Since November 2018 SAP has released a new connector for S/4HANA Cloud systems in SAP Cloud Platform Identity Provisioning Service (we will call it IPS in the rest of this article). With this new connector, we can now add the new S/4HANA Cloud system into the SAP centralized identity management landscape. We’ve started a pilot project at a customer in Germany and have successfully implemented the integration between S/4HANA Cloud and IPS+IDM (a hybrid IDM solution) for user management. Here I would like to share some experiences about this integration.
I’ve decided to divide this article into 2 parts. Since both the connector and the S/4HANA Cloud system are quite new, I would like to first introduce some basic user management concepts in the S/4HANA Cloud system and share some of the design considerations in the 1st part, so that you have a better understanding of the background of the project. In the 2nd part I will focus on the technical integration and share some hands-on information with you.
Let’s first take a look at the S/4HANA Cloud system. The first time I heard of this new system, I thought it would be just “an S/4HANA system on the cloud”. But in fact the S/4HANA Cloud system has a very different system architecture and a different set of APIs compared to S/4HANA on-premise. Therefore, the way to integrate S/4HANA Cloud with IDM is also very different from the S/4HANA on-premise system.
Before we talk about the user management in S/4HANA Cloud system, we need to first know some basic concepts related to user management in S/4HANA Cloud system. They are mainly Business Partners, Business Users and Business Roles.
- Business Partners: the business partner is not something new in the S/4HANA Cloud system. In the old ABAP world we also have a similar concept in some of the applications, e.g. ERP, CRM, SRM. In short, business partners are the central master data objects, which host the complete person profile in the S/4HANA system. Business Partners cover all kinds of personal profiles, including employees, externals, customers, suppliers, etc.
- Business Users: Business Users in the S/4HANA Cloud system are the technical user accounts, which can be used to log in to the S/4HANA system and perform operations. You can compare them with SU01 users in an ABAP system. The big difference here is that in ABAP you could create standalone SU01 users without Business Partner records, while in S/4HANA Cloud each Business User is linked to exactly one Business Partner. A Business User can only be created in S/4HANA Cloud if a Business Partner for this person already exists. Additionally, the master data of a Business User always comes from the Business Partner and cannot be maintained separately in the Business User anymore. If we take a closer look at the relation between Business Partners and Business Users, there can be persons existing in S/4HANA Cloud as Business Partners without Business Users, meaning they have no access to the S/4HANA Cloud system. Typical examples here are the Business Partners for customers and suppliers. But each Business User must have a Business Partner record.
- Business Roles: Business Roles are sets of authorization objects in S/4HANA, which can be assigned to Business Users and define which users can do what in the system. Since the focus of this guide is not on role management itself, we are not going to dive deeply into the Business Role concept in S/4HANA. From the user management perspective, it is not much different from PFCG roles in ABAP. You can assign them to users or unassign them from users, either in the S/4HANA Cloud system itself or via an external IDM system.
After having clarified the above concepts, when we talk about user management in S/4HANA Cloud, we can focus on the following 3 scenarios:
- Scenario 1: Management of Business Partners (mainly the master data management)
- Scenario 2: Lifecycle management of Business Users (without master data management)
- Scenario 3: Authorization Management of Business Users
There is a set of tools inside S/4HANA Cloud which can be used to cover the above scenarios. Since the focus of this guide is on the S/4HANA Cloud and IDM integration, I will not describe those tools here in depth.
Business Partner management can be done in multiple ways:
- Option 1: Local manual management with built-in apps
- Option 2: CSV interface for file uploading
- Option 3: Integration with SuccessFactors Employee Central
- Option 4: Integration with SAP HCM or other third party HCM system
- Option 5: Integration with IPS or IPS+IDM
Option 1 and 2: The first 2 options are manual management, which is quite straightforward. We will not describe them here in depth.
Option 3: If the customer already has SuccessFactors Employee Central in place and uses it actively as the central HCM system, the SF integration would definitely be the best option for Business Partner management in S/4HANA Cloud. There is a standard integration available between SF and S/4HANA Cloud.
Option 4: If the customer does not have SuccessFactors Employee Central but uses SAP HCM or another third-party HCM system, a direct integration between S/4HANA Cloud and the external HCM system is still possible. There is a SOAP-based web service API available in S/4HANA Cloud (scenario SAP_COM_0301), and a custom development in the external HCM system is needed here.
Option 5: The last option would be to use the S/4HANA Cloud connector in IPS. Upon the user creation/modification process, the connector can also create/update the Business Partners in S/4HANA Cloud. But I don’t think this is the best-practice option for Business Partner management, because:
- With the IPS connector you cannot easily separate Business Partner creation from Business User creation, because both the Business Partner and the Business User are created in one step. It means you cannot create a Business Partner in S/4HANA Cloud without a Business User. But in reality, there can be a lot of externals, customers and suppliers who need to be created as Business Partners in S/4HANA Cloud but do not need Business Users to access the S/4HANA Cloud system. Even among the employees, not all of them need to have Business Users in S/4HANA Cloud. If we use the IPS connector also for Business Partner management, we would end up creating lots of unnecessary Business Users in the S/4HANA Cloud system, which might lead to additional license cost.
- The IPS/IDM system is by nature not the best-suited system to manage master data. The focus of the IDM system is login account management, not the entire master record of a person. There are many more attributes available in the master data record that are not needed in IDM. Either we have to use IDM to manage only a subset of the master record (then we still have to deal with the other parts of the master record), or we need to load the complete set of master data from an HCM system into IDM and then sync it to S/4HANA, which would result in unnecessary redundant data storage in IDM.
As a short summary, the best option for Business Partner management is a direct integration with the source system that hosts the master data records. As we know, different types of Business Partners may be hosted in different systems. For example, SAP HCM is the source system for employee master data and another application hosts the externals’ master data. In this case, the integration needs to be implemented in each of the source systems. If IDM is the source system hosting the externals, it is still worth considering a custom development directly against the API SAP_COM_0301 in order to keep Business Partner management and Business User management separate.
One thing to notice is that once the HR integration for Business Partners in the S/4HANA system is switched on, e.g. the integration with SF EC, the IPS connector cannot be used to create and maintain the Business Partners in S/4HANA Cloud anymore. It is designed like this to avoid conflicts in Business Partner maintenance.
Scenario 2 & 3:
For the lifecycle and authorization management of Business Users in S/4HANA Cloud, we can utilize the S/4HANA Cloud connector in IPS and integrate S/4HANA Cloud into IPS and IDM. If the customer has a pure cloud landscape, IPS alone might be sufficient. If the customer has a mixed application landscape containing cloud and on-premise applications, a hybrid IDM solution with IDM+IPS is recommended. The S/4HANA Cloud connector is supported in both cases.
In our project, based on the customer’s requirements and landscape, the following design decisions have been made and implemented:
- Management of Business Partners with SAP HCM integration
A custom development has been made against S/4HANA Cloud API SAP_COM_0301. We will not focus on this part in this article.
- Management of Business Users and Business Role assignments with a hybrid IDM solution (IPS + IDM). The following scenarios have been implemented here:
- Business User creation
- Business User modification
- Business User deletion
- Business User lock/unlock
- Business Role assignments and unassignments
This is more or less what the S/4HANA Cloud connector in IPS can currently do.
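To make the object model and the design decision above concrete, here is an added illustration (not SAP code, and not the IPS connector or the S/4HANA Cloud API): an in-memory stand-in for the tenant that enforces the rule that a Business User needs an existing Business Partner, lets Business Partners exist without users, hangs Business Roles off the user, and applies the chosen split where master data flows from HCM while only persons needing access get a Business User. The class and function names, the `needs_access` flag and the sample HCM records are all assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class BusinessPartner:
    bp_id: str
    category: str            # employee, external, customer, supplier

@dataclass
class BusinessUser:
    user_name: str
    bp_id: str               # linked to exactly one Business Partner
    locked: bool = False
    roles: set = field(default_factory=set)

class S4CloudTenant:         # constructed in-memory stand-in, not the real API
    def __init__(self):
        self.partners, self.users = {}, {}

    def upsert_partner(self, bp):             # Scenario 1: master data from HCM
        self.partners[bp.bp_id] = bp
    def create_user(self, user_name, bp_id):  # Scenario 2: what IPS drives
        if bp_id not in self.partners:
            raise ValueError(f"no Business Partner {bp_id}: create it first")
        self.users[user_name] = BusinessUser(user_name, bp_id)
        return self.users[user_name]
    def set_lock(self, user_name, locked):
        self.users[user_name].locked = locked
    def delete_user(self, user_name):         # the Business Partner remains
        del self.users[user_name]
    def assign_role(self, user_name, role):   # Scenario 3: roles on the user
        self.users[user_name].roles.add(role)
    def unassign_role(self, user_name, role):
        self.users[user_name].roles.discard(role)

def sync_from_hcm(tenant, persons):
    """Chosen design: every person becomes a Business Partner, but only those
    flagged for system access get a Business User. Returns (partners, users)."""
    for p in persons:
        tenant.upsert_partner(BusinessPartner(p["bp_id"], p["category"]))
        if p["needs_access"]:
            tenant.create_user(p["user_name"], p["bp_id"])
    return len(tenant.partners), len(tenant.users)

SAMPLE_PERSONS = [  # constructed HCM extract, not real data
    {"bp_id": "1000", "category": "employee", "user_name": "a.mueller", "needs_access": True},
    {"bp_id": "1001", "category": "employee", "user_name": "b.schmidt", "needs_access": False},
    {"bp_id": "2000", "category": "supplier", "user_name": None, "needs_access": False},
]
```

Running `sync_from_hcm` over the sample yields three Business Partners but a single Business User, which is the outcome the one-step IPS approach in Option 5 cannot produce.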
In part II, I will focus on the implementation steps for the S/4HANA Cloud and IPS+IDM integration.