By Phani Puttabakula, Aug 29, 2025

Part of SAP BTP Series

Designing Security & Roles in SAP BTP: Directories and Subaccounts

When organizations adopt SAP Business Technology Platform (BTP), they quickly realize that security and roles aren’t just a checklist item — they are foundational for scalability, compliance, and collaboration.

In this article, we’ll walk through a practical approach to managing security and roles on BTP with directories and subaccounts in mind.

🏗️ Core Concepts in BTP Security

Before diving into strategy, let’s align on terminology:

  • Global Account → Your top-level tenant, tied to contracts and entitlements.
  • Directories → Logical containers to organize subaccounts (by division, region, or project).
  • Subaccounts → Workspaces where services, applications, and connectivity live.
  • Role Collections → Bundles of business roles (assigned to users).
  • Identity Provider (IdP) → E.g., SAP ID service, Microsoft Entra ID, or Keycloak for custom setups.

🔑 Principles for Role & Security Design

  1. Separation of Concerns

    • Keep business roles (e.g., “Finance Analyst”) separate from technical roles (e.g., “Subaccount Admin”).
    • Assign access at the lowest necessary scope.
  2. Directory-Based Governance

    • Use directories to align with organizational structure (SAP Financials vs. IS-U vs. Shared Services).
    • Apply directory-level role collections for admins who need oversight across all subaccounts inside.
  3. Centralized Identity, Local Assignments

    • Integrate with corporate IdP (Keycloak, Entra, etc.).
    • Sync user groups → map them to role collections in subaccounts.
    • Avoid direct user assignments wherever possible.

🗂️ Example Directory Setup

Recommended Architecture

🛡️ Security Role Layers

Think of security in four layers:

  1. Global Account Layer

    • Assign Global Account Administrator sparingly.
    • This is usually only the platform owner.
  2. Directory Layer

    • Create Directory Admin role collections (e.g., SAP Financials-Admin, SAP Utilities-Admin).
    • Use for monitoring, entitlements, and subaccount governance.
  3. Subaccount Layer

    • Assign developers, operators, and app admins here.
    • Keep business users out of subaccount roles unless needed.
  4. Application Layer

    • Define business roles (e.g., “Accounts Payable Clerk”) at the app level.
    • Bundle them into role collections and map to IdP groups.

  1. Start with IdP Groups

    • Example: SAP Financials-Finance-Analyst, SAP Utilities-Billing-Manager, Shared-Integration-Dev.
  2. Map IdP Groups → Role Collections

    • Each group maps to a role collection in the subaccount.
  3. Bundle Technical Roles for Admins

    • E.g., Subaccount Admin + Security Admin → SAP Financials-Admin-RoleCollection.
  4. Audit Regularly

    • Monthly review: remove inactive users, check drift.
    • Automate using BTP CLI or APIs for role assignment audits.
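
As an added illustration of the audit step above (example code, not from the article, SAP, or any BTP tool): a small Python check over a constructed export of a subaccount's role collections that flags the drift the article warns about, namely direct user assignments, inactive users, unused collections, and names outside the `<Directory>-<Function>` convention. The export field names, the naming pattern and the sample data are assumptions.

```python
import re
from datetime import date

# Naming convention assumed from the article's examples:
# "<Directory>-<Function>", e.g. "SAP Financials-Finance-Analyst".
NAME_PATTERN = re.compile(r"^(SAP Financials|SAP Utilities|Shared)-[A-Za-z]+(-[A-Za-z]+)*$")

# Constructed sample of one subaccount's role collections. Field names are
# assumptions, not the schema of a real BTP CLI or API export.
ROLE_COLLECTIONS = [
    {"name": "SAP Financials-Finance-Analyst",
     "groups": ["SAP Financials-Finance-Analyst"], "users": []},
    {"name": "SAP Financials-Admin-RoleCollection",
     "groups": [], "users": ["admin.one@example.com"]},
    {"name": "tmp_test_rc", "groups": [], "users": []},
]
# Constructed user records: last login date reported by the IdP (ISO format).
USERS = {"admin.one@example.com": "2025-03-01"}
# Constructed reference date for the audit run.
AUDIT_DATE = date(2025, 8, 29)

def audit(role_collections, users, today, max_idle_days=90):
    """Return (category, role_collection, detail) tuples for each drift finding."""
    findings = []
    for rc in role_collections:
        name = rc["name"]
        if not NAME_PATTERN.match(name):
            findings.append(("naming", name, "breaks <Directory>-<Function> convention"))
        if not rc["groups"] and not rc["users"]:
            findings.append(("unused", name, "no IdP group or user mapped; prune candidate"))
        for user in rc["users"]:
            # A direct user assignment bypasses the IdP-group -> role-collection bridge.
            findings.append(("direct-assignment", name, f"{user} assigned directly, not via IdP group"))
            last = users.get(user)
            if last is None:
                findings.append(("inactive", name, f"{user} has never logged in; remove"))
            else:
                idle = (today - date.fromisoformat(last)).days
                if idle > max_idle_days:
                    findings.append(("inactive", name, f"{user} idle {idle} days; remove"))
    return findings

def audit_sample():
    """Run the audit over the constructed sample data."""
    return audit(ROLE_COLLECTIONS, USERS, AUDIT_DATE)

if __name__ == "__main__":
    for category, rc, detail in audit_sample():
        print(f"[{category:17}] {rc}: {detail}")
```

Feeding the function a real export instead of the constructed sample turns this into the monthly drift report the article recommends.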

🧩 Example: Finance Analyst Access Flow

  1. User belongs to group SAP Financials-Finance-Analyst in Keycloak/Entra.
  2. Group is mapped to Role Collection Finance-Analyst in SAP Financials subaccount.
  3. Role Collection grants:
    • DisplayJournalEntry role (CAP app)
    • AccessAnalytics role (Analytics app).

Result: User logs in via IdP → lands with only the business-relevant authorizations.

📌 Daily, Weekly, Monthly Best Practices

  • Daily → Monitor login failures and role assignment changes.
  • Weekly → Validate new app/service role requirements; sync with IdP.
  • Monthly → Audit all role collections, prune unused ones, ensure naming convention consistency.

🚀 Key Takeaways

  • Directories = organizational boundaries
  • Subaccounts = workspaces for apps/services
  • Role Collections = bridge between IdP groups and BTP roles
  • Separation of concerns keeps business roles and platform roles clean.
  • Regular audits prevent role sprawl and compliance risks.

🔮 Looking ahead: As your BTP landscape grows, consider automating role provisioning with SCIM APIs or the Identity Provisioning Service (IPS). This keeps the landscape scalable and compliant without manual effort.


✍️ BlueFunda, Inc., SAP Open Ecosystem Partner.

Interested in pilots or collaboration? Connect with us on LinkedIn or join our Discord community.

For direct inquiries, reach out to your Customer Success Manager or email us at info@bluefunda.com.

Think SAP. Think Smart. Think BlueFunda.
