Introduction
We are back with yet another Joule service: From Questions to Insights with Joule, now available in SAP S/4HANA Cloud Public Edition and Supply Chain Management Applications(please read the announcement). Supported by Joule, SAP S/4HANA Cloud Public Edition users can work faster, smarter, and more efficiently, all while maintaining control over crucial decisions and data.
With the current release, you can use Joule for:
Quick Navigation: Find and quickly navigate to applications for your next task.Instant Insights: Get fast insights on critical business data, such as purchase orders and outbound deliveries.Receiving Help: For those needing help, Joule summarizes relevant enablement content and guides users to it, speeding up task completion.
To see Joule in action, watch this video: GROW with SAP – Joule – The AI Copilot. You can also find the latest updates on the Joule capabilities for SAP S/4HANA Cloud Public Edition.
Here in this blog, I will guide you through the steps to activate Joule for SAP S/4HANA Cloud Public Edition once you have received your entitlement. You can always find the most up-to-date information on the SAP Help Portal. If you are just getting started with Joule, you may want to read my previous blogs listed below:
****************************************************************************
This blog post is a series for Joule Setup:
SAP Business AI – Overview for all !!! (Includes information on Joule Supported Data Centers, Different scenarios during Joule setup, etc..)Joule – Unified Setup: Bridging Simplicity and Performance (Demo Video to understand the Unified Setup, Joule basics & architecture, how to set up Joule, etc…) Joule Setup – End-to-End Setup Guide (for all Line of Business) Unified Approach
Joule for SAP S/4HANA Cloud Public Edition – Setup Guide (You are here)
SAP Digital Supply ChainJoule for SAP Integrated Business Planning Joule – Getting Started with Document Grounding – setup guide
Blogs – Work in Progress (WIP):
SAP SuccessFactors Joule Activation (WIP)SAP Digital Supply Chain (WIP)SAP Asset Performance ManagementSAP Product Lifecycle ManagementSAP Digital ManufacturingSAP Build Work Zone, standard edition, and SAP Mobile Startand more to be added towards General Availability
****************************************************************************
Now, once you understand SAP’s positioning on the Joule setup with a unified approach, and if you are setting up Joule for SAP S/4HANA Cloud Public Edition, you can continue this blog post booster activity. This blog demonstrates a green field setup with new Joule activations.
Joule Architecture
The architecture describes the Services and Communications used for Joule and how we are going to activate Joule. Architecture is going to be similar for most of the Joule setup with few changes as required.
Image 1
Before we get started, let us understand the prerequisites:
You have set up the SAP Business Technology Platform (BTP), with the following services active as part of the Joule Setup – End-to-End Setup Guide (for all Line of Business) Unified Approach blog post indicated above.Joule Service – activeSAP Build Work Zone, standard edition – foundation plan or standard plan activated as per the previous blogCloud Foundry – activeSAP S/4HANA Cloud Public EditionYou have set up a role for the administratorYou have set up SAP Cloud Identity Services (test/production tenant based on your setup) with your SAP BTP SubaccountIf you are looking to activate Document Grounding, please complete the Joule setup for your SAP S/4HANA Cloud Public Edition and then follow the blog here.
We recommend setting your Joule on the SAP S/4HANA Cloud Public Edition – test tenant for evaluation and then on your Production Tenant.
Note: The Joule setup must be done for each tenant as they cannot be transported. Please review the official help documentation if required.
During the blog documentation, we may have used different subaccounts in the images attached here. Please do not get confused when looking at the blog series. Please continue the setup process on the same SAP BTP Subaccount that you are working on.
Post Booster Run
We will look at the details as to what the setup that a booster has executed in the SAP BTP and SAP S/4HANA Cloud Public Edition while following the previous blog – Joule Setup – End-to-End Setup Guide (for all Line of Business) Unified Approach. Let’s take a look at each configuration:
1. Validations and Destination Creation
We need to ensure that the Booster has created the required configurations for the Joule setup. So, we need to validate the following:
Validate the Work Zone, Provider IDDestination Certificates4 Destinations SSO, DT, and RT – Default & RT – DataCommunication Arrangements and Communication Systems created in SAP S/4HANA Cloud Public Edition
1.1 Validate the SAP Build Work Zone, Provider ID
Assign the required role to log in to the SAP Build Work Zone. To do this, in your SAP BTP Subaccount, you can navigate to Security -> your user should be created with SAP Cloud Identity Services by default. In case it’s not created, please Create it. Click on Users and click on Create -> enter your email address -> select the SAP Cloud Identity Services, and click on Create.
Image 2
Once the user is created, click on it to assign the required Role Collections as shown below.
Image 3
Now we can go back to the Instance and Subscription options and under the Subscription, click on the SAP Work Zone, standard edition application. You will be redirected with two options, click on the SAP Cloud Identity Service that you have configured, and please authenticate yourself.
