Avoid access issues during the initial set up of SAP Central Business Configuration for SAP S/4HANA Cloud
With the introduction of SAP Central Business Configuration tool starting with SAP S/4HANA Cloud, our customers and partners have experienced a paradigm shift in the way their SAP S/4HANA Cloud systems are configured and managed centrally and in an out-of-box fashion. This shift in understanding the new tool for configuration also brings in a lot of questions and doubts. It also sometimes creates situations where often best practices & help guidance is knowingly/unknowingly missed which causes delays and issues while setting up or onboarding the solutions in the preliminary stages
I am writing this blog here to showcase the importance of the best practices and the help documentation which will help you in avoiding basic issues from real time experiences and customer cases.
Earlier with the Solution Builder (which was a in-system configuration mechanism), there was no additional step to setup the users and accesses separately for using the configuration tool. Earlier, it was easy by assigning the relevant roles and one had access to the Manage Your Solution and Configure your solution app. But with the introduction of SAP Central Business Configuration (SAP CBC), it has also introduced some additional steps to start with your configuration activities.
Off course, these additional steps are included as a part of the new architecture of the SAP Central Business Configuration from a futuristic point of view. Our colleague DHANASHREE BIRADARPATIL has already explained very well in her blog – Here how the user authentication takes place in SAP Central Business Configuration. This blog also provides an overarching view of the overall architecture involved during the onboarding and the authentication process for a user.
Now coming to the crux of this blog, SAP has provided guidance in the form of User Setup and Access guidance which the project teams and related users are required to perform while initially setting up the SAP Central Business Configuration. This consist of the below steps which can be treated as the best practices for initial setup :
- Running Jobs for Pushing Roles
- Creating Business Users and Providing Access Rights
- Configuring the Subject Name Identifier for the Logon
- Running Jobs for User Provisioning
- Enabling Business Users to Access the SAP Central Business Configuration Tenant
Among the most common issues we have been seeing from SAP Central Business Configuration support side, there is a trend that most basic and fundamental understandings are sometimes missed causing issue during the initial setup and access process. Below we are trying to list down some common pointers which should be taken into considerations while setting up the SAP Central Business Configuration for SAP S/4HANA Cloud.
- Issue/Message- “You are not logged in or your session has expired. Please login in order to proceed.”
- The above issue is mostly seen during the initial setup phase for the SAP Central Business Configuration for SAP S/4HANA Cloud
- This issue can majorly be avoided if you follow the steps mentioned in the step – Running Jobs for Pushing Roles which clearly states that you must run the job in SAP Identity Provisioning service only once to replicate the required roles from the SAP Central Business Configuration tenant to your Identity Authentication tenant
- In case the job is run more than once, the user group assignments are impacted causing access rights to mess up
- To fix the issue for now , you need to reach out to CBC support X4-CBC-SRV or X4-CBC-PRX
- Issue/Message – “Unauthorized/SAP CBC URL shows unauthorized“
- For a complete resolution for this error, recently we have come up with a KBA – https://launchpad.support.sap.com/#/notes/3103503 which explains the situation in details. IN summary you can follow the below steps to know more on it
- The above issue is caused usually due to the lack of trust between the two connecting systems. In this case – SAP Central Business Configuration subaccount and Identity Authentication Services Tenant
- To establish the trust between these two accounts, you must add the SAP Central Business Configuration SAML 2.0 Metadata into the application created in the Identity Authentication Services admins console. Following the below steps will help you overcome this trust issue:
- Create New application in the Identity Authentication Services
- Complete SAML 2.0 configuration by uploading the metadata XML file of the service provider. Metadata XML can be obtained by appending https://myxxxxxxxx/saml/metadata on the Subaccount domain URL given to the customer by SAP in their onboarding details
- Configure the Subject Name Identifier Sent to the Application to Login name under basic configuration
- Once the trust is established, the issue for no authorizations will no more appear
- Issue/Message – “Initial login user and password not received”
- The ‘IT contact person’ is setup while signing the contract with SAP to receive the initial onboarding mails during the system provisioning from SAP. The overall steps for access to Central Business Configurations in the Explore phase is mentioned here – Access the SAP Central Business Configuration.
- Many times, the IT contact person who is receives these emails is not available or left the company or not active for administration activities. In such cases it is advised:
- To mention the IT contact person who shall be available to start the onboarding process during the contractual phases
- Immediately add extra admins – in order to delegate onboarding process for the customer project
- In exceptional cases if the admin is not available, please create a ticket to X4-CBC-PRX/XX-S4C-OPR-SRV in order to re-initiate the onboarding mails to some other contact as required
These are some concurrent issues we are seeing as a trend for access issues while setting up SAP Central Business Configurations for SAP S/4HANA Cloud. In general these are not the only issues and there might be several other issues while setting up the landscape, however the above issues were repeatedly seen from our customers and partners as a result of which I thought of creating this quick personal insight blog.
For other issues related to SAP Central Business Configuration, our support colleagues (X4-CBC-*) are eager to help and assist you in your issues.
Hope this helps you ease your onboarding process.