Enterprise Resource Planning Blogs by SAP
anandkapadia
Product and Topic Expert

Latest Updates

  • 24.04.2024: Added link to blog post ISAE 3000 for SAP S/4HANA Cloud Public Edition - Evaluation of the Authorization Role Concept
  • 28.02.2024: Added SAP Note 3404825 - Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud 2402
  • 12.01.2024: Added reference to DSAG Audit Guidelines / DSAG Prüfleitfaden for SAP S/4HANA
  • 10.10.2023: Added link to Developer and Key User Extensibility
  • 22.09.2023: Added link to openSAP Microlearning "Understanding the Entry Source Value in Manage Workforce of SAP S/4HANA Cloud"

Introduction

In the last few years, a significant amount of S/4HANA Cloud IAM-related content was created aiming to help customers and partners to understand core IAM concepts relevant for the SAP S/4HANA Cloud Public Edition universe. As the content was created across different platforms (openSAP Microlearning, SAP Blogs, SAP Enterprise Support Portal, SAP Activate Roadmap, etc.) I want to provide a central location. The blog post "SAP S/4HANA Cloud Identity Access Management, Public Edition - Your Knowledge Base" aims to provide a one-stop-shop to find IAM-related content relevant for SAP S/4HANA Cloud Public Edition and thus simplify the journey for becoming an S/4HANA Cloud, public edition IAM expert. Therefore, I have collected different resources (blog posts, SAP notes, webinars, etc.) in this blog post which can help you to structure the topics and get started. Please note this blog post contains SAP S/4HANA Cloud 2-system landscape (2SL) as well as 3-system landscape (3SL) specific information. In general, this blog post is divided into the following topics:

  • Access Management
  • Identity Management
  • Integration and Extensibility
  • Security
  • Tools and Methodology

Please note this blog post makes no claim to completeness as the development in the SAP S/4HANA Cloud IAM area is fast-moving and new solutions and concepts might be implemented at the time of reading. The idea of this blog post is to provide a knowledge base for SAP users who want to gain knowledge in this area.

Access Management

Trainings and Webinars

In this recorded webinar you get to learn how to get started with SAP S/4HANA Cloud IAM and the recommended implementation methodology for setting up an authorization concept. Before you can access the link, a one-time registration in the SAP Learning Hub, edition for SAP Enterprise Support, is required. Detailed step-by-step guidance can be found here.

*For internal employees, if the learning asset link does not work, you are missing an authorization for the SAP Learning Hub, edition for SAP Enterprise Support. Please utilize the Internal Edition of SAP Learning Hub.

Note: First time users will be prompted to subscribe. The subscribe button is at the bottom of the page. Once you subscribe, you will get instant access to SAP Learning Hub, internal edition.

In this SAP Preferred Success webinar series you will get to learn about the different IAM apps in SAP S/4HANA Cloud. Access to the customer adoption journey requires a SAP Preferred Success subscription. Please reach out to your CSM in case you require any support.

In this course you will learn how to set up and manage user access in SAP S/4HANA Cloud Public Edition. Learn about the elements and tools of the authorization concept, understand the Business User Concept, administer Roles, perform troubleshooting and monitoring tasks upon authorization assignments, and manage and maintain Business Role changes after upgrades.

Fundamentals

The SAP S/4HANA Cloud help documentation provides a general overview of the IAM features in your system.

This blog post provides a basic understanding of business roles for SAP S/4HANA (onPrem as well as Cloud). It offers interesting thoughts that are worth considering for your authorization concept philosophy.

For SAP S/4HANA Cloud 2SL:

It is recommended to use the Business Role Templates only in the Starter System and Quality System (e.g. for the fit-to-standard workshop and testing in general).

For the business roles in the Production System, it is strongly recommended to create your own custom business roles based on the identified workplaces. As part of compliance, these custom business roles should then be created and maintained only in the Q-System and transported into the P-System via Software Collections. Changing business roles directly in the P-System could cause an error that would put the productive environment and the productive data at greater risk.

For SAP S/4HANA Cloud 3SL:

It is recommended to use the Business Role Templates only in the Starter System and Development System (e.g. for the fit-to-standard workshop and testing in general).

For the business roles in the Production System, it is strongly recommended to create your own custom business roles based on the identified workplaces. As part of compliance, these custom business roles should then be created and maintained only in the Development System, transported into the Test System and then forwarded into the Production System via Software Collections. Changing business roles directly in the Production System could cause an error that would put the productive environment and the productive data at greater risk.

Best Practices for Business Role Management

This accelerator shares recommendations for setting up a naming convention in S/4HANA Public Cloud 2-System-Landscape for Business Roles, Spaces and Pages.

