Introduction

Many users of the SAP S/4HANA Cloud, public edition are confused by the user management topic, because it is different from the traditional approach in the on-premises world, with a twist in the cloud environment. There are many topics within SAP Help Portal related to this subject, but they are just too many and it is easy to get lost after reading several of them: each topic points to another one and readers feel like walking in a maze.  To help you understand this very important topic, I am going to explain it in an easy-to-understand way, and in one place!

My discussion is divided into two sections: User Management in Theory, and User Management in Action.

User Management in Theory

In this section, I discuss the technical concept behind user management. It is the foundation before I move on to next section to do the user management in the systems.

User Management in the On-Premises World

In the on-premises world, especially the client-server architecture (like SAP R/3 and SAP S/4HANA), we have two important factors for user management (Figure 1):

• Authentication by username and password
• Authorizations by user profiles

Figure 1: User Management in the On-premises World

These two factors work in tandem: the system authenticates a user by checking the existence of the user and validates the user by his/her password.  Whether the user can perform any actions in the system is determined by the user profile, such as a financial expert, or a warehouse manager.  The user cannot access to a different area even you are in the system.  For example, a warehouse manager does not guarantee the access of the financial accounting data, unless that person is assigned both roles.

With the increase of number of systems, a Single Sign-On (SSO) technology emerged. Instead of logon multiple systems multiple times, you only need to logon once which eases the management of multiple credentials. An authentication token is issued to the system you need to logon from a centralized cooperate identity provider against a user repository such as Microsoft Lightweight Directory Access Protocol (LDAP) directory.

Figure 2 shows an example of using SSO in a company with SAP BW and SAP R/3 applications. When a user logs on to SAP BW for the first time, it is authenticated by the SSO server using the user’s name and password. After the user is authenticated, an authentication token is issued. Later, when the user tries to logon to SAP R/3, there is no need to provide the username and password. The SSO server will use the same token to authenticate the user to use the SAP R/3 system. This saves the user’s effort to re-type the username and the password for the 2nd time.

Figure 2: User Management in the On-premises World with Single Sign-On

Keep in mind that SSO only saves user’s effort for authentication, not authorizations. Each business system still does the user authorizations.  Luckily, authorizations are carried out by the system in the background. Users don’t need to do anything.

User Management in the SaaS World

In a broad sense, user management is part of the Identity Management which involves more technologies and buzzwords. To make our discussion easy to understand, I narrowly focus the discussion on the Test Environment of the SAP S/4HANA Cloud, public edition (3 system landscape, i.e., with developer extensibility) (Figure 3), without involvement of the business Technology Platform (BTP) or a full blown SAP Cloud Identity Services.

The Test Environment is composed of these components:

• Central Business Configuration (CBC) tenant
• Developer Extensibility Tenant – Client 080 of the Development System
• Configuration Tenant – Client 100 of the Development System
• Test Tenant – a test tenant in a 3 system landscape
• Identity Authentication Service (IAS) tenant – for authenticating users
• Identity Provisioning Service (IPS) tenant – for user provisioning purpose
• Identity Directory – for storing users and groups
• SAP Cloud Identity Services – the default SAP cloud services for authentication and user/group provisioning.  It is a collection of IAS, Identity Directory and IPS
• Identity Provider (IdP) – optional for customers adopt corporate IdP

Similar as the SAP Identity Management, SAP Access Control and SAP Single Sign-on for the on-premises world, the SAP CLoud Identity Services serve the SAP public cloud applications.

Why it is called Test Environment? Because all above systems are bundled together to be authenticated by one IAS tenant for the Test tenant. In fact, to be complete, the Starter System can be added to Figure 3 as well; but I left it out to simplify our discussion.  Otherwise, you can read my blog on From A to Z: Setup a Starter System of the SAP S/4HANA Cloud, public edition.

