It was over one year ago that I wrote a well-received blog, User Management in a Nutshell for the SAP S/4HANA Cloud, public edition. Things have been changing fast in the SAP S/4HANA Cloud Public Edition world, and I think it is worth a new deep dive into the Central Business Configuration (CBC) user authentication and authorization concept. I will start from the fundamentals with diagrams, followed by a walkthrough in the real systems.
When it comes to CBC user authentication and authorizations, many users are confused, because the working mechanism has similarities with, but even more differences from, the traditional solution such as SAP S/4HANA Cloud Public Edition.
The picture below illustrates how Authentication and Authorization are designed. On the left-hand side is the Cloud Identity Services (CIS), which has three components:
The IAS and IPS were two separate tenants with different URLs until last year. Now they are combined into one: a new drop-down menu within the IAS tenant, called Identity Provisioning, provides the IPS functions. I will show this in the system soon.
Identity Authentication and Authorization Management in the SAP S/4HANA Cloud solution
In parallel, the SAP S/4HANA Cloud solution has its own built-in Identity Authorization Management functions, such as User Creation, User Role Assignment and User Authorization. It relies on the CIS only for the authentication service during a user logon.
Now let’s look at the same Identity Authorization Management in the Central Business Configuration tenant. It has only the User Role definitions (officially called User Groups within CBC; I use the two terms interchangeably) and the User Authorization capability built in. It relies on the CIS to create users and to assign roles to them, after the User Roles have been copied from the CBC tenant by the IPS.
Identity Authentication and Authorization Management in the Central Business Configuration Tenant
Based on the architecture difference above, the CBC user management process is as follows:
CBC User Management Process
Let me summarize the similarities and differences between the SAP S/4HANA Cloud tenants and the CBC tenant:
Similarities:
1) The authentication is carried out by the Identity Authentication Service (IAS)
2) The authorizations are checked against the User Groups/User Roles within the application.
Differences:
1) User Roles are called User Groups in the CBC
2) There are only six pre-defined User Groups (there were five last year), and no user-defined User Groups are allowed
3) SAP-delivered User Groups are copied/provisioned from the CBC system to the Identity Provisioning Service (IPS), so that they can be assigned to the CBC users
4) CBC user role assignment is done in the IAS and provisioned to the CBC by the IPS
With a good understanding of CBC user management in theory, we can get into the system to do our job.
When you receive a brand-new CBC tenant along with the SAP S/4HANA Cloud Public Edition, you need to follow the steps below to get the system ready. After that, you can execute any one of these steps as needed.
As I explained above, the CBC User Groups are delivered by SAP; users cannot define their own. SAP updates the User Groups periodically. For example, before May 2023 there were only five User Groups:
The User Role SAP_CBC_CONSUMPTION_ACTIVITY_ALL has the most powerful authorizations to manage projects (creation, target system assignment, etc.).
In May 2023, SAP CBC development overhauled User Management by introducing the project team concept. The User Group SAP_CBC_CONSUMPTION_ACTIVITY_ALL was split into two User Groups: SAP_CBC_CONSUMPTION_PROGRAM_LEAD and SAP_CBC_CONSUMPTION_PROJECT_LEAD, and SAP_CBC_CONSUMPTION_ACTIVITY_ALL itself became deprecated. Therefore, you now see seven User Groups in the CBC tenants:
At the very top is the Program Manager (SAP_CBC_CONSUMPTION_PROGRAM_LEAD), which is by default the customer’s IT Contact and the very first user in the system. This IT Contact can access the CBC Tenant immediately after the CBC tenant provisioning.
There is another role called the Project Manager (SAP_CBC_CONSUMPTION_PROJECT_LEAD), which is responsible for the project team, such as assigning users to his/her project(s). This will be discussed in detail in "Step 4 – Project Team Management the CBC System" shortly.
As a super user, the Program Manager can access any project in the CBC Tenant, like the Project Manager.
The CBC Authorization Concept details are provided in the SAP Help Portal.
The following picture is the Home page of the Cloud Identity Services.
The Home Page of the SAP Cloud Identity Services
To get the latest CBC User Groups from the CBC tenant, we go to the menu Identity Provisioning --> Source Systems. I focus only on the top two entries in this blog.
Source Systems within the IPS
For a while, I was confused about which system to choose in the Source Systems panel. To understand these Source Systems, think of the IPS as a provisioning system, or a middleman: it reads information from the Source System and delivers it to the Target System. For example, the SAP-delivered CBC User Group information is stored in the Source System (the CBC tenant). To provision it to the IAS tenant, we select CBC – cbc-ap-rel-xxx-source. When we provision the user information back to the CBC tenant, the Source System is the IAS, so we choose IAS for -cbc-ap-rel-xxx-source.
Note: Within IPS-Source Systems, the naming conventions are different for customer systems and SAP internal VLAB systems:
For provisioning information from and to the IPS, SAP has jobs ready for that purpose. For example, to copy the SAP-delivered CBC User Groups from the CBC tenant to the IPS, select CBC – cbc-ap-rel-xxx-source in the Source Systems panel, click on Jobs, then click the Run Now button in the Read Job line. That’s it.
To record this User Group change for history, I am attaching the picture below. On the right-hand side, you can see the five User Groups delivered before May 2023. On the left-hand side, there are seven User Groups.
CBC User Groups before and after Running the Copying Job
The prerequisite for assigning User Group(s) to users is creating or importing the users in the IAS. In other words, the users must exist first. I discussed this in detail in a separate blog: User Management in a Nutshell for the SAP S/4HANA Cloud, public edition.
Similar to User Management within the SAP S/4HANA Cloud, you can open a User Group and add users to it, or open a User profile and add User Groups to it.
Add Users to the User Group
Add User(s) to a User Group
Add User Groups to the User
Assign User Group(s) to a User
While we are here, it is worth discussing the concept of the Subject Name Identifier.
When you check the user information under the User Details tab, pay attention to the Login Name. The IAS and the CBC use it to identify the CBC user. If the Login Name is blank, for whatever reason, the user cannot log on to the system.
Login Name for CBC User Identification
The reason is the Subject Name Identifier: the CBC tenant uses the Login Name to identify the user. Let’s look at it closely.
Login Name as the Subject Name Identifier for the CBC Tenant
Similarly, we can see that the SAP S/4HANA Cloud uses Email instead of Login Name as its Subject Name Identifier.
Email as the Subject Name Identifier for the SAP S/4HANA Cloud Tenant
After User Groups are assigned to users, we can provision them from the IAS to the CBC tenant by following these steps:
Running User Provisioning Job from IAS
After 10-15 seconds (if there are not many users to be provisioned), the provisioning log can be accessed through Identity Provisioning --> Provisioning Logs.
IPS Provisioning Logs
There are two logs in this example. The 2nd log is about copying the CBC User Groups from the CBC tenant to the IPS. It was executed successfully on May 29.
The 1st log is about provisioning users from the IAS to the CBC tenant on June 4. It has errors in two areas that need your attention (see the Failed Entities section):
IPS Provisioning Log
I am also interested in another area of information: Statistics. It tells us the following:
After users are provisioned to the CBC tenant, we can start working in it, such as creating a project, assigning a target system, activating scopes, deploying scopes to the S/4HANA Cloud, etc. I have a blog about these tasks: From A to Z: Setup a Starter System of the SAP S/4HANA Cloud, public edition.
From the CBC user management point of view, one important task is to assign users to the project after logging on to the CBC tenant. First, switch to the project you intend to work on by using the Switch Project button in the lower left corner. In this example, I use the project Dev-080 Extensibility.
Home Page of the CBC System
Then, by clicking on the Team button, you can add users to or remove them from this project. The user roles assigned in the IAS are shown in the Roles column.
CBC Project Team Management of a Development Project
You might notice that for the majority of users there are two identical roles, both called “Project Manager”. Why?
If you recall my discussion of the User Group change in May 2023, the answer is there. Before that change, the User Group SAP_CBC_CONSUMPTION_ACTIVITY_ALL played the role of Project Manager; it is now “deprecated”. Since then, a new User Group serves as the Project Manager: SAP_CBC_CONSUMPTION_PROJECT_LEAD.
To verify my understanding, we can look at user GEORGEY as shown below. It has both User Groups assigned. As soon as I remove the deprecated User Group SAP_CBC_CONSUMPTION_ACTIVITY_ALL, there is no duplicated user role anymore.
Two Identical User Groups Are Assigned to the User
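As an added example (not code from this blog or from SAP), here is a small Python audit to run over IAS user records before the provisioning job: it flags a blank Login Name (the CBC Subject Name Identifier discussed above), a user still carrying the deprecated SAP_CBC_CONSUMPTION_ACTIVITY_ALL group next to SAP_CBC_CONSUMPTION_PROJECT_LEAD (the duplicate Project Manager role), and any group that is not in the SAP-delivered set. The IasUser shape, the allowed-group set (only the three groups named in this post; the real set comes from the IPS read job) and the sample users are all constructed assumptions.

```python
from dataclasses import dataclass, field

DEPRECATED_ALL = "SAP_CBC_CONSUMPTION_ACTIVITY_ALL"   # deprecated since May 2023
PROJECT_LEAD = "SAP_CBC_CONSUMPTION_PROJECT_LEAD"    # Project Manager
PROGRAM_LEAD = "SAP_CBC_CONSUMPTION_PROGRAM_LEAD"    # Program Manager

# Placeholder allowed set (assumption): fill it with all SAP-delivered groups from the IPS read job.
ALLOWED_GROUPS = {DEPRECATED_ALL, PROJECT_LEAD, PROGRAM_LEAD}


@dataclass
class IasUser:                      # constructed minimal view of an IAS user record
    user_id: str
    login_name: str                 # CBC Subject Name Identifier
    groups: list = field(default_factory=list)


def audit_user(user, allowed=ALLOWED_GROUPS):
    """Return the findings for one user; an empty list means the user is clean."""
    findings = []
    if not user.login_name.strip():
        findings.append("blank Login Name: the CBC tenant cannot identify this user")
    if DEPRECATED_ALL in user.groups:
        findings.append(f"deprecated group {DEPRECATED_ALL} still assigned")
        if PROJECT_LEAD in user.groups:
            findings.append("duplicate Project Manager role (ACTIVITY_ALL and PROJECT_LEAD)")
    unknown = sorted(set(user.groups) - set(allowed))
    if unknown:
        findings.append("group(s) not delivered by SAP: " + ", ".join(unknown))
    return findings


def audit(users, allowed=ALLOWED_GROUPS):
    """Map user_id -> findings for every user with at least one finding."""
    report = {}
    for user in users:
        findings = audit_user(user, allowed)
        if findings:
            report[user.user_id] = findings
    return report


# Constructed sample users; none of these are real tenant data.
SAMPLE_USERS = [
    IasUser("DUPROLE", "DUPROLE", [DEPRECATED_ALL, PROJECT_LEAD]),
    IasUser("PGMLEAD", "PGMLEAD", [PROGRAM_LEAD]),
    IasUser("NOLOGIN", "", [PROJECT_LEAD]),
    IasUser("CUSTOM", "CUSTOM", [PROJECT_LEAD, "ZCUSTOM_GROUP"]),
]

if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_USERS).items():
        print(uid, "->", "; ".join(findings))
```

Running it before "Run Now" on the IAS-to-CBC job surfaces the blank Login Name case as a finding instead of a failed entity in the provisioning log.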
In this blog, I explained the background of user management in the CBC tenants, i.e., that the CBC tenant does not have user management capabilities of its own. This is different from the familiar user management concept in systems like the SAP S/4HANA Cloud tenants. Because of this difference, we rely on the Identity Provisioning Service within the Cloud Identity Services to copy User Groups from the CBC tenant to the IPS, and to provision users to the CBC tenant after their CBC-related User Groups are assigned. The walkthrough within the IAS/IPS and CBC tenants gives readers a good visual experience of the subject.