cancel
Showing results for 
Search instead for 
Did you mean: 

Advanced Financial Closing on BTP

martinpfaff
Explorer
0 Kudos

Hello!

We are now starting with AFC on BTP (as a replacement of AFC on SAP S/4HANA Cloud) and are facing some issues, which we can't solve so far:

The process of creating new users has changed significantly, as a new system (BTP cockpit) needs to be used as a connection between IAS tenant and AFC

We defined the process of creating new users for AFC with these steps:

  1. Prepare the users in an excel sheet for uploading in AFC
    (fields: ID;FirstName;LastName;Address;Email;Phone;Mobile;Fax;Department;Position;Language)
    -- in the old AFC we've created them manually - now we can upload them; that's OK and a good improvement
  2. Assign the users to AFC-roles in AFC
    only the access (read/write) to company codes is manageable (we don't use other hierarchy types)
    -- this is also ok so far
  3. Export the users for creating them in our IAS tenant
    -- same procedure as in the past
  4. Create the users on our IAS tenant using the export file from step-3
    -- same procedure as in the past
  5. Create the users on the BTP sub account
    -- this is a new step; as we don't know of uploading the users from IAS or AFC we have to enter manually any user; this is cumbersome and sensitive for errors
    ==> do someone know a way to automate that process?
  6. Assign (prepared) role collections for AFC to the users in BTP Cockpit

Do someone have a recommendation to optimize that process or are we on a good way?

Thank you very much for your contributions and recommendations!

All the best for 2022!

regards, Martin

Accepted Solutions (0)

Answers (3)

Answers (3)

carlopus
Explorer

Hello Martin,

we intent it to perform in a different way (still to be validated):

1) User apply for AFC Access with the required Business Role in IGA

2) With the IGA within the SAP BTP we will manage the request, approval workflow and automatic assignment of "AFC BTP" Static User Role to view the respective AFC tiles.

3) User needs to login on the AFC Link

-> The user logs into AFC via the IDP (his user is created on-the-fly then in AFC)

4) User request via internal Ticketing Tool, what AFC User Role (Content releated Authorisation e.g. Company Code etc. User Group) he required. For the beginning it's planned to these roles that assigned via a Authorisation Team manual.

AFC does not yet cover the assignment of authorizations, e.g. via IAG. As a support SAP offer since the November release a CSV upload for the assignment of users/roles. However SAP is currently investigating the use of the SCIM protocol, which would allow automated synchronization of users and user groups with the IDP. They want to enable in the medium term an official API that performs the automatic assignment and synchronization of users, user groups, roles, role assignments based on the SCIM protocol.

PM me if you want to exchange on this.

Best regards

Carsten

martinpfaff
Explorer
0 Kudos

Thank you Max for the recommendations

We will do it in future slightly adjusted

  1. Prepare CSV files for user creation in expected file format for the target system
    - one for IAS tenant
    - one for AFC BTP
    --> based on the same data in one excel file
  2. Upload CSV in AFC BTP (done from ourselves as we are AFC admins)
  3. After AFC upload, assignment of roles in AFC BTP (done from ourselves as we are AFC admins)
  4. Upload CSV in IAS tenant (from our IT company as global admins for the whole group)
  5. After IAS upload, assignment of roles in BTP cockpit (this is again done by ourselves as we are subaccount admins)
Maximilian1
Product and Topic Expert
Product and Topic Expert
0 Kudos

Dear Martin,

thanks for reaching out.

I would recommend to try a different process sequence than you currently use for the creation of users and the assignment of access roles.

If you want to use SAP IAS as the identity provider solution with SAP AFC, you should first set up the initial trust and federation in the Subaccount, where you have assigned the AFC service, this is described here.

Next, you should create the users in SAP IAS, for example via spreadsheet upload, this is described here.

As the users now exist in your Subaccount – they were synched through the XSUAA service – you can assign role collections to the users, this is described here. They control, which apps in AFC can be accessed by the users.

At this point, the users do not yet exist in the AFC application yet, therefore the required creation of users in the application’s master data tables can happen in two different ways (as mentioned correctly by Carsten already):

  • Either the users log on to SAP AFC initially, using SAP IAS as identity provider. This action will create their user master data in the AFC application on the fly.
  • Or you as admin upload the users in the “Manage Users” application of SAP AFC (you could download them as CSV-File from SAP IAS before), which will allow you to assign user roles to the users inside SAP AFC already before they have logged on to the application the first time, this is described here.

Best wishes,

Max