Figure 3: User Management in the Test Environment of the SAP S/4HANA Cloud, public edition

Note: If the customer does not use the IAS for user authentication, they can use their existing corporate IdP for that purpose, but use SAP’s IAS as a proxy system. In this blog, I don’t go further in this direction.

In contrast to the Test Environment, the Production Environment is much simpler: it authenticates the Production Tenant as well as a Cloud Application Lifecycle Management (CALM) Tenant. Since there is no CBC tenant in this environment, the IPS is gone as well.

Figure 4: User Management in the Production Environment of the SAP S/4HANA Cloud, public edition

Initial Admin User and S-User

In the commercial contract of subscribing the SAP S/4HANA Cloud, public edition, it includes the name and the email address of an IT Contact person.  When a system is provisioned, all systems related emails are sent to this IT Contact, not these people who sign the contract or pay the bill!  If there is a change of this IT Contact person, such as taking a new job role within the company, a new IT Contact is named, etc., a customer should contact SAP immediately to name a new IT Contact by creating a ticket in the component XX-S4C-OPR-SRV.

During the first phase of an implementation project, a CBC tenant is provisioned first. At that time, the IT Contact will receive an email similar as in Figure 5 to activate the IAS (part of SAP Cloud Identity Service) as an Initial Admin User.

Figure 5: Email to IT Contact when the Initial Admin User Is Created on the IAS Tenant

This Initial Admin User is the first user in many systems for this customer.  For example, the IT Contact can logon to Dev-100 using his/her email address using the same password set up in the IAS tenant. In the Dev-100 tenant, this IT Contact’s user ID is CB000000000, representing the very first user in the system.  The IT Contact can use this user account to create more users in the system.

Figure 6: Initial Admin User in All Relevant Systems

Figure 6 illustrates the Initial Admin Users in all relevant systems. We can list them as the following:

• User P00000 (five zeros) in the IAS, IPS and CBC tenants
• User CB000000000 (nine zeros) in Dev-080, Dev-100 and Test-100 tenants

In addition to the Initial Admin User, there is another type of user called S-User.  S-User stands for SAP User, or Super User.  It is not new to the SAP S/4HANA Cloud, public edition and has been used by SAP customers for many years.  Super User can create other S-users for his/her colleagues.

S-user takes the format of S00xxxxxxxx (eight numbers).  It is used in SAP Support System, like SAP4Me or SAP Support Portal.  This S-user is not authenticated in the customer’s IAS Tenant, but an IdP within SAP.

If a customer is not new to SAP, there might be already some S users in the company. Please check the authorizations of these S users to make sure they have the right access to the cloud systems.

Roles Played by the SAP Cloud Identity Services

SAP Cloud Identity Services have three key components: Identity Authentication Service (IAS), Identity Provision Service (IPS) and Identity Directory (Figure 7). The Identity Directory is coupled with the IAS. Therefore, from system administration point of view, you only work with IAS and IPS directly.

Figure 7: Roles IAS and IPS play in the User Management

For an IT Contact, you use the same credential to access the IAS and IPS tenants, jointly called SAP Cloud Identity Services.

The IAS Plays following roles:

• Authenticate users
• Assign CBC user roles to CBC users
• Act as a proxy system when a corporate IdP is used

Let me explain what “Assign CBC user roles to CBC users” means: Different from Dev and Test tenants, CBC tenant does not have capabilities to assign user roles.  This functionality is delicate to the IAS tenant. After users in Dev-100 tenant are created, if these users need to access to CBC, IAS assigns 1 out of 5 CBC roles to these users, so that they can play their roles after accessing the CBC tenant.

When a business user is created in Dev and Test tenants, the following information is mandatory:

• Username: georgey or D123456 for a corporate ID
• Email address: [email protected]
• User ID: CB9980000050
• Business roles: BR_BPC_EXPERT and SAP_BR_ADMINISTRATOR

The username is the most critical here.  It is exported to the IAS and stored as Login Name for the authentication purpose.  In other words, Username in Dev-100 and Login Name in the IAS link one unique business user together.

