Merge pull request #213427 from kalyaninamuduri/patch-20

v-stsavell · web-flow · commit e167b6c49b9e · 2022-10-03T15:04:54.000-05:00
Update register-existing-system.md
diff --git a/articles/center-sap-solutions/register-existing-system.md b/articles/center-sap-solutions/register-existing-system.md
@@ -26,15 +26,13 @@ In this how-to guide, you'll learn how to register an existing SAP system with *
 - Check that you're trying to register a [supported SAP system configuration](#supported-systems)
 - Check that your Azure account has **Contributor** role access on the subscription or resource groups where you have the SAP system resources.
 - Register the **Microsoft.Workloads** Resource Provider in the subscription where you have the SAP system.
+- A **User-assigned managed identity** which has **Contributor** role access to the Compute, Network and Storage resource groups of the SAP system. ACSS service uses this identity to discover your SAP system resources and register the system as a VIS resource.
 - Make sure each virtual machine (VM) in the SAP system is currently running on Azure. These VMs include:
     - The ABAP SAP Central Services (ASCS) Server instance
     - The Application Server instance or instances
     - The Database instance for the SAP system identifier (SID)
 - Make sure the **sapstartsrv** process is currently running on all the VMs in the SAP system.
     - Command to start up sapstartsrv process on SAP VMs: /usr/sap/hostctrl/exe/hostexecstart -start
-- Grant the ACSS application **Azure SAP Workloads Management**  **Contributor** role access to the resource groups for the SAP system. There are two options:
-    - If your Azure account has **Owner** or **User Access Admin** role access, you can automatically grant access to the application when registering the SAP system.
-    - If your Azure account doesn't have **Owner** or **User Access Admin** role access, you can [enable access for the ACSS application](#enable-acss-resource-permissions) as described later.
 - Grant access to your Azure Storage accounts from the virtual network where the SAP system exists. Use one of these options:
     - Allow outbound internet connectivity for the VMs.
     - Use a [**Storage** service tag](../virtual-network/service-tags-overview.md) to allow connectivity to any Azure storage account from the VMs.
@@ -60,47 +58,17 @@ The following SAP system configurations aren't supported in ACSS:
 
 ## Enable ACSS resource permissions
 
-When you register an existing SAP system as a VIS, ACSS needs **Contributor** role access to the Azure subscription or resource group in which the SAP system exists. Before you register an SAP system with ACSS, either [update your Azure subscription permissions](#update-subscription-permissions) or [update your resource group permissions](#update-resource-group-permissions).
+When you register an existing SAP system as a VIS, ACSS service needs a **User-assigned managed identity** which has **Contributor** role access to the Compute, Network and Storage resource groups of the SAP system. Before you register an SAP system with ACSS, either [create a new user-assigned managed identity or update role access for an existing managed identity](#setup-user-assigned-managed-identity).
 
-ACSS uses this role access to install VM extensions on the ASCS, Application Server and DB VMs. This step allows ACSS to discover the SAP system components, and other SAP system metadata. ACSS also needs this same permission to enable SAP system monitoring and management capabilities.
+ACSS uses this user-assigned managed identity to install VM extensions on the ASCS, Application Server and DB VMs. This step allows ACSS to discover the SAP system components, and other SAP system metadata. ACSS also needs this user-assigned managed identity to enable SAP system monitoring and management capabilities.
 
