I know how to enable Communication Systems, Communication Arrangements and so on in S/4HANA Cloud Essentials to communicate with OData APIs. I like the process here.
Now I have an S/4HANA Single Tenant Edition, which behaves more like an on-premise system. I did not really find a guide on how to set up communication to consume APIs from SCP. It seems like people are using a standard user with Basic Auth, which seems a bit insecure.
Is there the same concept of communication system and arrangement in S/4HANA on-premise or STE? Alternatively, how can APIs be consumed without using standard users? What is best practice here? Is there an OAuth server, for example?
Thank you in advance!
First point about authorizations: it is recommended to create custom granular roles for each task and not by template, like you want.
To guess which authorizations are needed for which app, go to the Fiori Apps Library and find the target app, then go to the bottom, where you will see a list of business catalogs; by clicking on a business catalog you can see which operations it allows. The process of picking and assigning roles is described quite thoroughly here.
Second point about authentication: the best and most flexible way of consuming the S4HANA API is to use the business user you created in the previous step. Here is a breakdown between using tech and business users and why you shouldn't use the latter:
So the SAP-recommended way of authenticating to S4HANA is a business user with granular permissions and OAuth2SAMLBearerAssertion authentication.
The process is multi-step and requires:
Read about the process in more detail here.
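
As an added example (not part of the original answer or of SAP's documentation), the Python below pre-checks a SAML assertion against the conditions RFC 7522 places on it (audience, bearer recipient, expiry) and builds the token request body used by the SAML bearer grant named in the answer. The host `s4.example`, audience `S4_PROVIDER`, user, client ID and scope are constructed placeholders, and the sample assertion is unsigned for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522

# Constructed sample; a real assertion is signed by the IdP the server trusts.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>idp.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID>JDOE</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T10:05:00Z" Recipient="https://s4.example/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>S4_PROVIDER</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def check_assertion(xml, audience, recipient, now):
    """List the RFC 7522 preconditions this assertion fails (empty list = OK).
    Signature validation is the server's job and is not modelled here."""
    root = ET.fromstring(xml)
    problems = []
    if audience not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("audience mismatch")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        problems.append("recipient mismatch")
    expiry = scd.get("NotOnOrAfter") if scd is not None else None
    if expiry is None:
        problems.append("no expiry")
    elif now >= datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc):
        problems.append("assertion expired")
    return problems

def token_request_body(xml, client_id, scope):
    """Form-encoded POST body: the assertion travels base64url-encoded."""
    b64 = base64.urlsafe_b64encode(xml.encode()).decode()
    return urllib.parse.urlencode(
        {"grant_type": GRANT, "assertion": b64, "client_id": client_id, "scope": scope})

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 10, 1, tzinfo=timezone.utc)
    print(check_assertion(SAMPLE, "S4_PROVIDER", "https://s4.example/token", now))
    print(token_request_body(SAMPLE, "CLIENT_PLACEHOLDER", "SCOPE_PLACEHOLDER")[:80])
```

Because the assertion names the business user in `NameID`, the resulting access token carries that user's granular authorizations rather than those of a shared account with a stored password.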