User Authentication in SAP Central Business Configuration
SAP Central Business Configuration is a new tool that will make it possible to configure business process spanning multiple SAP cloud solutions from one central place. SAP Central Business Configuration will first allow the configuration of SAP S/4 HANA Cloud but aims at seamless implementation of end-to-end business processes across SAP’s intelligent enterprise.
In this blogpost we will see how to manage business users in Central Business Configuration.
Initial Handover Emails
After contract is signed with SAP, the IT administrator at customer will receive four handover emails as shown below.
- The first email is for accessing SAP Central Business Configuration System. This email will contain links for Central Business Configuration, Identity Authentication, and Identity Provisioning. You should use your S User credentials to login to Identity Provisioning
- The second email is for accessing SAP S/4HANA Cloud Starter system URL and Initial User ID. This email contains the Initial Technical User.
- The Third handover mail is for Initial Password set up in SAP S/4HANA Cloud Starter system.
- Fourth and last handover email is for Identity Authentication. This email comes with the access information to the SAP Cloud Platform Identity Authentication. Again, the IT person specified in the contract will be the owner of this system. The IT Administrator should reset his/her password and access this tenant as the first step.
The below diagram outlines the end-to-end process steps involved in user management within SAP Central Business Configuration. The highlighted steps are manual check to ensure initial password resets have been carried out. Once you complete the activity of resetting the password in the admin console, you will be able to access the Identity Authentication system. Let’s start the further process, step by step.
Next, you have to set subject name identifier, according to your log in preference. Go into application and resources tab and click on applications and navigate to the administration console and go to subject name identifier there you have an option set basic attribution as per your requirement.
Next step is to go to home page and go into user management and create new user with the help of basic details of user and click on save. After that you will see that user is created in the system and user will receive an activation email as well.
Next step that you need to do is assign the users groups to the users, these user groups are nothing but our prerequisites.
Please note: if you are doing this activity for the first time you need to replicate the user groups from Central Business Configurations to Identity Authentication Services first because, all the user groups relevant with Central Business Configuration are pre delivered with Central Business Configuration
In the Central Business Configurations environment, you must bring these from Central Business Configurations into Identity Authentication Services, then you will be able to assign user groups to the users.
For this activity you need to go to the Identity Provisioning System with the help of link provided in the Initial Central Business Configurations handover mail.
In Identity Provision System you need to get in to the Source system, here you need to ensure that the source system is Central Business Configurations, and need to bring data from Central Business Configurations to Identity Authentication System , then you have to run the background Job.
The moment you can click on run now the batch program runs. All the user groups will appear in Identity Authentication Service system user group section.
For next activity you need to come to Identity Authentication System and choose user group section, click on assign user groups, there you will find all the standard user groups are visible.
Based on the access requirement you can assign the specific user group to the user, by clicking on User management tab and user as shown in below image.
Next step is replicating users and user groups from Identity Authentication System to Central Business Configurations. Here again you need to get back to the Identity Provisioning System to run the background job again with Identity Authentication Services as source system. Once this activity completes the newly created user with assigned user groups will be available in the Central Business Configuration System.
You can check and confirm via logging in to the SAP Central Business Configuration System (SAP Central Business Configuration URL is available in the handover mail from SAP).
Note: Whenever there is change in user/ user groups, you must run the background jobs in IPS.
Based on the emails that’s is received by the customer, below diagram shows the different systems involved:
Note: User groups are used only in SAP Central Business Configuration.
Identity Authentication System: The Identity Authentication service provides you with controlled cloud-based access to business processes, applications, and data. It simplifies your user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options.
Identity Authentication System shared across SAP Central Business Configuration, SAP S/4HANA, Starter and Quality tenants. Like before SAP S/4HANA Cloud Production system has a separate productive Identity Authentication tenant.
Identity Provisioning System: Identity Provisioning system acts like a bridge between SAP Central Business Configuration and Identity Authentication System,
Manage identity lifecycle processes for cloud and on-premise systems. The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their authorizations to various cloud and on-premise business applications.
Customers can access the system via S- User credentials.
Central Business Configuration: As I mentioned SAP Central Business Configuration is a new tool that will make it possible to configure business process spanning multiple SAP cloud solutions from one central place. To start with, SAP Central Business Confugaration supports SAP S/4HANA Cloud implementation experience. SAP Central Business Configuration is connected to S/4 HANA Starter, Quality, and Production systems.
User management in SAP S/4HANA Cloud remains the same as before.
For further details about SAP Central Business Configuration please refer below blogposts:
- Simplifying SAP S/4HANA Cloud Implementation Experience for Customers with SAP Central Business Configuration
- Empowering SAP S/4HANA Cloud customers with SAP Central Business Configuration
- Guided Framework for Simplified Organizational Structure Set up in CBC for SAP S/4HANA Cloud
Now you would be able to define the users in SAP S/4 HANA Central Business Configuration. Please let me know if you have any feedback or comments.