Dear Reader,

Followed by the blogpost series on S/4HANA Cloud 3SL onboarding (which will take you through the simplified steps you need to perform while onboarding S/4HANA Cloud 3SL onboarding and initial system set-up), this is the third blogpost on the series. 

Here, we'll discuss on how you would provision a Central Business Configuration tenant and upon receiving it, how would you perform initial setup tasks to enable users for their daily work.

Hope this will help you in some extent while to catch up with the forthcoming S/4HANA 3SL challenges this year.

Pre-requisites: Before starting, I'm assuming that you are already familiar with S/4HANA Cloud 3SL system landscape and components. There are multiple blogposts, learning materials are available one click away, my advice would be to go through them before reading the blogpost series. If you are looking for a bit elaborated synopsis, I highly recommend going through this learning content: Onboarding with SAP Activate for SAP S/4HANA Cloud, Public Edition | SAP Learning. I also hope, since you are here, you have already hovered on the initial blogposts of this series :

• https://blogs.sap.com/2023/12/17/s4-hana-cloud-3sl-onboarding-and-initial-system-set-up-series/
• Receive order confirmation mail and set-up SAP for Me | SAP Blogs

Contents: Here, we'll discuss on how you would provision a Central Business Configuration tenant and upon receiving it, how would you perform initial setup tasks to enable users for their daily work. Sequentially, we'll see how this can be achieved:

Provision CBC tenant from SAP for Me: I am assuming you already have access to SAP for Me. Go to Systems & Provisioning section -> Provisioning tab and trigger auto-provisioning of CBC by clicking 'Start Provisioning' button. At this moment, you don't have any SAP Cloud Identity Service available, hence it will create a new one and bundle it with the CBC & subsequent non-prod tenants.

In the provisioning status card, you'll see the status as submitted till it is ready.

Get HO mails : Once the tenant is provisioned, you'll receive two mails as a part of the onboarding bundle i.e. :

• The first mail  would contain the details of your SAP Cloud Identity Services tenant. It will have the CIS tenant info, activation URL, admin URL & some relevant KBA info.

• The second mail would contain the detail of your CBC tenant. This is your CBC handover mail. It will contain your customer number, CBC system number, Tagged identity services tenant details and CBC home URL.

Activate CIS :

• Open the CIS handover mail and click into the activation URL. In the activation UI, you'll be asked to set your password, set it and continue.

• You have now your bundled CIS activated.

• Continue and explore your CIS admin console.

Check Subject Name Identifier: The subject name identifier is a profile attribute that Identity Authentication sends to the SAP Central Business Configuration application. The application then uses this attribute to identify the user. Setting this subject name identifier is an automated task. But in order to ensure that the users can log on to the SAP Central Business Configuration system with the correct subject name identifier, open the CIS admin console and go to Bundled application -> SAP CBC -> Trust tab -> Single Sign-on -> Subject Name Identifier -> Basic Configuration and verify if the basic attribute is set as 'Login Name'.

Run IPS Job for Pushing Roles: To replicate the required roles/user groups from the SAP Central Business Configuration tenant to your Identity Authentication tenant, and job runs automatically in the Identity Provisioning service. This is also automated, but you need to verify if already have all the required user groups available in your CIS tenant. Verify the groups availability by visiting CIS -> Users & Authorizations -> User management -> Groups and validate the listing. It should be as follows:

If you see one or the other roles are missing here, go ahead the run the IPS job manually. Go to CIS -> Identity Provisioning -> Source Systems -> CBC Source System entry (The name starts with CBC*) -> Jobs tab -> Jobs Type : Read Job -> Run Now

You may check the provisioning logs if you want to verify the completion status.

Provide Access Rights to Initial User: In the previous section, we saw the authorization groups. Each group covers different levels of access rights for the SAP Central Business Configuration system. As per the project requirement, assign them to the initial user/your user. During the IPS job run, the project manager role (SAP_CBC_CONSUMPTION_PROJECT_LEAD) is automatically assigned to the initial administration user. This role grants you as administrator, access to the SAP Central Business Configuration system.

Go to CIS -> Users & Authorizations -> User Management -> Select initial admin user -> Groups -> Assign

Run IPS Job for User Provisioning: To replicate users from your Identity Authentication tenant to SAP Central Business Configuration, you have to run a job in the Identity Provisioning service. This IPS job pushes the newly created users to CBC from IAS.

Go to CIS -> Identity Provisioning -> Source Systems -> Bundled IAS (The name starts with IAS-<part of CBC link>*) -> Jobs -> Jobs Type : Read Job -> Run Now

Verify CBC Access : Now, you should have access to CBC. Launch CBC by the URL(received in HO mail) and after IAS authentication, it should take you the home page.

CBC project configuration is a completely separate, I did not cover this here.

This concludes this blogpost. Next, continue to see the subsequent blogpost of this series.

Provisioning SAP S/4HANA Cloud Starter System and complete the initial set-ups on user onboarding (coming soon).

See you there 🙂