Author: Anand Kapadia

SAP S/4HANA Cloud, Public Edition Identity Access Management – Your Knowledge Base

Last Update: 10.10.2023

Latest Updates

  • 10.10.2023: Added link to Developer and Key User Extensibility
  • 22.09.2023: Added link to openSAP Microlearning “Understanding the Entry Source Value in Manage Workforce of SAP S/4HANA Cloud”
  • 14.07.2023: SAP Note 3312167 – Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud 2308 released
  • 07.02.2023: Added SAP Note 2970113 – SAP S/4HANA Cloud: Replacement of SAP Fiori launchpad Home Page by Spaces and Pages / Provisioning of New Systems

Introduction

In the last few years, a significant amount of S/4HANA Cloud IAM-related content was created aiming to help customers and partners to understand core IAM concepts relevant for the SAP S/4HANA Cloud, public edition universe. As the content was created across different platforms (openSAP Microlearning, SAP Blogs, SAP Enterprise Support Portal, SAP Activate Roadmap, etc.) I want to provide a central location. The blog post “SAP S/4HANA Cloud Identity Access Management, Public Edition – Your Knowledge Base” aims to provide a one-stop-shop to find IAM-related content relevant for SAP S/4HANA Cloud, public edition and thus simplify the journey for becoming an S/4HANA Cloud, public edition IAM expert. Therefore, I have collected different resources (blog posts, SAP notes, webinars, etc.) in this blog post which can help you to structure the topics and get started. Please note this blog post contains SAP S/4HANA Cloud 2-system landscape (2SL) as well as 3-system landscape (3SL) specific information.
In general, this blog post is divided into three topics, namely:
  1. Managing Authorizations
  2. Managing Identities
  3. Tools

Please note this blog post makes no claim to completeness as the development in the SAP S/4HANA Cloud IAM area is fast-moving and new solutions and concepts might be implemented at the time of reading. The idea of this blog post is to provide a knowledge base for SAP users who want to gain knowledge in this area.

Managing Authorizations

Fundamentals

SAP S/4HANA Cloud Identity Access Management

The SAP S/4HANA Cloud help documentation provides a general overview of the IAM features in your system.

Webinar SAP S/4HANA Cloud, Identity and Access Management

In this recorded webinar you get to learn how to get started with SAP S/4HANA Cloud IAM and the recommended implementation methodology for setting up an authorization concept.

SAP Preferred Success Customer Adoption Journey “Identity Access Management for SAP S/4HANA Cloud”

In this SAP Preferred Success webinar series you will get to learn about the different IAM apps in SAP S/4HANA Cloud.

Access to the customer adoption journey requires an SAP Preferred Success subscription. Please reach out to your CSM in case you require any support.

Understanding SAP Business Roles

This blog post provides a basic understanding of business roles for SAP S/4HANA (on-premise as well as cloud). It offers interesting thoughts and is worth considering for your authorization concept philosophy.

For SAP S/4HANA Cloud 2SL:

It is recommended to use the Business Role Templates only in the Starter System and Quality System (e.g. for the fit-to-standard workshop and testing in general).

For the business roles in the Production System, it is strongly recommended to create your own custom business roles based on the identified workplaces. As part of compliance, these custom business roles should then be created and maintained only in the Q-System and transported into the P-System via Software Collections. Changing business roles directly in the P-System could cause an error that would put the productive environment and the productive data at greater risk.

For SAP S/4HANA Cloud 3SL:

It is recommended to use the Business Role Templates only in the Starter System and Development System (e.g. for the fit-to-standard workshop and testing in general).

For the business roles in the Production System, it is strongly recommended to create your own custom business roles based on the identified workplaces. As part of compliance, these custom business roles should then be created and maintained only in the Development System, transported into the Test System and then forwarded into the Production System via Software Collections. Changing business roles directly in the Production System could cause an error that would put the productive environment and the productive data at greater risk.

How to set up a Naming Convention for Business Roles, Spaces and Pages in a 2-System-Landscape

How to set up a Naming Convention for Business Roles, Spaces and Pages in a 3-System-Landscape

This accelerator shares recommendations for setting up a naming convention in S/4HANA Public Cloud for Business Roles, Spaces and Pages.

