Initial commit

This commit is contained in:
Zhongwei Li
2025-11-30 08:54:54 +08:00
commit d5f8dc087c
13 changed files with 3235 additions and 0 deletions

@@ -0,0 +1,257 @@
# CIAS Destination Configuration Templates
Templates for configuring destinations in Cloud Integration Automation Service.
---
## Basic HTTP Destination
### Configuration
| Property | Value | Notes |
|----------|-------|-------|
| Name | `<SYSTEM_ID>_DEST` | Use meaningful identifier |
| Type | `HTTP` | Default |
| Description | Integration destination for [System Name] | Purpose description |
| URL | `[https://<hostname>:<port>`](https://<hostname>:<port>`) | Always use HTTPS |
| Proxy Type | `Internet` | For cloud systems |
| Authentication | See options below | Based on requirements |
---
## Authentication Options
### Basic Authentication
```
Authentication: BasicAuthentication
User: <technical_user>
Password: <password>
```
**Use when**:
- Simple username/password authentication
- Technical user with limited scope
- Development/testing environments
**Security note**: Store credentials securely; delete destination after workflow completion.
### OAuth2 Client Credentials
```
Authentication: OAuth2ClientCredentials
Client ID: <client_id>
Client Secret: <client_secret>
Token Service URL: [https://<auth_server>/oauth/token](https://<auth_server>/oauth/token)
```
**Use when**:
- Machine-to-machine authentication
- SAP BTP services integration
- API access scenarios
### OAuth2 User Token Exchange
```
Authentication: OAuth2UserTokenExchange
Client ID: <client_id>
Client Secret: <client_secret>
Token Service URL: [https://<auth_server>/oauth/token](https://<auth_server>/oauth/token)
```
**Use when**:
- User context required in target system
- Principal propagation needed
### Client Certificate
```
Authentication: ClientCertificateAuthentication
Key Store Location: <path_to_keystore>
Key Store Password: <keystore_password>
```
**Use when**:
- mTLS required
- High-security environments
- Production systems
---
## Destination Templates by Target System
### SAP S/4HANA Cloud
```
Name: S4HC_<TENANT_ID>
Type: HTTP
URL: [https://<tenant>.s4hana.ondemand.com](https://<tenant>.s4hana.ondemand.com)
Proxy Type: Internet
Authentication: OAuth2SAMLBearerAssertion
Audience: [https://<tenant>.s4hana.ondemand.com](https://<tenant>.s4hana.ondemand.com)
Client Key: <client_key>
Token Service URL: [https://<tenant>.s4hana.ondemand.com/sap/bc/sec/oauth2/token](https://<tenant>.s4hana.ondemand.com/sap/bc/sec/oauth2/token)
Token Service User: <communication_user>
Token Service Password: <password>
```
### SAP S/4HANA On-Premise (via Cloud Connector)
```
Name: S4OP_<SYSTEM_ID>
Type: HTTP
URL: [http://<virtual_host>:<virtual_port>](http://<virtual_host>:<virtual_port>)
Proxy Type: OnPremise
Location ID: <cloud_connector_location_id>
Authentication: BasicAuthentication
User: <system_user>
Password: <password>
```
### SAP SuccessFactors
```
Name: SFSF_<COMPANY_ID>
Type: HTTP
URL: [https://<datacenter>.successfactors.com](https://<datacenter>.successfactors.com)
Proxy Type: Internet
Authentication: OAuth2SAMLBearerAssertion
Audience: www.successfactors.com
Client Key: <api_key>
Token Service URL: [https://<datacenter>.successfactors.com/oauth/token](https://<datacenter>.successfactors.com/oauth/token)
Token Service User: <admin_user>
Token Service Password: <password>
```
### SAP Integration Suite (CPI)
```
Name: CPI_<TENANT_ID>
Type: HTTP
URL: [https://<tenant>.it-cpi<region>.cfapps.<region>.hana.ondemand.com](https://<tenant>.it-cpi<region>.cfapps.<region>.hana.ondemand.com)
Proxy Type: Internet
Authentication: OAuth2ClientCredentials
Client ID: <client_id>
Client Secret: <client_secret>
Token Service URL: [https://<tenant>.authentication.<region>.hana.ondemand.com/oauth/token](https://<tenant>.authentication.<region>.hana.ondemand.com/oauth/token)
```
### SAP BTP ABAP Environment
```
Name: ABAP_ENV_<SYSTEM_ID>
Type: HTTP
URL: [https://<system_id>.abap.<region>.hana.ondemand.com](https://<system_id>.abap.<region>.hana.ondemand.com)
Proxy Type: Internet
Authentication: OAuth2ClientCredentials
Client ID: <client_id>
Client Secret: <client_secret>
Token Service URL: [https://<system_id>.authentication.<region>.hana.ondemand.com/oauth/token](https://<system_id>.authentication.<region>.hana.ondemand.com/oauth/token)
```
### SAP Ariba
```
Name: ARIBA_<REALM_ID>
Type: HTTP
URL: [https://<datacenter>.ariba.com](https://<datacenter>.ariba.com)
Proxy Type: Internet
Authentication: OAuth2ClientCredentials
Client ID: <application_key>
Client Secret: <shared_secret>
Token Service URL: [https://api.ariba.com/v2/oauth/token](https://api.ariba.com/v2/oauth/token)
```
### SAP Concur
```
Name: CONCUR_<ENTITY_ID>
Type: HTTP
URL: [https://<datacenter>.concursolutions.com](https://<datacenter>.concursolutions.com)
Proxy Type: Internet
Authentication: OAuth2ClientCredentials
Client ID: <client_id>
Client Secret: <client_secret>
Token Service URL: [https://<datacenter>.concursolutions.com/oauth2/v0/token](https://<datacenter>.concursolutions.com/oauth2/v0/token)
```
---
## Additional Properties
### Common Additional Properties
| Property | Value | Purpose |
|----------|-------|---------|
| `sap-client` | `<client_number>` | ABAP system client |
| `HTML5.DynamicDestination` | `true` | Dynamic destination resolution |
| `WebIDEEnabled` | `true` | Enable for BAS/WebIDE |
| `WebIDEUsage` | `odata_abap` | OData service usage |
### Example with Additional Properties
```
Name: S4HC_PROD
Type: HTTP
URL: [https://my-tenant.s4hana.ondemand.com](https://my-tenant.s4hana.ondemand.com)
Proxy Type: Internet
Authentication: OAuth2SAMLBearerAssertion
[Authentication details...]
Additional Properties:
sap-client: 100
HTML5.DynamicDestination: true
```
---
## Security Best Practices
### Do
- Always use HTTPS for URLs
- Use technical/service users with minimal required permissions
- Rotate credentials regularly
- Delete destinations after workflow completion
- Document destination purpose in description
### Don't
- Store production credentials in non-production environments
- Share destination credentials across teams
- Use personal user credentials
- Leave unused destinations active
- Skip certificate validation in production
---
## Troubleshooting
### Destination Not Found in Dropdown
1. Verify destination exists in subaccount
2. Check URL matches tenant Host Base URL exactly
3. Confirm destination type is HTTP
4. Refresh dropdown after creation
### Authentication Failures
1. Verify credentials are correct
2. Check token service URL accessibility
3. Confirm user has required authorizations in target system
4. Review audit logs for specific error
### Connection Timeouts
1. Check Cloud Connector status (for on-premise)
2. Verify network connectivity
3. Confirm target system is available
4. Review timeout settings
---
## Documentation Links
- Destinations: [https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/destinations-496a763.md](https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/destinations-496a763.md)
- Destination Creation: [https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/destination-creation-b2cd7e9.md](https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/destination-creation-b2cd7e9.md)
- SAP BTP Destinations: [https://help.sap.com/docs/btp/sap-business-technology-platform/destination](https://help.sap.com/docs/btp/sap-business-technology-platform/destination)
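
Review bot: The "SAP S/4HANA On-Premise (via Cloud Connector)" template sets `URL: http://<virtual_host>:<virtual_port>` together with `Authentication: BasicAuthentication`, which contradicts the "Always use HTTPS" note in the Basic HTTP Destination table and the first item under Security Best Practices, and nothing in the file explains the exception. Either change the template to HTTPS or add a sentence under that template stating why plain HTTP to the Cloud Connector virtual host is acceptable and what protects the Basic credentials on that path. Separately, the S/4HANA Cloud, SuccessFactors and additional-properties examples use `OAuth2SAMLBearerAssertion`, which has no entry under Authentication Options; add one with its own "Use when" guidance so the option list matches the templates.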

@@ -0,0 +1,279 @@
# CIAS Role Assignment Templates
Templates and procedures for assigning roles in Cloud Integration Automation Service.
---
## Role Collections Overview
Three role collections are automatically created during CIAS subscription:
| Role Collection | Role | Purpose |
|-----------------|------|---------|
| `CIASIntegrationAdministrator` | Integration Administrator | Full access and administration |
| `CIASIntegrationExpert` | Integration Expert | Task execution |
| `CIASIntegrationMonitor` | Integration Monitor | Read-only monitoring |
---
## Role Assignment Templates
### Template: Integration Administrator Assignment
**Use for**: IT administrators, solution architects, integration leads
**Capabilities granted**:
- Access My Inbox application
- Access Plan for Integration
- Access Scenario Execution Monitoring
- Plan integration scenarios and generate workflows
- Review workflow execution plans
- Monitor workflow execution
- Terminate scenarios
- Create destinations
**Assignment procedure**:
```
1. Navigate to SAP BTP Cockpit > [Subaccount] > Security > Role Collections
2. Select: CIASIntegrationAdministrator
3. Click: Edit
4. Go to: Users tab
5. Add users: [email1@domain.com, email2@domain.com]
6. Click: Save
```
**Typical recipients**:
- Integration architects
- BTP administrators
- Project leads
- System administrators
---
### Template: Integration Expert Assignment
**Use for**: Functional consultants, configuration specialists, implementation team members
**Capabilities granted**:
- Access My Inbox application
- Work on assigned tasks
- Execute manual and automated tasks
- Add comments to tasks
**Assignment procedure**:
```
1. Navigate to SAP BTP Cockpit > [Subaccount] > Security > Role Collections
2. Select: CIASIntegrationExpert
3. Click: Edit
4. Go to: Users tab
5. Add users: [email1@domain.com, email2@domain.com]
6. Click: Save
```
**Typical recipients**:
- Functional consultants
- Configuration specialists
- Implementation team members
- Subject matter experts
---
### Template: Integration Monitor Assignment
**Use for**: Project managers, auditors, stakeholders needing visibility
**Capabilities granted**:
- Read-only access to Scenario Execution Monitoring
- View task status
- View execution progress
**Assignment procedure**:
```
1. Navigate to SAP BTP Cockpit > [Subaccount] > Security > Role Collections
2. Select: CIASIntegrationMonitor
3. Click: Edit
4. Go to: Users tab
5. Add users: [email1@domain.com, email2@domain.com]
6. Click: Save
```
**Typical recipients**:
- Project managers
- Internal auditors
- Quality assurance
- Stakeholders requiring visibility
---
## Multi-User Assignment
### Comma-Separated Assignment
You can assign multiple users per role with comma-separated user IDs:
```
Users: user1@domain.com, user2@domain.com, user3@domain.com
```
### Bulk Assignment via Trust Configuration
For large teams, use Trust Configuration:
1. Navigate to **Security****Trust Configuration**
2. Select identity provider (SAP IDP, Custom IDP, or IAS tenant)
3. Map groups to role collections
4. Users in mapped groups automatically receive roles
---
## Identity Provider Integration
### SAP Cloud Identity Services (Default)
```
Trust Configuration:
Identity Provider: SAP Cloud Identity Services
Domain: accounts.sap.com
User Format: <email>@<domain>
Example: john.doe@company.com
```
### Corporate Identity Provider (Custom IDP)
```
Trust Configuration:
Identity Provider: Corporate SAML IDP
Metadata: [Upload IDP metadata XML]
User Format: Per corporate IDP configuration
SAML Attribute: NameID (any supported format)
```
### SAP Identity Authentication Service (IAS)
```
Trust Configuration:
Identity Provider: IAS Tenant
Tenant URL: [https://<tenant>.accounts.ondemand.com](https://<tenant>.accounts.ondemand.com)
User Format: <email> or <user_id>
```
---
## Workflow User Assignment Template
When invoking workflows via Plan for Integration or Maintenance Planner:
### Initial Task Assignment
**Field**: SAP BTP Workflow Users
**Format**: Comma-separated list of user IDs
**Requirements**:
- Users must have access to specified SAP BTP subaccount
- Users must be in configured identity provider
- At least one user required
**Template**:
```
Workflow Users: admin@company.com, lead@company.com, consultant@company.com
```
### Role-Based User Identification
During workflow execution, view role assignments:
1. Open task in My Inbox
2. Click role name in Task Instructions
3. View:
- Role description
- Complete list of assigned users
---
## Task Claiming Behavior
### Multi-User Task Assignment
When multiple users are assigned to a task:
1. Any assigned user can click **Claim** to lock the task
2. Task marked as **Reserved** for all other assigned users
3. Padlock icon appears next to claiming user in monitoring
4. Only claiming user can complete the task
### Best Practices
- Coordinate team assignments to avoid conflicts
- Use Integration Monitor role for stakeholders needing visibility
- Assign Integration Expert to implementation team members
- Reserve Integration Administrator for lead personnel
---
## Role Assignment Checklist
### Before Assignment
- [ ] Verify subaccount is subscribed to CIAS
- [ ] Confirm identity provider is configured
- [ ] Identify users requiring each role level
- [ ] Verify user IDs exist in identity provider
### During Assignment
- [ ] Use correct role collection name
- [ ] Add users via email ID or login user ID
- [ ] Save changes after each modification
- [ ] Verify assignment in Role Collection details
### After Assignment
- [ ] Have users test application access
- [ ] Verify appropriate tiles are visible
- [ ] Confirm task visibility in My Inbox
- [ ] Check Scenario Execution Monitoring access (if applicable)
---
## Troubleshooting Role Issues
### User Cannot Access Application
1. Verify role collection assignment
2. Check identity provider user exists
3. Confirm user is logging in with correct credentials
4. Review trust configuration settings
### User Cannot See Expected Tiles
| Missing Tile | Required Role |
|--------------|---------------|
| My Inbox | Administrator or Expert |
| Plan for Integration | Administrator only |
| Scenario Execution Monitoring | Administrator or Monitor |
### User Cannot Claim Tasks
1. Verify user has Expert or Administrator role
2. Check if another user has already claimed the task
3. Confirm user is assigned to the specific task
### Access Denied After IdP Change
1. Add users to new identity provider
2. Reassign role collections
3. Verify SAML attribute mapping
4. Test login with updated credentials
---
## Documentation Links
- Roles and Authorizations: [https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/roles-and-authorizations-917f842.md](https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/roles-and-authorizations-917f842.md)
- Role Assignment: [https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/role-assignment-cd6b96b.md](https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/role-assignment-cd6b96b.md)
- Assigning Roles to Users: [https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/assigning-roles-to-the-users-9ad530a.md](https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/assigning-roles-to-the-users-9ad530a.md)
- Identity Provider: [https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/identity-provider-and-identity-management-1508b49.md](https://github.com/SAP-docs/btp-cloud-integration-automation-service/blob/main/docs/identity-provider-and-identity-management-1508b49.md)
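
Review bot: The "Bulk Assignment via Trust Configuration" steps state that users in mapped groups automatically receive roles but give no guidance on which role collections are appropriate to map, so a broad identity-provider group mapped to `CIASIntegrationAdministrator` would grant "Create destinations" and "Terminate scenarios" to every member, against the later advice to reserve Integration Administrator for lead personnel. Add a step to review group membership before mapping and a note to keep the Administrator collection on individually assigned users or a tightly scoped group. The Role Assignment Checklist also ends at verifying access; add an item for removing assignments when a user leaves the project. Step 1 of the same list reads `**Security****Trust Configuration**` with no separator, while the other procedures use `>` between navigation levels.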