Already some time ago I wrote a blog on how to connect your SAP S/4HANA Cloud to SAP Cloud Platform (https://blogs.sap.com/2016/10/19/s4hana-extensibility-connect-sap-s4hana-cloud-sap-hana-cloud-platform-hcp/ ). In this “follow-up” blog, I am trying to give some very basic recommendations on how to use which services.
In principle, the (OData) services that are available on SAP S/4HANA Cloud are:
- SAP OData services (exposed via SAP Communication Scenarios, listed on the SAP API Business Hub. https://api.sap.com/ )
- Custom OData services created via Custom CDS Views (exposed via Custom Communication Scenarios)
- Custom OData services created via Custom Business Objects (exposed via Custom Communication Scenarios)
How can you consume these services on SAP Cloud Platform? The answer to this question has two dimensions:
The first dimension is the authentication type, here you can distinguish between:
- Authentication via technical (communication) user (basic authentication via user/password) or client certificate:
- In this case, the service runs with the communication user in SAP S/4HANA Cloud
- Authentication via principal propagation (OAuth SAML Bearer Token Grant):
- In this case, the service runs with the calling business user in SAP S/4HANA Cloud.
- Pre-requisite for this is that the SAP CP account and the SAP S/4HANA Cloud tenant have a trust relation to the same identity provider (= users are known in the SAP CP account and the SAP S/4HANA Cloud tenant) and there is a trust relation configured between SAP CP account and the SAP S/4HANA Cloud tenant (https://help.sap.com/viewer/233fb3f82e484f75ab3511fccd46d101/Cloud/en-US ).
The second dimension is the layer, in which it is consumed:
- The service is consumed by a service on SAP CP, which combines data from different sources and which is again exposed as a (OData) service on SAP CP. To build this services, SAP provides:
- the ABAP Environment on SAP CP (https://blogs.sap.com/2018/09/04/sap-cloud-platform-abap-environment/ , https://cloudplatform.sap.com/enterprise-paas/abap.html )
- SAP CP Integration Services (for integration use cases)
- The service is consumed directly by a UI (created with SAP Web IDE)
Having this said, here comes the matrix of available/recommended combinations along these dimensions:
- SAP does not recommend using SAP OData services directly in a UI, because these services are APIs designed for system-to-system communication and have a broad scope and are too powerful for using them directly in a UI.
- (2) It is also not recommended to use a service in a UI together with a technical (communication) user or client certificate
- (3) SAP OData services can be used with a technical (communication) user or client certificate. Some SAP communication scenarios can be used also with principal propagation (examples: Business Partner, SAP_COM_0008, and Product Master SAP_COM_0009, see also: Best Practice Document on Master Data Integration, https://rapid.sap.com/bp/#/scopeitems/1RO ).
- (4) Custom OData services created via Custom Business Objects can be used directly in a UI. If you want to create the UI using SAP Web IDE, you must configure the communication scenario for SAP Web IDE integration (SAP_COM_0013, https://help.sap.com/viewer/f544846954f24b9183eddadcc41bdc3b/1808.500/en-US/35750d8db7e646f7926406151696bf35.html ). Please note that this communication scenario can only be used for this purpose.