In contrast, the same business user in Dev-100 and Dev-080 (sharing the same Login Name) can have different User ID, for example, CB998000050 in Dev-080 tenant and CB998000002 in Dev-100 tenant.

Most times, we use email address as the login name. That is a setting in the IAS tenant.  We can also change that to use Login Name to logon to a system.

Both User ID and Business Roles only stay within the Dev-100 tenant; they are never exported to the IAS tenant.

The IPS Plays following roles:

• Replicate five CBC user roles from CBC to IAS. This only performs once when the system is set up for the first time.
• Read CBC users from the IAS tenant and provision them to the CBC tenant. This needs to be done each time when new CBC users are added/created.

With the user provisioning role by the IPS tenant, CBC tenant has a user’s following information:

• Login Name: georgey
• User ID: P00010
• Business Role: SAP_CBC_CONSUMPTION_ACTIVITY_ALL

Under the user icon of the CBC tenant, the Login Name: georgey is used to identify the user.

Figure 8: User Logon Name is Used as the Identifier in CBC Tenant

In contrast, when login to Dev-100, the user’s full name is shown in Figure 9 as the identifier.

Figure 9: User Full Name is Used as the Identifier in Dev-100 Tenant

Put all of them together

After explained all building blocks of the user management, now it is time to see how user login is executed.  Keep in mind that the same Web Browser (could be different tabs) must be open. The Authentication Token plays a role very similar as Single Sign-on as we discussed previously.  If the Web Browser is closed, the token is lost.  If the system is logon too long, the token is expired.

Example 1: Login to the Dev-100 Tenant

1. Enter Dev-100 Tenant’s URL in a Web Browser by an end user.
2. The Dev-100 Tenant immediate redirects the logon request to the IAS tenant because there is no active session between them.
3. The URL on the Web Browser changes from the Dev-100 Tenant to the IAS Tenant, and a login window pops up.
4. After the user enters the email address and the password, the IAS Tenant checks against the Identity Directory and authenticates the user. If the authentication is successful, an authentication token or certificate is sent to the user’s Web Browser, and the Dev-100 Tenant accepts user’s login request.
5. Depending on the user’s business user roles, the Dev-100 Tenant displays relevant Spaces and Pages on the My Home page.
6. When the end user clicks on one of the apps, a user authorization check is executed against his/her assigned business user roles. If successful, the relevant app is launched.

Example 2: Login to the CBC Tenant right after Example 1, without closing the Web Browser

1. Enter the CBC Tenant’s URL in the Web Browser by the same user.
2. Since the authentication token exists on the Web Browser, the CBC Tenant accepts the login request.
3. The CBC Tenant check the user’s CBC group assigned, to authorize the relevant configuration activities.

Example 3: Login to the Test Tenant right after Example 1 or 2, without closing the Web Browser

1. Enter the Test Tenant’s URL in the Web Browser by the same user.
2. Since the authentication token exists on the Web Browser, the Test Tenant accepts the login request.
3. Depending on the user’s business user roles, the Test-100 Tenant displays relevant Spaces and Pages on the My Home page.
4. When the end user clicks on one of the apps, a user authorization check is executed against his/her assigned business user roles. If successful, the relevant app is launched.

Example 4: Login to the Production Tenant right after Example 1 or 2 or 3, without closing the Web Browser

1. Enter the Production Tenant’s URL in the Web Browser by the same user.
2. Since the existing authentication token was not issued by the Test Environment IAS Tenant and there is no active session between them, the Production Tenant immediately redirects the login request to the Production IAS tenant.
3. The URL on the Web Browser changes from the Prd-100 Tenant to the Production IAS Tenant, and a login window pops up.
4. After the user enters the email address and the password, the Production IAS Tenant checks against the Identity Directory and authenticates the user. If the authentication is successful, an authentication token or certificate is sent to the user’s Web Browser, and the Prd-100 Tenant accepts user’s logon request.
5. Depending on the user’s business user roles, the Prd-100 Tenant displays relevant Spaces and Pages on the My Home page.
6. When the end user clicks on one of the apps, a user authorization check is executed against his/her assigned business user roles. If successful, the relevant app is launched.