SAP Fiori Launchpad for SAP S/4HANA Cloud

Get to Know the New Spaces Concept for SAP Fiori Launchpad

Manage Spaces and Pages for SAP Fiori Launchpad

Structure the SAP Fiori Launchpad Layout with Spaces

In this blog series the SAP Fiori Spaces and Pages concept is presented. Please also check SAP Note 2970113 – SAP S/4HANA Cloud: Replacement of SAP Fiori launchpad Home Page by Spaces and Pages / Provisioning of New Systems.

Introduction to Structuring SAP Fiori Launchpad with Spaces

Tools for Structuring SAP Fiori Launchpad with Spaces

In this openSAP microlearning the SAP Fiori Spaces and Pages concept is presented.

Translation of SAP Fiori Spaces and Pages in SAP S/4HANA Cloud

This blog post describes how you can translate your custom SAP Fiori Spaces and Pages content into different languages. This is especially helpful for end user requirements requesting multiple-language support.

Best Practices for Managing Spaces and Pages

Spaces and pages offer more flexibility to influence the launchpad layout for different user groups. Each user sees one or more spaces that contain one or more pages. The pages show apps clustered in different sections. Spaces and pages are assigned to users via the business roles. Read this for tips on creating and handling spaces and pages.

Finding the Equivalent SAP Fiori App with Classic T-Code in SAP S/4HANA Cloud – Part 1

Finding the Equivalent SAP Fiori App with Classic T-Code in SAP S/4HANA Cloud – Part 2

In this blog series you will get to learn how to search for classic T-Codes in your SAP S/4HANA Cloud system and what the prerequisites are.

Release Upgrades and Continuous Feature Delivery

Upgrade Schedule & Maintenance Schedule (2SL)

Upgrade Schedule & Maintenance Schedule (3SL)

In these presentations you can always find the latest information about upgrade and maintenance schedules for your SAP S/4HANA Cloud landscape. Please click 2SL if your SAP S/4HANA Cloud landscape contains Q- and P-System only. Click on 3SL if you are using SAP S/4HANA Cloud with D-, T- and P-System.

SAP Note 2975653 – Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud

SAP Note 3312167 – Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud 2308

This central SAP Note provides access to all available SAP Notes that contain release-specific IAM change information. You can mark this SAP Note as a favorite to be notified when information is updated. You will also see that this SAP Note is listed in every What’s New document.

Four Pillars of SAP S/4HANA Cloud IAM Release Activities (2SL)

Four Pillars of SAP S/4HANA Cloud IAM Release Activities (3SL)

This presentation contains SAP’s recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly. You can also find it in the SAP Activate Roadmap for SAP S/4HANA Cloud in the Run phase or in the SAP Activate for Upgrade of SAP S/4HANA Cloud 3-system landscape.

Manage Business Role Changes After Upgrade

With this app you can display all relevant changes to business catalogs and restriction types after an upgrade. If a new restriction type was added to a business catalog, for example, you can maintain the corresponding restrictions using this app.

Welcome 2111.1 update – welcome continuous delivery for SAP S/4HANA Cloud

How to adopt a new functionality delivered via SAP S/4HANA Cloud Updates

Releases, Updates and Hotfix: a short guide for SAP S/4HANA Cloud delivery channels

This blog series aims to inform about these questions and related news around the topic of continuous delivery.

In addition to this, you can also get informed on the Continuous Feature Delivery landing page in the SAP Community.

Compliance

Compliance with SAP S/4HANA Cloud – Change Documents (SAP Help Documentation)

Compliance with SAP S/4HANA Cloud – Business User Monitoring

Compliance with SAP S/4HANA Cloud – Business Role Monitoring

Compliance with SAP S/4HANA Cloud – Security Audit Log

This blog series informs about the different compliance features in SAP S/4HANA Cloud.

Security Audit Log API for SAP S/4HANA Cloud

This blog post describes how you can make use of the Security Audit Log REST API which has been released with the 2108 release upgrade. Check the SAP Help documentation for more details on the SAL.

SAP Note 2903873 – FAQ: Fiori App “Display Security Audit Log”

This SAP Note is a FAQ document for the Fiori App “Display Security Audit Log” and provides further information in addition to the SAP Help documentation.

More Food for Security Monitors – the new APIs in SAP S/4HANA Cloud 2208

This blog post highlights the improvements in the Security Audit Log API and presents the newly introduced Business Role Change Log API and Business User Change Log API.

