Cloud Integration Made Easy: Xiting Central Workflows (XCW) Meets SAP Cloud

Discover our innovative approach for the seamless integration of Xiting Central Workflows (XCW) into the SAP Cloud. Our new service pack provides a fast and effective way to manage and automate the ID lifecycle in combination with our XCW and SAP Cloud Identity Services.

Status Quo

Our solution XCW is known as a lean tool for managing and documenting user and authorization changes in the AS ABAP and S/4HANA environment. It offers multi-stage procedures for requesting and approving changes, which are processed using SAP standard workflows.

The simple integration into existing systems offers considerable added value for organizations that want to manage their SAP landscape efficiently and securely. XCW centralizes the administration of user master data and role assignments, supports role ownership concepts, deputy rules and multi-level escalations. SAP HCM, Active Directory (read-only via LDAP) and external tools can also be used as source systems. SAP roles are also checked for critical authorizations and SoD conflicts via XAMS CRAF. Operation is convenient via SAP GUI and Fiori interfaces.

The Idea

With Service Pack 5, XCW expands its functionality to include business roles, which serve as containers for technical roles from various ABAP systems. Requests for these roles can be made via the UI5 front end and the SAP GUI and go through an approval process that is checked by the business role owner and, if necessary, the risk manager.

Our approach uses the XCW central system (CDL) or the existing CUA system as a central source system to enable the management and provisioning of user accounts and authorization roles for On-Prem ABAP & S/4HANA.

We are now also applying this principle to integrate SAP cloud systems in combination with SAP Cloud Identity Services. In the SAP on-prem systems, the authorization roles typically include specific access rights for the SAP applications. However, there are also “empty” authorization roles that do not have their own access rights, but merely serve as substitutes for authorization roles in other systems.

These roles exist because the different authorization concepts in the cloud world make a direct implementation impossible. In the XCW central system/CUA, the ownership of these roles is therefore defined by user accounts, supported by workflows.

The Overall Picture

The combined use of XCW with SAP Cloud Identity Services offers significant advantages. Provisioning all SAP Cloud users from a single source of truth (SSoT) for user data, the XCW central system/CUA, makes centralized management possible.

All desired users and their role assignments are provisioned from this system into the Identity Directory (IdDS) of SAP Cloud Identity Services and are therefore available in the Identity Authentication Service (IAS). This is done using the Identity Provisioning Service (IPS), which keeps the users and role assignments synchronized. The IPS is connected to the XCW central system/CUA via the SAP Cloud Connector.

All users that are managed for SAP cloud applications (SaaS) and BTP subaccounts/services in XCW are mapped using a dummy role concept, e.g. with the prefix Cloud_xxx. These roles are assigned to users via XCW business roles. Request, approval and assignment follow the established and customizable approval processes.

These roles and all users assigned to them are then mapped in SAP Cloud Identity Services, creating corresponding user accounts and groups in the Identity Directory.

The user accounts and their role assignments are provisioned from the Identity Directory to the specific tenants/services in the SAP cloud via additional IPS jobs. The logic is controlled by naming conventions for the role names. This enables the centralization of authentication processes for all SAP cloud applications and creates the basis for the automation of user lifecycle processes.

Start a new era of hybrid identity management with us and benefit from centralized, efficient management of your SAP and cloud systems.

Technical details

  • Central system/CUA: First source (all SAP users and roles/groups in central administration)
  • Dummy roles: E.g. with prefix “Cloud_xxx”, assigned via XCW business roles
  • Approval processes: Integrated in XCW
  • Mapping: Empty PFCG roles to groups and users in SAP Cloud Identity Services (IdDS)
  • Identity Directory: Second source for distribution to BTP/SaaS through IPS jobs
  • Provisioning: IPS jobs for BTP & SaaS

Prerequisites

  • SAP Cloud Identity Services Tenant(s)
  • SAP Cloud Connector(s)
  • Xiting Central Workflows (XCW) (central system or CUA)
  • Existence of all SAP users in the central system or CUA
  • Consistent naming concept for cloud (dummy) roles
  • Unique identifier for each SAP user, ideally the e-mail or a personnel number
  • Optional: User creation via LDAP search in XCW
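
A pre-flight check for the naming and unique-identifier prerequisites above, as an added example (not Xiting or SAP code). It takes user records exported from the central system, groups users by cloud dummy role, and reports records that would collide on one identifier or break a name-driven mapping. The role pattern `Cloud_<TARGET>_<ROLE>`, the record fields and the function name are assumptions made for illustration; the sample data is constructed.

```python
import re
from collections import defaultdict

# Assumed naming convention (hypothetical): Cloud_<TARGET>_<ROLE>, e.g. Cloud_BTP_DEVELOPER
CLOUD_ROLE = re.compile(r"^Cloud_([A-Z0-9]+)_([A-Z0-9_]+)$")

def preflight(users):
    """Return (groups, findings) for user records exported from the central system.

    groups maps each valid cloud dummy role to the sorted identifiers of its
    members; findings lists records that would break or blur provisioning.
    """
    groups, findings = defaultdict(set), []
    seen = {}  # normalized e-mail -> first user ID that claimed it
    for u in users:
        uid = u["user"]
        mail = (u.get("email") or "").strip().lower()
        cloud_roles = [r for r in u["roles"] if r.lower().startswith("cloud_")]
        if not cloud_roles:
            continue  # on-prem only user, nothing to provision to the cloud
        if not mail:
            findings.append((uid, "missing unique identifier"))
            continue
        if mail in seen:
            # Two accounts sharing one identifier would merge their group memberships.
            findings.append((uid, f"identifier already used by {seen[mail]}"))
            continue
        seen[mail] = uid
        for role in cloud_roles:
            if CLOUD_ROLE.match(role):
                groups[role].add(mail)
            else:
                findings.append((uid, f"role {role} violates naming convention"))
    return {g: sorted(m) for g, m in groups.items()}, findings

# Constructed sample records (not real users or roles)
SAMPLE = [
    {"user": "JDOE", "email": "j.doe@example.com", "roles": ["Cloud_BTP_DEVELOPER", "Z_FI_CLERK"]},
    {"user": "ASMITH", "email": "J.Doe@example.com ", "roles": ["Cloud_BTP_DEVELOPER"]},
    {"user": "BLEE", "email": "", "roles": ["Cloud_IAS_ADMIN"]},
    {"user": "CKIM", "email": "c.kim@example.com", "roles": ["cloud_btp-viewer", "Cloud_IAS_ADMIN"]},
    {"user": "DROE", "email": "", "roles": ["Z_MM_BUYER"]},
]

if __name__ == "__main__":
    groups, findings = preflight(SAMPLE)
    print(groups)
    print(findings)
```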

Advantages

  • Central administration and provisioning of user accounts for on-prem ABAP & S/4HANA as well as cloud systems via XCW.
  • Multi-level, job-controlled provisioning of user accounts and roles in the SAP Cloud Identity Services (CUA/CDL > IdDS) and to connected SAP BTP accounts or SAP cloud applications (IdDS > BTP/SaaS) via the Identity Provisioning Service.

Conclusion

With the new Service Pack 5 enhancement, XCW now also integrates SAP cloud systems and provides centralized management and automation of user lifecycles. This enables seamless, secure and efficient management of SAP and cloud systems from a single source.

Do you have specific questions about our solution?

Webinar: SAP Solution Day about Xiting Central Workflows

If you would like to experience this new feature as part of the new XCW Service Pack 5 live, we recommend our free webinar on “User and Role Administration with Xiting Central Workflows”. The next webinar date is part of the webinar series “SAP Solution Day” and is aimed at all SAP, XAMS and XCW users and interested persons.

Carsten Olt