This accelerator shares recommendations for setting up a naming convention in S/4HANA Public Cloud 3-System-Landscape for Business Roles, Spaces and Pages.

This presentation contains SAP's recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly in a SAP S/4HANA Cloud 2-System-Landscape.

This presentation contains SAP's recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly in a SAP S/4HANA Cloud 3-System-Landscape.

Deep Dives

In this blog series you will get to learn how to search for classic T-Codes in your SAP S/4HANA Cloud system and what are the prerequisites.

In this openSAP Microlearning you will learn about the importance of a control process during the payment run. In addition, there is a demo on how to configure the business roles in order to restrict the payment run.

Check this SAP Help documentation to understand the basic authorization concept for the Universal Journal.

In this SAP Help documentation you find guidance on how to implement a four-eyes-principle for sensitive fields in customer master data.

In this SAP Help documentation you find guidance on how to implement a four-eyes-principle for sensitive fields in supplier master data.

This SAP Help documentation explains the authorization concept for CoA maintenance.

The Configuration Activity Excel provides an overview of which business catalog in SAP S/4HANA Cloud gives you access to which configuration activity in CBC.

You can find it under Accelerators > Implementation > Configuration apps

Once you have downloaded the file, go to the tab IMG_ACT BusinessCatalog Match to get the overview.

SAP Fiori Launchpad for SAP S/4HANA Cloud

As a business user you can now benefit from a seamless and enjoyable user experience. If you are just getting started with spaces and pages, and My Home then the following demo videos are for you.

In this openSAP microlearning the SAP Fiori Spaces and Pages concept is presented.

In this openSAP microlearning the tools for the SAP Fiori Spaces and Pages concept are presented.

Spaces and pages offer more flexibility to influence the launchpad layout for different user groups. Each user sees one or more spaces that contain one or more pages. The pages show apps clustered in different sections. Spaces and pages are assigned to users via the business roles. Read this for tips on creating and handling spaces and pages.

This blog post describes how you can translate your custom SAP Fiori Spaces and Pages content in different languages. This is especially helpful for end user requirements requesting multiple languages support.

As already announced, the classic homepage based on groups will no longer be available in future SAP S/4HANA Cloud Public Edition releases; spaces and pages will be the only available layout option (please refer to SAP Note 2970113 - SAP S/4HANA Cloud Public Edition: Replacement of SAP Fiori launchpad home page (Outdated) ...).

With SAP S/4HANA Cloud Public Edition 2302 SAP has already shipped predefined spaces and pages that merged with each other on the SAP Fiori launchpad. Merging is now also available for customers with SAP S/4HANA Cloud Public Edition 2402, SAP S/4HANA 2023 Private Edition FPS01 and SAP S/4HANA 2023 FPS01.

Release Management

In this presentation you can always find the latest information about upgrade and maintenance schedules for your SAP S/4HANA Cloud 2-System-Landscape.

In this presentation you can always find the latest information about upgrade and maintenance schedules for your SAP S/4HANA Cloud 3-System-Landscape.

This central SAP Note provides access to all available SAP Notes that contain release-specific IAM change information. You can mark this SAP Note as favorite to be notified when information is updated.

This presentation contains SAP's recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly in a SAP S/4HANA Cloud 2-System-Landscape.

This presentation contains SAP's recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly in a SAP S/4HANA Cloud 3-System-Landscape.

Coming from a quarterly release cycle, SAP S/4HANA Cloud has started to reduce the number of releases and system upgrades per year and in parallel provide frequent updates in between these releases. Overall goal: to significantly reduce the effort associated with release upgrades while innovations can be adopted faster and more flexibly in between releases.

Identity Management

Initial System Access

Learn about the initial onboarding concept and the related activities that the initial admin user performs to set up the systems. Check out the FAQs for guidance during the onboarding process.

This Enable Now recording guides customers through the initial steps for getting started with the SAP S/4HANA Cloud system.

Guides for Identity Management

Depending on the setup of your IT landscape, choose between different identity management scenarios for your SAP S/4HANA Cloud system and integrated products. The identity management scenarios differ with regard to the leading system to which workers (employees or contingent workers) and their work agreements (employments) are onboarded as well as where the corresponding users are initially created. This guide covers identity management scenarios.

SAP Cloud Identity Services are a group of services of SAP Business Technology Platform (SAP BTP), which enable you to integrate identity and access management (IAM) between systems. The goal is to provide a seamless single sign-on (SSO) experience across systems while ensuring that system and data access are secure.

Manage Workforce

The app "Manage Workforce" is a new app which is available with the 2208 release of SAP S/4HANA Cloud. With this app, you can create and update workers (employees and contingent workers) including work agreements and change employment situations. Check the blog post for more details.

