SAP Community - SAP Identity Management

IAS for ONB2.0 New Hires - 1 (upgrade OData to SCIM)

2023-03-15T13:39:46+01:00

We are aware about the use of BizX login page for login of Onboardee in ONB2.0.
From 2H2022, SAP has officially released the feature of having IAS(Identity Authentication System) available to be integrated with ONB2.0 for New hires.

This brings the option of having better security for login of Onboardee and leverage features of IAS such as conditional authentication, Multi factor authentication etc.

Following are the articles about my understanding in upgrading the IPS to SCIM and implementing the IAS for ONB new hires. If you see something wrong or steps which can be done better, please highlight 🙂

To integrate ONB with IAS, the IPS system must be upgraded to SCIM version.
If you already have the IAS setup in your system or has an instance provisioned before Dec 2022, those system possibly will be in version 1.
The clients who have provisioned new IAS-IPS system after Dec 2022 will have their instances come with SCIM - version 2.
You can check the version by checking the value of 'sf.api.version' in properties tab of the source system in your Identity Provisioning(IPS).

We will first see how to upgrade the IPS from version 1 to version 2(SCIM) and then see the configurations for ONB integration.

Upgrading IPS system from version 1 to version 2(SCIM)

Setup mTLS (mutual Transport Layer Security) as your authentication method between Identity Provisioning and SuccessFactors.
To do this, generate(if there is no certificate) and download the outbound certificate and link with SuccessFactors.

Go to SuccessFactors > Security Center >X509 Public Certificate Mapping > Add > upload the certificate created above.

Make sure you select 'Identity Provisioning Service' in the 'Integration Name' field and the login name of your admin user in the 'Login Name' field.

I used IPSADMIN as Login Name, which was used in the version 1 for IPS job.

Change the api.version in Source system > Properties > from 1 to 2.

Remove /odata/v2/ from the URL section in Properties

Before

After

Change the sf.user.filter as below

The transformation would also require changes once you upgrade the version from 1 to 2.

You can test this by running a IPS job simulation to check whether there is any error caused due to incorrect transformations.

This link will give you the mapping changes between SCIM and ODATA.

Note: As a best practice, Please be advised to update the Authentication setting from 'BasicAuthentication' to 'ClientCertificateAuthentication'. This adjustment will function smoothly given that you have already uploaded the outbound certificate of the Source System within the SuccessFactors security center's X.509 Public Certificate Mapping. Once this step is completed, there is no need to configure a username and password for IPSADMIN. The connection will operate effectively through certificate-based authentication.

Unlike sf.user.filter in version 1 where we had flexibility to sync only few users using 'OR' logical operator, version 2 is not offering that and hence making it hard to sync and test for only few users. As a bad workaround for testing you may used the operator 'Contains' to create a query.

Please vote the below enhancement request

Enhance SCIM version 2 API of Identity Provisioning to accept 'OR' operator

You can find the configurations necessary for the integration of ONB with IAS in next article - IAS for ONB2.0 New Hires - 2.

Resources:

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/568fdf1f14f14fd089a3cd15194d19cc/80d3d1d92fdd414c873ee9420ada1078.html

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/534356acc0ab4b0e8977ebfb2eb432f7/00df9b8134d04fe496a7144c18c0d4a4.html

https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/f29b5c6d7edd4f358548233c875ddefd.html#procedure

https://help.sap.com/docs/SAP_SUCCESSFACTORS_RELEASE_INFORMATION/8e0d540f96474717bbf18df51e54e522/2dbcd6ff61284a2a84a7ecb18e3be859.html

https://help.sap.com/docs/SAP_SUCCESSFACTORS_ONBOARDING/c94ed5fcb5fe4e0281f396556743812c/c3c8a0bd465246dc8aeda39700e358ad.html

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/568fdf1f14f14fd089a3cd15194d19cc/bb238913699a4bf4b1ebbc197ab2494d.html

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/534356acc0ab4b0e8977ebfb2eb432f7/895a0d10d4984152b9f6d0cd9f9f850c.html

https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/f29b5c6d7edd4f358548233c875ddefd.html#procedure

https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/f29b5c6d7edd4f358548233c875ddefd.html?state=DRAFT&version=Cloud

IAS for ONB2.0 New Hires – 3 (Transformations)

2023-03-15T13:40:15+01:00

IAS for ONB2.0 New Hires - 1

IAS for ONB2.0 New Hires - 2

Once the configurations explained in the previous articles is completed, you are expected to set up few transformations .

I did not perform any transformations in source, but following are few transformations used in the target system.

Below transformation under default userType mapping to set the user type in the IAS profile of user.

Below transformation is used to define the target URL (your SuccessFactors URL).

Next is to define if the user should receive emails or not.

In my case both regular users and onboardees are expected to receive emails, so both are true, but if you do not want the regular users to receive any kind of welcome emails but only the onboardees should receive email, you can set the first condition below as false.

Similar setup for mailVerified. (Set it according to your requirement)

You can also define separate welcome email template for onboardees using the code below. For this you must first create a separate email template set in IAS and then use its ID as a constant in below transformation.

The new email template set can be configured in IAS>Applications & resources >E-mail template.

Following transformation is to route the new hires to SF application in IAS.

You will get the application ID from the URL of the application section when you select the SuccessFactors application.

This was suggested earlier by SAP to route the external users to correct application in IAS. (Not sure whether this is needed anymore post Dec 2022. You can test it at your end and let me know 😊)

Also, don’t forget to maintain the Home URL of the application

Efficient Employee Grouping in SAP SuccessFactors: Custom Attribute-based Identity Provisioning

2023-04-21T22:17:17+02:00

Streamlining Employee Grouping in SAP SuccessFactors: Leveraging Custom Attributes from SAP SuccessFactors via Identity Provisioning for Identity Authentication User Store Management.

In this blog, the focus is on streamlining employee grouping in SAP SuccessFactors using custom attributes. For an example we are using custom15 from the User Data file is utilized to determine the appropriate group for employees in the Identity Authentication user store.

There could be different conditions that can be used to check a particular field value and update the employee in a specific group.

The custom attribute (custom15) is utilized as a key factor for grouping employees in SAP SuccessFactors. By checking the value of this field, employees are dynamically assigned to different groups. If the value is set to "Yes", they are directed to the 'MFAGROUP' group in Identity Authentication. On the other hand, if the value is set to anything other than "Yes" (e.g. "No" or left blank), the employees are directed to the 'NO_MFA' group.

By utilizing the "Is MFA?" (Custom15) field, employee grouping in Identity Authentication is streamlined, ensuring that employees are accurately placed in the appropriate groups based on the value of this custom attribute. This approach simplifies user store management and enhances the overall identity and access management process in SAP SuccessFactors.

Step 1- Identity Provisioning Source System - SAP SuccessFactors

The Custom15 value can be added to the sf.user.attributes property in the Identity Provisioning configuration. This allows Identity Provisioning to read and load this user attribute from SAP SuccessFactors during the provisioning process. It is important to ensure that the extra attribute, in this case Custom15, is appropriately separated by a comma to ensure accurate data processing.

sf.user.attributes

Step 2 - Mapping the data in Source System

Add the following code to the source system transformation into the User mapping section. I am updating the value of Custom15 from SF into CustomAttribute2 in IAS:

{
"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom15']",
"optional": true,
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['value']"
},
{
"condition": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom15'] EMPTY false",
"constant": "customAttribute2",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['name']"
},
{
"sourcePath": "$.custom15",
"targetPath": "$.custom15"
}

Transformation - Source Code - UserMapping

Step 3 - Identity Provisioning Target System - Identity Authentication

Add the following code to the Identity Authentication target system transformation into the User mapping Section:

{
"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom15']",
"optional": true,
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['value']"
},
{
"constant": "customAttribute2",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['name']"
},

Transformation - Target Code - UserMapping

Step 4 - Create the two User Groups

In Identity Authentication Administration Console, create the two user groups to update the employees:

MFAGROUP

NO_MFA

User Groups

Step 5 - Add Condition for employees to get auto updated in User groups created in Identity Authentication

These mappings will assign the user groups to the users who are fits with the given condition.

{
"condition": "($.custom15 == 'Yes')",
"constant": "MFAGROUP",
"targetPath": "$.groups[0].value"
},
{
"condition": "($.custom15 != 'Yes')",
"constant": "NO_MFA",
"targetPath": "$.groups[0].value"
},

Transformation - Target Code - UserMapping - Groupingcode

Step 6- Run Read Job Identity Provisioning

Run a new Read job from Identity Provisioning from SAP SuccessFactors source system, and monitor in Identity Authentication that the employees are getting updated to the desired groups as per the condition we mentioned in step 5.

For Inital Testing, use filter for specific group of employees and once job is successfully; remove the filter and run the job for all active employees.

Custom Attribute 2 = Yes

User Group updated in User Profile

Finally, remove the employee specific filters and run the job for all active employees. The job should read the value from SF and accordingly update the details in IAS via IPS jobs.

Group 1, Custom Attribute == Yes

Group 2, Custom Attribute != Yes

In summary, by using custom attributes from SAP SuccessFactors via Identity Provisioning, employee grouping can be streamlined in SAP SuccessFactors. The steps outlined in this blog provide a straightforward approach to implementing this solution. By mapping the custom attribute field to a target attribute in Identity Authentication, and using conditions to assign employees to specific user groups, the overall identity and access management process in SAP SuccessFactors can be enhanced.

I hope you found this blog post informative and helpful. I would love to hear your thoughts and feedback on this topic, so please feel free to leave a comment below. Feedback, suggestions will help me to continue improving the content and providing with more valuable insights and learn more.

Thank you for reading! Happy Learning!

Thank you 🙂

Secure your SuccessFactors to IAS/IPS integration by migrating to mTLS cert based authentication

2023-05-02T09:14:39.321000+02:00

I am writing a short blog to highlight one recent change that came into effect with the latest SAP SuccessFactors Production release on December 9th, 2022. This relates specifically to Identity Authentication / Identity Provisioning so if you are working on this topic this will be relevant for you.

As of the December 9th, 2022 production release, any newly established integration between SuccessFactors BizX instance and SAP Identity Authentication/Identity Provisioning Services (IAS/IPS) will be using the X.509 certificate for authentication of integration between SuccessFactors HXM Suite and IAS/IPS instead of the previous basic authentication mechanism with just username and password. This change applies to both newly provisioned SuccessFactors BizX Instances that have an Identity Authentication and Identity Provisioning tenants bundled together and delivered at the same time, and to existing SuccessFactors BizX instances performing the Initiate IAS Upgrade or Change IAS tasks through the Upgrade Center.

What is X.509/mTLS

X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many internet protocols, including TLS (Transport Layer Security) /SSL. Mutual Transport Layer Security (mTLS) establishes an encrypted TLS connection, in which both parties use X.509 certificates to authenticate and verify each other.

Why X.509/mTLS

mTLS prevents malicious third parties from imitating genuine applications and provides a more secure authentication option to its users.

When an application attempts to establish a connection with another application's secure web server, the mTLS protocol protects their communications, and verifies that the incoming server truly belongs to the application being called. When the client application requests access to a server application, the server application will provide its certificate to the client application and, in turn, ask the client application for its public certificate. This certificate will contain a public key, an identity, and a signature by a trusted certificate authority. Both entities will then look for the signature and climb the trust chain untill they find a mutual certificate authority validating the authenticity of both entities and creating a secure and encrypted channel.

Since both entities have to be validated, mTLS can reduce the chances of attacks, and provides a basis for zero-trust security framework, which is becoming increasingly important in cloud-based applications, and micro services deployments.

How can I find out whether I am using certificate-based authentication or basic authentication?

If your SuccessFactors BizX instance is already integrated with IAS/IPS, to find out whether you are using the previous basic authentication or the new X.509/mTLS certificate-based authentication, you can complete the following steps:

Log into the IPS Admin Console.
From IPS Admin console home page, click on the Source Systems tile.

From the list of source systems, select the desired SuccessFactors tenant's record.
Click on the Properties tab to check the value of the “authentication” parameter; if the value is BasicAuthentication, then basic authentication is used. If the value is ClientCertificateAuthentication, then X.509/mTLS certificate-based authentication is used.

Can I migrate my SF to IPS integration from basic to certificate-based authentication?

If your SuccessFactors BizX instance is already integrated with IAS/IPS and is currently using the basic authentication for communication between BizX and IAS/IPS, we recommend that you migrate to the X509/mTLS certificate-based authentication.

For steps of migration on the BizX side, please refer to our help doc.

To migrate from basic authentication to X.509/mTLS certificate-based authentication, take the following steps:

Step 1: Generate and download the certificate from IPS.

Log into the IPS Admin Console.
From the IPS Admin console home page, click on Source Systems tile.
From the list of source systems, select the desired SuccessFactors tenant as the provisioning system that you want to configure client certificate authentication for.
Select the Outbound Certificate tab and choose Generate.
If the certificate is generated successfully, the toast message ‘Certificate generated successfully' is displayed on the screen.
View the certificate information.
Each certificate contains fields specifying the subject, the name of the CA issuing the certificate, the algorithm used by the issuer to sign the certificate, validity period, key size and the certificate unique identifier.
Download the certificate.

Step 2: Register IPS for certificate-based incoming calls in BizX.

In BizX, go to Admin Center → Security Center → X.509 Public Certificate Mapping.
Click Add.
Complete the following fields in the table below
Click Save to save the changes.

Field	Description
Configuration Name	Example: New X.509 Certificate Mapping
Integration Name	Select the name of your application from the drop-down menu.
Certificate File	Upload the corresponding file with a certificate file extension cer, pem, crt etc. and that follows the X.509 protocol.
Login Name	The login name of a user that has permission to consume the SAP SuccessFactors API for its respective application. By default, a technical user would be created and used for IPS, so this field is optional and should be left blank.

Step 3: Configure IPS to use certificate-based authentication when communicating with BizX.

Return to the Identity Provisioning admin console, from Source Systems, select the SF BizX tenant record, and select the Properties tab.
Set the Authentication property to ClientCertificateAuthentication (vs "BasicAuthentication" previously using IPSADMIN, also no need to set User and Password properties)
Set the URL parameter to the API URL with cert, for example: https://apiX.cert.sapsf.com/odata/v2
Click Add to add a new parameter “sf.company.id” if not already available on the Properties tab, and set the value to the SuccessFactors company id corresponding to this source.
Save your configuration.

If you are using real time user sync for new hires between BizX and IAS/IPS, then please complete the following two steps:

Step 4: Generate and download the certificate from BizX

In BizX, go to Admin Center → Security Center → X.509 Certificates:
Click Add to add a new entry, and enter the Configuration Name and Valid Until date.
Click Generate and Save.
Click Download, then select X509 Certificate.
When prompted by browser, save the file to your local file system.

Step 5: Register SF BizX as administrator in IAS using certificate.

In IAS Admin console, go to Users & Authorizations → Administrators.
Click on Add, then select System.
Enter the system name and click Save.
Click on the system you just created in the previous step.
Click on Certificate, then click Browse to find the X.509 cert file you downloaded to your local file system.
Click Save.

From A to Z: Setup a Starter System of the SAP S/4HANA Cloud, public edition

2023-05-31T19:19:28+02:00

Introduction

As a new customer to the SAP S/4HANA Cloud, public edition solution, the very first system you are going to get, and use is called the Starter System. This system has a set of master data and a set of 225+ SAP Best Practice scopes loaded to help you explore its capabilities and conduct the Fit-to-Standard Workshop.

In this blog, I am going to introduce all the concepts/terminology and steps to set up your Starter System from A to Z, with a focus on SAP Central Business Configuration (CBC) tenant. My explanation is divided into three sections:

Starter System Landscape

CBC Tenant Technical Configuration for Starter System

CBC Project Configurations for Starter System

You should be able to get the Starter System running in 2-3 days.

Starter System Landscape

To help the first-time users of the SAP S/4HANA Cloud, public cloud, I am going to explain the system landscape and its many relevant concepts.

Starter System Landscape

The Starter System Landscape is composed of these systems:

Central Business Configuration (CBC) tenant

Extensibility Tenant – Tenant 080 of the Starter System

Customizing Tenant – Tenant 100 of the Starter System

Identity Authentication Service (IAS) tenant

Identity Provisioning Service (IPS) tenant

Identity Directory

SAP Cloud Identity Service, which is composed of IAS, Identity Directory and IPS

Identity Provider (IdP) – optional for customers to adopt a corporation IdP.

Starter System Landscape

From a glimpse, there are a lot of systems. To many existing SAP on-premise customers, customizing tenant and extensibility tenant are easy to understand. The challenge ones are those new kids on the block, the CBC, IAS and IPS tenants; especially how they work together. In fact, these are the ones could easily go wrong and need support.

Initial Admin User and System Users

In the commercial contract of subscribing the SAP S/4HANA Cloud, public edition, it includes the name and the email address of an IT Contact person. When a system is provisioned, all systems related emails are sent to this IT Contact, not these people who sign the contract or pay the bill! If there is a change of this IT Contact, such as taking a new job role within the company, a new IT Contact is named, etc., a customer should contact SAP immediately to name a new IT Contact by creating a ticket in the component XX-S4C-OPR-SRV.

During the first phase of an implementation project, a CBC tenant is provisioned first. At that time, the IT Contact will receive an email like the below figure to activate the IAS (part of SAP Cloud Identity Service) as an Initial Admin User.

SAP Cloud Identity Service Admin User Activation Email

This Initial Admin User is the first user in many systems for this customer. For example, the IT Contact can logon to Tenant 100 using his/her email address. In the Tenant 100, this IT Contact’s user ID is CB000000000, representing the very first user in the system. The Initial Admin User can use this user account to create more users in the system (Tenant 100).

Initial Admin Users in Different Starter System Tenants

Above figure illustrates the Initial Admin Users in all relevant systems. We can list them as the following:

User P000000 (six zeros) in the IAS, IPS and CBC tenants

User CB000000000 (nine zeros) in Tenants 080 and 100

SAP User S0012345678 (ten numbers) in SAP Support System, like SAP4Me or SAP Support Launchpad (to be replaced by SAP4Me very soon)

SAP User, or Super User, is not new to the SAP S/4HANA Cloud, public edition. It is there in the on-premise world. Super User can create other S users for his/her colleagues. If a customer is not new to SAP, there might already be some S users in the company. Please check the authorizations of these S users to make sure they have the proper access to the cloud systems, not just the on-premise systems.

Roles Played by SAP Cloud Identity Services

SAP Cloud Identity Services have three key components: Identity Authentication Service (IAS), Identity Provision Service (IPS) and Identity Directory. The Identity Directory is coupled with the IAS. Therefore, from a system administration point of view, you only work with IAS and IPS directly.

Roles IAS and IPS Play in the User Management

For an IT Contact, you use the same credential to access IAS and IPS, jointly called SAP Cloud Identity Service.

The IAS Plays following roles:

Authenticate users

Assign CBC user roles to CBC users

Act as a proxy system when a corporate IdP is used

Let me explain what “Assign CBC user roles to CBC users” means: Different from Tenants 080 and 100, CBC tenant does not have capabilities to assign user roles by itself. This functionality is dedicated to the IAS. After users in Tenant 100 tenant are created, if these users need to access to CBC, the IAS assigns 1 out of 5 CBC roles to these users, so that they can play their roles when accessing the CBC tenant.

From the IAS User Management (see below), besides user’s First Name, Last Name and E-Mail, there is a Login Name. It is george.yu in this case. In addition, there is a User ID (P000000).

The Login Name is critical to the CBC. It is called Subject Name Identifier, an attribute pushed over from the IAS to identify a user who logons to the CBC Tenants.

User Management in IAS

When a business user is created in the Starter System tenants (080 and 100), the following information is mandatory:

Username: george.yu or D123456 for a corporate ID

Email address: george.yu@sap.com

User ID: CB9980000050

Business roles: BR_BPC_EXPERT and SAP_BR_ADMINISTRATOR

The username is the most critical here. It is exported to the IAS and stored as Login Name for authentication purposes. In other words, Username in Tenant 100 and Login Name in the IAS link one unique business user together.

Most times, we use email address as the login name. That is a setting in IAS. We can also change that to use Login Name to logon to a system.

Both User ID and Business Roles only stay within the Tenant 100; they are never exported to the IAS tenant. It is easy to understand: IAS is for authentication, and business roles are for authorizations within the customizing/extensibility tenant.

The IPS Plays following roles:

Replicate five CBC user roles from CBC to IAS. This only performs once when the system is set up for the first time.

Read CBC users from the IAS tenant and provision them to the CBC tenant. This needs to be done each time when new CBC users are added/created.

With the user provisioning role by IPS tenant, CBC tenant has a user’s following information:

User ID: P00000

Business Role: SAP_CBC_CONSUMPTION_ACTIVITY_ALL

Under the user icon of the CBC tenant, the Login Name: GEORGE.YU is used to identify the user.

User Login Name is Used as the Identifier in CBC Tenant

In contrast, when logon to Customizing Tenant 100, the user’s full name is used as shown below.

User Full Name is Used as the Identifier in Dev-100 Tenant

CBC Tenant Technical Configurations for Starter System

After a Starter System is provisioned by SAP, you usually have no difficulty in customizing and extensibility tenants. But you still need to follow the below steps to get the CBC Tenant ready for the first-time use.

Step 1 - Activate the Initial Admin User in SAP Cloud Identity Services (email)

In the Initial Admin User discussion, I introduced an email from SAP Cloud Identity Services which provides an administrator account (your email address) to you. You need to activate this account and create a password for it. With this account, you can act as an administrator in the IAS and the IPS tenants. Since Tenants 080 and 100 use the same IAS for authentication, this account is used to access Tenants 080 and 100 as well.

If for any reason, your administrator account activation period is over, when you try to activate the account with the original notification email, a new activation email will be sent to you right away, so that you can activate the account promptly.

The following email provides the URLs of three important tenants: IAS, IPS (in the middle section) and CBC (at the bottom).

System Access Information for the CBC Tenant

Note: Although in the SAP Cloud Identity Service email, the IAS and IPS tenants are listed separately with a different URL, in fact, they are now all using the same URL. When you access the IAS Tenant, the tab Identity Provisioning serves the IPS function.

Following Steps 2 – 7 might be optional for you as a customer, because they are all done by SAP’s operations team for you as part of the system provisioning process. However, to give you further technical details in case you need to do troubleshooting, I explain them in detail. You can follow through to ensure everything is set up correctly.

SAP Help Portal has a discussion on this subject: CBC User Setup and Access.

Step 2 - Configure the Trust Relationship in the IAS Tenant to the SAP CBC Sub-account

By clicking on the URL for the IAS, we launch the IAS Tenant.

User Interface of the IAS Tenant

Under Tab Applications & Resources, select Applications. Here we need to have at least three applications in the Bundled Applications section (name could vary):

CBC Tenant

Starter Customizing Tenant

Starter Development Tenant

If the CBC Tenant is not listed, we can create it as a new application by clicking on the Create button. In the Type dropdown list, select “SAP Central Business Configuration solution”.

Create a CBC Tenant in IAS

After the CBC Tenant application is created, you need to build a Trust in three areas by clicking on the CBC Tenant application, then clicking on the Trust tab on the right-hand panel:

SAML 2.0 Configuration

Subject name Identifier

Assertion Attributes

Configure the CBC Tenant Application

First, we do a SAML 2.0 Configuration by fetching a metadata file and uploading it to the interface, so that you don’t need to manually type the information. For example, if there is a metadata URL provided, https://cbc.yourdomain.authentication.aws.hana.ondemand.com/saml/metadata, click it. While nothing shows up on the web browser, in fact, a file saml-cbc-ap-rel-xyz-sp.xml has been downloaded. You can confirm this by checking the lower left corner of the web browser. When you click on the Browse button, select this xml file.

Note: The SAML 2.0 Configuration is only valid for SAP Internal systems; not for customers.

Define SAML 2.0 Configuration Metadata

Second, we need to verify the configuration in Subject Name Identifier, i.e., making sure Login Name is a basic attribute.

The Subject Name Identifier is a profile attribute that the IAS sends to the SAP Central Business Configuration application (see detailed explanation and example in my blog User Management in a Nutshell for the SAP S/4HANA Cloud, public edition). The CBC Tenant then uses this attribute to identify the user.

Configure the Subject Name Identifier

Finally, we need to maintain Assertion Attributes. The CBC tenant uses groups to authorize users. Before a user is pushed over from the IAS tenant to the CBC Tenant, the user is assigned a CBC group. This step is to insert a new attribute to be part of the user identifications, along with the Login Name and others.

Select Assertion Attributes, add a new field called Field for Groups by clicking on the +Add button. Then we maintain “Groups” (G should be in the capital letter) in the field and hit the Save button.

Configure the SAML Assertion Attributes

With the above three steps in place, the trust relationship from the customer´s IAS tenant to the SAP CBC Sub-account is successfully established.

Step 3 – Create A “System as a Technical User Administrator” in the IAS tenant

Previously I discussed how the CBC users are created in the IAS tenant. After assigning group(s), these users are pushed over to the CBC tenant by running a job. To make this step possible, we need to create a system as a technical user administrator, which is used by the IPS tenant to authenticate in the IAS tenant and create Groups.

In the main interface of the IAS tenant, under tab Users & Administrators, select Administrators. Check those entries with a database cylinder icon; they represent systems.

When you click on these listed systems (SAP IPS- Central Business Configuration, for example), its property is displayed on the right-hand side. In the Configure Authorizations section, make sure Manage Users and Manage Groups are turned on.

A System as a Technical User Administrator

To create a system as a technical user administrator if it does not exist, you click on Add → System. You give a name to the system, such as TechAdmin. After the System has been created, it is listed together with the other systems.

