Authorization

The authorization concept in SAP Cloud Appliance Library is based on user roles and access control lists (ACLs). User roles and ACLs define which objects users can access and which actions they can perform. The users and ACLs are persisted in the SAP Cloud Appliance Library database.

The authorization check is performed in the following order:

The system checks whether the user belongs to the SAP Cloud Appliance Library user store.
The system checks whether the user has permissions for the selected resource (based on ACLs).

User Roles

User Role	Description
Administrator	Provides administrative permissions for performing the initial configuration of SAP Cloud Appliance Library, as well as permissions for managing users and access in SAP Cloud Appliance Library. The administrator role also has the following permissions: Manage access to the accounts (assign users, change user roles and remove users) Delete accounts Deactivate solutions (appliance templates and products) Remove accounts assigned to activated solutions Unlock appliance templates Perform operations on appliances (connect and reboot) Perform operations on appliance backups (delete and restore)
Account Owner	The account owner role has the following permissions: Manage access to the accounts owned by you (assign users, change user roles and remove users) Unlock appliance templates Activate solutions (appliance templates and products) Deactivate solutions where you are an owner of the account for which the solution is activated Create and manage customized appliance templates (edit and delete) Create and manage appliances (activate, edit, connect, suspend, reboot, and terminate) Create and manage appliance backups (restore and delete) Deploy and discover productive systems from products in a Microsoft Azure cloud provider account with the Authorization with Application type Basic management for productive systems (start and stop) Terminate systems which are deployed via SAP Cloud Appliance Library
Account Operator	The account operator role has the following permissions in the account where the operator is assigned to: Create appliances by using the appliance templates activated for the SAP Cloud Appliance Library account Manage your appliances (activate, edit, connect, suspend, reboot, and terminate) Perform operations on backups for your appliances (create, restore and delete) Perform operations on all appliancess in the account where the operator is assigned to (suspend, activate, reboot, connect, back up such appliances and restore their backups) Deploy productive systems from products in the Microsoft Azure cloud provider accounts with the Authorization with Application type and these products are already activated for their accounts in SAP Cloud Appliance Library in which they are assigned to
Account User	The account user role has the following permissions in the account where the user is assigned to: Create appliances by using the appliance templates activated for the SAP Cloud Appliance Library account that the user is assigned to Perform operations on appliances created by the user (activate, edit, connect, suspend, reboot, terminate) Perform operations on backups for the appliances owned by the user (create, restore and delete) Perform operations on appliances created by other users (view and connect) Provide business users with access details for the appliances Deploy productive systems from products in the Microsoft Azure cloud provider accounts with the Authorization with Application type and these products are already activated for their accounts in SAP Cloud Appliance Library in which they are assigned to Terminate systems if they are deployed by the user via SAP Cloud Appliance Library

ACLs

In addition to the user role concept, another authorization concept is used - ACLs.

ACLs are created for both solutions (appliance templated and products) and workloads (appliances and systems). When performing an authorization check, the system searches for these ACLs.

SAP Cloud Appliance Library ACL

The SAP Cloud Appliance Library ACL contains all registered users. This ACL distinguishes between the following users:

Administrators - the permissions of these users are described in the table above (see the administrator role).
Users - the permissions of these users are described in the table above (see the account owner, operator and user role).

This ACL is delivered with SAP Cloud Appliance Library. By default, it contains only the initial user of the SAP Cloud Appliance Library.

Account ACL

The Account ACL distinguishes between the following users:

Account Owners - the permissions of these users are described in the table above (see the account owner role).
Users - the permissions of these users are described in the table above (see the operator and user role).

Basic System Management

Basic System Management requires one set of Host Agent (user sapadm) credentials for all systems that are managed via SAP Cloud Appliance Library.

Microsoft Azure Subscription Authorization

Service Principal for SAP Cloud Appliance Library - this is the service principal that is required for the creation of SAP Cloud Appliance Library account. The required roles are:
- Contributor
- User Access Administrator
Service Principal for SAP Cloud Appliance Library - this is the service principal that is required for the configuring High Availability cluster with Pacemaker. SAP Cloud Appliance Library will automatically grant permissions to this principal for managing the virtual machines for Enqueue Replication Services and Application Server Central Services as well as primary and secondary HANA database machines.
Using Managed Identity - during the provisioning process, a managed identity is assigned to the deployment server, so that it can access the Azure Key Vault as well as specific DNS records in the scenarios with High Availability.