SAP Knowledge Base Article - Public

3405942 - FAQs about Identity Provisioning Service in S/4HANA Public Cloud

Symptom

You have question related to below Identity Provisioning Services topics for S/4HANA Public Cloud Customers,

Environment

SAP S/4HANA Cloud Public Edition

Resolution

Identity Provisioning General Information and Configuration

  1. What does Identity Provisioning provide/ What are the benefits of Identity Provisioning?

    Identity Provisioning Manages identity lifecycle processes for cloud and on-premises systems. Identity Provisioning automates the provisioning of user identities and authorizations to different cloud and on-premises applications. It streamlines processes like user and group provisioning, filtering, and job logging. It helps you provision identities and their authorizations to various cloud and on-premises business applications.

  2. Are there any restrictions or prerequisites for using Identity Provisioning?

    Prerequisites include obtaining a tenant, either a bundle or standalone tenant, to use Identity Provisioning. Also, one restriction is that Local Identity Directory is not available in bundle tenants running in Neo environment.

  3. What are the key features of Identity Provisioning?

    Identity Provisioning offers features like user and group provisioning, user and group filtering, full and delta read modes, job logging, notifications, and the ability to encrypt data using your organization's keys.

  4. How can I track the status of provisioning jobs in Identity Provisioning?

    You can view, and export job logs from the Identity Provisioning administration console, which provides details about job status and the entities that have been provisioned

  5. How does Identity provisioning landscape look like?

    There are two types of tenants: bundle tenants and standalone tenants.

    A bundle tenant is provided with preconfigured provisioning systems relevant to bundled SAP cloud solutions. It differs from standalone tenants in terms of pricing (Identity Provisioning is free in bundle tenants), connectors availability, and access to SAP BTP cockpit.

    Customers are entitled to two Identity Provisioning bundle tenants—one for testing and one for productive purposes. These come preconfigured with the SAP cloud solution(s) they have purchased.

    A standalone tenant allows users to use Identity Provisioning as a separate product. It can be used for provisioning users and groups to and from all supported systems by Identity Provisioning service. The access and operation of a standalone tenant vary depending on whether it runs on SAP Cloud Identity Services infrastructure or SAP BTP, Neo Environment. 

    The service is no longer sold as a standalone product since October 20, 2020. Existing customers of standalone Identity Provisioning can use it as-is until the end of their contracts.

  6. What is the concept of supported systems in Identity Provisioning?

    The Identity Provisioning service supports provisioning of users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP.

    Customers can learn more on source, target and proxy systems from SAP Cloud Identity Services - Identity Provisioning

User Setup and Access

  1. How to get access for a bundle tenant?

    The way you obtain a bundle tenant depends on the SAP cloud solution you have purchased. It can be an automatic process or a manual one (by creating an incident)
    Please refer Obtain a Bundle Tenant help document for details.

  2. How do I do the initial setup of the bundle tenant?

    To Set up the systems for your provisioning scenario and run the provisioning jobs customers need to follow the below: Initial Setup of Bundle Tenants.

  3. I need admin rights for Identity Provisioning bundle tenant & I need to ask the initial (or a secondary) administrator for the bundle tenant, but I don't know who they are?

    All your Identity Provisioning and Identity Authentication tenants can be viewed by using the SAP Cloud Identity Services - Tenants application. You can access it at the following URL: https://iamtenants.accounts.cloud.sap/. This tool displays the tenant administrators, the type of your tenant (test or productive), the date it was created, and the region where it is available.

    If IPS tenant is running on Cloud Identity Service Infrastructure, you may ask IAS administrator for help.

    If you still struggle and can't find any administrator yourself, create an incident for component BC-IAM-IPS and request the contacts of the initial tenant administrator.

  4. I am the initial administrator of your Identity Provisioning bundle tenant, ( or another admin user has granted you such permissions). Now, other users have asked me to grant them admin permissions too, but I don't know how to do it, or what tool to use?

    For IPS running in Neo environment, open the Identity Provisioning admin console and choose the Authorizations tile. It allows you to grant admin rights to as many additional users as you want.

    For IPS running on Cloud Identity Service Infrastructure, open IAS administration console and navigate to Users & Authorizations -> Administrators, add user and assign Manage Identity Provisioning role.

    To learn more you can refer to Manage Authorizations (Bundles)

  5. As an administrator, how can I set up the Identity Provisioning service so that entities from a source system are easily transferred to a target system/ How do I add or delete or edit system in Identity Provisioning?

    Customers can follow the link to set up the Identity Provisioning Service: https://help.sap.com/docs/identity-provisioning/identity-provisioning/operations?version=Cloud

  6. I choose to select add option to create a new system. But a warning message appears, saying that the maximum number of source or target systems allowed for my subaccount has reached. How to proceed further?

