
Below is a list of the most frequently asked questions regarding Identity and Access Management in SAP Integrated Business Planning for Supply Chain:

What do I need to use IBP as an administrator? 

You need a customized URL for the SAP Cloud Identity Administration Console. You can find this information in the email sent to the IT contact named in the IBP contract.

In the SAP Cloud Identity Administration Console, an initial administrator user is created, which can be used to set up the IBP system.

If it was not you who received this email, the person who received it can create an administrator user for you in IBP, upload it to IAS, and then IAS will send a similar email to you as well.

What are the prerequisites for authenticating IBP users? 

The prerequisites depend on the identity provider you are using:

  • SAP Cloud Identity Authentication service (IAS) – If you wish to use SAP Cloud Identity Authentication service (IAS), you must create all users there as well. You can create users in IAS either manually or by uploading the IBP users you created.
  • Corporate identity provider (IdP) – If you wish to use a corporate identity provider (IdP) you must create all users there as well, configure it as a trusted IdP, and choose it in IAS to be used as the identity provider.

For more details, see Step 3 under 'How can I create a business user?'.

What is the password policy in IBP? 

The use of passwords in SAP Integrated Business Planning is defined by the enterprise password policy applied in IAS.

For more information, see SAP Help Portal, under SAP Cloud Platform Identity Authentication Service > Operation Guide > Configure Applications > Set a Password Policy for an Application.

Can an administrator change the password of other users?

No. The administrator can only set the initial passwords or just send activation e-mails while creating the business users.

Later, only the user can change their password. This can be done on the Logon screen of IAS via Forgot Password.


How can I create a business user?

  1. First you need to create an employee in the system.

You can create just one employee at a time in the following way:

a. Open the Maintain Employees app.

b. Click Create.

c. Fill in the required fields. For Employee ID, enter the unique name or ID generally used at your organization to identify the employee.

You can create more than one employee at a time in the following way: 

a. Select Import above the list of employees.

b. In the window that opens, choose a delimiter for the CSV file and select the Download Template link.

c. Add your employees to an Excel worksheet according to the downloaded template and save the file in CSV format using the chosen delimiter (comma or semicolon). Make sure that you specify a unique email address for each employee.

d. Select Browse, look up your CSV file and choose Import.

2. Create a business user based on the employee:

a. Open the Maintain Business Users app.

b. Click New.

c. Search for the employee you just created and select it. The business user is created immediately.

d. Fill in the required fields. The User ID is provided by the system automatically. It is also displayed in the User Name field but there you must replace it with the login name defined for that user in the corporate identity provider. If you are not using a corporate identity provider, you can leave the user name as it is, or you can replace it with the Employee ID, for example. 

e. Assign any required business role to the user you created. To do so, choose Add and select the business roles from the list that opens.

3/a. If you are using IAS, proceed as follows:

i. Remain in IBP and download the list of users into a CSV file using the Download button in the Maintain Business Users app.


ii. Log on to the Cloud Identity Administration Console of IAS and upload the CSV file using the Import Users app.

The user will receive an email with a URL that directs them to the IAS logon screen.

After activation, the user can choose a password for IAS. Once they log on to IAS, they are automatically redirected to SAP Integrated Business Planning.

3/b. If you are using a corporate IdP, proceed as follows:

Create the same user in the corporate IdP.

i. Log on to the SAP Cloud Identity Administration Console in IAS.

ii. Open the Corporate Identity Providers app and add your corporate IdP in the set of trusted identity providers. For more information, see the application help for IAS.

iii. Open the Applications app. 

iv. Select the URL for IBP.

v. Click Conditional Authentication.

vi. Under Default Authenticating Identity Provider, choose your corporate IdP from the list.

Your IAS is now configured to act as a proxy for your corporate IdP.  As a result, the users will be authenticated using the corporate IdP. 

How can I limit the apps that a person can use? 

  1. Open the Maintain Business Roles app in IBP.
  2. Create a business role as follows:
    1. Click New.
    2. Fill in the required fields.

3. Assign to the role the business catalogs that provide access to the required apps:

a. Click the Assigned Business Catalogs tab.

b. Click Add.

c. Select the business catalogs you want to assign.

     

d. Click OK or Apply. If you click Apply, the window remains open and you can continue adding more business catalogs.

e. Click Save on the main screen of the app to activate it. 

4. Assign the business user you created for the person to the business role that provides access to the required apps:

a. Click the Assigned Business Users tab.

b. Click Add.

c. Select the business user you want to assign.

d. Click OK or Apply.

 If the business role already exists when you create or edit the business user, you can also choose a different approach:

a. Open the Maintain Business Users app.

b. Select the business user to which you want to assign the business role.

c. Click Add at the top of the Assigned Business Roles section.

d. Choose the required business role.

e. Click OK or Apply.

Can I download the content of a business role?

The Maintain Business Roles app shows the content of business roles, and you can download them in a file. You can upload the file in a new system and the roles will be created in the new system.

How can I limit what data a person can see in the apps?

  1. Open the Maintain Business Roles app.
  2. Click Edit.
  3. Select a business role that is assigned to the business user you created for the person in question.
  4. Click Maintain Restrictions at the top of the screen.

 

5. Specify the rights for read and/or write access. For read access, you can choose Restricted or Unrestricted. For write access, you can also choose No Access.

                

For example, you can specify restricted write access for one planning area only.

Note that the default restriction values are the following:

  • Read: Unrestricted
  • Write: No access

6. Specify restriction values for the access types you set as Restricted:

a. Look up the relevant restriction area. For example, if you want a certain key figure to be visible only in one specific planning area, look up the Key Figures restriction area.

 Note

If you can’t see a restriction area on the screen, it is not available for the catalogs you assigned to that business role.

b. Choose the values for the various fields within the restriction area. For example, if you want the key figures to be editable, do the following:

i. Choose the pencil icon next to Planning Area.

ii. Select the name of the planning area that you want to provide write access to.

iii. Click OK.

Note

The restrictions are cumulative: a business user has access to everything that the business roles assigned to it have access to.

7. Add new restriction areas (optional).

For example, if you want to specify that a business role should have write access to two different key figures in two different planning areas, you need to add the Key Figure restriction area to that business role twice (or once more if it is listed for that role by default).

How can I restrict the available data by master data type attributes? 

  1. Open the Manage Permission Filters app.
  2. Click New.
  3. Specify general information and some filter criteria. For example, if you want a person to only see information related to the PFA product family, specify in the filter that the PRDFAMILY should be equal to PFA.

           

4. Click Save.
5. Open the Maintain Business Roles app.
6. Click a business role that is assigned to the business user you created for the person in question.
7. Set the Read access type as Restricted.
8. Look up the General restriction area in the Read section.

 

 Note

If you can’t see this restriction area on the screen, it is not available for the catalogs you assigned to that business role.

 9. Choose the pencil icon next to the Permission Filter ID field.

10. Select the name of the permission filter that you want to apply.

11. Click OK.

Are any standard business roles delivered with IBP? 

SAP delivers only business role templates. You can find them in the Business Roles Templates App and can use them in the Maintain Business Roles app after choosing Create from Template on the main page.

Can I edit the tile groups on the Fiori Launchpad? 

Yes and no. IBP is delivered with predefined business catalogs that allow access to the tiles and through them the apps. By adding business roles to a business user you can add tiles to their launchpad. You can also personalize your own launchpad by adding new groups or changing the content of the groups. However, you cannot change the launchpad the same way for other users.

How can I assign permission filters to business users? 

You can assign permission filters to users in several ways:

  • By direct user assignment to individual users (in the Permission Filters app)
  • By indirect user assignment:
    • To user groups (in the Permission Filters app)
    • To business roles (in the Maintain Business Roles app): first assign the filter to the business role in the form of a restriction, then assign the business role to the business user.

You can assign multiple permission filters to a single user at once. All of those filters are combined to give the user access to all the data defined by the union of the sets of attribute combinations that each of them allows.
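The union rule above, combined with the additive role restrictions and the default of Read: Unrestricted described earlier, modelled as an added example (not SAP code and not an SAP API) for reviewing what a user can effectively read. The class names, the AND rule inside a single filter, the role names, and the sample records (PFB, PFC, LOCID values, product IDs) are assumptions constructed for illustration; only filters assigned through business roles are modelled.

```python
from dataclasses import dataclass, field


@dataclass
class PermissionFilter:
    filter_id: str
    criteria: dict  # attribute name -> set of allowed values


@dataclass
class BusinessRole:
    name: str
    read_access: str = "Unrestricted"  # default read access stated on the page
    filter_ids: list = field(default_factory=list)  # used when read is Restricted


def filter_allows(pf, record):
    # Assumption: every criterion inside one filter must hold (logical AND).
    return all(record.get(attr) in allowed for attr, allowed in pf.criteria.items())


def visible_records(roles, filters, records):
    """Records readable through the union of everything the roles grant."""
    # Access adds up across roles, so one unrestricted role exposes all records.
    if any(r.read_access == "Unrestricted" for r in roles):
        return list(records)
    active = [filters[fid] for r in roles for fid in r.filter_ids]
    # Filters are combined as a union: any matching filter grants access.
    return [rec for rec in records if any(filter_allows(pf, rec) for pf in active)]


def roles_defeating_filters(roles):
    """Names of unrestricted roles that nullify other roles' permission filters."""
    if not any(r.read_access == "Restricted" for r in roles):
        return []
    return [r.name for r in roles if r.read_access == "Unrestricted"]


# Constructed sample data (not taken from a real system).
RECORDS = [
    {"PRDID": "P1", "PRDFAMILY": "PFA", "LOCID": "DC1"},
    {"PRDID": "P2", "PRDFAMILY": "PFB", "LOCID": "DC1"},
    {"PRDID": "P3", "PRDFAMILY": "PFC", "LOCID": "DC2"},
    {"PRDID": "P4", "PRDFAMILY": "PFA", "LOCID": "DC2"},
]
FILTERS = {
    "F_PFA": PermissionFilter("F_PFA", {"PRDFAMILY": {"PFA"}}),
    "F_PFB_DC1": PermissionFilter("F_PFB_DC1", {"PRDFAMILY": {"PFB"}, "LOCID": {"DC1"}}),
}
ROLE_PFA = BusinessRole("Z_PLANNER_PFA", "Restricted", ["F_PFA"])
ROLE_PFB = BusinessRole("Z_PLANNER_PFB", "Restricted", ["F_PFB_DC1"])
ROLE_DEFAULT = BusinessRole("Z_REPORTING")  # read access left at the default


def product_ids(roles):
    return [rec["PRDID"] for rec in visible_records(roles, FILTERS, RECORDS)]


if __name__ == "__main__":
    print("PFA role only:        ", product_ids([ROLE_PFA]))
    print("PFA + PFB roles:      ", product_ids([ROLE_PFA, ROLE_PFB]))
    print("PFA + default role:   ", product_ids([ROLE_PFA, ROLE_DEFAULT]))
    print("roles defeating filter:", roles_defeating_filters([ROLE_PFA, ROLE_DEFAULT]))
```

When reviewing a user's access, check every assigned role: in this model a single role left at the default read access makes the permission filters on the other roles ineffective.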

I am using a Corporate Identity Provider. Do I have to upload users to IAS? 

No. If you configure your identity provider to act as a proxy for IAS, the users are copied to the corporate identity provider automatically. For more information, see the 2nd part of Step 3 in the answer to the question 'How can I create a business user?'.

Do users need a Corporate Identity Provider to log on to IBP? 

No. IBP provides access to SAP Cloud Identity Authentication service (IAS), which allows users to authenticate themselves without SSO or some other corporate identity provider.

What are the different ways of provisioning a user in the SAP IBP system?  

Users can be provisioned in the SAP IBP system using the following methods:

  • Creating a single user – Create a user via Maintain Employee and Maintain Business User Apps in the SAP IBP system.
  • Mass upload of users – Upload a CSV file via Maintain Employee App in the SAP IBP system. This will create an employee and corresponding business user within the SAP IBP System.
  • SOAP Service – The communication scenario Identity Management Integration (SAP_COM_0093) allows you to provision business users and assign roles to business users from an external identity management system. The SOAP services MANAGEBUSINESSUSERIN and QUERYBUSINESSUSERIN are available for this purpose. Check SAP API hub for more details (https://api.sap.com/api/MANAGEBUSINESSUSERIN/overview).
  • SAP Cloud Platform Identity Provisioning Service – The communication scenario SAP Cloud Platform Identity Provisioning Integration (SAP_COM_0193) allows you to connect SAP Cloud Platform Identity Provisioning Service with SAP Integrated Business Planning.

Can we use an external identity provider to authenticate users, and if so, do we still need SAP Cloud Identity Authentication Service?

You can use an external identity provider to authenticate users. In this case, you must configure SAP Cloud Identity Authentication Service in a proxy mode to redirect the authentication to an external identity provider. For more details see Corporate Identity Providers.

What is the difference between User ID and User Name? 

The User ID is a technical ID, such as CBXYZ, generated by the IBP system. The User Name is like an alias, and it is used in IAS or in the corporate IdP.

What is the difference between Communication Scenario SAP_COM_0093 and Communication Scenario SAP_COM_0193?

Communication Scenario SAP_COM_0093 is valid for provisioning users and business roles assignments in SAP IBP via SOAP Service.

Communication Scenario SAP_COM_0193 is used exclusively for provisioning users in SAP IBP via SAP Cloud Platform Identity Provisioning Service product.

Do you support SAP IBP and SAP Governance, Risk and Compliance (SAP GRC) integration scenario?

No.  SAP IBP is a cloud product and can’t be integrated with SAP Governance, Risk and Compliance (SAP GRC).

Do you support SAP IBP and SAP Cloud Identity Services - Identity Provisioning (IPS) integration scenario? 

Yes.  Users can be provisioned in SAP IBP system via SAP Cloud Identity Services - Identity Provisioning (IPS). Communication Scenario SAP_COM_0193 is used for this purpose.

As of IBP release 2108, IPS is included with the IBP standard subscription. IPS tenants are not automatically provisioned, but must be requested by the customer if needed. You can find more information on this topic at Integrating Identity Provisioning Service with SAP IBP - SAP Help Portal.

Do you support SAP IBP and SAP Cloud Identity Access Governance integration scenario?

Yes. You can find more information on this topic at Integrating SAP Cloud Identity Access Governance with SAP IBP - SAP Help Portal.

Do you support SAP IBP and SAP JAM integration?

Yes. You can find detailed information on this topic at SAP JAM Integration Guide.

Can we restrict the number of users which are provisioned to JAM?

You can restrict the users which are provisioned to JAM if you use SAP Cloud Platform Identity Provisioning Service.

For detailed information see the section on Limiting the Set of Provisioned Users under Provisioning Users to SAP JAM.

How can I download the list of IBP Business Users?

The Maintain Business Users Fiori app provides a list of IBP Business Users and you can download this information.

How can I see SAP Delivered Business Catalogs?

All the business catalogs delivered by SAP can be viewed in the Business Catalogs Fiori App.

How do I find information about which Fiori Apps (IBP Applications) are assigned to a business catalog?

The Business Catalogs and IAM Information System Fiori Apps provide this information.

How can I see SAP delivered Business Role Templates?

All the business role templates delivered by SAP can be viewed in the ‘Business Role Template’ Fiori App.

As an initial set-up, we have uploaded users in SAP Identity Authentication Service and we now want to onboard additional users; what will happen to the existing users?

Additional new users will be created. Existing users will remain unchanged. If you upload the existing user information again, the old information in the SAP system will be overwritten.

How can I see the SAP technical users in my SAP IBP system?

The Display Technical Users Fiori App provides the list of SAP technical users.

How can I run an authorization trace in the SAP IBP system?

The Display Authorization Trace Fiori App can be used to run an authorization trace.

Can we restrict the validity of a business role?

You can’t restrict the validity of a business role. However, you can restrict the validity of a business user.

Can we perform SOD/Risk analysis for IBP Roles?

Yes.

Can we transport IBP business roles from a test to a production system?

Transport of business roles is not supported in IBP. In the Maintain Business Role App, you can download the roles from the test system to a file and upload them in the production system via the same App.

Where can I find information about the relationship between applications, business roles, business catalogs and business users?

The IAM Information System Fiori app provides this information.

Can we transport permission filters?

Yes, you can transport permission filters via the Transport Model Entities App.

Can we transport attribute permission filters?

Yes, you can transport attribute permissions via the Transport Model Entities app.

How are the business role restrictions different from permission filters?

Business role restrictions and permission filters work together. The user always needs write access for key figures in the role restriction. In the permission filter, you can restrict this further by defining the Write Filter criteria.

Is there a way to trace the permission filter restriction?

No. 

Can a Business User log in to the Excel Add-in?

To log in to the Excel Add-in, the following conditions must be satisfied:

  • User must be assigned to a permission filter for the planning area or, in the business role, the restriction field for the permission filter should be set to ‘Unrestricted’
  • User must be assigned a role with defined restrictions for key figures of the planning area
  • The required restriction types for logging into Excel Add-in are delivered in the business catalog SAP_IBP_BC_EXCEL_ADDIN_PC (Basic Planning Tasks).

Can a user have display only access to the Maintain Business Roles or Maintain Business Users Apps?

Yes. Create a business role with the business catalogs SAP_CORE_BC_IAM_RM (Identity and Access Management - Role Management) and SAP_CORE_BC_IAM_UM (Identity and Access Management - User Management), and set the Read Access to Unrestricted and Write Access to No Access. Assign the role to the user.

Can we download information related to employees?

Download functionality is available in the Maintain Business User Fiori App in the SAP IBP system.

What is the relationship between IAS user groups, custom attributes and IBP business role user assignments? 

An IAS system can be assigned to multiple service providers in the IdP landscape, meaning that the same IAS can serve as an authentication service for an IBP test tenant, an IBP sandbox tenant, and other SAP cloud services such as S/4HANA. The user group concept in IAS has been developed for assigning a collection of users to a single group, which can be used for altering the authentication flow based on the group the user belongs to (for example, requiring MFA from a user of one group, while not requiring it from the user of another). In contrast, IBP business user groups are used for providing authorization assignments to users who have already been authenticated in a specific IBP system.

These concepts, though they have similar naming, work at different levels in your IAM landscape.

Troubleshooting


Issue: I created a new employee in IBP, then created a new business user for the employee, and I uploaded the user to IAS. Yet the employee did not receive a notification email from IAS.

Solution: Check if the email address you entered for the employee is correct. If it is not, delete both the business user and the employee and create them again from scratch. If the email is correct, there is probably a technical issue - please delete the user in the User Management app of IAS and create it there again.


Issue: When logging in, I am sometimes taken to the IBP logon page, sometimes to IAS.

Solution: Make sure you are using the right URL as stated in the onboarding email.


Issue: I am having problems when trying to log on to IBP or IAS.

Solution: Clear the cache of the web browser.


Issue: I changed an email in the Maintain Employee app but received an error message saying that the employee ID already exists.

Solution: Delete the employee and create it again. Always make sure you enter the correct email when you create an employee.


Issue: I am having problems when trying to create a business user.

Solution: Business users can be created in IBP from any employee that does not yet have a business user. To create a business user, you have to create an employee first with the Maintain Employees app, then follow the instructions in How can I create a business user?. If the list is empty, then all employees have been linked to business users in your system.


Issue: I cannot get to the IAS logon page from IBP.

Solution: Refresh your web browser.


Issue: I downloaded the list of business users in the Maintain Business Users app but it does not contain all users.

Solution: Make sure you did not delete the employees that the missing business users are based on. Always delete the business users before deleting the corresponding employees.



4 Comments

  1. Great Page. May I ask, what the relationship (if any) from IAS Groups and Custom Attributes towards Business Roles in IBP is? I'm looking at Configuring Identity Federation and am wondering if this groups and attributes for application is something we need to look into or if this is not used by IBP at all.

    1. Hi Jens! There is no relationship between IAS User Groups and User Groups on the IBP side, and the Custom Attributes are not checked by IBP, only the Subject Name Identifier is used. I've added a new section regarding this question: Identity and Access Management - FAQ - Supply Chain Management (SCM) - Community Wiki (sap.com).

  2. Hi again,

    we currently plan to create the users in IBP manually but we are using a corporate IdP. Would it be wise ...

    1. to use our personnel number out of SAP HCM for Employee ID e.g. 00012345 (as that is pretty much immutable e.g. not changed as result of a marriage etc)
    2. then change the User Name in Business User to an actual (Windows) username recognized by our corporate IdP e.g DOEJOHN, even if that is not matching the Employee ID, violating your rule above

      Make sure the employee ID you entered in the Maintain Employee app is identical with the user name you entered in the Maintain Business Users app.


    3. Would it be a problem if the Business User "User Name" changes e.g. on marriage from DOEJOHN to PUBLICJOHN?

    Many thanks and kind regards

    Jens

    1. Hi Jens,

      1.  Yes, that's perfectly reasonable for Employee ID.
      2.  Matching the User Name and the Employee ID is not required. I updated the wiki, thank you for pointing out that one.
      3.  As long as you change it on the Identity Provider side too, it's not a problem. The IdP username and the IBP user name have to match, because those two values will be compared when the user tries to authenticate.


      Best regards,

      Bendeguz