Image 4
Once you log in, please click on the Channel Manager options, check for the SAP S/4HANA Cloud Public Edition content provider, and note the ID value that is displayed below. We will be using this ID value during our IPS configurations.
Image 5
1.2. Destination Certificates
In your SAP BTP Subaccount, click on Connectivity -> click on Destination Certificates, and select the certificate that you would like to validate. You should be able to see the details shown below.
Image 6
1.3 Validate the Destinations created by the Booster and create NavigationService
We need 5 Destination services for Joule to be working with SAP S/4HANA Cloud Public Edition, 4 of the destinations are automatically created with the help of the Booster and you should be able to see them as shown below, and see this in your SAP BTP Subaccount, expand the Connectivity option -> and Click on Destination.
SAP S/4HANA SSOJoule Design time DestinationJoule Run time DestinationRuntime DefaultRuntime Data
Once you validate the details, on the same screen you can Click on Create Destination to create a new destination.
Image 7
In the new window, please enter the following details (we need the Service Key file that is created in your BTP Subaccount):
Field
Value
Name
“NavigationService” (should be the same value as mentioned, case sensitive)
Type
HTTP
URL
portal-service URL
from the service key created for the service instance of SAP Work Zone, standard edition.
Proxy Type
Internet
Authentication
OAuth2UserTokenExchange
Client ID
Client ID
from the service key created for the service instance of SAP Build Work Zone, standard edition.
Client Secret
Client Secret
from the service key created for the service instance of SAP Build Work Zone, standard edition.
Token Service URL Type
Dedicated
Token Service URL
https://<uaa url>/oauth/token
It’s the value from the SAP BTP Subaccount – Service Key, just below the Client Secret
Additional Properties
Use default JDK trust store
Enable this option
Please verify the details as shown below and click on Save.
Image 8
1.4 Validate the Communication Arrangements and Communication Systems created by the booster in SAP S/4HANA Cloud Public Edition
Go to Communication Arrangements, two Communication Systems SAP_COM_0882 and SAP_COM_0647 should be created
Image 9
Also, Communication Systems should be created, as Communication Systems are used by SAP_COM_0822 and SAP_COM_0647.
Go to Communication Systems, you will see that the two communication arrangements are linked to the destination certificates created in SAP BTP as in step 1.2 of this blog.
Image 10
1.5 Validate your SAP Cloud Identity Services post booster setup
You can navigate to your SAP Cloud Identity Services, which is used by your SAP S/4HANA Cloud Public Edition, and the Subaccount that you have configured. In your SAP Cloud Identity Services, there should be entries for “das-ias” and “document grounding”.
To check this, log in to your SAP Cloud Identity Services -> click on Applications and Resources -> click on Application -> search for “das-ias” and then “document grounding” both these services should be listed as shown below.
Image 11
Based on your setup, you should be able to see the services here. In my case, I can see das-ias, Document Grounding, SAP Build Work Zone, etc…
If you use Azure Entra, OKTA, or other IDP services for authentication, you may have to configure the same mechanism with your SAP S/4HANA Cloud Public Edition with your “das-ias” services so that Joule can pick up the same session for Joule authentication.
Example:
My SAP S/4HANA Cloud Public Edition is using Microsoft Entra, so I have to set up something similar for “das-ias,” as shown below.
In your SAP Cloud Identity Services -> click on Application & Resources -> Click on application -> search for your SAP S/4HANA Cloud system -> click on Conditional Authentication – do a similar setup to “das-ias”. In my case, I have Authentication Rules, and my default authentication is still “Identity Authentication”
Image 12
2. Configure S/4HANA Cloud Content with Joule
In this step, we are going to prepare your SAP S/4HANA Cloud Public Edition system for content exposure, and we are going to do the following:
2.1 Expose the SAP Fiori Launchpad Content to SAP BTP – to replicate roles and catalogs via SAP_COM_0647.
2.2 Maintain Communication Arrangement SAP_COM_0193 – to replicate user-assignments to replicated roles via IPS:
2.2.1 Create a Communication User – which represents the IPS (source system config)
2.2.2 Create Communication System – which represents the S4 system
2.2.3 Assign communication users to the Communication System – to enable read-access for IPS to S4.
2.2.4 Create Communication Arrangement SAP_COM_0193 – to enable the required API endpoints for IPS.
2.2.5 Activate the communication arrangement – to enable SAP_COM_0193.
2.3 Manage Content Security Policy – to enable Joule iFrame loading in FLP.
2.1 Expose the SAP Fiori Launchpad Content to SAP BTP
This section is required in case you would like to Maintain Individual Business Roles to be Exposed to SAP BTP in your SAP S/4HANA Cloud system. In most cases, in the Communication Arrangements, the Scenario ID SAP_COM_0647 – Launchpad Content Exposure to SAP BTP Integration – Exposure Role Selection is set to All as shown in the image below.