Click on the newly created System TechAdmin. Click on the Secrets to generate a password.

Set the Secrets (password) for TechAdmin System

Copy the Client ID and Secrets and save it in a safe place. Also make sure Manage Users and Manage Groups are turned on.

Step 4 - Create Source and Target Systems in IPS

I explained the roles of IPS previously. It is basically a broker of doing two job executions: first pushing roles from CBC to the IAS tenant; this is only executed once. Second, provisioning users from the IAS to the CBC. To make this easy to understand, we adopt source system and target system concept:

For User Provisioning from the customer´s IAS tenant to CBC tenant, the customer´s IAS tenant should be maintained as a Source and the CBC tenant as a Target in the IPS.

For pushing roles as groups from CBC to the customer IAS tenant, the CBC tenant should be maintained as a Source and the customer´s IAS tenant should be maintained as a target in the IPS.

These source systems and target systems have been set up by SAP’s operations team already. You can verify them by clicking on the tab Identity Provisioning → Source Systems or Identity Provisioning → Target Systems.

Check the Source Systems

Check the Target Systems

Step 5 - Push Roles from the CBC into IAS as Groups

Although the CBC Tenant does not do user management by itself, it does user access authorization by groups. During the initial setup, we need to push these CBC related roles from CBC into IAS as groups, so that when users are created in the IAS tenant, proper CBC role(s) can be assigned to the users.

Before executing this step, double check if the user roles are already available in the IAS tenant (could be done by the SAP operations team). Click on Users and Administrators --> User Groups, if all CBC related groups are available, you can find them (see below figure). In this case, there is no need to push roles from the CBC into IAS as groups.

Five CBC User Groups Are Available in the IAS Tenant

If the User Group shows empty, then there is a need to push roles from the CBC into IAS as groups. Click on tab Identity Provisioning → Source Systems. Select the CBC Tenant as a source, click on Jobs tab, click on Run Now button in the Read Job row.

Run a Job to Push CBC User Groups into the IAS Tenant

Step 6 - Provision the Initial Admin User to the CBC Tenant

Most likely, the Initial Admin User (P000000) has already been pushed to the CBC Tenant by the SAP operations team. You can verify that by following Step 7 to logon to the CBC tenant. If not, you can do the following:

Add User P000000 to the CBC group: Click on the tab Users & Administrators → User Group (refer to the 2nd figure from above). In my case, the user P000000 is already part of the group SAP_CBC_CONSUMPTION_ACTIVITY_ALL. If not, click on the Add button to add the user.

Provision User P000000 to the CBC tenant: Click on the Identity Provisioning → Source System. Select IAS for CBC entry. Click on the Jobs tab. Click on the Run Now button in the row of Read Job.

Run a Job to Push Users from the IAS Tenant into the CBC Tenant

After running the job, from the tab Identity Provisioning → Job Logs, we can check if a user is created or updated. In this case, since the CBC user was created by the SAP Ops Team, the user is updated only.

The job log tells us the following:

From the IAS Tenant, 5 CBC user groups are read; 1 user is read. No user or group is created.

Within the CBC Tenant, 5 user groups are updated; 1 user is updated. No user or group is created.

Job Log of Provisioning Users from the IAS Tenant to the CBC Tenant

Step 7 - Login to CBC as the Initial Admin User

To verify if the CBC system has been set up correctly, login as the Initial Admin User. If running into any error, go back to fix it until you can login successfully.

When you login to the CBC tenant for the first time, you will get a pop-up window to create a CBC project. That is our CBC Configuration activities to be discussed in next section.

A Pop-Up Window when Accessing a New CBC Tenant

Common CBC User Logon Errors

Many times we encounter CBC user logon errors. I am listing several common errors here

Error 1: Unauthorized

Symptom: When you log on to a CBC tenant for the first time, you get an “Unauthorized” error.

Cause: CBC Tenant does not have the user information. It is not pushed over from the IAS Tenant. This happens a lot when you create a group of users. Some users activate their accounts right away. If you run above Step 8 after user activation, these users have no problem to logon to CBC. However, some users only activate their account days(!) later, and the administrator is not aware and doesn’t run above Step 8 afterwards. These users will see this error.

This usually happens to some users but not all, because it requires one more step in user setup procedure.

Solution: Rerun the above Step 6.

Error 2: Unauthorized

Symptom: When you log on to a CBC tenant for the first time, you get an “Unauthorized” error.

Cause: As I explained before, when you create a new user in Dev tenants and export it to the IAS, the User Name in the Dev tenants becomes Login Name in the IAS tenant. This Login Name is used as the so-called Subject Name Identifier (SNI). That means the CBC uses this SNI to identify the user. If the SNI uses a different basic attribute, such as an email address or a User ID, the Login Name passed over from the IAS Tenant becomes useless.

This usually happens to all users, because it is a system setting.

Solution: Follow the steps listed in SAP Note 3103503 to fix the error, and rerun the above Step 6.

Error 3: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile, status message is User attribute configured for name-id format unspecified is not supported.

Symptom: After authentication is passed at the IAS Tenant, this message pops up.

Cause: This only happened to myself as the Initial Admin User. When the systems were provisioned, my user account was already created in the IAS (P000000) and the Dev Tenants (CB000000000). So I usually don’t need to create a new user account for myself. As I explained before, when you create a new user in Dev tenants and export it to the IAS, the User Name in the Dev tenants becomes Login Name in the IAS tenant. And that Login Name is passed on to the CBC Tenant when running above Step 6. In my case, the Login Name was blank in my user details. This causes above error message.

Solution: Fill the blank Login Name in the IAS Tenant with the User Name from the Dev -100, and rerun above Step 6.

Step 8 - Create Business Users in the Starter System

With the current Starter System landscape, we can create CBC users independent of customizing and extensibility tenants. In other words, the same user can have two separate accounts for CBC and customizing and extensibility tenants. My personal opinion is don't do that. From workflow of system configuration, the same person will start the system configuration in the CBC, and continue on product-specific activities in the customizing tenant. You hardly have two people doing that separately.

My approach is to create business users for both the Tenants 080 and 100 first, then export to the IAS, and then push to the CBC Tenant. This way we have the same user for all three tenants.

Please refer to my blog User Management in a Nutshell for the SAP S/4HANA Cloud, public edition for business user creation.

After the CBC Tenant is set up correctly and users can logon to it, we are moving on to configure CBC projects in next section.

CBC Project Configurations for Starter System

As I discussed in the Starter System Landscape section, we have two Starter System tenants: customizing tenant 100 and development extensibility tenant 080. For each tenant, we need to create a corresponding project in the CBC tenant. SAP Help Portal has good information on this at Phases, Project Activities, and Milestones in an Evaluation Project.

Note: For a Starter System project, it is categorized as the Evaluation Project, not the Implementation Project.

Create a Starter System Customizing Project

When we click on the Create New button shown in above figure, a New Project window pops up. Enter info for a new project; choosing Evaluation as the project type.

Create a New Project in the CBC Tenant

Note: There are two types of Project Type, Implementation and Evaluation. For a Starter System, you need to select Evaluation. With that selection, organization structure and master data will be created for you. For regular implementation, you select Implementation. No master data or organization structure will be created for you.

Define Scope Activity

After a project is created, the first activity is Define Scope.

A New Project Created Successfully

When you first work with the Evaluation Project, we recommend choosing only one country/region first. The reason is that the more countries you choose, the more scopes you will activate. This will make the activation process running much longer. If you want to do multi-countries together, the upper limit is five countries. Don't add more than five countries. You can add more countries/regions later via Initiate Change.

In my case, I select one country, USA; and the Private Sector. Some scopes are different for the Private Sector from the Public Sector.

Select Country and Sector for Define Scope Activity

The evaluation project only offers a limited scope selection. It already contains the Enterprise Management bundle. After hitting the Save button, all 225 scopes are selected automatically as part of the Enterprise Management Layer.

Two scenarios are available for parallel ledger accounting. You can choose either the group ledger scenario Accounting and Financial Close - Group Ledger US GAAP or Accounting and Financial Close - Group Ledger IFRS. Depending on your country/region selection, additional scenarios may also be available.

You can find the scope Accounting and Financial Close - Group Ledger US GAAP by scrolling down a little bit.

Add Scope Accounting and Financial Close - Group Ledger US GAAP

After reviewing all selected scopes, click on the Complete Activity button to complete the Define Scope Activity.

Complete Define Scope Activity

Assign Deployment Target Activity

In each evaluation project you must assign a deployment target, either the starter customizing tenant or the starter development tenant. That’s what the Assign Deployment Target Activity is for.

Assign Deployment Target Activity

After clicking the Open button of the Assign Deployment Target Activity, choose the Starter Customizing tenant to assign.

Assign Customizing Tenant as the Target System

After the target tenant is assigned, click on the Tab Activities. Now the task Assign Deployment Target falls in the In Progress Lane. Click on Manage to change it to be Completed.

Manage Assign Customizing Tenant Activity

Confirm Scoping is Completed Activity

Now we confirm scoping is completed by clicking on the Manage button in the task Confirm Scoping is Completed Activity. In the pop-up window, click on the button Confirm Milestone.

Confirm Milestone in Confirm Scoping is Completed Activity

Before confirmation proceeds, there is a warning message to ask you to be patient 😊.

A Warning Message before the Confirmation

During the confirmation, a progress bar displays the percentage of the work. This step usually completes in 30 minutes.

Confirmation Progress Bar

After the milestone is set, three new activities are listed under the Open Lane:

Specify Primary Finance Settings

Setup Organizational Structure

Confirm Scope and Organizational Structure Phase is Completed.

Specify Primary Finance Settings Activity

The preconfigured evaluation project only allows you to confirm K4 - Cal. Year, 4 Special Periods as fiscal year variant and USD (US Dollar) as group currency. All additional fiscal year variants or group currencies are presented for your information only.

Specify Primary Finance Settings

When you hit the Save button, a confirmation window pops up. Check the two check places and Confirm it.

Confirm Primary Finance Settings

After a successful confirmation, the setting check area grays out. Hit the Complete Activity button.

Complete Specify Primary Finance Settings Activity

Set Up Organizational Structure Activity

The evaluation project contains an existing organizational structure, with all organizational units confirmed already. You can choose to enhance the preconfigured organizational structure by creating your own organizational units. If you want to deploy the organizational units you created to the target system, you need to confirm them.

By scrolling down, we can see the predefined organization structure graphically, or in a grid format.

Predefined Organization Structure

If no new organization structure needs to be added, hit the Complete Activity button.

Confirm Scope and Organizational Structure Phase is Completed Activity

Click the Manage button in the Confirm Scope and Organizational Structure Phase is Completed activity. In the popup window, hit the Confirm Milestone button.

Confirm Milestone of the Confirm Scope and Organizational Structure Phase is Completed Activity

The progress is displayed with a progress bar. After about one to two hours, it reaches 60%. From that time on, it takes a long time to complete. In my own experience, the entire confirmation process takes more than six hours. I usually start it before leaving work and come back the next morning to see the result.

Confirmation Progress Bar

After the milestone is completed, go to the Product-Specific Configuration phase to carry out configuration activities that cover detailed settings of the solution process.

Product-Specific Configuration

Check the Master Data

Different from regular customer systems, the Starter System provides the master data for a user to quickly get a demo scenario running. These master data are created when we set the milestone in the CBC project. To check it out, we run the Product List app. One prerequisite is to create a user role by copying from SAP delivered user role SAP_BR_PRODMASTER_SPECIALIST and assign yourself to this user role.

The below figure shows 225 products in the Customizing tenant 100.

SAP Delivered Product List in the Starter System, Customizing Tenant – 100

Create Starter System Development Project

If you plan to test out the capabilities of the Development Extensibility Tenant, we need to create a new project in the CBC Tenant; otherwise, you can stop here.

Create Starter System Development Project

If the screen does not show the new project Starter System Development, you can manually click on the Switch Project button; otherwise, the newly created project is displayed.

Similarly, as the Starter System Customizing project, several activities are listed in the Open Lane, such as Define Scope Activity, and others for the Starter System Development project.

Activities in the Starter System Development Project

From this step and on, you basically repeat all the steps we did for the Create a Starter System Customizing Project, but for the Starter System Development Project.

Conclusion

In this blog, with the system landscape for the Starter System of the SAP S/4HANA Cloud, public edition as the foundation, I explained all the steps, from A to Z, to setup the Starter System after its provisioning, including CBC Technical Setups and CBC configurations for the Customizing and the Development Extensibility tenants, respectively. From this point on, you can use the system to explore its standard functionalities and conduct the fit-to-standard workshop with your business users.

Unleashing the Power of Cloud: A Fun Guide to Automating User Administration - SAP Best Practices Identity Lifecycle Service (IDLS) for SAP Cloud Identity Services (SCI)

2023-09-05T16:16:38+02:00

Why You Should Jump On Board!

Picture this: You're using SAP Cloud Identity Services (SCI), but there's a hitch. You can't whip out your magic wand and conjure up some custom logic for any event in the Identity Directory Service (IDDS). What a downer, right?

Well, wipe that frown away! The SAP Best Practices Identity Lifecycle Service (IDLS) is here to save the day. It's like your personal superhero, giving you the power to inject your own custom wizardry into the SCI. Whether there's a tiny tweak or a mammoth modification in the IDDS, IDLS is ready to execute your custom logic, written in the language of the internet - JavaScript!

Three Fabulous Feats You Can Perform:

Abra-cadabra! Change a name and the email address recalculates automatically!

Have a new hire? Or a sudden termination? No worries! Activate or deactivate identities based on data in the IDDS.

Organize a coup! Automatically assign groups based on juicy info like cost center.

How This Magic Works:

IDLS acts like a busy bee, frequently buzzing around the IDDS to gather user information. You decide how often it buzzes.

Detects any changes in the user data and neatly stacks them up in a queue in the Event Mesh service.

Voila! It executes your custom logic.

Writes back the modification into the IDDS, like a diligent scribe.

The service comes with a treasure chest of predefined JavaScript functions. It's nostalgia-inducing, just like good old SAP IdM. Use these to perform certain operations inside IDDS.

Peek Into A Sample Spellbook:

Here's a sneak peek at a script that covers two of the scenarios mentioned above: Recalculating an email address (including checking for uniqueness) and assigning a group based on the user's cost center.

function eventTriggered(value, event) {

    if (event.getValue() == "Changed") {

        if (value instanceof Java.type("com.sap.openapi.idds.model.User")) {

            let changesMap = new Map(Object.entries(JSON.parse(changes)));

            changesMap.forEach((valueAttr, key) => {

                print(`Changes: ${value.getUserName()} : ${key} `); 

                if (key == 'familyName' || key == 'givenName') {

                    handleUserNameChanged(value);

                }



                if (key == 'costCenter') {

                    addUserToGroupByCC(value);

                }

            });

            utils.patchValues('user', value);

        }

    }

}





function handleUserNameChanged(user) {

    let name = user.getName();

    var familyName = name.getFamilyName();

    var givenName = name.getGivenName();

    var emailList = [];

    var email = `${givenName}.${familyName}@company.com`;

    email = deleteUmlauts(email);

    var index = 1;

    while (utils.getValueByEntry("email", email)) {

        email = `${givenName}.${familyName}${index}@company.com`;

        index++;

    }

    user.getEmails().forEach(element => {

        element.setValue(email);

        element.display(email);

        element.setPrimary(true);

        element.setType(utils.getEmailType('work'));

        emailList.push(element);

    });

    print(emailList);

    user.setEmails(emailList);

    user.setUserName(email);

}



function addUserToGroupByCC(user) {

    if (user.isActive()) {

        var listGroups = utils.getGroups();

        listGroups.forEach((group) => {

            let name = group.getGroupExentsion().getName();

            print(`Cost Center Name: ${name}`);

            if(name.indexOf("_") > -1) {

                let cc_number = name.substring(name.indexOf("_") + 1)

                print(`Cost Center Number: ${name}`);

                if (cc_number == (user.getEnterpriseUser().getCostCenter())) {

                    utils.addUserToGroup(user.getId(), group.getId());

                }

            }

        });

    }   

}



function deleteUmlauts(value) {

    value = value.replace(/\u00e4/g, "ae");

    value = value.replace(/\u00fc/g, "ue");

    value = value.replace(/\u00f6/g, "oe");

    value = value.replace(/\u00df/g, "ss");

    value = value.replace(/\u00dc/g, "Ue");

    value = value.replace(/\u00c4/g, "Ae");

    value = value.replace(/\u00d6/g, "Oe");

    return value;

}

The function "eventTriggered" is like the red carpet rolled out for every modification the IDSL detects. This function sorts out the modifications ("Created", "Changed", "Deleted") and provides all the juicy details related to the event (like the modified name). This function is your VIP pass into the IDSL.

The functions "handleUserNameChanged" and "addUserToGroupByCC" jump into action when the name or cost center are tweaked, and perform the necessary operations. Think of them as your trusty sidekicks, ready to perform more feats as you add them.

So, buckle up and get ready to automate your user administration in the Cloud with SAP's IDLS!

Predefined Script Functions

This is a list of the predefined script functions available as of now:

patchValues

Input Parameters:<entryType>,<JSONEntry>

Updating the entry in the IDDS

getValueByEntry

Input Parameters: <searchAttribute>,<searchValue>

Return Value: Boolean (true if entry was found in the IDDS)

Search for an entry in IDDS by attribute name and value

addUserToGroup

Input Parameters: <userScimId>,<groupScimId>

Adding a user as member of a group inside the IDDS

deleteUserFromGroup

Input Parameters: <userScimId>,<groupScimId>

Removing a user as member from a group inside the IDDS

deleteUser

InputParameters: <userScimId>

Delete a user form IDDS

deleteGroup

InputParameters: <groupScimId>

Delete a group form IDDS

getGroups

Returning a List of all groups inside the IDDS

Prerequisites

The following BTP Services are required to be available to be able to use this SAP Best Practices Service:

SAP Cloud Identity Services

SAP Cloud Foundry Runtime Environment

SAP Event Mesh Service

SAP Object Store Service

The Inside Scoop

If your curiosity is piqued and you're itching to know more about this service and how to roll it out, don't be shy! Reach out to me directly or shoot an email to security.consulting@sap.com. We're all ears!

How to handle “usernames”, “Global User IDs” and “external IDs” in your landscape?

2023-09-12T14:41:17+02:00

When it comes to setting up Identity Access Management (IAM) flows, we are often asked for best practices regarding usernames, Global User Ids and external ids. This blog post explains exactly this so let's crack it !

In a nutshell, it is safe to say that it is good practice to avoid sensitive data when choosing a policy for usernames and IDs.

Here are some example of what sensitive data means:

credit card information,

user session identifiers,

customer data,

personal data / employee data.

The data type which is mainly processed in IAM context is personal data.

IAM admins might feel tempted to choose personal data derivations for usernames, Global User IDs and external IDs. This is bad practice.

Usernames, Global User IDs or external IDs appear in log files and other traces. DevOps who have access and authorisations to such log files might see personal data that they are otherwise not allowed to (need-to-know principle).

Furthermore if you use personal data in these attributes, the changes to values might not be applied, because the effort to keep track of audit-trails in log files would be too high. Keeping a history of multiple username- or external-ID-values over time (log files are read-only) is expensive. Some applications do not allow an ID change at all, which adds up complexity in the processes.

What is the difference between these attributes and when to use them?

The username is a mutable attribute which can be used for login hints like an email address, but which is also often distributed into applications.

Best described in the SCIM2 RFC7643 a username is the service provider's unique identifier for the user, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to "id" or "externalId", which are generally opaque and not user-friendly identifiers).

Imagine your user is provisioned in various target applications and for business purposes (such as workflows), the same user must be uniquely identified between them. In this case, one needs a correlation attribute. We in SAP call it the Global User ID.

Also, in case the application requires data from another systems, it fetches it based on a mapping done via this correlation attribute.

The externalID is also described in the SCIM2 RFC7643 - it is mutable, defined by the client (and not the server) and optional within SCIM2.

The email attribute is often used in cloud services as login-name, as notification attribute and sometimes also as userID. Emails frequently contain personal data. The email is mutable and changes more often than we think. Name changes happen for several reasons but also domain changes in case of company changes. The email is easy to remember as login name and indicates the notification channel, but it creates headaches regarding Security, Data Protection and Privacy if the app doesn't have other ways to identify the person at hand.

Best practices:

Generated usernames / IDs are better than manually assigned ones.
First and foremost, admins should differentiate between the processes where the attributes are used. It is common to use personal data derived attributes (such as email or a human-friendly username) as logon aliases at the authenticating Identity Provider (IdP). On the other hand, for technical integrations which are not visible to the end user (such as SAML/OIDC flows or SCIM based replication), generate unique values without personal data as usernames, external IDs or Global User ID. Consider uuid formats because uuids are, for practical purposes, unique. Their uniqueness does not depend on a central registration authority and uuid does not contain derived personal data.

The usage of immutable IDs (referencing to mutable information) for the entire Identity Lifecycle.
During the Identity Lifecycle, attributes such as lastname and email change. With stable identity identifiers the system to system communication continues without disruptions. The SAP Cloud Identity Services automatically generate the SCIM ID and Global User Id in uuid format for each record (The Global User Id is technically defined as mutable but there are rare reasons to change it during normal operations).

Avoid the usage of IDs in User Interfaces (UI).
In the User Interface the technical identifiers should be replaced with human-friendly attributes. No one likes to be greeted in the morning with a Hello 0ae23960-721d-453c-8b1f-12eab5494e93!. Instead, what is being displayed in UIs or in self service portals should be a personal data attribute like the Displayname or firstname (belonging to the identity having this uuid). At the same time, DevOps engineers can observe in monitoring tools the successful authentication of a user based on the uuid value (or a username / external ID) without seeing any personal data.

You can find more details in the links bellow:

SAP Cloud Identity Services (incl. IAM recommendations)

Global User ID concept

Using Restrictions to Enhance User Authorizations in the SAP S/4HANA Cloud, public edition

2023-10-04T19:56:34+02:00

Introduction

A Quick Review of Restrictions

Authorization Hierarchy and Restrictions

Access Restrictions with Three Apps

Maintain User Roles App

IAM Information System App

Display Restriction Types App

Maintain Restrictions

An Example of Using Restrictions

Business Scenario

Understand Restrictions in a Business User Role

Display Restriction Types App

Mass Change Restriction Values

Conclusion

Introduction

In my previous blog about Spaces and Pages, I discussed how to use business catalogs and business user roles to control the Fiori app access in the SAP S/4HANA Cloud, public edition. In the real world, this is not enough. For the data security purpose, we want to control data access. For example, an accountant in a large global organization is limited to only see one country’s data but no other countries, although accountants in country A and B both hold the job title “Accountant”. I am going to discuss using restrictions to enhance user authorizations in this blog.

A Quick Review of Restrictions

Authorization Hierarchy and Restrictions

When an end user accessing an enterprise resource planning (ERP) system, he/she passes two check points: authentication and authorizations. Authentication checks the user’s existence in the system and let him/her get onto the system or gaining an access to the system after verifying the password. This check is done through Identity Authentication Service (IAS) as I discussed in details in my blog about User Management.

Authorization does a different job. It checks which Fiori applications (apps) the user can see and/or use based on his/her business user roles. Authentication and authorization work in tandem in any real-world systems.

Within SAP S/4HANA Cloud, public edition, a user authorization is achieved through a 5-layer control:

Users – are assigned with business roles.
- Business Roles – are composed of business catalogs and restrictions. They are associated with Spaces.
  - Business Catalogs – control Fiori App access. They are associated with Pages.
  - Restriction Types – control customer data access within the Fiori Apps and bundle multiple restriction fields together.
    - Restriction Fields – are filled with authorization values.
      - Authorization Values

According to SAP Help document: “Depending on the business catalogs contained in a business role, certain restriction types are available. A restriction type is an authorization entity that bundles the available restriction fields into a logical definition, for example, company code. These restriction fields can be used to restrict the access to a specific business object, such as an organizational area. This means, the business catalogs contained in a business role define what a business user has access to. This access can be refined even more by restricting the access category for the fields and objects a user has access to. An access category defines what kind of access is granted to a user assigned to a business role, for example, read, write, or value help access. These access restrictions can be adapted in the business role in the Maintain Business Roles app.”

Let’s digest above paragraph in layman’s terms.

All business users are assigned 1 to many business user roles, such as SAP_BR_CASH_MANAGER, SAP_BR_CASH_SPECIALIST, etc. Spaces within Fiori Launch Pad is based on the business user roles.

You can view a business user role as an umbrella, and it is composed of 1 to many business catalogs. A business catalog grants a user to do certain things in the system. For example, we have one business catalog Master Data – Business Partner Display (Business Catalog ID: SAP_CMD_BC_BP_DISP_PC), it enables users to view business partner master data.

A user’s access to Fiori Apps is based on the business catalogs. Pages are organized by business catalogs.

As I said before, even with the same job title (aka business role), two different business users might have the same Spaces, Pages, and Fiori Apps on their Fiori Launch Pad, they access different data depending on certain criteria, e.g., countries. This is implemented by Restrictions.

With the right restrictions, we can create similar business roles but dedicated to relevant causes. For example, we make two business roles for cash managers, one for Germany called YU_CASH_MANAGER_DE, and another one for US called YU_CASH_MANAGER_US. The only difference is the country each covers. We will explain it further soon in our example section.

When we talk about restrictions, there are three concepts: Restriction Types, Restriction Fields and Authorization Values. Authorization Values are assigned to the Restriction Fields. Restriction Fields are organized into Restriction Types. In the below figure, we have a restriction type Bank Account Management FCLM_BAM, with four restriction fields: Bank Account Type ID, Company Code, Profit Center and Segment for Segmental Reporting. We can use the pencil icon to add/edit Authorization Values to these Restriction Fields.

