Anand Kapadia

SAP S/4HANA Cloud Identity Access Management – Your Knowledge Base

Last Update: 05.08.2022

Introduction

In the last few years, a significant amount of S/4HANA Cloud IAM-related content was created aiming to help customers and partners to understand core IAM concepts relevant for the SAP S/4HANA Cloud universe. As the content was created across different platforms (openSAP Microlearning, SAP Blogs, SAP Enterprise Support Portal, SAP Activate Roadmap, etc.) I want to provide a central location.
The blog post “SAP S/4HANA Cloud Identity Access Management – Your Knowledge Base” aims to provide a one-stop-shop to find IAM-related content relevant for SAP S/4HANA Cloud and thus simplify the journey for becoming an S/4HANA Cloud IAM expert. Therefore, I have collected different resources (blog posts, SAP notes, webinars, etc.) in this blog post which can help you to structure the topics and get started.

In general, this blog post is divided into three topics, namely:

  1. Managing Authorizations
  2. Managing Identities
  3. Tools

Please note this blog post makes no claim to completeness as the development in the SAP S/4HANA Cloud IAM area is fast-moving and new solutions and concepts might be implemented at the time of reading. The idea of this blog post is to provide a knowledge base for SAP users who want to gain knowledge in this area.

Managing Authorizations

Fundamentals

SAP S/4HANA Cloud Identity Access Management

The SAP S/4HANA Cloud help documentation provides a general overview of the IAM features in your system.

Webinar SAP S/4HANA Cloud, Identity and Access Management

In this recorded webinar you get to learn how to get started with SAP S/4HANA Cloud IAM and the recommended implementation methodology for setting up an authorization concept.

SAP Preferred Success Customer Adoption Journey “Identity Access Management for SAP S/4HANA Cloud”

In this SAP Preferred Success webinar series you will get to learn about the different IAM apps in SAP S/4HANA Cloud.

Access to the customer adoption journey requires a SAP Preferred Success subscription. Please reach out to your CSM in case you require any support.

Understanding SAP Business Roles

This blog post provides a basic understanding of business roles for SAP S/4HANA (onPrem as well as Cloud). It offers interesting thoughts that are worth considering for your authorization concept philosophy.

It is recommended to use the Business Role Templates only in the Starter System and Quality System (e.g. for the fit-to-standard workshop and testing in general).

For the business roles in the Production System, it is strongly recommended to create your own custom business roles based on the identified workplaces. As part of compliance, these custom business roles should then be created and maintained only in the Q-System and transported into the P-System via Software Collections. Changing business roles directly in the P-System could cause an error that would put the productive environment and the productive data at greater risk.

SAP Fiori

Get to Know the New Spaces Concept for SAP Fiori Launchpad

Manage Spaces and Pages for SAP Fiori Launchpad

Structure the SAP Fiori Launchpad Layout with Spaces

In this blog series the SAP Fiori Spaces and Pages concept is presented.

Introduction to Structuring SAP Fiori Launchpad with Spaces

Tools for Structuring SAP Fiori Launchpad with Spaces

In this openSAP microlearning the SAP Fiori Spaces and Pages concept is presented.

Translation of SAP Fiori Spaces and Pages in SAP S/4HANA Cloud

This blog post describes how you can translate your custom SAP Fiori Spaces and Pages content into different languages. This is especially helpful when end users require support for multiple languages.

Finding the Equivalent SAP Fiori App with Classic T-Code in SAP S/4HANA Cloud – Part 1

Finding the Equivalent SAP Fiori App with Classic T-Code in SAP S/4HANA Cloud – Part 2

In this blog series you will get to learn how to search for classic T-Codes in your SAP S/4HANA Cloud system and what the prerequisites are.

Release Upgrades and Continuous Feature Delivery

Upgrade Schedule & Maintenance Schedule (2SL)

Upgrade Schedule & Maintenance Schedule (3SL)

In these presentations you can always find the latest information about upgrade and maintenance schedules for your SAP S/4HANA Cloud landscape. Please click 2SL if your SAP S/4HANA Cloud landscape contains Q- and P-System only. Click on 3SL if you are using SAP S/4HANA Cloud with D-, T- and P-System.
SAP Note 2975653 – Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud

This central SAP Note provides access to all available SAP Notes that contain release-specific IAM change information. You can mark this SAP Note as favorite to be notified when information is updated. Also you will see that this SAP Note is listed in every What’s New document.

Four Pillars of SAP S/4HANA Cloud IAM Release Activities

This presentation contains SAP’s recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly. You can also find it in the SAP Activate Roadmap in the Run phase.

Manage Business Role Changes After Upgrade

With this app you can display all relevant changes to business catalogs and restriction types after an upgrade. If a new restriction type was added to a business catalog for example, you can maintain the corresponding restrictions using this app.

Welcome 2111.1 update – welcome continuous delivery for SAP S/4HANA Cloud

How to adopt a new functionality delivered via SAP S/4HANA Cloud Updates

Releases, Updates and Hotfix: a short guide for SAP S/4HANA Cloud delivery channels

This blog series aims to inform about these questions and related news around the topic of continuous delivery.

