Provisioning Systems and Initial Setup

Objectives

After completing this lesson, you will be able to:

  • Review the communications delivered to customers after purchasing SAP S/4HANA Cloud Public Edition
  • Provision systems in SAP for Me
  • Create users and grant access in SAP Cloud Identity

Onboarding Communication Journey

Onboarding Communication Journey

After signing the SAP S/4HANA Cloud contract, the signer (CTO, CIO, or similar) will receive a purchase order confirmation email with the purchase details and next steps. On the contract start date, the signer will receive a separate "Welcome" email with detailed information about beginning the implementation project. If an IT Contact (customer system admin) was not specified at the time the contract was signed, only the signer receives this "Welcome" email, however the person who will be the system admin should also be aware of the information in this email. Because this email is only sent once and can't be resent, we have documented all the information from the welcome email in a website called the Customer Onboarding Resource Center. We strongly recommend the core members of the customer project team attend one of the onboarding webinars to get an overview of the resources available to help them succeed and what the next steps are.

Note

In addition to the SAP S/4HANA Cloud welcome email, an SAP Business Technology Platform welcome email will also be sent.

If the IT Contact role was not assigned to the correct person, this can be resolved by creating a support case in SAP for MeServices & Support dashboard with the following information:

  • Subject: Request update to the Contact Person IT
  • Description: Please change the IT Contact to 〈NAME〉, 〈EMAIL ADDRESS〉
  • Component: XX-S4C-OPR-SRV
Note

Only one person is assigned as the IT Contact. The IT Contact is the customer system admin and will receive all system provisioning notifications and other communication about the systems. While only one person can be assigned as the IT Contact, multiple people can be assigned as a Communication Contact to enable them to receive general communications related to the systems.

System Provisioning in SAP for Me

IT Contact provisions systems via SAP for Me → Systems and Provisioning dashboard

The customer IT Contact triggers provisioning of the following systems from SAP for MeSystems & Provisioning dashboard, in this order:

  1. SAP Cloud ALM
  2. SAP Central Business Configuration
  3. SAP S/4HANA Cloud Starter System
  4. SAP S/4HANA Cloud Development System
  5. SAP S/4HANA Cloud Test System
  6. SAP S/4HANA Cloud Production System
Note

During the provisioning of SAP Cloud ALM, SAP Central Business Configuration, and the SAP S/4HANA Cloud systems, you have a choice of selecting an existing SAP Cloud Identity Service to connect to the new systems. For brand new customers, there will not be an existing SAP Cloud Identity Service available, so a new one will be automatically created in the region of the customer's choosing. To learn how to set up SAP Cloud Identity Services, check out this SAP Blog: SAP Cloud Identity Services Administration for first time implementers in SAP S/4HANA Cloud Public Edition projects and the Identity Authentication documentation in SAP Help Portal.

Note

You only provision the customizing tenant of the Starter and Development systems. After customizing has been provisioned, it automatically triggers the development tenant provisioning.

The IT Contact will receive several email notifications with login information for each system. Regardless of the order in which the email notifications are received, the SAP Cloud Identity Authentication Service (IAS) must be activated first. From within the IAS, users can be created and assigned permission to access each of the provisioned systems.

Try it yourself!

Learn how to request SAP Central Business Configuration via SAP for Me in this tutorial.

User Creation and Permission in SAP Cloud Identity

Who needs access to which system at the beginning of the project?

The customer IT Contact needs to create users and assign permission to the following members of the partner implementation team:

  • Lead configuration expert access to SAP Central Business Configuration - after receiving access, the partner lead configuration expert will use SAP Central Business Configuration to deploy the business content in the SAP S/4HANA Cloud Starter System tenants. The partner line of business (LoB) configuration experts will eventually need access to SAP Central Business Configuration, but this can be assigned at a later point in time.
  • Project manager access to SAP Cloud ALM - after receiving access, the partner project manager will use SAP Cloud ALM to set up the implementation project so tasks can be assigned to the relevant project team members and the project progress can be documented and tracked. The customer project manager should be included in this task so they can become familiar with how to use SAP Cloud ALM for project management. All project team members (partner and customer) should then be provided access to SAP Cloud ALM so they can see tasks assigned to them and use the tool to document task completion.
  • LoB configuration expert access to the SAP S/4HANA Cloud Starter System - after the business content has been deployed in the starter system by the lead configuration expert, the partner LoB configuration experts should be provided access so they can immediately begin preparing to deliver their Fit-to-Standard Analysis workshops. The partner lead configuration expert should also be given access, as this role also needs to run Fit-to-Standard workshops either in an LoB, or to address the non-LoB topics including, Organizational Structure, Chart of Accounts, Two-Tier ERP, and Human Resources.

Overview of providing access to SAP Central Business Configuration

Even though SAP Cloud Identity Services sounds like one system, it's a collection of systems including both the Identity Authentication Service (IAS) and Identity Provisioning Service (IPS). This means the IT Contact navigates back and forth between two different websites to complete the steps to provide users access to SAP Central Business Configuration.

Activate the user account in the SAP Identity Authentication Service

The IT Contact first activates the SAP Cloud Identity Authentication Service (IAS) via the link provided in the system provisioning email.

