User Creation and Authorization in the SAP S/4HANA Cloud Test and Production Systems
Overview of creating users & assigning permission in the SAP S/4HANA Cloud Test System
For the Starter and Development system tenants, the SAP Cloud Identity Authentication Service (IAS) is the default identity provider. However, IAS can also function as a proxy for another identity provider (IdP). Most customers already have some type of corporate IdP, and we can set up a trust relationship between IAS and the customer's IdP. This enables IAS to delegate the responsibility of authenticating users to the customer's corporate IdP for both bundled and charged applications. When the customer's IdP authenticates a user, it is effectively "vouching" for the user, which IAS accepts because the two systems have established trust with each other. Bundled applications are generally recognized as SAP applications, and charged applications are third-party apps. Using IAS as a proxy for the customer's corporate IdP can simplify application management for customers in the long run.
A proxy relationship involves:
Corporate Identity Provider: The identity provider proxy trusts the authenticating identity provider.
Identity Provider Proxy: The identity provider proxy is both an identity provider and a service provider. The service provider of the identity provider proxy trusts the authenticating identity provider.
Application: A service provider hosts a service that users want to access. This service provider trusts the identity provider of the identity provider proxy.
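The three trust relationships listed above can be modeled in a few lines. The following is an added example, not SAP code and not part of the original page: it uses an HMAC tag as a simplified stand-in for the signatures a real federation protocol would use, and all keys, issuer names, and the user name are constructed for illustration.

```python
import hashlib
import hmac
import json

def sign(key: bytes, claims: dict) -> dict:
    """Return the claims with an HMAC tag (stand-in for an IdP signature)."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(assertion: dict, trusted: dict, audience: str) -> dict:
    """Accept an assertion only from a trusted issuer and only for this audience."""
    claims = assertion["claims"]
    key = trusted.get(claims["iss"])
    if key is None:
        raise PermissionError(f"issuer {claims['iss']!r} is not trusted by {audience!r}")
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise PermissionError("signature check failed")
    if claims["aud"] != audience:
        raise PermissionError(f"assertion is for {claims['aud']!r}, not {audience!r}")
    return claims

# Constructed keys and names, for illustration only.
CORP_KEY, PROXY_KEY = b"corp-idp-demo-key", b"proxy-demo-key"
PROXY_TRUSTS = {"corporate-idp": CORP_KEY}  # service-provider side of the proxy
APP_TRUSTS = {"idp-proxy": PROXY_KEY}       # the application trusts only the proxy

def proxy_login(corp_assertion: dict, app: str) -> dict:
    """Proxy validates the corporate IdP's assertion, then issues its own for the app."""
    claims = verify(corp_assertion, PROXY_TRUSTS, audience="idp-proxy")
    return sign(PROXY_KEY, {"iss": "idp-proxy", "aud": app, "sub": claims["sub"]})

def app_login(assertion: dict, app: str = "application") -> str:
    """Application accepts only assertions issued by the proxy for itself."""
    return verify(assertion, APP_TRUSTS, audience=app)["sub"]

def is_rejected(func, *args) -> bool:
    """True if the login step refuses the assertion."""
    try:
        func(*args)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    corp = sign(CORP_KEY, {"iss": "corporate-idp", "aud": "idp-proxy",
                           "sub": "config.expert@example.com"})
    print(app_login(proxy_login(corp, "application")))
    print(is_rejected(app_login, corp))
```

The application never holds a trust entry for the corporate IdP, so an assertion from the corporate IdP presented directly to the application is refused; only the proxy's re-issued assertion is accepted.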
Because we recommend setting up IAS as a proxy for the customer's corporate IdP to manage users in the SAP S/4HANA Cloud Test and Production systems, the user creation and permission process is a bit different from what it was for the Starter and Development system tenants. Keep in mind that this process only creates users and assigns permissions for the partner configuration experts who need access to each system during implementation.
User data for an organization's employees is not manually created, but instead replicated from a separate HR system of record. This can be an SAP or third-party HR system, hosted in a public cloud, private cloud, or on premise. Our recommended HR system of record is SAP SuccessFactors Employee Central, and we provide two different types of predelivered integration packages to support customers and partner configuration experts setting up this integration during the Realize phase:
Overview of creating users & assigning permission in the SAP S/4HANA Cloud Production System
The steps for creating users and assigning permissions in the SAP S/4HANA Cloud Production system are similar to those for the Test system, with a few differences because of the transport path from SAP Central Business Configuration to the customizing tenant of the SAP S/4HANA Cloud Development system → Test system → Production system.