Image 13
If you have set Exposure Role Selection to All, then we recommend there should be no more than 3000 apps assigned to a single Role, Group, or Catalog. In case you get an error during the SAP Work Zone refresh, you may want to look at this note and try to Maintain Business Roles individually.
SAP Note: https://me.sap.com/notes/0003107801
However, if you would like to expose individual business roles to SAP BTP and you can edit the Scenario ID: SAP_COM_0647 and change the Exposure Role Selection to SELECTION (Selected Roles in “Maintain Business Roles” Application), and then you must expose the required roles to SAP BTP as follows:
In your SAP S/4HANA Cloud Public Cloud system -> search for Maintain Business Roles -> look for the business roles example I have picked BR_PURCHASER click on it -> click on Edit -> in the Access Categories select the option Exposed to BTP and save the settings as shown below.
Image 14
Once this is set, the content is ready to be consumed by SAP BTP – SAP Build Work Zone, standard edition service. For details on the exposure log, visit Display Launchpad Content Exposure Logs.
2.2 Maintain Communication Arrangement “SAP_COM_0193”
We are going to follow the Communication Management approach to enable SAP_COM_0193, which is used in IPS for step Create Source and Target Systems later.
See the SAP Help Portal on Communication Management in general and on SAP S/4HANA Cloud as a Source System in IPS for SAP_COM_0193.
Image 15
2.2.1 Create a Communication User
Let us create the Communication User for Inbound, you can navigate to Maintain Communication Users -> Click on New and enter the details that can relate to Joule as shown below:
UserName: JOULE_INBOUND_IPS
Password: Propose Password is recommended as it requires at least 20 characters, the password must contain at least one special character. Ensure to make a note of the password that you generate.
Click on Create, once the details are entered.
Note: We use Basic Authentication in this guide for simplification. You can also use Certificate-based authentication, see the IPS procedure on SAP S/4HANA Cloud as Source System for details.
Image 16
2.2.2 Create Communication System
To Create a New Communication System, navigate to Communication Systems -> click on New -> Enter the System ID and System Name as shown below with your system details, and click on Create.
Image 17
2.2.3 Assign communication users to the Communication System
Once the user is created, on the Communication Systems page click on the user that you created e.g. K5F100JOULE in my case. Enter the details in the General tab as shown below – we need the System ID and System Name of your choice, but it can be related to Joule. The Host Name should be your SAP S/4HANA Cloud URL without the https://.
Image 18
Then look for the option Users for Inbound Communication and click on “+”, in Authentication Method select the option User Name and Password, and User Name/Client ID select the User that you have created as shown below, and Save the settings.
Image 19
2.2.4 Create Communication Arrangement SAP_COM_0193
Now let us create the Communication Arrangements, navigate to Communication Arrangements in your SAP S/4HANA Cloud system -> Click on New click on the selection option in the Scenario, and search for SAP_COM_0193 and select it.
Image 20
Enter the Arrangement Name as Joule_Communication_0193 and click on Create.
Image 21
2.2.5 Activate the communication arrangement SAP_COM_0193
Click on the Communication Arrangement that you created in the previous step, and in the Communication System click on the select option and select the Communication System that you have created for Joule, in this example it is K5F100JOULE.
Image 22
For the User Name select the user that you have created in the previous steps, in my case it is JOULE_INBOUND_IPS and click on Save.
Image 23
This completes the setup for the Communication Arrangement SAP_COM_0193.
2.3 Manage Content Security Policy
We must activate Joule in your SAP S/4HANA Cloud system, and this requires the Joule Service URL. Navigate to your SAP BTP Subaccount where Joule is active -> Click on Instances and Subscriptions -> hover the mouse on the Joule service, right click on it and copy the URL or open the Joule Application, you should be navigated to a new window.
Image 24
You should be able to see that the Service is up and running, we need the full URL. In case the system is looking for authentication please authenticate yourself with the SAP Cloud Identity Services which is configured in your Subaccount.
Image 25
Go to your SAP S/4HANA Cloud system, navigate to Manage Content Security Policy, and select the Trusted Sites and click on UI_RESOURCE_SCRIPTS.
Image 26
Navigate to Managed by Customer and click on New, enter the Joule URL that you have copied, and Save the settings.
Image 27
3. SAP Cloud Identity Services Configurations
This is one of the last steps to configure the SAP Cloud Identity Services. First ensure, we have added your SAP S/4HANA Cloud system as part of the Trusted Domains in the SAP Cloud Identity Services as per the previous blog and then add the Source and the Target systems. Here Navigation service of SAP Build Work Zone, standard edition service uses Identity Provisioning service (IPS) that is used to provision identities and their authorizations between source and target systems.
