How to federate your ABAP PFCG Role containing Fiori Apps to SAP Build Work Zone site using Content Federation


In this blog I will go through the steps to federate the ABAP based PFCG roles containing Tiles, Groups/Spaces and Pages to the Launchpad of Work Zone through Content Federation using cloud connector.

Prerequisite : SAP Build Work Zone, Cloud Identity Services has to be subscribed in the BTP subaccount, Alongside a cloud connector has to be connected with the same subaccount.

Steps Overview:

The following steps needs to be executed for federation of roles.

  1. Setup cloud Connector for Cloud to On-premise system
  2. Create Destination in the Sub-Account of BTP Tenant.
  3. Expose the PFCG role from backend ABAP System.
  4. Sync the exposed content in Work Zone.
  5. Configuring the role in BTP launchpad.

Connection between cloud connector and BTP subaccount https://help.sap.com/docs/SAP_EXTENSIBILITY_EXPLORER/757c85f07ab84278927025e6fd6ea6d2/e19e08d7e49f4a4dac8872d588424b78.html

    1. Setup Cloud Connector for Cloud to On-Premise system

Cloud_connector

  • Navigate to Cloud to On-Premise in cloud connector.
  • Under Access control click on add and define the connection as mentioned above:
  • Backend type: ABAP Systems
  • Protocol: HTTPS
  • Virtual host: Please check this detail in SMICM transaction of ABAP system.
  • Virtual port: Please check this detail in SMICM transaction of ABAP system.
  • Under resource path please add new entry “/” as URL path and Access policy as “path and all sub-path”
  • Generate the CA certificate & system certificate and exchange it with the STRUST of backend ABAP system.
  • Under principal propagation of configuration of Cloud connector, please maintain “Email” as Subject pattern.
  • Check the generated sample certificate in CERTRULE of backend ABAP system.

2. Create Destination in the Sub-Account of BTP Tenant

Designtime_destination

Designtime_destination

  • Name: <sysid><client> + dt
  • Type: HTTP
  • Description: meaningful text
  • URL: http://<hostname> : <portno> + /sap/bc/ui2/cdm3/entities
  • Proxy Type: On-Premise
  • Authentication: Basic Authentication
  • Location ID: same as cloud connector
  • User/Password: Technical user created in System having permission to read the CDM (SAP_FLP_EXP_USER) and other authorizations.
  • Additional properties:
    • HTML5.DynamicDestination: true
    • Sap-client: <client no>
    • Sap-platform: ABAP
    • Sap-service: 32+<instance number>
    • Sap-sysid: <sysid>

Runtime_destination

Runtime_destination

  • Name: <sysid><client> + rt
  • Type: HTTP
  • Description: meaningful text
  • URL:http://<hostname>:<port no>
  • Proxy type: On-Premise
  • Authentication: Principal Propagation
  • Location ID: same as cloud connector
  • Additional Property:
    • HTML5.DynamicDestination: true
    • Sap-client: <client no>
    • Sap-platform: ABAP
    • Sap-service: 32 + <instance no>
    • Sap-sysid: <sysid>
  • Please test the connections once created.

3. Expose the PFCG role from backend ABAP System

A Catalog and Group must be created with the Fiori app assigned and consumed by a role.

T-code: /n/ui2/flpcm_cust (Creation of catalogs and assignment of Fiori app)

App Added: (F0859) Create Supplier Invoice

T-code: PFCG (Creation of role and assignment of Catalog and Groups)

Execute Transaction /UI2/CDM3_EXP_SCOPE and expose the role.

Proceed with Expose and below notification will be displayed.

4. Sync the exposed content in Work Zone.

  • Navigate to Channel Manager and create a new Content Provider.
  • Select the Design time destination and Runtime destination created in BTP along the meaningful title, save it and sync the content.

5. Configuring the role in Work Zone launchpad.

Once the role is federated with the above steps, it will be available for assignment.

Open the site launcher to view the app available in the access. Meanwhile also assign the role in      BTP subaccount for the user that must be provided the access and in IAS group mapping through Role Collection Mapping.

Create Supplier Invoice app is now available in the launchpad of Work Zone present in PFCG role.

Conclusion

These steps completes the federation of PFCG role from ABAP system to Work Zone launchpad, where we can control user access through BTP and IAS.The setup was completely created on trial accounts, Please do try.

References

https://help.sap.com/docs/cloud-portal-service/sap-cloud-portal-service-on-cloud-foundry/federation-of-remote-content-providers



Source link

Be the first to comment

Leave a Reply

Your email address will not be published.


*