Attribute-based Access Control for Landscape Objects

Landscape objects, such as cloud services, technical systems, and business services, are among the main entities in SAP Cloud ALM. Cloud services and technical systems represent the managed landscape of the SAP Cloud ALM customer, while business services group these services and systems into logical units.

Every use case uses landscape objects in some way. SAP Cloud ALM for Operations use cases monitor the managed system landscape, while SAP Cloud ALM for Implementation uses services and systems in projects. 

SAP Cloud ALM uses an XSUAA-based role concept to control access to its applications. To access an application, a user needs to be assigned a role collection that contains the necessary scopes for this application. That works well to control the general access to and the possible activities in an application. What it can't restrict is the access to single landscape entities used by the application. That means if a user has access to, e.g., Health Monitoring, they will be able to see all services and systems that are supported by Health Monitoring in this SAP Cloud ALM tenant.

This authorization concept doesn't go far enough for many customers. For this reason, Landscape Management developed its own attribute-based authorization concept on top of the existing XSUAA-based concept. The attribute-based access control will allow customers to restrict exactly which specific services and systems users can access in their applications. 

Please note: Attribute-based Access Control doesn't replace the Role-based authorizations maintained in User Management, but rather complements and refines them. To access Landscape Management a user still needs the appropriate roles assigned in User Management.

Prerequisites

Attention

For security reasons, activating Access Control is a one-way switch. Once it is activated in Landscape Management, it cannot be disabled globally anymore.

Therefore the following steps are recommended before the activation:

  • Familiarize yourself with Access Control by reading this documentation
  • Create and test access control lists appropriate for your organization
  • Assign all users to the access control lists they need to perform their tasks

Access Control will also affect the following SAP Cloud ALM use cases:

  • Health Monitoring

Technical Prerequisites

For Access Control to take effect for your end-users, no specific roles need to be assigned to them. Once Access Control is activated, all end-users will automatically be affected.

However, to see the Access Control UIs and to maintain Access Control you need certain Landscape Management roles.

To maintain Access Control Lists and User Assignments you need the role:

  • Landscape Management Access Controller

To view existing Access Control Lists and user Assignments you need the role:

  • Landscape Management Access Control Viewer

Maintenance of Attribute-based Access Control

Attribute-based Access Control in Landscape Management works using Access Control Lists (ACLs). Each access control list has a set of restrictions, which define which landscape objects are covered by it. To grant a user access to the objects in the access control list, the user needs to be assigned to the list.

To set up Attribute-based Access Control in Landscape Management you have to execute the following tasks:

  1. Create Access Control Lists and maintain restrictions that define which services, systems and business services are included in the list
  2. Assign users to these Access Control lists

  1. Open the Landscape Management application in SAP Cloud ALM
  2. Click on the 'Configuration' button in the upper right corner
  3. You will find the section 'Attribute-based Access Control' at the end of the Landscape Management Configuration panel
  4. Click the pen icon in the subsection 'Access Control List Maintenance' to open the Access Control List Maintenance UIs

Important: In this section, you will also see the toggle button for global activation. Before you activate Access Control, make sure you understand the consequences as described on this page. You do not need to activate Access Control to access the maintenance UIs. You should create your access control lists and user assignments before you activate Access Control globally.

  1. Open the Access Control List Maintenance
  2. Make sure you are in the view 'Access Control Lists'
  3. Click the 'Add' button in the upper right corner of the Access Control Lists table
  4. Enter the name for the Access Control List. The name does not have to be a technical name.
  5. Enter a description for the Access Control List
  6. Press the 'Save' button
  7. The new access control list will be added to the list of existing access control lists

  1. Open the Access Control List Maintenance
  2. Make sure you are in the view 'Access Control Lists'
  3. Click on the row for the access control list you want to copy or delete
  4. You will navigate to the access control list details
  5. In the upper right corner of the header area, you will find a 'Copy' and a 'Delete' button
  6. If you click the 'Copy' button:
    1. A new list with the name '<old name>_Copy' will be created. You can change this name.
    2. All restrictions and user assignments for the original list will be copied.
    3. Save your changes to persist the copied list
  7. If you click the 'Delete' button:
    1. Confirm the pop-up to delete the list. Deletion is instant and cannot be reversed.
    2. All restrictions and user assignments for the list will be deleted.

Restrictions in Access Control can be:

  • Rule-based: These restrictions describe an attribute that several landscape objects can share. Rule-based restrictions are calculated during runtime. Hence, new services or systems added to Landscape Management later on are automatically covered by the access control list if their attributes match the restrictions.
    Each rule can only be added once.
  • Fixed: These restrictions describe a unique attribute of the landscape object and always cover only one very specific landscape object. To add a new landscape object under these restrictions, it has to be explicitly added to the access control list.

The restriction evaluation is executed in the following way:

  • Inside a rule, the elements are joined with OR (i.e. customer number 123 OR customer number 456)
  • The rules among each other are joined with AND (i.e. customer number 123 AND service type 'SAP S/4HANA Cloud')
  • Fixed restrictions are joined to rule-based restrictions with OR (i.e. they are added to the list of authorized objects no matter what the rules above state)
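The evaluation order above (OR inside a rule, AND across rules, fixed objects ORed on top), modelled as a small Python example. This is added illustration code, not SAP Cloud ALM's implementation; the landscape objects, list names and the reading that "each rule can only be added once" means one rule per attribute are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LandscapeObject:
    """One service or system with the attributes the restrictions can use."""
    object_id: str        # 'Landscape Object ID' (fixed restriction)
    name: str             # 'Service/System Name'
    customer_number: str  # 'Customer Number'
    service_type: str     # 'Service Type'
    business_unit: str    # 'Business Unit'


@dataclass
class Rule:
    """One rule-based restriction: the values inside a rule are joined with OR."""
    attribute: str   # one of the LandscapeObject attribute names above
    operator: str    # 'IS', or 'CONTAINS' (allowed for the name only)
    values: set[str]

    def matches(self, obj: LandscapeObject) -> bool:
        actual = getattr(obj, self.attribute)
        if self.operator == "IS":
            return actual in self.values
        if self.operator == "CONTAINS" and self.attribute == "name":
            # Plain substring match without wildcards, as in the input field
            return any(part in actual for part in self.values)
        raise ValueError(f"{self.operator} is not allowed for {self.attribute}")


@dataclass
class AccessControlList:
    name: str
    rules: list[Rule] = field(default_factory=list)          # joined with AND
    fixed_object_ids: set[str] = field(default_factory=set)  # joined with OR

    def add_rule(self, rule: Rule) -> None:
        # Assumption: 'each rule can only be added once' means one rule per attribute
        if any(r.attribute == rule.attribute for r in self.rules):
            raise ValueError(f"{self.name}: rule for {rule.attribute} already exists")
        if len(rule.values) > 100:  # technical limit of 100 entries per input field
            raise ValueError("more than 100 entries; create an additional list")
        self.rules.append(rule)

    def covers(self, obj: LandscapeObject) -> bool:
        # Fixed restrictions grant access no matter what the rules state
        if obj.object_id in self.fixed_object_ids:
            return True
        # Rules are evaluated at runtime, so objects added later are picked up too
        return bool(self.rules) and all(r.matches(obj) for r in self.rules)

    def preview(self, landscape: list[LandscapeObject]) -> set[str]:
        """Mirrors the 'Refresh' preview: IDs of all objects this list covers."""
        return {o.object_id for o in landscape if self.covers(o)}


# Constructed sample landscape (not real customer data)
LANDSCAPE = [
    LandscapeObject("s4_prod", "S4 Production", "123", "SAP S/4HANA Cloud", "Finance"),
    LandscapeObject("s4_dev", "S4 Development", "456", "SAP S/4HANA Cloud", "Finance"),
    LandscapeObject("btp_prod", "BTP Production", "123", "SAP BTP", "IT"),
    LandscapeObject("ariba", "Ariba Buying", "789", "SAP Ariba", "Procurement"),
]


def finance_s4_list() -> AccessControlList:
    """Customer 123 OR 456, AND type S/4HANA Cloud, plus Ariba as a fixed object."""
    acl = AccessControlList("Finance S/4")
    acl.add_rule(Rule("customer_number", "IS", {"123", "456"}))
    acl.add_rule(Rule("service_type", "IS", {"SAP S/4HANA Cloud"}))
    acl.fixed_object_ids.add("ariba")
    return acl


def production_list() -> AccessControlList:
    """A single CONTAINS rule on the service/system name."""
    acl = AccessControlList("Production systems")
    acl.add_rule(Rule("name", "CONTAINS", {"Production"}))
    return acl


if __name__ == "__main__":
    for acl in (finance_s4_list(), production_list()):
        print(acl.name, sorted(acl.preview(LANDSCAPE)))
```

Note that the BTP system shares customer number 123 but fails the service type rule, while Ariba matches no rule at all and is included only through the fixed restriction.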

Information: Restrictions on Input Fields

Access Restrictions

Some input help dialogs are access-restricted. This was designed to allow customers to have different Access Controllers for different subsidiaries and to allow data separation even for Access Controllers.

If this is not desired, it is recommended that access controllers be exempt from Access Restrictions. How to do this is described in the section 'Exempt Users from Access Restrictions'.

Otherwise, it is recommended that access control lists for Access Controllers be created first, based on, for example, the customer number.

Technical Restrictions

Technical restrictions limit the number of entries in each restriction input field to 100 entries.

In the unlikely case that you need to add more than 100 customer numbers, systems types, names, or single landscape objects to an access control list, please create an additional access control list.

Please note: it is not necessary to create an “All systems” access control list. If you want someone to see everything it makes more sense to “exempt” this person from Access Control. How this is done is described in the section “Exempt Users from Access Restrictions”.

Maintain Restrictions for Services & Systems

  1. Open the Access Control List Maintenance
  2. Click on the row for the access control list you want to edit
  3. Navigate to the tab "Service & Systems"
  4. Maintain Access Rules:
    1. Click the '+' button in the 'Access Rules' area to add a new rule
    2. Select the rule attribute
    3. Use the input help to select the desired values
    4. For 'Service/System Name' you can choose the operator CONTAINS. If you choose this operator you can enter the filter string directly in the input field.
  5. Add single Landscape Objects
    1. Use the input help for the field 'Landscape Object ID' to select your services and systems
  6. Preview the result
    1. Use the 'Refresh' button in the preview area to update the table and see which services and systems are included in your access control list

Rule-based Restrictions

The following rule-based restrictions are currently available for services and systems:

Restriction Attribute | Description | Operators | Access Controlled
Customer Number | The ERP customer number the landscape object is assigned to. | IS | No
Service Type | The product type of the service or system. | IS | No
Service/System Name | The name of the landscape object. | IS or CONTAINS* | Yes
Business Unit | The business unit a landscape object belongs to. | IS | No

* For contains, you can either enter a part of the name (without wildcards) and press ENTER or if you want a precise name, select it from the input help.

Fixed Restrictions

The following fixed restrictions are currently available for services and systems:

Restriction Attribute | Description | Operators | Access Controlled
Landscape Object ID | The technical ID of the landscape object. Please use the input help to select the correct landscape object. | IS | Yes

Maintain Restrictions for Business Services

  1. Open the Access Control List Maintenance
  2. Click on the row for the access control list you want to edit
  3. Navigate to the tab "Business Services"
  4. To include all existing or future business services in the access control list check the box 'Include all Business Services'
    1. If this box is checked, all further rules regarding Business Services will be ignored.
  5. To add specific business services by their technical ID select them via the input help for the field 'Business Service ID'
    1. Business Services with the same name will not be included
  6. To add business services by their name select them via the input help or enter parts of their name in the field 'Business Service Name'
    1. Business Services with the same name or a name matching the pattern will be included

Rule-based Restrictions

The following rule-based restrictions are currently available for Business Services:

Restriction Attribute | Description | Operators | Access Controlled
Business Service Name | The name of the Business Service. | IS or CONTAINS* | Yes

* For contains, you can either enter a part of the name (without wildcards) and press ENTER or if you want a precise name, select it from the input help.

Fixed Restrictions

The following fixed restrictions are currently available for Business Services:

Restriction Attribute | Description | Operators | Access Controlled
Business Service ID | The technical ID of the Business Service. Please use the input help to select the correct business service. | IS | Yes

Information: Services & Systems in Business Services

Adding a business service to an access control list does not automatically give access to the systems and services in this business service.

The user will only have access to information on the business service level and the header information of the services and systems for which he doesn't have explicit authorizations.

If the user should have access to the services or system, the Access Controller needs to make sure that he also adds the services and systems to this or another Access Control List assigned to the user. 

You must assign users to Access Control Lists to give them access to landscape objects on this list.

When you assign a user to an access control list, you can decide whether to grant the user edit or read-only privileges for the objects on this list. This means the same user can have edit access for some systems in Landscape Management and read-only access for others.

Information: Granting privileges for Landscape Objects

In Landscape Management we support two different privileges:

  1. "Edit" access will allow the user to access the systems on this list in Landscape Management in change mode, i.e. add and edit system details, endpoints, clients, and tags
  2. "Read" access means the user can access the systems in this list in Landscape Management but cannot execute any change operations for them
  • If a user is assigned to more than one access control list and both lists contain the same system, the highest available privilege for this system will be given
  • Privileges in other use cases are not affected by this setting. Only the changeability of the object in Landscape Management is controlled.

You can access the user assignment in several ways:

  • Using the 'Edit Access Control User Assignment' button in the upper right corner of the Access Control List Restrictions maintenance
  • Via 'User Assignment' > 'By List' view to assign users to lists
  • Via 'User Assignment' > 'By User' view to assign lists to users

Assigning Users to Lists

The 'User Assignment' > 'By List' view contains all Access Control Lists maintained in this SAP Cloud ALM. In this view, you can see which users are currently assigned to each Access Control List.

You can use the Live Search to search for access control lists.

  1. Navigate to 'User Assignment' > 'By List'
  2. Click on the row for your access control list
  3. In the 'Users' area click the 'Add' button and choose how you want to add your users
    1. 'By Selection': You can choose one or more users from a list of the existing SAP Cloud ALM users
    2. 'Mass Entry': You can provide a list of email addresses separated by a semicolon. 
      1. Only users existing in SAP Cloud ALM User Management will be added. 
      2. You will receive a list of the skipped users after the operation, so you can add them to SAP Cloud ALM User Management and try again.
  4. Select the checkbox under the user table or input field to grant 'Edit' access to the users
    1. Checking this box will allow users to edit the systems on this access control list in the Landscape Management application
    2. You can reverse your decision later in the user table
  5. Press the 'OK' button

Assigning Lists to Users

The 'User Assignment' > 'By User' view contains all users known in SAP Cloud ALM. In this view, you can see which users are currently restricted by Access Control and which Access Control Lists are assigned to a user.

You can use the Live Search to search for users.

Depending on the global status of Access Control there is also a button to:

  • "Release All" users if Access Control is still not activated globally. This allows you to quickly release all test users after your tests are finished.
  • "Restrict All" users if Access Control is globally activated. This allows you to restrict all users that were exempt from access restrictions. You can find more information on this option in the section 'Exempt Users from Access Restrictions'

  1. Navigate to 'User Assignment' > 'By User'
  2. Click on the row for the user you want to assign lists to
  3. In the 'Access Control Lists' area click the 'Add' button and choose the Access Control Lists you want to add
  4. Select the checkbox under the items table to grant the user 'Edit' access to the selected lists
    1. Checking this box will allow the user to edit the systems on the selected access control list in the Landscape Management application
    2. You can reverse your decision later in the Access Control Lists table
  5. Press the 'OK' button

During the user assignment, we also check if the user has the necessary roles to execute his tasks in Landscape Management. If the user doesn't have the required roles, we will try to assign the respective role in User Management in Cloud ALM.

Which role is assigned depends on the privilege that is assigned to the user:

  • "Read": Landscape Management will request User Management to assign the role 'Landscape Management Viewer'
    • If the user already has the role 'Landscape Management Admin' we will not request an additional assignment
  • "Edit": Landscape Management will request User Management to assign the role 'Landscape Management Administrator'

If the user already has the necessary roles, no assignment request is sent to User Management. 

  • If the user maintaining the access control lists (the Access Controller) in Landscape Management also has the SAP Cloud ALM role “User Management Administrator” or any other role containing the XSUAA write scope, the roles will automatically be assigned in User Management.
  • If the user maintaining the access control lists (the Access Controller) in Landscape Management does not have the role “User Management Administrator” or any other role containing the XSUAA write scope, an Approval Request will be opened in User Management. This approval request has to be approved or rejected by a User Administrator
    • User Management will open only one approval request per role and per user. This means if a user is assigned to more than one Access Control List with the same privilege, only one Approval Request will be opened for the respective role.
    • If the Approval Request for the role is rejected, the user will be removed from all access control lists to which he was added with the privilege that requires the role. 
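How the 'Edit' and 'Read' privileges combine when a user is on several lists (highest privilege wins, unassigned restricted users see nothing, exempt users keep seeing everything), and which role requests and rejection effects follow from the rules above, as an added Python example that is not SAP Cloud ALM's own code. The user, list names and object sets are constructed; the object sets stand in for the result of each list's restriction evaluation, and a user holding 'Read' via one list and 'Edit' via another is assumed to trigger one request for each role.

```python
from dataclasses import dataclass, field

PRIVILEGE_RANK = {"Read": 1, "Edit": 2}

# Role names as used on the page ('Landscape Management Admin' is the same role)
VIEWER_ROLE = "Landscape Management Viewer"
ADMIN_ROLE = "Landscape Management Administrator"


@dataclass
class Assignment:
    acl_name: str
    privilege: str   # 'Read' or 'Edit'


@dataclass
class User:
    email: str
    roles: set[str] = field(default_factory=set)
    restricted: bool = False  # toggle 'User is restricted by Attribute-based Access Control'
    assignments: list[Assignment] = field(default_factory=list)


def effective_access(user: User, acl_objects: dict[str, set[str]]) -> dict[str, str]:
    """Return {object_id: privilege} for a restricted user.

    acl_objects maps each list name to the object IDs it covers. When the same
    object is on several lists, the highest privilege for that object is kept.
    """
    access: dict[str, str] = {}
    for a in user.assignments:
        for object_id in acl_objects.get(a.acl_name, set()):
            current = access.get(object_id)
            if current is None or PRIVILEGE_RANK[a.privilege] > PRIVILEGE_RANK[current]:
                access[object_id] = a.privilege
    return access


def visible_objects(user: User, acl_objects: dict[str, set[str]],
                    all_objects: set[str]) -> set[str]:
    """Exempt (unrestricted) users keep seeing everything; restricted users see
    only what their lists cover, so a restricted user without lists sees nothing."""
    if not user.restricted:
        return set(all_objects)
    return set(effective_access(user, acl_objects))


def roles_to_request(user: User) -> set[str]:
    """Roles Landscape Management would ask User Management to assign.
    A set, because only one request per role and per user is opened."""
    wanted: set[str] = set()
    for a in user.assignments:
        if a.privilege == "Edit" and ADMIN_ROLE not in user.roles:
            wanted.add(ADMIN_ROLE)
        elif a.privilege == "Read" and not user.roles & {VIEWER_ROLE, ADMIN_ROLE}:
            wanted.add(VIEWER_ROLE)  # not needed if the user is already Admin
    return wanted


def reject_role_request(user: User, role: str) -> None:
    """A rejected approval request removes the user from every list to which
    they were added with the privilege that requires that role."""
    needs = "Edit" if role == ADMIN_ROLE else "Read"
    user.assignments = [a for a in user.assignments if a.privilege != needs]


# Constructed sample: object IDs each list covers after restriction evaluation
ACL_OBJECTS = {
    "Finance S/4": {"s4_prod", "s4_dev", "ariba"},
    "Production systems": {"s4_prod", "btp_prod"},
}
ALL_OBJECTS = {"s4_prod", "s4_dev", "btp_prod", "ariba"}


def sample_user() -> User:
    """Restricted user with Read on one list and Edit on another (constructed)."""
    return User(
        "jane.doe@example.com",
        restricted=True,
        assignments=[Assignment("Finance S/4", "Read"),
                     Assignment("Production systems", "Edit")],
    )
```

For the sample user, s4_prod is on both lists and therefore ends up with 'Edit', while s4_dev and ariba stay 'Read'.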

The feature to exempt users from Access Control restrictions was included to allow the customer to address exceptional situations and to easily create super-users in their system without having to create all-encompassing Access Control Lists (i.e. a "See All ACL"). 

  1. Go to Landscape Management > Configuration
  2. Press the pen icon in the section Attribute-based Access Control > Access Control List Maintenance to open the Access Control Maintenance UI
  3. Navigate to User Assignment > By User
  4. Find the user in the user list
  5. Navigate to the user details by clicking on the row
  6. Switch the toggle button 'User is restricted by Attribute-based Access Control' from ON to OFF
  7. Save your changes
  8. The user has to reload Landscape Management for the changes to take effect

The assignment of access control lists to the user will not be affected. This is to allow for a fast reactivation of Access Control if a user is only temporarily unrestricted. 

Mass-Release / Mass Restrict Function

To make it easier for Access Controllers to reestablish the status quo (i.e. setting the global setting for all users), we included a feature that allows you to:

  • Release all users at once while Access Control is still not activated
  • Restrict all users at once when Access Control is globally activated

  1. Go to Landscape Management > Configuration
  2. Press the pen icon in the section Attribute-based Access Control > Access Control List Maintenance to open the Access Control Maintenance UI
  3. Navigate to User Assignment > By User
  4. The 'Restrict All' / 'Release All' button is in the upper right corner
    1. Which button will be available depends on the global setting of Access Control
  5. Confirm the dialog box to perform the change

With the global activation, Access Control will be activated in Landscape Management and all participating use cases.

The global activation is a setting that cannot be reversed.

  • The reason is that we assign the 'Landscape Management Administrator' role to all users who are assigned the "Edit" privilege for an access control list. If Access Control were to be disabled globally, these users could now access and change everything in Landscape Management.
  • It is still possible to exempt users from Access Control restrictions manually one by one (for more information see section 'Exempt Users from Access Restrictions')

Consequences of the Global Activation

  • Access Control will restrict all users in SAP Cloud ALM for access to Landscape Management and all participating use cases
  • Users will only see the services, systems, and business services for which they have access through an access control list
  • Users will only be able to select the services and systems in the scope selector of Landscape Management and participating use cases for which they have access through an access control list
  • Users who are not assigned to any access control list will no longer be able to see any services, systems, or business services in Landscape Management and participating use cases

Information: Testing Access Control

Before activating Access Control globally you should create your access control lists and test them. To test Access Control, you can activate access restrictions for single users, before you flip the global switch.

  1. Go to Landscape Management > Configuration
  2. Press the pen icon in the section Attribute-based Access Control > Access Control List Maintenance to open the Access Control Maintenance UI
  3. Navigate to User Assignment > By User
  4. Find your test user in the user list
  5. Navigate to the user details by clicking on the row
  6. Switch the toggle button 'User is restricted by Attribute-based Access Control' from OFF to ON
  7. Save your changes
  8. The test user has to reload Landscape Management for the changes to take effect

Please note: We do not automatically activate restrictions for users when they are assigned to an access control list. We want to enable the customer to completely maintain their access control lists including the user assignment before the global activation of Access Control.

Hence, you have to manually activate Access Control for the test users as long as Access Control is globally inactive. 

Effects of Access Control on Landscape Management

Access Control influences which services, systems, and business services a logged-on user can see in Landscape Management and whether he can edit them.

The effects of Access Control will be visible in different components of Landscape Management.

In the Scope Selector, the user will only see service types, if he can access at least one object of these types.

All other service types will be hidden, even if services and systems with this type exist in the managed landscape.

Currently still the total number of existing services and systems in the landscape is shown for authorized service types, even if the user can only access a subset of them. This will be addressed in the near future.

In the Overview, the user will only see information on the cards for service types if he can access at least one object of these types. Cards for service types that were selected in the scope before the activation of Access Control and can no longer be accessed, will show no information and contain the label "No Authorization". 

Currently still the total number of existing services and systems in the landscape is shown for authorized service types, even if the user can only access a subset of them. This will be addressed in the near future.

The Event Status indicator will be calculated based on the authorized services and systems of a service type. This means if an outage exists for a service the user doesn't have access to, it will not be propagated in the status event indicator on the service type card.

In Favorites, the user will only see information on the cards for services, systems, and service types if he can access the service or systems or at least one object of these types. Cards for services, systems, and service types that were selected in the scope before the activation of Access Control and can no longer be accessed, will show no information and contain the label "No Authorization". The user can still remove the favorite even if he is no longer authorized to access it by clicking on the star icon. 

The Services & System list will only contain services and systems that the user has access to. It can optionally be pre-filtered by service type depending on the selected scope and the navigation path chosen from the Overview. 

The filter, sort, and group functions are defined by the service types that are in scope. 

The Live Search will only find services and systems for which the user has authorizations. If the user searches for a service or system for which he doesn't have authorizations the Live Search will return an empty result. 

The user can add any new service or system type. To do so, he needs a role that contains the x-landscape-manage-ui scope. However, if the user adds a service or system with attributes that are not covered by any of his assigned access control lists, he will not be able to find or access it again until access is given.

From the Services & Systems List, the user can navigate to the System Details. Whether the details view is opened in edit or read-only mode depends on the user's privileges for this system. The privilege is defined during the user's assignment to the access control list (see section 'User Assignment').

In read-only mode, the user cannot perform any change operations for the system. This means the user cannot change system properties, create or change clients or endpoints, and cannot assign or edit tags. 

On the Where-Used list for a system, the user can see the Business Services the system is part of. Currently, all business services are shown. However, the user can only successfully navigate to the ones he has access to. If he tries to navigate to a business service he has no access to, he will receive an error message.

Direct jump-ins are also protected. If a user tries to access a service or system that he has no access to via a direct URL, he will receive an error message.

On the Business Services view the user can only see the business services he has access to.

In the business services details, he can see all services and systems that are part of this business service even if he doesn't have authorization to access the system details. This was designed to avoid blind spots for the user. However, if he tries to jump to a system to which he has no access, he will receive an error message.

Integration with Other Use Cases

Once Access Control is activated in Landscape Management, it will automatically affect use cases that have been onboarded to Access Control.

Right now the following use cases inherit Landscape Management Access Control settings:

  • Health Monitoring

Scope Selector

In the use case Scope Selector, the user will only see services, systems, and (if supported) business services for which he has authorizations.

All other services, systems, and business services will be hidden, even if they exist in the managed landscape, and are supported and configured for this use case.

Use Case-specific Views

The views of the use cases are also access restricted. How exactly Access Control affects them depends on the use cases. 

Troubleshooting

Please make sure that one of the following roles is assigned to your user:

  • Landscape Management Access Controller
  • Landscape Management Access Controller Viewer

If you just assigned the roles to yourself, please make sure to log off and log on to SAP Cloud ALM for the role changes to take effect.