Authorization management enables Identity Authentication administrators to use authorization policies in multiple environments, configure them, and assign them to users.
When you subscribe to an application that supports authorization policies, the system sets up an application in Identity Authentication for you and from there you can assign authorizations. An authorization management tenant is automatically created as a new tenant. Service instances and bindings are added automatically.
For more information, see Subscribe to Multitenant Applications Using the Cockpit.
- Your application supports authorization policies. Refer to the documentation of your application.
- Your user has administrative permissions in Identity Authentication with the following authorizations:
  - Manage Applications
  - Manage Groups
  - Read Users

  For more information, see Edit Administrator Authorizations.
- You are using SAP Cloud Identity Services - Identity Authentication. For more information, see Tenants.
If your application doesn't have an Authorization Policies tab, it doesn't support authorization management.
Authorization management allows SAP Cloud Identity Services administrators to refine authorization policies based on application policy templates with complex instance restrictions for data access. Developers define and deploy authorization policies with functional checks, instance-based authorizations, and user attributes. They're available in the Identity Authentication administration console. If necessary, developers can update existing authorization policies.
For more information, see Developing Authorizations.
An authorization policy is a collection of rules that are applied to resources and restricted by conditions. Authorization policies are defined by developers and come with the respective application.
Setting Up Authorization Policies

| Task | User Role | Tool |
|---|---|---|
| Define authorization policies | Developer | Development environment |
| Deploy authorization policies with the application | Developer | Development environment |
| Modify authorization policies | Administrator | Administration console |
| Assign authorization policies to users | Administrator | Administration console |
| Delete authorization policies | Administrator | Administration console |

We distinguish between different types of authorization policies. You recognize the different types in the Package column.
- The package name of the base policies is defined by the application.
- Customers can deploy their own authorization policies in customer-developed packages, which have the package name Customer Package in the list of authorization policies.

Authorization Policy Types

| Type | Description |
|---|---|
| Base authorization policy | Authorization policy delivered by the application. Administrators can copy the authorization policy and modify the copy. The copy, modified or not, is a custom authorization policy. You can't change or delete a base authorization policy in the administration console. |
| Custom authorization policy | Authorization policy created by administrators. You can change and delete this authorization policy in the administration console. |

To make sure that authorization management is resilient, we've introduced an upper limit of 200 custom authorization policies and 200 base authorization policies that can be defined per application.
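
A simplified model of the behaviour described above, as an added example (not SAP code, and not the policy language or API of Identity Authentication): a policy is a set of rules on resources restricted by conditions, base policies are immutable, a copy becomes a custom policy that can be restricted further, and each type is capped at 200 per application. The class names, the `salesOrders` resource, the `country` attribute and the default-deny evaluation are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_PER_TYPE = 200  # per-application limit for each policy type, as stated on this page

@dataclass(frozen=True)
class Rule:
    action: str
    resource: str
    conditions: tuple = ()  # ((attribute, frozenset of allowed values), ...)

    def permits(self, action, resource, attrs):
        # A missing attribute never satisfies a condition (assumed behaviour).
        return (action, resource) == (self.action, self.resource) and all(
            attrs.get(name) in allowed for name, allowed in self.conditions)

@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple
    is_base: bool

class PolicyStore:  # hypothetical container for the policies of one application
    def __init__(self):
        self.policies = {}

    def _add(self, policy):
        same_type = [p for p in self.policies.values() if p.is_base == policy.is_base]
        if len(same_type) >= MAX_PER_TYPE:
            raise ValueError("policy limit reached for this application")
        self.policies[policy.name] = policy

    def deploy_base(self, name, rules):
        self._add(Policy(name, tuple(rules), is_base=True))

    def copy_to_custom(self, source, new_name, attribute, allowed):
        """Copy a policy and add one restriction to every rule of the copy."""
        extra = (attribute, frozenset(allowed))
        rules = tuple(Rule(r.action, r.resource, r.conditions + (extra,))
                      for r in self.policies[source].rules)
        self._add(Policy(new_name, rules, is_base=False))

    def delete(self, name):
        if self.policies[name].is_base:
            raise PermissionError("base policies cannot be changed or deleted")
        del self.policies[name]

    def is_allowed(self, assigned, action, resource, attrs):
        """Default deny: allow only if a rule of an assigned policy permits it."""
        return any(r.permits(action, resource, attrs)
                   for n in assigned for r in self.policies[n].rules)
```

Assigning the restricted copy instead of the base policy is what narrows a user's data access: the copy's rules carry the extra condition, while the base policy stays unchanged for other assignments.
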
Authorization policy administrators can configure the following in custom authorization policies:
- Combine authorization policies. See Combine Authorization Policies.
- Add or delete rules and restrictions and their attribute values. See Edit an Authorization Policy.