This section describes the steps to configure the source system (SAP S/4HANA Cloud Public Edition) and target systems (Identity Authentication and SAP Build Work Zone, standard edition) in the Identity Provisioning of your IAS application user interface.
3.1 Create Source and Target Systems
You can either create the Source and Target systems manually using the help page here, or you can use the template that I have attached to the bottom of the blog. The attachment takes care of the Transformation and the Properties required as per the help page.
I have taken the example of templates, so if you download the files, you can navigate to Identity Provisioning -> select Source System -> click on Add and import the file SourceFile_Joule.json (the attached file has SourceFile_Joule1.txt, please change the file name to SourceFile_Joule1.json before using it). Change the System Name and Description as required and click on the Properties tab to fix the missing values.
Image 28
In the Properties tab, modify the URL (you can find the correct URL in the API-URL field of the communication arrangement set up for communication scenario SAP_COM_0193) and the User that you have created in your SAP S/4HANA Cloud system and Save the settings.
Image 29
You need to maintain the field “s4hana.cloud.roles.filter – cFLGExposure eq true” if you have selected Exposure Role Selection to SELECTED for your SAP_COM_0647 in Communication Arrangement.
Image 30
If you have opted to expose ALL business roles to SAP BTP, please skip the field “s4hana.cloud.roles.filter – cFLGExposure eq true” as it is not required.
Next, we are going to import the Target System file. Click on Identity Provisioning -> click on Target System -> click on Add -> Import the file, click on Browse and select the TargetFile_Joule.json (the attached file has TargetFile_Joule1.txt, please change the file name to TargetFile_Joule.json before using it), make changes to the System Name as required, add Description, and click on the Source System option to select your Joule Source that was created in the previous step. Once you make these changes, click on the Properties tab to edit the values.
Image 31
In the properties tab, we need the values from your SAP Build Work Zone, the service key file that we created in previous steps. Please edit the values that are highlighted below:
Parameter
Value
cflp.providerId
This is the value from your SAP Work Zone. Navigate to your SAP BTP Subaccount, click on Instance and Subscriptions and click on the SAP Build Work Zone, standard edition and in the new window click on Channel Manager. You will be able to see the Joule Provider ID.
In case of authorization issues, please assign the role Launchpad_admin to the subaccount user.
OAuth2TokenServiceURL
Enter the OAuth 2.0 Token Service URL from the service key of your SAP Build Work Zone, standard edition instance. It follows the pattern: <uaa.url>/oauth/token.
Replace the <uaa.url> in the place of URL from service key file.
For example: https://ips-cflp-woaealle.authentication.sap.hana.ondemand.com/oauth/token
URL
Enter the API URL of SAP Build Work Zone, standard edition from the service key of your SAP Build Work Zone, standard edition instance under endpoints [portal-service]. It follows the pattern: https://portal-service.cfapps.sap.hana.ondemand.com
User
Enter the OAuth Client Id, from the service key of your SAP Build Work Zone, standard edition instance under uaa.clientid.
Password
(Credential) Enter the OAuth Client Secret, from the service key of your SAP Build Work Zone, standard edition instance under uaa.clientsecret.
Once you modify the setting, it should be as shown below, and you can click on Save.
Image 32
Next, just before the last step, we are going to validate that the SAP Work Zone Content Channel is also good. In your SAP Work Zone page confirm the status is updated and you may click on the Refresh button.
Image 33
Next, we need to run the SAP Source System Job to synchronize or replicate the SAP S/4HANA Cloud content to the SAP Work Zone. In your SAP Cloud Identity Services, navigate to Identity Provisioning -> click on Source Systems -> select your Joule source system -> click on Jobs, and select Run Now for Read Job.
Image 34
Once the job is triggered, you can Navigate to Identity Provisioning and then click on Provisioning Logs and look for the successful Job Execution. We are focusing on the Statistics part where you should be able to see the Entity and System for User and Group.
Image 35
4. Joule Validation
Congratulations!!! You have completed the Joule setup for your SAP S/4HANA Cloud and based on the setup you can test the Joule use cases with the help of the Diamond icon to launch Joule. I am showing you the options for Show Purchase Orders on my screen below.
Image 36
To learn more about the SAP S/4HANA Cloud Public Edition – Joule capabilities and to view business data you can find the details in the help page.
If you have any further questions on the setup of Joule in SAP S/4HANA Cloud Public Edition, you can refer to the official help page, in case of issues you can Create a Support Ticket using the component ID CA-FLP-EXT-JOU.
Credits to the SAP S/4HANA Cloud Public Edition team, and special thanks to Sarah Rudi, Sahil Grover, Paul Goetz, Philipp Knuesel, Milena Zahn, Emese Antal, Joule product team, and RIG Team for the support to writing this blog post.
Happy Learning!!!
