
ADMINISTRATION GUIDE | PUBLIC
SAP Global Track and Trace
Document Version: Cloud a
Setup, Configuration and Administration
2019 SAP SE or an SAP affiliate company. All rights reserved.

Content

1 Document History
2 Overview
3 General Aspects
  3.1 Technical Considerations
  3.2 Browser and Browser Settings
  3.3 Product Availability
4 Onboarding
  4.1 Tenant Onboarding
  4.2 Initial User Activation
5 Connecting to SAP Cloud Platform
  5.1 Prerequisites
  5.2 Configure SAP Cloud Platform Neo Subaccount
  5.3 Configure SAP Cloud Platform Identity
  5.4 Add SAP Cloud Platform Subaccount as a Trusted Application
  5.5 Configure SAP Web IDE
    5.5.1 Enable SAP Web IDE Full-Stack
    5.5.2 Import the Destination for the GTT Metadata Service
  5.6 Configure SAP Cloud Platform Business Rules Service
6 Connecting to SAP ERP
  6.1 Prerequisites
  6.2 Deploy SAP Cloud Platform Integration Content
    6.2.1 Set up Certificate and Permissions
    6.2.2 Copy and Deploy Integration Content
    6.2.3 Monitor Integration Content
    6.2.4 Endpoint URL
  6.3 Settings in the ERP System
    Set up Communication with SAP Cloud Platform Integration PI
    Set up Delta Replication Scheduling for Master Data
    Define the SAP Cloud Platform Integration Tenant for SAP Global Track and Trace
    Define Application Object Types and Event Types
  Load Master Data
    Initial Load
    Delta Load
  6.5 Create Master Data in Multiple Language Versions
User Management by Solution Administrators
  Prerequisites
  Background
  Create Business Roles
  Register the Technical User for Your Company
User Management by Other Roles
  Prerequisites
  Tasks for User Administrators
    Register a User for a GTT Solution
    Modify User Information
    Lock a User
    Unlock a User
    Delete Users from a GTT Solution
    Assign Business Roles to Users
    Register the Technical User for Your Company
  Tasks for DP&P Specialists
  Tasks for Audit Specialists
    Access the Audit Log Viewer
Business Configuration
  Prerequisites
  Invite Business Partners to a Solution
  Cancel Invitations Sent to Business Partners
  Discontinue the Participation of Business Partners
  Check Participation Status of Business Partners

1 Document History

Provides details about the changes made in each version of this document.

Document Version | Date | Comment
a | 08 March 2019 | In the chapter User Management by Other Roles, the section Tasks for Audit Specialists was updated in synchronization with the Onboarding guide.
a | 25 January 2019 | The chapter User Management by Solution Administrators was updated with some of the role tables that are synchronized with the Onboarding guide.
a | 20 December 2018 | New chapter "General Aspects". The chapter Connecting to SAP Cloud Platform was updated to integrate with the newly-introduced Onboarding Assistance app.
a | 19 September 2018 | Initial version

2 Overview

About This Document

This document describes the main concepts and tasks required to set up, configure and administer SAP Global Track and Trace. Before you start working through this document, ensure that you have the most recent version of this document available from the SAP Help Portal at:

This document covers application-specific information only. For general information about SAP Cloud Platform, see the documentation on SAP Help Portal at

About SAP Global Track and Trace

The aim of SAP Global Track and Trace is to capture, process and store tracking information about tracked business processes. It then gives business users real-time transparency of the execution of those processes: they can query any tracked process and display its retrieved data from end to end. SAP Global Track and Trace is a cloud service solution based on the SAP Cloud Platform, and is a re-use component of the SAP Leonardo portfolio.

3 General Aspects

This chapter describes some of the general aspects of SAP Global Track and Trace.

3.1 Technical Considerations

Please note that there are currently limitations regarding the overall data volume that can be managed. Before starting your project, please discuss your expected data volumes with your SAP technical contact.

3.2 Browser and Browser Settings

This application supports the standard browsers supported by SAP Cloud Platform. For more information, please see the related chapter in the Feature Scope Description for SAP Cloud Platform.

Note
The apps provided with SAP Global Track and Trace run on desktops, as well as on tablet devices whose screen format is wide enough to display the overview section and the detailed section of the screen side by side.

3.3 Product Availability

This section describes certain product availability aspects.

Availability Aspect | Description
Regions | SAP Global Track and Trace is currently hosted on the AWS data center for Europe.
Languages | The apps provided with SAP Global Track and Trace support the following languages: English, French, German, Spanish, Portuguese (Brazilian), Russian, Simplified Chinese. In addition, selected SAP Global Track and Trace documentation on the SAP Help Portal supports the languages listed above.

4 Onboarding

Onboarding involves the activities required to establish technical connectivity, registration, and initial user activation. This chapter describes how to onboard business users so that they can use SAP Global Track and Trace.

4.1 Tenant Onboarding

After you purchase a license for SAP Global Track and Trace, a tenant is provisioned for you by SAP. You receive the technical information of your tenant in the initial e-mail with the subject line "SAP Cloud Platform is ready to use". To connect to your tenant and complete registration, please follow the procedures in the Onboarding guide, available from the Help Portal at SAP Global Track and Trace.

4.2 Initial User Activation

Prerequisites

You need to have the role solution administrator for your tenant.

Activation Processes

Typical activation processes for business partners and business users:

Role: Business Partner
Activation Process: As a business partner involved in a GTT solution, your company information needs to be maintained in SAP Global Track and Trace. Business partner information is maintained in one of the following ways:
- Option 1: You replicate business partner information from your source systems (such as SAP ERP) to SAP Global Track and Trace. To do this, you connect your SAP ERP system with SAP Global Track and Trace using SAP Cloud Platform Integration PI. For more information, see Connecting to SAP ERP [page 19]. Then the administrator for business partner management can log in and release the business partners in SAP Global Track and Trace using the Manage Business Partners app.
- Option 2: The administrator for business partner management logs in to the Manage Business Partners app, manually creates the business partners, and releases them to SAP Global Track and Trace.

Role: Contact Person of a Business Partner
Activation Process: As the contact person of a business partner in a GTT solution, you become the administrator for user management in your company. When the administrator from the solution owner invites your company to participate in the GTT solution, you receive an e-mail with a link for accepting the invitation and registering you in SAP Global Track and Trace. When you click the link in the e-mail, you navigate to the SAP Cloud Platform Identity Authentication service, where you need to set your admin password for SAP Global Track and Trace. After that, your account is created, and you are automatically logged out to activate your role as user administrator. You can then log in as a user administrator to the Manage GTT Users app. For more information about common user activities (for example, how to reset your password), see the User Guide documentation in the SAP Help Portal for SAP Cloud Platform Identity Authentication Service.
Note
As the user administrator, you also need to set up access for your business users. For more information, see the following details for Business Users.

Role: Business Users
Activation Process: As the user administrator from your company, you register the accounts of your business users. SAP Global Track and Trace then sends these users the details by e-mail. When you click the link in the e-mail, you navigate to the SAP Cloud Platform Identity Authentication Service, where you need to set your own user password for SAP Global Track and Trace. After that, your account is activated, and you are able to access the Global Track and Trace app. For more information about common user activities (for example, how to reset your password), see the User Guide documentation in the SAP Help Portal for SAP Cloud Platform Identity Authentication Service.

5 Connecting to SAP Cloud Platform

This chapter describes how to configure the SAP Cloud Platform Cloud Foundry and Neo environments, and the solutions or services that you want to run in the Neo environment, for use with SAP Global Track and Trace.

Introduction

SAP Web IDE is provided in your SAP Cloud Platform Neo account. However, GTT metadata models are deployed in your SAP Cloud Platform Cloud Foundry environment subaccount. Therefore, a Security Assertion Markup Language (SAML) trust is required between the two subaccounts.

To connect to SAP Cloud Platform, you are required to establish a SAML trust between the Neo and Cloud Foundry environments. This involves completing configuration in three places, as shown in the following table:

The configuration of the SAML trust between the Neo and Cloud Foundry environments

Trust between | Set up in
SAP Cloud Platform Neo environment subaccount and SAP Cloud Platform Identity | SAP Cloud Platform cockpit (Neo environment)
SAP Cloud Platform Identity and SAP Cloud Platform Neo environment subaccount | SAP Cloud Platform Identity Authentication Administration Console
SAP Cloud Platform Cloud Foundry environment subaccount (or identity zone) and SAP Cloud Platform Neo environment subaccount | XS Advanced Administration (Cloud Foundry environment)

After the SAML trust is established between the Neo and Cloud Foundry environments, you then need to configure the solutions or services that you want to run on the Neo environment for use with SAP Global Track and Trace, for example SAP Web IDE and the SAP Cloud Platform Business Rules service.

Related Information
Regions and Hosts on SAP Cloud Platform

5.1 Prerequisites

To perform the tasks described in this chapter, you must have the following prerequisites:
- You are able to log on to the SAP Cloud Platform cockpit.
- You have administrator privileges for your Neo environment subaccount.
- You have the role of administrator for the SAP Cloud Platform Identity Authentication Service in the administration console.
- Optionally, for SAP Cloud Platform Business Rules service:
  - You have a license for SAP Cloud Platform Business Rules service.
  - You have a technical user [P-user] (already created during Onboarding).

5.2 Configure SAP Cloud Platform Neo Subaccount

To use a custom identity provider (and not the default identity provider), you need to configure your SAP Cloud Platform Neo subaccount.

1. Log on to the SAP Cloud Platform Cockpit.
2. Choose your global account and Neo subaccount.
3. Choose Security > Trust.
4. Choose the Local Service Provider tab and perform the following tasks:
   a. Choose Edit.
   b. Change the Configuration Type from Default to Custom, then click Generate Key Pair. The Signing Key and Signing Certificate values are generated.
   c. Enter a name for the Local Provider. You can enter your subaccount name. Keep the name to fewer than 20 characters to avoid issues later.
   d. Enter Enabled as the Principal Propagation value.
   e. Enter Disabled as the Force Authentication value.
   f. Choose Save.
   g. Choose Get Metadata and save the XML file. This file is needed for the tasks you perform in the administration console of the SAP Cloud Platform Identity Authentication service.

5. Choose the Application Identity Provider tab and perform the following tasks:
   a. Choose Add Trusted Identity Provider.
   b. Download the SAP Cloud Platform Identity Authentication tenant metadata by navigating to the following link: metadata
      <Identity_Authentication_Tenant_ID> is an ID generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. The URL contains the tenant ID.
   c. In the General tab, choose Browse and upload the SCI tenant metadata file that you downloaded.
   d. In the Attributes tab, choose Add Assertion Based Attribute. Enter Groups in the Assertion Attribute text box and in the Principal Attribute text box.
   e. Choose Save.

5.3 Configure SAP Cloud Platform Identity

Establish trust between your SAP Cloud Identity and Neo subaccount, as follows:

1. In a browser, navigate to the administration console of the SAP Cloud Platform Identity Authentication service. Example URL: admin/. <Identity_Authentication_Tenant_ID> is an ID generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with the URL of the administration console.
2. Add an application as follows:
   a. Choose the Applications tile.
   b. Choose + Add.
   c. Enter your subaccount name as the application name. Your application is listed in the left pane.
   d. Choose your application.
3. Choose SAML 2.0 Configuration and upload the XML file that you downloaded while configuring the custom identity provider (see Configure SAP Cloud Platform Neo Subaccount [page 12]). Save your changes.

4. Choose the Name ID Attribute, enter as the value, and save your changes.
5. Add an assertion attribute as follows:
   a. Choose Assertion Attributes.
   b. Above the table, choose + Add.
   c. Add Groups as an attribute with value Groups.
   d. Save your changes.

5.4 Add SAP Cloud Platform Subaccount as a Trusted Application

Add the SAP Cloud Platform Neo subaccount as a trusted application in the Cloud Foundry environment as follows:

1. Go to your Cloud Foundry subaccount in the SAP Cloud Platform.
2. In the left pane, select Security > Trust Configuration > New Trust Configuration.
3. Change the XML file that you downloaded while configuring the custom identity provider (see Configure SAP Cloud Platform Neo Subaccount [page 12]) as follows:
   a. Replace all SPSSO strings with IDPSSO.
   b. At the beginning of the XML file, add an XML declaration: <?xml version="1.0"?>
4. In the Metadata field, upload the changed XML metadata.
5. Choose Parse.
6. In the Status box, select Active.
7. Clear the option Show SAML login link on login page.
8. Specify a name in the Name field.
9. Click Save.
10. Click the Trust Configuration you have created.
11. In the left pane, click Role Collection Mappings > New Role Collection Mapping.
12. Select Role Collection: TT_SOLUTION_ADMINS, fill in the value TT_SOLUTION_ADMINS, and save the changes.

The trust between the SAP Cloud Platform Neo subaccount and the Cloud Foundry subaccount is created.
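As an added example (not SAP's own tooling), the following Python script performs the two edits from step 3 on a downloaded metadata file and checks the result before it is uploaded in step 4; the sample metadata embedded in it, including its entityID, hostnames and certificate value, is a constructed placeholder.

```python
"""Apply the two edits from step 3 to the Neo subaccount's SAML metadata
(replace every SPSSO string with IDPSSO, add an XML declaration) and check
the result before it is uploaded as a trust configuration.

Added example, not SAP code. SAMPLE_SP_METADATA is a constructed stand-in
for the file that "Get Metadata" downloads; its entityID, hostnames and
certificate value are placeholders.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_DECLARATION = '<?xml version="1.0"?>'

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="neo-subaccount-placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://neo.example.invalid/saml2/sp/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://neo.example.invalid/saml2/sp/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def convert_sp_to_idp_metadata(sp_xml: str) -> str:
    """Return the metadata with the guide's two edits applied."""
    body = sp_xml.strip()
    # Remove an existing declaration first so the output carries exactly one.
    if body.startswith("<?xml"):
        body = body[body.index("?>") + 2:].lstrip()
    # Step 3a: a plain text replacement, as the guide describes; it renames the
    # opening and closing SPSSODescriptor tags (and any other SPSSO string).
    body = body.replace("SPSSO", "IDPSSO")
    # Step 3b: the declaration goes at the very beginning of the file.
    return XML_DECLARATION + "\n" + body + "\n"


def check_idp_metadata(idp_xml: str) -> dict:
    """Parse the converted file and report what the cockpit will see.

    Raises ValueError for the mistakes this step is prone to: a leftover
    SPSSO string, a missing declaration, or a file that is not well-formed.
    """
    if not idp_xml.startswith(XML_DECLARATION):
        raise ValueError("XML declaration missing at the beginning of the file")
    if "SPSSO" in idp_xml:
        raise ValueError("file still contains SPSSO strings")
    root = ET.fromstring(idp_xml)  # raises ParseError if not well-formed
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp_descriptors = root.findall(f"{{{MD_NS}}}IDPSSODescriptor")
    signing_keys = root.findall(f".//{{{MD_NS}}}KeyDescriptor[@use='signing']")
    return {
        "entity_id": root.get("entityID"),
        "idp_descriptors": len(idp_descriptors),
        "signing_keys": len(signing_keys),
    }


def main(argv):
    """Usage: convert_metadata.py [input.xml [output.xml]]; defaults to the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as src:
            sp_xml = src.read()
    else:
        sp_xml = SAMPLE_SP_METADATA
    idp_xml = convert_sp_to_idp_metadata(sp_xml)
    info = check_idp_metadata(idp_xml)
    if len(argv) > 2:
        with open(argv[2], "w", encoding="utf-8") as out:
            out.write(idp_xml)
    else:
        sys.stdout.write(idp_xml)
    print(f"checked: {info}", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```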

5.5 Configure SAP Web IDE

Configure SAP Web IDE as follows:
1. Enable SAP Web IDE Full-Stack [page 15].
2. Import the Destination for the GTT Metadata Service [page 16].

5.5.1 Enable SAP Web IDE Full-Stack

Enable the SAP Web IDE Full-Stack service and assign permissions to developers as follows:

1. Log on to the SAP Cloud Platform Cockpit.
2. Choose your global account and Neo subaccount.
3. Go to Services > SAP Web IDE Full-Stack and enable the service.
4. Go back to your Neo subaccount.
5. Go to Security > Authorizations:
   a. In the Groups tab, choose New Group to add a new group named WEBIDE_USERS.
   b. Above the Roles table, choose Assign. Then, in the Assign roles for group WEBIDE_USERS dialog box, select sapwebide for Subaccount, di for Application, and DiDeveloper for Role, and choose Save.

5.5.2 Import the Destination for the GTT Metadata Service

You need to download the destination file in the Onboarding Assistance app and import the destination into the SAP Cloud Platform cockpit as follows:

1. Log on to the SAP Cloud Platform Cockpit.
2. Choose your global account and Cloud Foundry subaccount.
3. Choose Subscriptions.
4. Choose the SAP Global Track and Trace tile and click Go to Application.
5. Choose the link under "or sign in with", and log on to the application using the user that is assigned to the user group TT_ONBOARDING_ADMINS.
   Note
   To find the user assigned to the user group TT_ONBOARDING_ADMINS, go to the administration console of SAP Cloud Platform Identity Authentication by using the following URL. Then, in the left pane, choose Users & Authorizations > User Groups. Example URL: admin/. <Identity_Authentication_Tenant_ID> is an ID generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with the URL of the administration console.
6. Click the Onboarding Assistance app and choose the System Integration tab.
7. In SAP Web IDE Metadata Service, click the Download button. Download and save the file.
8. In the SAP Cloud Platform cockpit, go to your Neo subaccount.
9. Choose Connectivity > Destinations to open the Destinations editor.
10. Choose Import Destination and upload the destination file you just downloaded.
11. Under Additional Properties, choose New Property. Set WebIDEEnabled to True.
12. Choose Save.

5.6 Configure SAP Cloud Platform Business Rules Service

Prerequisites

To perform the tasks described in this section, you must have the following prerequisites:
- You have a license for SAP Cloud Platform Business Rules service.
- You have a technical user [P-user] (already created during Onboarding).

Note
This section is optional. You need to configure the service only when you want to add business rules to your deployed GTT models.

Configure the business rules service as follows:

1. You need a P-user to access the event-to-action engine APIs. This P-user provides basic authentication to access event-to-action engine APIs such as the following:
2. Enable the Rule Service in the subaccount.
   a. In the subaccount page, click Services.
   b. Search for Business Rules and enable it.
3. Configure user authorizations.
   a. Create a group Business Rules: in the subaccount, go to Security > Authorizations and add a new group named Business Rules.
   b. Assign roles for the group Business Rules. Select Assign and add two new roles as follows:

      Application and Roles
      Subaccount | Application | Role
      wf130c150 | bpmrulesrepository | RuleSuperUser
      wf130c150 | bpmrulesruntime | RuleSuperUser

   c. Click the name of the group Business Rules to assign your technical user [P-user] to this group. You need the PID (Person ID) of your P-user. To find the PID, use the following URL: people.sap.com/manage

6 Connecting to SAP ERP

This chapter describes how to use SAP Cloud Platform Integration with the SAP Global Track and Trace interfaces to connect to SAP ERP.

Introduction

The interfaces for SAP Global Track and Trace include:
- Tracked Processes and Event Messages, to activate the configuration in the SAP ERP system for process and event tracking with SAP Global Track and Trace.
- ERP Master Data Replication, to integrate SAP ERP master data with SAP Global Track and Trace.

After executing all the steps described, you will be able to replicate the following data from the SAP ERP system to SAP Global Track and Trace:
- Process data such as delivery orders and shipment documents
- Event data such as Goods_Issue, Packing, Picking, and Load_Begin
- Master data such as business partner and location

Tracked Process and Event Messages

To track a process, the following two types of messages can be triggered in the SAP ERP system:
- Extracted process data is sent with IDoc basic type EHPOST01 when creating and updating the data, to be processed for tracked processes in SAP Global Track and Trace.
- Extracted event type data is sent with IDoc basic type EVMSTA02 when reporting the data, to be processed for tracked processes in SAP Global Track and Trace.

In the SAP ERP system, the necessary customizing needs to be maintained to trigger the data extraction and create the IDocs. The IDocs are sent to an SAP Cloud Platform Integration (SAP CI) tenant on which one integration flow has to be configured for each IDoc message type.

ERP Master Data Replication

The replication of master data is message-based, using the IDoc format. SAP ERP supports the following types of messages that represent business partners and locations:
- customer data, which uses IDoc message type DEBMAS
- vendor data, which uses IDoc message type CREMAS
- address data, which uses IDoc message type ADRMAS
- product data, which uses IDoc message type MATMAS

When sending data to the SAP Global Track and Trace Master Data service through SAP Cloud Platform Integration PI, the outbound adapter is an HTTP adapter. Thus, for customer data and vendor data, both the POST method and the PUT method need to be maintained in the SAP ERP Master Data Replication package. There are seven process integration artifacts in the package:
- Replicate Customer from SAP ERP
- Replicate Vendor from SAP ERP
- Replicate Address from SAP ERP
- Replicate Product from SAP ERP
- Replicate Business Partner and Product from SAP ERP: this process integration artifact contains all content from the four artifacts above. To simplify your settings, you can use this one instead of those four artifacts.
- Replicate Location from SAP ERP
- Failed Logs: this process integration artifact generates an error report for iflow messages. The report shows all iflow message errors that occur during a specified time frame on a certain process integration artifact in the SAP ERP Master Data Replication package.

6.1 Prerequisites

To perform the tasks described in this chapter, you must have the following prerequisites:

SAP ERP
- You have a specified user in SAP ERP with the necessary roles.
- You have implemented SAP Note and SAP Note or installed the corresponding support packages.
- For sending messages from the SAP ERP system to SAP CI, you have implemented one of the following authentication methods:
  - Basic authentication: the RFC user ID in your SAP ERP system has been registered as the SAP CI user ID and assigned appropriate authorization for sending messages. For more information, see Managing User Role Assignments.
  - Client-certificate authentication: the client certificate in your SAP ERP system is signed by a certificate authority (CA) that is supported by SAP. For a list of all supported CAs, see Load Balancer Root Certificates Supported by SAP. For the procedure to generate a certificate request and send it to a CA, see Configuring SAP NetWeaver AS for ABAP to Support SSL.

SAP Cloud Platform Integration PI
- You have been provided with an SAP Cloud Platform Integration tenant.
- You have installed the Eclipse-based tools for SAP Cloud Platform Integration. For details of the Eclipse-based tools, see Installing and Configuring the Tool.

SAP Global Track and Trace
- You have a user with the necessary roles in SAP Global Track and Trace.

The following roles perform the stated activities:

Role | Activity
SAP ERP Consultant | Configures the Sales and Distribution area of SAP ERP; configures integration with other SAP components of SAP ERP
System Administrator | Establishes a secure network connection between the SAP ERP system and SAP Global Track and Trace; installs software
SAP Cloud Platform Integration Consultant | Configures SAP Cloud Platform Integration
Master Data Specialist | Creates the master data of business partners in non-English languages

6.2 Deploy SAP Cloud Platform Integration Content

6.2.1 Set up Certificate and Permissions

To enable a secure connection between the SAP ERP system and SAP Cloud Platform Integration, the certificates need to be configured correctly. To establish a secure connection from the SAP ERP system to SAP Cloud Platform Integration, you must import the root certificate from SAP Cloud Platform Integration into the Trust Manager of the SAP ERP system.

1. Open a web browser (such as Google Chrome) and enter the URL of your SAP Cloud Platform Integration (SAP CI) tenant. Open the Security tab (for example, press F12 in Google Chrome), click View certificate, click Details, and then click View certificate. The Certificate dialog box appears.
2. On the Certification Path tab, select the root certificate, such as Baltimore CyberTrust Root, and then click View Certificate. The Certificate dialog box of the root certificate appears.
3. On the Details tab, click Copy to File, and then save the certificate in the Base-64 encoded X.509 format. You now have a copy of the root certificate.

4. Log on to the SAP ERP system, open the Trust Manager (transaction STRUST), and then open an SSL client. For the client-certificate authentication method, a CA-signed client certificate should be added to the SSL client. The CA must be supported by SAP. For a list of all supported CAs, see Load Balancer Root Certificates Supported by SAP.
5. In the Certificate area, click Import certificate, and then enter the directory where the copy of the root certificate is located in File Path.
6. Click Add to Certificate List and then save.

For the basic authentication method and the client-certificate authentication method with certificate-to-user mapping, make sure that the SAP CI user that is used to trigger calls from outside the middleware to SAP CI has the necessary permission for sending messages. We recommend that you assign the following roles to the associated user:
- To enable access to the web tool, to monitor, to deploy integration iflows, or to deploy security content included in integration flows: AuthGroup.IntegrationDeveloper (Application: TMN)
- To enable monitoring and reading of the message payload (for example, MPL attachments): AuthGroup.BusinessExpert (Application: TMN)
- To enable monitoring, deploying integration iflows, or deploying security content on TMN level (for example, keystores): AuthGroup.Administrator (Application: TMN)
- To enable a sender system to process messages on a tenant using HTTPS/basic authentication: ESBMessaging.send (Application: IFLMAP)

For more information, see Overview of Authorization Groups.

You must deploy a Java keystore (type JAVA_KEYSTORE, with extension .jks) on your SAP CI PI tenant in the Eclipse-based tool. The keystore must contain the root certificate of SAP Global Track and Trace, so that SAP Global Track and Trace can be identified as a trusted server by the CI PI tenant. To generate a new tenant client keystore, see Setting Up the Tenant Client Keystore.
Note
We recommend that you contact SAP for Java keystore deployment.

Authentication and Authorization (Inbound)

Authentication and authorization options can be combined in a specific way for inbound communication of SAP CI PI.

Authentication and Authorization Options

Authentication Option | Can Be Used with the Following Authorization Option
Basic authentication: the sender (client) authenticates itself against the server based on user credentials (SCN user name and password). The HTTP header of the inbound message (from the sender) contains the user name and password. | Role-based authorization: for this user, the authorizations are checked based on user-to-role assignments defined on the tenant. To authorize a sender system to process messages on a tenant, the role ESBMessaging.send has to be assigned to the associated user.
Client-certificate authentication and certificate-to-user mapping: the sender (client) authenticates itself against the server based on a digital client certificate. Furthermore, this certificate is mapped to a user (based on the information contained in a Certificate-to-User Mapping artifact deployed on the tenant). | Role-based authorization: for the user derived from the certificate-to-user mapping, the authorizations are checked based on user-to-role assignments defined on the tenant. To authorize a sender system to process messages on a tenant, the role ESBMessaging.send has to be assigned to the associated user.
Client-certificate authentication (without certificate-to-user mapping): the sender (client) authenticates itself against the server based on a digital client certificate. | Subject/Issuer DN authorization check of a certificate: in a subsequent authorization check, the permissions of the sender are checked on the tenant by evaluating the distinguished name (DN) of the client certificate of the sender.

For more information, see Authentication and Authorization Options (Inbound).

If you use client-certificate authentication, you must export the client certificate supported by SAP from the SAP ERP system. If you use client-certificate authentication and certificate-to-user mapping, you must define a certificate-to-user mapping in the SAP CI PI tenant.
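The three combinations in the table, and the Sender Authorization choice between User Role and Client Certificate that selects among them when an integration flow is configured, as an added illustrative model in Python. This is not SAP Cloud Platform Integration's own implementation; the users, passwords, DNs and certificate-to-user mapping in it are constructed placeholders.

```python
"""Model of the three authentication/authorization combinations in the table
above. Added illustrative code, not SAP Cloud Platform Integration's own
implementation: it shows which check decides for which kind of sender, and
why a sender can authenticate successfully and still be refused. Users,
passwords, DNs and the mapping below are constructed placeholders.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

SEND_ROLE = "ESBMessaging.send"  # role named in the guide


def normalize_dn(dn: str) -> str:
    """Canonical form of a DN string for comparison: trimmed RDNs and upper-case
    attribute types, so "cn=erp, o=Acme" equals "CN=erp,O=Acme". Simplified:
    escaped commas inside values (RFC 4514) are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)


@dataclass(frozen=True)
class ClientCertificate:
    subject_dn: str
    issuer_dn: str

    def key(self) -> Tuple[str, str]:
        return normalize_dn(self.subject_dn), normalize_dn(self.issuer_dn)


@dataclass
class InboundRequest:
    """What the tenant sees from the sender: basic-auth credentials from the
    HTTP header, a TLS client certificate, or neither."""
    basic_user: Optional[str] = None
    basic_password: Optional[str] = None
    client_cert: Optional[ClientCertificate] = None


@dataclass
class TenantConfig:
    users: Dict[str, str]                      # user -> password (constructed)
    roles: Dict[str, Set[str]]                 # user -> assigned roles
    cert_to_user: Dict[Tuple[str, str], str]   # (subject DN, issuer DN) -> user
    # Sender Authorization of the integration flow: "User Role" (rows 1 and 2)
    # or "Client Certificate" (row 3: subject/issuer DN check, no user involved).
    sender_authorization: str = "User Role"
    allowed_subject_dn: str = ""
    allowed_issuer_dn: str = ""


def authorize(req: InboundRequest, cfg: TenantConfig) -> Tuple[bool, str]:
    """Return (allowed, reason) for an inbound message."""
    if cfg.sender_authorization == "Client Certificate":
        # Row 3: no user is derived; the certificate's DNs must match exactly.
        if req.client_cert is None:
            return False, "no client certificate presented"
        expected = (normalize_dn(cfg.allowed_subject_dn), normalize_dn(cfg.allowed_issuer_dn))
        if req.client_cert.key() == expected:
            return True, "subject/issuer DN matches the sender configuration"
        return False, "client certificate DN is not the configured sender"

    # Rows 1 and 2: first derive a user, then check its role assignment.
    if req.client_cert is not None:
        user = cfg.cert_to_user.get(req.client_cert.key())
        if user is None:
            return False, "client certificate has no certificate-to-user mapping"
        how = "certificate-to-user mapping"
    elif req.basic_user is not None:
        stored = cfg.users.get(req.basic_user, "")
        if not hmac.compare_digest(stored.encode(), (req.basic_password or "").encode()):
            return False, "basic authentication failed"
        user, how = req.basic_user, "basic authentication"
    else:
        return False, "no credentials presented"
    if SEND_ROLE in cfg.roles.get(user, set()):
        return True, f"user {user} ({how}) has {SEND_ROLE}"
    return False, f"user {user} ({how}) lacks {SEND_ROLE}"


def sample_tenant(sender_authorization: str = "User Role") -> TenantConfig:
    """Constructed tenant: one mapped ERP certificate, one basic-auth user with
    the send role, and one monitoring user without it."""
    erp_subject = "CN=erp-placeholder, O=Example Corp, C=DE"
    erp_issuer = "CN=Example CA, O=Example Corp, C=DE"
    return TenantConfig(
        users={"erp_rfc_user": "placeholder-password", "monitor_user": "placeholder-2"},
        roles={"erp_rfc_user": {SEND_ROLE}, "monitor_user": {"AuthGroup.BusinessExpert"},
               "erp_cert_user": {SEND_ROLE}},
        cert_to_user={(normalize_dn(erp_subject), normalize_dn(erp_issuer)): "erp_cert_user"},
        sender_authorization=sender_authorization,
        allowed_subject_dn=erp_subject,
        allowed_issuer_dn=erp_issuer,
    )
```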
For more information, see Managing Certificate-to-User Mappings.

You must create valid credentials for your technical users of SAP Global Track and Trace on your SAP CI PI tenant. For more information, see Deploying and Editing a User Credentials Artifact.

6.2.2 Copy and Deploy Integration Content

1. Access the SAP Cloud Platform Integration web-based application.
2. From the Discover page, locate your package and then click it to navigate to the details page of the package.
   - Package name for master data replication: SAP Global Track and Trace Interface: SAP ERP Master Data Replication
   - Package name for process and event tracking: SAP Global Track and Trace Interface: Tracked Processes and Event Messages

24 3. Click Copy in the upper right corner of the screen and navigate to the Design page. You can also copy the same package into the workspace multiple times if you want to connect to more than one GTT tenant. To copy an existing package to your workspace, choose Create copy and then specify a unique suffix. 4. For each process integration, choose Actions Configure, enter the value of the following parameters, and then save your settings. Package and Parameter Values Package Tab Parameter Value SAP ERP Master Data Replication SAP ERP Master Data Replication Sender Address This is a part of the endpoint address, for example /ERP/ DEBMAS.DEBMAS06. Make sure the value of ERPaddress for each process integration is unique on the SAP CI PI tenant. Sender Authorization The authorization type of inbound communication. For role-based authentication, choose User Role and enter the role based on which inbound authorization is used. The default role is ESBmessaging.send. For subject/issuer DN authorization, choose Client Certificate and enter the subject DN and issuer DN of the CA signed client certificate of your SAP ERP system or upload the CA signed client certificate file exported from your SAP ERP system by using transaction STRUST. SAP ERP Master Data Replication Receiver webservicehost The URL of the Global Trace and Trace tenant. 24 P U B L I C Connecting to SAP ERP

25 Package Tab Parameter Value Process and event tracking (artifact: Create or Update Tracked Processes) Sender Address A part of the endpoint address, for example /ERP/ AOPOST.EHPOST01. Make sure the value for each process integration is unique on the SAP CI PI tenant. Process and event tracking (artifact: Create or Update Tracked Processes) Sender Authorization The authorization type of inbound communication. For role-based authentication, choose User Role and enter the role based on which inbound authorization is used. The default role is ESBmessaging.send. For subject/issuer DN authorization, choose Client Certificate and enter the subject DN and issuer DN of the CA signed client certificate of your SAP ERP system or upload the CA signed client certificate file exported from your SAP ERP system by using transaction STRUST. Process and Event Tracking (artifact: Create or Update Tracked Processes) Process and Event Tracking (artifact: Send Event Message) Master Data/Process and Event Tracking Master Data/Process and Event Tracking Receiver processmessaginguri The URL of the Global Trace and Trace tenant. Receiver eventmessaginguri The URL of the Global Trace and Trace tenant. Receiver Credential Name The user credential you have deployed on your SAP CI PI tenant. Parameters EnablePayloadLogging If you want to generate a log file of the payload for each message, enter True for debugging issues. But for the security of the data, we recommend that you enter False. Connecting to SAP ERP P U B L I C 25

Package: SAP ERP Master Data Replication
  Tab: Receiver / Parameter: tmnurl
    The URL of the tenant management node of your SAP CPI tenant.
  Tab: Receiver / Parameter: Credential Name
    The user credential you have deployed on your SAP CPI tenant. This user must have permission to log on to your SAP CPI tenant.
  Tab: Receiver / Parameter: Page Size (optional)
    The page size used to retrieve the required number of records.
  Tab: More / Parameter: artifactid
    The ID of the artifact on which you want to catch iFlow message errors. Only one artifact ID can be specified.
  Tab: More / Parameter: starttime
    Start time of the time frame in which the system catches iFlow message errors. Data format: YYYY-MM-DDTHH:MM:SS (GMT)
  Tab: More / Parameter: endtime
    End time of the time frame in which the system catches iFlow message errors. Data format: YYYY-MM-DDTHH:MM:SS (GMT)

5. Deploy the integration contents in the package. After you deploy the Failed Logs artifact, the system generates a message processing log in the Operation view of the SAP Cloud Platform Integration web-based application. This message processing log contains an error report (a JSON attachment) for iFlow messages. You can check the error count, artifact ID, error message, and attachments in the report.

6.2.3 Monitor Integration Content

You use the web-based SAP CI monitor application to check whether the integration contents have been deployed and started successfully. For more information, see Web-Based Monitoring. Additionally, you can check the status of messages in the web-based SAP CI monitor application.

6.2.4 Endpoint URL

The integration processes for master data replication and process and event messaging are triggered by the SAP ERP system. Therefore, SAP ERP has to know the endpoint URL that is used to connect to SAP Cloud Platform Integration. To view the endpoint URL in SAP Cloud Platform Integration, proceed as follows:

1. Go to Integration Content Monitor > Manage Integration Content.
2. Click the integration content to which you need to send messages.

Results

If it is deployed and started successfully, you can see the endpoint URL. The URL follows this pattern:

<<URL of your SAP Cloud Platform Integration environment>>/cxf/<<address>>

Note: The address is the Address field that you specified under the Sender tab of the integration content configuration.

6.3 Settings in the ERP System

This section describes the SAP ERP system settings that are required for activating a specific visibility process, and for establishing communication between SAP ERP and SAP CI.

Note: Before you make these settings, ensure that you have activated the application system interface for SAP Global Track and Trace for process and event tracking. In the standard system, the application interface for SAP Global Track and Trace is inactive when shipped. Therefore, the relevant BAdIs and BETs are not called.

To activate the application interface for process and event tracking in the SAP ERP system, you must set the PI-EM indicator using transaction BF11.

1. Set up communication with SAP CI PI.
2. Set up delta replication scheduling for master data replication.
   Note: This setting is NOT needed for process and event tracking.
3. Define the SAP Cloud Platform Integration tenant for SAP Global Track and Trace.
   Note: This setting is NOT needed for master data replication.
4. Define application object types and event types.
   Note: This setting is NOT needed for master data replication.

Note: For SAP S/4HANA, you must activate SAP Master Data Governance (MDG) to ensure the scenarios for data replication. For more information about MDG, see the SAP Master Data Governance documentation.

6.3.1 Set up Communication with SAP Cloud Platform Integration PI

To set up communication with SAP Cloud Platform Integration PI, you must complete the steps outlined in this section.

1. Define Logical Systems [page 29]
2. Create RFC Destinations [page 29]
3. Assign Message Types to IDOC Types [page 31]
4. Create Ports for IDoc Processing [page 32]
5. Create Partner Profiles [page 32]
6. Define Distribution Model [page 34]
7. Define Technical Settings for Business Systems for S/4HANA [page 35]
8. Define Replication Model for S/4HANA [page 36]

6.3.1.1 Define Logical Systems

For master data replication, you need to define two logical systems: one representing the receiver of business partner data, and the other representing the receiver of location data. If you are also implementing process and event tracking, you can share either of the logical systems.

1. Transaction: SALE > Basic Settings > Logical Systems > Define Logical System.
2. On the Change View "Logical Systems": Overview screen, choose New Entries.
3. On the New Entries: Overview of Added Entries screen, enter the required fields.
4. Choose Save.

6.3.1.2 Create RFC Destinations

In the SAP ERP system, create one RFC destination for each of the following endpoints used for master data replication:

- endpoint that receives IDoc DEBMAS06 to replicate customers: the URL endpoint can be found on SAP CI in the iFlow with ID com.sap.tnt.md.customercreation
- endpoint that receives IDoc CREMAS06 to replicate vendors: the URL endpoint can be found on SAP CI in the iFlow with ID com.sap.tnt.md.vendorcreation
- endpoint that receives IDoc ADRMAS03 to replicate addresses: the URL endpoint can be found on SAP CI in the iFlow with ID com.sap.tnt.md.addressreplication
- endpoint that replicates locations: the URL endpoint can be found on SAP CI in the iFlow with ID com.sap.tnt.md.locationreplication
- endpoint that replicates products: the URL endpoint can be found on SAP CI in the iFlow with ID com.sap.tnt.md.productreplication

Alternatively, if you are using the "Replicate Business Partner and Product from SAP ERP" artifact, you only need to create two RFC destinations for master data replication:

- endpoint that replicates business partners and products: the URL endpoint can be found on SAP CI in the iFlow with ID com.sap.tnt.md.productreplication
- endpoint that replicates locations: the URL endpoint can be found on SAP CI in the iFlow with ID com.sap.tnt.md.locationreplication

For more information about process integration artifacts, see Connecting to SAP ERP [page 19].

The following two RFC destinations need to be created for process and event tracking (posting tracked processes and sending event messages):

- endpoint that receives IDoc EHPOST01 to post tracked processes: the URL endpoint can be found on SAP CI in the iFlow with ID com.sap.tnt.core.processmessaging
- endpoint that receives IDoc EVMSTA02 to send event messages: the URL endpoint can be found on SAP CI in the iFlow with ID com.sap.tnt.core.eventmessaging

Note: Before completing the following procedure, you may need to configure proxy settings, depending on how the SAP ERP system is set up.

1. Transaction: SM59.
2. Select HTTP Connections to External Server and then choose Create.
3. On the RFC Destination screen, enter the following settings:
   - RFC Destination: the name of the RFC destination.
   - Connection Type: G.
   - Description: a description of this RFC destination.
   On the Technical Settings tab, if the endpoint URL is <<URL of your SAP CI environment>>/cxf/<<address>>:
   - Target Host: the host name from the runtime URL of your SAP CI environment (host name only, without scheme or path)
   - Service No.: 443
   - Path Prefix: /cxf/<<address>>, where address is the Address field that you specified under the Sender tab of the integration content configuration.
   On the Logon & Security tab:
   - Logon > Logon with User: For basic authentication, choose Basic Authentication and enter the user credentials that are also registered in SAP CI. For client-certificate authentication, choose Do Not Use a User.
   - Logon > Logon with Ticket: keep the default value Do Not Send Logon Ticket.
   - Logon > Security Options > Status of Secure Protocol: choose Active in SSL, and choose the SSL client certificate (PSE) created previously.
4. Choose Save.
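The package parameters configured in step 4 above, the endpoint URL pattern from Endpoint URL, and the SM59 fields in the procedure just described all derive from the same few values, so they can be sanity-checked before anything is deployed. The following script is an added example and is not part of this guide or of SAP's integration content: it models a package configuration, flags the settings that matter for security (EnablePayloadLogging left on, one sender address reused by two iFlows, a non-TLS endpoint), derives the SM59 technical and logon settings from an endpoint URL, and validates the starttime/endtime window of the Failed Logs artifact. The runtime host name, the CREMAS sender address and the duplicate entry are constructed sample data; the iFlow IDs and the two sender addresses /ERP/DEBMAS.DEBMAS06 and /ERP/AOPOST.EHPOST01 are the ones quoted in this guide.

```python
"""Added example: review SAP CPI package parameters for the GTT integration and derive
the SM59 HTTP destination fields the SAP ERP side needs. Illustrative, not SAP code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample runtime URL (a real tenant has its own host name).
CPI_RUNTIME_URL = "https://example-iflmap.hcisbp.eu1.hana.ondemand.com"


@dataclass(frozen=True)
class IflowConfig:
    artifact_id: str            # iFlow ID as shown in the CPI package
    sender_address: str         # Sender tab > Address, e.g. "/ERP/DEBMAS.DEBMAS06"
    sender_authorization: str   # Sender tab > Authorization: "User Role" or "Client Certificate"
    enable_payload_logging: bool = False   # Parameters tab > EnablePayloadLogging


def endpoint_url(runtime_url: str, address: str) -> str:
    """Build <<runtime URL>>/cxf/<<address>>, the pattern shown under Manage Integration Content."""
    return f"{runtime_url.rstrip('/')}/cxf/{address.lstrip('/')}"


def sm59_settings(url: str, sender_authorization: str) -> dict:
    """Derive the SM59 destination (connection type G) fields from a CPI endpoint URL."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-TLS endpoint: {url}")
    if not parts.path.startswith("/cxf/"):
        raise ValueError(f"not a CPI CXF endpoint: {url}")
    # Role-based inbound authorization on CPI pairs with a basic-auth user in SM59;
    # client-certificate authorization pairs with "Do Not Use a User" plus the client PSE.
    logon = {"User Role": "Basic Authentication",
             "Client Certificate": "Do Not Use a User"}[sender_authorization]
    return {
        "Connection Type": "G",
        "Target Host": parts.hostname,          # host name only, no scheme or path
        "Service No.": parts.port or 443,
        "Path Prefix": parts.path,              # "/cxf/<<address>>"
        "Logon with User": logon,
        "Logon with Ticket": "Do Not Send Logon Ticket",
        "Status of Secure Protocol": "Active (SSL)",
    }


def review_package(configs) -> list:
    """Return human-readable findings for settings that should be fixed before deployment."""
    findings = []
    first_owner = {}
    for cfg in configs:
        if cfg.sender_authorization not in ("User Role", "Client Certificate"):
            findings.append(f"{cfg.artifact_id}: unknown sender authorization "
                            f"{cfg.sender_authorization!r}")
        if cfg.enable_payload_logging:
            findings.append(f"{cfg.artifact_id}: EnablePayloadLogging=True writes business "
                            "payloads to the CPI message log; set False outside debugging")
        owner = first_owner.setdefault(cfg.sender_address, cfg.artifact_id)
        if owner != cfg.artifact_id:
            findings.append(f"{cfg.artifact_id}: sender address {cfg.sender_address} "
                            f"already used by {owner} (addresses must be unique per tenant)")
    return findings


def failed_logs_window(starttime: str, endtime: str):
    """Validate the More > starttime/endtime pair (YYYY-MM-DDTHH:MM:SS, interpreted as GMT)."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    start = datetime.strptime(starttime, fmt).replace(tzinfo=timezone.utc)
    end = datetime.strptime(endtime, fmt).replace(tzinfo=timezone.utc)
    if end <= start:
        raise ValueError("endtime must be after starttime")
    return end - start


# Constructed sample package: the CREMAS address and the copy-paste duplicate are assumptions.
SAMPLE_PACKAGE = [
    IflowConfig("com.sap.tnt.md.customercreation", "/ERP/DEBMAS.DEBMAS06", "Client Certificate"),
    IflowConfig("com.sap.tnt.md.vendorcreation", "/ERP/CREMAS.CREMAS06", "Client Certificate"),
    IflowConfig("com.sap.tnt.core.processmessaging", "/ERP/AOPOST.EHPOST01", "User Role",
                enable_payload_logging=True),
    IflowConfig("com.sap.tnt.core.eventmessaging", "/ERP/AOPOST.EHPOST01", "User Role"),
]

if __name__ == "__main__":
    for finding in review_package(SAMPLE_PACKAGE):
        print("FINDING:", finding)
    url = endpoint_url(CPI_RUNTIME_URL, SAMPLE_PACKAGE[0].sender_address)
    for key, value in sm59_settings(url, SAMPLE_PACKAGE[0].sender_authorization).items():
        print(f"{key}: {value}")
    print("Failed Logs window:", failed_logs_window("2019-01-01T00:00:00", "2019-01-01T01:00:00"))
```

Run it against your own package values; the two findings it reports for the sample (payload logging enabled, a duplicated sender address) are exactly the two mistakes that are easy to make when an iFlow is copied and reconfigured.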

Results

After saving, you can execute a connection test. If the setup is correct, the connection test returns a success HTTP status code.

6.3.1.3 Assign Message Types to IDOC Types

Message types and IDoc types are used for sending application object types and event messages. You must assign message types to IDoc types.

1. Transaction: WE82.
2. Enter the following new entry:
   Message Type: AOPOST
   Basic Type: EHPOST01
   Release:
3. Enter the following new entry:
   Message Type: EVMSTA
   Basic Type: EVMSTA02
   Release: 46C
4. Save the new entries.

6.3.1.4 Create Ports for IDoc Processing

A port is a channel through which the SAP ERP system exchanges data with SAP Cloud Platform Integration PI. You create a port of the XML HTTP type that uses an RFC connection you created previously, so you need one port for each RFC destination you created for master data replication and for process and event tracking.

1. Transaction: WE21.
2. Select XML HTTP and choose Create.
3. On the Ports in IDoc processing screen, enter the following settings:
   - Port: the name of the port
   - Description: description of the port
   - RFC Destination: the RFC destination you previously created
   - Content Type: choose Application/x-sap.idoc
   - Select the SOAP Protocol checkbox
4. Choose Save.

6.3.1.5 Create Partner Profiles

You must create a partner profile for each logical system you previously created. If you are implementing both master data replication and process and event tracking, the two can share one partner profile.

For the partner profile that replicates business partner data, add DEBMAS, CREMAS, ADRMAS, and MATMAS to the outbound parameters. The receiver ports are the corresponding ports for the RFC destinations of com.sap.tnt.md.customercreation, com.sap.tnt.md.vendorcreation, com.sap.tnt.md.addressreplication, and com.sap.tnt.md.productreplication.

For the partner profile that replicates location data, add DEBMAS, CREMAS, and ADRMAS to the outbound parameters. The receiver port is the port for the RFC destination of com.sap.tnt.md.locationreplication.

If you are also implementing process and event tracking, add the message types AOPOST and EVMSTA to the outbound parameters of whichever logical system you chose to share.

1. Transaction: WE20.
2. Select Partner Type LS, and choose Create.
3. On the Partner Profiles screen, enter the following settings:
   - Partner No.: the logical system that you defined in the previous step.
   - Partn. Type: LS.
   On the Post processing: permitted agent tab:
   - Ty.: User
   - Agent: the ERP user with the necessary roles
   - Language: EN
4. Choose Save.
5. In the Outbound parameters section, choose Create outbound parameter and create one entry per message type. For every entry, on the Outbound Options tab, set Receiver Port to the port you created for the corresponding RFC destination, set Output mode to Pass IDoc Immediately, and select the Cancel Processing After Syntax Error checkbox. The message types and their basic IDoc types are:
   - CREMAS (creating and updating vendors): Basic type CREMAS06
   - DEBMAS (creating and updating customers): Basic type DEBMAS06
   - ADRMAS (creating and updating addresses): Basic type ADRMAS03
   - MATMAS (creating and updating products): Basic type MATMAS05
   - AOPOST (creating and updating tracked processes): Basic type EHPOST01
   - EVMSTA (sending event messages): Basic type EVMSTA02
6. Choose Save.

6.3.1.6 Define Distribution Model

You need to define a distribution model to connect the logical systems you have created.

For the distribution model that replicates business partner data, add DEBMAS, CREMAS, MATMAS, and the BAPI AddressOrg.SaveReplica. For the distribution model that replicates location data, add DEBMAS, CREMAS, and the BAPI AddressOrg.SaveReplica. If you are also implementing process and event tracking for business partners and locations, add AOPOST and EVMSTA (to whichever logical system you chose to share).

1. Transaction: BD64.
2. Switch to edit mode.
3. Choose Create Model View.
4. On the Create Model View screen, enter the following settings:
   - Short text: short text description for the distribution model
   - Technical name: technical name for the distribution model
5. Choose Continue.
6. In the Distribution Model list, select the distribution model you created and choose Add Message Type.
7. On the Add Message Type screen, enter the corresponding settings. In every case the Sender is the logical system created for the SAP ERP system and the Receiver is the logical system created for SAP CI:
   - For sending customers: Message Type DEBMAS
   - For sending vendors: Message Type CREMAS
   - For sending products: Message Type MATMAS
   - For tracking processes: Message Type AOPOST
   - For event messages: Message Type EVMSTA
8. In the Distribution Model list, select the distribution model you created, choose Add BAPI, and then enter the following settings for sending addresses:
   - Sender: the logical system created for the SAP ERP system
   - Receiver: the logical system created for SAP CI
   - Obj.name: AddressOrg
   - Method: SaveReplica
9. Choose Save.

6.3.1.7 Define Technical Settings for Business Systems for S/4HANA

1. Enter transaction code DRFIMG and then navigate to Define Custom Settings for Data Replication > Define Technical Settings > Define Technical Settings for Business Systems.
2. To define a new business system and maintain the logical system for the receiving systems, choose New Entries.
3. In the Logical System field, enter the logical system name used for IDoc communication. In the RFC Destination field, enter the RFC destination to be used for RFC communication with the receiver system.
4. Select the entry and click Define Bus. Systems, BOs.
5. Create a new entry:
   - For customers, in the BO Type field enter the business object type 159.
   - For vendors, in the BO Type field enter the vendor business object type.
6. Select each entry and then double-click Define Bus. Systems, BOs, Communication Channel. This table must contain an entry for IDoc replication. If you cannot find one, create a new entry. Select the entry containing "Communication Channel: Replication via IDoc". In the Key Harm. column, select Harmonized IDs.

6.3.1.8 Define Replication Model for S/4HANA

1. Enter transaction code DRFIMG and then navigate to Define Custom Settings for Data Replication > Define Replication Models.
2. Choose Define Replication Model > New Entries.
3. Enter the replication model name and its description.
4. Click to highlight the line and then choose Assign Outbound Implementation.
5. Create a new entry:
   - For customers, in the Outb. Impl. field enter 159_2.
   - For vendors, in the Outb. Impl. field enter 226_2.
6. Select each line and then double-click Assign Target System for Repl. Model/Outb.Impl. Create a new entry and enter the business system name for the receiving system created previously.
7. Return to the Define Replication Model view. Choose Save to save your entries.
8. Locate the newly created replication model, and choose Activate.

6.3.2 Set up Delta Replication Scheduling for Master Data

To schedule delta replication for master data, you must complete the following steps.

Note: These steps are not required for process and event tracking.

6.3.2.1 Enable Change Pointers (General)

1. Transaction: BD61.
2. On the Activate Change Pointers Generally screen, select Change pointers activated - generally.

6.3.2.2 Enable Change Pointers

1. Transaction: BD50.
2. On the Change View "Activate Change pointers for Message Type": Overview screen, select DEBMAS, CREMAS, ADRMAS, and MATMAS.

6.3.2.3 Create Variant of IDOC from Change Pointers

You must create a variant for the IDoc message type MATMAS.

1. Transaction: BD21.
2. On the Creating IDoc Type from Change Pointer screen, enter the message type MATMAS.
3. Choose Goto > Variant > Save as Variant.
4. On the Variant Attributes screen, enter the values for Variant Name and Description.
5. Choose Save.

6.3.2.4 Create Variant of Serialization Group from Change Pointers

You must create two variants: one for the serialization group GRP_DEBMAS_ADR and the other for the serialization group GRP_CREMAS_ADR.

1. Transaction: BD40.
2. On the Generate IDocs for Serialization Group From Change Pointers screen, enter the corresponding serialization group: GRP_DEBMAS_ADR for customer and address, GRP_CREMAS_ADR for vendor and address.
3. Choose Goto > Variant > Save as Variant.
4. On the Variant Attributes screen, enter the values for Variant Name and Description.
5. Choose Save.

6.3.2.5 Schedule Delta Distribution

You need to create three scheduling jobs: two for the serialization groups, and one for message type MATMAS.

1. Transaction: SM36.
2. On the Define Background Job screen, enter the value for Job Name.
3. Choose Step.
4. On the Create Step 1 screen, enter the following settings under ABAP program:
   - For the two serialization groups: Name RBDSER01; Variant: the variant you created for the serialization group GRP_DEBMAS_ADR or GRP_CREMAS_ADR in the previous step.
   - For message type MATMAS: Name RBDMIDOC; Variant: the variant you created for the message type MATMAS in the previous step.
5. Choose Save.
6. Choose Back and return to the Define Background Job screen.
7. Choose Start Condition.
8. On the Start Time screen, choose Immediate, select the Periodic Job checkbox, and then choose Period Values.
9. On the Period Values screen, enter the scheduling period value. For example, set 2 minutes for the period value. The system then sends out messages about business partner actions, such as create and update operations, every two minutes.
10. Choose Save, and then go back to the Define Background Job screen.
11. Choose Save.
12. Use transaction SM37 to monitor the scheduled and completed job runs.

6.3.3 Define the SAP Cloud Platform Integration Tenant for SAP Global Track and Trace

To define the SAP Cloud Platform Integration tenant for SAP Global Track and Trace in SAP ERP, proceed as follows.

1. In Customizing, choose Integration with Other SAP Components > Interface to Global Track and Trace > Define Application Interface > Define CI Tenant for Global Track and Trace. Transaction: /SAPTRX/ASC0TS_CTT
2. Choose New Entries.
3. Enter the following data:
   - CI for SAP Global Track and Trace: Specify the SAP Cloud Platform Integration tenant. For example: CIV0387
   - CI Log. System: Specify the logical system for the SAP Cloud Platform Integration tenant, as maintained in Define Logical Systems. For example: CIV0387
   - SAP Global Track and Trace Version: Global Track and Trace
   - Description: Provide a description for your SAP Cloud Platform Integration tenant for SAP Global Track and Trace
4. Save your entries.

6.3.4 Define Application Object Types and Event Types

Application object types determine whether a business process or an object is relevant for tracking in SAP Global Track and Trace, that is, whether a tracked process instance in SAP Global Track and Trace should be created or not. Moreover, the data to be extracted for creating planned events, parameters, and tracking IDs is also defined here. Several application object types can be assigned to one business process type. These are then processed according to their priority and transferred to SAP Global Track and Trace.

Event types determine whether a change to a business process or an object (or parts of it) is relevant to tracking in SAP Global Track and Trace, that is, whether an event message instance in SAP Global Track and Trace should be created for this change. Several event types can be assigned to one business process type. These are then processed according to their priority and transferred to SAP Global Track and Trace.

Note: In the following procedure, the OBP10_DELIV scenario is used as an example for the settings that need to be made regarding application object types and event types. The extractors used in the example need to be enhanced if you want to use them with the template tracked process type com.sap.gtt.app.delivery.deliveryprocess in SAP Global Track and Trace. See the corresponding SAP Note for further details about what needs to be enhanced by custom coding.

1. In Customizing for SAP ECC, choose Integration with Other SAP Components > Interface to Global Track and Trace > Define Application Interface > Define Used Bus. Proc. Types, Appl. Obj. Types, and Evt Types. Transaction: /SAPTRX/ASC0AO_CTT
   The BPT Process Mode of the business process type that you choose must be Active. The business process type for the example scenario to track outbound deliveries is ESC_DELIV. The application object type OBP10_DELIV and the event types OBP10_PICK and OBP10_GI are used in the example scenario.
2. Select the business process type ESC_DELIV.
3. Choose Define Application Object Types and then select OBP10_DELIV.
4. Choose Details. On the General Data tab, in the HCI for GTT field, select the appropriate CI ID that was previously created using transaction /SAPTRX/ASC0TS_CTT and that will be used for the connection to SAP Global Track and Trace. Select GTT Relevance of Appl. Obj.
5. Choose Define Event Types and then select OBP10_PICK and OBP10_GI.
6. Choose Details. In the HCI for GTT field, select the appropriate CI ID that was previously created using transaction /SAPTRX/ASC0TS_CTT and that will be used for the connection to SAP Global Track and Trace. Select GTT Relevance of Event Type.
7. Save your entries.

Next Steps

See the corresponding SAP Note for further details about the custom enhancements that need to be implemented for tracking outbound deliveries with the template tracked process type com.sap.gtt.app.delivery.deliveryprocess in SAP Global Track and Trace.

See the corresponding SAP Note for a detailed list of the IDoc segments and fields per segment of the IDoc types EHPOST01 and EVMSTA02 that are supported for the integration with SAP Global Track and Trace. This is very important if you create your own custom extraction function modules.

6.4 Load Master Data

You can integrate customer, vendor, and product master data from your SAP ERP system with SAP Global Track and Trace. You first complete an initial load of the data by sending it from your SAP ERP system to the logical system you have defined. When delta replication is scheduled, the delta load of data occurs automatically as customer, vendor, and product master data is updated.

6.4.1 Initial Load

To integrate SAP ERP master data with SAP Global Track and Trace, you first need an initial load of the business partner, location, and product master data.

6.4.2 Delta Load

When delta replication scheduling is complete, subsequent changes to business partner, location, or product data (such as creation or update) automatically trigger the sending of business partner, location, and product messages to the SAP CI integration flows. Use these transactions to create or change business partner, location, and product master data:

Master Data Tasks and Transactions

- Create a new customer: XD01
- Change an existing customer: XD02
- Create a new business partner (vendor): XK01
- Change an existing business partner (vendor): XK02
- Create a new product: MM01
- Change an existing product: MM02

6.5 Create Master Data in Multiple Language Versions

You can create the master data of business partners and locations (for both customers and vendors) in a non-English language. To do this, click International Versions when you are creating or updating the master data and select an activated version. You can then enter the information in the selected language version.

Note: To activate or deactivate the language versions, use transaction SA09. Additionally, you can use transaction SM30 to create new entries in the V_SAPTSADV view.

Related Information

For more information on international address versions, see the corresponding SAP Note.

7 User Management by Solution Administrators

This chapter provides background information and describes how you, as solution administrator, can configure user management for your GTT solution. Note the following points:

Solution administrators may also perform the following user administration tasks:
- Assign Business Roles to Users [page 58]
- Register the Technical User for Your Company [page 52]

For user management tasks performed by other roles, see User Management by Other Roles [page 53].

Introduction

SAP Global Track and Trace provides multiple apps, but by default, users have no access to any app. For reasons of security and good business practice, the use of each app should be restricted to one or more specific roles, such as solution administrator or delivery specialist. This is done by granting only those specific roles access to the appropriate app. A solution administrator must assign app access to his or her users by configuring user management. The relevant background and the procedures to do this are outlined in this chapter.

Instance-based Authorization

In SAP Global Track and Trace you configure user management using instance-based authorization. Its purpose is to restrict the business users who can view a particular tracked process instance to only those from business partners that are involved in that tracked process instance. A business user is involved in a tracked process instance when the business partner organization to which the user is assigned appears in a property of that instance; in other words, one property of the tracked process instance refers to the business partner organization. For example, in the GTT sample for delivery, tracked process instance A has a ship-to party that belongs to business partner X. All authorized business users of business partner X can therefore see tracked process instance A, while business users from other business partners cannot, because they are not involved.

As a further example, when a new tracked process type is created using the Metadata Modeling (MM) app, you, as solution administrator, must make it visible to your business users who have the delivery specialist role. You do this using instance-based authorization.

To assign roles to users for a new tracked process type, implement instance-based authorization by completing the following tasks:

1. Create Business Roles [page 50]
2. Assign Business Roles to Users [page 58]

7.1 Prerequisites

To perform the tasks outlined in this chapter, you must meet the following prerequisites:

- You have created business users and user groups in your identity provider (IdP). For more information, see the Onboarding guide, available from the Help Portal at SAP Global Track and Trace.
- You have performed the initial user activation (a one-off task) detailed in Initial User Activation [page 8].
- You have the role solution administrator, and can log on and use the Manage Business Roles (MBR) app.

Role: Solution Administrator
Activity: Defines, organizes and manages user authorizations within a GTT solution.

7.2 Background

The purpose of a role is to define the authorization that users assigned to the role have. To simplify the creation of roles, role templates are provided.

A role template:
- defines the type of access permitted for an application
- is used to build a role

A role is an instance of a role template. If a role template has no attributes, then any role you create from it is identical to the role template. If a role template has one or more attributes, you must provide the attribute values for any role you create from it.

A role collection:
- consists of one or multiple roles from one or more apps
- is used to bundle authorizations within and across apps
- can only be assigned to user groups, not to individual users

As an overview while working through the remaining activities in this section, the following tables provide standard examples of roles, role collections, user groups and so on.

Delivery specialist example

Role characteristic   Solution Owner                       Solution Participant
Role                  tt_live_delivery_so                  tt_live_delivery_bp
Role template         tt_live_trackandtrace_businessUser   tt_live_trackandtrace_businessUser
Role collection       TT_DELIVERY_SO                       TT_DELIVERY_BP
User group            TT_DELIVERY_SO                       TT_DELIVERY_BP
Business role         Delivery Specialist                  Delivery Specialist

Shipment specialist example

Role characteristic   Solution Owner                       Solution Participant
Role                  tt_live_shipment_so                  tt_live_shipment_bp
Role template         tt_live_trackandtrace_businessUser   tt_live_trackandtrace_businessUser
Role collection       TT_SHIPMENT_SO                       TT_SHIPMENT_BP
User group            TT_SHIPMENT_SO                       TT_SHIPMENT_BP
Business role         Shipment Specialist                  Shipment Specialist

The following conventions apply to names used throughout user management:

- tt_<name> is used to start the role name. You build up <name> yourself; for example, in tt_live, "live" is the local part of the role name.
- _SO at the end of a name indicates solution owner.
- _BP at the end of a name indicates business partner.
- The SAML attribute name BP indicates the business partner type. For example, DELIVERY:* for a solution owner means that all DELIVERY tracked processes can be seen. Alternatively, the attribute value DELIVERY:INVOLVED is usually used for a solution participant: only the DELIVERY tracked processes in which the participant is involved can be seen.
- The SAML attribute name TrackedProcessType indicates that the tracked process type with the specified namespace can be seen. For example: DELIVERY:com.sap.gtt.app.delivery*
- * at the end of a SAML attribute value indicates a wildcard. This is generally suitable for the solution administrator role as it has no restriction; it grants visibility of every matching instance, so do not use it for external participants.
- INVOLVED at the end of a SAML attribute value indicates a restriction to a subset: the user is restricted to only the tracked processes that involve the user's own business partner.
- The attribute source is a UAA attribute type that is always static (shown as (S) in the reference table).

SAP Global Track and Trace provides the following role templates:

Role Templates and Descriptions

Role Template | Description | Business Role | Apps | SAML Attribute Name
tt_live_trackandtrace_bucketowner | Assigned users can do everything except some DPP-related functions. For example, they cannot block or delete personal data, or view data that has been blocked. | Solution Administrator | All | (none)
tt_live_dataprivacyspecialist | Assigned users can manage personal data. | DP&P Specialist | MPD, GMM, MGU, PDM (Personal Data Manager) | DataPrivacySpecialistType
tt_live_auditor | Assigned users can view personal data, including data that has been blocked. | Audit Specialist | MPD, MGU, GMM (read only) | AuditorType
tt_live_trackandtrace_masterdataspecialist | Assigned users can manage master data records. | Master Data Specialist | MBP, ML, MP | (none)
tt_live_trackandtrace_modelingexpert | Assigned users can manage GTT metadata models. | Modeling Expert | MM, GMM | (none)
tt_live_trackandtrace_localadmin | Assigned users can manage local users from their own company. | User Administrator | MGU | (none)
tt_live_trackandtrace_businessuser | Assigned users can view business models, tracked processes, and events. | As created by the customer, such as Delivery Specialist, Shipment Specialist or EPCIS Specialist (defined in MBR and assigned in MGU) | GTT | BP, TrackedProcessType
tt_live_trackandtrace_appuser | Assigned users can view business models, tracked processes, and events (as business users). They can also create process event data. | (none) | GTT | (none)
tt_live_trackandtrace_integrationuser | Assigned users can create data using SAP Cloud Platform Integration. | (none) | None | (none)

The following reference table lists more details of the standard roles:

Roles, Role Templates and their SAML Attributes

Role | Role Template | SAML Attribute Name | SAML Attribute Value
TT_Delivery_SO | tt_live_trackandtrace_BusinessUser | BP (S) | DELIVERY:*
TT_Delivery_SO | tt_live_trackandtrace_BusinessUser | TrackedProcessType (S) | DELIVERY:com.sap.gtt.app.delivery*
TT_Delivery_BP | tt_live_trackandtrace_BusinessUser | BP (S) | DELIVERY:INVOLVED
TT_Delivery_BP | tt_live_trackandtrace_BusinessUser | TrackedProcessType (S) | DELIVERY:com.sap.gtt.app.delivery*
TT_Shipment_SO | tt_live_trackandtrace_BusinessUser | BP (S) | SHIPMENT:*
TT_Shipment_SO | tt_live_trackandtrace_BusinessUser | TrackedProcessType (S) | SHIPMENT:com.sap.gtt.app.shipment*
TT_Shipment_BP | tt_live_trackandtrace_BusinessUser | BP (S) | SHIPMENT:INVOLVED
TT_Shipment_BP | tt_live_trackandtrace_BusinessUser | TrackedProcessType (S) | SHIPMENT:com.sap.gtt.app.shipment*
TT_Purchaseorder_SO | tt_live_trackandtrace_BusinessUser | BP (S) | PURCHASEORDER:*
TT_Purchaseorder_SO | tt_live_trackandtrace_BusinessUser | TrackedProcessType (S) | PURCHASEORDER:com.sap.gtt.app.purchaseorder*
TT_Purchaseorder_BP | tt_live_trackandtrace_BusinessUser | BP (S) | PURCHASEORDER:*
TT_Purchaseorder_BP | tt_live_trackandtrace_BusinessUser | TrackedProcessType (S) | PURCHASEORDER:com.sap.gtt.app.purchaseorder*
tt_live_dataprivacyspecialist | tt_live_dataprivacyspecialist | DataPrivacySpecialistType (S) | *
tt_live_auditor | tt_live_auditor | AuditorType (S) | *
TT_MASTERDATA_SPECIALIST | tt_live_trackandtrace_MasterDataSpecialist | (none) | (none)
TT_MODELING_EXPERT | tt_live_trackandtrace_ModelingExpert | (none) | (none)
tt_live_cockpitmanager | tt_live_cockpitmanager | (none) | (none)
tt_live_onboardingassistanceuser | tt_live_onboardingassistanceuser | (none) | (none)
tt_live_trackandtrace_AppUser | tt_live_trackandtrace_AppUser | (none) | (none)
tt_live_trackandtrace_LocalAdmin | tt_live_trackandtrace_LocalAdmin | (none) | (none)
tt_live_trackandtrace_BucketOwner | tt_live_trackandtrace_BucketOwner | (none) | (none)
tt_live_trackandtrace_IntegrationUser | tt_live_trackandtrace_IntegrationUser | (none) | (none)
tt_live_disableduser | tt_live_disableduser | (none) | (none)

(S) indicates a static source.

The following reference table lists further details of the standard role templates:

Role Template | Role | Role Collection | User Group | Business Role
tt_live_trackandtrace_BucketOwner | tt_live_trackandtrace_BucketOwner | TT_SOLUTION_ADMINS | TT_SOLUTION_ADMINS | Solution Administrator
tt_live_trackandtrace_LocalAdmin | tt_live_trackandtrace_LocalAdmin | TT_LOCAL_ADMIN_GROUP | TT_LOCAL_ADMIN_GROUP | User Administrator
tt_live_trackandtrace_AppUser | tt_live_trackandtrace_AppUser | TT_USER_GROUP | TT_USER_GROUP | If a solution administrator or user administrator invites a business user of GTT, the user is placed in this group. Every GTT user must be in this group.
tt_live_trackandtrace_IntegrationUser | tt_live_trackandtrace_IntegrationUser | TT_USER_GROUP | TT_USER_GROUP | If a solution administrator or user administrator invites a business user of GTT, the user is placed in this group. Every GTT user must be in this group.
tt_live_trackandtrace_BusinessUser | TT_Delivery_SO | TT_DELIVERY_SO | TT_DELIVERY_SO | Delivery Specialist for solution owner
tt_live_trackandtrace_BusinessUser | TT_Delivery_BP | TT_DELIVERY_BP | TT_DELIVERY_BP | Delivery Specialist for solution participant
tt_live_trackandtrace_BusinessUser | TT_Shipment_SO | TT_SHIPMENT_SO | TT_SHIPMENT_SO | Shipment Specialist for solution owner
tt_live_trackandtrace_BusinessUser | TT_Shipment_BP | TT_SHIPMENT_BP | TT_SHIPMENT_BP | Shipment Specialist for solution participant
tt_live_trackandtrace_BusinessUser | TT_Purchaseorder_SO | TT_PURCHASEORDER_SO | TT_PURCHASEORDER_SO | Purchasing Specialist for solution owner
tt_live_trackandtrace_BusinessUser | TT_Purchaseorder_BP | TT_PURCHASEORDER_BP | TT_PURCHASEORDER_BP | Purchasing Specialist for solution participant
tt_live_auditor | tt_live_auditor | TT_AUDITOR | TT_AUDITOR | Audit Specialist
tt_live_dataprivacyspecialist | tt_live_dataprivacyspecialist | TT_DATA_PRIVACY_SPECIALIST | TT_DATA_PRIVACY_SPECIALIST | DP&P Specialist
tt_live_masterdataspecialist | tt_live_masterdataspecialist | TT_MASTERDATA_SPECIALIST | TT_MASTERDATA_SPECIALIST | Master Data Specialist
tt_live_modelingexpert | tt_live_modelingexpert | TT_MODELING_EXPERT | TT_MODELING_EXPERT | Modeling Specialist
tt_live_trackandtrace_OnboardingAssistanceUser | tt_live_trackandtrace_OnboardingAssistanceUser | TT_ONBOARDING_ADMINS | TT_ONBOARDING_ADMINS | Onboarding Administrator

User groups:
- are valid for a specific role
- grant the users in that group access to the related apps through the role collection.

You map role collections to user groups so that users in that user group have access to the apps specified in the role collection.

Note
We recommend mapping one role collection to one user group.

7.3 Create Business Roles

A business role describes the following:
- the authorizations for users who have the assigned business role
- the types of objects these users can access

Technically, authorization settings are not controlled by the business role itself. It is the role template corresponding to the business role, together with the attribute settings of that template, that determines which types of tracked processes users with a given business role can access.

This section describes how to create a business role in the Manage Business Roles (MBR) app. This app is designed for solution administrators to manage business roles within organizations using SAP Global Track and Trace. Business roles created in the MBR app enable users to access various types of tracked processes in the GTT app. Each business role created in MBR triggers an automatic role creation in the backend using the tt_<xsappname>_trackandtrace_businessuser template, which contains two attributes, BP and TrackedProcessType. The system sets the attribute values according to the settings you define during business role creation in MBR.

Note
User administrators cannot access the MBR app.

After business roles are created in the MBR app, both solution administrators and user administrators can assign these business roles to users during user account creation, using the Manage GTT Users (MGU) app. With the appropriate business roles, GTT users can access processes and objects in the GTT app.

1. Launch the MBR app.
2. Click + (Add) on the left pane.
3. Enter the following data:

Field | Entry
Business Role | Name of the business role, with a maximum length of 100 characters. Space characters are allowed. Recommendation: We recommend that you use a self-explanatory name such as Delivery Specialist, Shipment Specialist or EPCIS Specialist. Note: The maximum number of business roles that can be assigned to a user is 5. For security reasons, you cannot use the MBR app to modify the predefined business roles, such as Solution Administrator, DP&P Specialist, and Audit Specialist.
Description | (Optional) Description of the business role, with a maximum length of 1,000 characters.
Role Identifier | Identifier of the business role, for example, DeliveryHandler (space characters are not allowed).
Used By | Determines the type of companies for which the business role is valid. This can be one of the following: Solution Owner: the business role is valid for the solution owner. Solution Participant: the business role is only valid for solution participants, that is, business partners.

The Used By and Role Identifier fields cannot be edited after the business role is saved.

4. Click Save. The system automatically generates the value of the field Accessible Tracked Process Type(s) for you with this pattern:

Accessible Tracked Process Type(s) = com.sap.gtt.app.<role_identifier>*

This enables users with the business role to access tracked processes whose type starts with com.sap.gtt.app.<role_identifier>.

5. You can modify the namespace prefix, which defaults to com.sap.gtt.app, by clicking the string. This enables users to access tracked processes whose type starts with a namespace prefix other than the default one. For example, you can change the namespace prefix to com.sap.gtt.myapp.
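The way the BP and TrackedProcessType attributes restrict what a business user can see (the * wildcard, the INVOLVED restriction, and the com.sap.gtt.app.<role_identifier>* pattern generated in step 4 with the prefix change of step 5) can be made concrete with a small evaluation model. The following Python is an added example written for this guide's readers; it is not code from SAP Global Track and Trace or from SAP. The TrackedProcess shape (a category, a full type name, and the set of involved business partners), the placeholder company IDs, and the rule that both attributes must allow access are assumptions made for the illustration; the attribute values themselves are copied from the reference tables above.

```python
"""Added illustration of the BP / TrackedProcessType attribute conventions.
Not the product's authorization code: the process shape, the company IDs and
the evaluation order are assumptions made for this example."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class TrackedProcess:
    # Constructed shape: category matches the prefix of the SAML attribute
    # values (DELIVERY, SHIPMENT, ...), process_type is the full type name,
    # involved_parties holds the IDs of the business partners on the process.
    category: str
    process_type: str
    involved_parties: FrozenSet[str]


def accessible_process_types(role_identifier: str,
                             namespace_prefix: str = "com.sap.gtt.app") -> str:
    """Pattern the MBR app generates for Accessible Tracked Process Type(s):
    <namespace_prefix>.<role_identifier>*  (step 4; prefix editable per step 5)."""
    return f"{namespace_prefix}.{role_identifier}*"


def parse_attribute(value: str) -> Tuple[str, str]:
    """Split 'DELIVERY:com.sap.gtt.app.delivery*' into
    ('DELIVERY', 'com.sap.gtt.app.delivery*'). A malformed value is rejected
    rather than silently treated as a grant or a denial."""
    category, sep, scope = value.partition(":")
    if not sep or not category or not scope:
        raise ValueError(f"malformed SAML attribute value: {value!r}")
    return category, scope


def can_view(attrs: Dict[str, List[str]], company_id: str,
             process: TrackedProcess) -> bool:
    """Assumed evaluation: a process is visible only if BOTH attributes of the
    BusinessUser template allow it. BP decides by business-partner involvement
    ('*' = every process of the category, 'INVOLVED' = only those in which the
    user's own company takes part); TrackedProcessType decides by type-name
    prefix, with '*' as a trailing wildcard."""
    bp_ok = False
    for value in attrs.get("BP", []):
        category, scope = parse_attribute(value)
        if category != process.category:
            continue
        if scope == "*" or (scope == "INVOLVED"
                            and company_id in process.involved_parties):
            bp_ok = True
            break
    if not bp_ok:
        return False  # deny early: the type filter can only narrow, never widen

    for value in attrs.get("TrackedProcessType", []):
        category, pattern = parse_attribute(value)
        if category == process.category and fnmatchcase(process.process_type, pattern):
            return True
    return False


# Attribute sets copied from the "Roles, Role Templates and their SAML
# Attributes" table: solution owner (SO) versus solution participant (BP).
TT_DELIVERY_SO = {"BP": ["DELIVERY:*"],
                  "TrackedProcessType": ["DELIVERY:com.sap.gtt.app.delivery*"]}
TT_DELIVERY_BP = {"BP": ["DELIVERY:INVOLVED"],
                  "TrackedProcessType": ["DELIVERY:com.sap.gtt.app.delivery*"]}

# Constructed sample processes; the company IDs are placeholders.
OUTBOUND = TrackedProcess("DELIVERY", "com.sap.gtt.app.delivery.OutboundDelivery",
                          frozenset({"CARRIER-A", "OWNER"}))
CUSTOM_NS = TrackedProcess("DELIVERY", "com.sap.gtt.myapp.delivery.OutboundDelivery",
                           frozenset({"CARRIER-A"}))
SHIPMENT = TrackedProcess("SHIPMENT", "com.sap.gtt.app.shipment.Shipment",
                          frozenset({"CARRIER-A"}))


def demo() -> Dict[str, bool]:
    """Visibility of the sample processes for each role, keyed for inspection."""
    return {
        "owner sees any DELIVERY": can_view(TT_DELIVERY_SO, "OWNER", OUTBOUND),
        "owner sees DELIVERY it is not on": can_view(TT_DELIVERY_SO, "OTHER", OUTBOUND),
        "participant sees DELIVERY it is on": can_view(TT_DELIVERY_BP, "CARRIER-A", OUTBOUND),
        "participant denied when not involved": can_view(TT_DELIVERY_BP, "CARRIER-B", OUTBOUND),
        "custom namespace needs prefix change": can_view(TT_DELIVERY_BP, "CARRIER-A", CUSTOM_NS),
        "DELIVERY role cannot see SHIPMENT": can_view(TT_DELIVERY_SO, "OWNER", SHIPMENT),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {allowed}")
```

Two points the model makes visible: a role's two attributes act as a conjunction, so a participant who is involved in a process still sees nothing if the type lies outside the namespace prefix (the custom-namespace case, which is exactly what changing the prefix in step 5 addresses), and a value that does not follow the CATEGORY:scope shape is rejected instead of being interpreted loosely.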

Results

Your business role is now available for use in the Manage GTT Users (MGU) app. You can see the role in the Business Role drop-down list of the Edit User window.

Deletion

After you have created a business role, you can also delete it. To do so, use the MBR app to select the business role, then click Delete.

Note
You cannot delete business roles that have been in use or any predefined business roles.

7.4 Register the Technical User for Your Company

Prerequisites

You have already created a technical user according to the steps described in the Onboarding Guide.

A technical user is not a person. It is a token used to authenticate the connection between different systems. After the technical user is created and has the proper role collections assigned, you, as a user administrator of your company, must register the technical user using the Manage GTT Users app. Otherwise, the technical user does not work.

1. Launch the Manage GTT Users app.
2. Click the Manage Technical Users icon on the upper right of the page.
3. Enter the e-mail address of your technical user. Optionally, you can also enter a description for the technical user.
4. Click Save.

8 User Management by Other Roles

This chapter describes the user management tasks performed by roles other than the solution administrator.

Note
User management tasks performed by solution administrators are detailed in the chapter User Management by Solution Administrators [page 44].

Introduction

The Manage GTT Users app (MGU app) provides a role-specific graphical interface to perform user management activities for the following roles:
- user administrators and solution administrators
- DP&P specialists
- audit specialists

Note
The MGU app is used by both solution participants and solution owners to manage users.
- Solution participant: as user administrator, you use the MGU app to register users from the same solution participant, assign business roles to them, change their business roles, or remove them from the GTT solution.
- Solution owner: as user administrator or solution administrator for the solution owner, you use the MGU app to manage business users within your organization.

8.1 Prerequisites

To perform the tasks described in this chapter, you must have the following prerequisites:
- You work for a solution participant or the solution owner, have the role of user administrator, DP&P specialist or audit specialist, and can log on to the Manage GTT Users app.

Note
Before an administrator or specialist from a solution participant can log on to the Manage GTT Users app, they must receive and accept an invitation to participate in the GTT solution. Invitations are managed using the Manage Solution Participants app. For more information about invitation management and participation in a GTT solution, see Business Configuration [page 65].

Roles and Activities

The following roles perform the stated activities:

Role | Activity
User Administrator | A business user who deals with user management and who can do the following: register business users for a GTT solution; assign or change their business roles; remove users that have not been activated; lock or unlock users.
DP&P Specialist | A business user who deals with DPP requests and who can do the following: block personal data for users; unblock personal data for users; delete users.
Audit Specialist | A business user who reviews data processes and anomalies and who can do the following: view the information of all users.

8.2 Tasks for User Administrators

This section describes the activities that user administrators can complete using the MGU app. User administrators perform basic user management functions for their business users, including the following:
- Register a User for a GTT Solution [page 55]
- Modify User Information [page 56]
- Lock a User [page 56]
- Unlock a User [page 57]
- Delete Users from a GTT Solution [page 58]
  Note: To comply with retention policies, administrators are not allowed to delete activated users.
- Assign Business Roles to Users [page 58]

8.2.1 Register a User for a GTT Solution

To register a user working for the same solution participant, or to register a user for the solution owner, proceed as follows:

1. Navigate to the Users tab.
2. Click Create in the upper right corner of the user list.
3. In the Create User dialog box, enter the name and e-mail address of the user to be added, and then select one or more business roles from the drop-down list. A business role describes the authorizations of the users to which it is assigned. Business roles are created by the solution administrator using the Manage Business Roles app.
4. Click Create to finish the user creation.

Results

A new user is added with the information you entered, and the status is Activation Pending. The user receives a notification with a link for activating the account. By clicking the link, the user navigates to a web page of SAP Cloud Identity (SCI) to set the password for the new account in SAP Global Track and Trace. The user can then log on to SAP Global Track and Trace with the e-mail address as the user ID.

If the user does not activate the account, you can send a reminder to the user by clicking Send Reminder on the Activation Pending list.

When the new user first accesses an app in SAP Global Track and Trace, the status changes to Active. You may need to refresh the browser to see the status change for the user.

8.2.2 Modify User Information

To modify the information for a user, proceed as follows:

1. Navigate to the Users tab.
2. From the user list, locate the user whose information you want to modify, and then click the Edit icon on the top right side of the user row.
3. In the Edit User dialog box, you can modify the name, e-mail address, and business roles for the user.
4. Click Save to save the update.

Results

The user information is modified. Note that if you change the user's business roles, the change takes effect on the user's next logon. For more information, see Assign Business Roles to Users [page 58].

8.2.3 Lock a User

To lock a user, proceed as follows:

1. Navigate to the Active Users tab by clicking the Active icon.
2. From the user list, locate the user that you want to lock, and then click Lock in the upper right corner of the screen.

3. Click Lock to confirm.

Results

After being locked, the user cannot log on to the GTT solution until you unlock the user.

8.2.4 Unlock a User

To unlock a user that has been locked, proceed as follows:

1. Navigate to the Locked Users tab by clicking the Locked icon.
2. From the user list, locate the user that you want to unlock, and then click Unlock in the top right of the screen.
3. Click Unlock to confirm.

Results

After being unlocked, the user can log on to the GTT solution again.

8.2.5 Delete Users from a GTT Solution

To delete one or more users that have not been activated from a solution, proceed as follows:

1. Navigate to the Users Pending Activation tab by clicking the Activation Pending icon.
2. From the user list, use the checkboxes to select the users you want to delete from the solution.
3. Click Delete in the upper right of the screen.
4. Click Delete to confirm the deletion.

Results

The selected users are deleted from the solution.

8.2.6 Assign Business Roles to Users

As user administrator for solution partners, you need to assign business roles to your users.

Note
Solution administrators may also perform the following procedure for their users.

You assign business roles so that users have access to the apps specified in the relevant XSUAA role collections. You use the Manage GTT Users app, as explained in this section. The URL is tenant specific. For explanatory purposes, the SaaS tenant <com-trackandtracedemo> has been used. For example, the URL is: sites#externalurl-l2jwl21ndq

1. On the SAP Fiori Launchpad, click the Manage GTT Users tile.
   Figure: Manage GTT Users tile in SAP Fiori Launchpad
2. Click the Edit icon to assign a user to a user group.
   Figure: Edit users in Manage GTT Users app
3. Select business roles for the user and click Save.
   Figure: Select business roles for the user
4. Use the SAP Cloud Platform Identity Authentication Administration Console to find the user, and check that the corresponding user group has been assigned. For example: users/p000038/groups
   Figure: User management in SAP Cloud Platform Identity Authentication
   Figure: Check User Groups for user
   Figure: Available Groups within User Management

8.2.7 Register the Technical User for Your Company

Prerequisites

You have already created a technical user according to the steps described in the Onboarding Guide.

A technical user is not a person. It is a token used to authenticate the connection between different systems. After the technical user is created and has the proper role collections assigned, you, as a user administrator of your company, must register the technical user using the Manage GTT Users app. Otherwise, the technical user does not work.

1. Launch the Manage GTT Users app.
2. Click the Manage Technical Users icon on the upper right of the page.
3. Enter the e-mail address of your technical user. Optionally, you can also enter a description for the technical user.