Overview of creating users & assigning permission in the SAP S/4HANA Cloud Test System
For the Starter and Development system tenants, the SAP Cloud Identity Authentication Service (IAS) is the default identity provider. However, IAS can also function as a proxy for another identity provider (IdP). Most customers already have some type of corporate IdP, and we can set up a trust relationship between IAS and the customer's IdP. This enables IAS to delegate the responsibility of authenticating users to the customer's corporate IdP for both bundled and charged applications. When the customer's IdP authenticates a user, it is effectively "vouching" for the user, which IAS accepts because the two systems have established trust with each other. Bundled applications are generally recognized as SAP applications, and charged applications are third-party apps. Using IAS as a proxy for the customer's corporate IdP can ultimately simplify application management for customers in the long run.
A proxy relationship involves:
- Corporate Identity Provider: The identity provider proxy trusts the authenticating identity provider.
- Identity Provider Proxy: The identity provider proxy is both an identity provider and a service provider. The service provider of the identity provider proxy trusts the authenticating identity provider.
- Application: A service provider hosts a service that users want to access. This service provider trusts the identity provider of the identity provider proxy.
Because we recommend setting up IAS as a proxy for the customer's corporate IdP to manage users in the SAP S/4HANA Cloud Test and Production systems, the user creation/permission process is a bit different than it was for the Starter and Development system tenants. Keep in mind, this process is just to create users and assign permission to the partner configuration experts who need access to each system during implementation.
User data for an organization's employees is not manually created, but instead replicated from a separate HR system of record. This can be an SAP or third party HR system, hosted in a public cloud, private cloud, or on premise. Our recommended HR system of record is SAP SuccessFactors Employee Central and we provide two different types of predelivered integration packages to support customers and partner configuration experts setting up this integration during the Realize phase:
For integrating with third-party HR systems, we provide predelivered SOAP APIs in the SAP Business Accelerator Hub.