It is increasingly common to see hybrid landscapes, meaning on-premise and cloud systems side by side, or cloud-only ones.
In these systems too, obviously, the policies you apply to on-premise systems must be enforced.
But what access should you grant? Especially to people who are not part of your organization?
What is SAP SCP?
Let's start from the name: it is an acronym for SAP Cloud Platform, although for some time now it has been renamed BTP, Business Technology Platform (and this time it is not just a change of commercial branding).
In the past it was called SAP HANA Cloud Platform (HCP), then SAP Cloud Platform (SCP), and now SAP BTP.
It is a platform (PaaS, Platform as a Service) that, put simply, lets you extend, integrate and connect SAP and non-SAP solutions.
How to access SCP?
Through a web link you can access your own platform or the trial version.
You log in with an S-user or a P-user.
- A P-user is a self-registered user created on one of SAP's public websites, for example SAP Community or SAP PartnerEdge; it is not linked to a specific customer (customer number).
- An S-user can be created by any customer and is linked to that customer (meaning to its customer number).
Why do these users matter? Because, to access SCP/BTP, the identity store SAP uses by default is the repository of these users. In fact, in these systems there is no "real" user registry of their own: users are read from the default identity provider (IdP), which is SAP's own.
Once logged in, the linked subaccounts are shown (if any).
Global Access (https://cockpit.hanatrial.ondemand.com/)
Cloud Access from outside
To access a cloud platform you need an S-user or a P-user.
Usually externals (especially consultants) already have their own S-user. This can lead to that personal S-user also being used to access your company's resources.
Let's take an example:
- Massimo Manara, SAP consultant, owns the S-user S0000xxx184, linked to his company email m.manara@aglea.com
- He has to carry out a consulting engagement or project at the ONE Company
Here there are different possible scenarios:
- The ONE Company enables the user S0000xxx184 (email m.manara@aglea.com) to access its cloud space
- The ONE Company creates a user, and therefore an email, in its own tenant (Active Directory, Azure, G Suite, etc.), for example m.manara@companyone.com, and grants that user access
In both situations the consultant has access to the cloud systems. But in the first case there is no access control by the company (under the assumed scenario): the identity belongs to the consultant's employer, not to the ONE Company. In the second case the company owns the identity and can exercise much greater control, including revoking it when the engagement ends.
Warning: what was said above matters even more because some cloud systems do not show certain user-management information, such as first name, surname or email, but only the S-user ID.
This means that if this has happened in your organization, you do not actually know who accessed the systems. This is the case, for example, in SAP E-Commerce, where only the S-user is reported (which may well be one not linked to the company).
If you find yourself in this situation:
- Try to find out whether you can recover the identity information from the suppliers
- In the worst case, delete the user and recreate it "detached" from the external company's support portal, so that it is an identity your organization controls
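As an added example, not code from the original article or from SAP, here is a small audit over a subaccount member list that applies the reasoning above: it flags members who log in through SAP's default identity provider with an S-user tied to another company's mailbox, self-registered P-users, and members for whom only the user ID is visible (no email), which are the ones whose identity you would have to recover from the supplier. The row layout (keys `user_id`, `email`, `origin`), the origin key `sap.default` for the SAP ID service, the `S`/`P` plus ten digits ID pattern and the sample rows are all assumptions made for the example; the member list would be exported from the BTP cockpit or CLI in practice.

```python
"""Audit a BTP subaccount member list for identities the company does not control.

Assumptions (not taken from the article): each member is a dict with
'user_id', 'email' and 'origin'; federated users carry the origin key of the
company's own IdP, SAP ID service users carry 'sap.default'; S/P-user IDs are
the letter followed by ten digits. Sample data is constructed.
"""
import re

COMPANY_DOMAINS = {"companyone.com"}   # assumption: the ONE Company's mail domains
SAP_ID_ORIGIN = "sap.default"          # assumption: origin key of the default SAP ID service
S_USER = re.compile(r"^S\d{10}$")      # assumption: S-user ID format
P_USER = re.compile(r"^P\d{10}$")      # assumption: P-user ID format


def classify(member):
    """Return (finding, reason) for one member row.

    finding is one of: 'ok', 'external', 'unknown', 'review'.
    """
    user_id = member.get("user_id", "")
    email = (member.get("email") or "").strip().lower()
    origin = member.get("origin", "")
    domain = email.split("@", 1)[1] if "@" in email else ""

    if origin != SAP_ID_ORIGIN:
        # Federated through the company's own tenant: the company owns the lifecycle.
        return ("ok", "company identity provider")
    if not email:
        # Only the S/P-user ID is visible: we cannot tell who this really is.
        return ("unknown", "no email visible, recover identity from supplier")
    if P_USER.match(user_id):
        return ("external", "self-registered P-user, not tied to any customer number")
    if S_USER.match(user_id) and domain not in COMPANY_DOMAINS:
        return ("external", f"S-user tied to another company's mailbox ({domain})")
    if domain in COMPANY_DOMAINS:
        return ("ok", "SAP ID user on a company mailbox")
    return ("review", "unrecognized user id format")


def audit(members):
    """Classify every member; returns a list of (user_id, finding, reason)."""
    return [(m.get("user_id", ""), *classify(m)) for m in members]


def to_fix(members):
    """Only the rows that need action: anything not 'ok'."""
    return [row for row in audit(members) if row[1] != "ok"]


# Constructed sample export, not real data.
MEMBERS = [
    {"user_id": "S0000000184", "email": "m.manara@aglea.com", "origin": "sap.default"},       # scenario 1
    {"user_id": "S0000000900", "email": "j.doe@companyone.com", "origin": "sap.default"},     # company mailbox
    {"user_id": "m.manara@companyone.com", "email": "m.manara@companyone.com",
     "origin": "companyone-idp"},                                                             # scenario 2
    {"user_id": "P0000000501", "email": "someone@example.org", "origin": "sap.default"},      # P-user
    {"user_id": "S0000000777", "email": "", "origin": "sap.default"},                         # ID only
]

if __name__ == "__main__":
    for user_id, finding, reason in audit(MEMBERS):
        print(f"{user_id:28} {finding:9} {reason}")
```

Run it as a script to see one line per member; `to_fix()` is the list you would hand to whoever owns the subaccount. The check on `origin` is deliberately first: a user federated from the company's own tenant is the second scenario in the article and needs no further scrutiny, whatever the mailbox looks like.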