Technology Blogs by SAP
harjeetjudge
Product and Topic Expert
This blog will cover how we can provision users from SAP Cloud Identity Authentication Service (IAS) to SAP S/4HANA Cloud.  I will use SAP Cloud Identity Provisioning Service (IPS) to accomplish this.

If you are familiar with S/4HANA Cloud you will know that the user onboarding process involves:

  1. Creating employees and business users in the S/4HANA Cloud system.  This can be done by importing the employees from an HCM system such as SAP SuccessFactors or from a CSV file.

  2. Exporting the business users from the S/4HANA Cloud system and importing them into the SAP Cloud Identity Authentication Service (IAS) tenant that is pre-configured with the S/4 instance.


Here are a couple of links to help you get familiar with the user onboarding process in S/4HANA Cloud:

Now, you might be wondering why you would need to provision users from IAS into S/4HANA Cloud.  In step 2 of the onboarding process, aren't we doing the exact opposite?

One reason is to ensure that the S/4HANA Cloud user profile has the Global User ID populated with a value that matches the User UUID field from IAS.  The Global User ID field in the S/4HANA Cloud user profile stays empty unless we actually run a job that provisions users from IAS to S/4.  The User UUID field in IAS is used by applications such as SAP Task Center to uniquely identify a user record across different SAP applications.  I covered SAP Task Center integration with S/4HANA Cloud in another blog, where I also highlight the importance of the User UUID field.




The second reason is that you may also want to manage S/4 business role assignments based on a user's group membership in IAS.  This way the user can be added to or removed from group(s) in IAS, and that change is reflected in the S/4 system after the provisioning job is run.

NOTE: It's not possible to add new business roles to S/4HANA Cloud via the provisioning job.  The roles must already exist in the S/4 system.  It's also not possible to create new business users during the provisioning job unless the employee record already exists in the S/4 system.  For example, I can't just add a new user in my IAS tenant and expect it to be created in the S/4 system during the provisioning process.

To prove my point, I've created a "DEMO" user in my S/4HANA Cloud system.  Since it's a brand new user, the Global User ID field is empty.  I've also created a Business Role "BR_DEMO" in my S/4 system, but notice that the user is not assigned this business role.



The user onboarding process in S/4 requires that the user from S/4 is imported into the IAS tenant.  When my demo user is imported into IAS, it gets a User UUID.  I've also created a group in IAS called "BR_DEMO" and assigned the user to that group.  The screenshot below shows the user attributes in IAS and the user's group membership.


Now that we know why we need to do this, let's look at the mechanics of how to use SAP Cloud Identity Provisioning Service (IPS) to replicate the users from SAP Cloud Identity Authentication Service (IAS) to SAP S/4HANA Cloud.  The following steps are required to provision users:

  1. Create a Communication System in S/4HANA Cloud

  2. Setup IAS as a source system in IPS

  3. Setup SAP S/4HANA Cloud as a target system in IPS

  4. Run the source provisioning job


Create a Communication System in S/4HANA Cloud

  1. Log into your S/4HANA Cloud system and access Maintain Communication Users.

  2. Click New and create a new communication user.  Specify a User Name, Description, and Password.  Click Create.

  3. Access Communication Systems.

  4. Click New and specify a System ID and System Name and click Create.

  5. Specify a value for Host Name to match your IAS tenant hostname, for example xxxxxxx.accounts.ondemand.com

  6. Click + under Users for Inbound Communication.

  7. Select the Communication user created earlier and click OK.

  8. Save your Communication System.

  9. Access Communication Arrangements

  10. Click New and choose the value help icon to open up the list of available communication scenarios.

  11. Search for SAP_COM_0193 and select it from the list.  This communication scenario is relevant for Identity Provisioning integration.

  12. Specify a name for the arrangement and click Create.

  13. Use the value help icon and select the Communication System created earlier.  The User Name for inbound communication should automatically populate.  Save your configuration.


Setup IAS as a source system in IPS

  1. Access your IAS Administration Console.

  2. Under Administrators, click Add >> System.

  3. Specify a name for your user and ensure the following authorizations are enabled:

    • Manage Users

    • Manage Groups

    • Manage Tenant Configuration



  4. For Set Password section, click Not Configured.

  5. Specify a password for your user and click Save.  After saving, you will be redirected back to the previous screen.  Navigate back to the password screen and copy the User ID using the Copy icon.  We need this User ID and the password later when setting up IAS as a source system in IPS.

  6. Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.

  7. Click on Source Systems.

  8. Click Add.

  9. Specify the following and click Save:

    • Type: Identity Authentication

    • System Name: <name of your choice>



  10. Click Properties. You will see a list of pre-created properties.

  11. Click Add to add new properties.  Use the Standard option for non-sensitive properties and the Credential option for passwords and other secrets, so the value is stored as a secret and not shown in clear text.

  12. Add the additional properties below and click Save. Take a look at the help guide for the complete list of properties that are possible with Identity Authentication as a source system.

    • Type: HTTP

    • ProxyType: Internet

    • URL: <your IAS tenant URL>

    • Authentication: BasicAuthentication

    • User: <IAS system user>

    • Password: <IAS system user password>




The screenshot below shows the setup of my source system in IPS.  Notice that I've also added some additional properties to filter the users and groups that are read from IAS.  It's a good idea to test the provisioning job with a couple of users and groups before you remove the filter and run the job for all users and groups.  For the purpose of this blog, I am just going to provision the "DEMO" user and the "BR_DEMO" group.
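As an added example (not a screenshot or configuration from the original post), here is the property list for the Identity Authentication source system as I would set it up for the test run described above. The property names ias.user.filter and ias.group.filter are the ones documented for the Identity Authentication source connector in IPS; the names and the filter syntax are an assumption here and should be checked against the help guide for your tenant version before use.

```ini
# IPS source system: Identity Authentication (added example, not from the post)
Type=HTTP
ProxyType=Internet
URL=https://<tenant>.accounts.ondemand.com
Authentication=BasicAuthentication
User=<User ID of the IAS system user created under Administrators>
# Enter the password as a Credential property, not a Standard one
Password=<password of the IAS system user>

# Test-run filters (assumed property names; remove both to read all users and groups)
ias.user.filter=userName eq "DEMO"
ias.group.filter=displayName eq "BR_DEMO"
```

Run the read job once with the filters in place, confirm in the job log that exactly one user and one group were processed and that the Global User ID and role assignment on the S/4 side look right, and only then delete the two filter properties.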


Setup SAP S/4HANA Cloud as a target system in IPS

  1. Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.

  2. Click the Target System icon and click Add.

  3. Specify the following and click Save:

    • Type: SAP S/4HANA Cloud

    • System Name: <name of your choice>

    • Source System: <your IAS source system created earlier>



  4. Under Properties, add the additional properties below and click Save. Take a look at the help guide for the complete list of properties that are possible with S/4HANA Cloud as a target system.

    • Type: HTTP

    • ProxyType: Internet

    • URL: <S/4HANA Cloud URL>

    • Authentication: BasicAuthentication

    • User: <Communication User created in the S/4 system earlier>

    • Password: <Password of the communication user>




The screenshot below shows the setup of my target system in IPS.


Run the source provisioning job

  1. Switch to Source Systems.

  2. Select your source system and click the Jobs icon.  Click the Run Now icon to start the Read Job.

  3. Monitor the status of your job under the Job Logs until you see a Success or Failure status.  You will need to navigate away and come back to this page to see the updated status.

  4. View the details of the job execution.  In my case 1 user and 1 group were created successfully.


Once the provisioning job has executed successfully, the demo user in the S/4 system has the Global User ID populated and the Business Role assigned.
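To make the rules from the "why" section above (Global User ID must equal the IAS User UUID, roles follow group membership and are matched by name, the job cannot create roles, a business user is created only on top of an existing employee record) concrete, and to give a post-job check for the result shown here, the following is an added example. It is not code from the original post or from SAP: it models the S/4 side as a small in-memory structure, feeds it a constructed IAS user, and compares. The SCIM extension schema name and the userUuid attribute are assumed to be those returned by the Identity Directory SCIM API; the UUID value and the "BR_NOT_IN_S4" group are made up for the demonstration.

```python
"""Added example (not from the original post or SAP): model what the IPS job can do
with one IAS user under the rules stated in the post, then verify the result."""
from dataclasses import dataclass, field
from typing import Optional

# Schema URN and attribute of the SAP user extension in the Identity Directory
# SCIM API; assumed here, verify against the API reference for your tenant.
SAP_USER_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"

# Constructed sample: the DEMO user as IAS would return it, trimmed to what matters.
# The UUID is made up; BR_NOT_IN_S4 is a group with no matching S/4 business role.
IAS_DEMO_USER = {
    "userName": "DEMO",
    "active": True,
    SAP_USER_EXT: {"userUuid": "6f1c2a4e-0d33-4a8b-9c55-1e2f3a4b5c6d"},
    "groups": [{"display": "BR_DEMO"}, {"display": "BR_NOT_IN_S4"}],
}


@dataclass
class S4State:
    """Local model of the S/4HANA Cloud side (constructed, no API call is made)."""
    employees: set = field(default_factory=set)       # employee records that exist
    business_roles: set = field(default_factory=set)  # business roles that exist
    users: dict = field(default_factory=dict)         # name -> {"global_user_id", "roles"}


@dataclass
class Plan:
    user_name: str
    action: str                       # "create", "update" or "skip"
    global_user_id: Optional[str]
    roles: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def make_demo_state() -> S4State:
    """S/4 before the job, as in the post: DEMO exists as employee and business user
    with an empty Global User ID and no roles; BR_DEMO exists as a business role."""
    return S4State(employees={"DEMO"}, business_roles={"BR_DEMO"},
                   users={"DEMO": {"global_user_id": None, "roles": set()}})


def ias_user_uuid(ias_user: dict) -> Optional[str]:
    return ias_user.get(SAP_USER_EXT, {}).get("userUuid")


def plan_provisioning(ias_user: dict, s4: S4State) -> Plan:
    """Decide what the job can do for one IAS user under the post's rules."""
    name = ias_user["userName"]
    uuid = ias_user_uuid(ias_user)
    groups = {g["display"] for g in ias_user.get("groups", [])}
    plan = Plan(user_name=name, action="update", global_user_id=uuid)
    if uuid is None:
        plan.action = "skip"
        plan.reasons.append("IAS user has no User UUID to write into Global User ID")
        return plan
    if name not in s4.users:
        if name not in s4.employees:
            # Business users are only created on top of an existing employee record.
            plan.action = "skip"
            plan.reasons.append("no employee record in S/4; the job will not create one")
            return plan
        plan.action = "create"
    # Roles follow group membership, matched by name; the job cannot create roles.
    plan.roles = groups & s4.business_roles
    for g in sorted(groups - s4.business_roles):
        plan.reasons.append(f"group {g} has no business role of that name; ignored")
    return plan


def apply_plan(plan: Plan, s4: S4State) -> S4State:
    """Mirror the job's effect on the local model."""
    if plan.action != "skip":
        s4.users[plan.user_name] = {"global_user_id": plan.global_user_id,
                                    "roles": set(plan.roles)}
    return s4


def verify_user(ias_user: dict, s4: S4State) -> list:
    """Post-job check: Global User ID equals the IAS User UUID, and the assigned
    roles are exactly the existing roles named by the user's IAS groups."""
    name = ias_user["userName"]
    s4_user = s4.users.get(name)
    if s4_user is None:
        return [f"{name}: no business user in S/4"]
    findings = []
    if s4_user["global_user_id"] != ias_user_uuid(ias_user):
        findings.append(f"{name}: Global User ID does not match IAS User UUID")
    expected = {g["display"] for g in ias_user.get("groups", [])} & s4.business_roles
    if missing := expected - s4_user["roles"]:
        findings.append(f"{name}: roles missing in S/4: {sorted(missing)}")
    if extra := s4_user["roles"] - expected:
        findings.append(f"{name}: roles in S/4 not backed by an IAS group: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    state = make_demo_state()
    print("before job:", verify_user(IAS_DEMO_USER, state))
    plan = plan_provisioning(IAS_DEMO_USER, state)
    print("plan:", plan)
    apply_plan(plan, state)
    print("after job:", verify_user(IAS_DEMO_USER, state) or "DEMO matches IAS")
```

Before the job the check reports the empty Global User ID and the missing BR_DEMO role; after the job it reports nothing, and the plan shows that BR_NOT_IN_S4 was ignored because no role of that name exists. Run `verify_user` over the real IAS user list and an export of the S/4 business users after the first unfiltered job run to catch users whose employee record was missing or whose groups have no matching role.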



While the focus of this blog is on S/4HANA Cloud, the majority of the steps covered here can easily be adapted to provision users to other ABAP-based cloud systems, such as SAP Integrated Business Planning (IBP) and SAP BTP ABAP Environment.
14 Comments
DeepikaB
Explorer
Hi Harjeet,


Thanks for the useful doc.

I have a requirement to map s/4 HANA ABAP on premise to IAS for authentication.

I could successfully map the WEBGUI (URL) of on premise to IAS. But the client wants the authentication from SAP Logon Pad. That is, when the user tries to enter user ID & password it should route to IAS. Is it even possible? If yes, please let me know the config guide link to check the same.


Thanks,

Deepika
harjeetjudge
Product and Topic Expert
Hi Deepika,

SAML auth will not work with desktop clients like SAP GUI.  You will need to use the approach covered in the blog below:

https://blogs.sap.com/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windo...

Harjeet
Hello Harjeet,

Many thanks for the writeup.

One question:
NOTE: It’s not possible to add new business roles to S/4HANA Cloud via provisioning job.  The roles must already exist in the S/4 system.  It’s also not possible to create a new business users during the provisioning job, unless the employee record already exists in S/4 system.  For eg, I can’t just add a new user in my IAS tenant and expect it to be created in the S/4 system during the provisioning process.

Does this mean that this configuration can somehow help us create a Business User automatically using the IPS job, if the employee record is set up? Because that is the scenario which we are currently exploring -> The employee record will be created in S4 via an interface from Workday. However, we need an automated way to generate the Business User and link it to this generated employee record.

Any help would be greatly appreciated, thanks! 🙂
Rachelhsu
Product and Topic Expert
Hi,

Does your scenario fit for the 3-system of S/4HANA Cloud?

Right now, we met that we can't log on to S/4 because there is only the initial user ID in the hand-over email.
harjeetjudge
Product and Topic Expert
Hi Rohit,

"Does this mean that this configuration can somehow help us create a Business User from automatically using the IPS job, if the employee record is set up? Because that is the scenario which we are currently exploring -> The employee record will be created in S4 via an interface from Workday. However, we need an automated way to generate the Business User and link it to this generated employee record."

[HJ] That is exactly what I did in this blog.  Business users were provisioned to S/4 Cloud and business roles were mapped based on the user group assignment in IAS.

Thanks,

Harjeet
JTR
Product and Topic Expert

Hello Rachel,

This behavior has been enhanced with the S/4HANA Cloud 2208 release.

Please check here the update description.

The SAP IAS Solution can manage authentication and authorization for all systems in scope.

Therefore it can manage S4HC DEV and TEST. However, it's advisable to differentiate IAS Test and Prod tenants.

License provides 2 tenants - TEST and PROD. You may also check this information here.


Hope this helps your question.

Thank you


SubbuIyer
Participant
Thanks Harpreet.

However, I think you still have not covered the scenario that Rohit asked about. He says that employees are created through an external HR interface such as Workday in S/4HANA Cloud. The business user does not exist at this point. In your scenario you have already created the user DEMO in S/4HANA Cloud.

So, will this work if the business user does not exist in the system? i.e. we create the user in IAS, assign a group and then sync S/4 using IPS then the user is created in S/4, mapped to the employee and assigned the role?

regards,


Subbu Iyer
harjeetjudge
Product and Topic Expert
The provisioning job will create the business users and assign them to roles.  The employee record must exist as the job will not create the employee records.
SubbuIyer
Participant
Thanks for the confirmation Harjeet.

Is there a way to automate the creation of IAS users (in the absence of SuccessFactors) without manually doing the file upload, and also considering the fact that the employee ID and User Name need to be identical?

marhol
Product and Topic Expert
Identity Directory of SAP Cloud Identity Services offers a SCIM REST API to manage resources (users, groups and custom schema): API Reference | Identity Directory Service | SAP API Business Hub. (see e.g. also Identity Directory SCIM REST API | SAP Help Portal)

IPS can also connect to IAS as target system to provision user from a corporate user store to the Identity Authentication user store: Identity Authentication | SAP Help Portal
SubbuIyer
Participant
Thank you Marco.

Does this process work for deactivation as well? If the user status is inactive in IAS, does it lock the user in S/4HANA Cloud? My apologies for flooding this blog with questions.

Regards,


Subbu Iyer
SubbuIyer
Participant
Hello Harjeet,

This has been a very useful blog. I have one more question.

Where do you map the IAS group to the S/4HANA business role? How does the system know that IAS group BR_DEMO is equal to S/4 role BR_DEMO?


Regards,

Subbu Iyer
rahuljain257
Participant

Hello Harjeet ji,

Thanks for the article !!! I have 1 query - 

We are looking to create a new tile on the S/4 HANA Home screen, tentatively named "Web Portal." The goal is for this tile to serve as a gateway, redirecting users to our Web Portal hosted within the Cloud Foundry environment of BTP. Upon redirection from the S/4 HANA Tile to the Web Portal, we aim to transmit certain information, such as the details of the currently logged-in user.

Is there a provision to facilitate this transfer, and if so, how can it be implemented?

Regards

Rahul Jain

Alterman
Participant



Can SAP make it more cumbersome?  Many don't want to create employees.  Many don't want to have anything to do with SAP HR.

This is an incredibly weak argument:

"
Now, you might be wondering why would I need to provision users from IAS into S/4HANA Cloud? In step 2 of the onboarding process, aren't we doing the exact opposite?

One reason is to ensure that the S/4HANA Cloud user profile has the Global User ID populated with a value that matches the User UUID field from IAS.  The Global User ID field in the S/4HANA Cloud user profile will be empty unless we actually run a job to provision users from IAS to S/4.  The User UUID field in IAS is used by applications such as SAP Task Center to uniquely identity a user record across different SAP applications.  I covered SAP Task Center integration with S/4HANA Cloud in another blog where I also highlight the importance of the User UUID field."