Regards,
Nagesh Caparthy
SAP Business AI RIG Team
If you have any questions about the setup, you can reach our inbox with the Subject line “Joule with SAP S/4HANA Cloud Public Edition Setup questions or issues” at SAP_AI_RIG@sap.com.
IntroductionWe are back with yet another Joule service: From Questions to Insights with Joule, now available in SAP S/4HANA Cloud Public Edition and Supply Chain Management Applications(please read the announcement). Supported by Joule, SAP S/4HANA Cloud Public Edition users can work faster, smarter, and more efficiently, all while maintaining control over crucial decisions and data.With the current release, you can use Joule for:Quick Navigation: Find and quickly navigate to applications for your next task.Instant Insights: Get fast insights on critical business data, such as purchase orders and outbound deliveries.Receiving Help: For those needing help, Joule summarizes relevant enablement content and guides users to it, speeding up task completion.To see Joule in action, watch this video: GROW with SAP – Joule – The AI Copilot. You can also find the latest updates on the Joule capabilities for SAP S/4HANA Cloud Public Edition. Here in this blog, I will guide you through the steps to activate Joule for SAP S/4HANA Cloud Public Edition once you have received your entitlement. You can always find the most up-to-date information on the SAP Help Portal. If you are just getting started with Joule, you may want to read my previous blogs listed below:****************************************************************************This blog post is a series for Joule Setup:SAP Business AI – Overview for all !!! (Includes information on Joule Supported Data Centers, Different scenarios during Joule setup, etc..)Joule – Unified Setup: Bridging Simplicity and Performance (Demo Video to understand the Unified Setup, Joule basics & architecture, how to set up Joule, etc…) Joule Setup – End-to-End Setup Guide (for all Line of Business) Unified Approach Joule for SAP S/4HANA Cloud Public Edition – Setup Guide (You are here)SAP Digital Supply ChainJoule for SAP Integrated Business Planning Joule – Getting Started with Document Grounding – setup guideBlogs – Work in Progress (WIP):SAP SuccessFactors Joule Activation (WIP)SAP Digital Supply Chain (WIP)SAP Asset Performance ManagementSAP Product Lifecycle ManagementSAP Digital ManufacturingSAP Build Work Zone, standard edition, and SAP Mobile Startand more to be added towards General Availability****************************************************************************Now, once you understand SAP’s positioning on the Joule setup with a unified approach, and if you are setting up Joule for SAP S/4HANA Cloud Public Edition, you can continue this blog post booster activity. This blog demonstrates a green field setup with new Joule activations.Joule ArchitectureThe architecture describes the Services and Communications used for Joule and how we are going to activate Joule. Architecture is going to be similar for most of the Joule setup with few changes as required.Image 1Before we get started, let us understand the prerequisites:You have set up the SAP Business Technology Platform (BTP), with the following services active as part of the Joule Setup – End-to-End Setup Guide (for all Line of Business) Unified Approach blog post indicated above.Joule Service – activeSAP Build Work Zone, standard edition – foundation plan or standard plan activated as per the previous blogCloud Foundry – activeSAP S/4HANA Cloud Public EditionYou have set up a role for the administratorYou have set up SAP Cloud Identity Services (test/production tenant based on your setup) with your SAP BTP SubaccountIf you are looking to activate Document Grounding, please complete the Joule setup for your SAP S/4HANA Cloud Public Edition and then follow the blog here.We recommend setting your Joule on the SAP S/4HANA Cloud Public Edition – test tenant for evaluation and then on your Production Tenant.Note: The Joule setup must be done for each tenant as they cannot be transported. Please review the official help documentation if required.During the blog documentation, we may have used different subaccounts in the images attached here. Please do not get confused when looking at the blog series. Please continue the setup process on the same SAP BTP Subaccount that you are working on. Post Booster RunWe will look at the details as to what the setup that a booster has executed in the SAP BTP and SAP S/4HANA Cloud Public Edition while following the previous blog – Joule Setup – End-to-End Setup Guide (for all Line of Business) Unified Approach. Let’s take a look at each configuration:1. Validations and Destination CreationWe need to ensure that the Booster has created the required configurations for the Joule setup. So, we need to validate the following:Validate the Work Zone, Provider IDDestination Certificates4 Destinations SSO, DT, and RT – Default & RT – DataCommunication Arrangements and Communication Systems created in SAP S/4HANA Cloud Public Edition1.1 Validate the SAP Build Work Zone, Provider IDAssign the required role to log in to the SAP Build Work Zone. To do this, in your SAP BTP Subaccount, you can navigate to Security -> your user should be created with SAP Cloud Identity Services by default. In case it’s not created, please Create it. Click on Users and click on Create -> enter your email address -> select the SAP Cloud Identity Services, and click on Create. Image 2Once the user is created, click on it to assign