User Management – Introduction
Identity and Access Management (IAM) lets you control user access to apps and specify what business users can do and see in the apps. This ensures regulatory compliance and security standards. IAM in SAP S/4HANA Cloud Public Edition comprises user and identity management, roles and authorization, and authentication.
Authentication itself was covered in the previous lesson.
In this lesson, we would like to give a short overview of users, roles, and authorizations with a focus on the SAP S/4HANA Cloud Public Edition component. If you want to define an authorization concept, we recommend checking the additional sources at the end of this lesson.
We concentrate on the following components within the three-system landscape:

User categories
There are different categories of users for different purposes and with different capabilities. Business users represent end users performing day-to-day business tasks. They constitute personal data, and their lifecycle is governed by retention and deletion policies.
Technical users are used in the background for system tasks such as inter-system communication, printing, and support.
The following figure introduces the different user categories:

- Business Users
Relation of Employees and Business Users
Employees are metadata-records containing personal and employment-related data. Employees cannot access the system directly, but only via corresponding business users.
A business user corresponds to a real-life person who works with the system interactively. Business users are created to allow a person access to the system. You can maintain business users in the Maintain Business Users app.
Authentication and logon for business users happen at the identity provider.
You can assign business users to business roles in the Maintain Business Roles app. The main purpose of the app, though, is to create and adapt business roles.
Business User Lifecycle: Business users who have not logged on for a certain time can be locked automatically. Retention and ultimate deletion of locked business users are governed by the Information Lifecycle Management (ILM) component. More information regarding ILM can be found here.
- Technical Users
Technical users correspond to a local or remote process, typically part of the cloud management process (such as system provisioning, support) or intrinsic system processes. Some technical users belong to the software or service provider, and some technical users belong to the customer.
You can get an overview of all technical users in the Display Technical Users app.
Here are some examples of Technical Users:
- Communication Users: The communication user is a technical user type aimed at technical communication. A communication user corresponds to a remote system connecting to your system. You can define communication users in the Maintain Communication Users app.
- Support Users: Support users are a separate type of technical user for temporary access. These users are intended for SAP employees who access the system based on a support ticket from the customer. The Display Technical Users app shows which support users were created for the system on which incident.
Note
Other types of technical users also exist, such as the SAP Workflow Runtime User, the Provider Communication User, and the SAP Technical User.
The Business Role
As discussed, Identity and Access Management (IAM) enables you to control user access to apps and specify what business users can do and see in the apps.
The main elements of IAM are business catalogs, business roles, and business users. The IAM apps secure the access to your solution based on these elements.
Access to business apps is controlled by a role-based authorization management. That means you assign business roles to users, providing access to specific business tasks.
Note
Usually, you use the Business Role Templates app to create business roles. For simplification, we concentrate only on the business role here. If you are an Administrator for User Identity and Access, please refer to the additional information at the end of this lesson.
The following figure shows the main elements:

SAP divides the business functionality into semantically meaningful business catalogs, representing tasks or sub-processes within a business process. Business catalogs grant access to an app, a set of apps, or individual aspects of an app. Some business catalogs have restrictions. These restrictions allow you to specify how users interact with the app; for example, they may grant write or read access.
Business catalogs are grouped into collections called business roles. A business role generally contains multiple business catalogs and corresponds to a set of authorizations required to perform the tasks of a particular job description, for example, a warehouse clerk. On the business role level, restriction values of the contained business catalogs are defined. A business catalog might be contained in different business roles and might have different restriction values assigned in these different business roles.
Business catalogs are a well-established concept to pre-bundle authorizations. They combine authorizations for business functionality (selection of apps) into semantically meaningful building blocks as best practices delivered by SAP that represent tasks or sub-processes for a specific workplace within an overall business process. With the introduction of app authorization variants, business catalogs change from indivisible entities into entities that bundle app authorization variants that can be activated or deactivated. Consequently, app authorization variants become the smallest entity for business role design, providing greater flexibility to manage authorizations for business users, including which apps they can use.
But Adam wants to see what this looks like in the System. Therefore, he asks Carl to outline the authorization concept in SAP S/4HANA Cloud Public Edition. Carl then explains the basic idea of Identity and Access Management (IAM):
There are two types of users within SAP S/4HANA Cloud Public Edition: workers and business users.
- Workers can be either permanent or temporary, depending on their Worker Type (with his background knowledge of on-premise ERP, Adam would have called this the "Business Partner Role": BUP003 (employee) for permanent, BBP005 (contingent worker) for temporary). They can be imported with the help of the Manage Workforce app. This app is included in the Business Role BR_ADMINISTRATOR_HRINFO and SAP_BR_ADMINISTRATOR (via the Business Catalog SAP_BUM_BC_MNG_WORKFORCE_PC).
- A Business User first needs to be an employee of the company before they have a user account in the SAP system. Adam may use either the Maintain Business Roles or the Maintain Business Users app to assign Business Roles to Business Users. Both apps are included in the Business Role SAP_BR_ADMINISTRATOR (via the Business Catalogs SAP_CORE_BC_IAM_RM and/or SAP_CORE_BC_IAM_UM).
Carl continues that access to business apps is controlled by a role-based authorization management. That means the user administrator assigns Business Roles to Business Users, and these roles (via the assignment of Business Catalogs) provide access to specific business tasks.
After this meeting, Adam learned that he needs to use the Maintain Business Users app to select the Business User in question and then assign them the Administrator (SAP_BR_ADMINISTRATOR) Business Role to make that user an administrator.
Hint
For a more detailed description of the user management in SAP S/4HANA Cloud Public Edition, including information about the initial admin user and a step-by-step example for user management in action, see the blog User Management in a Nutshell for the SAP S/4HANA Cloud Public Edition.
In addition, the learning journey Managing User Identity and Access in SAP S/4HANA Cloud Public Edition explains how to set up and manage user access in SAP S/4HANA Cloud Public Edition.
Define a business role from scratch
Typically, to define a business role from scratch using the Maintain Business Roles app, you will perform the following steps:

- Maintain General Role Details
- Assign Business Catalogs
- Maintain Restrictions
- Assign Launchpad Spaces and Pages
Transport
Changes to business roles should not be done directly in production systems.
We recommend that you define business roles in a development system and transport them into the production system instead of making local changes.
Monitoring and Analysis
Monitoring and analysis tasks are part of the daily work as an administrator.
Common activities in this context include the following:
- Find business users with unnecessarily high privileges (for example, too many admin users)
- Find business users with unnecessary or critical authorization combinations (the result of privilege creep)
- Find business roles granting access to data too generously (that is, having unmaintained restrictions)
- Analyze the root cause for authorization errors
The following image shows examples of Identity and Access Management (IAM) applications:

The following apps are available:
- IAM Information System
With this app, you get an overview of the business users in your system and of the roles and restrictions assigned to them. You can also display how business roles, business catalogs, business users, and restrictions are used and how they are related.
If you want to look up more information about a business role, derived business role, business user, business catalog, business role template, or restriction, you can jump directly to the respective app by clicking the entity. You can use this app to perform administrative tasks as part of your daily work.
Key Features:
- Check the usage of the following entities and how they are related: Business role, derived business role, business role template, application, business user, business catalog, restriction, launchpad space, launchpad page.
- Check, for example, which business roles are assigned to a business user, which business catalogs and restrictions are assigned to the business user, and to which applications a user has access. You can also download a list of business users and business catalogs.
- Check, for example, which business roles and business catalogs are required to make a certain app visible for a business user on the SAP Fiori Launchpad.
Note
You can also display the scope items that the business catalogs depend on. Business catalogs that do not depend on any scope items are always visible in the system. For these business catalogs, Scope Items (0) is displayed on the relevant tab, and the following message appears in the table: The business catalog is not scope-dependent.
- IAM Key Figures
The charts in the IAM Key Figures app support you in increasing the security in your area and reducing costs by displaying which business users are inactive and can be removed. They also provide a good overview before go-live, helping you evaluate, for example, whether the business user and role distribution in your area is ready to be used.
To define threshold values, you can use color codes for the bars in your charts (green: Accepted, yellow: Warning, red: Critical). You can, for example, define the colors based on certain time frames: if you want to use 6 months without a logon as a threshold value, you can define that the corresponding bar in the chart is red.
You can also jump directly to the Maintain Business Users app or Maintain Business Roles app if you need more information about the business users or business roles that are shown in the overview charts.
You can use this app to display the following information:
- Number of business users assigned to business roles
- Month of the business user's last log-on
- Number of locked and unlocked business users
- Validity of business users
- Number of business roles with unmaintained restrictions
- Number of business roles with unrestricted access
Note
You can filter for the productive business roles in your area, for example, by adding a specific namespace followed by an asterisk (*) in the Filter by Business Role ID field in the tile configuration.
- Business user price categories
- Business roles with default values from business catalogs. The default values are delivered automatically and can't be overwritten. This means either that an asterisk (*) overwrites all defined values or that fixed values are added to your defined restrictions. Business roles affected by these non-changeable values are displayed in red in the overview chart.
The following apps are not shown in the slide:
- Display Authorization Trace
With this app, you can enable an authorization trace for a business user. This helps you analyze if any authorizations are missing or insufficient.
Key Features
- Activate or deactivate a trace
- Display authorization check results, including already assigned authorizations and failed checks
- Display all business roles granting access to selected fields and values
A maximum of 10,000 data sets is possible; therefore, we recommend considering this when defining the selection criteria, especially the date range.
- Display Technical Users
Provides an overview of the technical users in the system, for example communication users and SAP support users.
- Maintain User Sessions
This app enables you to analyze sessions containing a lock and to find the associated business user.
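The monitoring checks listed above (admin users, critical authorization combinations, roles with unmaintained or unrestricted restrictions, inactive users rated with the IAM Key Figures traffic-light thresholds) can be illustrated on a small constructed data set. The following is an added example written for this lesson, not SAP code and not an SAP API or export format; the Z_* roles and catalogs, the restriction values, the critical-combination pair, the users, and the 3-month and 6-month thresholds are all assumptions.

```python
from datetime import date
# Constructed sample data (not an SAP export format): role -> catalog -> restriction value.
# None = restriction never maintained, "*" = unrestricted, anything else = a concrete value.
ROLES = {
    "SAP_BR_ADMINISTRATOR": {"SAP_CORE_BC_IAM_UM": "*", "SAP_CORE_BC_IAM_RM": "*"},
    "Z_WAREHOUSE_CLERK": {"Z_BC_GOODS_MOVEMENT": "PLANT=1010"},
    "Z_PURCHASER": {"Z_BC_PURCHASE_ORDERS": None},
    "Z_AP_ACCOUNTANT": {"Z_BC_VENDOR_INVOICES": "COMPANYCODE=1010"},
}
# Hypothetical catalog pairs one person should not hold together (segregation of duties).
CRITICAL_COMBINATIONS = [("Z_BC_PURCHASE_ORDERS", "Z_BC_VENDOR_INVOICES")]
# Constructed business users with their role assignments and last logon date.
USERS = [
    {"id": "ADAM", "roles": ["SAP_BR_ADMINISTRATOR"], "last_logon": date(2024, 5, 2)},
    {"id": "CARL", "roles": ["SAP_BR_ADMINISTRATOR", "Z_PURCHASER", "Z_AP_ACCOUNTANT"],
     "last_logon": date(2023, 9, 10)},
    {"id": "DANA", "roles": ["Z_WAREHOUSE_CLERK"], "last_logon": date(2024, 1, 15)},
]

def catalogs_of(user):
    """All business catalogs a user receives through the assigned business roles."""
    return {cat for role in user["roles"] for cat in ROLES.get(role, {})}

def admin_users(users, admin_role="SAP_BR_ADMINISTRATOR"):
    """Users holding the administrator role (check for 'too many admin users')."""
    return [u["id"] for u in users if admin_role in u["roles"]]

def critical_combinations(users):
    """(user, catalog A, catalog B) for every forbidden catalog pair a user holds."""
    return [(u["id"], a, b) for u in users for a, b in CRITICAL_COMBINATIONS
            if {a, b} <= catalogs_of(u)]

def roles_with_open_restrictions(roles):
    """Roles whose restrictions are unmaintained (None) or unrestricted ('*')."""
    unmaintained = sorted(r for r, c in roles.items() if None in c.values())
    unrestricted = sorted(r for r, c in roles.items() if "*" in c.values())
    return unmaintained, unrestricted

def inactivity_rating(last_logon, today, warn_months=3, critical_months=6):
    """Traffic-light rating by whole months since last logon (thresholds are assumptions)."""
    months = (today.year - last_logon.year) * 12 + today.month - last_logon.month
    if months >= critical_months:
        return "Critical"
    return "Warning" if months >= warn_months else "Accepted"

if __name__ == "__main__":
    today = date(2024, 5, 15)
    print(admin_users(USERS), critical_combinations(USERS), roles_with_open_restrictions(ROLES))
    print([(u["id"], inactivity_rating(u["last_logon"], today)) for u in USERS])
```

In a real system the input would come from the IAM Information System download of business users and business catalogs; the logic above only shows what each of the listed checks actually evaluates.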
Additional Information for Identity and Access Management
- SAP Help - SAP S/4HANA Cloud Public Edition - Identity and Access Management – Phase: Set Up Authorizations for Business Users in SAP S/4HANA Cloud Public Edition (In this section, search for the Identity and Access Management (IAM) Guide).
- SAP Learning - Managing User Identity and Access in SAP S/4HANA Cloud Public Edition