SAP SCP/BTP for external, how to do it?

Posted by Andrea Mazzolani on Dec 9, 2022 8:15:00 AM

Hybrid landscapes, meaning a mix of on-premise and cloud systems, are increasingly common, as are cloud-only ones.

 


 

In these systems too, obviously, the policies used in on-premise systems must be activated.

 

But what access should you grant, especially to people who are not yet part of the organization?

What is SAP SCP?

Let's start with the name: it is an acronym for SAP Cloud Platform. For some time now, though, it has been called BTP, Business Technology Platform (and this time it is not just a commercial name change).

 

In the past it was called SAP HANA Cloud Platform (HCP), then SAP Cloud Platform (SCP), and now SAP BTP.

 

It is a platform (PaaS, Platform as a Service) that, put simply, lets you extend, integrate and connect SAP and non-SAP solutions.

 

How to access SCP?

You access your platform, or the trial version, through a web link.

 


 

You can log in with an S-user or a P-user.

 

  • A P-user is a self-registered user created on an SAP website with public access, for example SAP Community or SAP Partner Edge; it is not connected to a specific customer number
  • An S-user can be created by any customer and is connected to that customer (meaning to its customer number)

 

Why are these users important? Because by default the identity store SAP uses for access to SCP/BTP is the repository of these users. In fact, these systems have no "real" user registry of their own: the users are read through an Identity Provider (IdP), which by default is SAP's.

 

Once you have logged in, the connected subaccounts are shown (if any).

 


Global Access (https://cockpit.hanatrial.ondemand.com/)

 


 

Cloud Access from outside

To access a cloud platform you need an S-user or a P-user.

 

External people (especially consultants) usually already have their own S-user. This can lead to them using that same S-user to access your company's resources as well.

 

Let's take an example:

  • Massimo Manara, SAP consultant, owns the S-user S0000xxx184, connected to his company email m.manara@aglea.com
  • He has to carry out a consulting engagement or project at the ONE Company

 

There can be different scenarios here:

  1. The ONE Company enables the S0000xxx184 user (email m.manara@aglea.com) to access its cloud space
  2. The ONE Company creates a user, and therefore an email address, in its tenant (Active Directory, Azure, G Suite, etc.), for example m.manara@companyone.com, and gives this user access

 

In both situations the consultant has access to the cloud systems. In the first case, however, there is no access control (in the assumed scenario), while in the second there can be greater control.

 

Warning: the above matters even more because some cloud systems do not show some user management information about a user, for example first name, surname or email, and show only the S-user.

 

This means that if this has happened in your organization, you do not know who actually accessed the systems. This is the case, for example, in SAP E-Commerce, where only the S-user is reported (and it could be one not connected to the company).
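One way to check a user list for the two scenarios above, as an added example that is not part of the original post and not SAP tooling. The CSV layout, its column names, the `sap.default` origin label and the user S0000xxx999 are assumptions constructed for the illustration; the other values come from the example above.

```python
import csv
import io
import re

COMPANY_DOMAINS = {"companyone.com"}  # the ONE Company's tenant domain (page example)
DEFAULT_ORIGIN = "sap.default"        # assumed label for SAP's default identity provider

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """user_id,email,origin
S0000xxx184,m.manara@aglea.com,sap.default
m.manara@companyone.com,m.manara@companyone.com,companyone-idp
S0000xxx999,,sap.default
"""


def is_sap_id_user(user_id):
    """True for IDs shaped like S-/P-users: S or P, a digit, then alphanumerics."""
    return re.fullmatch(r"[SP]\d[0-9A-Za-z]*", user_id) is not None


def findings_for(row):
    """Return the review findings for one exported user row."""
    findings = []
    email = row["email"].strip().lower()
    domain = email.rpartition("@")[2]
    # Scenario 1: the account lives in SAP's default identity store.
    if is_sap_id_user(row["user_id"]) or row["origin"] == DEFAULT_ORIGIN:
        findings.append("default-identity-store")
    if not email:
        # Only the S-user is known: nobody can say who this person is.
        findings.append("no-identity-details")
    elif domain not in COMPANY_DOMAINS:
        # The mailbox is controlled by another organization.
        findings.append("external-email-domain")
    return findings


def audit(export_text):
    """Map user_id -> findings, listing only the users that need review."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        found = findings_for(row)
        if found:
            report[row["user_id"]] = found
    return report


if __name__ == "__main__":
    for user, found in audit(SAMPLE_EXPORT).items():
        print(user, ", ".join(found))
```

The user created in the company tenant (scenario 2) produces no finding, while the consultant's own S-user and the S-user with no email are both listed for review.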

 

How to Manage Users in the Cloud Portal- SAP Commerce Cloud

If you find yourself in this situation:

  1. Try to find out whether you can recover the information from the suppliers
  2. In the worst case, delete the user and recreate it, "detaching" it from the company support portal


 

Topics: SAP Cloud Security, sap btp
