Hybrid landscapes, meaning on-premise and cloud systems together, are increasingly common, and so are cloud-only landscapes.
In these systems too, obviously, it is necessary to apply the policies used in on-premise systems.
But what access should you grant? Especially to those who are not yet part of the organization?
Let's start from the name: SCP is an acronym that stands for SAP Cloud Platform. For some time now, however, the name has been BTP, Business Technology Platform (and this time it is not just a name change from a commercial point of view).
In the past it was called SAP HANA Cloud Platform (HCP), then SAP Cloud Platform (SCP), and now SAP BTP.
It is a platform (PaaS, Platform as a Service) that, put simply, lets you extend, integrate and connect SAP and non-SAP solutions.
Through a web link you can access your platform or the trial version.
You can log in with an S-user or a P-user.
Why are these users important? Because, by default, the identity store that SAP uses for access to SCP/BTP is the repository of these users. In fact, these systems have no "real" user registry of their own. The users are read by an Identity Provider (IdP), which by default is SAP's.
Once you have logged in, the connected sub-accounts are shown (if present).
Global Access (https://cockpit.hanatrial.ondemand.com/)
To access a cloud platform you need an S-user or a P-user.
External people (especially consultants) usually already have their own S-user. This could lead them to use that same S-user to access your company's resources as well.
Let's take an example:
Several scenarios are possible here:
In both situations the consultant has access to the cloud systems. In the first case, however, there was no access control (based on the assumed scenario), while in the second case there could be greater control.
Warning: what was said above matters even more because some cloud systems do not show certain user-management information, for example first name, surname or email, but only the S-user.
This means that, if this has happened in your organization, you do not know who actually accessed the systems. This is the case, for example, with SAP E-Commerce, where only the S-user is reported (and it could be one that is not connected to the company).
If you find yourself in this situation: