Common set-up issues of Joule in SAP S/4HANA Cloud Private Edition

Common set-up issues of Joule in SAP S/4HANA Cloud Private Edition
Estimated read time 11 min read

This Blog continues my previous setup blog post – Joule for SAP S/4HANA Cloud Private Edition – A Comprehensive Setup Guide. 

Note: The below are general findings. For detailed analysis of issues, we recommend checking the SAP Help Portal or working with SAP Incidents. 

You can find the list of the most common issues here:

Joule is not answering as expected, but only giving instructions on how to access informationJoule is not greeting you with your name or showing a blank screenJoule responds with “I’m having trouble connecting.”

 

1.      Joule is not answering as expected, but only giving instructions on how to access information

Reason: This is often a sign that the actual logged-on user has insufficient roles assigned or that the assigned roles are not known to Joule.

 

Fix: Joule requires access to the actual backend system and needs to know about assigned S/4HANA user roles to pre-select appropriate capabilities.

Some Joule capabilities are linked to Semantic Objects and Actions, so only users with access to those Semantic Objects will also be able to access them via Joule. Typically, when the respective Fiori app is accessible to the user, this will also grant access via Joule. However, it’s important that user/role assignments are replicated to Workzone and, therefore, known to Joule.

Figure 1: The picture on the left shows the expected response, while the right picture shows that Joule does a fallback citing user assistance resources.

When Joule does not find the respective role assigned to a user, it will resort to informational capabilities, such as citing out-of-help documentation.

a. Check if there is a capability available in the catalog that allows Joule to actually access data from a backend, see the help documentation

b. Find the required Semantic Objects and Actions for each Joule Capability in the SAP Note 3523238 attached spreadsheet

c. Check if your SAP S/4HANA Cloud version supports that capability (see column F)

Note: In case of a release upgrade of your SAP S/4HANA Cloud system, you must trigger an update of Joule’s capability catalog. To do so in your SAP BTP Global Account, go to Formations, find the relevant Joule formation, and Exclude and afterwards Include your S/4HANA Private Cloud system.

d. Check if the respective Fiori app is included within your exposed CDM content.

In transaction /UI2/CDM3_EXP_SCOPE go to “Preview Content”, ensure that the respective user role has the Fiori App ID linked

Fiori apps, their App IDs, and Semantic Objects and Actions can be found in the Fiori Apps Library.

 

Transactions /n/ui2/flia or /n/UI2/FLPCM_CUST allows to find Roles for a specific Semantic Object:

e. Go to your SAP Build Work Zone Admin -> Channel Manager and check if the CDM content was properly read from S/4HANA. Note the “Report” only shows newly created artifacts.

In case of errors, click “edit” to find the name of the “Design Time” destination. Within your BTP Cockpit check you can do a Connection test of the destination:

 

Further help:

https://help.sap.com/docs/build-work-zone-standard-edition/sap-build-work-zone-standard-edition/troubleshooting-e69b6f5d31a542c6a5f87c8b45c1d427

Besides also it is also recommended to schedule a job to regularly update content: https://help.sap.com/docs/ABAP_PLATFORM_NEW/a7b390faab1140c087b8926571e942b7/a6e718dcfe4f47e5adc71078bb35ec74.html?version=202110.000

 

f.  Go to your SAP Build Work Zone Admin -> Settings -> SAP Identity Provisioning and check if your user has the necessary roles assigned. These can also be customer-specific roles; it is important that the standard Fiori applications with their Semantic Objects (see column D above) are included within those roles.

PS: SAP Build Work Zone also offers an API for advanced scenarios; you can find details here.

If no roles are listed, check the provisioning jobs in Cloud Identity services – Identity Provisioning service (IPS) for errors or filter conditions.

 

g. Check if the necessary OData API was activated in your system 

 

2. Joule is not greeting you with your name or showing a blank screen

Issue: When Joule is not greeting you with your name, it is an indication that the wrong identity is used and not mapped to the identity in the SAP S/4HANA Cloud system.

