SAP Task Center setup for S/4HANA On-Premise

Introduction:

The SAP Task Center service enables integration with various SAP applications to provide a single entry point for end users to access all their assigned approval tasks. The tasks can be accessed by end users through the SAP Task Center Web application

This blog details integration of Task Center in BTP with S/4HANA on-premise.

Prerequisites:

• SAP BTP Cloud Foundry environment
• Task Center service in BTP
• Launchpad service in BTP
• Identity Authentication service (IAS)
• Identity Provisioning service (IPS)
• SAP Cloud Connector
• SAP S/4HANA On-premise

The integration of SAP Task center with On-Premise S/4HANA involves the below listed activities

1. Task Center configuration with S/4HANA On-Premise system.
2. Update user UUID from IAS to S/4HANA user.
3. Integration of My inbox app with SAP BTP Launchpad service
4. Configure Launchpad site and Role Assignment

1.   Task Center configuration with S/4HANA On-Premise system

1.1   Deployment of Task Center & Launchpad Service in BTP

SAP Task center is available on BTP Cloud Foundry environment only. Establish trust between Identity Provider and subaccount of Task center.

Run the Booster setup for Task center to complete the Automatic setup of Task Center, which creates the sample destinations for the SAP Solutions to be connected with sample values for the properties and subscription to the SAP Launchpad service application. Refer to the help document to run booster setup.

1.2   SAP Launchpad service configuration for Task Center

1.2.1.   Navigate to Instance and Subscriptions in BTP, Select the Launchpad Service and click Go to Application to access the Site Manager

1.2.2.   Update the content of Launchpad service from Site manager and add the apps to My Content.

1.2.3.   Create new Group and Role in Site Manager for Task center and Task Center Administration.

1.2.4.   Create a new site for Task center application and add the Task Center Role.

1.3   Cloud connector setup for Task Center and S/4HANA On-Premise

The cloud connector is used to connect Task Center with On-Premise S/4HANA. The cloud connector must be configured to use UUID of the user as subject pattern for Principal Propagation to S/4HANA.

Note: In case the cloud connector is currently configured with different subject pattern for Principal Propagation (for example, e-mail), use other cloud connector with user UUID as the subject pattern for Task center to communicate with S/4HANA.

1.3.1.   Configure the BTP CF subaccount in Cloud Connector

1.3.2.   Create http connection to backend S/4HANA with Principal Propagation using X.509 Certificate (strict usage). In the URL path section, allow access to /sap/opu/odata4/sap/ path and sub path.

1.3.3.   Navigate to configuration menu in SAP Cloud Connector, Select On-Premise section to generate system certificate and CA certificate. It can be Self signed or CA signed certificate.

1.3.4.   In the Principal Propagation section, Configure the “user_uuid” as the subject pattern and download the sample certificate.

1.4  Configuration in S/4HANA system

In S/4HANA System, execute the SPRO transaction, choose SAP Reference IMG -> SAP NetWeaver ->  Application Server -> Business Management  -> SAP Business Technology Platform Integration -> SAP Task Center Integration

Execute the below tasks under the SAP Task Center Integration sections.

Note: The configuration path may differ based on S/4HANA versions

1.4.1.   Publish the OData V4 service group on the S/4HANA system for the below services (Tcode /IWFND/V4_ADMIN),

• API_TASK_SPI_REPLICATION
• API_TASK_SPI_DETAILS

1.4.2.   Create a role for Task Pull Service and assign it to Service User in S/4HANA

1.4.3.   Create role for Task Detail Service and assign the role to S/4HANA business users

1.4.4.   Execute STRUST transaction and upload the Cloud Connector system certificate (in section 1.3.3) into SAP Server Standard PSE.

1.4.5.   Execute CERTRULE transaction, upload the generated sample certificate from Cloud Connector (in section 1.3.4) and create rule with User UUID as the identifier.

