George_Yu
Product and Topic Expert
Introduction

It has been over a year since I wrote the well-received blog User Management in a Nutshell for the SAP S/4HANA Cloud, public edition. Things have been changing fast in the SAP S/4HANA Cloud Public Edition world, and I think it is worth a new deep dive into the Central Business Configuration (CBC) user authentication and authorization concept. I will start from the fundamentals with diagrams and follow with a walkthrough in the real systems.

 

Fundamentals of CBC User Authentication and Authorizations

When it comes to CBC user authentication and authorizations, many users are confused, because the mechanism has some similarities to, but more differences from, the traditional solution they know from the SAP S/4HANA Cloud Public Edition.

The picture below illustrates how authentication and authorization are designed. On the left-hand side is the Cloud Identity Services (CIS), which has three components:

  • Identity Authentication Service (IAS): authenticates a user during the logon process
  • Identity Provisioning Service (IPS): reads identities from a source system and writes them to a target system, such as the Central Business Configuration tenant
  • Identity Directory (ID): stores the user identity information

Until last year the IAS and the IPS were two separate tenants with different URLs. Now they are combined into one: a new menu within the IAS tenant, called Identity Provisioning, provides the IPS functions. I will show this in the system shortly.

[Figure: Identity Authentication and Authorization Management in the SAP S/4HANA Cloud solution (1.png)]

In parallel, the SAP S/4HANA Cloud solution has its own built-in identity and authorization management functions, such as user creation, user role assignment and user authorization. It relies on the CIS only for the authentication service during user logon.

Now let's look at the same identity and authorization management in the Central Business Configuration tenant. It only has the User Role definitions (officially called User Groups within CBC; I use the terms interchangeably) and the user authorization checks built into the system. It relies on the CIS to create users and to assign users to roles, after the User Groups have been copied from the CBC tenant by the IPS.

[Figure: Identity Authentication and Authorization Management in the Central Business Configuration Tenant (2.png)]

Given this architectural difference, the CBC user management process is as follows:

  1. The SAP-delivered CBC User Groups are copied from the CBC tenant to the IPS. SAP updates the CBC User Groups periodically, so customers need to copy the updated User Groups to the IPS again.
  2. Users with assigned CBC User Group(s) are copied (provisioned) to the CBC tenant by the IPS.
  3. The IAS performs the authentication check when a user logs on to the CBC tenant.
  4. The authorization check is performed within the CBC tenant when the user uses CBC functions.

[Figure: CBC User Management Process (3.png)]

Let me summarize the similarities and differences between the SAP S/4HANA Cloud tenants and the CBC tenant:

Similarities:

1) The authentication is carried out by the Identity Authentication Service (IAS)

2) The authorizations are checked against the User Groups/User Roles within the application.

Differences:

1) User Roles are called User Groups in the CBC

2) There are only six active pre-defined User Groups (five last year; seven if you count the deprecated SAP_CBC_CONSUMPTION_ACTIVITY_ALL), and no user-defined User Groups are allowed

3) SAP-delivered User Groups are copied/provisioned from the CBC tenant to the Identity Provisioning Service (IPS), so that they can be assigned to the CBC users

4) The CBC user role assignment is done in the IAS and provisioned to the CBC tenant by the IPS

With the good understanding of the CBC user management in theory, we can get into the system to do our job.

 

CBC User Authentication and Authorizations in Action

When you receive a brand-new CBC tenant along with the SAP S/4HANA Cloud Public Edition, you need to follow the steps below to get the system ready. After that, you can execute any of these steps individually as needed.

Step 1 – Provision the latest list of CBC User Groups to the IPS

As explained above, the CBC User Groups are delivered by SAP; customers cannot define their own CBC User Groups. SAP updates the User Groups periodically. For example, before May 2023 there were only five User Groups:

  • SAP_CBC_CONSUMPTION_ACTIVITY_ALL
  • SAP_CBC_CONSUMPTION_AUDITOR
  • SAP_CBC_CONSUMPTION_DISPLAY_USER
  • SAP_CBC_CONSUMPTION_KEY_USER
  • SAP_CBC_CONSUMPTION_PROJECT_LEAD

The User Role SAP_CBC_CONSUMPTION_ACTIVITY_ALL has the most powerful authorizations to manage projects (creation, target system assignment, etc.).

In May 2023, SAP CBC development overhauled user management by introducing the project team concept. The User Group SAP_CBC_CONSUMPTION_ACTIVITY_ALL was split into two User Groups, SAP_CBC_CONSUMPTION_PROGRAM_LEAD and SAP_CBC_CONSUMPTION_PROJECT_LEAD, and SAP_CBC_CONSUMPTION_ACTIVITY_ALL became deprecated. Therefore, you now see seven User Groups in the CBC tenants:

  • SAP_CBC_CONSUMPTION_PROGRAM_LEAD
  • SAP_CBC_CONSUMPTION_PROJECT_LEAD
  • SAP_CBC_CONSUMPTION_ACTIVITY_ALL (deprecated)
  • SAP_CBC_CONSUMPTION_KEY_USER
  • SAP_CBC_CONSUMPTION_DISPLAY_USER
  • SAP_CBC_CONSUMPTION_AUDITOR
  • SAP_CBC_CONTENT_PROCESSOR

At the very top is the Program Manager (SAP_CBC_CONSUMPTION_PROGRAM_LEAD), which by default is the customer's IT Contact and the very first user in the system. This IT Contact can access the CBC tenant immediately after the CBC tenant has been provisioned.

There is another role, the Project Manager (SAP_CBC_CONSUMPTION_PROJECT_LEAD), which is responsible for the project team, for example assigning users to his/her project(s). This will be discussed in detail in "Step 4 – Project Team Management in the CBC System" shortly.

As a super user, the Program Manager can access any projects in the CBC Tenant, like the Project Manager.

The CBC Authorization Concept details are provided in the SAP Help Portal.

The following picture is the Home page of the Cloud Identity Services. 


[Figure: The Home Page of the SAP Cloud Identity Services (4.png)]

To get the latest CBC User Groups from the CBC tenant, we open the menu Identity Provisioning --> Source Systems. I am only focusing on the top two entries in this blog.


[Figure: Source Systems within the IPS (5.png)]

For a while I was confused about which system to choose in the Source Systems panel. Think of the IPS as a middleman: it reads information from the Source System and delivers it to the Target System, so the entry to pick is named after where the data comes from. The SAP-delivered CBC User Group information lives in the CBC tenant, so to provision it to the IAS tenant we select CBC – cbc-ap-rel-xxx-source. When we provision the user information back to the CBC tenant, the Source System is the IAS, so we choose IAS for -cbc-ap-rel-xxx-source.

Note: Within IPS Source Systems, the naming conventions differ between customer systems and SAP internal VLAB systems:

  • For customer systems, it looks like "IAS for my99999999 – target"
  • For VLAB systems, it looks like "IAS for- cbc-ap-rel-vlab-xxxx – source"

For provisioning information to and from the IPS, SAP delivers ready-made jobs. For example, to copy the SAP-delivered CBC User Groups from the CBC tenant to the IPS, select CBC – cbc-ap-rel-xxx-source in the Source Systems panel, click on Jobs, then click the Run Now button in the Read Job line. That's it.

For the record, I am attaching the picture below. On the right-hand side you can see the five User Groups delivered before May 2023; on the left-hand side there are seven User Groups.


[Figure: CBC User Groups before and after Running the Copying Job (6.png)]

 

Step 2 – Assigning User Group(s) to Users in the IPS

The prerequisite for assigning User Group(s) to users is that the users have been created in or imported into the IAS. In other words, the users must exist first. I discussed this in detail in a separate blog: User Management in a Nutshell for the SAP S/4HANA Cloud, public edition.

As with user management within the SAP S/4HANA Cloud, you can either open a User Group and add users to it, or open a user profile and add User Groups to it.

Add Users to the User Group

  • Open the menu Users & Authorizations --> Groups
  • Select the User Group, such as SAP_CBC_CONSUMPTION_PROJECT_LEAD
  • Click the +Add button to add user(s) to this group


[Figure: Add User(s) to a User Group (7.png)]

Add User Groups to the User

  • Open the menu Users & Authorizations --> User Management
  • Select the User, such as George Yu
  • Select the Groups tab
  • Click the Assign button to add User Group(s) to this user


[Figure: Assign User Group(s) to a User (8.png)]

Subject Name Identifier

While we are here, it is worth discussing the concept of the Subject Name Identifier.

When you check the user information under the User Details tab, pay attention to the Login Name. The IAS and the CBC tenant use it to identify the CBC user. If the Login Name is blank, for whatever reason, the user cannot log on to the CBC tenant.


[Figure: Login Name for CBC User Identification (9.png)]

The reason is the Subject Name Identifier: it is the attribute the IAS sends in the single sign-on assertion, and the CBC tenant uses it to identify the user. Let's look at it closely.

  • Click on Applications and Resources --> Applications
  • Select the application under the Bundled Applications panel, SAP S/4HANA Cloud – CBC Tenant
  • Select Trust --> Single Sign-On
  • Check Subject Name Identifier
  • Check the Primary Attribute section highlighted with a red box
  • Here you can see that the system uses the Login Name stored in the Identity Directory to identify the user. The pull-down menu offers many other options for the Value. Do not change it unless you thoroughly understand how the IAS and IPS work: the CBC tenant matches the value presented at logon against the identity it received through provisioning, so switching to another attribute after users have been provisioned can leave existing users unable to log on, and an attribute that can be blank or is not unique per user is unusable as an identifier.


[Figure: Login Name as the Subject Name Identifier for the CBC Tenant (10.png)]

Similarly, we can see that the SAP S/4HANA Cloud tenant uses Email instead of Login Name as its Subject Name Identifier.


[Figure: Email as the Subject Name Identifier for the SAP S/4HANA Cloud Tenant (11.png)]

 

Step 3 – Provisioning Users to the CBC System

After the User Groups are assigned to the users, we can provision them from the IAS to the CBC tenant by following these steps:

  • Click Identity Provisioning --> Source Systems
  • Select the system name with IAS as prefix, such as IAS for -cbc-ap-rel-xxx – source
  • Click on Jobs tab
  • Click on Run Now button in the Read Job line


[Figure: Running the User Provisioning Job from the IAS (12.png)]

After 10-15 seconds (if there are not many users to provision), the provisioning log can be accessed through Identity Provisioning --> Provisioning Logs.


[Figure: IPS Provisioning Logs (13.png)]

There are two logs in this example. The second log records the copying of the CBC User Groups from the CBC tenant to the IPS; it ran successfully on May 29.

The first log records the provisioning of users from the IAS to the CBC tenant on June 4. It has errors in two areas that need your attention (see the Failed Entities section):

  1. User P000050 has a userName problem.
  2. Eight users do not have their status set to active. An inactive user cannot log on to the CBC tenant.

Check this section after every run: a job that finishes can still have skipped individual users, and those users will not be able to work in the CBC tenant.


[Figure: IPS Provisioning Log (14.png)]

I am also interested in another area of information, Statistics. It tells us the following:

  • From source system IAS, there are 7 User Groups and 61 users are read; they are all existing ones, so there is no change.  No new user or group is created or updated.
  • From source system CBC, 2 User Groups are updated.  No changes in users.

 

Step 4 – Project Team Management in the CBC System

After users are provisioned to the CBC tenant, we can start working in the CBC tenant, such as creating a project, assigning a target system, activating scopes, deploying scopes to the S/4HANA Cloud, etc.  I have a blog talking about these tasks: From A to Z: Setup a Starter System of the SAP S/4HANA Cloud, public edition.

From the CBC user management point of view, one important task after logging on to the CBC tenant is to assign users to the project. First, switch to the project you intend to work on by using the Switch Project button in the lower left corner. In this example, I use the project Dev-080 Extensibility.

 
[Figure: Home Page of the CBC System (15.png)]

Then, by clicking on the Team button, you can Add or Remove users to and from this project. The user roles assigned in the IAS are shown in the column Roles.


[Figure: CBC Project Team Management of a Development Project (16.png)]

You might notice that for the majority of users there are two identical roles, both called "Project Manager". Why?

The answer lies in the User Group change of May 2023 discussed above. Before that date, the User Group SAP_CBC_CONSUMPTION_ACTIVITY_ALL played the role of Project Manager; it is now deprecated. Since then, a new User Group serves as Project Manager: SAP_CBC_CONSUMPTION_PROJECT_LEAD.

To verify this, look at user GEORGEY as shown below. It has both User Groups assigned. As soon as I remove the deprecated User Group SAP_CBC_CONSUMPTION_ACTIVITY_ALL, the duplicated role disappears.


[Figure: Two Identical User Groups Are Assigned to the User (17.png)]
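Before triggering the read job from the IAS to the CBC tenant, it pays to check the IAS user records for the problems this blog has shown: inactive users, a blank Login Name (the Subject Name Identifier for the CBC tenant), users without any CBC User Group, and the deprecated SAP_CBC_CONSUMPTION_ACTIVITY_ALL sitting next to SAP_CBC_CONSUMPTION_PROJECT_LEAD, which is what produces the duplicated "Project Manager" in the CBC Team view. The following Python script is an added example written for this blog, not SAP code: it does not call the IAS, IPS or CBC, the IasUser record layout and the sample users are constructed, and the role display names other than Program Manager and Project Manager are assumptions (groups not listed are shown under their technical name).

```python
"""Pre-flight check over IAS user records before the IAS -> CBC read job.

Added example; this is not SAP code and it does not call IAS, IPS or CBC.
It encodes the rules described in this blog:
  * an inactive user shows up in the provisioning log as a failed entity
    and cannot log on to the CBC tenant;
  * the attribute configured as Subject Name Identifier (Login Name for the
    CBC tenant, Email for the SAP S/4HANA Cloud tenant) must not be blank;
  * a user needs at least one CBC User Group to get any CBC authorization;
  * SAP_CBC_CONSUMPTION_ACTIVITY_ALL is deprecated and, next to
    SAP_CBC_CONSUMPTION_PROJECT_LEAD, shows up as a duplicated "Project Manager".
The IasUser layout, the sample users and the role display names other than
Program Manager / Project Manager are assumptions made for this example.
"""
from dataclasses import dataclass, field

# The seven CBC User Groups listed in Step 1.
CBC_GROUPS = {
    "SAP_CBC_CONSUMPTION_PROGRAM_LEAD",
    "SAP_CBC_CONSUMPTION_PROJECT_LEAD",
    "SAP_CBC_CONSUMPTION_ACTIVITY_ALL",
    "SAP_CBC_CONSUMPTION_KEY_USER",
    "SAP_CBC_CONSUMPTION_DISPLAY_USER",
    "SAP_CBC_CONSUMPTION_AUDITOR",
    "SAP_CBC_CONTENT_PROCESSOR",
}
# Deprecated group -> its replacement (the May 2023 change).
DEPRECATED = {"SAP_CBC_CONSUMPTION_ACTIVITY_ALL": "SAP_CBC_CONSUMPTION_PROJECT_LEAD"}
# IasUser attribute sent as Subject Name Identifier, per application.
SUBJECT_NAME_ID = {"CBC": "login_name", "S4HC": "email"}
# Role names as the CBC Team view shows them; groups not listed here are
# assumed to display under their technical name.
ROLE_DISPLAY = {
    "SAP_CBC_CONSUMPTION_PROGRAM_LEAD": "Program Manager",
    "SAP_CBC_CONSUMPTION_PROJECT_LEAD": "Project Manager",
    "SAP_CBC_CONSUMPTION_ACTIVITY_ALL": "Project Manager",
}


@dataclass
class IasUser:
    """Minimal constructed view of an IAS user record."""
    user_id: str
    active: bool = True
    login_name: str = ""
    email: str = ""
    groups: set = field(default_factory=set)


def check_user(u: IasUser, app: str = "CBC") -> list:
    """Return the findings for one user; an empty list means safe to provision."""
    findings = []
    if not u.active:
        findings.append("user is not active; IPS reports a failed entity and logon is impossible")
    attr = SUBJECT_NAME_ID[app]
    if not getattr(u, attr):
        findings.append(f"{attr} is blank; the Subject Name Identifier for {app} is empty, logon fails")
    if app == "CBC":
        if not (u.groups & CBC_GROUPS):
            findings.append("no CBC User Group assigned; the user gets no authorizations in CBC")
        for old, new in DEPRECATED.items():
            if old in u.groups and new in u.groups:
                findings.append(f"{old} is deprecated and duplicates {new}; remove {old}")
            elif old in u.groups:
                findings.append(f"{old} is deprecated; replace it with {new}")
    return findings


def preflight(users, app: str = "CBC") -> dict:
    """Map user_id -> findings for every user that has at least one finding."""
    return {u.user_id: f for u in users if (f := check_user(u, app))}


def cbc_team_roles(u: IasUser) -> list:
    """Roles column of the CBC Team view for this user (sorted for stable output)."""
    return sorted(ROLE_DISPLAY.get(g, g) for g in u.groups & CBC_GROUPS)


# Constructed sample records; IDs are modelled on the blog's screenshots and log.
SAMPLE_USERS = [
    IasUser("GEORGEY", login_name="GEORGEY", email="georgey@example.com",
            groups={"SAP_CBC_CONSUMPTION_PROJECT_LEAD", "SAP_CBC_CONSUMPTION_ACTIVITY_ALL"}),
    IasUser("P000050", login_name="", email="p000050@example.com",
            groups={"SAP_CBC_CONSUMPTION_KEY_USER"}),      # the "userName problem"
    IasUser("P000051", active=False, login_name="P000051", email="p000051@example.com",
            groups={"SAP_CBC_CONSUMPTION_DISPLAY_USER"}),  # one of the inactive users
    IasUser("P000052", login_name="P000052", email="p000052@example.com"),
    IasUser("ITCONTACT", login_name="ITCONTACT", email="it@example.com",
            groups={"SAP_CBC_CONSUMPTION_PROGRAM_LEAD"}),
]

if __name__ == "__main__":
    for uid, findings in preflight(SAMPLE_USERS).items():
        print(uid, "->", "; ".join(findings))
    for u in SAMPLE_USERS:
        print(u.user_id, "roles in CBC Team view:", cbc_team_roles(u))
```

Running the script over the sample records flags GEORGEY (duplicate Project Manager), P000050 (blank login_name), P000051 (inactive) and P000052 (no CBC group), while the IT Contact passes. Calling preflight with app="S4HC" applies the S/4HANA Cloud rule instead, where Email is the identifier, so only the inactive user is reported. Feed it an export of your real IAS users and fix every finding before you click Run Now on the read job.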

Conclusion

In this blog, I explained the background of user management in the CBC tenant: it has no user creation or role assignment capability of its own, only the SAP-delivered User Groups and the authorization checks built on them. This is different from the familiar user management concept in systems such as the SAP S/4HANA Cloud tenants. Because of this difference, we rely on the Identity Provisioning Service within the Cloud Identity Services to copy the User Groups from the CBC tenant to the IPS, assign them to users in the IAS, and provision the users to the CBC tenant. The walkthrough in the IAS/IPS and CBC tenants gives readers a visual picture of the whole process.

 