Restrictions and Values of Restriction Type: Bank Account Management

One important thing to understand is that Restriction Type and Business Catalog work together, below the Business User Role layer. One Restriction Type can play the access control role in multiple Business Catalogs, thus the Business User Roles. Simultaneously, one business catalogs can be associated with multiple Restriction Types.

This authorization hierarchy concept can also be illustrated in the below figure.

A user can have multiple business user roles.
- Biz Role 1 and Biz Role 2

Within a business role, business catalogs and restriction types work in tandem.
- Biz Catalog 1, Restriction Type A, Restriction Type B and Biz Catalog 2 within Biz Role 1.

How many available restriction types are determined by business catalogs but used in the business roles.
- Restriction Types A and B in Biz Role 1, and B and C in Biz Role 2.

Even with the same restriction type, different restriction fields can be used/filled in different business roles.
- Biz Role 1 uses Restriction Fields B1 and B2, while Biz Role 2 uses Restriction Field B2

Authorization Hierarchy Concept with SAP S/4HANA Cloud, public edition

Access Restrictions with Three Apps

There are mainly three apps accessing restrictions, Maintain User Roles app, IAM Information System app, and Display Restriction Types app.

Maintain User Roles App

Here are the steps to access restrictions using Maintain User Roles App:

Launch Fiori App Maintain User Roles

Select one of the business roles you are interested and open it (arrow toward right)

The Restrictions related menus are at the top of the screen (below figure).
- When the role is in Display mode, you have the following menus within the Red Rectangle:
  - Edit – enters into Editing mode
  - Display Changes After Upgrade
  - Display Restrictions
  - Display Restrictions (Deprecated) – will be removed at next major upgrade.
  - Display Changes – a change log
- After you hit the Edit button, you have the following menus within the Green Rectangle:
  - Manage Changes After Upgrade
  - Maintain Restrictions – this is our primary tool!
  - Maintain Restrictions (Deprecated) – will be removed at next major upgrade.

Maintain Business Roles App

In this blog, we use the Edit mode in most discussions unless indicated.

When we maintain a business role, there is a section called Access Categories under General Role Details tab (see above figure). Let me explain it here as they are important to our restriction discussion.

There are three Access Categories

Write, Read, Value Help

Read, Value Help

Value Help

If I align these categories on the right instead of left on a paper, you immediately see the relationship among them:

Write, Read, Value Help

Read, Value Help

Value Help

Write, Read, Value Help supersedes all others. You basically have Write, Read and Value Help controls on all Restriction Fields.

Read, Value Help can only have Read and Value Help controls on all Restriction Fields, but not Write.

Value Help only have the Value Help controls on all Restriction Fields.

Value Help is a list of pre-defined values for you to select from. It is similar as a dropdown list in Excel application.

For each category, you have three possible access controls:

Unrestricted

Restricted

No Access

In the Restriction discussion, we most times select Restricted to assign relevant authorization value(s) to Restriction Fields.

IAM Information System App

The IAM Information System App is a central repository providing a complete overview of how applications, business catalogs, restrictions, business roles and business users are assigned to each other.

For example, when selecting Restriction in Main Entity, and enter Bank Country/Region Key as Restriction Field, we can see all the business roles used this restriction, and their Access Category.

Take business role YU_CASH_MANAGER_DE as an example (see below figure), we can learn the following:

No Leading Restriction is turned on (in comparison, Business Role YU_CASH_MANAGER_US) has Leading Restriction turned on)

Value Help is Unrestricted

Restriction Type General has Write and Read with restriction value of “DE”

Restriction Type Internal Banks for Cash Management has no value for Read, but value of “HK” (Hong Kong) for Write.

Explore Restrictions in IAM Information System App

Display Restriction Types App

I will discuss this access method in a real-world example shortly.

Maintain Restrictions

After you select a business role, hit Edit button, you can further hit Maintain Restrictions button (see below figure). Let’s use Cash Manager YU_BR_CASH_MANAGER as an example.

Maintain Restrictions window is divided into two panels, left and right. At the top left corner, it has a summary of Access Categories. If you want to make changes to Access Categories, you need to expand the middle section Access Categories. All the Restrictions can be accessed by expanding the Assigned Restriction Types.

Maintain Restrictions Window

The right panel contains all the details of each Restriction Type. For example, if you select the Restriction Type Company Code/ Memory Record Type F_CLM_MR, three tabs show up:

Values – assign authorization value(s) to the Restriction Field(s).

Description – gives an explanation to the Restriction Type, including its purpose, and sometimes, the explanations of these restriction fields.

Business Catalogs – list business catalog(s) this Restriction Type is relevant to.

Restriction Fields in Restriction Type Company Code/ Memory Record Type F_CLM_MR

Restriction Types that contain general organizational Restriction Fields are grouped together into a section called General (see below). For that reason, there are many Restriction Fields here in comparison with individual Restriction Type(s).

The General Section of Restrictions

To assign or change the values of Restriction Fields, just hit the pencil icon, and you can select relevant values there. In this example (see below figure), we can select Account Type value (A, D or K) to fill in the restriction field.

Select Value(s) for Restriction Field Account Type

An Example of Using Restrictions

Business Scenario

Now let’s put this restriction into use. In an international enterprise, we have operations in three countries, US, Germany, and Singapore. Each country subsidiary has a Cash Manager. The Headquarters has a Cash Manager as well. One of the responsibilities of Cash Managers is to setup local bank information in the system. To do that, all of them are given access to Fiori App Manage Banks – Cash Management. However, except the HQ Cash Manager, each country Cash Manager can only access (read and write) local banks in their relevant country.

Below figure is a list of all banks accessible by the HQ Cash Manager, including banks in four countries: Germany, Hong Kong, Singapore, and USA.

Full List of Banks in Four Countries

Understand Restrictions in a Business User Role

To access Fiori App Manage Banks – Cash Management, SAP Fiori Apps Reference Library tells us we need either SAP_BR_CASH_MANAGER or SAP_BR_CASH_SPECLIAST Business Roles. Only one Business Catalog is responsible for it:

SAP_FIN_BC_CM_BNK_PC, Cash Management – Banks Management

As an exploration, I create a new business role YU_BR_CASH_MANAGER_ALL for the HQ Cash Manager, copying from an SAP Standard Business Role Template SAP_BR_CASH_MANAGER, including predefined Spaces.

Create a Business Role YU_BR_CASH_MANAGER_ALL

Inside this business role, I make Access Category of Write to Unrestricted.

While browsing all available 14 Business Catalogs, there is only one SAP_FIN_BC_CM_BNK_PC controls Manage Banks – Cash Management App according to SAP Fiori Apps Reference Library. For the simplicity of discussion, I remove all other business catalogs except SAP_FIN_BC_CM_BNK_PC.

All 14 Business Catalogs from SAP Template SAP_BR_CASH_MANAGER

After assigning this business role to a user, the user Fiori Launch Pad (FLP) looks like the below figure (for simplicity purpose, I only assign only one business role to this user).

Fiori Launch Pad (FLP) for A Single Role (Cash Manager) User

If we want to further simplify this user role in displaying only needed Fiori Apps, we can remove the Fiori App Display House Banks as well. This is explained in details in my Spaces and Pages blog.

After this exploration, we got familiar with the SAP business role SAP_BR_CASH_MANAGER. Now we can create three new Cash Manager business roles, each with a restriction to its home country. I only explain in details the one to US based Cash Manager, YU_BR_CASH_MANAGER_US. Others are all similar.

When I get to Maintain Restrictions, I change the Write, Read, Value Help Access Category to Restricted.

Highlight the General in the section Assigned Restriction Types.

Two Restriction Fields are shown in the section Restrictions and Values: Bank Country/Region Key and Company Code.

By clicking on the pencil icon in the Bank Country/Region Key, a restriction edit window shows up on the right in the section Restrictions for Bank Country/Region Key.

Edit Values in a Restriction Field

Select Value of “US” and Save.

If there are multiple restriction values and you want Add/Remove them, click on Ranges tab. For example, I have both HK and DE added for the business role YU_CASH_MANAGER_DE.

Add/Remove Multiple Restriction Values

After this business role is assigned to a user, he can only see US based banks.

A User Can Only See US Based Banks with a Business Role YU_CASH_MANAGER_US

One thing we need to pay attention to is the overwriting of the restriction. A user is commonly assigned multiple business user roles. If the restriction Bank Country/Region Key appears in other business role(s), and it is Unrestricted, then the restriction Bank Country/Region Key in the business role YU_BR_CASH_MANAGER_US is overwritten. It becomes no restriction at all. For example, if a user is assigned both business roles YU_BR_CASH_MANAGER_US and YU_BR_CASH_MANAGER_ALL (all Access Categories are Unrestricted), then no restriction is in effect at all.

If you want to apply this country restriction to all restriction types within this business role, you can tick the Leading Restriction in the Maintain Business Roles App.

Apply Restriction to All Restriction Types by Switching on Leading Restriction

After a Leading Restriction is turned on, you can see the value in this field is automatically inherited to other restriction types the field is used as well, in the same business role. This can be checked in Restriction Overview (clicking Display Restriction Overview in Maintain Business Roles App). An organization hierarchy icon signals the Restriction Type is a Leading Restriction. This affects the restriction type in Internal Banks for Cash Management F_CLM_IBNK within the same business role.

The Effect of Leading Restriction Switch to Other Restriction Types in the Same Business Role

This effect can also be observed in the IAS Information System app, by specifying “Bank Country” Restriction Field. In the figure, you can see the General Restriction Type is the Leading Restriction, and it affects the Internal Banks for Cash Management Restriction Type.

The Effect of Leading Restriction Switch to Other Restriction Types

Display Restriction Types App

To thoroughly investigate if the Restriction Type Bank Country/Region Key has been assigned elsewhere, we use the Fiori App Display Restriction Types. By searching the Restriction Type Bank Country/Region Key, with corresponding Restriction Type ID BBANKS, we can find out all 52 Business Catalogs using this Restriction Type.

Business Catalogs Use the Restriction Type Bank Country/Region Key

When we open the Business Catalog SAP_CA_BC_BNK_PC Bank – Maintenance, we can see the Restriction Type Bank Country/Region Key is used there.

Restriction Field Bank Country/Region Key is used in the Business Catalog SAP_CA_BC_BNK_PC Bank – Maintenance

Mass Change Restriction Values

From Release 2302, we have a new function called Mass Change within the Maintain Business Roles Fiori App. After selecting 1 or more Business Roles, the Mass Change button is highlighted.

Mass Change within the Maintain Business Roles Fiori App

We can use the Mass Change Wizard to maintain Restriction Types of multiple business roles. For example, after selecting two business roles: YU_CASH_MANAGER_US and YU_CASH_MANAGER_DE, then hit the Mass Change, we can select Restrictions as an Attribute.

Use Mass Change to Define Restrictions

Then we can select Access Category and Restriction Change.

Restriction Changes in Mass Change Wizard

Restriction Change can be divided into three groups:

General Restriction Values
- Change – add new values to existing (if any) General Restriction Field(s)
- Replace – replace existing value(s) with a new value(s) in the General Restriction Field(s)
- Remove – remove existing value(s) in General Restriction Field(s)

Restrictions
- Add – add a restriction listed with the business role but is not being used.
- Remove – remove a restriction being used

Restriction Values
- Change – add new values to existing (if any) individual Restriction Field(s)
- Replace – replace existing value(s) with a new value(s) in the individual Restriction Field(s)
- Remove – remove existing value(s) in individual Restriction Field(s)

Let’s take an example here. We want to “Change General Restriction Values” in Restriction Field Bank Country/Region Key. We select “Change General Restriction Values” in Step 1. Select Attributes.

Step 1. Select Attributes in Mass Change Wizard

After hitting Next Step button, Step 1. Select Attributes in Mass Change Wizard, we select Bank Country/Region Key in General Restriction Values and enter AG using the pencil icon.

Step 2. Change Attributes in Mass Change Wizard

After hitting Review button, we enter Step 3. Confirm Changes in Mass Change Wizard. Hit the Submit button if everything looks fine. This change will affect two business roles YU_CASH_MANAGER_DE and YU_CASH_MANAGER_US.

Step 3. Confirm Changes in Mass Change Wizard

Now let’s check the impact of above Mass Change. After opening the Display Restrictions menu of business role YU_CASH_MANAGER_DE, we can see AG is part of Restriction Values on top of existing AI, DE and HK.

Change (Add) Restriction Values via Mass Change Wizard

Conclusion

As part of authorizations within SAP S/4HANA Cloud, public edition, we use restrictions to enhance access control within user business roles. With the proper design and implementation process, we can grant different data access based on certain criteria to those users with the same persona, like cash managers. This provides both the restrictions and flexibilities to an ERP system running in a complicated environment.

SAP ASE HADR Setup for IDM

2023-11-08T08:36:08+01:00

Configuring SAP Adaptive Server Enterprise HADR for SAP Identity Management 8.0

Introduction

Intention of this blog is to introduce a blueprint setup for configuring HADR for the SAP IDM 8.0 based on SAP Adaptive Server Enterprise. The SAP Identity Management Setup requires two SAP Adaptive Server Enterprise installations on each host. Key point to note for this scenario:

Primary and Standby must have the same:
- Operating system and its patch levels
- SAP ASE versions
- SAP ASE Configuration
- SAP ASE Logins / Passwords
- Character Set
- Sort Order

You can refer to the HADR Users Guide for more information on prerequisites, configuration, troubleshooting and tuning of both HADR environments.

This blog explains how to set this up based on the following steps:

SAP IDM System Installation on Primary and Secondary Site
- SAP NetWeaver 7.5 Java Installation
- SAP ASE Database instance for SAP Identity Management System
- SAP Identity Management Standard System

Installing Data Movement Option
- Java instance
- IDM instance

Configuring HADR on Primary Host
- SAP ASE for Java instance
  - Prepare response file for executing setuphadr on J50 instance
  - Execute setuphadr tool to configure HADR on Primary ASE for J50 instance
- SAP ASE for IDM instance
  - Prepare response file for executing setuphadr on I50 instance
  - Execute setuphadr tool to configure HADR on Primary ASE for I50 instance

Configuring HADR on Standby Host
- SAP ASE for Java instance
  - Prepare response file for executing setuphadr on J50 instance
  - Execute setuphadr tool to configure HADR on Standby ASE for J50 instance
- SAP ASE for IDM instance
  - Prepare response file for executing setuphadr on I50 instance
  - Execute setuphadr tool to configure HADR on Standby ASE for I50 instance

SAP IDM System Installation on Primary and Secondary Hosts:

Follow the SAP IDM Installation guides to install two identical systems. First system will be used as primary system. Second system will be used as a Disaster Recovery / High Availability system.

Installing SAP NetWeaver 7.5 Java “Standard System”

Use the following option in the latest “Software Provisioning Manager” to install SAP NetWeaver 7.5 Java system in preparation for SAP Identity Management 8.0 system. For this setup I will be using the system ID (SID) “J50” for my setup and all passwords will be set to “P@s$w0rd!” for the sake of simplicity as it is a test system only.

Installing “SAP ASE Database instance for SAP Identity Management System”

Use the following option in the latest “Software Provisioning Manager” to install “SAP ASE Database instance for SAP Identity Management System” in preparation for SAP Identity Management 8.0 system. For this setup I will be using the system ID (SID) “I50” for my setup and all passwords will be set to “P@s$w0rd!” for the sake of simplicity as it is a test system only.

Installing SAP Identity Management 8.0 “Standard System”

Use the following option in the latest “Software Provisioning Manager” to install “SAP Identity Management Standard System”. This setup will require you to connect to the SAP Adaptive Server Enterprise installed in the previous step.

Shutdown the Java instance (excluding database) on the Standby Host

We will shut down the SAP NetWeaver Java instance on the standby host. We will not start this instance until we perform a database failover and the current standby host becomes the new primary host.

Installing SAP ASE Data Movement Option

We will be installing two instances of SAP ASE Data Movement Option one for the SAP ASE instance “J50” and one for SAP ASE instance “I50”. Both ASE Instances were installed and configured in the previous steps.

Installing SAP ASE Data Movement Option for the SAP ASE used for SAP NetWeaver Java instance

Use the following sample response file for installing SAP ASE DM for the Java instance (J50) on both primary and secondary hosts. This will only install the DM option under the /sybase/J50/DM directory in preparation for setting up HADR for the Java instance.

#########################################

PRODUCTION_INSTALL=TRUE

INSTALL_SETUP_HADR_SAMPLE=TRUE

RUN_SILENT=true



SAP_HOST_AGENT_PASSWORD=Unknown

ENABLE_COCKPIT_MONITORING=false

INSTALL_SCC_SERVICE=FALSE



USER_INSTALL_DIR=/sybase/J50/

DO_UPDATE_INSTALL=false



CHOSEN_FEATURE_LIST=fase_hadr

CHOSEN_INSTALL_FEATURE_LIST=fase_hadr

CHOSEN_INSTALL_SET=Custom

INSTALL_SAP_HOST_AGENT=FALSE



#do not configure servers

SY_CONFIG_HADR_SERVER=false

SY_CONFIG_SCC_SERVER=false

SY_CONFIG_ASE_SERVER=false

SY_CONFIG_BS_SERVER=false

SY_CONFIG_XP_SERVER=false

SY_CONFIG_JS_SERVER=false

SY_CONFIG_SM_SERVER=false

SY_CONFIG_WS_SERVER=false



#license

SYBASE_PRODUCT_LICENSE_TYPE=license

SYSAM_LICENSE_SOURCE=proceed_without_license

SYSAM_PRODUCT_EDITION=Enterprise Edition

SYSAM_LICENSE_TYPE=AC : OEM Application Deployment CPU License



SYSAM_NOTIFICATION_ENABLE=false



AGREE_TO_SYBASE_LICENSE=true

AGREE_TO_SAP_LICENSE=true

RUN_SILENT=true 

#########################################

Installing SAP ASE Data Movement Option for the SAP ASE used for SAP IDM instance

Use the following sample response file for installing SAP ASE DM for the SAP IDM instance (I50) on both primary and secondary hosts. This will only install the DM option under the /sybase/I50/DM directory in preparation for setting up HADR for the IDM instance.

#########################################

PRODUCTION_INSTALL=TRUE

INSTALL_SETUP_HADR_SAMPLE=TRUE

RUN_SILENT=true



SAP_HOST_AGENT_PASSWORD=Unknown

ENABLE_COCKPIT_MONITORING=false

INSTALL_SCC_SERVICE=FALSE



USER_INSTALL_DIR=/sybase/I50/

DO_UPDATE_INSTALL=false



CHOSEN_FEATURE_LIST=fase_hadr

CHOSEN_INSTALL_FEATURE_LIST=fase_hadr

CHOSEN_INSTALL_SET=Custom

INSTALL_SAP_HOST_AGENT=FALSE



#do not configure servers

SY_CONFIG_HADR_SERVER=false

SY_CONFIG_SCC_SERVER=false

SY_CONFIG_ASE_SERVER=false

SY_CONFIG_BS_SERVER=false

SY_CONFIG_XP_SERVER=false

SY_CONFIG_JS_SERVER=false

SY_CONFIG_SM_SERVER=false

SY_CONFIG_WS_SERVER=false



#license

SYBASE_PRODUCT_LICENSE_TYPE=license

SYSAM_LICENSE_SOURCE=proceed_without_license

SYSAM_PRODUCT_EDITION=Enterprise Edition

SYSAM_LICENSE_TYPE=AC : OEM Application Deployment CPU License



SYSAM_NOTIFICATION_ENABLE=false



AGREE_TO_SYBASE_LICENSE=true

AGREE_TO_SAP_LICENSE=true

RUN_SILENT=true 

#########################################

Important: You need to repeat these two installations on the standby host as well.

Configuring HADR on Primary Hosts

In this step we will first configure the HADR for the SAP ASE instance used by the Java instance (J50).

Prepare response file for executing setuphadr

In this step we will prepare the setuphadr response file using the sample provided below.

###############################################################################

# Setup HADR sample responses file

#

# This sample responses file setup SAP ASE HADR on

# hosts "host1" (primary) and "host2" (companion).

#

# Prerequisite:

# - New SAP ASE and Backup servers setup and started on "host1" and "host2".

#   See HADR User Guide for requirements on SAP ASE servers.

# - Replication Management Agent (RMA) started on "host1" and "host2".

#

# Usage:

# 1. On host1 (primary), run:

#       $SYBASE/$SYBASE_ASE//bin//setuphadr <this_responses_file>

#

# 2. Change this responses file properties:

#       setup_site=COMP

#       is_secondary_site_setup=true

#

# 3. On host2 (companion), run

#       $SYBASE/$SYBASE_ASE//bin//setuphadr <responses_file_from_step_2>

#

###############################################################################





# ID that identifies this cluster

#

# Value must be unique,

# begin with a letter and

# 3 characters in length.

# Note: Set value to your SID incase of HADR on SAP Business Suite Installations

cluster_id=J50



# Which site being configured

#

# Note:

# You need to set "<setup_site_value>.*"

# properties in this responses file.

setup_site=PRIM



# Set installation_mode

#

# Valid values: true, false

#

# If set to true, installation_mode will be set to "BS". 

# If set to false, installation_mode will be set to "nonBS"

# Note: Set value to true for HADR on SAP Business Suite installations

setup_bs=false





# Note: Set enable_ssl to false for HADR on SAP Business Suite Installations 

# 

# true OR false

enable_ssl=false

# common name, take SYBASE for example

ssl_common_name=J50

ase_ssl_enabled=false

enable_ssl_for_bs=false

# private key file

#ssl_private_key_file=/tmp//hadr.key

# public key file

#ssl_public_key_file=/tmp//hadr.crt

# root CA cert

# NOTE: if you're using self-signed cert, put your public key file here

ssl_ca_cert_file=<certpath>

# ssl password

ssl_password=P@s$w0rd!





# Has the secondary site prepared for SAP ASE HADR

#

# Valid values: true, false

#

# If set to true, "<secondary_setup_site_value>.*"

# properties must set in this responses file.

is_secondary_site_setup=false



# How data is replicated

#

# Valid values: sync, async

synchronization_mode=sync



# SAP ASE system administrator user//password

#

# setuphadr will prompt from standard input if not specified

ase_sa_user=sa

ase_sa_password=P@s$w0rd!



# SAP ASE HADR maintenance user//password

#

# For a Business Suite installation, name the user <custer_id>_maint.

# Password must have at least 6 characters

# setuphadr will prompt from standard input if not specified

hadr_maintenance_user=J50_maint

hadr_maintenance_password=P@s$w0rd!



# Replication Management Agent administrator user//password

#

# Password must have at least 6 characters

# setuphadr will prompt from standard input if not specified

rma_admin_user=DR_admin

rma_admin_password=P@s$w0rd!





# This is for BusS only

# if set to true, DR admin user will be added to secure store

#add_user_to_secure_store=false

# Adding user action will be executed by following user

#sid_admin_user=J50adm

#sid_admin_password=P@s$w0rd!



# If we need to config and start Replication Management Agent

#

# Valid values: true, false

config_start_rma=true



# If we need to create Replication Management Agent windows service

# Only affects windows

#

# Valid values: true, false

# If set to true, rma_service_user and rma_service_password will be used

create_rma_windows_service=false



# Replication Management Agent Service user//password

# Only needed for windows instllations.

# Note: Set value of rma_service_user to sybJ50 user incase of HADR on SAP 

# Business Suite Installations

rma_service_user=sybJ50

rma_service_password=P@s$w0rd!



