SAP S/4HANA Cloud ABAP Environment integration journey with Microsoft – Part 1 – Microsoft Teams approval
>> part 2
Hello and welcome back to your ABAP Cloud with Microsoft integration journey. Part 0 of this series got you covered with the prerequisites to get your SAP dev environment with ABAP Development Tools (ADT) on Eclipse up and running.
Today we approve a travel booking request issued to SAP from Microsoft Teams. The orchestration happens through the ABAP cloud compliant RAP enabled business object. Wow, that was a mouthful 🤯but no worries, there will be screenshots and more mumbo-jumbo to help you along. See below the architecture for the flow.
|🛈 To ensure the usage of the ABAP environment in “on-premises” or private edition scenarios, simply verify the ABAP language version setting on ADT is set to “ABAP for Cloud Development”. Find the option on the Properties pane under General. Public edition or BTP ABAP environment in any flavor default to ABAP Cloud automatically.|
Generate the complete ABAP object tree on ADT
For this sample I ran through the SAP developer tutorial “How to Create RAP Business Events in an On-Premise system” till step 7 (skipping 5 and 6), which creates a Travel Booking app. It was the simplest one regarding the integration without any additional “shi-shi”.
Pay special attention to:
- Step 2 subsection 4: The program supplied by the tutorial relies on an existing table with demo data. In case that doesn’t exist in your system you can skip step 2 and easily create your own values from the Fiori preview screen once you have generated them in step 3.
- Step 1 subsection 4: My S/4 HANA 2022 didn’t contain the SAP demo namespace “/dmo/” referenced by the tutorial. Replace them with internal types (e.g. abap.numc(6) instead of /DMO/travel_id) to continue (have a look at my modified version of it here). Alternatively, you may consider loading the “/dmo/” objects via abapGit as SAP described here and here. See this community post for reference.
- Skip step 5-6
- Step 7 subsection 3: Use my implementation of the “lcl_event_handler” class instead
The last step of the tutorial introduces the custom behavior for the “Save” action. We are using it to send the approval request to Microsoft Teams to change the Travel Request state.
|🛈 In case you are curious to go down the RAP built-in eventing route, described by the remaining parts of the tutorial, have a look at this blog post. In there, I describe the various options available. Among them is also native SAP Event Mesh integration with Azure Event Grid.|
A deep dive into the integration options with Microsoft services for this scenario
There are multiple options to interact with Microsoft services like Microsoft Teams. Any compute that can perform the authentication flow and http request achieves the technical goal (check the security section at the end for more insights)
See below a list of integration options that I typically discuss with our joint SAP + Microsoft customers:
- SAP Integration Suite on Azure with Microsoft Connectors or custom http/OData adapter
- Azure Integration Services (AIS) with out-of-the-box Connectors using Microsoft Graph under the hood
Since Azure Logic Apps (serverless low code workflow engine in AIS) has a drag & drop experience with a couple of clicks to send an adaptive card to Teams I chose that path. See projects like SAP’s bridge framework to generate mentioned cards with SAP means in case you go down that route instead.
So, on to Azure…
For starters, deploy the provided Azure Logic App to your Azure Subscription using the “Deploy to” button on GitHub or this link from here. Once finished, navigate to the app, and authorize your Teams connection.
Open the Logic App and retrieve the generated endpoint URL from the http trigger. It contains an access signature. That is the simplest way to get started.
|🛈 For production readiness, see the next section for more details on how to secure and isolate the integration workload using private virtual network integration, Azure AD backed OAuth2 flows, and OIDC etc.|
Secret hint: Fix Logic Apps Designer UI glitches ad-hoc by navigating to Code View saving from there.
Copy the URL and add to your ABAP code in line 8.
