Introduction
SAP S/4HANA Cloud, Public Edition is a SaaS-based, ready-to-adopt cloud ERP that delivers the latest industry best practices and continuous innovation.
This blog explains the concept of Identity and Access Management (IAM) in S/4HANA Cloud, Public Edition and covers the end-to-end implementation journey.
Architecture
S/4HANA Cloud, Public Edition is delivered to customers in one of two landscapes, chosen according to customer requirements. In addition, a temporary Starter system is provisioned for the Fit-to-Standard workshops (see the Realize phase below).
3 System Landscape (Development, Test/Quality and Production tenants)
3 system landscape
2 System Landscape (Test/Quality and Production tenants)
2 system landscape
Systems in S4HC Landscape
Identity Access Management – Implementation Journey
S/4HANA Cloud, Public Edition is a closely knit landscape of multiple tenants, and access is granted in each tenant during the respective phase of the implementation journey.
IAM S4HC Implementation Journey
Prepare Phase
Set up SAP Central Business Configuration (CBC) with Cloud Identity Services (CIS) and sync the CBC standard groups to CIS
SAP CBC is the central point for configuring the system. SAP pre-delivers standard CBC groups that are required to perform scope activation and other configuration of the S/4HC system. Projects are created in CBC for each system in order to carry out that configuration.
From an IAM perspective, the pre-delivered standard CBC groups need to be synced to the Test IAS tenant so that they can be assigned to the technical/functional administrators.
Procedure
- Configure the Subject Name Identifier of the CBC application as "Login Name"
Log in to Cloud Identity Services and navigate to Applications & Resources → Applications. Select the SAP Central Business Configuration application and set the Subject Name Identifier to "Login Name". The Subject Name Identifier is the user attribute that CIS places in the authentication assertion to identify the user to CBC, so it must match the attribute by which CBC knows the user; otherwise the login fails even though the user exists in both systems.
Figure 1 Subject Name Identifier for CBC Application
Figure 2 Subject Name Identifier for CBC Application
- Sync CBC roles as groups in Cloud Identity Services (CIS)
Log in to Cloud Identity Services and navigate to Identity Provisioning → Source Systems. Select the CBC application as the source system and run the Read job. This syncs/enriches the CBC roles as groups in CIS.
You can verify the synced groups under Users & Authorizations → User Groups.
Figure 1 Sync CBC roles as groups in Cloud Identity Services
Figure 2 Sync CBC roles as groups in Cloud Identity Services
Figure 3 Sync CBC roles as groups in Cloud Identity Services
Figure 4 Sync CBC roles as groups in Cloud Identity Services
Onboarding of Technical/Functional Administrators in SAP Central Business Configuration (CBC)
Procedure
- Create the user in Cloud Identity Services (CIS)
Log in to Cloud Identity Services and navigate to Users & Authorizations → User Management. Click Add, enter First Name, Last Name, Email and Login Name, and click Save.
Open the user, add the required CBC groups and click Save.
Figure 1 Create User in Cloud Identity Services
Figure 2 Create User in Cloud Identity Services
- Sync the user from Cloud Identity Services (CIS) to CBC
Log in to Cloud Identity Services and navigate to Identity Provisioning → Source Systems. Select the IAS application as the source system and run the Read job. This creates the user together with its group assignments in the CBC system.
The user can verify the result by logging in to the CBC tenant URL.
Figure 1 Sync User from CIS to CBC
Figure 2 Sync User from CIS to CBC
Figure 3 Sync User from CIS to CBC
Create Business Roles in S/4HC Starter System
Prerequisite - Scope item activation
Once the S/4HC system is provisioned to the customer, it contains only the following three standard business roles:
SAP_BR_ADMINISTRATOR, SAP_BR_BPC_EXPERT, SAP_BR_MANAGER
Scope items for the in-scope business processes need to be activated in SAP CBC by creating a project there. This activity is usually handled by business process consultants/SMEs.
From an IAM perspective, scope item activation creates the standard "Business Catalogs" and "Business Role Templates" that are consumed to create Business Roles.
Procedure
Business roles in S/4HC public edition can be created in two possible ways, as below.
Possibility 1 - Create Business Roles from Business Role Templates
Use this option to create a copy of, or a role that references, a standard business role template. Once the business role is created, we maintain the appropriate "restrictions" in the role according to the customer requirement.
Figure 1 Create Business Role from Business Role Template
Figure 2 Create Business Role from Business Role Template
Figure 3 Create Business Role from Business Role Template
Possibility 2 - Create Business Roles as "New" from scratch
Use this option to build a role from scratch by adding business catalogs. When a business catalog is added, the app may or may not show a pop-up offering to add its "dependent" catalogs. It is recommended to add the dependent catalogs to the role as well, so that users do not run into missing-authorization issues when the apps of the main catalog call into the dependent ones.
Figure 1 Create Business Role from scratch
Figure 2 Create Business Role from scratch
Keynote - In S/4HC, custom business catalogs cannot be created. Only the standard delivered catalogs created by scope activation can be added to business roles.
Figure 3 Create Business Role from scratch
The Maintain Restrictions functionality in S/4HC limits what a business role allows once it is assigned to users. Restrictions are maintained per access category (Write, Read and Value Help, which are analogous to the activity field ACTVT in S/4HANA Cloud, private edition), and each category can be set to one of three levels: Unrestricted, Restricted (limited to specific field values such as company code or plant) or No Access, as shown below.
Figure 1 Maintain Restrictions
Figure 2 Maintain Restrictions
Figure 3 Maintain Restrictions
Figure 4 Maintain Restrictions
Keynote - A new release of S/4HC public edition ships each quarter and can bring new business catalogs or deprecate existing ones. These changes are reflected in the "Business Role Templates"; customers adapt their own business roles manually, if needed. Deprecated catalogs are also visible in the "Business Catalogs" app via the status field.
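The two points above (dependent catalogs that must be added to a role, and catalogs that a release deprecates or adds to a template) are easy to miss when roles are maintained by hand in the Fiori app. As an added example, not part of the original post, the following Python script performs the checks a security administrator would run on a role before it is transported: it lists dependent catalogs that are missing (following chains of dependencies), catalogs that are deprecated or unknown, and drift between a role and the template it was copied from. The catalog IDs, the dependency map and the status table are constructed placeholders, not SAP-delivered identifiers; in practice they would be taken from the "Business Catalogs" and "Business Role Templates" apps.

```python
"""Sanity checks for an S/4HANA Cloud business role before it is transported.

Added example; catalog IDs, dependencies and statuses below are constructed
placeholders (the real values come from the "Business Catalogs" and
"Business Role Templates" apps), not SAP-delivered identifiers.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample: which catalogs a catalog depends on (what the
# "dependent catalog" pop-up in Maintain Business Roles offers to add).
CATALOG_DEPENDENCIES: Dict[str, List[str]] = {
    "EXAMPLE_BC_SALES_ORDER_MANAGE": ["EXAMPLE_BC_SALES_ORDER_DISPLAY",
                                      "EXAMPLE_BC_BUSINESS_PARTNER_DISPLAY"],
    "EXAMPLE_BC_SALES_ORDER_DISPLAY": ["EXAMPLE_BC_PRODUCT_DISPLAY"],
    "EXAMPLE_BC_BILLING_LEGACY": [],
}

# Constructed sample: the status column of the "Business Catalogs" app.
CATALOG_STATUS: Dict[str, str] = {
    "EXAMPLE_BC_SALES_ORDER_MANAGE": "Released",
    "EXAMPLE_BC_SALES_ORDER_DISPLAY": "Released",
    "EXAMPLE_BC_BUSINESS_PARTNER_DISPLAY": "Released",
    "EXAMPLE_BC_PRODUCT_DISPLAY": "Released",
    "EXAMPLE_BC_BILLING_LEGACY": "Deprecated",
    "EXAMPLE_BC_BILLING_NEW": "Released",
}


def missing_dependencies(role_catalogs: Iterable[str],
                         dependencies: Dict[str, List[str]]) -> List[str]:
    """Return catalogs the role needs (transitively) but does not contain."""
    have: Set[str] = set(role_catalogs)
    missing: Set[str] = set()
    stack = list(have)
    while stack:
        cat = stack.pop()
        for dep in dependencies.get(cat, []):
            if dep not in have and dep not in missing:
                missing.add(dep)
                stack.append(dep)  # a dependent catalog may itself have dependencies
    return sorted(missing)


def check_role(role_catalogs: Iterable[str],
               template_catalogs: Iterable[str],
               dependencies: Dict[str, List[str]] = CATALOG_DEPENDENCIES,
               status: Dict[str, str] = CATALOG_STATUS) -> Dict[str, List[str]]:
    """Run all checks; every finding is a sorted list of catalog IDs."""
    role = set(role_catalogs)
    template = set(template_catalogs)
    return {
        # added without their dependent catalogs -> users hit missing authorizations
        "missing_dependencies": missing_dependencies(role, dependencies),
        # still in the role although a release deprecated them
        "deprecated": sorted(c for c in role if status.get(c) == "Deprecated"),
        # not in the catalog list at all: typo, or removed by a release
        "unknown": sorted(c for c in role if c not in status),
        # template drift after a release: what the template now has that the role lacks
        "template_added": sorted(template - role),
        # and what the role still carries that the template no longer contains
        "template_removed": sorted(role - template),
    }


# Constructed sample role: copied from a template, then edited by hand.
ROLE = ["EXAMPLE_BC_SALES_ORDER_MANAGE", "EXAMPLE_BC_BILLING_LEGACY"]
TEMPLATE = ["EXAMPLE_BC_SALES_ORDER_MANAGE", "EXAMPLE_BC_SALES_ORDER_DISPLAY",
            "EXAMPLE_BC_BUSINESS_PARTNER_DISPLAY", "EXAMPLE_BC_PRODUCT_DISPLAY",
            "EXAMPLE_BC_BILLING_NEW"]

if __name__ == "__main__":
    for finding, catalogs in check_role(ROLE, TEMPLATE).items():
        print(f"{finding}: {catalogs}")
```

The dependency walk is transitive on purpose: in the sample, the role contains only the "manage" catalog, and the script reports not just its two direct dependencies but also the catalog that one of those dependencies needs in turn, which is exactly the case the pop-up in the app does not surface once the first pop-up has been dismissed.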
Onboard Users in S/4HC Starter System
Users in S/4HC are first created as a "Worker" and then maintained as "Business Users" by assigning the appropriate business roles.
Figure 1 Onboard Users in S4HC Public Cloud
Authentication/Login - The S/4HC Starter system is connected to the test tenant of Cloud Identity Services, which authenticates its users. Hence business users must also exist, and be activated, in the Test IAS tenant with the same e-mail ID.
Direct password login to the S/4HC system is not available.
Procedure
- Create the worker using the "Manage Workforce" Fiori app
Users in the S/4HC system are closely linked to "workers" (employees and contingent workers), including their work agreements and changes of employment situation.
Figure 2 Onboard Users in S4HC Public Cloud
- Click "Maintain Business User", or alternatively open the "Maintain Business Users" Fiori app, click Add and select the appropriate business roles.
Once the worker is created, we set the user up as a "Business User" and assign business roles to grant access to the Fiori apps.
Figure 3 Onboard Users in S4HC Public Cloud
Figure 4 Onboard Users in S4HC Public Cloud
- Create the user in the Test IAS tenant, with the same e-mail address as the business user.
Figure 5 Onboard Users in S4HC Public Cloud
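The authentication requirement above (the business user must exist and be active in the IAS tenant with the same e-mail address) is easy to break in practice, because workers are typically created by HR while IAS users are created by IT. As an added example, not from the original post, the following Python script reconciles the two lists and reports the cases that cause login failures (user missing or inactive in IAS), ambiguous matches (two business users sharing one e-mail), business users without any role, and IAS identities that have no S/4HC user at all. The records are constructed samples; in practice they would come from an export of the "Maintain Business Users" app and from the IAS user list, and the field names used here are assumptions.

```python
"""Reconcile S/4HANA Cloud business users against Cloud Identity Services users.

Added example. The records below are constructed samples and the field names
are assumptions, not the column names of any SAP export.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BusinessUser:          # one row of the "Maintain Business Users" app
    user_name: str
    email: str
    business_roles: Tuple[str, ...]


@dataclass(frozen=True)
class IasUser:               # one record of the IAS user list
    login_name: str
    email: str
    active: bool


def norm_email(email: str) -> str:
    # IAS matches the user on e-mail; compare case- and whitespace-insensitively
    # so "Jane.Doe@Example.com" and "jane.doe@example.com " count as one person.
    return email.strip().lower()


def reconcile(s4hc: List[BusinessUser], ias: List[IasUser]) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {
        "missing_in_ias": [],     # login fails: no identity to authenticate
        "inactive_in_ias": [],    # login fails: identity exists but is not activated
        "duplicate_email": [],    # ambiguous match: two business users share an e-mail
        "no_business_roles": [],  # can authenticate but has no app access
        "ias_only": [],           # identity without an S/4HC user: review or remove
    }
    ias_by_email: Dict[str, IasUser] = {norm_email(u.email): u for u in ias}

    s4hc_by_email: Dict[str, List[str]] = {}
    for bu in s4hc:
        s4hc_by_email.setdefault(norm_email(bu.email), []).append(bu.user_name)

    for email, names in sorted(s4hc_by_email.items()):
        if len(names) > 1:
            findings["duplicate_email"].extend(sorted(names))
        ias_user = ias_by_email.get(email)
        if ias_user is None:
            findings["missing_in_ias"].extend(sorted(names))
        elif not ias_user.active:
            findings["inactive_in_ias"].extend(sorted(names))

    findings["no_business_roles"] = sorted(bu.user_name for bu in s4hc
                                           if not bu.business_roles)
    findings["ias_only"] = sorted(u.login_name for e, u in ias_by_email.items()
                                  if e not in s4hc_by_email)
    return findings


# Constructed sample data; role names are placeholders.
S4HC_USERS = [
    BusinessUser("ASMITH", "a.smith@example.com", ("ZBR_SALES_CLERK",)),
    BusinessUser("BJONES", "B.Jones@Example.com", ("ZBR_AP_ACCOUNTANT",)),
    BusinessUser("CWU", "c.wu@example.com", ()),
    BusinessUser("DLEE", "d.lee@example.com", ("ZBR_MANAGER",)),
    BusinessUser("DLEE2", "D.Lee@example.com", ("ZBR_MANAGER",)),
    BusinessUser("EFOX", "e.fox@example.com", ("ZBR_SALES_CLERK",)),
]
IAS_USERS = [
    IasUser("asmith", "a.smith@example.com", True),
    IasUser("bjones", "b.jones@example.com", False),
    IasUser("cwu", "c.wu@example.com", True),
    IasUser("dlee", "d.lee@example.com", True),
    IasUser("old.admin", "old.admin@example.com", True),
]

if __name__ == "__main__":
    for finding, users in reconcile(S4HC_USERS, IAS_USERS).items():
        print(f"{finding}: {users}")
```

The "duplicate_email" and "ias_only" findings are the security-relevant ones: a shared e-mail means the identity provider cannot tell which business user (and which set of business roles) a login should map to, and an IAS identity with no corresponding business user is a dormant account that should be reviewed before the production tenant goes live.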
Explore Phase
During the Explore phase, the IAM/Security consultant provides system demonstrations/workshops. These cover the design of roles/authorizations so that they align as closely as possible with Fit-to-Standard.
Realize Phase
The Realize phase marks the start of role creation and other developments in the Development tenant (3-system landscape) or the Test/Quality tenant (2-system landscape).
Roles created in the Development tenant are transported to Test/Quality and Production using the "Export Software Collection" Fiori app and imported in the target tenant.
Keynote - The S/4HC public edition Starter System is a temporary system provisioned for the Fit-to-Standard workshops and for hands-on exploration of how the system operates. The Starter system is de-provisioned 30 days after the Production S/4HC system is delivered. Hence business roles and other configuration created there must be redone in the Development tenant.
Deploy Phase
Business roles created in the Development tenant (3-system landscape) or the Test/Quality tenant (2-system landscape) are transported/imported into the Production S/4HC tenant, and the users are created there.
As the Production S/4HC tenant is connected to the production IAS tenant, all users must also be created in that IAS tenant for successful authentication/login.
Conclusion
User and role administration in S/4HC public edition is much simpler than in traditional on-premise systems or S/4HANA Cloud private edition, and provides a user-friendly interface for security administrators to manage all activities through Fiori apps.
The idea behind consuming and adopting S/4HC public edition is to stay "Fit to Standard" as much as possible.
Limitation
As the whole essence of S/4HC public edition is Fit to Standard, extensive customization is not possible: for example, custom business catalogs cannot be created, and it is not possible to segregate the different actions/activities within the "Write" umbrella (such as create/edit/post/delete).
List of Important Links
SAP Roadmap Viewer - IAM
SAP S/4HANA Cloud, Public Edition 2302 – Localization, Identity and Access Management (IAM), and Sec...
RISE with SAP: Comparing the Security of SAP S/4HANA Cloud, private edition Vs SAP S/4HANA Cloud, pu...
Feedback, questions and comments are most welcome!
Please follow my profile for future posts on SAP Security and GRC. You can also follow me on LinkedIn.
Happy learning!
Karanbir Singh.