the required Role Collections as shown below.Image 3Now we can go back to the Instance and Subscription options and under the Subscription, click on the SAP Work Zone, standard edition application. You will be redirected with two options, click on the SAP Cloud Identity Service that you have configured, and please authenticate yourself.Image 4Once you log in, please click on the Channel Manager options, check for the SAP S/4HANA Cloud Public Edition content provider, and note the ID value that is displayed below. We will be using this ID value during our IPS configurations.Image 51.2. Destination CertificatesIn your SAP BTP Subaccount, click on Connectivity -> click on Destination Certificates, and select the certificate that you would like to validate. You should be able to see the details shown below.Image 61.3 Validate the Destinations created by the Booster and create NavigationServiceWe need 5 Destination services for Joule to be working with SAP S/4HANA Cloud Public Edition, 4 of the destinations are automatically created with the help of the Booster and you should be able to see them as shown below, and see this in your SAP BTP Subaccount, expand the Connectivity option -> and Click on Destination.SAP S/4HANA SSOJoule Design time DestinationJoule Run time DestinationRuntime DefaultRuntime DataOnce you validate the details, on the same screen you can Click on Create Destination to create a new destination.Image 7In the new window, please enter the following details (we need the Service Key file that is created in your BTP Subaccount): FieldValueName“NavigationService” (should be the same value as mentioned, case sensitive)TypeHTTPURLportal-service URLfrom the service key created for the service instance of SAP Work Zone, standard edition.Proxy TypeInternetAuthenticationOAuth2UserTokenExchangeClient IDClient IDfrom the service key created for the service instance of SAP Build Work Zone, standard edition.Client SecretClient Secretfrom the service key created for the service instance of SAP Build Work Zone, standard edition.Token Service URL TypeDedicatedToken Service URLhttps://<uaa url>/oauth/tokenIt’s the value from the SAP BTP Subaccount – Service Key, just below the Client SecretAdditional PropertiesUse default JDK trust storeEnable this optionPlease verify the details as shown below and click on Save.Image 81.4 Validate the Communication Arrangements and Communication Systems created by the booster in SAP S/4HANA Cloud Public EditionGo to Communication Arrangements, two Communication Systems SAP_COM_0882 and SAP_COM_0647 should be createdImage 9Also, Communication Systems should be created, as Communication Systems are used by SAP_COM_0822 and SAP_COM_0647.Go to Communication Systems, you will see that the two communication arrangements are linked to the destination certificates created in SAP BTP as in step 1.2 of this blog.Image 101.5 Validate your SAP Cloud Identity Services post booster setupYou can navigate to your SAP Cloud Identity Services, which is used by your SAP S/4HANA Cloud Public Edition, and the Subaccount that you have configured. In your SAP Cloud Identity Services, there should be entries for “das-ias” and “document grounding”.To check this, log in to your SAP Cloud Identity Services -> click on Applications and Resources -> click on Application -> search for “das-ias” and then “document grounding” both these services should be listed as shown below.Image 11Based on your setup, you should be able to see the services here. In my case, I can see das-ias, Document Grounding, SAP Build Work Zone, etc…If you use Azure Entra, OKTA, or other IDP services for authentication, you may have to configure the same mechanism with your SAP S/4HANA Cloud Public Edition with your “das-ias” services so that Joule can pick up the same session for Joule authentication.Example:My SAP S/4HANA Cloud Public Edition is using Microsoft Entra, so I have to set up something similar for “das-ias,” as shown below.In your SAP Cloud Identity Services -> click on Application & Resources -> Click on application -> search for your SAP S/4HANA Cloud system -> click on Conditional Authentication – do a similar setup to “das-ias”. In my case, I have Authentication Rules, and my default authentication is still “Identity Authentication”Image 122. Configure S/4HANA Cloud Content with JouleIn this step, we are going to prepare your SAP S/4HANA Cloud Public Edition system for content exposure, and we are going to do the following:2.1 Expose the SAP Fiori Launchpad Content to SAP BTP – to replicate roles and catalogs via SAP_COM_0647.2.2 Maintain Communication Arrangement SAP_COM_0193 – to replicate user-assignments to replicated roles via IPS:2.2.1 Create a Communication User – which represents the IPS (source system config)2.2.2 Create Communication System – which represents the S4 system2.2.3 Assign communication users to the Communication System – to enable read-access for IPS to S4.2.2.4 Create Communication Arrangement SAP_COM_0193 – to enable the required API endpoints for IPS.2.2.5 Activate the communication arrangement – to enable SAP_COM_0193.2.3 Manage Content Security Policy – to enable Joule iFrame loading in FLP.2.1 Expose the SAP Fiori Launchpad Content to SAP BTPThis section is required in case you would like to Maintain Individual Business Roles to be Exposed to SAP BTP in your SAP S/4HANA Cloud system. In most cases, in the Communication Arrangements, the Scenario ID SAP_COM_0647 – Launchpad Content Exposure to SAP BTP Integration – Exposure