
Provision Users into your SAP BTP ABAP Environment

Requires Customer/Partner License
Provision and authorize users for ABAP development via Cloud Identity Services in one or more target systems
You will learn
  • How to create and group developer identities in your SAP Cloud Identity Services - Identity Authentication tenant
  • How to enable identity provisioning in your Identity Authentication service tenant
  • How to configure and run identity provisioning
  • How to connect Eclipse with the ABAP environment
Ulrike Liebherr, September 13, 2022
Created by Liebherr, February 3, 2022
Contributors: Liebherr

Prerequisites

  • You have installed and set up ABAP Development Tools for Eclipse, see https://tools.hana.ondemand.com/#abap
  • You have an SAP Business Technology Platform customer subaccount and have prepared the following
    • Subscription to Cloud Identity Services
    • Established trust to your SAP Cloud Identity Services - Identity Authentication tenant, see ABAP Environment Documentation: Setup of a Custom Identity Service
    • Created an ABAP environment service instance for custom development with
      • An SAP Fiori launchpad business role for custom ABAP development created from template SAP_BR_DEVELOPER
      • A service key for ADT integration
  • You have one or more users with authorization for
    • User and Group Management in your SAP Cloud Identity Services - Identity Authentication tenant
    • Communication Management in your ABAP environment service instance (business catalog ID SAP_CORE_BC_COM or business role template ID SAP_BR_ADMINISTRATOR)


  • Step 1

    To create your development user’s identity in your Identity Authentication service tenant, log on with your User Management Administrator user to your Identity Authentication tenant’s administration UI (URL ends with path /admin, for example https://rapworkshop.accounts.ondemand.com/admin).

    1. Navigate to Users & Authorizations > User Management.

      Open User Management in Identity Authentication service tenant
    2. Select Add User to start the creation process of a user.

      Press Add button for new user
    3. Fill the personal information for the user and select Save.

      Configure properties of new user
    4. The new user is now displayed in the list of users.

      List entry for new user

    Note that the Identity Authentication service user receives an email to activate the account, and must do so before logging on anywhere with this local user for the first time.

  • Step 2

    To bundle developer users, create a corresponding user group in the Identity Authentication service tenant and assign the users to it.

    1. Navigate to Users & Authorizations > User Groups and select Create.

      Start User Group creation
    2. In the Create Group dialog enter a Name and Display Name and select Create.

      For the group name, please use the identical name you have set for the business role in your ABAP environment (created from template SAP_BR_DEVELOPER, see prerequisites).

      Configure properties of new group
    3. To add users to the group select Add.

      Start user adding to group
    4. Search for the user that you have created earlier, select it, and choose Save.

      Save User Group
    5. The user is now displayed in the user group list.

      List entry for user in group
  • Step 3

    Authorize an Administrator user for Identity Provisioning Management.

    Navigate to Users & Authorizations > Administrators, choose the Administrator user, slide the toggle button for Manage Identity Provisioning to ON, and select Save.

    Set Identity Provisioning Management
  • Step 4

    Identity provisioning requires you to configure a source system for user and user group data.

    1. Log on with your Identity Provisioning Manager user to your Identity Authentication service tenant’s identity provisioning UI (URL ends with path /ips, for example https://rapworkshop.accounts.ondemand.com/ips).

    2. Select the Source Systems tile.

      Source System Tile
    3. To start the creation, select Add.

      Add Source System button
    4. To simplify the system creation and to reduce the risk of errors, this tutorial provides a template JSON file for the source system. Download ips_system_template_source.json locally.

    5. Define the system by uploading the JSON file via Browse in the Identity Provisioning service source system UI.

      Browse for source system template file
    6. Adapt the values to your needs and provide the mandatory value for URL as shown below.

      Alternatively, you can configure everything manually.

      Details:

      Label          Value
      -----------    -----
      Type           Identity Authentication
      System Name    For example My Identity Authentication service ABAP Developers

      Properties:

      Name                Value
      ----------------    -----
      Type                HTTP
      ProxyType           Internet
      URL                 Your Identity Authentication service tenant URL, for example https://rapworkshop.accounts.ondemand.com
      Authentication      ClientCertificateAuthentication
      ias.user.filter     groups.display eq "BR_IPS_TUTORIAL_DEVELOPER"
      ias.group.filter    displayName eq "BR_IPS_TUTORIAL_DEVELOPER"
    7. Save your changes.

    8. Switch to the Outbound C… (C… like Certificate) tab and Download the certificate for later usage.

      Download certificate of source system
    9. Save again.

  • Step 5

    In this example the Identity Authentication service itself is used as a source for users and user groups that can be provisioned to other systems.
    To allow identity provisioning to read users and groups from the Identity Authentication service, you need a technical user with corresponding permissions.

    1. Navigate to Users & Authorizations > Administrators.

    2. Select Add and choose System.

      Start Administrator creation
    3. Provide a Name for the system, for example ips_tutorial_admin.
      Make sure to set only the authorizations Read Users and Manage Groups, which are both needed to read users and groups during identity provisioning, then Save your changes.

      Configure Administrator Authorizations
    4. Navigate to Configure System Authentication > Certificate.

      Configure certificate
    5. Browse for the certificate of the source system and Save the technical user again.

      Upload source system’s certificate to technical user

    Now the technical user can be authenticated via the certificate sent by the Identity Provisioning service and has the authorizations to read users and groups in Identity Authentication service tenant.

  • Step 6

    Identity provisioning requires you to configure a target system for user and user group data.
    In this example, the target system is an ABAP system in SAP BTP.

    1. Log on with your Identity Provisioning Manager user to your Identity Authentication tenant’s identity provisioning UI (URL ends with path /ips, for example https://rapworkshop.accounts.ondemand.com/ips).

    2. Select the Target Systems tile.

      Target System Tile
    3. To start the creation, select Add.

      Add Target System button
    4. To simplify the system creation and reduce the risk of errors, this tutorial provides a template JSON file for the target system. Download ips_system_template_target.json locally.

    5. Define the system by uploading the JSON file via Browse in the Identity Provisioning service target system UI.

      Browse for target system template file
    6. Adapt the values to your needs and provide the mandatory value for URL as shown below.

      Alternatively, you can configure everything manually.

      Details:

      Label            Value
      -------------    -----
      Type             SAP BTP ABAP environment
      System Name      For example My ABAP instance
      Description      For example System to receive provisioned Developer Users
      Source System    Choose the one created earlier from the dropdown

      Properties:

      Name                                             Value
      ---------------------------------------------    -----
      Type                                             HTTP
      ProxyType                                        Internet
      URL                                              The API URL of your ABAP environment
      Authentication                                   ClientCertificateAuthentication
      Identity Provisioning ips.date.variable.format   yyyy-MM-dd
    7. Save your changes.

    8. Switch to the Outbound C… (C… like Certificate) tab and Download the certificate for later usage.

      Download certificate of target system
    9. Save again.
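
One way to sanity-check the property values from the source and target system tables above before running a provisioning job, as an added example that is not part of the original tutorial or of SAP's tooling. It assumes the values are copied by hand into a flat name-to-value dictionary (the template file's JSON layout is not shown on this page) and that the group's Name and Display Name are identical; the function names and sample dictionaries are hypothetical.

```python
import re
from urllib.parse import urlparse

# Matches the simple filters used in the tutorial: <attribute> eq "<value>"
FILTER_RE = re.compile(r'^\s*([\w.]+)\s+eq\s+"([^"]+)"\s*$')

def parse_filter(expr):
    """Return (attribute, value) for an `attr eq "value"` filter, else None."""
    m = FILTER_RE.match(expr or "")
    return (m.group(1), m.group(2)) if m else None

def lint_system(props, kind, business_role=None):
    """Return findings for one system ('source' or 'target'); empty list = clean."""
    findings = []
    url = urlparse(props.get("URL", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("URL is not an absolute https:// URL")
    if props.get("Authentication") != "ClientCertificateAuthentication":
        findings.append("Authentication is not ClientCertificateAuthentication")
    if kind == "source":
        user = parse_filter(props.get("ias.user.filter"))
        group = parse_filter(props.get("ias.group.filter"))
        if user is None or user[0] != "groups.display":
            findings.append("ias.user.filter is missing or not scoped to a group")
        if group is None or group[0] != "displayName":
            findings.append("ias.group.filter is missing or not scoped to a group")
        if user and group and user[1] != group[1]:
            findings.append("user filter and group filter name different groups")
        if business_role and group and group[1] != business_role:
            findings.append("filtered group differs from the ABAP business role name")
    return findings

# Constructed sample values mirroring the property tables above.
SOURCE_OK = {
    "Type": "HTTP", "ProxyType": "Internet",
    "URL": "https://rapworkshop.accounts.ondemand.com",
    "Authentication": "ClientCertificateAuthentication",
    "ias.user.filter": 'groups.display eq "BR_IPS_TUTORIAL_DEVELOPER"',
    "ias.group.filter": 'displayName eq "BR_IPS_TUTORIAL_DEVELOPER"',
}
# Constructed misconfigurations: user filter dropped, group filter renamed.
SOURCE_BAD = {k: v for k, v in SOURCE_OK.items() if k != "ias.user.filter"}
SOURCE_BAD["ias.group.filter"] = 'displayName eq "BR_OTHER"'
TARGET_BAD = {"Type": "HTTP", "URL": "http://abap.example.invalid",
              "Authentication": "BasicAuthentication"}

if __name__ == "__main__":
    for props, kind in [(SOURCE_OK, "source"), (SOURCE_BAD, "source"), (TARGET_BAD, "target")]:
        print(kind, lint_system(props, kind, "BR_IPS_TUTORIAL_DEVELOPER"))
```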

  • Step 7

    To enable the Identity Authentication service to create users and assign business roles in the target system, that system has to provide the corresponding authorization to the Identity Authentication service. This has to be done in the launchpad of your ABAP environment instance with the user that is authorized to use the Communication Management apps.

    1. Open the Maintain Communication Users app.

      Open Maintain Communication Users app
    2. Select New.

      Select an option to create a new user
    3. Enter a User Name, for example IPS_TUTORIAL_USER, enter a Description, Upload the certificate from the Identity Provisioning service target system, and select Create.

      Maintain and create user
    4. Open the Communication Systems app.

      Open Communication Systems app
    5. Select New.

    6. In the pop-up that opens, enter a System ID and System Name, for example IPS_TUTORIAL_SYSTEM, and select Create.

      Create system
    7. In the object page of the new communication system under General > Technical Data, mark the checkbox to make the communication system Inbound Only.

      Set system as Inbound Only
    8. Under Users for Inbound Communication, select the + to add a user. In the opening pop up, select the communication user you created earlier and choose OK so that the pop up closes.

      Add inbound user to system and save
    9. Save the system.

    10. Open the Communication Arrangements app.

      Open Communication Arrangements app
    11. Select New.

    12. A pop up for the creation of a new communication arrangement opens, where you have to select scenario Identity Provisioning Integration SAP_COM_0193. This communication scenario exposes all the needed services for identity provisioning integration.

      Select communication scenario SAP_COM_0193
    13. Select Create.

      Save the communication arrangement
    14. Save the communication arrangement.

    Now the communication user can be authenticated via the certificate sent by Identity Provisioning service and has the authorization to create users and assign roles.

  • Step 8

    After the source and target systems have been created and connected with each other, you can run identity provisioning.

    1. Switch to Source Systems.

      Navigate from Target System to Source Systems
    2. Open your source system and select the Jobs tab.

    3. Choose Run Now.

      Run Identity Provisioning Job
    4. To check the status of the job run, select Job Logs from the navigation pane.

      Navigate to Job Logs
    5. Search for your log by checking the source system name and time and make sure the status is Success.

      Job finished successfully

    If the run did not finish successfully, you can navigate to the log and follow the instructions there to analyze and solve the problem. See also Guided Answers: Identity Provisioning Troubleshooting.

  • Step 9

    Now that the Developer user has been provisioned and authorized in the ABAP environment for ABAP development, you can connect the user to the system by using ABAP Development Tools for Eclipse.

    1. Open your Eclipse and navigate to File > New > Project.

      Start project creation in eclipse
    2. Choose ABAP Cloud Project and select Next.

      Choose to create ABAP Cloud project
    3. Choose SAP BTP ABAP Environment > Use a Service Key and select Next.

      Choose to create from service key
    4. Paste the service key for Eclipse integration (see prerequisites).

      Paste Service Key for ADT usage
    5. Copy Logon URL to Clipboard.

      Copy Logon URL to Clipboard
    6. Enter the credentials of the Developer User and log on.

      Log on with provisioned developer
    7. A success message is displayed and the browser window can be closed.

      Log on for ADT succeeded
    8. In the project wizard in Eclipse, check the ABAP environment and user data that are displayed in the Service Instance Connection dialog and select Finish.

      Finish ABAP Cloud project creation
    9. The new project is displayed and you can start developing.

      See ABAP Cloud project in ADT navigation
  • Step 10

    How many users are needed to let the identity provisioning process run?
