Exercise 4 - Managing administrative authorizations in SAP Cloud Identity

SAP Cloud Identity offers a wealth of functionality in the space of Identity and Access Management (IAM). Especially in larger organizations, no single individual can manage all IAM processes available in the cockpit or be responsible for the IAM-related configuration of every end user. The usual solution is to share the work among multiple persons. By default, however, everybody working as an administrator in the SAP Cloud Identity cockpit has very broad authorizations. Individuals who are meant to perform a limited set of administrative tasks but hold full administrative access far beyond their area of responsibility are a security risk: a compromised or misused account then exposes the whole tenant instead of one department. In this exercise you will learn how to implement fine-grained administrative authorizations that let you grant only the access that is needed when delegating administrative tasks to others.

Exercise 4.1 Enable policy-based authorizations in SAP Cloud Identity

  1. Open the administrative console for SAP Cloud Identity services from your bookmarks or as described in the first exercise.
  2. Go to Tenant Settings in the Applications & Resources section.
  3. Open the tab Policy-Based Authorizations.
  4. Enable policy-based authorizations.


SAP Cloud Identity now evaluates policy-based authorizations in addition to the role-based authorizations that are used by default.

Exercise 4.2 Create an authorization policy for reading users

  1. Open the Applications & Resources menu and go to the Applications user interface.
  2. Select the system application Administration Console, which represents the administration console of SAP Cloud Identity services.
  3. Open the tab Authorization Policies.
  4. A list of authorization policies is displayed, which can be used to manage access to the administration console. Click on the Create dropdown menu and select the menu item Create Restriction.
  5. In the popup dialog, enter the policy name READ_USERS_BESTRUN and choose the base policy users.READ_USERS. Then click on Create.
  6. Save the newly created policy.
  7. Go to the Assignments tab of the policy, click the button with the 3 dots and choose Add.
  8. Select your user and click the Add button.


You have now created an authorization policy that gives READ access to user accounts and assigned this policy to your administrator user.

Exercise 4.3 Create another user account to be used for testing

  1. Go to the User Management page.
  2. Click the Add button and enter the details for a new user. Then click the Add button on the popup dialog.
  3. Click on the new user account in the list and then click on the Edit button.
  4. Scroll down to the Company Information section and enter the company name Bestrun. Then click the Save button. This value is what the restriction on the user.organization attribute will match against later in this exercise.


Exercise 4.4 Remove classic authorization for reading users

  1. Go to Users & Authorizations --> Administrators.
  2. Select your administrator user and disable the authorizations Manage Users and Read Users. Then click the Save button.
  3. Go to the Home tab.


Exercise 4.5 Validate that you can still see all user records

  1. The User Management tile shows that you have access to 2 users. Click on the tile to display the list of users.

As the READ_USERS_BESTRUN policy does not have any restrictions yet, it grants access to all user records, just as the classic Read Users authorization did. Your read access is now coming solely from the policy.

Exercise 4.6 Restrict the authorization policy

  1. Go to Applications & Resources --> Applications.
  2. Select the system application Administration Console, which represents the administration console of SAP Cloud Identity services.
  3. Open the tab Authorization Policies.
  4. In the list of policies, click on the policy READ_USERS_BESTRUN.
  5. Open the Rules tab for the policy and then click the Edit button.
  6. Click on the + icon to add a new restriction.
  7. Click on the + icon next to the label RESTRICT and select Value.
  8. Enter the restriction attribute user.organization, the operator = and the value Bestrun. Then click on Save.
  9. Go to the Home tab.


Exercise 4.7 Validate that you can only see the allowed user accounts

  1. The tile User Management shows the value 1. Out of the 2 users that are stored in the user management, you now have access to only 1. Click on the tile.
  2. You can see only the user account with the company name Bestrun, due to the restriction that you applied to the READ_USERS_BESTRUN authorization policy.

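To make the interplay between the two authorization models explicit, here is an added example that models exercises 4.2 to 4.7 in Python. It is not SAP code and not part of the original exercise; it is a simplified model that assumes the behaviour the exercise demonstrates: restrictions on a policy are ANDed, a policy without restrictions matches every record, and classic role-based authorizations are evaluated in addition to policy-based ones, so a classic Read Users or Manage Users authorization keeps exposing all records until it is removed. The user identifiers and the attribute names are constructed for the example.

```python
"""Model of policy-based vs. classic administrative authorizations (constructed example, not SAP code)."""
from dataclasses import dataclass, field

# Assumption of this model: both classic authorizations grant read access to user
# records, which is why exercise 4.4 disables both before validating the policy.
CLASSIC_READ_AUTHORIZATIONS = {"Read Users", "Manage Users"}
READ_USERS_BASE_POLICY = "users.READ_USERS"


@dataclass(frozen=True)
class User:
    user_id: str
    attributes: dict  # restriction attributes, e.g. {"user.organization": "Bestrun"}


@dataclass
class AuthorizationPolicy:
    """A policy derived from a base policy, optionally narrowed by restrictions."""
    name: str
    base_policy: str
    restrictions: dict = field(default_factory=dict)  # attribute -> required value

    def permits(self, user: User) -> bool:
        # Restrictions are ANDed; with no restrictions the policy matches every record.
        return all(user.attributes.get(attr) == value
                   for attr, value in self.restrictions.items())


@dataclass
class Administrator:
    classic_authorizations: set = field(default_factory=set)
    policies: list = field(default_factory=list)


def visible_users(admin: Administrator, directory: list) -> list:
    """Return the user_ids the administrator can read.

    Policy-based authorizations are evaluated in addition to the classic ones. A classic
    read authorization carries no restrictions, so while the administrator still holds
    one, every record is visible and any policy restriction has no visible effect.
    """
    if admin.classic_authorizations & CLASSIC_READ_AUTHORIZATIONS:
        return [u.user_id for u in directory]
    read_policies = [p for p in admin.policies if p.base_policy == READ_USERS_BASE_POLICY]
    return [u.user_id for u in directory if any(p.permits(u) for p in read_policies)]


def run_exercise() -> dict:
    """Replay the exercise and return the users visible on the User Management tile per stage."""
    # Constructed directory: your own administrator account and the test user from 4.3.
    directory = [
        User("admin@example.com", {"user.organization": None}),
        User("test.user@example.com", {"user.organization": "Bestrun"}),
    ]
    unrestricted = AuthorizationPolicy("READ_USERS_BESTRUN", READ_USERS_BASE_POLICY)
    restricted = AuthorizationPolicy("READ_USERS_BESTRUN", READ_USERS_BASE_POLICY,
                                     {"user.organization": "Bestrun"})
    admin = Administrator(classic_authorizations={"Manage Users", "Read Users"},
                          policies=[unrestricted])

    stages = {}
    # 4.2: policy assigned, classic authorizations still present.
    stages["4.2 classic + unrestricted policy"] = visible_users(admin, directory)
    # Hypothetical ordering not in the exercise: restrict first, keep the classic
    # authorizations. The restriction is masked because the classic grant still applies.
    admin.policies = [restricted]
    stages["restricted policy, classic still held"] = visible_users(admin, directory)
    admin.policies = [unrestricted]
    # 4.4: remove the classic authorizations; 4.5: unrestricted policy alone shows everyone.
    admin.classic_authorizations -= {"Manage Users", "Read Users"}
    stages["4.5 unrestricted policy only"] = visible_users(admin, directory)
    # 4.6: apply the restriction; 4.7: only the Bestrun record remains visible.
    admin.policies = [restricted]
    stages["4.7 restricted policy only"] = visible_users(admin, directory)
    return stages


if __name__ == "__main__":
    for stage, users in run_exercise().items():
        print(f"{stage}: {len(users)} visible -> {users}")
```

The "restricted policy, classic still held" stage is the check worth remembering when you roll this out: a restriction only takes effect after the corresponding classic authorization has been taken away from the administrator, so audit the Administrators list as well as the policy assignments.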

Summary

In this exercise you learned how to move from the classic, role-based authorizations in SAP Cloud Identity to the new policy-based authorizations. You created an authorization policy from the base policy users.READ_USERS, assigned it to your administrator user, removed the classic Manage Users and Read Users authorizations, and then applied a restriction to the policy. Only after the classic authorizations were removed did the restriction determine what the administrator can see: both authorization models are evaluated, so an unrestricted classic authorization would have kept granting access to all user records. Keep this in mind when delegating administrative tasks, and check the Administrators list as well as the policy assignments when reviewing who can access what.