The Account service is a YaaS essential service. The Builder uses this service to:
- Create or delete an organization and edit the related information. The service also enables you to invite YaaS users to your organization and to manage the invitations.
- Manage join requests that users create for your projects and organizations.
- Invite YaaS users to projects and manage the invitations you send or receive.
- Grant roles from one account to another YaaS account of your choice.
Use this endpoint to manage organizations.
Grant Roles to an Alternate Account
The Account service allows you to duplicate your project and organization memberships and roles to your different YaaS accounts.
Use this functionality to duplicate the roles and memberships when you create a new user account with the SAP Cloud Platform Identity Authentication Service, or to combine the access and memberships of multiple accounts to a single user account.
This process does not affect the source account in any way. When you complete all of the steps, your old account remains unchanged. You can still access it and use it to work in YaaS.
To grant your roles to another account, follow these steps:
- Sign in to the Builder using the account which you want to use as the source of your roles and memberships.
- Click the account settings icon on the top navigation bar and go to My Account.
- Click Grant Roles to Alternate Account.
- In the Your Alternate Email Address field, enter the email address of the account to which you want to grant your roles and memberships. Click NEXT.
- Check your email for a security code. Enter that security code in the Security Code field.
- Click SUBMIT.
- You cannot grant roles to an email address that is not registered in YaaS.
- If you close the window that prompts you to enter the security code, you need to restart the process and use the new security code.
User roles are essential for security in YaaS. In the OAuth 2.0 Implicit Grant flow and the Resource Owner Password Credentials Grant flow, the authorization server cross-checks the scopes that you send in requests for access tokens and the scopes attached to user roles. Then, it issues the respective permissions. For more information about the authorization flows available in YaaS, see the Grants section of the OAuth2 service documentation.
When you create an organization or a project, you become their owner and all available scopes are automatically assigned to this role. These scopes come from the YaaS Essentials package. In a project, you can extend the range of available scopes with each package subscription. In addition, you can use scopes that you have in your own services within the project.
A single user in YaaS can have independent roles assigned in an organization and in a project. For example, Thomas is the Owner of the BigFoot organization. This means he has full access to all data in its projects. At the same time, he is a Viewer in a project named Elbow that belongs to a different organization. This means that he has read-only access to data in this project. He uses the Builder to switch between the organizations and access the respective data.
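The scope cross-check and the per-tenant roles described above, sketched as an added example that is not YaaS code or part of the original documentation. The role-to-scope mapping, the memberships, the email address and the `grant_scopes` function are assumptions made for illustration, as is the reading that the server grants only the requested scopes that the user's role carries.

```python
# Added example. The mappings below are constructed; they are not the
# Account service's real role tables.
ROLE_SCOPES = {
    "OWNER": {
        "hybris.org_manage", "hybris.org_members", "hybris.org_payment",
        "hybris.org_project_create", "hybris.org_project_manage",
        "hybris.org_view", "hybris.account_view",
    },
    "VIEWER": {"hybris.org_view", "hybris.account_view"},
}

# Constructed memberships: (user, organization or project) -> role.
# One user holds independent roles in different tenants.
MEMBERSHIPS = {
    ("thomas@example.com", "BigFoot"): "OWNER",
    ("thomas@example.com", "Elbow"): "VIEWER",
}


def grant_scopes(user, tenant, requested):
    """Cross-check a space-delimited OAuth 2.0 scope string against the
    scopes attached to the user's role in one tenant.

    Returns (granted, denied). Denied scopes are returned rather than
    silently dropped so that they can be logged for audit.
    """
    role = MEMBERSHIPS.get((user, tenant))
    # No membership in this tenant means no role, so nothing is allowed.
    allowed = ROLE_SCOPES.get(role, set())
    granted, denied = [], []
    # Scope names are case-sensitive; de-duplicate while keeping order.
    for scope in dict.fromkeys(requested.split()):
        (granted if scope in allowed else denied).append(scope)
    return granted, denied


if __name__ == "__main__":
    request = "hybris.org_view hybris.org_manage"
    for tenant in ("BigFoot", "Elbow"):
        print(tenant, grant_scopes("thomas@example.com", tenant, request))
```

The same request yields different permissions depending on the tenant, which is why a role granted in one organization or project should never be assumed to apply in another.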
This lists the scopes assigned by the Account service to the pre-defined roles in an organization:
This lists the scopes assigned by the Account service to the pre-defined roles in a project:
Use the pre-defined roles when you invite users to your organization or project. You can also create custom user roles to make your organization or project management more efficient.
Scopes in Account Service
These scopes are supported by the Account service:
|Scope|Description|
|---|---|
|hybris.account_manage|Use this scope to manage accounts|
|hybris.account_view|Default scope with view rights|
|hybris.org_manage|Use this scope to manage organizations|
|hybris.org_members|Use this scope to manage members within an organization|
|hybris.org_payment|Use this scope to manage payment methods within an organization|
|hybris.org_project_create|Use this scope to create projects within an organization|
|hybris.org_project_manage|Use this scope to manage projects|
|hybris.org_view|Default scope with view rights|
For more information about scopes, see the Scopes document in the Overview section.
|Term|Description|
|---|---|
|account|User's identity represented by email address, which is the account identifier, and a password.|
|client|An OAuth2 client as defined in the OAuth 2.0 Authorization Framework. It is created within a project and can interact with services in YaaS.|
|project|Company's planned piece of work. It is required for registering clients and managing their credentials, and package subscriptions. It includes Staff members who have different User roles assigned.|
|scopes|The access rights to resources and operations in the service, such as hybris.product_manage, which enables you to create and modify products.|
|service|Software running as a part of a hosted application on a server.|
|staff members|A group of developers that develop and work with a project or site.|
|subscription|A contract granting a user the right to use an API product in a project or site.|
|user role|Set of permissions defined in the project or site. There are two default roles: OWNER and VIEWER.|