Designing SAP Cloud Platform Security model

SAP Cloud platform utilised to enable number of services including Cloud platform integration services and enabling SaaS based functionalities.

Based on landscape strategy; SCP should have at least two sub account (Neo accounts; there might be CF accounts which can have similar setup); one categorised as non-prod and other as production.

Services and activities are performed within each sub accounts.

Authentication in SCP

IDP (Identity provider) – Enterprise Active Directory with federation services having ability to provide SAML assertion; This can ensure Corporate identity store is utilised for managing authentication and securing services and applications enabled via SAP Cloud Platform.

Diagram above provides over of how user within network accessing SCP via providing client corporate credentials and accessing services enabled via SCP.

Authorisation in SCP

SCP (SAP Cloud platform) has many preconfigured platform roles which can be utilised to manage various segregation requirements. i.e. Admin, developers, security etc. Following diagram is from SCP platform roles section where scope refers to permissions/rights available via role which can be assigned to members.

These roles are then mapped to users creating roles based authorisation. Following diagram provides overview of linking platform role to sub accounts. This can be performed by administrator within each sub accounts in SCP cockpit.

Hope you enjoyed quick overview on SCP Security.