Roles in BTP, IAS and Launchpad service

Hello!
I’m still new to cloud development with SAP and got confused the other day about the different roles that exist in the BTP, IAS and Launchpad service.

I want to write this blog to help people who are also just new in this environment.

Simply put:

BTP = Roles / Role Collections

IAS = Groups

Launchpad Service = Roles

Instead of going deep into the theory of why different terms for roles are used for different platforms, I want to show how to implement it.

Create Role in Launchpad Service

Role%20in%20Launchpad%20Service

Role in Launchpad Service

Name%20Role

Name Role

With this ID a role collection is automatically created in the BTP cockpit.

Role%20collections%20BTP

Role collections BTP

In the BTP Cockpit navigate to Security > Role Collections to check if the role is now created.

IAS Assertion Attributes

IAS%20Assertion%20Attributes

IAS Assertion Attributes

Groups

Groups

Now you have to navigate to the IAS and select the application. Then you can define “Groups” via Assertion Attributes, so that the user group can be saved with the user.

IAS User Groups

User%20Groups

User Groups

Under User Groups you can add groups in IAS to which you can assign multiple users and which are automatically updated if you add a Group to user like the screenshot below.

You have to navigate in the “User Management” in the IAS to see and edit all users. Now you can assign a role to your user.

BTP

Trust%20Configuration

Trust Configuration

Back in the BTP, you have to navigate to the IAS Overview under Security > Trust Configuration to set Role Collections Mappings.

New%20Role%20Collection%20Mapping

New Role Collection Mapping

Now you can choose the role collection (which has been created when you add the role to launchpad service) and set the attribute from the group of the IAS.

So you have users in the IAS that are part of a group and you map this group to the Role Collection in BTP. So all users of the group will have access to the respective content.

Set content in Launchpad service

add%20app%20to%20role

add app to role

After that, you need to add the apps that you are allowed to view with this role to the role in the Launchpad service.

settings

settings

add%20role%20to%20website

add role to website

In the settings of the website you have to add the roles that the site contains.
To see the changes, press Refresh in the Launchpad Service > Provider Manager and relog in to the website itself.

This blog post and the answer to one of my questions also helped me a lot.

https://blogs.sap.com/2022/04/06/automate-role-collections-in-sap-btp/

https://answers.sap.com/answers/13713270/view.html

This article was about the roles in BTP, IAS, and the Launchpad service and how they all play together. I hope you learned something new and would be happy if you add your insights in the comments.

Feel free to comment with any questions/issues as well!

Kind regards

Sebastian