Exposing Content from SAP S/4HANA


After completing this lesson, you will be able to:

  • Expose business content (roles) from SAP S/4HANA


Now that a basic connection between SAP S/4HANA and the SAP BTP subaccount has been established via the Cloud Connector, the next step to federate content from SAP S/4HANA can be started.

The goal is to make the existing business roles and content (catalogs, groups, apps, spaces and pages) available within SAP Build Work Zone, standard edition. Once the content is imported, it can be added to a launchpad site within the service and accessed via SAP Mobile Start.


The technical settings that are described in the following sections must be performed in SAP S/4HANA as a prerequisite for content exposure.

Add FLP Configuration Parameter

The parameter EXPOSURE_SYSTEM_ALIASES_MODE defines how system aliases are handled during content exposure. In an embedded deployment of the SAP Fiori front-end server, all apps run on the same server, so system aliases can be cleared during exposure. In a hub deployment, by contrast, the apps might come from different back-end systems, and each back-end system may have several aliases. In that case, you would need to manually map these aliases to specific runtime destinations when creating the content provider in one of the next lessons.

Go to transaction /N/UI2/FLP_SYS_CONF and add an additional FLP configuration parameter. Click New Entries.

Enter the following values:

  • FLP Property ID: EXPOSURE_SYSTEM_ALIASES_MODE
  • Category: Automatically filled
  • Type: Automatically filled
  • Property Value: CLEAR

Save the entry and select a transport request when prompted.

Clickjacking Protection Activation

Because the apps are integrated into SAP Build Work Zone, standard edition using iFrames, you need to protect your system against clickjacking (or UI redressing) attacks by enabling the clickjacking protection. This is done with the Unified Connectivity Framework (UCON Framework), which is used to optimize the protection of your RFC and HTTP(S) communication against unauthorized access.

Go to transaction UCONCOCKPIT and select the HTTP Allowlist Scenario from the list.

Then, in the More menu, select HTTP Whitelist > Setup.

Select both options in the setup menu and save it.

You can see that the entry Clickjacking Framing Protection is added in logging mode, which means that the connections are just logged but not checked. In production, it is recommended to set the Mode to Active Check and to maintain the host patterns of SAP Build Work Zone, standard edition.

To do that, double-click the row Clickjacking Framing Protection.

Next, the blocked and allowed connections can be viewed and edited. You can add the host of your SAP Build Work Zone, standard edition to the allowlist here.

It should look like this: "<subdomain>.launchpad.cfapps.eu10.hana.ondemand.com". The subdomain of the respective SAP BTP subaccount can be found in the BTP cockpit.
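The difference between logging mode and Active Check, and the effect of how narrowly the allowlist entry is written, can be seen in the following added example. It is a simplified model, not SAP code and not the UCON implementation: the mode names, the glob-style matching, the placeholder subdomain "mysubdomain" and the sample origins are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed values: "mysubdomain" stands in for the BTP subaccount subdomain.
EXACT = ["mysubdomain.launchpad.cfapps.eu10.hana.ondemand.com"]
BROAD = ["*.launchpad.cfapps.eu10.hana.ondemand.com"]

# Constructed sample of framing origins, as they might be collected in logging mode.
LOGGED_ORIGINS = [
    "https://mysubdomain.launchpad.cfapps.eu10.hana.ondemand.com",
    "https://othertenant.launchpad.cfapps.eu10.hana.ondemand.com",
    "https://mysubdomain.launchpad.cfapps.eu10.hana.ondemand.com.example.net",
]


def on_allowlist(origin, patterns):
    """Match the parsed host (not the raw URL string) against each pattern.

    fnmatchcase anchors the pattern at both ends, so a host that merely
    starts with an allowed name does not match.
    """
    host = (urlsplit(origin).hostname or "").lower()
    return bool(host) and any(fnmatchcase(host, p.lower()) for p in patterns)


def framing_allowed(origin, patterns, mode):
    """LOGGING lets every origin frame the app; ACTIVE_CHECK enforces the allowlist."""
    if mode == "LOGGING":
        return True
    if mode == "ACTIVE_CHECK":
        return on_allowlist(origin, patterns)
    raise ValueError(f"unknown mode: {mode}")


def would_block(origins, patterns):
    """Origins that pass in LOGGING mode but would be rejected under ACTIVE_CHECK."""
    return [o for o in origins if not on_allowlist(o, patterns)]


if __name__ == "__main__":
    for name, patterns in (("exact", EXACT), ("broad", BROAD)):
        print(name, "allowlist would block:", would_block(LOGGED_ORIGINS, patterns))
```

Running the same review over the origins recorded during the logging phase shows which hosts would stop working after the switch to Active Check, and which unrelated hosts a wildcard entry would still admit.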

Exposure Service Check

To make sure all prerequisites for content exposure are met, check if the service /sap/bc/ui2/cdm3 is activated in the SAP S/4HANA system.

Go to transaction SICF and find the cdm3 service.

Double-click the list entry, and ensure that it is set to active and that Use All Logon Procedures is selected in the Logon Data tab.

Preparation of Exposing User

To receive the exposed content from the cdm3 service later, a user with access to the specific endpoint is required. It is usually a good practice to create a dedicated service user whose credentials can later be used within the design-time destination. As a prerequisite, the user requires access to the "/sap/bc/ui2/cdm3/entities" endpoint. This access should be granted by assigning the SAP_FLP_ADMIN or SAP_FLP_EXP_USER roles.

To do this, access the user maintenance (transaction SU01) and make sure that one of the mentioned standard roles (SAP_FLP_ADMIN or SAP_FLP_EXP_USER) or a custom role that holds the proper authorization is assigned. The required authorization object is "/UI2/FREPO". In addition, navigate to the Parameters tab and ensure that the parameter /UI2/PAGE_CACHE_OFF does not show up there, as it will disturb the process. If it does, remove it.

With that, the SAP S/4HANA system is now ready for content exposure.

Content Exposure

Now that all prerequisites are met, you can select and expose SAP S/4HANA content. Go to transaction /N/UI2/CDM3_EXP_SCOPE.

Click the multiple selection icon.

Select the business roles that you want to expose. In this example, we will use the SAP_BR_Purchaser business role. Then, copy the list to your selection by pressing F8 or clicking the copy button.

Click Save Selected Roles in the header bar, and then click Expose.

As a result, the business content is exposed from SAP S/4HANA as a JSON file and will be accessible via the service path /sap/bc/ui2/cdm3/entities.

With the Preview and View Exposed Content buttons, you can have a more comprehensive view of the exposed content.


The process of content exposure from the SAP S/4HANA system is now complete. As a next step, the SAP BTP subaccount needs to be prepared so that the content can be used within SAP Build Work Zone, standard edition.