-### Update subscription permissions
+### Setup User-assigned managed identity
 
-To update permissions for an Azure subscription:
+To provide permissions to the SAP system resources to a user-assigned managed identity:
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Search for and select **Subscriptions** in the Azure portal's search bar.
-1. On the **Subscriptions** page, select the name of the subscription where the SAP system exists.
-1. In the subscription's sidebar menu, select **Access control (IAM)**.
-1. On the **Access control (IAM)** page menu, select **Add role** &gt; **Add role assignment**.
-1. On the **Role** tab of the **Add role assignment** page, select the **Contributor** role in the table.
-1. Select **Next**.
-1. On the **Members** tab, for **Assign access to**, select **User, group, or service principal**.
-1. For **Members**, select **Select members**.
-1. In the **Select members** pane, search for **Azure SAP Workloads Management**.
-1. Select the ACSS application in the results.
-1. Select **Select**.
-1. Select **Review + assign**.
-
-### Update resource group permissions
-
-To update permissions for a resource group:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Search for and select **Resource groups** in the Azure portal's search bar.
-1. On the **Resource groups** page, select the name of the resource group where the SAP system exists.
-1. In the resource group's sidebar menu, select **Access control (IAM)**.
-1. On the **Access control (IAM)** page, select **Add** &gt; **Add role assignment**.
-1. On the **Role** tab of the **Add role assignment** page, select the **Contributor** role in the table.
-1. Select **Next**.
-1. On the **Members** tab, for **Assign access to**, select **User, group, or service principal**.
-1. For **Members**, select **Select members**.
-1. In the **Select members** pane, search for **Azure SAP Workloads Management**.
-1. Select the ACSS application in the results.
-1. Select **Select**.
-1. Select **Review + assign**.
-
-Then, repeat the process for any other resource groups where the SAP system exists.
+1. Create a new user-assigned managed identity if needed or use an existing one.
+1. Assign **Contributor** role access to the user-assigned managed identity on all Resource Groups in which the SAP system resources exist. That is, Compute, Network and Storage Resource Groups.
+1. Once the permissions are assigned, this managed identity can be used in ACSS to register and manage SAP systems.
 
 ## Register SAP system
 
@@ -117,9 +85,8 @@ To register an existing SAP system in ACSS:
     1. For **SID name**, enter the SID name.
     1. For **SAP product**, select the SAP system product from the drop-down menu.
     1. For **Environment**, select the environment type from the drop-down menu. For example, production or non-production environments.
-    1. For **Method to grant permission**, select your preferred method to grant Azure access to the related subscriptions and resource groups.
-        - If you choose **Automatic**, ACSS has access to the entire Azure subscription where the ASCS VM exists. To use this option, your Azure account also must have **User Access Admin** or **Owner** role access.
-        - If you choose **Manual**, you have to manually grant access to the resource group(s) where the SAP system exists. For more information, see the [resource permissions explanation](#enable-acss-resource-permissions).
+    1. For **Managed identity source**, select **Use existing user-assigned managed identity** option.
+    1. For **Managed identity name**, select a **User-assigned managed identity** which has **Contributor** role access to the [resources of this SAP system.](#enable-acss-resource-permissions)
     1. Select **Review + register** to discover the SAP system and begin the registration process.
 
         :::image type="content" source="media/register-existing-system/registration-page.png" alt-text="Screenshot of ACSS registration page, highlighting mandatory fields to identify the existing SAP system." lightbox="media/register-existing-system/registration-page.png":::
@@ -142,7 +109,7 @@ The process of registering an SAP system in ACSS might fail for the following re
     - Command to start up sapstartsrv process on SAP VMs: /usr/sap/hostctrl/exe/hostexecstart -start
 - At least one Application Server and the Database aren't running for the SAP system that you chose. Make sure the Application Servers and Database VMs are in the **Running** state.
 - The user trying to register the SAP system doesn't have **Contributor** role permissions. For more information, see the [prerequisites for registering an SAP system](#prerequisites).
-- The ACSS service doesn't have **Contributor** role access to the Azure subscription or resource groups where the SAP system exists. For more information, see [how to enable ACSS resource permissions](#enable-acss-resource-permissions).
+- The user-assigned managed identity doesn't have **Contributor** role access to the Azure subscription or resource groups where the SAP system exists. For more information, see [how to enable ACSS resource permissions](#enable-acss-resource-permissions).
 
 There's also a known issue with registering *S/4HANA 2021* version SAP systems. You might receive the error message: **Failed to discover details from the Db VM**. This error happens when the Database identifier is incorrectly configured on the SAP system. One possible cause is that the Application Server profile parameter `rsdb/dbid` has an incorrect identifier for the HANA Database. To fix the error:
 
