Many users of SAP S/4HANA Cloud, public edition are confused by user management, because it differs from the traditional on-premises approach and has a twist in the cloud environment. There are many topics on the SAP Help Portal related to this subject, but there are just too many and it is easy to get lost after reading several of them: each topic points to another one and readers feel like they are walking in a maze. To help you understand this very important topic, I am going to explain it in an easy-to-understand way, and in one place!
My discussion is divided into two sections: User Management in Theory, and User Management in Action.
In this section, I discuss the technical concept behind user management. It is the foundation for the next section, where I perform user management in the systems.
In the on-premises world, especially the client-server architecture (like SAP R/3 and SAP S/4HANA), we have two important factors for user management (Figure 1):
Figure 1: User Management in the On-premises World
These two factors work in tandem: the system authenticates a user by checking that the user exists and validating his/her password. Whether the user can perform any actions in the system is determined by the user profile, such as a financial expert or a warehouse manager. Being in the system does not grant access to a different area: for example, a warehouse manager does not automatically get access to financial accounting data, unless that person is assigned both roles.
As the number of systems increased, Single Sign-On (SSO) technology emerged. Instead of logging on to multiple systems multiple times, you only need to log on once, which eases the management of multiple credentials. An authentication token is issued for the system you need to log on to by a centralized corporate identity provider, which checks the user against a user repository such as a Microsoft Lightweight Directory Access Protocol (LDAP) directory.
Figure 2 shows an example of using SSO in a company with SAP BW and SAP R/3 applications. When a user logs on to SAP BW for the first time, the user is authenticated by the SSO server using the user's name and password. After the user is authenticated, an authentication token is issued. Later, when the user tries to log on to SAP R/3, there is no need to provide the username and password: the SSO server uses the same token to authenticate the user to the SAP R/3 system. This saves the user the effort of re-typing the username and password a second time.
Figure 2: User Management in the On-premises World with Single Sign-On
Keep in mind that SSO only saves the user's effort for authentication, not for authorization. Each business system still performs its own user authorization checks. Luckily, authorization is carried out by the system in the background, so users don't need to do anything.
In a broad sense, user management is part of Identity Management, which involves more technologies and buzzwords. To make our discussion easy to understand, I narrowly focus on the Test Environment of SAP S/4HANA Cloud, public edition (3-system landscape, i.e., with developer extensibility) (Figure 3), without involving the Business Technology Platform (BTP) or full-blown SAP Cloud Identity Services.
The Test Environment is composed of these components:
Similar to SAP Identity Management, SAP Access Control and SAP Single Sign-On in the on-premises world, SAP Cloud Identity Services serve the SAP public cloud applications.
Why is it called the Test Environment? Because all the systems above are bundled together and authenticated by one IAS tenant for the Test tenant. In fact, to be complete, the Starter System could be added to Figure 3 as well, but I left it out to simplify our discussion. If you are interested, you can read my blog From A to Z: Setup a Starter System of the SAP S/4HANA Cloud, public edition.
Figure 3: User Management in the Test Environment of the SAP S/4HANA Cloud, public edition
Note: If the customer does not use the IAS for user authentication, they can use their existing corporate IdP for that purpose and use SAP's IAS as a proxy system. In this blog, I don't go further in this direction.
In contrast to the Test Environment, the Production Environment is much simpler: its IAS tenant authenticates the Production Tenant as well as a Cloud Application Lifecycle Management (CALM) Tenant. Since there is no CBC tenant in this environment, there is no IPS either.
Figure 4: User Management in the Production Environment of the SAP S/4HANA Cloud, public edition
The commercial contract for subscribing to SAP S/4HANA Cloud, public edition includes the name and email address of an IT Contact person. When a system is provisioned, all system-related emails are sent to this IT Contact, not to the people who sign the contract or pay the bill! If the IT Contact person changes, for example because that person takes a new job role within the company or a new IT Contact is named, the customer should contact SAP immediately to name the new IT Contact by creating a ticket in the component XX-S4C-OPR-SRV.
During the first phase of an implementation project, a CBC tenant is provisioned first. At that time, the IT Contact receives an email similar to the one in Figure 5 to activate the IAS (part of SAP Cloud Identity Services) as the Initial Admin User.
Figure 5: Email to IT Contact when the Initial Admin User Is Created on the IAS Tenant
This Initial Admin User is the first user in many systems for this customer. For example, the IT Contact can log on to Dev-100 with his/her email address and the same password set up in the IAS tenant. In the Dev-100 tenant, this IT Contact's user ID is CB000000000, representing the very first user in the system. The IT Contact can use this user account to create more users in the system.
Figure 6: Initial Admin User in All Relevant Systems
Figure 6 illustrates the Initial Admin Users in all relevant systems. They are listed as follows:
In addition to the Initial Admin User, there is another type of user called the S-User. S-User stands for SAP User, or Super User. It is not new to SAP S/4HANA Cloud, public edition and has been used by SAP customers for many years. A Super User can create other S-users for his/her colleagues.
An S-user takes the format S00xxxxxxxx (eight digits after S00). It is used in SAP support systems, like SAP4Me or the SAP Support Portal. This S-user is not authenticated by the customer's IAS tenant, but by an IdP within SAP.
If a customer is not new to SAP, there may already be some S-users in the company. Please check the authorizations of these S-users to make sure they have the right access to the cloud systems.
SAP Cloud Identity Services have three key components: Identity Authentication Service (IAS), Identity Provisioning Service (IPS) and Identity Directory (Figure 7). The Identity Directory is coupled with the IAS. Therefore, from a system administration point of view, you only work with the IAS and IPS directly.
Figure 7: Roles IAS and IPS play in the User Management
As an IT Contact, you use the same credentials to access the IAS and IPS tenants, jointly called SAP Cloud Identity Services.
The IAS plays the following roles:
Let me explain what “Assign CBC user roles to CBC users” means: unlike the Dev and Test tenants, the CBC tenant does not have the capability to assign user roles. This functionality is delegated to the IAS tenant. After users are created in the Dev-100 tenant, if these users need access to CBC, the IAS assigns 1 of the 5 CBC roles to them, so that they can perform their tasks after accessing the CBC tenant.
When a business user is created in Dev and Test tenants, the following information is mandatory:
The username is the most critical here. It is exported to the IAS and stored as the Login Name for authentication purposes. In other words, the Username in Dev-100 and the Login Name in the IAS link one unique business user together.
In contrast, the same business user in Dev-100 and Dev-080 (sharing the same Login Name) can have different User IDs, for example CB998000050 in the Dev-080 tenant and CB998000002 in the Dev-100 tenant.
Most of the time, we use the email address to log on. That is a setting in the IAS tenant; it can also be changed so that the Login Name is used to log on to a system.
Both the User ID and the Business Roles stay within the Dev-100 tenant; they are never exported to the IAS tenant.
The IPS plays the following roles:
Through the user provisioning performed by the IPS tenant, the CBC tenant holds the following information about a user:
Under the user icon of the CBC tenant, the Login Name (georgey) is used to identify the user.
Figure 8: User Logon Name is Used as the Identifier in CBC Tenant
In contrast, when logging on to Dev-100, the user's full name is shown as the identifier (Figure 9).
Figure 9: User Full Name is Used as the Identifier in Dev-100 Tenant
Having explained all the building blocks of user management, it is now time to see how user login is executed. Keep in mind that the same web browser (possibly with different tabs) must stay open. The Authentication Token plays a role very similar to Single Sign-On as discussed previously. If the web browser is closed, the token is lost. If the session has been open too long, the token expires.
Example 1: Login to the Dev-100 Tenant
Example 2: Login to the CBC Tenant right after Example 1, without closing the Web Browser
Example 3: Login to the Test Tenant right after Example 1 or 2, without closing the Web Browser
Example 4: Login to the Production Tenant right after Example 1 or 2 or 3, without closing the Web Browser
With all the background information about user management in SAP S/4HANA Cloud, public edition in place, I am going to go through the entire user creation process in eight steps (Figure 10) across the Dev-100, IAS, IPS and CBC tenants.
Figure 10: User Creation Steps
Step No. | Description | Tenant |
---|---|---|
1 | Prepare new user template | Dev-100 |
2 | Import workers and create business users | Dev-100 |
3 | Assign user roles to business users | Dev-100 |
4 | Download business users | Dev-100 |
5 | Import users | IAS |
6 | Check user status (optional) | IAS |
7 | Assign CBC user groups to CBC users | IAS |
8 | Read CBC users from IAS tenant and provision them to CBC Tenant | IPS |

Table 1: User Creation Steps
Note: Steps 1-4 are the same for user creation in the Dev-080 and Test-100 tenants. However, if we create exactly the same group of users in the Dev-080, Dev-100 and Test-100 tenants, do we need to run Steps 5-8 three times on the IAS and IPS tenants? It is a good question to think about.
Within SAP S/4HANA Cloud, public edition, we have two concepts: workers and business users. Workers are also called employees. They can be either permanent or temporary employees, distinguished by Worker Type (BUP003 for permanent, BBP005 for temporary). A business user must first be an employee of the company; only then does he/she get a user account in the system.
When creating a business user, we need to create a worker first. For that purpose, we use the Manage Workforce app to either enter a single worker's information or import a group of workers. To demonstrate the workflow of creating a group of users, I take the import approach (even with only one user).
After downloading the worker template, I fill it with the user information (using my own information, but to distinguish it from an existing user, changing my last name to Yu02) (Figure 11). For simplicity, I don’t include the Work Agreement. Otherwise, two template files would be used: Templ_WorkerBasic_Comma.csv and Templ_WorkAgreement_Comma.csv.
Figure 11: Worker Data File Template
Since Figure 11 is wide and hard to read, I list the fields and values here.
The template is saved as a comma delimited CSV file.
In the Manage Workforce app, click on Import -> Worker; the Import Worker Data window pops up (Figure 12).
Figure 12: Import Worker Data window
The field Import Name is mandatory. You can treat it as a batch name that distinguishes different worker import batches, such as a date or a group name.
After importing, you can search the Application Log to find out its status. In my example, it is a success, with one new employee GEORGEY02 created (Figure 13).
Figure 13: Import Worker Log
There are two ways to assign business roles to users: using the Maintain Business Roles app to assign a group of users to the same business role, or using the Maintain Business Users app to assign multiple business roles to individual users. Since they are quite straightforward, I won’t discuss them further.
In Figure 7 we illustrated the step of exporting business users so they can be imported into the IAS tenant. To do that, we use the Maintain Business Users app and click on Download -> Download for IDP (Figure 14). You can use the filter to select a single user (user georgey02, for example) or list all users without applying any filter values. In Figure 14, I entered George for First Name, and the system returned two entries.
Figure 14: Download Business Users for IDP
The outcome of this download action is a file called data.csv. If you only have one user selected, the downloaded file contains one record; otherwise, it contains multiple records.
Figure 15 shows the content of the file data.csv with two business user records. There are only five data fields, the most critical information about a user for authentication purposes: status, login name, email address, first name and last name. The Business Roles and User ID created in the Dev-100 tenant are not part of it, since they are irrelevant during the authentication process.
Figure 15: Downloaded Business Users for IAS
Now let’s launch the IAS tenant.
This step is executed on the IAS tenant of the Test environment. Follow the path Users & Authorizations -> Import Users.
Figure 16: The IAS Tenant User Interface
As discussed before, users are created in the Dev-100 tenant and then imported into the IAS tenant. Therefore, in the Bundled Applications list on the left, we need to select “SAP S/4HANA Cloud – Customizing Tenant” and not any other entry, because the data we are going to import was downloaded from the Customizing Tenant.
Figure 17: Import Users in the IAS Tenant
If the user list is exported from the Test Tenant, then we need to select “SAP S/4HANA Cloud – Test Tenant”. That way the user list is consistent between the Test Tenant and the IAS tenant.
Before the final import, the system asks you to confirm the user creation. For example, we created one user in Dev-100 and exported a total of two users to the data.csv file. The confirmation message reads:
1 user will be created, 1 user will be updated because they already exist. Do you want to continue?
This matches our scenario: 1 user (georgey02) is new and will be created; 1 user (georgey) already exists in the IAS tenant and only needs to be updated if there are any changes. Now hit the Import button to import the users.
After importing the users, you need to hit the Send button to send activation emails to all users that are not yet active (Figure 18). This explains why some users receive this activation email multiple times: if they don't activate their user account, they receive a reminder each time this Send button is hit.
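A pre-import check for the data.csv from Step 4, as an added example (not SAP's code): it reproduces the create/update count the IAS confirmation shows, and flags a blank login name, which the page later shows to break the Subject Name Identifier handed to CBC. The column labels, the sample records and the set of login names already in the IAS tenant are constructed assumptions; the page names the five fields but not the exact header spelling.

```python
"""Pre-import check for a 'Download for IDP' data.csv (added example, not SAP's code).

Assumptions (constructed for this example):
- data.csv has the five columns: status, loginName, email, firstName, lastName
- the login names already present in the IAS tenant are known (EXISTING_IAS_LOGINS)
"""
import csv
import io
import re

# Constructed sample in the shape the page describes: two records, one already in IAS.
SAMPLE_DATA_CSV = """status,loginName,email,firstName,lastName
active,georgey,george.yu@example.com,George,Yu
active,georgey02,george.yu02@example.com,George,Yu02
"""

# Constructed: login names the IAS tenant already knows (case-insensitive).
EXISTING_IAS_LOGINS = {"georgey", "p000000"}

EXPECTED_COLUMNS = {"status", "loginName", "email", "firstName", "lastName"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_idp_export(text):
    """Return the records of a 'Download for IDP' file as a list of dicts."""
    reader = csv.DictReader(io.StringIO(text))
    if set(reader.fieldnames or []) != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def validate_records(records):
    """Collect problems that would otherwise surface only at logon or in Step 8."""
    problems, seen = [], set()
    for line_no, r in enumerate(records, start=2):  # line 1 is the header
        login = r["loginName"].lower()
        if not login:
            # A blank Login Name is exactly the Error 3 situation described on the page.
            problems.append(f"line {line_no}: blank loginName")
        elif login in seen:
            problems.append(f"line {line_no}: duplicate loginName {r['loginName']}")
        seen.add(login)
        if not EMAIL_RE.match(r["email"]):
            problems.append(f"line {line_no}: invalid email {r['email']!r}")
    return problems


def plan_import(records, existing_logins):
    """Split records into create/update the way the IAS confirmation counts them."""
    existing = {name.lower() for name in existing_logins}
    created = [r["loginName"] for r in records if r["loginName"].lower() not in existing]
    updated = [r["loginName"] for r in records if r["loginName"].lower() in existing]
    return created, updated


def summarize(text, existing_logins):
    """Parse, validate and plan in one call; returns a dict for callers to inspect."""
    records = parse_idp_export(text)
    created, updated = plan_import(records, existing_logins)
    return {"problems": validate_records(records), "create": created, "update": updated}


if __name__ == "__main__":
    result = summarize(SAMPLE_DATA_CSV, EXISTING_IAS_LOGINS)
    print(f"{len(result['create'])} user(s) will be created, "
          f"{len(result['update'])} user(s) will be updated")
    for problem in result["problems"]:
        print("problem:", problem)
```

Run against a real export, an empty problems list and counts that match the IAS confirmation prompt mean the file is safe to import; any reported line should be fixed in Dev-100 and re-downloaded rather than patched by hand in the IAS tenant.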
Figure 18: Send User Activation Emails out in the IAS Tenant
After the business users are imported and the activation emails are sent, but before you activate these new users for access to the CBC Tenant, you should review the users by following the path in the IAS tenant: Users and Authorizations -> User Management. Select the user and open its editing interface (Figure 19).
In the User Details -> Personal Information section, pay special attention to the Status and E-mail Verified entries. When a new user is created, the user usually receives an email to activate his/her account. This step involves two key changes to the personal information:
If you want to deactivate a user, just change the Status from Active to Inactive.
Figure 19: User Management Interface in the IAS Tenant
Note: If the user status is still New, you cannot make that user a CBC user. In other words, this status change is a prerequisite for Step 8.
This step is executed by following the path Users and Authorizations -> User Groups. There are five CBC-related groups to choose from:
Depending on the user’s intended business roles in the CBC tenant, you assign one or more groups to the user. From Figure 20 we can see the following:
Figure 20: Add a User to CBC Group in the IAS Tenant
After completion of this step, the newly created user has been assigned a proper CBC user group.
Now let’s launch the IPS tenant.
Note: In Step 6, we discussed the user status. Before doing this step, the user must have activated his/her account on the IAS. Otherwise, this step ignores users with status New or Inactive.
To execute this step, we need to click on the Source Systems app (Figure 21).
Note: by clicking on the 3-horizontal-bar icon next to the SAP logo, you can hide and unhide the menu bar on the left.
Figure 21: IPS Tenant User Interface
This step copies the CBC user info from the IAS tenant, so we need to select “IAS for cbc-ap-rel-vlab-aws-027 – source” as the source system. Then select the Jobs tab. Finally, click on the Run Now button in the row of the Read Job (Figure 22).
Figure 22: Run CBC User Copying Job
After running the CBC user copying job, we should check the job log (the second menu item from the bottom of the menu bar) and pay attention to four lines (Figure 23):
Figure 23: Job Log for the CBC User Copying Job
After this step, the end user should be able to log on to the CBC Tenant to carry out business configuration tasks.
Note: During the implementation project, the CBC tenant is provisioned first, and then the Customizing tenant. In this case, you can create CBC users in the IAS tenant first (manually one by one or by importing a user list). Just keep in mind that the Logon Name you create in the IAS tenant must be consistent with the User Name to be created later in the Customizing Tenant.
Error 1: Unauthorized
Symptom: When you log on to a CBC tenant for the first time, you get an "Unauthorized" error.
Cause: The CBC Tenant does not have the user information; it was not pushed over from the IAS tenant. This happens a lot when you create a group of users. Some users activate their accounts right away; if you run Step 8 above after their activation, these users have no problem logging on to CBC. However, some users only activate their accounts days(!) later, the administrator is not aware of it and doesn't run Step 8 again afterwards. These users see this error.
This usually happens to some users but not all, because it requires one more step in the user setup procedure.
Solution: Rerun Step 8 above.
Error 2: Unauthorized
Symptom: When you log on to a CBC tenant for the first time, you get an "Unauthorized" error.
Cause: As I explained before, when you create a new user in the Dev tenants and export it to the IAS, the User Name in the Dev tenants becomes the Login Name in the IAS tenant. This Login Name is used as the so-called Subject Name Identifier (SNI), which means that the CBC uses this SNI to identify the user. If the SNI is configured to use a different basic attribute, such as an email address or a User ID, the Login Name passed over from the IAS tenant becomes useless.
This usually happens to all users, because it is a system setting.
Solution: Follow the steps listed in SAP Note 3103503 to fix the error, and rerun Step 8 above.
Error 3: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile, status message is User attribute configured for name-id format unspecified is not supported.
Symptom: After authentication is passed at the IAS Tenant, this message pops up.
Cause: This only happened to me as the Initial Admin User. When the systems were provisioned, my user account was already created in the IAS (P000000) and the Dev tenants (CB000000000), so I usually don't need to create a new user account for myself. As I explained before, when you create a new user in the Dev tenants and export it to the IAS, the User Name in the Dev tenants becomes the Login Name in the IAS tenant, and that Login Name is passed on to the CBC Tenant when running Step 8 above. In my case, the Login Name was blank in my user details. This caused the error message above.
Solution: Fill in the blank Login Name in the IAS tenant with the User Name from Dev-100, and rerun Step 8 above.
I explained the background of how users are managed in SAP S/4HANA Cloud, public edition (3-system landscape), and reinforced the concept with eight steps of user creation across four tenants: Dev-100, IAS, IPS and CBC. Now you should be able to do user management with a deep understanding of the mechanisms behind it. Enjoy!