Attribute-based Access Control for Landscape Objects
Landscape objects, such as cloud services, technical systems, and business services, are among the main entities in SAP Cloud ALM. Cloud services and technical systems represent the managed landscape of the SAP Cloud ALM customer, while business services group these services and systems into logical units.
Every use case uses landscape objects in some way. SAP Cloud ALM for Operations use cases monitor the managed system landscape, while SAP Cloud ALM for Implementation uses services and systems in projects.
SAP Cloud ALM uses an XSUAA-based role concept to control access to its applications. To access an application, a user needs to be assigned a role collection that contains the necessary scopes for this application. That works well for controlling general access to an application and the activities possible within it. What it cannot restrict is access to individual landscape entities used by the application. That means if a user has access to, e.g., Health Monitoring, they will be able to see all services and systems that are supported by Health Monitoring in this SAP Cloud ALM tenant.
This authorization concept doesn't go far enough for many customers. For this reason, Landscape Management developed its own attribute-based authorization concept on top of the existing XSUAA-based concept. Attribute-based access control allows customers to restrict exactly which specific services and systems users can access in their applications.
Please note: Attribute-based Access Control doesn't replace the role-based authorizations maintained in User Management, but rather complements and refines them. To access Landscape Management, a user still needs the appropriate roles assigned in User Management.
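To make the difference between the two layers concrete, here is an added example (not SAP Cloud ALM or XSUAA code) that evaluates a scope-only check and a scope-plus-attribute check against a small constructed set of landscape objects. The scope name, the attribute dimension names (businessService, environment) and the claim layout are assumptions chosen for illustration, not the product's actual token or attribute names.

```javascript
// Added example: role (scope) check alone versus the same check refined by
// user attributes. All identifiers, scope names and objects are constructed.

// Constructed landscape objects; ids and attribute values are placeholders.
const LANDSCAPE = [
  { id: "sys-erp-prod", kind: "technicalSystem", businessService: "Finance", environment: "prod" },
  { id: "sys-erp-dev", kind: "technicalSystem", businessService: "Finance", environment: "dev" },
  { id: "svc-analytics", kind: "cloudService", businessService: "Analytics", environment: "prod" },
];

// Attribute dimensions the policy restricts on (assumed names).
const RESTRICTED_DIMENSIONS = ["businessService", "environment"];

// Role-based check: does the token carry the scope the application requires?
function hasScope(claims, requiredScope) {
  return Array.isArray(claims.scope) && claims.scope.includes(requiredScope);
}

// Role-based only: a user holding the scope sees every landscape object.
function visibleWithRolesOnly(claims, requiredScope, objects = LANDSCAPE) {
  return hasScope(claims, requiredScope) ? objects.map((o) => o.id) : [];
}

// Attribute check for one object: every restricted dimension must be present
// in the user's attributes and must list the object's value (fail closed).
function attributesPermit(attributes, obj) {
  return RESTRICTED_DIMENSIONS.every((dim) => {
    const allowed = attributes[dim];
    return Array.isArray(allowed) && allowed.includes(obj[dim]);
  });
}

// Role plus attributes: the scope is still required; attributes then narrow
// the result down to the objects the user is entitled to see.
function visibleWithAttributes(claims, requiredScope, objects = LANDSCAPE) {
  if (!hasScope(claims, requiredScope)) return [];
  const attributes = claims.attributes || {};
  return objects.filter((o) => attributesPermit(attributes, o)).map((o) => o.id);
}

// Constructed token claims with a placeholder scope name.
const SCOPE = "HealthMonitoring.Read";
const financeProdUser = {
  scope: [SCOPE],
  attributes: { businessService: ["Finance"], environment: ["prod"] },
};
const unrestrictedUser = { scope: [SCOPE] }; // has the role, no attributes assigned
const noRoleUser = {
  scope: [],
  attributes: { businessService: ["Finance"], environment: ["prod", "dev"] },
};

console.log("roles only:      ", visibleWithRolesOnly(financeProdUser, SCOPE));
console.log("roles+attributes:", visibleWithAttributes(financeProdUser, SCOPE));
console.log("no attributes:   ", visibleWithAttributes(unrestrictedUser, SCOPE));
console.log("no role:         ", visibleWithAttributes(noRoleUser, SCOPE));
```

With the scope alone, financeProdUser sees all three objects; with attributes applied, only the Finance production system remains. A user with matching attributes but without the scope gets nothing, which mirrors the note above that attributes refine roles rather than replace them. The example deliberately fails closed when a restricted dimension is missing from the user's attributes; whether an absent attribute should mean "no restriction" or "no access" is a policy decision, and treating it as "no access" is the safer default when the rules are first introduced.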