In this blog post the IAM basics for the Manage Workforce are presented.

This openSAP Microlearning on SAP S/4HANA Cloud introduces you to the value of the entry source in the Manage Workforce application and explains the various entry sources available in SAP S/4HANA Cloud for the workforce.

Integration and Extensibility

APIs for Business User Management

Update business users from your external data source such as an identity management system using this synchronous inbound service.

Read business users from your external data source such as an identity management system using this synchronous inbound service.

Read metadata information from your external data source such as an identity management system for service Business User with this synchronous inbound service.

Read change documents for business users using this synchronous inbound service.

Read business role details using this synchronous inbound service.

Read and manage business users from an external system using the System for Cross-domain Identity Management (SCIM) protocol.

APIs for Workforce Management

Replicate basic master data for workforce from external HR systems using this inbound service.

Read, create or delete the skill tag information of a person in the S/4HANA system.

APIs for Communication Management

Read communication arrangements using this synchronous inbound service.

Read communication systems using this synchronous inbound service.

Read communication user using this synchronous inbound service.

APIs for Security

Read the client certificates and certificate trust lists using this synchronous inbound service. The service provides certificate details.

Read Content Security Policy (CSP) using this synchronous inbound service. For more details also check out this blog post.

Read the protection allowlists using this synchronous inbound service.

This service enables you to retrieve the Security Audit Log data. For more details also check out this blog post.

Extensibility

Developer extensibility allows you to create development projects in an SAP S/4HANA Cloud system. It gives you the opportunity to develop cloud-ready and upgrade-stable custom ABAP code on SAP S/4HANA Cloud, combining the benefits of custom ABAP code, with the required restrictions for Cloud readiness, and the SAP S/4HANA programming model to build SAP Fiori apps. Check out the Identity and Access Management (IAM) Guide for details.

The extensibility apps help you customize applications and their UIs, reports, email templates, and form templates. Using extensibility apps, you can create database tables for segmentation, and design queries.

SAP Central Business Configuration

On this SAP Help page you can find all relevant details for user setup and access in SAP Central Business Configuration. In addition you should check out the Tutorial Library which includes recordings for setup.

This SAP Help page provides an overview of the authorization concept in SAP Central Business Configuration. Please note that the authorizations of the configuration user need to be maintained individually, i.e. in SAP Central Business Configuration and in SAP S/4HANA Cloud.

This blog post has been written to address a common customer query on authorization issues while accessing the configuration activities in CBC.

This SAP Note addresses the issue when users with display (read-only) authorization in CBC can change (edit) configuration activities in SAP S/4HANA Cloud.

SAP S/4HANA Cloud embedded SAP Analytics Cloud

This blog post gives insights on how the user management works for embedded SAC applications running on SAP S/4HANA Cloud. Check this blog post for the integrated analytics scenarios in SAP S/4HANA Cloud.

SAP Cloud Identity Services - Identity Authentication

As an SAP customer, would you like to see all of your SAP IAS and IPS tenants in one place, with the region, tenant type, creation date, and administrators? Enter your S-User to get an overview of your administrators. Check this blog post for details.

This integration document aims to provide information about single sign-on (SSO) options for SAP S/4HANA Cloud or SAP Integrated Business Planning and SAP Analytics Cloud, that use Identity Authentication as an authenticating or proxy identity provider.

In this blog post, you will learn what options there are available in case you are using SAP IAS as a proxy and you want to modify the subject name ID (let’s say attribute A) that you got from the corporate IdP.

SAP Cloud Identity Services - Identity Provisioning

SAP S/4HANA Cloud bundle allows you to use the Identity Provisioning service for synchronizing user data between source and target systems. The available source and target systems in this bundle can also be configured as proxy systems for indirect connection to external identity management systems.

When it comes to the SAP Cloud Identity Services, some of the most common questions raised in implementation projects revolve around: “What would be the best option for us out of all available ones?”. This blog will explain what those options are and how to choose among them.

Administrators of Identity Provisioning bundle tenants on SAP BTP, Neo environment can now migrate them to the infrastructure of SAP Cloud Identity Services. Migrating bundle tenants to the infrastructure of SAP Cloud Identity Services improves the integration between the group of services that provide cloud identity capabilities: Identity Authentication, Identity Provisioning, and Identity Directory. It allows you to take advantage of all Identity Provisioning new features, which from now on are released only for tenants on SAP Cloud Identity infrastructure. For more information, see Migrate Identity Provisioning Tenant.

SAP for Me

In this blog post you will learn how to get access to SAP for Me and basic steps required to get started in SAP for Me.