SAP Support User Request Log

In the Display Technical Users app, you can display more information about when and why SAP support users accessed your customer system in the past 12 months. For each support user, the relevant incident ID, access level, access category, customer user, request date and validity date are displayed when you click on the required entry in the Users list. SAP support user IDs are pseudonymized to respect the data subject rights of SAP employees according to GDPR.

Common Use Cases

Restricting Payment Runs to Establish a Control Process

In this Microlearning you will learn about the importance of a control process during the payment run. In addition, there is a demo on how to configure the business roles in order to restrict the payment run.

Configuration Activity Excel

The Configuration Activity Excel provides an overview of which business catalog in SAP S/4HANA Cloud gives you access to which configuration activity in CBC. Go to the tab IMG_ACT BusinessCatalog Match to get the overview.

For further information on configuration activities, please refer to the document Configuration Activity Excel assigned to the Accelerators in “SAP Activate Methodology for SAP S/4HANA Cloud (2SL)” or “SAP Activate Methodology for SAP S/4HANA Cloud (3SL)”.

Restrictions in Analytics for Universal Journal

Check this SAP Help documentation to understand the basic authorization concept for the Universal Journal in order to learn about the authorization context for

  • GENLDGR (General Ledger Accounting)
  • ASSET (Fixed Asset Accounting)
  • OVHDCOST (Cost Accounting – Overhead)
  • SALES (Cost Accounting – Sales)
  • INVTRY (Cost Accounting – Inventory)
  • PRODNCOST (Cost Accounting – Production)

Implement Dual Control for Sensitive Fields in Customer Master Data

In this SAP Help documentation you find guidance on how to implement a four-eyes principle for sensitive fields in customer master data.

Implement Dual Control for Sensitive Fields in Supplier Master Data

In this SAP Help documentation you find guidance on how to implement a four-eyes principle for sensitive fields in supplier master data.

Chart of Accounts Maintenance: Authorization Concept

This SAP Help documentation explains the authorization concept for CoA maintenance.

Extensibility

Developer Extensibility

Developer extensibility allows you to create development projects in an SAP S/4HANA Cloud system. It gives you the opportunity to develop cloud-ready and upgrade-stable custom ABAP code on SAP S/4HANA Cloud, combining the benefits of custom ABAP code, with the required restrictions for Cloud readiness, and the SAP S/4HANA programming model to build SAP Fiori apps.

Check out the Identity and Access Management (IAM) Guide for details.

Key User Extensibility

The extensibility apps help you customize applications and their UIs, reports, email templates, and form templates. Using extensibility apps, you can create database tables for segmentation, and design queries.

Managing Identities

SAP S/4HANA Cloud, Public Edition

Initial System Access to SAP S/4HANA Cloud

This Enable Now recording guides customers through the initial steps for getting started with the SAP S/4HANA Cloud system.

Please also check out the onboarding guide for SAP S/4HANA Cloud.

Manage Workforce

Manage Workforce App – Deep Dive for IAM Experts (Part 1)

Understanding the Entry Source Value in the Manage Workforce App

The app “Manage Workforce” is a new app which is available with the 2208 release of SAP S/4HANA Cloud. With this app, you can create and update workers (employees and contingent workers) including work agreements and change employment situations. Check the blog post for more details.

Further details can be found in the SAP Help documentation.

Identity Management for SAP S/4HANA Cloud and Integrated Products

Depending on the setup of your IT landscape, choose between different identity management scenarios for your SAP S/4HANA Cloud system and integrated products. The identity management scenarios differ with regard to the leading system to which workers (employees or contingent workers) and their work agreements (employments) are onboarded as well as where the corresponding users are initially created. This guide covers identity management scenarios.

SAP Central Business Configuration

User Setup and Access

On this SAP Help page you can find all relevant details for user setup and access in SAP Central Business Configuration. In addition, you should check out the Tutorial Library, which includes recordings for setup.

Authorization Concept

This SAP Help page provides an overview of the authorization concept in SAP Central Business Configuration.

Please note that the authorizations of the configuration user need to be maintained individually, i.e. in SAP Central Business Configuration and in SAP S/4HANA Cloud.

User Authentication in SAP Central Business Configuration

In this blog post, you will see how to manage business users in Central Business Configuration and how the authentication works.

CBC no authorization to start the UI while accessing SCCUI in S/4HANA Cloud

This blog post has been written to address a common customer query on authorization issues while accessing the configuration activities in CBC.

