Indentity and Access Management - FAQ
Identity and Access Management - FAQ
The following is a summary of the steps you need to take in Identity and Access Management. For detailed information, see the application help or the Web Assistant within the apps.
WHAT DO I NEED TO USE IBP AS AN ADMINISTRATOR?
First, you need a customized URL for SAP Integrated Business Planning and the administrator credentials that you can use to log on to IBP. You can find all of this information in an email sent to the IT contact named in the IBP contract:
Second, you need a customized URL for the SAP Cloud Identity Administration Console. You can find this information in a second email sent to the IT contact named in the IBP contract:
If it was not you who received this email, the person who received it can create an administrator user for you in IBP, upload it to SCI, and then SCI will send a similar email to you as well.
WHAT ARE THE PREREQUISITES FOR AUTHENTICATING IBP USERS?
The prerequisites depend on the identity provider you are using:
- If you wish to use SAP Cloud Identity service (SCI), you must create all users there as well. You can create users in SCI either manually or by uploading the IBP users you created.
- If you wish to use a corporate identity provider (IdP) you must create all users there as well, configure it as a trusted IdP, and choose it in SCI to be used as the identity provider.
For details, see Step 3 under HOW CAN I CREATE A NEW USER.
WHAT IS THE PASSWORD POLICY IN IBP?
The use of passwords in SAP Integrated Business Planning is defined by the enterprise password policy applied in SCI.
For more information, see https://help.hana.ondemand.com/, under SAP Cloud Identity Service > Operation Guide > Configure Applications > Set a Password Policy for an Application.
CAN AN ADMINISTRATOR CHANGE THE PASSWORD OF OTHER USERS?
No. The administrator can only set the initial passwords or just send activation e-mails while creating the business users:
Later only the user can change his password. This can be done on the Logon screen of SCI via Forgot Password:
HOW CAN I CREATE A BUSINESS USER?
- Create an employee in the system:
- Open the Maintain Employee app.
- Click Add.
- Fill in the required fields. For Employee ID, enter the unique name or ID generally used at your organization to identify the employee.
2. Create a business user based on the employee:
- Open the Maintain Business Users app.
- Click Create.
- Search for the employee you just created and select it.
d. The business user is created immediately. Look it up in the list of all users and open it for editing by clicking anywhere in its line.
e. Fill in the required fields.
The User ID is provided by the system automatically. It is also displayed in the User Name field but there you must replace it with the login name defined for that user in the corporate identity provider. If you are not using a corporate identity provider, you can leave the user name as it is, or you can replace it with the Employee ID, for example.
3. If you are using SCI, proceed as follows:
a. Remain in IBP and download the list of users into a CSV file using the Download button in the Maintain Business Users app.
b. Log on to the Cloud Identity Administration Console of SCI and upload the CSV file using the Import Users app:
The user will receive an email with a URL that directs them to the SCI logon screen:
After activation, the user can choose a password for SCI. Once they log on to SCI, they are automatically redirected to SAP Integrated Business Planning.
If you are using a corporate IdP, proceed as follows:
- Create the same user in the corporate IdP.
b. Log on to the SAP Cloud Identity Administration Console in SCI.
c. Open the Corporate Identity Providers app and add your corporate IdP the set of trusted identity providers.For more information, see the application help for SCI.
d. Open the Applications app.
e. Select the URL for IBP.
f. Click Identity Provider under Authenticating Identity Provider.
g. Choose your corporate IdP from the list.
Your corporate IdP is now configured to act as a proxy for SCI. As a result, the users are copied to the corporate IdP automatically.
HOW CAN I LIMIT THE APPS THAT A PERSON CAN USE?
- Open the Maintain Business Roles app in IBP.
- Create a business role:
- Click New.
- Fill in the required fields.
3. Assign those business catalogs to the role that provide access to the required apps:
- Click the Assigned Business Catalogs tab
- Click Add.
c. Select the business catalogs you want to assign.
d. Click OK or Apply. If you click Apply, the window remains open and you can continue adding more business catalogs.
e. Click Activate on the main screen of the app. Without activation, the role is not generated and not assigned to business users in the backend.
The status of the business role can be seen on the right hand side at the top of the screen.
4. Assign the business user you created for the person to the business role that provides access to the required apps:
- Click the Assigned Business Users tab.
- Click Add.
c. Select the business user you want to assign.
d. Click OK or Apply.
If the business role already exists when you create or edit the business user, you can also choose a different approach:
- Open the Maintain Business Users app.
- Select the business user to which you want to assign the business role.
- Click Add at the top of the Assigned Business Roles section.
d. Choose the required business role.
e. Click OK or Apply.
CAN I DOWNLOAD THE CONTENT OF A BUSINESS ROLE?
