amalakar

In this blog I will explain how Fiori apps defined in an S4HANA on-premises system via roles, catalogs and groups can be accessed in an SAP Build Work Zone, standard edition (formerly SAP Launchpad service) site using content federation. We will also see that SAP Build Work Zone, standard edition can be the central entry point for Fiori apps coming from different content providers, so users can access all their apps in one place.


To achieve content federation, we access the S/4HANA on-premises system from the SAP Build Work Zone, standard edition site through SAP Cloud Connector, which provides the tunneled access. The integration is done at role level, and the content under the roles (groups, catalogs, apps) is exposed to SAP Build Work Zone.


In the previous blog post, I covered integrating HTML5 freestyle Fiori apps that are deployed in Cloud Foundry. There, the Cloud Foundry environment is the content provider giving access to HTML5 apps within SAP Build Work Zone, standard edition.

Configuration Steps for BTP content Federation: -

Step 1: - Subscribe to the SAP Build Work Zone, standard edition.

Step 2: - Cloud connector Setup

Step 3: - Setup the Runtime and Design-Time destinations in SAP BTP

Step 4: - Expose content from SAP S/4HANA

Step 5: - Import the content in SAP Build Work Zone, standard edition.

Step 6: - Assign the imported roles to the Site.

Step 7: - Add the roles to the user.

Step 8: - Access the federated content

Step 1: - Subscribe to the SAP Build Work Zone, standard edition.

In the trial account, we have to subscribe to the "SAP Build Work Zone" service.


Step 2: - Cloud connector Setup

a. Connect BTP Trial account.

In the cloud connector, add SAP BTP trial account as a subaccount.


To find the right information to enter in SAP Cloud Connector, open SAP BTP trial in a second browser tab and open the subaccount.



b. Configure access control.

We must specify the on-premises backend system that the trial account should be able to access and add a resource for it in the Cloud Connector.


Step 3: - Setup the Runtime and Design-Time destinations in SAP BTP


a. Create the design-time destination.

The design-time destination is used to fetch the federated content from the content provider system during design-time.


Click on New Property to add an additional property to the destination.

Enter sap-client as the property name and the client of the SAP S/4HANA system as the value, e.g., 100 for the SAP S/4HANA trial.

b. Create the runtime destination.

The runtime destination is used to launch federated applications at runtime.


In New Property, add the following properties to the destination. We have to type in the property name if it is not available in the dropdown list.

| Property Name | Value |
| --- | --- |
| HTML5.DynamicDestination | TRUE |
| sap-platform | ABAP |
| sap-client | 100 - Client ID of the SAP S/4HANA system |
| sap-service | A string that consists of the first two characters 32 and the instance number of the ABAP application server, 3200 for the current system |
| sap-sysid | System ID of SAP S/4HANA system |
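
A check for the runtime destination properties listed above, added here as an example (it is not part of the original post and not SAP code). It assumes the destination is available as key=value lines, that property names are case-sensitive, and that ProxyType should be OnPremise because access is tunneled through the Cloud Connector; the sample values are constructed.

```python
import re

# Value rules for the runtime-destination properties in the table above.
RULES = {
    "HTML5.DynamicDestination": r"(?i)true",
    "sap-platform": r"ABAP",
    "sap-client": r"\d{3}",           # e.g. 100
    "sap-service": r"32\d{2}",        # "32" + instance number, e.g. 3200
    "sap-sysid": r"[A-Z][A-Z0-9]{2}",
    "ProxyType": r"OnPremise",        # assumption: routed via Cloud Connector
}

def parse_destination(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def check_runtime_destination(props):
    """Return (property, problem) findings; an empty list means clean."""
    findings = []
    by_lower = {k.lower(): k for k in props}
    for name, pattern in RULES.items():
        if name not in props:
            # Names are compared case-sensitively (assumption), so report
            # a near miss such as "Sap-client" instead of plain "missing".
            near = by_lower.get(name.lower())
            findings.append((name, f"spelled {near!r}" if near else "missing"))
        elif not re.fullmatch(pattern, props[name]):
            findings.append((name, f"unexpected value {props[name]!r}"))
    return findings

# Constructed sample: sap-client is mis-cased and sap-service lacks the
# instance number. The system ID S4H is a placeholder.
SAMPLE = """\
Name=S4hanart
Type=HTTP
ProxyType=OnPremise
HTML5.DynamicDestination=TRUE
sap-platform=ABAP
Sap-client=100
sap-service=32
sap-sysid=S4H
"""

if __name__ == "__main__":
    for name, problem in check_runtime_destination(parse_destination(SAMPLE)):
        print(f"{name}: {problem}")
```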

Step 4: - Expose content from SAP S/4HANA

a. Activate clickjacking protection.

Since the SAP S/4HANA apps are integrated into SAP Build Work Zone using iFrames, we need to configure an allow list to protect the system against clickjacking attacks. We can manage such allow-list scenarios with the Unified Connectivity Framework (UCON Framework) to optimize the protection of RFC and HTTP(S) communication against unauthorized access.


To allow SAP Build Work Zone to consume data from the SAP S/4HANA system, we add the trial account to the allow list for Clickjacking Framing Protection via transaction code UCONCOCKPIT.



b. Add FLP entries

We need to set the customizing parameter EXPOSURE_SYSTEM_ALIASES_MODE. This parameter defines how system aliases are handled during content exposure. In an embedded deployment of the SAP Fiori front-end server, all apps run on the same server, so system aliases can be cleared during exposure. In a hub deployment, in contrast, apps might come from different back-end systems, and each back-end system may have several aliases. In that case we need to map these aliases to the runtime destinations manually after creating the content provider.


This setting is required in S4HANA.


c. Check activation status of cdm3 service

Service /sap/bc/ui2/cdm3 should be activated in the SAP S/4HANA system.



d. Select SAP Fiori Content for Exposure

Run transaction /n/UI2/CDM3_EXP_SCOPE and add the roles we want to expose; here we have used custom roles.



Step 5: - Import the content in SAP Build Work Zone, standard edition.

a. Create a new Content Provider

Open the Channel Manager of SAP Build Work Zone, standard edition. In the “Provider Manager” tab, add a new content provider "s4h" and provide the details below. We will use the design-time destination "S4hanadt" and the runtime destination "S4hanart" created in step 3.



A new content provider is created for the S4HANA on-premises system in BTP, and exposure logs are generated in the report.



b. Add roles to My Content


Open Content Manager and click on “content explorer” to access content coming from content providers.


Select the newly created content provider "s4h"; we can see the roles that were exposed from the S4HANA on-premises system.


Select the roles and add them to the content with the button “Add to My Content”.


Now we will be able to see those roles in “My Content”.


Click the “Role for Procurement” to open it and view the apps that are part of this role. We can see that there are 3 apps (shown on the right side) available in this role. In the next step, we will assign the role to the site.

Step 6: - Assign the imported roles to the site


To make the apps that come with the federated roles available in the site, we need to assign the roles to the site.

Click the Site Directory icon to access the site and add the exposed roles coming from S4hana.


Step 7: - Add the roles to the user in BTP.

Fiori Apps are only displayed to users with the corresponding roles assigned.

The federated roles above are created automatically in the SAP BTP cockpit under the Role Collections section. We assign those role collections to users in the SAP BTP cockpit.



In the role collections, they are visible in the format ~<Provider Name>_<Role Name>.



Step 8: - Access the federated content

Launch the site from the “Site Directory” in SAP Build Work Zone, standard edition.


We can now see the respective Fiori apps assigned via role collections to the user.

Since role collections for both content providers are assigned to the user ID, the site shows Fiori apps coming from both “HTML5 apps (Green)” and “S4HANA on premise (Blue)”.


Conclusion:

We can access the S4HANA on-premises Fiori apps along with the HTML5 apps based on the Role collection assigned to users in the same SAP Build Work Zone, standard edition site.

Hence users can access all their apps via the central entry point. The more Fiori apps from different sources a user needs to access, the greater the benefit of having one central point of access.

I hope this blog post helps you during your role configuration. We look forward to your comments and feedback.

Happy Learning and please follow for more content on SAP BTP security.

Also please follow SAP Business Technology Platform Security Topic Page  https://community.sap.com/topics/btp-security

SAP Help Reference:

Federation of Remote Content Providers

 