Introduction - In today's world of digital transformation, most customers are moving from conventional ECC and GRC systems to S/4HANA and IAG (Identity Access Governance) on the BTP platform. Integration becomes a real challenge because the systems need to be integrated across different networks. In this blog I will walk through the technical steps to integrate an S/4HANA system on SAP Private cloud with IAG on Public cloud in order to achieve SOX compliance for S/4HANA.
Technical Details: To integrate IAG with S/4HANA, I will start with the systems required, followed by the prerequisites, and then the actual configuration steps.
Systems Involved
- SAP S/4Hana system installed on SAP Private cloud.
- IAG tenant included in BTP subscription
- Cloud connector
Pre Requisites
- Cloud connector Installed and configured with BTP subaccount
- S/4HANA system with a compatible NetWeaver version - It is important to use only supported SAP NetWeaver versions because the SAP Cloud Identity Access Governance Services Data Extractor API has to be included there. SAP Support Note: 2628749 - IAG Provisioning Services for SAP ERP and S/4HANA on-premise Systems
- Technical RFC user (System user) with proper authorizations created on the S/4HANA system, which will be used for the integration of IAG with S/4HANA.
- SAP Cloud Identity Access Governance user with admin access to either the subaccount or the global account. This user is used for registering the SAP Cloud Identity Access Governance subaccount in the Cloud Connector.
Configuration steps
1.Open the Cloud Connector UI using the URL https://<hostname>:8443 and enter the required credentials.
2.Navigate to the Connector. Make sure that the previously created SAP Cloud Identity Access Governance subaccount is selected in the Subaccount field.
3.To register the SAP S/4HANA on-premise target system to the Cloud Connector, select Cloud to On-Premise. This will create a connection to the SAP S/4HANA on-premise target system.
4.Navigate to the Access Control section and choose the + button on the right side of the Mapping Virtual to Internal System panel.
5.Follow the wizard and provide the following information:
Back-end type: ABAP System
Protocol: RFC / RFC_SNC
Connection Type: With / Without load balancing
Application Server: <Application server of the SAP S/4HANA on-premise target system>
Instance number: <Instance number of the SAP S/4HANA on-premise target system>
SAP router: <SAP router string in case there is one used for the SAP S/4HANA on-premise target system>
Virtual Application Server: <Provide virtual host name>
Virtual Instance Number: <Provide virtual port>
Description: <Any description>
Check Internal Host: False (unchecked)
Principal Type: <Only relevant if you are using RFC_SNC>
SNC Partner Name: <Only relevant if you are using RFC_SNC>
Host in Request Header: Use Virtual Host
6.Choose Finish.
7.Expose resources of the SAP S/4HANA system.
- Add the following function modules under Resources of the previously created RFC connection. These function module classes can be called in the SAP S/4HANA on-premise target system by SAP Cloud Identity Access Governance:
Function Name: SIAG
Naming Policy: Prefix
Function Name: RFC_READ_TABLE
Naming Policy: Exact Name
8.Perform the connection check.
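An added example (not from the original post or from SAP) that models the two naming policies from step 7 and audits a resource list against the two entries documented there, so an over-broad prefix is caught before the mapping goes live. The resource lists are constructed samples, and SIAG_EXAMPLE_FM is a made-up function name used only to exercise the prefix rule.

```python
# Added example. SIAG and RFC_READ_TABLE come from step 7; other names are illustrative.
EXPECTED = {("SIAG", "prefix"), ("RFC_READ_TABLE", "exact")}

def normalize(resources):
    """Upper-case names and map 'Exact Name' / 'Prefix' to 'exact' / 'prefix'."""
    return {(name.strip().upper(), policy.strip().lower().split()[0])
            for name, policy in resources}

def is_permitted(function_name, resources):
    """True if the resource list lets this function module through."""
    for name, policy in normalize(resources):
        if policy == "exact" and function_name == name:
            return True
        if policy == "prefix" and function_name.startswith(name):
            return True
    return False

def audit_resources(resources):
    """Return findings for every entry that differs from the list in step 7."""
    configured = normalize(resources)
    findings = []
    for name, policy in sorted(configured - EXPECTED):
        # A prefix that is itself the start of a documented name exposes more than needed.
        if policy == "prefix" and any(e.startswith(name) for e, _ in EXPECTED):
            findings.append(f"{name} ({policy}): prefix is broader than required")
        else:
            findings.append(f"{name} ({policy}): not in the documented resource list")
    for name, policy in sorted(EXPECTED - configured):
        findings.append(f"{name} ({policy}): documented resource is missing")
    return findings

# Constructed sample inputs.
DOCUMENTED = [("SIAG", "Prefix"), ("RFC_READ_TABLE", "Exact Name")]
TOO_BROAD = [("SIAG", "Prefix"), ("RFC", "Prefix")]  # constructed misconfiguration

if __name__ == "__main__":
    for finding in audit_resources(TOO_BROAD):
        print(finding)
    # With the broad prefix, a function module outside the documented list gets through.
    print("RFC_PING permitted:", is_permitted("RFC_PING", TOO_BROAD))
```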
Create Destination for the SAP S/4HANA On-Premise System in the SAP Cloud Identity Access Governance Subaccount
1.Open SAP BTP cockpit.
2.Open Subaccounts and choose your SAP Cloud Identity Access Governance subaccount.
3.Navigate to Connectivity → Destinations.
4.Create a New Destination using the button.
- Provide the following information:
Name: <IAG_S4HANA_DEV>
Type: RFC
Description: <IAG to S4HANA Dev >
Proxy Type: On-premise
User: <Technical RFC user (type: system) created in the SAP S/4HANA on-premise target system with proper authorizations>
Password: <Password of the technical RFC user>
Other destination fields: optional, not needed
Additional Properties: The following properties need to be added
a) jco.client.ashost: Enter host name of the server; in this case, this has to be the virtual host name set in the RFC connection (Cloud To On-Premise) of Cloud Connector (mandatory)
b) jco.client.client: Enter client number (mandatory)
c) jco.client.lang: Enter language, for instance, EN (optional)
d) jco.client.sysnr: Enter your system number; in this case, this has to be the virtual instance number set in the RFC connection (Cloud To On-Premise) of Cloud Connector (mandatory)
e) jco.destination.pool_capacity: Enter pool capacity, for example, 6 (optional)
f) jco.destination.proxy_type: On-premise (optional)
7.Choose Save.
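An added example (not from the original post or from SAP) that cross-checks a destination against the Cloud Connector mapping, since the destination must carry the virtual host and virtual instance number rather than the internal ones. It assumes the destination is held as a dict keyed by the field names listed above; all host names and values are constructed.

```python
import re

MANDATORY = ("jco.client.ashost", "jco.client.client", "jco.client.sysnr")

def check_destination(dest, virtual_host, virtual_instance, internal_host=None):
    """Compare a destination with the virtual host and virtual instance number
    of the Cloud Connector mapping and return a list of findings."""
    findings = [f"{key}: mandatory property is missing"
                for key in MANDATORY if not dest.get(key, "").strip()]
    if dest.get("Type", "").upper() != "RFC":
        findings.append("Type: expected RFC")
    if dest.get("Proxy Type", "").lower() != "on-premise":
        findings.append("Proxy Type: expected On-premise")
    ashost = dest.get("jco.client.ashost", "").strip().lower()
    if ashost and ashost != virtual_host.lower():
        if internal_host and ashost == internal_host.lower():
            findings.append("jco.client.ashost: internal host used, expected the virtual host")
        else:
            findings.append("jco.client.ashost: does not match the virtual host")
    sysnr = dest.get("jco.client.sysnr", "").strip()
    if sysnr and sysnr != virtual_instance:
        findings.append("jco.client.sysnr: does not match the virtual instance number")
    client = dest.get("jco.client.client", "").strip()
    if client and not re.fullmatch(r"\d{3}", client):
        findings.append("jco.client.client: expected a three-digit client number")
    return findings

# Constructed sample values; none of them come from a real landscape.
GOOD = {
    "Name": "IAG_S4HANA_DEV", "Type": "RFC", "Proxy Type": "On-premise",
    "jco.client.ashost": "s4hana-virtual", "jco.client.client": "100",
    "jco.client.sysnr": "00",
}
BAD = {**GOOD, "jco.client.ashost": "s4app01.internal.example", "jco.client.sysnr": ""}

if __name__ == "__main__":
    for finding in check_destination(BAD, "s4hana-virtual", "00",
                                     internal_host="s4app01.internal.example"):
        print(finding)
```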
Create an Application Instance for SAP S/4HANA On-Premise System in SAP Cloud Identity Access Governance Fiori Launchpad
1.Open the SAP Cloud Identity Access Governance Fiori Launchpad.
2.Navigate to Administration → Applications.
3.Add a new Application by using the + button.
- Provide the following information:
Application name: <Any application name>
Description: <Any description>
Application Type: SAP S/4HANA On-Premise
HCP Destination: <Name of the created SAP S/4HANA on-premise destination in the SAP Cloud Identity Access Governance subaccount>
5.Choose Save.
Sync Data from the SAP S/4HANA On-Premise System to SAP Cloud Identity Access Governance Using the Job Scheduler App in the SAP Cloud Identity Access Governance Fiori Launchpad
Schedule the following 2 job categories:
Repository Sync: used to sync all relevant data from the SAP SuccessFactors target system to SAP Cloud Identity Access Governance, which can be applied in access request service
Provisioning: used to trigger the provisioning of SAP Cloud Identity Access Governance access request
Perform the following steps:
1.Open the SAP Cloud Identity Access Governance Fiori Launchpad.
2.Navigate to Administration → Job Scheduler.
- Schedule the job and provide the following information:
Job name: <Any Job name>
Job category: Repository Sync and/or Provisioning
Recurring Job: Yes or No, depending on your needs
Start immediately: Yes or No, depending on your needs
Application Type: SAP S/4HANA On-Premise
Application: <Previously created instance in the SAP Cloud Identity Access Governance Fiori Launchpad>
4.Choose Schedule Job.
5.Check the job status in the Job History List.
References
https://help.sap.com/docs/CP_CONNECTIVITY/cca91383641e40ffbe03bdc78f00f681/e6c7616abb5710148cfcf3e75...
https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/9d16...
2628749 - IAG Provisioning Services for SAP ERP and S/4HANA on-premise Systems
Configure Access Control (RFC) | SAP Help Portal
Conclusion
To conclude, this blog post provides the high-level steps for configuring integration between IAG on Public cloud and S/4HANA on Private cloud. This configuration will help customers in their digital transformation journey by using the cloud-based IAG solution as a replacement for an on-premise GRC solution. It is preconfigured and will save customers a lot of time.
Dear readers, please provide your valuable feedback on this post in the comment section, as this will help me improve my future posts.