In addition to this, you can also get informed on the Continuous Feature Delivery landing page in the SAP Community.

What’s New in Your System App

Since the 2208 release of SAP S/4HANA Cloud, customers can also navigate to the What’s New entries via their system. Check out this blog post for more details.

Compliance

Compliance with SAP S/4HANA Cloud – Change Documents (SAP Help Documentation)

Compliance with SAP S/4HANA Cloud – Business User Monitoring

Compliance with SAP S/4HANA Cloud – Business Role Monitoring

Compliance with SAP S/4HANA Cloud – Security Audit Log

This blog series informs about the different compliance features in SAP S/4HANA Cloud.

Security Audit Log API for SAP S/4HANA Cloud

This blog post describes how you can make use of the Security Audit Log REST API which has been released with the 2108 release upgrade. Check the SAP Help documentation for more details on the SAL.

SAP Note 2903873 – FAQ: Fiori App “Display Security Audit Log”

This SAP Note is a FAQ document for the Fiori App “Display Security Audit Log” and provides further information in addition to the SAP Help documentation.

SAP Support User Request Log

In the Display Technical Users app, you can display more information about when and why SAP support users accessed your customer system in the past 12 months. For each support user, the relevant incident ID, access level, access category, customer user, request date and validity date are displayed when you click on the required entry in the Users list. SAP support user IDs are pseudonymized to respect the data subject rights of SAP employees according to GDPR.

Common Use Cases

Restricting Payment Runs to Establish a Control Process

In this Microlearning you will learn about the importance of a control process during the payment run. In addition, there is a demo on how to configure the business roles in order to restrict the payment run.

Configuration Activity Excel

The Configuration Activity Excel provides an overview which business catalog in SAP S/4HANA Cloud gives you access to which configuration activity in CBC. Go to the tab IMG_ACT BusinessCatalog Match to get the overview.

For further information on configuration activities, please refer to the document Configuration Activity Excel assigned to the Accelerators in “SAP Activate Methodology for SAP S/4HANA Cloud (2SL)” or “SAP Activate Methodology for SAP S/4HANA Cloud (3SL)”.

Restrictions in Analytics for Universal Journal

Check this SAP Help documentation to understand the basic authorization concept for the Universal Journal in order to learn about the authorization context for

  • GENLDGR (General Ledger Accounting)
  • ASSET (Fixed Asset Accounting)
  • OVHDCOST (Cost Accounting – Overhead)
  • SALES (Cost Accounting – Sales)
  • INVTRY (Cost Accounting – Inventory)
  • PRODNCOST (Cost Accounting – Production)

Implement Dual Control for Sensitive Fields in Customer Master Data

In this SAP Help documentation you find guidance on how to implement a four-eyes-principle for sensitive fields in customer master data.

Implement Dual Control for Sensitive Fields in Supplier Master Data

In this SAP Help documentation you find guidance on how to implement a four-eyes-principle for sensitive fields in supplier master data.

Managing Identities

SAP S/4HANA Cloud

Initial System Access to SAP S/4HANA Cloud

This Enable Now recording guides customers through the initial steps for getting started with the SAP S/4HANA Cloud system.

Please also check out the onboarding guide for SAP S/4HANA Cloud.

SAP Central Business Configuration

User Setup and Access

On this SAP Help page you can find all relevant details for user setup and access in SAP Central Business Configuration. In addition you should check out the Tutorial Library which includes recordings for setup.

Authorization Concept

This SAP Help page provides an overview of the authorization concept in SAP Central Business Configuration.

Please note that the authorizations of the configuration user need to be maintained individually, i.e. in SAP Central Business Configuration and in SAP S/4HANA Cloud.

User Authentication in SAP Central Business Configuration

In this blog post, you will see how to manage business users in Central Business Configuration and how the authentication works.

CBC no authorization to start the UI while accessing SCCUI in S/4HANA Cloud

This blog post has been written to address a common customer query on authorization issues while accessing the configuration activities in CBC.

Avoid access issues during the initial set up of SAP Central Business Configuration for SAP S/4HANA Cloud

This blog post summarizes the most common access issues for SAP Central Business Configuration as well as some tips and tricks to avoid these.

SAP Note 3151787 – Central Business Configuration: Synchronize user permissions for configuration activities

This SAP Note addresses the issue when users with display (read-only) authorization in CBC can change (edit) configuration activities in SAP S/4HANA Cloud.

SAP S/4HANA Cloud embedded SAP Analytics Cloud

SAP Identity Provisioning (IPS) is now bundled with SAP S/4HANA Cloud!

This blog post gives insights on how the user management works for embedded SAC applications running on SAP S/4HANA Cloud. Check this blog post for the integrated analytics scenarios in SAP S/4HANA Cloud.

