In my previous article (link) I explained how the Fiori apps defined in an S/4HANA on-premise system via roles, catalogs and groups can be accessed in an SAP Build Work Zone site using content federation.
In this article I explain how these federated roles from S/4HANA are assigned automatically to users in BTP via the SAP Identity Provisioning service, without any manual intervention.
To achieve this scenario, we need the following prerequisites:
Below are the configuration steps for automatic federated role assignment in BTP via the SAP Identity Provisioning service.
2. Create the source system (S/4HANA).
Access Identity Provisioning and add SAP Application Server ABAP as a source system. From the Destination Name dropdown, choose the RFC destination created in Step 1.
The job reads the users from the source S/4HANA system based on the federated role assigned to them.
Add the federated role to the user filter of the source system.
3. Create the target system (SAP IAS).
Add Identity Authentication as a target system and keep the source system the same as the one created in Step 2. Set up the communication between Identity Provisioning and Identity Authentication and configure the authentication method. I have used basic authentication.
For basic authentication, provide a password. The user ID is generated automatically when the password is set for the first time.
a. Add a system as administrator and provide the respective credentials. Make sure the Manage Users and Manage Groups authorization roles are enabled for the technical user; this is what allows the job to create, edit and delete users and groups in the Identity Authentication user store.
Set the mandatory property below, together with any other properties your scenario requires.

Property | Value
---|---
ias.user.unique.attribute | Defines by which unique attribute(s) an existing user is resolved when conflicting users are found. Its value is set to `emails[0].value`, since email is the attribute common to both systems.
User | For basic authentication, enter the Client ID of the Identity Authentication technical user created in Step 3(a). For example: 1ab7c243-5de5-4530-8g14-1234h26373ab
Password | Enter the Client Secret of the Identity Authentication technical user. It is generated automatically for an administrator of type System when choosing Secrets.
Note: In our case the login names in S/4HANA and SAP IAS differ, but the same email address is maintained in both applications. SAP IAS already has user master records based on SuccessFactors.
In this situation, IPS jobs using the patch operation ensure that no information on the existing IAS user is changed; they only write the S/4HANA login name into the display name of the user in SAP IAS.
Add the below transformation to perform the patch operation based on email ID: because the user name in IAS differs from the one in S/4HANA, the email ID is used to match the user, and the S/4HANA login name is written to the display name field in IAS.
4. Create IAS groups with the same names as the S/4HANA roles.
Create user groups in SAP IAS with the same names as the S/4HANA roles, since the transformation scripts map users to groups by exactly that name.
5. Map role collections.
Once the S/4HANA Fiori roles are federated to BTP, they are visible as BTP role collections. Map these federated role collections to the IAS groups created in Step 4 in the trust configuration of the subaccount where IAS is configured.
6. Run the IPS synchronization job.
Run the Read job for the source S/4HANA system created in Step 2. This job can be scheduled at a regular interval to read the users from S/4HANA and write them to SAP IAS.
The job logs show the users and groups created, updated or deleted according to the source and target transformation scripts.
7. SAP IAS group assignment.
In SAP IAS, the user is assigned the IAS group automatically once the IPS synchronization job finishes. Users receive the groups corresponding to the roles assigned to them in S/4HANA.
a. Role assigned in S/4HANA.
b. The same groups are assigned to the user in SAP IAS automatically, based on the role assigned to the user in S/4HANA in Step 7(a).
8. Log in with the same user's email in the SAP BTP Work Zone site.
The user can log in to the Work Zone site and access the applications federated via the S/4HANA roles.
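To make the matching and patching behaviour of Steps 3 to 7 concrete, here is an added Python simulation of what one read job does; it is not SAP's IPS code or the author's transformation file. Users are resolved by `emails[0].value`, only `displayName` receives the S/4HANA login name, and membership is added to the pre-created IAS groups named after the roles; the user records, group names and email addresses are constructed sample data, and the PatchOp documents follow the SCIM format (RFC 7644).

```python
import copy

# Constructed sample data: existing IAS user store (e.g. originally sourced from SuccessFactors)
IAS_USERS = {
    "u-1001": {"id": "u-1001", "userName": "jane.doe@example.com", "displayName": "Jane Doe",
               "emails": [{"value": "jane.doe@example.com"}],
               "name": {"givenName": "Jane", "familyName": "Doe"}},
}
# Constructed IAS groups pre-created with the same names as the S/4HANA roles (Step 4)
IAS_GROUPS = {"Z_FIORI_PURCHASER": {"members": []}, "Z_FIORI_APPROVER": {"members": []}}
# Constructed S/4HANA read result: login name, email address and federated roles
S4_USERS = [
    {"userName": "JDOE", "email": "jane.doe@example.com",
     "roles": ["Z_FIORI_PURCHASER", "Z_FIORI_APPROVER", "Z_NO_GROUP_YET"]},
    {"userName": "MAX", "email": "max.mustermann@example.com", "roles": ["Z_FIORI_PURCHASER"]},
]
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def resolve_by_email(ias_users, email):
    """ias.user.unique.attribute = emails[0].value: match on the first email only."""
    for user in ias_users.values():
        if user["emails"] and user["emails"][0]["value"].lower() == email.lower():
            return user
    return None

def user_patch(s4_user):
    """SCIM PatchOp that touches only displayName, so every other IAS attribute survives."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "displayName", "value": s4_user["userName"]}]}

def group_patches(ias_groups, user_id, roles):
    """One Group PatchOp per role whose same-named IAS group exists; roles without a group are reported."""
    patches, missing = {}, []
    for role in roles:
        if role not in ias_groups:
            missing.append(role)
            continue
        patches[role] = {"schemas": [PATCH_SCHEMA],
                         "Operations": [{"op": "add", "path": "members", "value": [{"value": user_id}]}]}
    return patches, missing

def provision(s4_users, ias_users, ias_groups):
    """Simulate one read job. Returns (users, groups, unmatched S/4 logins, roles with no IAS group)."""
    users, groups = copy.deepcopy(ias_users), copy.deepcopy(ias_groups)
    unmatched, missing_roles = [], set()
    for s4 in s4_users:
        ias = resolve_by_email(users, s4["email"])
        if ias is None:
            unmatched.append(s4["userName"])  # no existing IAS user to patch; creation is out of scope here
            continue
        ias["displayName"] = user_patch(s4)["Operations"][0]["value"]
        patches, missing = group_patches(groups, ias["id"], s4["roles"])
        missing_roles.update(missing)
        for role, patch in patches.items():
            groups[role]["members"].extend(patch["Operations"][0]["value"])
    return users, groups, unmatched, sorted(missing_roles)
```

The `missing_roles` result is the check worth running before the first job: a role with no same-named IAS group yields no group membership and therefore no role collection in BTP.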
Conclusion:
We can automate the role assignment of S/4HANA on-premise Fiori apps to BTP with the help of the Identity Provisioning service.
Depending on the scenario, the read/write transformation files can be adjusted for smooth provisioning.
I hope this blog post helps you with your IPS configuration for S/4HANA role assignment. We look forward to your comments and feedback.
Happy Learning and please follow for more content on SAP BTP security.