1.4.6   Add the below listed parameter in default profile of S/4HANA system and restart the system.

1. login/certificate_mapping_rulebased – 1
2. icm/trusted_reverse_proxy_0 – SUBJECT=”CN=vmw6281.wdf.sap.corp, OU=PM, O=SAP, C=DE”, ISSUER=”CN=priv.root.ca, OU=PM, O=SAP, C=DE”

1.5   Destination creation at BTP Subaccount

1.5.1   Create destination in BTP to connect IAS

Configure the IAS destination in BTP to connect the identity directory of Identity Authentication and retrieve the required information about the end users. This is required for all SAP application integration with Task Center.

1.5.1.1.  Create an Administrator user in IAS and generate the certificate for the administrator user in IAS.

1.5.1.2.  Upload the generated certificate of IAS Administrator in the destination section of SAP BTP CF sub account.

1.5.1.3.  Update the IAS url in Identity_Authentication_Connectivity_IDS destination in BTP subaccount and use the IAS user certificate for authentication.

1.5.2.   Create a destination in BTP to connect S/4HANA

Clone the sample S/4HANA destination and update the virtual host, virtual port  and location ID from the registered cloud connector. Use Basic Authentication with SAP Service user credentials created in section 1.4.3.

Update the below additional properties

• tc.enabled – True (To enable the Task center for the destination)
• tc.ui.group – Name of the application in Task center tile
• tc.ui.lable – Sub name of task

2.   Update user UUID in S/4HANA

For integration scenarios with SAP applications, such as SAP Task Center, you need a common identifier for the users in your system landscape. In this scenario, the common identifier is the Global User ID which acts as a correlation attribute. This UUID value uniquely identifies a user across the landscape and helps the SAP Task Center application to relate tasks assigned to respective users from different backend systems.

SAP Task center must be integrated with Identity Authentication service (IAS) and Identity Provisioning service (IPS) to generate and distribute Global User ID. In this case, the attribute is automatically generated by Identity Authentication at user creation. Its value is populated in the User UUID field for every newly created, imported or provisioned user. After that, Identity Provisioning distributes it to various SAP applications

Not only the Task approvers but all the users in S/4HANA must be available in IAS. The user UUID of the respective users in IAS must be updated back to S/4HANA. Otherwise “created by” user information field of the task will not be available in Task center application

In Identity provisioning System, use system type as “SAP Application Server ABAP” to provision the user UUID information to S/4HANA system.

2.1   Cloud connector setup for IPS and S/4HANA On-premise

Follow the below step to create RFC Destination in IPS subaccount to connect backend S/4HANA.

Note: This destination setup is required only when we use SAP Application Server ABAP type in IPS configuration. For rest of the connection types in IPS, the parameter values defined in the property tab is used for connection.

2.1.1.   Configure the IPS subaccount in Cloud Connector.

2.1.2.   Create Cloud To On-Premise connection to backend system using RFC Protocol.

2.1.3.   Add the below BAPI as prefix in the resources section of backend connection.

• PRGN_ROLE_GETLIST
• BAPI_USER_GETLIST
• BAPI_USER_GET_DETAIL
• BAPI_USER_CREATE1
• BAPI_USER_ACTGROUPS_ASSIGN
• IDENTITY_MODIFY
• BAPI_USER_DELETE
• PRGN_ACTIVITY_GROUPS_LOAD_RFC

2.1.4.   Switch to the subaccount of IPS, create a destination of type RFC to connect S/4HANA system. Use Basic authentication to connect the backend system.

Add the below additional properties:

• Jco.client.ashost – Virtual host defined in Cloud connector destination
• Jco.client.client – Client number of SAP system
• Jco.client.sysnr – System number of SAP system

2.2.   Create/Update users in IAS from S/4HANA

IAS acts as central repository of users for multiple applications (like S/4HANA, SuccessFactors, Concur, Ariba etc) registered to it. The login name and email ID is used as the unique attributes to connect IAS.

There are two scenarios to update the user UUID to S/4HANA system,

Scenario 1 -> Users in IAS are created from different applications (Eg SuccessFactors, CONCOR) using IPS Sync jobs and users in S/4HANA system is yet to be synchronized with IAS.

This scenario is further classified into two segments based on the Identical or non-identical user name and email address.

Scenario 1.1: Identical Login Name and Email address:

If the login name and email id of the user is identical for all the applications integrated to IAS, then the process is straight forward.