Avoid access issues during the initial set up of SAP Central Business Configuration for SAP S/4HANA Cloud

This blog post summarizes the most common access issues for SAP Central Business Configuration as well as some tips and tricks to avoid these.

SAP Note 3151787 – Central Business Configuration: Synchronize user permissions for configuration activities

This SAP Note addresses the issue when users with display (read-only) authorization in CBC can change (edit) configuration activities in SAP S/4HANA Cloud.

SAP S/4HANA Cloud embedded SAP Analytics Cloud

SAP Identity Provisioning (IPS) is now bundled with SAP S/4HANA Cloud!

This blog post gives insights on how the user management works for embedded SAC applications running on SAP S/4HANA Cloud. Check this blog post for the integrated analytics scenarios in SAP S/4HANA Cloud.

Go for your quick win! Migrate Identity Provisioning tenants to SAP Cloud Identity infrastructure

Administrators of Identity Provisioning bundle tenants on SAP BTP, Neo environment can now migrate them to the infrastructure of SAP Cloud Identity Services.

Migrating bundle tenants to the infrastructure of SAP Cloud Identity Services improves the integration between the group of services that provide cloud identity capabilities: Identity Authentication, Identity Provisioning, and Identity Directory.

It allows you to take advantage of all new Identity Provisioning features, which from now on are released only for tenants on SAP Cloud Identity infrastructure.

For more information, see Migrate Identity Provisioning Tenant.

SAP Cloud Identity Services – Identity Authentication Service

SAP IAM Tenant Overview

As an SAP customer, would you like to see all of your SAP IAS and IPS tenants in one place, with the region, tenant type, creation date, and administrators? Enter your S-User to get an overview of your administrators. Check this blog post for details.

YouTube – Connect Azure AD with SAP IAS

Blog – Connect Ping Identity with SAP IAS

Blog – Connect Okta to SAP IAS

These resources document how a corporate identity provider can be integrated with the SAP Cloud Identity Services – Identity Authentication.

Options to manipulate the subject name ID coming from the corporate IdP in proxy scenarios

In this blog post, you will learn what options are available in case you are using SAP IAS as a proxy and you want to modify the subject name ID (let’s say attribute A) that you got from the corporate IdP.

SAP Cloud Identity Services – Identity Provisioning Service

SAP Cloud Identity Services – Why and how to integrate them for a consistent identity lifecycle?

When it comes to the SAP Cloud Identity Services, some of the most common questions raised in implementation projects revolve around: “What would be the best option for us out of all available ones?”. This blog will explain what those options are and how to choose among them.

Go for your quick win! Migrate Identity Provisioning tenants to SAP Cloud Identity infrastructure

Administrators of Identity Provisioning bundle tenants on SAP BTP, Neo environment can now migrate them to the infrastructure of SAP Cloud Identity Services.

Migrating bundle tenants to the infrastructure of SAP Cloud Identity Services improves the integration between the group of services that provide cloud identity capabilities: Identity Authentication, Identity Provisioning, and Identity Directory.

It allows you to take advantage of all new Identity Provisioning features, which from now on are released only for tenants on SAP Cloud Identity infrastructure.

For more information, see Migrate Identity Provisioning Tenant.

Simulate it until you make it! Try out the Identity Provisioning job that tests your configuration.

In this blog post you will learn how the new Simulate Job works in SAP Cloud Identity Services – Identity Provisioning Service.

For more details also check out the documentation.

After simulation, try out validation. Identity Provisioning closes the loop with a fresh new test job.

In this blog post you will learn how the new Validation Job works in SAP Cloud Identity Services – Identity Provisioning Service.

For more details also check out the documentation.

SAP for Me

How do I get access to SAP for Me?

In this blog post you will learn how to get access to SAP for Me and basic steps required to get started in SAP for Me.

What permissions do you need for SAP for Me?

What permissions do you need for SAP for Me for Partners?

In this blog post you will get to know about the authorization concept in SAP for Me. You will learn which authorizations your S-User will require to see specific dashboards and cards.

Tools

SAP Activate Methodology for SAP S/4HANA Cloud

SAP Activate Methodology for SAP S/4HANA Cloud (2SL)

SAP Activate Methodology for SAP S/4HANA Cloud (3SL)

The roadmap is intended to guide the implementation team through the SAP S/4HANA Cloud implementation. It is comprised of Phases, Deliverables, and Tasks in accordance with the SAP Activate methodology.