Role Selection is set to All as shown in the image below.Image 13If you have set Exposure Role Selection to All, then we recommend there should be no more than 3000 apps assigned to a single Role, Group, or Catalog. In case you get an error during the SAP Work Zone refresh, you may want to look at this note and try to Maintain Business Roles individually.SAP Note: https://me.sap.com/notes/0003107801However, if you would like to expose individual business roles to SAP BTP and you can edit the Scenario ID: SAP_COM_0647 and change the Exposure Role Selection to SELECTION (Selected Roles in “Maintain Business Roles” Application), and then you must expose the required roles to SAP BTP as follows:In your SAP S/4HANA Cloud Public Cloud system -> search for Maintain Business Roles -> look for the business roles example I have picked BR_PURCHASER click on it -> click on Edit -> in the Access Categories select the option Exposed to BTP and save the settings as shown below.Image 14Once this is set, the content is ready to be consumed by SAP BTP – SAP Build Work Zone, standard edition service. For details on the exposure log, visit Display Launchpad Content Exposure Logs.2.2 Maintain Communication Arrangement “SAP_COM_0193”We are going to follow the Communication Management approach to enable SAP_COM_0193, which is used in IPS for step Create Source and Target Systems later.See the SAP Help Portal on Communication Management in general and on SAP S/4HANA Cloud as a Source System in IPS for SAP_COM_0193.Image 152.2.1 Create a Communication UserLet us create the Communication User for Inbound, you can navigate to Maintain Communication Users -> Click on New and enter the details that can relate to Joule as shown below:UserName: JOULE_INBOUND_IPSPassword: Propose Password is recommended as it requires at least 20 characters, the password must contain at least one special character. Ensure to make a note of the password that you generate.Click on Create, once the details are entered.Note: We use Basic Authentication in this guide for simplification. You can also use Certificate-based authentication, see the IPS procedure on SAP S/4HANA Cloud as Source System for details.Image 162.2.2 Create Communication System To Create a New Communication System, navigate to Communication Systems -> click on New -> Enter the System ID and System Name as shown below with your system details, and click on Create.Image 172.2.3 Assign communication users to the Communication SystemOnce the user is created, on the Communication Systems page click on the user that you created e.g. K5F100JOULE in my case. Enter the details in the General tab as shown below – we need the System ID and System Name of your choice, but it can be related to Joule. The Host Name should be your SAP S/4HANA Cloud URL without the https://.Image 18Then look for the option Users for Inbound Communication and click on “+”, in Authentication Method select the option User Name and Password, and User Name/Client ID select the User that you have created as shown below, and Save the settings.Image 192.2.4 Create Communication Arrangement SAP_COM_0193Now let us create the Communication Arrangements, navigate to Communication Arrangements in your SAP S/4HANA Cloud system -> Click on New click on the selection option in the Scenario, and search for SAP_COM_0193 and select it.Image 20Enter the Arrangement Name as Joule_Communication_0193 and click on Create.Image 212.2.5 Activate the communication arrangement SAP_COM_0193Click on the Communication Arrangement that you created in the previous step, and in the Communication System click on the select option and select the Communication System that you have created for Joule, in this example it is K5F100JOULE.Image 22For the User Name select the user that you have created in the previous steps, in my case it is JOULE_INBOUND_IPS and click on Save.Image 23This completes the setup for the Communication Arrangement SAP_COM_0193.2.3 Manage Content Security PolicyWe must activate Joule in your SAP S/4HANA Cloud system, and this requires the Joule Service URL. Navigate to your SAP BTP Subaccount where Joule is active -> Click on Instances and Subscriptions -> hover the mouse on the Joule service, right click on it and copy the URL or open the Joule Application, you should be navigated to a new window.Image 24You should be able to see that the Service is up and running, we need the full URL. In case the system is looking for authentication please authenticate yourself with the SAP Cloud Identity Services which is configured in your Subaccount.Image 25Go to your SAP S/4HANA Cloud system, navigate to Manage Content Security Policy, and select the Trusted Sites and click on UI_RESOURCE_SCRIPTS.Image 26Navigate to Managed by Customer and click on New, enter the Joule URL that you have copied, and Save the settings.Image 273. SAP Cloud Identity Services ConfigurationsThis is one of the last steps to configure the SAP Cloud Identity Services. First ensure, we have added your SAP S/4HANA Cloud system as part of the Trusted Domains in the SAP Cloud Identity Services as per the previous blog and then add the Source and the Target systems. Here Navigation service of SAP Build Work Zone, standard edition service uses Identity Provisioning service (IPS) that is used to provision identities and their authorizations between source and target systems.This section describes the steps to configure the source system (SAP S/4HANA Cloud Public Edition) and target systems (Identity Authentication