    The reason for the above error is by default, you are allowed to create up to 20 source and 50 target systems for your subaccount.

     As a solution the following steps can be followed:

    1. Check if there is a system that is no longer relevant to your business scenario.
    2. If you think you might still need it in future, export it first as a JSON or a CSV file.
    3. Delete that system from the UI.
    4. Add a new source/target system.

    If your business case requires more productive source systems, create an incident for component BC-IAM-IPS to request the number of additional systems. In the incident, specify also:

    • The IDs of your global account and subaccount, or your bundle tenant.
    • If your IPS tenant is running on Cloud Identity Service Infrastructure, provide tenant URL.

    To which region your account/tenant belongs. You can find it in this list: (Discovery Center) Identity Provisioning -> Service Plan.

  7. A previously enabled system (source, target, or proxy) is now disabled. You choose the '' icon to edit the system status. '' The  Enable button is inactive (greyed out). What has caused this?

    The root causes of the above mentioned problem and the solution are as follows:

    1. A particular system( (Bundle/ Standalone) is disabled because it uses a feature that was only temporarily enabled.
    Solution: If you still need this feature, you can request it again by contacting the Support team. Create an incident for component BC-IAM-IPS. In the incident, specify also:

    •The IDs of your global account and subaccount, or your bundle tenant.
    •To which region your account/tenant belongs. You can find it in this list: (Discovery Center) Identity Provisioning -> Service Plan

    2. Customers use the Identity Provisioning service as part of an SAP cloud solution. The systems belonging to the relevant bundle are disabled, indicating that the license for the relevant product has expired.
    Solution: To enable your inactive systems and continue using them, extend your bundle license.

    3. A particular system(Standalone) is disabled because it's available only when Beta features are enabled.
    Solution: Beta features might be disabled for your subaccount. To verify this, follow the steps below:

    1.In the SAP BTP cockpit, navigate to your global account.
    2.On your subaccount tile, choose Edit.
    3.For Beta Features, select the Enable checkbox.
    4.Refresh the Identity Provisioning admin console to see if the disabled system is now available.

  8. Beta features are disabled for my subaccount due to which my system is disabled. What is the workaround?

    A particular system is disabled because it's available only when Beta features are enabled.

    Beta features might be disabled for your subaccount. To verify this, follow the steps below:

    1. In the SAP BTP cockpit, navigate to your global account.
    2. On your subaccount tile, choose (pen icone) Edit.
    3. For Beta Features, select the Enable checkbox.
    4. Refresh your Identity Provisioning admin console to see if the disabled system is now available
  9. How do I do the initial setup of a standalone tenant in Identity Provisioning?

    Customers can refer: https://help.sap.com/docs/identity-provisioning/identity-provisioning/standalone-tenants?version=Cloud for the initial setup of the standalone tenant.

User Onboarding in IPS

  1. How to create users and manage authorizations in Identity Provisioning?

    To create users and manage authorizations customers can follow the below link:

    https://help.sap.com/docs/identity-provisioning/identity-provisioning/manage-authorizations?version=Cloud

  2. How do I manage the Provisioning Jobs?

    You can start and stop a provisioning job from the Identity Provisioning user interface (UI) or from an API client by using the Identity Provisioning tenant admin API.

    Customers can follow the below links for the same:

    https://help.sap.com/docs/identity-provisioning/identity-provisioning/start-and-stop-provisioning-jobs?version=Cloud

    https://help.sap.com/docs/identity-provisioning/identity-provisioning/run-provisioning-jobs-via-api?version=Cloud


  3. What should be the solution if enabling the identity Provisioning service fails?

    There might be different reasons for failed enabling. The most common ones are,

    1. The Identity Provisioning service is currently down – In this case the solution create an incident for component BC-IAM-IPS and we'll investigate the issue.
    2. In your global account, you have enabled the Identity Provisioning for two subaccounts, and you're trying to enable it for a third one. You are not allowed to do this because, by default, you can enable the service only for two subaccounts per global account – In his case the solution is if you have already enabled the service for two subaccounts, and want to raise the quota for your global account to three or more subaccounts, create an incident for component BC-IAM-IPS. Request the number of additional subaccounts. 

    In the created incident, also specify:

    The IDs of your global account and subaccount.
    To which region your account belongs. You can find it in this list: (Discovery Center) Identity Provisioning-> Service Plan.