User Management in Action

With all the background information in place about user management in the SAP S/4HANA Cloud, public edition, I am going to go through the entire user creation process with eight steps (Figure 10) through Dev-100, IAS, IPS and CBC tenants.

Figure 10: User Creation Steps

Step Num	Description	Tenant
1	Prepare new user template	Dev – 100
2	Import workers and create business users
3	Assign user roles to business users
4	Download business users
5	Import users	IAS
6	Check user status (optional)
7	Assign CBC user groups to CBC users
8	Read CBC users from IAS tenant and provision them to CBC Tenant	IPS

Table 1: User Creation Steps

Note: Steps 1-4 are the same for user creation in Dev-080 and Test-100 tenants. However, if we create an exact same group of users on Dev-080, Dev-100 and Test-100 tenants, do we need to run Steps 5-8 three times on IAS and IPS tenants? It is a good question to think about.

Step 1 – Prepare new user template

Within SAP S/4HANA Cloud, public edition, we have two concepts: workers and business users. Workers are also called employees. They can be either a permanent employee or a temporary employee, distinguished by Worker Type (BUP003 for permanent, BBP005 for temporary). A business user first should be an employee of the company, then he/she has a user account in the system.

When creating a business user, we need to create a worker first.  For that purpose, we use the Manage Workforce app to either entering a single worker information or importing a group of workers. To demonstrate the workflow of creating a group of users, I take the importing approach (even with only one user).

After downloading the template of the worker, I fill it with the user information (using myself info, but to distinguish it from an existing user, changing my last name to Yu02) (Figure 11).  For simplicity, I don’t include the Work Agreement. Otherwise, two template files will be used: Templ_WorkerBasic_Comma.csv and Templ_WorkAgreement_Comma.csv.

Figure 11: Worker Data File Template

Considering it is long in horizontal direction and hard to read Figure 11, I am listing the fields and values herewith.

• WorkerID (mandatory) – georgey02
• UserName – georgey02
• WorkerType (mandatory) – BUP003
• Is Contingent Worker of [Mandatory for BBP005] – blank
• FirstName (mandatory) – George
• LastName (Mandatory) – Yu02
• FullName – George Yu02
• Email – [email protected]
• PhoneNumber – blank
• MobilePhoneNumber -blank
• Language – EN
• StartDate (mandatory, YYYYMMDD) – 20230301
• EndDate (mandatory, YYYMMDD) – 99991231

The template is saved as a comma delimited CSV file.

Step 2 – Import workers and create business users

In the Manage Workforce app, click on Import à Worker, the Import Worker Data window pops up (Figure 12).

Figure 12: Import Worker Data window

The field Import Name is mandatory. You can treat it as a different worker importing batch name to distinguish different batches, such as a date, or a group name.

After importing, you can search the Application Log to find out its status. In my example, it is a success with one new employee GEORGEY02 created (Figure 13).

Figure 13: Import Worker Log

Step 3 – Assign user roles to business users

We have two ways to assign business roles to users: using Maintain Business Roles app to assign a group of users to the same business role; or using Maintain Business Users app to assign multiple business roles to individual users. Since they are quite straightforward, I won’t discuss further.

Step 4 – Download business users

In Figure 7 we illustrated the step of exporting business users to be imported to the IAS tenant. To do that, we use Maintain Business Users app, click on Download -> Download for IDP (Figure 14).  You can use the filter to select one user only (user georgey02 for example) or list all users without applying any filtering values.  In Figure 14, I entered George for First Name, and the system returns two entries.

Figure 14: Download Business Users for IDP

The outcome from this download action is a file called data.csv.  If you only have one user selected, the downloaded file contains one record; otherwise, it contains multiple records.