Fix: Joule requires a global user identity within all connected systems to act on behalf of the business user. Therefore, Joule uses an identity stored locally within SAP Cloud Identity services (Identity Directory). It is important that user attributes (first name, last name, email, global user ID) are properly mapped from potential third-party identity providers to a local identity in SAP Cloud Identity services, and the same are forwarded to Joule during authentication.

 

Ensure that your SAP S/4HANA Cloud system is configured to use the very same SAP Cloud Identity Service tenant for authentication as your Joule instance.Ensure that the top-level domain (e.g., cloud.sap or ondemand.com) is set-up consistent within your landscape.

In SAP S/4HANA, check transaction SAML2 -> Trusted Providers

 

In BTP Cockpit -> your Joule subaccount -> Trust Configuration -> check the “Domain” selection:

Ensure that the global user id is distributed across your complete landscape

In transaction SU01 -> open the respective business users -> click “Goto” -> click “External user id (UID)” and validate that the same ID is maintained as within SAP Cloud Identity Services, Identity Directory (“Global User ID”).

See also: https://help.sap.com/docs/cloud-identity/system-integration-guide/global-user-id-in-integration-scenarios?locale=en-US

 

3. Joule responds with “I’m having trouble connecting.”

Issue: When Joule responds, “I’m having trouble connecting. Please make sure you are online and can access your SAP system,” this indicates that Joule tried to access the backend but was not able to access it.

Fix: Often, the principal propagation between Joule, BTP Destination, SAP Cloud Connector, WebDispatcher, ICM, and the API within the SAP S/4HANA Cloud, private edition system is broken.

You can trace Joule’s interactions for a specific user by starting an HTTP Payload trace in transaction /n/IWDFND/TRACES

 

A very good troubleshooting guide can be found here:

https://help.sap.com/docs/SUPPORT_CONTENT/appservices/3361376259.html

Other helpful resources:

https://github.com/SAP-archive/cloud-platform-connectivity-principal-propagation/blob/master/exercises/B2/README.md

https://help.sap.com/doc/si/1.0/en-US/attachments/3362959224/WebDispatcherSSLCertificateForwarding_V3.pdf

 

Cheers, 

Happy Learning. 

Credits and Co-Written with RIG Team – @mathias Rup

 

 

