SAP C4C User Provisioning Integration with GRC/IDM
This article lays out a framework for managing user administration and access controls for SAP C4C and outlines how to integrate C4C into the provisioning architecture of your landscape.
Business use case:
From its early days, SAP Hybris C4C (Cloud for Customer) did not offer standard connectors to integrate with Identity and Access Management tools, so in large-scale projects with a large C4C user base, user access maintenance was manual.
Imagine 60k+ users to be maintained individually for a large go-live. Requirements like this lead you to explore ways of mass-maintaining user accounts in SAP C4C. Neither the IDM solution nor SAP GRC had a standard connector to SAP C4C. Consequently, SAP C4C could not follow the user admin processes and provisioning policies of the rest of the landscape.
This is why we designed a framework that integrates C4C into the existing user provisioning of a large SAP landscape containing multiple systems, where a set of user admin processes from hire to retire guides all provisioning policies and procedures, operated through an Identity Management and GRC solution.
The solution was to employ a standard report that creates employees in C4C based on CRM on-premise BP data and fetches the C4C business role data from the user master record in CRM, using various enhancement/BADI implementation points and working in tandem with relevant stakeholders from business and technology.
This solution also leverages the fact that a C4C user’s validity is tied to the validity of the CRM on-premise BP record, which is internally fed from the same HR source that also sends data to the GRC/IDM solution controlling all user access from hire to retire. For example, if it is determined that a user needs access to CRM on-premise and C4C, they will be created in CRM on-premise with a BP record from the HR feed. If the user leaves the company, the same HR feed will disable their CRM BP record, which in turn will deactivate the employee’s C4C user account.
Role assignment happens through the BADI implementation, which allows the outbound IDOC used in the employee replication process to be populated with C4C role assignment information (by default, the IDOC doesn’t store business user role information for the C4C employee).
Steps in the process:
1. Implement an enhancement in the SU01 code that runs a check at user save to identify the C4C roles assigned to the user in CRM on-premise (these are dummy roles in CRM on-premise that correspond to C4C business roles; the mapping is stored in CRM on-premise as a custom table).
2. Build the IDOC structure by calling FM ‘CRMPCD_EMPLOYEE_OUTBOUND’ to fetch the employee information for the CRM user ID.
3. Create a new BADI implementation for the CRMPCD_EMPLOYEE_OUTBOUND BADI to populate the role data in the outbound IDOC.
4. Use report CRMPCD_EMPLOYEE_EXTRACT for employee replication, which now also contains the C4C business role information, thereby assigning the correct access for the employee in C4C based on data sent from the HR feed and the GRC/IDM solution.
5. Work with your development team to fill in the details for each of these steps and carry out the customization needed to leverage this framework, which employs BADI CRMPCD_EMPLOYEE_OUTBOUND to add role data to the outbound IDOC and finally sends this data through employee replication.
Employee replication shall happen via report CRMPCD_EMPLOYEE_EXTRACT.
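The framework above implies two invariants that can be checked after replication: a C4C account should only be active while the CRM BP record is valid, and its business roles should be exactly those derived from the dummy CRM roles via the mapping table. The following reconciliation check is an added example, not code from this blog or from SAP; the role names, user IDs, data classes and the assumption that both user lists have already been exported are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the custom CRM table mapping dummy CRM roles
# to C4C business roles (all role names here are hypothetical).
ROLE_MAP = {"ZC4C_SALES_REP": "SALES_REP", "ZC4C_SERVICE_AGENT": "SERVICE_AGENT"}

@dataclass
class CrmUser:
    user_id: str
    roles: list        # roles on the CRM on-premise user master record
    bp_valid_to: date  # validity end of the BP record fed from HR

@dataclass
class C4cUser:
    user_id: str
    active: bool
    business_roles: set

def reconcile(crm_users, c4c_users, today):
    """Return sorted (user_id, finding) pairs where C4C deviates from CRM."""
    crm_by_id = {u.user_id: u for u in crm_users}
    findings = []
    for c4c in c4c_users:
        crm = crm_by_id.get(c4c.user_id)
        if crm is None:  # account was not created through replication
            if c4c.active:
                findings.append((c4c.user_id, "NO_CRM_SOURCE"))
            continue
        bp_valid = crm.bp_valid_to >= today
        if c4c.active and not bp_valid:  # leaver still able to log on
            findings.append((c4c.user_id, "ACTIVE_AFTER_BP_EXPIRY"))
        expected = {ROLE_MAP[r] for r in crm.roles if r in ROLE_MAP}
        for role in c4c.business_roles - expected:  # granted outside GRC/IDM
            findings.append((c4c.user_id, f"EXTRA_ROLE:{role}"))
        if c4c.active and bp_valid:
            for role in expected - c4c.business_roles:  # replication gap
                findings.append((c4c.user_id, f"MISSING_ROLE:{role}"))
    return sorted(findings)

# Constructed sample data, not taken from any real system.
TODAY = date(2024, 6, 1)
CRM = [CrmUser("U1001", ["ZC4C_SALES_REP", "ZCRM_DISPLAY"], date(9999, 12, 31)),
       CrmUser("U1002", ["ZC4C_SERVICE_AGENT"], date(2024, 3, 31)),
       CrmUser("U1003", ["ZC4C_SALES_REP"], date(9999, 12, 31))]
C4C = [C4cUser("U1001", True, {"SALES_REP"}),
       C4cUser("U1002", True, {"SERVICE_AGENT"}),
       C4cUser("U1003", True, {"SALES_REP", "ADMINISTRATOR"}),
       C4cUser("U1999", True, {"SALES_REP"})]

if __name__ == "__main__":
    for user_id, finding in reconcile(CRM, C4C, TODAY):
        print(user_id, finding)
```

Any finding points to access that bypassed the GRC/IDM process or to a replication run that did not complete.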
The figures given below show a sample landscape and illustrate how user provisioning occurs for birthright and additional access changes, and how SAP C4C user administration can be integrated to follow the provisioning policies of the rest of the SAP landscape. Similarly, by extrapolation, user account change and user termination processes can be built to administer C4C users.*
*P.S: Please note that the main objective of the blog is to illustrate a path forward on how to integrate C4C into an existing user provisioning landscape. The figures provided are just an example of how integration is done based on a particular landscape setup. Best practices on employee replication and how it is done (whether from SAP ERP, SAP CRM or SAP SuccessFactors Employee Central (EC)) are not the focus area of this blog, so please work with relevant stakeholders to customize the user provisioning solution according to the unique requirements of your landscape/systems and the mechanisms being followed.
Thanks for reading and hope this blog helps!!