Centralized and Automated User Management for SAP Systems

Key Takeaways

⇨ Organizations face increasing complexity and security challenges in user management within SAP systems, necessitating effective Identity and Access Management (IAM) to protect sensitive information.

⇨ Xiting Central Workflows (XCW) optimizes user management in SAP-ABAP systems by providing customizable workflows and automated processes, enhancing efficiency and reducing administrative costs.

⇨ Integration of XCW with SAP Cloud Identity Services allows for centralized user data management and streamlined ID lifecycle automation, improving security and compliance across SAP applications.

Most organizations rely on SAP to manage critical business processes and data. This requires strict controls over access and identity management throughout the IT environment while still meeting security and compliance standards. As organizations scale and expand integrations with customers, vendors, and partners, the number of users also increases. This makes it necessary to secure sensitive information against unauthorized access or tampering.

User management in SAP systems often becomes challenging and complex as security demands rise. Additionally, ensuring transparency in Identity and Access Management in SAP-ABAP systems often comes with high administrative costs. This complexity introduces a high risk of errors, especially when repetitive manual intervention such as creating, authorizing, or locking users is required.

Many organizations rely on SAP’s Central User Administration (CUA), which eliminates the need for local user management. However, since SAP is no longer actively developing CUA, features like workflows and self-services are unavailable.

Xiting Central Workflows (XCW) addresses this issue and allows organizations to optimize user management in SAP-ABAP systems with standardized workflows, role assignment/removal, user creation including role assignment, and password self-services. XCW works in three scenarios: independently of CUA, alongside CUA, or locally in individual systems. You can fully customize workflows to meet your company’s needs, for example by introducing multi-level approvals or role owner concepts, without reinventing the wheel. The business role concept simplifies workflow usage even further.

XCW integrates seamlessly with SAP standards without changing the core system, and provides a streamlined solution for user management along with a password self-service web service. Using SAP Fiori interfaces, XCW offers a modern user experience with real-time workflow overviews on dashboards. XCW also simplifies and automates processes, creating functional separation between applicant, approver, and executor. With XAMS CRAF integration, you can analyze roles and users for critical permissions. Business roles enable cross-system permissions managed within XCW customization, so end users only need to request business roles, which they can find via a simple search.

Xiting has recently integrated Xiting Central Workflows (XCW) into the SAP Cloud with the new Service Pack 5 enhancement. This allows organizations to manage and automate the ID lifecycle efficiently. Integrating XCW with SAP Cloud Identity Services allows organizations to hold all user data in a central single source of truth (SSoT). Identity Provisioning Services (IPS) are used to synchronize data between XCW and the Identity Directory (IdDS): users with their respective role assignments are provisioned from the Identity Directory into the Identity system, with synchronization handled by the SAP Cloud Connector. Roles for SAP cloud applications and BTP subaccounts are mapped using a dummy role concept with specific naming conventions (Cloud_xxx prefix). XCW manages this selection via XCW business roles and associated approval processes. This mapping of roles and users is reflected in the Identity Directory as user accounts and groups in SAP Cloud Identity Services. These user accounts and role assignments from the Identity Directory are then surfaced into specific tenant and service-side jobs defined in IPS. This centralized approach provides a more unified authentication system for all SAP cloud applications and also forms the basis from which user lifecycle management can be automated.