  4. What should I do if The Identity Provisioning Tile is missing in the Cockpit?

    Your access to the IdentityProvisioning tile in SAP BTP cockpit depends mostly on the type of product you have purchased. You have one of the following:

    • Identity Provisioning service integrated (bundled) in an SAP cloud product
    • Identity Provisioning service as a standalone product

    In case of bundled tenant the if the problem structure looks like:

    1. You already have a production global account and use at least one subaccount for non-identity provisioning purposes (that is, other services and cloud tasks).
    2. After purchasing an SAP cloud product, you request and receive access to the Identity Provisioning service. You can open the Identity Provisioning admin console by using two URLs related to two subaccounts (one for testing purposes and one for productive use). These subaccounts are new, and not to be confused with any you already have.
    3. You try to access the Identity Provisioning tile via the cockpit, using your "previous" subaccount:
      • In the cockpit, you choose the previous subaccount.
      • From the left-side navigation, you choose Services.
      • You don't see a Provisioning Service tile.  

    Even though you have obtained the Identity Provisioning service as part of a bundle product, it's not bound to your previous subaccount. The service is bound only to the subaccounts you’ve received from SAP, which have been specifically created for your Identity Provisioning scenarios.

    Also, you won't be able to select the Provisioning Service tile from either of these two subaccounts. That's because you're not intended to control the service from the cockpit.

    In case of standalone tenant: Make sure you use the correct (sub)account that is bound to your Identity Provisioning license.
    And follow below steps,

    1. Log on to the SAP BTP cockpit: https://<region>.hana.ondemand.com.
    2. Go to your global account and choose your subaccount. 
    3. From the navigation area, choose Services.
    4. Browse through this page and find the Extension Suite – Development Efficiency section.
    5. You should see an Identity Provisioning tile.
    6. The default status of the service is Not enabled. Choose Enable.

    If you are still not able to access the tile, Your problem requires deeper analysis by SAP. Please create an incident for component BC-IAM-IPS.

    In the incident, specify also:

    • The IDs of your global account and subaccount, or your bundle tenant.
    • To which region your account/tenant belongs. You can find it in this list: (Discovery Center) Identity Provisioning-> Service Plan

  5. When I access the Identity Provisioning admin Console, I can see the source system and the target system tab but the Proxy systems tab is missing!

    The Proxy Systems tile is not displayed by default in the past, create an incident to component BC-IAM-IPS to request this tile.

    In the incident, specify the URL of IPS tenant.

     Once the feature has been activated, the Home page of your Identity Provisioning admin console should show the Proxy systems tab.

  6. How my target system is synchronized with my source system?

    When you set up your systems and start a manual or scheduled provisioning job, the standard behaviour of the process reads all the entities from the source system. This mode prevents data loss and always keeps your target system synchronized with the source. You can also choose to optimize the amount of retrieved data and read only the updated entities (new, updated, deleted). For more information about these modes, see Manage Full and Delta Read.

    To keep source and target systems completely synchronized, you can use the Resync type of provisioning job.

  7. While triggering provisioning job(scheduled/manual) the job finishes successfully but some entities(users or groups) have not been updated. What is the workaround in such cases?

    A: In some cases, though, specific entities should be updated or deleted, but during the provisioning job they are not read at all. They are therefore not updated in the target system.

    The possible reason can be you might have set special conditions or expressions in your transformations. As a solution the following steps can be followed:

    1. Make sure that no special conditions or expressions (ignore or skip Operations) are set in the JSON transformation.
    2. Run again a Read or Resync provisioning job.
    3. Check to see if the relevant entities have been updated in the target system.

    If entities are still not updated:

    Your problem requires deeper analysis by SAP. Please create an incident for component BC-IAM-IPS.  

    In the incident, please provide IPS tenant URL, system exports for source/target systems and job logs as described in KBA 2719566.

  8. My business case requires to delete some entities (users or groups) from both the source and the target system. After deleting these entities from the source system, a provisioning job (manual or scheduled) is run. The job completes successfully but the entities are not deleted.

    The reason for the above error case can be: You either have set special conditions in your transformations, or have missed to add the ips.delete.existedbefore.entities property in your target system configuration.

    Note: If the property ips.delete.existedbefore.entities has not been added before the job attempting the deletion is run, adding it later will not resolve the problem.

    Resolving this issue depends on whether you have added the ips.delete.existedbefore.entities property in your target system before or after running the job attempting the deletion.

    The property is added before running the provisioning job:
    1. Make sure that no special conditions or expressions are set in the target transformation. That includes  ignore expressionskipOperations (skipping delete), or delete Entity scope.
    2. Run a Read or Resync provisioning job.
    3. Check if the relevant entities have been deleted from the target system.

    The property is added after running the provisioning job:

    If the property is added after the provisioning job finished successfully, entities recognized as "previously existed ones" cannot be deleted from the target system anymore. In this case, you need to delete them from the target system (for example, manually or via script).

    For more information on how to properly delete entities in the target system, see: Manage Deleted Entities

    If the entities are still available in the system:

    Your problem requires deeper analysis by SAP. Please create an incident for component BC-IAM-IPS.  