# Databases that will participate in replication

# and "auto" materialize.

#

# SAP ASE HADR requires SAP ASE to have a database

# with cluster ID name (see "cluster_id" above).



# cluster ID database



participating_database_1=J50

materialize_participating_database_1=true



###############################################################################

# Site "PRIM" on host host1 with primary role

###############################################################################



# Host name where SAP ASE run

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

PRIM.ase_host_name=ase-db1



# We don't support ASE and SRS on different hosts yet

# This is virtual host name for SRS//RMA

# Optional property

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

PRIM.rma_host_name=ase-db1





# Site name

#

# Enter value that identifies this site,

# like a geographical location.

# Value must be unique.

PRIM.site_name=ROT1



# Site role

#

# Enter the role of this site.

# Valid values: primary, companion

PRIM.site_role=primary



# directory where SAP ASE installed

PRIM.ase_release_directory=/sybase/J50/



# Directory that stored SAP ASE user data files

# (interfaces, RUN_<server>, error log, etc. files).

# Do not set value if your user data files are in

# SAP ASE installed directory (ase_release_directory).

PRIM.ase_user_data_directory=



PRIM.ase_server_name=J50

PRIM.ase_server_port=5000



PRIM.backup_server_name=J50_BS

PRIM.backup_server_port=5001



# Directory to store database dumps

# in materialzation

#

# Backup server must able to access this directory

PRIM.backup_server_dump_directory=/sybase/J50/data



# Port numbers for Replication Server and Replication Management Agent on host1

#

# In remote topology, these are the companion Replication Server and

# Replication Management Agent.

#

# See "rsge.bootstrap.tds.port.number" properties in

# <SAP ASE installed directory>//DM//RMA-15_5//instances//AgentContainer//config//bootstrap.prop

# for value

PRIM.rma_tds_port=4909

PRIM.rma_rmi_port=7000

#

# Starting port number to use when setup Replication Server.

# Make sure next two ports (+1 and +2) are also available for use.

PRIM.srs_port=4905



# Device buffer for Replication Server on host1

# Recommend size = 128 * N

#       where N is the number of databases to replicate,

#       including the master and cluster ID databases.

#

PRIM.device_buffer_dir=/sybase/J50/data

PRIM.device_buffer_size=5000



# Persistent queue directory for Replication Server running on host1

#

# For synchronous replication (synchronization_mode=sync),

# enter directory to an SSD (solid state drive) or other

# type of fast read//write storage device

PRIM.simple_persistent_queue_dir=/sybase/J50/data

PRIM.simple_persistent_queue_size=2000





###############################################################################

# Site "COMP" on host host2 with companion role

###############################################################################



# Host name where SAP ASE run

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

COMP.ase_host_name=ase-db2



# We don't support ASE and SRS on different hosts yet

# This is virtual host name for SRS//RMA

# Optional property

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

COMP.rma_host_name=ase-db2



# Site name

#

# Enter value that identifies this site,

# like a geographical location.

# Value must be unique.

COMP.site_name=WDF2



# Site role

#

# Enter the role of this site.

# Valid values: primary, companion

COMP.site_role=companion



# directory where SAP ASE installed

COMP.ase_release_directory=/sybase/J50/



# Directory that stored SAP ASE user data files

# (interfaces, RUN_<server>, error log, etc. files).

# Do not set value if your user data files are in

# SAP ASE installed directory (ase_release_directory).

COMP.ase_user_data_directory=



COMP.ase_server_name=J50

COMP.ase_server_port=5000



COMP.backup_server_name=J50_BS

COMP.backup_server_port=5001



# Directory to store database dumps

# in materialzation

#

# Backup server must able to access this directory

COMP.backup_server_dump_directory=/sybase/J50/data





# Port numbers for Replication Server and Replication Management Agent on host2

#

# In remote topology, these are the companion Replication Server and

# Replication Management Agent.

#

# See "rsge.bootstrap.tds.port.number" properties in

# <SAP ASE installed directory>//DM//RMA-15_5//instances//AgentContainer//config//bootstrap.prop

# for value

COMP.rma_tds_port=4909

COMP.rma_rmi_port=7000

#

# Starting port number to use when setup Replication Server.

# Make sure next two ports (+1 and +2) are also available for use.

COMP.srs_port=4905



# Device buffer for Replication Server on host2

# Recommend size = 128 * N

#       where N is the number of databases to replicate,

#       including the master and cluster ID databases.

#

# Note: For HADR on SAP Business Suite Installations use SID database logsize * 1.5

COMP.device_buffer_dir=/sybase/J50/data

COMP.device_buffer_size=5000



# Persistent queue directory for Replication Server running on host2

#

# For synchronous replication (synchronization_mode=sync),

# enter directory to an SSD (solid state drive) or other

# type of fast read//write storage device

# Note: For HADR on SAP Business Suite Installations use SID database logsize * 1.5

COMP.simple_persistent_queue_dir=/sybase/J50/data

COMP.simple_persistent_queue_size=2000

Execute setuphadr tool to configure HADR on Primary ASE for J50 instance

You need to logon as sybj50 user to the system and switch to the “/sybase/J50/ASE-16_0/bin/” directory and execute the setuphadr command and the response file prepared in the previous step as parameter for the command. The output will look like as follows:

ase-db1 ASE-16_0/bin% setuphadr ../init/logs/setuphadr_J50_SP4PL4_PRIM.txt

Clean up environment.

Environment cleaned up.

Setup ASE HADR maintenance user

        Create maintenance login "J50_maint"...

        Grant "sa_role" role to "J50_maint"...

        Grant "replication_role" role to "J50_maint"...

        Grant "replication_maint_role_gp" role to "J50_maint"...

        Grant "sap_maint_user_role" role to "J50_maint"...

        Grant "sybase_ts_role" role to "J50_maint"...

        Add auto activated roles "sap_maint_user_role" to user "J50_maint"...

        Allow "J50_maint" to be known as dbo in "master" database...

        Allow "J50_maint" to be known as dbo in "J50" database...

Setup ASE HADR maintenance user...Success

Setup administrator user

        Create administrator login "DR_admin"...

        Grant "sa_role" role to "DR_admin"...

        Grant "sso_role" role to "DR_admin"...

        Grant "replication_role" role to "DR_admin"...

        Grant "hadr_admin_role_gp" role to "DR_admin"...

        Grant "sybase_ts_role" role to "DR_admin"...

        Add user "DR_admin" to DB "sybsystemprocs".

Setup administrator user...Success

Setup Backup server allow hosts

        Backup server on "PRIM" site: Add host "ase-db2" to allow dump and load...

Setup Backup server allow hosts...Success



Setup complete on "PRIM" site.  Please run Setup HADR on "COMP" site to complete the setup.

ase-db1 ASE-16_0/bin%

Prepare response file for executing setuphadr on I50 instance

In this step we will prepare the setuphadr response file using the sample provided below.

###############################################################################

# Setup HADR sample responses file

#

# This sample responses file setup ASE HADR on

# hosts "host1" (primary) and "host2" (companion).

#

# Prerequisite:

# - New SAP ASE and Backup servers setup and started on "host1" and "host2".

#   See HADR User Guide for requirements on SAP ASE servers.

# - Replication Management Agent (RMA) started on "host1" and "host2".

#

# Usage:

# 1. On host1 (primary), run:

#       $SYBASE/$SYBASE_ASE//bin//setuphadr <this_responses_file>

#

# 2. Change this responses file properties:

#       setup_site=COMP

#       is_secondary_site_setup=true

#

# 3. On host2 (companion), run

#       $SYBASE/$SYBASE_ASE//bin//setuphadr <responses_file_from_step_2>

#

###############################################################################





# ID that identifies this cluster

#

# Value must be unique,

# begin with a letter and

# 3 characters in length.

# Note: Set value to your SID incase of HADR on SAP Business Suite Installations

cluster_id=I50



# Which site being configured

#

# Note:

# You need to set "<setup_site_value>.*"

# properties in this responses file.

setup_site=PRIM



# Set installation_mode

#

# Valid values: true, false

#

# If set to true, installation_mode will be set to "BS". 

# If set to false, installation_mode will be set to "nonBS"

# Note: Set value to true for HADR on SAP Business Suite installations

setup_bs=false





# Note: Set enable_ssl to false for HADR on SAP Business Suite Installations 

# 

# true OR false

enable_ssl=false

# common name, take SYBASE for example

ssl_common_name=I50

ase_ssl_enabled=false

enable_ssl_for_bs=false

# private key file

#ssl_private_key_file=/tmp//hadr.key

# public key file

#ssl_public_key_file=/tmp//hadr.crt

# root CA cert

# NOTE: if you're using self-signed cert, put your public key file here

ssl_ca_cert_file=<certpath>

# ssl password

ssl_password=P@s$w0rd!





# Has the secondary site prepared for SAP ASE HADR

#

# Valid values: true, false

#

# If set to true, "<secondary_setup_site_value>.*"

# properties must set in this responses file.

is_secondary_site_setup=false



# How data is replicated

#

# Valid values: sync, async

synchronization_mode=sync



# SAP ASE system administrator user//password

#

# setuphadr will prompt from standard input if not specified

ase_sa_user=sa

ase_sa_password=P@s$w0rd!



# SAP ASE HADR maintenance user//password

#

# For a Business Suite installation, name the user <custer_id>_maint.

# Password must have at least 6 characters

# setuphadr will prompt from standard input if not specified

hadr_maintenance_user=I50_maint

hadr_maintenance_password=P@s$w0rd!



# Replication Management Agent administrator user//password

#

# Password must have at least 6 characters

# setuphadr will prompt from standard input if not specified

rma_admin_user=DR_admin

rma_admin_password=P@s$w0rd!





# This is for BusS only

# if set to true, DR admin user will be added to secure store

#add_user_to_secure_store=false

# Adding user action will be executed by following user

#sid_admin_user=i50adm

#sid_admin_password=P@s$w0rd!



# If we need to config and start Replication Management Agent

#

# Valid values: true, false

config_start_rma=true



# If we need to create Replication Management Agent windows service

# Only affects windows

#

# Valid values: true, false

# If set to true, rma_service_user and rma_service_password will be used

create_rma_windows_service=false



# Replication Management Agent Service user//password

# Only needed for windows instllations.

# Note: Set value of rma_service_user to sybi50 user incase of HADR on SAP 

# Business Suite Installations

rma_service_user=sybi50

rma_service_password=P@s$w0rd!



# Databases that will participate in replication

# and "auto" materialize.

#

# SAP ASE HADR requires SAP ASE to have a database

# with cluster ID name (see "cluster_id" above).



# cluster ID database



#idm databases



participating_database_1=MXMC_db

materialize_participating_database_1=true



participating_database_2=I50

materialize_participating_database_2=true



###############################################################################

# Site "PRIM" on host host1 with primary role

###############################################################################



# Host name where SAP ASE run

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

PRIM.ase_host_name=ase-db1



# We don't support SAP ASE and SRS on different hosts yet

# This is virtual host name for SRS//RMA

# Optional property

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

PRIM.rma_host_name=ase-db1





# Site name

#

# Enter value that identifies this site,

# like a geographical location.

# Value must be unique.

PRIM.site_name=ROT1



# Site role

#

# Enter the role of this site.

# Valid values: primary, companion

PRIM.site_role=primary



# directory where SAP ASE installed

PRIM.ase_release_directory=/sybase/I50/



# Directory that stored SAP ASE user data files

# (interfaces, RUN_<server>, error log, etc. files).

# Do not set value if your user data files are in

# SAP ASE installed directory (ase_release_directory).

PRIM.ase_user_data_directory=



PRIM.ase_server_name=I50

PRIM.ase_server_port=5000



PRIM.backup_server_name=I50_BS

PRIM.backup_server_port=5001



# Directory to store database dumps

# in materialzation

#

# Backup server must able to access this directory

PRIM.backup_server_dump_directory=/sybase/I50/data



# Port numbers for Replication Server and Replication Management Agent on host1

#

# In remote topology, these are the companion Replication Server and

# Replication Management Agent.

#

# See "rsge.bootstrap.tds.port.number" properties in

# <SAP ASE installed directory>//DM//RMA-15_5//instances//AgentContainer//config//bootstrap.prop

# for value

PRIM.rma_tds_port=5909

PRIM.rma_rmi_port=8000

#

# Starting port number to use when setup Replication Server.

# Make sure next two ports (+1 and +2) are also available for use.

PRIM.srs_port=5905



# Device buffer for Replication Server on host1

# Recommend size = 128 * N

#       where N is the number of databases to replicate,

#       including the master and cluster ID databases.

#

PRIM.device_buffer_dir=/sybase/I50/data

PRIM.device_buffer_size=5000



# Persistent queue directory for Replication Server running on host1

#

# For synchronous replication (synchronization_mode=sync),

# enter directory to an SSD (solid state drive) or other

# type of fast read//write storage device

PRIM.simple_persistent_queue_dir=/sybase/I50/data

PRIM.simple_persistent_queue_size=2000



PRIM.ase_data_device_create_2_1=I50_data_dev, /sybase/I50/data/I50_dev1.dat, 2048

PRIM.ase_log_device_create_2_1=I50_log_dev, /sybase/I50/data/I50_log_dev1.dat, 1024



###############################################################################

# Site "COMP" on host host2 with companion role

###############################################################################



# Host name where SAP ASE run

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

COMP.ase_host_name=ase-db2



# We don't support SAP ASE and SRS on different hosts yet

# This is virtual host name for SRS//RMA

# Optional property

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

COMP.rma_host_name=ase-db2



# Site name

#

# Enter value that identifies this site,

# like a geographical location.

# Value must be unique.

COMP.site_name=WDF2



# Site role

#

# Enter the role of this site.

# Valid values: primary, companion

COMP.site_role=companion



# directory where SAP ASE installed

COMP.ase_release_directory=/sybase/I50/



# Directory that stored SAP ASE user data files

# (interfaces, RUN_<server>, error log, etc. files).

# Do not set value if your user data files are in

# SAP ASE installed directory (ase_release_directory).

COMP.ase_user_data_directory=



COMP.ase_server_name=I50

COMP.ase_server_port=5000



COMP.backup_server_name=I50_BS

COMP.backup_server_port=5001



# Directory to store database dumps

# in materialzation

#

# Backup server must able to access this directory

COMP.backup_server_dump_directory=/sybase/I50/data





# Port numbers for Replication Server and Replication Management Agent on host2

#

# In remote topology, these are the companion Replication Server and

# Replication Management Agent.

#

# See "rsge.bootstrap.tds.port.number" properties in

# <SAP ASE installed directory>//DM//RMA-15_5//instances//AgentContainer//config//bootstrap.prop

# for value

COMP.rma_tds_port=5909

COMP.rma_rmi_port=8000

#

# Starting port number to use when setup Replication Server.

# Make sure next two ports (+1 and +2) are also available for use.

COMP.srs_port=5905



# Device buffer for Replication Server on host2

# Recommend size = 128 * N

#       where N is the number of databases to replicate,

#       including the master and cluster ID databases.

#

# Note: For HADR on SAP Business Suite Installations use SID database logsize * 1.5

COMP.device_buffer_dir=/sybase/I50/data

COMP.device_buffer_size=5000



# Persistent queue directory for Replication Server running on host2

#

# For synchronous replication (synchronization_mode=sync),

# enter directory to an SSD (solid state drive) or other

# type of fast read//write storage device

# Note: For HADR on SAP Business Suite Installations use SID database logsize * 1.5

COMP.simple_persistent_queue_dir=/sybase/I50/data

COMP.simple_persistent_queue_size=2000



COMP.ase_data_device_create_2_1=I50_data_dev, /sybase/I50/data/I50_dev1.dat, 2048

COMP.ase_log_device_create_2_1=I50_log_dev, /sybase/I50/data/I50_log_dev1.dat, 1024

Create a new database with name “I50”

To make the HADR setup work, we would need to create a new database with the same name as the IDM System identifier which is I50 in this case. We have two choices to create this database:

Use setuphadr tool to create the database and its corresponding devices.

If we want to let the setuphadr create the database and its devices then we must keep the two parameters “ase_data_device_create_2_1” and “ase_log_device_create_2_1” in the setuphadr response file, otherwise we will need to remove them if we choose to manually create the database before running setuphadr. If we decide to go with this option, then we need to ensure that these two parameters are configured for both Primary (PRIM) and Companion (COMP) section of the response file. If we want to use the manual method, then we need to remove these 2 parameters from the response files to avoid any configuration issues.

Manually create this database by using the following sample script:

use master

go

disk init name='I50_data', physname='/sybase/I50/data/I50_data_001.dat', size='2000M', dsync=true

go

disk init name='I50_log', physname='/sybase/I50/log/I50_log_001.dat', size='1000M', dsync=true

go

create database I50

on I50_data = 2000

log on I50_log = 1000

go

Execute setuphadr tool to configure HADR on Primary SAP ASE for I50 instance

You need to logon as sybi50 user to the system and switch to the “/sybase/I50/ASE-16_0/bin/” directory and execute the setuphadr command and the response file prepared in the previous step as parameter for the command. The output will look like as follows:

ase-db1 ASE-16_0/bin% setuphadr ../init/logs/setuphadr_J50_SP4PL4_PRIM.txt

Clean up environment.

Environment cleaned up.

Setup user databases

        Create user database I50...

Setup user databases...Success

Setup ASE HADR maintenance user

        Create maintenance login "I50_maint"...

        Grant "sa_role" role to "I50_maint"...

        Grant "replication_role" role to "I50_maint"...

        Grant "replication_maint_role_gp" role to "I50_maint"...

        Grant "sap_maint_user_role" role to "I50_maint"...

        Grant "sybase_ts_role" role to "I50_maint"...

        Add auto activated roles "sap_maint_user_role" to user "I50_maint"...

        Allow "I50_maint" to be known as dbo in "master" database...

        Allow "I50_maint" to be known as dbo in "MXMC_db" database...

        Allow "I50_maint" to be known as dbo in "I50" database...

Setup ASE HADR maintenance user...Success

Setup administrator user

        Create administrator login "DR_admin"...

        Grant "sa_role" role to "DR_admin"...

        Grant "sso_role" role to "DR_admin"...

        Grant "replication_role" role to "DR_admin"...

        Grant "hadr_admin_role_gp" role to "DR_admin"...

        Grant "sybase_ts_role" role to "DR_admin"...

        Add user "DR_admin" to DB "sybsystemprocs".

Setup administrator user...Success

Setup Backup server allow hosts

        Backup server on "PRIM" site: Add host "ase-db2" to allow dump and load...

Setup Backup server allow hosts...Success



Setup complete on "PRIM" site.  Please run Setup HADR on "COMP" site to complete the setup.

ase-db1 ASE-16_0/bin%

Configuring HADR on Standby Host

In this step we will first configure the HADR for the SAP ASE instance used by the Java instance (J50).

Prepare response file for executing setuphadr

In this step we will prepare the setuphadr response file using the sample provided below.

###############################################################################

# Setup HADR sample responses file

#

# This sample responses file setup ASE HADR on

# hosts "host1" (primary) and "host2" (companion).

#

# Prerequisite:

# - New SAP ASE and Backup servers setup and started on "host1" and "host2".

#   See HADR User Guide for requirements on SAP ASE servers.

# - Replication Management Agent (RMA) started on "host1" and "host2".

#

# Usage:

# 1. On host1 (primary), run:

#       $SYBASE/$SYBASE_ASE//bin//setuphadr <this_responses_file>

#

# 2. Change this responses file properties:

#       setup_site=COMP

#       is_secondary_site_setup=true

#

# 3. On host2 (companion), run

#       $SYBASE/$SYBASE_ASE//bin//setuphadr <responses_file_from_step_2>

#

###############################################################################





# ID that identifies this cluster

#

# Value must be unique,

# begin with a letter and

# 3 characters in length.

# Note: Set value to your SID incase of HADR on SAP Business Suite Installations

cluster_id=J50



# Which site being configured

#

# Note:

# You need to set "<setup_site_value>.*"

# properties in this responses file.

setup_site=COMP



# Set installation_mode

#

# Valid values: true, false

#

# If set to true, installation_mode will be set to "BS". 

# If set to false, installation_mode will be set to "nonBS"

# Note: Set value to true for HADR on SAP Business Suite installations

setup_bs=false





# Note: Set enable_ssl to false for HADR on SAP Business Suite Installations 

# 

# true OR false

enable_ssl=false

# common name, take SYBASE for example

ssl_common_name=J50

ase_ssl_enabled=false

enable_ssl_for_bs=false

# private key file

#ssl_private_key_file=/tmp//hadr.key

# public key file

#ssl_public_key_file=/tmp//hadr.crt

# root CA cert

# NOTE: if you're using self-signed cert, put your public key file here

ssl_ca_cert_file=<certpath>

# ssl password

ssl_password=P@s$w0rd!





# Has the secondary site prepared for SAP ASE HADR

#

# Valid values: true, false

#

# If set to true, "<secondary_setup_site_value>.*"

# properties must set in this responses file.

is_secondary_site_setup=true



# How data is replicated

#

# Valid values: sync, async

synchronization_mode=sync



# SAP ASE system administrator user//password

#

# setuphadr will prompt from standard input if not specified

ase_sa_user=sa

ase_sa_password=P@s$w0rd!



# SAP ASE HADR maintenance user//password

#

# For a Business Suite installation, name the user <custer_id>_maint.

# Password must have at least 6 characters

# setuphadr will prompt from standard input if not specified

hadr_maintenance_user=J50_maint

hadr_maintenance_password=P@s$w0rd!



# Replication Management Agent administrator user//password

#

# Password must have at least 6 characters

# setuphadr will prompt from standard input if not specified

rma_admin_user=DR_admin

rma_admin_password=P@s$w0rd!





# This is for BusS only

# if set to true, DR admin user will be added to secure store

#add_user_to_secure_store=false

# Adding user action will be executed by following user

#sid_admin_user=J50adm

#sid_admin_password=P@s$w0rd!



# If we need to config and start Replication Management Agent

#

# Valid values: true, false

config_start_rma=true



# If we need to create Replication Management Agent windows service

# Only affects windows

#

# Valid values: true, false

# If set to true, rma_service_user and rma_service_password will be used

create_rma_windows_service=false



# Replication Management Agent Service user//password

# Only needed for windows instllations.

# Note: Set value of rma_service_user to sybJ50 user incase of HADR on SAP 

# Business Suite Installations

rma_service_user=sybJ50

rma_service_password=P@s$w0rd!



# Databases that will participate in replication

# and "auto" materialize.

#

# SAP ASE HADR requires SAP ASE to have a database

# with cluster ID name (see "cluster_id" above).



# cluster ID database



participating_database_1=J50

materialize_participating_database_1=true



###############################################################################

# Site "PRIM" on host host1 with primary role

###############################################################################



# Host name where SAP ASE run

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

PRIM.ase_host_name=ase-db1



# We don't support ASE and SRS on different hosts yet

# This is virtual host name for SRS//RMA

# Optional property

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

PRIM.rma_host_name=ase-db1





# Site name

#

# Enter value that identifies this site,

# like a geographical location.

# Value must be unique.

PRIM.site_name=ROT1



# Site role

#

# Enter the role of this site.

# Valid values: primary, companion

PRIM.site_role=primary



# directory where SAP ASE installed

PRIM.ase_release_directory=/sybase/J50/



# Directory that stored SAP ASE user data files

# (interfaces, RUN_<server>, error log, etc. files).

# Do not set value if your user data files are in

# SAP ASE installed directory (ase_release_directory).

PRIM.ase_user_data_directory=



PRIM.ase_server_name=J50

PRIM.ase_server_port=5000



PRIM.backup_server_name=J50_BS

PRIM.backup_server_port=5001



# Directory to store database dumps

# in materialzation

#

# Backup server must able to access this directory

PRIM.backup_server_dump_directory=/sybase/J50/data



# Port numbers for Replication Server and Replication Management Agent on host1

#

# In remote topology, these are the companion Replication Server and

# Replication Management Agent.

#

# See "rsge.bootstrap.tds.port.number" properties in

# <SAP ASE installed directory>//DM//RMA-15_5//instances//AgentContainer//config//bootstrap.prop

# for value

PRIM.rma_tds_port=4909

PRIM.rma_rmi_port=7000

#

# Starting port number to use when setup Replication Server.

# Make sure next two ports (+1 and +2) are also available for use.

PRIM.srs_port=4905



# Device buffer for Replication Server on host1

# Recommend size = 128 * N

#       where N is the number of databases to replicate,

#       including the master and cluster ID databases.

#

PRIM.device_buffer_dir=/sybase/J50/data

PRIM.device_buffer_size=5000



# Persistent queue directory for Replication Server running on host1

#

# For synchronous replication (synchronization_mode=sync),

# enter directory to an SSD (solid state drive) or other

# type of fast read//write storage device

PRIM.simple_persistent_queue_dir=/sybase/J50/data

PRIM.simple_persistent_queue_size=2000





###############################################################################

# Site "COMP" on host host2 with companion role

###############################################################################



# Host name where SAP ASE run

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

COMP.ase_host_name=ase-db2



# We don't support SAP ASE and SRS on different hosts yet

# This is virtual host name for SRS//RMA

# Optional property

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

COMP.rma_host_name=ase-db2



# Site name

#

# Enter value that identifies this site,

# like a geographical location.

# Value must be unique.

COMP.site_name=WDF2



# Site role

#

# Enter the role of this site.

# Valid values: primary, companion

COMP.site_role=companion



# directory where SAP ASE installed

COMP.ase_release_directory=/sybase/J50/



# Directory that stored SAP ASE user data files

# (interfaces, RUN_<server>, error log, etc. files).

# Do not set value if your user data files are in

# SAP ASE installed directory (ase_release_directory).

COMP.ase_user_data_directory=



COMP.ase_server_name=J50

COMP.ase_server_port=5000



COMP.backup_server_name=J50_BS

COMP.backup_server_port=5001



# Directory to store database dumps

# in materialzation

#

# Backup server must able to access this directory

COMP.backup_server_dump_directory=/sybase/J50/data





# Port numbers for Replication Server and Replication Management Agent on host2

#

# In remote topology, these are the companion Replication Server and

# Replication Management Agent.

#

# See "rsge.bootstrap.tds.port.number" properties in

# <SAP ASE installed directory>//DM//RMA-15_5//instances//AgentContainer//config//bootstrap.prop

# for value

COMP.rma_tds_port=4909

COMP.rma_rmi_port=7000

#

# Starting port number to use when setup Replication Server.

# Make sure next two ports (+1 and +2) are also available for use.

COMP.srs_port=4905



# Device buffer for Replication Server on host2

# Recommend size = 128 * N

#       where N is the number of databases to replicate,

#       including the master and cluster ID databases.

#

# Note: For HADR on SAP Business Suite Installations use SID database logsize * 1.5

COMP.device_buffer_dir=/sybase/J50/data

COMP.device_buffer_size=5000



# Persistent queue directory for Replication Server running on host2

#

# For synchronous replication (synchronization_mode=sync),

# enter directory to an SSD (solid state drive) or other

# type of fast read//write storage device

# Note: For HADR on SAP Business Suite Installations use SID database logsize * 1.5

COMP.simple_persistent_queue_dir=/sybase/J50/data

COMP.simple_persistent_queue_size=2000

Execute setuphadr tool to configure HADR on Standby SAP ASE for J50 instance

ase-db2 ASE-16_0/bin% setuphadr ../init/logs/setuphadr_J50_SP4PL4_COMP.txt

Clean up environment.

Environment cleaned up.

Setup ASE HADR maintenance user

        Create maintenance login "J50_maint"...

        Grant "sa_role" role to "J50_maint"...

