Skip to Content
Technical Articles
Author's profile photo Ivelina Kiryakova

Get Your Hands On SAP Identity Management 8.0 S/4HANA Connector

It’s time to move on from any workaround you might have implemented so far to connect SAP Identity Management 8.0 with SAP S/4HANA on-premise.

As of SAP Identity Management (IDM) 8.0 SP08, you can take advantage of the new S/4HANA connector to integrate an S/4HANA system into your IDM landscape for managing and provisioning business users.

This connector is developed and delivered based on your requests submitted in the SAP Customer Connection program. The results are in! Let’s see if they meet your needs and expectations!

Before You Start

You must be running SAP IDM 8.0 SP08 or higher and SAP S/4HANA on-premise 2005 or higher.

You should always use the S/4HANA connector along with the ABAP or the Business Suite connector, as this will ensure data synchronization between IDM, S/4HANA and ABAP.

You need to be familiar with the supported scenarios, so that you know what you can achieve. There are two scenarios for using the S/4HANA connector depending on whether the S/4HANA integration with a human resource (HR) system is active or inactive.

HR Integration is Active

When HR integration is active, business users from the HR system are replicated to S/4HANA. Synchronization of business users between both systems is managed with a scheduled sync report.

The S/4HANA connector can only be used if you have run the ABAP or Business Suite initial load job and want to load business users with the new S/4HANA attributes supported by IDM. Creating, modifying or deleting business users and provisioning the changes to S/4HANA is not possible.

For more information, see: HR integration is active

HR Integration is Inactive

When HR integration is inactive, the HR integration switch in S/4HANA is deactivated. The S/4HANA connector can be used for loading and managing business users to and from an S/4HANA system just like any other IDM connector is used for managing users in the corresponding systems.

For more information, see: HR Integration is Inactive

Connecting an S/4HANA System

Once ready, follow the well-known steps to connect IDM to your S/4HANA system.

1. Import the S/4HANA connector package.

See: Importing the Provisioning Framework for SAP Identity Management 8.0

2. Create a repository of type S4HANA and configure the repository constants.

See: Repository Constants for SAP S/4HANA

3. Run the ABAP or the Business Suite initial load job.

Recommendation: If you have an SAP S/4HANA system with existing business users, it is mandatory to run the ABAP or the Business Suite initial load job before the S/4HANA initial load. Otherwise, if S/4HANA initial load is run first, this might cause an issue, where two separate person entries are created in IDM – the SU01 user and its linked business partner, for one and the same business user in S/4HANA. IDM does not support cases where one business user is represented by two person entries.

See: Two Identities One Business Partner section in S/4HANA Initial Load Job

4. Read the value help of S/4HANA attributes.

Note: Due to technical constraints, IDM cannot provide an option to read value help from S/4HANA. Therefore, you need to manually read the value help of the S/4HANA attributes. See Defining Attribute Value Help

5. Run the S/4HANA initial load job. See: S/4HANA Initial Load Job

Creating an S/4HANA User

Now that you established the connection, you can create a new user in IDM User Interface (UI) and provision it to S/4HANA.

We assume that the SU01 user does not exist neither in ABAP, nor in IDM.

1. Create a user in IDM UI with MX_S4HANA_USERASSIGNMENT_USERID (on the Settings tab) equal to the MSKEYVALUE (on the General tab) and fill in all mandatory attributes (including the Business Partner Role Code).

This is the standard way to create a business user in IDM and provision it to S/4HANA. For other possible options, see: Creating an S/4HANA Business User

For more information about supported S/4HANA attributes, see: S/4HANA Attributes

2. Assign the ABAP and SAP S/4HANA account privileges to the user and save your changes.

Modifying an S/4HANA User


When modifying S/4HANA business user attributes, note that it depends on whether the user assignment between S/4HANA business partner and the SU01 user is active or non-active. See: Modifying S/4HANA Business User

User Assignment is Active

Once the user assignment is active, you can no longer change the attribute MX_S4HANA_USERASSIGNMENT_USERID of the S/4HANA business partner. However, you can modify certain attributes (other than those starting with MX_S4HANA) using either the ABAP or Business Suite connector, or the S/4HANA connector.

User Assignment is Non-Active

If the user assignment is non-active, you can change the attribute MX_S4HANA_USERASSIGNMENT_USERID of a business partner and link it to a different SU01 user.

If you had a good read, get your hands on the S/4HANA connector.

Let us know what you think and what can be improved!

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Ronald Nobbe
      Ronald Nobbe

      Hi Ivelina,

      At Maastricht University we are about to set up a connection between SAP IDM 8.0 SP08 and SAP S/4HANA on-premise. This SAP S/4HANA on-premise system is a green field implementation which will run alongside our already existing SAP ECC (with HRM). So, we have no HR data nor BP data in our S/4HANA system. Furthermore we are implementing SuccessFactors (EC) as well as Ariba as new SaaS systems.

      We are not sure whether we should have HR activation active or HR activation inactive. What are deciding factors to determine this?

      Next, we wonder why you should have the S/4Hana connector along with the ABAP Business Suite connector? Are they complementary? Where is the S/4Hana connector different to the ABAP Business Suite connector?

      Kind regards,

      Ronald Nobbe

      Author's profile photo Ivelina Kiryakova
      Ivelina Kiryakova
      Blog Post Author

      Hi Ronald,

      When using SAP IDM, the difference between choosing HR active or inactive scenario is that with HR active, the S/4HANA connector is mainly used for reading data. As your question is more on the deciding factors why choose one scenario over another, I suggest you look at the S/4HANA documentation. I hope this could help: Business User Concept and Business User

      With regards to using S/4HANA connector along with the Business Suite connector, this is needed for ensuring data synchronization between SAP IDM, SAP S/4HANA and ABAP. In an S/4HANA system, users are managed by three services. The S/4HANA connector uses the following two: SOAP API – QUERYBUSINESSUSERIN (for reading data from S/4HANA) and SOAP API MANAGEBUSINESSUSERIN (for writing data to S/4HANA), while the Business Suite connector is needed for the third one: SAP BAPI (for reading and writing ABAP specific attributes).

      Best regards,


      Author's profile photo Suhani Chamankar Deloitte IDAM
      Suhani Chamankar Deloitte IDAM


      We are trying to integrate SAP IDM on-prem to  S4 HANA on-prem solution.


      The S/4HANA connector uses the following SOAP API – QUERYBUSINESSUSERIN


      What should be the URL to access this API ? We need to populate the connector constants :SOAP_SERVICE_PREFIX. What should this string value be ?


      Please help to respond. Thanks.


      Author's profile photo Adriana Daskalova
      Adriana Daskalova

      Hi Suhani,

      You can find a description of the SOAP_SERVICE_PREFIX constant in Repository Constants for SAP S/4HANA.

      Best regards,


      Author's profile photo Jiri Dolezel
      Jiri Dolezel

      The most important part is missing... How to activate Web Services so IDM can reach S/4 with S4HANA connector.


      Found here:

      Configure Service Definitions

      Call up transaction SOAMANAGER.n the SOA Manager, choose Service Administration,   Simplified Web Service Configuration.

      In the search bar, enter ManageBusinessUserIn & QueryBusinessUserIn.

      Choose Go.


      Select your preferred authentication method.

      Choose Save.