Deep Dive 2 with SAP Cloud SDK: What is what? Your quick reference to Communication Management, and Identity & Access Management Artifacts in S/4HANA
This blog post will give you an overview of SAP S/4HANA Communication, Integration and Authorization artifacts.
- This post is part of a series. For a complete overview visit the SAP Cloud SDK Overview.
- The specific blogs which use the concepts explained here are: Calling an OData Service, SAP Cloud SDK Virtual Data Model for OData, and Deep Dive 1 with SAP Cloud SDK.
Goal of this Blog Post
It is a given that the range and robustness of business processes and data residing in an SAP S/4HANA system offer unmatched value. Over the years, many of these business processes and data points have been exposed as services. Subsequently, application developers and system integrators have looked for ways in which they could consume these S/4HANA services in a secure, reliable and simple manner.
Here is a great blog on how to achieve this.
In this endeavour, one faces the following challenges:
- Which Communication and Integration artifacts are needed and how do I create them?
- How do I specify/manage authorization to the S/4HANA system in general, and to the specific service being consumed?
- How do these Communication, Integration and Authorization artifacts work together? What are their inter-relationships?
If you are facing one or more of these (or similar) questions, then you are at the right place.
This blog is organized in two parts.
- Part 1 – deals with Communication Arrangement and related artifacts.
- Part 2 – talks about Business Roles and related IAM artifacts.
The Concept of Communication and Integration Artifacts
SAP S/4HANA Cloud uses the concept of a Communication Arrangement, which instantiates a given Communication Scenario and connects through a Communication System.
Figure 1 below gives you an overview of the interconnections and respective cardinalities of these communication artifacts.
Fig 1: S/4HANA Cloud Communication and Integration Artifacts and their inter-relationships
Let us now look at each of these entities in detail.
Communication Arrangement
Purpose: Act as the primary integration point.
In the past, you may have been used to classic RFC or direct IDoc-based integration with S/4HANA. As we move to the Cloud, it’s now time to embrace the power of the Communication Arrangement.
A Communication Arrangement lets you configure the connection to an S/4HANA Cloud system on a semantic level. It bundles a Communication Scenario and a Communication System to create a specific communication instance. Further, it holds information about the Communication User, with its Authentication Method (Basic, With certificate, or OAuth 2.0) for both inbound and outbound directions.
A Communication Arrangement (CA) is always based on one Communication Scenario and makes use of one Communication System. When a CA is saved and activated, it generates the particular communication runtime artifacts, like logical ports, RFC destinations, etc., which are used for the communication.
Communication System
Purpose: Represent the S/4HANA system.
A Communication System is a semantic representation of the system your application connects to. It holds all necessary technical information about the system, such as Hostname/IP Address, Identity, User Information, Certificates etc.
Communication Scenario (aka Integration Scenario)
Purpose: Act as basis for Communication Arrangement.
A Communication Scenario is used by a Communication Arrangement as the basis to set up an instance of the scenario in the runtime system.
In other words, each Communication Arrangement instance instantiates a particular Communication Scenario, which holds information about inbound and outbound services and related design-time artifacts (e.g. Service Interfaces and Proxies). The Communication Arrangement uses this information to establish the connection with the relevant Communication System.
You also have a choice to create your own Custom Communication Scenarios.
Communication User
Purpose: Login credentials.
Also referred to as “Technical Users”, Communication Users are used to log in to the S/4HANA Cloud system. They are assigned to Communication Systems and are used by Communication Scenarios. Each Communication User has a “User Name”, chosen by you, and a unique “User ID”, generated by the system.
Tip: In S/4HANA system, “User ID” of the Communication User corresponds to the field “User” of the technical user in User Maintenance (Transaction SU01). “User Name” corresponds to field “Alias”.
Each of the mentioned artifacts has a clear purpose and, in a sense, follows the principle of “Separation of Concerns”. For an application developer or a system integrator, this model makes it highly convenient to model the communication setup and to troubleshoot it later, if any issues arise.
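To make the relationships in Part 1 concrete, here is an added example (not SAP's code and not taken from this post) that models the four artifacts as plain Python classes and simulates what "save and activate" of a Communication Arrangement has to verify before any runtime artifact can be generated: exactly one scenario, exactly one system, and a Communication User whose credential material matches its authentication method. All IDs, hostnames, service paths and credential values are constructed placeholders, and the shape of the generated destination entries is an assumption of this example.

```python
# Added example (not SAP's code): a constructed model of the communication
# artifacts described above, used to show what "save and activate" has to
# check before it can generate runtime artifacts.  All IDs, hosts and service
# paths below are constructed placeholders, not real S/4HANA objects.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CommunicationUser:
    user_name: str                      # chosen by you ("Alias" in SU01)
    user_id: str                        # generated by the system ("User" in SU01)
    auth_method: str                    # "Basic", "Certificate" or "OAuth2"
    password: Optional[str] = None
    certificate_pem: Optional[str] = None
    oauth_token_url: Optional[str] = None


@dataclass
class CommunicationSystem:
    system_id: str
    host: str                           # hostname the arrangement connects to


@dataclass
class CommunicationScenario:
    scenario_id: str
    inbound_services: tuple             # service paths an external app calls on S/4HANA
    outbound_services: tuple            # service paths S/4HANA calls on the external side


@dataclass
class CommunicationArrangement:
    arrangement_id: str
    scenario: CommunicationScenario     # exactly one scenario ...
    system: CommunicationSystem         # ... and exactly one system
    inbound_user: CommunicationUser     # credentials the external app presents
    outbound_user: CommunicationUser    # credentials S/4HANA presents outbound


# Credential field each authentication method needs (assumption of this model).
REQUIRED_CREDENTIAL = {
    "Basic": "password",
    "Certificate": "certificate_pem",
    "OAuth2": "oauth_token_url",
}


def validate_user(user: CommunicationUser) -> List[str]:
    """Return the problems that would block activation for one user."""
    needed = REQUIRED_CREDENTIAL.get(user.auth_method)
    if needed is None:
        return [f"{user.user_name}: unknown authentication method {user.auth_method!r}"]
    if getattr(user, needed) is None:
        return [f"{user.user_name}: {user.auth_method} requires {needed}"]
    return []


def activate(arrangement: CommunicationArrangement) -> List[dict]:
    """Simulate 'save and activate': refuse an inconsistent arrangement,
    otherwise derive one runtime destination per inbound service.  The output
    shape loosely follows the entries SAP Cloud SDK reads from its
    `destinations` environment variable in local development; that shape is
    an assumption here, not something the post states."""
    problems = validate_user(arrangement.inbound_user) + validate_user(arrangement.outbound_user)
    if problems:
        raise ValueError("; ".join(problems))
    user = arrangement.inbound_user
    credential_field = REQUIRED_CREDENTIAL[user.auth_method]
    destinations = []
    for path in arrangement.scenario.inbound_services:
        entry = {
            "name": f"{arrangement.arrangement_id}_{path.rsplit('/', 1)[-1]}",
            "url": f"https://{arrangement.system.host}{path}",
            "authentication": user.auth_method,
            "username": user.user_name,
        }
        # Only the credential the chosen method needs is copied into the artifact.
        entry[credential_field] = getattr(user, credential_field)
        destinations.append(entry)
    return destinations


def example_arrangement() -> CommunicationArrangement:
    """Constructed sample data: one scenario with one inbound OData service."""
    scenario = CommunicationScenario(
        "SAP_COM_EXAMPLE",
        inbound_services=("/sap/opu/odata/sap/API_EXAMPLE_SRV",),
        outbound_services=(),
    )
    system = CommunicationSystem("EXAMPLE_S4HC", "my000000-api.example.com")
    inbound = CommunicationUser("EXAMPLE_INBOUND", "CC0000000001", "Basic", password="placeholder")
    outbound = CommunicationUser("EXAMPLE_OUTBOUND", "CC0000000002", "Certificate",
                                 certificate_pem="-----BEGIN CERTIFICATE-----placeholder")
    return CommunicationArrangement("CA_EXAMPLE", scenario, system, inbound, outbound)


if __name__ == "__main__":
    for dest in activate(example_arrangement()):
        print(dest["name"], "->", dest["url"], f"({dest['authentication']})")
```

The point of `validate_user` is the one the post makes about the Communication User: the authentication method chosen in the arrangement dictates which credential must exist on the user, and an arrangement whose user lacks it should fail at activation rather than at the first failed call.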
The Concept of Authorization Artifacts – Identity and Access Management (IAM)
For Authorization and Identity and Access Management (IAM), S/4HANA Cloud makes intelligent use of the concept of Business Users, who are assigned to a Business Catalog, and are granted a Business Role.
Figure 2 below gives you an overview of the interconnections and respective cardinalities of these authorization artifacts.
Fig 2: S/4HANA Cloud IAM Artifacts and their inter-relationships
Let us now look at each of these entities in detail.
Business User
Purpose: Represent an end-user of the application.
With S/4HANA Cloud comes the concept of the Business User, which acts as a simplification layer on top of the existing, well-known ABAP authorization concept. This hides much of the complexity pertaining to Authorization Objects and lets it run under the hood. Once granted the relevant Business Role, the Business User gets seamless access to the services the respective Business Catalog has been configured for.
Tip: In S/4HANA system, “User ID” of the Business User corresponds to the field “User” of the technical user in User Maintenance (Transaction SU01). “User Name” corresponds to field “Alias”.
Business Role
Purpose: Represent an end-user role.
A Business Role represents a “business persona”, for example a “Purchase Manager”. It includes all Business Catalogs (with required authorization restrictions) the concerned Business User needs access to.
Under the hood, Business Roles make use of the well-known PFCG-based ABAP authorization mechanism. As soon as a Business Role is assigned to a user, the corresponding PFCG profiles are generated in the S/4HANA system. This works seamlessly and is completely transparent to users and system administrators.
Certain Business Roles are delivered by SAP as pre-configured templates. You may define your own Business Roles either directly, or based on these templates.
Business Catalog
Purpose: Group all required functionality.
A Business Catalog is a collection of applications (in the form of Fiori tiles) and authorization restrictions that should be assigned to a Business Role. It is used for structuring and organizing what the user sees on the Fiori Launchpad and which restrictions apply to him/her during application access.
Business Catalogs have a one-to-one reference to a Business Catalog Role.
In S/4HANA Cloud, Business Catalogs are defined and delivered by SAP, each with a pre-configured Business Catalog Role that corresponds to it. On the customer’s side, the key user assigns the required Business Catalogs to a Business Role and defines specific authorizations through restriction configuration.
Business Catalogs belonging to the same functionality are logically grouped together by SAP into Business Groups, making assignment to Business Roles even easier.
Business Catalog Role
Purpose: Group all required authorizations.
Also delivered by SAP, a Business Catalog Role contains a given Business Catalog and all respective authorization configuration (Authorization Objects with specific fields and values).
Representing design-time configuration, a Business Catalog Role comes into play when the respective Business Role is granted to a Business User. Upon this assignment, all required PFCG profiles, containing the respective authorization objects, are generated, enabling the user to access the applications seamlessly. All this happens inside the S/4HANA system, silently under the hood, and all the complexity is completely hidden from the user.
For the user, the only activity required is assignment of Business Catalogs to Business Roles, and granting of Business Roles to Business Users.
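The Business Role, Business Catalog and Business Catalog Role sections above describe a chain of assignments that ends in generated PFCG authorizations. The added example below (not SAP's code and not part of this post) simulates that chain: granting roles to a user produces one authorization instance per catalog and role, narrowed by the role's restriction values, and a check then evaluates those instances the way an ABAP AUTHORITY-CHECK does, one instance at a time. Every object, catalog, role and field value used here is a constructed placeholder.

```python
# Added example (not SAP's code): a constructed model of the IAM artifacts
# above.  It simulates what happens when a Business Role is granted: each
# Business Catalog contributes the authorizations of its Business Catalog
# Role, narrowed by the role's restriction values, and the resulting
# authorizations are checked the way AUTHORITY-CHECK evaluates them.
# All object, catalog and role names below are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Authorization:
    """One instance of an authorization object with concrete field values.
    '*' stands for the full value range."""
    obj: str
    values: Tuple[Tuple[str, FrozenSet[str]], ...]


@dataclass
class BusinessCatalogRole:
    role_id: str
    authorizations: Tuple[Authorization, ...]   # delivered by SAP with the catalog


@dataclass
class BusinessCatalog:
    catalog_id: str
    apps: Tuple[str, ...]                       # Fiori tiles
    catalog_role: BusinessCatalogRole           # one-to-one reference


@dataclass
class BusinessRole:
    role_id: str
    catalogs: Tuple[BusinessCatalog, ...]
    restrictions: Dict[str, FrozenSet[str]]     # field -> values the key user allows


@dataclass
class BusinessUser:
    user_name: str
    roles: Tuple[BusinessRole, ...]


def generate_authorizations(user: BusinessUser) -> List[Authorization]:
    """Simulate PFCG profile generation on role assignment: every catalog in
    every granted role contributes its catalog role's authorizations, with each
    restricted field narrowed to the role's restriction values."""
    generated = []
    for role in user.roles:
        for catalog in role.catalogs:
            for auth in catalog.catalog_role.authorizations:
                narrowed = {}
                for fld, delivered in auth.values:
                    allowed = set(delivered)
                    if fld in role.restrictions:
                        restricted = set(role.restrictions[fld])
                        allowed = restricted if allowed == {"*"} else allowed & restricted
                    narrowed[fld] = frozenset(allowed)
                generated.append(Authorization(auth.obj, tuple(sorted(narrowed.items(), key=lambda kv: kv[0]))))
    return generated


def check_authority(authorizations: List[Authorization], obj: str, **required: str) -> bool:
    """AUTHORITY-CHECK semantics: the check passes only if a single
    authorization instance covers every required field.  Values from two
    different instances are never combined, so a second role restricted to
    another plant does not widen what the first role allows."""
    for auth in authorizations:
        if auth.obj != obj:
            continue
        fields = dict(auth.values)
        if all(value in fields.get(fld, ()) or "*" in fields.get(fld, ()) for fld, value in required.items()):
            return True
    return False


def launchpad_apps(user: BusinessUser) -> FrozenSet[str]:
    """Tiles the user sees: the union of all catalogs in all granted roles."""
    return frozenset(app for role in user.roles for catalog in role.catalogs for app in catalog.apps)


def example_user() -> BusinessUser:
    """Constructed sample: one catalog, granted through two differently restricted roles."""
    catalog_role = BusinessCatalogRole("EXAMPLE_BCR", (
        Authorization("Z_EXAMPLE_PO", (("ACTVT", frozenset({"01", "02", "03"})),
                                       ("WERKS", frozenset({"*"})))),
    ))
    catalog = BusinessCatalog("EXAMPLE_BC_PURCHASING", ("Manage Purchase Orders",), catalog_role)
    manager_plant_1000 = BusinessRole("PURCHASE_MANAGER_1000", (catalog,), {"WERKS": frozenset({"1000"})})
    viewer_plant_2000 = BusinessRole("PURCHASE_VIEWER_2000", (catalog,),
                                     {"ACTVT": frozenset({"03"}), "WERKS": frozenset({"2000"})})
    return BusinessUser("EXAMPLE_USER", (manager_plant_1000, viewer_plant_2000))


if __name__ == "__main__":
    auths = generate_authorizations(example_user())
    print("change in plant 1000:", check_authority(auths, "Z_EXAMPLE_PO", ACTVT="02", WERKS="1000"))
    print("change in plant 2000:", check_authority(auths, "Z_EXAMPLE_PO", ACTVT="02", WERKS="2000"))
```

The sample user holds a change role restricted to plant 1000 and a display-only role restricted to plant 2000. Because each role yields its own authorization instance, the user can change in plant 1000 and display in plant 2000, but not change in plant 2000: the restriction values of one role are never merged with the activities of another. That is the behaviour a key user relies on when restricting Business Roles by organizational values.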
The Identity and Access Management (IAM) concept of S/4HANA Cloud massively simplifies user authorization management, while reusing the power and robustness of PFCG-based ABAP authorization in the backend. It is a classic example of a situation where “strength” meets “simplicity”.
SAP S/4HANA Cloud comes with a simple, yet robust and powerful concept of Communication, Integration, and Authorization management. Each artifact serves a distinct purpose and plays its part in the overall story. Some of these artifacts are delivered by SAP for out-of-the-box usage to significantly simplify design-time configuration. The others are configurable by customers and bring the right amount of flexibility. To say that this hits the sweet spot between robustness and flexibility will be no exaggeration.
Hope this blog has been able to give you a concise, yet complete picture of the integration and authorization concepts used in S/4HANA Cloud. If you would like to dive into the details of a specific topic, then navigate to the respective SAP Help Portal links.