Authorization

The authorization concept in SAP Cloud Appliance Library is based on user roles and access control lists (ACLs). User roles and ACLs define which objects users can access and which actions they can perform. The users and ACLs are persisted in the SAP Cloud Appliance Library database.

The authorization check is performed in the following order:

The system checks whether the user belongs to the SAP Cloud Appliance Library user store.
The system checks whether the user has permissions for the selected resource (based on ACLs).

User Roles

User Role	Administrator of SAP Cloud Appliance Library
Administrator of SAP Cloud Appliance Library	Provides administrative permissions for performing the initial configuration of SAP Cloud Appliance Library, as well as permissions for managing users and access in SAP Cloud Appliance Library. The administrator role also has the following permissions: Manage access to the accounts (assign users, change user roles and remove users) Delete accounts Deactivate solutions Remove accounts assigned to activated solutions Unlock solutions Perform the following operations on solution instances: connect and reboot Perform the following operations on backups of solution instances: delete and restore
Account Owner of SAP Cloud Appliance Library	Provides permissions for managing accounts of SAP Cloud Appliance Library. The account owner role also has the following permissions: Manage access to the accounts owned by you (assign users, change user roles and remove users) Unlock solutions Activate solutions Deactivate solutions where you are an account owner of the account for which the solution is activated Create, edit and delete customized solutions Create and manage instances (activate, edit, connect, suspend, reboot and terminate) Create and manage instance backups (restore and delete)
User of SAP Cloud Appliance Library	Provides the following permissions for creating and managing the solution instances which are created from the user: Create solution instances by using the solutions activated for the SAP Cloud Appliance Library account that you are assigned to Perform the following operations on solution instances created by the user: activate, edit, connect, suspend, reboot, terminate Perform the following operations on backups for the solution instance owned by the user: create, restore and delete Perform the following operations on solution instances created by other users: view and connect to instances Provide business users with access details for the solution instance

ACLs

In addition to the user role concept, another authorization concept is used - ACLs. ACLs are created for both solutions and solution instances. When performing an authorization check, the system searches for these ACLs.

SAP Cloud Appliance Library ACL

The SAP Cloud Appliance Library ACL contains all registered users. This ACL distinguishes between the following users:

Administrators - the permissions of these users are described in the table above (see the administrator role).
Users - the permissions of these users are described in the table above (see the account owner and user role).

This ACL is delivered with SAP Cloud Appliance Library. By default, it contains only the initial user of the SAP Cloud Appliance Library.

Account ACL

The Account ACL distinguishes between the following users:

Account Owners - the permissions of these users are described in the table above (see the account owner role).
Users - the permissions of these users are described in the table above (see the user role).