        Grant "replication_role" role to "J50_maint"...

        Grant "replication_maint_role_gp" role to "J50_maint"...

        Grant "sap_maint_user_role" role to "J50_maint"...

        Grant "sybase_ts_role" role to "J50_maint"...

        Add auto activated roles "sap_maint_user_role" to user "J50_maint"...

        Allow "J50_maint" to be known as dbo in "master" database...

        Allow "J50_maint" to be known as dbo in "J50" database...

Setup ASE HADR maintenance user...Success

Setup administrator user

        Create administrator login "DR_admin"...

        Grant "sa_role" role to "DR_admin"...

        Grant "sso_role" role to "DR_admin"...

        Grant "replication_role" role to "DR_admin"...

        Grant "hadr_admin_role_gp" role to "DR_admin"...

        Grant "sybase_ts_role" role to "DR_admin"...

        Add user "DR_admin" to DB "sybsystemprocs".

Setup administrator user...Success

Setup Backup server allow hosts

        Backup server on "COMP" site: Add host "ase-db1" to allow dump and load...

        Backup server on "PRIM" site: Add host "ase-db2" to allow dump and load...

Setup Backup server allow hosts...Success

Setup RMA

        Set SAP ID to "J50"...

        Set installation mode to "nonBS"...

        Set maintenance user to "J50_maint"...

        Set site name "ROT1" with SAP ASE host:port to "ase-db1:4901" and Replication Server host:port to "ase-db1:4905"...

        Set site name "WDF2" with SAP ASE host:port to "ase-db2:4901" and Replication Server host:port to "ase-db2:4905"...

        Set site name "ROT1" with Backup server port to "4902"...

        Set site name "WDF2" with Backup server port to "4902"...

        Set site name "ROT1" databases dump directory to "/sybase/J50/data"...

        Set site name "WDF2" databases dump directory to "/sybase/J50/data"...

        Set site name "ROT1" synchronization mode to "sync"...

        Set site name "WDF2" synchronization mode to "sync"...

        Set site name "ROT1" distribution mode to "remote"...

        Set site name "WDF2" distribution mode to "remote"...

        Set site name "ROT1" distribution target to site name "WDF2"...

        Set site name "WDF2" distribution target to site name "ROT1"...

        Set site name "ROT1" device buffer directory to "/sybase/J50/data"...

        Set site name "WDF2" device buffer directory to "/sybase/J50/data"...

        Set site name "ROT1" device buffer size to "5000"...

        Set site name "WDF2" device buffer size to "5000"...

        Set site name "ROT1" simple persistent queue directory to "/sybase/J50/data"...

        Set site name "WDF2" simple persistent queue directory to "/sybase/J50/data"...

        Set site name "ROT1" simple persistent queue size to "2000"...

        Set site name "WDF2" simple persistent queue size to "2000"...

        Set master, J50 databases to participate in replication...

Setup RMA...Success

        Setting up replication on 'standby' host for local database 'master'...................

        Setting up replication on 'standby' host for local database 'J50'.....................

Setup Replication...Success

Materialize Databases

        Materialize database "master"...

                Starting materialization of the master database from source 'ROT1' to target 'WDF2'..

                Completed materialization of the master database from source 'ROT1' to target 'WDF2'..

                Waiting 10 seconds: Before checking if Replication Connection 'J50_WDF2.master' is suspended......

        Materialize database "J50"...

                Materializing database 'J50' automatically from source 'ROT1' to target 'WDF2'..

                Executing ASE dump and load task for database 'J50'................

                Successfully verified materialization on database 'J50'..

                Stop the Replication Agent for database 'J50' on host 'ase-db1:4901' and data server 'J50_ROT1'..

                Configuring Replication Server: set 'hide_maintuser_pwd' to 'on'..

                Waiting 10 seconds: Before checking if Replication Connection 'J50_WDF2.J50' is suspended with dump marker...

                Waiting 10 seconds: Before checking if Replication Connection 'J50_WDF2.J50' is suspended........

Materialize Databases...Success

Prepare response file for executing setuphadr on I50 instance

In this step we will prepare the setuphadr response file using the sample provided below.

###############################################################################

# Setup HADR sample responses file

#

# This sample responses file setup SAP ASE HADR on

# hosts "host1" (primary) and "host2" (companion).

#

# Prerequisite:

# - New SAP ASE and Backup servers setup and started on "host1" and "host2".

#   See HADR User Guide for requirements on SAP ASE servers.

# - Replication Management Agent (RMA) started on "host1" and "host2".

#

# Usage:

# 1. On host1 (primary), run:

#       $SYBASE/$SYBASE_ASE//bin//setuphadr <this_responses_file>

#

# 2. Change this responses file properties:

#       setup_site=COMP

#       is_secondary_site_setup=true

#

# 3. On host2 (companion), run

#       $SYBASE/$SYBASE_ASE//bin//setuphadr <responses_file_from_step_2>

#

###############################################################################





# ID that identifies this cluster

#

# Value must be unique,

# begin with a letter and

# 3 characters in length.

# Note: Set value to your SID incase of HADR on SAP Business Suite Installations

cluster_id=I50



# Which site being configured

#

# Note:

# You need to set "<setup_site_value>.*"

# properties in this responses file.

setup_site=COMP



# Set installation_mode

#

# Valid values: true, false

#

# If set to true, installation_mode will be set to "BS". 

# If set to false, installation_mode will be set to "nonBS"

# Note: Set value to true for HADR on SAP Business Suite installations

setup_bs=false





# Note: Set enable_ssl to false for HADR on SAP Business Suite Installations 

# 

# true OR false

enable_ssl=false

# common name, take SYBASE for example

ssl_common_name=I50

ase_ssl_enabled=false

enable_ssl_for_bs=false

# private key file

#ssl_private_key_file=/tmp//hadr.key

# public key file

#ssl_public_key_file=/tmp//hadr.crt

# root CA cert

# NOTE: if you're using self-signed cert, put your public key file here

ssl_ca_cert_file=<certpath>

# ssl password

ssl_password=P@s$w0rd!





# Has the secondary site prepared for SAP ASE HADR

#

# Valid values: true, false

#

# If set to true, "<secondary_setup_site_value>.*"

# properties must set in this responses file.

is_secondary_site_setup=true



# How data is replicated

#

# Valid values: sync, async

synchronization_mode=sync



# SAP ASE system administrator user//password

#

# setuphadr will prompt from standard input if not specified

ase_sa_user=sa

ase_sa_password=P@s$w0rd!



# SAP ASE HADR maintenance user//password

#

# For a Business Suite installation, name the user <custer_id>_maint.

# Password must have at least 6 characters

# setuphadr will prompt from standard input if not specified

hadr_maintenance_user=I50_maint

hadr_maintenance_password=P@s$w0rd!



# Replication Management Agent administrator user//password

#

# Password must have at least 6 characters

# setuphadr will prompt from standard input if not specified

rma_admin_user=DR_admin

rma_admin_password=P@s$w0rd!





# This is for BusS only

# if set to true, DR admin user will be added to secure store

#add_user_to_secure_store=false

# Adding user action will be executed by following user

#sid_admin_user=i50adm

#sid_admin_password=P@s$w0rd!



# If we need to config and start Replication Management Agent

#

# Valid values: true, false

config_start_rma=true



# If we need to create Replication Management Agent windows service

# Only affects windows

#

# Valid values: true, false

# If set to true, rma_service_user and rma_service_password will be used

create_rma_windows_service=false



# Replication Management Agent Service user//password

# Only needed for windows instllations.

# Note: Set value of rma_service_user to sybi50 user incase of HADR on SAP 

# Business Suite Installations

rma_service_user=sybi50

rma_service_password=P@s$w0rd!



# Databases that will participate in replication

# and "auto" materialize.

#

# ASE HADR requires SAP ASE to have a database

# with cluster ID name (see "cluster_id" above).



# cluster ID database



#idm databases



participating_database_1=MXMC_db

materialize_participating_database_1=true



participating_database_2=I50

materialize_participating_database_2=true



###############################################################################

# Site "PRIM" on host host1 with primary role

###############################################################################



# Host name where SAP ASE run

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

PRIM.ase_host_name=ase-db1



# We don't support ASE and SRS on different hosts yet

# This is virtual host name for SRS//RMA

# Optional property

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

PRIM.rma_host_name=ase-db1





# Site name

#

# Enter value that identifies this site,

# like a geographical location.

# Value must be unique.

PRIM.site_name=ROT1



# Site role

#

# Enter the role of this site.

# Valid values: primary, companion

PRIM.site_role=primary



# directory where SAP ASE installed

PRIM.ase_release_directory=/sybase/I50/



# Directory that stored SAP ASE user data files

# (interfaces, RUN_<server>, error log, etc. files).

# Do not set value if your user data files are in

# SAP ASE installed directory (ase_release_directory).

PRIM.ase_user_data_directory=



PRIM.ase_server_name=I50

PRIM.ase_server_port=5000



PRIM.backup_server_name=I50_BS

PRIM.backup_server_port=5001



# Directory to store database dumps

# in materialzation

#

# Backup server must able to access this directory

PRIM.backup_server_dump_directory=/sybase/I50/data



# Port numbers for Replication Server and Replication Management Agent on host1

#

# In remote topology, these are the companion Replication Server and

# Replication Management Agent.

#

# See "rsge.bootstrap.tds.port.number" properties in

# <SAP ASE installed directory>//DM//RMA-15_5//instances//AgentContainer//config//bootstrap.prop

# for value

PRIM.rma_tds_port=5909

PRIM.rma_rmi_port=8000

#

# Starting port number to use when setup Replication Server.

# Make sure next two ports (+1 and +2) are also available for use.

PRIM.srs_port=5905



# Device buffer for Replication Server on host1

# Recommend size = 128 * N

#       where N is the number of databases to replicate,

#       including the master and cluster ID databases.

#

PRIM.device_buffer_dir=/sybase/I50/data

PRIM.device_buffer_size=5000



# Persistent queue directory for Replication Server running on host1

#

# For synchronous replication (synchronization_mode=sync),

# enter directory to an SSD (solid state drive) or other

# type of fast read//write storage device

PRIM.simple_persistent_queue_dir=/sybase/I50/data

PRIM.simple_persistent_queue_size=2000



PRIM.ase_data_device_create_2_1=I50_data_dev, /sybase/I50/data/I50_dev1.dat, 2048

PRIM.ase_log_device_create_2_1=I50_log_dev, /sybase/I50/data/I50_log_dev1.dat, 1024



###############################################################################

# Site "COMP" on host host2 with companion role

###############################################################################



# Host name where SAP ASE run

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

COMP.ase_host_name=ase-db2



# We don't support ASE and SRS on different hosts yet

# This is virtual host name for SRS//RMA

# Optional property

#

# Enter fully qualified domain name (FQDN)

# if your sites are on different subnet.

COMP.rma_host_name=ase-db2



# Site name

#

# Enter value that identifies this site,

# like a geographical location.

# Value must be unique.

COMP.site_name=WDF2



# Site role

#

# Enter the role of this site.

# Valid values: primary, companion

COMP.site_role=companion



# directory where SAP ASE installed

COMP.ase_release_directory=/sybase/I50/



# Directory that stored SAP ASE user data files

# (interfaces, RUN_<server>, error log, etc. files).

# Do not set value if your user data files are in

# SAP ASE installed directory (ase_release_directory).

COMP.ase_user_data_directory=



COMP.ase_server_name=I50

COMP.ase_server_port=5000



COMP.backup_server_name=I50_BS

COMP.backup_server_port=5001



# Directory to store database dumps

# in materialzation

#

# Backup server must able to access this directory

COMP.backup_server_dump_directory=/sybase/I50/data





# Port numbers for Replication Server and Replication Management Agent on host2

#

# In remote topology, these are the companion Replication Server and

# Replication Management Agent.

#

# See "rsge.bootstrap.tds.port.number" properties in

# <SAP ASE installed directory>//DM//RMA-15_5//instances//AgentContainer//config//bootstrap.prop

# for value

COMP.rma_tds_port=5909

COMP.rma_rmi_port=8000

#

# Starting port number to use when setup Replication Server.

# Make sure next two ports (+1 and +2) are also available for use.

COMP.srs_port=5905



# Device buffer for Replication Server on host2

# Recommend size = 128 * N

#       where N is the number of databases to replicate,

#       including the master and cluster ID databases.

#

# Note: For HADR on SAP Business Suite Installations use SID database logsize * 1.5

COMP.device_buffer_dir=/sybase/I50/data

COMP.device_buffer_size=5000



# Persistent queue directory for Replication Server running on host2

#

# For synchronous replication (synchronization_mode=sync),

# enter directory to an SSD (solid state drive) or other

# type of fast read//write storage device

# Note: For HADR on SAP Business Suite Installations use SID database logsize * 1.5

COMP.simple_persistent_queue_dir=/sybase/I50/data

COMP.simple_persistent_queue_size=2000



COMP.ase_data_device_create_2_1=I50_data_dev, /sybase/I50/data/I50_dev1.dat, 2048

COMP.ase_log_device_create_2_1=I50_log_dev, /sybase/I50/data/I50_log_dev1.dat, 1024

Create a new database with name “I50”

To make the HADR setup work, we would need to create a new database with the same name as the SAP IDM system identifier which is I50 in this case. We have two choices to create this database:

Use setuphadr tool will create the database and its corresponding devices.

If we want to let the setuphadr create the database and its devices then we must keep the two parameters “ase_data_device_create_2_1” and “ase_log_device_create_2_1” in the setuphadr response file, otherwise we will need to remove them if we choose to manually create the database before running setuphadr. If we decide to go with this option, then we need to ensure that these two parameters are configured for both Primary (PRIM) and Companion (COMP) section of the response file. If we want to use the manual method, then we need to remove these 2 parameters from the response files to avoid any configuration issues.

Manually create this database by using the following sample script:

use master

go

disk init name='I50_data', physname='/sybase/I50/data/I50_data_001.dat', size='2000M', dsync=true

go

disk init name='I50_log', physname='/sybase/I50/log/I50_log_001.dat', size='1000M', dsync=true

go

create database I50

on I50_data = 2000

log on I50_log = 1000

go

Execute setuphadr tool to configure HADR on Standby SAP ASE for I50 instance

ase-db2 init/logs% setuphadr ./setuphadr_I50_SP3PL14_COMP.txt

Clean up environment.

Environment cleaned up.

Setup user databases

        Create user database I50...

Setup user databases...Success

Setup ASE HADR maintenance user

        Create maintenance login "I50_maint"...

        Grant "sa_role" role to "I50_maint"...

        Grant "replication_role" role to "I50_maint"...

        Grant "replication_maint_role_gp" role to "I50_maint"...

        Grant "sap_maint_user_role" role to "I50_maint"...

        Grant "sybase_ts_role" role to "I50_maint"...

        Add auto activated roles "sap_maint_user_role" to user "I50_maint"...

        Allow "I50_maint" to be known as dbo in "master" database...

        Allow "I50_maint" to be known as dbo in "MXMC_db" database...

        Allow "I50_maint" to be known as dbo in "I50" database...

Setup ASE HADR maintenance user...Success

Setup administrator user

        Create administrator login "DR_admin"...

        Grant "sa_role" role to "DR_admin"...

        Grant "sso_role" role to "DR_admin"...

        Grant "replication_role" role to "DR_admin"...

        Grant "hadr_admin_role_gp" role to "DR_admin"...

        Grant "sybase_ts_role" role to "DR_admin"...

        Add user "DR_admin" to DB "sybsystemprocs".

Setup administrator user...Success

Setup Backup server allow hosts

        Backup server on "COMP" site: Add host "ase-db1" to allow dump and load...

        Backup server on "PRIM" site: Add host "ase-db2" to allow dump and load...

Setup Backup server allow hosts...Success

Setup RMA

        Set SAP ID to "I50"...

        Set installation mode to "nonBS"...

        Set maintenance user to "I50_maint"...

        Set site name "ROT1" with SAP ASE host:port to "ase-db1:5000" and Replication Server host:port to "ase-db1:5905"...

        Set site name "WDF2" with SAP ASE host:port to "ase-db2:5000" and Replication Server host:port to "ase-db2:5905"...

        Set site name "ROT1" with Backup server port to "5001"...

        Set site name "WDF2" with Backup server port to "5001"...

        Set site name "ROT1" databases dump directory to "/sybase/I50/data"...

        Set site name "WDF2" databases dump directory to "/sybase/I50/data"...

        Set site name "ROT1" synchronization mode to "sync"...

        Set site name "WDF2" synchronization mode to "sync"...

        Set site name "ROT1" distribution mode to "remote"...

        Set site name "WDF2" distribution mode to "remote"...

        Set site name "ROT1" distribution target to site name "WDF2"...

        Set site name "WDF2" distribution target to site name "ROT1"...

        Set site name "ROT1" device buffer directory to "/sybase/I50/data"...

        Set site name "WDF2" device buffer directory to "/sybase/I50/data"...

        Set site name "ROT1" device buffer size to "5000"...

        Set site name "WDF2" device buffer size to "5000"...

        Set site name "ROT1" simple persistent queue directory to "/sybase/I50/data"...

        Set site name "WDF2" simple persistent queue directory to "/sybase/I50/data"...

        Set site name "ROT1" simple persistent queue size to "2000"...

        Set site name "WDF2" simple persistent queue size to "2000"...

        Set master, MXMC_db, I50 databases to participate in replication...

Setup RMA...Success

Setup Replication

        Setup replication from "ROT1" to "WDF2"...

        Configuring remote replication server.............................

        Configuring local replication server.................................

        Setting up replication on 'standby' host for local database 'master'..................

        Setting up replication on 'standby' host for local database 'I50'...................

        Setting up replication on 'standby' host for local database 'MXMC_db'......................

Setup Replication...Success

Materialize Databases

        Materialize database "master"...

                Starting materialization of the master database from source 'ROT1' to target 'WDF2'...

                Waiting 10 seconds: Before checking if Replication Connection 'I50_WDF2.master' is suspended......

        Materialize database "MXMC_db"...

                Materializing database 'MXMC_db' automatically from source 'ROT1' to target 'WDF2'..

                Executing ASE dump and load task for database 'MXMC_db'......

                Waiting 10 seconds: Before checking if Replication Connection 'I50_WDF2.MXMC_db' is suspended with dump marker....

                Waiting 10 seconds: Before checking if Replication Connection 'I50_WDF2.MXMC_db' is suspended........

        Materialize database "I50"...

                Materializing database 'I50' automatically from source 'ROT1' to target 'WDF2'..

                Executing ASE dump and load task for database 'I50'.....

                Successfully verified materialization on database 'I50'..

                Stop the Replication Agent for database 'I50' on host 'wsx-db1:5000' and data server 'I50_ROT1'..

                Stop the Replication Agent for database 'MXMC_db' on host 'wsx-db1:5000' and data server 'I50_ROT1'..

                Configuring Replication Server: set 'hide_maintuser_pwd' to 'on'...

                Waiting 10 seconds: Before checking if Replication Connection 'I50_WDF2.I50' is suspended with dump marker...

                Waiting 10 seconds: Before checking if Replication Connection 'I50_WDF2.I50' is suspended........

Materialize Databases...Success

ase-db2 ASE-16_0/bin%

Setup is now completed for both SAP Adaptive Server Enterprise instances.

Jazz up Your Hybrid User Management with the SCIM Extension for SAP Identity Management - SAP Best Practices SCIM Connector for SAP IdM

2023-11-14T18:52:24+01:00

Why It's the Bee's Knees

Imagine you're trying to link a SCIM target system, be it SAP or non-SAP, and you find yourself in a pickle. You realize it might be a cinch, or even downright essential, to bypass the SAP Cloud Identity Services Identity Provisioning Service (IPS) and instead go for the gold with a direct connection.

Now, this could sneak up on you for a myriad of reasons. Maybe, there isn't a connector in IPS for your dream target application. Or perhaps your target system demands certain fancy headers that IPS just won't let you set.

Regrettably, the standard-issue SCIM package of SAP Identity Management (IdM) is tailor-made for the IPS. It's a bit like trying to fit a square peg in a round hole when you want to connect any other SCIM target system.

How It's a Game Changer

But wait, there's hope! The wizards at SAP Professional Services have concocted a Java SCIM connector. This is no ordinary connector - it's more like a Swiss Army Knife! It not only lets you link SCIM target systems directly to IdM, but it also supports the extensions of SAP Identity Management Business Extensions Service (formerly known as RDS, more details here).

Moreover, you can dictate additional headers and cherry-pick the information you wish to glean from the return body of the SCIM API call. It's also compatible with native basic and oAuth authentication flows, including the support for X-CSRF tokens.

Deploying this connector is like having a backstage pass to connect any native SCIM application directly to SAP IdM.

For instance, I've harnessed this connector package to link a Service Now instance to an SAP IdM system - easy as pie!

The Inside Scoop

クラウド時代のSAPのIDとアクセス管理ソリューションのご紹介

2023-11-27T09:22:35+01:00

こんにちは！

今回のブログでは、クラウド時代にふさわしい SAP が提供する IDとアクセス管理（いわゆる IAM、Identity and Access Management）のためのソリューションをご紹介します。

ソリューションポートフォリオ

企業ユーザのための IDとアクセス管理ソリューションは、以下の３つの領域において、クラウドでの提供サービスと、従来からのオンプレミスソリューションで構成されます。

クラウドソリューション

SAP Cloud Identity Services

SAP Cloud Identity Services では、ユーザ認証およびプロビジョニングの基本機能が提供されます。SAP Cloud Identity Services は、Identity Authentication と Identity Provisioning の 2 つの主要コンポーネントで構成されています。

詳細については、ヘルプ「SAP Cloud Identity Services」を参照ください。

SAP Cloud Identity Services - Identity Provisioning

SAP Cloud Identity Services - Identity Provisioning は、ID ライフサイクルプロセスを管理するための SCIM ベースのクラウドサービスです。このサービスにより、アイデンティティライフサイクルプロセスが自動化され、さまざまなクラウドおよびオンプレミスのビジネスアプリケーションへの ID とその権限のプロビジョニングが容易になります。

詳細については、ヘルプ SAP Cloud Identity Provisioning、SAP Discovery Center でのサービスカタログ SAP Cloud Identity Services - Identity Provisioning を参照ください。

SAP Cloud Identity Services - Identity Authentication

SAP Cloud Identity Services, Identity Authentication は、SAP クラウドおよびオンプレミスアプリケーションの安全な認証およびシングルサインオンのためのパブリッククラウドサービスです。これは、アイデンティティプロバイダ自体として機能することも、顧客の既存のシングルサインオンインフラストラクチャと統合するためのプロキシとして使用することもできます。

詳細については、ヘルプ SAP Cloud Identity Services - Identity Authentication、SAP Discovery Center でのサービスカタログ SAP Cloud Identity Services - Identity Authentication を参照ください。

SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance は、シンプルでシームレスな適応型のビジネス主導の継続的なアクセス分析、ユーザプロビジョニング、およびロール設計により、管理者、監査人、およびビジネスユーザのアクセスガバナンスとコンプライアンスの複雑さとコストを削減します。IAG は、動的なロールエンジニアリングに機械学習を活用しています。

詳細については、ブログ「SAP Cloud Identity Access Governance (IAG) の概要」、ヘルプ SAP Cloud Identity Access Governance を参照ください。

SAP Secure Login Service for SAP GUI

SAP Secure Login Service for SAP GUI では、SAP GUI for Windows における安全な認証およびシングルサインオンが提供されます。

詳細については、ブログ「SAP GUI for Windows のためのシングルサインオンソリューションのご紹介」、ヘルプ SAP Secure Login Service for SAP GUI を参照ください。

オンプレミスソリューション

SAP Identity Management

SAP Identity Management は、オンプレミス環境のSAP、SAP以外のアプリケーションのためのIDMソリューションです。

詳細については、このブログの最後の概要、あるいはヘルプ SAP Identity Management を参照ください。

SAP Access Control

SAP Access Control では、アクセスリスク違反を検出、修正、および最終的に防止するプロセス、ロール管理アクティビティの標準化、プロビジョニングプロセスとユーザアクセスレビュープロセスの自動化、およびスーパーユーザアクティビティのエンドツーエンドの可視性の提供が含まれます。

詳細については、ブログ「SAP Access Control の概要」、ヘルプ SAP Access Control を参照ください。

SAP Single Sign-On

SAP Single Sign-On は、オンプレミスのシングルサインオンソリューションです。

詳細については、ブログ「SAP GUI for Windows のためのシングルサインオンソリューションのご紹介」、ヘルプ SAP Single Sign-On を参照ください。

補足: SAP Identity Management の主な機能について

以下は、過去、別サイトに投稿したブログからの抜粋です。該当サイトが近く閉鎖されることから記録として残すために、転載しています。灰色の文字が元のブログから、黒字が今回追記した箇所を示しています。

SAP Identity Managementとは?