To review critical company data or access the support applications in the SAP for Me portal, visitors need a user ID, commonly named "S-user", and, in most cases, special permissions. For new customers, SAP creates the first user ID and assigns it the highest level of authorization, which makes it a so-called "super administrator" or, in case of an SAP cloud customer, a "cloud administrator".

In this blog post you will get to know about the authorization concept in SAP for Me. You will learn which authorizations your S-User will require to see specific dashboards and cards.

In this blog post you will get to know about the authorization concept in SAP for Me for SAP Partners. You will learn which authorizations your S-User will require to see specific dashboards and cards.

Security

Audit

The new DSAG audit guideline is designed to offer clear, actionable guidance for auditing SAP S/4HANA. It is structured to address the unique features and complexities of the SAP S/4HANA environment, thus making them an invaluable tool for auditors. With these guidelines, auditors can conduct more efficient and effective audits. Simultaneously, this guide also empowers customers to handle key security configurations in SAP S/4HANA, ensuring the secure processing of business data.

In order to identify the differences in auditing SAP S/4HANA on premise versus SAP S/4HANA Cloud Public Edition, Deloitte and SAP conducted a “dry run” audit of SAP S/4HANA Cloud Public Edition, and compared it with an existing on-premise system audit. The findings we generated from this project were summarized and presented to our development organization. More importantly, however, these findings are the basis of this blog series.

In this blog post, we will see the scope of the ISAE 3000 Assurance Report as well as the steps for requesting a copy of it. The use of this report is restricted. A copy of this report is available for all SAP S/4HANA Cloud Edition customers with productive systems. This report is also available for prospective customers under the signed non-disclosure agreement. The report may include a qualified opinion.

Compliance

SAP S/4HANA Cloud is delivered with secure default configurations wherever this is possible. However, you might want to review some settings and adjust them to your particular use case and corporate policies.

This SAP Note is a FAQ document for the Fiori App "Display Security Audit Log" and provides further information in addition to the SAP Help documentation.

In the Display Technical Users app, you can display more information about when and why SAP support users accessed your customer system in the past 12 months. For each support user, the relevant incident ID, access level, access category, customer user, request date and validity date are displayed when you click on the required entry in the Users list. SAP support user IDs are pseudonymized to respect the data subject rights of SAP employees according to GDPR.

Tools and Methodology

SAP Activate Methodology for SAP S/4HANA Cloud (2SL)

The roadmap is intended to guide the implementation team through the SAP S/4HANA Cloud (2SL) implementation. It is comprised of Phases, Deliverables, and Tasks in accordance with the SAP Activate methodology. Please check the SAP Activate Content Update blog posts for 2SL to stay up-to-date.

In this blog post you will learn how to identify IAM-related tasks within your SAP S/4HANA Cloud implementation project.

In this openSAP Microlearning you can see how you can accelerate your IAM activities by leveraging the SAP Activate Methodology for SAP S/4HANA Cloud.

The purpose of this accelerator is to enable and educate users on how to download the relevant information required for the Application - Workplace list from the SAP Fiori Apps Reference Library. This list will help to identify the applications and required business catalogs during the Fit-to-Standard workshops. For more details check the task Plan and Design Identity and Access Management in the Activate Roadmap.

This task references a presentation which contains SAP's recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly.

This accelerator shares recommendations for setting up a naming convention in S/4HANA Public Cloud 2-System-Landscape for Business Roles, Spaces and Pages.

This presentation contains SAP's recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly in a SAP S/4HANA Cloud 2-System-Landscape.

SAP Activate Methodology for SAP S/4HANA Cloud (3SL)

The roadmap is intended to guide the implementation team through the SAP S/4HANA Cloud (3SL) implementation. It is comprised of Phases, Deliverables, and Tasks in accordance with the SAP Activate methodology. Please check the SAP Activate Content Update blog posts for 3SL to stay up-to-date.

This task references a presentation which contains SAP's recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly.

This accelerator shares recommendations for setting up a naming convention in S/4HANA Public Cloud 3-System-Landscape for Business Roles, Spaces and Pages.

This presentation contains SAP's recommended approach for consuming IAM updates after the release upgrade and adopting your business roles accordingly in a SAP S/4HANA Cloud 3-System-Landscape.

SAP Fiori Apps Reference Library

The SAP Fiori apps reference library supports you with its functions and integration with existing tools throughout the phases of an SAP Fiori implementation project: from exploring the available apps and planning your SAP Fiori implementation project to setting up and configuring your system landscape and running your apps in the productive system.

In this blog series you will get to learn how to search for classic T-Codes in your SAP S/4HANA Cloud system and what are the prerequisites.

Conclusion

Please feel free to provide your feedback in the comment sections. 

For more updates you can follow me via LinkedIn.

 