CLASS lcl_event_handler IMPLEMENTATION. ***** Make your changes below METHOD save_modified. ***** Act on booking create action. Use update, delete, etc. for alternate behavior. IF create IS NOT INITIAL. ***** Setup http request to Azure Logic Apps. DATA(dest) = cl_http_destination_provider=>create_by_url( 'https://prod-78.eastus.logic.azure.com:443/workflows/your-id/triggers/manual/paths/invoke?api-version=2016-10-01&sp=your-access-signature' ). DATA(client) = cl_web_http_client_manager=>create_by_http_destination( dest ). DATA(req) = client->get_http_request( ). ***** Create JSON payload from booking item properties DATA(lv_json) = /ui2/cl_json=>serialize( create-booking ). req->set_text( lv_json ). req->set_header_field( i_name = 'Content-Type' i_value = 'application/json; charset=UTF-8' ). ***** POST message to Azure Logic Apps DATA(create_response) = client->execute( if_web_http_client=>post )->get_text( ). client->close( ). ENDIF. ENDMETHOD. ENDCLASS.
the class cl_http_destination_provider doesn’t exist in S/4HANA Cloud ABAP environment private edition. To implement with embedded steampunk use the wrapper-concept with system-internal release (C1) for use in Cloud Development as described by SAP here.
Updating above abap snippet with next post.
In my sample using the /ui2/cl_json class to generate the JSON payload for the POST request from the booking business object structure. Kudos to Stoyko Stoev and his blog post describing an ABAP Cloud option for REST calls.
With that we are ready for an integration test 😎
Debugging with Fiori Preview and ADT
Put a break point on the save_modified method and open the Fiori preview of your Booking app.
Everything working as expected? Great, I had no doubts🤞. Release your breakpoint and head over to your Azure Logic App to inspect the run.
Note the successful workflow steps generating the adaptive card with the details from your Fiori booking app including the buttons to approve/reject the request. Hit approve for the fun of it because the description field reads “much needed vacation”.
Using the OData service generated for the RAP enabled business object, we can send an efficient PATCH request and adjust its status from Open (“O”) to Approved (“A).
See tutorial step 3 “Generating the transactional UI services” for reference on the OData v4 service generation.
And that’s it. Only thing left to do, is marveling at the beauty of the approved booking request 🤩
Fully isolated Azure environments
Done marveling? Ok, then let’s get serious again and see what is needed to uplevel this integration scenario into production readiness. Fixed access signatures are nice and simple but not going to cut it 😉also I know many of you love their private networks. Here you go 👇
All involved components can be isolated in a private virtual network. In addition to that they can be restricted to accept requests only from your own internal Azure services or IP ranges. Furthermore, OAuth2 or OIDC flows may be employed for secure authentication. For the callback to the SAP RAP enabled OData service X509 certificates or the OAuth2SAMLBearer flow are desirable for production. See this blog post and this Azure APIM policy to learn more about the setup process.
Stay tuned for part 2 of the steampunk series for insights into the X509 setup for BTP ABAP environment.
🛈 Comment on the side: you may implement above architecture in a similar fashion using SAP API Management, SAP Cloud Integration or SAP Build Process Automation. However, be aware that they have no private network injection capabilities. They are Internet-facing by design like Microsoft Teams or M365. And rightfully so, if you ask me – focus on app layer security rather than network.
Still many corporations like their private networks, hence my architecture reference above with private virtual networks on Azure.
What if I want pure ABAP without any integration services as negotiators?
Instead of using the Azure Integration Services you can make the call to Teams from ABAP without any intermediary if you wish. Get inspired from the code here to infuse your existing code. The ABAP classes speed up the integration with Microsoft Graph and Azure managed identities for instance.
However, compared to the “pure ABAP” way, using a workflow engine brings separation of concerns and the added value of managed connectors for the integration. In addition to that, the different developer personas (ABAP and Azure), that need to collaborate, also profit from this split as they can focus on their domain.
For event-driven approaches using ABAP, see this blog post.
That’s a wrap 🌯you saw today how you can enhance the SAP RAP logic from the S/4HANA Cloud ABAP environment (public or private doesn’t matter) to surface an SAP approval process directly in Microsoft Teams. We used adaptive cards exposing buttons to kick off the approval process. To conclude we shed some light on how to secure the scenario properly.