Configuring a Console Site

Objective

After completing this lesson, you will be able to recognize the key features of the SAP Customer Data Console to manage the site configuration and access tools that display, query, and analyze your user database.

Console Overview

Navigating the Console

The SAP Customer Data Cloud Console is a central hub for managing all aspects of customer identity and access management (CIAM). It provides a user-friendly interface to configure site settings, manage user identities, customize user interfaces, define security policies, orchestrate data flows, ensure data privacy, generate reports, and access advanced configuration tools.

Let's begin with a tour of the SAP CDC Console.

Partner Dashboard

The partner dashboard's home screen displays widgets containing CDC information, such as successful password resets, total accounts, new accounts, new registered identities by provider, pending accounts, and logins.

The Partner Dashboard collects and consolidates available information about your users and presents the Key Performance Indicators (KPIs) in chart form. You can customize your Partner Dashboard by selecting different KPIs, types/sizes of charts, and time ranges. Your customized Partner Dashboard illustrates trends at a glance, gives you deeper insights into customer data, and points you to suspicious activities that may require your attention.

Site and Site Settings

The Sites menu has two elements, Site Selector and Site Settings. Site Selector shows active sites, listing their domain, site ID, description, Data Center, Account Model, and API key.

In the Sites menu, use the Site Selector app to get an overview of your sites, create new sites or child sites within a partner, and access more settings and tools for your site configuration.

In the Site Settings app, you can configure a site's properties, including trusted site URLs and CNAME configurations. These settings are fundamental to Customer Identity projects.

Identity Access

The Identity Access section is where you manage user account information. You can view user profiles, edit details, and perform administrative actions.

The Identity Access menu has two elements, Profiles and Groups. The Profiles page shows user names, email addresses, data center, gender, age, date last updated, identities, and registration type. Clicking on identities shows both site and lite identities.

The SAP Customer Data Cloud Groups feature allows you to organize users into groups.

The One Account Model consolidates all user data, whether lite or fully registered, under a single UID, streamlining user management. The toggle for Lite and Full accounts on the Profiles page in Identity Access has been replaced by a special icon identifying users with a ‘lite’ identity.

User Interfacing

The User Interfacing menu has five elements: UI Builder, Flow Builder, Email Templates, SMS Templates, and Hosted Pages. The UI Builder page shows the screen-sets you can use for Registration, Login, Profile Update, and so on. It also allows you to set the default Login and Registration Screen-Set for both Web and Mobile Web access.

Several apps available in the User Interfacing menu allow you to customize user touchpoints with your SAP Customer Data Cloud-based services.

Use the UI Builder to create screen-sets, which include registration, login, and other flows out of the box; these cover the vast majority of scenarios encountered when consumers log in to your site.

The Identity Flow Builder is a tool that manages Identity Flows for your sites.

Use the Email Templates app to design the emails sent to users as part of their site journey. 

Define text templates for the SMS messages sent out to users as part of their site journey to ensure compliance with each country's text messaging laws and regulations.

Hosted Pages allows you to easily create cloud-hosted pages on SAP Customer Data Cloud servers that implement various flows.

Identity and Security

The Identity menu has two elements: Connect and Security. On the Connect page, six tabs appear: Self Registration, Identity Providers, Inbound Federation, Outbound Federation, Certificate Management, and Trusted Token Issuers. The Self Registration tab has settings to set whether users can log in with email, username, or either; whether accounts can be linked; and whether the site is accessible to youths under the age of 13, as per COPPA compliance.

SAP Customer Data Cloud's Identity section focuses on connection and security policies that govern the user's connections to SAP Customer Data Cloud and your sites.

The Connect section allows you to set up policies for user self-registration, social network identity providers, inbound federation, and outbound federation.

The Security section provides a Security Dashboard and the security policies for Authentication, Identity Verification, and CAPTCHA.

Orchestrate

The Orchestrate menu has five elements: Dataflows, Webhooks, SAP Emarsys Integration, SAP IPS, and Extensions. The Dataflows page shows available dataflows. In this case, there is only one, Export from Gigya to SFTP, in draft mode.

The Orchestrate section includes tools for data integration and workflow automation. It comprises Dataflows and Webhooks, Emarsys Integrations, and Extensions.

Dataflows provide a robust ETL (Extract, Transform, Load) solution for transferring data in bulk between platforms.

SAP Customer Data Cloud Webhooks offer a flexible way to extend SAP Customer Data Cloud's flows by sending a notification to your server upon specific events.

The SAP Emarsys Integrations window helps you configure the connection between SAP Customer Data Cloud and SAP Engagement Cloud (as SAP Emarsys is now called) for contact data synchronization, using the SAP Emarsys connector.

Extensions support secure, synchronous, server-side execution of custom code for data validations, restrictions, and profile enrichment.

Data Privacy

The Data Privacy menu has three elements: Consent Statements, Consent Vault, and Communication Topics. The Consent Statements page shows Terms of Service, Privacy Policy, and other consent statements.

The Data Privacy menu allows you to transparently manage User Privacy and uphold compliance with international privacy regulations.

You can create and manage Consent Statements and use the Consent Vault to view and search the history of all Consent objects on your site. This section also allows you to create communication topics and channels to interact with end-users, such as SMS and social networks.

Reports

The Reports menu has three elements: User Identities, Identity Query Tool, and Customer Insights. The User Identities page displays widgets showing New Registered Users, New Users by Provider, Daily Logins, and Logged-in Users by Provider.

The Reports section provides insights into user data. User Identities shows reports for new registered users, new users by provider, daily logins, and logged-in users by provider.

The Identity Query Tool is a dynamic query tool allowing you to search and retrieve user profile data and metadata.

Customer Insights generates useful user analytics, including demographics, interests, social behavior, influence, and revenue-generating activities. 

Advanced Configuration

The Advanced menu has eight elements: Site Groups, Accounts Schema, User Access, Group Model Management, Site-Level SMS Providers, Certificate Provisioning, Copy Configuration, and Web SDK Configuration. The Site Groups page shows configured site groups’ parent site id, name, data center, account model, number of child sites, and whether SSO is enabled.

The Advanced configuration section provides access to complex configuration tools.

Site Groups lists and manages your SAP Customer Data Cloud sites. Accounts Schema allows you to add custom attributes beyond the default organization and identity attributes. Group Model Management allows you to define groups within your customer data that can hold multiple users. Site-Level SMS Providers allows you to send SMS to your end users at the site or site group level.

Certificate Provisioning prevents API calls to SAP Customer Data Cloud resources from being considered third-party and configures SSO using a Central Login Domain architecture.

Copy Configuration enables you to copy configurations and settings between sites.

Web SDK Configuration allows you to define the configuration for your site or site group, accessible by the SAP Customer Data Cloud Web SDK; these are hosted by SAP Customer Data Cloud, and edited within the Console.

Customer Data Cloud Site Setup

Creating a New Site

To set up your site, you must create your site domain, adding its name to the sites table in the Dashboard. Then, you must select your Data Residency and the Data Center where your site's data will be stored.

The Create Site dialog has a field to set the Site Domain, a Description, a choice of Data Residency between Local and Global Data Center, and a dropdown menu to select a Data Center. The US data center is selected. The dialog has two buttons: Create and Cancel.

It’s important you use separate site definitions for each environment in your development process. For instance, if you have development, staging, and production environments, you need three distinct site definitions, each with its own unique API keys.

Selecting an Account Model

When creating a new site, you'll be prompted to select an account model: either the One Account Model or the Legacy Account Model.

The Select an Account Model dialog gives you the choice of selecting between the Legacy and One Account models. If One Account is enabled, a user can register with an existing loginID created for a One Account. A link is provided to learn more.

When you create a new site, after selecting your data center(s), you’ll now see a new prompt: Select an Account Model. Here, you must select between the new One Account model or the existing Legacy Account model.

  • One Account Model: This model unifies all user accounts, regardless of their registration status (fully registered or lite), under a single, unique account. This simplifies user management and eliminates the need for complex migrations when users upgrade from a lite account to a full account.
  • Legacy Account Model: This model maintains the previous behavior, where lite accounts and fully registered accounts are separate entities. This requires additional migration steps if a user transitions to full registration.

Note

It is crucial you understand the following restrictions before selecting an account model:

  • Irreversible Choice: Once chosen, the account model for a site cannot be changed.
  • Model Isolation: Sites and site groups cannot mix account model types; all child sites must inherit the parent’s account model.
  • Site Group Consistency: You cannot add a site with a different account model to an existing site group.

To make administration easier, the Admin Console’s Sites > Site Selector screen now displays an Account Model column for easy identification of each site’s account model.

The Account Model column in the Sites listing shows whether an account uses the One Account model or the Legacy model.

Remember: your choice of account model is foundational and permanent for each site and its group, so select carefully based on your long-term business needs.

Data Residency and Data Center Selection

Four data centers are marked on a map of the world. The North America data center is located in the Eastern US, the Europe data center in central Europe, the China data center in China, and the Australia data center in south-eastern Australia. Seals indicate compliance with ISO 27018, ISO 27001, and AICPA SOC. Sensitive data is encrypted both in transit and at rest, and the centers offer robust and detailed audit logging.

The Data Center determines where your site's data will be stored. Customer Data Cloud offers four primary Data Centers: US, EU, CN, and AU. This selection is critical for compliance with data privacy regulations and cannot be changed after the site is created. Carefully consider your site's location and the applicable regulations when choosing a data center. Refer to the Finding Your Data Center documentation in the SAP Help Portal.

API Keys: Unique Site Identifiers

The API key is shown in a column of the Sites page.

API keys are automatically assigned to each site upon creation and serve as unique identifiers. These keys are essential for every page of your site that relies on SAP Customer Data Cloud functionality. The API key identifies the calling site and determines the available permissions.

The API key for each domain is listed next to the domain name in the table above. Production environment API keys should never be used for testing purposes. Always maintain separate site definitions and API keys for test and production environments.

Configuring Site Settings

Site settings can be opened from the Site Selector page in two ways: by selecting the site’s entry in the Site Domain column of the table, or by selecting the ellipsis (three dots) button under Actions and choosing Site Settings from the dropdown menu that appears.

The Site Settings page allows you to set Trusted Site URLs, Additional Share URLs, and a Domain Alias, or CNAME.

Site settings include:

  • Site Name: A descriptive name for your site.
  • Trusted URLs: A list of URLs that are authorized to access your site's data.
  • CAPTCHA: Settings for implementing CAPTCHA to prevent bot activity.
  • Additional Share URLs: URLs for social sharing.
  • Domain Alias (CNAME) and SSL: Configuration for custom domain names and SSL certificates.
  • Akamai IP Resolution: Settings for using Akamai's IP resolution services.
  • Custom URL Shortening: Options for shortening URLs.

Settings are configured at an API key level. Child sites inherit the Parent site settings by default, but some settings can be overridden at the Child level.

For more information, refer to the Site Settings documentation in the SAP Help Portal.

Console Administration

The Administration section of the SAP Customer Data Cloud Console is where you manage your system, setting and enforcing user-level and application-level permissions. You can access it by selecting the Administration button at the bottom of the main menu.

A link at the bottom of the Customer Data Cloud Console, labelled ‘Administration’, brings you to the administration section of the console.

As seen below, this section provides access to several key areas, including System Status, SMS Providers, Email Providers, Organization Management, and Access Management.

System Status

The Administration menu allows you to navigate to the administration pages: Status, SMS Providers, Email Providers, Organization Management, and Access Management. The default page shown is the Status Page, which displays graphs related to your system’s performance: requests per second, average response time, server errors, and so on.

SAP Customer Data Cloud offers visibility into the platform’s health related to your sites. System administrators can use the Status Page to monitor high-traffic events in near real-time.

The page displays traffic data of the selected site; in a site group, each child site shows its data, while the parent displays the combined traffic of the entire group.

SMS Providers

The SMS Providers page, the second element in the Administration menu, is where you can choose from one of the available providers, and provide access credentials.

To send SMS to your end users, you must configure an SMS Provider. SAP Customer Data Cloud supports several providers, including Twilio, LiveLink, Sinch, and Karaden. Configuration involves entering the necessary credentials and settings provided by your chosen SMS provider.

Email Providers

In a similar manner, sending email to your end users requires that you configure an Email provider.

The third page on the Administration menu, Email Providers, allows you to choose one of the following providers: Amazon SES, Microsoft 365, Twilio SendGrid, Gmail, Mailgun, SAP Email Provider, and a generic SMTP Provider. It also shows a configured provider’s From Address, SMTP Server URL, the provider’s name and status, and when it was last updated.

SAP Customer Data Cloud supports various providers such as Amazon SES, Microsoft 365, Twilio, Gmail, Mailgun, SAP Email Provider, and generic SMTP providers. Configuring an email provider involves entering the necessary SMTP settings and authentication details.

Organization Management

The Organization Management page allows you to activate a site to use SAP Customer Data Cloud's CIAM for B2B. This assumes you have already set up a site in the SAP Customer Data Cloud console with a valid API key.

The fourth page on the Administration menu is Organization Management. It displays a list of the sites on this partner (site ID, name, description, and type), and buttons to activate or deactivate each site.

For more information, refer to the Site Setup documentation in the SAP Help Portal.

Access Management

The last section of the Administration menu, Access Management, expands into a sub-menu showing Audit Log, Permission Groups, Security Notifications, Log Connector, Administrators, Federated Console Login, Partner Secret Settings, Applications, IP Restrictions, Destinations, and DOM Credentials. The page shown is Audit Logs, where you can search for logs related to a specific site for a date range.

The Access Management section includes the following elements:

  • The Audit Log is a tool that allows site administrators to view actions performed by users and administrators via the Console or by end-users to their accounts (for example, changing a password). It provides a detailed record of activities, aiding in security monitoring and compliance.
  • Permission Groups are sets of features, APIs, and data access permissions in SAP Customer Data Cloud. They define the permissions granted to Console Users and Applications in SAP CDC. By assigning users and applications to specific permission groups, you can control their access to sensitive data and functionality.
  • On the Security Notifications page, you can set up security alerts to receive via e-mail when suspicious activity is detected on an account. This proactive monitoring helps in quickly responding to potential security breaches.
  • The Log Connector tool allows you to expose your log data and send it to specific log providers. This enables you to use the data in platform-related monitoring and correlate your CIAM flow with other application metrics.
  • The Administrators page lists and manages your administrators in SAP Customer Data Cloud. The page allows you to add, edit, and remove administrators, ensuring that only authorized personnel have administrative access.
  • The Federated Console Login page is where you configure the connection between your corporate IDP and the SAP Customer Data Cloud Console. This allows your Administrator users to authenticate to the Console using their employee credentials, streamlining the login process and enhancing security.
  • The Partner Secret Settings page lets you rotate a Partner Secret for your account if the current one becomes compromised. Regularly rotating the secret helps maintain the security of your account.
  • The Applications page allows you to create, remove, and edit application keys. These are credentials given to third-party applications to enable them to access the SAP Customer Data Cloud platform and make system calls. Applications must be associated with Permission Groups to know which permissions they will allow or deny.
  • On the IP Restrictions page, you can control the IP addresses that can access Customer Data APIs on behalf of your organization. You can configure allow lists, deny lists, or both within the SAP Customer Data Console to restrict access to authorized networks.

Security

Securing your Customer Data Cloud environment involves a multi-faceted approach, encompassing access controls, monitoring, and proactive threat mitigation. Let's explore the key security features offered by CDC.

Audit Log

The Audit Log is a critical tool for monitoring actions performed by users and administrators within the Customer Data Cloud. It captures activities within the Console and certain end-user actions, such as password changes. Crucially, actions performed using a user key and secret are audited, while API calls made using application keys are generally not, unless otherwise noted.

The Audit Logs page allows you to set the retention period for logs. Each log entry specifies which API was called, when it was called, the call ID, the User Key used, the SDK, and whether the call was Global.

Even though all audited events are logged, visibility depends on the user/group's privileges. These privileges can restrict viewing items at the site level or grant access at a global partner level. A ‘Global’ entry indicates an API call made outside the scope of a specific site, often related to creating sites, managing user and group information, or handling Access Control Lists (ACLs).

You can configure the retention period for audit log records, which defaults to 12 months. This affects both the Audit Log and the Account Audit Log. To access the Audit Log, navigate to the Administration menu in the SAP Customer Data Cloud console and select Audit Log under Access Management. The Audit Log includes an Advanced Query tool that allows you to view audit log entries using SQL syntax.

Application Keys

Application keys are special user keys not associated with a specific user. They provide credentials to third-party applications, enabling them to access the Customer Data Cloud platform and make system calls. When you add a new application, you essentially create a user key without requiring a user registration flow. While applications may have higher rate limits than administrator users, remember that their actions are generally not audited.

Once an application is defined, it's provided with a User Key and a Secret. These credentials serve as authentication and authorization when making system calls. If an application key is lost or compromised, you can always regenerate a new one in the application settings.

Adding an existing application grants access and permissions to an application that isn't part of your site, such as a third-party service.

The Create New Application dialog asks you for its name, and which group’s privileges it should inherit. In this example, it is ‘_admins’.

For more information, refer to the Acceptable Use Policy documentation in the SAP Help Portal.

Permission Groups

Viewing a permission group displays the permission categories: Roles and Permissions, Partner Dashboard, Sites Dashboard, Sites, User Interfacing, Consent, SMS, Email, Flow Builder, and Extensibility. Each can be expanded. As an example, Sites is expanded, revealing two checkboxes: Edit Site Settings, and Providers Configuration and Permissions, which is followed by buttons to provide Read and Write access.

Permission Groups are a collection of feature access (such as APIs) and data access levels. If a user is assigned to multiple permission groups on the same site, the highest level of permissions prevails.

Privileges are divided into categories and are mapped to allowed API methods.

Scopes display the list of sites that are enabled for a permission group.

Data Field Access allows you to set View and Edit permissions on specific schema fields.

You can also select the level of data access globally:

  • Restricted Data Access (default): The group’s view and edit access must be explicitly granted for each data field.
  • Full Data Access: Allows the group full access to the data of all schema fields.

Data Field Permissions only apply to the following APIs (both REST and JS versions):

  • accounts.getAccountInfo
  • accounts.setAccountInfo
  • accounts.search

For more information, refer to the Permissions Groups documentation in the SAP Help Portal.

Regenerate Application Key

The Applications page allows you to generate a new key for an application, and to set which group’s privileges are assigned to that application. It also enables you to add an App Certificate.

In case the application key gets lost or leaked, you can always navigate to the application settings and generate a new key.

Invite Console Administrators

The Invite Administrator dialog invites you to enter the email of the individual you want to add as an administrator, and the group they will be added to, in this example ‘_admins’.

The Permission Group system enables you to create administrators (user keys), grant them permissions, and evaluate their permissions upon incoming requests. The permissions determine which API methods the user can call, what parameters the user can pass, which values are valid for those parameters, and what types of logical operations are allowed. In addition, permissions are scoped to certain partners or sites. Manage access rights by assigning administrators to groups in the Permissions Groups section.

Account Settings

The Account Settings page, accessed by clicking the Profile icon at the top right of the page, has a tab called API Credentials that shows the logged-in user’s User and Secret keys. A link labelled ‘Generate’ will create a new private key.

User keys grant individual permissions to certain users on certain sites. User keys are more secure than giving all users the partner secret key, which grants full permission to all data and actions on the API key, including the ability to delete user data. In addition, actions taken using the user key are tracked for auditing purposes. 

Partner ID and Secret Key

The Partner ID is a unique identifier for your Customer Data Cloud instance. The Secret Key is used to generate and check cryptographic signatures, verifying the authenticity of Customer Data Cloud processes and preventing fraud.

A site’s detail page lists the Partner ID and a link to the Secret Key. Hovering over this link reveals the Secret Key.

Never use the partner's secret key in your configuration or development, and never share it! Treat it like the root password for your entire partner account.

The Create Active Listing dialog invites you to set the Scope (in this example, Site), the API Key, the Allow List, and the Deny List.

You can control the IP addresses that can access Customer Data Cloud APIs by configuring either allow lists, deny lists, or both in the Customer Data Cloud console. IP Restrictions are configured at the Partner level or for specific API keys in the Active Listings configuration. You can create the List Definitions & Active Listings on the IP Restrictions page, defining lists of IPs or Networks to grant or deny access.

For more information, refer to the IP Restrictions documentation in the SAP Help Portal.
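To make the allow-list / deny-list / both options above concrete, here is an added example (not the lesson's or the product's own code) that evaluates client addresses against constructed List Definitions in the way a reviewer would reason about them before saving an Active Listing. The sample ranges are RFC 5737/3849 documentation addresses, and the precedence (deny wins over allow; an empty allow list imposes no restriction) is an assumption for the demo, not a statement of how the product orders its checks.

```python
import ipaddress

# Constructed sample lists, standing in for List Definitions created in the console.
ALLOW_LIST = ["198.51.100.0/24", "203.0.113.10", "2001:db8:1::/48"]
DENY_LIST = ["198.51.100.66", "2001:db8:1:bad::/64"]


def parse_networks(entries):
    """Turn console-style entries (single IPs or CIDR ranges) into network objects.

    strict=False tolerates host bits set in a range (e.g. 198.51.100.7/24),
    which is how an administrator is likely to type it.
    """
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


def matches(addr, networks):
    # 'addr in net' returns False (never raises) when the address and network
    # families differ, so mixed IPv4/IPv6 lists are safe to evaluate together.
    return any(addr in net for net in networks)


def evaluate_ip(client_ip, allow_list=(), deny_list=()):
    """Decide whether client_ip may reach the API; returns (allowed, reason).

    Assumed evaluation order for this demo (not the product's documented rule):
      1. an address on the deny list is always rejected;
      2. if an allow list exists, the address must appear on it;
      3. with no allow list, anything not denied is accepted.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        # Fail closed on malformed input such as a garbled forwarded-for value.
        return False, "unparseable address"
    if matches(addr, parse_networks(deny_list)):
        return False, "matched deny list"
    allow_nets = parse_networks(allow_list)
    if allow_nets and not matches(addr, allow_nets):
        return False, "not on allow list"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample clients, one per outcome.
    for ip in ["198.51.100.25", "198.51.100.66", "192.0.2.1",
               "2001:db8:1::5", "2001:db8:1:bad::1", "not-an-ip"]:
        print(f"{ip:>20} -> {evaluate_ip(ip, ALLOW_LIST, DENY_LIST)}")
```

The 198.51.100.66 case is the one worth checking when you combine both lists: it sits inside an allowed /24 but is explicitly denied, and under the assumed precedence the deny entry wins.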

SDK Management

The SDK Management tab of the Security page lets you allow or block specific versions, or all versions, of iOS, Android, Web SDK, or Rest API.

The SDK Management settings page allows you to block potentially malicious calls that use SDKs not in use by your site. When enabled, only traffic from the selected SDK versions is allowed, increasing the security of your sites by blocking such calls in real time.

The following SDKs are available:

  • WebSDK
  • REST
  • Android
  • iOS

The accounts.rba.sdkConfiguration.get API retrieves a list of all SDK types and their versions supported on the site.

For more information, refer to the SDK Management documentation in the SAP Help Portal.

Federated Console Login

The Federated Console Login page offers two tabs: SAML Console Login, and OIDC Console Login. The SAML Console Login tab invites you to enter the domain, Issuer, Provider Endpoints, specify the Name ID Format, and define attribute mapping.

Federated Console Login configures login to the SAP Customer Data Cloud admin console using your corporate identity management system. It supports Security Assertion Markup Language (SAML) 2.0 and OpenID Connect (OIDC).

For more information, refer to the Federated Console Login documentation in the SAP Help Portal.

Security Notifications

The Security Notifications page lets you enter up to five emails that will receive security alerts. The page then invites you to specify which sites you want ATO risk alerts from.

You can opt in to receive security alerts by email when suspicious activity is detected on an account. The Account Take Over (ATO) Engine detects suspicious activity on the sites, and you can specify whether to monitor all sites/site groups or only specific API keys/groups.

For more information, refer to the following video: Taking a Tour of the SAP Customer Data Cloud Console