In this scenario the user already exists in IAS, so we create or update the user in S/4HANA and also update the UUID of the user form IAS to S/4HANA using IPS jobs. Please note that Login name of S/4HANA alone is supported and can be used as unique attribute between IAS and S/4HANA to sync IAS user details and UUID with user in S/4HANA.

Scenario 1.2: Different Login name and same Email address:

Assume that, the login name of S/4HANA User and SuccessFactors users(or user from other application) is different but has the same email address maintained in both the applications. IAS has existing user master record based on SuccessFactors.

In this scenario IAS User detail/UUID can’t be updated to S/4HANA system because the login name in IAS does not match with the login name of user in S/4HANA. So S/4HANA login name need to be updated against the respective IAS users in other user master fields like display name or custom attribute.

IPS sync jobs using Put operation completely replaces the existing user details in IAS with user details of S/4HANA which leads to inconsistencies in IAS user master. The other application which relay on IAS for user authentication will end up in access issues.

To avoid this issue, IPS jobs with patch operation must be used which make sure no information of existing IAS user gets changed and it just patch the login name in other field(like display name or custom attribute)  to identify the user in S/4HANA

Scenario 2 -> Users are not available in IAS

Create the users in IAS manually or by using IPS provisioning from S/4HANA and push the respective UUID details of IAS user back to S/4HANA through another IPS provisioning job.

The above discussed scenarios are purely for better understanding of the ways and means in which users in IAS can updated using Identity Provisioning jobs.

2.3.   Create/Update users in IAS for TASK Center Integration

For the task center integration in this blog, we used two IPS jobs. First IPS job to patch S/4HANA login name in display name field in IAS user master data and second IPS job is used to update the respective UUID field of IAS user to S/4HANA user.

2.3.1.   IPS Transformation from S/4HANA to IAS:

1. In IPS, add a source system with ABAP application server type and select the RFC destination created in IPS subaccount.
2. Two user groups are created in IAS. One for S/4HANA users and other for Task center approvers based on role assignment in S/4HANA system though IPS jobs.
3. S/4HANA users Login name will be updated in display name field of users in IAS.
4. Email Id is used as unique attribute in target transformation to provision the details to users in IAS.

Note: Transformation logic is subject to change based on the business requirement.

2.3.1.1.   S/4HANA Source Transformation:

Below transformation logic read the users in S/4HANA and assign the user to respective user group in IAS (i.e) S/4HANA users get assigned to S/4HANA_USER group  and Task approvers will be assigned to TASKCTR group in IAS,  based on their role assignment in S/4HANA system

2.3.1.2.   S/4HANA source Parameters:

2.3.1.3.   IAS Target Transformation:

If user exists in IAS, Below transformation logic perform patch operation to update SAP login name in display name field of IAS or create the new user if the user is not available in IAS.

Patch operation is supported for IAS system, check the IPS guide for more details on the supported system.

Set the parameter scim.support.patch.operation to true

Add the below transformation to perform Patch operation

           {
                "constant": true,
                "targetVariable": "is.scim.patched.entity",
                "scope": "patchEntity"
            },
            {
                "constant": "urn:ietf:params:scim:api:messages:2.0:PatchOp",
                "targetPath": "$.schemas[0]",
                "scope": "patchEntity"
            },

Patch operation is performed based on correlation attribute, User name or email Id can be used. In this scenario user name in IAS is different from the one in S/4HANA system, so email ID is used.

            {
                "constant": "emails.value",
                "targetVariable": "entityCorrelationAttributeName"
            },
            {
                "sourcePath": "$.emails[0].value",
                "targetVariable": "entityCorrelationAttributeValue"
            },

Below logic perform Patch operation of Login name in Display name field of IAS. S/4HANA Login name will be updated in display name field in IAS with below transformation.

            {
                "condition": "$.userName EMPTY false",
                "constant": "add",
                "targetPath": "$.Operations[0].op",
                "scope": "patchEntity"
            },
            {
                "condition": "$.userName EMPTY false",
                "constant": "displayName",
                "targetPath": "$.Operations[0].path",
                "scope": "patchEntity"
            },
            {
                "sourcePath": "$.userName",
                "optional": true,
                "targetPath": "$.Operations[0].value",
                "scope": "patchEntity"
            },

To patch more than one field, add the corresponding logic to each field and change the Operations[1].op count accordingly.