Figure 15 shows the content of the file data.csv with two business user records. There are only five data fields, the most critical information about a user for authentication purpose: status, login name, email address, first name and last name. Business roles and User ID created in the Dev-100 Tenant are not part of it, since they are irrelevant during the authentication process.

Figure 15: Downloaded Business Users for IAS

Step 5 – Import users

Now let’s launch the IAS tenant.

This step is executed on the Test environment IAS tenant. Following the path Users & Authorizations -> Import Users.

Figure 16: The IAS Tenant User Interface

As we discussed before, users are created in the Dev-100 tenant and to be imported to the IAS Tenant.  Therefore, under Bundled Applications list on the left, we need to select “SAP S/4HANA Cloud – Customizing Tenant”, not others.  Because the data we are going to import is downloaded from the Customizing Tenant.

Figure 17: Import Users in the IAS Tenant

If the user list is exported from the Test Tenant, then we need to select “SAP S/4HANA Cloud – Test Tenant”. That way the user list is consistent between Test Tenant and IAS Tenant.

Before the final import, the system wants you to Confirm the user creation. For example, we created one user in Dev-100, and exported a total of two users in data.csv file.  The confirmation message is like this:

1 user will be created, 1 user will be updated because they already exist.  Do you want to continue?

This matches our scenario: 1 user georgey02 is new and will be created; 1 user georgey exists in the IAS tenant, and only needs to be updated if there are any changes. Now hit the Import button to import the users.

After importing the users, you need to hit Send button to send activation email to all the users that are not active (Figure 18). This explains why some users receive this activation email multiple times.  Because if they don’t do their job to activate the user account, they will receive a reminder each time this Send button is hit.

Figure 18: Send User Activation Emails out in the IAS Tenant

Step 6 – Check user status (optional)

After the business users are imported, activation emails are sent, but you haven’t activated these new users for accessing the CBC Tenant, you should review the users by following the path in the IAS Tenant: Users and Authorizations -> User Management.  Select the user, and open its editing interface (Figure 19).

In the User Details à Personal Information section, pay special attention to the Status and E-mail Verified entries.  When a new user is created, the user usually receives an email to activate his/her account. This step involves two key personal information change:

• Account Status – change from New to Active
• E-Mail Verified – ticked, since the user received the activation email

If you want to deactivate a user, just change the Status from Active to Inactive.

Figure 19: User Management Interface in the IAS Tenant

Note: If the user status is still at New, you cannot make him/her to be a CBC user.  In other words, this status change is a pre-requisite for Step 8.

Step 7 – Assign CBC user groups to CBC users

This step is executed by following the path: Users and Authorizations à User Groups. There are five CBC related groups to choose from:

• SAP_CBC_CONSUMPTION_ACTIVITY_ALL – CBC Consumption group for all activities
• SAP_CBC_CONSUMPTION_AUDITOR – CBC Consumption Auditor group
• SAP_CBC_CONSUMPTION_DISPLAY_USER – CBC Consumption Display User group
• SAP_CBC_CONSUMPTION_KEY_USER – CBC Consumption Key User group
• SAP_CBC_CONSUMPTION_PROJECT_LEAD – CBC Consumption Project Lead group

Depending on user’s intended business roles in accessing the CBC tenant, you assign one or more groups to the user.  From Figure 20 we can see the following:

• Currently only user P00000 belongs to CBC Group SAP_CBC_CONSUMPTION_PROJECT_LEAD
• By clicking on the Add button, Add Users sub-window pops up. You can add one or more users to this group by ticking the user and hitting the Save

Figure 20: Add a User to CBC Group in the IAS Tenant

After completion of this step, the newly created user has been assigned a proper CBC user group.

Step 8 – Read CBC users from IAS tenant and provision them to CBC Tenant

Now let’s launch the IPS tenant.

Note: In Step 6, we discussed user status.  Before doing this step, the user must activate his/her account on IAS.  Otherwise, this step ignores those New or Inactive users.

