Introducing Identity and Access Management

Objective

After completing this lesson, you will be able to name the phases of Identity and Access Management and understand the setup of an Identity Management scenario.

Identity and Access Management – Introduction

Identity and Access Management in SAP S/4HANA Cloud Public Edition comprises user and identity management, roles and authorization, and authentication. It enables you to control user access to apps and specify what business users can do and see in the apps. This ensures regulatory compliance and security standards.

In this case all components except SAP for Me are involved:

The slide shows the 3-System Landscape within SAP S/4HANA Cloud Public Edition, highlighting all components except SAP for Me

After the following explanation, Adam gets the idea that, compared to the on-premise world he is used to,

  • the authentication (this represents either the user master record or the use of Single Sign-On software in the on-premise world) is done with the help of the Identity Authentication Service running outside the SAP S/4HANA Cloud Public Edition system.

    Note

    The Authentication Token from SAP Cloud Identity Service plays a role very similar to Single Sign-On. If the Web Browser is closed (closing a single tab is not sufficient), the token is lost (and the token can also expire after a certain time).

  • the authorizations are assigned to users as in the on-premise world, by assigning roles (now called Business Roles, which are mapped to Business Catalogs) in the SAP S/4HANA Cloud Public Edition system itself.

Identity and Access Management – Implementation Phases

During the different implementation phases for SAP S/4HANA Cloud Public Edition and integrated products you have to complete tasks related to identity and access management.

The next image gives an overview of all implementation phases:

The figure shows all steps during the different implementation phases for SAP S/4HANA Cloud Public Edition, from prepare to realize to run and upgrade

We recommend that you first familiarize yourself with the key concepts and apps before you jump to a specific implementation phase. Depending on the types of tasks you perform, some of these concepts may not apply to you:

Authentication
Every SAP S/4HANA Cloud Public Edition instance uses SAP Cloud Identity Services - Identity Authentication as identity provider (IdP). You can either use Identity Authentication natively as the source of user identities or you can use a proxy setup to connect an existing corporate IdP.
Identity and Access Management
Identity and Access Management (IAM) enables you to control user access to apps and specify what business users can do and see in the apps.
Workforce Management
Manage workforce that includes both employees and contingent workers in SAP S/4HANA Cloud Public Edition.
Transport Management for Identity and Access Management Artefacts
Get an overview of Identity and Access Management (IAM) artefacts that you can transport from your SAP S/4HANA Cloud Public Edition development system to your test system and then forward to your production system. Also learn about the best practices that we recommend for managing these transports.
Security Recommendations

SAP S/4HANA Cloud Public Edition is delivered with secure default configurations wherever this is possible. However, you might want to review some settings and adjust them to your particular use case and corporate policies. A typical example is user and authorization management.

Detailed information on every step is available in the SAP Help Portal under SAP S/4HANA Cloud Public Edition, Identity and Access Management.

Note

In this lesson we focus only on Set Up Identity Management for SAP S/4HANA Cloud Public Edition and Integrated Products.

Depending on the setup of your IT landscape, choose between different identity management scenarios for your SAP S/4HANA Cloud Public Edition system and integrated products. The identity management scenarios differ with regard to the leading system to which workers (employees or contingent workers) and their work agreements (employments) are onboarded as well as where the corresponding users are initially created.

Set Up Identity Management Scenarios without an Integrated HR System

In identity management scenarios without an integrated HR system, SAP S/4HANA Cloud Public Edition is the leading system for workers (employees and contingent workers) and work agreements. The flow for contingent workers and employees is identical in these identity management scenarios. The difference between these scenarios is where the corresponding users are initially created.

  • Set Up SAP S/4HANA Cloud Public Edition as the Leading System for Users: In this identity management scenario, neither a corporate user store nor an HR system is integrated.
  • Set Up SAP Cloud Identity Services as the Leading System for Users: In this identity management scenario, neither a corporate user store nor an HR system is integrated.
  • Set Up a Corporate User Store as the Leading System for Users: In this identity management scenario, an HR system isn't integrated.

Set Up Identity Management Scenarios with an Integrated HR System

In identity management scenarios with an integrated HR system, the HR system is the leading system for employees. The leading system for contingent workers is either SAP S/4HANA Cloud Public Edition or an integrated HR system, such as SAP SuccessFactors Employee Central. The corresponding users for both employees and contingent workers are initially created in a corporate user store.

  • Set Up SAP SuccessFactors Employee Central as the Leading System for Workers: In this identity management scenario, workers (employees or contingent workers) are onboarded to SAP SuccessFactors Employee Central. The corresponding users for both employees and contingent workers are initially created in a corporate user store.
  • Set Up SAP SuccessFactors Employee Central as the Leading System for Employees and SAP S/4HANA Cloud Public Edition as the Leading System for Contingent Workers: In this identity management scenario, employees are onboarded to SAP SuccessFactors Employee Central. Contingent workers and their work agreements are onboarded to SAP S/4HANA Cloud Public Edition. The corresponding users for both employees and contingent workers are initially created in a corporate user store.

Depending on the use case the following components could be involved:

The figure shows all components involved in different identity management scenarios

Caution

This slide is simplified: it shows all HR components on one slide (HR System, SAP SuccessFactors, and External Workforce Management System). In practice you would use none, one, or two of them.

Get an overview of the components involved in different identity management scenarios.

SAP S/4HANA Cloud Public Edition
The SAP S/4HANA Cloud Public Edition environment is modular. Depending on the setup of your IT landscape and the products you want to integrate with SAP S/4HANA Cloud Public Edition, different identity management scenarios are possible.
SAP Central Business Configuration
SAP Central Business Configuration enables you to scope, configure, and implement end-to-end business processes for SAP S/4HANA Cloud Public Edition from one central place.
SAP Cloud Identity Services
SAP Cloud Identity Services are a group of services that run on SAP Business Technology Platform (SAP BTP) and enable you to integrate identity and access management between systems. The goal is to provide a seamless single sign-on (SSO) experience across systems while ensuring that system and data access are secure. SAP Cloud Identity Services include Identity Authentication, Identity Provisioning, and Identity Directory.
  • Identity Authentication provides you with controlled cloud-based access to business processes, applications, and data. It simplifies your user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options. Identity Authentication provides the following benefits:
    • Authentication: All SAP cloud applications can offer their users the same authentication mechanisms, as well as strong authentication with configurable multi-factor authentication (MFA) enforcement; an easy separation mechanism for multiple user stores and flexible configuration of where users' credentials are validated.
    • Single Sign-On: Identity Authentication offers a central SSO endpoint for all SAP cloud applications and pre-configured or semi-automated trust configuration.
    • Integrating SAP applications: Identity Authentication offers a common identity for users, a unified way of managing users, and a security token service for protecting system-to-system communication. Data across applications can be correlated (a precondition for central foundation services).
  • Identity Provisioning offers easier and more secure identity lifecycle management as a service with identity and authorization provisioning and deprovisioning. It enables customers to set up a faster and more efficient administration of user onboarding and offboarding. Identity Provisioning supports a centralized lifecycle of corporate identities in the cloud. In addition, it can handle automated provisioning of existing on-premise identities to cloud applications.
  • Identity Directory is the persistency layer of SAP Cloud Identity Services. It offers a central place for storing and managing users and groups. Its SCIM 2.0 REST API allows customers to define their own custom schemas with own attributes. The directory generates the Global User ID attribute - the unique user identifier across your IT landscape. This attribute is distributed by Identity Provisioning to SAP cloud applications, like SAP Task Center, which need the common user identifier in their integration scenarios.
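As an added example (not from the lesson or from SAP), the Python check below parses a constructed SCIM 2.0 listing shaped like an Identity Directory response and reconciles it against an integrated application's user list by Global User ID, flagging accounts whose identity is missing or inactive in the directory, i.e. provisioning or deprovisioning gaps. The SAP extension schema name and the `userUuid` attribute are assumptions; verify them against the schema your tenant actually exposes.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumption: the SAP extension schema and the attribute carrying the Global User ID.
SAP_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
GLOBAL_ID_ATTR = "userUuid"

# Constructed sample: a SCIM 2.0 ListResponse as an Identity Directory /Users query might return it.
DIRECTORY_LISTING = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"schemas": [CORE_USER, SAP_EXT], "id": "1", "userName": "adam",
         "active": True, SAP_EXT: {GLOBAL_ID_ATTR: "guid-adam"}},
        {"schemas": [CORE_USER, SAP_EXT], "id": "2", "userName": "eve",
         "active": False, SAP_EXT: {GLOBAL_ID_ATTR: "guid-eve"}},
        {"schemas": [CORE_USER], "id": "3"},  # malformed record: no userName
    ],
})

# Constructed sample: users as seen in an integrated application, each carrying
# the Global User ID that Identity Provisioning distributed to it.
APP_USERS = [
    {"login": "adam@example.com", "globalUserId": "guid-adam"},
    {"login": "eve@example.com", "globalUserId": "guid-eve"},
    {"login": "old.contractor@example.com", "globalUserId": "guid-gone"},
]


def parse_directory(listing_json):
    """Map Global User ID -> (userName, active); skip records that are not valid SCIM users."""
    users = {}
    for res in json.loads(listing_json).get("Resources", []):
        if CORE_USER not in res.get("schemas", []) or "id" not in res or "userName" not in res:
            continue  # not a well-formed SCIM 2.0 User: ignore rather than trust it
        guid = res.get(SAP_EXT, {}).get(GLOBAL_ID_ATTR)
        if guid:
            users[guid] = (res["userName"], res.get("active", True))
    return users


def find_lifecycle_gaps(directory, app_users):
    """Return (login, reason) for application accounts with no active directory identity."""
    gaps = []
    for u in app_users:
        entry = directory.get(u["globalUserId"])
        if entry is None:
            gaps.append((u["login"], "no matching identity in Identity Directory"))
        elif not entry[1]:
            gaps.append((u["login"], "identity inactive in Identity Directory"))
    return gaps
```

Accounts reported as gaps are candidates for an offboarding review; in a real run the listing would come from the directory's SCIM endpoint, paged, rather than from an embedded sample.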
SAP Business Technology Platform (BTP) subaccount
SAP BTP is an integrated offering comprised of five technology portfolios: application development, automation, integration, data and analytics, and AI. The platform offers you the ability to turn data into business value, compose end-to-end business processes, and build and extend SAP applications quickly.
  • The SAP Authorization and Trust Management service lets you manage users, user authorizations, and trust to identity providers. The Extended Services - User Account and Authentication (XSUAA) service provides functionality for administrating and assigning application authorizations.
  • Business applications that run on SAP BTP: SAP Task Center, for example, is a business application that runs on SAP BTP and helps you integrate approval tasks into a central solution.
  • SAP Master Data Integration (MDI) service: SAP Master Data Integration service enables you to share consistent master data across multiple products easily and efficiently.
SAP Cloud ALM
SAP Cloud ALM is an offering for application lifecycle management (ALM). It's intended for customers who use solutions provided by SAP, and who do not want to use their own ALM on-premise platform to manage those solutions.

Note

When you request SAP Cloud ALM, an SAP Cloud ALM-specific subaccount is created in the SAP Cloud ALM-specific global account on SAP BTP. You can't subscribe to any additional applications in the subaccount containing your SAP Cloud ALM subscription. The subaccount is set up exclusively for SAP Cloud ALM.

Corporate user store
In addition to the Identity Directory service, you can use an existing corporate user store to allow users to authenticate with their corporate credentials in SAP S/4HANA Cloud Public Edition and its integrated products.

Note

Depending on the setup of your IT landscape, the configuration differs.

Depending on your configuration only one or two of the following components will be used in addition:

Human Resources (HR) system
Use an external HR system to have a single source of master data for your company's entire workforce.
SAP SuccessFactors Employee Central
Use SAP SuccessFactors Employee Central to have a single source of master data for your company's entire workforce including employees and, optionally, contingent workers.
External workforce management system
Use an external workforce management system to manage a standardized record of your external workforce, such as contingent workers. SAP SuccessFactors Employee Central can then be used as a master system for employees only.