2.3.1.4.   IAS Target Parameters:

2.4.   Update the SAP Global user ID(UUID) in S/4HANA

2.4.1.   IPS Transformation from IAS to S/4HANA:

1. In IPS, Add a source system as IAS and read the users from S/4HANA user groups.
2. Add ABAP application server type as a Target system and select the RFC destination.
3. In the target system transformation logic, all the fields are ignored except the UUID field, so UUID will only be updated to S/4HANA users.
4. UUID assignment to S/4HANA users can be checked in USR_BY_GLOBALUID and USR_TO_GLOBALUID Table in S/4HANA and user change documents for the respective user.

2.4.1.1.   IAS Source transformation:

Read the users from group and map the display name to user name to identify the user in S/4HANA, ABAP functional module will use this input and update the user UUID data to respective users.

2.4.1.2.   IAS Source system parameters:

Set the below parameter to read the users from group,

Ias.user.filter – group.display eq “S/4HANA_User”

2.4.1.3.   S/4HANA system Target transformation:

Ignore the remaining fields except the user UUID in the transformation used to update S/4HANA. IPS job uses the RFC destination and BAPI to update the user UUID field.

2.4.1.4.   S/4HANA Target parameters:

3.   Integration of My inbox app with SAP BTP launchpad service

More details about the task created in S/4HANA can be displayed by integrating My Inbox application in Task Center. And by doing so, Task center displays the additional details using the iframe URL embedded with the task details.

In the below screenshot the iframe URL embedded with task is highlighted in green.

Note

Refer to the blog for more details on integrating My Inbox on-premise application with BTP Launchpad.

4.   Configure Launchpad site and Role Assignment

Launch Site Manager in Launchpad Service to add the My inbox role along with Task center site created in step 1.2.3 or add the role in another site and maintain the site details in S/4HANA as mentioned in step 4.1.

4.1.   Configure the Launchpad Site details in S/4HANA

To integrate My Inbox application with Task center, update the My inbox site details of launchpad service in below mentioned path in S/4HANA system.

Launch SPRO Tcode -> choose SAP Reference IMG -> SAP NetWeaver ->  Application Server -> Business Management  -> SAP Business workflow  -> Basic settings (Workflow system) -> Maintenance of URL Settings

4.2.  Role mapping to users in IAS

Task Center Operator role and My inbox role to be assigned to respective IAS users to execute their activity in Task Center.

Roles in BTP has been mapped to user groups in IAS (Refer step 2.2). Through which Users in the respective IAS group will inherit the BTP roles.

Task Center Administration role is assigned to the Administrator to check the connectivity status of all application.

5.   Troubleshooting steps:-

1. Can’t have more than one S/4HANA destination for same system to avoid duplicate tasks.
2. Check the note 2975987 for required Support Package detail information for S/4HANA version and implement the note 3160475, prerequisite notes if required.
3. Check the principal propagation setup for any approval related issues.
4. Update On-premise My Inbox version to latest patch level

Perform below checks if the task is not available for the user in Task Center

• User Id should be active in S/4HANA system and Fiori front end system (for HUB based fiori setup) with valid password.
• Provide necessary RFC access for HUB based Fiori setup to open the tasks.
• Repopulate the cache in Task center, To clear the cache in Task Center, remove the parameter tc.enabled from BTP destination for S/4HANA. Wait till the system gets removed from Task Center Administration tile and again add the parameter to back destination.
• Compare the user UUID between IAS and S/4HANA.
• Use the postman API to export the task details from Task Center, check the respective task with assigned Processor ID.

https://api.one-inbox-service-sap.cfapps.eu10.hana.ondemand.com/task-center-service/v1/export

6.   Conclusion

Hope this blog helps you to understand the concepts and steps involved in Integrating Task Center service in BTP with S/4HANA on-premise. Task center highly optimises the work of an end user or an approver, where the request from various system can be managed from single window and this feature helps to enhances the user experience and productivity to a greater extent.

Please feel free to post your questions in comment section or in SAP Community for SAP Task Center.