
Tenant Usage in IoT Services 4.0

Nov 07, 2017 at 07:12 AM


We would like to collect and host data from different business partners of our client within one single SAP IoT Services 4.0 account. We thought about using the Business Partner concept in IoT Service 4.0. Am I right that it is possible to assign each business partner a different SCI user assigned to a different object (Thing) instance of a tenant to separate this?

Is it possible to define Things through packages for cross tenant usage, meaning the data is stored within one SAP CP tenant, but separated internally through an object based instance tenant access only the data that is related to the Business Partner?


1 Answer

Marcus Behrens
Nov 07, 2017 at 09:28 AM

... I guess you are referring to the business partner in IoT Application Enablement.

Yes, each "Person" can have a unique SAP Cloud Identity user associated with it. This allows the user to access the APIs with the roles and functional scopes (e.g. thing engineer) based on the user group defined in the Cloud Identity tenant used. All of this happens in the context of a particular tenant, for which the API is called (e.g. iotae-handson). Furthermore, the access to the data in the things is then governed by the instance-based authorization concept. This concept uses Thing data but also Person data to define the rules with which certain users/persons can access the specific data. The help at > SAP IoT Application Enablement Services > Authorization gives a good overview.

Do you have a more specific question?


Yes, many thanks for your swift reply. I had a look into the quite impressive documentation. I think a small example would really help to understand the entire concept.

  • Two business partners: BP01, BP02
  • SCI: U1 belonging to user group UG_BP01 and U2 belonging to user group UG_BP02, both with respective roles, scopes to access application A
  • There are two ObjectGroups OG1 for UG_BP01 and OG2 for UG_BP02
  • There is one single ThingType “Car”, ignoring the capacity concept
  • U1 has created a thing “MyCarU1” of ThingType “Car”, U2 has created a thing “MyCarU2” of ThingType “Car”
  • Application A is displaying the last n IoT data sent by things of type “Car”
  • Now U1 is only able to read data of his object-instance (“MyCarU1”) as he has the authorization through OG1 that is related to UG_BP1 and vice versa for U2

Is that correct? How is the instance-based isolation working in detail? Do you have a more sophisticated example?

Thx & Cheers


I suggest you get a system and try this out. In SAP you can go to our getting started wiki. For outside of SAP we are working hard to offer a free trial soon. For customers an evaluation license would make sense; for partners there is an add-on offered that contains both IoT Service 4.x and IoT Application Enablement for a low monthly fee.
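
The scenario from the comment above, written out as a small Python model. This is an added example and not part of the thread or SAP's API: it only models the two checks the answer names (functional scope via user group, then instance-based access via object group). The scope name `car.read`, the `Orphan` thing, the data layout and the deny-by-default behaviour are assumptions; the thread does not confirm that the product behaves this way.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, using the names from the comment's scenario.
USER_GROUPS = {"U1": {"UG_BP01"}, "U2": {"UG_BP02"}}
# Hypothetical scope name; the thread only says the groups carry roles/scopes.
GROUP_SCOPES = {"UG_BP01": {"car.read"}, "UG_BP02": {"car.read"}}
# Object group -> user groups allowed to see the things assigned to it.
OBJECT_GROUP_ACL = {"OG1": {"UG_BP01"}, "OG2": {"UG_BP02"}}


@dataclass(frozen=True)
class Thing:
    name: str
    thing_type: str
    object_group: Optional[str]  # None models a thing with no object group


THINGS = [
    Thing("MyCarU1", "Car", "OG1"),
    Thing("MyCarU2", "Car", "OG2"),
    Thing("Orphan", "Car", None),  # constructed edge case, not in the thread
]


def has_scope(user: str, scope: str) -> bool:
    """Stage 1: functional authorization derived from the user's groups."""
    groups = USER_GROUPS.get(user, set())
    return any(scope in GROUP_SCOPES.get(g, set()) for g in groups)


def can_read(user: str, thing: Thing) -> bool:
    """Stage 2: instance-based check; both stages must pass (deny by default)."""
    if not has_scope(user, "car.read"):
        return False
    allowed_groups = OBJECT_GROUP_ACL.get(thing.object_group, set())
    return bool(USER_GROUPS.get(user, set()) & allowed_groups)


def visible_things(user: str, thing_type: str = "Car") -> list:
    """What application A would list for this user under the model above."""
    return [t.name for t in THINGS
            if t.thing_type == thing_type and can_read(user, t)]


if __name__ == "__main__":
    for u in ("U1", "U2", "U3"):
        print(u, visible_things(u))
```

In an isolation test against a real tenant, the cases worth checking are the negative ones this model encodes: a user of one business partner reading the other partner's thing, and a thing that belongs to no object group.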