Administration Guide | CONFIDENTIAL Document Version: 1.0 – 2021-05-15 Administration Guide for SAP Entitlement Management © 2021 SAP SE or an SAP affiliate company. All rights reserved. THE BEST RUN

Administration Guide for SAP Entitlement Management


Content

1 Overview
2 Getting Started
    2.1 Useful Links
    2.2 Getting Support
3 Technical Prerequisites
    3.1 Minimum Hardware Requirements
    3.2 Internet Connection and Network Requirements
    3.3 Browsers and Browser Settings
    3.4 Maximum Allowed Attributes
4 Additional Software
5 Onboarding
6 Integration
    6.1 Master Data
    6.2 Logging and Tracing
    6.3 Outbound Enablement
        Configuring in Upstream System
        Configuring the HANA Cloud Connector
        Configuring the Integration Package in the CPI System
        Creating a Destination in the Entitlement Management System (DevOps)
        Creating a Communication Channel (Customer Administrator)
        Checking Outbound Data
    6.4 Get the OAuth Access Token (Postman)
    6.5 Get the OAuth Access Token (Client Certificate)
    6.6 Process Integration with SAP S/4HANA
    6.7 Integration with SAP S/4HANA
        Install and Configure SAP Cloud Connector
        Add SAP BTP Enterprise Messaging Credentials in SAP BTP Integration
        Add SAP S/4HANA Credentials to SAP BTP Integration
        Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration
        Replicate Sales Order from SAP S/4HANA via IDoc
        Push Customer Data to Entitlement Management from S/4HANA
        Push Offering to Entitlement Management from S/4HANA
        Pull Customer Data from S/4HANA to Entitlement Management
        Pull Offering from S/4HANA to Entitlement Management
        Replicate Sales Order From S/4HANA via SAP BTP Enterprise Messaging
        Extend the Standard Integration Flow
    6.8 Integration with SAP Analytics Cloud (SAC)
    6.9 Integration with SAP Subscription Billing
        Create a Service Key of SAP Entitlement Management OAuth2
        Activate Outbound Events in SAP Subscription Billing
        Define Queue and Subscribe to SAP Subscription Billing Events
        Add SAP Event Mesh Credentials in SAP Cloud Integration
        Add SAP Entitlement Management OAuth2 Credentials to SAP Cloud Integration
        Add SAP Subscription Billing OAuth2 Credentials to SAP Cloud Integration
        Configure Value Mapping between Event Type and Business Event
        Replicate Subscription from SAP Subscription Billing via SAP Event Mesh
        Extend the Standard Integration Flow for Subscription Billing
    6.10 Integration with SAP Commerce Cloud
    6.11 Integration with Subscription Order Management
        Create a Service Key
        Create an OAuth2 2.0 Client Profile in the AS ABAP
        Document Distribution Step Type Class Implementation
        Configure an OAuth 2.0 Client in the AS ABAP
        Create a Destination for Entitlement Generation API
7 User Management
    7.1 Security Considerations
    7.2 Managing Authentication and Authorization
    7.3 Role Model
    7.4 Change User API
8 Business Configuration
    8.1 SAP Fiori Launchpad Integration
    8.2 Application Help
    8.3 Transport
    8.4 Subscribe and Configure EMS Alert Notification
9 Security
    9.1 User Administration, Authentication, and Authorizations
        User Administration Tools
        Authorizations
    9.2 Session Security Protection
    9.3 Network and Communication Security
    9.4 Data Storage Security
        Data Storage
        Data Protection
    9.5 Audit Log
    9.6 Data Protection and Privacy
        Introduction
        Glossary
        User Consent
        Read Access Logging
        Change Log
        Information Retrieval
        Deletion of Personal Data
10 Operations
    10.1 Monitoring
    10.2 Subscribe SAP Entitlement Management on SAP BTP Cockpit
    10.3 Set Up Trust Between SAP BTP Subaccount and SCI Tenant
    10.4 Configure Roles on the SAP BTP Cockpit
    10.5 Configure Destination Under SAP BTP Subaccount

1 Overview

This administration guide describes the steps you need to perform, as an administrator, to set up and run SAP Entitlement Management.

For more information about using the functions and features provided by SAP Entitlement Management, refer to the SAP Entitlement Management System Application Help.


SAP Business Technology Platform Framework


System Settings

System settings include configurations such as the logo of SAP Entitlement Management, default system language, maximum upload file size, corporate time zone, and so on. These are optional, and can only be configured by the business administrator.


2 Getting Started

Be sure to read the information in the topics in this section before you get started with SAP Entitlement Management.

Useful Links [page 8]
The following resources provide access to more information about general topics, such as software downloads, customer incidents, or high availability.

Getting Support [page 9]
If you encounter any problems with SAP Entitlement Management, report an incident on the SAP Support Portal.

2.1 Useful Links

The following resources provide access to more information about general topics, such as software downloads, customer incidents, or high availability.

Resource | Where to Find It
User assistance for SAP Entitlement Management | http://help.sap.com/ems (This link is specific to the Help for SAP Entitlement Management. All other links in this table take you to general SAP information.)
Information about creating customer incidents | http://support.sap.com/incident
SAP Notes search | http://support.sap.com/notes
SAP Software Download Center | http://support.sap.com/swdc
Product Availability Matrix | http://support.sap.com/pam
Sizing | http://www.sap.com/sizing
Security | http://www.sap.com/security
Performance | http://www.sap.com/performance.html
Information about support package stacks, latest software versions and patch level requirements | http://support.sap.com/sp-stacks

Parent topic: Getting Started [page 8]


Related Information

Getting Support [page 9]

2.2 Getting Support

If you encounter any problems with SAP Entitlement Management, report an incident on the SAP Support Portal.

To report an incident, go to the SAP Support Portal at http://support.sap.com/incident. The relevant component is LOD-EMS.

Parent topic: Getting Started [page 8]

Related Information

Useful Links [page 8]


3 Technical Prerequisites

Before you start to use SAP Entitlement Management, check the requirements and recommendations in this section.

Minimum Hardware Requirements [page 10]
This section provides the minimum hardware requirements for accessing and using SAP Entitlement Management.

Internet Connection and Network Requirements [page 11]
This section lists the basic connection requirements for SAP Entitlement Management.

Browsers and Browser Settings [page 11]
This section details the browser settings needed for the proper functioning of SAP Entitlement Management.

Maximum Allowed Attributes [page 12]
This section describes the limitations with regards to defining attributes in the SAP Entitlement Management system.

3.1 Minimum Hardware Requirements

This section provides the minimum hardware requirements for accessing and using SAP Entitlement Management.

● Processor: Intel Core 2 Duo (2.3 GHz) or better
● Memory: 4 GB or more

Parent topic: Technical Prerequisites [page 10]

Related Information

Internet Connection and Network Requirements [page 11]
Browsers and Browser Settings [page 11]
Maximum Allowed Attributes [page 12]


3.2 Internet Connection and Network Requirements

This section lists the basic connection requirements for SAP Entitlement Management.

● Upstream: 2 Mbps
● Downstream: 2 Mbps
● Latency: 200s or better

Parent topic: Technical Prerequisites [page 10]

Related Information

Minimum Hardware Requirements [page 10]
Browsers and Browser Settings [page 11]
Maximum Allowed Attributes [page 12]

3.3 Browsers and Browser Settings

This section details the browser settings needed for the proper functioning of SAP Entitlement Management.

Browser Versions

SAP performs manual and automated testing on the supported and recommended browsers. Recommended browsers provide better performance and usability. Later versions of the recommended browser should be compatible, but have not yet been tested.

Use the latest, stable version of the recommended browsers. Please be aware that some browsers download and apply updates automatically. SAP makes every effort to test and support the most recent, stable versions of all recommended browsers.

SAP Entitlement Management solution has tested the browser versions mentioned in the table below.

Recommended Browsers: SAP Entitlement Management system - Fiori Client for Desktops

Browser support by operating system for desktops and laptops

Platform Operating System Recommended Browser Supported

Microsoft Windows Windows 7 Google Chrome Google Chrome

Windows 8.1 Google Chrome Google Chrome

Windows 10 Google Chrome Google Chrome

Microsoft Edge

Apple Mac OS X 10.X Apple Safari (latest version) Apple Safari (latest version)

Parent topic: Technical Prerequisites [page 10]

Related Information

Minimum Hardware Requirements [page 10]
Internet Connection and Network Requirements [page 11]
Maximum Allowed Attributes [page 12]

3.4 Maximum Allowed Attributes

This section describes the limitations with regards to defining attributes in the SAP Entitlement Management system.

There is an upper limit on the number of attributes you can define per data type in the Entitlement Management system.

● 200 attributes with String type, not including tables and lists
● 100 attributes with List type
● 100 attributes with Table type
● 100 attributes with Number type, including integers and decimals
● 30 attributes with Date type
● 30 attributes with Boolean type

Note: These are the maximum allowed attributes in the whole system, and not per Entitlement Model.

Parent topic: Technical Prerequisites [page 10]

Related Information

Minimum Hardware Requirements [page 10]
Internet Connection and Network Requirements [page 11]
Browsers and Browser Settings [page 11]

4 Additional Software

Working with SAP Entitlement Management system doesn't require any additional software.


5 Onboarding

Since SAP Entitlement Management is an SAP BTP SaaS Cloud application, its onboarding process is the same as for other SAP Business Technology Platform applications, and can be depicted by the following graphic.

Onboarding Process for SAP Entitlement Management

Note: The above graphic was designed before the rebranding changes related to SAP technology were announced in January 2021.

More Information

For information about the onboarding process, see the SAP Business Technology Platform documentation under Getting Started in the Cloud Foundry Environment.

6 Integration

You can integrate SAP Entitlement Management with SAP S/4HANA, ECC, Revenue Cloud, Hybris Billing, Subscription Billing, SAP Commerce Cloud, and other systems with SAP Business Technology Platform Integration.

SAP Business Technology Platform Integration is hosted on the SAP Cloud. It facilitates the integration of business processes that span different departments, organizations, or companies. For all integration between SAP Entitlement Management and other systems, SAP BTP is the recommended middleware.

For more information on SAP BTP, please refer to SAP Business Technology Platform (SAP BTP) on the SAP Help Portal.

The following figure depicts the flow of data between SAP Entitlement Management and the Upstream system.

General Process between Entitlement Management system and Upstream system

Master Data [page 17]

Logging and Tracing [page 18]

Outbound Enablement [page 19]

Get the OAuth Access Token (Postman) [page 27]
This request obtains an OAuth Token for use in subsequent calls to the SAP Entitlement Management API.

Get the OAuth Access Token (Client Certificate) [page 28]
This request obtains an OAuth Token for use in subsequent calls to the SAP Entitlement Management API.

Process Integration with SAP S/4HANA [page 30]

Integration with SAP S/4HANA [page 31]


Integration with SAP S/4HANA enables you to transfer customer, material, business event, and sales order data to SAP Entitlement Management via SAP Business Technology Platform.

Integration with SAP Analytics Cloud (SAC) [page 65]
For SAP Analytics Cloud (SAC) to be able to integrate with SAP Entitlement Management, specific integration steps need to be completed.

Integration with SAP Subscription Billing [page 70]
Data can be transferred from SAP Subscription Billing to SAP Entitlement Management.

Integration with SAP Commerce Cloud [page 79]
The integration of SAP Entitlement Management with SAP Commerce Cloud enables customers to view their entitlements on the storefront.

Integration with Subscription Order Management [page 80]
This integration topic describes the necessary steps which are required to make ODI work for SAP Entitlement Management.

6.1 Master Data

Offering

Definition

An offering is a commodity that is the object of the business activity of a company and that serves to generate value for the company. It can be tangible or intangible. Offerings in SAP Entitlement Management are not editable. The offering data is replicated from the source system through a communication channel.

Use

The offering master data is used to support authentication, mapping, variant, entitlement repository, and reporting.

Example: You use offering mapping to map an entitlement model.

You can perform the following:

● Find offerings by using the search feature
● Manually sync offering master data from the source system

Structure

The offering master data contains information required to represent an offering, such as the offering identifier, name, source system, and offering type.


Customer

Definition

A customer is a commodity that is the object of the business activity of a company or person, and that serves to be the target or the owner of the entitlement. Customers in SAP Entitlement Management are not editable. The customer data is replicated from the source system through a communication channel.

Use

The customer master data is used to support authentication, variant, entitlement repository, and reporting.

Example: You use the customer condition to switch between different variants.

You can perform the following:

● Find customers by using the search feature
● Manually sync the customer master data from the source system

Structure

The customer master data contains information required to represent a customer, such as the customer identifier, name, source system, and customer group.

Parent topic: Integration [page 16]

Related Information

Logging and Tracing [page 18]
Outbound Enablement [page 19]
Get the OAuth Access Token (Postman) [page 27]
Get the OAuth Access Token (Client Certificate) [page 28]
Process Integration with SAP S/4HANA [page 30]
Integration with SAP S/4HANA [page 31]
Integration with SAP Analytics Cloud (SAC) [page 65]
Integration with SAP Subscription Billing [page 70]
Integration with SAP Commerce Cloud [page 79]
Integration with Subscription Order Management [page 80]

6.2 Logging and Tracing

All inbound and outbound activity in SAP Entitlement Management will be recorded within the Entitlement Management system. The communication monitor tile lists a record of all these activities.


● Logs are mainly used by administrators to monitor communication operations and to perform error analysis. Therefore, logs are always switched on and get written automatically. They have predefined granularity (severity) that cannot be modified at runtime. Logs are typically written to categories which are specific to problem areas.
  In SAP Entitlement Management, the Log button in the communication records will be enabled if any error occurs. On clicking the Log button, a popup window will show execution logs, including the error messages, in a sequence.

● Traces are mainly used by developers or support (engineers) to record and analyze the occurrence of the data flow at runtime. Therefore, tracing is normally turned off. Traces can be switched on if a problem has occurred and a detailed analysis of a distinct aspect of the portal is necessary.
  Steps to enable traces:
  ○ Switch on Trace in the system settings.
  ○ Trigger communication activities through upstream (order system, provisioning system), reprocess failed communication records, or create a new outbound background job.
  ○ Refresh all the monitor records, select inbound record of entitlement generation and click on the Export Trace button. On doing this, all trace details will be downloaded to a JSON file. For example, the parameters and response for the main steps of the inbound process will be listed in a sequence.

Parent topic: Integration [page 16]

Related Information

Master Data [page 17]
Outbound Enablement [page 19]
Get the OAuth Access Token (Postman) [page 27]
Get the OAuth Access Token (Client Certificate) [page 28]
Process Integration with SAP S/4HANA [page 30]
Integration with SAP S/4HANA [page 31]
Integration with SAP Analytics Cloud (SAC) [page 65]
Integration with SAP Subscription Billing [page 70]
Integration with SAP Commerce Cloud [page 79]
Integration with Subscription Order Management [page 80]

6.3 Outbound Enablement

Complete the following steps for outbound enablement:

1. Configuring in Upstream System [page 20]
2. Configuring the HANA Cloud Connector [page 23]
3. Configuring the Integration Package in the CPI System [page 24]
4. Creating a Destination in the Entitlement Management System (DevOps) [page 25]
5. Creating a Communication Channel (Customer Administrator) [page 26]
6. Checking Outbound Data [page 27]

Parent topic: Integration [page 16]

Related Information

Master Data [page 17]
Logging and Tracing [page 18]
Get the OAuth Access Token (Postman) [page 27]
Get the OAuth Access Token (Client Certificate) [page 28]
Process Integration with SAP S/4HANA [page 30]
Integration with SAP S/4HANA [page 31]
Integration with SAP Analytics Cloud (SAC) [page 65]
Integration with SAP Subscription Billing [page 70]
Integration with SAP Commerce Cloud [page 79]
Integration with Subscription Order Management [page 80]

6.3.1 Configuring in Upstream System

Syncing the Master Data via OData Service Scenario [page 20]

Sending the Sales Order to the Entitlement Management System via IDoc Scenario [page 22]

6.3.1.1 Syncing the Master Data via OData Service Scenario

Context

Note: The SAP S/4HANA system is used in this example.

Procedure

1. Look up the OData service address for the commercial product and customer.
2. Export the EDMX file of the OData service, as follows:
   a. Run the transaction code /n/IWFND/GW_CLIENT.
   b. Fill in /sap/opu/odata/sap/MD_C_PRODUCT_MAINTAIN_SRV/$metadata as the request URL.
   c. Choose More Metadata Display in Browser.

Looking up the OData Service

Task overview: Configuring in Upstream System [page 20]

Related Information

Sending the Sales Order to the Entitlement Management System via IDoc Scenario [page 22]


6.3.1.2 Sending the Sales Order to the Entitlement Management System via IDoc Scenario

Context

Note: For detailed information, refer to .

Procedure

1. Maintain the configuration for IDoc.
2. Configure the SSL Certificate.
3. Follow these steps to configure RFC:
   a. Execute the transaction SM59.
   b. Choose HTTP Connections to External Server.
   c. Click on Create.
   d. Provide the RFC settings.
   e. Choose Logon & Security, and fill in the basic authentication with the user credentials.

RFC Configuration


Task overview: Configuring in Upstream System [page 20]

Related Information

Syncing the Master Data via OData Service Scenario [page 20]

6.3.2 Configuring the HANA Cloud Connector

Context

This step is required for the sync scenario.

Procedure

1. Install HANA Cloud Connector in the server.

   Note: Information regarding configuration for Cloud Connector and CPI is available on the Administrator page for HANA Cloud Connector.

2. Add a cloud account.
3. Add access control.
4. Add internal host of S/4HANA.
5. Add a resource for OData.
6. Check the connectivity in HCI account through the Cockpit.

6.3.3 Configuring the Integration Package in the CPI System

Context

Note: This information has already been provided as a template.

Procedure

1. Download the integration package from the CPI system.
2. Configure parameters as per your requirement and the system information provided.
3. If any response is expected, map the response of the required web service to the expected structure in the Entitlement Management system, for which schema can be exported from the interface tail, such as Customer Offering master data interface.
4. Save the above configuration, and deploy to CPI.
5. Send the endpoint of your integration projects to the DevOps Team, including the following information:
   ○ Endpoint to sync commercial product information
   ○ Endpoint to sync customer data
   ○ Endpoint to receive outbound information from the Entitlement Management system
   ○ User credentials to log in to the CPI system, because CPI uses basic authentication while accessing all endpoint information.

6.3.4 Creating a Destination in the Entitlement Management System (DevOps)

Prerequisites

Customer must have already sent you the CPI Information.

Procedure

1. Create a destination under Destination Configuration. Provide the following details:
   ○ Name: This is an important field and must have the identical value across the entire GA.
     Tip: Make a note of the name for usage later in the configuration process.
   ○ Type: Select HTTP from the drop down, for the CPI endpoint.
   ○ URL: It is recommended to use the host of the endpoint itself, because all endpoints may have the same CPI but a different sub-path.
   ○ Authentication: Select BasicAuthentication from the drop down list, and provide a User and Password for every subsequent change.

Destination Configuration

2. Create destination mapping in the onboarding service. (DevOps)

   POST: https://ems-onboarding-admin-service-dev.cfapps.sap.hana.ondemand.com/destinations

   Data:

   {
     "tenantId": "sap-csc-cd",
     "destinationName": "EMS_DEV_HCI_VLAB"
   }

   The destinationName value is the name of the destination created under Destination Configuration in step 1.

3. Send the destination information to the customer.

6.3.5 Creating a Communication Channel (Customer Administrator)

Procedure

1. Get the destination information from DevOps.
2. Create a communication channel with the destination.
3. Configure the Path, which should be the URL part of the endpoint (except the host part, which has already been configured in the destination).

Creating a New Communication Channel


6.3.6 Checking Outbound Data

Context

Note: Communication channel for outbound data has been configured. If your login attempt fails, contact the administrator of the CPI tenant.

Procedure

1. Log in to the CPI monitor, for example: https://d5001-tmn.hci.us2.hana.ondemand.com/itspaces/.
2. Go to the Monitor tab from the left sidebar.
3. Click on Data Stores.
   The data store name can be OutboundMsgFromEMS, for example.
4. Choose the entry from the right error, according to the time, and click on Download.
5. Extract and open the zipped file to check the content.

6.4 Get the OAuth Access Token (Postman)

This request obtains an OAuth Token for use in subsequent calls to the SAP Entitlement Management API.

Context

The OAuth Token is valid for 43199 seconds (12 hours). After that time, you will need to generate a new token.

The Authorization End-Point is taken from the XSUAA Service URL, which is obtained from the Service Key created to access the SAP Entitlement Management API. Follow these steps to obtain the access token:

Procedure

1. Go to the Cloud Foundry space created in Create Subaccount and Cloud Foundry Space.


2. Go to Service Marketplace > EMSOAuthService tile.
3. Create New Instance and create New Service Key.
4. In Postman, go to Authorization and select OAuth 2.0 as the Type.
5. Click Get New Access Token.
6. Enter a name in the Token Name field.
7. Enter the Authorization Endpoint URL (sburl) you received from the Service Key in the Auth URL field.
8. Enter the Token Endpoint URL (<url>/oauth/token) you received from the Service Key in the Access Token URL field.
9. Enter the ID and Secret you received from the Service Key in the Client ID and Client Secret fields.
10. Select Client Credentials for the Grant Type.
11. Click Request Token.

You have now created a token. Postman will use it for each request to the SAP Entitlement Management REST API.


6.5 Get the OAuth Access Token (Client Certificate)

This request obtains an OAuth Token for use in subsequent calls to the SAP Entitlement Management API.

Context

The token is valid for 43199 seconds (12 hours). After that time, you will need to generate a new token.


The client certificate flow requires a valid X.509 certificate for authentication; customers should upload the certificate during EMSOAuthService creation. The currently supported CA is DigiCert G2.

The Authorization End-Point is taken from the XSUAA Service URL, which is obtained from the Service Key created to access SAP Entitlement Management API. Follow the steps below to obtain the access token:

Procedure

1. Go to the SAP BTP subaccount and create a space if you don't have one, following: Create Spaces.

2. Go to Services > Instances and Subscriptions and select EMSOAUTHService to create a service instance with the default plan, following: Creating Service Instances in Cloud Foundry.

3. Create a Service Key for the instance you created; specify the parameters in JSON format during service key creation. For example:

4. When you view the service key, you can check the certificate part in the service key credentials to see if it is valid.

5. Once the service key with the X.509 certificate has been created successfully, you can use the client certificate to get the OAuth2 token. This is the example by curl:

6. You can get the valid token from the response for triggering the EMS external API.
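The token request of sections 6.4 and 6.5 as a script, with the 12-hour token cached and renewed shortly before it expires. This is an added example, not code from the guide or from SAP; the service key field names (url, certurl, clientid, clientsecret), the renewal margin and all values are assumptions, and the service key is constructed.

```python
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

# Constructed service key. The field names url, certurl, clientid and
# clientsecret are assumptions; use the names found in your own service key.
SAMPLE_SERVICE_KEY = {
    "url": "https://tenant.authentication.example.invalid",
    "certurl": "https://tenant.authentication.cert.example.invalid",
    "clientid": "sb-example-client",
    "clientsecret": "constructed-secret",
}

REFRESH_MARGIN_S = 300  # assumption: renew five minutes before expiry


def build_token_request(key, mtls=False):
    """Build the client-credentials token request.

    Secret flow: client ID and secret travel in the Authorization header.
    Certificate flow (mtls=True): no secret is sent; the TLS client
    certificate authenticates the caller and only client_id is in the body.
    """
    base = key["certurl"] if mtls else key["url"]
    token_url = base.rstrip("/") + "/oauth/token"
    if not token_url.lower().startswith("https://"):
        raise ValueError("token endpoint must use https: " + token_url)
    form = {"grant_type": "client_credentials"}
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if mtls:
        form["client_id"] = key["clientid"]
    else:
        pair = f'{key["clientid"]}:{key["clientsecret"]}'.encode()
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode()
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def mtls_context(cert_file, key_file):
    """TLS context that presents the X.509 client certificate (PEM files)."""
    ctx = ssl.create_default_context()  # server certificate is still verified
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def http_fetch(request, context=None, timeout=30):
    """Send the request and return the decoded JSON token response."""
    with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
        return json.load(resp)


class TokenCache:
    """Hold one access token and renew it shortly before it expires."""

    def __init__(self, key, fetch=http_fetch, mtls=False, clock=time.monotonic):
        self._key, self._fetch, self._mtls, self._clock = key, fetch, mtls, clock
        self._token = None
        self._renew_at = 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            reply = self._fetch(build_token_request(self._key, self._mtls))
            if reply.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            lifetime = int(reply["expires_in"])  # 43199 according to the guide
            self._token = reply["access_token"]
            self._renew_at = now + max(lifetime - REFRESH_MARGIN_S, 0)
        return self._token

    def auth_header(self):
        """Header for API calls; keep the value out of logs."""
        return {"Authorization": "Bearer " + self.get()}
```

For the certificate flow, pass `mtls=True` together with `fetch=lambda r: http_fetch(r, context=mtls_context(cert_file, key_file))`.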


6.6 Process Integration with SAP S/4HANA

Cloud Connector

SAP Cloud Connector is mainly established as a tunnel between the on premise system and the SAP Cloud Platform.

Cloud connector must be installed, if there are scenarios wherein any request/message is sent from CPI to the on premise system.

For more information please refer to SAP Cloud Platform Connectivity on the SAP Help Portal.

Communication Channel

SAP Entitlement Management can send outbound data to inform the external system.

The communication channel is used to define the relationship between the outbound interface and the external target endpoint.

Integration Process

Master Data Synchronization
● Install cloud connector to expose the SAP S/4 HANA system, if the master data is received from SAP S/4 HANA on premise. To establish a tunnel between the on premise system and SCP, SAP Cloud Connector is recommended.
● Create iflow in CPI to forward the master data synchronization request to SAP S/4 HANA.
● Configure the CPI iflow URL as the endpoint of the communication channel for master data source.
● In the customer/production master tile, click on the Sync button to forward the query request to SAP S/4 HANA through CPI. After data is queried from SAP S/4 HANA, iflow will map the source system master data to the Entitlement Management system master structure and send it back to Entitlement Management structure.

Entitlement Generation
● Extend the entitlement generation interface, if needed.
● Export the entitlement generation interface schema and inbound payload template.
● Export the IDOC template and schema from SAP S/4 HANA.
● Create the iflow in CPI to receive IDOC from SAP S/4 HANA and convert it to the entitlement generation interface structure.
● Configure the CPI iflow URL in SAP S/4 HANA IDOC configuration.
● After a sales order is created, an IDOC will be fired. Sales order information will be sent to the Entitlement Management system through the CPI iflow.
● If the generated entitlement information is needed:
  ○ Use cloud connector to expose the receiver API in the SAP S/4 HANA system. Create an iflow to forward the message from the Entitlement Management system to SAP S/4 HANA.
  ○ Configure the iflow URL as the endpoint of the entitlement generation response interface communication channel.
  All generated entitlements will be sent back to SAP S/4 HANA after the entitlement generation process is finished.

Integration with any other cloud system is similar.


6.7 Integration with SAP S/4HANA

Integration with SAP S/4HANA enables you to transfer customer, material, business event, and sales order data to SAP Entitlement Management via SAP Business Technology Platform.

Before integration with SAP S/4HANA can take place, you must configure and enable two important items:

● SAP BTP must be configured and service keys must be created to give the integration process access to the SAP Entitlement Management APIs.

● Enterprise Event in SAP S/4HANA must be enabled. For details, see Enterprise Event Enablement in the SAP Help Portal.

Install and Configure SAP Cloud Connector [page 32]


Serving as a link between SAP Business Technology Platform (SAP BTP) applications and on-premise systems, SAP Cloud Connector runs as an on-premise agent in secured networks.

Add SAP BTP Enterprise Messaging Credentials in SAP BTP Integration [page 34]

Add SAP S/4HANA Credentials to SAP BTP Integration [page 35]

Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration [page 35]

Replicate Sales Order from SAP S/4HANA via IDoc [page 36]

Push Customer Data to Entitlement Management from S/4HANA [page 44]

Push Offering to Entitlement Management from S/4HANA [page 49]

Pull Customer Data from S/4HANA to Entitlement Management [page 54]

Pull Offering from S/4HANA to Entitlement Management [page 57]

Replicate Sales Order From S/4HANA via SAP BTP Enterprise Messaging [page 60]

Extend the Standard Integration Flow [page 64]


6.7.1 Install and Configure SAP Cloud Connector

Serving as a link between SAP Business Technology Platform (SAP BTP) applications and on-premise systems, SAP Cloud Connector runs as an on-premise agent in secured networks.

Context

Before you can use SAP Cloud Connector to link SAP S/4HANA and SAP BTP, ensure that you have installed SAP Cloud Connector. For more information on installation, see the Installation topic in the SAP BTP Connectivity Guide at: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/57ae3d62f63440f7952e57bfcef948d3.html.

After installing Cloud Connector and starting the Cloud Connector daemon, you can log on to the daemon and perform required configurations to make your Cloud Connector operational. For more information, see the Initial Configuration topic in the SAP BTP Connectivity Guide at: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/db9170a7d97610148537d5a84bf79ba2.html.

In addition, specify the SAP S/4HANA OData service that can be accessed by integration flows using HTTP. For more information, see the Configure Access Control (HTTP) topic in the SAP BTP Connectivity Guide at: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e7d4927dbb571014af7ef6ebd6cc3511.html.

Procedure

1. Add Subaccount in SAP Cloud Connector.
2. Set Location ID.
3. Under Cloud to On-Premise > ACCESS CONTROL, add Mapping Virtual to Internal System.
4. Specify the following:
   a. Back-end Type: ABAP System
   b. Protocol: HTTPS
   c. Internal Host: S/4HANA host name
   d. Internal Port: S/4HANA port number
   e. Virtual Host: Virtual host name will be configured in integration flow
   f. Virtual Port: Virtual Port number will be configured in integration flow
5. Add resource access:
   a. URL Path: /
   b. Access Policy: path and all sub-paths
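A least-privilege check for the resource entry in step 5, as an added example that is not part of the guide: it models the two access policies and lists which back-end paths a set of resource entries makes reachable, so the entry from step 5 can be compared with one narrowed to the OData service the integration flows call. The segment-wise matching is a simplified model and an assumption, and every service path below is a constructed placeholder.

```python
from dataclasses import dataclass

PATH_ONLY = "path only"
PATH_AND_SUBPATHS = "path and all sub-paths"


@dataclass(frozen=True)
class Resource:
    """One 'resource access' entry of a virtual-to-internal system mapping."""
    url_path: str
    policy: str


def _segments(path):
    """Split a URL path into segments; dot segments are refused, not resolved."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if any(p in (".", "..") for p in parts):
        raise ValueError("dot segments are not allowed: " + path)
    return parts


def permits(resource, request_path):
    """True if this resource entry lets request_path through to the back end."""
    rule = _segments(resource.url_path)
    try:
        req = _segments(request_path)
    except ValueError:
        return False
    if resource.policy == PATH_ONLY:
        return req == rule
    if resource.policy == PATH_AND_SUBPATHS:
        # Compare whole segments so /A_SRV does not also admit /A_SRV_ADMIN.
        return req[:len(rule)] == rule
    raise ValueError("unknown access policy: " + resource.policy)


def audit(resources, required, not_needed):
    """Report required paths that are blocked and unneeded paths that are open."""
    def allowed(path):
        return any(permits(r, path) for r in resources)
    return {
        "blocked_but_required": [p for p in required if not allowed(p)],
        "reachable_but_not_needed": [p for p in not_needed if allowed(p)],
    }


# The entry exactly as given in step 5 of the procedure.
AS_DOCUMENTED = [Resource("/", PATH_AND_SUBPATHS)]
# A narrower entry; the service name is a constructed placeholder.
NARROWED = [Resource("/sap/opu/odata/sap/EXAMPLE_CUSTOMER_SRV", PATH_AND_SUBPATHS)]

# Constructed request paths: what the integration flow needs and what it does not.
REQUIRED = ["/sap/opu/odata/sap/EXAMPLE_CUSTOMER_SRV/Customers"]
NOT_NEEDED = [
    "/sap/opu/odata/sap/EXAMPLE_CUSTOMER_SRV_ADMIN/Users",
    "/example/other-app/index.html",
    "/sap/opu/odata/sap/EXAMPLE_CUSTOMER_SRV/../OTHER_SRV/Items",
]

if __name__ == "__main__":
    for name, rules in (("as documented", AS_DOCUMENTED), ("narrowed", NARROWED)):
        print(name, audit(rules, REQUIRED, NOT_NEEDED))
```

With the entry from step 5, every well-formed path on the mapped host is reachable; the narrowed entry still serves the required service path and nothing else in the sample.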


6.7.2 Add SAP BTP Enterprise Messaging Credentials in SAP BTP Integration

Procedure

1. In the navigation panel, choose Monitor, and access Security Material in the section Manage Security.
2. Choose Add > OAuth2 Credential.
3. Specify the following fields in the Add OAuth2 Credentials dialog box:

   Name: Credential Name
   Grant Type: Client Credentials
   Token Service URL: Token Service URL from SAP Business Technology Platform Enterprise Messaging service key
   Client ID: Client ID from SAP Business Technology Platform Enterprise Messaging service key
   Client Secret: Client Secret from SAP Business Technology Platform Enterprise Messaging service key
   Client Authentication: Send as Request Header
   Include Scope: Un-checked


6.7.3 Add SAP S/4HANA Credentials to SAP BTP Integration

Procedure

1. Access Security Material and choose Add > User Credentials.
2. Enter a name for the credential and enter a user name and password that has authorization to access the SAP S/4HANA back-end system.


6.7.4 Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration

Procedure

1. Create a service instance of “SAP Entitlement Management OAuth Service” in SAP Business Technology Platform cockpit.
2. Create a service key in the service instance you created in Step 1.
3. Access Security Material and choose Add > OAuth2 Credential.
4. Specify the following fields in the Add OAuth2 Credentials dialog box:

   Name: Credential Name
   Grant Type: Client Credentials
   Token Service URL: Token Service URL from SAP Entitlement Management OAuth service key
   Client ID: Client ID from SAP Entitlement Management service key
   Client Secret: Client Secret from SAP Entitlement Management service key
   Client Authentication: Send as Request Header
   Include Scope: Un-checked


6.7.5 Replicate Sales Order from SAP S/4HANA via IDoc

Replicating the sales order from SAP S/4HANA to SAP Entitlement Management via IDoc consists of first configuring the SAP Business Technology Platform Integration Settings and then configuring the back-end system.

Configure SAP BTP Integration Settings to Replicate Sales Orders via IDoc [page 37]
Configuring the SAP BTP integration settings to allow for replication of sales order data from SAP S/4HANA via IDoc requires the setup of the Sender tab, two Receiver tabs, and the More tab.

Configure the Back-End System [page 38]
Configuring the back-end system to allow for replication of sales order data from SAP S/4HANA via IDoc is a multi-part process.


6.7.5.1 Configure SAP BTP Integration Settings to Replicate Sales Orders via IDoc

Configuring the SAP BTP integration settings to allow for replication of sales order data from SAP S/4HANA via IDoc requires the setup of the Sender tab, two Receiver tabs, and the More tab.

Context

Note that within the standard integration flow there’s a message mapping. Since we couldn’t find a proper field from the upstream system to map to as the “SourceSystem”, we assume that our upstream system SourceSystem is a constant “Dummy” field. Also, another field, ItemValidFrom, always contains the current date. So, for both of these fields, you must do some enhancement in your Post-Exit integration flow.

Procedure

1. Set up the following on the Sender tab.

   Address: /replicate/salesorder
   Body Size (in MB): 40
   Attachments Size (in MB): 100

2. Set up the following on the Receiver tab for SAP Entitlement Management.

   Address: Entitlement Generation API URL
   Authentication: OAuth2 Client Credential
   Credential Name: EMS OAuth2 credential name created in Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration [page 35]
   Timeout (in ms): 60000

3. Set up the following on the Receiver tab for ReplicateEntitlementExtensionProcessExit.

   Address: /EMS/ReplicateSalesOrderViaEvent_PostExit

4. Set up the following on the More tab.

   Type: All Parameters
   Extension Implemented: True or False (Comments: True means you would like to extend the standard iflow, and already created your own iflow with ProcessDirect sender Adapter)


6.7.5.2 Configure the Back-End System

Configuring the back-end system to allow for replication of sales order data from SAP S/4HANA via IDoc is a multi-part process.

To enable entitlement generation from SAP S/4HANA to SAP Entitlement Management using an integration flow, you need to configure some settings in the back-end system, in the following order:

1. Set Up an RFC Connection [page 39] - The RFC connection determines the target integration flow for the IDoc.
2. Define a Logical System [page 40] - The logical system represents the system that sends or receives data.
3. Define a Port for the RFC Connection [page 41] - You need a port that links to the RFC connection that you created.
4. Define Partner Profiles [page 42] - You need a valid partner profile when using IDocs to transfer data.
5. Configure a Distribution Model [page 43] - The distribution model specifies the data to be replicated from the back-end system.
6. Maintain Condition Records for the Output Type BA00 [page 44] - Condition records specify what kind of sales order to be replicated from the back-end system.


6.7.5.2.1 Set Up an RFC Connection

Context

The RFC connection determines the target integration flow for the IDoc.

Procedure

1. In the back-end system, run transaction SM59.
2. Choose HTTP Connections to External Server > Create.
3. In the RFC Destination field, enter a unique identifier for the RFC destination.
4. On the Target Settings tab, enter values for the following:

   Host: The runtime URL for your target system tenant. The URL is contained in the endpoint from SAP Business Technology Platform Integration. Note: Do not include "https://" in the URL.
   Port: 443
   Path Prefix: /cxf/generate/salesorder
   Proxy Host: Your proxy address
   Proxy Service: The port for your proxy service
   Proxy PW Status: Is initial

5. On the Logon & Security tab, enter values for the following:

   Basic Authentication: User with access to SAP Business Technology Platform Integration
   SSL: Active
   SSL Certificate: Default SSL Client


6.7.5.2.2 Define a Logical System

Context

The logical system represents the system that sends or receives the data.

Procedure

1. In the back-end system, run transaction BD54.
2. Switch to edit mode and select OK on the Cross-client screen.
3. Choose New Entries.
4. Enter a name and description for your logical system.
5. Save your changes.


6.7.5.2.3 Define a Port for the RFC Connection

Context

You need a port that links to the RFC connection that you created in Set Up an RFC Connection [page 39].

Procedure

1. In the back-end system, run transaction WE21.
2. Choose Ports > XML HTTP > Create.
3. Enter values for the following:

   Port: A unique identifier for the port
   RFC Destination: Identifier for the destination you created in the procedure to set up an RFC connection
   Context Type: Text/XML
   HTTP Version: Version 1.0
   SOAP Protocol: Checked


6.7.5.2.4 Define Partner Profiles

Context

You need a valid partner profile when using IDocs to transfer data.

Procedure

1. In the back-end system, run transaction WE20.
2. Choose Partner Profiles > Partner > Create.
3. To define partner profiles, enter values for the following:

   Partner No.: The name of an existing logical system, or a new logical system
   Partner Type: LS
   Ty.: US
   Processor: Processor for post-processing
   Lang: Language for the partner profile

4. To specify outbound parameters, under Partner Type LS choose the partner that represents SAP Business Technology Platform Integration, select Create outbound parameter, and then enter values for the following:

   Message Type: ORDERS
   Receiver Port: Your receiver port - the value is the unique identifier that you chose in the procedure to define a port for the RFC connection.
   Output Mode: Collect IDocs or Pass IDoc Immediately
   Basic Type: ORDERS05
   Application in Message Control tab: V1
   Message Type in Message Control tab: BA00
   Process Code in Message Control tab: SD10
   Change Message in Message Control tab: Checked or Un-checked


6.7.5.2.5 Configure a Distribution Model

Context

The distribution model specifies the data to be replicated from the back-end system.

Procedure

1. In the back-end system, run transaction BD64.
2. Choose Switch to Edit mode > Create Model View.
3. Enter a short text and a technical name for the model view.
4. If necessary, change the start and end dates.
5. Choose Add Message Types and enter values for the following:

   Model View: Name for the model view
   Sender: Partner that represents the back-end system
   Receiver: Partner that represents the SAP BTP Integration
   Message Type: ORDERS


6.7.5.2.6 Maintain Condition Records for the Output Type BA00

Context

Condition records specify what kind of sales order will be replicated from the back-end system.

Procedure

1. In the back-end system, run transaction NACE.
2. Choose V1 and click Condition Records.
3. Choose BA00 and click Condition Records.
4. Choose your key combination and click OK.
5. Maintain your entries, and Save your changes.


6.7.6 Push Customer Data to Entitlement Management from S/4HANA

This section describes how to replicate customer master data from SAP S/4HANA to SAP Entitlement Management.

Configure SAP BTP Integration to Push Customer Data [page 45]

Configure SOA Manager to Push Customer Data [page 46]

Configure Data Replication Framework for Customer Data [page 48]


6.7.6.1 Configure SAP BTP Integration to Push Customer Data

Context

To push customer data from SAP S/4HANA to SAP Entitlement Management, you need to configure integration in SAP Business Technology Platform Integration web application.

Note: Within the standard integration flow, we could not find a proper field from SAP S/4HANA to map to ValidTo, so we set ValidTo to the current date. If you would like to rewrite the "ValidTo" logic, you can define your logic in the Post-Exit integration flow.

Procedure

1. Set up the following on the Sender tab:

   Address: /replicate/customer
   Body Size (in MB): 40
   Attachments Size (in MB): 100

2. Set up the following on the Receiver tab for Entitlement Management:

   Address: EMS Customer Account Synchronization API URL
   Authentication: OAuth2 Client Credentials
   Credential Name: Enter your credential name in CPI Security Material
   Timeout (in ms): 60000

3. Set up the following on the Receiver tab for ReplicateCustomerExtensionProcessExit:

   Address: /EMS/ReplicateCustomer_PostExit

4. Set up the following on the More tab:

   Type: All Parameters
   Extension Implemented: True or False (Comments: True means you would like to extend the standard iflow, and already created your own iflow with ProcessDirect sender Adapter)


6.7.6.2 Configure SOA Manager to Push Customer Data

Context

Configure settings in SAP S/4HANA to set up the business partner master data replication from SAP S/4HANA to SAP Entitlement Management. The SOA Manager is used to administer and configure service providers and consumer proxies for a local system.


Procedure

1. Start the transaction SOAMANAGER.
2. On the Service Administration tab, select Web Service Configuration.
3. Search for the following Object name and perform the procedures below.

   Object Name: CO_MDG_BP_RPLCTRQ
   Description: Business Partner Data Replication

4. Select the entry and choose Create > Manual Configuration.
5. Enter the Logical Port Name (for example, LP_<system name that you are connecting to>).
6. Select the Logical Port is Default check box.
7. Enter the description (for example, For Business Partner Data Replication).
8. Click Next.

   a. For Basic Authentication:
      By default, the User ID / Password option is selected.
      Enter the SAP Cloud Platform Integration User ID and password to connect to the SAP Business Technology Platform Integration tenant.

   b. For Certificate-based Authentication:
      Choose the X.509 Client Certificate option.
      Choose the value help on the SSL Client PSE of transaction STRUST field.
      Choose the PSE in which the Client certificate issued by a CA supported by SAP Business Technology Platform Integration is stored.

9. Click Next.
10. Enter the SAP Business Technology Platform Integration operation server node URL in the URL field and append it with /cxf and the Address endpoint as configured in the Sender tab of your integration flow. It should look like: <https://XXXXXXX-iflmap.sap.hana.ondemand.com:443/cxf/replicate/customer>.
11. Enter Proxy information, if necessary.
12. Click Next.

    RM Protocol: SAP RM
    Message ID Protocol: SAP Message ID

13. Click Finish.

Task overview: Push Customer Data to Entitlement Management from S/4HANA [page 44]

Related Information

Configure SAP BTP Integration to Push Customer Data [page 45]

Configure Data Replication Framework for Customer Data [page 48]

6.7.6.3 Configure Data Replication Framework for Customer Data

Context

Configure settings in SAP S/4HANA to set up the product master data replication to SAP Entitlement Management.

In SAP S/4HANA, define the target system and data for the replication.

Procedure

1. Configure the data replication framework.

a. Open transaction DRFIMG. Choose Data Replication > Define Custom Settings for Data Replication > Define Technical Settings > Define Technical Settings for Business Systems.

b. Choose New Entries and define your business system for receiving messages from SAP S/4HANA. Fill in the fields with the following data:

Business System: Define an ID for SAP Entitlement Management. The system ID can be free text but should not exceed 10 characters.

Save your changes.

c. Under Define Bus. Systems BOs Communication Channel, select the Replication via Services channel. Save your changes.

2. Define the replication model.

a. Choose Data Replication > Define Custom Settings for Data Replication > Define Replication Model.

b. Choose New Entries and enter a name and description for your replication model. Indicate the number of Log Days after which an application log expires. Save your changes.

c. In the Prompt for Customizing request, choose an existing customizing request or create a new one.

d. Under Assign Outbound Implementation, choose New Entries. Select 986_3 for Outbound Implementation. Save your changes.

e. Under Assign Target Systems for Repl. Model/Outb. Impl., choose the Business System that you created earlier. Save your changes.

f. Under Assign Outbound Parameter, select the outbound parameter PACK_SIZE_BULK and add the number for Outbound Parameter Value. Save your changes.

3. Activate the replication model.

Choose Data Replication > Define Custom Settings for Data Replication > Define Replication Model > <your replication model> > Active.

4. Add the trigger for the web service call.

a. Open transaction SPRO. Choose SAP Reference IMG > Cross-Application Components > SAP Business Partner > Data Distribution > Activate Function Modules.

b. Select the MDG_BS_BP_OUTBOUND_DRF function module and select Call. Save your changes.

5. Check the activation.

a. Open transaction SM30.

b. Enter BSSOAV_WS_ACTIVE in Table/View and choose Maintain.

c. If the BSS_WS_ACTIVE entry doesn't appear as active, choose New Entries and select Active. Save your changes.

Task overview: Push Customer Data to Entitlement Management from S/4HANA [page 44]

Related Information

Configure SAP BTP Integration to Push Customer Data [page 45]
Configure SOA Manager to Push Customer Data [page 46]

6.7.7 Push Offering to Entitlement Management from S/4HANA

This section describes how to replicate offering data from SAP S/4HANA to SAP Entitlement Management.

Configure SCP Integration to Push Offering [page 50]

Configure SOA Manager to Push Offering [page 51]

Configure Data Replication Framework for Offering Data [page 53]

Parent topic: Integration with SAP S/4HANA [page 31]

Related Information

Install and Configure SAP Cloud Connector [page 32]
Add SAP BTP Enterprise Messaging Credentials in SAP BTP Integration [page 34]
Add SAP S/4HANA Credentials to SAP BTP Integration [page 35]
Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration [page 35]
Replicate Sales Order from SAP S/4HANA via IDoc [page 36]
Push Customer Data to Entitlement Management from S/4HANA [page 44]
Pull Customer Data from S/4HANA to Entitlement Management [page 54]
Pull Offering from S/4HANA to Entitlement Management [page 57]
Replicate Sales Order From S/4HANA via SAP BTP Enterprise Messaging [page 60]
Extend the Standard Integration Flow [page 64]

6.7.7.1 Configure SCP Integration to Push Offering

Context

To push offering data from SAP S/4HANA to SAP Entitlement Management, you need to configure integration in SAP Business Technology Platform Integration web application.

Note: In our integration flow, there is a message mapping. The field Description of the metadata maps to the field OfferingName. However, OfferingName does not support multiple languages. So, before Description is mapped to OfferingName, filter Description within your extension integration flow so that it occurs only once.

Procedure

1. Set up the following on the Sender tab:

Field | Value
Address | /replicate/offering
Body Size (in MB) | 40
Attachments Size (in MB) | 100

2. Set up the following on the Receiver tab for Entitlement Management:

Field | Value
Address | EMS Offering Synchronization API URL
Authentication | OAuth2 Client Credentials
Credential Name | EMS OAuth Credential name defined in Configure SCP Integration to Push Offering [page 50]
Timeout (in ms) | 60000

3. Set up the following on the Receiver tab for ReplicateOfferingExtensionProcessExit:

Field | Value
Address | /EMS/ReplicateOffering_PostExit

4. Set up the following on the More tab:

Field | Value | Comments
Type | All Parameters |
Extension Implemented | True or False | True means you would like to extend the standard iflow, and already created your own iflow with ProcessDirect sender Adapter

Task overview: Push Offering to Entitlement Management from S/4HANA [page 49]

Related Information

Configure SOA Manager to Push Offering [page 51]
Configure Data Replication Framework for Offering Data [page 53]

6.7.7.2 Configure SOA Manager to Push Offering

Context

Configure settings in SAP S/4HANA to set up the product master data replication from SAP S/4HANA to SAP Entitlement Management.

The SOA Manager is used to administer and configure service providers and consumer proxies for a local system.

Procedure

1. Start the transaction SOAMANAGER.
2. On the Service Administration tab, select Web Service Configuration.
3. Search for the following Object name and perform the procedures below.

Object Name: CO_MDM_PRD_BULK_REPL_REQ_OUT

Description: Product Data Replication

4. Select the entry and choose Create Manual Configuration.
5. Enter the Logical Port Name (for example, LP_<system name that you are connecting to>).
6. Select the Logical Port is Default check box.
7. Enter the description (for example, For Product Data Replication).
8. Click Next.

a. For Basic Authentication:

By default, the User ID / Password option is selected.

Enter the SAP Cloud Platform Integration User ID and password to connect to SAP Business Technology Platform Integration tenant.

b. For Certificate-based Authentication:

Choose the X.509 Client Certificate option.

Choose the value help on the SSL Client PSE of transaction STRUST field.

Choose the PSE in which the client certificate issued by a CA supported by SAP Business Technology Platform Integration is stored.

9. Click Next.
10. Enter the SAP Business Technology Platform Integration operation server node URL in the URL field and append /cxf and the Address endpoint as configured in the Sender tab of your integration flow. It should look like: <https://XXXXXXX-iflmap.sap.hana.ondemand.com:443/cxf/replicate/offering>.
11. Enter Proxy information, if necessary.
12. Click Next.

Field | Value
RM Protocol | SAP RM
Message ID Protocol | SAP Message ID

13. Click Finish.
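Step 10 of both SOA Manager procedures (customer data and offering) composes the logical port URL from the tenant host, /cxf, and the Sender tab address. The following added example, which is not part of the SAP guide, builds that URL and checks an entered value against the pattern; the function names are hypothetical, the tenant.example.invalid host is a placeholder, and treating a port other than 443 as a finding is an assumption based on the guide's sample URL.

```python
from urllib.parse import urlsplit

CXF_PREFIX = "/cxf"  # prefix the guide says to put before the Sender address


def build_logical_port_url(host, sender_address, port=443):
    """Compose the URL from step 10: https://<host>:<port>/cxf<Sender address>."""
    if not sender_address.startswith("/"):
        sender_address = "/" + sender_address
    return f"https://{host}:{port}{CXF_PREFIX}{sender_address}"


def check_logical_port_url(url, sender_address):
    """Return a list of findings; an empty list means the URL fits the pattern."""
    findings = []
    # The guide prints the sample URL in angle brackets; drop them if pasted.
    parts = urlsplit(url.strip().strip("<>"))
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        findings.append("credentials embedded in URL")
    if not parts.hostname:
        findings.append("host is missing")
    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("port is not a valid number")
    if port not in (None, 443):
        # Assumption: 443 is expected because the guide's sample URL uses it.
        findings.append(f"port {port} differs from 443 used in the guide")
    expected = CXF_PREFIX + "/" + sender_address.strip("/")
    if parts.path.rstrip("/") != expected:
        findings.append(f"path {parts.path!r} is not {expected!r}")
    if parts.query or parts.fragment:
        findings.append("unexpected query string or fragment")
    return findings


# Constructed sample entries: the sender addresses come from the guide,
# the host names are placeholders.
SAMPLES = [
    ("https://XXXXXXX-iflmap.sap.hana.ondemand.com:443/cxf/replicate/customer",
     "/replicate/customer"),
    ("http://tenant.example.invalid/replicate/offering", "/replicate/offering"),
    ("https://user:pw@tenant.example.invalid:443/cxf/replicate/customer",
     "/replicate/customer"),
]

if __name__ == "__main__":
    for url, address in SAMPLES:
        print(url, "->", check_logical_port_url(url, address) or "ok")
```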

Task overview: Push Offering to Entitlement Management from S/4HANA [page 49]

Related Information

Configure SCP Integration to Push Offering [page 50]
Configure Data Replication Framework for Offering Data [page 53]

6.7.7.3 Configure Data Replication Framework for Offering Data

Context

Configure settings in SAP S/4HANA to set up the product master data replication to SAP Entitlement Management.

In SAP S/4HANA, define the target system and data for the replication.

Procedure

1. Configure the data replication framework.

a. Open transaction DRFIMG. Choose Data Replication > Define Custom Settings for Data Replication > Define Technical Settings > Define Technical Settings for Business Systems.

b. Choose New Entries and define your business system for receiving messages from SAP S/4HANA. Fill in the fields with the following data:

Business System: Define an ID for SAP Entitlement Management. The system ID can be free text but should not exceed 10 characters.

Save your changes.

c. Under Define Bus. Systems BOs, select 194 for BO Type and select Sys. Filt. Save your changes.

d. Under Define Bus. Systems BOs Communication Channel, select the Replication via Services channel. Save your changes.

2. Define the replication model.

a. Choose Data Replication > Define Custom Settings for Data Replication > Define Replication Model.

b. Choose New Entries and enter a name and description for your replication model. Indicate the number of Log Days after which an application log expires. Save your changes.

c. In the Prompt for Customizing request, choose an existing customizing request or create a new one.

d. Under Assign Outbound Implementation, choose New Entries. Select 194_3 for Outbound Implementation. Save your changes.

e. Under Assign Target Systems for Repl. Model/Outb. Impl., choose the Business System that you created earlier. Save your changes.

f. Under Assign Outbound Parameter, select the outbound parameter PACK_SIZE_BULK and add the number for Outbound Parameter Value. Save your changes.

3. Activate the replication model.

Choose Data Replication > Define Custom Settings for Data Replication > Define Replication Model > <your replication model> > Active.

Task overview: Push Offering to Entitlement Management from S/4HANA [page 49]

Related Information

Configure SCP Integration to Push Offering [page 50]
Configure SOA Manager to Push Offering [page 51]

6.7.8 Pull Customer Data from S/4HANA to Entitlement Management

This section describes how to pull customer master data from SAP S/4HANA to SAP Entitlement Management.

Configure SAP BTP Integration to Pull Customer Data [page 55]

Configure Communication Channel to Pull Customer Data [page 56]

Parent topic: Integration with SAP S/4HANA [page 31]

Related Information

Install and Configure SAP Cloud Connector [page 32]
Add SAP BTP Enterprise Messaging Credentials in SAP BTP Integration [page 34]
Add SAP S/4HANA Credentials to SAP BTP Integration [page 35]
Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration [page 35]
Replicate Sales Order from SAP S/4HANA via IDoc [page 36]
Push Customer Data to Entitlement Management from S/4HANA [page 44]
Push Offering to Entitlement Management from S/4HANA [page 49]
Pull Offering from S/4HANA to Entitlement Management [page 57]
Replicate Sales Order From S/4HANA via SAP BTP Enterprise Messaging [page 60]
Extend the Standard Integration Flow [page 64]

6.7.8.1 Configure SAP BTP Integration to Pull Customer Data

Context

To pull customer data from SAP S/4HANA to SAP Entitlement Management, you need to configure integration in SAP Business Technology Platform Integration web application.

Procedure

1. Set up the following in the Sender tab:

Field | Value
Address | /sync/customer
CSRF Protected | Un-checked

2. Set up the following on the Receiver tab for S/4HANA:

Field | Value
Address | http://{virtual address in cloud connector}/sap/opu/odata/sap/MD_CUSTOMER_MASTER_SRV_01
Proxy Type | On-Premise
Location ID |
Authentication | Basic
Credential Name | S4HANA Credential name defined in Add SAP S/4HANA Credentials to SAP BTP Integration [page 35]
CSRF Protected | Un-checked
Custom Query Option | Define your own query condition
Page Size | 1000
Timeout (in min) | 1

3. Set up the following on the Sender tab for SyncCustomerExtensionProcessExit:

Field | Value
Address | /EMS/SyncCustomer_PostExit

4. Set up the following on the More tab:

Field | Value | Comments
Type | All Parameters |
Extension Implemented | True or False | True means you would like to extend the standard iflow, and already created your own iflow with ProcessDirect sender Adapter

Task overview: Pull Customer Data from S/4HANA to Entitlement Management [page 54]

Related Information

Configure Communication Channel to Pull Customer Data [page 56]

6.7.8.2 Configure Communication Channel to Pull Customer Data

Context

In order to sync customer master data from SAP Entitlement Management by using current integration flow, you have to configure the SAP Entitlement Management communication channel.

Procedure

Configure the following fields in the SAP Entitlement Management Communication Channel:

Field | Value
Communication Channel Name | Name of the communication channel
Description | Description of your communication channel
EMS Interface Name | Request Customer Master Data
EMS Interface Code | Request_Customer_Master_Data
Destination Name | Name of your destination
Destination URL | The runtime URL for your target system tenant. The URL is contained in the endpoint from the SAP Business Technology Platform Integration.
Path | /http/sync/customer
CSRF-Token Enabled | Un-check
Path to Fetch Token |
Status | Active

Task overview: Pull Customer Data from S/4HANA to Entitlement Management [page 54]

Related Information

Configure SAP BTP Integration to Pull Customer Data [page 55]

6.7.9 Pull Offering from S/4HANA to Entitlement Management

This section describes how to pull material from SAP S/4HANA to SAP Entitlement Management.

Configure SAP BTP Integration to Pull Offering [page 58]

Configure Communication Channel to Pull Offering [page 59]

Parent topic: Integration with SAP S/4HANA [page 31]

Related Information

Install and Configure SAP Cloud Connector [page 32]
Add SAP BTP Enterprise Messaging Credentials in SAP BTP Integration [page 34]
Add SAP S/4HANA Credentials to SAP BTP Integration [page 35]
Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration [page 35]
Replicate Sales Order from SAP S/4HANA via IDoc [page 36]
Push Customer Data to Entitlement Management from S/4HANA [page 44]
Push Offering to Entitlement Management from S/4HANA [page 49]
Pull Customer Data from S/4HANA to Entitlement Management [page 54]
Replicate Sales Order From S/4HANA via SAP BTP Enterprise Messaging [page 60]
Extend the Standard Integration Flow [page 64]

6.7.9.1 Configure SAP BTP Integration to Pull Offering

Context

To pull offering from S/4HANA, you need to configure integration flow in SAP Business Technology Platform Integration web application.

Procedure

1. Set up the following in the Sender tab:

Field | Value
Address | /sync/offering
CSRF Protected | Check or un-check

2. Set up the following on the Receiver tab for S/4HANA:

Field | Value
Address | http://{virtual address in cloud connector}/sap/opu/odata/sap/MD_C_PRODUCT_MAINTAIN_SRV
Proxy Type | On-Premise
Location ID |
Authentication | Basic
Credential Name | S4HANA Credential name defined in Add SAP S/4HANA Credentials to SAP BTP Integration [page 35]
CSRF Protected | Un-checked
Custom Query Option | Define your own query condition
Page Size | 1000
Timeout (in min) | 1

3. Set up the following on the Sender tab for SyncOfferingExtensionProcessExit:

Field | Value
Address | /EMS/SyncOffering_PostExit

4. Set up the following on the More tab:

Field | Value | Comments
Type | All Parameters |
Extension Implemented | True or False | True means you would like to extend the standard iflow, and already created your own iflow with ProcessDirect sender Adapter

Task overview: Pull Offering from S/4HANA to Entitlement Management [page 57]

Related Information

Configure Communication Channel to Pull Offering [page 59]

6.7.9.2 Configure Communication Channel to Pull Offering

Context

In order to sync material master data from SAP Entitlement Management by using current integration flow, you have to configure SAP Entitlement Management communication channel.

Procedure

Configure the following fields in the SAP Entitlement Management Communication Channel:

Field | Value
Communication Channel Name | Name of the communication channel
Description | Description of your communication channel
EMS Interface Name | Request Offering Master Data
EMS Interface Code | Request_Offering_Master_Data
Destination Name | Name of your destination
Destination URL | The runtime URL for your target system tenant. The URL is contained in the endpoint from the SAP Business Technology Platform Integration.
Path | /http/sync/offering
CSRF-Token Enabled | Un-check
Path to Fetch Token |
Status | Active

Task overview: Pull Offering from S/4HANA to Entitlement Management [page 57]

Related Information

Configure SAP BTP Integration to Pull Offering [page 58]

6.7.10 Replicate Sales Order From S/4HANA via SAP BTP Enterprise Messaging

Replicating the sales order from SAP S/4HANA to SAP Entitlement Management via SAP BTP Enterprise Messaging consists of first enabling the enterprise events in SAP S/4HANA and then configuring the SAP BTP Integration to replicate the sales orders.

Enable Enterprise Events in SAP S/4HANA [page 61]
In order to enable Enterprise Events in SAP S/4HANA, you must configure the settings in SAP S/4HANA to push events to the channel.

Configure SAP BTP Integration to Replicate Sales Orders via Enterprise Messaging [page 61]
Configuring the SAP BTP integration settings to allow for replication of sales order data from SAP S/4HANA via Enterprise Messaging requires the setup of the Sender tab, two Receiver tabs, and the More tab.

Parent topic: Integration with SAP S/4HANA [page 31]

Related Information

Install and Configure SAP Cloud Connector [page 32]
Add SAP BTP Enterprise Messaging Credentials in SAP BTP Integration [page 34]
Add SAP S/4HANA Credentials to SAP BTP Integration [page 35]
Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration [page 35]
Replicate Sales Order from SAP S/4HANA via IDoc [page 36]
Push Customer Data to Entitlement Management from S/4HANA [page 44]
Push Offering to Entitlement Management from S/4HANA [page 49]
Pull Customer Data from S/4HANA to Entitlement Management [page 54]
Pull Offering from S/4HANA to Entitlement Management [page 57]
Extend the Standard Integration Flow [page 64]

Enable Enterprise Events in SAP S/4HANA [page 61]
Configure SAP BTP Integration to Replicate Sales Orders via Enterprise Messaging [page 61]

6.7.10.1 Enable Enterprise Events in SAP S/4HANA

In order to enable Enterprise Events in SAP S/4HANA, you must configure the settings in SAP S/4HANA to push events to the channel.

For details, see https://help.sap.com/viewer/810dfd34f2cc4f39aa8d946b5204fd9c/latest/en-US/c200f98fadb64ff1828ed5696c86fca2.html.

Currently this iflow only supports the following two event types:

● sap.s4.beh.salesorder.v1.SalesOrder.Created.v1
● sap.s4.beh.salesorder.v1.SalesOrder.Changed.v1

Parent topic: Replicate Sales Order From S/4HANA via SAP BTP Enterprise Messaging [page 60]

Related Information

Configure SAP BTP Integration to Replicate Sales Orders via Enterprise Messaging [page 61]

6.7.10.2 Configure SAP BTP Integration to Replicate Sales Orders via Enterprise Messaging

Configuring the SAP BTP integration settings to allow for replication of sales order data from SAP S/4HANA via Enterprise Messaging requires the setup of the Sender tab, two Receiver tabs, and the More tab.

Context

To enable sales order replication via SAP Business Technology Platform Enterprise Messaging from SAP S/4HANA to SAP Entitlement Management, you need to configure integration in SAP Business Technology Platform Integration web application.

Procedure

1. Set up the following on the Sender tab.

Field | Value | Comments
Sender | Sender |
Adapter Type | AMQP |
Host | Host of uri whose protocol is amqp10ws in SAP Enterprise Messaging service key | wss://<<host>> /protocols/amqp10ws
Port | 443 |
Path | Path of uri whose protocol is amqp10ws in SAP Enterprise Messaging service key | wss://<<Host>><<Path>>
Authentication | OAuth2 Client Credentials |
Credential Name | SAP Enterprise Messaging OAuth2 Credential name defined in Add SAP BTP Enterprise Messaging Credentials in SAP BTP Integration [page 34] |
Include Scope | Un-checked |

2. Set up the following on the Receiver tab for Entitlement Management.

Field | Value
Address | Entitlement Generation API URL
Authentication | OAuth2 Client Credential
Credential Name | EMS OAuth2 credential name created in Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration [page 35]
Timeout (in ms) | 60000

3. Set up the following on the Receiver tab:

Field | Value
Receiver | S4HANA
Adapter Type | HCIOData
S/4HANA Address | http://{virtual address in cloud connector}/
Proxy Type | On-Premise
Location ID | Location ID which you defined in SAP Cloud Connector
Authentication | Basic
Credential Name | S/4HANA Credential name defined in Add SAP S/4HANA Credentials to SAP BTP Integration [page 35]
CSRF Protected | Un-checked
S/4HANA Client | S/4HANA Client Number

Field | Value
Receiver | EMS
Adapter Type | HTTP
Entitlement Generation API URL | https://{host of entitlement generation API URL}
Authentication | OAuth2 Client Credentials
Credential Name | EMS OAuth2 Credential name defined in Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration [page 35]

Field | Value
Receiver | ExitReceiver
Adapter Type | ProcessDirect
Address | /EMS/ReplicateSalesOrderViaEvent_PostExit

4. Set up the following on the More tab.

Field Name | Value | Comments
Type | All Parameters |
Extension Implemented | True or False | True - means you would like to extend the standard iflow, and already created your own iflow with ProcessDirect sender Adapter

Task overview: Replicate Sales Order From S/4HANA via SAP BTP Enterprise Messaging [page 60]

Related Information

Enable Enterprise Events in SAP S/4HANA [page 61]

6.7.11 Extend the Standard Integration Flow

Context

To extend standard integration flow, add your customized logic such as mapping, and fetch additional data.

In the standard integration flow, there are several fields (such as valid from, valid to, and source system) that you need to map to your fields.

Procedure

1. Create a new integration flow in an integration package.
2. Choose ProcessDirect as your sender adapter, and select one of the following addresses:

Address | Description
/EMS/ReplicateSalesOrderViaEvent_PostExit | To extend iflow – Replicate Sales Order from SAP S4HANA via IDoc
/EMS/SyncCustomer_PostExit | To extend iflow – Pull Customer From S4HANA to EMS
/EMS/SyncOffering_PostExit | To extend iflow – Pull Offering From S4HANA to EMS
/EMS/PushCustomer_PostExit | To extend iflow – Push Customer To EMS From S4HANA
/EMS/ReplicateOffering_PostExit | To extend iflow – Push Offering To EMS From S4HANA
/EMS/ReplicateSalesOrderViaEvent_PostExit | To extend iflow – Replicate Sales Order from SAP S4HANA via SAP Cloud Platform Enterprise Messaging

3. Add your logic in the integration flow and save your changes.
4. Deploy your integration flow.
5. Configure the standard integration flow that you would like to extend. Click the More tab and set Extension Implemented to True. Then deploy the integration flow.

Task overview: Integration with SAP S/4HANA [page 31]

Related Information

Install and Configure SAP Cloud Connector [page 32]
Add SAP BTP Enterprise Messaging Credentials in SAP BTP Integration [page 34]
Add SAP S/4HANA Credentials to SAP BTP Integration [page 35]
Add SAP Entitlement Management OAuth2 Credentials to SAP BTP Integration [page 35]
Replicate Sales Order from SAP S/4HANA via IDoc [page 36]
Push Customer Data to Entitlement Management from S/4HANA [page 44]
Push Offering to Entitlement Management from S/4HANA [page 49]
Pull Customer Data from S/4HANA to Entitlement Management [page 54]
Pull Offering from S/4HANA to Entitlement Management [page 57]
Replicate Sales Order From S/4HANA via SAP BTP Enterprise Messaging [page 60]

6.8 Integration with SAP Analytics Cloud (SAC)

For SAP Analytics Cloud (SAC) to be able to integrate with SAP Entitlement Management, specific integration steps need to be completed.

Procedure

1. Configure the SAML Identity Provider in SAC. Make sure it is the same IDP as in the EMS configuration, with the same login credential SAML user attribute.

For SAML configuration, see: https://www.sapanalytics.cloud/guided_playlists/user-management-identity-provider-idp/

2. Create the SAC connection to the Entitlement Management system.

3. Go to the Connection page and add a new datasource.

Select Connection to Live Data and SAP HANA.

Host: xxx.ems.cfapps.eu10.hana.ondemand.com/sac (your tenant URL with the "/sac" suffix)

HTTPS Port: 443

Authentication Method: SAML Single Sign On

4. Create the SAC Model.

Select Get Data from a Datasource and click Live Data Connection. Use the connection created with the Data Source EntitlementListViewForSAC.

5. Design your model with dimensions and measures.

Replace the Column ID with the actual attribute code that can be retrieved from the Entitlement Attribute Query API. Hide all extension fields that are not needed.

6. Save the model using the name EntitlementData. This will be used by EMS sample stories.

7. Create SAC stories as an Entitlement Analytics Report with the model you created. You can define the chart/table type, measures, and dimensions.

For details, you can follow the SAC guide: https://www.sapanalytics.cloud/guided_playlists/what-if-analysis/

Task overview: Integration [page 16]

Related Information

Master Data [page 17]
Logging and Tracing [page 18]
Outbound Enablement [page 19]
Get the OAuth Access Token (Postman) [page 27]
Get the OAuth Access Token (Client Certificate) [page 28]
Process Integration with SAP S/4HANA [page 30]
Integration with SAP S/4HANA [page 31]
Integration with SAP Subscription Billing [page 70]
Integration with SAP Commerce Cloud [page 79]
Integration with Subscription Order Management [page 80]

6.9 Integration with SAP Subscription Billing

Data can be transferred from SAP Subscription Billing to SAP Entitlement Management.

You can find detailed information on the integration in the SAP Subscription Billing documentation: Integration with SAP Entitlement Management.

1. Create a Service Key of SAP Entitlement Management OAuth2 [page 71]
When integrating SAP Entitlement Management with SAP Subscription Billing, you must first create a service key.

2. Activate Outbound Events in SAP Subscription Billing [page 72]
Once you activate outbound events, you can receive events sent outwards from SAP Subscription Billing through SAP Event Mesh.

3. Define Queue and Subscribe to SAP Subscription Billing Events [page 72]
You can subscribe to SAP Subscription Billing Events.

4. Add SAP Event Mesh Credentials in SAP Cloud Integration [page 73]
Next in the integration process, you must add SAP Event Mesh credentials.

5. Add SAP Entitlement Management OAuth2 Credentials to SAP Cloud Integration [page 74]
Once you have added the SAP Event Mesh Credentials, you need to add the SAP Entitlement Management OAuth2 credentials.

6. Add SAP Subscription Billing OAuth2 Credentials to SAP Cloud Integration [page 75]
After you have added the SAP Entitlement Management Credentials, you need to add the SAP Subscription Billing OAuth2 credentials.

7. Configure Value Mapping between Event Type and Business Event [page 76]
You can use this value mapping to map event type from SAP Subscription Billing to Business Event in SAP Entitlement Management.

8. Replicate Subscription from SAP Subscription Billing via SAP Event Mesh [page 76]
You can replicate subscriptions via the SAP Event Mesh.

9. Extend the Standard Integration Flow for Subscription Billing [page 79]
You have an option to extend the standard integration flow.

Parent topic: Integration [page 16]

Related Information

Master Data [page 17]
Logging and Tracing [page 18]
Outbound Enablement [page 19]
Get the OAuth Access Token (Postman) [page 27]
Get the OAuth Access Token (Client Certificate) [page 28]
Process Integration with SAP S/4HANA [page 30]
Integration with SAP S/4HANA [page 31]
Integration with SAP Analytics Cloud (SAC) [page 65]
Integration with SAP Commerce Cloud [page 79]
Integration with Subscription Order Management [page 80]

6.9.1 Create a Service Key of SAP Entitlement Management OAuth2

When integrating SAP Entitlement Management with SAP Subscription Billing, you must first create a service key.

Context

The service key contains the information of the OAuth2 client ID and client secret. These will be used to access the APIs of SAP Entitlement Management.

Procedure

1. Open the SAP BTP cockpit that is used to subscribe to SAP Entitlement Management.
2. Create a service instance of SAP Entitlement Management OAuth Service.
3. Create a service key for the service which you just created.
4. Note the client ID, client secret, and OAuth token URL as you will need this information later in the integration process.

Task overview: Integration with SAP Subscription Billing [page 70]

Next task: Activate Outbound Events in SAP Subscription Billing [page 72]

6.9.2 Activate Outbound Events in SAP Subscription Billing

Once you activate outbound events, you can receive events sent outwards from SAP Subscription Billing through SAP Event Mesh.

Context

For more details about events, see Events.

Procedure

1. Select Business Configuration.
2. Select Integration Settings.
3. Click the toggle button Activate Outbound Events.
4. Click Save to save your changes.

Task overview: Integration with SAP Subscription Billing [page 70]

Previous task: Create a Service Key of SAP Entitlement Management OAuth2 [page 71]

Next task: Define Queue and Subscribe to SAP Subscription Billing Events [page 72]

6.9.3 Define Queue and Subscribe to SAP Subscription Billing Events

You can subscribe to SAP Subscription Billing Events.

Context

To find available events and topic names, you can access the SAP Subscription Billing Events.

Procedure

1. In the SAP BTP Cockpit, navigate to your subaccount.
2. Select Subscriptions from the navigation pane on the left, then click the Enterprise Messaging tile.
3. Choose Go to Application.
4. Choose your message client, then choose the Queue tab.
5. Click Create.
6. Under Actions, choose Queue Subscriptions to create a new queue subscription associated with the selected queue. Enter a topic or topic pattern name, and choose Add.

Task overview: Integration with SAP Subscription Billing [page 70]

Previous task: Activate Outbound Events in SAP Subscription Billing [page 72]

Next task: Add SAP Event Mesh Credentials in SAP Cloud Integration [page 73]

6.9.4 Add SAP Event Mesh Credentials in SAP Cloud Integration

Next in the integration process, you must add SAP Event Mesh credentials.

Procedure

1. In the navigation panel, choose Monitor, and access the Security Material in the Manage Security section.

2. Choose Add OAuth2 Credential.
3. Specify the following fields in the Add OAuth2 Credential dialog box:

Name | Credential Name
Grant Type | Client Credentials
Token Service URL | Token Service URL from SAP Event Mesh service key
Client ID | Client ID from SAP Event Mesh service key
Client Secret | Client Secret from SAP Event Mesh service key
Client Authentication | Send as Request Header
Include Scope | Un-checked


Task overview: Integration with SAP Subscription Billing [page 70]

Previous task: Define Queue and Subscribe to SAP Subscription Billing Events [page 72]

Next task: Add SAP Entitlement Management OAuth2 Credentials to SAP Cloud Integration [page 74]

6.9.5 Add SAP Entitlement Management OAuth2 Credentials to SAP Cloud Integration

Once you have added the SAP Event Mesh Credentials, you need to add the SAP Entitlement Management OAuth2 credentials.

Procedure

1. Create a service instance of SAP Entitlement Management OAuth Service in SAP Business Technology Platform Cockpit.

2. Create a service key in the service instance you just created.

3. Access Security Material and choose Add OAuth2 Credential.
4. Specify the following fields in the Add OAuth2 Credential dialog box:

Name | Credential Name
Grant Type | Client Credentials
Token Service URL | Token Service URL from SAP Entitlement Management OAuth service key
Client ID | Client ID from SAP Entitlement Management OAuth service key
Client Secret | Client Secret from SAP Entitlement Management OAuth service key
Client Authentication | Send as Request Header
Include Scope | Un-checked

Task overview: Integration with SAP Subscription Billing [page 70]

Previous task: Add SAP Event Mesh Credentials in SAP Cloud Integration [page 73]

Next task: Add SAP Subscription Billing OAuth2 Credentials to SAP Cloud Integration [page 75]


6.9.6 Add SAP Subscription Billing OAuth2 Credentials to SAP Cloud Integration

After you have added the SAP Entitlement Management Credentials, you need to add the SAP Subscription Billing OAuth2 credentials.

Context

For reference, you can see the SAP BTP Configuration Guide.

Procedure

1. Create a service instance of SAP Subscription Billing (API Service) in SAP Business Technology Platform Cockpit.

2. Find the service key that is created following the Enable Access section of the SAP BTP Configuration Guide.

3. Access Security Material in SAP CPI and choose Add OAuth2 Credential.
4. Specify the following fields in the Add OAuth2 Credential dialog box:

Name | Credential Name
Grant Type | Client Credentials
Token Service URL | Token Service URL from SAP Subscription Billing (API Service) service key
Client ID | Client ID from SAP Subscription Billing (API Service) service key
Client Secret | Client Secret from SAP Subscription Billing (API Service) service key
Client Authentication | Send as Request Header
Include Scope | Un-checked

Task overview: Integration with SAP Subscription Billing [page 70]

Previous task: Add SAP Entitlement Management OAuth2 Credentials to SAP Cloud Integration [page 74]

Next task: Configure Value Mapping between Event Type and Business Event [page 76]


6.9.7 Configure Value Mapping between Event Type and Business Event

You can use this value mapping to map event type from SAP Subscription Billing to Business Event in SAP Entitlement Management.

Context

You can find the event type from the payload of the Event.

Procedure

1. On the Design tab, navigate to the package SAP Entitlement Management with SAP Subscription Billing.

2. Choose Artifacts > Value Mapping between Event Type and Business Event and then choose Actions > Configure.
3. Click Add to add the entry.
4. Click Save and then click Deploy to deploy your value mapping.

Task overview: Integration with SAP Subscription Billing [page 70]

Previous task: Add SAP Subscription Billing OAuth2 Credentials to SAP Cloud Integration [page 75]

Next task: Replicate Subscription from SAP Subscription Billing via SAP Event Mesh [page 76]

6.9.8 Replicate Subscription from SAP Subscription Billing via SAP Event Mesh

You can replicate subscriptions via the SAP Event Mesh.

Context

This iFlow is used to replicate the subscription to SAP Entitlement Management based on the events to which you subscribed in your queue of SAP Event Mesh.


Procedure

1. On the Design tab, navigate to the package SAP Entitlement Management with SAP Subscription Billing.

2. Choose Artifacts > Replicate Subscription from SAP Subscription Billing via SAP Event Mesh and then choose Actions > Configure.

3. Set up the following on the Sender tab:

Field Name | Value | Comments
Sender | EnterpriseMessaging |
Adapter Type | AMQP |
Host | Host of URI whose protocol is amqp10ws in SAP Event Mesh service key | wss://<<host>>/protocols/amqp10ws
Port | 443 |
Path | Path of URI whose protocol is amqp10ws in SAP Event Mesh service key | wss://<<Host>><<Path>>
Authentication | OAuth2 Client Credentials |
Credential Name | SAP Event Mesh OAuth2 Credential Name |
Queue Name | Queue name which you created in SAP Event Mesh |

4. Set up the following on the Receiver tab:

Field Name | Value | Comments
Receiver | SubscriptionBilling |
Adapter Type | HTTP |
URL of Subscription Billing | URL of Subscription Billing | Such as: https://eu10.revenue.cloud.sap/api
Credential Name | OAuth2 Client credential name of SAP Subscription Billing |
Timeout (in ms) | 60000 |

Field Name | Value
Receiver | EMS
Adapter Type | HTTP
Address | URL Entitlement Generation API
Credential Name | OAuth2 Client credential name of SAP Entitlement Management
Timeout (in ms) | 60000

Field Name | Value
Receiver | ExitReceiver
Adapter Type | ProcessDirect
URL | /EMS/ReplicateSubscriptionViaEvent_PostExit

5. Set up the following on the More tab:

Field Name | Value | Comments
Type | All Parameters |
Extension Implemented | True or False | True: means you would like to extend the standard iflow, and already created your own iflow with ProcessDirect sender Adapter
Source System | The source system created in SAP Entitlement Management |

Task overview: Integration with SAP Subscription Billing [page 70]

Previous task: Configure Value Mapping between Event Type and Business Event [page 76]

Next task: Extend the Standard Integration Flow for Subscription Billing [page 79]


6.9.9 Extend the Standard Integration Flow for Subscription Billing

You have an option to extend the standard integration flow.

Context

To extend the standard integration flow, add your customized logic, such as mapping and fetching additional data.

Procedure

1. Create a new integration flow in an integration package.
2. Choose ProcessDirect as your sender adapter, and select one of the addresses below:

Address | Description
/EMS/ReplicateSubscriptionViaEvent_PostExit | To extend iflow – Replicate Subscription between SAP Entitlement Management and SAP Subscription Billing via SAP BTP Enterprise Messaging

3. Add your logic in integration iflow and click Save to save your changes.
4. Deploy your integration flow.
5. Configure the standard integration flow which you would like to extend. Select the More tab and set Extension Implemented to True. Then deploy integration flow.

Task overview: Integration with SAP Subscription Billing [page 70]

Previous task: Replicate Subscription from SAP Subscription Billing via SAP Event Mesh [page 76]

6.10 Integration with SAP Commerce Cloud

The integration of SAP Entitlement Management with SAP Commerce Cloud enables customers to view their entitlements on the storefront.

You can find detailed information on the integration in the SAP Commerce Cloud documentation at: https://help.sap.com/viewer/f1a442a5d4664fa08fee7b182df437f5/2005/en-US

Parent topic: Integration [page 16]


Related Information

Master Data [page 17]
Logging and Tracing [page 18]
Outbound Enablement [page 19]
Get the OAuth Access Token (Postman) [page 27]
Get the OAuth Access Token (Client Certificate) [page 28]
Process Integration with SAP S/4HANA [page 30]
Integration with SAP S/4HANA [page 31]
Integration with SAP Analytics Cloud (SAC) [page 65]
Integration with SAP Subscription Billing [page 70]
Integration with Subscription Order Management [page 80]

6.11 Integration with Subscription Order Management

This integration topic describes the necessary steps which are required to make ODI work for SAP Entitlement Management.

This topic won’t cover any business configuration. See the appropriate documentation for full details on the ODI Framework.

Prerequisites:

● You have synced master data to SAP Entitlement Management.
  ○ If you would like to use DRF to push master data (offering, customer) to SAP Entitlement Management, please refer to Push Customer Data to Entitlement Management from S/4HANA [page 44] and Push Offering to Entitlement Management from S/4HANA [page 49].
  ○ If you would like to pull master data from Subscription Order Management to SAP Entitlement Management, please refer to Pull Customer Data from S/4HANA to Entitlement Management [page 54] and Pull Offering from S/4HANA to Entitlement Management [page 57].
● You have completed the necessary configuration in SAP Entitlement Management, such as: Offering-Entitlement Modeling Mapping, Rule Set, and so on.

1. Create a Service Key [page 81]
   When integrating SAP Entitlement Management with Subscription Order Management, you must first create a service key.

2. Create an OAuth2 2.0 Client Profile in the AS ABAP [page 82]
   Once you have created a service key, you need to create an OAuth2 client profile.

3. Document Distribution Step Type Class Implementation [page 83]
   The final step for integrating with Subscription Order Management is to document distribution step type class implementation.

4. Configure an OAuth 2.0 Client in the AS ABAP [page 89]
   Once you have created an OAuth2 client profile, you must configure the OAuth 2.0 Client.

5. Create a Destination for Entitlement Generation API [page 90]
   As part of the integration with Subscription Order Management, you must create a destination for Entitlement Generation API.

Parent topic: Integration [page 16]

Related Information

Master Data [page 17]
Logging and Tracing [page 18]
Outbound Enablement [page 19]
Get the OAuth Access Token (Postman) [page 27]
Get the OAuth Access Token (Client Certificate) [page 28]
Process Integration with SAP S/4HANA [page 30]
Integration with SAP S/4HANA [page 31]
Integration with SAP Analytics Cloud (SAC) [page 65]
Integration with SAP Subscription Billing [page 70]
Integration with SAP Commerce Cloud [page 79]

6.11.1 Create a Service Key

When integrating SAP Entitlement Management with Subscription Order Management, you must first create a service key.

Context

The service key contains the information of the OAuth2 client ID and client secret. These will be used to access the APIs of SAP Entitlement Management.

Procedure

1. Open the SAP BTP cockpit which is used to subscribe to SAP Entitlement Management.
2. Create a service instance of SAP Entitlement Management OAuth Service.
3. Create a service key for the service which you just created.
4. Note down the client ID, client secret, and OAuth token URL as you will need this information later in the integration process.

Task overview: Integration with Subscription Order Management [page 80]


Next task: Create an OAuth2 2.0 Client Profile in the AS ABAP [page 82]

6.11.2 Create an OAuth2 2.0 Client Profile in the AS ABAP

Once you have created a service key, you need to create an OAuth2 client profile.

Context

An OAuth2 client profile in the AS ABAP lists the OAuth 2.0 scopes you want to access within the service provided.

Procedure

1. Execute Transaction SE80.
2. Select Development Object from the drop down list.
3. To create a development object in the custom namespace, choose Create OAuth 2.0 Client Profile in the context menu of the object name.
4. Enter the object name in the Client Profile field of the popup dialog.
5. Select DEFAULT as the Type of Service Provider.
6. Save your changes.

Task overview: Integration with Subscription Order Management [page 80]

Previous task: Create a Service Key [page 81]

Next task: Document Distribution Step Type Class Implementation [page 83]


6.11.3 Document Distribution Step Type Class Implementation

The final step for integrating with Subscription Order Management is to document distribution step type class implementation.

Context

A class will be used to map subscription contract item data to Entitlement data and post the Entitlement data to SAP Entitlement Management.

Procedure

1. Execute Transaction SE24.
2. Create a class inheriting from CL_CRM_ISX_ORDER_MSG_DIST_TYPE in customer namespace.
3. Redefine method IF_CRM_ISX_ORDER_MSG_DIST_TYPE~EXECUTE.
4. Define a data structure of Entitlement based on the XSD file via Export XSD for Entitlement Generation API.
5. Read subscription contract item data, and header data, map to data structure of Entitlement.
6. Transform ABAP data structure to JSON, which is required by Entitlement Generation API.

a) Create an XSLT transformation via Transaction STRANS.

b) Write your logic to transform, such as:

<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
               xmlns:sap="http://www.sap.com/sapxsl"
               xmlns:asx="http://www.sap.com/abapxml"
               xmlns:f="fct"
               exclude-result-prefixes="f asx"
               version="1.0">
  <xsl:template match="/">
    <object>
      <!--JSON root object-->
      <object name="Inbound_Interface_Entitlement_Generation">
        <object name="Inbound_Interface_Entitlement_Generation">
          <str name="SourceSystem"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/SOURCE_SYSTEM"/></str>
          <str name="GenerationMethod"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/GENERATION_METHOD"/></str>
          <str name="CustomerID"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/CUSTOMER_ID"/></str>
          <str name="CustomerName"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/CUSTOMER_NAME"/></str>
          <str name="DistributorID"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/DISTRIBUTOR_ID"/></str>
          <str name="ThirdPartyID"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/THIRD_PARTY_ID"/></str>
          <str name="CustomerSystem"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/CUSTOMER_SYSTEM"/></str>
          <str name="OfferingSystem"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/OFFERING_SYSTEM"/></str>
          <str name="CreatedBy"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/CREATED_BY"/></str>
          <str name="SalesOrganization"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/SALES_ORGANIZATION"/></str>
          <str name="SalesGroup"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/SALES_GROUP"/></str>
          <str name="SalesOffice"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/SALES_OFFICE"/></str>
          <str name="DistributionChannel"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/DISTRIBUTION_CHANNEL"/></str>
          <str name="DocumentCategory"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/DOCUMENT_CATEGORY"/></str>
          <str name="DocumentType"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/DOCUMENT_TYPE"/></str>
          <str name="DocumentNumber"><xsl:value-of select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/DOCUMENT_NUMBER"/></str>
          <array name="Item">
            <xsl:for-each select="asx:abap[1]/asx:values[1]/ENT_LIST[1]/ITEM/*">
              <object>
                <str name="ItemNumber"><xsl:value-of select="ITEM_NUMBER"/></str>
                <str name="ItemCategory"><xsl:value-of select="ITEM_CATEGORY"/></str>
                <str name="OfferingID"><xsl:value-of select="OFFERING_ID"/></str>
                <str name="OfferingName"><xsl:value-of select="OFFERING_NAME"/></str>
                <str name="OfferingCategory"><xsl:value-of select="OFFERING_CATEGORY"/></str>
                <str name="Quantity"><xsl:value-of select="QUANTITY"/></str>
                <str name="UOM"><xsl:value-of select="UOM"/></str>
                <str name="ItemValidFrom"><xsl:value-of select="ITEM_VALID_FROM"/></str>
                <str name="ItemValidTo"><xsl:value-of select="ITEM_VALID_TO"/></str>
                <str name="BusinessEvent"><xsl:value-of select="BUSINESS_EVENT"/></str>
                <!-- If you would like to keep the parent-child relationship, parent is the extension field in SAP Entitlement Management; you can then use it in a rule set. -->
                <str name="parent"><xsl:value-of select="PARENT"/></str>
              </object>
            </xsl:for-each>
          </array>
        </object>
      </object>
    </object>
  </xsl:template>
</xsl:transform>

c) Use the following sample code to transform to JSON:

* convert abap structure into json via xslt transformation
lr_xml_writer = cl_sxml_string_writer=>create( type     = if_sxml=>co_xt_json
                                               encoding = 'utf-8' ).
ASSIGN lr_xml_writer TO <fs_json>.
CALL TRANSFORMATION <your name of xslt transformation>
  SOURCE ent_list = <your data structure>
  RESULT XML <fs_json>.
IF lr_xml_writer IS NOT INITIAL.
  lv_xstr = lr_xml_writer->get_output( ).
* convert xstring to string
  CREATE OBJECT lr_converter
    EXPORTING
      incode           = '4110'
    EXCEPTIONS
      invalid_codepage = 1
      internal_error   = 2
      OTHERS           = 3.
  IF sy-subrc EQ 0.
    CALL METHOD lr_converter->convert
      EXPORTING
        inbuff    = lv_xstr
        outbufflg = 0
      IMPORTING
        outbuff   = lv_payload.
  ENDIF.
ENDIF.

7. Create cl_http_client instance by destination which you created in previous step:

CALL METHOD cl_http_client=>create_by_destination
  EXPORTING
    destination              = <name of your destination>
  IMPORTING
    client                   = DATA(lr_http_client)
  EXCEPTIONS
    argument_not_found       = 1
    destination_not_found    = 2
    destination_no_authority = 3
    plugin_not_active        = 4
    internal_error           = 5
    OTHERS                   = 6.

8. Fetch OAuth token, and set to instance of CL_HTTP_CLIENT:

* set OAuth2
CALL METHOD cl_oauth2_client=>create
  EXPORTING
    i_profile        = <OAuth2 client name>
  RECEIVING
    ro_oauth2_client = DATA(lr_auth2_client).
* trigger client credential flow
CALL METHOD lr_auth2_client->execute_cc_flow.
* set token to http client
CALL METHOD lr_auth2_client->set_token
  EXPORTING
    io_http_client = lr_http_client.

9. Create CL_REST_HTTP_CLIENT instance based on CL_HTTP_CLIENT instance which you instantiated in previous step, and post data to SAP Entitlement Management:

DATA(lr_rest_client) = NEW cl_rest_http_client( lr_http_client ).
DATA(lr_http_request) = lr_rest_client->if_rest_client~create_request_entity( ).
lr_http_request->set_content_type( iv_media_type = if_rest_media_type=>gc_appl_json ).
lr_http_request->set_string_data( lv_payload ).
lr_rest_client->if_rest_resource~post( lr_http_request ).

10. Get response data from SAP Entitlement Management, and transform JSON to ABAP data structure:

a) Get response data from cl_rest_http_client instance:

DATA(lr_http_response) = lr_rest_client->if_rest_client~get_response_entity( ).
DATA(lv_status) = lr_http_response->get_header_field( '~status_code' ).
DATA(lv_body) = lr_http_response->get_string_data( ).

b) Transform JSON data to ABAP data structure:

1. Create an XSLT transformation via Transaction STRANS.

2. Define transform logic:

<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
               xmlns:sap="http://www.sap.com/sapxsl"
               xmlns:asx="http://www.sap.com/abapxml"
               xmlns:f="fct"
               exclude-result-prefixes="f asx"
               version="1.0">
  <xsl:strip-space elements="*"/>
  <xsl:template match="/">
    <asx:abap>
      <asx:values>
        <LT_RESP>
          <item>
            <STATUS><xsl:value-of select="object/object[@name='data']/str[@name='Status']"/></STATUS>
            <RESPONSE>
              <item>
                <SOURCE_SYSTEM><xsl:value-of select="object/object[@name='data']/object[@name='Response']/str[@name='SourceSystem']"/></SOURCE_SYSTEM>
                <SOURCE_DOCUMENT_ID><xsl:value-of select="object/object[@name='data']/object[@name='Response']/str[@name='SourceDocumentID']"/></SOURCE_DOCUMENT_ID>
                <ERROR_MESSAGES>
                  <xsl:for-each select="object/object[@name='data']/object[@name='Response']/array[@name='ErrorMessages']/object">
                    <item>
                      <MESSAGE><xsl:value-of select="str[@name='Message']"/></MESSAGE>
                    </item>
                  </xsl:for-each>
                </ERROR_MESSAGES>
                <ENTITLEMENTS>
                  <xsl:for-each select="object/object[@name='data']/object[@name='Response']/array[@name='Entitlements']/object">
                    <item>
                      <ENTITLEMENT_GUID><xsl:value-of select="str[@name='EntitlementGuid']"/></ENTITLEMENT_GUID>
                      <ENTITLEMENT_NO><xsl:value-of select="num[@name='EntitlementNo']"/></ENTITLEMENT_NO>
                    </item>
                  </xsl:for-each>
                </ENTITLEMENTS>
              </item>
            </RESPONSE>
            <MESSAGES>
              <xsl:for-each select="object/array[@name='messages']/object">
                <item>
                  <MESSAGE><xsl:value-of select="str[@name='message']"/></MESSAGE>
                  <TYPE><xsl:value-of select="str[@name='type']"/></TYPE>
                  <REF_FIELD><xsl:value-of select="str[@name='ref_field']"/></REF_FIELD>
                </item>
              </xsl:for-each>
            </MESSAGES>
          </item>
        </LT_RESP>
      </asx:values>
    </asx:abap>
  </xsl:template>
</xsl:transform>

c) Define an internal table called LT_RESP which will be used to store the response data returned from SAP Entitlement Management. NOTE: If your internal table name is not called LT_RESP, you must replace LT_RESP with your internal table name in the previous transformation content.

d) Call transformation.

CALL TRANSFORMATION <your name of xslt transformation> SOURCE XML lv_body RESULT lt_resp = lt_resp.

e) Parse internal table LT_RESP, and write log to ODI Framework:

READ TABLE lt_resp INDEX 1 INTO ls_resp.
IF lv_status EQ 200 AND sy-subrc EQ 0 AND ls_resp-status EQ 'SUCCESS'.
* HTTP 200 and status SUCCESS: log the generated entitlements
  cv_execution_state = if_crm_isx_order_msg_dist_cust=>gc_state_executed.
  READ TABLE ls_resp-response INDEX 1 ASSIGNING <fs_response>.
  IF sy-subrc EQ 0.
    LOOP AT <fs_response>-entitlements ASSIGNING FIELD-SYMBOL(<fs_entitlement>).
      AT FIRST.
        lv_lines = lines( <fs_response>-entitlements ).
        CONCATENATE 'There are ' lv_lines 'entitlements got generated in SAP Entitlement Management'
          INTO lv_text SEPARATED BY ' '.
        io_log_access->add_message_free_text( iv_type = 'I' iv_text = lv_text ).
      ENDAT.
      CONCATENATE 'Entitlement - ' <fs_entitlement>-entitlement_no 'was created in SAP Entitlement Management'
        INTO lv_text SEPARATED BY ' '.
      io_log_access->add_message_free_text( iv_type = 'I' iv_text = lv_text ).
    ENDLOOP.
  ELSE.
  ENDIF.
ELSEIF sy-subrc EQ 0 AND ls_resp-status NE 'SUCCESS'.
* response parsed but not successful: log the error messages,
* or the general messages if there are no error messages
  cv_execution_state = if_crm_isx_order_msg_dist_cust=>gc_state_failed.
  READ TABLE ls_resp-response INDEX 1 ASSIGNING <fs_response>.
  IF sy-subrc EQ 0.
    LOOP AT <fs_response>-error_messages ASSIGNING FIELD-SYMBOL(<fs_error_msg>).
      lv_text = <fs_error_msg>-message.
      io_log_access->add_message_free_text( iv_type = 'E' iv_text = lv_text ).
    ENDLOOP.
    IF sy-subrc NE 0.
      LOOP AT ls_resp-messages ASSIGNING FIELD-SYMBOL(<fs_message>).
        lv_text = <fs_message>-message.
        io_log_access->add_message_free_text( iv_type = <fs_message>-type iv_text = lv_text ).
      ENDLOOP.
    ENDIF.
  ENDIF.
ELSE.
* any other case counts as failed
  cv_execution_state = if_crm_isx_order_msg_dist_cust=>gc_state_failed.
ENDIF.

f) Save and activate your changes.

11. SOM configuration:

a) Execute Transaction SOMSPRO.

b) Go to Service > Transactions > Settings for Subscription Transactions > Document Distribution > Define Settings for Document Distribution.

c) Click Step Types, then click New Entries and append one entry:

Field | Value
Step Type | Provide unique value of your step type
Document Distribution Step Type | Provide a description for this step type
Category | P1
Batch | Uncheck
Document Distribution Step Type Class | Enter the class name which you created in previous step

d) Click Schema Definition. If you want to reuse a schema, choose your schema. Click Schema Steps and add the step type that you created in the previous step.

e) Click Schema Determination then click New Entries and add one entry:

Field | Value
Transaction Type | Transaction Type of your subscription order
Item Cat. | Item Category of subscription contract record, such as PRCR
Document Dist. Determination Class | CL_CRM_ISX_ORDER_MD_DET_DFLT

f) Click Schema Assignment, then click New Entries and append one entry:

Field | Value
Schema | Provide the schema that you configured or created in the previous step
Default | Checked

g) Save your changes.
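
Steps 6 and 10 both depend on the JSON-XML element vocabulary (object, array, str and num elements with a name attribute) that the two transformations write and read. The following Python sketch is an added example, not SAP code: it renders a request result tree as JSON and evaluates the response transformation's select paths on a JSON body. The function names and all sample values are constructed for illustration, and the bool and null elements belong to JSON-XML but do not appear in the transformations above.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed result tree of the request transformation.
REQUEST_JSONXML = """<object>
  <object name="Inbound_Interface_Entitlement_Generation">
    <object name="Inbound_Interface_Entitlement_Generation">
      <str name="SourceSystem">SOM_DEMO</str>
      <str name="DocumentNumber">4711</str>
      <array name="Item">
        <object>
          <str name="ItemNumber">10</str>
          <str name="Quantity">5</str>
          <str name="parent"></str>
        </object>
      </array>
    </object>
  </object>
</object>"""

# Constructed sample response; member names follow the paths selected by the
# response transformation. The second EntitlementNo is a string on purpose.
RESPONSE_JSON = """{
  "data": {"Status": "SUCCESS",
           "Response": {"SourceSystem": "SOM_DEMO", "SourceDocumentID": "4711",
                        "ErrorMessages": [],
                        "Entitlements": [
                          {"EntitlementGuid": "guid-1", "EntitlementNo": 1001},
                          {"EntitlementGuid": "guid-2", "EntitlementNo": "1002"}]}},
  "messages": [{"message": "constructed note", "type": "I", "ref_field": ""}]
}"""


def jsonxml_to_value(node, in_object=False):
    """Turn one JSON-XML element into the JSON value it stands for."""
    if in_object and node.get("name") is None:
        raise ValueError(f"<{node.tag}> inside <object> needs a name attribute")
    if node.tag == "object":
        return {c.get("name"): jsonxml_to_value(c, True) for c in node}
    if node.tag == "array":
        return [jsonxml_to_value(c) for c in node]
    text = node.text or ""
    if node.tag == "str":
        return text
    if node.tag == "num":
        return float(text) if any(ch in text for ch in ".eE") else int(text)
    if node.tag == "bool":
        return text == "true"
    if node.tag == "null":
        return None
    raise ValueError(f"<{node.tag}> is not a JSON-XML element")


def value_to_jsonxml(value, name=None):
    """Build the JSON-XML element for a parsed JSON value."""
    if isinstance(value, dict):
        node = ET.Element("object")
        node.extend([value_to_jsonxml(v, k) for k, v in value.items()])
    elif isinstance(value, list):
        node = ET.Element("array")
        node.extend([value_to_jsonxml(v) for v in value])
    elif isinstance(value, bool):  # bool first: it is a subclass of int
        node = ET.Element("bool")
        node.text = "true" if value else "false"
    elif value is None:
        node = ET.Element("null")
    elif isinstance(value, (int, float)):
        node = ET.Element("num")
        node.text = repr(value)
    else:
        node = ET.Element("str")
        node.text = value
    if name is not None:
        node.set("name", name)
    return node


def request_json(jsonxml_text):
    """JSON text a JSON writer produces for the request result tree."""
    return json.dumps(jsonxml_to_value(ET.fromstring(jsonxml_text)))


def read_response(body):
    """Evaluate the response transformation's select paths on a JSON body."""
    # The XSLT paths start at the document node ("object/..."); here the root
    # already is that top-level <object>, so the leading step is dropped.
    root = value_to_jsonxml(json.loads(body))
    resp = "object[@name='data']/object[@name='Response']/"
    return {
        "status": root.findtext("object[@name='data']/str[@name='Status']", ""),
        "errors": [o.findtext("str[@name='Message']", "")
                   for o in root.findall(resp + "array[@name='ErrorMessages']/object")],
        "entitlement_numbers": [o.findtext("num[@name='EntitlementNo']", "")
                                for o in root.findall(resp + "array[@name='Entitlements']/object")],
        "messages": [(o.findtext("str[@name='type']", ""), o.findtext("str[@name='message']", ""))
                     for o in root.findall("array[@name='messages']/object")],
    }


if __name__ == "__main__":
    print(request_json(REQUEST_JSONXML))
    print(read_response(RESPONSE_JSON))
```

Because the request transformation writes every field as a str element, Quantity is sent as a JSON string. On the response side, the path num[@name='EntitlementNo'] selects nothing when the number arrives as a JSON string, which leaves ENTITLEMENT_NO empty for that entry.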

Task overview: Integration with Subscription Order Management [page 80]

Previous task: Create an OAuth2 2.0 Client Profile in the AS ABAP [page 82]

Next task: Configure an OAuth 2.0 Client in the AS ABAP [page 89]

6.11.4 Configure an OAuth 2.0 Client in the AS ABAP

Once you have created an OAuth2 client profile, you must configure the OAuth 2.0 Client.

Context

The configuration of an OAuth 2.0 Client in the AS ABAP ensures that users can access applications by a service provider.


Procedure

1. Execute Transaction OA2C_CONFIG.
2. To create an OAuth 2.0 client, choose Create. A popup with the configuration UI displays.
3. Select the OAuth 2.0 client profile you created earlier. The OAuth 2.0 client profile already contains the service provider type.
4. Enter the OAuth 2.0 Client ID and click OK.
5. Enter the OAuth 2.0 client secret.
6. Enter the Authorization Endpoint: <oauth2 url without “https://”> + /oauth/authorize
   For example: qa-test.authentication.sap.hana.ondemand.com/oauth/token
7. For Resource Access Authentication, select Header Field.
8. For Selected Grant Type, select Client Credentials.
9. Click Save to save your changes.

Task overview: Integration with Subscription Order Management [page 80]

Previous task: Document Distribution Step Type Class Implementation [page 83]

Next task: Create a Destination for Entitlement Generation API [page 90]

6.11.5 Create a Destination for Entitlement Generation API

As part of the integration with Subscription Order Management, you must create a destination for Entitlement Generation API.

Context

A destination will be used to provide API host and path prefix, which will be used to post data to SAP Entitlement Management via ODI Framework.

Procedure

1. Execute Transaction SM59.

2. Go to HTTP Connections to External Server > Create.
3. In the RFC Destination field, enter a unique identifier for the RFC destination.
4. On the Target Settings tab, enter values for the following.

Field | Value
Host | This is the runtime URL for Entitlement Generation API. The URL can be found in tile Explore APIs in SAP Entitlement Management. Note: Don’t include https:// in the URL
Port | 443
Path Prefix | /sap/ems/api/inboundinterfaceentitlementgeneration
Proxy Host | Your proxy address
Proxy Service | The port for your proxy service
Proxy PW Status | Is Initial

5. On the Logon & Security tab, enter values for the following.

Field | Value
Logon with User | Select "Do Not Use a User"
SSL | Active
SSL Certificate | Default SSL Client

Task overview: Integration with Subscription Order Management [page 80]

Previous task: Configure an OAuth 2.0 Client in the AS ABAP [page 89]


7 User Management

This section describes how to configure user management for SAP Entitlement Management.

Overview of User Management

There are mainly three parts for user management:

1. Identity provider (IdP)
   SAP Cloud Platform supports SAML 2.0 identity providers, and you have the option to use SAP Cloud Platform Identity Authentication Service (SCI) or any SAML 2.0 identity provider. You must configure your own custom SAML 2.0 identity provider and establish trust between your SAP Cloud Platform subaccount and the identity provider.
   The trust configuration consists of the following parts:

Trust Configuration

Configuration | Procedure
Configuring trust in a subaccount | Establish Trust with an SAML 2.0 Identity Provider in a Subaccount
Configuring trust in an SAML 2.0 identity provider | Register SAP Cloud Platform Subaccount in the SAML 2.0 Identity Provider

Trust and Federation with SAML 2.0 Identity Providers

2. XSA UAA


The User Account and Authentication (UAA) component provides a programming model for business applications. It is the central infrastructure component of the runtime platform for business user authentication and authorization management. The users are stored in identity providers.

3. Security Programming Model of SAP Entitlement Management system
   This is defined and provided by the application internally.

Security Considerations [page 93]
This chapter discusses the security considerations associated with user management in SAP Entitlement Management.

Managing Authentication and Authorization [page 94]
This section describes the tasks of administrators in the Cloud Foundry environment of SAP Business Technology Platform (SAP BTP). Administrators ensure user authentication and assign authorization information to users or user groups.

Role Model [page 95]
This section lists the role templates provided by SAP Entitlement Management system.

Change User API [page 103]
Change User API for SAP Entitlement Management.

7.1 Security Considerations

This chapter discusses the security considerations associated with user management in SAP Entitlement Management.

The Cloud Foundry environment provides platform security functions such as business user authentication, authentication of applications, authorization management, trust management, and other security functions on which the user management of SAP Entitlement Management is based.

For more detailed descriptions of these functions, refer to the links listed in the following table:

Information on Platform Security Functions

Function | References
Identity Federation | Trust and Federation with Identity Providers
Access Management in the Cloud Foundry environment of SAP BTP, including the User Account and Authentication service | Managing Access Policies, Cloud Foundry Environment

The Cloud Foundry environment of SAP Business Technology Platform adopts common industry security standards in order to provide flexibility for customers through a high degree of interoperability with other vendors.

Parent topic: User Management [page 92]


Related Information

Managing Authentication and Authorization [page 94]
Role Model [page 95]
Change User API [page 103]

7.2 Managing Authentication and Authorization

This section describes the tasks of administrators in the Cloud Foundry environment of SAP Business Technology Platform (SAP BTP). Administrators ensure user authentication and assign authorization information to users or user groups.

First, you determine the security administrators for your subaccount. Because identity providers supply the users or user groups, you then make sure that there is a trust relationship between your subaccount and the identity provider; this is a prerequisite for authentication. You can then manage the authorizations of the business users.

● Authentication: In the Cloud Foundry environment of SAP BTP, identity providers provide the business users. If you use external SAML 2.0 identity providers, you must configure the trust relationship using the cockpit. The respective subaccount must have a trust relationship with the SAML 2.0 identity provider. Using the cockpit, you, as an administrator of the Cloud Foundry environment, establish this trust relationship.

● Authorization: In the Cloud Foundry environment, application developers create and deploy application-based authorization artifacts for business users. Administrators use this information to assign roles, build role collections, and assign these collections to business users or user groups. In this way, they control the users' permissions.

Setting Up Authorization Artifacts (Administrators)

| Step | Task | User Role | Tool |
| --- | --- | --- | --- |
| 1 | Use an existing user role or create a new one using role templates (Maintain Roles for Applications) | Administrator of the Cloud Foundry environment | SAP Cloud Platform cockpit |
| 2 | Create a role collection and assign roles to it (Maintain Role Collections) | Administrator of the Cloud Foundry environment | SAP Cloud Platform cockpit |
| 3 | Assign the role collections to SAML 2.0 user groups | Administrator of the Cloud Foundry environment | SAP Cloud Platform cockpit |
| 4 | Assign the role collection to the business users provided by an SAML 2.0 identity provider (Map Role Collections to SAML 2.0 User Groups) | Administrator of the Cloud Foundry environment | SAP Cloud Platform cockpit |


7.3 Role Model

This section lists the role templates provided by SAP Entitlement Management system.

| Role Template | Scope | Accessible Tiles | Available Attributes | Authorization Check |
| --- | --- | --- | --- | --- |
| EM-Admin | | All tiles | | User with this role can process all actions in accessible tiles. |
| SysAdmin | sys_read, sys_write | Maintain System Settings; Maintain Validity for Users | | User with this role can process all actions in accessible tiles. |
| TransportAdmin | sys_transport | Transport Configurations Across Tenants | | User with this role can transport configuration data to the target system, but cannot maintain the target system. |
| TransportTargetMaintain | trans_tgt_mt | Transport Configurations Across Tenants | | Combining this role and TransportAdmin, the user can configure the transport target system and transport configuration data to the target system. |
| MigrationAdmin | sys_migration | Import/Export Entitlements | | User with this role can process all actions in accessible tiles. |
| ConfigDisplay | config_read | Configure Entitlement Master Data; Explore Entitlement Model for Offering | | User with this role can read all information in accessible tiles. User with this role can also download mapping and rule set content. |
| ConfigAdmin | config_read, config_write | Configure Entitlement Master Data; Explore Entitlement Model for Offering | | User with this role can process all actions in accessible tiles. |
| IntegrationDisplay | int_read | Explore APIs; Maintain Remote Communication | | User with this role can read all information in accessible tiles. User with this role can also export interface templates. |
| IntegrationAdmin | int_read, int_write | Explore APIs; Maintain Remote Communication | | User with this role can process all actions in accessible tiles. |
| BackgroundJobDisplay | job_read | Define Background Jobs | | User with this role can read all information in accessible tiles. |
| BackgroundJobAdmin | job_read, job_write | Define Background Jobs | | Combining this role and IntegrationDisplay, the user can process all actions in the accessible tile. This role itself cannot grant background job creation/edit permission. |
| MonitoringDisplay | mntr_read | Monitor API Calls | | User with this role can read all information in accessible tiles. User with this role can also download the monitoring log. |
| MonitoringAdmin | mntr_read, mntr_exe | Monitor API Calls | | User with this role can process all actions in accessible tiles. |
| ProductDisplay | product_read | View Offerings | | User with this role can read all information in accessible tiles. |
| CustomerDisplay | customer_read | View Customers | | User with this role can read all information in accessible tiles. |
| SyncData | sync | | | Combine this role with ProductDisplay and CustomerDisplay to allow the user to sync master data and change customer validity. This role alone does not grant any permission. |
| FolderDisplay | folder_read | Configure Folders | folder_customerGrp, folder_customerId | User with this role can read folders under the corresponding customer in accessible tiles. |
| FolderOperator | folder_read, folder_write | Configure Folders | folder_customerGrp, folder_customerId | User with this role can maintain folders under the corresponding customer in accessible tiles. |
| EntlDisplay | entl_read | Maintain Customer Entitlements | entl_read_productId, entl_read_productCategory, entl_read_customerId, entl_read_customerGrp, entl_read_srcSys, entl_read_folderCode, entl_read_distributorId, entl_read_entModel, entl_read_entType | User with this role can read entitlements with the corresponding attribute value. The user also has access permission for entitlements under all subfolders of entl_read_folderCode. |
| EntlOperater | cons_write | Maintain Customer Entitlements; Entitlement Consumption | entl_change_productId, entl_change_productCategory, entl_change_customerId, entl_change_customerGrp, entl_change_srcSys, entl_change_folderCode, entl_change_distributorID, entl_change_entModel, entl_change_entType | This role defines the range of entitlements which the user can read and modify. This role alone does not grant any access permission. |
| EntlReadThirdParty | | Maintain Customer Entitlements | entl_read_thirdPartId | |
| EntlChangeThirdParty | | Maintain Customer Entitlements | entl_chng_thirdPartyId | |
| EntlEdit | entl_write | Maintain Customer Entitlements | | Combining this role and EntlOperator, the user can edit a certain range of entitlements. |
| EntlSplit | entl_split | Maintain Customer Entitlements | | Combining this role and EntlOperator, the user can split a certain range of entitlements. When the user tries to assign a splitting entitlement into an existing folder, he must have folder_read_customerGrp/folder_read_customerId permission for the corresponding customer. If the user wants to create a new group and assign the splitting entitlement, he must have folder_write_customerGrp/folder_read_customerId for the corresponding customer. |
| EntlCreate | entl_create | Maintain Customer Entitlements | | Combining this role and EntlOperator, the user can edit a certain range of entitlements. |
| EntlChangeStatus | entl_status | Maintain Customer Entitlements | | Combining this role and EntlOperator, the user can change the status of a certain range of entitlements. |
| EntlReassign | entl_reassign | Maintain Customer Entitlements | | Combining this role and EntlOperator, the user can reassign a certain range of entitlements. When the user tries to assign an entitlement into an existing folder, he must have folder_read_customerGrp/folder_read_customerId permission for the corresponding customer. |
| EntlTransfer | entl_transfer | Maintain Customer Entitlements | | Combining this role and EntlOperator, the user can transfer a certain range of entitlements. |
| MultitenancyCallbackRoleTemplate | Callback | LPS Onboarding | | Used for the onboarding process; customers do not need to assign this role. |
| Report | report_read | | | You can see the tile on the home page, and it should work with EntlDisplay. Make sure you have both in one role collection if you want to access the report. Notes for development team: API should filter data based on attributes in EntlDisplay. |
| EventDisplay | event_read | Define Entitlement Events | | Display the event list and details |
| EventEdit | event_write | Define Entitlement Events | | Update event and delete event |
| EvtMntrDisplay | evtMntr_read | Monitor Event Logs | | Display event monitor list |
| EvtMntrOperator | evtMntr_exe | Monitor Event Logs | | Delete event monitor |
| SuperAdmin | super_admin | | | Obsolete |
| ProductEnhance | product_enhance | View Offering | | Maintain extension fields for the offering |
| CustomerEnhance | customer_enhance | View Customer | | Maintain extension fields for customer |
| DelLogDisplay | delLog_read | Monitor Entitlement Deletion Log | | View the entitlement deletion log |

Reserved Characters in Role Attribute Value Configuration

The following indicators are the supported attribute values:

● * (asterisk): Stands for full permission. All values of the attribute are fetched, and there is no limit.
● $null: Stands for no permission.
● $blank: Represents the value of an empty string or null.
● , (comma): Used to separate multiple values.

The table below describes the order of priority which shall be followed while dealing with multiple indicators.

| Configuration Sample | Priority |
| --- | --- |
| $null | $null |
| A, *, B, $blank, $null | * |
| A, B, $blank, $null | A, B, $blank |
| A, B, $null | A, B |

The * always has the highest priority, as in [A, *, B, $blank, $null]. Overall, the order is * > [others, $blank] > $null.

Note: $blank and $null are restricted characters for the Entitlement Management system. $blank stands for XXX, which is null in the database.


MDM UAA Configuration

There are two sets of role attributes representing access permission on Entitlement records based on master data: attributes for customer and attributes for offering.

● customer: 1700001:S/4, 1700002, 1700003
● customer group: GROUPA
● source system: *

Attributes for Customer:

● Customer attributes are always configured as customerid:customersourcesystem or customerid.
● The union of the customer groups configured in customerGrp and the customer IDs configured in customerId defines the customers whose entitlements the corresponding role can access.
● If * is configured in either customerGrp or customerId, the corresponding role has no restriction regarding the customer of an entitlement.
● If $null is configured in either customerGrp or customerId, the attribute with the value $null is ignored in the access permission check.
● If no customer source system follows the colon (170001:), only the customer ID (170001) is used as a filter condition. If there is no value before the colon (:S/4), the entry is treated as $null. The attributes distributorId, thirdPartyId, and productId can be configured in the same manner.
● The source system stands for the source system of entitlements only; it has no effect on the customer.

Example

| ID:SourceSystem | Result |
| --- | --- |
| $blank:S/4 | $blank |
| $null:S/4 | $null |
| *: $null | $null |
| A:$blank | $null |
| A:$* | $null |
| 170001: | 170001 |
| :S4/F | $null |
| 170001:: | $null |
| ::s4 | $null |

Note: If the source system contains $, it is treated as illegal data, equal to $null.


Attributes for Offering:

The union of the offering categories configured in productCategory and the offering IDs configured in productId defines the offerings whose entitlements the corresponding role can access. The configuration pattern and the access permission check rules are the same as for customers.
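The priority rule, the ID:SourceSystem normalization, and the customer union check described above, as an added Python example (not SAP's implementation). All function names are hypothetical; treating an empty configuration as $null, resolving an entry such as `*:S/4` to `*`, and comparing the entry's source system with the customer's source system are assumptions the guide does not spell out.

```python
from __future__ import annotations

RESERVED = {"*", "$null", "$blank"}


def effective_values(config: str) -> list[str]:
    """Resolve a comma-separated attribute value by * > [others, $blank] > $null."""
    items = [v.strip() for v in config.split(",") if v.strip()]
    if "*" in items:
        return ["*"]                      # full permission wins over everything
    kept = [v for v in items if v != "$null"]
    # Assumption: an empty configuration is treated like $null (no permission).
    return kept or ["$null"]


def normalize_id_entry(entry: str) -> str:
    """Normalize one ID:SourceSystem entry as in the example table."""
    parts = [p.strip() for p in entry.split(":")]
    if len(parts) > 2:
        return "$null"                    # "170001::", "::s4"
    ident = parts[0]
    source = parts[1] if len(parts) == 2 else ""
    if not ident:
        return "$null"                    # ":S4/F"
    if "$" in source:
        return "$null"                    # "A:$blank", "A:$*", "*: $null"
    if ident in RESERVED:
        return ident                      # "$blank:S/4" -> "$blank" (assumed for "*:S/4" too)
    return f"{ident}:{source}" if source else ident   # "170001:" -> "170001"


def _id_matches(entry: str, cust_id: str, cust_src: str) -> bool:
    if entry == "$blank":
        return not cust_id                # $blank matches an empty or missing ID
    ident, _, source = entry.partition(":")
    return ident == cust_id and (not source or source == cust_src)


def _group_matches(entry: str, cust_grp: str) -> bool:
    return (not cust_grp) if entry == "$blank" else entry == cust_grp


def customer_allowed(id_cfg: str, grp_cfg: str,
                     cust_id: str, cust_src: str, cust_grp: str) -> bool:
    """Union of customerId and customerGrp; '*' lifts the restriction, $null is ignored."""
    normalized = [normalize_id_entry(e) for e in id_cfg.split(",") if e.strip()]
    ids = effective_values(",".join(normalized))
    grps = effective_values(grp_cfg)
    if "*" in ids or "*" in grps:
        return True
    by_id = any(_id_matches(e, cust_id, cust_src) for e in ids if e != "$null")
    by_grp = any(_group_matches(g, cust_grp) for g in grps if g != "$null")
    return by_id or by_grp


if __name__ == "__main__":
    # Configuration taken from the MDM UAA example; the customers checked are constructed.
    ID_CFG, GRP_CFG = "1700001:S/4, 1700002, 1700003", "GROUPA"
    for cust in [("1700001", "S/4", "GROUPB"), ("1700001", "ECC", "GROUPB"),
                 ("1799999", "ECC", "GROUPA")]:
        print(cust, customer_allowed(ID_CFG, GRP_CFG, *cust))
```

When reviewing role collections, a `$null` in one attribute does not by itself close access: the other attribute of the union can still grant it, and a single `*` in either removes the customer restriction entirely.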

Authorization Check for Creating an Associated Entitlement Manually

To enable the Create Associated Entitlement button in the Entitlement Detail page, you must have the following authorizations:

● Right to edit the current entitlement
● Right to create a new entitlement

To have these rights, a user must have the following three roles assigned, with the proper attribute values configured:

● EntlCreate
● EntlEdit
● EntlOperator


7.4 Change User API

Change User API for SAP Entitlement Management.

Note: These APIs should request a client credentials token per tenant.

1. Change user account (user name).

Request URL: https://<host of onboarding service>/ui-tenant/user

Request method: PUT

Request payload: { "userName":"<>", "pwd":"<>" }


Response status: 200 OK

2. Reset Password.

Request URL: https://<host of onboarding service>/ui-tenant/reset

Request method: PUT

Request payload: { "userName":"<>", "oldPwd":"<>", "pwd":"<>" }

Response status: 200 OK

3. Check change history.

Request URL: https://<host of onboarding service>/ui-tenant/change-log

Request method: GET

Response body:

    [
      {
        "guid": "04424c8141de4700814649a2d57e20c1",
        "tenantId": "demo-t1",
        "userName": "<>",
        "operation": "Technical User Account Changed",
        "resetAt": 1550562033906
      },
      {
        "guid": "1689eef825e9431ba06f1ae7198591cc",
        "tenantId": " demo-t1",
        "userName": "<>",
        "operation": "Technical User Password Changed",
        "resetAt": 1550562075530
      }
    ]


8 Business Configuration

The Business Configuration section describes the SAP Entitlement Management environment, the basic configurations needed, and supports the users in navigating through the system.

SAP Fiori Launchpad Integration: The portal service of SAP Business Technology Platform is being used in SAP Entitlement Management system to promote flexibility and user experience.

Application Help

Transport: In order to transport configuration contents from the source system to the target system, you must maintain mandatory configurations for your source tenant.

Subscribe and Configure EMS Alert Notification: The Alert Notification feature settings in SAP Entitlement Management require you to configure the Alert Notification service in SAP Cloud Cockpit.

8.1 SAP Fiori Launchpad Integration

The portal service of SAP Business Technology Platform is being used in SAP Entitlement Management system to promote flexibility and user experience.

● SAP Entitlement Management System Launchpad


SAP Entitlement Management System Launchpad

The primary place where a user will look for applications is the home page. This is the heart of the SAP Fiori Launchpad and the starting place for the user. The page features tiles that allow the user to launch apps, and which may also show additional information. The page can be personalized and tiles can be added, removed, or bundled in groups. Since the Launchpad is role-based, only apps relating to the user's role are displayed.

● Me Area

SAP Fiori Launchpad Me Area


The Me Area is located off-screen to the left on the SAP Fiori Launchpad. In order for the Me Area to slide into view, the user must click on the profile image located on the top left corner of the screen, which is always available from every screen. While most actions in the Me Area are available independently of the current context, some of the actions are directly tied to the content shown in the main content area. These include:
○ The user's profile
○ Settings and preferences
○ A catalog of available apps (the app finder)
○ Tools to personalize the current content in the main area

● In-app Help

Web Assistant

In-app Help is a kind of online help. Users can click the Help button. Then, the Web Assistant becomes available as in the above figure.


8.2 Application Help

Refer to the Application Help for SAP Entitlement Management for more details on Business Configuration.


8.3 Transport

In order to transport configuration contents from the source system to the target system, you must maintain mandatory configurations for your source tenant.

Transport between Source Tenant and Target Tenant

To transport the configuration contents from the source system to the target system, do the following for your source tenant.

Access com.sap.ems.db.central::Security.Tenant and maintain the following in your source tenant:

● UserName (Technical User Name)
● Password (Technical User Password)
● TenantID (Target system tenantId)


8.4 Subscribe and Configure EMS Alert Notification

The Alert Notification feature settings in SAP Entitlement Management require you to configure the Alert Notification service in SAP Cloud Cockpit.

Context

Use the Alert Notification Service (ANS) to configure the alert subscription, conditions, and action of the alert.

Procedure

1. Go to the Cloud Foundry space created in Create Subaccount and Cloud Foundry Space.

2. Go to the Service Marketplace, locate and select the Alert Notification tile.

3. Create a new service instance and go to the Service Instance page.


4. Select the ANS instance you just created and select See here in the upper right part of the window.

5. Go to the Subscription tab and create a new subscription.

6. Create the condition and assign it to this subscription. You can set the value condition yourself (e.g., set "resource.resourceName" equal to "SAP Entitlement Management") and for the event details, you can refer to the Technical Details section.


7. Create an action for this subscription (e.g., Mail, etc.).

8. If you are using mail as the alert notification action, enter the Email Address and other mandatory fields. You can also use the email template provided by EMS event. You can refer to the Technical Details section and the ANS Help document for details.


9. When you are finished with the configuration settings, select Create.

10. Go to the SAP Entitlement Management System Settings and configure the alert notification.


Next Steps

The following table contains the properties and values of the SAP Entitlement Management event that can be matched by SAP Cloud Platform Alert Notification.

Technical Details

| Event Property | Value |
| --- | --- |
| eventType | FailedLifecycleManagementOperation |
| severity | ERROR |
| category | EXCEPTION |
| subject | Entitlement Management Operation Failure Alert |
| body | This is to notify you that following operations have failed. / Failed Background Job: {variable} / Failed Event: {variable} / Failed API calls: {variable} / Please check in entitlement management system for more details. / Background Jobs (with hyperlink) / Events (with hyperlink) / API Calls (with hyperlink) |
| resource.subAccount | {your SCP subaccount GUID} |
| resource.resourceGroup | {your SCP subaccount GUID} |
| resource.resourceType | ERROR_ALERT |
| resource.resourceName | SAP Entitlement Management |
| tags.failedEvents | Name(Trace ID: 11), Name(Trace ID: 12) |
| tags.failedBackgroundJobs | JobName(Log ID: 1), JobName(Log ID: 2) |
| tags.failedAPICalls | APIName(Log ID: 1), APIName(Log ID: 2) |
| tags.monitorEventLogsUrl | URL of your system |
| tags.defineBackgroundJobsUrl | URL of your system |
| tags.monitorAPICallsUrl | URL of your system |
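How a receiver of this alert (for example a webhook handler feeding a ticketing or SIEM system) could recognise the event and split the tags values from the Technical Details table into structured entries, as an added Python example that is not part of SAP's guide or of the Alert Notification service. The nested layout of the sample event is an assumption derived from the dotted property names, the sample itself is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample event built from the property names and values in the table above.
SAMPLE_EVENT = {
    "eventType": "FailedLifecycleManagementOperation",
    "severity": "ERROR",
    "category": "EXCEPTION",
    "subject": "Entitlement Management Operation Failure Alert",
    "resource": {
        "resourceName": "SAP Entitlement Management",
        "resourceType": "ERROR_ALERT",
        "subAccount": "00000000-0000-0000-0000-000000000000",  # placeholder GUID
    },
    "tags": {
        "failedEvents": "Name(Trace ID: 11), Name(Trace ID: 12)",
        "failedBackgroundJobs": "JobName(Log ID: 1), JobName(Log ID: 2)",
        "failedAPICalls": "APIName(Log ID: 1), APIName(Log ID: 2)",
    },
}

# One entry looks like "JobName(Log ID: 1)" or "Name(Trace ID: 11)".
_ENTRY = re.compile(
    r"\s*(?P<name>[^()]+?)\((?P<kind>Trace ID|Log ID):\s*(?P<id>[^)]+)\)\s*(?:,|$)"
)
FAILURE_TAGS = ("failedEvents", "failedBackgroundJobs", "failedAPICalls")


def get_property(event, dotted):
    """Resolve a dotted property such as 'resource.resourceName'; None if absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_ems_failure(event):
    """Same match a subscription condition on eventType and resourceName would make."""
    return (
        get_property(event, "eventType") == "FailedLifecycleManagementOperation"
        and get_property(event, "resource.resourceName") == "SAP Entitlement Management"
    )


def parse_failures(tag_value):
    """Split 'Name(Trace ID: 11), Name(Trace ID: 12)' into (name, id kind, id) tuples."""
    return [
        (m["name"].strip(), m["kind"], m["id"].strip())
        for m in _ENTRY.finditer(tag_value or "")
    ]


def summarize(event):
    """Return the failed items per tag, or an empty dict for unrelated events."""
    if not is_ems_failure(event):
        return {}
    return {tag: parse_failures(get_property(event, f"tags.{tag}")) for tag in FAILURE_TAGS}


if __name__ == "__main__":
    for tag, entries in summarize(SAMPLE_EVENT).items():
        print(tag, entries)
```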


9 Security

SAP Entitlement Management is run on the SAP Cloud Platform Cloud Foundry Environment. Therefore, the corresponding security guides also apply to the solution. These guides are available at the SAP Cloud Platform.

User Administration, Authentication, and Authorizations

Session Security Protection: There are many types of session-based attacks, such as impersonation, where a malicious user attempts to access another user’s session by posing as that user.

Network and Communication Security

Data Storage Security

Audit Log: SAP Entitlement Management uses the SAP Business Technology Platform (SAP BTP) Audit Log service to store the system settings audit log and the log can be retrieved in the Audit Log Viewer.

Data Protection and Privacy

9.1 User Administration, Authentication, and Authorizations

SAP Entitlement Management uses the user management, authentication and authorization mechanisms provided by the SAP Business Technology Platform Cloud Foundry Environment, in particular Platform Identity Provider and User Account & Authentication Service of the Cloud Foundry Environment. Therefore, the security recommendations and guidelines for user administration, authentication and authorizations are as described in the SAP Cloud Platform Identity Provider Security Guide.

For security considerations relating to user administration, authentication and authorizations, see User Management [page 92].


9.1.1 User Administration Tools

SAP Business Technology Platform Identity Provider is used for user management in SAP Entitlement Management.

9.1.2 Authorizations

This section discusses the recommendations and guidelines for user authorization, and also lists the various role templates relevant to SAP Entitlement Management.

Role and Authorization Concept

Role Templates

9.1.2.1 Role and Authorization Concept

SAP Entitlement Management uses the authorization concept provided by User Account and Authentication Service. Therefore, the recommendations and guidelines for authorization as described in the User Account and Authentication Service Security Guide also apply to SAP Entitlement Management.


9.1.2.2 Role Templates

The following role templates are defined and delivered in SAP Entitlement Management Solution:

List of Role Templates Delivered

| Role Template | Scope | Tiles | Attributes | Authorization Check |
| --- | --- | --- | --- | --- |
| BackgroundJobAdmin | job.read, job.write | Background job | | User with this role can process all actions in accessible tiles. |
| BackgroundJobDisplay | job.read | Background job | | User with this role can read all information in accessible tiles. |
| ConfigAdmin | config.read, config.write | Value list; Attribute; Entitlement Model; Consumption form; Geolocation; Status; Status Model; Generation Process; Variant; Mapping | | User with this role can process all actions in accessible tiles. |
| ConfigDisplay | config.read | Value list; Attribute; Entitlement Model; Consumption form; Geolocation; Status; Status Model; Generation Process; Variant; Mapping | | User with this role can read all information in accessible tiles. For consumption form, user with this role can export the content. |
| CustomerDisplay | customer.read | Customer | | User with this role can read all information in accessible tiles. |
| EM_Admin | All scopes | | All attributes with "*" value | User with this role has full authorization, which is used for system administrator or dev/test purpose. This Role Template helps you to set up the system quickly without adding all templates one by one. |
| EntlChangeStatus | entlRepo.status | Entitlement Repository | | Combining this role and EntlOperater, the user can change the status of a certain range of Entitlements. |
| EntlDisplay | entl.read | Entitlement Repository | entl.read.productId, entl.read.productCategory, entl.read.customerId, entl.read.customerGroup, entl.read.srcSys, entl.read.folderCode, entl.read.distributorId, entl.read.entModel, entl.read.entType | User with this role can read Entitlements with the corresponding attribute value. The user also has access permission for Entitlements under all subfolders of entl.read.folderCode. |
| EntlEdit | entlRepo.write | Entitlement Repository | | Combining this role and EntlOperater, the user can edit a certain range of Entitlements. |
| EntlOperater | | Entitlement Repository | entl.change.productId, entl.change.productCategory, entl.change.customerId, entl.change.customerGroup, entl.change.srcSys, entl.change.folderCode, entl.change.distributorId, entl.change.entModel, entl.change.entType | This role defines a range of Entitlements which the user can read and modify. Note that this role alone does not grant any access permission. |
| EntlRessign | entlRepo.ressign | Entitlement Repository | | Combining this role and EntlOperater, the user can reassign a certain range of Entitlements. When the user tries to assign the Entitlement into an existing folder, he or she must have folder.read.customerGrp/folder.read.customerId permission of the corresponding customer. |
| EntlSplit | entlRepo.split | Entitlement Repository | | Combining this role and EntlOperater, the user can split a certain range of Entitlements. When the user tries to assign splitting Entitlements into an existing folder, he or she must have folder.read.customerGrp/folder.read.customerId permission of the corresponding customer. If the user wants to create a new group and assign the splitting Entitlement, he or she must have folder.write.customerGrp/folder.read.customerId of the corresponding customer. |
| EntlMerg | entlRepo.merge | Entitlement Repository | | Combining this role and EntlOperater, the user can merge a certain range of Entitlements. When the user tries to assign merging Entitlements into an existing folder, he or she must have folder.read.customerGrp/folder.read.customerId permission of the corresponding customer. If the user wants to create a new group and assign the merging Entitlement, he or she must have folder.write.customerGrp/folder.read.customerId permission of the corresponding customer. |
| FolderDisplay | folder.read | Folder | folder.customerGrp, folder.customerId, folder.srcSys | User with this role can read folders under the corresponding customer in accessible tiles. |
| FolderOperater | folder.read, folder.write | Folder | folder.customerGrp, folder.customerId, folder.srcSys | User with this role can maintain folders under the corresponding customer in accessible tiles. |
| IntegrationAdmin | int.read, int.write | Interface Communication channel | | User with this role can process all actions in accessible tiles. |
| IntegrationDisplay | int.read | Interface Communication channel | | User with this role can read all information in accessible tiles. |
| MigrationAdmin | sys.migration | Migration | | User with this role can process all actions in accessible tiles. |
| MonitoringAdmin | mntr.read, mntr.exe | Communication monitoring; Simulation | | User with this role can process all actions in accessible tiles. |
| MonitoringDisplay | mntr.read | Communication monitoring; Simulation | | User with this role can read all information in accessible tiles. |
| ProductDisplay | product.read | Commercial Product | | User with this role can read all information in accessible tiles. |
| SyncData | sync | | | Combining this role with ProductDisplay and CustomerDisplay allows the user to sync master data. This role alone does not grant any permission. |
| SystAdmin(IT) | sys.read, sys.write | System Setting | | User with this role can process all actions in accessible tiles. |
| TechAdmin(Basis) | sys.transport | Transport | | User with this role can process all actions in accessible tiles. |
| TechUser | uaa.resoucres | | | |

You can configure your own role and role collection with the role templates listed in the table above.


9.2 Session Security Protection

There are many types of session-based attacks, such as impersonation, where a malicious user attempts to access another user’s session by posing as that user.

These types of attacks require that the malicious user obtains a valid session identifier, as this is the minimum amount of information required for identification.

The sessions of SAP Entitlement Management system are managed using cookies in the SAP Business Technology Platform. The solution supports CSRF prevention implemented by SAP or customer target systems, using a CSRF token that is read from the server and used for subsequent write requests.


9.3 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats, based on software flaws (at both the operating system level and application level) or network attacks, such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for SAP Entitlement Management system is based on the topology used by the SAP Business Technology Platform (SAP BTP). Therefore, the security guidelines and recommendations described in the SAP Business Technology Platform Security Guide also apply to this solution.


Network Security

Network security ensures that access to information and the application is granted only to authorized persons or organizations, and only for a specific business purpose.

Communication Security

SAP Entitlement Management system uses HTTPS as a communication protocol and it uses SAP BTP User Account and Authentication Service to ensure secure session management.

Parent topic: Security [page 115]

Related Information

User Administration, Authentication, and Authorizations [page 115]

Session Security Protection [page 121]

Data Storage Security [page 122]

Audit Log [page 124]

Data Protection and Privacy [page 125]

9.4 Data Storage Security

This section describes how data is stored for SAP Entitlement Management and what security measures are in place.

Data Storage [page 123]

Data Protection [page 123]

Parent topic: Security [page 115]

Related Information

User Administration, Authentication, and Authorizations [page 115]

Session Security Protection [page 121]

Network and Communication Security [page 121]

Audit Log [page 124]

Data Protection and Privacy [page 125]

9.4.1 Data Storage

Following are the three kinds of data stored in the SAP Entitlement Management system:

● Transaction data
● User account
● MME object

User account data is saved in IDP. The rest of the data is stored in the Cloud Foundry HANA database.

Parent topic: Data Storage Security [page 122]

Related Information

Data Protection [page 123]

9.4.2 Data Protection

User account is stored in IDP, which provides access to the SAP Entitlement Management system or personal data.

Parent topic: Data Storage Security [page 122]

Related Information

Data Storage [page 123]


9.5 Audit Log

SAP Entitlement Management uses the SAP Business Technology Platform (SAP BTP) Audit Log service to store the system settings audit log and the log can be retrieved in the Audit Log Viewer.

The audit log service provides four categories of messages: audit.security-events, audit.configuration, audit.data-access, and audit.data-modification. Entitlement Management system settings audit log is logged with category audit.configuration.

Prerequisites

Before you can view the system settings audit logs, there are two things that you must first configure.

Audit Log Viewer - The Audit Log Viewer Service must be subscribed. Go to the SAP BTP cockpit Subscriptions tab and subscribe the Audit Log Viewer.

Auditlog_Auditor Role - The role Auditlog_Auditor must be added to the auditlog-management and auditlog-viewer applications. Go to the SAP BTP cockpit Security > Role Collections tab to add the roles to the corresponding User.

View System Settings Audit Logs

Once the Audit Log Viewer is subscribed and configured, click Go to Application to access the Audit Log Viewer. After you log in as an authorized user, you can click Reload to retrieve the audit logs. Once retrieved, you can filter the logs by time and log keywords.

Entitlement Management provides the system settings log with the category audit.configuration. The audit log record shows who changed the system settings and when, which fields were changed, and the old and new value of the changed fields.

Note

● The service shows the audit log for the last 30 days.
● The role Auditlog_Auditor must be added.
● All logs that are logged for the respective subaccount are displayed.

For related information, see Audit Log Viewer for the Cloud Foundry Environment.
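One way to triage exported audit.configuration records, as an added example that is not SAP code. The record layout (`user`, `time`, `attributes` with `name`/`old`/`new`), the sample records and the setting name "Default Time Zone" are constructed assumptions; "Allow Entitlement Deletion" is the system setting this guide names as the switch for the customer data clearance job.

```python
from datetime import datetime, timezone

VIEWER_WINDOW_DAYS = 30  # the viewer only shows the last 30 days
WATCHED_SETTINGS = {"Allow Entitlement Deletion"}

# Constructed sample records; the field names are assumed, not SAP's schema.
SAMPLE_NOW = datetime(2021, 5, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"category": "audit.configuration", "user": "admin.a@example.com",
     "time": "2021-05-14T09:30:00+00:00",
     "attributes": [{"name": "Allow Entitlement Deletion",
                     "old": "false", "new": "true"}]},
    {"category": "audit.configuration", "user": "admin.b@example.com",
     "time": "2021-04-18T16:05:00+00:00",
     "attributes": [{"name": "Default Time Zone",
                     "old": "UTC", "new": "CET"}]},
    {"category": "audit.data-access", "user": "clerk@example.com",
     "time": "2021-05-14T10:00:00+00:00", "attributes": []},
    {"category": "audit.configuration", "user": "admin.a@example.com",
     "time": "2021-05-13T08:00:00+00:00",
     "attributes": [{"name": "Default Time Zone",
                     "old": "CET", "new": "CET"}]},
]


def triage_config_changes(records, now, export_margin_days=5):
    """Return one finding per field that actually changed.

    A finding carries reasons when the field is a watched setting or when
    the record is about to age out of the 30-day viewer window and should
    be exported for long-term retention first.
    """
    findings = []
    for rec in records:
        if rec.get("category") != "audit.configuration":
            continue  # system settings changes use this category only
        changed_at = datetime.fromisoformat(rec["time"])
        days_left = VIEWER_WINDOW_DAYS - (now - changed_at).days
        if days_left < 0:
            continue  # already outside the window the viewer shows
        for attr in rec.get("attributes", []):
            if attr.get("old") == attr.get("new"):
                continue  # saved without changing the value
            reasons = []
            if attr["name"] in WATCHED_SETTINGS:
                reasons.append("watched setting changed")
            if days_left <= export_margin_days:
                reasons.append("export before it leaves the 30-day window")
            findings.append({
                "user": rec["user"],
                "time": rec["time"],
                "setting": attr["name"],
                "old": attr.get("old"),
                "new": attr.get("new"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_config_changes(SAMPLE_RECORDS, SAMPLE_NOW):
        print(finding)
```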

Parent topic: Security [page 115]

Related Information

User Administration, Authentication, and Authorizations [page 115]

Session Security Protection [page 121]

Network and Communication Security [page 121]

Data Storage Security [page 122]

Data Protection and Privacy [page 125]

9.6 Data Protection and Privacy

This section provides information about how SAP Entitlement Management complies with data protection and privacy guidelines.


Parent topic: Security [page 115]

Related Information

User Administration, Authentication, and Authorizations [page 115]

Session Security Protection [page 121]

Network and Communication Security [page 121]

Data Storage Security [page 122]

Audit Log [page 124]

9.6.1 Introduction

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data protection and privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. SAP provides specific features and functions to support compliance with regard to relevant legal requirements, including data protection. SAP does not give any advice on whether these features and functions are the best method to support company, industry, regional, or country-specific requirements. Furthermore, this information should not be taken as advice or a recommendation regarding additional features that would be required in specific IT environments. Decisions related to data protection must be made on a case-by-case basis, taking into consideration the given system landscape and the applicable legal requirements.

Note

SAP does not provide legal advice in any form. SAP software supports data protection compliance by providing security features and specific data protection-relevant functions, such as simplified blocking and deletion of personal data. In many cases, compliance with applicable data protection and privacy laws will not be covered by a product feature. Definitions and other terms used in this document are not taken from a particular legal source.

Caution

The extent to which data protection is supported by technical means depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.

Generic Fields

You need to make sure that no personal data enters the system in an uncontrolled or non-purpose related way, for example, in free-text fields, through APIs, or customer extensions. Note that these are not subject to the read access logging (RAL) example configuration.


SAP Entitlement Management system does contain personal data that is considered non-sensitive. There are two tables that store personal data: User table and Customer table.

9.6.2 Glossary

The following terms are general to SAP products. Not all terms may be relevant for this SAP product.

Blocking: A method of restricting access to data for which the primary business purpose has ended.

Consent: The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent.

Data subject: An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Deletion: Deletion of personal data so that the data is no longer available.

End of business: Date where the business with a data subject ends, for example, the order is completed, the subscription is canceled, or the last bill is settled.

End of purpose (EoP): End of purpose and start of blocking period. The point in time when the primary processing purpose ends, for example, a contract is fulfilled.

End of purpose (EoP) check: A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization, for example, tax auditors.

Personal data: Any information relating to an identified or identifiable natural person (a data subject).

Purpose: The information that specifies the reason and the goal for the processing of a specific set of personal data. As a rule, the purpose references the relevant legal basis for the processing of personal data.

Residence period: The period of time between the end of business and the end of purpose (EoP) for a data set during which the data remains in the database and can be used in case of subsequent processes related to the original purpose. At the end of the longest configured residence period, the data is blocked or deleted. The residence period is part of the overall retention period.

Retention period: The period of time between the end of the last business activity involving a specific object (for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The retention period is a combination of the residence period and the blocking period.

Sensitive personal data: A category of personal data that usually includes the following type of information:

● Special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation.
● Personal data subject to professional secrecy
● Personal data relating to criminal or administrative offenses
● Personal data concerning insurances and bank or credit card accounts

Where-used check (WUC): A process designed to ensure data integrity in the case of potential blocking of business partner data. An application's where-used check (WUC) determines if there is any dependent data for a certain business partner in the database. If dependent data exists, this means the data is still required for business activities. Therefore, the blocking of business partners referenced in the data is prevented.

9.6.3 User Consent

SAP applications ask for consent of the data subject before collecting any personal data. In some cases, the data subject may also be the user. This SAP product provides functionality that allows data subjects to give and withdraw consent to collect and process their personal data. SAP assumes that the user, for example, an SAP customer collecting data, has consent from its data subject (a natural person such as a customer, contact, or account) to collect or transfer data to the solution.


Note

This section does not apply to SAP Entitlement Management.

9.6.4 Read Access Logging

Read access logging (RAL) is used to monitor and log read access to sensitive data. Data may be categorized as sensitive by law, by external company policy, or by internal company policy. Read access logging enables you to answer questions about who accessed particular data within a specified time frame. Here are some examples of such questions:

● Who accessed the data of a given business entity, for example a bank account?
● Who accessed personal data, for example of a business partner?
● Which employee accessed personal information, for example religion?
● Which accounts or business partners were accessed by which users?

From a technical point of view, this means that all remote APIs and UI infrastructures (that access the data) must be enabled for logging.

In read access logging (RAL), you can configure which read-access information to log and under which conditions. SAP delivers sample configurations for applications. The application component scenario logs data to describe business processes.

Note

This section does not apply to SAP Entitlement Management.

9.6.5 Change Log

Personal data is subject to frequent changes. Therefore, for review purposes or as a result of legal regulations, it may be necessary to track the changes made to this data. When these changes are logged, you should be able to check which employee made which change, the date and time, the previous value, and the current value, depending on the configuration. It is also possible to analyze errors in this way.

Changes to entitlement data are logged, and the change log is provided in the History tab of the Entitlement Detail page in the Entitlement tile.

9.6.6 Information Retrieval

Data subjects have the right to receive information regarding their personal data that is being processed. The information retrieval feature supports you in complying with the relevant legal requirements for data protection by allowing you to search for and retrieve all personal data for a specified data subject. The search results are displayed in a comprehensive and structured list containing all personal data of the data subject specified, organized according to the purpose for which the data was collected and processed.

Entitlement data can be retrieved by calling the "Inbound_Interface_Entitlement_Query" interface. The structured entitlement data can be downloaded in .csv format through the "Export File" function in the Data Migration tile.

9.6.7 Deletion of Personal Data

Simplified Blocking and Deletion

When considering compliance with data protection regulations, it is also necessary to consider compliance with industry-specific legislation in different countries. A typical potential scenario in certain countries is that personal data shall be deleted after the specified, explicit, and legitimate purpose for the processing of personal data has ended, but only as long as no other retention periods are defined in legislation, for example, retention periods for financial documents. Legal requirements in certain scenarios or countries also often require blocking of data in cases where the specified, explicit, and legitimate purposes for the processing of this data have ended, however, the data still has to be retained in the database due to other legally mandated retention periods. In some scenarios, personal data also includes referenced data. Therefore, the challenge for deletion and blocking is first to handle referenced data and finally other data, such as business partner data.

Deletion of Personal Data

The processing of personal data is subject to applicable laws related to the deletion of this data when the specified, explicit, and legitimate purpose for processing this personal data has expired. If there is no longer a legitimate purpose that requires the retention and use of personal data, it must be deleted. When deleting data in a data set, all referenced objects related to that data set must be deleted as well. Industry-specific legislation in different countries also needs to be taken into consideration in addition to general data protection laws. After the expiration of the longest retention period, the data must be deleted.

In the SAP Entitlement Management system, there are two kinds of personal data: User data and Customer data. For each type, there is an attribute Valid To, indicating the retention period of User and Customer. By default, Valid To for every user and customer is set as 9999-12-31. You can change this attribute in SAP Entitlement Management. The "Inbound_Interface_Customer_Master" interface API provides an interface that lets an upstream system trigger the deletion of Customer Master data records. The API information can be reached through the Interface tile. The API URL, request method, and body structure are shown in the Details page, and the body template is accessed via the Export button.

A daily background job checks the validity of Users and deletes their data once it has expired.

After deletion, the data will be removed from the Entitlement Management system with no copies saved.

Note

SAP Entitlement Management provides a background job type called “Invalid Customer Data Clearance”. This job can be used to delete invalid customer data and their entitlements. To make this job take effect, you need to turn on "Allow Entitlement Deletion" in the System Settings. Customers can create the “Invalid Customer Data Clearance” job and configure its run type, run time, and retention period. Once the job is running, it will delete the expired customer data and delete their Entitlements.


10 Operations

The Operations section defines and explains the necessary configurations for proper operation of SAP Entitlement Management.

Monitoring [page 132]
SAP Entitlement Management is a SaaS Cloud application, and therefore it follows the standard monitoring process for Cloud applications.

Subscribe SAP Entitlement Management on SAP BTP Cockpit [page 133]
Before you can subscribe SAP Entitlement Management on the SAP BTP Cockpit, you must create three Subaccounts, one for the Dev tenant, one for the Test tenant, and one for the Production tenant.

Set Up Trust Between SAP BTP Subaccount and SCI Tenant [page 136]

Configure Roles on the SAP BTP Cockpit [page 143]
Once you subscribe SAP Entitlement Management on SAP BTP, you need to configure roles on your new subaccount.

Configure Destination Under SAP BTP Subaccount [page 144]
SAP Entitlement Management uses destination as a service to communicate with external systems.

10.1 Monitoring

SAP Entitlement Management is a SaaS Cloud application, and therefore it follows the standard monitoring process for Cloud applications.

See the following link for standard monitoring process for Cloud applications.

Monitor Solutions Using the Cockpit

Parent topic: Operations [page 132]

Related Information

Subscribe SAP Entitlement Management on SAP BTP Cockpit [page 133]

Set Up Trust Between SAP BTP Subaccount and SCI Tenant [page 136]

Configure Roles on the SAP BTP Cockpit [page 143]

Configure Destination Under SAP BTP Subaccount [page 144]

10.2 Subscribe SAP Entitlement Management on SAP BTP Cockpit

Before you can subscribe SAP Entitlement Management on the SAP BTP Cockpit, you must create three Subaccounts, one for the Dev tenant, one for the Test tenant, and one for the Production tenant.

Note

The steps are the same regardless of the tenant type.

There are just a few basic steps to take to subscribe SAP Entitlement Management on the SCP Cockpit. You must do these steps three times; once for each tenant.

● Create a new Subaccount
● Subscribe the account
● Finish the tenant setup

Create a Subaccount

1. Go to the Customer's SAP BTP Global account, and create a new Subaccount.

The Subdomain format should be "company name abbreviation-tenant type" (e.g., companyname-dev, companyname-test, or companyname-prod).

The final tenant URL format will be: https://<Subdomain>.ems.<cf_apps_domain>

Display Name: SaaS Tenant Name

Provider: Hyperscale Provider

Region: Available Data Center

| Data Center | IaaS Provider | Description |
| --- | --- | --- |
| cf-eu10 | AWS | Default DC for EMEA region customers. |
| cf-us10 | AWS | Default DC for America region customers. |
| cf-us20 | Microsoft Azure | US West DC with Azure provider. |

Subdomain: Subdomain will be part of the tenant URL.


Subscribe the Account

2. Go to the new Subaccount you just created and navigate to Subscriptions.

3. In the navigation area of the subaccount created in Step 1, choose Subscriptions.

You should see two application tiles there; one is for Dev and Test Tenant (SAP Entitlement Management (Beta)) and the other is for Production Tenant (SAP Entitlement Management).

Select the one that this Subaccount is for.


Click Subscribe.

Finish the Tenant Setup

4. Once the Subscribe process above is finished, follow the IDP Trust and Role Definition Guide instructions to finish the tenant setup.

Parent topic: Operations [page 132]

Related Information

Monitoring [page 132]

Set Up Trust Between SAP BTP Subaccount and SCI Tenant [page 136]

Configure Roles on the SAP BTP Cockpit [page 143]

Configure Destination Under SAP BTP Subaccount [page 144]

10.3 Set Up Trust Between SAP BTP Subaccount and SCI Tenant

Note

You can find the official documentation on the SAP Help Portal (help.sap.com) in the Custom SAML 2.0 Identity Provider topic at https://help.sap.com/doc/5fd179965d5145fbbe7f2a7aa1272338/2021-05-05/en-US/PlatformConfiguration.pdf

Establish Trust in the SAP BTP Identity Authentication Service

You want to use a SAML 2.0 identity provider, for example SAP Cloud Identity Authentication service. This is where the business users for SAP BTP are stored. In the next step, you must establish a trust relationship with SAP BTP.

You must establish a trust relationship with an SAML 2.0 identity provider in your subaccount in SAP BTP. The following procedure describes how you establish trust in the SAP BTP Identity Authentication service.

1. Go to your subaccount and choose Security > Trust Configuration in the SAP BTP cockpit.

2. Select New Trust Configuration.


3. Enter a Name and add a Description that clearly explains that the trust configuration refers to the Identity Provider.

4. Get the SCI tenant metadata from the following URL:

https://<sci_tenant_name>.accounts.ondemand.com/saml2/metadata?action=download

5. Copy the SAML 2.0 metadata and paste it into the Metadata field.

6. Click Parse to validate the metadata. This will automatically fill the Subject and Issuer fields.

7. Click Save to save your changes.

Establish Trust from a SAML 2.0 Identity Provider in a Subaccount

To establish trust with an SAML identity provider, you must assign the identity provider’s metadata file and define attribute mappings. The attributes are included in the SAML 2.0 assertion. With the UAA as SAML service provider, they are used for automatic assignment of UAA authorizations based on information maintained in the identity provider.

1. Open the Administration Console of the SAP BTP Identity Authentication service.

https://<sci_tenant_name>.accounts.ondemand.com/admin/

2. To add a new SAML 2.0 Identity Provider, click Add ( + ) in the Applications section of Applications & Resources.

3. Enter a name for the application that clearly identifies it as your new Identity Provider and then Save your changes.

4. Select SAML 2.0 Configuration and import the relevant metadata file. Use the metadata file of your Subaccount. The subdomain name is usually identical to the tenant name. The metadata file is in the following location:

https://<sub_domain>.authentication.<cf_domain>/saml/metadata?action=download

For example:

https://<sub_domain>.authentication.eu10.hana.ondemand.com/saml/metadata?action=download

5. Select Name ID Attribute and select E-Mail as the unique attribute and click Save.


6. Select Assertion Attributes and enter Groups (capitalized) in the Groups user attribute. Click Save.


7. Test the SAML 2.0 configuration. Use the following URL:

https://<sub_domain>.authentication.<cf_domain>/config?action=who

Example:

https://<sub_domain>.authentication.eu10.hana.ondemand.com/config?action=who


You should see an output page similar to the following:

Parent topic: Operations [page 132]

Related Information

Monitoring [page 132]

Subscribe SAP Entitlement Management on SAP BTP Cockpit [page 133]

Configure Roles on the SAP BTP Cockpit [page 143]

Configure Destination Under SAP BTP Subaccount [page 144]

10.4 Configure Roles on the SAP BTP Cockpit

Once you subscribe SAP Entitlement Management on SAP BTP, you need to configure roles on your new subaccount.

For full details on configuring roles on your subaccount, see the SAP BTP topic Working with Role Collections.

Parent topic: Operations [page 132]

Related Information

Monitoring [page 132]

Subscribe SAP Entitlement Management on SAP BTP Cockpit [page 133]

Set Up Trust Between SAP BTP Subaccount and SCI Tenant [page 136]

Configure Destination Under SAP BTP Subaccount [page 144]

10.5 Configure Destination Under SAP BTP Subaccount

SAP Entitlement Management uses destination as a service to communicate with external systems.

To enable data to be sent to external systems, first you need to set up destinations and then you must configure the communication channel.

Set Up Destinations

1. Log in to the SAP BTP Cockpit.

2. Select Global Account and then select your Subaccount.

3. Select Destinations from the left panel.

4. Click New Destination.


5. Enter all necessary field data, according to your business requirements.

6. Click Save to save the new destination.

Note

For more details, refer to https://help.sap.com/doc/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/1e110da0ddd8453aaf5aed2485d84f25.html

Direct connection from SAP Cloud Connector to Entitlement Management is not released, so Proxy Type for OnPremise is not currently supported.

Configure the Communication Channel

1. Log in to the Entitlement Management system.

2. Open the Communication Channel tile from the System Administration section. If you cannot see the Communication Channel tile, check with your administrator to ensure you get the required role for access.

3. To create a new communication channel, select the desired interface and destination.

Click Save to save the new communication channel.

Parent topic: Operations [page 132]


Related Information

Monitoring [page 132]

Subscribe SAP Entitlement Management on SAP BTP Cockpit [page 133]

Set Up Trust Between SAP BTP Subaccount and SCI Tenant [page 136]

Configure Roles on the SAP BTP Cockpit [page 143]
