Technical Articles
Get Your Hands On SAP Identity Management 8.0 S/4HANA Connector
It’s time to move on from any workaround you might have implemented so far to connect SAP Identity Management 8.0 with SAP S/4HANA on-premise.
As of SAP Identity Management (IDM) 8.0 SP08, you can take advantage of the new S/4HANA connector to integrate an S/4HANA system into your IDM landscape for managing and provisioning business users.
This connector is developed and delivered based on your requests submitted in the SAP Customer Connection program. The results are in! Let’s see if they meet your needs and expectations!
Before You Start
You must be running SAP IDM 8.0 SP08 or higher and SAP S/4HANA on-premise 2005 or higher.
You should always use the S/4HANA connector along with the ABAP or the Business Suite connector, as this will ensure data synchronization between IDM, S/4HANA and ABAP.
You need to be familiar with the supported scenarios, so that you know what you can achieve. There are two scenarios for using the S/4HANA connector depending on whether the S/4HANA integration with a human resource (HR) system is active or inactive.
HR Integration is Active
When HR integration is active, business users from the HR system are replicated to S/4HANA. Synchronization of business users between both systems is managed with a scheduled sync report.
The S/4HANA connector can only be used if you have run the ABAP or Business Suite initial load job and want to load business users with the new S/4HANA attributes supported by IDM. Creating, modifying or deleting business users and provisioning the changes to S/4HANA is not possible.
For more information, see: HR integration is active
HR Integration is Inactive
When HR integration is inactive, the HR integration switch in S/4HANA is deactivated. The S/4HANA connector can be used for loading and managing business users to and from an S/4HANA system just like any other IDM connector is used for managing users in the corresponding systems.
For more information, see: HR Integration is Inactive
Connecting an S/4HANA System
Once ready, follow the well-known steps to connect IDM to your S/4HANA system.
1. Import the S/4HANA connector package.
See: Importing the Provisioning Framework for SAP Identity Management 8.0
2. Create a repository of type S4HANA and configure the repository constants.
See: Repository Constants for SAP S/4HANA
3. Run the ABAP or the Business Suite initial load job.
Recommendation: If you have an SAP S/4HANA system with existing business users, it is mandatory to run the ABAP or the Business Suite initial load job before the S/4HANA initial load. Otherwise, if S/4HANA initial load is run first, this might cause an issue, where two separate person entries are created in IDM – the SU01 user and its linked business partner, for one and the same business user in S/4HANA. IDM does not support cases where one business user is represented by two person entries.
See: Two Identities One Business Partner section in S/4HANA Initial Load Job
4. Read the value help of S/4HANA attributes.
Note: Due to technical constraints, IDM cannot provide an option to read value help from S/4HANA. Therefore, you need to manually read the value help of the S/4HANA attributes. See Defining Attribute Value Help
5. Run the S/4HANA initial load job. See: S/4HANA Initial Load Job
Creating an S/4HANA User
Now that you established the connection, you can create a new user in IDM User Interface (UI) and provision it to S/4HANA.
We assume that the SU01 user does not exist neither in ABAP, nor in IDM.
1. Create a user in IDM UI with MX_S4HANA_USERASSIGNMENT_USERID (on the Settings tab) equal to the MSKEYVALUE (on the General tab) and fill in all mandatory attributes (including the Business Partner Role Code).
This is the standard way to create a business user in IDM and provision it to S/4HANA. For other possible options, see: Creating an S/4HANA Business User
For more information about supported S/4HANA attributes, see: S/4HANA Attributes
2. Assign the ABAP and SAP S/4HANA account privileges to the user and save your changes.
Modifying an S/4HANA User
When modifying S/4HANA business user attributes, note that it depends on whether the user assignment between S/4HANA business partner and the SU01 user is active or non-active. See: Modifying S/4HANA Business User
User Assignment is Active
Once the user assignment is active, you can no longer change the attribute MX_S4HANA_USERASSIGNMENT_USERID of the S/4HANA business partner. However, you can modify certain attributes (other than those starting with MX_S4HANA) using either the ABAP or Business Suite connector, or the S/4HANA connector.
User Assignment is Non-Active
If the user assignment is non-active, you can change the attribute MX_S4HANA_USERASSIGNMENT_USERID of a business partner and link it to a different SU01 user.
If you had a good read, get your hands on the S/4HANA connector.
Let us know what you think and what can be improved!
Hi Ivelina,
At Maastricht University we are about to set up a connection between SAP IDM 8.0 SP08 and SAP S/4HANA on-premise. This SAP S/4HANA on-premise system is a green field implementation which will run alongside our already existing SAP ECC (with HRM). So, we have no HR data nor BP data in our S/4HANA system. Furthermore we are implementing SuccessFactors (EC) as well as Ariba as new SaaS systems.
We are not sure whether we should have HR activation active or HR activation inactive. What are deciding factors to determine this?
Next, we wonder why you should have the S/4Hana connector along with the ABAP Business Suite connector? Are they complementary? Where is the S/4Hana connector different to the ABAP Business Suite connector?
Kind regards,
Ronald Nobbe
Hi Ronald,
When using SAP IDM, the difference between choosing HR active or inactive scenario is that with HR active, the S/4HANA connector is mainly used for reading data. As your question is more on the deciding factors why choose one scenario over another, I suggest you look at the S/4HANA documentation. I hope this could help: Business User Concept and Business User
With regards to using S/4HANA connector along with the Business Suite connector, this is needed for ensuring data synchronization between SAP IDM, SAP S/4HANA and ABAP. In an S/4HANA system, users are managed by three services. The S/4HANA connector uses the following two: SOAP API – QUERYBUSINESSUSERIN (for reading data from S/4HANA) and SOAP API MANAGEBUSINESSUSERIN (for writing data to S/4HANA), while the Business Suite connector is needed for the third one: SAP BAPI (for reading and writing ABAP specific attributes).
Best regards,
Ivelina
Hi,
We are trying to integrate SAP IDM on-prem to S4 HANA on-prem solution.
The S/4HANA connector uses the following SOAP API – QUERYBUSINESSUSERIN
What should be the URL to access this API ? We need to populate the connector constants :SOAP_SERVICE_PREFIX. What should this string value be ?
Please help to respond. Thanks.
Hi Suhani,
You can find a description of the SOAP_SERVICE_PREFIX constant in Repository Constants for SAP S/4HANA.
Best regards,
Adriana
The most important part is missing... How to activate Web Services so IDM can reach S/4 with S4HANA connector.
Found here:
https://help.sap.com/docs/ABAP_PLATFORM_NEW/de55b3fdb209469397b4e1221c60b3e6/14851c8e864a4b24b9385a7473a53848.html?version=202009.000&locale=en-US
Configure Service Definitions
Call up transaction SOAMANAGER.n the SOA Manager, choose Service Administration, Simplified Web Service Configuration.
In the search bar, enter ManageBusinessUserIn & QueryBusinessUserIn.
Choose Go.
Select your preferred authentication method.
Choose Save.