Starting with the SAP S/4HANA Cloud 1911 release, all S/4HANA Cloud tenants are bundled with an SAP Identity Provisioning cloud service! This is already included in the S/4HANA Cloud license which you purchase, so no additional licensing is needed for its use. This also applies to all S/4HANA Cloud tenants which were provisioned before the 1911 release.
In this blog post, I will try to shed more light on SAP Identity Provisioning and address some questions which you might have in mind. For simplicity, in the rest of this blog post I will refer to SAP Identity Provisioning as IPS, which stands for Identity Provisioning Service.
IPS offers a simple and secure approach to identity lifecycle management in the cloud. It allows you to provision and de-provision users and their authorizations to cloud business applications by simply re-using identity data from an existing central user store. To get more insights about the features and capabilities of IPS, please go through the What is Identity Provisioning page in SAP Help Portal. Below is a screenshot of an Identity Provisioning Service Administration user interface.
On SAP's quest to deliver a truly integrated intelligent enterprise to our customers, we noticed that identity and user management between different cloud business applications could become a challenge. SAP Identity Provisioning service is now introduced to fill this gap and simplify user provisioning into different cloud applications which are connected to your S/4HANA Cloud solution.
Have you recently heard about the Embedded Analytics for S/4HANA Cloud powered by SAP Analytics Cloud (SAC)? This is one use case in which IPS becomes interesting with the 1911 release of S/4HANA Cloud! IPS is a key component and is used for provisioning and de-provisioning your S/4HANA Cloud business users into SAP Analytics Cloud (SAC) without you (the S/4HANA Cloud administrator) needing to take care of user provisioning in SAC. This also ensures a seamless UX for end users, enabling them to view and create embedded SAP Analytics Cloud stories and data analyzer reports within S/4HANA Cloud without having to log in twice.
How many IPS tenants do I get in my S/4HANA Cloud landscape?
In total you will get only 2 IPS tenants: a Test IPS tenant which is integrated out-of-the-box with your Quality (Q) S/4HANA Cloud tenant, and a Production IPS tenant which is connected to your Production (P) S/4HANA Cloud tenant. In case you have a Starter S/4HANA Cloud tenant, it will be integrated with the Test IPS tenant.
Please note that if you have multiple Q or multiple P S/4HANA Cloud tenants, they will be integrated with the same Test or Production IPS tenants. This means that if you have 3 Q S/4HANA Cloud tenants (assigned to the same Customer ID), then all 3 Q tenants will be integrated with one Test IPS tenant. The same applies if you purchase more S/4HANA Cloud tenants: newly provisioned ones will be connected to the existing IPS tenants.
Do I get a new IPS tenant provisioned by SAP even if I already have an existing one?
No. In case you already have IPS bundled with another SAP solution you purchased (e.g. SAP SuccessFactors or SAP Marketing Cloud), no new IPS tenants will be provisioned for you. Your S/4HANA Cloud tenants will be integrated with the existing IPS tenants you already have.
How can I access my newly provisioned IPS instance?
This depends on whether your S/4HANA Cloud tenant was provisioned with the 1911 release or later, or before that. Below I explain the different cases.
You purchased S/4HANA Cloud before 1911 release (existing S/4HANA Cloud tenants)
In order to access your IPS tenant, you will need to contact SAP by opening a support incident. More information about that is available in the SAP Help Portal documentation on how to obtain access to IPS bundled accounts for S/4HANA Cloud.
You purchased S/4HANA Cloud with 1911 release or later (newly provisioned)
You will receive an onboarding e-mail from SAP for each S/4HANA Cloud tenant that gets provisioned for you. According to your contract with SAP, a technical contact person has been chosen as the first user of the Identity Provisioning service and is granted Administrator permissions. Each onboarding e-mail contains a URL link which you, as an administrator, can use to directly access the Identity Provisioning UI.
Do I need to do any integration setup between my S/4HANA Cloud tenants and IPS?
No. SAP pre-configures your S/4HANA Cloud tenant so that it is integrated with IPS out-of-the-box. This is done for both existing S/4HANA Cloud tenants and ones which are newly provisioned after 1911. The communication established between your S/4HANA Cloud tenant and IPS is customer-managed and enabled via the communication arrangement CA_SAP_COM_0193. Please note that altering or deleting this communication arrangement, or its associated communication system or user, will break your out-of-the-box integration with IPS, and you will need to set it up yourself if needed. A new communication scenario, SAP Cloud Platform Identity Provisioning Integration (SAP_COM_0193), is available starting with 1911 for all S/4HANA Cloud customers to enable this IPS integration. It is advised not to alter the existing communication arrangement, especially since you can create multiple arrangements of the same scenario SAP Cloud Platform Identity Provisioning Integration (SAP_COM_0193) if needed.
Does SAP provide any pre-configured system connections on my IPS tenant?
Yes. SAP provides one source and one target system configuration on your IPS tenants in order to enable the integration of the Embedded SAP Analytics Cloud (SAC) tenant with S/4HANA Cloud. In case you alter or delete the pre-configured source and target systems, the business user replication from S/4HANA Cloud to SAC will stop or break, and your business users might face issues displaying or creating analytical content from SAC in S/4HANA Cloud. SAP pre-configured system connections on your IPS tenants will follow this naming pattern:
To what extent am I allowed to create new system connections in IPS?
Creation of new source and target systems is generally allowed. However, the connection system type is restricted according to the SAP products you have purchased. The restriction matrix in SAP Help Portal tells you which source and target systems you are allowed to create in IPS.
For existing S/4HANA Cloud tenants, SAP Identity Provisioning (IPS) may not be available directly after the upgrade to the SAP S/4HANA Cloud 1911 release. There will be a phased rollout of Identity Provisioning tenants. Please refer to the official SAP S/4HANA Cloud 1911 release restriction note for more information.