Setting up Additional Services in SAP Cell and Gene Therapy Orchestration

Objective

After completing this lesson, you will be able to set up additional services such as e-signature, custom domain, and audit log in SAP Cell and Gene Therapy Orchestration.

E-Signature

What is E-Signature?

An electronic signature is a legal concept that is defined in eIDAS as follows:

"'Electronic signature' means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign" (eIDAS Article 3.10).

Difference between e-Signature and Digital Signature

A digital signature refers to a mathematical and cryptographic concept that is widely used to provide concrete and practical instances of an electronic signature. A digital signature always relies on cryptographic technology. This means that the content of the document is locked and secured when a digital signature is placed: you have the guarantee that the content of the document cannot be changed after signing.

An electronic signature, in contrast, can be as simple as a name entered in an electronic document and does not provide this level of tamper sealing. However, the terms electronic signature and digital signature are often used in the same context because the words have similar meanings.

Note

SAP Cell and Gene Therapy Orchestration supports the basic e-signature functionality. This feature is mandatory to implement in SAP Cell and Gene Therapy Orchestration.

E-Signature - Requirements

As per GxP requirement, SAP Cell and Gene Therapy Orchestration needs an e-Signature for the following use-cases:

  • Order
  • Workflow

The following functionalities must be provided as part of the basic e-signature:

Functionalities

Feature | Description
Identity | Defaults to the logged-in user (that is, the email ID).
Integrity | Capture and hash the snapshot of the saved business context information of the signature.
Authentication | Re-authentication by SAP Identity Authentication Service through the OIDC protocol with login user and password input.

Additional requirements from CGT business applications:

  • Report for e-Signature Log
  • Reusable User Interface for authentication through the password input by the user

E-Signature – Implementation Steps

These are the high-level steps to configure the e-signature feature in SAP Cell and Gene Therapy Orchestration.

The image shows a web application interface for managing client authentication settings in a cloud-based platform. The main section displays the configuration options for client authentication, including application IDs, default attributes, and secrets management. The right side of the interface prompts the user to add a new secret, which includes a description field and a warning that the secret cannot be retrieved from the system later. The overall interface appears to be focused on securing client access to the platform.

Generate Client Credentials in SAP Identity Authentication Service

In this step, you will create the client secret needed to access the application created in SAP IAS. This client secret is used to set up the connection between SAP Cell and Gene Therapy Orchestration and the SAP Identity Authentication Service application through the SAP Business Technology Platform destination.

  1. Go to your IAS Tenant and open the application created in the last lesson.
  2. Choose Client Authentication under the Application APIs section.
  3. Click on ADD Secrets on the Client Authentication Detailed page.
  4. On the dialog screen, enter the description and choose save.
  5. The Client ID and Client Secret keys will be generated.

Note

Ensure that you save your client secret locally. You will not be able to retrieve it from the system later.

Result

This results in an application with the OIDC protocol enabled in SAP Identity Authentication Service with client-credential configured.

  • Generate Client Credential in SAP IAS (Client ID and Client secret)
  • Maintain BTP Destination

SAP Identity Authentication Service Tenant Settings

In this step, you will disable login with USER ID (which is the P User created internally by SAP IAS), because e-signature supports login with the email ID as the login user.

The image shows a web application interface for configuring login alias options. The main section displays a table with various user identifiers, such as User ID, Email, Login Name, Display Name, and Phone, and allows the administrator to specify whether each identifier is required, unique, and allows login. The left-hand side menu provides options for authentication, including login alias, initial password and email link validity, and password recovery.

  1. Go to your SAP Identity Authentication Service and open the Tenant Settings app.
  2. Choose Logon Alias under the Authentication tab.
  3. Use the toggle to set the User ID entry to OFF.

Maintain BTP Destination

In this step, you will configure the SAP Business Technology Platform destination to access SAP Identity Authentication Service through the OIDC protocol.

The image shows a web application interface for configuring a destination in a cloud-based platform. The main section displays various fields for setting up the destination, including the name, type, URL, proxy type, authentication method, and token service details. The interface also highlights specific configuration items such as the IDP_OIDC_URL, SAP IAS Endpoint, SAP IAS Application Client Credentials, and SAP IAS Token End Point.

  1. Go to your SAP Business Technology Platform subaccount and choose Destination under the Connectivity menu.
  2. Choose New Destination.
  3. Maintain the Destination Parameters as described.

Note

Keep the BTP destination name as IDP_OIDC_URL, because SAP Cell and Gene Therapy Orchestration consumes this predefined name to authenticate the e-signature step through the SAP Identity Authentication Service.

Result

E-Signature Setup is complete.

Result

Now, you can go into the relevant SAP Cell and Gene Therapy Orchestration application and try to transact on any treatment order. For example, change the existing therapy master data.

The image displays a web application interface for e-signature, with fields for entering a user, password, reason code for e-signature, and a comment. The user is shown as Default User, and the reason code is set to Approval. The interface also includes Save and Cancel buttons at the bottom.

Afterward, the User Interface pop-up appears for e-signing the business step.

Note

Your user is shown by default as your email ID. You need to provide the reason code and comment to electronically sign the transaction.

When you choose Save, the process flow is as follows:

In SAP Cell and Gene Therapy Orchestration, the e-signature request is prepared with the user credentials → the BTP destination IDP_OIDC_URL is retrieved → the request data is posted to SAP IAS to verify the user credentials → the response is OK or failed → the audit log is saved and the e-signature log is generated.

Afterward, the Signature log will be available on SAP Cell and Gene Therapy Orchestration application area.
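
The Integrity requirement (hashing the saved business context) and the Save process flow above can be modelled as follows. This is an added example, not SAP's implementation or code from this lesson: SHA-256, the field names, the status values, the choice to log both outcomes, and the verify_credentials callable (a stand-in for the request posted to SAP IAS through the IDP_OIDC_URL destination) are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def snapshot_hash(context: dict) -> str:
    """Digest of a canonical serialization (key order and spacing cannot alter it)."""
    canonical = json.dumps(context, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()  # SHA-256: assumption

def sign(context, user_email, password, reason_code, comment, verify_credentials):
    """SAVE flow: re-authenticate, then produce the signature-log and audit entries.

    verify_credentials is a hypothetical callable standing in for the request
    posted to SAP IAS through the IDP_OIDC_URL destination; it returns True/False.
    """
    if not reason_code or not comment:
        raise ValueError("reason code and comment are required to sign")
    ok = bool(verify_credentials(user_email, password))
    now = datetime.now(timezone.utc).isoformat()
    # Assumption: both outcomes are logged. The password never enters either record.
    audit_event = {"category": "security-event", "user": user_email, "time": now,
                   "message": "e-signature re-authentication " + ("OK" if ok else "failed")}
    signature_entry = {"signer": user_email, "signed_at": now,
                       "status": "Signed" if ok else "Failed",
                       "reason_code": reason_code, "comment": comment,
                       "context_hash": snapshot_hash(context) if ok else None}
    return signature_entry, audit_event

def is_untampered(signature_entry: dict, context: dict) -> bool:
    """Recompute the digest of the stored record and compare it to the signed one."""
    signed = signature_entry["context_hash"]
    return signed is not None and hmac.compare_digest(signed, snapshot_hash(context))

# Constructed sample data: not real order data, users, or credentials.
ORDER = {"order_id": "ORD-0001", "therapy": "EXAMPLE-THERAPY", "status": "Approved"}

def fake_ias(user: str, password: str) -> bool:
    return (user, password) == ("signer@example.com", "constructed-password")

if __name__ == "__main__":
    entry, audit = sign(ORDER, "signer@example.com", "constructed-password",
                        "Approval", "Reviewed master data change", fake_ias)
    print(entry["status"], is_untampered(entry, ORDER))
    print(is_untampered(entry, {**ORDER, "status": "Rejected"}))
```

Hashing a canonical serialization is what makes the digest reproducible at review time: the same record re-read with a different key order still verifies, while any changed value does not.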

The image shows a web application interface for an e-signature log. The table displays a single row of data, including the name of the signer, the date and time of the signature, the signature status, the reason code, and a comment. The table header provides options to filter and search the log entries.

Audit Log

The e-signature has an associated non-functional requirement: creating the audit log.

The signature log (shown in the previous section) is different from the audit log. The signature log appears in the CGTO application for the actions performed by users.

The audit log, in contrast, records the security events for authentication and signature generation, and is stored in the SAP Business Technology Platform Audit Log Service. You need to configure the Audit Log Viewer service in your SAP Business Technology Platform subaccount.

The Audit Log interface allows administrators to examine audit events. The audit log keeps track of security-relevant changes. However, the data is retained only for 30 days. On the other hand, the Change Logs persist all data changes.

The system records audit events in the customer subaccount for the following types:

  • Personal Data Changes - for more information, see Personal Data Manager.
  • Configuration Changes
  • Security Events

For events, refer to the following help documentation: Audit Log.

Audit Log Viewer

To view the audit logs collected for your Cloud Foundry account, you can use the SAP Audit Log Viewer. Access to the SAP Audit Log Viewer is restricted to users who have subscribed to the SAP Audit Log Viewer service for SAP Business Technology Platform.

The image shows a web application interface for managing subscriptions and applications. The main section displays a list of applications to which the user's account is subscribed, with the Audit Log Viewer Service application marked as Subscribed. The right-hand side of the interface allows the user to create a new subscription, and the bottom section shows an application viewer interface for an unspecified application.

Note

Additional authorization is required to retrieve audit logs for the customers' subaccounts. The person viewing the audit logs must be assigned a role collection with the following roles: auditlog-viewer!t*/Auditlog Auditor.

You can subscribe to the Audit Log Viewer in a similar way as you have configured other SAP Business Technology Platform services. The reference image provided above shows you the subscription instance created and application view of Audit log viewer.

For more details, see the audit logger view documentation at the following: Audit Log Viewer for the Cloud Foundry Environment.

Additional Services

The following are the additional services available in case you need to configure the same in your subaccount.

Additional Services

Service Name | Description | Implementation Steps

Cloud Transport Management

The SAP Cloud Transport Management service allows you to manage software deliverables between accounts of different environments, such as Neo and Cloud Foundry, by transporting them across various runtimes. This includes application artifacts and their respective application specific content.

You can use the SAP Cloud Transport Management service to export the configuration data from your SAP Cell and Gene Therapy Orchestration instance to one or more tenants. The data can be exported using the Manage Transports app. The app also displays the list of outgoing transport requests made for a transport node, and the list of the imported transport requests.

Prerequisites

Export Configuration Data

Document Status Management

Learn how to manage data and document integration in SAP Cell and Gene Therapy Orchestration.

To use the document upload and view functions in SAP Cell and Gene Therapy Orchestration and to view patient information in Data and Document Integration for SAP Cell and Gene Therapy Orchestration, your system administrator must add the required initial document configurations to set up endpoints for communication between SAP Cell and Gene Therapy Orchestration and the Data and Document Integration for SAP Cell and Gene Therapy Orchestration add-on. This is to ensure appropriate documents are uploaded to the Data and Document Integration for SAP Cell and Gene Therapy Orchestration add-on and correct details are displayed in the user interface.

Configuration for Document Status Management:

You can view protected health information of a patient using the data and document integration for SAP Cell and Gene Therapy Orchestration.

Data Privacy Integration

Configure a consent agreement that is displayed when a user logs in to SAP Cell and Gene Therapy Orchestration.

You can create a consent agreement, which states a user's responsibility to work with patient data. This agreement is displayed after you create and activate a consent form using SAP Data Privacy Integration. After you create the form, a one-time consent agreement is displayed when a user logs in to SAP Cell and Gene Therapy Orchestration. The user can accept or reject this agreement, but can only access the solution if they accept the agreement. When the user accepts the agreement, their email and details of the consent form are stored in SAP Data Privacy Integration.

For detailed configuration steps, refer to the step-by-step documentation: Configure Consent Agreement.

SAP Cloud ALM

The purpose of real user monitoring is to provide transparency about the usage (executions) and the performance (response times) of user interactions. It supports the monitoring request executions from different platforms with a unified user experience using a common handling pattern.

SAP Cell and Gene Therapy Orchestration allows real user monitoring of the micro-service of the Manage Orders app. For more information on how to use real user monitoring, see Real User Monitoring.

For configuration, refer to Real User Monitoring.

Custom Domain

The SAP Custom Domain service allows you to access SAP Cell and Gene Therapy Orchestration using a custom domain, instead of the default hana.ondemand.com domain.

The custom domain URL only changes the way you access SAP Cell and Gene Therapy Orchestration. You need to make sure that the solution URL is updated wherever you already use it, for example, in bookmarked URLs, redirects, or test scripts, if any.

You will get the custom domain service with the custom URL pre-configured as part of SAP Cell and Gene Therapy Orchestration onboarding. In case it is not available, reach out to the SAP Cell and Gene Therapy Orchestration team.

Note

To secure the configuration and operation of SAP Cell and Gene Therapy Orchestration, refer to Security Recommendations for SAP Cell and Gene Therapy Orchestration.
