SAP Cloud Platform Open Connectors

Roles

Manage Roles

User roles define the information that a specific user assigned to the role can view and what they can do in SAP Cloud Platform Open Connectors. Each role includes a list of privileges that you can add or remove depending on how you want to manage roles in your organization.

SAP Cloud Platform Open Connectors supports the following roles:

  • Organization Administrator — Manage all aspects of security; create connectors, formula templates, and common resources for the organization; and can access all logs in Activity.
  • Account Administrator — Performs the same function of the Organization Administrator, but only on the account where they are the administrator. Account Administrator cannot create or manage accounts or set security rules.
  • Default User — A non-administrator role for users in non-default accounts.
  • Organization User — non-administrator users in the default company account. Users with the Organization User have no different privileges than other default users.

Update Permissions Assigned to Roles

You can customize the permissions assigned to the SAP Cloud Platform Open Connectors roles. You can grant access to new permissions or remove access from existing permissions.

To update permissions assigned to roles:

  1. Access the Security page.

    Note: If you don't see Security, your assigned role does not have access to it. 

  2. Click the Roles tab.
  3. Click the check boxes to assign or remove permissions.
  4. Click Update Roles.

Update User Roles 

You can assign a user as an organization or account administrator or remove roles. If you want to assign a user as an organization administrator, they must be in the Company Default Account.

Using our APIs?

Change a users role with PATCH /users/{id} .

Remove a role with DELETE /users/{userId}/roles/{roleKey}.

Assign a role with PUT /users/{userId}/roles/{roleKey}.

To update a user's role or information:

  1. Access the Accounts Edit page.
  2. Click Edit Button.
  3. Update the user role or information. To reassign the user to be an organization or account administrator, select Org Admin or Account Admin
  4. Click Save.

Role-Based Access Control to Connector Instances

The SAP Cloud Platform Open Connectors platform allows users to view, use, modify, and delete connector instances from the same account, provided the user has a role with one or more of these privileges active:

PermissionDescription
viewAccountElementInstancesAbility to view instances from users of the same account
useAccountElementInstancesAbility to use instances from users of the same account
editAccountElementInstancesAbility to modify instances from users of the same account
deleteAccountElementInstancesAbility to delete instances from users of the same account


Changing User Permissions

While these connector-related privileges are granted to account administrators by default, but they and other permissions can be disabled. In order to enable or disable changes to user permissions, users must have the necessary permissions to do so. To enable or disable connector-related or other permissions, follow these steps:

  1. After logging in to SAP Cloud Platform Open Connectors, navigate to the Security page.

  2. From the Security page, click the Roles tab.

  3. On the Roles tab, toggle permissions on and off using the checkboxes in the Enabled column, and then click Update Roles.

Role-Based Connector Listing

The Role Based Connector Listing feature provides the ability for users to control listing connectors at organizational level; that is, the ability to control what connectors at organization level can be viewed by all the accounts and users under an organization.

To list connectors of your preference, you need to enable the Manage Connector Org Lists privilege. You require this privilege to add, update and delete connectors for listing connectors as per your requirements. 

  • On SAP Cloud Platform Open Connectors UI, click the Security option on the navigational panel to your left.
  • Switch to the Roles tab on the console that opens.
  • Ensure that the Manage Connector Org Lists privilege is enabled.

This privilege is enabled for Organization Administrators by default. Organization administrators can use the listing APIs without having to explicitly enable this privilege as mentioned above. 

This feature makes use of the following APIs:

  1. Get Connector Safelists - GET/url/organisations/{organisationId}/connectors-safelist - Gets the list of safelisted connectors for the provided organization id.
  2. Update Connector Safelists - PUT/url/organisations/{organisationId}/connectors-safelist - Adds connectors to be safelisted for the provided organization id.
  3. Patch Connector Safelists - PATCH/url/organisations/{organisationId}/connectors-safelist - Adds connectors to connectors saflisted in an organization.
  4. Delete Connector Safelists - DELETE/url/organisations/{organisationId}/connectors-safelist - Deletes connectors from the list of safelisted connectors in an organization.
  5. Delete Connector Safelists by Connector Id - DELETE/url/organisations/{organisationId}/connectors-safelist/{ connector Id} - Deletes the connector corresponding to the connector Id, from the list of safelisted connectors in an organization.

Points to note:

  • SAP Cloud Platform Open Connectors also has a feature to add {{snippet.termElementlcPlural} to a Denylist at the super-organization level. This feature is implemented only for white-label partners, using which they can make sure an connector is not visible to any of the organizations under the super-organization.
  • If a white-label super-organization which contains multiple organizations has added an connector to it denylist at the super-organization level, that connector cannot be safelisted for any of its organizations. Both the safelist and denylist are mutually exclusive to each other for a given organization. An error message appears when you try adding an connector to a denylist when it is already added to a safelist and vice versa.
  • When connectors are added to safelist by an organization, all the accounts and users under the organization will only be able to see the safelisted connectors. Any user who has private connectors in an organization, will not see them.
  • This privilege is enabled by default for an organization administrator and can be enabled for other roles by enabling the configure_roles privilege. Hence this feature is not tied to any particular role and is at the discretion of the organization administrator.
  • To remove connectors from the safelist of an organization, you will need to use the DELETE API and delete the connectors from the safelist. The privilege does not directly impact the behaviour of this functionality, so enabling or disabling the privilege would not change what is on the list.