Personal Insights
Saumitra Deshmukh

Avoid access issues during the initial set up of SAP Central Business Configuration for SAP S/4HANA Cloud

Hi All,

With the introduction of the SAP Central Business Configuration tool for SAP S/4HANA Cloud, our customers and partners have experienced a paradigm shift in the way their SAP S/4HANA Cloud systems are configured and managed, centrally and out of the box. Getting to know a new configuration tool also raises a lot of questions and doubts. It sometimes leads to situations where best practices and help guidance are knowingly or unknowingly missed, which causes delays and issues while setting up or onboarding the solutions in the preliminary stages.

I am writing this blog to showcase the importance of the best practices and the help documentation, which will help you avoid basic issues, based on real-time experiences and customer cases.

Earlier, with the Solution Builder (an in-system configuration mechanism), there was no additional step to set up users and access separately for the configuration tool. Assigning the relevant roles was enough to get access to the Manage Your Solution and Configure Your Solution apps. SAP Central Business Configuration (SAP CBC) introduces some additional steps before you can start your configuration activities.

Of course, these additional steps are part of the new architecture of SAP Central Business Configuration, which is designed with the future in mind. Our colleague DHANASHREE BIRADARPATIL has already explained very well in her blog how user authentication takes place in SAP Central Business Configuration. That blog also provides an overarching view of the architecture involved in the onboarding and authentication process for a user.

Now, coming to the crux of this blog: SAP provides User Setup and Access guidance that project teams and related users are required to follow when initially setting up SAP Central Business Configuration. It consists of the steps below, which can be treated as best practices for the initial setup:

  1. Configuring the Subject Name Identifier for the Logon
  2. Running Jobs for Pushing Roles
  3. Creating Business Users and Providing Access Rights
  4. Running Jobs for User Provisioning
  5. Enabling Business Users to Access the SAP Central Business Configuration Tenant

Among the most common issues we see on the SAP Central Business Configuration support side, there is a trend: basic and fundamental points are sometimes missed, causing issues during the initial setup and access process. Below we list some common pointers that should be taken into consideration while setting up SAP Central Business Configuration for SAP S/4HANA Cloud.


  1. Issue/Message – “You are not logged in or your session has expired. Please login in order to proceed.”
    • This issue is mostly seen during the initial setup phase of SAP Central Business Configuration for SAP S/4HANA Cloud.
    • It can largely be avoided by following the step Running Jobs for Pushing Roles, which clearly states that you must run the job in the SAP Identity Provisioning service only once to replicate the required roles from the SAP Central Business Configuration tenant to your Identity Authentication tenant.
    • If the job is run more than once, the user group assignments are impacted and the access rights get mixed up.
    • To fix the issue for now, you need to reach out to CBC support (X4-CBC-SRV or X4-CBC-PRX).
  2. Issue/Message – “Unauthorized”/SAP CBC URL shows unauthorized
    • For a complete resolution of this error, we recently published a KBA – which explains the situation in detail. In summary, you can follow the steps below. From the Identity Provisioning side, please ensure you have the latest version:
      1. Download the attached source/target transformations for the CBC and Identity Authentication systems, as suits the current setup (Attachment in KBA – )
      2. Navigate to the Identity Provisioning Tenant UI.
      3. In Identity Provisioning, ensure the current transformations match:
        1. Navigate to the System -> Transformations tab.
        2. To modify it, choose Edit in the bottom right corner.
        3. Make your changes and save the configuration.
      4. Perform a Read Job. For more information, see Start and Stop Provisioning Jobs.
    • In most cases, this issue is caused by cache issues in the communication setup between SAP IAS and the SAP Central Business Configuration system; in this case, between the SAP Central Business Configuration subaccount and the Identity Authentication Services tenant.
    • Following the steps below will help you overcome the issue:
      1. Ensure that the Subject Name Identifier configured for the CBC application in IAS is set to “Login Name”. Check this under the basic configuration of the IAS entry under Bundled Applications starting with XSUAA_CUSTOMER_NAME:
        a. Navigate to the Identity Authentication Administration Console. The URL has the pattern: https://<tenant ID>
        b. Under Applications and Resources, choose the Applications tile.
        c. Choose the affected CBC application.
        d. Under SINGLE SIGN-ON, choose Subject Name Identifier.
        e. Select Login Name and save the configuration.
      2. If the problem persists, revert other changes in the IAS Administration Console. To figure out what was changed, navigate to Monitoring & Reporting -> Audit and Change Logs and download the CSV file containing the change logs. The migration only affected IAS applications with the name pattern “XSUAA_<BTP-Tenant-ID>”. You can check the column “Resource Name” for these names.
      3. In some cases, a new SAML-based application with default settings was created in the Administration Console as a side effect. This application can be safely deleted. To delete the application, see Delete Applications. To identify the application to be deleted, see the points below:
        a. The application appears under Charged Applications.
        b. The name follows the pattern “XSUAA_<BTP subaccount display name>”
        c. The protocol is SAML 2.0.
        d. The SAML2.0 Configuration is partially empty (no endpoints configured).
      4. For users created in IAS while the Subject Name Identifier attribute was not “Login Name”, the following steps are required if the “Unauthorized” error message is still raised:
        1. Log in to your IAS tenant with an admin user and find the affected user in the User Management tab.
        2. Change the email to a dummy email address and save.
        3. Clear the cache in your browser or open a new browser window in incognito mode.
        4. Log in to CBC with the affected user by login name (not email address) to validate whether the authentication parameters were updated.
        5. If authentication works, change the email in IAS back to the original value.
        6. Test the authentication again with email sign-in; it should now work without other errors. This is a temporary change required to reset the cached logon data that resulted from the Subject Name Identifier update. Future users will not face the problem as long as the Subject Name Identifier attribute is not changed again in IAS for the corresponding CBC application entry.
  3. Issue/Message – “Initial login user and password not received”
    1. The ‘IT contact person’ is set up when signing the contract with SAP to receive the initial onboarding mails from SAP during system provisioning. The overall steps for access to SAP Central Business Configuration in the Explore phase are described here – Access the SAP Central Business Configuration.
    2. Many times, the IT contact person who receives these emails is not available, has left the company, or is not active for administration activities. In such cases it is advised:
      • To name an IT contact person who will be available to start the onboarding process during the contractual phases
      • To add extra admins immediately, in order to delegate the onboarding process for the customer project
      • In exceptional cases, if the admin is not available, to create a ticket on X4-CBC-PRX/XX-S4C-OPR-SRV in order to re-initiate the onboarding mails to another contact as required
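
The change-log review described under the “Unauthorized” issue (download the CSV from Audit and Change Logs, then check the “Resource Name” column for XSUAA_ entries) can be scripted. The following is an added example, not SAP code and not part of the original post: only the “Resource Name” column and the XSUAA_ prefix come from the post, while the other column names and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Only the "Resource Name" column and the XSUAA_
# prefix come from the post; other column names and all values are assumptions.
SAMPLE_CSV = """\ufeffTime,User,Resource Type,Resource Name,Attribute,Old Value,New Value
2023-01-10T09:12:00Z,admin1,Application,XSUAA_tenant-a,Subject Name Identifier,Login Name,E-Mail
2023-01-10T09:15:00Z,admin1,Application,Corporate Portal,Display Name,Portal,Corporate Portal
2023-01-11T14:02:00Z,admin2,Application,XSUAA_tenant-a,Default Attributes,,groups
2023-01-12T08:30:00Z,admin2,User,jdoe,E-Mail,j.doe@example.com,dummy@example.com
"""


def xsuaa_changes(csv_text, name_col="Resource Name", prefix="XSUAA_"):
    """Return {resource name: [change rows]} for resources matching the prefix."""
    text = csv_text.lstrip("\ufeff")          # spreadsheet exports often carry a BOM
    header = text.splitlines()[0] if text.strip() else ""
    delim = max(",;\t", key=header.count)     # tolerate ';' or tab separated exports
    reader = csv.DictReader(io.StringIO(text), delimiter=delim)
    cols = {c.strip().casefold(): c for c in (reader.fieldnames or [])}
    key = cols.get(name_col.casefold())
    if key is None:                           # fail loudly rather than report "no changes"
        raise ValueError(f"column {name_col!r} not found in {reader.fieldnames}")
    grouped = defaultdict(list)
    for row in reader:
        name = (row.get(key) or "").strip()
        if name.startswith(prefix):
            grouped[name].append(row)
    return dict(grouped)


def sni_changes(grouped, attr_col="Attribute"):
    """Rows that touched the Subject Name Identifier (attr_col is an assumed name)."""
    return [row for rows in grouped.values() for row in rows
            if "subject name identifier" in (row.get(attr_col) or "").casefold()]


if __name__ == "__main__":
    changes = xsuaa_changes(SAMPLE_CSV)
    for name, rows in changes.items():
        print(f"{name}: {len(rows)} change(s)")
    for row in sni_changes(changes):
        print("Subject Name Identifier changed:", row["Old Value"], "->", row["New Value"])
```

Adjust `attr_col` and the value columns to the headers of your actual export before relying on the Subject Name Identifier check.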

These are some recurring issues we see as a trend in access problems while setting up SAP Central Business Configuration for SAP S/4HANA Cloud. They are not the only issues, and there might be several others while setting up the landscape; however, the issues above were seen repeatedly from our customers and partners, which is why I thought of creating this quick personal insight blog.

For other issues related to SAP Central Business Configuration, our support colleagues (X4-CBC-*) are eager to help and assist you.


Hope this helps you ease your onboarding process.





      Gursharan Kang

      Hello Saumi,


      Any suggestions if this error of "You are not logged in or your session has expired. Please login in order to proceed." only appears for a selective set of users?


      Thank you!


      Saumitra Deshmukh
      Blog Post Author

      Hi @Gursharan Kang: This issue might be due to different reasons, out of which one common reason is that the parameters which are set up for the authentication mechanism during the initial login were not configured correctly at the Identity Authentication Services level. These user mappings along with the parameters get cached with email address as the authentication parameter instead of login name.

      I think for resolution you must create a ticket to the component - X4-CBC-PRX - Consumption - Project Experience. The user might need to be deleted in order for the user to get newly cached with the correct mappings at the parameter levels in the Identity Authentication Services Level. Then a job is required to be run for user provisioning with the newly established parameters - as per

      Hope this helps.




      Gursharan Kang

      Hello Saumi,


      We will certainly try these proposed solutions.