SAP Identity Management によって、企業は、複雑で異機種混在のシステム環境において、ユーザーIDとそのIDへの権限の割当を集中管理できます。例えば、複数のシステムに分散した、本社、関連会社、契約社員のユーザーIDを一元管理できます。

SAP Cloud Identity Services により、本社、関連会社、契約社員を含むユーザID を一元管理できます。

SAPおよびSAP以外のアプリケーションにユーザーIDと権限割当を自動的に配信できます。また、SAP Access Controlソリューションと連携することで、職務分掌に適合したコンプライアンス対応のID管理を実現できます。

SAP Cloud Identity Services - Identity Provisioning、あるいは、SAP Cloud Identity Services - Identity Provisioning と SAP Cloud Identity Access Governance との組み合わせにより、SAPおよびSAP以外のアプリケーションにユーザーIDと権限割当を自動的に配信でき、SAP Cloud Identity Access Governance を利用して職務分掌に適合したコンプライアンス対応をサポートできます。

ワークフロー、レポート、セルフサービス機能を提供します。SAPのシングルサインオンソリューションと連携することで、ITシステム全体に対するシングルサインを、アクセスセキュリティを確保したうえで安全に提供できます。

SAP Cloud Identity Access Governance により、ワークフロー、レポート、セルフサービスの権限申請をサポートできます。SAP Cloud Identity Services - Identity Authentication により、ITシステム全体に対するブラウザベースでのシングルサインオンを実現できます。SAP GUI for Windows でのシングルサインオンに対しては、SAP Secure Login Service for SAP GUI がこれをサポートします。

図: SAP Identity Management の主な機能

SAP Identity Managementの差別化要因

SAPアプリケーションとの技術的連携
- SAP S/4HANA、SAP Business Suite、SAP HANA、SAP BusinessObjects、SAP SuccessFactorsを含むSAPアプリケーションとの連携

ビジネスプロセスレベルの連携
- SAP HCM、SAP SuccessFactorsとの連携（従業員情報）
- SAP CRMとの連携（ビジネスパートナー情報）

SAP Access Controlとの連携 -> コンプライアンス（職務分掌）

多くのSAPおよびSAP以外とのコネクタを標準装備（例： Active Directory、Outlook、Lotus Notes、データベース、ファイル、他）

SAP Identity Managementの利用シナリオ

統制されたID管理の代表例としてユーザーによるロール（権限）割当申請のシナリオと、ビジネスプロセスの効率化に有効な人事ビジネスプロセスとの連携によるプロビジョニングのシナリオを紹介します。

(1) ユーザーによるロール（権限）割当申請のシナリオ

ユーザーがSAP Identity Managementにログインし、Web UIを使って、ロール割当を申請

SAP Identity Managementのワークフロー機能により、マネージャーにワークフローのタスクが通知され、マネージャーは申請を承認
（3から6はオプション）

SAP Identity ManagementはSAP Access Controlのリスク分析へ依頼を転送

SAP Access Controlはリスクを分性（職務分掌に適合することをチェック）

リスクがある場合は適切な担当者が緩和処置を実行

SAP Access ControlはリスクステータスをSAP Identity Managementに転送

SAP Identity Managementは、ターゲットシステムへ配信（例えば、SAP ERPの請求処理ロールの申請のケースでは、SAP ERPのユーザIDに請求処理ロールを割当てる。ユーザーIDが未登録であればそのIDを登録する。）

SAP Identity Managementは、ユーザーとマネージャーへメールで完了を通知

図: ロール割当申請から配信までのプロセスフロー

(2)人事プロセス主導のIDとロール割当のシナリオ（採用時）

採用前フェーズ: 人事は、ポジションや入社日などの彼女の社員データを入力

イベント起動で個人データを抽出

SAP HCMでのポジションに基づき、IDMは、ビジネスロール “Marketing Specialist” を自動的に割当て

彼女の上司が割当を承認

仕事の初日: 関連システムにロールと権限情報を配信

図: ビジネスプロセス主導のID管理（採用時）

SAP Identity Managementのコネクタ

SAP Identity Managementの標準コネクタの一覧を示します。多くのコネクタが提供されていることを確認いただけると思います。これら以外に、パートナー企業から提供されているコネクタもあります。必要に応じて、コネクタを独自に開発することも可能です。

図: SAP Identity Management のコネクタ一覧

System Email Notification Status Report

2023-12-12T13:50:10+01:00

Overview:

In today's fast-paced business environment, staying informed and aware of critical system activities is essential. However, manually monitoring multiple email notifications can be time-consuming and inefficient. This is where the power of SuccessFactors Story Report comes into play.

Story Report, a powerful tool within People Analytics, transforms system email notifications into insightful data visualizations and interactive dashboards. This empowers users to gain valuable insights into key system activities, drill down into specific events, and identify potential issues or trends quickly and easily.

The Story type of report in Report Center is part of the People Analytics solution, and it's based on the integration of SAP SuccessFactors HXM Suite with SAP Analytics Cloud. It is a presentation-style report that uses charts, visualizations, text, images, and pictograms to describe data.

Target Audience:

Story Report is valuable for various user groups within an organization, including:

HR teams: Use story reports to track the delivery and engagement of onboarding emails, training notifications, and performance review reminders.

IT teams: Monitor the delivery of system alerts and notifications to ensure that users are receiving critical information about system outages or maintenance.

Modules supported:

All emails sent from BizX can be tracked and will be available in the Email Monitor report.

RMK and LMS data are currently not supported in story reports email notifications.

System Prerequisites:

Ensure Identity Authentication Service (IAS) and Identity Provider Service (IPS) are configured for the SAP SuccessFactors tenant.

Sync users from SAP SuccessFactors HXM Suite to SAP Identity Authentication Service.

Role based permissions - Prerequisites.

View permission to the following three objects in User Permissions Miscellaneous Permissions:

1. Email Notification: contains the data of generating email notifications in SAP SuccessFactors.
2. Email Notification Recipient Details: contains the delivery information of each email notification on the recipient side.
3. Email Notification Processing Details: contains the processing data of email notifications within SAP internal servers.

Role Based Permission

- User Permissions >> Reports Permission Create Story Email Notifications permission.

Create story permission

Step to Create System Email Notifications Report:

Go to the Report Center.
Click New to create a Story type of report. Choose Classic Design Experience & then select sapsfsfrep as connection information.

Query Designer for tracking Email Notification

A query model is a representation of large amounts of business data using common business terminology. The Query Designer enables to select the fields that can be used to create reports using Story. The queries build using the Query Designer are stored within the stories. They are referred to as Data Sources in the Story.

- Browse the module data sets in the Available Data section, and expand the data set "Email Notifications".
- To select a table for the query, double-click it or drag-and-drop the tables on the query canvas.

On the query canvas, select the table available in the schema to build the query.

Add required columns and filters based on the modules/templates required to build the query, using the options on the action menu.

choose Finish, when the query is completed.

Enter a query name along with an appropriate description & Choose OK to save the query.

Step to create a simple filter:

On the Query Designer canvas, find the table for applying the simple filter and click it.

Click the (filter) icon and select Simple Filter.

From the list of columns available, select a column for the simple filter.

The Select Members dialog appears, and the Available Members section shows all the values of the selected column appears.

Simple Filter

From the Available Members section, select the values that are required to be included in the filter definition. (Select Performance Management Module)

Check the Selected Members list to ensure that the choices are correct.

Click OK.

Apply the other required filters by following the above steps.(Optional)

Add an object to story canvas:

Once the query design is completed, select the object type "Table" for the story as shown in the below screenshot.

Adding Object - Table

Choose the dimensions & styling for the story. Styling

The report output will be as below.

Conclusion:

Leveraging system email notifications effectively in SuccessFactors can streamline communication, improve user engagement, and boost overall efficiency.

Start implementing these tips today and witness the positive impact on organization's workflow and user experience. Remember, SuccessFactors provides a wealth of resources to further customize and optimize the notification system. Dive deeper and unlock the full potential of this powerful communication tool!

Additional information on creating story report: Creating a Story Report | SAP Help Portal

Reporting on System Email Notifications: Reporting on System Email Notifications | SAP Help Portal

Preparing for SAP Identity Management’s End-of-Maintenance in 2027

2024-02-06T10:43:55.073000+01:00

Maintenance for SAP Identity Management (SAP IDM), our on-premises tool for managing the identity lifecycle, will end in 2027. Extended maintenance will be available until 2030. This extension is intended to give your organization ample time to plan and execute a well-considered migration strategy.

There are several topics for SAP IDM customers to consider.

SAP Cloud Identity Services are the center point of SAP’s IAM strategy, relying on widely established industry standards such as Security Assertion Markup Language (SAML), OpenID Connect (OIDC), X.509 certificates and System for Cross-Domain Identity Management (SCIM). Their focus is to simplify system integration and help ensure security and compliance while providing a seamless user experience.

With SAP Cloud Identity Services it is easy to integrate SAP Cloud applications with an existing IAM system infrastructure. SAP Cloud Identity Services provides a central integration point that enables a single one-time integration to support extended partner identity scenarios for SAP Cloud solutions.

You can find more details in the System Integration Guide for SAP Cloud Identity Services.

Furthermore, recognizing the importance of seamless integration within the identity and access management landscape, SAP is committed to further enhance SAP Cloud Identity Services and SAP Cloud Identity Access Governance. These enhancements are designed to facilitate integration with other partner identity management solutions, like Microsoft Entra ID, that provide a comprehensive approach to enterprise-wide identity and access scenarios.

Microsoft and SAP are actively collaborating to develop guidance that enables customers to migrate their identity management scenarios from SAP Identity Management to Microsoft Entra ID. Microsoft Entra ID offers a universal identity platform that provides your people, partners, and customers with a single identity to access applications and collaborate from any platform and device. This work and partnership are in progress; stay tuned for updates and blogs with details about our collaboration efforts

Review and Adapt Business Roles after a Major Upgrade in the SAP S/4HANA Cloud Public Edition

2024-03-12T21:50:19.874000+01:00

Introduction

As a cloud solution, SAP S/4HANA Cloud Public Edition undergoes major upgrades every six months, in February and August each year. Besides introduction of new innovations, there are many changes in the Identity and Access Management (IAM) area as well. After going-live and implementation consultants leaving the project, most customers overlooked the IAM area due to lack of resources and expertise. I am going to fill this gap with two related blogs.

The first blog Review Business Role Changes before a Major Upgrade in the SAP S/4HANA Cloud Public Edition intends to explain what you need to do before a major upgrade. Besides replacing deprecated Business Catalogs with their successors, the primary effort lies in understanding what is to be changed around Business Roles, especially those roles already used in the Production Tenant. Some decisions are to be made together with business users from the line of business.

The second blog (this blog) explains the adaptation work of Business Roles after a major upgrade with examples. You need to roll up the sleeves to get the job done in the system.

Authorization Building Blocks

The authorization structure within the SAP S/4HANA Cloud Public Edition is built on top of building blocks called Restriction Type Fields, Restriction Types, Business Catalogs, Business Role Templates, and Business Roles which are assigned to business users. These building blocks form a Hierarchy of Authorization Components (see below Figure).

Hierarchy of Authorization Components

Among these authorization components within the hierarchy, any changes at the lower levels cause a ripple effect to the components at a higher level. Following Permutations and Combinations theory, the final possible changes at the Business Role level could be exponential. In one case I have 11,000+ possible changes to the Business Roles. That is a lot to deal with.

Since many changes in Restriction Types and Business Catalogs are not being used in customer's systems, it is a waste to deal with all these changes. I will deal with the changes more from the Business Role perspective, and only focus on those in-use business roles in this blog. This way we can reduce the volume of work dramatically.

Ripple Effect of Authorization Component Changes

Review Business Role Related Changes

Luckily, there is an app called Manage Business Roles after Upgrade, which helps us to review the changes at different levels within the hierarchy. I usually use this app to explore all the changes but make changes in other apps to be discussed shortly.

Note 1: In the SAP Fiori Apps Reference Library, the app is marked as deprecated from 2308 Release. This is not correct. The app has no plan to be retired.

Note 2: The screenshots within this blog are from a Starter System but marked as “Test VHE/100”. At a customer site, we should conduct all of business user role adaptation work in the Customizing Tenant, then creating a transport to transfer changes to Test and Production tenants.

Note 3: If your system has been used for several years, AND you haven’t done any adaptation work after several past upgrades, it could take some time to bring the data up when launching the Manage Business Roles after Upgrade app.

The App Manage Business Roles after Upgrade

To explore the changes, you can explore from five different perspectives, hence the five tabs: Restriction Types, Business Catalog Dependencies, Deprecated Business Catalogs, Business Role Templates, and Affected Business Roles.

Restriction Types – This tab (refer to above figure) lists all the changed Restriction Types and their affected Business Catalogs. For example, the Restriction Type Access to Price Elements has three line-items, each represents a unique change (adding a restriction type for Write and Read, adding a restriction type for Read, removing a restriction type) and its impact to a set of business catalogs. If you want to know its further impact to the business roles, you can follow the “>” sign to get below figure. Here three affected business roles are listed.

Impact of Restriction Type Access to Price Elements to the Business Roles

Business Catalog Dependencies – This tab lists business catalog dependency change, either a new dependency is added, or an existing dependency is removed. In the following figure, I use the filter Change = Dependencies removed to list those business catalogs having dependencies removed.

Business Catalogs with Dependencies Removed

The impact of this change can also be observed by selecting the business catalog and click the “>” icon. The below figure shows one business role BR_OVERHEAD_ACCOUNTANT which is affected by removing a dependency in the business catalog Worker – Payment Information Display (the last business catalog in the above figure). The required business catalog ID was SAP_CMD_BC_BP_DISP_PC.

Affected Business Role from Removing Dependency in Business Catalog Worker – Payment Information Display

Note: When the business catalog A has a dependency on B, the business role using A should also contain B as a prerequisite. Sometimes you see B in one business role but not other, although both contain A. The reason is that some dependency is optional. The optional dependency is sometimes not marked clearly.

Deprecated Business Catalogs – This tab delivers two important information: First, at which release the deprecation was announced. For example, the deprecation of the Business Catalog SAP_FIN_BC_FCCO_ADMIN_PC was announced at Release 2308. Second, if the deprecated business catalog has a successor or not. For example, the deprecation of the Business Catalog SAP_FIN_BC_FCCO_ADMIN_PC has no successor. However, the deprecation of the Business Catalog SAP_HCM_BC_EMP_DSP_PC has a successor SAP_WFD_BC_EMP_DSP_PC. In fact, this business catalog name change is caused by naming change from Human Capital Management (HCM) to Worker Force Deployment (WFD).

List of Deprecated Business Catalogs

Similarly, the impact of this change can also be observed by selecting the business catalog SAP_HCM_BC_EMP_DSP_PC and click the “>” icon. Five business roles are affected.

Affected Business Roles after Changing in Business Catalog SAP_HCM_BC_EMP_DSP_PC

By looking at the column Deprecated with Release, you will notice the release version range is quite wide, from earliest of 2105 to latest 2402. All deprecated objects (apps, business catalogs, business role templates) will be removed in six months, i.e., during next major upgrade. Why it is not the case here? Let’s look at the business catalog SAP_CA_BC_IC_LND_FIN_EPIC_PC, which was declared to be deprecated in Release 2105. By exploring Affected Business Roles, we learn that due to the usage of it within the Business Role Z_Test, the Business Catalog SAP_CA_BC_IC_LND_FIN_EPIC_PC cannot be removed in the system.

The Business Role Z_Test Causes Business Catalog SAP_CA_BC_IC_LND_FIN_EPIC_PC Cannot Be Deprecated

If we remove the Business Catalog SAP_CA_BC_IC_LND_FIN_EPIC_PC from the Business Role Z_Test, the business catalog should be deleted during next upgrade.

Lesson Learned: If we adapt business catalog changes promptly after each major upgrade, we won’t have very old deprecated business catalogs sitting in our system.

Business Role Templates – We usually recommend our customers to make a new business role by copying from a standard SAP Business Role Template. Over the time, this template has been changed to accommodate the new features and functions. But the copied role won’t reflect this change; in other words, it keeps the outdated content from the original template. However, the system keeps track of those business roles copied from the original business role template. When the template content changes, this tab lists these templates so that you can make adaptation to your business roles accordingly.

List of Business Role Templates Different from Their Copied from Business Roles

The impact of this template change can be observed. For example, we select Business Role Template Administrator - Accounts Payable and Receivable (FI-CA), click the “>” icon, and an affected business role BR_ADMIN_APR_FICA is displayed. You can explore what has changed by selecting this business role, and hit the button Compare with Business Role Template.

Compare Affected Business Role with Its Business Role Template

In this example, there is only one business role copied from the template. In other cases, there might be multiple roles listed as they are all copied from the same template.

In the next section, I will discuss in detail how to execute the comparison and take the necessary actions to do the business role adaptation.

Affected Business Roles – Remember the term Permutations and Combinations I mentioned above? Here it is. There are over 6290 line-items in this tab. It lists all the business roles being affected one way or another, each change is a line-item. The Business Role AP_PARK has 12-line items.

List of Affected Business Roles

From the Filter Changed Object Type, it lists three types: Restriction Type, Business Catalog and Business Role Template. Any changes in one or more of these types result a change in the business role. Among them, Restriction Type causes most changes (5602 to be precise), Business Catalog (608) and Business Role Template (69), respectively.

By downloading this list to an Excel file, and remove duplicated Business Role names, I found out there are 133 unique business roles. That is a big reduction from 6290. You can breathe much easier now.

In addition, let’s take a closer look at the business role AP_PARK by clicking the hyperlink. It opens the Maintain Business Roles app which I will go in detail soon.

Maintain Business Role AP_PARK

Click on the button Display Changes After Upgrade. You will see Changes after Upgrade section on the right-hand side. There are four changed areas:

Restriction Types
Business Catalog Dependencies
Deprecated Business Catalogs
Business Role Template (not shown here)

There is a long list of changed Restriction Types, but nothing is listed at the Business Catalog Dependencies and Deprecated Business Catalogs. So, our attention only needs to be on the Restriction Types.

Changes after Upgrade

Click on the hyperlink Display Restrictions. It turns out no restriction types are set for this business role, or the “Business Role is Unrestricted” as declared/displayed in the below figure.

Unrestricted Business Role AP_PARK

Now we can comfortably draw a conclusion: the changes to the business role AP_PARK all occurs in restriction types; since the role AP_PARK doesn’t set any restrictions; we don’t need to do any adaptation. Hurray!

Only work left to do is editing this role, doing nothing, then save it. This will remove this business role off from our to do list. The below figure shows most line-items for the business role AP_PARK are gone as expected. The only remaining change is a restriction type to be phased out within business catalog SAP_MM_BC_INV_PARK_PC.

The Affected Business Roles List without AP_PARK

Note: After a major upgrade, you can see which business roles are affected in the Manage Business Role Changes after Upgrade app, or see the button Display Changes after Upgrade in the Maintain Business Roles app. However, as soon as you edit this business role and save it (repeat, save it), these indications disappear. They only display once.

Adapt Business User Role Related Changes

After the exploration work discussed above, we are entering the phase of adaptation and adoption in three areas with their relevant apps: Business Catalogs, Business Role Templates and Business Roles.

From a broad sense, the word adaptation and adoption are different. I found a good explanation in this article:

Adapt vs Adopt:

Adapt is used either when a change is made to make something more suitable for a particular use or when adjusting to a new place. Adopt is used when something is taken over, chosen, accepted or approved by choice.

Following this definition, we will adopt SAP defined objects like Business Catalogs and Business Role Templates and adapt user defined objects like Business Roles.

Business Catalog Adoption Using Business Catalogs App

You can access Business Catalogs app by two ways: using the app finder at the top of the screen or following the Space Administration to Page Identity and Access Management. I choose the later approach. In the Section Insights, you can find the Business Catalogs app.

Business Catalogs app within Insights Section of the Identity and Access Management Page

There is a number 30 on the app. It indicates 30 deprecated business catalogs are still in use. That is our target.

After opening the Business Catalogs app, it shows 2418 entries. This number differs from systems to systems. Basically, the more scope items you activate in the Central Business Configuration (CBC), the more authorization objects you get, including business catalogs.

Applying filter Status= Deprecated, you will see 63 entries. Then add another filter Used in Business Roles and make the value to be larger than and equal to 1, now you get 30 deprecated business catalogs used in at least one business role. This matches the number shown above.

Business Catalogs app

For our interest after a major upgrade, we only pay attention to these deprecated business catalogs in use by one or more business roles. For those deprecated but not in use business roles, we are not concerned as they will be removed during next major upgrade.

Among those deprecated business catalogs, we can either replace them with their successors, or remove them from the business roles if no successor is listed.

Let’s investigate several of these business catalogs as examples. First, make sure your screen is wide enough to display all the columns. Otherwise, you will see the More button, which can be used to add two columns Used in Business Roles and Used in Business Role Templates if your screen is not wide enough.

Include All Columns in Business Catalogs app

Example 1: Business Catalog Electronic Payment Integration for China (EPIC) - Configuration (Deprecated)

On the screen you can see this business catalog has zero successor and one business role.

Business Catalog Electronic Payment Integration for China (EPIC)

Check the business role Z_TEST, it has 23 business catalogs assigned, but no user is assigned. Obviously, it was used one time as a test business role but abandoned afterwards. The business catalog we are working on was clearly marked as Deprecated with 2105. We should do the garbage collection job: deleting this business role. During next major upgrade, since no more business role is using this business catalog, it will be removed from the system.

Business Role Z_TEST

Another garbage cleaning option is to use the command Adopt Change within Business Catalogs app. It effectively adapts the business role Z_TEST. This removes the no-successor business catalog from the business role as shown in below figure. The troublemaking business catalog is gone. The number of business catalogs is reduced from 23 to 22.

Business Role Z_TEST without the Deprecated Business Catalog

Example 2: Business Catalog Resource Management (Basic) - Project Based Services (Deprecated)

This business catalog is relatively simple. It has one successor and used in one business role (BR_RESOURCE_MANAGER). All we need to do is replacing the deprecated business role with its successor by selecting the business role Resource Manager and click the Adopt Changes button. The system takes care of the replacement.

Replace a Deprecated Business Catalog with Its Successor within the Business Role BR_RESOURCE_MANAGER

Example 3: Business Catalog Employee - Display (Deprecated)

Many times, to meet the requirements of new naming convention, SAP changes the business catalog ID name. This business catalog has an old ID SAP_HCM_BC_EMP_DSP_PC. Its new ID is SAP_WFD_BC_WRK_DSP_PC. That’s the reason for deprecation. We can select all five business roles and click on the Adopt Changes button.

Replace a Deprecated Business Catalog with Its Successor within Multiple Business Roles

Note: When executing the Adopt Changes button, I noticed that only the top three roles were adapted (although the message says all of them were adapted). I had to adapt again for the remaining two business roles. It should not behave this way.

SAP Business Role Template Adoption Using Business Role Templates App

When opening Business Role Templates app, we pay attention to two criteria: in-use and different from business role templates.

In-use is measured in the column “Business Roles”, which can be filtered out by applying Filter Business Roles=In Use. That reduces the total number of listing templates from 252 to 101.

As a best practice, we advise our customers to create user roles by copying from SAP Business Role Templates for the easy of creation and maintenance. While doing that, the system keeps track of those roles created from role templates. Over the time, SAP changes the business role templates, and our in-use business roles are no longer in sync with the latest version of the templates. This is reflected in the column “Different from Business Roles”.

To find out those business role templates we are interested in, we set the Filter Show Business Role Templates = Different from Business Roles.

Sort out In-Use Business Role Templates “Different from Business Roles”

Now the total number of listing templates is further reduced from 101 to 55.

Next filter to apply is Changed Since. If we keep on adopting the template changes at each major upgrade, there should not be so many templates Different from Business Roles. This system is at Release 2402. Any changes should happen after 2308 upgrade. Let’s apply the Filter Changed Since= 08/01/2023. Now the total number of listing templates is 21. Much less templates to work with!

List of Business Role Templates to Work With

Note: In your own system, try to tackle all those old and new Business Role Templates Different from Business Roles, so that they won’t show up again after next major upgrade. I purposely filter out those templates changed before 2308 upgrade to get my point across.

Let’s look at two examples:

Example 4: Business Role Template Maintenance Planner SAP_BR_MAINTENANCE_PLANNER

This template only has one in-use business role. You can access it by clicking “>” icon. Select the role and hit Compare button.

Compare a Business Role with its Business Role Template

Currently, the template SAP_BR_MAINTENANCE_PLANNER has 58 business catalogs, but the business role BR_MAINTENANCE_PLANNER has 56 business catalogs. This can be observed by scrolling down the business catalog list. Two check boxes are empty in the Business Role column. You can select the check box individually, or hit button Apply All. Don’t forget to hit Save button to take effect.

Sync Business Role Template and Business Role

Note: It is up to your business scenario if you want to add above business catalogs into your business role. If added, new apps might appear as desired. If not added this time, this template will show up again as “Different from Business Roles” after next major upgrade. Make a proper documentation as a future reference.

Example 5: Business Role Template Cost Accountant – Overhead SAP_BR_OVERHEAD_ACCOUNTANT

This template has three business roles. The first role matches the template completely, and the third role left many business catalogs out purposely. To adapt these business roles, you need to consult the business users carefully to make the right decision. Ideally, document your findings and solutions so that you don’t need to go back to them after next major upgrade.

Compare Three Business Roles with Their Role Templates

Business Role Adaptation Using Maintain Business Roles Apps

As our primary goal after a major upgrade is adapting business roles, the Maintain Business Roles app is the tool.

Identify Changed Business Roles in the Maintain Business Roles

When we first launch the Maintain Business Roles app, make sure we select two columns Business Catalog Deprecation Count and Changes after Upgrade as shown above. Then sort the data by the column Business Catalog Deprecation Count. This highlights those business roles we need to adapt either with deprecated business catalogs, or changes in Restriction Types. Let’s look one example:

Example 6: Business Role General Ledger Accountant BR_GL_ACCOUNTANT

By clicking on the Display Changes After Upgrade button, we can see the following changes and potential action items:

Restriction types: many restriction types have been added or removed. ->> We need to go to Edit them.
There is one dependent business catalog is added. ->> Make sure this dependent business catalog is part of the business role definition.
There are four business catalogs deprecated without successors. ->> Make sure they are removed.
Business Role Template is different from Business Role ->> Do a comparison and make necessary adjustment.

