation Links](#documentation-links)

---
## Service Manager Plans
Three broker plans with different access levels:
### 1. subaccount-admin
**Purpose**: Full administrative access to manage all resources in a subaccount.
**Use Case**: Administrators who need to create, update, and delete all service resources.
**Scopes** (10 total):

| Scope | Description |
|-------|-------------|
| `subaccount_broker_manage` | Create, update, delete brokers |
| `subaccount_broker_read` | Read broker information |
| `subaccount_platform_manage` | Create, update, delete platforms |
| `subaccount_platform_read` | Read platform information |
| `subaccount_service_instance_manage` | Create, update, delete instances |
| `subaccount_service_instance_read` | Read instance information |
| `subaccount_service_binding_manage` | Create, delete bindings |
| `subaccount_service_binding_read` | Read binding information |
| `subaccount_service_plan_read` | Read service plans |
| `subaccount_service_offering_read` | Read service offerings |
---
### 2. subaccount-audit
**Purpose**: Read-only access for monitoring and auditing.
**Use Case**: Auditors, monitoring systems, and read-only dashboards.
**Scopes** (6 total):

| Scope | Description |
|-------|-------------|
| `subaccount_broker_read` | Read broker information |
| `subaccount_platform_read` | Read platform information |
| `subaccount_service_instance_read` | Read instance information |
| `subaccount_service_binding_read` | Read binding information |
| `subaccount_service_plan_read` | Read service plans |
| `subaccount_service_offering_read` | Read service offerings |
**Note**: No manage/write permissions.

---
### 3. container
**Purpose**: Isolated access scoped to individual service instances.
**Use Case**: Applications that need to manage their own bindings without access to other resources.
**Visibility Rules**:

- Instances created via container credentials are visible from:
  - The container instance itself
  - Instances of `subaccount-*` plans
- Instances created via container credentials are NOT visible from other container instances

**Scopes** (7 total):

| Scope | Description |
|-------|-------------|
| `container_service_instance_manage` | Manage container-scoped instances |
| `container_service_instance_read` | Read container-scoped instances |
| `container_service_binding_manage` | Manage container-scoped bindings |
| `container_service_binding_read` | Read container-scoped bindings |
| `subaccount_service_plan_read` | Read service plans |
| `subaccount_service_offering_read` | Read service offerings |
| `subaccount_resource_read` | Read subaccount resources |
---
## Role Collections
### Subaccount Service Administrator
**Description**: Full management access to service resources in the subaccount.
**Permissions** (10):
- Manage and read brokers
- Manage and read platforms
- Manage and read service instances
- Manage and read service bindings
- Read service plans
- Read service offerings
**Assignment**:
1. Navigate to subaccount > Security > Trust Configuration
2. Select SAP ID Service
3. Enter user email
4. Click Show Assignments > Add User
5. Assign Role Collection > Subaccount Service Administrator
---
### Subaccount Service Viewer (Feature Set B)
**Description**: Read-only access to service resources.
**Permissions** (6):
- Read brokers
- Read platforms
- Read service instances
- Read service bindings
- Read service plans
- Read service offerings
**Note**: Available only in Feature Set B subaccounts.

---
## Plan Selection Guide
| Scenario | Recommended Plan |
|----------|------------------|
| Administrative automation | subaccount-admin |
| CI/CD pipelines | subaccount-admin |
| Monitoring dashboards | subaccount-audit |
| Security auditing | subaccount-audit |
| Application self-service | container |
| Isolated microservices | container |
---
## Scope Matrix
| Scope | subaccount-admin | subaccount-audit | container |
|-------|------------------|------------------|-----------|
| Broker manage | Yes | No | No |
| Broker read | Yes | Yes | No |
| Platform manage | Yes | No | No |
| Platform read | Yes | Yes | No |
| Instance manage (subaccount) | Yes | No | No |
| Instance manage (container) | No | No | Yes |
| Instance read (subaccount) | Yes | Yes | No |
| Instance read (container) | No | No | Yes |
| Binding manage (subaccount) | Yes | No | No |
| Binding manage (container) | No | No | Yes |
| Binding read (subaccount) | Yes | Yes | No |
| Binding read (container) | No | No | Yes |
| Plan read | Yes | Yes | Yes |
| Offering read | Yes | Yes | Yes |
---
## API Scope Requirements
### Platforms API
| Operation | Required Scope |
|-----------|----------------|
| List platforms | `subaccount_platform_read` |
| Get platform | `subaccount_platform_read` |
| Register platform | `subaccount_platform_manage` |
| Update platform | `subaccount_platform_manage` |
| Delete platform | `subaccount_platform_manage` |
### Brokers API
| Operation | Required Scope |
|-----------|----------------|
| List brokers | `subaccount_broker_read` |
| Get broker | `subaccount_broker_read` |
| Register broker | `subaccount_broker_manage` |
| Update broker | `subaccount_broker_manage` |
| Delete broker | `subaccount_broker_manage` |
### Instances API
| Operation | Required Scope (subaccount) | Required Scope (container) |
|-----------|----------------------------|---------------------------|
| List instances | `subaccount_service_instance_read` | `container_service_instance_read` |
| Get instance | `subaccount_service_instance_read` | `container_service_instance_read` |
| Create instance | `subaccount_service_instance_manage` | `container_service_instance_manage` |
| Update instance | `subaccount_service_instance_manage` | `container_service_instance_manage` |
| Delete instance | `subaccount_service_instance_manage` | `container_service_instance_manage` |
### Bindings API
| Operation | Required Scope (subaccount) | Required Scope (container) |
|-----------|----------------------------|---------------------------|
| List bindings | `subaccount_service_binding_read` | `container_service_binding_read` |
| Get binding | `subaccount_service_binding_read` | `container_service_binding_read` |
| Create binding | `subaccount_service_binding_manage` | `container_service_binding_manage` |
| Delete binding | `subaccount_service_binding_manage` | `container_service_binding_manage` |
### Plans & Offerings API
| Operation | Required Scope |
|-----------|----------------|
| List plans | `subaccount_service_plan_read` |
| Get plan | `subaccount_service_plan_read` |
| List offerings | `subaccount_service_offering_read` |
| Get offering | `subaccount_service_offering_read` |
---
## Token Scope Verification
**Check token scopes**:
```bash
# Decode the JWT payload (no signature verification; inspection only)
payload=$(printf '%s' "<access_token>" | cut -d'.' -f2 | tr '_-' '/+')
# JWT segments use base64url without '=' padding; restore it before base64 -d
printf '%s' "$payload" | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d | jq '.scope'
```
**Expected format**:
```json
{
  "scope": [
    "<xsappname>.subaccount_service_instance_manage",
    "<xsappname>.subaccount_service_instance_read",
    ...
  ]
}
```
---
## Best Practices
1. **Principle of Least Privilege**: Use audit plan for read-only needs
2. **Container Isolation**: Use container plan for application self-service
3. **Separate Credentials**: Different credentials for different environments
4. **Rotate Credentials**: Regular rotation of client secrets
5. **Audit Access**: Monitor who has admin access
6. **X.509 for Production**: Use certificate auth in production
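
The following Python script is an added example (not code from the SAP documentation or from the skills repository this reference belongs to). It turns the plan tables, the API scope requirements and the token-inspection step above into checks a reviewer can run: it decodes a JWT payload with the base64url padding handled, strips the `<xsappname>.` prefix from each scope, answers whether a credential can perform a given API operation, flags write-capable scopes, and picks the least-privileged plan that covers a list of operations (the "Principle of Least Privilege" item above). The token is constructed and unsigned, `sm-demo!b0` is a placeholder xsappname, and the plan ordering used by `minimal_plan()` (audit, then container, then admin) is this example's own assumption.

```python
"""Scope checks for SAP Service Manager credentials (added example).

Plan, scope and operation names come from the tables in this reference. The
sample JWT is constructed and unsigned; the plan ordering in minimal_plan()
is an assumption of this example, not something the SAP documentation states.
"""
import base64
import json

# Plan -> scopes, as listed under "Service Manager Plans".
PLAN_SCOPES = {
    "subaccount-admin": {
        "subaccount_broker_manage", "subaccount_broker_read",
        "subaccount_platform_manage", "subaccount_platform_read",
        "subaccount_service_instance_manage", "subaccount_service_instance_read",
        "subaccount_service_binding_manage", "subaccount_service_binding_read",
        "subaccount_service_plan_read", "subaccount_service_offering_read",
    },
    "subaccount-audit": {
        "subaccount_broker_read", "subaccount_platform_read",
        "subaccount_service_instance_read", "subaccount_service_binding_read",
        "subaccount_service_plan_read", "subaccount_service_offering_read",
    },
    "container": {
        "container_service_instance_manage", "container_service_instance_read",
        "container_service_binding_manage", "container_service_binding_read",
        "subaccount_service_plan_read", "subaccount_service_offering_read",
        "subaccount_resource_read",
    },
}

# Operation -> scopes that satisfy it, from "API Scope Requirements". Where the
# table lists a subaccount and a container scope, either one is sufficient.
OPERATION_SCOPES = {
    "list_platforms": {"subaccount_platform_read"},
    "register_platform": {"subaccount_platform_manage"},
    "list_brokers": {"subaccount_broker_read"},
    "register_broker": {"subaccount_broker_manage"},
    "list_instances": {"subaccount_service_instance_read", "container_service_instance_read"},
    "create_instance": {"subaccount_service_instance_manage", "container_service_instance_manage"},
    "delete_instance": {"subaccount_service_instance_manage", "container_service_instance_manage"},
    "list_bindings": {"subaccount_service_binding_read", "container_service_binding_read"},
    "create_binding": {"subaccount_service_binding_manage", "container_service_binding_manage"},
    "delete_binding": {"subaccount_service_binding_manage", "container_service_binding_manage"},
    "list_plans": {"subaccount_service_plan_read"},
    "list_offerings": {"subaccount_service_offering_read"},
}


def b64url_decode(segment):
    """Decode one JWT segment: base64url alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(token):
    """Return the scope names in a JWT payload without the '<xsappname>.' prefix.

    The signature is NOT checked; like the shell one-liner above, this only
    inspects the payload. Authorization decisions stay with the resource server.
    """
    payload = json.loads(b64url_decode(token.split(".")[1]))
    # XSUAA tokens carry "<xsappname>.<scope>"; keep the part after the last dot.
    return {s.rsplit(".", 1)[-1] for s in payload.get("scope", [])}


def can_perform(scopes, operation):
    """True if the credential holds at least one scope that satisfies `operation`."""
    return bool(OPERATION_SCOPES[operation] & set(scopes))


def write_scopes(scopes):
    """Scopes that permit create/update/delete; handy when reviewing who holds admin rights."""
    return {s for s in scopes if s.endswith("_manage")}


def minimal_plan(operations):
    """Least-privileged plan whose scopes cover every operation, or None.

    Ordering is this example's assumption: audit (read-only) before container
    (writes, but only on the credential's own instances) before admin.
    """
    for plan in ("subaccount-audit", "container", "subaccount-admin"):
        if all(OPERATION_SCOPES[op] & PLAN_SCOPES[plan] for op in operations):
            return plan
    return None


def make_unsigned_sample_token(xsappname, scopes):
    """Build a constructed, unsigned JWT (empty signature) purely for this demo."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"scope": [xsappname + "." + s for s in sorted(scopes)]}
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


# Constructed sample: an audit-plan credential; "sm-demo!b0" is a placeholder xsappname.
SAMPLE_TOKEN = make_unsigned_sample_token("sm-demo!b0", PLAN_SCOPES["subaccount-audit"])

if __name__ == "__main__":
    scopes = token_scopes(SAMPLE_TOKEN)
    print("scopes:", sorted(scopes))
    print("can list instances:", can_perform(scopes, "list_instances"))    # True
    print("can create instance:", can_perform(scopes, "create_instance"))  # False
    print("write scopes held:", write_scopes(scopes))                      # set()
    print("read-only dashboard ->", minimal_plan(["list_instances", "list_bindings"]))
    print("app self-service    ->", minimal_plan(["create_binding", "delete_binding"]))
    print("broker registration ->", minimal_plan(["register_broker"]))
```

`minimal_plan()` is the useful part for plan selection: a workload that only lists instances and bindings is served by `subaccount-audit`, one that creates and deletes its own bindings by `container`, and anything touching brokers or platforms needs `subaccount-admin`. Note that combining a container-scoped write with a subaccount-wide read (for example `create_binding` plus `list_brokers`) also resolves to `subaccount-admin`, because the container plan carries no broker scopes; that is exactly the kind of mixed requirement worth splitting across two credentials.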
---
## Documentation Links
- **Broker Plans**: [https://github.com/SAP-docs/sap-btp-service-manager/blob/main/docs/Service-Consumption/SAP-Service-Manager/sap-service-manager-broker-plans-917a8a7.md](https://github.com/SAP-docs/sap-btp-service-manager/blob/main/docs/Service-Consumption/SAP-Service-Manager/sap-service-manager-broker-plans-917a8a7.md)
- **Roles**: [https://github.com/SAP-docs/sap-btp-service-manager/blob/main/docs/Service-Consumption/SAP-Service-Manager/sap-service-manager-roles-d95fbe7.md](https://github.com/SAP-docs/sap-btp-service-manager/blob/main/docs/Service-Consumption/SAP-Service-Manager/sap-service-manager-roles-d95fbe7.md)
- **Role Assignment**: [https://github.com/SAP-docs/sap-btp-service-manager/blob/main/docs/Service-Consumption/SAP-Service-Manager/assign-the-subaccount-service-administrator-collection-0735965.md](https://github.com/SAP-docs/sap-btp-service-manager/blob/main/docs/Service-Consumption/SAP-Service-Manager/assign-the-subaccount-service-administrator-collection-0735965.md)