SAP Cloud Platform Neo环境的权限管理

SAP云平台的帮助文档：https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/a1ab5c4cc117455392cd0a512c7f890d.html

SAP Cloud Platform includes predefined platform roles that support the typical tasks performed by users when interacting with the platform. In addition, subaccount administrators can combine various scopes into a custom platform role that addresses their individual requirements.

CloudFoundry的帮助文档：https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/

SAP云平台包含了预定义的平台角色，每个角色能完成SAP Cloud Platform使用者需要进行的一系列典型操作。当然，Administrator也能根据实际需求，创建自定义的角色。

A platform role is a set of permissions, or scopes, managed by the platform.

平台角色是一系列permissions或者scopes的集合。

Scopes are the building blocks for platform roles.
Scope是平台角色的组成部分。

They represent a set of permissions that define what members can do and what platform resources they can access (for example, configuration settings such as destinations or quotas).

Scopes是一系列操作许可(permissions)的集合，定义了SAP云平台的用户能够进行的操作和能够访问的资源。

Most scopes follow a “Manage” and “Read” pattern. For example, manageXYZ comprises the actions create, update, and delete on platform resource XYZ.

大多数Scope本身遵循了Manage和Read的模式。例如，manageXYZ包含对资源XYZ的增删改查操作。

下面是一些基本的role：

• Administrator：Manage subaccount members管理Subaccount, 管理subscription，trust，Authentication和OAuth设置，以及SAP HANA services on HANA databases.

The Administrator role in a global account is automatically assigned to the user who has started a trial account or who has purchased resources for an enterprise account.

Furthermore, you can view heap dumps and download a heap dump file.

和developer role比较，具备后者定义的所有permission，除了调试权限之外。

Administrator role包含的scope：

• Cloud Connector Admin:Open secure tunnels via Cloud Connector from on-premise networks to your subaccounts.

• Developer: 这个role会默认分配给所有新建的用户：Supports typical development tasks, such as deploying, starting, stopping, and debugging applications. You can also change loggers and perform monitoring tasks, such as creating availability checks for your applications and executing MBean operations.

• Support User:Designed for technical support engineers, this role enables you to read almost all data related to a subaccount, including its metadata, configuration settings, and log files. For you to read database content, a database administrator must assign the appropriate database permissions to you. 对所有Subaccount的数据(包含元数据)提供只读访问。

• application user admin:Assigned by the subaccount administrator to a subaccount member. Manage user permissions on application level to access Java, HTML5 applications, and subscriptions. You can control permissions directly by assigning users to specific application roles or indirectly by assigning users to groups, which you then assign to application roles. You can also unassign users from the roles or groups.

从下图能够看出，Administrator role的scope最大：The Admin role includes all platform scopes available on SAP Cloud Platform. The Developer and Support User are subsets of the Admin role.

The user you want to add to SAP ID service must have an SAP user account (for example, an S-user or P-user).

要获取更多Jerry的原创文章，请关注公众号"汪子熙":