SAP BTP - How to add a user to a BTP subaccount that does not have S-user account.

Introduction

This guide's purpose is to assist customers with the workflow required to create a user in your organization who does not have an S-user account.

Task

You need to provide access to a user, whether internal or external to your company's SAP BTP subaccount, who needs access to the following applications:

• SAP Build Process Automation (developer) 

The user can either be a developer or a read-only user.

Workflow

The complete task is broken down into several steps across two environments:

1. BTP Cockpit

   1. Verify that your Cloud Identity Services (CIS) are available and active in your BTP subaccount.

      1. Ensure that the shadow user creation in your subaccount's CIS is switched off (Security -> Trust Configuration).

   2.  If you need to manually create a shadow user in the BTP Subaccount, follow these steps:

      1. Create a custom IAS user.  

      2. Create a custom role collection.

      3. Assign the newly created user to the custom role.

2. Administrative Console of Cloud Identity Service

   1. Create a CIS user.

   2. Activate the user.

   3. Log in and start working.

Note

In our blog post, we will use the scenario where the creation of the shadow user in the CIS is switched off because it is more secure, and the BTP administrator has greater control over user creation.

BTP Cockpit part:

1.a. Check if your Cloud Identity Service is Active.

Log in to the SAP BTP cockpit as an Administrator and  go to your subaccount:

Once you reach to the subaccount level, go to the Security and Trust Configuration

You are in the Trust Configuration, you should be checked if your Custom IAS Tenant is Active (must have Active green status) !

1.a.i.  Shadow User creation switched off

Create Shadow User on User Logon should be on the No (if it is not, then click on the Edit and deactivate it )

1.b. Manual Shadow User Creation In the subaccount go to the security and create User

Enter your Email address and select Custom IAS Tennant for Identity Provider, then press Create Button

The New user has been created

1.b.ii. Create a Custom Role collection.

In the Security section please choose Rolle Collection and then Create

Name your role  (e.g. BM_developer )  and press Create

Assign the newly created user to the custom role.

Press + to assign already-created user

Administrative Console of Cloud Identity Service

 Create a CIS user.

Go to Security and click on the Trust configuration and then on the Custom IAS Tennant in order to get to the Administrative Console.

On the next screen click on the URL link !

Enter you admin account credentials

In the next screen click on the User Management 

Press +Add to add a new user.

Please select the same email you selected in the BTP cockpit selection!

After adding the user to the CIS, the user will get an invitation email in his/her mailbox immediately.

When he/she activates the account the account will become active in the next 2/3 hours. ( In my case it started functioning/working  the next day!) 

If you have a problem with account activation (manual shadow user creation approach), try skipping manual activation and using automatic shadow user creation instead. 

Thank you

SAP SCN Link is here