Tell us what you think

We want to create the best possible experience for our learners. Your feedback helps us to improve the experience for everyone.

Exposing Content from SAP S/4HANA

Objective

After completing this lesson, you will be able to expose business content (roles) from SAP S/4HANA

Overview

Now that a basic connection between SAP S/4HANA and the SAP BTP subaccount has been established via the Cloud Connector, the next step to federate content from SAP S/4HANA can be started.

The goal is to make the existing business roles and content (catalogs, groups, apps, spaces & pages) available within SAP Build Work Zone, standard edition. Once the content is imported, it can be added to a launchpad site within the service and accessed via SAP Mobile Start.

Prerequisites

The technical settings that are described in the following sections must be performed in SAP S/4HANA as a prerequisite for content exposure.

Add FLP Configuration Parameter

The parameter EXPOSURE_SYSTEM_ALIASES_MODE defines how to handle system aliases during content exposure. In an embedded deployment of the SAP Fiori front-end server, all apps run on the same server. Therefore, system aliases can be cleared during exposure. In contrast to a hub deployment, they might come from different back-end systems and each back-end system may have several aliases. In this case, you would need to manually map these aliases to specific runtime destinations when creating the content provider in one of the next lessons.

Go to transaction /N/UI2/FLP_SYS_CONF and add an additional FLP configuration parameter. Click New Entries.

Screenshot of the S/4 transaction FLP_SYS_CONF highlighting the New Entries button at the top menu.

Enter the following values:

FLP Property ID	Category	Type	Property Value
EXPOSURE_SYSTEM_ALIASES_MODE	Automatically filled	Automatically filled	CLEAR

Screenshot showing the new parameter EXPOSURE_SYSTEM_ALIASES_MODE inside the launchpad configuration table in S/4 transaction FLP_SYS_CONF.

Save the entry and select a transport request when prompted.

Clickjacking Protection Activation

Because the apps are integrated into SAP Build Work Zone, standard edition using iFrames, you need protect your system against clickjacking (or UI redressing) attacks by enabling the clickjacking protection. For this, the Unified Connectivity Framework (UCON Framework) is used to optimize the protection of your RFC and HTTP(S) communication against unauthorized access.

Go to transaction UCONCOCKPIT and select the HTTP Allowlist Scenario from the list.

Screenshot highlighting the selection of the HTTP allowlist Scenario in S/4 transaction UCONCOCKPIT.

Then, in the More menu, select HTTP Whitelist → Setup.

Screenshot showing the menu dialog to access the setup of the HTTP allowlist scenario in S/4 transaction UCONCOCKPIT.

Select both options in the setup menu and save it.

Screenshot of the setup dialog offering two ticket checkboxes to enable the clickjacking protection.

Note

You can see that the entry Clickjacking Framing Protection is added in logging mode, which means that the connections are just logged but not checked. In production, it is recommended to set the Mode to Active Check and to maintain the patterns of SAP Build Work Zone, standard edition host.

To do that, double-click the row Clickjacking Framing Protection.

Screenshot of S/4 transaction UCONCOCKPIT highlighting the Clickjacking Framing Protection list entry for further configuration.

Next, the blocked and allowed connections can be viewed and edited. You can add the host of your SAP Build Work Zone, standard edition to the allowlist here.

It should look like this: "<subdomain>.launchpad.cfapps.eu10.hana.ondemand.com". The subdomain of the respective SAP BTP subaccount can be found in the BTP cockpit.

Screenshot of the allowlist logs and configuration in S/4 transaction UCONCOCKPIT.

Exposure Service Check

To make sure all prerequisites for content exposure are met, check if the service /sap/bc/ui2/cdm3 is activated in the SAP S/4HANA system.

Go to transaction SICF and find the cmd3 service.

Screenshot of S/4 transaction SICF highlighting the filtering and selection of the CDM3 service for further configuration.

Double-click on the list entry, and ensure that it is set to active and that the Use All Logon Procedures is ticked in the Logon Data tab.

Screenshot showing the configuration page of the cdm3 service highlighting the active state and setting checkbox for Use All Logon Procedures.

Preparation of Exposing User

To receive the exposed content from the cdm3 service later, a user with access to the specific endpoint is required. It is usually a good practice to create a dedicated service user whose credentials can later be used within the design-time destination. As a prerequisite, the user requires access to the "/sap/bc/ui2/cdm3/entities" endpoint. This access should be granted by assigning the SAP_FLP_ADMIN or SAP_FLP_EXP_USER role.

To do this, access the user maintenance (transaction SU01) and make sure that one of the mentioned standard roles (SAP_FLP_ADMIN or SAP_FLP_EXP_USER ) or a custom role that holds the proper authorization (the required Authorization Object is "/UI2/FREPO") is assigned.

In addition to that, navigate to the Parameters tab and ensure that the parameter /UI2/PAGE_CACHE_OFF does not show up there, as it will disturb the process. If it does, remove it.

Screenshot showing the parameters tab of a selected user in S/4 transaction SU01.

With that, the SAP S/4HANA system is now ready for content exposure.

Content Exposure

Now that all prerequisites are met, you can select and expose SAP S/4HANA content. Go to transaction /N/UI2/CDM3_EXP_SCOPE.Click the multiple selection icon.

Click the multiple selection icon.

Screenshot of S/4 transaction /N/UI2/CDM3_EXP_SCOPE highlighting the multiple selection icon for Business Roles selection.

Select the business roles that you want to expose. In this example, we will use the SAP_BR_Purchaser business role. Then, copy the list to your selection by pressing F8 or clicking the copy button.

Screenshot of the pop-up menu for Multiple Selection for Roles.

Click Save Selected Roles in the header bar, and then click Expose.

Screenshot of S/4 transaction /N/UI2/CDM3_EXP_SCOPE highlighting the “Save selected Roles” and “Expose” buttons within the top menu bar.

As a result, the business content is exposed from SAP S/4HANA as a json file and will be accessible via the service path /sap/bc/ui2/cdm3/entities.

With the Preview and View Exposed Content buttons, you can have a more comprehensive view of the exposed content.

Summary

The process of content exposure from the SAP S/4HANA system is now complete. As a next step, the SAP BTP subaccount needs to be prepared so that the content can be used within SAP Build Work Zone, standard edition.

Next lesson