​ This Blog continues my previous setup blog post – Joule for SAP S/4HANA Cloud Private Edition – A Comprehensive Setup Guide. Note: The below are general findings. For detailed analysis of issues, we recommend checking the SAP Help Portal or working with SAP Incidents. You can find the list of the most common issues here:Joule is not answering as expected, but only giving instructions on how to access informationJoule is not greeting you with your name or showing a blank screenJoule responds with “I’m having trouble connecting.” 1.      Joule is not answering as expected, but only giving instructions on how to access informationReason: This is often a sign that the actual logged-on user has insufficient roles assigned or that the assigned roles are not known to Joule. Fix: Joule requires access to the actual backend system and needs to know about assigned S/4HANA user roles to pre-select appropriate capabilities.Some Joule capabilities are linked to Semantic Objects and Actions, so only users with access to those Semantic Objects will also be able to access them via Joule. Typically, when the respective Fiori app is accessible to the user, this will also grant access via Joule. However, it’s important that user/role assignments are replicated to Workzone and, therefore, known to Joule.Figure 1: The picture on the left shows the expected response, while the right picture shows that Joule does a fallback citing user assistance resources.When Joule does not find the respective role assigned to a user, it will resort to informational capabilities, such as citing out-of-help documentation.a. Check if there is a capability available in the catalog that allows Joule to actually access data from a backend, see the help documentationb. Find the required Semantic Objects and Actions for each Joule Capability in the SAP Note 3523238 attached spreadsheetc. Check if your SAP S/4HANA Cloud version supports that capability (see column F)Note: In case of a release upgrade of your SAP S/4HANA Cloud system, you must trigger an update of Joule’s capability catalog. To do so in your SAP BTP Global Account, go to Formations, find the relevant Joule formation, and Exclude and afterwards Include your S/4HANA Private Cloud system.d. Check if the respective Fiori app is included within your exposed CDM content.In transaction /UI2/CDM3_EXP_SCOPE go to “Preview Content”, ensure that the respective user role has the Fiori App ID linkedFiori apps, their App IDs, and Semantic Objects and Actions can be found in the Fiori Apps Library. Transactions /n/ui2/flia or /n/UI2/FLPCM_CUST allows to find Roles for a specific Semantic Object:e. Go to your SAP Build Work Zone Admin -> Channel Manager and check if the CDM content was properly read from S/4HANA. Note the “Report” only shows newly created artifacts.In case of errors, click “edit” to find the name of the “Design Time” destination. Within your BTP Cockpit check you can do a Connection test of the destination: Further help:https://help.sap.com/docs/build-work-zone-standard-edition/sap-build-work-zone-standard-edition/troubleshooting-e69b6f5d31a542c6a5f87c8b45c1d427Besides also it is also recommended to schedule a job to regularly update content: https://help.sap.com/docs/ABAP_PLATFORM_NEW/a7b390faab1140c087b8926571e942b7/a6e718dcfe4f47e5adc71078bb35ec74.html?version=202110.000 f.  Go to your SAP Build Work Zone Admin -> Settings -> SAP Identity Provisioning and check if your user has the necessary roles assigned. These can also be customer-specific roles; it is important that the standard Fiori applications with their Semantic Objects (see column D above) are included within those roles.PS: SAP Build Work Zone also offers an API for advanced scenarios; you can find details here.If no roles are listed, check the provisioning jobs in Cloud Identity services – Identity Provisioning service (IPS) for errors or filter conditions. g. Check if the necessary OData API was activated in your system  2. Joule is not greeting you with your name or showing a blank screenIssue: When Joule is not greeting you with your name, it is an indication that the wrong identity is used and not mapped to the identity in the SAP S/4HANA Cloud system.Fix: Joule requires a global user identity within all connected systems to act on behalf of the business user. Therefore, Joule uses an identity stored locally within SAP Cloud Identity services (Identity Directory). It is important that user attributes (first name, last name, email, global user ID) are properly mapped from potential third-party identity providers to a local identity in SAP Cloud Identity services, and the same are forwarded to Joule during authentication. Ensure that your SAP S/4HANA Cloud system is configured to use the very same SAP Cloud Identity Service tenant for authentication as your Joule instance.Ensure that the top-level domain (e.g., cloud.sap or ondemand.com) is set-up consistent within your landscape.In SAP S/4HANA, check transaction SAML2 -> Trusted Providers In BTP Cockpit -> your Joule subaccount -> Trust Configuration -> check the “Domain” selection:Ensure that the global user id is distributed across your complete landscapeIn transaction SU01 -> open the respective business users -> click “Goto” -> click “External user id (UID)” and validate that the same ID is maintained as within SAP Cloud Identity Services, Identity Directory (“Global User ID”).See also: https://help.sap.com/docs/cloud-identity/system-integration-guide/global-user-id-in-integration-scenarios?locale=en-US 3. Joule responds with “I’m having trouble connecting.”Issue: When Joule responds, “I’m having trouble connecting. Please make sure you are online and can access your SAP system,” this indicates that Joule tried to access the backend but was not able to access it.Fix: Often, the principal propagation between Joule, BTP Destination, SAP Cloud Connector, WebDispatcher, ICM, and the API within the SAP S/4HANA Cloud, private edition system is broken.You can trace Joule’s interactions for a specific user by starting an HTTP Payload trace in transaction /n/IWDFND/TRACES A very good troubleshooting guide can be found here:https://help.sap.com/docs/SUPPORT_CONTENT/appservices/3361376259.htmlOther helpful resources:https://github.com/SAP-archive/cloud-platform-connectivity-principal-propagation/blob/master/exercises/B2/README.mdhttps://help.sap.com/doc/si/1.0/en-US/attachments/3362959224/WebDispatcherSSLCertificateForwarding_V3.pdf Cheers, Happy Learning. Credits and Co-Written with RIG Team – @mathias Rup    Read More Technology Blog Posts by SAP articles 

#SAP

#SAPTechnologyblog

Avatar for

You May Also Like

More From Author