In Part 1, we explored the importance of governance within Developer Hub and how administrators can configure built-in governance levels to balance openness with control.
In Part 2, we walked through how to set up an external governance workflow, enabling subscription requests to be processed through systems such as SAP Build Process Automation.
Building on these foundations, Part 3 focuses on how to implement the Service Provider Interface (SPI) using SAP Integration Suite – API Management and how to design and manage your approval workflow with SAP Build Process Automation. This combined approach ensures a streamlined, standardized, and well-governed integration between Developer Hub subscription flows and your organization’s external approval mechanisms.
Before we dive into the implementation details, it is helpful to revisit the foundations covered in the earlier parts of this series.
Recommended Workflow:
Set up the External Workflow in SAP Build
Leverage SAP Build Process Automation to design the external governance workflow. For more information on SAP Build Process Automation, see SAP Process Automation | SAP Learning.
Sample workflow to review the applications
On click of approve/reject call the Developer Hub API to inform about the decision. You can find the API details here: Developer Hub – External Governance (CF) -Governance Decision
Sample workflow to invalidate the credentials when they were shared with Developer Hub
On click of Submit the credentials can be deleted in Developer Hub by calling the API: Developer Hub – External Governance (CF) – Deletion Confirmation
Note: If you don’t have any externally managed API products, you can skip this step.
Obtain Credentials from Workflow
Create a service instance and a service key of SAP Build Process Automation Service in SAP BTP Cockpit to obtain the credentials. For more information, see Create a Service Instance and Create a Service Key for the SAP Build Process Automation Instance | SAP Help Portal.
1. Create the API proxy that acts as your SPI implementation for SAP Build
Prerequisite:
Create an API provider
a). Log on to the SAP Integration Suite.
b). Navigate to the API Configuration Page.
From the side navigation pane, choose Configure → APIs.
c). Create a New API Proxy.
Click Create to start defining your API proxy.
Discover the policy template
Navigate to the Discover tab and search for the SAP API Management Governance <Link> package. Open the package and go to Artifacts. Select the template Developer Hub Governance with SAP Build Process Automation and, under Actions, choose Copy.
Steps to create an API
Log on to the SAP Integration Suite.
Access your Integration Suite environment with administrator privileges.Navigate to the API Configuration Page.
From the side navigation pane, choose Configure → APIs.Click Create to start defining your API proxy.
4. Select the Provider method and fill in the required details.
From the dropdown, choose the API Provider you created for SAP Build Process Automation in the prerequisite steps. Then enter the API Name, Title, and API Base Path.
Note: In the URL field, enter: /workflow/rest/v1/workflow-instances.
Fields such as API State and Host Alias will populate automatically. Set the Service Type to REST.
5. Review your configurations and choose Create.
. Now, go to the Policies tab, click on Policy Template and choose Import.
To call the SAP Build workflow, import this policy template and update the following script:
Script Name: setVariables
jsgovernanceWorkflowDefinitionId: The workflow ID for the governance approval/rejection process.
keyInvalidationWorkflowDefinitionId: The workflow ID for the key invalidation request.
keyInvalidationResponse:
Set to 200 if you want Developer Hub to immediately proceed with application deletion once the workflow request is created.
Set to 202 if you want Developer Hub to wait for confirmation before deleting the application.
In the top-right corner of the API details page, click the ⋯ (More options) button. From the dropdown menu, select Deploy.
2. Add the API Proxy URL to the Destination in SAP BTP Cockpit
After implementing the Service Provider Interface (SPI), the customer subaccount administrator creates a destination in their SAP BTP subaccount pointing to the SPI endpoint.
In your web browser, log on to SAP BTP Cockpit and navigate to your source subaccount.Choose the Connectivity > Destinations tab in the left-hand pane.Choose Create and in the Create New Destination popup, select From Scratch to create a new destination manually.In Destination Details section, fill in all the required details according to the descriptions provided in the table and choose Create.
Note: Use the credentials provided by the customer sub-account administrator. Supported authentication methods include OAuth 2.0, Client Certificate, and Basic authentication.
Fields
Details
Name
Enter DeveloperHub_Governance_SPI as the destination name.
Type
Enter HTTP as the supported type.
Description
Enter a brief description stating the purpose of creating a new destination in the Description field.
URL
Enter the external governance application URL.
Since, in this use case, you are using the API proxy as the SPI implementation in SAP Build, enter the API proxy connectivity link in the Destination URL field and provide the corresponding authentication details.
Proxy Type
Internet
Authentication
Choose OAuth2ClientCredentials.
Fetch the Client ID, Client Secret, and Token Service URL from the workflow credentials. Refer to the “Obtain Credentials from Workflow” section for details. The token URL should correspond to the customer governance application when OAuth2 is being used.
You can also do a Check Connection to verify whether you’ve added the destination correctly.
3. Enable External Governance in Developer Hub
Logon to Developer Hub.Navigate to Admin Center > Manage Governance Settings, click on the Subscriptions tab, and choose Edit.Now, select the option Manage Approval Outside Developer Hub and choose Save.
This redirects all future subscription requests to your external governance system for approval.
