Understanding the Initial Login and Identity Setup for S/4HANA Cloud (Public)
Recently we have seen a lot of queries and posts regarding the Initial Logins and the Identity Setup for S/4HANA Cloud Essential Edition where Consultants/Partners and Customers are eager to know more about the Identity and initial login for the S/4HANA Cloud Essential systems. I will try to illustrate and simplify the concept in the most basic way and also provide a one-stop-shop for all the available resources like accelerators, blog posts and videos combined related to this topic.
Following you will see two approaches to understand this process:
1) Micro-Learning Video – For viewers wanting a quick glance or revise on the concept of Initial Login & Identity Setup for S/4HANA Cloud Essentials (9 mins watch)
2) Detailed Blog – For viewers wanting to go through the concept in detail and correlate the associated steps in detail for each item explained (15 mins read)
Micro-learning Video –
Now to start with, it is of utmost importance to understand about the types of systems you will receive and its purpose as a part of your S/4HANA Cloud Implementation journey.
1) Starter System – This system is the first system in sequence you will receive after you decide to start with S/4HANA Cloud Essentials journey. This system is pre-configured with SAP Best Practices and Demo Data for evaluation purpose. The same system and it’s configurations is used extensively for the Fit-to-Standard workshops. The validity of the Starter System is only 30 days after you receive the Production System
2) Quality System – This system is the Quality Assurance System and will be requested from the the Starter system. The main objective of this system is to perform configurations and different types of testing which are required for business processes intended to operate one’s business. This system is utilized to preform configuration sprints and to transport required design to be moved into the upcoming Production System. The validity of this system remains as long as customer owns the Solution subscription along with Production system
3) Production System – This is the Customer’s productive environment where the intended business operations are performed. This system is requested from the Quality system over designated phases as per Activate Roadmap and contains configurations confirmed from the Quality Systems. The validity of this system remains as long as customer owns the Solution subscription.
The SAP Cloud Platform Identity Authentication Service
With an understanding of the types of systems and it’s usage, now we proceed to understand how the initial login works into these systems and how the identity is setup. Please make a note that for S/4HANA Cloud Essentials, the default authentication and identity service is provided by SAP Cloud Platform Identity Authentication Service (IAS). This is the central entry point (entry login page) for all the key business users to login into the S/4HANA Cloud Essential Systems (may it be Starter/Quality or Production System). What we understand as systems in S/4HANA Cloud essentials world are known as tenants in the SAP Cloud Platform Identity Authentication Service world, hence not to get confused if one says logging into Quality Tenant instead of Quality System.
Having said this, we need to note down that each type of system mentioned above is mapped with IAS tenant application. The starter and the Quality is mapped with one IAS tenant and Production is mapped to a separate IAS tenant. So every customer will have two IAS tenants upon receiving all types of systems. The SAP Cloud Platform Identity Authentication Service is provided in built for S/4HANA Cloud Essential contracts and holds no separate license/subscription.
Tip: In case the customer already owns another cloud solution whose identity and authentication is mapped with the SAP Cloud Platform Identity Authentication Service, the S/4HANA Cloud Essential systems will automatically check and map the S/4HANA Cloud Essential Systems with the already existing SAP Cloud Platform Identity Authentication Service tenants accordingly.
What is Initial Login?
