Closed ncktz-cbs closed 8 months ago
Thanks a lot for the feedback. Our colleague @ValAta will look into this.
Hi Anna,
any updates on this topic? As we are currently having the discussion how to use the provided IAS tenants in our BTP introduction project, it would be great if an official SAP recommendation could be added to the best practice guide as soon as possible.
Thanks a lot, Nico
Hi @ncktz-cbs, Sorry for the delay. I forwarded this question to the dev team. I'll update you ASAP. BR, Valentin
Hi Nico, Thank you for your patience. Unlike the recommendation for the setup Identity Authentication - S4/HANA Cloud, there is no recommendation for the Identity Authentication - SAP BTP setup. So these trust settings: test subaccount - test or productive tenant, and productive subaccount - test or productive tenant should be fine. BR, Valentin
Hi Valentin,
during the DSAG technology days, we had various discussions with SAP colleagues. They also see the sense of a more granular recommendation of the future IAS setup: this includes not only the landscape but also topics such as when user provisioning is required. One of them will reach out to you and explain our expectations in more detail, so you could work out these recommendations internally. Please feel free to keep us in the loop if you require any feedback loops.
Thanks a lot Nico
Hi Nico, That will be very helpful. BR, Valentin
Hi Valentin,
Can you please reopen this ticket until the described discussion is completed and IAS-specific best practices have been added to the best practice guide?
Thanks a lot Nico
Hi Nico, I misunderstood you. I thought that your colleague was going to reach me through the mail. I reopened the issue again. BR, Valentin
Hi Nico, I hope you are doing well. Do you have any information about the feedback from the DSAG community? No one has contacted me so far. Thanks in advance! Best regards, Valentin
Hi Valentin,
feel free to reach out to your colleague Regine Schimmer. So far, we are still waiting for any suggestions from SAP.
Best regards Nico
@ValAta : This issue has been open for 96 days - do you have any update? Thanks!
Hi @je-hal, I got in touch with the colleagues. They expect to receive a statement from the DSAG BTP / Security workgroup members within a week. After they study the statement, they'll reach me to figure out how to implement it in the documentation. BR, Valentin
Hi Nico, Thanks for the feedback document from the DSAG community. These are the action items that we are taking on:
Hi @ncktz-cbs, Just a quick update - you can now provide feedback for the System Integration Guide for SAP Cloud Identity Services on GitHub. BR, Valentin
Thanks, Valentin! As communicated directly to your colleagues, I think it's a great first step in the right direction. Looking forward to additional updates to the best practice guide that address the remaining open points.
Hi @ncktz-cbs I'll close this issue as we've added a recommendation for SAP Cloud Identity Services as well as a link to the respective onboarding guide. Thanks a lot for your valuable contribution. Anna
https://help.sap.com/docs/btp/best-practices/setting-up-authentication
According to slide 20 of the SAP S/4HANA Cloud 3-system landscape - Onboarding Guide, SAP recommends connecting the non-productive IAS to the non-productive S/4HANA Cloud environments and the productive IAS to the productive S/4HANA Cloud environment and CALM.
Unfortunately, we cannot find any clear recommendation for the IAS setup for BTP. Do you recommend the same setup here (non-productive IAS for non-productive subaccounts, productive IAS for productive accounts)? Even for dev or test environments, we work with ‘productive’ identities. For this reason and from our point of view, these subaccounts should be connected to a productive IAS or at least the productive Azure AD. According to our experience, the non-productive AD is usually just used for internal testing purposes and never connected to any enterprise applications.
If this is SAP’s recommendation, this also means that the configuration effort for groups and group assignments doubles compared to the setup of just using the productive IAS for all subaccounts that we usually see. Or is there any transport mechanism for delta changes planned from one IAS to another that could reduce these efforts? Alternatively, the groups could be assigned in AD, but as per our understanding, SAP’s strategic recommendation is to assign the groups in the IAS and not in AD, is this correct?