In this 3 blogs series I will cover the following technical topics in order to give you an end to end view of a full S/4HANA Cloud Implementation:
- Blog 1: S/4HANA Cloud – System Setup
- Blog 2: S/4HANA Cloud – Key User In-App Extensibility
- Blog 3: S/4HANA Cloud – Side-by-Side Extensibility
Let’s start! 🙂
From a System Lifecycle point of view, different systems are used to ensure a successful implementation of S/4HANA Cloud.
- Starter system
In addition to these three systems, the landscape is complemented by:
- SAP Cloud Identity for the Sarter System and Q-system
- SAP Cloud Identity for the P-system
- SAP Cloud Platform for Side-by-Side Extensibility and Custom Development
Signing a Contract
An IT contact or a Technical Administrator should be named in the contract. This person will be the Owner of the systems.
Tip: Put some thought into which IT contact signs the contract. A change to these details will require opening ticket with SAP resulting in 2 or 3 day delay.
Once the Contract is signed, SAP delivers 3 separate emails with the all necessary information to set up your system.
Starter system URL and Initial User
The first email contains the Initial User and access information to the starter system. This 20-char user is a Technical Administrator which allows you to create the Business users with the Administrator Role. It is not required to be used further. But it’s a good idea to keep it safe.
Tip: You should use the system URL with the parameter saml2=disabled since no Identity Provider has been set at this moment.
The second email, sent separately for security, contains the Initial password which you can reset to make it memorable.
SAP Cloud Identity and User Onboarding Guide
The third email comes with the access information to the SAP Cloud Identity system (SCI). Again the IT person specified in the Contract will be the owner of this system.
SAP attaches with this email an Onboarding Guide to setup the Starter system and the SAP Cloud Identity.
The Onboarding Process guides you to create and maintain Employees and Business roles in the Starter System and import the associated Business Users into the SCI (SAP Cloud Identity).
Creating Employees and Business Users
- First you Log-on as a Technical Admin (The user and password provided by SAP). This user, as mentioned before, is meant only for temporary use in order to create the Administrator Employee and its Business User which will create the other Employees and Users.
- Navigate to Import Employees app and Download the Employee and Employment Data templates.
- Fill the data in the templates. Please note:
- Fields Marked with an asterisk are mandatory
- E-mail address is needed for the user registration in SCI
- The field EmployeeID represents the employee
- The field UserName represents the business user
- EmployeeID and UserName must be identical
- In the Starter System, CompanyCode is 1010 for DE and 1710 for US. For Q and P systems it should be the one you handed over to SAP.
- When uploaded, the system triggers an asynchronous import and create the employee data, synchronize the business Partner, and create the Business Users. Check if there are any Logs.
Creating the Administrator Business Role
- Navigate to Maintain Business Roles app and create the Administrator Business Role from the Template
- Check if the Administrator role has assigned the Business Catalog Employee – HR Data. If not assign it. Save and Activate.
- Go to Maintain Business Users app and assign the Administrator Role to the Administrator User previously imported.
- Download the user list as a CSV file. You will need to configure their access in SCI.
SAP Cloud Platform Identity Authentication service is a cloud solution for identity lifecycle management for SAP Cloud Platform applications, and optionally for on-premise applications.
It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers.
For administrators, Identity Authentication provides features for user lifecycle management and application configurations.
Please note that SAP delivers an SCI tenant for the Starter System and Q-system and a separate tenant for the P-System. SCI configuration should be updated once the q-system is delivered.
The URL looks like https://xxxxxxxxx.accounts.ondemand.com/admin where you can find different sections to manage Users & Authorizations, Applications & Resources and Identity Providers.
Tip: The SCI is key to configure the trust between SAP Cloud Platform and your S/4HANA Cloud system in the Side-by-Side Extensibility scenario.
In Applications you can set up the SAML 2.0 configuration and the Assertion Consumer Service Endpoint which will point to your S/4HANA Cloud tenant.
Tip: The Co-Pilot functionality is also configured in SCI as an application with a different end-point configuration.
In the previous section you exported the users list in a CSV file and now you need to go to Import Users and import.
Once imported you can send emails to the users with a link to set up their passwords.
You can always reset the password for a specific user and send the authentication information email in the User Management Section.
For more Information about SCI refer to SAP documentation.
Now your S/4HANA Cloud system is set up and ready for users to Log-In! You can create Custom Roles, assign Catalogs and users to them and configure your launchpad. (Not covered in this serie of Blogs)
See you soon ;)!