Change the Subject Name Identifier from E-Mail to Login Name

By default, the login attribute for SAP Central Business Configuration is set to E-Mail. We call this field the Subject Name Identifier. However, this can cause replication issues between the Identity Authentication Service and SAP Central Business Configuration, so to resolve this issue, the Subject Name Identifier should be changed to Login Name.

  1. Log into the IAS and select the Applications tile, then choose your SAP Central Business Configuration system from the list.
  2. On the Trust tab, find the Subject Name Identifier field and select it. Change the basic attribute to Login Name. A fallback attribute is not necessary.
  3. Select Save, then close the Subject Name Identifier screen.

Enter the Home URL of the SAP Central Business Configuration system

When users are created and assigned permission to access a system in the IAS, you can generate an email notification that populates the link of the system the user should now have access to. The Home URL field must be maintained in order to populate the system link in the email notification.

  1. Select the Edit button in the top right corner to edit the application information.
  2. Find the system provisioning email for SAP Central Business Configuration and copy the system link from that email into the Home URL field.

Run a job to copy permission roles from SAP Central Business Configuration to the Identity Authentication Service

There are several different permission roles that can be assigned to users for SAP Central Business Configuration (CBC), however they do not already exist in the Identity Authentication Service (IAS), and therefore cannot be assigned. To "copy" the role permissions from CBC to the IAS, you run a job in the Identity Provisioning Service (IPS).

  1. Refer to the provisioning email sent after requesting SAP Central Business Configuration. There should be a link to the connected Identity Provisioning Service system, which you can log into with your S-User ID.
  2. Navigate to the Source Systems tile, then choose the SAP Central Business Configuration system from the list.
  3. Select the Jobs tab, and press the Run Now button ONCE for Read Job.

Create CSV User Template

Now it's time to create users and grant permission to access SAP Central Business Configuration. The IT Contact should ask for a list of the partner project team members who need access to SAP Central Business Configuration, with their first name, last name, and email addresses. In the Identity Authentication Service (IAS), you can create users one at a time in the User Management tile, or mass-import a CSV file of users with the Import Users tile. Because mass-importing a file is more efficient for creating many users and assigning permissions at once, this is the method we will cover. First, we need to create our own CSV (comma separated value) template in Microsoft Excel. The column names (attributes) in the CSV file must follow the naming structure defined in the SAP Help Portal documentation. You do not need to include all attributes listed in the documentation - only the attributes that are mandatory for the file and the additional attributes you intend to use.

  1. Create a new Microsoft Excel spreadsheet and Save AsComma Separated Value (.CSV).
  2. In the first row, enter the attributes: status, loginName, mail, firstName, lastName, and groups.
  3. The status should be active for all users
  4. Enter the information for each project team mmeber in the loginName, mail, firstName, and lastName fields. The IT Contact should add the information for their own user in a row, too.
  5. In the groups column, first check the latest roles that can be assigned in SAP Central Business Configuration and their authorized task activities.

    Role Assignments

    The partner lead configuration expert should be assigned the program manager role (SAP_CBC_CONSUMPTION_PROGRAM_LEAD), which provides the permission to create a new project and activate business content in the SAP S/4HANA Cloud starter system, in addition to the development system at a future point in time.

    The IT Contact should assign themselves and the partner and customer project managers the auditor role (SAP_CBC_CONSUMPTION_AUDITOR), so they have visibility into the activities being completed in the system.

    The partner LoB configuration experts should be assigned the key user role (SAP_CBC_CONSUMPTION_KEY_USER), so they have the ability to enter configuration values for the SAP S/4HANA Cloud development system when it eventually needs to be configured with the customer's data. It's not necessary to enter configuration values for the starter system, because this data is already delivered, however the LoB experts may still want to take a look at the configuration values set up in the starter system in preparation for their Fit-to-Standard workshops.

Import users to SAP Central Business Configuration

Now it's time to create users and grant permission to access SAP Central Business Configuration. You can create users one at a time in the User Management tile, or mass-import a CSV file of users with the Import Users tile. We will mass-import because it's more efficient for multiple users and we can both create a user and assign permission in the same file.

  1. Log into the Identity Authentication Service (IAS) and select the Import Users tile.
  2. Choose the SAP Central Business Configuration system from the list.
  3. Select the Browse… button, upload the CSV file of users created in the previous step and choose Import.
  4. Select Send to send email notifications to the users.

Run a job to replicate users & their assigned permissions to SAP Central Business Configuration

Last, the IT Contact needs to run another job in the Identity Provisioning Service (IPS) to replicate the users and their assigned permissions to the SAP Central Business Configuration system. This needs to happen immediately, because the activation emails have already been sent.

  1. Log into the IPS
  2. Select the Source Systems tile, then choose the Identity Authentication Service (IAS) from the list.
  3. Select the Jobs tab and click the Run Now button ONCE for the Read Job.

Email notifications sent to project team members

Each project team member will receive an activation email for their account and the link to the SAP Central Business Configuration system. The partner lead configuration expert can now begin activating content in the SAP S/4HANA Cloud starter system. This will be covered in detail later in the course.

Note

Learn about user setup & access in the SAP Help Portal and how to avoid common issues in this SAP Blog: Avoid access issues during the initial setup of SAP Central Business Configuration.

Try it yourself!

Learn how to manage create users and provide access to SAP Central Business Configuration via SAP Cloud Identity Services in this tutorial.

Log in to track your progress & complete quizzes