The authorization concept in SAP Cloud Appliance Library is based on user roles and access control lists (ACLs). User roles and ACLs define which objects users can access and which actions they can perform. The users and ACLs are persisted in the SAP Cloud Appliance Library database.
The authorization check is performed in the following order:
- The system checks whether the user belongs to the SAP Cloud Appliance Library user store.
- The system checks whether the user has permissions for the selected resource (based on ACLs).
User Role | Description
---|---
Administrator | Provides administrative permissions for performing the initial configuration of SAP Cloud Appliance Library, as well as permissions for managing users and access in SAP Cloud Appliance Library. The administrator role also has the following permissions:
Account Owner | The account owner role has the following permissions:
Account Operator | The account operator role has the following permissions in the account to which the operator is assigned:
Account User | The account user role has the following permissions in the account to which the user is assigned:
In addition to user roles, a second authorization concept is used: ACLs.
ACLs are created for both solutions (appliance templates and products) and workloads (appliances and systems). When performing an authorization check, the system looks up these ACLs.
SAP Cloud Appliance Library ACL
The SAP Cloud Appliance Library ACL contains all registered users. This ACL distinguishes between the following users:
- Administrators - the permissions of these users are described in the table above (see the administrator role).
- Users - the permissions of these users are described in the table above (see the account owner, operator and user roles).
Account ACL
The Account ACL distinguishes between the following users:
- Account Owners - the permissions of these users are described in the table above (see the account owner role).
- Users - the permissions of these users are described in the table above (see the operator and user roles).
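The check order given at the top of this page (user store membership first, then the ACL of the selected resource) and the two ACL levels just described, modelled as an added example that is not SAP's code. The role names and the two ACL levels follow the page; the user names, account id and the per-role action names are constructed placeholders, since the page does not list the concrete permissions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Illustrative action names only (assumption): the page names the roles but
# not the permissions each role carries. Only the check order is from the page.
ROLE_PERMISSIONS = {
    "Administrator": {"configure_library", "manage_users", "manage_access"},
    "Account Owner": {"manage_account_access", "create_instance", "start_instance", "view_instance"},
    "Account Operator": {"create_instance", "start_instance", "view_instance"},
    "Account User": {"view_instance"},
}

@dataclass
class Authorization:
    user_store: set[str]                    # registered SAP Cloud Appliance Library users
    cal_acl: dict[str, str]                 # library-wide ACL: user -> "Administrator" | "User"
    account_acl: dict[str, dict[str, str]]  # Account ACL: account -> user -> account role

    def check(self, user: str, action: str, account: str | None = None) -> tuple[bool, str]:
        # Step 1: membership in the user store. A user who is absent here is denied
        # even if stale ACL entries still name them, so the check fails closed.
        if user not in self.user_store:
            return False, "user not in SAP Cloud Appliance Library user store"
        # Step 2: library-wide ACL decides administrator vs. ordinary user.
        cal_role = self.cal_acl.get(user)
        if cal_role is None:
            return False, "user missing from SAP Cloud Appliance Library ACL"
        if cal_role == "Administrator" and action in ROLE_PERMISSIONS["Administrator"]:
            return True, "granted by Administrator role"
        if account is None:
            return False, "library-level action requires the Administrator role"
        # Step 3: Account ACL of the selected resource decides owner/operator/user.
        account_role = self.account_acl.get(account, {}).get(user)
        if account_role is None:
            return False, f"user not in ACL of account {account!r}"
        if action in ROLE_PERMISSIONS.get(account_role, set()):
            return True, f"granted by {account_role} role in account {account!r}"
        return False, f"{account_role} role does not include {action!r}"

def demo_authz() -> Authorization:
    """Constructed sample data: 'dave' has ACL entries but is no longer registered."""
    return Authorization(
        user_store={"alice", "bob", "carol"},
        cal_acl={"alice": "Administrator", "bob": "User", "carol": "User", "dave": "User"},
        account_acl={"ACC-1": {"bob": "Account Owner", "carol": "Account User",
                               "dave": "Account Operator"}},
    )
```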
Basic System Management
Basic System Management requires one set of Host Agent (user sapadm) credentials for all systems that are managed via SAP Cloud Appliance Library.
Microsoft Azure Subscription Authorization
- Service Principal for SAP Cloud Appliance Library - this is the service principal that is required for the creation of an SAP Cloud Appliance Library account. The required roles are:
- Contributor
- User Access Administrator
- Service Principal for SAP Cloud Appliance Library - this is the service principal that is required for configuring a High Availability cluster with Pacemaker. SAP Cloud Appliance Library automatically grants this principal permissions for managing the virtual machines for Enqueue Replication Services and Application Server Central Services, as well as the primary and secondary HANA database machines.
- Using Managed Identity - during the provisioning process, a managed identity is assigned to the deployment server, so that it can access the Azure Key Vault as well as specific DNS records in the scenarios with High Availability.