In Part 1, we explored the importance of governance within Developer Hub and how administrators can configure built-in governance levels to balance openness with control.In Part 2, we walked through how to set up an external governance workflow, enabling subscription requests to be processed through systems such as SAP Build Process Automation.Building on these foundations, Part 3 focuses on how to implement the Service Provider Interface (SPI) using SAP Integration Suite – API Management and how to design and manage your approval workflow with SAP Build Process Automation. This combined approach ensures a streamlined, standardized, and well-governed integration between Developer Hub subscription flows and your organization’s external approval mechanisms.Before we dive into the implementation details, it is helpful to revisit the foundations covered in the earlier parts of this series.Recommended Workflow:Set up the External Workflow in SAP BuildLeverage SAP Build Process Automation to design the external governance workflow. For more information on SAP Build Process Automation, see SAP Process Automation | SAP Learning.Sample workflow to review the applicationsOn click of approve/reject call the Developer Hub API to inform about the decision. You can find the API details here: Developer Hub – External Governance (CF) -Governance DecisionSample workflow to invalidate the credentials when they were shared with Developer HubOn click of Submit the credentials can be deleted in Developer Hub by calling the API: Developer Hub – External Governance (CF) – Deletion ConfirmationNote: If you don’t have any externally managed API products, you can skip this step.Obtain Credentials from WorkflowCreate a service instance and a service key of SAP Build Process Automation Service in SAP BTP Cockpit to obtain the credentials. For more information, see Create a Service Instance and Create a Service Key for the SAP Build Process Automation Instance | SAP Help Portal.1. Create the API proxy that acts as your SPI implementation for SAP Build Prerequisite:Create an API providera). Log on to the SAP Integration Suite.b). Navigate to the API Configuration Page.From the side navigation pane, choose Configure → APIs.c). Create a New API Proxy.Click Create to start defining your API proxy.Discover the policy templateNavigate to the Discover tab and search for the SAP API Management Governance <Link> package. Open the package and go to Artifacts. Select the template Developer Hub Governance with SAP Build Process Automation and, under Actions, choose Copy.Steps to create an API Log on to the SAP Integration Suite.Access your Integration Suite environment with administrator privileges.Navigate to the API Configuration Page.From the side navigation pane, choose Configure → APIs.Click Create to start defining your API proxy.4. Select the Provider method and fill in the required details.From the dropdown, choose the API Provider you created for SAP Build Process Automation in the prerequisite steps. Then enter the API Name, Title, and API Base Path.Note: In the URL field, enter: /workflow/rest/v1/workflow-instances.Fields such as API State and Host Alias will populate automatically. Set the Service Type to REST. 5. Review your configurations and choose Create.. Now, go to the Policies tab, click on Policy Template and choose Import. To call the SAP Build workflow, import this policy template and update the following script: Script Name: setVariablesjsgovernanceWorkflowDefinitionId: The workflow ID for the governance approval/rejection process.keyInvalidationWorkflowDefinitionId: The workflow ID for the key invalidation request.keyInvalidationResponse:Set to 200 if you want Developer Hub to immediately proceed with application deletion once the workflow request is created.Set to 202 if you want Developer Hub to wait for confirmation before deleting the application.In the top-right corner of the API details page, click the ⋯ (More options) button. From the dropdown menu, select Deploy.2. Add the API Proxy URL to the Destination in SAP BTP CockpitAfter implementing the Service Provider Interface (SPI), the customer subaccount administrator creates a destination in their SAP BTP subaccount pointing to the SPI endpoint.In your web browser, log on to SAP BTP Cockpit and navigate to your source subaccount.Choose the Connectivity > Destinations tab in the left-hand pane.Choose Create and in the Create New Destination popup, select From Scratch to create a new destination manually.In Destination Details section, fill in all the required details according to the descriptions provided in the table and choose Create.Note: Use the credentials provided by the customer sub-account administrator. Supported authentication methods include OAuth 2.0, Client Certificate, and Basic authentication.FieldsDetailsNameEnter DeveloperHub_Governance_SPI as the destination name.TypeEnter HTTP as the supported type.DescriptionEnter a brief description stating the purpose of creating a new destination in the Description field.URLEnter the external governance application URL.Since, in this use case, you are using the API proxy as the SPI implementation in SAP Build, enter the API proxy connectivity link in the Destination URL field and provide the corresponding authentication details.Proxy TypeInternetAuthenticationChoose OAuth2ClientCredentials.Fetch the Client ID, Client Secret, and Token Service URL from the workflow credentials. Refer to the “Obtain Credentials from Workflow” section for details. The token URL should correspond to the customer governance application when OAuth2 is being used.You can also do a Check Connection to verify whether you’ve added the destination correctly.3. Enable External Governance in Developer HubLogon to Developer Hub.Navigate to Admin Center > Manage Governance Settings, click on the Subscriptions tab, and choose Edit.Now, select the option Manage Approval Outside Developer Hub and choose Save. This redirects all future subscription requests to your external governance system for approval. Read More Technology Blog Posts by SAP articles
#SAP
#SAPTechnologyblog
