Enterprise Resource Planning Blogs by SAP
karanbir14

Introduction


SAP S/4HANA Cloud, Public Edition is a SaaS-based, ready-to-adopt cloud ERP that delivers the latest industry best practices and continuous innovation.

This blog elaborates the concept of Identity and Access Management (IAM) in S/4HANA Cloud, Public Edition, covering the end-to-end implementation journey.

Architecture


S/4HANA Cloud, Public Edition is delivered to customers in 2 possible architectures, depending on customer requirements.

3 System Landscape

Figure: 3 system landscape

2 System Landscape

Figure: 2 system landscape

Figure: Systems in S4HC Landscape

Identity Access Management – Implementation Journey


S/4HANA Cloud, public edition is a closely knit landscape of multiple tenants, and access is granted in each tenant during the respective phase of the implementation journey.

Figure: IAM S4HC Implementation Journey

Prepare Phase


Setup of SAP Central Business Configuration (CBC) with Cloud Identity Services (CIS) and sync CBC standard groups to CIS


The SAP CBC system is the central point for configuring the system. SAP provides pre-delivered standard SAP CBC groups to perform scope activation and other configurations in the S/4HC system. Projects are created in the SAP CBC system for each system in order to perform system configuration.

From an IAM perspective, the pre-delivered standard SAP CBC groups need to be synced to the Test IAS tenant so that they can be assigned to Technical/Functional Administrators.

Procedure



  • Configure Subject Name Identifier for CBC Application as “Login Name”


Log in to Cloud Identity Services and navigate to the Applications & Resources tab → Applications. Select the SAP Central Business Configuration application and maintain the Subject Name Identifier as “Login Name”.

Figure 1 Subject Name Identifier for CBC Application

Figure 2 Subject Name Identifier for CBC Application

  • Sync CBC roles as groups in Cloud Identity Services (CIS)


Log in to Cloud Identity Services and navigate to the Identity Provisioning tab → Source Systems. Select the CBC application as source and run the Read job. This will sync/enrich the CBC roles as groups in CIS.

You can verify the synced groups from the Users & Authorizations tab → User Groups.

Figure 1 Sync CBC roles as groups in Cloud Identity Services

Figure 2 Sync CBC roles as groups in Cloud Identity Services

Figure 3 Sync CBC roles as groups in Cloud Identity Services

Figure 4 Sync CBC roles as groups in Cloud Identity Services

Onboarding of Technical/Functional Administrators in SAP Central Business Configuration (CBC)


Procedure



  • Create User in Cloud Identity Services (CIS)


Log in to Cloud Identity Services and navigate to the Users & Authorizations tab → User Management. Click on Add, enter First Name, Last Name, Email and Login Name, and click on Save.

Open the user, add the CBC groups and click on Save.

Figure 1 Create User in Cloud Identity Services

Figure 2 Create User in Cloud Identity Services

  • Sync User from Cloud Identity Services (CIS) to CBC


Log in to Cloud Identity Services and navigate to the Identity Provisioning tab → Source Systems. Select the IAS application as source and run the Read job. This will create the user-group assignment in the CBC system.

Users can verify this by logging in to the CBC system tenant URL.

Figure 1 Sync User from CIS to CBC

Figure 2 Sync User from CIS to CBC

Figure 3 Sync User from CIS to CBC

Create Business Roles in S/4HC Starter System


Prerequisite - Scope Items activation

Once the S/4HC system is provisioned to customers, it contains only the 3 standard roles below.

SAP_BR_ADMINISTRATOR, SAP_BR_BPC_EXPERT, SAP_BR_MANAGER

Scope items for in-scope business processes need to be activated in the SAP CBC system by creating a project in it. This activity is usually handled by business process consultants/SMEs.

From IAM perspective, once Scope Items are activated, it creates standard “Business Catalogs” and “Business Role Templates” which can be consumed to create Business Roles.

Procedure



  • Business Role Creation


Business Roles in S/4HC public edition can be created in 2 possible ways, as below.

Possibility 1 - Create Business Roles from Business Role Templates

Use this scenario if we intend to create a copy of, or reference, a business role from the standard role templates. Once the Business Role is created, we can maintain appropriate “restrictions” in the role based on customer requirements.


Figure 1 Create Business Role from Business Role Template

Figure 2 Create Business Role from Business Role Template

Figure 3 Create Business Role from Business Role Template

Possibility 2 - Create Business Roles as “New” from scratch

Use this option if we need to create a role from scratch by adding business catalogs. When we add a business catalog, the system may or may not show a pop-up to add its “dependent” catalogs. It is recommended to add the dependent catalogs to the role as well, to ensure that users don’t face any access issues.


Figure 1 Create Business Role from scratch

Figure 2 Create Business Role from scratch

Keynote - In S/4HC, we cannot create custom business catalogs. We can add only the standard delivered catalogs, which are created by scope activation, to the business roles.

Figure 3 Create Business Role from scratch

  • Maintain Restrictions


The Maintain Restrictions functionality in S/4HC helps to restrict the scope of a business role when it is assigned to users. There are 3 levels of restrictions (analogous to the Activity ACTVT field in S/4HANA private cloud edition), as shown below.


Figure 1 Maintain Restrictions

Figure 2 Maintain Restrictions

Figure 3 Maintain Restrictions

Figure 4 Maintain Restrictions

Keynote - S/4HC public edition receives a new release each quarter, which can bring in new business catalogs or deprecate existing ones. These changes get reflected in the “Business Role Templates”, and customers can adapt their business roles manually, if needed. Deprecated catalogs are also visible in the “Business Catalogs” app via the status field.
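The two checks described above (dependent catalogs that were not added when a role was built from scratch, and catalogs that a quarterly release has deprecated) can be scripted against an export of the role's catalog list. The example below is added here and is not code from the original post or from SAP; the catalog registry and IDs are constructed sample data, not real SAP catalogs.

```python
# Added example, not from the original post: a small lint for a business role's
# catalog list, applying two rules the post states: dependent catalogs must be
# added alongside a catalog, and deprecated catalogs (shown with a status in
# the "Business Catalogs" app) should be replaced by their successor.
# CATALOGS is a constructed sample registry; the IDs are made up.

CATALOGS = {
    "CAT_COMMON":      {"status": "Active", "dependencies": []},
    "CAT_AP_INVOICES": {"status": "Active", "dependencies": ["CAT_COMMON"]},
    "CAT_AP_PAYMENTS": {"status": "Active", "dependencies": ["CAT_AP_INVOICES"]},
    "CAT_AP_LEGACY":   {"status": "Deprecated", "dependencies": [],
                        "successor": "CAT_AP_PAYMENTS"},
}


def missing_dependencies(role_catalogs):
    """Dependent catalogs absent from the role, resolved transitively."""
    present = set(role_catalogs)
    missing, stack = [], list(role_catalogs)
    while stack:
        cat = stack.pop()
        for dep in CATALOGS.get(cat, {}).get("dependencies", []):
            if dep not in present and dep not in missing:
                missing.append(dep)
                stack.append(dep)  # a dependency may itself have dependencies
    return sorted(missing)


def deprecated_catalogs(role_catalogs):
    """(catalog, successor-or-None) for every deprecated catalog in the role."""
    return [(c, CATALOGS[c].get("successor")) for c in role_catalogs
            if CATALOGS.get(c, {}).get("status") == "Deprecated"]


def lint_role(role_id, role_catalogs):
    """Collect findings for one business role; empty lists mean the role is clean."""
    return {
        "role": role_id,
        "unknown": sorted(c for c in role_catalogs if c not in CATALOGS),
        "missing_dependencies": missing_dependencies(role_catalogs),
        "deprecated": deprecated_catalogs(role_catalogs),
    }


if __name__ == "__main__":
    # Constructed role: built "from scratch" with one catalog, without
    # accepting the dependent-catalog pop-up, and still using a deprecated one.
    print(lint_role("ZBR_AP_CLERK", ["CAT_AP_PAYMENTS", "CAT_AP_LEGACY"]))
```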


Onboard Users in S/4HC Starter System


Users in S/4HC are created as “Worker” and then maintained as “Business Users” by assigning appropriate business roles.


Figure 1 Onboard Users in S4HC Public Cloud

Authentication/Login – The S/4HC Starter system is connected to the test tenant of Cloud Identity Services, and users are authenticated from it. Hence, business users need to be present and activated in the Test IAS tenant as well, with the same email ID.

Direct password login to the S/4HC system is not available.

Procedure



  • Create Worker using “Manage Workforce” Fiori app


Users in S/4HC system are closely linked with "workers" (employees and contingent workers) including work agreements and change employment situations.


Figure 2 Onboard Users in S4HC Public Cloud

  • Click on “Maintain Business User”, or alternatively use the “Maintain Business Users” Fiori app, click on Add and select the appropriate Business Roles.


Once the worker is created, we can set up the user as a "Business User" and assign business roles for access to Fiori apps.


Figure 3 Onboard Users in S4HC Public Cloud

Figure 4 Onboard Users in S4HC Public Cloud

  • Create the user in Test IAS tenant.



Figure 5 Onboard Users in S4HC Public Cloud

Explore Phase


During explore phase, IAM/Security consultant will provide system demonstrations/workshops. It covers designing roles/authorizations to align as much as possible to Fit-to-Standard.


Realize Phase


Realize phase marks the start of role creation and other developments in the Development tenant (in 3-system landscape) OR Test/Quality tenant (in 2-system landscape).

Roles once created in Development tenant can be transported to Test/Quality and production using “Export Software Collection” Fiori app.

Keynote - The S/4HC public edition Starter System is a temporary system provisioned for Fit-to-Standard workshops and for hands-on exploration to understand the operation of the system. The Starter system is de-provisioned 30 days after the Production S/4HC system is delivered. Hence, business role creation and other configurations must be redone in the Development tenant.



Deploy Phase


Business roles created in the Development tenant (in a 3-system landscape) OR the Test/Quality tenant (in a 2-system landscape) are transported (“Imported”) into the Production S/4HC system, and users are created there.

As Production S/4HC is connected to production IAS tenant, all users must be created in it for successful authentication/login.


Conclusion


User and role administration in S/4HC, public edition is much simpler than in the traditional/S4HC private edition and provides a user-friendly interface for Security Administrators to manage all the activities using Fiori apps.

The idea behind consumption and adoption of S/4HC, public cloud edition is to adapt to "Fit to Standard" as much as possible.

Limitation

As the whole essence of S/4HC, public cloud edition is Fit to Standard, extensive customizations are not possible, such as creating custom business catalogs or segregating the different actions/activities under the "Write" umbrella (such as create/edit/post/delete).


List of Important Links

SAP Roadmap Viewer - IAM

SAP S/4HANA Cloud, Public Edition 2302 – Localization, Identity and Access Management (IAM), and Sec...

RISE with SAP: Comparing the Security of SAP S/4HANA Cloud, private edition Vs SAP S/4HANA Cloud, pu...


Feedback, questions and comments are most welcome!!

Please follow my profile for future posts on SAP Security and GRC. Also, follow me on LinkedIn.


Happy Learnings!

Karanbir Singh.
3 Comments
SIDDHESHPAI1
Excellent blog, Karanbir! A few more limitations which I came across with it are:

  • We can't see what restrictions are applicable or mapped to individual applications present in a Business Catalog, which makes it difficult to design the ruleset.

  • Once a role is added to a software collection and moved to the test system, if we intend to move the role to a different software collection, it isn't possible.

  • When a catalog is deprecated, it isn't necessary that the successor catalog(s) will have all the apps present in the deprecated one, which isn't that user friendly.


Thanks,

Siddhesh Pai
former_member866695
Insightful article, thank you for sharing your expertise
abap1
Good to read! Thanks for sharing..