SAP Knowledge Base Article - Public

2608632 - Frequently Asked Questions on Identity and Access Management

Symptom

This document covers some basic and frequently asked questions regarding Identity and Access Management.

Environment

  • SAP Cloud for Customer.
  • SAP Business ByDesign.

Resolution

1. Where to find the Identity and Access Management (IAM) Views?

You can find them via the following paths:

  • In Business ByDesign: Application and User Management Work Center > User And Access Management.
  • In Cloud for Customer: Administrator > Users.

 

2. How do business roles work?

A business role defines a set of work centers and their associated views, including restriction rules. You can use it to grant a defined collection of access rights to several users at once.

Once you assign a business role to a user, that user becomes an active business user. Therefore, assign a business role only to a user who needs to be activated immediately, not at a future date.

 

3. How to manually update the access rights of a business user?

Go to the Business Users view, find the specific business user, click the Edit button and select the Access Rights option. In the window that opens you can manage the access rights manually for this business user, provided he or she is not assigned to a business role (access provided by a business role renders individual access rights irrelevant).

If the user has business roles assigned and you still wish to edit the access rights of this user individually, click Edit Without Business Roles to unassign all of this user's business roles at once.

 

4. What is Identity and Access Management (IAM)?

Identity and Access Management means a combination of employee records, business users, business roles and access restrictions where you can customize and control users' access to your solution.


5. How to properly update the access rights of a business user?

Once you have made the required changes to a business user, go to the Business Users view, click the Update Access Rights button and select the option Update All Users. This ensures that the update background job is triggered.

6. How to restrict a specific action with a business role (for example, business users shouldn't be able to synchronize Appointments with Outlook or disable the Inactive button)?

Only in the Cloud for Customer product can you use a business role to restrict access to some actions within a view or to hide fields and buttons.

Follow the steps below:

  1. Go to the Business Roles view.
  2. Search the specific business role.
  3. Click Edit.
  4. Go to the Field & Actions tab.
  5. Add a row under Business Action Restrictions.
  6. It will display which actions can be restricted or hidden in the system using this option.

 

7. What is access context and how is it defined?

The access context is maintained at business object level and cannot be edited or customized. For example, if the access context for a particular object is Employee, you cannot enhance the access context by adding additional criteria such as Sales Organization. You can find further details in the step Maintaining Access Context in the SAP Administrator Guide.


8. What are restriction rules and how to define them?

Restriction rules appear once you have selected to restrict access for a particular view. You can then select a predefined restriction rule. A list of them is given in the step Overview of Restriction Rules in the SAP Administrator Guide.


9. Which access right has priority if you have defined accesses that are overlapping: Read or Write?

Whenever you set a view to Write access, that setting applies to all other views with the same floorplan. This means that if you set one work center view to Write access and another to only Read (or even Restricted) access, and both are on the same floorplan, the Write access overrides the others and is applied to both work center views.


10. Is it possible to create a technical user and change their passwords?

The technical users that come out of the box with the system cannot be edited. To change their password, the technical user must be used by a communication arrangement, which makes it possible to change the password via this path:

  1. Go to the Communication Arrangement view.
    • In Business ByDesign: Application and User Management > Communication Arrangements.
    • In Cloud for Customer: Administrator > General Settings, under the Integration section.
  2. Find the relevant communication arrangement for this scenario.
  3. Click the Edit button.
  4. Navigate to the Technical Data tab.
  5. Click the Edit Credentials button.

 

11. How to change the password of a business user?

Once you find the specific business user, you need to click the Edit button, then select the Attributes option. A new window will show up and under the User Data section, you will be able to maintain a new value for the Password field.

Please note that, if you wish to change the password of your own user, you can only do so on the logon screen; see Knowledge Base Articles 2817732 (C4C) and 2787201 (ByD) for more details.

 

12. How to unlock or lock a business user?

Once you find the specific business user, you need to click the Edit button, then select the Attributes option. A new window will show up and under the User Data section, you will be able to check or uncheck the User Locked box.

 

13. How to change the validity date of a Business User?

Once you find the specific business user, you need to click the Edit button and then select the Attributes option. A new window will show up and under the User Data section, you will be able to change the Valid From/Valid To dates of the business user.

 

14. How to define the time zone of a business user?

Once you find the specific business user, you need to click the Edit button and then Attributes. A new window will show up and under the Regional Settings section, you will be able to specify the time zone. This is usually defined by an algorithm in the system itself; you can find more details about the logic behind this in the blog post Defaulting regional settings when creating business users.

 

15. How to generate a new password for a business user?

To generate a new password for a business user, you need to click the Edit button and then Attributes. Under the Actions button, there will be the option to Generate Password.

 

16. What is the difference between a business user and a technical user?

The business user is used for an Employee and can be used for daily work: creating and handling master data, business transaction documents, and so on. The technical user is a non-interactive user, predefined by the system for technical operations like background jobs or credentials for communication arrangements.

 

17. What to do if the password is not being received after using the Forgot Your Password tool?

In order to receive the token for resetting a password, users must have their e-mail addresses maintained in the system. If no e-mail address is maintained, or the address entered for receiving the token does not exactly match the address registered in the system, the token will not be sent. Also make sure that the e-mail address is unique: if multiple business users share the same e-mail address, the system will not send the password.

Lastly, if you are working on a test tenant, please check whether you have selected the option to send all e-mails to a specific e-mail address. In this case, all outbound e-mails sent from the system go to this test e-mail address, including password reset tokens. To check whether this option is maintained, please follow the steps below:

  1. Go to the Business Configuration work center.
  2. Access the Overview work center view.
  3. Search and open fine-tuning activity E-Mail and Fax Settings.
  4. Click the link for E-Mail and Fax Settings.
  5. Under E-Mail and Fax Delivery in a Non-Productive System section, check if the option "Send all e-mails to this address" is selected.

Note: Forgot Password e-mails can be triggered only once every 10 minutes.
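The conditions listed in this question (address maintained, exact match, uniqueness, the 10-minute throttle and the test-tenant redirect) can be expressed as one pre-send check. The following is an added example, not SAP code and not the system's actual logic; the user directory, the record layout, the decision labels and the timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# KBA: a Forgot Password e-mail can be triggered only once in 10 minutes.
RESET_THROTTLE = timedelta(minutes=10)

# Constructed sample directory (not real data); email None = not maintained.
SAMPLE_USERS = [
    {"id": "ADMIN1", "email": "admin.one@example.test"},
    {"id": "SALES2", "email": "shared@example.test"},
    {"id": "SALES3", "email": "shared@example.test"},  # duplicate of SALES2
    {"id": "SVC_INT", "email": None},
]

# Constructed "current time" used by the sample run below.
SAMPLE_NOW = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)


def reset_token_recipient(users, user_id, entered_email, now,
                          last_sent=None, test_redirect=None):
    """Decide whether a password-reset token would be sent and to which address.

    Returns (decision, recipient). The checks follow the KBA's conditions in
    order: address maintained, exact match, address unique, 10-minute throttle,
    and the non-productive-tenant redirect of all outbound mail.
    """
    user = next((u for u in users if u["id"] == user_id), None)
    if user is None or not user["email"]:
        return ("no-email-maintained", None)
    # The KBA says the entered address must match exactly, so no normalisation.
    if entered_email != user["email"]:
        return ("address-mismatch", None)
    if sum(1 for u in users if u["email"] == user["email"]) > 1:
        return ("duplicate-email", None)
    if last_sent is not None and now - last_sent < RESET_THROTTLE:
        return ("throttled", None)
    if test_redirect:
        # Test tenant: every outbound mail, the token included, goes here.
        return ("redirected-to-test-address", test_redirect)
    return ("send", user["email"])


if __name__ == "__main__":
    for uid, mail in [("ADMIN1", "admin.one@example.test"),
                      ("SALES2", "shared@example.test"),
                      ("SVC_INT", "anything@example.test")]:
        print(uid, reset_token_recipient(SAMPLE_USERS, uid, mail, SAMPLE_NOW))
```

The duplicate check is the one most easily missed in an audit: both SALES2 and SALES3 look correctly configured on their own, yet neither can receive a token until one of the addresses is changed.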

 

18. What is the difference between the Restricted, Read and Write accesses?

Check the definitions below:

  • Restricted: The user will have access only to specific data, depending on the Access Context and the Restriction Rule defined for it.
  • Unrestricted: The user will have access to all business data related to the view.
  • No Access: This is only available for Write access and means that the user will not be able to change or enter data.

 

19. How to find the changes done to the access rights of a business user?

Once you find the specific business user, you need to click the Edit button and then select the Access Rights option. In the new window that shows up, navigate to the Changes tab to check the logs.

 

20. What is the function of the Segregation of Duty (SoD)?

Segregation of Duty is a function that checks, for business users assigned to multiple work centers, whether there is any conflict in their access rights that could lead to a violation or fraud. SoD conflicts are shown to the administrator user so that process controls can be implemented to mitigate the possible risks.

 

21. Why is the access restriction not working as expected for a user?

If the user is assigned the PDI_DEVELOPMENT view, data from all work centers will be available to this user: unrestricted PDI_DEVELOPMENT access overrides all access restrictions.

If, after restricting write access on all work center views, the user is still able to edit a view, the cause is that the user is also assigned to the PDI_ADMINISTRATION view of the work center PDI_PARTNER_DEVELOPMENT.

This happens because unrestricted access is necessary for the development of PDI solutions. According to the Cloud Applications Studio documentation, these work center views must therefore not be assigned to regular business users.
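Questions 9 and 21 describe two ways in which a user's effective access ends up wider than an administrator configured: Write on one view of a floorplan applies to every view of that floorplan, and a PDI view overrides all restrictions. The following added example (not SAP code; the tuple layout, the floorplan labels and the sample views are assumptions made for illustration) audits a user's view assignments for both effects so the escalations are visible before the user is activated.

```python
from collections import defaultdict

# Access levels in ascending order of privilege (labels as used in the KBA).
RANK = {"Restricted": 0, "Read": 1, "Write": 2}

# Work center views that, per the KBA, give unrestricted data access and must
# not be assigned to regular business users.
PDI_VIEWS = {"PDI_DEVELOPMENT", "PDI_ADMINISTRATION"}

# Constructed sample: two views share a floorplan and one of them is Write.
SAMPLE_ASSIGNMENTS = [
    ("Accounts", "FP_ACCOUNT", "Write"),
    ("AccountsOfMyTeam", "FP_ACCOUNT", "Restricted"),
    ("Tickets", "FP_TICKET", "Read"),
]


def effective_access(assignments):
    """Apply the floorplan rule from question 9: the highest access level
    configured on any view of a floorplan is applied to every view of it.

    assignments: iterable of (view, floorplan, access) tuples.
    Returns {view: effective access}.
    """
    by_floorplan = defaultdict(list)
    for view, floorplan, access in assignments:
        by_floorplan[floorplan].append((view, access))
    effective = {}
    for views in by_floorplan.values():
        top = max((access for _, access in views), key=RANK.__getitem__)
        for view, _ in views:
            effective[view] = top
    return effective


def escalations(assignments):
    """Views whose configured access is raised by a sibling view on the same
    floorplan, as (view, configured, effective), sorted by view name."""
    effective = effective_access(assignments)
    return sorted((view, access, effective[view])
                  for view, _, access in assignments if effective[view] != access)


def pdi_views(assignments):
    """Assigned PDI views; any of them overrides every access restriction on
    the user (question 21), so an audit should flag these first."""
    return sorted(view for view, _, _ in assignments if view in PDI_VIEWS)


def audit(assignments):
    """Summarise both override effects for one user's assignments."""
    return {
        "effective": effective_access(assignments),
        "escalated": escalations(assignments),
        "pdi_views": pdi_views(assignments),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_ASSIGNMENTS))
    print(audit(SAMPLE_ASSIGNMENTS + [("PDI_ADMINISTRATION", "FP_PDI", "Write")]))
```

In the sample, AccountsOfMyTeam is configured as Restricted but becomes Write because Accounts on the same floorplan is Write; adding PDI_ADMINISTRATION makes the whole restriction configuration moot, which is why the audit reports it separately.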

 

22. Why are business users not displayed in the value help of the Users Responsible field of a business role?

You must first assign the business users the work centers and views that belong to the relevant business role; only then do they become eligible to be set as users responsible for it.

 

23. Why is access restriction not working for organization unit as expected?

If the user is not part of the required organization unit, the user will not be able to access the assigned roles. See Knowledge Base Article 2749403 for further information.

 

24. Is it possible to set access restrictions for attachments?

Access restrictions on attachments are currently not supported.

 

25. Is there any way to lock/unlock multiple users at once?

Yes. You can lock or unlock users in bulk by selecting multiple users and clicking the Lock User/Unlock User option. However, it is not possible to perform this action via any other tool, such as data migration or web services.

 

26. Can technical/support users in a system be deactivated/deleted?

Neither technical nor support users can be deleted. As for deactivation, it is possible to restrict a business user's validity: once its validity period has expired, it will no longer be active. For instructions on how to change a business user's validity, see question #13.

 

27. In security policies, how can you set the Maximum Password Validity to be unlimited?

If you do not maintain any value in the field Maximum Password Validity, then the maximum validity of a password becomes unlimited.

 

28. Is it possible to restrict report views based on employees?

Reports can only be restricted based on the work center assigned in the report.

 

29. Is there a restriction which can be imposed to not reset an administrator's password?

All users having authorization to user administrator activities are treated the same. Hence, this restriction is currently not possible.

 

30. Is it possible to track Change Log history of password change?

Password changes happen at the basis layer, unlike changes to other business object content, which happen at the ESF control level. Therefore, a change log history of password changes is not possible.

 

31. What is MFA? Is there a way to enable MFA?

MFA is Multi-Factor Authentication, an authentication method that requires employees to enter their account password and an additional PIN to access their files and applications online.

  • Multi-factor authentication is not supported in Business ByDesign. However, customers can set up single sign-on and use one of the many identity providers that support multi-factor authentication.

 

32. Why is the quick search not working in the Business Roles OWL?

The quick search in the Business Roles OWL requires either the complete business role ID or a search with wildcards (*).
Example: if you have to search for a business role whose ID is XXX YYY, you can search for it as XXX YYY, *XXX* or *YYY*. The search engine will not return it if the search term is only XXX or YYY.

 

33. Is it possible to restrict Write access for Code List Restriction?

Restriction of write access for Code List Restriction is currently not supported.

 

34. How to unsubscribe from the e-mail notification triggered for business role changes?

Currently, it is not possible to unsubscribe from this notification.

 

35. Why does it show the number of failed logon attempts after a successful logon?

All users who have had unsuccessful password logon attempts get this popup window. The idea behind a counter for failed password logon attempts is that passwords can be guessed (not only stolen), so the number of permissible failed logon attempts has to be limited. The system cannot differentiate between accidental typos by the legitimate user and attempts by an attacker to guess the password, so it raises an alert to inform you that there have been failed password logon attempts on your user ID. The maximum is five attempts: when the user enters an incorrect password more than five times, the password gets locked.

 

36. Business user keeps getting auto locked after changing the password.

There could be several reasons for this; a few of them are listed below:

  1. The old password is saved in the browser, so even after the password is changed the browser keeps trying to log in with the old saved credentials.
  2. The user credentials are used in a communication scenario. After the password change, a client kept trying to log in with the old password, and the resulting multiple incorrect logon attempts caused the password to be locked.

 

37. Unable to find changes done to a Business Role in the Change tab.

Change history is currently not enabled for these nodes of the IDENTITY_BUSINESS_ROLE Business Object. This is the reason why change history is not getting recorded under the Changes tab.

 

38. Is it possible to check when a specific business user's password expires?

Currently, there is no possibility to check this in the UI.

 

39. If a business user is assigned to a security policy that had a maximum password validity of, for example, 365 days and this is then updated to maximum validity of 730 days, will this change make the user start from day zero until 730 completely or discount the days already past?

The password validity is always counted from the date on which the password was last reset; a change to the security policy does not alter that starting date.

 

40. What is the user DELAY_LOGON used for?

The DELAY_LOGON user is used for message based authentication in web services.

 

41. What is the Work Center SAVE_POST_PROCESSING?

SAVE_POST_PROCESSING is a technical work center view that grants the Save Post Processing authorization to technical users, which basically enables technical users to perform certain operations.

 

42. Whenever a user’s validity expires, will the user be locked or not?

If the user's validity period has expired, the user will not be automatically locked from the framework's side.

 

43. Which Hash Algorithm is used by SAP C4C to store passwords in the system?

The hash algorithm used is SHA-1 with 1024 iterations.
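The KBA names only the algorithm and the iteration count. The following added example (not SAP code, and not a description of SAP's internal scheme; the use of PBKDF2-HMAC-SHA1 as the iteration construction, the per-user salt and the storage record format are assumptions) shows what an iterated SHA-1 password hash looks like in practice, including constant-time verification and a check for records produced with a lower iteration count than the current policy.

```python
import hashlib
import hmac
import os

# The KBA states the algorithm (SHA-1) and the iteration count (1024). The
# salt handling and the record format below are illustrative assumptions.
ITERATIONS = 1024
SALT_BYTES = 16
SCHEME = "pbkdf2-sha1"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive an iterated SHA-1 hash (PBKDF2-HMAC-SHA1) and return a
    self-describing record: scheme$iterations$salt$digest (hex fields)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not reveal how many bytes matched."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, iterations=ITERATIONS):
    """True when the stored record used fewer iterations than the current
    policy, i.e. it should be re-hashed at the user's next successful logon."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    record = hash_password("Correct-Horse-1")  # constructed sample password
    print(record)
    print(verify_password("Correct-Horse-1", record), verify_password("wrong", record))
```

Storing the iteration count inside the record is what makes a later increase of the work factor possible without a forced reset for every user: old records keep verifying, and `needs_rehash` tells the logon path when to write a new one.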

 

44. Is it possible to get Read access for the association RoleAssignment of the business object Identity released in the Public Solution Model (PSM) in order to read the assigned business roles of business users?

The Identity business object is a critical business object, and several parts of it, including the RoleAssignment node, are not relevant for Public Solution Model (PSM) read because of the kind of information stored in them. The Identity business object is not ready for PSM release. The transformation definition (library) IdentityUtilities, with the two separate libraries GetAssignedBusinessRoles and GetAssignedRoles, has been exposed and may be used for this business requirement.

 

45. User is getting locked frequently.

The user is locked again by the kernel after being unlocked because of failed logon attempts with an incorrect password.

First, check whether this user is used in any web services and whether there could be places where some client is trying to log in with a persisted (old) password. If that does not solve the issue, the second suggestion, as a quick remedy, is to change the User ID to something else so that the incorrect logon attempts no longer affect this user.
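Questions 35, 36 and 45 all describe the same mechanism: a per-user counter of failed password logons that locks the user once the limit is exceeded, is reported on the next successful logon, and is most often driven up by a stale stored password in a browser or a communication scenario. The following added example (not SAP code; the log line format, the source labels and the events are constructed for illustration, since the KBA describes no log format) replays such events to reproduce the counter and the popup, and then points at users whose failures all come from one source, which is where a stale credential is to be looked for.

```python
import re
from collections import defaultdict

# KBA question 35: the password is locked when the wrong password is entered
# more than five times.
MAX_FAILED_ATTEMPTS = 5

# Constructed sample logon log in an assumed one-line-per-event format.
SAMPLE_LOG = """
2024-05-02T08:00:01Z LOGON user=JSMITH result=FAIL source=browser
2024-05-02T08:00:09Z LOGON user=JSMITH result=FAIL source=browser
2024-05-02T08:00:20Z LOGON user=JSMITH result=OK source=browser
2024-05-02T08:05:00Z LOGON user=SVC_INT result=FAIL source=erp-connector
2024-05-02T08:06:00Z LOGON user=SVC_INT result=FAIL source=erp-connector
2024-05-02T08:07:00Z LOGON user=SVC_INT result=FAIL source=erp-connector
2024-05-02T08:08:00Z LOGON user=SVC_INT result=FAIL source=erp-connector
2024-05-02T08:09:00Z LOGON user=SVC_INT result=FAIL source=erp-connector
2024-05-02T08:10:00Z LOGON user=SVC_INT result=FAIL source=erp-connector
2024-05-02T08:11:00Z LOGON user=SVC_INT result=OK source=browser
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) result=(?P<result>OK|FAIL) source=(?P<source>\S+)$"
)


def parse_events(lines):
    """Yield parsed logon events; lines that do not match the format are skipped."""
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def _new_user_state():
    return {"failed": 0, "locked": False, "alerts": [], "fail_sources": defaultdict(int)}


def replay(lines):
    """Replay logon events and keep, per user: the failed-attempt counter, the
    lock flag, the counts shown at each successful logon (the popup from
    question 35) and which sources produced the failures (questions 36/45)."""
    state = defaultdict(_new_user_state)
    for event in parse_events(lines):
        user = state[event["user"]]
        if event["result"] == "FAIL":
            user["failed"] += 1
            user["fail_sources"][event["source"]] += 1
            if user["failed"] > MAX_FAILED_ATTEMPTS:
                user["locked"] = True
        elif user["locked"]:
            continue  # a locked user cannot log on until an administrator unlocks it
        else:
            if user["failed"]:
                user["alerts"].append(user["failed"])  # popup: N failed attempts
            user["failed"] = 0  # counter resets on a successful logon
    return state


def stale_credential_suspects(state):
    """Users with enough failures from a single source to reach the lock
    threshold: the pattern the KBA attributes to an old password still stored
    in a browser or used by a communication scenario client."""
    suspects = []
    for name, user in state.items():
        for source, count in user["fail_sources"].items():
            if count >= MAX_FAILED_ATTEMPTS:
                suspects.append((name, source, count))
    return sorted(suspects)


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    for name, user in result.items():
        print(name, "locked" if user["locked"] else "active", "alerts:", user["alerts"])
    print(stale_credential_suspects(result))
```

In the sample, JSMITH mistypes twice and then sees the popup "2 failed attempts" at the successful logon, while SVC_INT, a user referenced by an integration client with its old password, is locked on the sixth failure and its later correct logon is rejected; the suspect list names the erp-connector source as the place to update the stored credential.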

46. In the clone data from Production to Testing process, the Single Sign-On setting is deactivated automatically.

You need to reconfigure the Single Sign-On setting and activate it after the tenant copy; this is designed system behavior.

47. What is the limit of business roles that can be created in the system?

The system does not impose a fixed limit on how many business roles can be created, since the access policies are generated at user level (regardless of whether the access configuration comes from a business role or from an individual access configuration). However, the number of business roles may still affect the performance of the related screens due to standard UI constraints.

48. Is there a way to change the User ID of a user with web service?

At present, there is no option to mass change business user IDs. The only available option is to perform the change manually.

49. Is there a way to query the business role of an employee via web service?

From the IAM side, there is no web service to get the business roles of users. There is already an influence idea; please upvote it: https://influence.sap.com/sap/ino/#/idea/117573

50. Is there an auto-locking of business user feature in ByD? This feature is available in C4C.

This feature is not available in ByD.

51. Is it possible to change the Security Policy of a Technical User?

No, it is not possible to change the security policy of a technical user. To change the password, refer to question #10.

52. Would it be possible to check the security policy settings for technical users?

At present, it is not possible for the user to view these details. For the S_TECHNICAL_USER policy, the minimum password length is 30 characters, and the password must contain at least 1 digit, 1 lowercase and 1 uppercase character.

53. Is it possible to change the Time Zone of a Technical User?

It is not possible to change the time zone of technical users. The timestamp of a technical user is always stored in UTC and not based on the user time zone. Whenever this data is accessed via a UI, it is converted based on the user time zone.

54. Is it possible to get User logon history?

No, there is no report that provides the logon history of users. Note: the report User Logon Details does not provide the logon history of users either.

55. Is it possible to reset multiple user password in one go with specific password?

No, it is not possible. Passwords must be set or generated separately.

56. You are unable to change the time zone of a technical user.

In ByDesign and Cloud for Customer systems, timestamps are always stored in UTC and not based on the user time zone. Whenever this data is accessed via a UI, it is converted based on the user time zone.
Hence, you cannot update the time zone of a technical user.
Time zones can be changed for a tenant, not for a technical user specifically.

Note: SAP does not provide this customization; you can explore whether the SDK offers any possibility for this requirement.

57. How to remove password lock of a Technical User?

  1. Go to Application and User Management work center
  2. Go to Support and Technical Users view
  3. Search and Highlight the locked user
  4. Select Unlock button

58. Is it possible to remove a Business User who is inactive?

No, it is not possible to remove a business user.

59. Is it possible to have two Business Users for an Employee?

No, a business user and an employee are always in a 1:1 relation.

60. What does the "Unused Productive Password Validity" field in the security policy mean?

The Unused Productive Password Validity field means that if a user does not log in for a certain period, the password must be changed when the user logs in to the tenant again.
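Questions 27, 39, 42 and 60 together define how the password-validity fields of a security policy behave: an empty Maximum Password Validity means unlimited, expiry is counted from the last reset date rather than from a policy change, an expired validity does not lock the user, and an unused-period check forces a change at the next logon. The following added example (not SAP code; the field names on the dataclass, the decision labels, the exact "after expiry" and "after the unused period" boundaries and the sample dates are assumptions) evaluates those rules, and works question 39's 365-to-730-day scenario through.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """Two fields of a security policy as the KBA describes them. None models
    a field left empty: unlimited validity (question 27) or check not maintained."""
    max_password_validity_days: Optional[int]
    unused_productive_password_validity_days: Optional[int]


def password_expiry(last_password_set, policy):
    """Expiry is counted from the date the password was last set or reset
    (question 39); a policy change moves the end date but never the start."""
    if policy.max_password_validity_days is None:
        return None  # empty field: the password never expires
    return last_password_set + timedelta(days=policy.max_password_validity_days)


def logon_decision(last_password_set, last_logon, today, policy):
    """Outcome of a password logon on 'today'. An expired password forces a
    change; it does not lock the user (the same holds for an expired validity
    date, question 42). Boundaries ('>' rather than '>=') are assumptions."""
    expiry = password_expiry(last_password_set, policy)
    if expiry is not None and today > expiry:
        return "change-password-expired"
    unused = policy.unused_productive_password_validity_days
    if unused is not None and last_logon is not None and (today - last_logon).days > unused:
        return "change-password-unused"
    return "ok"


def sample_policy_change():
    """Question 39 worked through: the policy is raised from 365 to 730 days;
    the new expiry is still measured from the original reset date."""
    reset_on = date(2023, 1, 1)
    before = password_expiry(reset_on, SecurityPolicy(365, None))
    after = password_expiry(reset_on, SecurityPolicy(730, None))
    return before, after


def run_samples():
    """Constructed scenarios for the three logon outcomes."""
    p365 = SecurityPolicy(365, None)
    p_unused90 = SecurityPolicy(None, 90)
    return {
        "expired": logon_decision(date(2023, 1, 1), date(2024, 6, 1), date(2024, 6, 10), p365),
        "unused": logon_decision(date(2024, 1, 1), date(2024, 1, 2), date(2024, 6, 10), p_unused90),
        "ok": logon_decision(date(2024, 1, 1), date(2024, 6, 1), date(2024, 6, 10), p_unused90),
    }


if __name__ == "__main__":
    print("expiry before/after policy change:", sample_policy_change())
    print(run_samples())
```

For a password reset on 2023-01-01 the 730-day policy yields an expiry of 2024-12-31 (2024 being a leap year), not two years after the day the policy was changed; the days already elapsed are therefore never "discounted" or restarted.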

 

Keywords

FAQ, Business User, Business Role, Access Restriction, Password, Restriction, Write, Read, Access Context, Access Rule, Technical User, Initial User, IAM, Access Right, number of failed logon attempts, counter for failed password logon attempts, limit the number of permissible failed logon attempts, gescheiterte Anmeldeversuche, richtiges Password eingegeben, IAM FAQ   , KBA , faq , business user , business role , access restriction , password, restriction , access context , access rule , technical user , initial user , iam , access rights , SRD-CC-IAM , Identity & Access Management , How To

Product

SAP Business ByDesign all versions ; SAP Cloud for Customer add-ins all versions ; SAP Cloud for Customer core applications all versions