To execute this step, we need to click on the Source Systems app (Figure 21).

Note: by clicking on the 3-horizontal-bar icon next to the SAP logo, you can hide and unhide the menu bar on the left.

Figure 21: IPS Tenant User Interface

This step is to copy the CBC user info from the IAS Tenant, so we need to select the “IAS for cbc-ap-rel-vlab-aws-027 – source” as the source system. Then select the Jobs tab. Finally, we click on Run Now button in the row of Read Job (Figure 22).

Figure 22: Run CBC User Copying Job

After running the CBC user copying job, we should check the job log (the 2nd from the bottom menu item on the menu bar) and pay attention to four lines (Figure 23):

• Line 1 – 5 user groups are read from the source system -> we have 5 CBC user groups, and all are successfully read from the source system.
• Line 2 – 45 users are read from the source system -> we have 45 CBC users in the source system, all read successfully.
• Line 3 – 1 user group is updated in the target system -> we assign one new user to the CBC group and that user group info has been updated.
• Line 4 – 1 user is created in the target system -> a new user is created.

Figure 23: Job Log for the CBC User Copying Job

After this step, the end user should be able to logon to the CBC Tenant to conduct business configuration tasks.

Note: During the implementation project, the CBC tenant is provisioned first, and then the Customizing tenant. In this case, you can create CBC users in the IAS Tenant first (manually one by one or by importing a user list). Just keep in mind the Logon Name you create in the IAS Tenant should be consistent with the User Name to be created later on in the Customizing Tenant.

CBC User Logon Errors (Added on May 24, 2023)

Error 1: Unauthorized

Symptom: When you log on to a CBC tenant for the first time, you get an “Unauthorized” error.

Cause: CBC Tenant does not have the user information. It is not pushed over from the IAS Tenant.  This happens a lot when you create a group of users. Some users activate their accounts right away. If you run above Step 8 after user activation, these users have no problem to logon to CBC.  However, some users only activate their account days(!) later, and the administrator is not aware and doesn’t run above Step 8 afterwards. These users will see this error.

This usually happens to some users but not all, because it requires one more step in user setup procedure.

Solution: Rerun the above Step 8.

Error 2: Unauthorized

Symptom: When you log on to a CBC tenant for the first time, you get an “Unauthorized” error.

Cause: As I explained before, when you create a new user in Dev tenants and export it to the IAS, the User Name in the Dev tenants becomes Login Name in the IAS tenant. This Login Name is used as the so-called Subject Name Identifier.  That means the CBC uses this SNI to identify the user.  If the SNI uses a different basic attribute, such as an email address or a User ID, the Login Name passed over from the IAS Tenant becomes useless.

This usually happens to all users, because it is a system setting.

Solution: Follow the steps listed in SAP Note 3103503 to fix the error, and rerun the above Step 8.

Error 3: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile, status message is User attribute configured for name-id format unspecified is not supported.

Symptom: After authentication is passed at the IAS Tenant, this message pops up.

Cause: This only happened to myself as the Initial Admin User. When the systems were provisioned, my user account was already created in the IAS (P000000) and the Dev Tenants (CB000000000). So I usually don’t need to create a new user account for myself. As I explained before, when you create a new user in Dev tenants and export it to the IAS, the User Name in the Dev tenants becomes Login Name in the IAS tenant. And that Login Name is passed on to the CBC Tenant when running above Step 8. In my case, the Login Name was blank in my user details. This causes above error message.

Solution: Fill the blank Login Name in the IAS Tenant with the User Name from the Dev -100, and rerun above Step 8.

Conclusion

I explained the background of how users are managed in the SAP S/4HANA Cloud, public edition (3 system landscape), and strengthened the concept with eight steps in user creation across four tenants: Dev-100, IAS, IPS and CBC. Now you should be able to do the user management with a deep understanding the mechanisms behind.  Enjoy!

References