The Maintain Business Roles app shows the content of business roles, but there is no way to download them. You can copy them in order to create new roles, which are based on the content of the source role.
HOW CAN I LIMIT WHAT DATA A PERSON CAN SEE IN THE APPS?
- Open the Maintain Business Roles app.
- Select a business role that is assigned to the business user you created for the person in question.
- Click Maintain General Restrictions at the bottom of the screen.
4. Specify the rights for read and/or write access. For read access, you can choose Restricted or Unrestricted. For write access, you can also choose No Access.
For example, you can specify restricted write access for one planning area only.
Note that the default restriction values are the following:
- Read: Unrestricted
- Write: No access
5. Specify restriction values for the access types you set as Restricted:
- Look up the relevant restriction area. For example, if you want a certain key figure to be visible only in one specific planning area, look up the Key Figures restriction area.
a. If you can’t see a restriction area on the screen, it is not available for the catalogs you assigned to that business role.
b. Choose the values for the various fields within the restriction area. For example, if you want the key figures to be editable,
do the following:
i. Choose the pencil icon next to Planning Area.
ii. Select the name of the planning area that you want to provide write access to.
iii. Click OK.
The restrictions are eventually added up - a business user has access to everything that the business roles assigned to it have access to.
6. Add new restriction areas (optional).
For example, if you want to specify that a business role should have write access to two different key figures in two different planning areas, you need to add the Key Figure restriction area to that business role twice (or once more if it is listed for that role by default).
HOW CAN I RESTRICT THE AVAILABLE DATA BY MASTER DATA TYPE ATTRIBUTES?
- Open the Visibility Filters app.
- Click Create.
- Specify general data and some filter criteria. For example, if you want a person to see only those data that are related to the PFA product family, specify in the filter that the PRDFAMILY should be equal to PFA.
4. Click Save.
5. Open the Maintain Business Roles app.
6. Click a business role that is assigned to the business user you created for the person in question.
7. Set the Read access type as Restricted.
8. Look up the General restriction area in the Read section.
If you can’t see this restriction area on the screen, it is not available for the catalogs you assigned to that business role.
9. Choose the pencil icon next to Visibility Filter ID field.
10. Select the name of the visibility filter that you want to apply.
11. Click OK.
ARE ANY STANDARD BUSINESS ROLES DELIVERED WITH IBP?
No. As an administrator, you define the business roles that the employees may need at your organization.
CAN I EDIT THE TILE GROUPS ON THE LAUNCHPAD?
You can personalize your own launchpad but cannot configure others’. The predefined business catalogs allow access to the tiles and through them the apps. By adding business roles to a business user with various catalogs assigned to them, you can add tiles to the launchpad of that user. You can also personalize your own launchpad by adding new groups or changing the content of the groups.
HOW CAN I ASSIGN VISIBILITY FILTERS TO A USER?
You cannot assign visibility filters directly to a business user, only to a business role. First assign the filter to the business role in the form of a restriction, then assign the business role to the business user.
I AM USING A CORPORATE IDENTITY PROVIDER. DO I HAVE TO UPLOAD USERS TO SCI?
No. If you configure your identity provider to act as a proxy for SCI, the users are copied to the corporate identity provider automatically. For more
information, see the 2nd part of Step 3 under HOW CAN I CREATE A BUSINESS USER.
DO USERS NEED A CORPORATE IDENTITY PROVIDER TO LOG ON TO IBP?
No. IBP provides access to SCI, which allows users to authenticate themselves without SSO or some other corporate identity provider.
Issue: I created a new employee in IBP, then created a new business user for the employee, and I uploaded the user to SCI. Yet the employee did not receive a notification email from SCI.
Solution: Check if the email address you entered for the employee is correct. If it is not, delete both the business user and the employee and create them again from scratch. If the email is correct, there is probably a technical issue - please delete the user in the User Management app of SCI and create it there again.
Issue: When logging in, I am sometimes taken to the IBP logon page, sometimes to SCI.
Solution: Make sure you are using the right URL as stated in the onboarding email.
Issue: I am having problems when trying to log on to IBP or SCI.
Solution: Clear the cache of the web browser.
Issue: I changed an email in the Maintain Employee app but received an error message saying that the employee ID already exists.
Solution: Delete the employee and create it again. Always make sure you enter the correct email when you create an employee.
Issue: I am having problems when trying to create a business user.
Solution: Make sure the employee ID you entered in the Maintain Employee app is identical with the user name you entered in the Maintain Business Users app.
Issue: I cannot get to the SCI logon page from IBP.
Solution: Refresh your web browser.
Issue: I downloaded the list of business users in the Maintain Business Users app but it does not contain all users.
Solution: Make sure you did not delete the employees that the missing business users are based on. Always delete the business users before deleting the corresponding employees.