Skip to Content
Product Information
Author's profile photo DHANASHREE BIRADARPATIL

User Authentication in SAP Central Business Configuration

SAP Central Business Configuration is a new tool that will make it possible to configure business process spanning multiple SAP cloud solutions from one central place. SAP Central Business Configuration will first allow the configuration of SAP S/4 HANA Cloud but aims at seamless implementation of end-to-end business processes across SAP’s intelligent enterprise.

In this blogpost we will see how to manage business users in Central Business Configuration.

Initial Handover Emails

After contract is signed with SAP, the IT administrator at customer will receive four handover emails as shown below.

  • The first email is for accessing SAP Central Business Configuration System. This email will contain links for Central Business Configuration, Identity Authentication, and Identity Provisioning. You should use your S User credentials to login to Identity Provisioning
  • The second email is for accessing SAP S/4HANA Cloud Starter system URL and Initial User ID. This email contains the Initial Technical User.
  • The Third handover mail is for Initial Password set up in SAP S/4HANA Cloud Starter system.
  • Fourth and last handover email is for Identity Authentication. This email comes with the access information to the SAP Cloud Platform Identity Authentication. Again, the IT person specified in the contract will be the owner of this system. The IT Administrator should reset his/her password and access this tenant as the first step.

User Management

The below diagram outlines the end-to-end process steps involved in user management within SAP Central Business Configuration. The highlighted steps are manual check to ensure initial password resets have been carried out. Once you complete the activity of resetting the password in the admin console, you will be able to access the Identity Authentication system. Let’s start the further process, step by step.

Next, you have to set subject name identifier, according to your log in preference.  Go into application and resources tab and click on applications and navigate to the administration console and go to subject name identifier there you have an option set basic attribution as per your requirement.

Next step is to go to home page and go into user management and create new user with the help of basic details of user and click on save. After that you will see that user is created in the system and user will receive an activation email as well.

Next step that you need to do is assign the users groups to the users, these user groups are nothing but our prerequisites.

Please note: if you are doing this activity for the first time you need to replicate the user groups from Central Business Configurations to Identity Authentication Services first because, all the user groups relevant with Central Business Configuration are pre delivered with Central Business Configuration

In the Central Business Configurations environment, you must bring these from Central Business Configurations into Identity Authentication Services, then you will be able to assign user groups to the users.

For this activity you need to go to the Identity Provisioning System with the help of link provided in the Initial Central Business Configurations handover mail.

In Identity Provision System you need to get in to the Source system, here you need to ensure that the source system is Central Business Configurations, and need to bring data from Central Business Configurations to  Identity Authentication System , then you have to run the background Job.

The moment you can click on run now the batch program runs. All the user groups will appear in Identity Authentication Service system user group section.

For next activity you need to come to Identity Authentication System and choose user group section, click on assign user groups, there you will find all the standard user groups are visible.

Based on the access requirement you can assign the specific user group to the user, by clicking on User management tab and user as shown in below image.

Next step is replicating users and user groups from Identity Authentication System to Central Business Configurations. Here again you need to get back to the Identity Provisioning System to run the background job again with Identity Authentication Services as source system. Once this activity completes the newly created user with assigned user groups will be available in the Central Business Configuration System.

You can check and confirm via logging in to the  SAP Central Business Configuration System (SAP Central Business Configuration URL is available in the handover mail from SAP).


Note: Whenever there is change in user/ user groups, you must run the background jobs in IPS.

System Landscape

Based on the emails that’s is received by the customer, below diagram shows the different systems involved:

Note: User groups are used only in  SAP Central Business Configuration.

Identity Authentication System:  The Identity Authentication service provides you with controlled cloud-based access to business processes, applications, and data. It simplifies your user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options.

Identity Authentication System shared across SAP Central Business Configuration, SAP S/4HANA, Starter and Quality tenants.  Like before SAP S/4HANA Cloud Production system has a separate productive Identity Authentication tenant.

Identity Provisioning System: Identity Provisioning system acts like a bridge between SAP Central Business Configuration and Identity Authentication System,

Manage identity lifecycle processes for cloud and on-premise systems. The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their authorizations to various cloud and on-premise business applications.

Customers can access the system via S- User credentials.

Central Business Configuration:   As I mentioned SAP Central Business Configuration is a new tool that will make it possible to configure business process spanning multiple SAP cloud solutions from one central place. To start with, SAP Central Business Confugaration supports SAP S/4HANA Cloud implementation experience. SAP Central Business Configuration is connected to S/4 HANA Starter, Quality, and Production systems.

User management in SAP S/4HANA Cloud remains the same as before.

For further details about  SAP Central Business Configuration please refer below blogposts:

Now you would be able to define the users in SAP S/4 HANA Central Business Configuration. Please let me know if you have any feedback or comments.


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Prasobh Prakash
      Prasobh Prakash

      Very good information. Thanks for sharing.

      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh

      Great information DHANASHREE BIRADARPATIL ... This will immensely clarify the authentication procedure in CBC

      Author's profile photo Otávio Henrique Damasceno Soares
      Otávio Henrique Damasceno Soares

      Usefull article and clear procedure. Nice job!

      Author's profile photo Lucy Gray
      Lucy Gray


      Thank you for this blog, and two questions :

      1. Just to confirm, since user management in Central Business Configuration is not anywhere related to user management in S/4HANA Cloud tenant, the user IDs and the number of users created in CBC can be different from those of S/4HANA Cloud?
        For example, say 3 users were created for using CBC - User X, User Y, and User Z. Whereas, the number of users created for using S/4HANA Cloud can be say 5 - User A, B, C, D & E. Is this understanding correct?
      2. Regarding the step in IAS where specific user groups are assigned to the users, are these users created beforehand manually in IAS one by one? (For example, the 17 users shown in the screenshot were manually created?)


      Author's profile photo DHANASHREE BIRADARPATIL
      Blog Post Author

      Hi Lucy,

      Thank You !!

      1. Yes, This could be a customer scenario but ABCDE will not be doing any configuration in CBC, and also XYZ only has access to CBC where they explore phase activity but not configurations as they do not have access to S/4 HANA Cloud.

      2. Yes these users are created manually.

      Author's profile photo Sasha Nunes
      Sasha Nunes

      Hello Dhanashree


      Is SAP Central Business Configuration available for S/4HANA Private Edition (included in RISE)?

      Thanks for your help