Changes after Upgrade in Business Role General Ledger Accountant BR_GL_ACCOUNTANT

After having a good overview about potential changes, we click on Edit à Manage Change After Upgrade. On the right section Changes After Upgrade, we can expand four areas and take necessary actions.

Business Catalog Dependencies: Select SAP_FIN_BC_SRF_RUN_PC and click on Adopt Changes. The required business catalog SAP_FIN_BC_MWTI_COMMON_PC is added to the business role definition, together with SAP_FIN_BC_SRF_RUN_PC. Now total business catalog number increases to 42 from 41.

Take Adopt Changes Action to Business Catalog Dependencies and Deprecated Business Catalogs

Deprecated Business Catalogs: Select four deprecated business catalogs SAP_FIN_BC_FCCO_XXX and click on Adopt Changes. These four business catalogs are removed. Now total business catalog number decreases to 38 from 42.

Changes Made to the Business Role after Adopt Changes Actions

Restriction Types: Click on Maintain Restrictions button. Only Read, Value Help is restricted. By selecting Read Restrictions as a filter and choosing Restriction Types one by one, I don’t see any values in the Restriction Fields. I could change Read, Value Help to be unrestricted, but it is better to talk with business users and administrators how this business role was defined. Take a note of the reason for future reference purpose.

Note: When I save this business role, I get a warning message: “Business Role BR_GL_ACCOUNTANT contains not maintained read restrictions”. It is another indication this restriction should be removed.

Business Role Template: We can still see a note there “Business role is different from template”. Using the Business Role Templates app to do a final comparison with the template SAP_BR_GL_ACCOUNTANT, we see the following:
- Two new business catalogs are in the template, but not the business role. We need to add them after consulting with business users.
- Five business catalogs at the bottom are “not included” in the template, we should deselect them after consulting with business users. The bottom four business catalogs are deprecated. We just removed them in our previous discussion.
- There are two more business roles Z_BR_GL_ACCOUNTANT_REQ and Z_BR_GL_ACCOUNTANT, we can do a similar investigation.

Comparing Business Role BR_GL_ACCOUNTANT with Its Template SAP_ BR_GL_ACCOUNTANT

Restriction Types of the Business Role BR_GL_ACCOUNTANT

Create a Transport to Transfer Changes to Test and Production Tenants

After all the business role adaptation has been made in the Customizing Tenant on the Development System, we need to create a transport to transfer them to the Test and Production Tenants. This is accomplished by creating a new software collection in the Export Software Collection app.

Create a Business Role Adaptation Transport

After the transport is created, click on Add Items button. Using the filter features to select those relevant business roles:

Type: Business Role (IAM_BROL)
Last Changed By: George Yu

The business role BR_GL_ACCOUNTANT is one of those changed ones.

Selecting Business Roles to be Included in the Transport

Now this software collection “Biz Role Transport 1” containing business role BR_GL_ACCOUNTANT is ready to be exported.

The Software Collection Containing Business Role BR_GL_ACCOUNTANT

Conclusion

This blog explained and demonstrated why and how to adapt business roles after a major upgrade. It is a necessary step to keep business roles in-sync with the latest and the greatest of the SAP S/4HANA Cloud Public Edition, especially in the Identity Access Management area. When working on adaptation, focusing on the Business Roles, especially those in-use roles to limit the scope of your work. Any changes in Restriction Types and Business Catalogs can be overlooked as long as they are not be assigned to your business roles.

References

SAP Help: Manage Business Role Changes After Upgrade
SAP Activate Methodology: SAP S/4HANA Cloud identity and Access Management (IAM) Release Activities – 3SL
Blog: Using Restrictions to Enhance User Authorizations in the SAP S/4HANA Cloud, public edition
Blog: User Management in a Nutshell for the SAP S/4HANA Cloud, public edition
Blog: Review Business Role Changes before a Major Upgrade in the SAP S/4HANA Cloud Public Edition
Blog: (this blog) Review and Adapt Business Roles after a Major Upgrade in the SAP S/4HANA Cloud Public Edition

Review Business Role Changes before a Major Upgrade in the SAP S/4HANA Cloud Public Edition

2024-03-20T15:42:54.072000+01:00

Introduction

The first blog (this one) intends to explain what you need to do before a major upgrade. Besides replacing deprecated Business Catalogs with their successors, the primary effort lies in understanding what is to be changed around Business Roles, especially those roles already used in the Production Tenant. Some decisions are to be made together with business users from the line of business.

The second blog Review and Adapt Business Roles after a Major Upgrade in the SAP S/4HANA Cloud Public Edition explains the adaptation work of Business Roles after a major upgrade with examples. You need to roll up the sleeves to get the job done in the system.

Note: For the ease of discussion, I am using a system E7Z/100 at 2308 Release before upgrading to 2402 Release unless noted in this blog. In contrast, I use a system just upgraded to 2402 in the second blog.

Building Blocks of Business Roles

Hierarchy of Authorization Components

Since many changes in the Restriction Types and Business Catalogs are not being used in customer's systems, it is a waste time to deal with all these changes. I will deal with the changes more from the Business Role perspective, and only focus on those in-use-in-your-P-Tenant Business Roles in this blog. This way we can reduce the volume of work dramatically.

Process of Adapting Business Roles during a Major Upgrade

The major upgrade process starts from a Test Tenant, and then move to the Development and Production Tenants three weeks later. Before, during and after a major upgrade, we have a list of tasks to perform from IAM perspective. They are all illustrated in the below figure.

Process of Adapting Business Roles during a Major Upgrade

This blog focuses on the tasks before the upgrade:

Check and replace deprecated Business Catalogs in D/T/P Tenants
Identify the preliminary IAM changes via What’s New Viewer
Identify the preliminary IAM changes via SAP Note 2975653

The tasks after the upgrade is described in the sister blog Review and Adapt Business Roles after a Major Upgrade in the SAP S/4HANA Cloud Public Edition.

Replace Deprecated Business Catalogs

After opening Business Catalogs app, we need to set the filter Status= Deprecated. In this system, I have 13 deprecated Business Catalogs, all announced in 2308 Release. That means all of them will be deprecated during 2402 upgrade. Among them, four of them are not used in any Business Roles. For them, I don’t need to do anything. The upgrade process will remove them automatically.

Find Deprecated Business Catalogs

The Business Catalogs need my attention are those used in the Business Roles. If I don’t replace them, or still use them in the Business Roles, the system won’t deprecate them according to the schedule. For example, the below figure shows deprecated Business Catalogs belong to different releases, some is as early as 2108 Release (the example is from a 2402 Release system). You need to clean them up at each upgrade!

Deprecated Business Catalogs from Early Releases

Let’s work on several Business Catalogs as an example.

Business Catalog End to End Implementation Experience - Feature Management (Deprecated)

When we open this Business Catalog, we notice the following info.

Deprecated with Release: 2308
Successors: 1
Used in Business Roles: 1
Used in Business Role Templates: 0

Deprecated Business Catalog SAP_CA_BC_FM_DAD_PC

That tells us we need to replace the deprecated Business Catalog SAP_CA_BC_FM_DAD_PC with its successor SAP_CA_BC_IC_LND_FTG_PC (under tab Successors) in the Business Role BR_BPC_EXPERT.

To replace this deprecated Business Catalog, I select the Business Role BR_BPC_EXPERT, and hit Adopt Changes button. The Business Catalog is replaced within the Business Role BR_BPC_EXPERT. The Business Catalogs app shows zero in Used in Business Roles list afterwards.

No more Business Role Using Business Catalog End to End Implementation Experience - Feature Management (Deprecated)

Business Catalog Extensibility - Situation Handling (Deprecated)

When we open this Business Catalog, we notice the following info.

Deprecated with Release: 2308
Successors: 1
Used in Business Roles: 1
Used in Business Role Templates: 0

Deprecated Business Catalog SAP_CA_BC_EXT_SIT_PC

That tells us we need to replace the deprecated Business Catalog SAP_CA_BC_EXT_SIT_PC with its successor SAP_CORE_BC_EXT_SIT_PC in the Business Role BR_EXTENSIBILITY_SPEC.

This time I show a different way of replacing the deprecated Business Catalog, i.e., using the Maintain Business Roles app.

To replace the deprecated Business Catalog, click on the Used in Business Roles tab, then click on the hyperlink of the Business Role ID. This opens the Maintain Business Roles app. Hit Edit button, then Manage Changes After Upgrade button.

Manage Changes After Upgrade within Maintain Business Roles app

In the opened window, on the right-hand side, there is a section called Changes After Upgrade. There are four possible change areas. For this Business Role, only change occurs at the Business Catalog SAP_CA_BC_EXT_SIT_PC. By selecting the Business Catalog and hit Adopt Changes button, the system replaces this deprecated Business Catalog with its successor.

Adopt Changes to Deprecated Business Catalog

After the replacement, the successor Business Catalog is showing up in the Assigned Business Catalogs list, Extensibility – Situation Handling SAP_CORE_BC_EXT_SIT_PC. There is no more entries under the section Deprecated Business Catalogs. Total number of assigned Business Catalogs remains 26. The replacement is a success.

Successor Business Catalog is showing up in the Assigned Business Catalogs list

Finally, don’t forget to hit the Save button to complete this change. After the Save action, this business role is no longer on the after-upgrade to-do list, and the hyperlink Manage Changes After Upgrade is permanently grayed out.

Business Catalog Sales - Customer 360 View Display (Deprecated)

When we open this Business Catalog, we notice it is more complicated:

Deprecated with Release: 2308
Restriction Types: 8
Dependencies: 8
Successors: 1
Used in Business Roles: 1
Used in Business Role Templates: 0

About Restriction Types, what they are and how to use them, please refer to my blog Using Restrictions to Enhance User Authorizations in the SAP S/4HANA Cloud, public edition.

Dependencies mean when we use the Business Catalog SAP_SD_BC_CUST_SLSOVP_DSP_PC, it requires another Business Catalog to be present. In this case, there are eight Business Catalogs required.

Dependencies of the Business Catalog SAP_SD_BC_CUST_SLSOVP_DSP_PC

Since there are dependencies this time, you are prompted to confirm adding dependencies to the successor Business Catalog when hit the Adopt Changes button.

Confirm Adding Dependencies to the Successor Business Catalog

Note: There are two types of dependencies: mandatory and optional. For mandatory dependency, you can see both the Business Catalog and its required Business Catalog present in the Business Role definition. For optional dependency, you might not see the required Business Catalog.

By repeating above procedures to work with each deprecated Business Catalog, eventually I replaced all in-use deprecated Business Catalogs with their corresponding successors. The deprecated Business Catalogs are no longer used in the Business Roles.

No more Deprecated Business Catalogs Are Used in the Business Roles

Check What’s New Documentation

Four weeks before the Test Tenant upgrade, we advise our customers to check the What’s New Viewer for the next release to find out the forthcoming new features. There are several filters need to be set as following:

Valid as of: SAP S/4HANA Cloud 2402
This document: IAM

Now you can find all IAM related changes for Release 2402 in the What’s New Viewer.

What’s New Viewer

Under Type, you have six possibilities:

Changed
Deleted
Deprecated
Mandatory task after upgrade
Must know
New

The purpose of What's New Documentation gives users a heads-up, so that you can start conversation with your business users on possible impact. You can use this Documentation together with the Excel worksheets to be discussed soon.

Identify Your Business Roles Impacted by IAM Changes

The SAP Note 2975653 Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud is a central note about IAM changes for the SAP S/4HANA Cloud Public Edition. Within this note, it lists all relevant SAP Notes for each Release. For example, SAP Note 3404825 is for Release 2402.

The primary content of this document consists of two Excel files, and you need to download them:

Delta_S4CE_2402-2308.xlsx
Delta_S4CE_BR_2402-2308.xlsx

The first file lists IAM changes introduced with the new Release 2402 from Release 2308 which affect applications, Business Catalogs, Business Role Templates, Restriction Type assignments, Spaces and Pages, and Page Templates. This list is not customer specific but applies to all customers.

The content of the file is explained in the following table:

List of Worksheets	Content Explanation
ChangeHistory	Shows updates made to the spreadsheet after RTC
BCsNew	Changes to objects not yet assigned to any Business Role, contains new Business Catalogs released with SAP S/4HANA Cloud release.
BRTsNew	Changes to objects not yet assigned to any Business Role
BCsDeleted	Contains Business Catalogs that have been removed with SAP S/4HANA Cloud release and can’t be used any longer.
BRTsDeleted	Contains Business Role Templates that have been removed with SAP S/4HANA Cloud release and can’t be used any longer.
BCsPriceCategoryChanged	Contains Business Catalogs with changed user price category compared to previous SAP S/4HANA Cloud release.
AppsAdded	Contains newly added applications to Business Catalogs released with SAP S/4HANA Cloud release
AppTitlesRenamed	Contains applications with changed titles compared to previous SAP S/4HANA Cloud release.
AppsDeprecated	Contains applications that have been set to the status "deprecated" with SAP S/4HANA Cloud release.
AppsDeleted-Moved	Contains Business Catalogs from which applications have been deleted with SAP S/4HANA Cloud release. There's an entry in the spreadsheet for each deleted application. Note that this refers both to applications that have been removed from SAP S/4HANA Cloud, but also those that have been removed from a specific Business Catalog but may still exist in other Business Catalogs.
BCsRenamed	Contains Business Catalogs with changed descriptions compared to previous SAP S/4HANA Cloud release.
DepBCsAdded	Contains Business Catalogs to which dependent Business Catalogs were added with SAP S/4HANA Cloud release.
DepBCsRemoved	Contains Business Catalogs from which dependent Business Catalogs were removed with SAP S/4HANA Cloud release.
BCsDeprecated	Contains Business Catalogs that have been set to the status "deprecated" with SAP S/4HANA Cloud release.
RTsNew-Changed	Contains changes of restriction type assignments to Business Catalogs. This can be restriction types that have been newly assigned to a Business Catalog or restriction types that were assigned before SAP S/4HANA Cloud release but where the exposure has changed. For example, a restriction type was assigned for “Read” and is now also available for “Write”.
RTsDeleted	Contains Business Catalogs from which restriction types have been deleted with SAP S/4HANA Cloud release.
BGsChanges	Contains Business Catalogs with changes in the associated business groups compared to previous SAP S/4HANA Cloud release. It also contains business groups that have been deleted from a Business Catalog with SAP S/4HANA Cloud release.
BRTsRenamed	Contains Business Role Templates with changed descriptions compared to previous SAP S/4HANA Cloud release.
BRTsBCsAdded	Contains Business Role Templates to which Business Catalogs were added with SAP S/4HANA Cloud release.
BRTsBCsRemoved	Contains Business Role Templates from which Business Catalogs were removed with SAP S/4HANA Cloud release.

The second Excel file lists the IAM changes related to Business Roles only. This is the file we should focus on because we will insert our own data to create a true picture where we are in terms of IAM changes.

List of Worksheets	Content Explanation
ChangeHistory	Shows updates made to the spreadsheet after RTC
Customer_BRBC	App IAM Information System -> Business Role - Business Catalog: download the content and add it in this sheet
Customer_BR	Copy/Paste the columns Business Role and Business Role ID from sheet Customer_BRBC and remove duplicates (Data -> Remove duplicates)
Customer_BRBRT	App IAM Information System -> Business Role - Business Role Template: Download the content and add it in this sheet
BRsChanged	Overview of affected Business Roles by changes
BCsNew	Changes to objects not yet assigned to any Business Role, contains new Business Catalogs released with SAP S/4HANA Cloud release.
BRTsNew	Changes to objects not yet assigned to any Business Role
BCsDeleted	Contains Business Catalogs that have been removed with SAP S/4HANA Cloud release and can’t be used any longer.
BRTsDeleted	Contains Business Role Templates that have been removed with SAP S/4HANA Cloud release and can’t be used any longer.
BCsPriceCategoryChanged	Contains Business Catalogs with changed user price category compared to previous SAP S/4HANA Cloud release.
AppsAdded	Contains newly added applications to Business Catalogs released with SAP S/4HANA Cloud release
AppTitlesRenamed	Contains applications with changed titles compared to previous SAP S/4HANA Cloud release.
AppsDeprecated	Contains applications that have been set to the status "deprecated" with SAP S/4HANA Cloud release.
AppsDeleted-Moved	Contains Business Catalogs from which applications have been deleted with SAP S/4HANA Cloud release. There's an entry in the spreadsheet for each deleted application. Note that this refers both to applications that have been removed from SAP S/4HANA Cloud, but also those that have been removed from a specific Business Catalog but may still exist in other Business Catalogs.
BCsRenamed	Contains Business Catalogs with changed descriptions compared to previous SAP S/4HANA Cloud release.
DepBCsAdded	Contains Business Catalogs to which dependent Business Catalogs were added with SAP S/4HANA Cloud release.
DepBCsRemoved	Contains Business Catalogs from which dependent Business Catalogs were removed with SAP S/4HANA Cloud release.
BCsDeprecated	Contains Business Catalogs that have been set to the status "deprecated" with SAP S/4HANA Cloud release.
RTsNew-Changed	Contains changes of restriction type assignments to Business Catalogs. This can be restriction types that have been newly assigned to a Business Catalog or restriction types that were assigned before SAP S/4HANA Cloud release but where the exposure has changed. For example, a restriction type was assigned for “Read” and is now also available for “Write”.
RTsDeleted	Contains Business Catalogs from which restriction types have been deleted with SAP S/4HANA Cloud release.
BRTsRenamed	Contains Business Role Templates with changed descriptions compared to previous SAP S/4HANA Cloud release.
BRTsBCsAdded	Contains Business Role Templates to which Business Catalogs were added with SAP S/4HANA Cloud release.
BRTsBCsRemoved	Contains Business Role Templates from which Business Catalogs were removed with SAP S/4HANA Cloud release.

The worksheets of the file Delta_S4CE_BR_2402-2308.xlsx are divided into three groups:

Orange Colored Worksheets: were blank and for user input.
Green Colored Worksheets: show analysis results based on user input. In fact, only the worksheet BRsChanged is customer dependent. Other four worksheets are provided by SAP.
Gray Colored worksheets: store changed IAM information for the upcoming release.

Here is the idea of this Excel file. As the file name suggests, this file is to create a list of the Business Roles changed from 2308 to 2402, and the causes of the change. To achieve that, we need to create a list of existing Business Roles in the customer production system. Based on known facts from SAP, i.e., the changes in applications, Business Catalogs, Business Role Templates, Restriction Type assignments, we can create an impact list in the worksheet BRsChanged.

Here are the steps to create a list of changed Business Roles:

Step 1: open IAM Information System app. Go to Business Role - Business Catalog tab. This tab shows the relationship between Business Roles and underlining Business Catalogs. There are 1275 entries. Download the entire list to an Excel file by clicking the Export Table button. Copy the data into the worksheet Customer_BRBC.

Business Roles vs. Business Catalogs Tab

Step 2: Go to Business Role - Business Role Template tab. This tab shows the relationship between Business Roles and SAP delivered Business Role Templates. There are 49 entries. Download the entire list to an Excel file by clicking the Export Table button. Copy the data into the worksheet Customer_BRBRT.

Business Roles vs. SAP delivered Business Role Templates

Step 3: Go to the worksheet Customer_BRBC, copy the column Business Role and Business Role ID and paste to the worksheet Customer_BR. In the worksheet Customer_BR, remove duplicated entries to make a list of unique existing Business Roles. You can achieve this by following the command of Data → Data Tools → Remove Duplicates. The result is a list of Business Roles in the system. There are 51 entries in this case, a huge reduction from 1275 entries in the worksheet Customer_BRBC.

List of Existing Unique Business Roles in the System

Step 4: Based on your input, the embedded functions in the Excel file create the content of the worksheet BRsChanged. By opening the worksheet BRsChanged, we can see some Business Roles are changed and causes of the changes, such as BR_MAINT_SUPERVISOR; some Business Roles have no changes at all, such as BR_PRODN_OPTR_LEAN_MFG; some Business Roles are not derived from a Business Role Template but still got impact from Restriction Type change, such as YU_TEST_ROLE.

List of Changed Business Roles

Each column from C to O represents one of the available worksheets in the Excel file. These columns are divided into four categories, each category represents one object (I changed the color of categories for the easy viewing in the Excel worksheet):

Business Role Template (Columns C and D)
Business Role (Columns E to I)
App (Columns J to M)
Description Renamed (Columns N and O)

Row 3 gives a short description about what happened to that object. For example, Column C is for adding Business Catalogs to the Business Role Template; and Column D is for removing Business Catalogs from the Business Role Template. Row 4 displays the number of affected Business Roles by the change described in Row 3.

The entry “Yes” indicates that for this Business Role a change has occurred. By clicking on the cell, you can see an IF statement to identify if this Business Role is listed in the worksheet RTsNew-Changed:

=IF([@[Business Role ID]]="","",IF(COUNTIF('RTsNew-Changed'!A:A,CONCAT("*",A36,"*"))>0,"Yes","No"))

By clicking on the hyperlink name (Row 5), it jumps to the worksheet which contains more detailed information in a specific category, for example worksheet RTsNew-Changed.

To further utilize this worksheet for preparing the forthcoming upgrade, you can continue the following work on each category.

Category Business Role Templates, look at worksheets BRTsBCsAdded and BRTsBCsRemoved

In Column Business Role ID, use the filter to remove “Blanks” to see which Business Roles are affected by adding or removing Business Catalogs.

Category Business Role, look at worksheet RTsNew-Changed

Filter Business Roles existing in the Production Tenant (remove Blanks in the Business Role ID Column) and set filter in Column Type of Change to “New”. This displays all the Business Roles with newly assigned restriction types.
Set the filter in Column Phase-in to “No” to list Restriction Type changes which take effect immediately after the upgrade. If “Yes”, that means these changes won’t take effect immediately after the upgrade.
All unmaintained Restriction Types should be maintained directly after the upgrade (including Phase-In Restriction Types). The IAM Key Figures app can be used to check for undefined restrictions in P tenant.

Category App, look at worksheets AppsAdded, AppsDeprecated, and AppsDeleted-Moved

Filter out “Blanks” in the Column Business Role ID to identify those roles with the impact. The changes in Apps are mostly driven by the Business Catalog changes.
Before the upgrade, review the results in these worksheets with the business users to discuss the impact.

New Scopes (Optional service for Line of Business)

In worksheet AppsAdded, filter the Column Business Role ID to “Blanks” to see which apps are not assigned to any Business Role. Use Column Application Component to relate the Apps to the Line of Business.
In worksheet BRTsBCsAdded, filter the Column Business Role ID to “SAP_BR_BPC_EXPERT” to list all configuration Business Catalogs newly added with this release. Use the Columns Application Component2, Country2, Scope Items2 to relate the Business Catalogs to the Line of Business.
Before the upgrade, review the results in these worksheets with the business users to discuss the impact.

Conclusion

This blog explained general process of a major upgrade for the SAP S/4HANA Cloud Public Edition from the IAM perspective. Besides replacing deprecated business catalogs, your primary focus is to identify the to-be-changed Business Roles and plan on the changes after the upgrade. Close collaboration with business users is a must.

References

SAP Help: Manage Business Role Changes After Upgrade
SAP Activate Methodology: SAP S/4HANA Cloud identity and Access Management (IAM) Release Activities – 3SL
Blog: Using Restrictions to Enhance User Authorizations in the SAP S/4HANA Cloud, public edition
Blog: User Management in a Nutshell for the SAP S/4HANA Cloud, public edition
Blog: Review Business Role Changes before a Major Upgrade in the SAP S/4HANA Cloud Public Edition (this blog)
Blog: Review and Adapt Business Roles after a Major Upgrade in the SAP S/4HANA Cloud Public Edition

SAP IdM migration guidelines to help you on your upcoming IAM journey

2024-03-25T14:21:37.058000+01:00

Let me introduce to you the ROIABLE SAP IdM Migration Guidelines. Your one-stop information guide on important features, concepts and technicalities around an SAP IdM migration. With 94 topics covered, the guide encapsulates 15 years’ experience of SAP IdM implementations, operations, and enterprise support.

The content is future product agnostic, meaning you should be able to apply the explained concepts to any selected IAM of choice. Surely some will have advantages over others in certain areas, but using the above comprehensive guide, you will, at least, be able to ask all the right questions, when it comes to selecting the successor of SAP IdM.

Each topic is structured similarly, color-coded based on the category which it fits. The top left part is reserved for its number, name, and abbreviation. On the left, you can find a summary of its usage within the scope of SAP IdM, while on the right is a recommendation of how this particular topic should be migrated or not onto your future IAM platform. At the bottom you can find related topics to continue browsing the document or respectively return to the overview slide using the home button.

The various topics covered spread over 10 categories, which only shows the wide diversity to be considered when taking care of your SAP IdM migration. The document is still work in progress, but there are already released topics, which you can find here.

Stay tuned for the full release and its respective announcement. Till then, make sure to check the link above regularly for newly uploaded content.

Retain investment, stay compliant and embrace the cloud!

Integrating IBM Security Verify with SAP Cloud Identity Services in SAP BTP

2024-04-02T10:29:43.856000+02:00

This blog delves into the technical aspects of integrating IBM Security Verify with SAP Cloud Identity Services (CIS) in SAP Business Technology Platform (BTP) as a proxy.

SAP CIS offers a suite of solutions for managing user identities, access controls, and application integrations across the IT landscape. Conversely, IBM Security Verify provides identity governance, workforce and Customer Identity Access Management (CIAM), and privileged account controls through automated, cloud-based, and on-premises capabilities. By integrating these platforms, organisations can leverage their combined strengths to establish a secure business environment. This integration enhances operational control, regulatory compliance, and user experience in the digital era.

