C_S4CPR_2408 System Landscapes and Identity Access Management

System Landscapes and Identity Access Management Detailed Explanation

System Landscapes and Identity Access Management (IAM) focuses on understanding the architecture of SAP S/4HANA Cloud and managing user roles and access securely.

  1. SAP System Landscapes – How the SAP environment is structured.
  2. Identity and Access Management (IAM) – How to manage users, roles, and system access effectively.

4.1 SAP System Landscapes

A system landscape in SAP refers to the arrangement of different systems required to implement, test, and run SAP S/4HANA Cloud. This architecture ensures a smooth and controlled deployment while enabling configuration, testing, and live operations.

4.1.1 Overview of System Landscape in Cloud ERP

SAP S/4HANA Cloud Public Edition uses a three-system landscape (3SL) for implementation and operations. A temporary Starter System is used earlier, in the Explore phase, and nothing is transported from it. Each of the three systems serves a specific purpose:

  1. Development System (DEV):

    • The DEV system is where all configurations and extensibility activities take place.
    • Key tasks include:
      • Configuring business processes using SAP Central Business Configuration (CBC).
      • Setting up workflows, master data structures, and organizational hierarchies.
      • Building extensions (e.g., adding custom fields) without modifying standard code.

    Example Task: Configuring a new Approval Workflow for purchase requisitions.

  2. Quality Assurance System (QAS):

    • The QAS system is used for testing and validating configurations and processes before moving to production.
    • Key tasks include:
      • Testing configured business processes (e.g., procurement workflows).
      • Conducting User Acceptance Testing (UAT) with end-users.
      • Identifying and resolving issues through iterative fixes.

    Example Task: Validating that a purchase order (PO) approval workflow functions correctly by simulating different approval steps.

  3. Production System (PRD):

    • The PRD system is the live environment where real business transactions occur.
    • Key characteristics include:
      • Used by end-users to perform day-to-day operations (e.g., create purchase orders, post invoices).
      • Real business data is processed here; configuration changes and testing are never done directly in PRD.
    • Any fix or change is made in DEV, validated in QAS and only then transported to PRD.

    Example Task: Posting a supplier invoice after goods have been received in the live environment.

Key Takeaways for Beginners:

  • The three-system landscape ensures changes are thoroughly tested before they affect live operations.
  • Changes flow sequentially: DEV → QAS → PRD.

4.1.2 Central Business Configuration (CBC)

SAP Central Business Configuration (CBC) is a cloud-based tool used to configure SAP S/4HANA Cloud. It centralizes the setup process and ensures consistency across the system landscape.

Key Features of CBC:
  1. Guided Configuration Steps:

    • CBC provides step-by-step guidance to configure business processes.
    • Example: Configuring the procurement workflow or organizational hierarchy.
  2. Cross-System Configuration Consistency:

    • Configuration is maintained once, in CBC, and deployed to the Development System; it reaches QAS and PRD only through transports, so all three systems carry the same settings and no system is configured by hand.
    • Ensures uniformity across the system landscape.
  3. Change Management for Iterative Configurations:

    • CBC allows you to manage configurations in iterations (phases).
    • Example: Configure core procurement processes first and later add advanced features.

4.1.3 Transport Mechanism

The transport mechanism refers to the process of moving configurations and changes from one system to another in a controlled manner.

How the Transport Mechanism Works:
  1. Development System (DEV):

    • All configurations, enhancements, and changes are performed in DEV.
  2. Quality Assurance System (QAS):

    • Changes are transported from DEV to QAS for testing.
    • Functional and user acceptance testing (UAT) is performed here.
  3. Production System (PRD):

    • Once tested and approved in QAS, the changes are transported to PRD.
    • Changes become live and are used for real business operations.
Key Steps in the Transport Process:
  1. Perform changes in the DEV system.
  2. Record the changes in a transport request, which documents what is being moved and by whom.
  3. Export the request from DEV and import it into QAS (in SAP S/4HANA Cloud Public Edition via the Export Customizing Transports and Import Collection apps), then validate it through testing.
  4. After a separate approval, import the same request into PRD. The transport path is the change-control boundary of the landscape: the person who builds a change should not be the one who releases it to production, and nothing bypasses the path.

4.2 Identity and Access Management (IAM)

Identity and Access Management (IAM) ensures that users can securely access SAP S/4HANA Cloud based on their roles and responsibilities. It also ensures compliance with data protection and security policies.

4.2.1 SAP Identity Authentication Service (IAS)

SAP Identity Authentication Service (IAS) is the identity provider for SAP cloud services. It authenticates users itself or delegates to a corporate identity provider, and issues the SAML 2.0 or OpenID Connect assertions that SAP S/4HANA Cloud trusts.

Key Features of IAS:
  1. Single Sign-On (SSO):

    • Enables users to log in once and access multiple SAP systems and applications seamlessly.
    • Reduces the need to remember multiple passwords.
  2. Integration with Corporate Identity Providers:

    • SAP IAS can act as a proxy to a corporate identity provider such as Microsoft Entra ID (formerly Azure Active Directory) over SAML 2.0 or OpenID Connect.
    • Users sign in with their existing corporate credentials, and the corporate identity provider's policies (password rules, MFA, conditional access) apply to SAP logons as well.
  3. Enhanced Security:

    • Supports multi-factor authentication (MFA) and risk-based authentication rules, so that MFA can be required for, or logon denied to, particular user groups or logons from outside approved IP ranges.

4.2.2 SAP Identity Provisioning Service (IPS)

SAP Identity Provisioning Service (IPS) automates the creation, update and removal of user accounts, and of their group and role assignments, across SAP and non-SAP systems from an authoritative source such as the corporate directory or HR system.

Key Features of IPS:
  1. Automated User Provisioning:

    • Creates the business user in each target system and derives role or group assignments from source attributes such as department or job function.
    • Example: Assign the “Buyer” role to all users in the procurement department.
  2. De-Provisioning of Users:

    • Locks or deletes accounts and removes role assignments when employees leave or change department. An account that outlives its owner's HR record is the classic orphaned-access audit finding, so leavers must be handled by the same automated run as joiners.
  3. Synchronization Across Systems:

    • Users and their group and role assignments are kept consistent between the source (e.g. the corporate directory) and the SAP and non-SAP targets.
    • Example: A department change in Microsoft Entra ID (formerly Azure AD) is reflected in the user's business roles in SAP S/4HANA Cloud.
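The joiner/mover/leaver logic that a provisioning run has to perform, as an added example in Python. It is not SAP code and not how IPS is configured (IPS works from SCIM sources and transformation rules); the HR feed, the SAP user list and the department-to-role mapping are constructed, and only SAP_BR_BUYER and SAP_BR_AP_ACCOUNTANT are real SAP-delivered role IDs.

```python
"""Joiner/mover/leaver reconciliation, the logic an IPS-style provisioning
run performs. Added example, not SAP code: the HR feed, the SAP user list
and the department-to-role mapping are constructed sample data."""
from dataclasses import dataclass, field

# Hypothetical department -> business role mapping. SAP_BR_BUYER and
# SAP_BR_AP_ACCOUNTANT are SAP-delivered role IDs; the mapping is assumed.
DEPARTMENT_ROLES = {
    "Procurement": {"SAP_BR_BUYER"},
    "Finance": {"SAP_BR_AP_ACCOUNTANT"},
}


@dataclass
class HrRecord:            # one row of the authoritative source (HR feed)
    user_id: str
    department: str
    active: bool


@dataclass
class SapUser:             # one business user as found in the target system
    user_id: str
    roles: set
    locked: bool = False


@dataclass
class Plan:                # actions the provisioning run would execute
    create: dict = field(default_factory=dict)   # joiner -> roles to grant
    grant: dict = field(default_factory=dict)    # mover  -> roles to add
    revoke: dict = field(default_factory=dict)   # user   -> roles to remove
    lock: set = field(default_factory=set)       # leavers to lock
    orphaned: set = field(default_factory=set)   # SAP users with no HR record


def reconcile(hr, sap):
    plan = Plan()
    sap_by_id = {u.user_id: u for u in sap}
    hr_ids = {r.user_id for r in hr}
    for rec in hr:
        wanted = DEPARTMENT_ROLES.get(rec.department, set())
        target = sap_by_id.get(rec.user_id)
        if not rec.active:
            # Leaver: lock the account and strip every role (de-provisioning).
            if target is not None and (not target.locked or target.roles):
                plan.lock.add(rec.user_id)
                if target.roles:
                    plan.revoke[rec.user_id] = set(target.roles)
            continue
        if target is None:
            plan.create[rec.user_id] = set(wanted)      # joiner
            continue
        missing = wanted - target.roles                 # mover: add new roles
        extra = target.roles - wanted                   # ...and drop old ones
        if missing:
            plan.grant[rec.user_id] = missing
        if extra:
            plan.revoke[rec.user_id] = extra
    # Accounts with no HR record must be surfaced for review, never kept silently.
    for user_id, user in sap_by_id.items():
        if user_id not in hr_ids and not user.locked:
            plan.orphaned.add(user_id)
    return plan


def sample_plan():
    """Constructed data: a mover (bob), a leaver (carol), a joiner (dave)
    and an orphaned account (erin)."""
    hr = [
        HrRecord("alice", "Procurement", True),
        HrRecord("bob", "Finance", True),         # moved from Procurement
        HrRecord("carol", "Procurement", False),  # left the company
        HrRecord("dave", "Finance", True),        # new hire, no SAP user yet
    ]
    sap = [
        SapUser("alice", {"SAP_BR_BUYER"}),
        SapUser("bob", {"SAP_BR_BUYER"}),         # still carries the old role
        SapUser("carol", {"SAP_BR_BUYER"}),       # never de-provisioned
        SapUser("erin", {"SAP_BR_BUYER"}),        # no HR record at all
    ]
    return reconcile(hr, sap)


if __name__ == "__main__":
    print(sample_plan())
```

The point of the last loop is the one most provisioning setups miss: the run must not only push the source to the target, it must also report target accounts the source no longer knows about, because those are exactly the accounts an attacker or a departed employee keeps using.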

4.2.3 Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) ensures that users can only access applications and data relevant to their job responsibilities.

Types of Roles in SAP S/4HANA Cloud:
  1. Business Roles:

    • Provide access to specific SAP Fiori apps based on user tasks.
    • Examples:
      • Buyer Role: Access to procurement apps like "Manage Purchase Orders" or "Monitor Purchase Requisitions."
      • Accounts Payable Clerk Role: Access to finance apps like "Manage Supplier Invoices."
  2. Administrator Roles:

    • In SAP S/4HANA Cloud Public Edition, administration is done through business roles as well; there is no separate technical role type.
    • Example: SAP_BR_ADMINISTRATOR grants the IAM apps (Maintain Business Roles, Maintain Business Users) and configuration and integration settings. It belongs to a few named administrators and should never be combined with operational roles such as SAP_BR_BUYER.
How RBAC Works:
  1. Assign SAP-Delivered Roles:

    • SAP provides pre-configured roles aligned to business processes.
    • Example: Assign the standard “Buyer” role to procurement users.
  2. Create Custom Roles:

    • Use the Maintain Business Roles app to create new roles tailored to specific needs.
    • Example: A custom “Regional Buyer” role with restricted access to specific plants.
  3. Monitor Role Assignments:

    • Regularly review and monitor user roles to ensure compliance.
    • Use audit logs to track user access activities.

4.2.4 Key Configuration Tasks in Identity and Access Management (IAM)

Effective IAM configuration is essential to ensure that users in SAP S/4HANA Cloud have appropriate access to perform their tasks while maintaining data security and compliance. Below are the key configuration tasks for user and role management:

1. Assign SAP-Delivered Business Roles to Users

SAP provides predefined business roles that align with standard business processes. These roles grant users access to specific SAP Fiori applications based on their job responsibilities.

Steps to Assign SAP-Delivered Roles:

  1. Access the Maintain Business Roles App:

    • Use the SAP Fiori app "Maintain Business Roles" to manage roles.
  2. Search for SAP-Delivered Roles:

    • Example roles for procurement:
      • SAP_BR_BUYER: Provides access to buyer-related apps like "Manage Purchase Orders" and "Monitor Purchase Requisitions."
      • SAP_BR_AP_ACCOUNTANT (Accounts Payable Accountant): For accounts payable staff who manage supplier invoices.
  3. Assign Roles to Users:

    • Go to "Maintain Business Users" and assign the appropriate roles to the selected user(s).
    • Example: Assign the "SAP_BR_BUYER" role to all users in the procurement team.
  4. Test Role Assignments:

    • Log in with a test user and verify that the assigned Fiori apps are accessible.
2. Create Custom Business Roles

Sometimes, standard SAP roles may not completely meet your organization’s requirements. You can create custom roles tailored to specific needs.

Steps to Create a Custom Role:

  1. Access the Maintain Business Roles App:

    • Use the "Maintain Business Roles" app to start creating a new role.
  2. Copy an Existing Role (Optional):

    • Start with a standard SAP-delivered role as a template to save time.
    • Example: Copy "SAP_BR_BUYER" and adjust it to create a “Regional Buyer” role.
  3. Adjust Role Permissions:

    • Define or restrict access to specific apps:
      • Add new Fiori apps by selecting them from the catalog.
      • Remove unnecessary apps to ensure users see only relevant tasks.
  4. Add Restrictions (Optional):

    • Use "Restrict Access" to limit data visibility.
    • Example: Allow a buyer to create purchase orders only for a specific plant.
  5. Test the Custom Role:

    • Verify the new role with test users to ensure that permissions and restrictions work as expected.
3. Monitor User Activities and Access Logs

Monitoring user activities is essential for maintaining system security and compliance. SAP S/4HANA Cloud provides tools to track user access and detect any unauthorized activities.

Key Tasks for Monitoring:

  1. Review User Access Logs:

    • Use the Display Security Audit Log app to see logons, failed logons and which apps users started, and the change documents of business users and roles to see who changed an assignment and when.
    • Identify users who accessed specific apps and perform audits.
  2. Compliance Audits:

    • Regularly review assigned roles to ensure they align with job responsibilities.
    • Example: Verify that only authorized users have access to financial data.
  3. Track Changes:

    • Keep logs of changes made to roles and user permissions.

4.2.5 SAP Fiori Launchpad Integration

The SAP Fiori Launchpad serves as the central interface for users in SAP S/4HANA Cloud. User access to Fiori apps is controlled by role assignments, ensuring that users only see apps relevant to their job roles.

1. Access Control Through Role Assignments
  • How It Works:
    • SAP S/4HANA Cloud uses role-based access control (RBAC) to determine which Fiori apps are available to a user.
    • Roles are linked to Business Catalogs, which group related Fiori apps.

Example:

  • A Buyer role (SAP_BR_BUYER) includes:
    • "Manage Purchase Orders"
    • "Create Purchase Requisitions"
    • "Monitor Supplier Performance"
2. Customizing the SAP Fiori Launchpad
  1. Personalization for Users:

    • Users can personalize their Fiori Launchpad to:
      • Rearrange tiles.
      • Set favorite apps for easy access.
  2. Customizing App Layouts:

    • Administrators compose business roles from business catalogs (which authorize the apps) and arrange the tiles of those apps in spaces and pages (the successor of business groups in current releases).
    • Example: Create a custom space called "Regional Procurement Apps" for regional buyers.
  3. Restrict Access to Data:

    • Use restrictions in the business role to limit the data an app may show; restrictions do not hide apps. To take an app away from a user, remove its business catalog from the role.
    • Example: Allow users to see purchase orders for their assigned plants only.
3. Benefits of Fiori Launchpad Integration
  • Simplified Access:

    • Users access all their apps from a single, intuitive interface.
  • Improved Security:

    • Role-based access ensures users can only interact with authorized apps and data.
  • Productivity:

    • Personalization features allow users to organize their workspace efficiently.
  • Consistency:

    • Provides a uniform interface across all devices (desktop, tablet, and mobile).

4.2.6 Key Example: Buyer Role Configuration in SAP Fiori Launchpad

To understand how IAM and the SAP Fiori Launchpad work together, let’s go through an example for a Buyer role:

  1. Step 1: Assign the Buyer Role (SAP_BR_BUYER):

    • Open the Maintain Business Users app (or the Assigned Business Users section of the role in Maintain Business Roles).
    • Assign the SAP_BR_BUYER role to the user. In practice the SAP-delivered role is copied first and the copy is assigned, so that restrictions can be maintained on it.
  2. Step 2: Verify Role-Based Access in the Launchpad:

    • The user logs into SAP Fiori Launchpad.
    • Available tiles include:
      • "Manage Purchase Orders" – Create and monitor purchase orders.
      • "Monitor Purchase Requisitions" – Track and manage requisitions.
      • "Supplier Evaluation" – View supplier performance data.
  3. Step 3: Customize and Test Access:

    • Remove business catalogs the buyer does not need from the (copied) role, and use restrictions to limit the remaining apps to the buyer's plants or purchasing organizations; restrictions scope data, they do not remove apps.
    • Test the role with the user to ensure they can perform their tasks and, just as important, cannot perform others (e.g. approve their own purchase orders).
  4. Step 4: Monitor User Activity:

    • Use logs to verify the user’s access and activities.

System Landscapes and Identity Access Management (Additional Content)

This section expands on SAP system landscapes, Identity and Access Management (IAM), emergency access management, segregation of duties, and SAP Fiori Launchpad security to provide a deeper understanding of security and system architecture in SAP S/4HANA Cloud.

1. SAP System Landscapes – Introducing the Four-System Landscape

SAP S/4HANA Cloud Public Edition typically uses a three-system landscape, but for SAP S/4HANA Cloud Private Edition or Hybrid Deployments, a four-system landscape may be implemented.

1.1 Overview of the Four-System Landscape

System                   | Purpose
-------------------------|------------------------------------------------------------------------------------------
Sandbox (SBX), optional  | Experimentation, proof of concept (PoC) and training without affecting the development configuration.
Development (DEV)        | System configuration, custom development and initial testing before changes move to QAS.
Quality Assurance (QAS)  | Integration testing, User Acceptance Testing (UAT) and performance validation.
Production (PRD)         | The live system where real business transactions are conducted.

1.2 Differences Between Public vs. Private Edition Landscapes

Feature               | Public Edition (3-system)                                                                                                 | Private Edition (4-system)
----------------------|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------
Custom Development    | Key-user (in-app), developer (ABAP Cloud) and side-by-side extensibility only; classic ABAP modifications are not possible | Classic ABAP custom development and modifications
Upgrade Control       | SAP-managed release cycle (two major releases per year, e.g. 2402 and 2408)                                                | Customer controls the upgrade schedule
Sandbox Environment   | Not included                                                                                                              | Recommended for complex deployments
System Modifications  | Standardized Fit-to-Standard approach                                                                                     | Custom modifications allowed

1.3 Exam Tip: Understanding System Landscapes

  • Be able to identify which systems exist in different deployment models.
  • Understand why Sandbox (SBX) is optional in some landscapes.
  • Be familiar with how DEV, QAS, and PRD interact in an SAP project.

2. Identity and Access Management (IAM) – Zero Trust Security Model

Zero Trust Security is an approach in which no request is trusted because of where it comes from (for example the corporate network). Every access is verified explicitly against the user's identity and device, granted with least privilege through roles and restrictions, and monitored on the assumption that a breach may already have happened.

2.1 Key Concepts of Zero Trust in SAP S/4HANA Cloud

Concept               | Description                                                                                                   | Example
----------------------|---------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------
Authentication        | Every user proves identity explicitly, with MFA or SSO through a trusted identity provider.                    | SAP IAS federated with Microsoft Entra ID (formerly Azure AD), MFA enforced by conditional access
Authorization         | Access is granted by role (RBAC) and narrowed by restrictions; network location is a signal, not a grant.      | Risk-based authentication rules in IAS require MFA outside approved IP ranges; restrictions limit a buyer to specific plants
Continuous Monitoring | Logons, app starts and role changes are logged and reviewed; SoD risks are analysed and access recertified.   | Security audit log reviews; access analysis and certification in SAP Cloud Identity Access Governance (IAG)

2.2 Key IAM Technologies

  • SAP Identity Authentication Service (IAS) → Authentication: SSO, MFA and risk-based authentication rules.
  • SAP Identity Provisioning Service (IPS) → Lifecycle: creates, updates and removes users and their role assignments from an authoritative source.
  • SAP Cloud Identity Access Governance (IAG) → Governance: access analysis (SoD risks), access requests, role design, access certification and privileged access management.

2.3 Exam Tip: Zero Trust and IAM Security

  • Be prepared to explain how SAP IAS and MFA improve security.
  • Understand the difference between Authentication (Who are you?) vs. Authorization (What can you do?).
  • Expect questions on SAP IAG's role in access analysis, access certification and privileged access management.

3. Emergency Access Management (EAM)

SAP provides Emergency Access Management (EAM), also known as the Firefighter ID (FFID) concept, for situations where temporary high-level access is required. EAM is a component of SAP Access Control (GRC) for on-premise and Private Edition systems; for SAP S/4HANA Cloud Public Edition the corresponding capability is Privileged Access Management in SAP Cloud Identity Access Governance (IAG).

3.1 Key Concepts of EAM

Feature                     | Description
----------------------------|-------------------------------------------------------------------------------------------------------------------------------
Firefighter ID (FFID)       | Temporary, time-boxed high-privilege access for emergency troubleshooting, tied to a ticket or documented reason.
SAP Access Control (GRC)    | Owns the FFIDs, approves their use and logs every action so that usage can be audited and abuse detected (on-premise and Private Edition; IAG Privileged Access Management in the Public Edition).
Emergency Logging & Reports | Every EAM session is recorded (who, when, which FFID, which actions) and reviewed after the fact by a controller.

3.2 Example: EAM in Action

  • A Finance Manager cannot normally modify financial reports.
  • Due to a critical reporting issue, the manager is granted a temporary Firefighter ID.
  • All actions performed under FFID are logged and reviewed by the security team.
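What the security team's after-the-fact review of firefighter sessions actually checks, as an added example in Python. This is not SAP Access Control or IAG code: the log line format, the FFID and action names, the four-hour session limit and the sample sessions are all constructed for illustration.

```python
"""Post-hoc review of firefighter (emergency access) session logs.
Added example, not SAP Access Control or IAG code: the log format and the
session records are constructed for illustration."""
from datetime import datetime, timedelta

MAX_SESSION = timedelta(hours=4)        # assumed policy: sessions are time-boxed
# Actions that always need a controller's sign-off (assumed action names).
SENSITIVE = {"CHANGE_SUPPLIER_BANK", "POST_PAYMENT", "MAINTAIN_BUSINESS_ROLE"}

# Constructed log: one session per line, key=value tokens, actions separated by ';'.
SAMPLE_LOG = """\
ffid=FF_FIN01 user=jdoe ticket=INC0001234 start=2024-08-12T09:00 end=2024-08-12T10:30 actions=RERUN_REPORT;CORRECT_JOURNAL
ffid=FF_FIN01 user=asmith ticket= start=2024-08-12T13:00 end=2024-08-12T13:20 actions=RERUN_REPORT
ffid=FF_ADM01 user=jdoe ticket=INC0001299 start=2024-08-13T08:00 end=2024-08-13T14:30 actions=MAINTAIN_BUSINESS_ROLE
ffid=FF_FIN02 user=bli ticket=INC0001300 start=2024-08-14T11:00 end=2024-08-14T11:45 actions=CHANGE_SUPPLIER_BANK;POST_PAYMENT
"""


def parse_log(text):
    """Turn the key=value lines into session dicts with typed fields."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        sessions.append({
            "ffid": kv["ffid"],
            "user": kv["user"],
            "ticket": kv.get("ticket", ""),
            "start": datetime.strptime(kv["start"], "%Y-%m-%dT%H:%M"),
            "end": datetime.strptime(kv["end"], "%Y-%m-%dT%H:%M"),
            "actions": {a for a in kv.get("actions", "").split(";") if a},
        })
    return sessions


def review(text):
    """Return {session key: [findings]} for the sessions that need follow-up."""
    findings = {}
    for s in parse_log(text):
        issues = []
        if not s["ticket"]:
            issues.append("missing ticket reference")
        if s["end"] - s["start"] > MAX_SESSION:
            issues.append("session longer than %s" % MAX_SESSION)
        for action in sorted(s["actions"] & SENSITIVE):
            issues.append("sensitive action " + action)
        # Two steps of one SoD-critical process inside a single emergency session.
        if {"CHANGE_SUPPLIER_BANK", "POST_PAYMENT"} <= s["actions"]:
            issues.append("supplier bank change and payment in one session")
        if issues:
            key = "%s/%s/%s" % (s["ffid"], s["user"], s["start"].strftime("%Y-%m-%dT%H:%M"))
            findings[key] = issues
    return findings


if __name__ == "__main__":
    for key, issues in review(SAMPLE_LOG).items():
        print(key, "->", "; ".join(issues))
```

The first session is the normal case and produces no finding; the other three show the patterns a controller looks for: no ticket, a session that ran far past its time box while touching role administration, and a session that combined supplier bank maintenance with a payment, which is the SoD conflict of section 4 executed by one person under an emergency identity.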

3.3 Exam Tip: Emergency Access Management

  • Be ready to explain why emergency access should be monitored.
  • Expect questions on how SAP GRC logs and audits emergency access.

4. Segregation of Duties (SoD) in SAP S/4HANA Cloud

Segregation of Duties (SoD) prevents fraud and errors by ensuring that one user does not control multiple critical steps in a business process.

4.1 Common SoD Risks and Solutions

Risk                                                     | Potential Issue                                      | SoD Solution
---------------------------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------------------------------
A buyer can both create and approve purchase orders.     | Fraud risk: users can approve their own purchases.   | Separate Buyer and Approver roles, and never assign both to one user.
A finance user can both enter and pay supplier invoices. | Unauthorized or fictitious payments.                 | Separate invoice entry (accounts payable) from the payment run (cash/treasury); dual approval of payment proposals is a compensating control where full separation is not possible.
A logistics user can modify supplier bank details.       | Payments redirected to fraudulent accounts.          | Restrict supplier bank master changes to a finance master-data role and review the change documents.
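The check that an SoD tool runs over role assignments, as an added example in Python. It is not the rule engine of SAP Cloud Identity Access Governance or SAP Access Control, which ship their own rulesets; SAP_BR_BUYER and SAP_BR_AP_ACCOUNTANT are real SAP-delivered role IDs, while the other role IDs, the catalog IDs, the Z_ custom role and the users are constructed. It goes slightly beyond the table above by also checking at design time which roles conflict on their own and which only conflict in combination.

```python
"""Segregation-of-duties check over business-role assignments.
Added example, not SAP's rule engine (SAP Cloud Identity Access Governance and
SAP Access Control ship their own rulesets). SAP_BR_BUYER and
SAP_BR_AP_ACCOUNTANT are SAP-delivered role IDs; the other role IDs, the
catalog IDs and the users are constructed."""
from itertools import combinations

# Business catalogs (assumed IDs) granted by each business role.
ROLE_CATALOGS = {
    "SAP_BR_BUYER": {"PO_CREATE", "PR_MONITOR"},
    "SAP_BR_PURCHASING_MANAGER": {"PO_APPROVE"},
    "SAP_BR_AP_ACCOUNTANT": {"INVOICE_ENTER"},
    "SAP_BR_CASH_SPECIALIST": {"PAYMENT_RUN"},
    "Z_REGIONAL_BUYER": {"PO_CREATE", "PO_APPROVE"},   # a badly cut custom role
}

# Ruleset: catalogs that must never meet in one user, and the business risk.
SOD_RULES = [
    ({"PO_CREATE", "PO_APPROVE"}, "self-approval of purchase orders"),
    ({"INVOICE_ENTER", "PAYMENT_RUN"}, "unauthorized payments"),
    ({"PO_CREATE", "INVOICE_ENTER"}, "fictitious supplier invoices"),
]


def effective_catalogs(roles):
    cats = set()
    for role in roles:
        cats |= ROLE_CATALOGS.get(role, set())
    return cats


def sod_violations(user_roles):
    """User-level check: {user: [(risk, conflicting catalogs, contributing roles)]}.
    Conflicts are evaluated on the union of all roles, so a user who is clean
    per role can still violate through the combination."""
    findings = {}
    for user, roles in user_roles.items():
        cats = effective_catalogs(roles)
        for conflict, risk in SOD_RULES:
            if conflict <= cats:
                contributing = sorted(r for r in roles if ROLE_CATALOGS.get(r, set()) & conflict)
                findings.setdefault(user, []).append((risk, sorted(conflict), contributing))
    return findings


def role_design_conflicts():
    """Design-time check: roles that violate a rule on their own, and pairs of
    otherwise clean roles that violate when combined (so provisioning can block
    the combination)."""
    def violates(cats):
        return any(conflict <= cats for conflict, _ in SOD_RULES)

    single = sorted(r for r, cats in ROLE_CATALOGS.items() if violates(cats))
    pairs = [
        (a, b) for a, b in combinations(sorted(ROLE_CATALOGS), 2)
        if a not in single and b not in single
        and violates(ROLE_CATALOGS[a] | ROLE_CATALOGS[b])
    ]
    return single, pairs


# Constructed user-to-role assignments.
SAMPLE_USERS = {
    "alice": {"SAP_BR_BUYER"},
    "bob": {"SAP_BR_BUYER", "SAP_BR_PURCHASING_MANAGER"},
    "carol": {"Z_REGIONAL_BUYER"},
    "dave": {"SAP_BR_AP_ACCOUNTANT", "SAP_BR_CASH_SPECIALIST"},
}

if __name__ == "__main__":
    for user, issues in sod_violations(SAMPLE_USERS).items():
        for risk, cats, roles in issues:
            print(user, risk, cats, roles)
    print(role_design_conflicts())
```

Two things the table cannot show: carol violates with a single role, which is a role-design error that no amount of careful user assignment fixes, and bob violates only through the combination of two individually clean roles, which is why the check has to run on the union of a user's catalogs and not on each role separately.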

4.2 SAP Tools for SoD Management

  • SAP Cloud Identity Access Governance (IAG) → Detects SoD violations in cloud landscapes (including SAP S/4HANA Cloud Public Edition) through access analysis and supports remediation or documented mitigation.
  • SAP Access Control (GRC) → Defines the SoD ruleset and enforces it in on-premise and Private Edition systems, e.g. by blocking or routing conflicting access requests.

4.3 Exam Tip: Preventing SoD Violations

  • Expect questions on how to mitigate SoD risks in procurement and finance.
  • Understand which roles should be separated to prevent fraud.

5. SAP Fiori Launchpad – Secure App Access Management

SAP Fiori Launchpad is the primary user interface for SAP S/4HANA Cloud. Authorization is decided by the Business Catalogs (and restrictions) in a user's business roles; Business Groups, and in current releases Spaces and Pages, only decide which tiles are displayed.

5.1 Business Catalogs – Controlling App Access

Feature           | Description                                                                                                         | Example
------------------|---------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------
Business Catalog  | A collection of related Fiori apps. Catalogs are added to business roles and are what actually authorizes the apps. | A purchase order catalog includes "Manage Purchase Orders" and "Approve Purchase Requisitions".
Business Role     | A set of catalogs plus restrictions, assigned to users.                                                             | The "Buyer" role is assigned the procurement catalogs.
Restrictions      | Limit the data a user can see or change to organizational values such as company codes, plants or purchasing organizations. | A buyer restricted to plant 1010 can only process purchase orders for that plant.

5.2 Business Groups – Organizing Tiles for Users

Feature                   | Description                                                                                                                                                                                                                          | Example
--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------
Business Groups / Spaces  | Arrange app tiles into functional groups for navigation (spaces and pages in current releases). They control visibility only: a user who has the catalog can still start a hidden app by URL, and a tile without the catalog fails with an authorization error. | A Procurement space contains "Create PR" and "Monitor Suppliers" tiles.
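The access model described in 4.2.5 and in 5.1 and 5.2, as an added example in Python that is not SAP code: catalogs authorize apps, restrictions scope data, and groups or spaces only place tiles. Apart from SAP_BR_BUYER, the role, catalog, app and space IDs are assumptions, and the purchase orders are constructed sample data.

```python
"""What decides access in the SAP Fiori Launchpad of SAP S/4HANA Cloud:
business catalogs authorize apps, restrictions scope data, groups/spaces
only place tiles. Added example, not SAP code; apart from SAP_BR_BUYER the
role, catalog and app IDs are assumptions and the purchase orders are
constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class BusinessRole:
    role_id: str
    catalogs: set
    # restriction field -> allowed values; an empty dict means unrestricted
    restrictions: dict = field(default_factory=dict)


# Catalog -> apps it authorizes (assumed IDs).
CATALOG_APPS = {
    "PROCUREMENT_PO": {"ManagePurchaseOrders", "MonitorPurchaseRequisitions"},
    "PROCUREMENT_APPROVAL": {"ApprovePurchaseOrders"},
}

# Business group / space -> tiles shown. Layout only, no authorization.
GROUP_TILES = {
    "Regional Procurement Apps": {"ManagePurchaseOrders"},
}

ROLES = {
    "SAP_BR_BUYER": BusinessRole("SAP_BR_BUYER", {"PROCUREMENT_PO", "PROCUREMENT_APPROVAL"}),
    "Z_REGIONAL_BUYER": BusinessRole("Z_REGIONAL_BUYER", {"PROCUREMENT_PO"}, {"Plant": {"1010"}}),
}


def visible_tiles(groups):
    """Tiles the launchpad displays for the user's groups/spaces."""
    return set().union(*(GROUP_TILES.get(g, set()) for g in groups))


def authorizing_roles(user_roles, app):
    """Roles whose catalogs contain `app`. Groups are not consulted: a hidden
    tile is still reachable by URL, and a visible tile without a catalog fails."""
    return [r for r in user_roles
            if any(app in CATALOG_APPS.get(c, set()) for c in ROLES[r].catalogs)]


def can_start_app(user_roles, app):
    return bool(authorizing_roles(user_roles, app))


def allowed_documents(user_roles, app, documents):
    """Instance-level check: which documents `app` may show, after restrictions.
    A document is visible if any authorizing role's restrictions permit it."""
    out = []
    for doc in documents:
        for r in authorizing_roles(user_roles, app):
            restr = ROLES[r].restrictions
            if all(doc.get(f) in vals for f, vals in restr.items()):
                out.append(doc["po"])
                break
    return out


# Constructed purchase orders.
SAMPLE_POS = [
    {"po": "4500000001", "Plant": "1010"},
    {"po": "4500000002", "Plant": "1020"},
]

if __name__ == "__main__":
    regional = {"Z_REGIONAL_BUYER"}
    print(visible_tiles({"Regional Procurement Apps"}))
    print(can_start_app(regional, "MonitorPurchaseRequisitions"))   # hidden tile, still allowed
    print(can_start_app(regional, "ApprovePurchaseOrders"))         # no catalog, denied
    print(allowed_documents(regional, "ManagePurchaseOrders", SAMPLE_POS))
    print(allowed_documents({"SAP_BR_BUYER"}, "ManagePurchaseOrders", SAMPLE_POS))
```

The regional buyer sees only one tile but can start both apps of the catalog, and sees only the plant 1010 purchase order; a user with the space but no role sees the tile and gets nothing. That is why a missing-tile ticket is checked in the order role, catalog, space, and why "hide the tile" is never an acceptable answer to an access-removal request.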

5.3 Location-Based Access Control

  • Location-based rules are enforced at the authentication layer, not by the Fiori Launchpad: risk-based authentication rules in SAP IAS (or conditional access in the corporate identity provider) can require MFA for, or deny, logons from outside approved IP ranges.
  • They reduce exposure from untrusted networks (e.g. public Wi-Fi), but a source IP is a weak signal: it does not replace MFA or device checks, and it says nothing about which data a user may see once logged on. That remains the job of role restrictions.

5.4 Exam Tip: Fiori App Security

  • Expect questions on Business Catalogs vs. Business Roles.
  • Be able to explain where each control lives: IP-based rules at authentication (SAP IAS, corporate identity provider), company code or plant limits as restrictions in the business role.

Conclusion

This supplementary knowledge provides a stronger understanding of system landscapes, IAM, EAM, SoD, and Fiori security in SAP S/4HANA Cloud.

Key Takeaways

  • Four-System Landscapes are used in Private Edition for additional flexibility.
  • Zero Trust Security requires strong authentication, role-based access, and continuous monitoring.
  • Emergency Access (EAM) ensures temporary admin access is logged and reviewed.
  • Segregation of Duties (SoD) prevents fraud by ensuring critical processes are handled by different users.
  • SAP Fiori Launchpad Security: Business Catalogs and restrictions decide what a user may do; Business Groups (Spaces and Pages in current releases) only decide which tiles are shown.

Frequently Asked Questions

What are the key systems in an S/4HANA Cloud system landscape?

Answer:

In the three-system landscape they are the Development, Test (Quality) and Production systems; a temporary Starter System is used before them.

Explanation:

The Starter System is used for initial exploration and Fit-to-Standard workshops during the Explore phase; it is decommissioned later and nothing is transported from it. Configuration is done in the Development System, transported to the Test (Quality) System for testing, and then to Production for live operations. Confusion often arises from the older two-system landscape (Quality and Production only), in which configuration was done in the Quality System.

What is the role of Identity Authentication Service (IAS) in SAP Cloud?

Answer:

IAS handles user authentication and provides single sign-on capabilities.

Explanation:

IAS integrates with S/4HANA Cloud to manage login authentication. It is often confused with IPS, which handles user provisioning. Misunderstanding these roles leads to access issues.

Why might a user not see an app in the SAP Fiori Launchpad?

Answer:

The issue is typically a missing business role, a role that lacks the business catalog for the app, or a tile that is not placed in a space or page (in older releases, a business group) assigned to the user.

Explanation:

Access to apps depends on proper role configuration. Administrators often assign a role but forget the catalog or the space/page, which results in a missing tile. Troubleshooting means checking, in order: is the role assigned to the user, does the role contain the catalog that authorizes the app, and does a space or page of the role show the tile. Only the first two decide authorization; a tile can be missing while the app is still reachable by URL, and a tile can be visible while the app fails for lack of a catalog.

What is the difference between business roles and business catalogs?

Answer:

Business roles are assigned to users, while catalogs contain the apps and are assigned to roles.

Explanation:

This distinction is fundamental in IAM. A common mistake is assigning catalogs directly to users, which is not supported. Roles act as containers for catalogs and define access.
