SAP Cloud Identity Services administration for first-time implementers of an SAP S/4HANA Cloud, public edition project
Customers and partners using SAP S/4HANA Cloud, public edition are provided with SAP Cloud Identity Services by default as part of their subscription. Because the SaaS and public cloud model differs from the SAP on-premise and legacy world, this blog post explains how SAP Cloud Identity Services supports user identity and authentication throughout the lifecycle of an SAP S/4HANA Cloud, public edition project.
I will pose a few scenarios and then look at each one in detail, covering the most common situations that come up during an SAP S/4HANA Cloud, public edition implementation and in subsequent operations.
Although SAP Cloud Identity Services serves many use cases, this blog post is limited to its use with SAP S/4HANA Cloud, public edition.
Before we get started, the first thing to understand is that SAP Cloud Identity Services is MANDATORY for every SAP S/4HANA Cloud, public edition system: it handles authentication and the identity lifecycle for the applications included in the subscription (here, SAP S/4HANA Cloud, public edition). You cannot skip SAP Cloud Identity Services in an SAP S/4HANA Cloud, public edition implementation. If you have a separate or external identity provider, SAP Cloud Identity Services must still be used as a proxy that delegates authentication to your own identity provider; it remains the identity provider that the applications trust.
First-time SAP S/4HANA Cloud, public edition project managers and implementers: making the Identity Services in an SAP S/4HANA Cloud, public edition project easy to understand
The illustration above is a timeline of the tasks an identity administrator performs during the initial provisioning of the systems and landscapes:
- Onboard Users for SAP Cloud ALM
- Initial User Account Setup for SAP CBC
- Import Users to IAS from Starter System (both Customizing and Development tenants)
- Import Users to IAS from Development System (both Customizing and Development tenants)
- Import Users to IAS from Test System
- Import Users to IAS from Production System
Question 1: How do I subscribe to SAP Cloud Identity Services (Identity Authentication) for SAP S/4HANA Cloud, public edition?
As stated in the introduction, once a customer or partner signs a contract for SAP S/4HANA Cloud, public edition, SAP Cloud Identity Services is included in the same offering. You do not have to subscribe to it separately or acquire separate licensing. It is part of the SAP Cloud Services that come with the RISE with SAP and GROW with SAP packages. Find more details here – Service Use Description.
- The Cloud Service includes use of SAP Cloud Platform, Identity Authentication, which may only be used for Authorized User authentication
- The Cloud Service includes use of SAP Cloud Platform Identity Provisioning.
Hence the answer is: you do not have to separately request or subscribe to SAP Cloud Identity Services in an SAP S/4HANA Cloud, public edition project.
Question 2: If I do not subscribe to SAP Cloud Identity Services separately, how do I request the SAP Cloud Identity Services tenants?
You as an implementer do not need to request the SAP Cloud Identity Services tenants separately either.
- If you are working in a customer project -> SAP Cloud Identity Services is provisioned for you automatically in the Prepare phase, when the provisioning of SAP Central Business Configuration and SAP Cloud ALM is requested via SAP for Me. For the provisioning sequence and landscapes in more detail, see my previous blog post – How’s and Who’s of Provisioning and Onboarding for SAP S/4HANA Cloud, public edition.
- If you are working as a partner -> SAP Cloud Identity Services is provisioned for you automatically in the Discover phase (it can also happen later, at any time while buying the SAP S/4HANA Cloud Partner Cloud Test, Demo, and Development tenant). For details on the partner landscape and what it includes, see Alessandro Sabidussi’s blog post – Step-by-Step Guide to Onboarding and Activating the Partner Cloud Test, Demo, and Development for S/4HANA Cloud, Public Edition.
Question 3: If I do not have to request SAP Cloud Identity Services, how do I know whether I have access to the tenant and can start project work?
A fair question given the two answers above: if you are not expected to request the tenants, how do you learn which tenants you have and how to start working in them? SAP has automated this too. The IT contact person is the customer or partner contact who receives the initial emails to activate and access SAP Cloud Identity Services. If your organisation has not used SAP Cloud Identity Services before the current project, the IT contact person receives an activation email containing the activation URL and the URL of the SAP Cloud Identity Services administration console, which is used for all further steps in SAP Cloud Identity Services. The first user created by SAP Cloud Operations in SAP Cloud Identity Services is this IT contact person, who is also the initial administrator of the tenant and from then on is responsible for the administrative steps, including adding further administrators.
Below is an example of the activation email the IT contact person should receive:
Question 4: What if I already have an SAP Cloud Identity Services being used separately or with other SAP Cloud solutions?
The SAP Cloud Identity Services – Tenants application shows which Identity Authentication and Identity Provisioning tenants are assigned to a customer ID and who their tenant administrators are. Viewing Assigned Tenants and Administrators describes how to check the tenants assigned to your contracts.
The default tenants, one test and one productive tenant per customer, are provided regardless of how many signed contracts include or bundle SAP Cloud Identity Services. Additional productive or test tenants beyond the initial ones must be purchased separately; see Tenant Model and Licensing. This means that if you already have SAP Cloud Identity Services tenants in your customer or partner scenario, you reuse them to manage all the applications you will provision in the SAP S/4HANA Cloud, public edition project.
Once you log in to SAP Cloud Identity Services as an administrator, you can also check the applications managed by the current tenant in the Applications & Resources tab.
Question 5: Now that I have accessed SAP Cloud Identity Services as an administrator, what do I do next?
Depending on the project charter and the roles and responsibilities, you are either the administrator yourself, or you are the IT contact person and want to delegate the next steps to the right person.
- If you are an administrator yourself – proceed with the next steps for accessing the landscape systems and setting up the tenants and systems listed in the Prepare phase. Soon after the activation emails for SAP Cloud Identity Services, the same IT contact person should also have received the initial emails for SAP Cloud ALM, the SAP Central Business Configuration tenant, and the SAP S/4HANA Cloud, public edition Customizing and Development tenants. If you are responsible only for security and identity administration, get in touch with the project team right away (project managers, technical and functional consultants, business stakeholders), because the next setup steps are critical to the project: adding the business users to SAP Central Business Configuration, selecting the scope and localizations, making the primary finance settings, and selecting the deployment targets. For the tasks related only to SAP Cloud Identity Services, follow the steps described here for 1) accessing SAP Cloud ALM and creating users and 2) accessing the SAP Central Business Configuration tenant and setting it up for authentication of the users who will work in SAP Cloud ALM and SAP Central Business Configuration.
- For the SAP Cloud ALM setup, SAP Cloud Identity Services acts as the identity provider, so every user logging in to SAP Cloud ALM must authenticate through the provided SAP Cloud Identity Services tenant. Note that for SAP Cloud ALM a productive SAP Cloud Identity Services tenant is provisioned and used. The steps for the identity administrator are described here – Onboard Users in Your Identity Authentication Service. For SAP Cloud ALM only authentication is done in SAP Cloud Identity Services; authorizations (roles) are assigned directly in SAP Cloud ALM.
- For SAP Central Business Configuration, SAP Cloud Identity Services currently handles both authentication and authorization: it is responsible not just for authenticating users but also for the authorizations of the tasks they may perform in SAP Central Business Configuration. SAP Central Business Configuration has no authorization concept of its own today and relies on SAP Cloud Identity Services to propagate authorizations via user groups, which are nothing but the SAP Central Business Configuration roles. These roles are created in SAP Cloud Identity Services by default and cannot be modified. A practical consequence: whoever can assign user groups in the SAP Cloud Identity Services administration console can grant SAP Central Business Configuration authorizations, so treat group assignment with the same care as role assignment. Find more details here – Standard Roles and Authorizations and Standard Authorization Concept in Project Experiences (SAP Central Business Configuration). The steps in SAP Cloud Identity Services for SAP Central Business Configuration are described here – Initial User Account Setup.
- For the SAP S/4HANA Cloud systems, SAP Cloud Identity Services currently acts as the authenticator, so you must add the users who need to log in to SAP S/4HANA Cloud systems to the respective SAP Cloud Identity Services tenant so that they can be authenticated on every login. The non-productive SAP Cloud Identity Services tenant is used for the Starter System (Customizing + Development tenant), the Development System (Customizing + Development tenant) and the Test System, whereas the Production System uses the productive SAP Cloud Identity Services tenant (the one received with SAP Cloud ALM). The steps described here should help the project’s identity administrator – Initial System Access to SAP S/4HANA Cloud in Your 3-System Landscape. For the Starter System these steps are done in the Prepare phase; for the Development, Test and Production systems the same steps are done in the Realize phase.
- If you are not an administrator – immediately add an administrator following the steps described here – Add Administrators. Since you are not really the administrator, it is also important to change the IT contact person who will receive the initial emails for the Development, Test and Production systems. This can be done by submitting a ticket to the component XX-OPR-SRV-SRV titled ‘Request update to the Contact Person IT’ with the valid email address of the person who is to become the IT contact person. Once the right administrator is determined and added, that person is responsible for the activities described above in SAP Cloud Identity Services for the project.
Question 6: Now that the Admin has done the initial setup tasks, what are the next steps for the Identity Admin?
Once the initial setup is done, many tasks may require your expertise as an identity administrator to maintain identity management throughout the implementation and beyond go-live. Here are a few of the common tasks I have seen in real SAP S/4HANA Cloud, public edition implementation projects:
- Adding a new project member to SAP Central Business Configuration mid-project:
  - Log in to the SAP Cloud Identity Services administration console as administrator.
  - Add the user in SAP Cloud Identity Services -> go to the tab ‘User & Authorization’ >> User Management >> Import/Add. This also sends the initial activation email for the SAP Central Business Configuration system; alternatively, use ‘Import Users’ after the users have been created to send the activation emails later.
  - Once the user exists, assign the relevant user group (the SAP Central Business Configuration role) that is already available in SAP Cloud Identity Services:
  - For a single user, navigate to the user in ‘User Management’ >> sub-tab ‘User Groups’ >> Assign.
  - To add several users to one group, navigate to ‘User Group’ >> select the user group >> click ‘Add’ and pick the users after they have been created.
  - Now that the user is created and assigned to the user group, replicate the user to SAP Central Business Configuration using the SAP Cloud Identity Provisioning service:
  - Go to the tab ‘Identity Provisioning’ >> drop-down option ‘Source System’ >> select the source system IAS-<part of CBC Link> and run the read job. This replicates the users from IAS to SAP Central Business Configuration.
  - The new user now has the SAP Central Business Configuration roles assigned and can access SAP Central Business Configuration; what the user may do in the project experience depends on the roles assigned. Often, however, new users also need to work on configuration in an SAP S/4HANA Cloud system (Starter or Development System). For that, the user must be created as a worker (employee) in the SAP S/4HANA Cloud system and given a business user with the right roles and authorizations, which are governed directly by the SAP S/4HANA Cloud system. The same user can then be taken from SAP Central Business Configuration straight to the SAP S/4HANA Cloud configuration screen. For the whole process, once again follow the steps in Initial System Access to SAP S/4HANA Cloud in Your 3-System Landscape.
- Allowing/Restricting User Authentication based on an IP Range:
  - In corporate environments it is often required, for security reasons, that SAP S/4HANA Cloud systems can only be accessed from a defined set of IP ranges. For this, SAP Cloud Identity Services provides the options:
- Setting up Single Sign-On (SSO) with Microsoft Azure AD:
  - Integrating SAP Cloud Identity Services with Microsoft Azure AD for SSO is another common scenario. For that case see the product documentation – Integrating the Service with Microsoft Azure AD.
- Troubleshooting and Monitoring:
  - There are several administration tasks for troubleshooting and monitoring.
  - When running the read jobs, inconsistencies or changes can make the job that replicates users from IAS to SAP Central Business Configuration fail. In such cases go to the Provisioning Logs and analyze the errors. In most cases the error message is quite comprehensive, and the errors are well documented in the SAP for Me KBA collections. Below is a glimpse of one of the errors we faced, for which we found a KBA immediately and resolved the issue within five minutes.
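The ‘Adding a new project member’ procedure above is described as console clicks. The same steps can be scripted against the Identity Authentication tenant, which also exposes a SCIM 2.0 API for users and groups. The following is an added example, not code from the blog post or from SAP. It assumes the SCIM base URL https://<tenant>.accounts.ondemand.com/scim (verify against your tenant), that the group for the SAP Central Business Configuration role already exists and its id is known (the g-cbc-admin id below is made up), and that authentication of the HTTP calls (system user or OAuth client) is handled by the injected send function. A FakeDirectory stands in for the tenant so the script runs offline; against a real tenant you would replace it with an HTTP client that performs the same GET/POST/PATCH requests.

```python
"""Idempotent onboarding of a CBC project member over the IAS SCIM 2.0 API.

Added example, not from the blog post. Assumptions: the Identity Authentication
tenant exposes SCIM 2.0 under https://<tenant>.accounts.ondemand.com/scim, the
CBC role groups already exist (ids passed in), and credentials are handled by the
injected `send` callable. FakeDirectory stands in for the tenant so this runs offline.
"""
from dataclasses import dataclass, field

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass
class Request:
    method: str
    path: str                           # relative to the SCIM base URL
    params: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


class IasScimClient:
    def __init__(self, send):
        self.send = send                # callable(Request) -> parsed JSON response

    def find_user(self, user_name):
        # SCIM filter on the unique login name; the quotes are part of the filter grammar
        return self.send(Request("GET", "/Users", params={"filter": f'userName eq "{user_name}"'}))

    def create_user(self, user_name, email, given, family):
        body = {
            "schemas": [SCIM_USER],
            "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}],
            "active": True,
        }
        return self.send(Request("POST", "/Users", body=body))

    def add_to_group(self, group_id, user_id):
        # Group membership in IAS *is* the CBC authorization, so this is the privileged step
        body = {"schemas": [SCIM_PATCH],
                "Operations": [{"op": "add", "path": "members", "value": [{"value": user_id}]}]}
        return self.send(Request("PATCH", f"/Groups/{group_id}", body=body))


def onboard_cbc_member(client, user_name, email, given, family, group_id):
    """Look the user up first so a re-run does not fail with 409 on a duplicate userName."""
    found = client.find_user(user_name)
    user = found["Resources"][0] if found["totalResults"] else client.create_user(user_name, email, given, family)
    client.add_to_group(group_id, user["id"])
    return user["id"]


class FakeDirectory:
    """In-memory stand-in for the tenant's SCIM endpoint (constructed, runs offline)."""
    def __init__(self, group_ids):
        self.users, self.calls, self._seq = {}, [], 0
        self.groups = {g: {"id": g, "members": []} for g in group_ids}

    def __call__(self, req):
        self.calls.append((req.method, req.path))
        if req.method == "GET" and req.path == "/Users":
            wanted = req.params["filter"].split('"')[1]
            hits = [u for u in self.users.values() if u["userName"] == wanted]
            return {"totalResults": len(hits), "Resources": hits}
        if req.method == "POST" and req.path == "/Users":
            if any(u["userName"] == req.body["userName"] for u in self.users.values()):
                raise RuntimeError("409 Conflict: userName already exists")
            self._seq += 1
            user = dict(req.body, id=f"u-{self._seq}")
            self.users[user["id"]] = user
            return user
        if req.method == "PATCH" and req.path.startswith("/Groups/"):
            group = self.groups[req.path.rsplit("/", 1)[1]]
            for op in req.body["Operations"]:
                for member in op["value"]:
                    if member["value"] not in group["members"]:
                        group["members"].append(member["value"])
            return group
        raise RuntimeError(f"unexpected request {req.method} {req.path}")


if __name__ == "__main__":
    directory = FakeDirectory(["g-cbc-admin"])   # hypothetical CBC role group id
    client = IasScimClient(directory)
    for _ in range(2):   # the second run must not create a duplicate user
        uid = onboard_cbc_member(client, "jdoe@example.com", "jdoe@example.com", "Jane", "Doe", "g-cbc-admin")
        print(uid, directory.groups["g-cbc-admin"]["members"])
```

The lookup-before-create makes a re-run harmless: the second run finds the existing user and only re-asserts the group membership instead of hitting a 409 on the duplicate userName. Because group membership is the SAP Central Business Configuration authorization, the credential used for the PATCH on /Groups is the one to restrict and audit most tightly; the read job in Identity Provisioning still has to run afterwards to carry the user into SAP Central Business Configuration, exactly as in the console procedure.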
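The ‘Allowing/Restricting User Authentication based on an IP Range’ item above names the capability, but the options themselves are not reproduced in the text. To make the rule semantics concrete, here is an added example (not from the blog post and not SAP’s implementation) that models an ordered list of allow/deny rules with a default action: rules are checked top-down, the first rule whose IP range and optional user group both match decides, and the default applies when nothing matches. The ranges are documentation prefixes and the IdentityAdmins group name is made up for the example; verify the exact evaluation order and default behaviour of your tenant in the Identity Authentication documentation before relying on it.

```python
"""First-match evaluation of IP-range authentication rules.

Added example, not from the blog post and not SAP's implementation. It models an
ordered rule list with a default action: rules are checked top-down, the first
rule whose IP range (and optional user group) matches decides, and the default
applies when nothing matches. Sample ranges are RFC 5737 / RFC 3849 documentation
prefixes, constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    ip_range: Optional[str] = None   # CIDR; None matches any source address
    group: Optional[str] = None      # IAS user group; None matches any user


def evaluate(rules, client_ip, user_groups=(), default="deny"):
    """Return the action for one authentication attempt from client_ip."""
    addr = ipaddress.ip_address(client_ip)        # raises ValueError on garbage input
    for rule in rules:
        if rule.ip_range is not None:
            net = ipaddress.ip_network(rule.ip_range, strict=False)
            # An IPv4 address is never inside an IPv6 network (and vice versa);
            # that mismatch means "rule does not match", not an error.
            if addr.version != net.version or addr not in net:
                continue
        if rule.group is not None and rule.group not in user_groups:
            continue
        return rule.action
    return default


# Constructed policy: corporate egress ranges may log in, identity admins may
# also log in from anywhere, everything else falls through to the default deny.
CORPORATE_RULES = [
    Rule("allow", ip_range="203.0.113.0/24"),
    Rule("allow", ip_range="2001:db8:ac10::/48"),
    Rule("allow", group="IdentityAdmins"),
]

# The same rules with a blanket deny placed first: order decides the outcome,
# so the corporate range never gets a chance to match.
MISORDERED_RULES = [Rule("deny")] + CORPORATE_RULES


if __name__ == "__main__":
    for ip, groups in [("203.0.113.7", ()), ("198.51.100.9", ()),
                       ("198.51.100.9", ("IdentityAdmins",)), ("2001:db8:ac10::1", ())]:
        print(f"{ip:<20} {groups!s:<22} -> {evaluate(CORPORATE_RULES, ip, groups)}")
```

Two caveats apply when translating this into a real rule set. The address evaluated is the source address the identity service sees at login time, so behind a corporate proxy or VPN it is the proxy’s egress address that must appear in the allowed range. And because the check happens during authentication, it is an authentication-time control on who can log in, not a network control on the SAP S/4HANA Cloud endpoints themselves.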
I hope this provides a brief yet essential view of the initial tasks of an SAP identity administrator in an SAP S/4HANA Cloud, public edition project. Naturally there are many more tasks in the context of SAP Cloud Identity Services, but as this blog post is aimed at first-time users of SAP Cloud Identity Services for SAP S/4HANA Cloud, I believe it will help them kick-start their projects easily and confidently.