In this blog I will go through the steps to federate ABAP-based PFCG roles containing Tiles, Groups/Spaces and Pages to the Work Zone launchpad through Content Federation, using the Cloud Connector.
Prerequisite: SAP Build Work Zone and Cloud Identity Services have to be subscribed in the BTP subaccount, and a Cloud Connector has to be connected to the same subaccount.
Steps Overview:
The following steps need to be executed to federate the roles.
- Set up Cloud Connector for Cloud to On-Premise system
- Create Destination in the Sub-Account of BTP Tenant.
- Expose the PFCG role from backend ABAP System.
- Sync the exposed content in Work Zone.
- Configuring the role in BTP launchpad.
Connection between Cloud Connector and BTP subaccount: https://help.sap.com/docs/SAP_EXTENSIBILITY_EXPLORER/757c85f07ab84278927025e6fd6ea6d2/e19e08d7e49f4a4dac8872d588424b78.html
1. Setup Cloud Connector for Cloud to On-Premise system
- Navigate to Cloud to On-Premise in cloud connector.
- Under Access control click on add and define the connection as mentioned above:
- Backend type: ABAP Systems
- Protocol: HTTPS
- Virtual host: Please check this detail in SMICM transaction of ABAP system.
- Virtual port: Please check this detail in SMICM transaction of ABAP system.
- Under resource path please add new entry “/” as URL path and Access policy as “path and all sub-path”
- Generate the CA certificate & system certificate and exchange it with the STRUST of backend ABAP system.
- Under principal propagation of configuration of Cloud connector, please maintain “Email” as Subject pattern.
- Check the generated sample certificate in CERTRULE of backend ABAP system.
2. Create Destination in the Sub-Account of BTP Tenant
- Name: <sysid><client> + dt
- Type: HTTP
- Description: meaningful text
- URL: http://<hostname>:<portno> + /sap/bc/ui2/cdm3/entities
- Proxy Type: On-Premise
- Authentication: Basic Authentication
- Location ID: same as cloud connector
- User/Password: Technical user created in System having permission to read the CDM (SAP_FLP_EXP_USER) and other authorizations.
- Additional properties:
  - HTML5.DynamicDestination: true
  - sap-client: <client no>
  - sap-platform: ABAP
  - sap-service: 32+<instance number>
  - sap-sysid: <sysid>
- Name: <sysid><client> + rt
- Type: HTTP
- Description: meaningful text
- URL: http://<hostname>:<port no>
- Proxy type: On-Premise
- Authentication: Principal Propagation
- Location ID: same as cloud connector
- Additional properties:
  - HTML5.DynamicDestination: true
  - sap-client: <client no>
  - sap-platform: ABAP
  - sap-service: 32 + <instance no>
  - sap-sysid: <sysid>
- Please test the connections once created.
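An added example, not part of the original post: a small Python check that a design-time/runtime destination pair matches the settings listed in this step, which helps catch a runtime destination that silently falls back to a shared technical user instead of principal propagation. The key names (`ProxyType`, `CloudConnectorLocationId`, the `Authentication` values) are assumed to follow the BTP destination export format, and the host, port, SID, client and user are constructed placeholders.

```python
import re

DT_PATH = "/sap/bc/ui2/cdm3/entities"   # design-time path from step 2
SHARED = ("CloudConnectorLocationId", "sap-client", "sap-sysid", "sap-service")

def parse(text):
    """Parse key=value destination properties into a dict."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def check_pair(dt, rt):
    """Return findings for a design-time/runtime destination pair."""
    out = []
    for tag, d, auth in (("dt", dt, "BasicAuthentication"),
                         ("rt", rt, "PrincipalPropagation")):
        if not d.get("Name", "").endswith(tag):
            out.append(f"{tag}: Name should end in '{tag}'")
        if d.get("Type") != "HTTP" or d.get("ProxyType") != "OnPremise":
            out.append(f"{tag}: expected Type HTTP and ProxyType OnPremise")
        if d.get("Authentication") != auth:
            out.append(f"{tag}: expected Authentication {auth}")
        if d.get("HTML5.DynamicDestination") != "true":
            out.append(f"{tag}: HTML5.DynamicDestination must be true")
        if d.get("sap-platform") != "ABAP":
            out.append(f"{tag}: sap-platform must be ABAP")
        if not re.fullmatch(r"32\d{2}", d.get("sap-service", "")):
            out.append(f"{tag}: sap-service must be 32 + instance number")
    if not dt.get("URL", "").rstrip("/").endswith(DT_PATH):
        out.append(f"dt: URL must end with {DT_PATH}")
    if "User" in rt or "Password" in rt:
        out.append("rt: runtime destination should not store User/Password")
    out += [f"pair: {k} differs between dt and rt"
            for k in SHARED if dt.get(k) != rt.get(k)]
    return out

# Constructed sample values (placeholder host, port, SID, client and user).
COMMON = ("Type=HTTP\nProxyType=OnPremise\nCloudConnectorLocationId=LOC1\n"
          "HTML5.DynamicDestination=true\nsap-platform=ABAP\n"
          "sap-service=3200\nsap-sysid=S4H\n")
GOOD_DT = parse("Name=S4H100dt\nURL=http://virtualhost:44300" + DT_PATH + "\n"
                "Authentication=BasicAuthentication\nUser=TECH_USER\n"
                "sap-client=100\n" + COMMON)
GOOD_RT = parse("Name=S4H100rt\nURL=http://virtualhost:44300\n"
                "Authentication=PrincipalPropagation\nsap-client=100\n" + COMMON)
# A misconfigured runtime destination: basic auth, stored user, wrong client.
BAD_RT = {**GOOD_RT, "Authentication": "BasicAuthentication",
          "User": "TECH_USER", "sap-client": "200"}

if __name__ == "__main__":
    print(check_pair(GOOD_DT, GOOD_RT))
    print(check_pair(GOOD_DT, BAD_RT))
```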
3. Expose the PFCG role from backend ABAP System
A Catalog and Group must be created with the Fiori app assigned and consumed by a role.
T-code: /n/ui2/flpcm_cust (Creation of catalogs and assignment of Fiori app)
App Added: (F0859) Create Supplier Invoice
4. Sync the exposed content in Work Zone.
- Navigate to Channel Manager and create a new Content Provider.
- Select the design-time destination and runtime destination created in BTP, along with a meaningful title, save it and sync the content.
5. Configuring the role in Work Zone launchpad.
Once the role is federated with the above steps, it will be available for assignment.
The Create Supplier Invoice app, which is part of the PFCG role, is now available in the Work Zone launchpad.
Conclusion
These steps complete the federation of the PFCG role from the ABAP system to the Work Zone launchpad, where we can control user access through BTP and IAS. The setup was created entirely on trial accounts, so please do try it.