and SAP Build Work Zone, standard edition) in the Identity Provisioning of your IAS application user interface.3.1 Create Source and Target SystemsYou can either create the Source and Target systems manually using the help page here, or you can use the template that I have attached to the bottom of the blog. The attachment takes care of the Transformation and the Properties required as per the help page.I have taken the example of templates, so if you download the files, you can navigate to Identity Provisioning -> select Source System -> click on Add and import the file SourceFile_Joule.json (the attached file has SourceFile_Joule1.txt, please change the file name to SourceFile_Joule1.json before using it). Change the System Name and Description as required and click on the Properties tab to fix the missing values.Image 28In the Properties tab, modify the URL (you can find the correct URL in the API-URL field of the communication arrangement set up for communication scenario SAP_COM_0193) and the User that you have created in your SAP S/4HANA Cloud system and Save the settings.Image 29You need to maintain the field “s4hana.cloud.roles.filter – cFLGExposure eq true” if you have selected Exposure Role Selection to SELECTED for your SAP_COM_0647 in Communication Arrangement.Image 30If you have opted to expose ALL business roles to SAP BTP, please skip the field “s4hana.cloud.roles.filter – cFLGExposure eq true” as it is not required.Next, we are going to import the Target System file. Click on Identity Provisioning -> click on Target System -> click on Add -> Import the file, click on Browse and select the TargetFile_Joule.json (the attached file has TargetFile_Joule1.txt, please change the file name to TargetFile_Joule.json before using it), make changes to the System Name as required, add Description, and click on the Source System option to select your Joule Source that was created in the previous step. Once you make these changes, click on the Properties tab to edit the values.Image 31In the properties tab, we need the values from your SAP Build Work Zone, the service key file that we created in previous steps. Please edit the values that are highlighted below:ParameterValuecflp.providerIdThis is the value from your SAP Work Zone. Navigate to your SAP BTP Subaccount, click on Instance and Subscriptions and click on the SAP Build Work Zone, standard edition and in the new window click on Channel Manager. You will be able to see the Joule Provider ID. In case of authorization issues, please assign the role Launchpad_admin to the subaccount user.OAuth2TokenServiceURLEnter the OAuth 2.0 Token Service URL from the service key of your SAP Build Work Zone, standard edition instance. It follows the pattern: <uaa.url>/oauth/token. Replace the <uaa.url> in the place of URL from service key file. For example: https://ips-cflp-woaealle.authentication.sap.hana.ondemand.com/oauth/tokenURL Enter the API URL of SAP Build Work Zone, standard edition from the service key of your SAP Build Work Zone, standard edition instance under endpoints [portal-service]. It follows the pattern: https://portal-service.cfapps.sap.hana.ondemand.comUserEnter the OAuth Client Id, from the service key of your SAP Build Work Zone, standard edition instance under uaa.clientid.Password(Credential) Enter the OAuth Client Secret, from the service key of your SAP Build Work Zone, standard edition instance under uaa.clientsecret.Once you modify the setting, it should be as shown below, and you can click on Save.Image 32Next, just before the last step, we are going to validate that the SAP Work Zone Content Channel is also good. In your SAP Work Zone page confirm the status is updated and you may click on the Refresh button.Image 33Next, we need to run the SAP Source System Job to synchronize or replicate the SAP S/4HANA Cloud content to the SAP Work Zone. In your SAP Cloud Identity Services, navigate to Identity Provisioning -> click on Source Systems -> select your Joule source system -> click on Jobs, and select Run Now for Read Job.Image 34Once the job is triggered, you can Navigate to Identity Provisioning and then click on Provisioning Logs and look for the successful Job Execution. We are focusing on the Statistics part where you should be able to see the Entity and System for User and Group.Image 354. Joule ValidationCongratulations!!! You have completed the Joule setup for your SAP S/4HANA Cloud and based on the setup you can test the Joule use cases with the help of the Diamond icon to launch Joule. I am showing you the options for Show Purchase Orders on my screen below.Image 36To learn more about the SAP S/4HANA Cloud Public Edition – Joule capabilities and to view business data you can find the details in the help page.If you have any further questions on the setup of Joule in SAP S/4HANA Cloud Public Edition, you can refer to the official help page, in case of issues you can Create a Support Ticket using the component ID CA-FLP-EXT-JOU.Credits to the SAP S/4HANA Cloud Public Edition team, and special thanks to Sarah Rudi, Sahil Grover, Paul Goetz, Philipp Knuesel, Milena Zahn, Emese Antal, Joule product team, and RIG Team for the support to writing this blog post. Happy Learning!!!Regards,Nagesh CaparthySAP Business AI RIG TeamIf you have any questions about the setup, you can reach our inbox with the Subject line “Joule with SAP S/4HANA Cloud Public Edition Setup questions or issues” at SAP_AI_RIG@sap.com. Read More Technology Blogs by SAP articles
#SAP
#SAPTechnologyblog
