Author: Somaskandan Kuppusamy

SAP Task Center setup for S/4HANA On-Premise

Introduction:

The SAP Task Center service enables integration with various SAP applications to provide a single entry point for end users to access all their assigned approval tasks. End users access the tasks through the SAP Task Center Web application.

This blog details integration of Task Center in BTP with S/4HANA on-premise.

Prerequisites:

  • SAP BTP Cloud Foundry environment
  • Task Center service in BTP
  • Launchpad service in BTP
  • Identity Authentication service (IAS)
  • Identity Provisioning service (IPS)
  • SAP Cloud Connector
  • SAP S/4HANA On-premise

The integration of SAP Task Center with on-premise S/4HANA involves the following activities:

  1. Task Center configuration with S/4HANA On-Premise system.
  2. Update user UUID from IAS to S/4HANA user.
  3. Integration of My inbox app with SAP BTP Launchpad service
  4. Configure Launchpad site and Role Assignment

1.   Task Center configuration with S/4HANA On-Premise system

1.1   Deployment of Task Center & Launchpad Service in BTP

SAP Task Center is available on the BTP Cloud Foundry environment only. Establish trust between the Identity Provider and the subaccount of Task Center.

Run the booster for Task Center to complete the automatic setup. The booster creates sample destinations, with sample property values, for the SAP solutions to be connected, and subscribes to the SAP Launchpad service application. Refer to the help document to run the booster.

1.2   SAP Launchpad service configuration for Task Center

1.2.1.   Navigate to Instances and Subscriptions in BTP, select the Launchpad service and click Go to Application to access the Site Manager.

1.2.2.   Update the content of Launchpad service from Site manager and add the apps to My Content.

1.2.3.   Create new Group and Role in Site Manager for Task center and Task Center Administration.

1.2.4.   Create a new site for Task center application and add the Task Center Role.

1.3   Cloud connector setup for Task Center and S/4HANA On-Premise

The cloud connector connects Task Center with the on-premise S/4HANA system. It must be configured to use the UUID of the user as the subject pattern for principal propagation to S/4HANA.

Note: If the cloud connector is already configured with a different subject pattern for principal propagation (for example, e-mail), use a separate cloud connector with the user UUID as the subject pattern for Task Center to communicate with S/4HANA.

1.3.1.   Configure the BTP CF subaccount in Cloud Connector

1.3.2.   Create an HTTP connection to the backend S/4HANA system with principal propagation using an X.509 certificate (strict usage). In the URL path section, allow access to the /sap/opu/odata4/sap/ path and its sub-paths.

1.3.3.   Navigate to the configuration menu in SAP Cloud Connector and select the On-Premise section to generate the system certificate and the CA certificate. These can be self-signed or CA-signed certificates.

1.3.4.   In the Principal Propagation section, configure "user_uuid" as the subject pattern and download the sample certificate.

1.4  Configuration in S/4HANA system

In the S/4HANA system, execute transaction SPRO and choose SAP Reference IMG -> SAP NetWeaver -> Application Server -> Business Management -> SAP Business Technology Platform Integration -> SAP Task Center Integration.

Execute the tasks below under the SAP Task Center Integration section.

Note: The configuration path may differ based on the S/4HANA version.

1.4.1.   Publish the OData V4 service group on the S/4HANA system for the services below (Tcode /IWFND/V4_ADMIN):

  • API_TASK_SPI_REPLICATION
  • API_TASK_SPI_DETAILS

1.4.2.   Create a role for Task Pull Service and assign it to Service User in S/4HANA

1.4.3.   Create role for Task Detail Service and assign the role to S/4HANA business users

1.4.4.   Execute STRUST transaction and upload the Cloud Connector system certificate (in section 1.3.3) into SAP Server Standard PSE.

1.4.5.   Execute CERTRULE transaction, upload the generated sample certificate from Cloud Connector (in section 1.3.4) and create rule with User UUID as the identifier.

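1.4.6   Add the parameters listed below to the default profile of the S/4HANA system and restart the system. Set SUBJECT and ISSUER to the subject and issuer of the Cloud Connector system certificate uploaded in step 1.4.4; the values shown are an example.

  1. login/certificate_mapping_rulebased – 1
  2. icm/trusted_reverse_proxy_0 – SUBJECT="CN=vmw6281.wdf.sap.corp, OU=PM, O=SAP, C=DE", ISSUER="CN=priv.root.ca, OU=PM, O=SAP, C=DE"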

1.5   Destination creation at BTP Subaccount

1.5.1   Create destination in BTP to connect IAS

Configure the IAS destination in BTP to connect the identity directory of Identity Authentication and retrieve the required information about the end users. This is required for all SAP application integration with Task Center.

1.5.1.1.  Create an Administrator user in IAS and generate the certificate for the administrator user in IAS.

1.5.1.2.  Upload the generated certificate of IAS Administrator in the destination section of SAP BTP CF sub account.

1.5.1.3.  Update the IAS URL in the Identity_Authentication_Connectivity_IDS destination in the BTP subaccount and use the IAS user certificate for authentication.

1.5.2.   Create a destination in BTP to connect S/4HANA

Clone the sample S/4HANA destination and update the virtual host, virtual port and location ID from the registered cloud connector. Use Basic Authentication with SAP Service user credentials created in section 1.4.3.

Update the additional properties below:

  • tc.enabled – True (To enable the Task center for the destination)
  • tc.ui.group – Name of the application in Task center tile
  • tc.ui.lable – Sub name of task

2.   Update user UUID in S/4HANA

For integration scenarios with SAP applications, such as SAP Task Center, you need a common identifier for the users in your system landscape. In this scenario, the common identifier is the Global User ID which acts as a correlation attribute. This UUID value uniquely identifies a user across the landscape and helps the SAP Task Center application to relate tasks assigned to respective users from different backend systems.

SAP Task Center must be integrated with Identity Authentication service (IAS) and Identity Provisioning service (IPS) to generate and distribute the Global User ID. In this case, the attribute is automatically generated by Identity Authentication at user creation. Its value is populated in the User UUID field for every newly created, imported or provisioned user. After that, Identity Provisioning distributes it to the various SAP applications.

Not only the task approvers but all users in S/4HANA must be available in IAS. The user UUID of the respective users in IAS must be updated back to S/4HANA. Otherwise the "created by" user information field of the task will not be available in the Task Center application.

In Identity Provisioning, use the system type "SAP Application Server ABAP" to provision the user UUID information to the S/4HANA system.

2.1   Cloud connector setup for IPS and S/4HANA On-premise

Follow the steps below to create an RFC destination in the IPS subaccount to connect to the backend S/4HANA system.

Note: This destination setup is required only when the SAP Application Server ABAP type is used in the IPS configuration. For the other connection types in IPS, the parameter values defined in the Properties tab are used for the connection.

2.1.1.   Configure the IPS subaccount in Cloud Connector.

2.1.2.   Create Cloud To On-Premise connection to backend system using RFC Protocol.

2.1.3.   Add the BAPIs below as prefixes in the resources section of the backend connection.

  • PRGN_ROLE_GETLIST
  • BAPI_USER_GETLIST
  • BAPI_USER_GET_DETAIL
  • BAPI_USER_CREATE1
  • BAPI_USER_ACTGROUPS_ASSIGN
  • IDENTITY_MODIFY
  • BAPI_USER_DELETE
  • PRGN_ACTIVITY_GROUPS_LOAD_RFC

2.1.4.   Switch to the subaccount of IPS and create a destination of type RFC to connect to the S/4HANA system. Use Basic authentication to connect to the backend system.

Add the additional properties below:

  • jco.client.ashost – Virtual host defined in Cloud connector destination
  • jco.client.client – Client number of SAP system
  • jco.client.sysnr – System number of SAP system

2.2.   Create/Update users in IAS from S/4HANA

IAS acts as the central repository of users for the multiple applications (such as S/4HANA, SuccessFactors, Concur, Ariba) registered to it. The login name and email ID are used as the unique attributes to connect to IAS.

There are two scenarios for updating the user UUID in the S/4HANA system:

Scenario 1 -> Users in IAS are created from different applications (e.g. SuccessFactors, Concur) using IPS sync jobs, and the users in the S/4HANA system are yet to be synchronized with IAS.

This scenario is further divided into two cases, based on whether the user name and email address are identical or not.

Scenario 1.1: Identical Login Name and Email address:

If the login name and email ID of the user are identical for all the applications integrated with IAS, the process is straightforward.

In this scenario the user already exists in IAS, so we create or update the user in S/4HANA and also update the UUID of the user from IAS to S/4HANA using IPS jobs. Note that only the S/4HANA login name is supported as the unique attribute between IAS and S/4HANA for syncing IAS user details and the UUID with the user in S/4HANA.

Scenario 1.2: Different Login name and same Email address:

Assume that the login name of the S/4HANA user and of the SuccessFactors user (or the user from another application) is different, but the same email address is maintained in both applications. IAS has an existing user master record based on SuccessFactors.

In this scenario the IAS user details/UUID cannot be updated to the S/4HANA system, because the login name in IAS does not match the login name of the user in S/4HANA. The S/4HANA login name therefore needs to be stored against the respective IAS user in another user master field, such as display name or a custom attribute.

IPS sync jobs using the PUT operation completely replace the existing user details in IAS with the user details from S/4HANA, which leads to inconsistencies in the IAS user master. Other applications that rely on IAS for user authentication will then run into access issues.

To avoid this, use IPS jobs with the PATCH operation, which leaves the existing IAS user information unchanged and only patches the login name into another field (such as display name or a custom attribute) to identify the user in S/4HANA.

Scenario 2 -> Users are not available in IAS

Create the users in IAS manually or by using IPS provisioning from S/4HANA, and push the respective UUID of the IAS user back to S/4HANA through another IPS provisioning job.

The scenarios discussed above are purely for a better understanding of the ways in which users in IAS can be updated using Identity Provisioning jobs.

2.3.   Create/Update users in IAS for TASK Center Integration

For the Task Center integration in this blog, we used two IPS jobs. The first IPS job patches the S/4HANA login name into the display name field of the IAS user master data, and the second IPS job updates the S/4HANA user with the UUID of the respective IAS user.

2.3.1.   IPS Transformation from S/4HANA to IAS:

  1. In IPS, add a source system with the ABAP application server type and select the RFC destination created in the IPS subaccount.
  2. Two user groups are created in IAS through IPS jobs, based on role assignment in the S/4HANA system: one for S/4HANA users and the other for Task Center approvers.
  3. The S/4HANA login name is written to the display name field of the user in IAS.
  4. Email ID is used as the unique attribute in the target transformation to provision the details to users in IAS.

Note: Transformation logic is subject to change based on the business requirement.

2.3.1.1.   S/4HANA Source Transformation:

The transformation logic below reads the users in S/4HANA and assigns each user to the respective user group in IAS, based on their role assignment in the S/4HANA system: S/4HANA users are assigned to the S/4HANA_USER group and task approvers are assigned to the TASKCTR group.

2.3.1.2.   S/4HANA source Parameters:

2.3.1.3.   IAS Target Transformation:

If the user exists in IAS, the transformation logic below performs a patch operation to update the SAP login name in the display name field of IAS; if the user is not available in IAS, it creates the new user.

The patch operation is supported for IAS; check the IPS guide for more details on the supported systems.

Set the parameter scim.support.patch.operation to true.

Add the transformation below to perform the patch operation:

            {
                "constant": true,
                "targetVariable": "is.scim.patched.entity",
                "scope": "patchEntity"
            },
            {
                "constant": "urn:ietf:params:scim:api:messages:2.0:PatchOp",
                "targetPath": "$.schemas[0]",
                "scope": "patchEntity"
            },

The patch operation is performed based on a correlation attribute; user name or email ID can be used. In this scenario the user name in IAS is different from the one in the S/4HANA system, so email ID is used.

            {
                "constant": "emails.value",
                "targetVariable": "entityCorrelationAttributeName"
            },
            {
                "sourcePath": "$.emails[0].value",
                "targetVariable": "entityCorrelationAttributeValue"
            },

The logic below patches the S/4HANA login name into the display name field of the IAS user.

            {
                "condition": "$.userName EMPTY false",
                "constant": "add",
                "targetPath": "$.Operations[0].op",
                "scope": "patchEntity"
            },
            {
                "condition": "$.userName EMPTY false",
                "constant": "displayName",
                "targetPath": "$.Operations[0].path",
                "scope": "patchEntity"
            },
            {
                "sourcePath": "$.userName",
                "optional": true,
                "targetPath": "$.Operations[0].value",
                "scope": "patchEntity"
            },

To patch more than one field, add the corresponding mappings for each field and increment the Operations index (Operations[1], Operations[2], and so on) accordingly.
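What the fragments in this section produce for one user, as an added example (not the author's code and not SAP's IPS engine): a simplified Python model that evaluates the mappings and applies the resulting SCIM PatchOp to an IAS record, so the existing IAS login name stays untouched. The sample users and all helper names are constructed for illustration, and the `scope` key is carried but not evaluated.

```python
import re
# Simplified model of the mapping semantics, for illustration only (assumption:
# constants, simple JSONPaths and the 'EMPTY' condition are all that is needed).
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# The mapping fragments from this section, assembled in order into one list.
MAPPINGS = [
    {"constant": True, "targetVariable": "is.scim.patched.entity", "scope": "patchEntity"},
    {"constant": PATCH_SCHEMA, "targetPath": "$.schemas[0]", "scope": "patchEntity"},
    {"constant": "emails.value", "targetVariable": "entityCorrelationAttributeName"},
    {"sourcePath": "$.emails[0].value", "targetVariable": "entityCorrelationAttributeValue"},
    {"condition": "$.userName EMPTY false", "constant": "add",
     "targetPath": "$.Operations[0].op", "scope": "patchEntity"},
    {"condition": "$.userName EMPTY false", "constant": "displayName",
     "targetPath": "$.Operations[0].path", "scope": "patchEntity"},
    {"sourcePath": "$.userName", "optional": True,
     "targetPath": "$.Operations[0].value", "scope": "patchEntity"},
]

def steps_of(path):
    """Split a simple JSONPath such as $.Operations[0].op into keys and indexes."""
    return [key or int(idx) for key, idx in re.findall(r"\.(\w+)|\[(\d+)\]", path)]

def read(doc, path):
    """Return the value at path, or None when a step is missing."""
    for step in steps_of(path):
        try:
            doc = doc[step]
        except (KeyError, IndexError, TypeError):
            return None
    return doc

def write(doc, path, value):
    """Set the value at path, creating the dicts and lists on the way."""
    steps = steps_of(path)
    for pos, step in enumerate(steps):
        last = pos == len(steps) - 1
        child = value if last else ([] if isinstance(steps[pos + 1], int) else {})
        if isinstance(step, int):
            doc.extend([None] * (step + 1 - len(doc)))
            if last or doc[step] is None:
                doc[step] = child
        elif last or step not in doc:
            doc[step] = child
        doc = doc[step]

def condition_holds(condition, source):
    """Evaluate the one condition form used here: '<path> EMPTY true|false'."""
    path, keyword, flag = condition.split()
    if keyword != "EMPTY":
        raise ValueError(f"unsupported condition: {condition}")
    return (read(source, path) in (None, "", [], {})) == (flag == "true")

def build_patch(source):
    """Return (job variables, SCIM PATCH body) for one source user."""
    variables, body = {}, {}
    for mapping in MAPPINGS:
        if "condition" in mapping and not condition_holds(mapping["condition"], source):
            continue
        value = mapping["constant"] if "constant" in mapping else read(source, mapping["sourcePath"])
        if value is None:
            if mapping.get("optional"):
                continue
            raise ValueError(f"missing source value for {mapping['sourcePath']}")
        if "targetVariable" in mapping:
            variables[mapping["targetVariable"]] = value
        else:
            write(body, mapping["targetPath"], value)
    return variables, body

def apply_patch(target_user, body):
    """Apply 'add' operations to a copy of the target user; other attributes stay."""
    patched = dict(target_user)
    for operation in body.get("Operations", []):
        if operation["op"] == "add":
            patched[operation["path"]] = operation["value"]
    return patched

# Constructed sample data: the same person as read from S/4HANA and as stored in IAS.
S4_USER = {"userName": "JDOE01", "emails": [{"value": "jane.doe@example.com"}]}
IAS_USER = {"userName": "jane.doe", "displayName": "Jane Doe", "emails": [{"value": "jane.doe@example.com"}]}

if __name__ == "__main__":
    job_variables, patch_body = build_patch(S4_USER)
    print(job_variables, patch_body, apply_patch(IAS_USER, patch_body), sep="\n")
```

A PUT with the S/4HANA record would instead overwrite `userName` in IAS with `JDOE01`, which is the inconsistency described in scenario 1.2.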

2.3.1.4.   IAS Target Parameters:

2.4.   Update the SAP Global user ID(UUID) in S/4HANA

2.4.1.   IPS Transformation from IAS to S/4HANA:

  1. In IPS, add IAS as a source system and read the users from the S/4HANA user groups.
  2. Add the ABAP application server type as a target system and select the RFC destination.
  3. In the target system transformation logic, all fields are ignored except the UUID field, so only the UUID is updated for the S/4HANA users.
  4. The UUID assignment to S/4HANA users can be checked in the tables USR_BY_GLOBALUID and USR_TO_GLOBALUID in S/4HANA and in the user change documents of the respective user.

2.4.1.1.   IAS Source transformation:

Read the users from the group and map the display name to the user name to identify the user in S/4HANA. The ABAP function module uses this input to update the user UUID of the respective users.

2.4.1.2.   IAS Source system parameters:

Set the parameter below to read the users from the group:

ias.user.filter – group.display eq "S/4HANA_User"

2.4.1.3.   S/4HANA system Target transformation:

In the transformation used to update S/4HANA, ignore all fields except the user UUID. The IPS job uses the RFC destination and BAPI to update the user UUID field.

2.4.1.4.   S/4HANA Target parameters:

3.   Integration of My inbox app with SAP BTP launchpad service

More details about a task created in S/4HANA can be displayed by integrating the My Inbox application with Task Center. Task Center then displays the additional details using the iframe URL embedded with the task details.

In the below screenshot the iframe URL embedded with task is highlighted in green.

Note

Refer to the blog for more details on integrating My Inbox on-premise application with BTP Launchpad.

4.   Configure Launchpad site and Role Assignment

Launch Site Manager in the Launchpad service and add the My Inbox role to the Task Center site created in step 1.2.3, or add the role to another site and maintain the site details in S/4HANA as described in step 4.1.

4.1.   Configure the Launchpad Site details in S/4HANA

To integrate the My Inbox application with Task Center, maintain the My Inbox site details of the Launchpad service under the path below in the S/4HANA system.

Launch SPRO Tcode -> choose SAP Reference IMG -> SAP NetWeaver -> Application Server -> Business Management -> SAP Business workflow -> Basic settings (Workflow system) -> Maintenance of URL Settings

4.2.  Role mapping to users in IAS

The Task Center Operator role and the My Inbox role must be assigned to the respective IAS users so that they can perform their activities in Task Center.

Roles in BTP have been mapped to user groups in IAS (refer to step 2.2), so users in the respective IAS group inherit the BTP roles.

The Task Center Administration role is assigned to the administrator to check the connectivity status of all applications.

5.   Troubleshooting steps

  1. Do not create more than one S/4HANA destination for the same system, to avoid duplicate tasks.
  2. Check note 2975987 for the required Support Package level for your S/4HANA version, and implement note 3160475 and its prerequisite notes if required.
  3. Check the principal propagation setup for any approval-related issues.
  4. Update the on-premise My Inbox version to the latest patch level.

Perform the checks below if a task is not available for the user in Task Center:

  • The user ID should be active, with a valid password, in the S/4HANA system and in the Fiori front-end system (for a hub-based Fiori setup).
  • Provide the necessary RFC access for a hub-based Fiori setup to open the tasks.
  • Repopulate the cache in Task Center. To clear the cache, remove the parameter tc.enabled from the BTP destination for S/4HANA, wait until the system is removed from the Task Center Administration tile, and then add the parameter back to the destination.
  • Compare the user UUID between IAS and S/4HANA.
  • Use Postman to call the Task Center export API (URL below) to export the task details, and check the respective task with its assigned Processor ID.

https://api.one-inbox-service-sap.cfapps.eu10.hana.ondemand.com/task-center-service/v1/export
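One way to run the UUID comparison from the checklist above offline, as an added example that is not part of the original post. It assumes IAS users exported as SCIM JSON with the S/4HANA login name in `displayName` (section 2.3) and S/4HANA login/UUID pairs exported from the tables named in section 2.4.1; the row keys `login` and `uuid` and all sample values are constructed.

```python
import uuid

# SCIM extension that carries the Global User ID in IAS user records.
SAP_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"

def normalize(value):
    """Return the canonical lower-case UUID string, or None if value is not a UUID."""
    try:
        return str(uuid.UUID(str(value).strip()))
    except ValueError:
        return None

def compare(ias_users, s4_rows):
    """Return sorted (login, problem) findings for users whose UUIDs do not line up."""
    s4 = {row["login"].upper(): normalize(row["uuid"]) for row in s4_rows}
    findings = []
    # A UUID held by two S/4HANA users makes the UUID-based mapping ambiguous.
    owners = {}
    for login, uid in s4.items():
        if uid:
            owners.setdefault(uid, []).append(login)
    for logins in owners.values():
        if len(logins) > 1:
            findings += [(login, "UUID shared by several S/4HANA users") for login in logins]
    # Correlate each IAS user to S/4HANA by the login name patched into displayName.
    for user in ias_users:
        login = user.get("displayName", "").upper()
        ias_uuid = normalize(user.get(SAP_EXT, {}).get("userUuid"))
        if login not in s4:
            findings.append((login, "no S/4HANA user with this login name"))
        elif s4[login] is None:
            findings.append((login, "UUID not set in S/4HANA"))
        elif s4[login] != ias_uuid:
            findings.append((login, "UUID differs between IAS and S/4HANA"))
    return sorted(findings)

# Constructed sample exports (hypothetical format, not SAP's export layout).
IAS_USERS = [
    {"displayName": "JDOE01", SAP_EXT: {"userUuid": "11111111-1111-4111-8111-111111111111"}},
    {"displayName": "ASMITH", SAP_EXT: {"userUuid": "22222222-2222-4222-8222-222222222222"}},
    {"displayName": "BLEE", SAP_EXT: {"userUuid": "33333333-3333-4333-8333-333333333333"}},
    {"displayName": "CNEW", SAP_EXT: {"userUuid": "44444444-4444-4444-8444-444444444444"}},
]
S4_ROWS = [
    {"login": "JDOE01", "uuid": "11111111-1111-4111-8111-111111111111".upper()},
    {"login": "ASMITH", "uuid": ""},
    {"login": "BLEE", "uuid": "99999999-9999-4999-8999-999999999999"},
    {"login": "DUP1", "uuid": "55555555-5555-4555-8555-555555555555"},
    {"login": "DUP2", "uuid": "55555555-5555-4555-8555-555555555555"},
]

if __name__ == "__main__":
    for login, problem in compare(IAS_USERS, S4_ROWS):
        print(f"{login}: {problem}")
```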

6.   Conclusion

I hope this blog helps you understand the concepts and steps involved in integrating the Task Center service in BTP with S/4HANA on-premise. Task Center streamlines the work of an end user or approver by letting requests from various systems be managed from a single window, which improves user experience and productivity.

Please feel free to post your questions in comment section or in SAP Community for SAP Task Center.

      15 Comments
      Akshaya Maruthamuthu

      Nice Blog !! Keep posting.

      Mio Yasutake

      Great blog, easy to follow!

      Thank you for sharing your knowledge.

      Mauricio Miao

      Hi Somaskandan K,

      Thanks for the blog!

      I am almost finishing the configuration of SAP Task Center connected to S/4HANA onpremises, the only thing missed is IPS config!

      When I tested the My Inbox application embedded inside the SAP Task Center I noticed that the links are not working properly, because they try to open an URL that points to the webgui of our S/4HANA system which is not exposed to the internet of course, so once the user click on the link, he is getting an error 403.

      I exposed the My Inbox using Content Federation, do you know if there is something I can do to make the link tab work using the cloud connector instead of direct access to our S/4 onprem?

      It is curious that the attachment tab is working fine, somehow the application is identifying that it should use the run time connection of the content federation service instead of the S/4 Fiori Launchpad URL.

      There is a "magic" happening in the attachment tab that is not happening in the link tab.

      How is your link tab behavior in the example you presented above in the blog?

      Regards,

      Mauricio

      Somaskandan Kuppusamy
      Blog Post Author

      Hi Mauricio,

      Using My inbox application we are able to access only attachments from backend and the link directly points to application server. It cannot be exposed or routed through cloud connector.

      Based on my understanding this can be mitigated by exposing the respective on-premise content to BTP through content federation, configuring the task/object field parameters of Launchpad application in Workflow parameter metadata (SWFVISU) transaction. By doing so the content of the on-premise application can be accessed from BTP My inbox. But this possibility has to be confirmed by fiori/abap developer.

      The host and port details in the Link section in the My inbox can be customized as per the steps mentioned in 2519744 note.

      Thanks!!!

      Mauricio Miao

      Hi Somaskandan K

      Another issue that I am facing which is quite difficult to solve.

      I am sending the users from IAS to S/4HANA the exact same way you did here.

      The IAS reading is working fine, but when IPS is executing the step to update the data in our S/4HANA system it is failing with following error:

      user:f7764bfc-xxxx-4ab5-xxxx-d4e3b338xxxx,

      system=S4Q,

      time=2022-12-20T19:59:06.823+00,

      error=java.lang.IllegalArgumentException: Cannot acquire user details using NULL username,

      content={"LOCK":"U","SAPUSER_UUID":{"SAP_UID":"f7764bfc-xxxx-4ab5-xxxx-d4e3b338xxxx"},"USERNAME":"VYAMXXX"}

      I tried everything in the transformation but nothing fixed this issue, and does not look like a transformation error because the content has the username filled correctly.

       

      My transformation is like below:

      {
        "user": {
          "skipOperations": [
            "create",
            "delete"
          ],
          "mappings": [
            {
              "sourceVariable": "entityIdTargetSystem",
              "targetPath": "$.USERNAME"
            },
            {
              "sourcePath": "$.userName",
              "targetPath": "$.USERNAME"
            },
            {
              "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
              "optional": true,
              "targetPath": "$.SAPUSER_UUID.SAP_UID"
            },
            {
              "constant": "updateEntity",
              "targetVariable": "operationTypeVariable"
            },
            {
              "constant": "createEntity",
              "targetVariable": "operationTypeVariable",
              "scope": "createEntity"
            },
            {
              "condition": "$.active == false && '${operationTypeVariable}' == 'createEntity'",
              "constant": "X",
              "targetPath": "$.LOCK_LOCALLY"
            },
            {
              "condition": "'${operationTypeVariable}' == 'updateEntity'",
              "constant": "U",
              "targetPath": "$.LOCK"
            },
            {
              "condition": "$.active == false && '${operationTypeVariable}' == 'updateEntity'",
              "constant": "L",
              "targetPath": "$.LOCK"
            }
          ]
        }
      }

      Do you have any clue please?

      Regards

      Mauricio

       

      Somaskandan K

      Hi Mauricio Miao,

      Do not skip create operation, ignore password fields/information in the transformation and check the status.

      {
      "user": {
      "skipOperations": [
      "create",
      "delete"
      ],

      Thanks

      Mauricio Miao

      Hi Somaskandan K

      Removing the create operation solved the issue, I did not understand why but no problems, the important thing is that it worked.

      But now It is generating another error:

      error=com.sap.cloud.ips.connectors.api.ConnectorException: Connector cannot process more entities due to irreparable error Caused by: com.sap.cloud.ips.connector.exception.ProvisioningRuntimeException: com.sap.conn.jco.JCoException: (102) JCO_ERROR_COMMUNICATION: Initialization of repository destination S4HANA failed: Opening connection to backend failed: Timed out waiting for tunnel to open for tunnelId account:///c5fbd894-3058-41a2-9b83-6651xxxxxxx/XXXXXXXIPSQA

      My RFC connection in my BTP subaccount is fine as far as I know:

       

      What am I missing now please? I think I am almost there.

       

      Regards

      Mauricio

       

      Somaskandan K

      Hi Mauricio,

      Add the BAPI as prefix in path during Cloud Connector setup as mentioned and check the status, hopefully the backend user has sufficient permission with role SAP_BC_JSF_COMMUNICATION_RO and access.

      Thanks

      Mauricio Miao

      Hi Somaskandan K,

      The issue is solved, the IPS is working fine now, it was an IP address that was blocked in our proxy server.

      Thanks for the help.

      Regards,

      Mauricio

      Mauricio Miao

      Hi Somaskandan K,

      One last point, regarding the inbox that is displayed inside the iframe, in my case it is presenting all the buttons, which is kind of weird because Task Center already provides the buttons, so they appear duplicated.

      I saw that in your screenshot it is not happening, you were able to hide all the buttons, I thought that it was the parameter "showFooter=false" that made the magic happen, but in my case it did not work.

      How did you do that please?

      My URL settings

      But my Task Center is not looking good 🙁

      Regards

      Mauricio

       

       

      Somaskandan K

      Hi Mauricio

      Update your On-premise My inbox application version with latest patch(1.27.20), believe this will fix the issue. If not it needs to be raised to SAP product team.

      Thanks,

      Abhishek Virendra Tiwari

      Hello Somaskanda.

       

      Really thanks for your blog. It was super helpful.

      Just one issue in my One Task Center. I cannot see the Approve/Reject button.

      Instead I see number like 0001/0002. Is this issue related to workflow created or this is something I need to check on One Task Center side.

       

      For Action in Task.

       

      Many Thanks,

      Abhishek Tiwari

      Somaskandan K

      Hi Abhishek,

      Thanks, action button is based on workflow only, there are some tasks with no action items like update own profile in SuccessFactors. So check the valid approval related workflow scenarios like leave request or PR approval request with Task center and also change the theme and check the status of button for any UI theme related issues.

      Regards,

      Somaskandan K

      Abhishek Virendra Tiwari

      Thank you so much Somaskandan,

      It really was workflow issue.

       

      Adding another question here :).

      Can I open worklist directly in the backend(like we do in MyInbox ) using Open Task instead of redirecting to My Inbox?

       

      Many Thanks,

      Abhishek Tiwari

      Somaskandan K

      No, can't open backend system directly from Task center for On-premise S/4HANA, it cannot be exposed or routed through cloud connector, CC is used to get the data only.

      But cloud applications (like SuccessFactors, Concur, S/4HANA Cloud) can access using Open task button from Task center.

      Thanks,

      Somaskandan K