Go for your quick win! Migrate Identity Provisioning tenants to SAP Cloud Identity infrastructure

Administrators of Identity Provisioning bundle tenants on SAP BTP, Neo environment can now migrate them to the infrastructure of SAP Cloud Identity Services.

Migrating bundle tenants to the infrastructure of SAP Cloud Identity Services improves the integration between the group of services that provide cloud identity capabilities: Identity Authentication, Identity Provisioning, and Identity Directory.

It allows you to take advantage of all Identity Provisioning new features, which from now on are released only for tenants on SAP Cloud Identity infrastructure.

For more information, see Migrate Identity Provisioning Tenant

SAP Cloud Identity Services

YouTube – Connect Azure AD with SAP IAS

Blog – Connect Ping Identity with SAP IAS

Blog – Connect Okta to SAP IAS

These resources document how a corporate identity provider can be integrated with the SAP Cloud Identity Services – Identity Authentication.

Options to manipulate the subject name ID coming from the corporate IdP in proxy scenarios

In this blog post, you will learn what options are available if you are using SAP IAS as a proxy and you want to modify the subject name ID (let’s say attribute A) that you got from the corporate IdP.

SAP IAM Tenant Overview

As an SAP customer, would you like to see all of your SAP IAS and IPS tenants in one place, with the region, tenant type, creation date, and administrators? Enter your S-User to get an overview of your administrators. Check this blog post for details.

Go for your quick win! Migrate Identity Provisioning tenants to SAP Cloud Identity infrastructure

Administrators of Identity Provisioning bundle tenants on SAP BTP, Neo environment can now migrate them to the infrastructure of SAP Cloud Identity Services.

Migrating bundle tenants to the infrastructure of SAP Cloud Identity Services improves the integration between the group of services that provide cloud identity capabilities: Identity Authentication, Identity Provisioning, and Identity Directory.

It allows you to take advantage of all Identity Provisioning new features, which from now on are released only for tenants on SAP Cloud Identity infrastructure.

For more information, see Migrate Identity Provisioning Tenant

Tools

SAP Activate Methodology for SAP S/4HANA Cloud

SAP Activate Methodology for SAP S/4HANA Cloud (2SL)

SAP Activate Methodology for SAP S/4HANA Cloud (3SL)

The roadmap is intended to guide the implementation team through the SAP S/4HANA Cloud implementation. It is comprised of Phases, Deliverables, and Tasks in accordance with the SAP Activate methodology.

Please check this blog post to stay up-to-date with the latest SAP Activate Content Updates.

New IAM Tag in SAP Activate Methodology for SAP S/4HANA Cloud

In this blog post you will learn how to identify IAM-related tasks within your SAP S/4HANA Cloud implementation project.

Accelerating SAP S/4HANA Cloud IAM Activities with SAP Activate

In this openSAP microlearning you can see how you can accelerate your IAM activities by leveraging the SAP Activate Methodology for SAP S/4HANA Cloud.

Configuration Activity Excel

The Configuration Activity Excel provides an overview which business catalog in SAP S/4HANA Cloud gives you access to which configuration activity in CBC. Go to the tab IMG_ACT BusinessCatalog Match to get the overview.

For further information on configuration activities, please refer to the document Configuration Activity Excel assigned to the Accelerators in “SAP Activate Methodology for SAP S/4HANA Cloud (2SL)” or “SAP Activate Methodology for SAP S/4HANA Cloud (3SL)”.

How to Create Application – Workplace List

The purpose of this accelerator is to enable and educate users on how to download the relevant information required for the Application – Workplace list from the SAP Fiori Apps Reference Library. This list will help to identify the applications and required business catalogs during the Fit-to-Standard workshops.

For more details check the task Document Identity and Access Management in the Activate Roadmap.

Four Pillars of SAP S/4HANA Cloud IAM Release Activities

This presentation contains SAP’s recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly. You can also find it in the SAP Activate Roadmap in the Run phase.

SAP Fiori Apps Reference Library

SAP Fiori Apps Reference Library

The SAP Fiori apps reference library supports you with its functions and integration with existing tools throughout the phases of an SAP Fiori implementation project: from exploring the available apps and planning your SAP Fiori implementation project to setting up and configuring your system landscape and running your apps in the productive system.

Finding the Equivalent SAP Fiori App with Classic T-Code in SAP S/4HANA Cloud – Part 1

Finding the Equivalent SAP Fiori App with Classic T-Code in SAP S/4HANA Cloud – Part 2

In this blog series you will get to learn how to search for classic T-Codes in your SAP S/4HANA Cloud system by making use of the content in the SAP Fiori Apps Reference Library.

Conclusion

Please feel free to provide your feedback in the comment sections.

For more updates you can follow me via LinkedIn or @anandkapadia18

      2 Comments
      Saumitra Deshmukh

      Great compilation of knowledge, resources and information on Identity and Access Management in SAP S/4HANA Cloud. Surely benefit our ecosystem in this area. Thanks Anand Kapadia

      Andrew Saunders

      This is the most comprehensive resource I've seen on these topics for S/4HANA Cloud.

      Thanks for this!