As the customer/partner moves ahead with the S/4HANA Cloud Essentials implementation journey as per the Activate Roadmap, it is essential to understand the on-boarding procedure. Initial Login is the starting point for the further on-boarding journey. Every customer will have to maintain an IT Contact Person as a key and mandatory contact for the customer with a valid and working email ID. It is of prime importance to have an individual email ID valid, up to date and in working condition to receive emails on time or it might delay the overall project duration. This contact will be the front runner of receiving all the required confidential as well as general communications with respect to the S/4HANA Cloud implementation journey for initial logins. This contact will be receiving the initial login mails per system and is also responsible to initiate the on-boarding journey. For every system being provisioned, there are 3 emails this contact will receive ->
1) Initial Technical User Name and System URL Details -> This is a user who can login to the S/4HANA Cloud essentials directly with the URL provided in the same mail
2) Initial Password of the technical user -> This is strictly a confidential password only received by the IT contact person to login to the S/4HANA Cloud System directly using the provided technical user name
3) Admin Access to the SAP Cloud Platform Identity Authentication Service -> A mail with details about the identity provider setup over the SAP Cloud Platform with admin access is sent to the same IT contact person
Tip: The initial technical user is meant only for temporary use. It is highly recommended creating the employee and business user for the administrator. This business user can then create further employees and their respective business users, once the realize phase is reached. User name, e-mail address, and other available attributes related to the user have to be identical in the SAP S/4HANA Cloud system and in your corporate identity provider.
OBJECTIVE: The ultimate objective of the initial login and identity setup is to create admin business users and additional business users with relevant business roles in S/4HANA Cloud Essential Systems. Once this is done, the next step is to trigger those users for activation emails from SCP IAS in order for them to login into the S/4HANA Cloud Essential systems. Thing to note here is that default authentication identity for S/4HANA Cloud Essentials is setup on SCP IAS.
In the user onboarding and identity setup journey you will broadly come across below types of users depending on their functions:
- Initial Technical User/IT Contact Person – Temporary user who receives the login mails and is responsible for creating the Business users with Administrator roles in S/4HANA Cloud Systems and create further SCP IAS admins
- Administrator Business User – The administrator has very technical tasks related to setting up the system for all other users. For example, responsibility for creating users, assigning roles and authorizations to users, setting up connections between SAP S/4HANA Cloud and other software is part of the administrator’s tasks etc.
- Configuration Expert User- The configuration expert is responsible for adjusting SAP S/4HANA Cloud to the company-specific requirements, for example, by using the Configure Your Solution app
- Business Key & End User – The business key and end users are users in the company who fulfill the business processes, tasks of a particular department and may or may not be directly related to the implementation depending on their business roles and catalogs
- Other Users – There are other users too like communication, developer, print users etc. who fulfill functions like integrations, extensions, output management etc. for the business solution depending on the requirement of the company’s business processes
WORKFLOW : Below illustrated is the workflow sequentially how user onboarding is performed across multiple systems:
A] Administrator User Creation in the Systems
Tip: The SCP IAS initial admin has an option to create multiple administrators after logging into the SCP IAS Admin Console. This is illustrated in the help.sap.com documentation – Add Administrators
Steps 1, 2, 3 and 4 are documented in the help.sap.com documentation in the below links:
Steps 5, 6 and 7 are documented in the help.sap.com documentation in the below link:
B] Additional Business User Creation in the Systems
Step 1, 2 and 3 are documented in the help.sap.com documentation in the below link:
Step 4 and 5 are documented in the help.sap.com documentation in the below link:
NOTE: There is an exception in the Q system during the Preset Phase where an additional step of creating Configuration Expert User and Role is required to start with the initial configurations. Here the The configuration expert will receive a registration e-mail to access your SAP S/4HANA Cloud system.
The configuration user has to complete the initial setup of the quality system. Once the initial setup is complete and the quality system is active, you can create the administrator business user.The steps are mentioned in the help.sap.com documentation -> Creating the Preset Configuration User (Quality System Only)
You can find all the details regarding the complete on-boarding process and setting up on identity in the below links:
- help.sap.com – User Types and Authorization concept
- help.sap.com – User On-boarding
- Activate roadmap – Starter System Initial Access – Discover Phase
- Activate roadmap – Identity and Access Management Planning and Design – Explore Phase
- Activate roadmap – Quality System Initial Access – Realize Phase
- Activate roadmap – Production System Initial Access – Realize Phase
- help.sap.com – SAP Cloud Platform Identity and Authentication Service
- Blog: Identity and Access Management S/4HANA Cloud Essentials
- Blog: User Management Overview in S/4HANA Cloud Essentials
- Video – User Authorization in S/4HANA Cloud Essentials