SAP Multichannel Foundation for Utilities and Public Sector

Administrator's Guide for SAP for Utilities Document version: 1.8 – 2016-12-16 SAP Multichannel Foundation for Utilities and Public Sector CUSTOMER


Document History

Caution: Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/utilities.

The following table provides an overview of the most important document changes.

Table 1

Version | Date | Description
1.8 | 2016-12-16 | Sixth Version


Content

1 Getting Started
1.1 Getting Started
1.2 Overview

2 Installation of SAP Multichannel Foundation for Utilities

3 Configuration of SAP CRM System as Leading System Scenario
3.1 Configuring the SAP Gateway Hub System
    SAP NetWeaver System Settings
    SAP Gateway Activation
    Maintain System Aliases for the SAP IS-U and SAP CRM Systems
    Register Services
    Create PFCG Role for Service User in SAP Gateway Hub System
    Create PFCG Role for Reference User in SAP Gateway Hub System
    Create Service User in SAP Gateway Hub System
    Create Reference User in SAP Gateway Hub System
    Set Service User in SICF Node for Public OData Services
    Activate the SICF Nodes for Private and Public SAPUI5 Template Applications
3.2 Configuring the SAP CRM System
    Create PFCG Role for Service User in SAP CRM System
    Create PFCG Role for Reference User in SAP CRM System
    Activate BC-Sets in SAP CRM System
    Create Service User in SAP CRM System
    Create Reference User in SAP CRM System
3.3 Configuring the SAP IS-U System
    Create PFCG Role for Service User in SAP IS-U System
    Create PFCG Role for Reference User in SAP IS-U System
    Create Service User in SAP IS-U System
    Create Reference User in SAP IS-U System
    Activate BC-Sets in SAP IS-U System
3.4 Set Up B2C User Management
    Maintain URL for User Account Activation (Mandatory)
    Maintain Number Range Interval for User Self Service (Mandatory)
    Maintain RFC Destinations for User Replication (Mandatory)
    Maintain User Category (Mandatory)
    Verify User Request (Optional)
    Define Notification Process for User Request Management (Optional)
    Implement User Management (Optional)
    Define Handler for User Management Notification (Optional)
    User Request Cleanup (Optional)
3.5 Quick Testing of OData Services CRM_UTILITIES_UMC and ERP_UTILITIES_UMC

4 Configuration of SAP IS-U System as Standalone Scenario
4.1 Configuring the SAP Gateway Hub System
    SAP NetWeaver System Settings
    SAP Gateway Activation
    Maintain System Alias for the SAP IS-U System
    Register Services
    Create PFCG Roles for Service User for SAP Gateway Hub System
    Create PFCG Roles for Reference User for SAP Gateway Hub System
    Create Service User in SAP Gateway Hub System
    Create Reference User in SAP Gateway Hub System
    Set Service User in SICF Node for Public OData Services
4.2 Configuring the SAP IS-U System
    Create PFCG Role for Service User in the SAP IS-U System
    Create PFCG Role for Reference User in the SAP IS-U System
    Create Service User in the SAP IS-U System
    Create Reference User in the SAP IS-U System
    Activate BC-Sets in SAP IS-U System
4.3 Set Up B2C User Management
    Maintain URL for User Account Activation (Mandatory)
    Maintain Number Range Interval for User Self Service (Mandatory)
    Maintain RFC Destinations for User Replication (Mandatory)
    Maintain User Category (Mandatory)
    Verify User Request (Optional)
    Define Notification Process for User Request Management (Optional)
    Implement User Management (Optional)
    Define Handler for User Management Notification (Optional)
    User Request Cleanup (Optional)
4.4 Quick Testing of OData Services ERP_UTILITIES_UMC
    Quick Testing of OData Services ERP_UTILITIES_UMC

5 Configuration of SAP Self-Service for Utilities Mobile App
5.1 Working Example of How to Set Up SAP Self-Service for Utilities Mobile App
5.2 Additional Setup Information

6 Application Operations
6.1 SAP Gateway Service Model Development in SAP CRM
6.2 SAP Gateway Service Model Development in SAP IS-U
6.3 SAP Gateway Service Model Extensibility in SAP CRM
6.4 SAP Gateway Service Model Extensibility in SAP IS-U
6.5 Batch Operations for OData Services
6.6 Consuming OData Batch Request from SAP UI
6.7 Error Message Handling
6.8 SAP Multichannel Foundation for Utilities and Public Sector Solution Monitoring
6.9 SAP Multichannel Foundation for Utilities and Public Sector Management
6.10 Sample SAP UI5 Application Configuration
    UMCUI5 Application
    UMCUI5 Public Application
    Log Out Configuration
6.11 Sample SAP UI5 Mobile Application Configuration
    SAP Gateway Service Configuration
    UMCUI5_MOBILE Public Application
    UMCUI5_MOBILE Private Application
    UMCUI5_MOBILE Foundation Application
6.12 Applying Custom Themes to Mobile Applications
    Applying a Custom UI Theme
    Specifying the Path to a Custom UI Theme
    Creating a Custom Theme
6.13 Configuring Outage in SAP Multichannel Foundation for Utilities and Public Sector
    Configuring Visual Business for OData Entity Outage
    Consuming Visual Business Services from the User Interface
    Creating an Outage Region
    Configuring Outage Messages
6.14 Retrieving Channel Information in SAP Multichannel Foundation for Utilities and Public Sector

7 Security
7.1 Before You Start
7.2 Technical System Landscape
7.3 Security Aspects of Data, Data Flow, and Processes
7.4 User Administration and Authentication
7.5 User Management
7.6 Integration into Single Sign-On Environments
7.7 Authorizations
7.8 Session Security Protection
7.9 Network and Communication Security
7.10 Communication Channel Security
7.11 Network Security
7.12 Internet Communication Framework Security
7.13 Data Protection and Privacy
7.14 OData Services Security
7.15 Other Security-Related Information
7.16 Security-Relevant Logging and Tracing

8 Appendix
8.1 Related Information


1 Getting Started

1.1 Getting Started

About this Document

This document is a single source of information for the implementation of SAP Multichannel Foundation for Utilities and Public Sector. It contains implementation, security and operation information only for SAP for Utilities. You can find the Administrator's Guide for public sector at help.sap.com/industries under SAP for Public Sector.

This document is divided into the following main sections:

● Introduction with references to related documents and relevant SAP Notes

● Installation information

● Security information

● Application Operations information

Note: You can find the most current version of this document on SAP Service Marketplace at help.sap.com/umc. We strongly recommend that you use the document available there. The Guide will be updated according to updates of the software.

Related Information

For more information about implementation topics not covered in this Guide, see the following content on SAP Service Marketplace:

Table 2

Content | Location on SAP Service Marketplace
Latest versions of installation and upgrade guides | service.sap.com/instguides
General information about SAP Multichannel Foundation for Utilities and Public Sector | service.sap.com/utilities
Sizing, calculation of hardware requirements – such as CPU, disk and memory resource – with the Quick Sizer tool | service.sap.com/quicksizer
Released platforms and technology-related topics such as maintenance strategies and language support | service.sap.com/platforms (to access the Platform Availability Matrix directly, enter service.sap.com/pam)
Network Security | service.sap.com/securityguide
High Availability | www.sdn.sap.com/irj/sdn/ha
Performance | service.sap.com/performance
Information about Support Package Stacks, latest software versions and patch level requirements | service.sap.com/sp-stacks
Information about Unicode technology | www.sdn.sap.com/irj/sdn/i18n
SAP Notes search | service.sap.com/notes
SAP Software Distribution Center (software download and ordering of software) | service.sap.com/swdc
SAP Online Knowledge Products (OKPs) – role-specific learning maps | service.sap.com/rkt

Related Guides

You can find more information about the relevant applications in the following documents:

Table 3

Title | Location
Master Guide – SAP Netweaver 7.0 | service.sap.com/installNW70 (see the Master Guide under the Planning section)
Technical Operations for SAP NetWeaver | help.sap.com/netweaver (see the Guide under SAP Netweaver 7.4 System Administration and Maintenance Technical Operations for SAP NetWeaver)
SAP NetWeaver Gateway Security Guide | help.sap.com/nwgateway
SAP NetWeaver Gateway Technical Operations Guide | help.sap.com/nwgateway

Important SAP Notes

You must read and implement the following SAP Notes before you start the installation. These SAP Notes contain the most recent information, and are prerequisites for installing SAP Multichannel Foundation for Utilities and Public Sector.

Make sure that you have the current version of each SAP Note, which you can find on SAP Service Marketplace at service.sap.com/notes.

Table 4

SAP Note Number | Title
1942072 | SAP NetWeaver Gateway 2.0 Support Package Stack Definition
1964240 * | User Self Service: Check Password Security Policy Fixes
1988794 * | User Self Service Enhancement: Resetting Password Using Email ID of the User
2000713 * | User Self Service - User is Unable to Change the Password
2004762 * | User Self Service: Reset Credentials with auto generated password
2025549 * | User Self Service: Improving the Error Message Shown to End User
2028105 * | User Self Service: Short Dump While Checking Password

Note: All the SAP Notes marked with an asterisk are required only if you have installed IW_BEP SP08 or the corresponding SAP_GWFND Support Pack.

Recommendation: You are recommended to implement the following SAP Notes. Additionally, they may prove useful when using the SAP Multichannel Foundation for Utilities and Public Sector solution.

Table 5

SAP Note Number | Title
1509851 | ICF logoff service with redirectURL
853878 | HTTP WhiteList Check (security)

1.2 Overview

The figure below shows an overview of the technical system landscape for SAP Multichannel Foundation for Utilities and Public Sector.


Figure 1: The technical system landscape for SAP Multichannel Foundation for Utilities and Public Sector

Two add-ons that group business processes in SAP ERP and SAP CRM for Utilities for OData consumption are UMCERP01 and UMCCRM01. A sample SAPUI5 template is hosted on SAP Gateway. The user interface application communicates with the SAP Gateway using OData protocol. The SAP Gateway dispatches the calls to specific back end systems.


2 Installation of SAP Multichannel Foundation for Utilities

Installation Sequence

The following tables provide the implementation sequence:

Table 6

SAP for Utilities
1. | Installation of SAP for Utilities, based on SAP ERP 6.0 Enhancement Package 4 or higher, SAP CRM 7.0 or higher, SAP NetWeaver 7.0 Enhancement Package 1 or higher | For more information, see SAP Service Marketplace Installation & Upgrade Guides Industry Solutions Industry Solution Guides SAP for Utilities

SAP for Utilities contains several business scenarios. Each scenario requires a different technical system landscape and installation sequence. For SAP Multichannel Foundation for Utilities and Public Sector, you should choose from one of the following business scenarios:

● Selling of Energy Supply Products (E-Services)

● Selling of Energy Supply Products (Interaction Center)

● Selling of Energy Supply Products (Key Account Management)

● Selling of Utility Services

For all of the listed scenarios, both the SAP ERP and SAP CRM Servers are required. It is also necessary to have an additional SAP Gateway Server. It is further necessary to install additional components of the Servers mentioned above. The following table provides the implementation sequence:

Table 7

SAP ERP Server
1 – as part of the installation of SAP for Utilities | Installation of SAP ERP 6.0 EHP4 (or higher) – Utilities/Waste and Recycl./Telco | For more information, see service.sap.com/erp-inst SAP ERP 6.0 Planning.
2 | ● Installation of IW_BEP SP11 on SAP ERP 6.0 EHP4 or higher ● NW 7.40 SAP ERP 6.0 EHP7 onwards, installation of SAP_GWFND 740 SP12 is required instead of IW_BEP | See help.sap.com/nwgateway and choose SAP NetWeaver Gateway Developer Guide OData Channel Advanced Features User Self Service. For more information on compatibility of the different SAP Gateway components, see SAP Note 1942072
3 | Installation of Add-On UMCERP01 | For more information, see service.sap.com/erp-inst SAP ERP Add-Ons.


Table 8

SAP CRM Server
1 – as part of the installation of SAP for Utilities | Installation of SAP CRM 7.0 or higher | For more information, see service.sap.com/crm-inst SAP CRM SAP CRM 7.0 Enhancement Package X Plan.
2 | ● Installation of IW_BEP SP11 on SAP ERP 6.0 EHP4 or higher ● NW 7.40 SAP ERP 6.0 EHP7 onwards, installation of SAP_GWFND 740 SP12 is required instead of IW_BEP | See help.sap.com/nwgateway and choose SAP NetWeaver Gateway Developer Guide OData Channel Advanced Features User Self Service. For more information on compatibility of the different SAP Gateway components, see SAP Note 1942072
3 | Installation of Add-On UMCCRM01 | For more information, see service.sap.com/crm-inst SAP CRM Add-Ons.

Table 9

SAP Gateway Server
1 | For SAP NetWeaver versions prior to NW 7.40, installation of GW_CORE SP04 or higher and IW_FND SP04 or higher are required. For NW 7.40 SAP_GWFND SP06 or higher is needed | For more information, see http://help.sap.com/nwgateway under SAP NetWeaver Gateway Installation Guide Installation Prerequisites. For detailed information on compatibility of the different SAP Gateway components, see SAP Note 1942072
2 | Installation of SAPUI5 related Add-Ons: UISAPUI5 SP13 or higher, UI_INFRA SP08 or higher. Note: UISAPUI5 and UI_INFRA can be delivered within the same Add-On (SAP_UI). In this scenario, SAP_UI SP13 or higher must be installed. If the package SAP_UI 740 or higher is already installed in the system, then the UISAPUI5, UI_INFRA are already a part of it and do not require explicit installation. Optional UI5 components: UI5_731 SP05 or higher for Team Provider and other UI5 components depending on the UI implementation approach | For more information, see help.sap.com/nw under User Interface Add-On for SAP NetWeaver Master Guide Software Units.
3 | Installation of Add-On UMCUI501

Hardware Sizing

A sizing guide for SAP Gateway is available on the SAP Service Marketplace at service.sap.com/sizing and under Sizing Guidelines. You can also refer to the Sizing Guides for SAP CRM for ISU and SAP ERP. The Quick Sizer tool can also be used to come up with a rough estimation regarding hardware calculations for the system landscape.


3 Configuration of SAP CRM System as Leading System Scenario

In order to configure your SAP CRM system as a leading system scenario, certain roles, users and activations need to be maintained in the system. The following sections provide you with instructions on how to set up SAP CRM as the leading system.

3.1 Configuring the SAP Gateway Hub System

3.1.1 SAP NetWeaver System Settings

To allow proper authentication for online users, it is necessary to set correct Application Server (AS) profile parameters related to HTTP Security Session Management on AS ABAP. This can be done in transaction SICF_SESSIONS.

For more information, see the SAP Application Help at help.sap.com under SAP NetWeaver SAP NetWeaver Platform Security Information Security Guide User Administration and Authentication User Authentication and Single Sign-On.

To check HTTP Session Management settings, run transaction SICF_SESSIONS. Sample values for HTTP session parameters are:

● login/create_sso2_ticket = 2
● login/accept_sso2_ticket = 1
● login/ticketcache_off = 0
● login/ticket_only_by_https = 1
● icf/user_recheck = 1

Note: Depending on your session security configuration, these parameters may differ.
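The sample values above can serve as a baseline when reviewing an exported profile. The following Python code is an added example, not part of the SAP guide: it parses profile text in name = value form and reports each parameter that is missing or differs from the guide's sample values. The profile excerpt is constructed, and treating a later duplicate line as the effective value is an assumption of this example.

```python
"""Added example: compare AS ABAP profile text with the sample values of section 3.1.1."""
import re

# Sample values listed in section 3.1.1 of the guide.
GUIDE_SAMPLE_VALUES = {
    "login/create_sso2_ticket": "2",
    "login/accept_sso2_ticket": "1",
    "login/ticketcache_off": "0",
    "login/ticket_only_by_https": "1",
    "icf/user_recheck": "1",
}

# Reviewer hint for the one parameter that controls ticket transport.
HINTS = {
    "login/ticket_only_by_https":
        "with a value other than 1 the logon ticket is not restricted to HTTPS",
}

# Constructed profile excerpt (not taken from a real system).
SAMPLE_PROFILE = """\
# instance profile excerpt, constructed for this example
SAPSYSTEMNAME = GWH
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 0
login/ticket_only_by_https = 0
icf/user_recheck=1
login/accept_sso2_ticket = 1
"""

_PARAM_LINE = re.compile(r"^([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; '#' lines and blank lines are skipped.

    Assumption of this example: when a parameter appears twice,
    the later line is taken as the effective value.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def audit(params, baseline=GUIDE_SAMPLE_VALUES):
    """List every baseline parameter that is missing or has another value."""
    findings = []
    for name, expected in baseline.items():
        actual = params.get(name)
        if actual is None:
            status = "not set"
        elif actual != expected:
            status = "differs"
        else:
            continue
        findings.append({
            "name": name,
            "status": status,
            "expected": expected,
            "actual": actual,
            "hint": HINTS.get(name, ""),
        })
    return findings


def format_report(findings):
    """Render findings as one line per parameter for a review ticket."""
    if not findings:
        return "All reviewed parameters match the guide's sample values."
    lines = []
    for f in findings:
        line = "{name}: {status} (sample value {expected}, profile value {actual})".format(**f)
        if f["hint"]:
            line += " - " + f["hint"]
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(parse_profile(SAMPLE_PROFILE))))
```

A deviation is a prompt for review rather than an error, since the guide states that the values depend on the session security configuration in use.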

3.1.2 SAP Gateway Activation

Procedure

In order to check whether SAP Gateway is activated, do the following:

1. Use transaction SPRO in the system.

2. Navigate to SAP NetWeaver Gateway OData Channel Configuration Activate or Deactivate SAP NetWeaver Gateway .


3.1.3 Maintain System Aliases for the SAP IS-U and SAP CRM Systems

An SAP system alias maps the following together:

● A logical RFC destination pointing to an SAP business system

● A Web service provider system pointing to the same SAP business system

● The software version of that SAP business system; the supported versions are shipped by SAP and cannot be changed

Procedure

In order to create system aliases for the SAP ERP and SAP CRM systems proceed as follows:

1. In transaction SM59, create trusted RFC connections to the appropriate systems.

2. On the Logon and Security tab pages for these RFCs, select the Current User check box.

3. Use transaction SPRO and open the SAP Reference IMG.

4. Navigate to SAP NetWeaver Gateway OData Channel Configuration Connection Settings Manage SAP System Aliases .

5. Create system aliases for the SAP ERP and SAP CRM systems.

3.1.4 Register Services

OData Channel implementations retrieve the data from an SAP Business Suite system, which is a back end system. You can use the OData Services that have already been defined by SAP; alternately, you can redefine the OData Services according to your requirements. Once an OData Service has been defined in the back end system, the Service must be registered or activated on the SAP Gateway system.

Procedure

In order to register services in SAP NetWeaver Gateway Hub system, proceed as follows:

1. In transaction /IWFND/MAINT_SERVICE, choose the Add Service option.

2. Select the system alias of the SAP CRM system and select Get Services.

3. Add the following services:

○ CRM_UTILITIES_UMC
○ CRM_UTILITIES_UMC_URM
○ CRM_UTILITIES_UMC_PUBLIC_SRV
○ USERMANAGEMENT
○ ERP_UTILITIES_UMC
○ ERP_UTILITIES_UMC_PUBLIC_SRV

4. Select a package in the customer namespace for the objects that will be created during the registration of the services.

5. Select the system alias of the SAP ERP system and select Get Services.

6. Add service ERP_UTILITIES_UMC.

7. Select a package in the customer namespace for the objects that will be created during the registration of the services.

Note: In the context of SAP Multichannel Foundation for Utilities and Public Sector, we enhanced the originally delivered SAP NetWeaver Gateway service USERREQUESTMANAGEMENT by adding Utilities-specific business logic validation (business agreement ID and business partner’s E-mail address are used for user request validation). CRM_UTILITIES_UMC_URM replaces the original USERREQUESTMANAGEMENT service.

8. For each registered service, select the ICF Node pushbutton and then select Configure (SICF).

9. For additional security, navigate to the Logon Data tab page, and adjust the security parameters as necessary, for example, the SSL parameter.

3.1.5 Create PFCG Role for Service User in SAP Gateway Hub System

To execute the User Self Service, the system needs to be set up with users and authorizations for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to the Service User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZUMC_SRV_USR using the templates /IWFND/RT_GW_USR, /IWBEP/RT_USS_SRVUSR.

Note: Add additional required authorization objects /IWFND/SRV, S_SECPOL and S_TCODE.

2. For authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name), you must ensure that the following entries exist:

Table 10

Program ID | Object Type | Object Name
R3TR | IWSG | CRM_UTILITIES_UMC_URM
R3TR | IWSG | CRM_UTILITIES_UMC_PUBLIC_SRV
R3TR | IWSG | ERP_UTILITIES_UMC_URM (in SAP ERP standalone)
R3TR | IWSG | ERP_UTILITIES_UMC_PUBLIC_SRV

Note: The name of the authorization role is provided as an example only. You can choose any other name in the “customer namespace”.

For the object names to show up in the F4 Help, you must register and activate the OData Services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see Register Services [page 15].

If you need to use a custom password security policy for the reference user, additional authorization object S_SECPOL must be added to the role.

3. For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

4. Check Customizing in transaction SPRO under the path SAP NetWeaver Application Server System Administration Users and Authorizations Set Customizing Switch in Table PRGN_CUST.

If CHECK_S_USER_SAS is specified as YES, the authorization object S_USER_SAS must be manually added to the PFCG role for the Service User.

3.1.6 Create PFCG Role for Reference User in SAP Gateway Hub System

To execute the User Self Service, the system needs to be set up with users and authorizations for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to the Reference User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZUMC_REF_USR using the /IWBEP/RT_USS_INTUSR template.

2. For authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name), you must ensure that the following entries exist:

Table 11

| Program ID | Object Type | Object Name |
| --- | --- | --- |
| R3TR | IWSG | CRM_UTILITIES_UMC |
| R3TR | IWSG | ERP_UTILITIES_UMC |
| R3TR | IWSG | USERMANAGEMENT |


Note: The name of the authorization role is provided as an example only. You can choose any other name in the customer namespace.

For the object names to show up in the F4 Help, you must register and activate the OData Services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see Register Services [page 15].

3. For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

3.1.7 Create Service User in SAP Gateway Hub System

Procedure

To execute the User Self Service, the system needs to be set up with users and the required authorizations for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Service User is a standard SAP user of User Type “Service” created in the SAP Gateway Hub and also in the SAP Business Suite System with the IWBEP add-on. A Service User should be able to access the OData Service /IWBEP/USERREQUESTMANAGEMENT.

1. In transaction SU01, create user UMC_SRV_USR.

Note: The name of the user is provided as an example. You can use any other name of your choice, but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as S - Service.

3. On the Roles tab page, assign the previously created role ZUMC_SRV_USR.

3.1.8 Create Reference User in SAP Gateway Hub System

Procedure

To execute the User Self Service, the system needs to be set up with users and the required authorization for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Reference User is a standard SAP user of User Type “Reference” created in the SAP Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. This user is used by the user management service as a template to create other users in the system.

1. In transaction SU01, create user UMC_REF_USR.


Note: The name of the user is provided as an example. You can use any other name of your choice, but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as L - Reference.

3. Specify the alias for the user as UMC_REFERENCE_USER.

4. On the Roles tab page, assign the previously created role ZUMC_REF_USR.

3.1.9 Set Service User in SICF Node for Public OData Services

In order to execute the CRM_UTILITIES_UMC_URM service, a “Service” type user must be set up in the ICF node of CRM_UTILITIES_UMC_URM.

Procedure

In order to set the service user in the ICF Node for CRM_UTILITIES_UMC_URM, proceed as follows:

1. In transaction SICF, find the node /default_host/sap/opu/odata/sap/crm_utilities_umc_urm.

2. Under Logon Data, specify logon settings for the SAP Gateway Hub system for the service user:

○ Client: SAP Gateway Hub system client

○ User: UMC_SRV_USR

○ Password: UMC_SRV_USR user’s password

3. Disable Cross-Site Request Forgery (CSRF) validation for the CRM_UTILITIES_UMC_URM ICF node, since the service is executed in the context of the service user. To disable CSRF validation, on the Service Data tab page of the ICF node, select GUI Configuration and add the parameter ~CHECK_CSRF_TOKEN with value 0.

For the OData Service CRM_UTILITIES_UMC_PUBLIC_SRV, you can set the service user in the same way as described above.

Note: Do not set the parameter ~CHECK_CSRF_TOKEN to value 0 for CRM_UTILITIES_UMC_PUBLIC_SRV.
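One way to check this rule across ICF nodes, as an added example that is not part of the SAP guide. It assumes the GUI Configuration parameters of each node have been collected into lines of the form `node path | NAME=VALUE;NAME=VALUE`; that layout, the sample lines, EXAMPLE_PARAM and every node path other than the crm_utilities_umc_urm one are constructed for this illustration.

```python
"""Flag ICF nodes where CSRF token validation is switched off unexpectedly."""

# Service (last path segment) for which the guide has you set ~CHECK_CSRF_TOKEN=0.
CSRF_OFF_EXPECTED = {"crm_utilities_umc_urm"}

# Constructed inventory; the "path | params" layout is an assumption of this example.
SAMPLE_INVENTORY = """\
# node path | GUI Configuration parameters
/default_host/sap/opu/odata/sap/crm_utilities_umc_urm | ~CHECK_CSRF_TOKEN=0
/default_host/sap/opu/odata/sap/crm_utilities_umc_public_srv | ~check_csrf_token = 0
/default_host/sap/opu/odata/sap/crm_utilities_umc |
/default_host/sap/opu/odata/sap/example_srv | ~CHECK_CSRF_TOKEN=1;EXAMPLE_PARAM=x
"""


def parse_params(field):
    """Return {NAME: value} from 'NAME=VALUE;NAME=VALUE'.

    Names are upper-cased so that the comparison in this example is
    case-insensitive (a choice of this example).
    """
    params = {}
    for item in field.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        params[name.strip().upper()] = value.strip()
    return params


def audit_csrf(inventory, expected_off=CSRF_OFF_EXPECTED):
    """Classify each node as 'ok', 'unexpected-off' or 'expected-off-missing'."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        path, _, field = line.partition("|")
        path = path.strip().lower()
        service = path.rstrip("/").rsplit("/", 1)[-1]
        csrf_off = parse_params(field).get("~CHECK_CSRF_TOKEN") == "0"
        if csrf_off and service not in expected_off:
            # CSRF validation disabled on a node the guide does not exempt.
            results[path] = "unexpected-off"
        elif not csrf_off and service in expected_off:
            # The guide's step 3 has not been applied to the URM node.
            results[path] = "expected-off-missing"
        else:
            results[path] = "ok"
    return results


if __name__ == "__main__":
    for node, verdict in audit_csrf(SAMPLE_INVENTORY).items():
        print(f"{verdict:22} {node}")
```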

3.1.10 Activate the SICF Nodes for Private and Public SAPUI5 Template Applications

Once you have installed the Application Server ABAP (AS ABAP), all Internet Communication Framework (ICF) services are available in an inactive state for security reasons. After the installation, you have to decide which services are required to be activated for the applications you want to use. Moreover, after installing the SAP Multichannel Foundation for Utilities and Public Sector application, all service nodes must be activated in the SICF tree.

Procedure

In order to activate the SICF nodes for the private and public SAPUI5 template applications, proceed as follows:

1. In transaction SICF, find the following nodes:

○ /default_host/sap/bc/ui5_ui5/sap/umcui5

○ /default_host/sap/bc/ui5_ui5/sap/umcui5_mobile

○ /default_host/sap/public/bc/ui2

○ /default_host/sap/public/bc/ui5_ui5

○ /default_host/sap/public/bc/icf/logoff

2. Right-click the nodes and select the Activate Service option.

If you need to change security settings for the login procedure of the UMCUI5 Web application, select the Logon Data tab page and adjust the options as necessary. By default, the user is authenticated in the system using a user alias (Internet user). Further configuration can be carried out on the Error Pages Logon Errors System Logon Configuration.

3.2 Configuring the SAP CRM System

3.2.1 Create PFCG Role for Service User in SAP CRM System

To execute the User Self Service, the system needs to be set up with users and authorization for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the Service User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZUMC_SRV_USR using the templates /IWBEP/RT_USS_SRVUSR and SAP_CRM_UMC_SRV.

2. For authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name), you must ensure that the following entries exist:

Table 12

| Program ID | Object Type | Object Name |
| --- | --- | --- |
| R3TR | IWSG | CRM_UTILITIES_UMC_URM |
| R3TR | IWSG | CRM_UTILITIES_UMC_PUBLIC_SRV |


Note: The name of the authorization role is provided as an example only. You can choose any other name in the customer namespace.

For the object names to show up in the F4 Help, you must register and activate the OData Services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see Register Services [page 15].

3. For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

4. Check Customizing in transaction SPRO under the path SAP NetWeaver Application Server System Administration Users and Authorizations Set Customizing Switch in Table PRGN_CUST.

If CHECK_S_USER_SAS is specified as YES, the authorization object S_USER_SAS must be manually added to the PFCG role for the Service User.

3.2.2 Create PFCG Role for Reference User in SAP CRM System

To execute the User Self Service, the system needs to be set up with users and authorization for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the Service User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZUMC_REF_USR using the templates /IWBEP/RT_USS_INTUSR and SAP_CRM_UMC_ODATA.

2. For authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name) you must ensure that the following entries exist:

Table 13

| Program ID | Object Type | Object Name |
| --- | --- | --- |
| R3TR | IWSG | /IWBEP/USERMANAGEMENT |
| R3TR | IWSG | CRM_UTILITIES_UMC |

Note: The name of the authorization role is provided as an example only. You can choose any other name in the “customer namespace”.

For the object names to show up in the F4 Help, you must register and activate the OData Services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see Register Services [page 15].


3. For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

4. If you create your own services, you must add the authorization objects you have used to the role of the Reference User. Additionally, you must add an entry for your service to the authorization object S_SERVICE, as mentioned above.

5. Add authorization object S_RFCACL for trusted RFC authorizations to the PFCG role ZUMC_REF_USR.

3.2.3 Activate BC-Sets in SAP CRM System

To be able to execute contract management related entities in SAP Multichannel Foundation for Utilities and Public Sector, the system requires some specific Customizing that is delivered through BC-Sets. This is a mandatory step as the scenario does not work if the Customizing is done incorrectly.

In this step, the following BC-Sets need to be activated using transaction SCPR20:

● CRM_IU_UMC_IR_CATEGORY

● CRM_IU_UMC_ISR

● CRM_IU_UMC_PR_PROCESS

● CRM_IU_UMC_SETTING

3.2.4 Create Service User in SAP CRM System

To execute the User Self Service, the system needs to be set up with users and the required authorization for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Service User is a standard SAP user of User Type “Service” created in the Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. A Service User should be able to access the OData service /IWBEP/USERREQUESTMANAGEMENT_0001.

Procedure

1. In transaction SU01, create user UMC_SRV_USR.

Note: The name of the user is provided as an example. You can use any other name of your choice, but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as S - Service.

3. On the Roles tab page, assign the previously created role ZUMC_SRV_USR.


3.2.5 Create Reference User in SAP CRM System

To execute the User Self Service, the system needs to be set up with users and the required authorization for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Service User is a standard SAP user of User Type “Reference” created in the Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. This user is used by the user management service to create users in the system.

Procedure

1. In transaction SU01, create user UMC_REF_USR.

Note: The name of the user is provided as an example. You can use any other name of your choice, but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as L - Reference.

3. Specify the alias for the user as UMC_REFERENCE_USER.

4. On the Roles tab page, assign the previously created role ZUMC_REF_USR.

3.3 Configuring the SAP IS-U System

The SAP IS-U system needs to be configured in the same way as the SAP CRM system.

3.3.1 Create PFCG Role for Service User in SAP IS-U System

To execute the User Self Service, the system needs to be set up with users and authorization for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the UMC Service User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZUMC_SRV_USR using the templates /IWBEP/RT_USS_SRVUSR and SAP_ISU_UMC_SRV.

2. For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

3. Check Customizing in transaction SPRO under the path SAP NetWeaver Application Server System Administration Users and Authorizations Set Customizing Switch in Table PRGN_CUST.


If CHECK_S_USER_SAS is specified as YES, the authorization object S_USER_SAS must be manually added to the PFCG role for the UMC service user.

4. Add authorization object S_RFCACL for trusted RFC authorizations to the PFCG role ZUMC_REF_USR.

Set activity to Execute and configure the rest of the RFC settings depending on what the service user is allowed to run.

3.3.2 Create PFCG Role for Reference User in SAP IS-U System

To execute the User Self Service, the system needs to be set up with users and authorization for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the UMC Reference User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZUMC_REF_USR using the templates /IWBEP/RT_USS_INTUSR and SAP_ISU_UMC_ODATA.

2. For authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name) make sure that the following entries exist:

Table 14

| Program ID | Object Type | Object Name |
| --- | --- | --- |
| R3TR | IWSG | ERP_UTILITIES_UMC |
| R3TR | IWSG | ERP_UTILITIES_UMC_PUBLIC_SRV |

Note: The name of the authorization role is provided as an example only. You can choose any other name in the customer namespace.

For the object names to show up in the F4 Help, you must register and activate the OData Services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see Register Services [page 31].

3. For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

4. If you create your own services, you must add the authorization objects you have used to the role of the Reference User. Additionally, you must add an entry for your service to the authorization object S_SERVICE, as mentioned above.


3.3.3 Create Service User in SAP IS-U System

To execute the User Self Service, the system needs to be set up with users and the required authorization for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Service User is a standard SAP user of User Type “Service” created in the Gateway Hub and also in SAP Business Suite System with the IWBEP add-on.

Procedure

For more information on how to create a Service User, see Create Service User in SAP CRM System [page 22].

3.3.4 Create Reference User in SAP IS-U System

To execute the User Self Service, the system needs to be set up with users and the required authorization for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Service User is a standard SAP user of User Type “Reference” created in the Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. This user is used by the user management service to create users in the system.

Procedure

For more information on how to create a Reference User, see Create Reference User in SAP CRM System [page 23].

3.3.5 Activate BC-Sets in SAP IS-U System

You have to activate the BC Sets ISU_UMC_CORRESP_DISPATCH_CONTROL and ISU_UMC_SETTING using transaction SCPR20. Based on the delivered example, you can maintain your own Customizing for communication preference categories and generate a new variant using a different variant prefix.

3.4 Set Up B2C User Management

Configuration tasks specific to User Self Service are included in Customizing for SAP NetWeaver Gateway. To access these Customizing activities, do the following:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup.


3.4.1 Maintain URL for User Account Activation (Mandatory)

You can maintain the activation URL of the application you are using to manage your user accounts as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Maintain URL for User Account Activation.

For the external service name of the User Request Management (/SAP/CRM_UTILITIES_UMC_URM), enter the URL to the sample UI Application, for example, <server><port>.

Note: Instead of <server><port>, provide the relevant information for your system on which the component UMCUI501 is installed.

3.4.2 Maintain Number Range Interval for User Self Service (Mandatory)

You can maintain the number range for generating the users in the SAP system as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Maintain Number Range Interval for User Self Service.

The number range must be 11 characters long. That is because an SAP username has 12 characters and SAP NetWeaver Gateway uses the scheme UXXXXXXXXXXX, where XXX is the number range.

3.4.3 Maintain RFC Destinations for User Replication (Mandatory)

This activity enables you to replicate the users from the SAP back end system to the SAP Gateway Hub system. You can carry out this activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Maintain RFC Destinations for User Replication.

Procedure

1. Use transaction SM59 and create trusted RFC connections to the SAP IS-U and SAP Gateway Hub systems.

2. On the Logon & Security tab page, select the Current User check box for these RFCs.

3. Select the Customizing activity Maintain RFC Destinations for User Replication and maintain the following implementation types:


○ ISU_UMC: Pointing to the SAP IS-U RFC connection

○ IWBEPUM: Pointing to the SAP Gateway Hub system

3.4.4 Maintain User Category (Mandatory)

You can maintain the list of user categories for your application as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Maintain User Category.

For external service name CRM_UTILITIES_UMC_URM, specify user category text and Reference User Name as UMC_REFERENCE_USER, which is a user alias created in the step Create Reference User in SAP CRM System [page 23].

Note: If you enhanced the User Request Management Service, you must specify the external service name that you created in the Customizing instead of the SAP-delivered CRM_UTILITIES_UMC_URM.

3.4.5 Verify User Request (Optional)

You can specify the implementation for the Business Add-In (BAdI) /IWBEP/BD_MGW_URM_VERIFICATION. This BAdI defines the functionality for verifying the information provided during the user request creation.

You can maintain this Customizing activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Verify User Request.

3.4.6 Define Notification Process for User Request Management (Optional)

Here, you can specify the implementation for the BAdI /IWBEP/BD_MGW_URM_NOTIFICATION. It defines the functionality for sending notifications from the User Request Management application.

You can maintain this Customizing activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Define Notification Process for User Request Management.

The User Request Management application has the provision to deliver notifications using e-mail as the standard communication method. You can enhance the solution by adding your own notification mechanism. The SAP Multichannel Foundation for Utilities and Public Sector application has a default implementation of this BAdI in Enhancement Implementation CRM_IU_UMC_URM - CRM_IU_UMC_URM_VERIFICATION (check that this implementation is active).

3.4.7 Implement User Management (Optional)

Here, you can specify the implementation for the BAdI /IWBEP/BD_MGW_UM_USR_MANAGER to manage the users.

You can maintain this Customizing activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Implement User Management.

SAP Multichannel Foundation for Utilities and Public Sector has a default implementation of this BAdI in Enhancement Implementation CRM_IU_UMC_UM - CRM_IU_UMC_UM_USER_MANAGER.

3.4.8 Define Handler for User Management Notification (Optional)

Here, you can specify the implementation for the BAdI /IWBEP/BD_MGW_UM_NOTIFICATION to notify about the user creation.

You can maintain this Customizing activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Define Handler for User Management Notification.

3.4.9 User Request Cleanup (Optional)

You can delete the user requests that are in process, open, completed or cancelled by using this activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup User Request Cleanup.


3.5 Quick Testing of OData Services CRM_UTILITIES_UMC and ERP_UTILITIES_UMC

Procedure

It is sometimes necessary to perform a quick test on OData services to see how the entities work. By performing the following steps, you can test OData services with your user via the SAP Gateway client or Google Chrome’s Advanced Rest client:

1. You must ensure that you have a user with the same username in transaction SU01 in the SAP Gateway Hub, SAP CRM and SAP ERP systems.

2. Use transaction SU01 on the SAP ERP and SAP CRM systems, open your user, and choose Goto References in the menu.

3. Create a new reference for your user, and set Object Type to BUS1006.

4. Set Key to the business partner ID which has test data with which you would like to test the OData services.

5. Go to the SAP Gateway client and execute a GET request on ERP_UTILITIES_UMC or CRM_UTILITIES_UMC services for OData entity Account.

6. You should receive the data for the business partner that you assigned to yourself upon performing GET account.

7. If you did not receive the data, perform an analysis on the user authorization log in transaction SU53 to see if you are missing any authorizations for your user.

Note: You must ensure that the test user does not exist in the production environment.


4 Configuration of SAP IS-U System as Standalone Scenario

In order to configure your SAP IS-U system as a standalone system scenario, certain roles, users and activations need to be maintained in the system. The following sections provide you with instructions on how to set up SAP IS-U as the standalone system.

4.1 Configuring the SAP Gateway Hub System

4.1.1 SAP NetWeaver System Settings

To allow proper authentication for online users, it is necessary to set correct Application Server (AS) profile parameters related to HTTP Security Session Management on AS ABAP. This can be done in transaction SICF_SESSIONS.

For more information, see the SAP Application Help at help.sap.com under SAP NetWeaver SAP NetWeaver Platform Security Information Security Guide User Administration and Authentication User Authentication and Single Sign-On.

To check HTTP Session Management settings, run transaction SICF_SESSIONS. Sample values for HTTP session parameters are:

● login/create_sso2_ticket = 2

● login/accept_sso2_ticket = 1

● login/ticketcache_off = 0

● login/ticket_only_by_https = 1

● icf/user_recheck = 1

Note: Depending on your session security configuration, these parameters may differ.
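A way to compare a system against the sample values above, as an added example that is not part of the SAP guide. It assumes the parameters are available as profile text in `name = value` lines with `#` comment lines; the sample profile, including the system name GWH, is constructed for this illustration.

```python
"""Compare AS ABAP profile text with the sample HTTP session values in 4.1.1."""

# Sample values listed in the guide; a site's own session security
# configuration may legitimately differ from them.
GUIDE_SAMPLE = {
    "login/create_sso2_ticket": "2",
    "login/accept_sso2_ticket": "1",
    "login/ticketcache_off": "0",
    "login/ticket_only_by_https": "1",
    "icf/user_recheck": "1",
}

# Constructed profile excerpt for the demonstration (not from a real system).
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
SAPSYSTEMNAME = GWH
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticket_only_by_https = 0
icf/user_recheck=1
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines.

    Lines starting with '#' and lines without '=' are skipped. If a name
    occurs twice, this parser keeps the later value (an assumption of
    this example).
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit(profile_text, baseline=GUIDE_SAMPLE):
    """Return (name, expected, actual, status) for every baseline parameter.

    status is 'match', 'differs', or 'unset' (absent from the profile text,
    so the kernel default applies and has to be checked on the system).
    """
    actual = parse_profile(profile_text)
    findings = []
    for name, expected in baseline.items():
        value = actual.get(name)
        if value is None:
            status = "unset"
        elif value == expected:
            status = "match"
        else:
            status = "differs"
        findings.append((name, expected, value, status))
    return findings


def deviations(profile_text, baseline=GUIDE_SAMPLE):
    """Only the parameters that need a decision: 'differs' or 'unset'."""
    return [f for f in audit(profile_text, baseline) if f[3] != "match"]


if __name__ == "__main__":
    for name, expected, value, status in audit(SAMPLE_PROFILE):
        print(f"{status:8} {name}: guide sample {expected}, profile {value}")
```

A `differs` result on login/ticket_only_by_https is the one to review first, because it decides whether logon tickets are sent only over HTTPS.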

4.1.2 SAP Gateway Activation

Procedure

In order to check whether SAP Gateway is activated, do the following:

1. Use transaction SPRO in the system.

2. Navigate to SAP NetWeaver Gateway OData Channel Configuration Activate or Deactivate SAP NetWeaver Gateway.


4.1.3 Maintain System Alias for the SAP IS-U System

Procedure

In order to create system aliases for the SAP IS-U system, proceed as follows:

1. In transaction SM59, create trusted RFC connections to the appropriate systems.

2. On the Logon and Security tab pages for these RFCs, select the Current User checkbox.

3. Use transaction SPRO and open the SAP Reference IMG.

4. Navigate to SAP NetWeaver Gateway OData Channel Configuration Connection Settings Manage SAP System Aliases.

5. Create a system alias for the SAP IS-U system.

4.1.4 Register Services

OData Channel implementations retrieve the data from an SAP Business Suite system, which is a back end system. You can use the OData Services that have already been defined by SAP; alternately, you can redefine the OData Services according to your requirements. Once an OData Service has been defined in the back end system, the Service must be registered or activated in the SAP Gateway system.

Procedure

In order to register services in SAP Gateway Hub system, proceed as follows:

1. In transaction /IWFND/MAINT_SERVICE, choose the Add Service option.

2. Select the system alias of the SAP IS-U system and select Get Services.

3. Add the following services:

○ ERP_UTILITIES_UMC

○ ERP_UTILITIES_UMC_URM

○ USERMANAGEMENT

○ ERP_UTILITIES_UMC_PUBLIC_SRV

4. Select a package in the customer namespace for the objects to be created during the registration of the services.

Note: In the context of SAP Multichannel Foundation for Utilities and Public Sector, the originally delivered SAP Gateway service USERREQUESTMANAGEMENT has been enhanced by adding Utilities-specific business logic validation (the Contract Account ID and the business partner’s e-mail address are used for user request validation). ERP_UTILITIES_UMC_URM replaces the original USERREQUESTMANAGEMENT service.

5. For each registered service, select the ICF Node pushbutton and then select Configure (SICF).

6. For additional security, navigate to the Logon Data tab page, and adjust the security parameters as necessary, for example, the SSL parameter.


4.1.5 Create PFCG Roles for Service User for SAP Gateway Hub System

To execute the User Self Service, the system needs to be set up with users and authorizations for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to the Service User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZUMC_SRV_USR using the templates /IWFND/RT_GW_USR, /IWBEP/RT_USS_SRVUSR.

Note: Add additional required authorization objects /IWFND/SRV, S_SECPOL and S_TCODE.

2. For authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name), you must ensure that the following entries exist:

Table 15

Program ID Object Type Object Name

R3TR IWSG ERP_UTILITIES_UMC_URM

Note: The name of the authorization role is provided as an example only. You can choose any other name in the “customer namespace”.

For the object names to show up in the F4 Help, you must register and activate the OData Services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see Register Services [page 15].

3. For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

4. Check Customizing in transaction SPRO under the path SAP NetWeaver Application Server System Administration Users and Authorizations Set Customizing Switch in Table PRGN_CUST.

If CHECK_S_USER_SAS is specified as YES, the authorization object S_USER_SAS must be manually added to the PFCG role for the Service User.

4.1.6 Create PFCG Roles for Reference User for SAP Gateway Hub System

To execute the User Self Service, the system needs to be set up with users and authorizations for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to the Reference User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZUMC_REF_USR using the /IWBEP/RT_USS_INTUSR template.

2. For authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name), you must ensure that the following entries exist:

Table 16

Program ID Object Type Object Name

R3TR IWSG ERP_UTILITIES_UMC

R3TR IWSG USERMANAGEMENT

Note: The name of the authorization role is provided as an example only. You can choose any other name in the customer namespace.

For the object names to show up in the F4 Help, you must register and activate the OData Services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see the section Register Services [page 31].

3. For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

4.1.7 Create Service User in SAP Gateway Hub System

Procedure

To execute the User Self Service, the system needs to be set up with users and the required authorizations for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Service User is a standard SAP user of User Type “Service” created in the SAP Gateway Hub and also in the SAP Business Suite System with the IWBEP add-on. A Service User should be able to access the OData Service /IWBEP/USERREQUESTMANAGEMENT.

1. In transaction SU01, create user UMC_SRV_USR.

Note: The name of the user is provided as an example. You can use any other name of your choice but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as S - Service.

3. On the Roles tab page, assign the previously created role ZUMC_SRV_USR.


4.1.8 Create Reference User in SAP Gateway Hub System

Procedure

To execute the User Self Service, the system needs to be set up with users and the required authorization for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Reference User is a standard SAP user of User Type “Reference” created in the SAP Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. This user is used by the user management service as a template to create other users in the system.

1. In transaction SU01, create user UMC_REF_USR.

Note: The name of the user is provided as an example. You can use any other name of your choice but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as L - Reference.

3. Specify the alias for the user as UMC_REFERENCE_USER.

4. On the Roles tab page, assign the previously created role ZUMC_REF_USR.

4.1.9 Set Service User in SICF Node for Public OData Services

Procedure

In order to set the service user in the ICF Node for ERP_UTILITIES_UMC_URM, proceed as follows:

1. In transaction SICF, find the node /default_host/sap/opu/odata/sap/erp_utilities_umc_urm.

2. Under Logon Data, specify logon settings for the SAP Gateway Hub system for the service user:

○ Client: SAP Gateway Hub system client

○ User: UMC_SRV_USR

○ Password: UMC_SRV_USR user’s password

3. Disable Cross-Site Request Forgery (CSRF) for ERP_UTILITIES_UMC_URM ICF node since the service is executed in the context of the service user. In order to disable CSRF validation in the Service Data tab page of the ICF node, select GUI Configuration and add parameter ~CHECK_CSRF_TOKEN with value 0.

For the OData Service ERP_UTILITIES_UMC_PUBLIC_SRV, you can set the service user in the same way as described above.
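Because these two nodes run every anonymous request as the stored service user with the CSRF token check switched off, it is worth confirming that no other node has ended up with the same settings. The following is an added example, not code from SAP or from this guide: it audits a hand-recorded inventory of SICF settings, and the inventory format, its field names (logon_user, ssl_required, params) and the finding codes are assumptions made for the illustration.

```python
# Added example: audit hand-recorded SICF settings for the UMC OData nodes.
# The inventory format and its field names are hypothetical, not an SAP export.

# Services the guide runs without end-user logon, as the stored service user.
PUBLIC_SERVICES = {"ERP_UTILITIES_UMC_URM", "ERP_UTILITIES_UMC_PUBLIC_SRV"}
SERVICE_USER = "UMC_SRV_USR"  # example user name used in the guide

# Constructed sample inventory (one dict per ICF node).
NODES = [
    {"path": "/default_host/sap/opu/odata/sap/erp_utilities_umc_urm",
     "logon_user": "UMC_SRV_USR", "ssl_required": True,
     "params": {"~CHECK_CSRF_TOKEN": "0"}},
    {"path": "/default_host/sap/opu/odata/sap/erp_utilities_umc_public_srv",
     "logon_user": "UMC_SRV_USR", "ssl_required": False, "params": {}},
    {"path": "/default_host/sap/opu/odata/sap/erp_utilities_umc",
     "logon_user": "", "ssl_required": True,
     "params": {"~check_csrf_token": "0"}},
    {"path": "/default_host/sap/opu/odata/iwbep/usermanagement",
     "logon_user": "UMC_SRV_USR", "ssl_required": True, "params": {}},
]


def service_name(path):
    """Return the last path segment of an ICF node, upper-cased."""
    return path.rstrip("/").rsplit("/", 1)[-1].upper()


def csrf_check_disabled(node):
    """True if the node carries ~CHECK_CSRF_TOKEN with value 0.

    Parameter names are normalised to upper case by this script so that
    differently typed inventory entries are still caught.
    """
    params = {str(k).upper(): str(v).strip()
              for k, v in node.get("params", {}).items()}
    return params.get("~CHECK_CSRF_TOKEN") == "0"


def audit_node(node):
    """Return finding codes for one node; an empty list means as documented."""
    findings = []
    user = (node.get("logon_user") or "").strip().upper()
    if service_name(node["path"]) in PUBLIC_SERVICES:
        # Public node: expected to run as the restricted service user,
        # with SSL required as the guide's additional security setting.
        if user != SERVICE_USER:
            findings.append("PUBLIC_NOT_SERVICE_USER")
        if not node.get("ssl_required"):
            findings.append("PUBLIC_WITHOUT_SSL")
    else:
        # Private node: callers log on themselves, so neither stored
        # credentials nor a disabled CSRF token check are expected.
        if user:
            findings.append("PRIVATE_HAS_STORED_USER")
        if csrf_check_disabled(node):
            findings.append("PRIVATE_CSRF_CHECK_OFF")
    return findings


def audit(nodes):
    """Map node path to its findings, listing only nodes that deviate."""
    report = {}
    for node in nodes:
        findings = audit_node(node)
        if findings:
            report[node["path"]] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit(NODES).items():
        print(path, ", ".join(findings))
```
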

4.2 Configuring the SAP IS-U System

The SAP IS-U system must be configured in the same way as the SAP IS-U system mentioned in the section describing the configuration of SAP CRM as a leading system scenario.


For more information, see the description for the same step under Configuring the SAP IS-U System [page 23].

4.2.1 Create PFCG Role for Service User in the SAP IS-U System

To execute the User Self Service, the system needs to be set up with users and authorization for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the Service User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZUMC_SRV_USR using the templates /IWBEP/RT_USS_SRVUSR and SAP_ISU_UMC_SRV_USR.

2. For authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name), you must ensure that the following entries exist:

○ Program ID: R3TR

○ Object Type: IWSV

○ Object Name: ERP_UTILITIES_UMC_URM 0001

3. For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

4. Check Customizing in transaction SPRO under the path SAP NetWeaver Application Server System Administration Users and Authorizations Set Customizing Switch in Table PRGN_CUST.

If CHECK_S_USER_SAS is specified as YES, the authorization object S_USER_SAS must be manually added to the PFCG role for the Service User.

4.2.2 Create PFCG Role for Reference User in the SAP IS-U System

To execute the User Self Service, the system needs to be set up with users and authorization for those users. This is a mandatory step as the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the Service User. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.


Procedure

1. In transaction PFCG, create a new role ZUMC_REF_USR using the templates /IWBEP/RT_USS_INTUSR and SAP_ISU_UMC_ODATA.

2. For authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name) make sure that the following entries exist:

Table 17

Program ID Object Type Object Name

R3TR IWSV /IWBEP/USERMANAGEMENT 0001

R3TR IWSV ERP_UTILITIES_UMC 0001

Note: The name of the authorization role is provided as an example only. You can choose any other name in the customer namespace.

For authorization objects that do not have predefined values for authorization fields in the templates, you must ensure that values relevant to the current business scenarios are provided.

4.2.3 Create Service User in the SAP IS-U System

To execute the User Self Service, the system needs to be set up with users and the required authorization for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Service User is a standard SAP user of User Type “Service” created in the Gateway Hub and also in the SAP Business Suite System with the IWBEP add-on. A Service User should be able to access the OData service /IWBEP/USERREQUESTMANAGEMENT_0001.

More Information

For more information on how to create a Service User, see the description for the same step under the SAP CRM as leading system scenario at Create Service User [page 22].

4.2.4 Create Reference User in the SAP IS-U System

To execute the User Self Service, the system needs to be set up with users and the required authorization for those users. Additionally, the users have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Service User is a standard SAP user of User Type “Reference” created in the Gateway Hub and also in the SAP Business Suite System with the IWBEP add-on. This user is used by the user management service to create users in the system.


More Information

For more information on how to create a Reference User, see the description for the same step under the SAP CRM as leading system scenario at Create Reference User [page 23].

4.2.5 Activate BC-Sets in SAP IS-U System

You have to activate the BC Sets ISU_UMC_CORRESP_DISPATCH_CONTROL and ISU_UMC_SETTING using transaction SCPR20. Based on the delivered example, you can maintain your own Customizing for communication preference categories and generate a new variant using a different variant prefix.

4.3 Set Up B2C User Management

Configuration tasks specific to User Self Service are included in Customizing for SAP Gateway. To access these Customizing activities, do the following:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup.

4.3.1 Maintain URL for User Account Activation (Mandatory)

You can maintain the activation URL of the application you are using to manage your user accounts as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Maintain URL for User Account Activation.

For the external service name of the User Request Management (ERP_UTILITIES_UMC_URM), enter the URL in the sample UI Application, if it exists, for example, <server><port>. You must also enter Version (0001) and Namespace (/SAP/).

4.3.2 Maintain Number Range Interval for User Self Service (Mandatory)

You can maintain the number range to generate users in the SAP system as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup.


The number range must be 11 characters long. That is because an SAP username has 12 characters and SAP Gateway uses the scheme UXXXXXXXXXXX, where XXX is the number range.

4.3.3 Maintain RFC Destinations for User Replication (Mandatory)

This Customizing activity enables you to replicate the users from the SAP back end system to the SAP Gateway Hub system.

You can maintain this Customizing activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Maintain RFC Destinations for User Replication.

Procedure

1. Use transaction SM59 and create a trusted RFC connection to the SAP Gateway Hub systems.

2. On the Logon & Security tab page, select the Current User check box for these RFCs.

Implementation type is IWBEPUM: Pointing to the SAP Gateway Hub System

4.3.4 Maintain User Category (Mandatory)

You can maintain the list of user categories for your application as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Maintain User Category.

For external service name ERP_UTILITIES_UMC_URM, specify user category text and Reference User Name as UMC_REFERENCE_USER, which is a user alias created in the step Create Reference User in SAP-IS-U System. You must also enter Version (0001) and Namespace (/SAP/).

Note: If you have enhanced User Request Management Service, you must specify the external service name that you created in Customizing instead of the SAP-delivered ERP_UTILITIES_UMC_URM.

4.3.5 Verify User Request (Optional)

You can specify the implementation for the Business Add-In (BAdI) /IWBEP/BD_MGW_URM_VERIFICATION. This BAdI defines the function for verifying the information provided during the user request creation.

You can implement this BAdI as follows:


1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Verify User Request.

3. Proceed with creating the BAdI implementation.

4.3.6 Define Notification Process for User Request Management (Optional)

You can specify the implementation for the BAdI /IWBEP/BD_MGW_URM_NOTIFICATION here. It defines the function for sending notifications from the User Request Management application.

You can maintain this Customizing activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Define Notification Process for User Request Management.

The User Request Management application has the provision to deliver notifications using E-mail as the standard communication method. You can enhance the solution by adding your own notification mechanism. SAP Multichannel Foundation for Utilities and Public Sector has a default implementation of this BAdI in Enhancement Implementation ISU_UMC_URM - ISU_UMC_URM_VERIFICATION (check to ensure that this implementation is active).

4.3.7 Implement User Management (Optional)

You can specify the implementation for the BAdI /IWBEP/BD_MGW_UM_USR_MANAGER to manage the users as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Implement User Management.

SAP Multichannel Foundation for Utilities and Public Sector has a default implementation of this BAdI in the Enhancement Implementation ISU_UMC_UM - ISU_UMC_UM_USER_MANAGER.

4.3.8 Define Handler for User Management Notification (Optional)

You can specify the implementation for the BAdI /IWBEP/BD_MGW_UM_NOTIFICATION here to create a notification about the user creation.

You can maintain this Customizing activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.


2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup Define Handler for User Management Notification.

4.3.9 User Request Cleanup (Optional)

You can delete the user requests that are in process, open, completed or cancelled using this activity.

You can maintain this Customizing activity as follows:

1. Use transaction SPRO and open the SAP Reference IMG.

2. Navigate to SAP NetWeaver Gateway Service Enablement Backend OData Channel User Self Service Setup User Request Cleanup.

4.4 Quick Testing of OData Services ERP_UTILITIES_UMC

4.4.1 Quick Testing of OData Services ERP_UTILITIES_UMC

Procedure

It is sometimes necessary to perform a quick test on OData services to see how the entities work. By performing the following steps, you can test OData services with your user via the SAP Gateway client or Google Chrome’s Advanced Rest client:

1. You must ensure that you have a user with the same username in transaction SU01 in the SAP Gateway Hub, and SAP ERP systems.

2. Use transaction SU01 on the SAP ERP and SAP CRM systems, open your user, and choose Goto References in the menu.

3. Create a new reference for your user, and set Object Type to BUS1006.

4. Set Key to the business partner ID which has test data with which you would like to test the OData services.

5. In the SAP Gateway client, execute a GET request on the ERP_UTILITIES_UMC service for OData entity Account.

6. You should receive the data for the business partner that you assigned to yourself upon performing GET account.

7. If you did not receive the data, perform an analysis on the user authorization log in transaction SU53 to see if you are missing any authorizations for your user.

Note: You must ensure that the test user does not exist in the production environment.


5 Configuration of SAP Self-Service for Utilities Mobile App

The following section describes the steps to configure your mobile apps for iOS and Android in SAP Mobile Platform (SMP).

Prerequisites

In order to configure the SAP Self-Service for Utilities apps, the following prerequisites must be fulfilled:

● The SMP installation must have been completed. For more information, see help.sap.com/smp303svr.

● Admin and push notification users must be set up.

5.1 Working Example of How to Set Up SAP Self-Service for Utilities Mobile App

The following process describes how the SAP Self-Service for Utilities mobile app can be set up once the prerequisite steps have been completed.

Note: We are using only the onboarding process and push notification feature and there is no persistent data, user management, data model and offline mode.

Process

Two types of OData services are exposed - public and private. The public services don’t need user authentication, while the private ones do. On the SMP Server, two applications need to be defined with their own configurations.

Follow the steps below:

1. Create application com.sap.umc.mobile.public

○ Endpoint: /sap/bc/ui5_ui5/sap/UMCUI5_MOBILE/

○ Rewrite Mode: No Rewriting

○ Type: Hybrid

○ SSO Mechanisms: SSO2 and Basic

2. Create connections to the back end system:

○ CRM_UTILITIES_UMC_PUBLIC_SRV: <server>:<port>/sap/opu/odata/sap/CRM_UTILITIES_UMC_PUBLIC_SRV/

○ CRM_UTILITIES_UMC_URM: <server>:<port>/sap/opu/odata/sap/CRM_UTILITIES_UMC_URM/


○ ERP_UTILITIES_UMC_PUBLIC_SRV: <server>:<port>/sap/bc/ui5_ui5/sap/ERP_UTILITIES_UMC_PUBLIC_SRV/

○ UMCUI5_MOBILE: <server>:<port>/sap/bc/ui5_ui5/sap/UMCUI5_MOBILE/

○ VBI_APPL_DEF_SRV: <server>:<port>/sap/opu/odata/sap/VBI_APPL_DEF_SRV/

○ VBI_GEOCODER_SRV: <server>:<port>/sap/opu/odata/sap/VBI_GEOCODER_SRV/

3. Create application com.sap.umc.mobile.

○ Endpoint: <server>:<port>/sap/opu/odata/sap/ERP_UTILITIES_UMC/

○ Rewrite Mode: No Rewriting

○ Type: Hybrid

○ SSO Mechanisms: SSO2 and Basic

4. Create a connection to the back end system.

○ CRM_UTILITIES_UMC: <server>:<port>/sap/opu/odata/sap/CRM_UTILITIES_UMC/

○ CRM_UTILITIES_UMC_PUBLIC_SRV: <server>:<port>/sap/opu/odata/sap/CRM_UTILITIES_UMC_PUBLIC_SRV/

○ CRM_UTILITIES_UMC_URM: <server>:<port>/sap/opu/odata/sap/CRM_UTILITIES_UMC_URM/

○ ERP_UTILITIES_UMC: <server>:<port>/sap/opu/odata/sap/ERP_UTILITIES_UMC/

○ ERP_UTILITIES_UMC_PUBLIC_SRV: <server>:<port>/sap/opu/odata/sap/ERP_UTILITIES_UMC_PUBLIC_SRV/

○ USERMANAGEMENT: <server>:<port>/sap/opu/odata/IWBEP/USERMANAGEMENT/

○ VBI_APPL_DEF_SRV (optional): <server>:<port>/sap/opu/odata/sap/VBI_APPL_DEF_SRV/

○ VBI_GEOCODER_SRV (optional): <server>:<port>/sap/opu/odata/sap/VBI_GEOCODER_SRV/

Note: For the public service, authentication of any type is not required to be set.

<server> corresponds to the SAP Gateway Server address.

This configuration assumes that SAP CRM is being used as the leading system.

5. Create Security Profile UMC in settings:

○ Control Flag: required

○ URL: <server>:<port>/sap/opu/odata/sap/ERP_UTILITIES_UMC/

○ Try Basic Auth if Token Auth Fails: checked

○ SSO Cookie Name: MYSAPSSO2

On the Application tab page under Authentication, select UMC profile.

6. On the Push tab page, enable push for Apple and Android.

○ Go to the Mac Developer Library on Apple's website and search for the document Apple Push Notification Service for push notifications. Follow the instructions to create a certificate.

○ Go to the Android Developers website and search for Google Cloud Messaging. Follow the instructions to create the sender ID and API key.

7. Set up back end SAP ERP system report (ISU_UMC_BROADCAST_SAMPLE) to send push notifications to all registered devices:

○ Enter the user name and password provided by the SMP administrator, for example, push URL: <server>:<port>/restnotification/application/com.sap.umc.mobile/.


8. After running the report, you should get status 201, which means the push was successfully sent. In case of an error regarding proxy and SSL, contact your IT department to import the certificate or set up a proxy.

9. Push only works if PUSH ports are not blocked by your firewall.

Note: Firewalls usually block these ports (for example, APN: 5223, 2195, 2196; GCM: 5228-5230).

5.2 Additional Setup Information

Procedure

Configure the user type as Internet User (the alias name) for the Basic Authentication logon procedure in our service:

1. In transaction SICF, double-click the service.

2. Click the Change icon.

3. Under Logon Data/Authentication, select Internet User.

4. Save your changes.

Note: At this time, it is not possible to reset password or sign up for a new account using the app from the login page. This is because the connection has not yet been set. This feature is only available online.


6 Application Operations

6.1 SAP Gateway Service Model Development in SAP CRM

SAP Multichannel Foundation for Utilities and Public Sector is delivered with a default project for OData Services. The default project is called CRM_UTILITIES_UMC in SAP CRM and ERP_UTILITIES_UMC on the SAP ERP side.

Behind each OData Service in the back end system, the SAP Gateway engine generates a Model Provider and a Data Provider:

● Model Provider defines a structure of the model. It can be enhanced either manually (old way) or by using the SAP Gateway Service Builder (transaction SEGW).

● Data Provider defines the logic of handling HTTP requests for all entities in the service model. It can be enhanced by using the development approach introduced in SAP Multichannel Foundation for Utilities and Public Sector.

To modify the existing project or to create your own, you use the service extensibility features in SAP Gateway Service Builder (transaction SEGW). The Business Add-In (BAdI) CRM_IU_UMC_ODATA is called in the data provider extension class for each OData Entity requested by the system. This BAdI implementation provides the infrastructure to extend the existing SAP Multichannel Foundation for Utilities and Public Sector implementation with the additional functions that you created.

SAP Multichannel Foundation for Utilities and Public Sector has a certain approach towards OData Entity implementation in the Data Provider class:

● Data Provider class gets requests to read a specific OData Entity.

● Data Provider calls BAdI CRM_IU_UMC_ODATA (SAP CRM) to get a BAdI implementation for a filter entity = requested entity name and service_name = requested service name. The BAdI implementation provides the infrastructure to extend the existing SAP Multichannel Foundation for Utilities and Public Sector implementation with the additional functions that you created.

● BAdI runtime behaves like a factory pattern finding a specific OData entity implementation class. This class is then called to handle read requests and calls business logic.

● Common logic shared across all entities is put into an abstract class CL_CRM_IU_UMC_ODATA_ABSTRACT (SAP CRM) or CL_ISU_UMC_ODATA_ABSTRACT (SAP ERP).

Using the abstract class CL_CRM_IU_UMC_ODATA_ABSTRACT for new entities ensures access to the method that checks for security (CHECK_USER_AUTHORISATION).

CL_CRM_IU_UMC_ODATA_ABSTRACT supports long navigation which is not supported by default. Also, it performs better on the expand operation.

6.2 SAP Gateway Service Model Development in SAP IS-U

SAP Multichannel Foundation for Utilities and Public Sector standalone SAP IS-U scenario is delivered with a default project for OData Services. The default project is called ERP_UTILITIES_UMC, and you can modify it by accessing the data model and creating additional entities, entity attributes, and navigation properties. Alternately, you can create your own project.

You can use this BAdI definition to create new or modify existing OData entity implementations. The purpose of this BAdI is to provide an implementation specific to the entity name. The base class of implementation classes for all entities is CL_ISU_UMC_ODATA_ABSTRACT.

By default, all BAdI implementations are active and flagged as default implementations. The default implementation is executed automatically. This BAdI is filter-dependent, and the filter is based on the name of the entity. For example, the filter for the account entity is ENTITY_NAME = Account; service_name = ZERP_UTILITIES_UMC_PUBLIC_SRV (or any other name you have created).

6.3 SAP Gateway Service Model Extensibility in SAP CRM

As mentioned in an earlier section, the extensibility of SAP Multichannel Foundation for Utilities and Public Sector is based on the BAdI CRM_IU_UMC_ODATA. SAP standard delivery consists of two OData services in SAP CRM, namely, CRM_UTILITIES_UMC and CRM_UTILITIES_UMC_PUBLIC_SRV. In the standard delivery we follow the rules listed below:

1. If the BAdI implementation of an entity is exactly the same for both CRM_UTILITIES_UMC and CRM_UTILITIES_UMC_PUBLIC_SRV, then the BAdI implementation only maintains filter entity_name = requested entity.

2. If an entity has different BAdI implementations for CRM_UTILITIES_UMC and CRM_UTILITIES_UMC_PUBLIC_SRV, then the implementation for CRM_UTILITIES_UMC_PUBLIC_SRV maintains the filters service_name = CRM_UTILITIES_UMC_PUBLIC_SRV and entity_name = requested entity, while the implementation for CRM_UTILITIES_UMC maintains the filters entity_name = requested entity and entity_name <> CRM_UTILITIES_UMC_PUBLIC_SRV.

Therefore, when you extend CRM_UTILITIES_UMC to derive a Z service for the entities you choose to expose, there are two options:

1. A new BAdI implementation is created for the entity with your own implementation class. In this case, the filter values entity_name = requested entity and service_name = Z service must be maintained in the BAdI implementation.

2. No new BAdI implementation is created, and the applicable SAP implementation with the correct filter values is called.
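The selection rules above decide which implementation class, and therefore which checks, answer for each entity of a Z service. The following is an added example, not SAP code: a simplified Python model of the filter matching that reads the second filter of rule 2 as service_name <> CRM_UTILITIES_UMC_PUBLIC_SRV and assumes that a customer implementation takes precedence over an SAP-delivered one. The implementation names, SampleEntity and the Z service names other than ZCRM_UTILITIES_UMC are constructed for the illustration.

```python
# Added example: simplified model of filter-based BAdI selection.
from dataclasses import dataclass
from typing import Optional

PUBLIC = "CRM_UTILITIES_UMC_PUBLIC_SRV"


@dataclass(frozen=True)
class Implementation:
    name: str                          # hypothetical implementation name
    entity: str                        # filter: entity_name = ...
    service_eq: Optional[str] = None   # filter: service_name = ...
    service_ne: Optional[str] = None   # filter: service_name <> ...
    sap_default: bool = True           # False for a customer implementation

    def matches(self, service, entity):
        """All maintained filter conditions must hold (logical AND)."""
        if self.entity != entity:
            return False
        if self.service_eq is not None and service != self.service_eq:
            return False
        if self.service_ne is not None and service == self.service_ne:
            return False
        return True


# Constructed registry. "Account" appears in the guide; "SampleEntity" stands
# for any entity whose public and private implementations differ.
REGISTRY = [
    # Rule 1: same logic for both services, only entity_name is filtered.
    Implementation("SAP_ACCOUNT", "Account"),
    # Rule 2: separate implementations for the public and the private service.
    Implementation("SAP_SAMPLE_PUBLIC", "SampleEntity", service_eq=PUBLIC),
    Implementation("SAP_SAMPLE_PRIVATE", "SampleEntity", service_ne=PUBLIC),
    # Option 1: customer implementation bound to the Z service.
    Implementation("Z_ACCOUNT", "Account",
                   service_eq="ZCRM_UTILITIES_UMC", sap_default=False),
]


def resolve(registry, service, entity):
    """Return the name of the implementation selected for (service, entity)."""
    matching = [i for i in registry if i.matches(service, entity)]
    custom = [i for i in matching if not i.sap_default]
    candidates = custom or matching   # assumption: customer code wins
    if len(candidates) > 1:
        names = ", ".join(i.name for i in candidates)
        raise LookupError(f"ambiguous filters for {service}/{entity}: {names}")
    return candidates[0].name if candidates else None


def serving_map(registry, service, entities):
    """For a review: which implementation answers for each exposed entity."""
    return {entity: resolve(registry, service, entity) for entity in entities}


if __name__ == "__main__":
    for svc in ("CRM_UTILITIES_UMC", PUBLIC, "ZCRM_UTILITIES_UMC",
                "ZCRM_UTILITIES_UMC_PUBLIC_SRV"):
        print(svc, serving_map(REGISTRY, svc, ["Account", "SampleEntity"]))
```

In this model a Z service derived from the public service does not equal CRM_UTILITIES_UMC_PUBLIC_SRV by name, so it falls through to the private implementation unless option 1 is used for that entity.
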

The SAP Gateway service model can be extended on the following different levels:

● Extending the structure of an OData Entity (adding append structure with custom fields)

● Extending the logic of an OData Entity (for example, adding additional validations)

● Adding new OData Entities

Recommendation: SAP recommends that you create your own model by using the Redefine OData Service option. This approach has the following advantages:

● You can decide what (entities, associations, attributes) to inherit into your own model

● New artifacts can be easily added to your model after inheritance

● Existing implementation of the original model is automatically inherited

● New artifacts of the original model will not affect the inherited model/service


For more information on the approaches used to extend or redefine SAP Gateway Services, see the OData Channel Cookbooks under SAP Gateway Cookbooks at help.sap.com/saphelp_gateway.

Extending the Structure of the OData Entity

If you want to add new fields to an entity, we recommend the following approach.

Behind each OData entity is a DDIC structure that you can see by accessing the original project in the Service Builder (transaction SEGW). This DDIC structure has a subset of fields originating from the API. The names of the fields correspond to those in the API.

By creating an append structure, you can add fields from the API, and then regenerate the model in the Service Builder. By doing so, no further coding is required for GET operations, although further adjustments may be required for POST, PUT, and DELETE operations in the OData entity implementation class.

For example, let us start by enhancing the Account Entity in the CRM_UTILITIES_UMC service model by adding one field that you can find in the Business Partner structure, for example, Nationality.

Follow the steps below to enhance the service:

1. Start transaction SEGW in the SAP CRM system and create a new service model project, for example, ZCRM_UTILITIES_UMC.

2. Right click on Data Model and select Redefine OData Service (GW).

3. Select CRM_UTILITIES_UMC as the service to be redefined.

4. Select all entities to be included in the new service.

5. Choose the Generate pushbutton to generate the new service.

6. In the popup, do not select the Overwrite Extended Service option.

7. Enter a name for the new service, for example, ZCRM_UTILITIES_UMC.

8. You now have an enhanced service.

Use the following steps to add a field to the service:

1. Use transaction SE80, and add append structure to CRMS_IU_UMC_ACCOUNT.

2. Add field Nationality and activate the structure.

3. Since we always use the “move-corresponding” ABAP statement in our implementation behind each entity, the newly added field should become visible in the entity after adding it to the service model.

4. Use transaction SEGW, and add a new attribute to the Account entity structure.

5. Choose Generate model.

6. The newly added field should become visible in the service metadata.

The ZCRM_UTILITIES_UMC service should also be registered in the SAP Gateway hub system:

1. In the SAP Gateway Hub, run transaction /IWFND/MAINT_SERVICE to register and activate the new service.

2. Choose Add Service.

3. Enter the System Alias for the SAP CRM system and add the service.

4. The service can now be tested in the SAP Gateway Client or advanced REST plugin available in browsers.

If, for some reason, the field is still unavailable in the metadata of the service, execute transaction /IWFND/MAINT_SERVICE and select Go to > Cleanup of Model Cache to clear the metadata model buffer.

Extending the OData Entity Logic

To overwrite standard behavior, create a new BAdI implementation with the required filter value. This implementation is then called instead of the standard one. The BAdI definition is based on the interface IF_CRM_IU_UMC_ODATA_BADI. This interface has only one method get_instance, which provides an instance of a SAP Multichannel Foundation for Utilities and Public Sector OData Service Implementation class (class with the suffix DPC_EXT).

Use the following steps to extend the existing entity:

1. Create a class for an entity inheriting from the SAP standard class, for example, CL_CRM_IU_UMC_ODATA_ACCOUNT.

2. Use transaction SE19 to create a new BAdI implementation for the entity, with the filter name set to the name of the entity whose logic you would like to enhance; set the implementing class to the class you created in step 1 above.

3. Your new implementation is called instead of a standard one.

Adding New OData Entities

You can define your own entity-based service implementation class using the inheritance from the existing class that was assigned to the BAdI implementation. In your service implementation class, you can redefine all the methods of both IF_CRM_IU_UMC_ODATA_BADI and IF_CRM_IU_UMC_ODATA_IMPL interfaces to replace delivered SAP functions with your own functions.

Some implementation classes also provide additional methods that you can redefine. If your implementation is inherited or based on the SAP standard BAdI implementation, we recommend that you call super-class methods whenever possible. This ensures that subsequent corrections or updates delivered by SAP are integrated within the implementation.

Follow the steps below to add a new entity:

1. Add a new entity to the service model in transaction SEGW, associate an ABAP structure from DDIC to it, and define the entity attributes.

2. Create a class for an entity inheriting from SAP abstract class, for example, CL_CRM_IU_UMC_ODATA_ABSTRACT.

3. Use transaction SE19 to create a new BAdI implementation for an entity with a filter name corresponding to the entity name you want to add.

4. Your new entity should be visible after regeneration of the model in transaction SEGW.

The new entity can be tested using the SAP Gateway client or any other REST client.

6.4 SAP Gateway Service Model Extensibility in SAP IS-U

As mentioned in an earlier section, the extensibility of SAP Multichannel Foundation for Utilities and Public Sector is based on the BAdI ISU_UMC_ODATA. SAP standard delivery consists of two OData services in SAP ERP, namely, ERP_UTILITIES_UMC and ERP_UTILITIES_UMC_PUBLIC_SRV. In the standard delivery, we follow the rules listed below:

1. If the BAdI implementation of an entity is exactly the same for both ERP_UTILITIES_UMC and ERP_UTILITIES_UMC_PUBLIC_SRV, then the BAdI implementation only maintains filter entity_name = requested entity, for example Account.

2. If an entity has different BAdI implementations for ERP_UTILITIES_UMC and ERP_UTILITIES_UMC_PUBLIC_SRV, then the implementation for ERP_UTILITIES_UMC_PUBLIC_SRV maintains the filters service_name = ERP_UTILITIES_UMC_PUBLIC_SRV and entity_name = requested entity, while the implementation for ERP_UTILITIES_UMC maintains the filters entity_name = requested entity and service_name <> ERP_UTILITIES_UMC_PUBLIC_SRV.


Therefore, when you extend ERP_UTILITIES_UMC to derive a Z service for the entities you choose to expose, there are two options:

1. A new BAdI implementation is created for the entity with your own implementation class. In this case, the filter values entity_name = requested entity and service_name = Z service must be maintained in the BAdI implementation.

2. No new BAdI implementation is created, and the applicable SAP implementation with the correct filter values is called.

The SAP Gateway service model can be extended on the following different levels:

● OData entity field extension

● OData entity logic extension

● Addition of new OData entities

If you want to add new fields to an entity, the following approach can be used. Behind each OData entity is a DDIC structure that you can see by accessing the Service Builder (transaction SEGW). This DDIC structure has a subset of fields originating from the API. The names of the fields correspond to those in the API; however, the labels for data elements are displayed on the UI.

By creating an append structure, you can add fields from the API, and then regenerate the model in the Service Builder. By doing so, no further coding is required for GET operations, although further adjustments may be required for POST, PUT, and DELETE operations in the OData entity implementation class.

To overwrite standard behavior, create a new BAdI implementation with the required filter value. This implementation is then called instead of the standard one. The BAdI definition is based on the interface IF_ISU_UMC_ODATA_BADI. This interface has only one method get_instance, which provides an instance of a Multichannel Service Implementation class to the standard Data Provider class (class with the suffix DPC_EXT).

You can define your own entity-based service implementation class using the inheritance from the existing class that was assigned to the BAdI implementation. In your service implementation class, you can redefine all the methods of both IF_ISU_UMC_ODATA_BADI and IF_ISU_UMC_ODATA_IMPL interfaces to replace delivered SAP functions with your own.

Some implementation classes also provide additional methods that you can redefine. If your implementation is inherited or based on the SAP standard BAdI implementation, we recommend that you call super-class methods whenever possible. This ensures that subsequent corrections or updates delivered by SAP are integrated within the implementation.

If a new entity is needed, you can enhance the existing SEGW model with new entities and follow the SAP BAdI concept.

6.5 Batch Operations for OData Services

In some cases, business entity instances may logically belong together and need to be handled or processed together in the same logical unit of work. For example, on moving out of a premise, an update of two or more entities could be required and must be processed together in a single request (all or none).

SAP Gateway can be used to process such scenarios with its capability to execute multiple operations in a single request, including retrieval and change. In the delivered OData Service for SAP Multichannel Foundation for Utilities and Public Sector, batch processing is already enabled. Therefore, it is possible to use $batch to collect a fixed number of operations (get, create, update, delete) of an OData Service in one single HTTP POST request.


Example

The following example creates a new address and ends a contract on a certain date (MoveOut procedure). The two create operations are executed in the same session and in an atomic manner (all or none). By contrast, normal OData operations run in their own sessions.

Batch Request Header

POST /sap/opu/odata/sap/CRM_UTILITIES_UMC/$batch
Content-Type: multipart/mixed;boundary=batch_01869434-0004

Batch Request Body

--batch_01869434-0004
Content-Type: multipart/mixed; boundary=changeset_01869434-0004-0001

--changeset_01869434-0004-0001
Content-Type: application/http
Content-Transfer-Encoding: binary

POST AccountAddresses HTTP/1.1
Content-Length:388
Content-Type:application/json

{"AddressInfo":{"__metadata":{"type":"CRM_UTILITIES_UMC.AddressInfo"},"StandardFlag":"X","City":"Walldorf","District":"","PostalCode":"69190","POBoxPostalCode":"","POBox":"","Street":"Cedar","HouseNo":"0847","Building":"","Floor":"","RoomNo":"","CountryID":"DE","Region":"08","TimeZone":"CET","TaxJurisdictionCode":"","LanguageID":"","ShortForm":"Cedar 15 / Walldorf"},"AccountID":"1068"}

--changeset_01869434-0004-0001
Content-Transfer-Encoding: binary

POST MoveOut?MoveOutDate=datetime'2012-02-02T00%3A00%3A00'&ContractID='900008186' HTTP/1.1
Content-Type:application/json

--changeset_01869434-0004-0001--
--batch_01869434-0004--

By using batch processing, you can get improved performance since OData Service operations can be grouped in one round trip. However, batch processing is more complex than standalone OData Service operations, and may not always be beneficial. We suggest reviewing your use cases individually to evaluate the benefits of batch processing.

For more examples, you can refer to SAP Note 1869434.
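The MoveOut request shown in the example can be generated instead of typed by hand. The following JavaScript is an added example, not code from SAP or from this guide: it serializes one change set into a $batch request in the same layout, and rejects input that would break the multipart framing. The function names are hypothetical and the address payload is a shortened, constructed sample.

```javascript
// Added example, not SAP code: serialize one change set into an OData V2 $batch request.
const CRLF = "\r\n";
const CHANGE_METHODS = new Set(["POST", "PUT", "MERGE", "DELETE"]);

// OData V2 string literal for a URL: double embedded quotes, then percent-encode.
function odataString(value) {
  return "'" + encodeURIComponent(String(value).replace(/'/g, "''")) + "'";
}

// OData V2 datetime literal, for example datetime'2012-02-02T00%3A00%3A00'.
function odataDateTime(isoLocal) {
  if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$/.test(isoLocal)) {
    throw new Error("expected YYYY-MM-DDTHH:MM:SS, got: " + isoLocal);
  }
  return "datetime'" + encodeURIComponent(isoLocal) + "'";
}

// One MIME part of the change set: part headers, blank line, nested HTTP request.
function serializeOperation(op, boundaries) {
  const method = String(op.method).toUpperCase();
  if (!CHANGE_METHODS.has(method)) {
    throw new Error("a change set cannot contain " + method + " operations");
  }
  // The path becomes part of a request line. Whitespace or CR/LF in it would
  // let a caller-supplied value add header lines or a second request.
  if (typeof op.path !== "string" || op.path === "" || /\s/.test(op.path)) {
    throw new Error("invalid resource path");
  }
  const lines = [
    "Content-Type: application/http",
    "Content-Transfer-Encoding: binary",
    "",
    method + " " + op.path + " HTTP/1.1",
    "Content-Type: application/json",
  ];
  if (op.body !== undefined) {
    const json = JSON.stringify(op.body);
    // Payload text that contains a boundary would end the part early.
    if (boundaries.some((b) => json.includes("--" + b))) {
      throw new Error("payload collides with a multipart boundary");
    }
    lines.push("Content-Length: " + new TextEncoder().encode(json).length, "", json);
  } else {
    lines.push("", ""); // blank line ends the nested headers, empty body
  }
  return lines.join(CRLF);
}

// Build the HTTP request for a single change set (all or none).
function buildChangeSetBatch(serviceRoot, operations, id) {
  if (!/^[A-Za-z0-9_-]{1,40}$/.test(id)) throw new Error("invalid boundary id");
  if (!Array.isArray(operations) || operations.length === 0) {
    throw new Error("a change set needs at least one operation");
  }
  const batch = "batch_" + id;
  const changeset = "changeset_" + id + "-0001";
  const lines = ["--" + batch, "Content-Type: multipart/mixed; boundary=" + changeset, ""];
  for (const op of operations) {
    lines.push("--" + changeset, serializeOperation(op, [batch, changeset]));
  }
  lines.push("--" + changeset + "--", "--" + batch + "--", "");
  return {
    method: "POST",
    url: serviceRoot.replace(/\/+$/, "") + "/$batch",
    headers: { "Content-Type": "multipart/mixed; boundary=" + batch },
    body: lines.join(CRLF),
  };
}

// Constructed sample mirroring the guide's MoveOut request (address shortened).
function moveOutBatch() {
  return buildChangeSetBatch("/sap/opu/odata/sap/CRM_UTILITIES_UMC", [
    { method: "POST", path: "AccountAddresses",
      body: { AddressInfo: { City: "Walldorf", PostalCode: "69190", Street: "Cedar",
                             HouseNo: "0847", CountryID: "DE" }, AccountID: "1068" } },
    { method: "POST",
      path: "MoveOut?MoveOutDate=" + odataDateTime("2012-02-02T00:00:00") +
            "&ContractID=" + odataString("900008186") },
  ], "01869434-0004");
}
```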

If you have certain business logic to be executed before the processing of a “changeset” in a batch, you must overwrite the framework method /IWBEP/IF_MGW_APPL_SRV_RUNTIME~CHANGESET_BEGIN. In the implementation of SAP Multichannel Foundation for Utilities and Public Sector OData Services, this method was redefined in class CL_CRM_UTILITIES_UMC_DPC_EXT on the SAP CRM side and CL_ERP_UTILITIES_UMC_DPC_EXT on the SAP IS-U side.

For example, the redefined method sets a session-wise flag to indicate the batch mode that will be used by the SAP Multichannel Foundation for Utilities and Public Sector redefined /IWBEP/IF_MGW_APPL_SRV_RUNTIME methods later. CREATE_ENTITY is one such example and also performs basic validation on whether an operation is allowed in a batch process. This is due to the fact that SAP Gateway is solely responsible for commit and rollback for batch processing, so if an operation uses an API that has its own commit or rollback logic, then such an operation should not be included in a batch. /IWBEP/IF_MGW_APPL_SRV_RUNTIME~CHANGESET_END can be redefined for logic after a “changeset” is processed.

Recommendation

SAP recommends that you use batch processing in the SAPUI5 Web application.

For more examples, refer to SAP Note 1869434.

6.6 Consuming OData Batch Request from SAP UI

As the SAPUI5 control ODataModel supports batch processing, SAPUI5 applications can consume OData service in batches. You might need to use one or more of the following methods:

● addBatchChangeOperations

● clearBatch

● addBatchReadOperations

● createBatchOperation

● setUseBatch

For more information about ODataModel, refer to sapui5.hana.ondemand.com/sdk/#docs/api/symbols/sap.ui.model.odata.ODataModel.html.

The following code snippet is an example of a batch request from the SAP Multichannel Foundation for Utilities and Public Sector application where oDataCrm is the oDataModelWrapper instantiated up front:

Figure 2

6.7 Error Message Handling

Error message handling in SAP Multichannel Foundation for Utilities and Public Sector follows both the OData protocol approach (from 2.0) and the SAP Gateway approach. OData entities should be able to return standardized HTTP codes to tell the client about the status of the request.

The SAP Gateway runtime checks for payload and resource URL consistency. In case of an error, for example, when a character field is provided instead of a decimal, the runtime returns an error with HTTP code 500. If a resource is incorrectly addressed, the runtime again produces the HTTP status code 500.

For other error situations, service implementation needs to provide error handling. If there is a technical exception raised, then HTTP status code will be 500 (Server error) with an exception message appended to it; if it is a business-related application error, the HTTP code should be 400. Each entity calls a certain API or BAPI to execute business logic and this API returns a list of error messages that are propagated via SAP Gateway in the payload.

The error handling logic is implemented in the Data Provider class CL_CRM_UTILITIES_UMC_DPC_EXT and also in a particular entity implementation via standard methods HANDLE_TECHNICAL_ERROR and HANDLE_BUSINESS_ERROR available in abstract class CL_CRM_IU_UMC_ODATA_ABSTRACT. A similar approach is reused for SAP ERP based Services.

The table below describes various error situations and the associated HTTP status codes:

Table 18

| Scenario | Sample Request | Response Behavior | Handling Level * |
|---|---|---|---|
| Authorization failure on accessing an Entity with a wrong key | GET Accounts('X') | 404 Not Found with no specific error message | Service implementation |
| Get Entity by key not found | GET Accounts('X') | 404 Not Found with no specific error message | Entity implementation |
| Get Entityset not found | GET Invoices | 200 With empty payload | Entity implementation |
| Get with navigation A('x')/B not found | Get Accounts('X')/StandardAccountAddress | 200 With empty payload | Service implementation |
| POST | POST AccountAddressDependentEmail | 404 Not found due to authorization issues; 400 Bad Request due to business logic issues; 201 Created on success with payload with a newly created entity returned | Entity implementation |
| UPDATE | UPDATE AccountAddressDependentEmail | 404 Not found due to authorization issues; 400 Bad Request due to business logic issues; 200 on success with updated entity returned in payload | Entity implementation |
| DELETE | DELETE AccountAddressDependentEmail | 404 Not found due to authorization issues; 400 Bad Request due to business logic issues; 204 No Content on success | Entity implementation |
| Expand on Entities that do not have keys filled in the source Entity, A('x')$expand=B,C | GET Accounts('X')?$expand= AccountAddressDependentEmail, AccountAddressDependentPhone | Entities for which keys are not filled in source are ignored, payload still returned with 200 | Service implementation |
| Not properly formed URL, payload | Get Accounts('X')/NotExistingResource | 500 Server error with a specific error message | SAP Gateway |

* Handling levels are the following:

● SAP Gateway runtime

● Service Implementation (Data Provider class and Abstract class from which all entities inherit)

● Entity Implementation (specific OData Entity implementation class)

For a particular Entity, it is possible to change error logic by redefining methods HANDLE_BUSINESS_ERROR or HANDLE_TECHNICAL_ERROR where a mapping can be provided from API error messages to friendly messages on the user interface. Alternatively, to implement a generic mapping for error messages for all Entities, it is possible to define an implicit enhancement point at the beginning of the methods HANDLE_BUSINESS_ERROR or HANDLE_TECHNICAL_ERROR in the abstract class CL_CRM_IU_UMC_ODATA_ABSTRACT or CL_ISU_UMC_ODATA_ABSTRACT where generic error mapping can be handled.
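After HANDLE_BUSINESS_ERROR or HANDLE_TECHNICAL_ERROR has been redefined, recorded responses can be checked against the table above, in particular that an authorization failure still looks the same as a missing key. The following JavaScript is an added example, not SAP code: the scenario keys, the assumed OData V2 JSON payload shapes and the sample responses are constructed for illustration.

```javascript
// Added example, not SAP code. Scenario keys, payload shapes and samples are assumptions.
// Allowed status codes per scenario, transcribed from Table 18 of the guide.
const EXPECTED = new Map([
  ["authFailureByKey", { statuses: [404] }],
  ["notFoundByKey", { statuses: [404] }],
  ["emptyEntitySet", { statuses: [200], emptyPayload: true }],
  ["emptyNavigation", { statuses: [200], emptyPayload: true }],
  ["create", { statuses: [201, 400, 404] }],
  ["update", { statuses: [200, 400, 404] }],
  ["remove", { statuses: [204, 400, 404] }],
  ["malformedUrl", { statuses: [500] }],
]);

// Message text of an OData V2 JSON error body, or "" when there is none.
function errorMessage(body) {
  if (!body) return "";
  try {
    const parsed = JSON.parse(body);
    const err = parsed && parsed.error;
    if (!err) return "";
    const msg = err.message;
    return typeof msg === "string" ? msg : (msg && msg.value) || "";
  } catch (e) {
    return String(body); // not JSON: compare the raw text instead
  }
}

// True when a 200 response carries no entity data (assumed "d" wrapper).
function isEmptyPayload(body) {
  if (!body) return true;
  try {
    const parsed = JSON.parse(body);
    const d = parsed && parsed.d;
    if (d === null || d === undefined) return true;
    if (Array.isArray(d.results)) return d.results.length === 0;
    return Object.keys(d).length === 0;
  } catch (e) {
    return false;
  }
}

// Returns a list of deviations from the table; an empty list means conforming.
function checkObservations(observations) {
  const violations = [];
  const seen = new Map();
  for (const obs of observations) {
    const rule = EXPECTED.get(obs.scenario);
    if (!rule) {
      violations.push(obs.request + ": unknown scenario " + obs.scenario);
      continue;
    }
    seen.set(obs.scenario, obs);
    if (!rule.statuses.includes(obs.status)) {
      violations.push(obs.request + ": status " + obs.status +
        " not in [" + rule.statuses.join(", ") + "]");
    } else if (rule.emptyPayload && !isEmptyPayload(obs.body)) {
      violations.push(obs.request + ": expected an empty payload");
    }
  }
  // Rows 1 and 2 of the table share one response, so a caller cannot tell
  // "exists but not permitted" from "does not exist".
  const denied = seen.get("authFailureByKey");
  const missing = seen.get("notFoundByKey");
  if (denied && missing && (denied.status !== missing.status ||
      errorMessage(denied.body) !== errorMessage(missing.body))) {
    violations.push("authorization failure is distinguishable from a missing key");
  }
  return violations;
}

// Constructed observations from a hypothetical Z service with redefined error handling.
const SAMPLE = [
  { scenario: "authFailureByKey", request: "GET Accounts('1068')", status: 404,
    body: '{"error":{"code":"","message":{"lang":"en","value":"No authorization for account 1068"}}}' },
  { scenario: "notFoundByKey", request: "GET Accounts('9999')", status: 404,
    body: '{"error":{"code":"","message":{"lang":"en","value":"Resource not found"}}}' },
  { scenario: "emptyEntitySet", request: "GET Invoices", status: 200, body: '{"d":{"results":[]}}' },
  { scenario: "update", request: "UPDATE AccountAddressDependentEmail", status: 500,
    body: '{"error":{"code":"","message":{"lang":"en","value":"Invalid e-mail address"}}}' },
];
```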

6.8 SAP Multichannel Foundation for Utilities and Public Sector Solution Monitoring

Within the management of SAP technology, monitoring is an essential task.

For more information about the underlying technology, see Technical Operations for SAP NetWeaver in the SAP Library at help.sap.com/nw.

Features

Alert Monitoring

In order to monitor errors and alert messages in SAP Gateway, use transaction /IWFND/ERROR_LOG. In the back end systems, use transaction /IWBEP/ERROR_LOG.

For more information, see http://help.sap.com/nwgateway, SAP NetWeaver Gateway Technical Operations Guide > Alert Monitoring with CCMS.

Trace and Log Files

Trace files and log files are essential for analyzing problems. SAP Multichannel Foundation for Utilities and Public Sector follows the approach used by SAP NetWeaver Gateway. For more information, see the SAP NetWeaver Gateway Technical Operations Guide in the SAP Library at help.sap.com/nwgateway.

6.9 SAP Multichannel Foundation for Utilities and Public Sector Management

SAP provides you with an infrastructure to help your technical support consultants and system administrators effectively manage all SAP components and complete all tasks related to technical administration and operation.

For more information about the underlying technology, see the Technical Operations for SAP NetWeaver manual in the SAP Library under help.sap.com/netweaver.

Software Configuration

Certain components or scenarios used by this application can be configured and tools are available for adjusting these components.

For more information, see the SAP NetWeaver Gateway Configuration Guide under help.sap.com/nwgateway/ and other SAP Library documentation under help.sap.com/utilities.

6.10 Sample SAP UI5 Application Configuration

When you install the Add-On UMCCUI501 for SAP Gateway, you receive a sample SAP UI5 application UMCUI5. This should serve as an example of how OData Services are consumed within SAP Multichannel Foundation for Utilities and Public Sector.

To install the UMCCUI501 Add-On, follow the instructions in Installation of SAP Multichannel Foundation for Utilities.

6.10.1 UMCUI5 Application

The UMCUI5 application is stored as a BSP application under the MIME repository path /sap/bc/bsp/sap/UMCUI5. It contains a set of CSS, HTML, and JavaScript files packaged into a BSP application and uploaded to the Server using a Team Provider Eclipse plugin. To copy the application and re-upload it to the Server, you can use the report /UI5/UI5_REPOSITORY_LOAD.

Application Structure

UMCUI5 Web content consists of the following folders:

● CSS (Style Sheet files)

● i18n (text property files)

● IMG (images)

● JS (globally used JavaScript files)

● Views (JavaScript code with model/view/controllers)

● index.html (main index page)


SAP Gateway Service Configuration

The UMCUI5 application calls OData services from SAP ERP and SAP CRM; therefore, CRM_UTILITIES_UMC, ERP_UTILITIES_UMC and /IWBEP/USERMANAGEMENT services need to be configured to point to a proper back end system (SAP system alias) using transaction /IWFND/MAINT_SERVICE in SAP NetWeaver Gateway.

CRM_UTILITIES_UMC and /IWBEP/USERMANAGEMENT should point to the SAP CRM system, and ERP_UTILITIES_UMC should point to the SAP ERP system since user management is executed from SAP CRM as a leading system.

For more information on SAP Gateway configuration, see the documentation at help.sap.com/nwgateway.

6.10.2 UMCUI5 Public Application

The logon application is stored under the MIME repository path /sap/public/bc/ui2/umcui5_logon. The application HTML, image and JavaScript files are loaded manually into the MIME repository. The SAP NetWeaver Server loads the logon UI dynamically when the browser hits the index.html page of the UMCUI5 application.

Figure 3: File content of application that is loaded into browser

The SAP Gateway service CRM_UTILITIES_UMC_URM needs to be configured using transaction /IWFND/MAINT_SERVICE in SAP Gateway to point to the SAP CRM back end system.

Logon Configuration

The browser tries to access the index.html of the UMCUI5 Web application but the Server does not allow access if the user is not authorized. The browser is served an HTML page with a logon screen as a response from the Server.

Note

The URL path in the browser window continues to point to index.html.

The logon HTML page is dynamically prepared as a Server response by the ABAP class /UI2/CL_SRA_LOGIN. It is set under Error Pages > Logon Errors > System Logon configuration > Logon layout and procedure > Custom implementation in the SICF configuration for the node /default_host/sap/bc/ui5_ui5/sap/umcui5.

Figure 4: System logon configuration

For more information on SICF configuration, see Changing Password for Initial Logon at http://help.sap.com/nwgateway/ under Application Help Support Package 07 SAP NetWeaver Gateway SAP NetWeaver Configuration Settings Basic Configuration Settings .

Logon Logic

Figure 5

When the browser accesses the path of the SAP UI5 application, a request is sent to the Server; the request is processed based on the SICF Customizing for SAP UI5 Web applications. This Customizing specifies a custom implementation for the logon layout and procedure, so the HTM_LOGIN method of the /UI2/CL_SRA_LOGIN class is executed. It searches for the login.properties file in the UMCUI5 Web application directory. In the login.properties file, it searches for a way to load the template_login page (see screenshot below).

Figure 6: Login properties file

The template_login page represents an HTML page with certain parameters that are dynamically set and the final HTML page is served to the browser.

The following code snippet is from the template_login.html page supplied with the sample application:

Figure 7: Code sample from template_login.html page

Note

@sys_form_name_login and all items that start with @ are the parameters that are replaced during runtime by the HTM_LOGIN method of the /UI2/CL_SRA_LOGIN class.

The actual logon happens when the user enters their user ID and password and chooses the log on option. On the client side, a form is prepared with certain set fields and is posted to the Server. If authentication is completed successfully, the user is brought to the index.html page of the Web application. If it fails, error messages are returned in place of parameter @sys_messages_text and shown on the UI.

6.10.3 Log Out Configuration

There is no specific log out page. The SAP UI5 application needs to execute navigation to the standard log out ICF node /sap/public/bc/icf/logoff with a redirect URL. For this ICF node, one can define an external alias (with the same name /sap/public/bc/icf/logoff) on which one defines a log out redirect (Error Pages > Logoff Page > Redirect to URL). This affects the entire Server.

For more information on fixing issues with the log out redirect method described, see SAP Note 1509851.

Applying an HTTP white-list is also recommended by SAP Note 853878.

Note

Not all log out functionality is available in releases prior to SAP NetWeaver 7.02.

6.11 Sample SAP UI5 Mobile Application Configuration

The SAP Multichannel Foundation for Utilities and Public Sector responsive application consists of three applications: private, public, and foundation. The foundation application is required by both the public and private applications.

For more information on the general requirements for a responsive application, see Sample SAP UI5 Application Configuration.

6.11.1 SAP Gateway Service Configuration

The UMCUI5_MOBILE application calls OData Services from SAP IS-U and SAP CRM; therefore, CRM_UTILITIES_UMC, ERP_UTILITIES_UMC and /IWBEP/USERMANAGEMENT services need to be configured to point to a proper back end system (SAP system alias) using transaction /IWFND/MAINT_SERVICE in SAP Gateway.

The CRM_UTILITIES_UMC and /IWBEP/USERMANAGEMENT services should point to the SAP CRM system, since user management is executed from SAP CRM as the leading system. The ERP_UTILITIES_UMC service should point to the SAP IS-U system.

Since this application consumes OData Services from Visual Business, the services VBI_GEOCODER_SRV and VBI_APPL_DEF_SRV have to be configured to point to the SAP Gateway system.

More Information

For more information on SAP Gateway configuration, see the documentation for SAP NetWeaver Gateway at help.sap.com/nwgateway.

6.11.2 UMCUI5_MOBILE Public Application

The public application is stored under the MIME repository path /sap/public/bc/ui2/umcui5_mobile_logon. The application files are loaded manually into the MIME repository. The SAP NetWeaver Server loads the logon UI dynamically when the browser hits the index.html page of the UMCUI5_MOBILE application. If you want to modify the public application, you must copy the content of the MIME repository /sap/public/bc/ui2/umcui5_mobile_logon folder manually into a different folder, and modify the login.properties file stored in the BSP application UMCUI5_MOBILE.

6.11.3 UMCUI5_MOBILE Private Application

The private application is stored as a BSP application with the name UMCUI5_MOBILE within package UMCUI501_UI and under SICF path /sap/bc/bsp/sap/UMCUI5_MOBILE. It contains a set of CSS, XML, and JavaScript files packaged into the BSP application and uploaded to the Server using a Team Provider Eclipse plug-in. To copy the application and reupload it to the Server, you can use the Team Provider Eclipse plug-in or the report /UI5/UI5_REPOSITORY_LOAD.

6.11.4 UMCUI5_MOBILE Foundation Application

The foundation application is stored under the MIME repository path /sap/public/bc/ui2/umcui5_mobile_foundation. The foundation files are loaded manually into the MIME repository. The foundation JavaScript library is required by both the private and public applications.

6.12 Applying Custom Themes to Mobile Applications

6.12.1 Applying a Custom UI Theme

Procedure

To apply a custom theme for the SAPUI5 mobile application, you must execute the following JavaScript code:

sap.ui.getCore().applyTheme("myThemeName");

An example of the dynamic theme switch can be found in the ActionSheetController.js file in the home component of the application for the responsive UI:

Figure 8


6.12.2 Specifying the Path to a Custom UI Theme

Procedure

In the bootstrap script that includes the SAPUI5 library, the additional attribute data-sap-ui-theme-roots must be added.

Note

To define a default theme, the attribute data-sap-ui-theme must also be included, that is, data-sap-ui-theme="umc_bluecrystal".

The following code snippet is an example of the bootstrap script in the application that supports multiple themes:

Figure 9: JavaScript Code for multiple themes

6.12.3 Creating a Custom Theme

There is not one single way to create a new theme, but there are several options. The option you choose depends on several factors:

● How different is the desired design from an existing theme?

● Should the theme be used across several applications or just in one?

● Are sufficient CSS skills available?

● How much effort can be invested?

● How structured should the result be?

Depending on the answers it may be determined that adapting an existing theme might be the best choice. The following options are available:

● Adapting an existing theme by adding custom CSS at the application level is the easiest option and still sufficient for many use cases.

● Creating a new theme as an SAPUI5 library project in Eclipse. This gives a clear development structure like separated CSS files per control. This approach requires considerable CSS coding effort.

● Using the Theme designer tool to generate a new theme.

Theme for SAP Multichannel Foundation for Utilities and Public Sector

To develop the umc_bluecrystal theme, the Theme Designer tool has been used with sap_bluecrystal theme as a base. Physically, theme-related CSS files are located in the SAP UI5 folder of the public application for SAP Multichannel Foundation for Utilities and Public Sector.


More Information

For more information on the Theme Designer, see help.sap.com/netweaver under User Interface Add-On 1.0 for SAP NetWeaver > Application Help > UI Theme Designer.

6.13 Configuring Outage in SAP Multichannel Foundation for Utilities and Public Sector

6.13.1 Configuring Visual Business for OData Entity Outage

Procedure

The sample SAP UI5 mobile application UMCUI5_MOBILE uses the following OData Services provided by Visual Business:

● VBI_APPL_DEF_SRV, used to get the map configuration

● VBI_GEOCODER_SRV, provides a wrapper for geo-coding or decoding services

Both of these OData Services can be activated in the SAP Gateway system using transaction /IWFND/MAINT_SERVICE.

To configure Visual Business, do the following:

1. Log in to the SAP Gateway system and run transaction SPRO.

2. Choose SAP Reference IMG > SAP NetWeaver > UI Technologies > SAP Visual Business > Maintain Application Definitions.

3. Choose the New Entries pushbutton.

4. In the application, enter the name of the application ID to be referenced in the OData Service for the configuration.

5. You can configure specific UI functionality for the map such as displaying the tool bar, the scaling, the navigation, camera rotations, and the ability to move, and zoom levels.

6. You can enable visual frames, which allow the map to restrict itself and zoom in at a specific location. You can place the layer depth, minimum and maximum latitude and longitude values.

7. In the service ID, you can choose which geo-coding/decoding service to use.

8. You can define a new geo-coding service by choosing Geocoding Service in the Dialog structure and then choose New Entries.

9. Enter values for the following fields:

○ Service ID

○ Description

○ Service Provider

○ Implementation Class

10. You can define a new third party map provider service by clicking on the new entries and choosing the ID, the description as well as the copyright text to be displayed visually on the map.


6.13.2 Consuming Visual Business Services from the User Interface

This procedure describes how to call the OData Services from the UI.

Procedure

1. To get the application settings for Visual Business, you must call the /sap/opu/odata/sap/VBI_APPL_DEF_SRV/VBIApplicationSet('APP_NAME') OData Service.

2. To convert a search to geo location, you must use the Service call /sap/opu/odata/sap/VBI_GEOCODER_SRV/GetGeoLocation?AppID='APP_NAME'&='SEARCH_TEXT'.

3. The geo location service returns a list of geo coordinates that include x, y and z positions, which can be used in the Visual Business SAPUI5 control.

More Information

For more information, see the resources available for configuring the SAPUI5 control for JSON Interface at scn.sap.com/docs/DOC-56942.

6.13.3 Creating an Outage Region

This procedure is an example of how to draw an outage region on a map using business partner contact information.

Procedure

1. The outage broadcast region can be stored in the business partner note. This can be accessed in the SAP ERP system using transaction BCT1. Enter the business partner contact information and the coordinates are stored in the Note field.

2. Look at the sample for visual objects at sapui5.hana.ondemand.com/sdk/#test-resources/sap/ui/vbm/demokit/VisualBusiness.html.

3. Drag and drop the drawing object that looks like a polygon to the map. This allows you to draw an object onto the map.

4. Now create an outage region outline and double-click in the center of the region you just created. This colors in the entire region.

5. Right-click the object. This creates the code in the Raised Event pane. Within the code, find the coordinates that correspond to the region you drew and place them in the business partner note.

6.13.4 Configuring Outage Messages

Outage messages are encapsulated in business partner contact objects in SAP ERP. The outage collection returns two kinds of outage information: user-reported outages and globally broadcast outages.

SAP delivers CL_ISU_UMC_OUTAGE_IMPL as standard implementation of the Outage BAdI ISU_UMC_OUTAGE_SETTING.

If you want to configure your own outage messaging, this implementation needs to be overwritten.

Sample Implementations

The delivered sample implementation is CL_ISU_UMC_OUTAGE_IMPL.

Use the interface IF_ISU_UMC_OUTAGE_BADI~GET_OUTAGE_SETTING.

The service partner (used for broadcast outage) is configured in this method.

You can use the following example implementation:

Figure 10

Use transaction BCT1 to create a business partner contact for the service partner and put the outage information in the note (for example, we use a list of geographic coordinates to represent the reported area).

As a sample implementation for broadcasting an outage, the following geographic coordinates were used:

● 8.638096073409542; 49.477792394030566; 0;

● 8.554325321456417;49.49162087871508;0;
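The note is a free-text field, so the positions stored in it are worth validating before they are handed to the map control. The parser below is an added example, not SAP-delivered code: it assumes the note holds only semicolon-separated x;y;z positions in the form shown above, with x as longitude and y as latitude, and its function names are illustrative.

```python
import re
from decimal import Decimal

# Plain decimal numbers only: no exponents, no "nan"/"inf", no markup.
_NUMBER = re.compile(r"-?[0-9]+(?:\.[0-9]+)?")


def parse_outage_note(note, min_points=1):
    """Parse x;y;z positions from note text into (lon, lat, alt) Decimal tuples.

    Raises ValueError unless the whole note is a clean list of positions.
    Pass min_points=3 when the positions must outline a closed region.
    """
    tokens = [t.strip() for t in note.split(";")]
    if tokens[-1] == "":
        tokens.pop()  # the sample positions end with a trailing ';'
    if not tokens or len(tokens) % 3 != 0:
        raise ValueError("note must contain complete x;y;z positions")

    points = []
    for start in range(0, len(tokens), 3):
        triple = tokens[start:start + 3]
        index = start // 3 + 1
        if not all(_NUMBER.fullmatch(t) for t in triple):
            raise ValueError(f"position {index} is not numeric: {triple!r}")
        lon, lat, alt = (Decimal(t) for t in triple)
        # Assumption: x is longitude and y is latitude, in degrees.
        if not (-180 <= lon <= 180 and -90 <= lat <= 90):
            raise ValueError(f"position {index} is outside the valid range")
        points.append((lon, lat, alt))

    if len(points) < min_points:
        raise ValueError(f"expected at least {min_points} positions")
    return points


def to_position_string(points):
    """Serialize validated points as one normalized x;y;z;x;y;z string."""
    return ";".join(format(value, "f") for point in points for value in point)


# The two sample positions from this guide, spacing kept as printed.
SAMPLE_NOTE = (
    "8.638096073409542; 49.477792394030566; 0;\n"
    "8.554325321456417;49.49162087871508;0;"
)

if __name__ == "__main__":
    region = parse_outage_note(SAMPLE_NOTE)
    print(to_position_string(region))
```

Decimal is used instead of float so that the digits stored in the note are passed on unchanged.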

We use customer additional information to act as status, for example: IF_ISU_UMC_OUTAGE_BADI~GET_ADDITIONALINFO rv_additionalinfo = '08'

You must maintain the Customizing for contact additional information under Financial Accounting Basic Functions Customer Contacts Additional Information Define Additional Customer Contact Information.

Example:

● 7 Outage Broadcast

● 8 Outage Reported

● 9 Crew Assigned

● 10 Repair Completed

● 11 Service Restored

We use this method to filter out the returned outage data: IF_ISU_UMC_OUTAGE_BADI~PROCESS_OUTAGE

Figure 11

6.14 Retrieving Channel Information in SAP Multichannel Foundation for Utilities and Public Sector

When creating a utility quotation, contract or interaction record in the back end system (for example, creating an interaction record after a business partner phone number is changed), the channel information might need to be obtained and maintained.

One way to get this channel information is to use the User-Agent field in the request header. When an end user visits a Web page, the browser sends the user-agent string to the Server hosting the site that they are visiting. This string indicates which browser they are using, its version number, and details about the system, such as operating system and version. The Web Server can use this information to provide content that is tailored to the user's specific browser.

To support the retrieval of channel information, a Business Add-In (BAdI) CRM_IU_UMC_CHANNEL is called in the Data Provider extension class for each OData editing operation, such as create, delete, and update. The purpose of this BAdI is to publish header information of the OData requests and map it to channel information when interaction records or One-Order headers are created during the OData service operations.

There are two types of channel information:

● In Interaction Records (IR) as the communication channel, also known as Activity Category. There are three possible categories delivered in the BC Set CRM_IU_UMC_IR_CATEGORY.

● In the header of a utility quotation or contract. The attribute Input_channel may have some predefined values. Among those, three are used by the default implementation.

In the interface IF_CRM_IU_UMC_CHANNEL_BADI, two methods (get_channel_code and get_1o_channel_code) are used to retrieve the two types of channel information, respectively. The default implementation provides a preliminary mapping and is executed automatically. However, you can create your own implementation to suit your specific needs.

7 Security

7.1 Before You Start

This security section provides security-relevant information applicable to SAP Multichannel Foundation for Utilities and Public Sector. Because the solution deals with business data from your core business processes, it adheres to the highest security and quality requirements.

The system landscape of SAP Multichannel Foundation for Utilities and Public Sector is built from multiple components, such as SAP Enterprise Resource Planning (ERP), SAP Customer Relationship Management (CRM) and SAP Gateway, so the corresponding component security guides also apply.

Fundamental Security Guides

● SAP Security Guides for SAP ERP

● SAP Security Guides for SAP CRM

● SAP NetWeaver Gateway Security 2.0

● SAP Security Guides

More Information

Important SAP Notes

For a list of important security-relevant SAP Hot News and SAP Notes, see SAP Service Marketplace at service.sap.com/securitynotes.

Configuration

For information on configuration, see the Scenario & Process Component List on SAP Service Marketplace at service.sap.com/scl.

Other Topics

For more information about specific topics, see the Quick Links in the table below:

Table 19

| Content | Quick Link on SAP Service Marketplace or SCN |
| --- | --- |
| Security | service.sap.com/security |
| Security Guides | service.sap.com/securityguide |
| Related SAP Notes | service.sap.com/notes, service.sap.com/securitynotes |
| Released platforms | service.sap.com/pam |
| Network security | service.sap.com/securityguide |
| SAP Solution Manager | service.sap.com/solutionmanager |
| SAP NetWeaver | scn.sap.com/community/netweaver |

7.2 Technical System Landscape

The figure below shows an overview of the technical system landscape for SAP Multichannel Foundation for Utilities and Public Sector.

Figure 12: The technical system landscape for SAP Multichannel Foundation for Utilities and Public Sector

Two add-ons that group business processes in SAP ERP and SAP CRM for Utilities for OData consumption are UMCERP01 and UMCCRM01. A sample SAPUI5 template is hosted on SAP NetWeaver Gateway. The user interface application communicates with the SAP NetWeaver Gateway using OData protocol. The SAP NetWeaver Gateway dispatches the calls to specific back end systems.

For more information about the technical system landscape, see the resources listed in the table below.

Table 20

| Topic | Guide/Tool | Quick Link on SAP Service Marketplace or SCN |
| --- | --- | --- |
| Technical description for SAP Multichannel Foundation for Utilities and Public Sector and the underlying components such as SAP NetWeaver | Master Guide | service.sap.com/instguides |
| High availability | See applicable documents | scn.sap.com/docs/DOC-7848 |
| Technical landscape design | See applicable documents | scn.sap.com/docs/DOC-8140 |
| Security | See applicable documents | scn.sap.com/community/security |

7.3 Security Aspects of Data, Data Flow, and Processes

The figure below shows the data flow when an existing user logs on to SAP Multichannel Foundation for Utilities and Public Sector.

Figure 13

The following table shows the security aspects to consider for each process step and also which mechanism applies:

Table 21

Step Description Security Measure

1 User logs on with username and password

Communication protocol: HTTPS

2 User credentials sent over SAP NetWeaver user management

3 Gets accounts for user Communication using HTTPS and synchronous RFC to trusted destination

Recommendation

In order to protect users from being locked by external attackers after several failed login attempts, it is recommended to set the parameter login/failed_user_auto_unlock to automatically remove user locks at midnight. This is maintained in the CCMS profile maintenance tool.

More Information

For more information, see help.sap.com/nw_platform and choose Technical Operations for SAP NetWeaver (7.01) Configuration Profiles Maintaining Profiles Changing and Switching Profile Parameters .

7.4 User Administration and Authentication

The SAP Multichannel Foundation for Utilities and Public Sector solution adopts the user management and authentication mechanisms provided by the SAP NetWeaver platform, specifically SAP NetWeaver Application Server ABAP (SAP NW AS ABAP).

Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to this solution. The SAP NetWeaver Application Server ABAP Security Guide contains the following information:

● User management concept, tools, and required users

● User authentication and single sign-on

● Authorization and roles

For more information, see User Administration and Authentication in the SAP NetWeaver Gateway Security Guide 2.0, which is available on the SAP Help Portal.

Starting from SAP NetWeaver Gateway SP07, a set of OData services is available that exposes some of the functionality of SAP NetWeaver User Management and enhances it with User Request Management, which allows online users to request the creation of user accounts.

For more information, see SAP NetWeaver Gateway User Self Service. Security aspects are also described in the SAP NetWeaver Gateway Security Guide 2.0.

The SAP Multichannel Foundation for Utilities and Public Sector solution also enhances SAP NetWeaver Gateway’s user management processes as follows:

● Linking the user to business partners

● Validating prospective users

7.5 User Management

User management for the SAP Multichannel Foundation for Utilities and Public Sector solution uses the mechanisms provided with the SAP NetWeaver Application Server, such as tools, user types, and password policies. In particular, the SAP Multichannel Foundation for Utilities and Public Sector solution uses the following management concepts:

User Creation and Activation for SAP CRM

Use the following procedure to create application users and assign authorizations to them:

1. Validate prospective user based on the business partner information.

The current enhancement checks the business agreement ID and E-mail address. Customers can apply their own mechanisms for validation in SAP CRM.

2. Notify prospective user for initial logon and activation through E-mail.

3. Create users on the SAP Gateway system and on the application back end systems.

The main user record is stored in SAP Gateway in SU01 with an active password and a communications data user type. Users with the same name are created in SAP CRM and SAP ERP with no password and a communications data user type.

A prospective user can send multiple requests to create users using SAP Gateway OData services. The SAP Gateway Security Guide provides measures that you can use to avoid overloading the server and to mitigate denial-of-service attacks. It is recommended that these measures be implemented in order to maximize security. After activation and a successful logon, users can also change the password.

User Creation and Activation for Standalone SAP ERP

Use the following procedure to create application users and assign authorizations to them:

1. Validate prospective user based on the business partner information.

The current enhancement checks the contract account ID and E-mail address. Customers can apply their own mechanisms for authentication in SAP ERP.

2. Notify prospective user for initial logon and activation through E-mail.

3. Create users on the SAP Gateway system and on the application back end system.

The main user record is stored in SAP Gateway in SU01 with an active password and communications data user type. Users with the same name are created in SAP ERP with no password and a communications data user type.

A prospective user can send multiple requests to create users using SAP Gateway OData Services. The SAP Gateway Security Guide provides measures that you can use to avoid overloading the server and to mitigate denial-of-service attacks. It is recommended that these measures be implemented in order to maximize security. After activation and a successful logon, users can also change the password.

Users in the Back End Systems and SAP Gateway (SU01, PFCG)

Application users are relevant for the back end system. The authorizations required for a particular application are provided by using a PFCG role, which can be created based on the delivered PFCG template. For more information, see the Authorizations section in this Guide.

In the SAP back end systems, users are created without a password. This protects the users against attacks that exploit incorrect or insecure password handling. Users also require a user ID for the SAP Gateway layer. They must have the same user name as the users in the back end system. The user requires certain authorizations that allow the services of the application to be triggered in the back end system.

User Administration Tools

For information regarding user management and the user administration tools that are used with this solution, see User and Role Administration for SAP NW AS ABAP.

User Types

You may have to employ different security policies for different types of users.

For SAP Multichannel Foundation for Utilities and Public Sector, the following minimum user types are required:

● Service user

All application users are communications data users.

● Reference user

Provides a template of authorizations for service users.

During configuration of the systems, the following two users must be created to enable user management:

● UMC_SRV_USR: This special service user is used to create application users based on the reference user. UMC_SRV_USR must have authorization to create users and validate user requests. UMC_SRV_USR is an example of a username.

● UMC_REF_USR: The reference user can be used as a template for authorizations for creating other online users. UMC_REF_USR is an example of a username.

These users have to be customized in the SAP Gateway User Self Service.

For more information, see help.sap.com/nw and choose SAP NetWeaver 7.0 SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According to Usage Types Security Guide for Usage Type AS SAP NetWeaver Application Server ABAP Security Guide User Authentication User Types

User Data Synchronization

By default, all application users are created with the same username in SAP Gateway and in the back end systems.

Password Rules and Security Policy

Password rules define what form a password can take in SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP. Some rules are predefined in the system, while others you can configure with the security policy or with profile parameters.

For more information, see help.sap.com/nw_platform, and then choose Identity Management User and Role Administration of Application Server ABAP Configuration of User and Role Administration First Installation Procedure Logon and Password Security in SAP NetWeaver Application Server ABAP Password Rules.

More Information

For more information, see the following on help.sap.com:

● At help.sap.com/nwgateway, choose SAP Gateway Developer Guide Advanced Features (SAP Gateway) User Self Service

● At help.sap.com/nw_platform, choose Identity Management User and Role Administration of Application Server ABAP

● At help.sap.com/netweaver, see Technical Operations for SAP NetWeaver

For more information on configuring users in the SAP CRM and SAP ERP systems, see Configuration of SAP CRM System as Standalone Scenario [page 14] and Configuration of SAP ERP System as Standalone Scenario [page 30].

7.6 Integration into Single Sign-On Environments

The SAP Multichannel Foundation for Utilities and Public Sector solution does not use single sign-on (SSO). However, SAP NetWeaver provides SSO so that customers can use it as needed.

For more information about available authentication mechanisms, see SAP NetWeaver Gateway Authentication and Single Sign-On in the SAP Library for SAP NetWeaver Gateway (help.sap.com/nwgateway).

7.7 Authorizations

The SAP Multichannel Foundation for Utilities and Public Sector solution uses the authorization concept provided by the SAP NetWeaver Application Server ABAP.

Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the SAP Multichannel Foundation for Utilities and Public Sector solution. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator transaction on the Application Server ABAP (AS ABAP).

Reference Role Templates and Authorizations in SAP CRM

You create a reference user (UMC_REF_USR) during system installation. The reference user provides the necessary authorizations for each online user. This means the reference user can access data in the back end systems and SAP Gateway.

PFCG role templates (SAP_CRM_UMC_ODATA and SAP_ISU_UMC_ODATA for SAP CRM and SAP ERP, respectively) are delivered with SAP CRM and SAP ERP, which can be used (together with role templates delivered by SAP Gateway, for example, /IWBEP/RT_USS_INTUSR) to create the PFCG role for the reference user.

Reference Role Templates and Authorizations in SAP ERP

For SAP ERP, the PFCG role template (SAP_ISU_UMC_ODATA) is delivered with the SAP ERP system, which can be used together with role templates delivered by SAP Gateway (for example, /IWBEP/RT_USS_INTUSR) to create the PFCG role for the reference user.

Service Role Templates and Authorizations in SAP CRM

In addition to the reference user, you create a service user (UMC_SRV_USR) during installation. The service user is responsible for creating the application users. Since the service user is used for anonymous logon, the user should be granted minimum authorizations.

PFCG role templates (SAP_CRM_UMC_SRV and SAP_ISU_UMC_SRV for CRM and ERP, respectively) are delivered in SAP CRM and SAP ERP systems, which can be used (together with role templates delivered by SAP Gateway, for example, /IWBEP/RT_USS_SRVUSR) to create the PFCG role for the service user.

For more information, see the SAP Help Portal at help.sap.com/nwgateway SAP Gateway Security Guide Authorizations in the SAP System Roles in the SAP Gateway Landscape.

Service Roles and Authorizations in SAP ERP

For SAP ERP, the PFCG role template SAP_ISU_UMC_SRV is delivered in the SAP ERP system, which can be used together with role templates delivered by SAP Gateway (for example, /IWBEP/RT_USS_SRVUSR) to create the PFCG role for the service user.

Creating and Assigning Roles in SAP CRM

To create the required users (UMC_SRV_USR, UMC_REF_USR), you must perform the following steps in SAP ERP, SAP CRM, and the SAP Gateway systems.

Note

In role maintenance, choose Utilities Templates to display the available templates, copy templates delivered by SAP, change the copies, and create templates for yourself. You will need the authorization User Master Record Maintenance: User Groups (S_USER_GRP) with value * in the fields CLASS and ACTVT. SAP template names start with the letter S; therefore, templates that you create must not start with S.

You require administrator authorizations to create roles and users, and to assign roles to users.

1. Create a role and enter a description.

2. Insert the authorizations using the role templates.

Depending on the system and the role type, you can combine different role templates; see the following table:

Table 22

| Templates | SAP CRM System | SAP ERP System | SAP Gateway |
| --- | --- | --- | --- |
| UMC_SRV_USR | SAP_CRM_UMC_SRV, /IWBEP/RT_USS_SRVUSR | SAP_ISU_UMC_SRV, /IWBEP/RT_USS_SRVUSR | /IWFND/RT_GW_USR, /IWBEP/RT_USS_SRVUSR |
| UMC_REF_USR | SAP_CRM_UMC_ODATA, /IWBEP/RT_USS_INTUSR | SAP_ISU_UMC_ODATA, /IWBEP/RT_USS_INTUSR | /IWBEP/RT_USS_INTUSR |

Note

Add additional required authorization objects /IWFND/SRV, S_SECPOL and S_TCODE.

3. You must manually add authorization object CRM_IUPROC to the reference user in the SAP CRM system. The recommendation is to add activity 16 (execute) on all the processes (*) as shown below:

Figure 14: Manually add authorization object CRM_IUPROC

4. Verify and edit the authorizations, if necessary.

For the UMC_SRV_USR, check role access to the following services (authorization object: S_SERVICE):

○ Activate OData Services in the SAP Gateway system.

○ CRM_UTILITIES_UMC_URM (SAP CRM and SAP Gateway)

○ CRM_UTILITIES_UMC_PUBLIC_SRV (SAP CRM and SAP Gateway)

○ /IWBEP/USERMANAGEMENT (SAP CRM and SAP Gateway)

For the UMC_REF_USR, check role access to the following services (authorization object: S_SERVICE):

○ Activate OData Services in the SAP Gateway system.

○ CRM_UTILITIES_UMC (for SAP CRM system and SAP Gateway)

○ ERP_UTILITIES_UMC (for SAP ERP system and SAP Gateway)

○ /IWBEP/USERMANAGEMENT (for SAP CRM system and SAP Gateway)

This is especially true when some function enhancements are carried out.

5. Generate the authorizations.

A profile is automatically generated for the role.

6. Assign the role to users (UMC_SRV_USR, UMC_REF_USR) and run a user master comparison to enter the generated profile into the user master record.

Creating and Assigning Roles in SAP ERP

To create the required users (UMC_SRV_USR, and UMC_REF_USR), you must perform the following steps in SAP ERP and the SAP Gateway systems.

Note

In role maintenance, choose Utilities Templates to display the available templates, copy templates delivered by SAP, change the copies, and create templates for yourself. You will need the authorization User Master Record Maintenance: User Groups (S_USER_GRP) with value * in the fields CLASS and ACTVT. SAP template names start with the letter S; therefore, templates that you create must not start with S.

You require administrator authorizations to create roles and users, and to assign roles to users.

1. Create a role and enter a description.

2. Insert the authorizations using the role templates.

Depending on the system and the role type, you can combine different role templates; see the following table:

Table 23

| Templates | SAP ERP System | SAP Gateway |
| --- | --- | --- |
| UMC_SRV_USR | SAP_ISU_UMC_SRV, /IWBEP/RT_USS_SRVUSR | /IWFND/RT_GW_USR, /IWBEP/RT_USS_SRVUSR |
| UMC_REF_USR | SAP_ISU_UMC_ODATA, /IWBEP/RT_USS_INTUSR | /IWBEP/RT_USS_INTUSR |

Note

Add additional required authorization objects /IWFND/SRV, S_SECPOL and S_TCODE.

3. Verify and edit the authorizations, if necessary.

For the UMC_SRV_USR, check role access to the following services (authorization object: S_SERVICE):

○ ERP_UTILITIES_UMC_URM (SAP ERP and SAP Gateway)

○ /IWBEP/USERMANAGEMENT (SAP ERP and SAP Gateway). This only applies to the standalone SAP ERP scenario.

For the UMC_REF_USR, check role access to the following services (authorization object: S_SERVICE):

○ ERP_UTILITIES_UMC (for SAP ERP system and SAP Gateway)

○ /IWBEP/USERMANAGEMENT (for SAP ERP system and SAP Gateway)

This is especially true when some function enhancements are carried out.

4. Generate the authorizations.

A profile is automatically generated for the role.

5. Assign the role to users (UMC_SRV_USR, UMC_REF_USR) and run a user master comparison to enter the generated profile into the user master record.

More Information

For more information, see the following resources:

● On the SAP Help Portal at help.sap.com/nwgateway, see the SAP Gateway Security Guide.

● On the SAP Help Portal at help.sap.com/netweaver, see Identity Management User and Role Administration for SAP NW AS ABAP.

● On the SAP Help Portal at help.sap.com/netweaver, see System Administration Tasks Authorizations Maintaining Authorizations Authorization Templates.

● On the SAP Help Portal at help.sap.com/netweaver, see System Administration Tasks Authorizations Maintaining Authorizations Setting up Authorizations with Role Maintenance.

7.8 Session Security Protection

For SAP NetWeaver version 7.0 and higher, we recommend you activate HTTP security session management using transaction SICF_SESSIONS. In particular, it is recommended to activate extra protection of security-related cookies.

● The HttpOnly flag instructs the browser to deny access to the cookie through client side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser does not reveal the cookie to a third party.

● The secure flag tells the browser to send the cookie only if the request is being sent over a secure channel, such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.

You configure these additional flags with the following profile parameters:

Table 24

| Profile Parameter | Recommended Value | Description | Comment |
| --- | --- | --- | --- |
| icf/set_HTTPonly_flag_on_cookies | 0 | Add HttpOnly flag | Client-dependent |
| login/ticket_only_by_https | 1 | Add Secure flag | Client-independent |

Recommendation

We recommend upgrading to SAP NetWeaver 7.02 or higher as the logout feature is not available to users using SAP NetWeaver versions earlier than 7.02.
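A check that can be run against an exported instance profile and the Set-Cookie headers of a captured logon response, to confirm the settings from Table 24 and the auto-unlock recommendation in section 7.3. This is an added example, not SAP-delivered code: the sample profile, the cookie values and the function names are constructed, the cookie name prefixes are an assumption, and the value 1 for login/failed_user_auto_unlock is an assumption because this guide names the parameter without giving a value.

```python
import re

# Values from Table 24 of this guide, plus the auto-unlock parameter from
# section 7.3. The guide names that parameter without a value; "1" (unlock at
# midnight) is an assumption based on the parameter's standard meaning.
RECOMMENDED = {
    "icf/set_HTTPonly_flag_on_cookies": "0",
    "login/ticket_only_by_https": "1",
    "login/failed_user_auto_unlock": "1",
}

# Cookie name prefixes treated as security-related (assumption for this example).
SECURITY_COOKIE_PREFIXES = ("SAP_SESSIONID", "MYSAPSSO2")

_PARAM_LINE = re.compile(r"^([A-Za-z0-9_/.\-]+)\s*=\s*(.*)$")


def parse_profile(text):
    """Read 'name = value' lines; skip blanks and '#' comments; last value wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2).strip()
    return params


def audit_profile(text):
    """Return {parameter: (actual, expected)} for each deviation.

    actual is None when the profile does not set the parameter, in which case
    the kernel default applies and has to be checked separately.
    """
    params = parse_profile(text)
    return {
        name: (params.get(name), expected)
        for name, expected in RECOMMENDED.items()
        if params.get(name) != expected
    }


def audit_set_cookie(header_values):
    """Return {cookie name: [missing flags]} for security-related cookies."""
    findings = {}
    for value in header_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        if not name.startswith(SECURITY_COOKIE_PREFIXES):
            continue
        attributes = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in attributes]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample input, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
login/ticket_only_by_https = 1
icf/set_HTTPonly_flag_on_cookies = 3
rdisp/wp_no_dia = 10
"""

SAMPLE_SET_COOKIE = [
    "SAP_SESSIONID_GWD_100=constructed-value; path=/; secure; HttpOnly",
    "MYSAPSSO2=constructed-value; path=/; HttpOnly",
    "sap-usercontext=sap-client=100; path=/",
]

if __name__ == "__main__":
    for name, (actual, expected) in audit_profile(SAMPLE_PROFILE).items():
        print(f"{name}: found {actual!r}, recommended {expected!r}")
    for cookie, missing in audit_set_cookie(SAMPLE_SET_COOKIE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Checking the response headers as well as the profile matters because a parameter can be set correctly in the file and still not be active until the instance is restarted.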

More Information

For more information, see Activating HTTP Security Session Management on AS ABAP on the SAP Help Portal at help.sap.com/nw702 for SAP NetWeaver 7.0 including Enhancement Package 2.

7.9 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at the operating system level and application level) or network attacks, such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back end system’s database or files. Additionally, if users are not able to connect to the server LAN, they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the SAP Multichannel Foundation for Utilities and Public Sector solution is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP Multichannel Foundation for Utilities and Public Sector solution.

More Information

For more information, see the SAP NetWeaver Security Guide on the SAP Help Portal.

7.10 Communication Channel Security

The following table shows the communication channels used by the SAP Multichannel Foundation for Utilities and Public Sector solution, the protocol used for the connection, and the data types transferred.

Table 25

| Communication Path | Protocol Used | Data Types Transferred | Data Requiring Special Protection |
| --- | --- | --- | --- |
| Web browser acting as front end client to SAP NetWeaver Gateway | HTTPS | Application data and security credentials | Application data and security credentials |
| SAP NetWeaver Gateway to SAP back end systems and amongst each other | RFC | Application data | Application data |

RFC connections can be protected using SNC. HTTP connections are protected using the SSL protocol. It is important to use the HTTPS protocol in all cases so that sensitive information is encrypted. To ensure this, set the SSL flag for Security Requirement on the Logon Data tab page of the SICF node (for the UI application and all the services).

More Information

See the following table for important SAP notes:

Table 26

| Title | SAP Note | Comment |
| --- | --- | --- |
| Setting up SSL on Web Application Server ABAP | 510007 | Point 6 talks about the configuration of cipher suites. It’s recommended to disable the weak cipher suites. |

7.11 Network Security

Internet access to your SAP ERP back end system from the SAP Multichannel Foundation for Utilities and Public Sector application is secured by an application-level gateway in the corporate network DMZ. This is described in the SAP NetWeaver Security Guide.

7.12 Internet Communication Framework Security

Security for the SAP Multichannel Foundation for Utilities and Public Sector solution consists of SAP NetWeaver Gateway OData services and HTML5/SAP UI5-based web-enabled content managed by the Internet Communication Framework (ICF) (transaction SICF).

You must activate the ICF services required for the applications that you want to use.

Note

You can also activate these services during the technical configuration.

The SAP Multichannel Foundation for Utilities and Public Sector solution relies on the following services in SAP CRM:

● UMCUI5: An HTML5/SAP UI5-based web-enabled interface to access the OData services

● CRM_UTILITIES_UMC: OData services from the SAP CRM system

● CRM_UTILITIES_UMC_URM: SAP Multichannel Foundation for Utilities and Public Sector extension of the SAP NetWeaver Gateway USERREQUESTMANAGEMENT OData service

● CRM_UTILITIES_UMC_PUBLIC_SRV: Anonymous OData Service for products in SAP CRM

● ERP_UTILITIES_UMC: OData services from the SAP ERP system

In addition, the application also uses service USERMANAGEMENT from SAP NetWeaver Gateway.

The SAP Multichannel Foundation for Utilities and Public Sector ERP stand-alone solution relies on the following services:

● ERP_UTILITIES_UMC_URM: SAP Multichannel Foundation for Utilities and Public Sector extension of the SAP Gateway USERREQUESTMANAGEMENT OData Service

● ERP_UTILITIES_UMC: OData services from the SAP ERP system

In addition, the application also uses the service USERMANAGEMENT from SAP NetWeaver Gateway.

More Information

For more information about ICF and OData service activation, see the RFC/ICF Security Guide at help.sap.com/netweaver under SAP NetWeaver 7.0 Including Enhancement Package 1 SAP NetWeaver Security Guide Security Guides for Connectivity and Interoperability Technologies.

7.13 Data Protection and Privacy

Since the SAP Multichannel Foundation for Utilities and Public Sector solution collects and processes online users’ personal data, it is often required to comply with legal regulations or public standards such as data privacy. In that case, the user interface may need to be adjusted. For example, a check box has to be added to get the online user’s consent before an account is created.

The SAP Multichannel Foundation for Utilities and Public Sector application uses session cookies. For more information, see Session Security Protection [page 73].

Recommendation: We recommend activating secure session management. We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

User request data is stored in SAP Gateway for processing. Depending on business needs and local regulations, you can delete some user requests after certain periods of time.

The SAP Multichannel Foundation for Utilities and Public Sector solution is built upon SAP Gateway. To ensure your data is protected and cannot be accessed by anyone, we recommend that you refer to the Guide on Data Protection and Privacy provided by SAP NetWeaver at help.sap.com/netweaver under SAP NetWeaver Gateway 2.0 Security Information SAP NetWeaver Gateway Security Guide.

Read Access Logging (RAL)

Read Access Logging (RAL) is used to monitor and log read access to sensitive data. It is often required to comply with legal regulations or public standards such as data privacy. Since the application relies on the underlying business suite to save sensitive data, it is highly recommended to refer to the documents of the underlying platforms and activate the RAL based on your specific needs.

For more information, see help.sap.com/saphelp_nw74/helpdata/en/54/69bbeab2e94c93b9031584711d989d/frameset.htm.

More Information

● For more information about deleting user requests, see the SAP Help Portal at help.sap.com/nwgateway . In the SAP NetWeaver Gateway Developer Guide, choose OData Channel Advanced Features User Self Service Configuration Settings for User Self Service User Self Service IMG Activities (see User Request Cleanup Customizing Activity).

● For more information about data protection and privacy, see the SAP Help Portal at help.sap.com/nwgateway. In the SAP NetWeaver Gateway Security Guide, choose Data Protection and Privacy.


● For information about configuration settings for User Self Service, see the SAP Help Portal at help.sap.com/nwgateway. In the SAP NetWeaver Gateway Developer Guide, choose OData Channel Advanced Features User Self Service Configuration Settings for User Self Service.

7.14 OData Services Security

The SAP Multichannel Foundation for Utilities and Public Sector solution accesses back end data using OData. OData is a standardized protocol for creating and consuming data APIs. OData builds on core protocols like HTTP and commonly accepted methodologies like REST. The result is a uniform way to expose full-featured data APIs.

REST web services rely on HTTP semantics. Therefore, they use PUT and DELETE HTTP methods for update and delete operations. If an application-level gateway (reverse proxy) is used, it must be configured to enable the HTTP methods for the SAP NetWeaver Gateway OData Services.

To further secure the consumption of OData Services, it is recommended to use batch mode for OData Service requests. In batch mode, all OData Service requests are encapsulated into POST requests. Without this, navigation, filter, and other properties are visible in the URL. This means they can be bookmarked and remain present in the browser history, and potentially sensitive data could be sniffed.
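The following added example (not code from this guide or from SAP) shows what batch mode changes on the wire: the same read is built once as a plain GET URL and once as an OData V2 $batch POST whose body carries the query options. The service root path prefix, the entity set ContractAccounts and the filter value are constructed assumptions.

```javascript
// Added example: wrap OData reads in one $batch POST so query options
// travel in the request body instead of the URL.
// Assumptions: service root path, entity set and filter value are constructed.

function directGetUrl(serviceRoot, op) {
  // What a non-batch read exposes in the address bar, history and logs.
  return serviceRoot.replace(/\/+$/, '') + '/' + requestUri(op);
}

function requestUri(op) {
  // Whitespace, '?' or '#' in the path would corrupt the inner request line.
  if (/[\s?#]/.test(op.path)) {
    throw new Error('Invalid resource path: ' + JSON.stringify(op.path));
  }
  const query = Object.keys(op.params || {}).map(function (name) {
    // Encoding the value also neutralises CR/LF that would break framing.
    return name + '=' + encodeURIComponent(op.params[name]);
  }).join('&');
  return query ? op.path + '?' + query : op.path;
}

function buildBatch(serviceRoot, ops, boundary) {
  boundary = boundary || 'batch_' + Math.random().toString(16).slice(2);
  const parts = ops.map(function (op) {
    // Each part is a complete HTTP request, terminated by an empty line.
    return [
      '--' + boundary,
      'Content-Type: application/http',
      'Content-Transfer-Encoding: binary',
      '',
      'GET ' + requestUri(op) + ' HTTP/1.1',
      'Accept: application/json',
      '',
      ''
    ].join('\r\n');
  });
  return {
    method: 'POST',
    url: serviceRoot.replace(/\/+$/, '') + '/$batch',
    headers: { 'Content-Type': 'multipart/mixed; boundary=' + boundary },
    body: parts.join('\r\n') + '\r\n--' + boundary + '--\r\n'
  };
}
```

Batch mode only moves the query options out of the URL; the request body is still readable on the network unless the connection uses SSL, as recommended in the Data Protection and Privacy section.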

More Information

See help.sap.com/nw under SAP NetWeaver Security Guide (version 7.3 EHP1) Using Firewall Systems for Access Control Application-Level Gateways Provided by SAP .

7.15 Other Security-Related Information

Error Handling

The server (ICM or SAP Web Dispatcher) creates HTTP error messages in the standard system and sends them to the client. For security reasons, the details should not be made available to Internet users.

Some profile parameters, such as is/HTTP/show_detailed_errors and icm/HTTP/error_templ_path, affect the contents of the error pages of the ICM or SAP Web dispatcher.

Clickjacking Vulnerabilities

Clickjacking, also known as a “UI Redress Attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. There are different solutions against clickjacking attacks, such as setting the X-Frame-Options HTTP header field, frame buster JavaScript, and so on.

The X-Frame-Options can be set with the instance profile parameter (to set the response header as):

ict/perm_response_header = <name>:<value>

The following values are supported:

● DENY (no hosting frame allowed)

● SAMEORIGIN (only same origin allowed)


● ALLOW-FROM (for example, https://hostname.example.com)

If this solution is not applicable, JavaScript code included in the HTML pages can actively block the pages from being embedded in a frame. This technique is also known as FrameKiller or FrameBuster. The code to be used looks like this:

Figure 15
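The figure is not reproduced in this transcript. The following is an added example of the frame-buster technique described above, not the code from Figure 15 or from SAP. It assumes the page's head contains a style rule that hides the document by default (html { display: none; }), so that a framed page stays invisible even when the script cannot run.

```javascript
// Added example (not the guide's Figure 15): frame-buster logic.
// Assumption: the page ships with <style>html { display: none; }</style>
// in <head>, so content stays hidden until this function reveals it.

function bustFrame(win, doc) {
  if (win.self === win.top) {
    // Top-level window: safe to reveal the page.
    doc.documentElement.style.display = 'block';
    return false;
  }
  try {
    // Framed: replace the hosting page with this page.
    win.top.location = win.self.location.href;
  } catch (e) {
    // A sandboxed frame may forbid top navigation; the page stays hidden.
  }
  return true;
}

// Run in a browser; under Node (no window object) this is skipped.
if (typeof window !== 'undefined') {
  bustFrame(window, document);
}
```

The X-Frame-Options response header remains the primary control because it is enforced by the browser before any script runs.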

Sensitive Information in Browser Cache

A technical limitation has been identified that some PDF files are cached by browsers. This may cause security issues when the PDF files have sensitive information. This issue has been investigated and a solution is being implemented at this time. Contact SAP for the availability of this solution.

Payment Card Security

The Payment Card Industry Data Security Standard (PCI-DSS) was jointly developed by major credit card companies in order to create a set of common industry security requirements for the protection of cardholder data. Compliance with this standard is relevant for companies processing credit card data. For more information, see www.pcisecuritystandards.org.

This application relies on the underlying SAP Business Suite to store or process payment card information. For general information and measures on ensuring payment card security, see the Payment Card Security Guide on SAP Service Marketplace at service.sap.com/securityguide under SAP Business Suite Applications Payment Card Security on the left-hand side panel.

Note: The PCI-DSS covers more than those steps and considerations. Complying with the PCI-DSS is the customer’s responsibility.

Among other measures, it is important to keep an access log and to mask the payment card numbers when they are displayed or transmitted. This can be handled by SAP Business Suite in Customizing under Cross-Application Components Payment Cards Basic Settings Make Security Settings for Payment Cards.

For current information about PCI-DSS, see SAP Note 1609917 .

CAPTCHA

A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. There are many CAPTCHA services available online, such as Google’s ReCAPTCHA™. It is strongly recommended to integrate a CAPTCHA service into the application to further protect some public services, for example, User Registration, Anonymous Bill Payment, and so on.

Note: CAPTCHA integration involves extending the OData Model, which is detailed in an earlier chapter.

Virus Scan Interface

The virus scan interface can be used to include external virus scanners in the SAP system to increase security, especially when file upload from an unknown source is allowed. The virus scan interface can also be used to restrict the file types that can be uploaded to the system. It is important that the virus scan is configured and activated in the system.

For details about enabling antivirus scans, see the SAP Library at help.sap.com/saphelp_nw74/helpdata/en/4e/2606c3c61920cee10000000a42189c/frameset.htm and help.sap.com/saphelp_nw74/helpdata/en/b5/5d22518bc72214e10000000a44176d/content.htm.

More Information

For more information, see help.sap.com/nw_platform and choose Technical Operations for SAP NetWeaver (7.01) Configuration Profiles Maintaining Profiles Changing and Switching Profile Parameters .

7.16 Security-Relevant Logging and Tracing

For more information about security logs for the SAP NetWeaver Gateway, see help.sap.com/nwgateway and choose SAP NetWeaver Gateway Developer Guide OData Channel APIs and Coding Logging In SAP NetWeaver Gateway .


8 Appendix

8.1 Related Information

The following table contains links to information relating to the Application Operations Guide.

Table 27

Content Link to the SAP Service Marketplace

Master Guide, Installation Guide and Upgrade Guide service.sap.com/instguides

service.sap.com/ibc

Related SAP Notes service.sap.com/notes

Released Platforms service.sap.com/platforms

Network Security service.sap.com/securityguide

SAP Solution Manager service.sap.com/solutionmanager

How-To Guide for Customizing Sample SAP UI5 Application scn.sap.com/community/utilities/blog/2014/06/05/how-to-customize-the-standard-mcf-package


Typographic Conventions

Table 28

Example Description

<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.

Example Example Arrows separating the parts of a navigation path, for example, menu options

Example Emphasized words or expressions

Example Words or characters that you enter in the system exactly as they appear in the documentation

www.sap.com Textual cross-references to an internet address

/example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web

123456 Hyperlink to an SAP Note, for example, SAP Note 123456

Example ● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.

● Cross-references to other documentation or published works

Example ● Output on the screen following a user action, for example, messages

● Source code or syntax quoted directly from a program

● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools

EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE

EXAMPLE Keys on the keyboard


www.sap.com

Copyright 2016

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.