    In the incident, please provide IPS tenant URL, system exports for source/target systems and job logs as described in KBA 2719566.


  9. I have deleted some entities from the source system and have not set any special conditions or expressions (ignoreskip Operations, or delete Entity scope) in the target transformation. The value for property ips.delete.existedbefore.entities is set as true in the target system. After running a provisioning job, the job finishes with error, and the relevant entities have not been deleted from the target system.

    In the job log, you can see that there are failed entities when the job has tried to read them from the source system.

    Solution:

    1. Resolve the failed entities in the source system.
    2. Run again a Read or a Resync provisioning job.
    3. Check if the relevant entities have been deleted from the target system.

  10. Suppose there are some unread entities in the target system, will the provisioning job (read or resync) delete those entities from the target or is there any way I can prevent the same?

    The default behavior of the Identity Provisioning service is:

    1. It reads entities from a source system and provisions (writes) them in a target system.
    2. If, on a next reading job, the service detects that some previously existed entities are now missing, it considers them as deleted (or not active anymore).
    3. Thus, the next provisioning job (Read or Resync) deletes such entities from the target system.

    However! These entities might still be existing and active but are not read because you have set a filter or condition for some business reason.

    To prevent deletion of existing active users in your target system, proceed as follows:

    1. Select your target system in the Identity Provisioning admin console.
    2. Choose the Transformations tab and then Edit.
    3. If you want to keep existing/active users, in the user section, add the following mapping: 

    {

     "constant": false,

     "targetPath": "$.active",

     "scope": "deleteEntity"

     }

    This way, every time you use a filter or a condition, only the relevant filtered entities (users) will be created or updated.

    The rest users will remain as is - not updated but not deleted as well.

     To learn more about this scope and see specific examples for SCIM systems, see: Transformation Expressions -> scope -> delete Entity

  11. After adding a source and a target system in the Identity Provisioning UI (Both systems support provisioning of groups), these systems are correctly set up. For the source one, the default group transformation is used. A provisioning job is started. But in the target system, users are provisioned but groups are missing.

    The reason for the above-mentioned error can be In the source system transformations, group provisioning is disabled (ignored) by default.

    To enable group provisioning, manually change the ignore condition to:

    "group": { 
            "ignore": false,
            "mappings": [
               {
    ...
  12. I added one source and multiple target systems in our Identity Provisioning UI and started a provisioning job. The job fails for one of the multiple target systems.

    Provisioning to one of the target systems may fail due to exception. Those exceptions occur when provisioning to one of the multiple target systems fails, for example, due to connectivity issues. You can try starting the provisioning job again.

Integration of IPS with S/4

  1. I added a source and a target system in your Identity Provisioning UI and started a provisioning job (Read or Resync). In the Job Logs section, the job has finished with error with status code 401 - either in the main Error Message filed, or in the details of a particular failed entity.
    The error looks like the following ones:
    I. In the main Error Message field, you find:  "HTTP operation failed invoking  <system_URL> with statusCode: 401"
    II. In the logs of a failed entity, you find:  "OAuth request failed with status: 401 and body: {"error":"unauthorized","error":"description":"Bad credentials"}"

    This error mostly appears when the credentials of the relevant system are wrong. However, the reason can also be incorrect names or values of the following properties:

    • Authentication (BasicAuthenticationNoAuthenticationClientCertificateAuthentication)
    • ProxyType (InternetOnPremise)
    • Type (HTTPLDAPRFC)
    • URL

    NOTE: These properties and values are case-sensitive.

    Bear in mind the place you've found the error! That means:

    • If the 401 error appears in the main Error Message field - the wrong credentials or incorrect property values are in the source system.
    • If the 401 error appears in the details of a failed entity - the wrong credentials or incorrect property values are in the target system.

     Solution

    Go to the Properties tab of the relevant source or target system and correct the credentials (User and Password), or the other affected properties

  2. Can I use the Identity Provisioning service to create my business users in SAP S/4HANA Cloud Public Edition?

    An identity management-driven user lifecycle is not possible in SAP S/4HANA Cloud Public Edition because HCM integration is active and cannot be deactivated. You need to ensure that the corresponding worker (HR master data) is already available in the SAP S/4HANA Cloud Public Edition system before you run the identity provisioning job to create, update, or delete the business user. For more information about possible implementation scenarios, refer to Identity Management for SAP S/4HANA Cloud Public Edition and Integrated Products.

See Also

https://help.sap.com/docs/identity-provisioning/identity-provisioning/what-is-identity-provisioning?version=Cloud

Keywords

KBA , BC-IAM-IPS , Identity Provisioning Service (IPS) , How To

Product

SAP S/4HANA Cloud Public Edition all versions ; SAP S/4HANA Cloud all versions