Please check this blog post to stay up-to-date with the latest SAP Activate Content Updates.

New IAM Tag in SAP Activate Methodology for SAP S/4HANA Cloud

In this blog post you will learn how to identify IAM-related tasks within your SAP S/4HANA Cloud implementation project.

Accelerating SAP S/4HANA Cloud IAM Activities with SAP Activate

In this openSAP microlearning you can see how you can accelerate your IAM activities by leveraging the SAP Activate Methodology for SAP S/4HANA Cloud.

Configuration Activity Excel

The Configuration Activity Excel provides an overview of which business catalog in SAP S/4HANA Cloud gives you access to which configuration activity in CBC. Go to the tab IMG_ACT BusinessCatalog Match to get the overview.

For further information on configuration activities, please refer to the document Configuration Activity Excel assigned to the Accelerators in “SAP Activate Methodology for SAP S/4HANA Cloud (2SL)” or “SAP Activate Methodology for SAP S/4HANA Cloud (3SL)”.

How to Create Application – Workplace List

The purpose of this accelerator is to enable and educate users on how to download the relevant information required for the Application – Workplace list from the SAP Fiori Apps Reference Library. This list will help to identify the applications and required business catalogs during the Fit-to-Standard workshops.

For more details check the task Document Identity and Access Management in the Activate Roadmap.

Revise Business Roles and Business Catalogs (2SL)

Revise Business Roles and Business Catalogs (3SL)

This task references a presentation which contains SAP’s recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly. You can also find it in the SAP Activate Roadmap for SAP S/4HANA Cloud in the Run phase or in the SAP Activate for Upgrade of SAP S/4HANA Cloud 3-system landscape.

How to set up a Naming Convention for Business Roles, Spaces and Pages in a 2-System-Landscape

How to set up a Naming Convention for Business Roles, Spaces and Pages in a 3-System-Landscape

This accelerator shares recommendations for setting up a naming convention in S/4HANA Public Cloud for Business Roles, Spaces and Pages.

SAP Fiori Apps Reference Library

SAP Fiori Apps Reference Library

The SAP Fiori apps reference library supports you with its functions and integration with existing tools throughout the phases of an SAP Fiori implementation project: from exploring the available apps and planning your SAP Fiori implementation project to setting up and configuring your system landscape and running your apps in the productive system.

Finding the Equivalent SAP Fiori App with Classic T-Code in SAP S/4HANA Cloud – Part 1

Finding the Equivalent SAP Fiori App with Classic T-Code in SAP S/4HANA Cloud – Part 2

In this blog series you will get to learn how to search for classic T-Codes in your SAP S/4HANA Cloud system by making use of the content in the SAP Fiori Apps Reference Library.

Conclusion

Please feel free to provide your feedback in the comment sections.

For more updates you can follow me via LinkedIn

      11 Comments
      Saumitra Deshmukh

      Great compilation of knowledge, resources and information on Identity and Access Management in SAP S/4HANA Cloud. Surely benefit our ecosystem in this area. Thanks Anand Kapadia

      Andrew Saunders

      This is the most comprehensive resource I've seen on these topics for S/4HANA Cloud.

      Thanks for this!

      Help Desk

      Absolutely stunning and very very helpful! It's been a pleasure to work with Anand for over a year on our project and he keeps on delivering. Thanks for this.

      Anand Kapadia
      Blog Post Author

      Thank you 🙂

      Hongbo Wang

      Very helpful central access for s4hc iam related topics. Thanks a lot!

      Anand Kapadia
      Blog Post Author

      Thank you!

      Prasanth Rajan

      Excellent compilation Anand Kapadia!! Well thought and you also captured the most commonly occurring concerns via the KBAs. Brilliant!! Really informative & enjoying the content. Truly a one-stop-shop for all interested parties. Thanks for your time and effort!

      Anand Kapadia
      Blog Post Author

      Thank you!

      Alexander Felke

      I have to say, I come to this page over and over again. To my knowledge the place to go for information on IAM. Period.

      Anand Kapadia
      Blog Post Author

      Thank you!

      Manuel Entrup-Galindo

      Hello Anand Kapadia ,
      thank you for this excellent blog post.

      Unfortunately some links do not seem to be available.
      For example:
      SAP Preferred Success Customer Adoption Journey “Identity Access Management for SAP S/4HANA Cloud”

      Maybe you could update the ones that are not available.

      Best wishes!