IBM Security Verify supports various authentication methods, including passwordless, fingerprints, and one-time passcodes, ensuring flexibility and robustness against unauthorised access. Meanwhile, SAP Cloud Identity Services serves as a comprehensive Identity and Access Management solution which is available in SAP BTP.

The integration process involves configuration updates in SAP CIS and IBM Security Verify to enable authentication utilising standard protocols supported by both components, such as SAML 2.0. Organisations must ensure they have the necessary admin privileges or access rights for editing configurations before initiating the integration procedure. Collaboration between the organisation and SAP is required for the integration, with most of the effort undertaken by the organisation.

Reference Architecture

The diagram represents a SAP Cloud Identity Service that integrates with IBM Security Verify though which various SAP BTP application(s), SAP SaaS solution(s) and on-premises application(s) can be accessed. It demonstrates user sign-in via IBM Security Verify which allow possible passwordless, bio-metric or multi-factor authentication (MFA) using mobile devices for fast application access and pleasing user-experience.

Prerequisites

SAP Cloud Identity Services(for trial instance check this link)
IBM Security Verify (for trial instance check this link)
A smartphone with IBM Security Verify App

Configurations and Settings in IBM Security Verify

When a user logs in, home screen as shown below will be displayed.

Now on the left panel, click on "Applications" under "Applications". On the right side of the screen, there is an “Add application” button. Click on it.

Fill the necessary details under “General” section as below and save the details.

Before we go further, let’s log into SAP BTP account and you will be navigated on SAP BTP Cockpit. As suggested below, navigate to the “Instances and Subscriptions” tab, which is under “Services”.

Upload the metadata file which you have recently saved on your device to IBM Verify dashboard

Configurations and Settings in SAP Cloud Identity Services

Now, get back to SAP BTP and navigate to “Instances and Subscriptions.”

Now, enable the “Cloud Identity Services” if it’s not and once done it will be accessible as below:

Once you click on “Cloud Identity Services”, you will be redirected to the login screen of the SAP authentication screen as shown below

After successful login, you can see the home screen of Cloud identity service. Go to the “Identity Providers” as highlighted below

Click on the Corporate Identity providers and create new identity provider

Once the new identity provider is added successfully, click on the identity provider type and select SAML 2.0 compliant as shown below

Go to the SAML configuration section and fill in the information as shown below.

You can browse the “Metadata” file from your device once you download it from IBM Security Verify dashboard. Go to “Sign on” section of the application and on the right side of the screen, download the file from the given URL and upload the same in SAP Cloud Identity Service as highlighted below:

Click on the Trusting application section and add SAP BTP trial sub-account.

Now, navigate back to SAP BTP cockpit and establish the trust configuration which is under “Security” section for the cloud identity application as shown in the below screenshots.

Select “Establish Trust”

You will see the below steps once you click on establish trust. As a first step, choose tenant and click on next.

After selecting a tenant in the next step choose the domain for your SAP Cloud identity services application.

Click on the next button and configure parameters as shown in below screenshot.

Click on the next button and make a final review of the setup you have done while establishing the trust. Then click on the finish button and save the details.

Once done, you can see the new active trust configuration as shown below.

To provide access to the user, click on the Users section which is inside the “Security” section on the left menu.

Click on the user and assign role collection to the user as shown below.

You can select different roles and assign them to the user. Here we have added three roles to the user. After selecting all the roles, click on the “Assign role collection” button and save the details.

We have completed the configurations in IBM Security Verify and SAP Cloud Identity Services. Let’s test it now by opening the SAP business studio application as shown below.

How does it work? Let’s Check.

Log into SAP BTP Cockpit and Navigate to “Instances and Subscriptions” under “Services” as highlighted below:

It will redirect to the sign in options screen of the SAP. Here, select SAP cloud identity service as an identity provider.

Once you select, it will redirect to the verify sign in option screen for a authentication. Here you can select a different sign in option for Verify or can log in with IBM id/Cloud directory.

Enter your IBMid for log in and click the continue button.

It will redirect you for w3 authentication screen where you can enter your w3 id & password.

Once you click on sign in, you will see below screen of SAP business application studio.

Click on the “OK” button and you will be redirected to the SAP Business Application Studio home screen.

Conclusion

To summarise, combining IBM Security Verify with SAP Cloud Identity Services via SAML 2.0 provides a strong solution for organisations wishing to:

Enhance security: By implementing multi-factor authentication and centralised user management, businesses may greatly minimise the risk of unauthorised access to vital data and applications.

Improve the user experience: SAML 2.0 integration offers single sign-on, which allows users to access various applications with a single login, eliminating login fatigue and increasing overall user experience.

Simplify identity management: Consolidating identity management across several platforms allows organisations to streamline administration operations and reduce the complexity of managing user access.

Overall, this integration enables organisations to achieve a balance between strong security and a user-friendly interface, building trust and confidence in this digital era.

Streamlining User Provisioning from IBM Verify to SAP Cloud Identity Services

2024-05-08T12:57:02.652000+02:00

SAP Cloud Identity Services (CIS), part of SAP BTP, can be used to integrate Identity Access Management (IAM). In our last blog, we discussed the integration of SAP Cloud Identity Services (CIS) with IBM Security Verify, and now we're taking the next step in this integration. User provisioning is the process of setting up new user accounts in a system or application. In this blog, we will explore a common use case - - transitioning user provisioning from IBM Verify to SAP Cloud Identity Services, and how this transition can streamline operations and enhance security.

The Challenge of User Provisioning

User provisioning is the process of granting and controlling access to resources within an organisation’s information technology infrastructure. Historically, on-boarding or off-boarding users has been a laborious and time-consuming procedure that frequently required numerous processes across multiple systems. As businesses embrace cloud solutions, the complexity of user provisioning has grown, necessitating automated and integrated approaches.

Transitioning from IBM Verify to SAP Cloud Identity Services

IBM Verify is a comprehensive identity and access management system that includes multi-factor authentication (MFA) and adaptive access control, while SAP Cloud Identity Services offers identity lifecycle management, single sign-on (SSO), and access governance features. Integrating these two systems can help organisations automate and streamline user provisioning operations, while also improving security and user experience.

How does it work?

The diagram shows that IBM Security Verify acts as a central user management system. It creates user accounts and manages their attributes, and also provisions them (or creates them) in SAP Cloud Identity Services, potentially syncing relevant user attributes. Selected attributes from Verify are mapped to specific target attributes in SAP Cloud Identity Services, ensuring consistent user information across both systems. SCIM, a standardised protocol, enables communication between Verify and SAP Cloud Identity Services. On the left side of the diagram, IBM Security Verify acts as a SCIM server, receiving requests for user management and then modifying the target directory as needed. This streamlines user creation and ensures consistent user information across both systems.

Prerequisites

SAP Cloud Identity Services (for trial instance check this link)
IBM Security Verify (for trial instance check this link)
A smartphone with IBM Security Verify App

Configurations and Settings in IBM Security Verify and SAP Cloud Identity Services

Log into IBM Security Verify as an administrator

When a user logs in, the home screen as shown below will be displayed.

On the left panel, click on "Applications" under "Applications". On the right side of the screen, there is an “Add application” button. Click on it.

Fill in the necessary details under “General” section as below and save the details.

Before we go further, let’s log into SAP BTP account and you will be navigated on SAP BTP Cockpit. As suggested below, navigate to the “Instances and Subscriptions” tab which is under “Services.”

You have to enable the cloud identity services application.

Once enabled, it will look as below. Now, click on Cloud Identity Services application and you will be redirected to the login screen of the SAP authentication screen as shown below.

After a successful login, you can see the home screen of Cloud identity Services. Go to the “Identity Providers” as highlighted below :

Click on the Corporate Identity providers and create new identity provider.

Once the new identity provider is successfully added, click on the identity provider type and select SAML 2.0 compliant, as shown below:

Go to the SAML configuration section and fill in the information as shown below:

You can browse the “Metadata” file from your device once you download it from IBM Security Verify dashboard. Go to the “Sign on” section of the application and on the right side of the screen, download the file from the given URL and upload the same in SAP Cloud Identity Services as highlighted below:

Click on the Trusting application section and add SAP BTP trial subaccount.

Establish the trust configuration, which is under the “Security” section for the cloud identity application as shown in the below screenshots.

You will see the below steps once you click on establish trust. In the first step, choose tenant and click on the next.

After selecting a tenant, choose domain for your SAP Cloud Identity Services application.

Click on the next button and configure parameters as shown in the below screenshot.

Click on the next button and review the setup that you have done while establishing the trust. Finally, click on the finish button and save the details.

Once done, you can see the trust new active trust configuration as shown below:

Now go back to IBM Security Verify and click on “Sign-on” section, then select “Use metadata” checkbox. It will allow us to upload the metadata file which we have downloaded from SAP BTP as shown below:

Upload the metadata file which you have recently saved on your device to IBM Verify dashboard.

Now go to the “Account lifecycle” tab and add SCIM URL, Username and password detail as shown in below image. You can get all the details from SAP Cloud Identity Services application page.

To get SCIM URL, go to SAP CIS and get the URL details from the browser and add “SCIM” at the end of URL.

After adding the above details, scroll down and you can see “Attribute mapping” section. Click on the checkbox for which attribute you want to map from IBM Verify to SAP CIS and want to keep updated. Here we have checked email. Save this detail once changes are completed.

We have completed the configurations in IBM Security Verify and SAP Cloud Identity Services. Let’s add user with attribute into Verify and check if it is mapped to Cloud Identity Users dashboard.

Go to the Users tab under the “Directory” section on the left side of the verify dashboard and click on the “Add User” button as shown in below screenshot.

Fill out the necessary information for the user as mentioned in the below image and click on the “Save” user tab.

Scroll down and you can add more detail about the user. Here we have added an email ID, mobile number and user company details.

Once done, click on the Save button and the user detail will be saved.

Open the Cloud Identity Services application and go to the user section to check whether the newly-created user from Verify is mapped.

Click on the “Instance and subscription” section from the “Services” section on the left menu, and once the application list is shown, click on the Cloud Identity Services application as shown below.

When the new application is loaded, click on the “User Management” tile and all the user list will be displayed.

As you can see in the below screenshot, a new user is created, which is added from Verify and mapped into SAP Cloud Identity Services. Also, the user detail is mapped into Cloud Identity Services.

Conclusion

Effective user provisioning is critical to maintaining security, compliance, and operational efficiency. Centralising identity management, improving security, and streamlining administration activities enables organisations to successfully manage user identities and access controls across their entire IT infrastructure. Embracing integrated identity management solutions is more than just convenient - - it is a strategic need for businesses looking to flourish in an increasingly linked and security-conscious environment.

More information:

Refer to our another blog on SAP Cloud Identity Service integration with IBM Security Verify.

If you have any question or query about SAP BTP please refer to SAP Community and for any question or query about IBM Security Verify refer to IBM Security Verify Community

[SSO] [SF] (Single Sign-On) for SAP SuccessFactors

2024-05-11T06:44:44.370000+02:00

IAS Tenant preparation: Log onto Identity Authentication service

Navigate to Identity provisioning > Source > Properties > sf.user.filter make it (active eq "true")
Navigate to Identity provisioning > Source > Outbound Certificates and make sure that the certificate is valid, if not generate a new one and delete the old one and activate the automatic generation
Go to Identity provisioning > Target > Outbound Certificates and make sure that the certificate is valid, if not generate a new one and delete the old one and activate the automatic generation

Note: If the IAS tenant links were not provided from SAP, you can activate from the Upgrade Center, and after completing the configuration, testing and activation will be done again from the Upgrade Center

Created trust between Azure Active Directory and Identity Authentication service

Step 1: Download Identity Authentication service tenant metadata

Navigate to Applications and resources > Tenant Setting > Single Sign-On > SAML 2.0 Configuration and download the IAS Meta data file

Download the metadata file.

Step 2: Create enterprise application in Azure Active Directory

Navigate to the Enterprise applications, Click New application.

Azure Active Directory has templates for a variety of applications, one of them is the SAP Cloud Platform Identity Authentication Service. Search for this and select it.

A new column on the right side will appear to give the application a name. Give the application a name and click Add.

Go to Single sign-on and select SAML as Single-Sign On method.

STEP 3: Upload the IAS tenant metadata file you get from the step 1

Select the application you just created, Click Upload metadata to upload the metadata file from Identity Authentication service.

All the details are now taken from the metadata file. There’s nothing to do for you other than saving the details. Therefore, click Save.

STEP 4: Download single sign-on metadata from Azure Active Directory

Download the federation metadata as shown below.

With this information we can setup the trust between Azure Active Directory and Identity Authentication service.

Step 5: Create corporate identity provider in IAS

Go back to IAS and navigate to Identity provider > Create > Microsoft ADFS / Entra AD (SAML 2.0) Type

STEP 6: Upload Azure Active Directory federation metadata file

Click SAML 2.0 Configuration and to upload the recently downloaded federation metadata from Azure Active Directory.

Choose the file from your local file system.

All fields below are automatically going to be filled due to the information provided through the uploaded file.

Click Save at the top of the page.

STEP 6: Add a new user in the Users and groups Microsoft Azure application

Go back to your overview of enterprise applications in Microsoft Azure AD and click your application. Add a new user by clicking Add user in the Users and groups submenu, as shown on the screenshot.

By hitting the result tile, you select the user, which should appear under Selected members panel. Finish your user assignment with clicks on Select and Assign.

Congrats Now you created trust between Azure Active Directory and Identity Authentication service.

IAS Tenant Final Preparation:

Navigate to Identity provisioning > Source > Jobs and run now read job to get all users from SF then schedule the job for future new hires.

Navigate to Applications and resources > Applications > SuccessFactors > Conditional Authentication and create a rule for all domains you need it to access the system from the identity provider you created... this step will define the domains witch will access as SSO, any other domain will access from the default identity provider.

Set the Default Identity Provider as Identity Authentication.

Navigate to Identity provider > Identity Federation > switch On Use Identity Authentication user store and Switch On User Access

Now you can test and be sure that the user you are try to test with is already added to the SF tenant.

Hope you enjoy the process.

Thanks

Ahmed Aranda

Your Sherlock Homes - How to Find Missing Business Catalogs?

2024-05-17T04:13:00.535000+02:00

Introduction

In my previous blogs (see references), I talked about Business Catalogs, Business Roles and Fiori application authorizations; the concept and what to do during an upgrade. While browsing the questions raised in the SAP Community, one question got my attention (I borrowed the title to be my blog title):

Hello!

I'm looking for business catalogs below.

According to the Fiori Apps Reference Library, they are necessary for accessing some apps we want to use. However, even scope item (2XT) is activated, they aren't show on the business roll setting screen.

Could someone tell me how to find or set up missing business catalogs?

-----------------------------------------------------------------------------------------------

Missing Catalogs and Application that we would like to use↓

Catalogs:

SAP_MM_BC_CPO_PROCESS_PC

SAP_PRC_BC_PURCHASER_CPC

SAP_PRC_BC_PURCHASER_CRFQ

SAP_PRC_BC_PURCHASER_SRC

Applications:

F3292 'Manage Purchase Orders Centrally'

F6634 'Manage Central Supplier Confirmations'

F3676 'Monitor Purchase Order Items Centrally'

F3144 'Manage Central Purchase Contracts'

In summary, here is this community member’s ask: I want to access four purchase related apps. They are supposed to be controlled by four business catalogs, but I cannot find those business catalogs in my system.

I put on Sherlock Holmes’ hat, rolled up my sleeves and started a quick investigation.

Step 1: Conduct Investigation in the SAP Fiori Apps Reference Library

Whenever talking about Fiori apps, their functions as well authorizations to them, the SAP Fiori Apps Reference Library is my first resource. By browsing through SAP Fiori Apps Reference Library, I can find the Business Catalogs and Business Role Templates associated with these four apps, listed in the below table.

App	Business Catalogs	Business Role Templates
F3292 'Manage Purchase Orders Centrally'	SAP_MM_BC_CPO_PROCESS_PC	SAP_BR_CENTRAL_PURCHASER
F6634 'Manage Central Supplier Confirmations'	SAP_MM_BC_CSC_PROCESS_PC	SAP_BR_CENTRAL_PURCHASER
F3676 'Monitor Purchase Order Items Centrally'	SAP_MM_BC_CPO_PROCESS_PC	SAP_BR_CENTRAL_PURCHASER
F3144 'Manage Central Purchase Contracts'	SAP_MM_BC_CPC_PROCESS_PC SAP_MM_BC_CRFQ_PROCESS_PC SAP_MM_BC_SRC_PROCESS_PC	SAP_BR_CENTRAL_PURCHASER SAP_BR_SOURCING_MANAGER

This investigation reveals the following:

3 out of 4 apps can be accessed if a user has a Business Role created from the template SAP_BR_CENTRAL_PURCHASER, although each app requires one or more different Business Catalogs.
All Business Catalogs have a prefix of SAP_MM_BC_xxx. None of them has a prefix of SAP_PRC_BC_PURCHASER_xxx. Where are the later ones coming from?
The App Manage Central Purchase Contracts can be accessed by assigning a Business Role derived from either one of two Business Role Templates; and three Business Catalogs grant the access to the app.
There are four unique Business Catalogs listed above.
A Business Role derived from the template SAP_BR_CENTRAL_PURCHASER can access 44 apps, including the four apps in our investigation. This is a super Business Role Template.

Step 2: Conduct Investigation in A Starter System

There are only three Business Role Templates available in a brand-new SAP S/4HANA Cloud Public Edition system. Only after you activated the scopes in the Central Business Configuration (CBC) system, the relevant Business Catalogs and Business Role Templates are transferred from the CBC to the Customization (D-100) and Development Tenants (D-080) of the Development System.

To prepare the Fit-to-Standard Workshop or explore the potential features of the SAP S/4HANA Cloud Public Edition, users activate as many scopes as possible on the Starter System. So, this is the place I will investigate the existence of these Business Catalogs and Apps.

In my Starter System, I have 2198 Business Catalogs, and 260 Business Role Templates. This is more than enough for the investigation.

By using the Business Catalogs app, I found the following:

Three out of four unique Business Catalogs exist in the system, except SAP_MM_BC_SRC_PROCESS_PC.
Considering the Business Catalog SAP_MM_BC_SRC_PROCESS_PC is marked as deprecated from Release 2402 (see below), I don’t need to pay further attention to it.
The Business Catalog SAP_MM_BC_CPO_PROCESS_PC controls five applications, including F3292 Manage Purchase Orders Centrally and F3676 Monitor Purchase Order Items Centrally.

By using the Business Role Templates app, I found the following:

The Business Role Template SAP_BR_CENTRAL_PURCHASER has ten Business Catalogs assigned:

Commodity Management - Commodity Code Migration: SAP_CMM_BC_CMMDTY_MIGRTN_PC

Commodity Management - Commodity Pricing Configuration: SAP_CMM_BC_PRICING_CONFIG_PC

Master Data - Product Display: SAP_CMD_BC_PRODUCT_DSP_PC

Master Data - Supplier Display: SAP_CMD_BC_SUPPLIER_DSP_PC

Material Management - Central Purchasing Analytics: SAP_MM_BC_PUR_CNTRL_ANA_PC

Material Management - Central Supplier Confirmations: SAP_MM_BC_CSC_PROCESS_PC

Materials Management - Central Purchase Contracts: SAP_MM_BC_CPC_PROCESS_PC

Materials Management - Central Purchase Orders: SAP_MM_BC_CPO_PROCESS_PC

Materials Management - Central Purchase Requisitions: SAP_MM_BC_CPR_PROCESS_PC

Materials Management - Central Quotation Processing: SAP_MM_BC_CRFQ_PROCESS_PC

The Business Role Template SAP_BR_SOURCING_MANAGER has five Business Catalogs and all of them have been declared as Deprecated in Release 2402. For that reason, I can suspect this Business Role Template will be deprecated soon as well. In other words, we don’t need to spend any effort on it.

Step 3: Check SAP Note 2975653

Until now I am quite comfortable about which Business Catalog and Business Role Template grant access to these four apps. However, I still don’t have a clue about three Business Catalogs starting with SAP_PRC_BC_PURCHASER_xxx. Is it possible these are the old names, and there are replacement Business Catalogs?

To answer this question, I use the SAP Note 2975653 Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud. This is a central note. For each major release, there is a subsequent note about changes made at that release, from Release 1911 to 2402. One important feature of these notes is an Excel attachment, which lists all the changes made in the areas of Business Catalogs and Business Role Templates (new, changed, deprecated). For example, for 2402 Release, the Excel file is Delta_S4CE_2402-2308.xlsx.

After downloading all the relevant Excel files, I did a search. There are still no Business Catalogs like SAP_PRC_BC_PURCHASER_xxx listed in any of these files. Now I can draw a conclusion that these Business Catalogs might not be there from the beginning, or at least after Release 1911.

Business Catalog SAP_MM_BC_CPO_PROCESS_PC is listed in several Excel files when it contributes to certain Business Role Templates. This proves this Business Catalog is well and alive.

Conclusion

With above investigation, my conclusions are:

Business Catalogs SAP_PRC_BC_PURCHASER_xxx don’t exist, at least from Release 1911.
To access these four apps, just derive a Business Role from the template SAP_BR_CENTRAL_PURCHASER. It has all necessary Business Catalogs to access these apps.
Four unique Business Catalogs provide the access to all four apps:
- SAP_MM_BC_CPO_PROCESS_PC
- SAP_MM_BC_CSC_PROCESS_PC
- SAP_MM_BC_CPC_PROCESS_PC
- SAP_MM_BC_CRFQ_PROCESS_PC

References

Blog: Review Business Role Changes before a Major Upgrade in the SAP S/4HANA Cloud Public Edition

SAP Community - SAP Identity Management

IAS for ONB2.0 New Hires - 1 (upgrade OData to SCIM)

IAS for ONB2.0 New Hires – 3 (Transformations)

Efficient Employee Grouping in SAP SuccessFactors: Custom Attribute-based Identity Provisioning

{ "condition": "($.custom15 == 'Yes')", "constant": "MFAGROUP", "targetPath": "$.groups[0].value" }, { "condition": "($.custom15 != 'Yes')", "constant": "NO_MFA", "targetPath": "$.groups[0].value" },

Secure your SuccessFactors to IAS/IPS integration by migrating to mTLS cert based authentication

From A to Z: Setup a Starter System of the SAP S/4HANA Cloud, public edition

Introduction

Starter System Landscape

Starter System Landscape

Initial Admin User and System Users

Roles Played by SAP Cloud Identity Services

CBC Tenant Technical Configurations for Starter System

Step 1 - Activate the Initial Admin User in SAP Cloud Identity Services (email)

Step 2 - Configure the Trust Relationship in the IAS Tenant to the SAP CBC Sub-account

Step 3 – Create A “System as a Technical User Administrator” in the IAS tenant

Step 4 - Create Source and Target Systems in IPS

Step 5 - Push Roles from the CBC into IAS as Groups

Step 6 - Provision the Initial Admin User to the CBC Tenant

Step 7 - Login to CBC as the Initial Admin User

Common CBC User Logon Errors

Step 8 - Create Business Users in the Starter System

CBC Project Configurations for Starter System

Create a Starter System Customizing Project

Define Scope Activity

Assign Deployment Target Activity

Confirm Scoping is Completed Activity

Specify Primary Finance Settings Activity

Set Up Organizational Structure Activity

Confirm Scope and Organizational Structure Phase is Completed Activity

Check the Master Data

Create Starter System Development Project

Conclusion

Unleashing the Power of Cloud: A Fun Guide to Automating User Administration - SAP Best Practices Identity Lifecycle Service (IDLS) for SAP Cloud Identity Services (SCI)

Why You Should Jump On Board!

How This Magic Works:

Peek Into A Sample Spellbook:

Predefined Script Functions

patchValues

getValueByEntry

addUserToGroup

deleteUserFromGroup

deleteUser

deleteGroup

getGroups

Prerequisites

The Inside Scoop

How to handle “usernames”, “Global User IDs” and “external IDs” in your landscape?

What is the difference between these attributes and when to use them?

Best practices:

You can find more details in the links bellow:

Using Restrictions to Enhance User Authorizations in the SAP S/4HANA Cloud, public edition

Introduction

A Quick Review of Restrictions

Authorization Hierarchy and Restrictions

Access Restrictions with Three Apps

Maintain User Roles App

IAM Information System App

Display Restriction Types App

Maintain Restrictions

An Example of Using Restrictions

Business Scenario

Understand Restrictions in a Business User Role

Display Restriction Types App

Mass Change Restriction Values

Conclusion

SAP ASE HADR Setup for IDM

Configuring SAP Adaptive Server Enterprise HADR for SAP Identity Management 8.0

Introduction

SAP IDM System Installation on Primary and Secondary Hosts:

Installing SAP NetWeaver 7.5 Java “Standard System”

Installing “SAP ASE Database instance for SAP Identity Management System”

Installing SAP Identity Management 8.0 “Standard System”

Shutdown the Java instance (excluding database) on the Standby Host

Installing SAP ASE Data Movement Option

Installing SAP ASE Data Movement Option for the SAP ASE used for SAP NetWeaver Java instance

Installing SAP ASE Data Movement Option for the SAP ASE used for SAP IDM instance

Configuring HADR on Primary Hosts

Prepare response file for executing setuphadr

Execute setuphadr tool to configure HADR on Primary ASE for J50 instance

{
"condition": "($.custom15 == 'Yes')",
"constant": "MFAGROUP",
"targetPath": "$.groups[0].value"
},
{
"condition": "($.custom15 != 'Yes')",
"constant": "NO_MFA",
"targetPath": "$.groups[0].value"
},