This post is a follow up content for the previous blog post from my colleague
sonia.petrescu and me (
soumyaprakashmishra ) for SAP IAG integration with different SAP Ariba modules.
I recommend going through these two blogs first, if you are new to the area. This will give you understanding of
- how SAP IAG integrates to SAP Ariba modules and
- how you can extend/enhance the integration by using Integration Suite on SAP Business Technology Platform (previously referred to as SAP CPI on SAP Cloud Platform)
[Update: December 2023:
- The version 1 of Ariba Connection from IAG has been deprecated now [link] and the version 2 [link] is released. The version 2 of this integration uses a IPS proxy from IAG to connect to Ariba which in turn uses a SCIM API to do user provisioning.
- The current SCIM API has limitations of provisioning business attributes along with user attributes, which is currently in the SAP Roadmap to be delivered in 2024. I will still keep these two blogs here in case you want to familiarize yourself with the extensibility concepts and SAP Ariba multi ERP Architecture.
- I will Post another blog in 2024 once the limitations are resolved]
Now, we will extend the topic to one step further. There is a large set of SAP Ariba customers who utilize
SAP Ariba Buying (& Invoicing) in a MultiERP architecture - also referred to as FPC Realms in legacy terminologies.
We will discuss in this post:
- Summary of SAP IAG and SAP Ariba integration (current state).
- What are the challenges with SAP IAG and SAP Ariba integration when it comes to SAP Ariba MultiERP architecture (FPC Realms)
- How to resolve this situation using Integration enhancements.
[The products are evolving every month around this area, I will keep this blog updated when additional product/feature updates comes in this area, and as always you can use the concept mentioned in my blogs to further enhance your deployment scenarios.]
Note: In this post, "Realm" and "Site" might be used interchangeably. Please refer to them as the same entity.
What does MultiERP Architecture mean for SAP Ariba Buying/ SAP Ariba Buying and Invoicing :
With MultiERP Architecture, customers/organizations get the ability integrate multiple SAP Ariba procurement sites in a way that enterprise wide data can be shared through out the organization, where as the ERP specific data remains separate. In this case One Ariba Buying (&Invoicing) site acts as
Parent site/realm and One or more other Ariba Buying (&Invoicing) site act as
Child site/realm. You are refer to SAP Help documentation about SAP Ariba MultiERP setup if you are interested to know more detail about this.
This picture above depicts how a Parent/Child site setup looks like in a MultiERP Architecture for SAP Ariba.
As of today many customer utilize multiERP architecture even with a single Child site; for future extension/growth purposes. In such situation, customers get one Parent site and one Child site. Which are connected to each other for sharing required data across them.
Standard Integration between SAP IAG and SAP Ariba
SAP Cloud Identity Access Governance (SAP IAG) is a cloud-based solution for creating self-service requests to applications for on-premise and cloud source applications and systems. By connecting to the solution, it enables SAP Ariba users to initiate access requests, which are then provisioned to target applications.
As of today, SAP IAG can do user provisioning for SAP Ariba
Buying and Invoicing,
Catalogs,
Sourcing,
Contracts,
Supplier Management modules.
SAP Help Document for SAP IAG and Ariba Integration
Also, please refer to the previous blog posts mentioned at the top of this post to know more detail about it.
User Integration(Standard) Details with SAP Ariba Buying (and Invoicing)
In case of Ariba Buying User Provisioning, IAG’s user provision mechanism creates three set of data in SAP Ariba.
- Common User Data (general user information)
- Partition User Data (additional information needed for an user to operate in Ariba Buying)
- User to Group Mapping (to provide authorization)
** In case of Suite Integrated environment (strategic sourcing and buying realms together), the user provisioning ALWAYS happens via SAP Ariba Buying
Standard Integration between SAP IAG and SAP Ariba Buying
User Integration situation with SAP Ariba Buying with MultiERP setup
In Case of a MultiERP setup, customers get One Parent Realm and one or more Child Realms.
In Such Scenario,
- SAP IAG Has to Provision Users to BOTH Parent and Child Realms based on where the user needs to work on as per their Role.
- SAP IAG Has to provision Users to multiple destinations
Problem Statement:
As of today, this kind of provisioning cannot create Partition Data in Parent Realm which results in – User cannot log into Parent realm (And also into Strategic Sourcing Realm if Suite Integrated)
[technical reference for Ariba Technical Consultants: refer to the concept of "Import Control", to get more context around this area]
SAP IAG Integration Issue with MultiERP Setup
Resolution for User Provisioning issue with SAP Ariba Buying MultiERP setup
The resolution for this situation is relatively simple. We just need to pass the additional required data in the format which SAP Ariba expects in order to create both Common and Partition User data in the Parent realm. By doing so, the user can then be able to log into the environment as per expectation.
So what we need to do is following:
- Intervene the interfacing between SAP IAG and SAP Ariba Buying Realms using a middleware
- Add, Format and Translate the required data before sending to SAP Ariba Buying Parent realm.
Resolution using Integration Suite on SAP BTP
We recommend using Integration Suite on SAP Business Technology Platform to do it. But customer may choose other middlewares if they have to. We do not recommend to use an on-premise middleware though, as both Source and Target applications are on cloud.
Conclusion:
This post should help you understand the user provisioning concept with respect to SAP IAG and SAP Ariba MultiERP (FPC)setup. And this should also help you understand the current gap with this kind of provisioning and how to resolve this situation.
Not only that, this should also help you extend the standard integration flow to fit to your customer/organization's unique requirements which may not be covered by standard data flow.
This resolution mentioned above (via Integration Suite on SAP BTP) is already built by our consulting solution provisioning as conceptual templates and you can reach out to your SAP Ariba representative to get more detail around it. Please note: This is not a product offering.