User Authentication in SAP Central Business Configuration
SAP Central Business Configuration is a new tool that will make it possible to configure business processes spanning multiple SAP cloud solutions from one central place. SAP Central Business Configuration will first allow the configuration of SAP S/4 HANA Cloud but aims at the seamless implementation of end-to-end business processes across SAP’s intelligent enterprise.
In this blog post, we will see how to manage business users in Central Business Configuration.
Initial Handover Emails
After the contract is signed with SAP, the IT administrator at the customer will receive two handover emails, as shown below.
- The first email is for accessing SAP Central Business Configuration System. This email will contain links for Central Business Configuration, Identity Authentication, and Identity Provisioning.
- The second handover email is for Identity Authentication. This email comes with the access information for SAP Cloud Platform Identity Authentication. Again, the IT person specified in the contract will be the owner of this system. The IT administrator should reset his/her password and access this tenant as the first step. The IT contact person can access SAP Identity Provisioning with the same credentials as for SAP Identity Authentication Services.
The below diagram outlines the end-to-end process steps involved in user management within SAP Central Business Configuration. The highlighted steps are manual checks to ensure initial password resets have been carried out. Once you complete the activity of resetting the password in the admin console, you will be able to access the Identity Authentication system. Let’s start the further process, step by step.
Configuring the Subject Name Identifier for the Logon:
Next, you have to set the subject name identifier to Login Name. In the Identity Authentication Administration Console, go to the Applications & Resources tab, click on Applications, and navigate to the CBC application. The name of the application created for SAP Central Business Configuration starts with XSUAA*. In this application, go to Subject Name Identifier, where you have the option to set Login Name as the basic attribute.
Please note: If a CBC business user tries to access CBC before the subject name identifier has been set to Login Name, the user will run into access issues. Ensure this setting is in place before FIRST ACCESS by a CBC user. We recommend sharing the CBC URL with business users only after this step is completed. Please refer to the blog for common access issues.
Running Jobs for Pushing Roles:
The next step is to replicate the user groups from Central Business Configuration to the Identity Authentication System. These user groups are a prerequisite for the steps that follow.
For this activity, go to the Identity Provisioning System using the link provided in the initial Central Business Configuration handover mail.
In the Identity Provisioning System, go to the source systems and make sure that the source system is Central Business Configuration, because the data has to be brought from Central Business Configuration into the Identity Authentication System. Then run the background job.
As soon as you click Run Now, the batch program runs. All the user groups will appear in the user group section of the Identity Authentication Service system.
Please note: If you are doing this activity for the first time, you need to replicate the user groups from Central Business Configuration to Identity Authentication Services first, because all the user groups relevant to Central Business Configuration are pre-delivered with Central Business Configuration.
In the Central Business Configuration environment, you must bring these from Central Business Configuration into Identity Authentication Services; only then will you be able to assign user groups to the users. This job must be run only once. Running this job multiple times might impact the user group assignments.
Creating Business Users and Providing Access Rights:
The next step is to go to the home page, open user management, create a new user by entering the user's basic details, and click Save. The user is then created in the system and receives an activation email.
Assigning User Groups:
For the next activity, choose the user group section in the Identity Authentication System and click on Assign User Groups. All the standard user groups are visible there.
Based on the access requirement, you can assign the specific user group to the user by clicking the Add button under the required role, as shown in the image below.
Please note: For every business user, verify that the status is Active, and the Login Name fields are maintained to avoid access issues.
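The check in the note above can be scripted and run before the replication job. This is an added example, not part of the original post or of SAP's tooling; it assumes the user records are available as a SCIM 2.0 ListResponse in JSON, with Login Name mapped to `userName` and status to `active`. The field mapping, the group name and the sample data are assumptions.

```python
import json

# Constructed sample data: a SCIM 2.0 ListResponse as a user export might look.
SAMPLE_EXPORT = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "cbc.lead", "active": True,
         "groups": [{"display": "EXAMPLE_CBC_GROUP"}]},
        {"id": "u2", "userName": "", "active": True,
         "groups": [{"display": "EXAMPLE_CBC_GROUP"}]},
        {"id": "u3", "userName": "cbc.viewer", "active": False, "groups": []},
        {"id": "u4", "userName": "CBC.Lead", "active": True,
         "groups": [{"display": "EXAMPLE_CBC_GROUP"}]},
    ],
})


def audit_users(export_json):
    """Return {user id: [problems]} for users likely to hit access issues."""
    users = json.loads(export_json).get("Resources", [])
    findings = {}
    seen = {}  # lower-cased login name -> id of the first user holding it

    for user in users:
        uid = user.get("id", "<no id>")
        problems = []
        login = (user.get("userName") or "").strip()

        if not login:
            problems.append("login name not maintained")
        else:
            # Assumption: login names that differ only in case are flagged,
            # because the login name is used as the subject name identifier.
            key = login.lower()
            if key in seen:
                problems.append(f"login name collides with {seen[key]}")
            else:
                seen[key] = uid
        if user.get("active") is not True:
            problems.append("status is not Active")
        if not user.get("groups"):
            problems.append("no user group assigned")
        if problems:
            findings[uid] = problems
    return findings


if __name__ == "__main__":
    for uid, problems in audit_users(SAMPLE_EXPORT).items():
        print(uid, "->", "; ".join(problems))
```

Users that appear in the result should be corrected in Identity Authentication before the replication job is run.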
Replication of User from IAS to CBC
The next step is replicating users with assigned user groups from the Identity Authentication System to Central Business Configuration. Here again, you need to go back to the Identity Provisioning System and run the background job again, this time with Identity Authentication as the source system. Once this activity completes, the newly created user with the assigned user groups will be available in the Central Business Configuration System.
You can check and confirm this by logging in to the Central Business Configuration System (the Central Business Configuration URL is available in the handover mail from SAP).
Please note: Whenever the login name of a user changes as a result of uploading the IDP file from the S/4 HANA Cloud system to the Identity Authentication Service system as per the help link, make sure that the background jobs in Identity Provisioning Services with the Identity Authentication System as source system are run.
Based on the emails received by the customer, the below diagram shows the different systems involved:
Note: User groups are used only in SAP Central Business Configuration.
Identity Authentication System: The Identity Authentication service provides you with controlled cloud-based access to business processes, applications, and data. It simplifies your user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options.
The Identity Authentication System is shared across SAP Central Business Configuration and the SAP S/4HANA Starter and Quality tenants. As before, the SAP S/4HANA Cloud Production system has a separate productive Identity Authentication tenant.
Identity Provisioning System: The Identity Provisioning system acts as a bridge between SAP Central Business Configuration and the Identity Authentication System. It manages identity lifecycle processes for cloud and on-premise systems. The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their authorizations to various cloud and on-premise business applications.
Note: For IPS tenants that were provisioned in the second half of March 2022 or later, IAS administrators can access IPS directly (with IAS credentials); the S-user is no longer required. In IAS, the attribute “Manage Identity Provisioning” must be active for the administrator.
Central Business Configuration: As I mentioned, SAP Central Business Configuration is a new tool that will make it possible to configure business processes spanning multiple SAP cloud solutions from one central place. To start with, SAP Central Business Configuration supports the SAP S/4HANA Cloud implementation experience. SAP Central Business Configuration is connected to the S/4 HANA Starter, Quality, and Production systems.
User management in SAP S/4HANA Cloud remains the same as before.
For further details about SAP Central Business Configuration, please refer to the blog posts below:
- Simplifying SAP S/4HANA Cloud Implementation Experience for Customers with SAP Central Business Configuration
- Empowering SAP S/4HANA Cloud customers with SAP Central Business Configuration
- Guided Framework for Simplified Organizational Structure Set up in CBC for SAP S/4HANA Cloud
Now you should be able to define the users in SAP S/4 HANA Central Business Configuration. Please let me know if you have any feedback or comments.
Very good information. Thanks for sharing.
Great information DHANASHREE BIRADARPATIL ... This will immensely clarify the authentication procedure in CBC
Useful article and clear procedure. Nice job!
Hi DHANASHREE BIRADARPATIL,
Thank you for this blog, and two questions:
For example, say 3 users were created for using CBC - User X, User Y, and User Z. Whereas, the number of users created for using S/4HANA Cloud can be say 5 - User A, B, C, D & E. Is this understanding correct?
Thank You !!
1. Yes, this could be a customer scenario but ABCDE will not be doing any configuration in CBC, and also XYZ only has access to CBC where they explore phase activity but not configurations as they do not have access to S/4 HANA Cloud.
2. Yes, these users are created manually.
Is SAP Central Business Configuration available for S/4HANA Private Edition (included in RISE)?
Thanks for your help