Support Regulatory Compliance Across Your SAP Landscape with SAP Data Privacy Integration

 

by Prem Roshan Madhusudhan Nair and Sharath Jois, Product Owners, Data Privacy Services, SAP

 

Digital data has continued to grow in volume over the years as organizations work toward modernizing their operations to take advantage of the various efficiency and innovation benefits of digital technologies. Of course, digitization and innovation bring new considerations as well. While companies are gaining access to more data than ever before — especially data about their customers — they are also facing new types of threats as hackers seek access to this valuable data, and new security requirements for landscapes that include the cloud. And with the COVID-19 pandemic driving a rapid increase in digital business as well as individuals’ online activity, the protection of data — in particular, the protection of personal data — is front and center.

While it is important for businesses to ensure data privacy to gain the trust of both customers and business partners, the protection of this data is critical for adhering to the regulations that countries are introducing at a growing rate, with more data privacy bills introduced in 2020 compared to 2019. These regulations — such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Cybersecurity Law of the People’s Republic of China — are designed to protect citizens by ensuring that their data is stored, processed, and deleted in a transparent and legally compliant manner.

To comply with these types of regulations, businesses need to make sure that the applications they use to process personal data provide the required privacy protections. SAP offers SAP Data Privacy Integration for this purpose. This article explains how SAP Data Privacy Integration supports data privacy compliance in SAP customer landscapes. It first explains important data privacy concepts, and then walks through the data privacy and integration features the service provides to support compliance across multiple applications throughout the enterprise.

 

Key Data Privacy Concepts

Before diving into how SAP Data Privacy Integration can help organizations fulfill their data privacy obligations, it will help to understand some key data privacy concepts, such as what is considered personal data, the roles involved in the processing of personal data, when businesses can process personal data, and the rights of data subjects when it comes to their personal data. Note that while each specific regulation has its own terminology for data privacy concepts, the following sections follow the terminology established by GDPR, which SAP uses in most data privacy discussions.

 

What Is Personal Data?

Personal data is any information — such as address, telephone number, and IP addresses — that can be used to directly or indirectly identify a living person (see Figure 1).

 

Figure 1 — Personal data is any information — such as address, telephone number, and IP addresses — that can be used to directly or indirectly identify a living person

 

Attributes that can be used for direct identification — that is, information that can be used alone to identify someone — include:

  • Name
  • Address
  • Telephone number
  • Email address

Information that can be used for indirect identification — that is, information that can be used to identify someone only in combination with other information — includes:

  • IP address
  • MAC address
  • License plate number
  • Insurance number

 

What Roles Are Involved in Processing Personal Data?

It is also important to understand the three key roles that are involved in the processing of personal data:

  • The data subject is the user or person whose personal data is being stored or processed. An example is an employee of an organization.
  • The data controller is a person or legal entity responsible for the lawful processing of personal data for the data subject. An example is an employer that signs a contract with an employee to process personal data.
  • The data processor is a person or legal entity that processes personal data on behalf of and in accordance with the instructions of a data controller. An example is a cloud-based human resources application provider that processes the personal data of a data subject according to the instructions of an employer.

 

When Can Personal Data Be Processed?

Organizations must have a valid business purpose or legal basis for processing someone’s personal data. A valid business purpose is defined as:

  • Execution of a contract
  • Freely given consent
  • Fulfillment of a legal obligation
  • Vital interests of a data subject
  • Overriding legitimate interest

More information on valid reasons for processing personal data can be found in Article 6 of the GDPR.

 

What Are the Rights of Data Subjects?

Data privacy regulations across the globe provide basic rights for data subjects when it comes to how data controllers and data processors handle their data. These rights include:

  • Right to information: The data subject has the right to know if any personal data is being processed by the data controller, including the purposes for which that data is being processed and the categories of the data being processed (contact information or payment information, for example). A copy of the personal data must also be provided to the data subject upon request.
  • Right to be forgotten: The data subject must have an option to trigger the deletion of personal data when the data controller no longer needs it to fulfill the business purpose for which the data was collected. The data should be marked for deletion upon the withdrawal of the data subject’s consent or any other legal basis for the processing of that data.
  • Right to export data: The data subject can request an export of the personal data processed by a data controller in a machine-readable format to enable easy movement of the data from one controller to another — to switch service providers, for example — as required by Article 20 of the GDPR.

 

A Cloud Service for Data Privacy Across End-to-End Processes

To comply with data privacy regulations, the applications an organization uses to process personal data must have the capabilities necessary to support the rights of the data subject. In smaller, simpler landscapes, where a business process or use case is performed within a single application (where all sales functions are managed by one sales solution, for example), simple data deletion and reporting capabilities can provide this compliance. In larger enterprise business landscapes, where complex business processes are performed by multiple applications running on different technology stacks, adhering to data privacy requirements becomes increasingly complex.

For example, in SAP landscapes, the total workforce management or hire-to-retire business process begins with employee onboarding in an SAP SuccessFactors system, for instance, and the distribution of the employee master data to multiple systems, such as SAP S/4HANA and SAP Concur. In these types of scenarios, as part of fulfilling an employee contract, the data subject — in this case, the employee — may use a front-end system to provide personal data that is then transferred or replicated across the different systems in the landscape. The business context or reason for processing the data can then get lost in downstream systems, which can make it difficult to identify the business purpose for processing the data and report or delete it at the end of its purpose.

SAP Data Privacy Integration is a service available on SAP Business Technology Platform (SAP BTP) that provides capabilities for managing the privacy of personal data in end-to-end business processes, including those enabled by SAP’s Intelligent Suite or any other applications that integrate with the service. Its features can help organizations fulfill data privacy requests and adhere to data privacy regulations, and include centralized configuration and management of business purposes, information reporting and retrieval, and data deletion functionality. We’ll look at each of these areas in turn next.

 

Business Purpose Management

To support end-to-end data privacy, SAP Data Privacy Integration provides functionality for the centralized configuration and management of the business purpose for data. The defined business purpose brings together the legal basis for processing the personal data of the data subject, the data controller responsible for processing that personal data, the business processes that can be executed using that personal data, and the categories of the personal data that can be processed based on this purpose.

When a data subject is part of a business process in which personal data is collected for a purpose, SAP Data Privacy Integration can use application programming interfaces (APIs) to create a central instance of the business purpose for that data. Any applications across the landscape that store that data can reference that central instance of the business purpose.

Figure 2 shows an example scenario. As you can see, in a typical sales scenario, there can be multiple IT systems processing customer data. There could be a marketing system using the customer’s personal data for promotional purposes as well as an ERP and commerce solution for stock-keeping and billing purposes, which would also process the customer’s personal data. In this type of scenario, the contract signing during customer onboarding can be used as the event for creating a purpose record for the customer. This central purpose record is then referenced by the different applications in the landscape to process the customer’s personal data.

 

Figure 2 — Purpose-based processing of personal data in an example end-to-end business process

 

With a central instance of the business purpose within SAP Data Privacy Integration, it becomes easy to discover personal data stored across the different applications in the landscape, and when the purpose is no longer relevant, such as when a contract has expired or consent is no longer relevant, it becomes easier to trigger the retention or deletion of the data as necessary.

 

Information Reporting and Retrieval

Information reporting and retrieval, which addresses the data subject’s right to information and right to export data, is one of the most common data privacy requests (Figure 3). In this case, data subjects request information about their personal data stored in the organization’s systems. This request is usually made to determine if any data is being processed by the data controller without the knowledge of the data subject or is being processed beyond the defined business purpose.

 

Figure 3 — Information reporting and retrieval is one of the most common data privacy requests

 

In addition, data subjects can request changes or corrections to any of their personal data that is stored by the organization, such as a change of address, and can request that their data be exported in a machine-readable format so that it can be easily imported into a new target landscape. For example, the data subject may want to transfer the data to another vendor or service provider, or from one hyperscaler to another.

SAP Data Privacy Integration also enables customer service representatives to perform these tasks on their own, without the need to involve IT. Using the provided features, they can discover the personal data of a data subject, trigger the export of that data, and send that data to the data subject as an email message or as a file (a PDF, JSON, or XML file, for example).

 

Data Deletion

Along with ensuring that personal data is processed only for a valid purpose and that only the data agreed upon by the data subject is processed, it is crucial to ensure that personal data is removed from the system when there is no longer a business need for it. This is also referred to as the right to be forgotten or the right to delete personal data from the system.

It is important to keep in mind that although data subjects have the right to delete personal data, enterprise systems require that data for a certain period of time to ensure that business needs can be met, such as order delivery or audit requirements. This means that data cannot necessarily be deleted immediately upon request. What is required for compliance is that the data be deleted when there is no longer a business need to process the data.

Within SAP Data Privacy Integration, this compliance can be realized by configuring deletion periods for the required data set. These deletion periods are defined as the residence period and the retention period (see Figure 4).

 

Figure 4 — SAP Data Privacy Integration helps meet data deletion requirements with configurable deletion periods

 

The residence period is the period of time after the end of the business purpose, when there is no need to store contact details for marketing purposes, for instance. During this period, the data can be anonymized or stored in secondary persistence in the system, rather than in primary persistence, to ensure that it is no longer processed (to receive marketing emails, for example). The data then remains in an inactive state to fulfill audit requirements, for instance, during what is called the retention period. At the end of the retention period, the data can be permanently deleted from the system (see Figure 5).

 

Figure 5 — SAP Data Privacy Integration provides features for defining the life cycle of personal data in the system

 

SAP Data Privacy Integration provides features for configuring rules for these periods of time and orchestrates the deletion of data by performing an end-of-purpose check for the data across the different applications integrated with the service. When the end-of-residence or end-of-retention period is reached, the service provides the necessary trigger to block or delete the personal data.
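
The block-or-delete decision described above can be sketched as follows. This is an added example, not SAP's code or the service's API: all names (`DeletionRule`, `evaluate`, the application keys) and the sample dates are constructed. It assumes that the retention period starts when the residence period ends, and that data reaches end of purpose only when every integrated application reports it, with the latest reported date taken as the start.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    KEEP = "keep"      # purpose still active, or residence period still running
    BLOCK = "block"    # end of residence reached: restrict further processing
    DELETE = "delete"  # end of retention reached: permanent deletion


@dataclass(frozen=True)
class DeletionRule:
    """Hypothetical deletion rule for one data set (day counts are constructed)."""
    residence_days: int
    retention_days: int

    def __post_init__(self) -> None:
        if self.residence_days < 0 or self.retention_days < 0:
            raise ValueError("periods must not be negative")


@dataclass(frozen=True)
class Lifecycle:
    end_of_purpose: Optional[date]
    end_of_residence: Optional[date]
    end_of_retention: Optional[date]
    action: Action


def end_of_purpose(reports: dict[str, Optional[date]]) -> Optional[date]:
    """Combine the per-application end-of-purpose answers.

    None from any application means it still needs the data, so there is no
    landscape-wide end of purpose yet. Otherwise the latest date wins
    (assumption of this example).
    """
    if not reports or any(d is None for d in reports.values()):
        return None
    return max(d for d in reports.values() if d is not None)


def evaluate(reports: dict[str, Optional[date]], rule: DeletionRule,
             today: date) -> Lifecycle:
    """Return the key dates and the action due for one data subject on `today`."""
    eop = end_of_purpose(reports)
    if eop is None:
        return Lifecycle(None, None, None, Action.KEEP)
    end_res = eop + timedelta(days=rule.residence_days)
    # Assumption: the retention period is counted from the end of residence.
    end_ret = end_res + timedelta(days=rule.retention_days)
    if today >= end_ret:
        action = Action.DELETE
    elif today >= end_res:
        action = Action.BLOCK
    else:
        action = Action.KEEP
    return Lifecycle(eop, end_res, end_ret, action)


# Constructed sample: three applications answering for the same data subject.
REPORTS = {
    "marketing": date(2021, 1, 31),
    "erp": date(2021, 3, 15),
    "commerce": date(2021, 2, 10),
}
RULE = DeletionRule(residence_days=90, retention_days=365)

if __name__ == "__main__":
    for day in (date(2021, 6, 12), date(2021, 6, 13), date(2022, 6, 13)):
        result = evaluate(REPORTS, RULE, day)
        print(day, result.action.value, result.end_of_residence,
              result.end_of_retention)
```

An application that still reports an active purpose holds the whole data subject in `KEEP`, which is the case to watch for when a downstream system never signals end of purpose.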

 

Integrating Applications with SAP Data Privacy Integration

A license to SAP Data Privacy Integration can be purchased as part of an SAP customer’s Cloud Platform Enterprise Agreement or via SAP Store, after which the service can integrate with applications. Figure 6 provides a high-level overview of the steps required to integrate applications with SAP Data Privacy Integration.

 

Figure 6 — A high-level overview of the steps required to integrate applications with SAP Data Privacy Integration

 

Once the service is added to the customer’s global account, an instance of the service must be created that includes the configuration required to integrate with applications containing personal data. The configuration specifies the data objects and entities that contain personal data as well as the interfaces through which data can be accessed to realize the data privacy use cases. More in-depth information about these steps is available in the online SAP Help Portal.

Let’s take a closer look at the interfaces and runtimes that support the integration between the service and business applications.

 

Supported Interfaces

SAP Data Privacy Integration does not store or persist any personal data processed by a business application. The service can report, manage business purposes, or delete personal data by interacting with an application using well-defined interface technologies, such as the Representational State Transfer (REST) and Open Data (OData) protocols, to read data for reporting purposes and trigger deletion of data. Annotations in the data model of business applications identify the business objects and entities that are relevant to data privacy or contain personal data.

Annotations in the data model also help categorize the personal data in an application, such as contact data, address data, and payment details. In addition, annotations can be used to differentiate personal data from sensitive data, which is anonymized for all scenarios except when the data is provided directly to the data subject.

More information on the interfaces supported by SAP Data Privacy Integration can be found at SAP API Business Hub.

 

Supported Runtimes

SAP Data Privacy Integration is available as a service for applications that process personal data and can integrate with SAP BTP technologies. To integrate an application with SAP Data Privacy Integration, an instance of the service must be created within the runtime environment of the business application — the runtime environment is Cloud Foundry in the example shown in Figure 7. The instance is created using a service broker based on the Open Service Broker API (OSBAPI) specification.

 

Figure 7 — To integrate an application with SAP Data Privacy Integration, an instance of the service must be created within the runtime environment of the business application

 

The service broker is registered with the service manager component of SAP BTP, which allows the service to be instantiated from any landscape that provides a service catalog based on the service manager implementation. These landscapes include the Cloud Foundry and Kubernetes (Kyma) runtimes provided by SAP, and can be extended to any landscape that can create a service instance using the service manager client.

Details on how applications in different runtimes can integrate with SAP Data Privacy Integration are available in SAP Help Portal.

 

Conclusion

SAP Data Privacy Integration became generally available in Q3 2020. SAP customers and partners that build applications on SAP BTP using either Cloud Foundry or Kyma as their runtime can consume SAP Data Privacy Integration as part of their Cloud Platform Enterprise Agreement or by purchasing the license from SAP Store. The service is also available for partner testing scenarios in the SAP PartnerEdge portal through the partner test, demo, and development license.

SAP customers and partners that build applications on SAP BTP can look to SAP Data Privacy Integration as a starting point for fulfilling the requirements of data privacy regulations. With SAP Data Privacy Integration providing data privacy features, organizations can focus on using their business applications to power their digital transformation journey.

 


Learn More

SAP Discovery Center

SAP Help Portal

Data Privacy Integration overview video


 

Prem Roshan Madhusudhan Nair

Prem Roshan Madhusudhan Nair (prem.roshan.madhusudhan.nair@sap.com) has over 10 years of experience in SAP technologies. He has worked as a consultant for financial services solutions on the SAP NetWeaver platform, followed by developing business services on SAP Business Technology Platform. In his current role as a Product Owner for Data Privacy Services at SAP, he has worked on the development of requirements for data privacy use cases and data privacy solutions.

Sharath Jois

Sharath Jois (sharath.jois@sap.com) has over 10 years of experience in building and operating data privacy and data management tools on a wide range of platforms, including SAP NetWeaver ABAP, SAP Business Technology Platform, Cloud Foundry, and Kubernetes. As a Product Owner for Data Privacy Services at SAP, he has had the opportunity to drive the end-to-end life cycle of product development, from gathering requirements from customers, backlog ranking, and overseeing the end-to-end development cycle to commercializing, delivering, and marketing the product.



Extend Your Core Business Applications and Drive Your Business Forward with SAP Extension Suite

 

by Martin Grasshoff, Lead Product Manager for SAP Extension Suite, SAP

 

SAP customers are no strangers to customizing their SAP applications to add unique, differentiating capabilities to off-the-shelf software that enable them to run innovative processes and meet their unique business needs. The ability to significantly tailor SAP solutions to address different requirements has long been a valued characteristic of SAP software.

As customer landscapes move toward modern technologies and the cloud, and the pace of business requires a real-time response, maintaining customizations of applications can become an increasingly complex task. Emerging technologies need to be adopted, changing business needs must be addressed rapidly, and new regulations keep up the pressure on development teams.

To enable its customers to address their business requirements in a modern, maintainable way, SAP offers SAP Extension Suite. This article introduces developers, project managers, and architects to SAP Extension Suite. It explains the basic concepts around extending SAP applications and the capabilities of SAP Extension Suite. It then looks at an example of what it looks like to use SAP Extension Suite, based on a real customer solution in productive use, and provides an overview of the steps involved.

 

A Modern Approach to Extending SAP Applications

There are three main types of extensibility when it comes to customizing SAP applications: classic extensibility, which is the traditional approach, and in-app extensibility and side-by-side extensibility, which are newer approaches (more on in-app and side-by-side extensibility, and when to use which, is available in Custom Extensions in SAP S/4HANA Implementations: A Practical Guide for Senior IT Leadership):

  • Classic extensibility refers to the well-known traditional method used to extend applications based on SAP ERP Central Component (SAP ECC), such as SAP Business Suite applications. This approach involves the use of standard SAP customization and extension technologies such as ABAP, Web Dynpro, and SAP GUI. It is tightly coupled with SAP-delivered code and the customizations reside on the SAP application server in the Z-namespace used for custom development.
  • In-app extensibility is a concept that was introduced with SAP S/4HANA. It provides a framework for building SAP Fiori-based customizations within the SAP S/4HANA system itself. It is best suited for extensions that are intended for SAP S/4HANA users and that work with SAP S/4HANA data and processes only.
  • Side-by-side extensibility enables truly decoupled extensions, where enhancements are developed on a separate platform, such as SAP Business Technology Platform (SAP BTP), and integrated into the application, instead of developing them directly within the original business system itself. This not only minimizes upgrade efforts, but also opens up SAP systems to technologies such as JavaScript, artificial intelligence (AI), machine learning (ML), Internet of Things (IoT), and many innovations, while at the same time allowing ABAP developers to experience an agile cloud development environment.

Side-by-side extensibility is a modern approach to extending SAP applications that enables innovation and simplification and is supported by SAP BTP through SAP Extension Suite. The technologies, services, and best practices that comprise SAP Extension Suite can be categorized into three main areas (see Figure 1):

  • Digital experience: Tools in this area help organizations build and run a consistent and engaging user experience through mobile apps, conversational bots, and SAP Fiori-based web applications. These tools can be used not only by developers, but also by end users to create business content, collaborate, and consume information. SAP Work Zone, SAP Launchpad, and SAP Conversational AI are good examples.
  • Digital process automation: Tools in this area help automate, enhance, and adapt business processes beyond what is possible with standard solutions. These tools are designed for process owners, and some very convenient low-code tools enable the use and customization of process templates to adhere to local compliance rules or build new processes from scratch. For instance, SAP Workflow Management and the live process content packages fall into this category.
  • Development efficiency: Tools in this area help developers and other users rapidly build extensions by providing software development kits (SDKs) and recommended application architectures that can streamline their daily tasks. Low-code, graphical development tools such as SAP Business Application Studio enable business users to work collaboratively with developers on data, processes, and the user experience, and increase development efficiency. SAP Cloud Application Programming Model, SAP Business Application Studio, and SAP BTP, ABAP environment fulfill the developer’s needs.

 

Figure 1 — SAP Extension Suite comprises digital experience, development efficiency, and digital process automation tools and services that simplify the development of application extensions

 

SAP BTP enables the extension of both SAP and non-SAP systems, regardless of whether they are on premise or in the cloud, through a combination of SAP Extension Suite and SAP Integration Suite (see Figure 2). While SAP Integration Suite covers the functionality required to connect to systems and ensure that the right data is in the right system at the right time, SAP Extension Suite provides the technologies, tools, and services required to put this data into action. SAP Extension Suite relies heavily on the capabilities of SAP Integration Suite since most extension scenarios are based on the need to adapt existing data and processes to new business needs. In a case where business requirements have no existing system to connect to, SAP Extension Suite can be used to build new, innovative solutions from scratch.

 

Figure 2 — SAP Extension Suite in the context of SAP Business Technology Platform

 

SAP Extension Suite in Action

Let’s now take a look at SAP Extension Suite in action. We’ll use an example that is based on a real customer’s existing, productive extension developed using the tools, services, and best practices provided by SAP Extension Suite. This customer is in the professional services industry and wants to provide a consistent and engaging user experience to consultants and project managers across different back-end systems when entering data into and approving timesheets. In addition to providing a better user experience, the customer wants to be able to aggregate project-related data from multiple existing business solutions — SAP SuccessFactors solutions, SAP S/4HANA Cloud, and two third-party systems — to enable consultants to use one system instead of multiple systems and provide a single view of data for project managers.

The extension (see Figure 3) involved building two timesheet extension applications (one for recording data entry by consultants and one for approval by managers) on SAP BTP that integrate the data from the SAP SuccessFactors, SAP S/4HANA Cloud, and third-party solutions, as well as adding SAP Analytics Cloud to enable a consolidated view of better-quality data across four previously disparate solutions. SAP Integration Suite provides connectivity and data replication capabilities along with the SAP Enterprise Messaging service to propagate business events through the systems and SAP HANA Cloud for transactional data storage and consumption via SAP Analytics Cloud.

 

Figure 3 — An example multi-channel extension built using SAP Extension Suite supported by SAP Integration Suite

 

SAP Extension Suite provides the functionality for implementing the custom business logic for the extension via a custom-developed extension endpoint using SAP Cloud Application Programming Model, which enables rapid development and ties together all the necessary pieces. In addition to the business logic, SAP Extension Suite technologies provide a new, customized, and highly optimized user experience based on SAP Fiori elements that serves as a web channel to the solution for consultants. The analytics reporting dashboard based on SAP Analytics Cloud provides another dedicated channel to the solution for managers. This makes the overall solution a multi-channel extension.

So, what were the steps involved in building this extension? The tasks can be broken into four steps:

  1. Connect.
  2. Build an endpoint.
  3. Add channels.
  4. Deploy and operate.

We’ll cover these steps at a high level in the following sections. Detailed information is available in a free online openSAP introductory course on SAP Extension Suite.

 

Step 1: Connect

Once you have identified the business use case for the extension you want to build on SAP BTP, use SAP Integration Suite features to ensure the extension has access to existing business data and processes.

To enable this access, you can search for and use an application programming interface (API) at SAP API Business Hub. You could also use Cloud Connector to connect to an existing on-premise SAP S/4HANA system or to replicate the data to SAP BTP for consumption by your extension. SAP Enterprise Messaging, which was the approach used in the example scenario, is a useful option as it includes many predefined events that can be exposed to SAP BTP for consumption by extensions.

In summary, you can connect via API or you can consume events emitted by an existing back-end solution. In some cases — where a real-time response is needed, for example — you may want to use both in the same extension.

 

Step 2: Build an Endpoint

Once the connection is configured, use SAP Extension Suite tools to create a dedicated endpoint, again using an API and/or events as described in Step 1, that is designed for and used solely by the extension. The main reason for a dedicated endpoint rather than reusing an existing API, for example, is to ensure a decoupled solution that has its own life cycle and does not clutter the core of your business system.

The dedicated endpoint is built with custom code, by using either SAP Cloud Application Programming Model (for JavaScript and Java development), which was the model used in the example, or SAP BTP, ABAP environment, which provides the ABAP RESTful programming model. These development models help developers concentrate more on the business implementation task and less on the software architecture and other non-functional requirements.

 

Step 3: Add Channels

Next, use SAP Extension Suite tools to add user interface channels to the extension. This step depends on the channels you want to expose to your end users. For instance, adding a mobile channel would require SAP Mobile Services while adding a web channel would involve developing SAP Fiori elements or an SAPUI5 application. In any case, most channel development is performed in SAP Business Application Studio.

Adding channels means that you need to decide which digital touchpoints the extension should expose to the end user. It is important to choose the right user interface technology for the right channel and to keep in mind the specific use case per channel. For example, if you want to enable a chatbot for the extension, the use case would probably not include mass transaction handling or advanced drill-down analytics. Chatbot features, such as those provided by SAP Conversational AI, are well suited for small lookups, but for more comprehensive analytical use cases, such as the one in the example scenario, an SAP Analytics Cloud dashboard — provided via a traditional SAP Fiori application, as in the example, or a mobile application, for instance — is a better choice.

Since the user interface is decoupled from the endpoint via APIs, it is easy to add multiple channels to your extensions to meet different user needs, as in the example scenario, and provide the best possible user experience. The decoupling of the user experience also enables you to change your user experience strategy without affecting the core system as you gain a better understanding of the usage of the extension.

 

Step 4: Deploy and Operate

The last step includes the deployment and the ongoing operation of the extension. Automation is key to these tasks as you continue to build more extensions over time. Deployment can and should be automated with industry standard best practices. SAP Extension Suite offers predefined templates for creating automated build pipelines and provides automation to make transport management for different system landscapes much easier.

Deployment targets are also an important consideration. While SAP BTP supports various application runtimes to execute custom business logic — including the Cloud Foundry runtime, serverless runtime, and the Kyma runtime — the unique advantage of SAP BTP is the ABAP runtime, which allows developers to carry over their existing ABAP skillsets and SAP process knowledge to an agile cloud environment. Runtimes are not the only deployment targets, however. The user interface must also be deployed and, depending on the channel, there are multiple options at hand. For instance, you could deploy an SAP Fiori application to the new, centralized SAP Launchpad to enable access via an SAP Fiori launchpad, or you could deploy it to SAP Work Zone to enable users to customize their user experience.

The operational aspect of running extensions is also covered by the tools and services of SAP Extension Suite. With SAP Application Logging service for SAP BTP, you have full control over your application logs and can analyze them with an easy-to-use web-based user interface. SAP Application Logging service for SAP BTP is based on Kibana and offers state-of-the-art log file analysis capabilities. Another important operational feature is the ability to react quickly to runtime issues and minimize the time required to solve them. Here, SAP Alert Notification service for SAP BTP comes into play. It allows you to post or receive events from your application or predefined platform events and forward them to different consumption channels, such as email or messaging, or by using automated event notifications. SAP Alert Notification service for SAP BTP also provides filtering for events and setting thresholds.

 

Summary

SAP Extension Suite provides a strategic approach for extending business solutions — whether SAP, non-SAP, cloud, or on premise — beyond what is provided with the core system to drive digitalization forward. With its multi-cloud strategy, you get the best technologies from SAP and underlying hyperscalers, along with a development environment and tools that enable ABAP developers to work on cloud solutions with access to new and open technology while also allowing non-SAP developers to contribute to SAP-related projects. Digital experience and digital process automation tools also enable you to support the channel that best meets user needs.

SAP offers various resources to help you learn more about using the technologies, tools, and services in SAP Extension Suite, including an introductory openSAP course, which is a good place to start. This course, which is free of charge, provides an overview of SAP Extension Suite capabilities. Developers can then dive into the various technologies using the tutorials in the SAP Developer Center site, while project managers and architects can find blueprints of end-to-end projects for different use cases in the SAP Discovery Center site. All learners can find guidance, as well as a certification path for becoming a certified Development Associate for Enterprise Extensions in the learning journeys available in SAP Help Portal.

A free 12-month trial is available for SAP BTP, which includes all the services of SAP Integration Suite and SAP Extension Suite, both of which have been recognized as leaders in their respective Gartner magic quadrants. No need to wait to boost your digitalization journey — you can start today.

 

Martin Grasshoff

Martin Grasshoff (martin.grasshoff@sap.com) was a trainer for database systems and other Sybase products following an extensive background in software development. After SAP’s acquisition of Sybase, he joined the Product Management team for Mobile Platform. For the past year, he has been Lead Product Manager for SAP Extension Suite.



Build an Agile Data Platform with SAP Data Warehouse Cloud

Understanding the Solution's Role in SAP's Data Warehouse Portfolio, Its Usage Scenarios, and Its Benefits

 

by Ingo Hilgefort, Global Product Evangelist, SAP Data Warehouse Cloud

 

In a rapidly changing business landscape, the ability to adapt by making fast, well-informed decisions is critical. Data is the foundation for the reporting and analytics that are required to support decisions throughout an organization, and businesses need a way to enable access to this data from a variety of heterogeneous locations across their landscapes. This is where data warehouses come in, by serving as a central location of consolidated data.

To help support its customers in this area, SAP provides a portfolio of data warehousing solutions that includes SAP BW/4HANA, SAP HANA for SQL data warehousing, and the latest addition, SAP Data Warehouse Cloud. This most recent addition has many SAP customers — which often already have a data warehouse solution in place — wondering how the new solution fits into their overall SAP landscape. This article walks through some of the most common usage scenarios for SAP Data Warehouse Cloud and outlines the benefits it can provide.

Before diving into the usage scenarios, it will be helpful to clarify the role of SAP Data Warehouse Cloud in SAP’s data warehouse portfolio, and how it works with the other solutions in the portfolio.

 

Understanding the Role of SAP Data Warehouse Cloud

SAP Data Warehouse Cloud is SAP’s data warehouse offering for the public cloud. It can be used as a standalone data warehouse, and it can also be used as a complementary solution for SAP’s any-premise (on-premise and private cloud) data warehouse solutions, SAP BW/4HANA and SAP HANA for SQL data warehousing (see Figure 1).

 

Figure 1 — SAP Data Warehouse Cloud can be used either standalone in the public cloud or as a complementary solution for SAP’s data warehouse portfolio in a hybrid scenario

It is important to understand that SAP Data Warehouse Cloud is not intended to replace existing SAP BW/4HANA or SAP HANA for SQL data warehousing implementations. Instead, it’s intended to complement those solutions via a hybrid approach to enable SAP customers to leverage their already-existing assets and to empower business users with a more flexible and agile environment.

 

Common Usage Scenarios for SAP Data Warehouse Cloud

There are four common scenarios for using SAP Data Warehouse Cloud:

  1. Enabling self-services for data modeling and analytics
  2. Combining data from disparate sources
  3. Establishing a central semantic layer
  4. Modernizing your data warehouse

Keep in mind that these scenarios are not mutually exclusive — they are scenarios in which organizations can use SAP Data Warehouse Cloud, and more than one of these scenarios likely applies to any business.

 

Scenario 1: Enabling Self-Services for Data Modeling and Analytics

The concept of self-service analytics has been around for quite some time, and organizations continue to try and leverage these capabilities in an increasing number of ways to empower their business users.

So what does “self-service” mean in this context? Let’s look at analytics. From a high-level perspective, for most customers, self-service analytics refers to a scenario where business users are provided with an environment in which they can fulfill most of their requirements themselves, without having to rely on the IT department or a power user to create the analytics for them.

Now let’s take this concept into the data warehousing world. Let’s say that a business user needs information that is partly in the corporate data warehouse — SAP BW/4HANA, for instance — while other parts are stored in local spreadsheets. In this case, the business user typically sends the spreadsheets to the IT team, and the IT team creates a data structure for the information and then uploads the information and combines it with the corporate data warehouse model. What if instead business users could do this themselves, with the ability to enrich data with additional information without creating data models from scratch?

This is where the “spaces” concept from SAP Data Warehouse Cloud comes in (see Figure 2).

 

Figure 2 — SAP Data Warehouse Cloud includes a “spaces” concept that empowers users to access and enhance information

Spaces in SAP Data Warehouse Cloud allow the IT team to create a dedicated area in which business users can access — in a trusted and governed way — the corporate data warehouse, and bring in additional information from spreadsheets, for instance. Using the visual modeling capabilities in SAP Data Warehouse Cloud, business users can enrich the already-existing data with the added information and then use the newly combined data in SAP Analytics Cloud, without having to rely on the IT team.

In this way, SAP Data Warehouse Cloud — and its spaces concept, in particular — empowers business users and increases the accessibility of relevant information for informed decision making. In addition, it enables IT staff to focus on more critical tasks and continuous improvements.

 

Scenario 2: Combining Data from Disparate Sources

Nearly every SAP customer has faced the challenge of integrating disparate data sources to avoid “data silos,” and doing so with centralized governance and security to ensure that the integrated information is trustworthy. Those that have a central enterprise data warehouse tend to solve this problem by combining all the information as part of their data warehouse strategy. But what if a more agile and flexible approach is required — one that can quickly react to changes in the data landscape and provide business users with the up-to-date information they need for analytics and decision making?

SAP Data Warehouse Cloud offers unique capabilities that can help meet this need. It provides not only the functionality required to load information from a large variety of SAP and non-SAP data sources, but also the option to enable access to those disparate data sources and use the solution’s visual modeling capabilities to federate those sources — whether the data is acquired via replication or virtually accessed from the sources. SAP Data Warehouse Cloud allows organizations to connect to the data in various sources, without necessarily duplicating the information from the source in SAP Data Warehouse Cloud, and map that together to provide a consistent view.

With the capabilities provided by SAP Data Warehouse Cloud — to virtually access disparate data sources, integrate the information into data models and analytics, and then later decide whether to keep using virtual (remote) access or instead replicate the information into SAP Data Warehouse Cloud — organizations can quickly onboard additional data sources and integrate them into their existing data models (see Figure 3). The ability to simply switch between virtual access or a replicated data approach is unique to SAP Data Warehouse Cloud, and allows SAP customers to quickly get started and later decide on the data materialization, without affecting the data model or analytics.

 

Figure 3 — SAP Data Warehouse Cloud enables organizations to quickly onboard data sources without affecting the data model or analytics

Scenario 3: Establishing a Central Semantic Layer

The capability described in the previous usage scenario — the ability to combine different data sources and essentially create a “single version of the truth” — is a valuable one. Now imagine adding the ability to create a more business-driven layer on top of that combined data that uses business-friendly terms, hides joining logic, and prepares a set of calculations, all decoupled from the physical data model so the elements are reusable across data sources. This “semantic layer” concept will be familiar to customers using SAP BusinessObjects solutions, and it has now been introduced into SAP Data Warehouse Cloud.

Known as the “business layer” in SAP Data Warehouse Cloud, it provides separation between the physical data model and the semantic model. This allows business users to follow a top-down modeling approach by enabling them to create an abstraction layer from the underlying data model without having to worry about the physical data model. This approach not only allows business users to leverage a more business-oriented abstraction layer, but also encourages strong collaboration between the IT team and business users as well as a common understanding of the data model and the business-oriented view.

The new business layer in SAP Data Warehouse Cloud hides the complexity of data models and combining data and provides a central location for business semantics and key performance indicator (KPI) definitions. This helps avoid redundant and potentially conflicting definitions, and it ensures a common set of definitions for analytics workflows.

 

Scenario 4: Modernizing Your Data Warehouse

Many SAP customers are currently using SAP BW/4HANA or SAP HANA for SQL data warehousing and seeking ways to modernize their environment to become more agile and flexible. SAP Data Warehouse Cloud complements these offerings to meet these needs via hybrid integration, which allows organizations to reuse their existing on-premise assets while taking advantage of the cloud-based capabilities of SAP Data Warehouse Cloud.

The SAP Data Warehouse Cloud capabilities discussed in the previously outlined scenarios — self-service analytics, combining and onboarding data from a variety of sources, and establishing a central semantic layer — are all part of creating a modernized data warehouse. The ability to reuse assets from an existing on-premise data warehouse as part of this effort enables SAP customers to decide for themselves on the speed of their journey into the cloud.

The integration of SAP Data Warehouse Cloud with SAP BW/4HANA and SAP HANA for SQL data warehousing enables access to all of the capabilities described in the usage scenarios and allows organizations to leverage their existing data warehouses while using SAP Data Warehouse Cloud to provide more agility and flexibility. This approach empowers business users with more self-service analytics and modeling capabilities, creating an environment that allows a rapid reaction to changes and an accelerated time-to-value for information.

 

Summary

As demonstrated by the four usage scenarios discussed in this article, SAP Data Warehouse Cloud provides SAP customers with several options for creating an agile data platform. Use SAP Data Warehouse Cloud to begin your organization’s cloud journey and to foster a collaborative approach for your overall data strategy that leverages the knowledge of both IT and business users.

 


Learn More

SAP Data Warehouse Cloud overview

SAP Data Warehouse Cloud onboarding guide

Hybrid integration with SAP BW/4HANA and SAP Data Warehouse Cloud

Hybrid integration with SAP BW and SAP Data Warehouse Cloud

SAP Data Warehouse Cloud customer stories


 

MEET THE EXPERTS

Ingo Hilgefort

Ingo Hilgefort started his career in 1999 with Seagate Software/Crystal Decisions as a trainer and consultant. He moved to Walldorf for Crystal Decisions at the end of 2000, and worked with the SAP NetWeaver BW development team integrating Crystal Reports with SAP NetWeaver BW. He then relocated to Vancouver in 2004, and worked as a product manager/program manager (in engineering) on the integration of BusinessObjects products with SAP products. Ingo's focus is now on the integration of the SAP BusinessObjects BI suite with  SAP landscapes, such as SAP BW and SAP BW on SAP HANA, focusing on end-to-end integration scenarios. In addition to his experience as a product manager and in his engineering roles, Ingo has been involved in architecting and delivering deployments of SAP BusinessObjects software in combination with SAP software for a number of global customers, and has been recognized by the SAP Community as an SAP Mentor for SAP BusinessObjects- and SAP integration-related topics. Currently, Ingo is the Vice President of Product Management and Product Strategy at Visual BI Solutions, working on extensions to SAP’s product offering such as SAP BusinessObjects Design Studio and SAP Lumira. You may follow him on Twitter at @ihilgefort.



Introducing SAP Business Application Studio

A New Tool for Developing SAP Fiori Applications with SAP Cloud Platform ABAP Environment Services

 

by Karl Kessler, Vice President of Product Management ABAP Platform, SAP SE

 

SAP Fiori technology has transformed the user experience for SAP solutions with modern concepts and designs, and it soon became the design technology for SAP’s solutions going forward. With this in mind, it has been critical for developers to have access to a development environment that optimally supports SAP Fiori application development, and that is flexible enough to adapt to rapidly changing standards and tools.

Over the last few years, SAP Web IDE has been the dominant development environment for developing SAP Fiori applications for SAP Cloud Platform, SAP S/4HANA, and SAP S/4HANA Cloud. SAP Web IDE offers a variety of tools, editors, frameworks, and wizards to boost developer productivity. However, since SAP Web IDE is hosted in SAP Cloud Platform for the Neo environment, which operates in SAP data centers, it has some limitations, such as a lack of adherence to the newest tool standards and lack of support for multi-cloud environments, such as Cloud Foundry-based environments.

To overcome these limitations and extend support for modern application development in intelligent enterprise scenarios, SAP has introduced a new environment for developing and extending SAP solutions: SAP Business Application Studio. Hosted in SAP Cloud Platform for the Cloud Foundry environment and based on open standards, SAP Business Application Studio supports intuitive, end-to-end application development for key business scenarios with the help of easy-to-use tools and known frameworks, such as SAP Fiori templates and OData service consumption.

This article introduces developers and professional key users to using SAP Business Application Studio for SAP Fiori application development with SAP Cloud Platform ABAP environment services. To give you a feel for the simplified, modernized developer experience it provides, it starts with an overview of the tool, and then walks through the tasks involved in setting it up, developing an SAP Fiori application using an SAP Fiori template, and deploying the application. Lastly, it demonstrates how to create a launchpad for the application for display in SAP Fiori launchpad using the Eclipse-based ABAP development tools in SAP Cloud Platform ABAP environment.

 

Introducing SAP Business Application Studio

Released for general availability in February 2020, SAP Business Application Studio is a cloud-based service that can be used for any kind of development, including SAP Cloud Platform ABAP environment development, native SAPUI5 development, and Cloud Application Programming (CAP) model development.

The tool’s features include:

  • A browser-based developer experience targeted at full-stack development, from the user interface (UI) down to the application and database level
  • A local desktop-like development environment based on a file system and command line (also known as “terminal”) approach that goes beyond menu interactions and is particularly popular when developing applications for the cloud (to automate tasks such as continuous integration, testing, and deployment, for example)
  • Support for multi-cloud development and deployment — SAP Business Application Studio is hosted in the Cloud Foundry environment, eliminating the need to bridge Neo and Cloud Foundry accounts
  • Dev spaces, which behave like virtual images for a freely chosen programming model or paradigm, with each space offering prepackaged tools specific to the type of application under development plus optional extensions
  • Adherence to standards — for example, it uses command palettes that are also used in similar locally installed tools, such as Visual Studio Code, which provides convenience, simplicity, and a shorter learning curve

Figure 1 shows the basic architecture and philosophy of SAP Business Application Studio. The developer accesses the tool through a browser and runs one or more dev spaces in parallel. Each dev space serves a certain purpose — SAP Fiori development, for example — and consists of related tools, extensions, and a corresponding file system to store development artifacts that can be versioned in an attached Git repository. Access to cloud or on-premise data sources is enabled in the usual way through the consumption of OData services, which will be covered later in the article.

 

Figure 1 — An overview of the SAP Business Application Studio architecture

To provide a solid foundation for understanding SAP Business Application Studio development, the next sections walk through an example SAP Fiori development project. Using SAP Cloud Platform, and with the help of known frameworks such as SAP Fiori templates, we will create a straightforward SAP Fiori application based on SAP’s familiar travel and flight reference scenario, which can be downloaded from GitHub. Trial systems always include the travel and flight reference scenario, and it can also be downloaded as described in a previous article.

 

Setup: Getting Access to SAP Business Application Studio

To access SAP Business Application Studio, you must have an SAP Cloud Platform account, so that you can subscribe to the application, and you must have the proper authorizations to use the application. If you do not already have an SAP Cloud Platform account, start by creating a trial account.

 

Create a Trial SAP Cloud Platform Account

For those without an existing SAP Cloud Platform account, the easiest way to get access to SAP Business Application Studio is via an SAP Cloud Platform trial account. From the welcome page (Figure 2), you can choose to run a tutorial for a common scenario, or you can directly access your trial account. If you are new to SAP Cloud Platform, or if your account has expired after the 90-day trial period, you can create a new account.

 

Figure 2 — The welcome page for an SAP Cloud Platform trial account

First, choose a region — SAP Cloud Platform cockpit offers two options, Europe and US. Once a region is selected (Europe in the example), the cockpit automatically creates the trial account and generates the required global account, Cloud Foundry-based subaccount, Cloud Foundry organization, and space to host your services (Figure 3).

 

Figure 3 — SAP Cloud Platform cockpit sets up the account with the required global account, subaccount, organization, and space

Subscribe to SAP Business Application Studio

To subscribe to SAP Business Application Studio, in SAP Cloud Platform cockpit, navigate to the main page (Figure 4) of your global account (cdeb6b1atrial in the example) and select the associated subaccount (in the example, trial). On the subaccount overview screen, select Subscriptions in the left-hand navigation pane, which lists all the available applications, including SAP Business Application Studio (Figure 5).

 

Figure 4 — Access the subaccount via the global account main page

Figure 5 — The subaccount page lists all of the applications available for subscription

To subscribe to an application — by default, they are all unsubscribed — click on the tile for that application. Selecting SAP Business Application Studio takes you to its detail screen, where you can subscribe by clicking on the Subscribe button. Once the status field turns to green (Figure 6), the tool is ready for use.

 

Figure 6 — When the status field changes to “Subscribed,” the application is ready for use

Note that if you already have a valid SAP Cloud Platform subscription, you can subscribe to SAP Business Application Studio in the same way. In this case, your administrator has likely already created the subaccount and space for you and assigned your user ID to it.

 

Ensure You Have the Correct Authorizations

Next, ensure that you have the right authorizations to use SAP Business Application Studio. To verify this, in SAP Cloud Platform cockpit, navigate to the Security section on the subaccount overview screen, select Trust Configuration, and click on the default trust configuration sap.default (Figure 7). On the detail screen that opens, if you have administrator privileges (which most developers do for their development work), you can assign the Business_Application_Studio_Developer role collection to your user identity (Figure 8).

 

Figure 7 — Select the default trust configuration to view the authorizations

Figure 8 — Ensure the Business_Application_Studio_Developer role is assigned to the user identity

Create a Dev Space

With the correct authorizations in place, return to the main subaccount page in SAP Cloud Platform cockpit and click on the Go to Application link that now appears on the SAP Business Application Studio tile, which takes you to the display area for your dev spaces (Figure 9). To create a dev space (note that in the trial environment you are limited to two), click on the Create Dev Space button at the lower right of the display. This presents you with a selection of dev space types to choose from — including SAP Fiori, SAP Cloud Business Application, SAP Cloud Platform Mobile Services, and Basic — to support different development scenarios. Each dev space comes with a predefined set of standard tools, to which you can add extension options to further enhance the dev space.

 

Figure 9 — The dev spaces display area in SAP Business Application Studio

The example uses the SAP Fiori dev space type and names the dev space MyFiori (Figure 10). When the settings are complete, click on Create Dev Space. This starts up the dev space, which is now displayed with the status RUNNING in the dev space display area (Figure 11).

 

Figure 10 — Each dev space comes with a predefined set of tools, which can be supplemented with additional extensions

Figure 11 — The newly created dev space is running in the dev space display area

Development: Using SAP Business Application Studio

With the setup complete, you’re ready to start developing an application with SAP Business Application Studio. Click on the name of the dev space (MyFiori in the example) to start SAP Business Application Studio, where you can begin your development work (Figure 12). Before diving in, let’s take a quick look at the tool layout.

 

Figure 12 — The welcome screen for a newly created dev space in SAP Business Application Studio

Understanding the Tool Layout

The tool layout is intuitive and straightforward in SAP Business Application Studio. On the left of the main screen is the Explorer, which typically displays the project folder containing the development artifacts of the application. The right portion of the screen is used to display the code for the application. The welcome page lists useful resources such as wizards for creating a file or project, shows recently used artifacts, and points to documentation. In addition, there is a standard menu bar at the top and a tool palette along the left.

To open a workspace, click on the Open Workspace button, and in the pop-up screen, select “projects” from the drop-down list of folders, which then displays that folder in the Explorer. Back on the main screen, the status bar at the bottom will display a reminder that SAP Business Application Studio is not yet connected to an organization and space in Cloud Foundry to enable access to back-end resources. Click on the status bar and at the prompt enter your Cloud Foundry endpoint URL, which can be copied from the subaccount overview page — the URL is https://api.cf.eu10.hana.ondemand.com in the example (Figure 13).

 

Figure 13 — Enter your Cloud Foundry endpoint URL to enable SAP Business Application Studio to access back-end resources

At the next prompt, sign in to the Cloud Foundry endpoint with your user identity — that is, the email address and password for your SAP Cloud Platform account. The tool presents a drop-down list of the Cloud Foundry organizations to which your user identity is assigned. In the example, we select ABAP Product Management_pm (Figure 14). Next, select a Cloud Foundry space from the drop-down list of available spaces (Figure 15). In the example, we select Dev for the development project. The project target settings are now set, and back on the main screen, the status bar indicates the targeted organization and space.

 

Figure 14 — Select a Cloud Foundry organization

Figure 15 — Select a Cloud Foundry space

With all the basic settings in place, the real development can begin.

 

Using a UI Application Generator

The architecture of SAP Business Application Studio consists of a core development environment with the project outline view, editors, compile/build tools, and deployment tools. In addition to these typical elements, it comes with useful plug-ins and extensions for application development, such as UI application generators, that are designed to allow their reuse in the popular Visual Studio Code development tool. The UI application generators help speed the creation of SAP Fiori applications and are based on the Yeoman open source framework, which was designed to create wizards for fast application scaffolding.

To access the UI application generators, open the command palette from the SAP Business Application Studio menu bar by selecting View > Find Command, and then search for the Yeoman UI Generators (Figure 16). Several different generators are presented, such as SAP Fiori Freestyle and Basic Multitarget Applications (Figure 17). For the example, we select the SAP Fiori elements application generator. The SAP Fiori elements concept is based on the notion of templates that define the floor plan for an application, and this generator is well suited for working with services exposed by SAP Cloud Platform ABAP environment, which is the type of service our application needs to access data from the back end. Choose a template for the app — while we choose the List Report Object Page V2 template for the example (Figure 18), any of the others (Worklist, Analytical List Page, or Overview Page) could just as easily be used here.

 

Figure 16 — Search for the Yeoman UI generators

 

Figure 17 — Several different Yeoman UI generators are available to meet different development needs

 

Figure 18 — Choose the template for the application

 

To populate the template, you must connect with a data source and service. You can choose to either connect with an SAP system or directly consume an OData service. For the example, we connect to an SAP system (Figure 19) and create a new system destination (Figure 20). Since we are logged on to the target environment (the Cloud Foundry organization and space we logged on to earlier), SAP Business Application Studio presents the available ABAP instances, which in the example is an ABAP cloud system called PMD that runs in the Cloud Foundry subaccount.

 

Figure 19 — Connect to the SAP system to populate the template

 

Figure 20 — Create a system destination

 

System PMD then displays the available OData services to choose from — for the example, we choose the travel service ZUI_C_TRAVEL_M_KK (Figure 21), which exposes travel requests (this example service is based on SAP’s well-known travel and flight reference scenario, and its creation using SAP Cloud Platform ABAP environment was described in a previous SAPinsider article). Choose a main entity from the list of entity sets contained in the selected OData service — for the example, we choose TravelProcessor (Figure 22).

 

Figure 21 — Choose the ZUI_C_TRAVEL_M_KK OData service for the example

 

Figure 22 — Choose TravelProcessor

 

Next, set the project attributes — such as the module name (ztravel), title (Travel requests), description (A Fiori application for handling travel requests), and a project folder location in the file system (/home/user/projects) — and click on Finish (Figure 23). The system generates the new project and asks to open the project in a new workspace or add it to an existing workspace. Choose Open in New Workspace, which generates a folder containing the new SAP Fiori application along with various related items, such as deployment configuration files (Figure 24).

 

Figure 23 — Enter the project attributes

 

Figure 24 — The newly generated application and related files

 

To start the generated application, in the left menu, switch from the Explorer view to the Run Configurations view (click on run), and click on the “plus” sign (add) at the top of the left navigation pane. Specify the newly created project (ztravel in the example) at the system prompt for which project to run. The system generates and runs the configuration (Run ztravel), and then the local SAPUI5 server starts and listens for incoming requests (Figure 25).

 

Figure 25 — Run the configuration

 

To preview the newly created application, click on Expose and Open at the lower right of the screen. Open the test folder (Figure 26) and select the automatically generated SAP Fiori launchpad sandbox, flpSandbox.html (Figure 27).

 

Figure 26 — Open the test folder

 

Figure 27 — Select the FLP sandbox

 

SAP Fiori launchpad displays with a tile for the new Travel request application (Figure 28). Clicking on the Travel request tile displays the travel requests in the corresponding SAP Fiori template (Figure 29).

 

Figure 28 — The new Travel requests application displayed in SAP Fiori launchpad

 

Figure 29 — Travel requests displayed in the Travel request application

 

Deploying the Application

The application is now ready for direct deployment to the target ABAP stack (ABAP cloud system PMD in the example). While direct deployment was always possible in on-premise and Neo-based environments, with SAP Business Application Studio, this option is now also available for SAP Cloud Platform ABAP environment. This deployment option avoids the need to deal with Cloud Foundry specifics of deployment, which involved the application’s UI being treated as a separate entity that connects to the back end — now it is treated as an easily transportable ABAP artifact.

This direct deployment is performed by executing commands in the terminal, also known as the command line. The command line is one of the major innovations in SAP Business Application Studio compared to SAP Web IDE, and while it might sound a bit retro-focused, since command lines have been mostly replaced by mouse-driven graphical tools, in the open-source world, command lines are still extremely popular. A good graphical tool is still essential for user acceptance, but a strong command line tool can speed development tasks significantly — for example, it can reduce the need to locate a particular function, enable fast interaction (such as reissuing certain command sequences), and allow for automated command execution in scripts.

To execute the deployment in the command line, open a new terminal session by selecting Terminal > New Terminal, which opens the command palette. Then configure the deployment descriptors with a few commands:

  • npx fiori add flp-config — This command (Figure 30) asks for a semantic object and action and a title that describes the application to enable intent-based navigation in SAP Fiori launchpad.

 

Figure 30 — The npx fiori add flp-config command enables intent-based navigation in SAP Fiori launchpad

 

  • npx fiori add deploy-config — This command (Figure 31) asks for a deployment target (ABAP or Cloud Foundry); a destination (system PMD); a name for the application (ZTRAVEL); a comprising ABAP package (Z_TRAVEL_APP_KK); and a transport request number (PMDK900141).

 

Figure 31 — The npx fiori add deploy-config command configures the deployment

 

  • npm run deploy — This command (Figure 32) starts the deployment process. Upon successful completion (Figure 33), the development artifacts are uploaded to the ABAP instance. You can double-check the status in the Eclipse workspace of the ABAP development toolkit (Figure 34), to make sure that all the artifacts have arrived properly, by selecting the ABAP package (Z_TRAVEL_APP_KK) in the Project Explorer and viewing the details in the Transport Organizer in the lower part of the screen.

 

Figure 32 — The npm run deploy command starts the deployment process

 

Figure 33 — The completed deployment

 

Figure 34 — Check on the progress of the deployment in the Transport Organizer in the ABAP development tools

 

Creating a Launchpad for the SAP Fiori Application

Next, we create a launchpad for the application, which will enable a tile for the new application to appear in SAP Fiori launchpad. Version 2008 of SAP Cloud Platform ABAP environment offers a new way to create and maintain a launchpad for an SAP Fiori application using the Eclipse-based ABAP development tools. The ABAP back end introduces new artifacts that facilitate the process in a well-structured way, including a layout concept called “spaces.” Instead of displaying all roles to which you are assigned in a full-screen approach, a space is associated with a business role and is represented by a browser tab (Figure 35). The layout of the space is defined by the page, which consists of one or more sections that can contain tiles. The tile is contained in a business catalog, which is associated with the business role so that end users assigned to that business role can launch the tile and its associated application. The layout can be easily adjusted with an easy-to-use page editor.

 

Figure 35 — New development artifacts help structure the process of creating a launchpad for SAP Fiori applications

 

To create a launchpad for an SAP Fiori application, you must first create an identity and access management (IAM) application that represents the launchpad tile for the application. In the Eclipse workspace, create a new ABAP repository object — an IAM application — for the project (PMD_EN in the example) by searching for “IAM” (Figure 36). Give the IAM application a name (ZTRAVELAPP), description (Travel IAM app), and type (EXT – External App) — the system appends the suffix “EXT” since it is an external-facing application (Figure 37). Then specify the UI5 application ID (ZTRAVEL_UI5R) that was created during the deployment of the SAP Fiori application (Figure 38).

 

Figure 36 — Create an identity and access management (IAM) application to represent the launchpad tile for the application

 

Figure 37 — Define the IAM application

 

Figure 38 — Specify the UI5 application ID (ZTRAVEL_UI5R) that was created during the deployment

 

Next, create a new ABAP repository object — a business catalog — for the project (PMD_EN in the example) by searching for “catalog” (Figure 39). Specify the settings for the catalog (Figure 40), including a package (Z_TRAVEL_APP_KK), name (ZTRAVELCAT), and description (Travel app catalog).

 

Figure 39 — Create a business catalog to which you can assign the application

 

Figure 40 — Define the business catalog

 

Once the catalog is created, a screen appears that lists the applications assigned to the catalog (Figure 41). Click on Add to assign the newly created IAM application to the catalog. Define the assignment (Figure 42) — including the project (PMD_EN), package (Z_TRAVEL_APP_KK), IAM app (ZTRAVELAPP_EXT), name (ZTRAVELCAT_0001), and description (Business Catalog to IAM App assignment) — and the application is then listed in the catalog (Figure 43).

 

Figure 41 — The business catalog lists the applications assigned to it

 

Figure 42 — Assign an application to the business catalog

 

Figure 43 — The assigned application listed in the business catalog

 

To create the launchpad for the application, switch to the SAP Fiori launchpad administrator tool in SAP Cloud Platform cockpit (Figure 44). As an administrator, create a new launchpad space by going to the User Interface Configuration tab and selecting the Manage Launchpad Spaces tile. On the Create Space screen (Figure 45), provide a space ID (ZTRAVELSP), description (Space for travel apps), and title (Travel app space), along with a page ID (ZTRAVELPG), description (Page for travel apps), and title (Travel apps). The page is then displayed in the list of pages for that space (Figure 46).

 

Figure 44 — Select the Manage Launchpad Spaces tile to create a new launchpad space

 

Figure 45 — Specify the details of the new launchpad space

 

Figure 46 — The page details of the newly created space

 

Next, maintain the business role (Figure 47). Clicking on the Maintain Business Roles tile on the Identity and Access Management tab displays the list of available roles (Figure 48). Create a new role (Figure 49) and specify a name (ZTRAVELROLE) and description (Travel app role).

 

Figure 47 — Select the Maintain Business Users tile to create a new business role

 

Figure 48 — The available business roles for the newly created space

 

Figure 49 — Create a new business role

 

In the detail screen for the new role (Figure 50), assign the previously created Travel app catalog (Figure 51), which is then displayed in the role details (Figure 52).

 

Figure 50 — The details of the newly created role

 

Figure 51 — Add the previously created business catalog to the newly created role

 

Figure 52 — The role details now include the previously created business catalog

 

To assign a role to the launchpad space, click on Manage Launchpad Space at the upper right of the Maintain Business Role screen. In the following pop-up (Figure 53), assign the role to the previously created space (ZTRAVELSP). The assignment is then included in the role details (Figure 54).

 

Figure 53 — Assign the role to the previously created space

 

Figure 54 — The space now appears in the role details

 

Now that we have assigned the space to our role, return to the User Interface Configuration tab, select the Manage Launchpad Pages tile, and go to the customer-created pages view, which now lists the newly created page (Figure 55). The green Assigned status shown in the role assignment indicates that it is active. Clicking on the pencil (“change”) icon allows you to add the business catalog derived from the role to the launchpad layout (Figure 56). By default, the page is marked as invisible, but you can immediately change it to visible (Figure 57).

 

Figure 55 — The newly created page is now listed in the customer-created pages view

 

Figure 56 — Add the business catalog to the launchpad page

 

Figure 57 — Change the page visibility to visible

 

Now you can assign the role to a user by returning to the role details (Figure 58) and specifying the user ID. Enable spaces in the user’s SAP Fiori launchpad preferences (Figure 59) and the newly created launchpad will be displayed (Figure 60).

 

Figure 58 — Assign the role to a user ID

 

Figure 59 — Enable spaces in the user’s SAP Fiori launchpad preferences

 

Figure 60 — The newly created launchpad

 

Summary

Using the new SAP Business Application Studio in conjunction with SAP Cloud Platform ABAP environment is a straightforward, modern, and intuitive experience for developers. Many parts of SAP Business Application Studio look and feel familiar, such as the project outline view and the various wizards. At the same time, the tool includes a variety of new concepts — such as the command palette and command line capabilities, which provide a high level of control — designed to help accelerate development efforts. With SAP Business Application Studio and SAP Cloud Platform ABAP environment, you can quickly build custom SAP Fiori launchpads in an efficient, role-based fashion, enabling fast, simplified development of sophisticated applications.

Learn more at the SAP Community page for SAP Business Application Studio.

 

Karl Kessler

Karl Kessler (karl.kessler@sap.com) joined SAP SE in 1992. He is the Vice President of Product Management ABAP Platform — which includes SAP NetWeaver Application Server, the ABAP Workbench, the Eclipse-based ABAP development tools, and SAP Cloud Platform ABAP environment — and is responsible for all rollout activities.



How to Build a Strong Security and Compliance Foundation for Your SAP Landscape

Ensure a Secure Environment Using SAP Solutions and the NIST Cybersecurity Framework

 

by Martin Müller, Presales Expert Security, SAP Deutschland, and Arndt Lingscheid, Product Manager of SAP Enterprise Threat Detection, SAP SE

 

Attacks that come from outside of a company often target its IT infrastructure layer to interrupt business operations. Most successful attacks are carried out by insiders or individuals compromised via phishing or malware attacks, and sometimes employees are recruited by suspicious organizations and used as vehicles to carry out an attack. These attacks often focus on the company’s application layer and use privileged user accounts. Unfortunately, many security departments see the SAP application layer as a “black box,” and they view the security of SAP applications as the responsibility of their Basis or SAP application colleagues, leaving these applications at risk.

In cases where an organization’s SAP applications are run by a service provider, the security team might even expect the service provider to be responsible for the security of these applications. While the provider might be responsible for the IT infrastructure layer, depending on the service level agreement (SLA) in place, technologies used for securing this layer often cannot prevent or detect attacks and data breaches at the application layer, where the most important business-critical data is usually stored. And responsibility for the data always lies with the customer organization.

For these reasons, the security of the application layer can often be a blind spot within organizations. Compounding this issue are myriad factors at play. For example, small-size companies have requirements that are different from mid-size or large organizations. Some businesses run their SAP software on premise, others use cloud-based SAP applications, and still others run their SAP applications in heterogeneous landscapes. And auditors have varying expectations of companies depending on variables such as the legal and geographical structure of an organization, its use of solutions, and the distribution models it uses, which leads to very individual audit requirements for companies, even if they operate in the same industry.

This article helps SAP decision makers (CIOs, CFOs, and CISOs) and IT operations managers successfully meet these challenges and secure their SAP landscapes. The article first looks at how security frameworks can help lay the foundation for a strong security strategy. It then walks through SAP’s portfolio of security and compliance solutions through the lens of the Cybersecurity Framework provided by the National Institute of Standards and Technology (NIST) — a framework that is widely used for establishing standard security guidelines and best practices within organizations — to provide SAP customers with a toolkit for creating a comprehensive security strategy that meets their unique and varied needs. Lastly, it explains how to control security activities with a security infrastructure to meet compliance and business requirements and to provide insight that helps those at the C level make better decisions.

 

Solid Security Strategies Start with a Framework

A framework of guidelines, standards, and best practices is a critical tool for ensuring the security of an organization’s landscape. One resource that SAP provides for its customers for this purpose is the SAP Security Optimization Services Portfolio, which provides Best Practices centered on three key areas: Security Overview, which provides overall SAP security recommendations; Security Topics Area, which provides recommendations for areas such as security patch management and configuration analysis; and Security Services, Tools and Information, which recommends additional resources on service offerings. For those seeking to create a structured overall SAP security strategy, the Security Overview area is an ideal place to start, and the SAP Secure Operations Map at its center provides an overview of the SAP-specific topics that need to be covered.

Another resource that is widely used by many organizations is the NIST Cybersecurity Framework. The NIST Cybersecurity Framework can be used in a complementary way with the SAP Secure Operations Map, as it is orthogonally oriented and provides a more general approach to structuring a security strategy. The framework is divided into three components: core, profiles, and tiers. The core component, which is the focus of this article, contains an array of activities, desired outcomes, and information about aspects of and approaches to cybersecurity, while profiles and tiers center on aligning the core information with an organization’s objectives and practices.

 

The SAP Secure Operations Map

The SAP Secure Operations Map serves as a reference model for structuring the overall security of an organization, and for serving as the basis for discussions about the needs and solutions required for specific security areas. These areas include: organization, processes, application, system, and environment (see Figure 1). The focus is on the operational aspects of security — that is, the tasks and considerations that a customer or service provider needs to consider to maintain and operate its systems and landscapes safely.

 

Figure 1 — The SAP Secure Operations Map provides a 360-degree view of security in an organization’s SAP landscape

 

This most recent version of the map, which was updated in January 2020, includes the addition of two new areas: organization and processes. To establish the processes, data protection measures, and technologies that are necessary to effectively secure the business, all employees — including those at the board level — must be aware of the issue of security in the organization. To this end, the organization layer describes activities such as awareness campaigns and general knowledge of security governance and risk management. The process layer completes the known paradigm of people (organization), processes, and technology. It covers areas such as regulatory process compliance, data privacy and protection, and audit and fraud management, and it deals with the correct behavior of applications concerning policies and legal demands.

The application layer consists of typical SAP applications that cover areas such as identity access management, roles and authorization management, and typical custom code security. It is important to note that the application layer is separate from the system and environment layers (many organizations do not see it as separate, which can have security ramifications, as mentioned earlier). The system layer covers typical elements such as security hardening, secure code from SAP (via SAP security patches), and continuous security monitoring and event management of the application layer. The environment layer collects the security actions needed for SAP operations on a network, operating system, and client level.

 

The NIST Cybersecurity Framework

Established in 2014, the NIST Cybersecurity Framework is used by many organizations — IDC estimates that more than half of Fortune 500 companies with US headquarters have adopted this framework as their primary control framework for cybersecurity. This framework helps IT security teams assess and improve their ability to prevent, detect, and respond to cyberattacks. Through its core component — which provides the foundation for the framework’s other two components, profiles and tiers — the NIST framework provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes (see Figure 2).

 

Figure 2 — The NIST Cybersecurity Framework helps organizations assess and improve their ability to prevent, detect, and respond to cyberattacks

 

An NIST-Based Overview of SAP’s Security and Compliance Solutions

Figure 3 provides an overview of SAP’s security and compliance solutions through the lens of the NIST Cybersecurity Framework. At the lower right is a legend that describes the focus of the product or service, which is indicated by color in the diagram. Some tools are SAP standard tools (shipped with SAP’s core software), some focus on cybersecurity, and others focus on compliance. In addition, several support services are available to help organizations improve their enterprise security environments. The length of the bars indicates where to position the solutions in the NIST framework. Across the top are solutions that provide overarching control over the activities performed with these tools as part of the defined security strategy, along with transparency for executives. Next, we will walk through the key features and functionality of the solutions shown in the diagram.

 

Figure 3 — An overview of SAP’s security and compliance solutions based on the NIST Cybersecurity Framework

 

SAP EarlyWatch Alert Workspace

According to the NIST framework, one of the first steps in assessing an SAP application is to identify the most important systems and applications and how users are accessing the most important data in these systems, so that you can then take steps to protect it. The SAP EarlyWatch Alert Workspace service, which helps address the “identify” and “protect” areas of the NIST framework, is a free, automated SAP standard tool that scans all productive SAP instances on a weekly basis, collecting and analyzing a comprehensive set of critical settings and vulnerabilities, and highlighting missing security patches. This service can also be used for an initial security assessment of all productive SAP instances to identify vulnerabilities and to visualize unpatched systems.

Introduced more than 20 years ago as SAP EarlyWatch Alert, the service originally ran within SAP Solution Manager or via the customer’s SAP Service Backbone connection. In 2018, SAP EarlyWatch Alert was completely redesigned as a cloud-based tool called EarlyWatch Alert Workspace, which is accessed through SAP ONE Support Launchpad, and that same year it received an SAP Product Excellence Award from SAP User Group Executive Network (SUGEN) customers.

The goal of SAP EarlyWatch Alert Workspace is to identify critical security issues across an organization’s productive landscape and to provide a prioritized worklist to share and track progress — for example, it offers an easy way to view how many systems are vulnerable and in what ways. Despite the advantages of using this tool, however, many organizations are often unaware of it or don’t understand its benefits. Be sure to take advantage of this freely available service to help ensure a comprehensive security strategy based on the NIST framework.

 

SAP Configuration Validation

SAP Configuration Validation uses data from SAP Solution Manager to help determine whether the SAP systems in an organization’s landscape are configured consistently and in accordance with the company’s requirements. This SAP standard tool, which helps address the “identify” and “protect” areas of the NIST framework, can help validate the current configuration of a system against the configuration data of other systems, or against a defined target system, for example, and can help fulfill standard requirements from auditors.

This tool enables the execution of validation reports to compare the current configuration of one or more systems with a reference system. The reference system can be either a real, existing system or a virtual target system containing user-defined configuration criteria. Each configuration element is checked, and if the value of the element in the comparison system fulfills the conditions defined in the reference system, it is rated compliant. If any element in a configuration store is not compliant, the entire configuration store is rated noncompliant. The same applies to a system: if any element in a configuration store is noncompliant, the entire system is rated noncompliant.
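The roll-up rule described above (element, then configuration store, then system) can be sketched as follows. This is an added example, not SAP code or the tool's own implementation; the store names, the system contents and the target values are constructed sample data, and a missing element is assumed to count as noncompliant.

```python
"""Added illustration of a configuration-validation roll-up (not SAP code)."""
import operator
import re
from dataclasses import dataclass

# Comparison operators a virtual target system may use in its conditions.
COMPARATORS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}


@dataclass(frozen=True)
class Rule:
    store: str       # configuration store the element lives in (hypothetical names)
    element: str     # configuration element to check
    op: str          # "==", ">=", "<=" or "regex"
    expected: object # target value defined in the reference system


@dataclass(frozen=True)
class Finding:
    store: str
    element: str
    actual: object
    compliant: bool
    reason: str


def check_element(rule: Rule, system_config: dict) -> Finding:
    """Rate one element of the comparison system against the reference rule."""
    store = system_config.get(rule.store, {})
    if rule.element not in store:
        # Assumption: an element that was not collected cannot fulfil the
        # condition, so the check fails closed.
        return Finding(rule.store, rule.element, None, False, "element missing")
    actual = store[rule.element]
    try:
        if rule.op == "regex":
            ok = re.fullmatch(rule.expected, str(actual)) is not None
        else:
            # Collected values are strings; coerce to the type of the target.
            ok = COMPARATORS[rule.op](type(rule.expected)(actual), rule.expected)
    except (ValueError, TypeError):
        return Finding(rule.store, rule.element, actual, False, "value not comparable")
    reason = "ok" if ok else f"expected {rule.op} {rule.expected!r}"
    return Finding(rule.store, rule.element, actual, ok, reason)


def validate(system_config: dict, rules: list) -> dict:
    """One noncompliant element fails its store; one failed store fails the system."""
    findings = [check_element(rule, system_config) for rule in rules]
    stores = {}
    for finding in findings:
        stores[finding.store] = stores.get(finding.store, True) and finding.compliant
    return {"findings": findings, "stores": stores, "system": all(stores.values())}


# Virtual target system with user-defined criteria (constructed sample values).
REFERENCE = [
    Rule("PROFILE_PARAMETERS", "login/min_password_lng", ">=", 8),
    Rule("PROFILE_PARAMETERS", "login/fails_to_user_lock", "<=", 5),
    Rule("PROFILE_PARAMETERS", "login/no_automatic_user_sapstar", "==", 1),
    Rule("TLS_SETTINGS", "min_protocol", "regex", r"TLSv1\.[23]"),
]

# Two comparison systems (constructed sample data).
SYS_A = {
    "PROFILE_PARAMETERS": {
        "login/min_password_lng": "10",
        "login/fails_to_user_lock": "3",
        "login/no_automatic_user_sapstar": "1",
    },
    "TLS_SETTINGS": {"min_protocol": "TLSv1.2"},
}
SYS_B = {
    "PROFILE_PARAMETERS": {
        "login/min_password_lng": "6",      # too short for the target
        "login/fails_to_user_lock": "5",
        # login/no_automatic_user_sapstar was never collected
    },
    "TLS_SETTINGS": {"min_protocol": "TLSv1.2"},
}

if __name__ == "__main__":
    for name, config in (("SYS_A", SYS_A), ("SYS_B", SYS_B)):
        result = validate(config, REFERENCE)
        print(name, "compliant" if result["system"] else "NONCOMPLIANT", result["stores"])
        for f in result["findings"]:
            if not f.compliant:
                print(f"  {f.store}/{f.element}: actual={f.actual!r} ({f.reason})")
```

The per-element findings matter for remediation: the system-level rating alone only says that something failed, not which store or setting to fix.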

 

System Recommendations

System Recommendations is an SAP standard tool that also helps address the “identify” and “protect” areas of the NIST framework. Included with SAP Solution Manager, this tool provides a tailored list of SAP Notes, including security notes, that should be applied to a selected managed system. Details of the notes, including any prerequisites for a particular note, can be viewed in a user-friendly SAP Fiori interface.

 

SAP Focused Run

SAP Focused Run, a solution originally developed by SAP’s cloud operations team, helps address the “identify,” “protect,” and “detect” areas of the NIST framework. It is a solution that uses SAP HANA to support high-volume monitoring, alerting, diagnostics, and analytics, and it is available for all SAP customers and service providers with an additional license via SAP Service Marketplace. SAP Focused Run helps organizations maintain their SAP applications using a central, scalable, safe, and automated environment.

While SAP Focused Run is not solely focused on security, it includes many security features that can help ensure a secure system landscape, including:

  • Predefined and policy-based security and compliance validation of configurations
  • Monitoring of server-side certificates
  • Security note deployment validation, including transparency about gaps versus achievement
  • Integration into operational processes
  • Insights into actual usage, including system communication, document flow, and user behavior
  • Graphical charts and built-in dashboarding capabilities that can also be used by auditors and management

 

SAP Code Vulnerability Analyzer

Many SAP customers use the ABAP programming language to create their own and extend existing SAP applications. While the ability to customize and enhance applications is a useful capability, incorrect programming can lead to severe security issues, such as data theft and costly compliance violations. For this reason, SAP recommends using SAP Code Vulnerability Analyzer for all custom ABAP code development. At SAP, ABAP code must be checked using this cybersecurity solution before it can leave the development system, which has led to a significant decrease in vulnerabilities.

SAP Code Vulnerability Analyzer, which helps address the “identify” and “protect” areas of the NIST framework, fits seamlessly into the well-known ABAP test cockpit. Within the ABAP test cockpit, developers can review their code and perform tests for code robustness, performance, and usability. When a customer licenses SAP Code Vulnerability Analyzer, ABAP developers receive an additional option within the ABAP test cockpit to perform SAP Code Vulnerability Analyzer security checks.

 

SAP Fortify by Micro Focus

SAP Fortify software by Micro Focus helps secure applications wherever they are deployed — in house, on the web, in the cloud, or on mobile devices around the world. The software integrates with SAP Code Vulnerability Analyzer across the solution life cycle and automates key processes for developing and deploying highly secure technology and services.

This cybersecurity solution helps address the “identify” and “protect” areas of the NIST framework. It supports a cohesive approach to application quality management and security testing, and it helps identify and address security vulnerabilities throughout the software life cycle. Through its intuitive web interface, SAP Fortify provides line-of-code guidance specific to the programming language used. Additional functionality includes real-time security vulnerability testing and verification for web applications and services, a sophisticated software security center, a static code analyzer for different development languages, and web inspect functionality.

SAP Fortify helps organizations comply with internal and external security and quality mandates and establish continuous, automated procedures to address security issues in deployed software and reduce risk in software that is in development or being acquired.

 

UI Data Protection Masking and UI Data Protection Logging

Controlling which data can be viewed and tracking who has viewed critical data is crucial in an SAP environment. SAP provides two functionalities via the UI data protection masking and UI data protection logging add-ons, which require an additional license. These compliance solutions help SAP customers meet this need, and they help address the “identify” and “protect” areas of the NIST framework.

UI data protection masking enables SAP customers to reduce the visibility of their sensitive data — such as salary data, bank account information, and social security numbers — via easy configuration settings. The UI masking technology allows security administrators to hide, mask, or block data on a business transaction. The data is not displayed because it is never sent to the client system, providing the strongest possible data protection. Dynamic authorizations enable the configuration of output based on attribute and role information, so that only those with a specific role see the unmasked data, while all others are shown only the masked data. For example, in an HR scenario, not every HR employee should view the salary details of all employees.

UI data protection logging provides transparency around who has viewed which data, how often, and when, which helps spot access misuse. The UI logging technology provides a detailed, screen-exact data access protocol for both user input and system output. It is also possible to configure real-time alerts upon access to predefined data, or to enable more advanced alerting via native integration with SAP Enterprise Threat Detection (more on this tool later).

 

SAP Business Integrity Screening

Fraudulent transactions can have a costly effect on an organization’s profitability, but it can be difficult to identify these types of transactions before they occur.

SAP Business Integrity Screening is a compliance solution that helps address the “detect” and “respond” areas of the NIST framework. It helps organizations prevent risky transactions and reduce processing errors, fraud risk, and losses by identifying anomalies early enough to stop the transaction. The software uses SAP HANA technology to scan large volumes of data, identify risks and suspicious patterns, and generate alerts so you can react to compliance violation checks immediately and avoid transactions with suspicious third parties.

 

Single Sign-On, User and Identity Management, and Access Management

Different types of users (such as employees, customers, and business partners) work with SAP applications in heterogeneous landscapes (on premise, in the cloud, or both). These users need functions such as single sign-on, user provisioning, and segregation of duties in parallel with self-services, workflows, and role management, while security administrators need identity and access management solutions that ensure consistent and compliant identity management and access control.

SAP has several cybersecurity and compliance solutions and services that support the identity and access management needs of users and security administrators in a secure way, both on premise and in the cloud, and that help address the “protect” area of the NIST framework. These include SAP Cloud Identity Services, SAP Identity Management, SAP Single Sign-On, SAP Cloud Identity Access Governance, and SAP Access Control, which were discussed in detail in a previous SAPinsider article.

 

SAP Data Custodian

Maintaining data security and regulatory compliance is a primary concern with public cloud deployments. SAP Data Custodian, which helps address the “protect” area of the NIST framework, is a software-as-a-service (SaaS) product that is designed to give public cloud users insight into their public cloud resources and applications, along with data transparency, protection, and control in public cloud deployments.

This compliance solution provides monitoring and reporting functionality for data access, storage, movement, and location in the public cloud. In addition, security administrators can create and enforce access restrictions with policy-based controls and use encryption features across cloud applications to further strengthen data security and regulatory compliance.

 

SAP Enterprise Threat Detection

SAP Enterprise Threat Detection, which helps address the “detect” and “respond” areas of the NIST framework, is a real-time security event management and monitoring solution that is tailored to the needs of SAP applications and provides insight into SAP systems out of the box. It helps security administrators detect, analyze, and neutralize cyberattacks as they are happening, and before serious damage occurs. This solution provides a single source of truth for centrally audited SAP systems and provides all connected log types in a readable format. It recognizes any unusual or critical behavior inside the SAP system, such as brute force attacks, activation and use of highly privileged user accounts, and extraction of confidential information.

Using SAP HANA technology, all log types can be processed and correlated in real time, instantly creating a complete picture of what is happening instead of producing puzzle pieces that need to be assembled, which enables the early interception of hacking attacks. The generic approach of SAP Enterprise Threat Detection and its semantic understanding of SAP logs help the solution quickly and easily adapt to new threats with no additional development required.

The risk-based, step-by-step implementation process for SAP Enterprise Threat Detection allows organizations to start quickly with small (“alarm”) system scenarios that focus on the most important applications using a manageable amount of detection patterns and different log types. This helps quickly close security and audit gaps and protect the organization’s most valuable assets. More information on SAP Enterprise Threat Detection is available in a previous SAPinsider article.

 

SAP Services and Support

The SAP Services and Support organization provides resources that can help SAP customers take the right steps to strengthen cybersecurity protections and increase compliance throughout their SAP landscapes. With the SAP Consulting Security Services offering, the support team at SAP evaluates the customer’s IT landscape, creates the architectural plan and defines the necessary steps, and then supports the realization and implementation of the plan.

Through its SAP Cloud Application Services organization, SAP also offers managed security services for cybersecurity based on SAP Enterprise Threat Detection. With SAP managed security services for SAP Enterprise Threat Detection, the SAP managed services team monitors an organization’s SAP applications and, optionally, non-SAP applications. To meet the individual requirements of different organizations, several packages are available, ranging from basic event monitoring to highly complex threat hunting services. The agreed-upon SLA describes the exact content and extent of the managed service, including the monitoring time (from six days per month to 24 hours per day, seven days per week).

 

SAP HANA Platform Security

SAP HANA is designed as a multi-purpose business data platform for the intelligent enterprise that supports analytical and transactional scenarios in different deployment modes, both on premise and in the cloud. The security approach used for SAP HANA enables SAP customers to address the security requirements for this type of multi-purpose platform.

SAP HANA comes with a comprehensive security framework for secure data access and applications, with SAP standard functions for authentication, user management, authorization, encryption, and auditing. The SAP HANA data privacy option (data anonymization and masking) allows for the cautious treatment of sensitive and confidential data.

SAP HANA is designed to be set up and run securely in different environments. Tools, settings, and information help organizations configure, manage, and monitor SAP HANA security in their specific environment. SAP HANA cockpit provides a role-based security dashboard, security configuration, and user and role management screens.

 

Controlling Security Activities and Providing Insight to the C Level

An important component of a comprehensive security strategy is control over the activities performed for that strategy to ensure the compliance of the SAP landscape, which involves monitoring the behavior of applications in terms of the guidelines and legal requirements, such as data privacy requirements, in place where SAP systems are operating. It is also important to create transparency about cybersecurity risks, and to quantify these risks in monetary terms, to help those at the C level, and CISOs in particular, balance risks against appropriate business value and make better decisions. SAP offers several solutions to meet these needs, including SAP Process Control, SAP Risk Management, a cybersecurity dashboard concept, and SAP Privacy Governance.

 

SAP Process Control

Regulatory pressures are increasing as organizations expand into different geographical areas. While in the past, companies could set up a team to handle a new regulation, regulations are now increasing at a rate that outpaces the resources of most companies. In addition, organizations tend to have duplicate controls in place due to a siloed approach to managing regulatory compliance, which can be costly during tough economic times that require reduced costs and streamlined processes.

SAP Process Control provides a robust compliance framework that helps businesses document, test, and report across regulations and company initiatives, thus reducing effort, increasing visibility, and enabling more streamlined and harmonized processes. For example, a control can be documented once and assigned to as many regulations and initiatives as necessary, while still ensuring that data specific to each regulation is captured as required. If the result of a single evaluation is relevant for other scenarios, the evaluation can also be shared as appropriate. This not only saves time and effort, but also makes it easier to expand into new geographies and adopt new regulations and initiatives. It also establishes clear accountability by control, subprocess, regulation, or initiative.

 

SAP Risk Management

SAP Risk Management helps organizations integrate and coordinate risk management activities, gain a deeper understanding of risk, and plan timely, reliable responses. It provides reliable, accurate information for making better decisions and ultimately improving and sustaining the profitability of the business.

The solution enables companies to see and assess current and future risks, link them to business value drivers, and preserve and build on that value. It enables insights into how value is created and destroyed by linking risk drivers, key risk indicators, and related impacts, and it provides the ability to easily integrate and coordinate risk management activities across the organization, from corporate and executive levels to audit committees and operating managers. The instant access to information from key risk indicators and integration with SAP S/4HANA means businesses can act quickly and decisively on emerging risks and opportunities.

 

Cybersecurity Dashboard

When it comes to securing business applications, organizations tend to face three key challenges:

  • How to enable the application security team to prioritize the necessary cybersecurity actions
  • How to give the CISO insight into application security risk activities
  • How to bridge the gap between the problems faced by the CISO and the problems faced by the rest of the C-suite

One potential way to address these challenges is by building a cybersecurity dashboard using SAP Analytics Cloud and its integration with SAP security solutions, a concept in which several SAP customers have expressed interest, and which SAP is planning to build by working together with customers.

The idea is to create a customizable dashboard that combines the feeds from various cybersecurity solutions, analyzes attacks, and suggests actions for the application security team to prioritize. The dashboard would also give CISOs a snapshot of what their teams are doing at any point in time so they can adjust operations if necessary. In addition, the dashboard would help the board understand how cybersecurity risks can affect strategic business objectives, and make better decisions based on risk mitigation, by providing insight into the monetary value of cybersecurity risks and into the company’s overall risk management status.

 

SAP Privacy Governance

Complex data privacy regulations are emerging worldwide, from the EU’s General Data Protection Regulation (GDPR) to the first-of-its-kind California Consumer Privacy Act (CCPA) and India’s sweeping new privacy laws. Tracking which regulations affect a business and how they affect a business is no small task, and monitoring whether a business is in compliance is equally challenging.

SAP Privacy Governance addresses this by providing purpose-built automated tools to help organizations bring order and transparency to privacy compliance. This SaaS offering establishes data protection and privacy governance for the enterprise, supported by automation, transparency, and reporting that provides real-time insight into where the organization stands when it comes to complying with security and privacy regulations, and what needs attention before it’s too late and costly fines are imposed.

 

Summary

The security and compliance challenges faced by SAP customers across their technology landscapes vary widely and can be overwhelming. By establishing a solid security foundation for your organization — using the guidance of a framework such as the NIST Cybersecurity Framework and the resources provided by SAP for security and compliance — you have everything you need to overcome these challenges and succeed.

 

Martin Müller

Martin Müller (mart.mueller@sap.com) obtained an engineering degree from HFT Stuttgart, and went on to hold various positions in application development and product management in Germany and abroad. He joined SAP in July 1998 and worked in SAP Business Information Warehouse development until June 2000. Martin has been responsible for presales and program management for SAP’s various security products for more than 15 years, focusing on cybersecurity for the past six.

 

Arndt Lingscheid

Arndt Lingscheid (a.lingscheid@sap.com) studied general mechanical engineering at the University of Applied Sciences in Cologne. He then worked in Germany and abroad in the areas of SAP NetWeaver Basis, ABAP application development, and ABAP product development. Beginning in 2007, Arndt served as Product Manager for various SAP add-on products, and then in 2013, became Pre-Sales and Product Manager for SAP security add-on products. Since September 2019, he has been Product Manager for SAP Enterprise Threat Detection.



Jump-Start Your Process Automation Projects with Cloud-Based Artificial Intelligence Technologies

An Introduction to SAP AI Business Services

 

by Jana Wuerth, Senior Product Manager, and Ivona Crnoja, Project Consultant, SAP AI Business Services, SAP SE

 

For many organizations, artificial intelligence (AI) is no longer a future vision. It is already a key part of their plans for transforming into high-performing digital businesses with a competitive edge driven by automated processes and operations. For example, at least 50% of large global companies are projected to be using AI, advanced analytics, and the Internet of Things (IoT) in their supply chain operations by 2023. Furthermore, almost 60% of individual tasks involved in the source-to-pay process have the potential to be fully or largely automated using currently available technologies. Lastly, about 50% of the overall working time in finance and insurance is devoted to collecting and processing data, which represents a ripe opportunity for automation.

Statistics like these show a compelling case for cloud-based AI services. These services offer an easy way for organizations in various industries and lines of business to make AI-based technologies part of their innovation roadmap and to start benefiting from the productivity, efficiency, and agility they help create, which are especially critical in environments of uncertainty, such as the current COVID-19 pandemic. To help its customers improve the efficiency of business processes, reduce manual and repetitive work, and solidify the resilience of their operations, SAP offers SAP AI Business Services, a portfolio of cloud services that provide machine learning and AI capabilities for business applications.

This article provides process managers with an introduction to SAP AI Business Services and how they can be used to automate functions such as document processing, financial closing, recommendation capabilities, and service ticket classification. The article starts with a look at how these business services fit into a comprehensive digital process automation strategy and how they can help SAP customers drive end-to-end process automation. It then walks through two examples of how these services can improve processing time and quality: in a shared service center framework and in a business document processing scenario.

 

Introducing SAP AI Business Services

SAP AI Business Services (formerly known as SAP Leonardo AI Business Services) are part of the SAP Cloud Platform portfolio of services. Business services on SAP Cloud Platform leverage SAP technologies and SAP’s business process expertise to add reusable, cloud-based, business-relevant capabilities to SAP standard solutions and to enable the extension of customers’ legacy and third-party solutions. The services are designed to solve concrete business problems that can be found in various types of business processes, such as extracting information from invoices in accounts payable or submitting a travel expense report, and for this reason, they can be used across all lines of business within organizations.

SAP AI Business Services combine the concept of business services with innovative technologies to enable these capabilities for a variety of usage scenarios. These reusable services provide strategic machine learning capabilities that can automate and optimize business processes and enrich the customer experience across SAP’s intelligent suite of integrated, end-to-end applications, such as SAP S/4HANA, SAP SuccessFactors solutions, and SAP Customer Experience solutions. Through the open application programming interfaces (APIs) used by the services, they can be integrated into any SAP or third-party application to extend support for a process, enabling older legacy systems to become intelligent.

The SAP AI Business Services portfolio enriches the customer experience and provides immediate business value through the following services (Figure 1):

  • Business Entity Recognition helps to detect and highlight any given type of named entity in unstructured text.
  • Document Information Extraction enables the extraction of information from documents such as invoices and payment advices. Structured semantic information is extracted from unstructured documents and matched with relevant business data.
  • Document Classification allows the categorization of documents into different categories that are relevant for further processing of those documents.
  • Data Attribute Recommendation supports the automation of data management tasks by proposing categories, classes, and sub-categories.
  • Invoice Object Recommendation proposes the correct general ledger (G/L) account and other cost objects for invoices that come in without a reference.
  • Service Ticket Intelligence automatically classifies incoming service tickets and helps with resolving tickets faster by recommending similar tickets to the ticket processor.

 

Figure 1 — The SAP AI Business Services portfolio consists of services that are designed to solve concrete business problems


 

Using SAP AI Business Services in an End-to-End Process

SAP AI Business Services can be applied to various end-to-end processes either by using out-of-the-box integrations defined for some use cases, or by using the open APIs to define an integration. To give an idea of how this works, and how these services can be used to increase automation within end-to-end processes, we’ll look at two use cases that provide a useful illustration of combining services with one another and also with other intelligent technologies: shared service center automation and automated processing of business documents.

 

Shared Service Center Automation

In shared service centers, organizations bundle the provisioning of certain services to achieve higher service levels and quality standards. These improvement efforts often include creating economies of scale; eliminating redundancies in functions, people, and IT; and increasing the efficiency and standardization of processes. Typical examples of shared service centers include HR shared services for serving an organization’s employees or financial shared services for serving an organization’s suppliers.

To see what this might look like, let’s look at an example centered on a financial shared service center that takes care of supplier requests, inquiries, and complaints. In this process, shown in Figure 2, suppliers write an email or open a ticket in which they describe their situation or problem. Here, the Service Ticket Intelligence and Business Entity Recognition services are integrated with SAP Shared Service Framework to support the process.

 

Figure 2 — An example scenario where SAP AI Business Services help automate a financial shared service center’s supplier inquiry process


 

Let’s say that a supplier writes an email asking for the payment status of an invoice (see Figure 3). In this example, the supplier has not yet received the payment for this particular invoice and is asking when to expect payment.

 

Figure 3 — In the example shared service center scenario, the supplier asks for an invoice update via email


 

When the email is received by the ticketing system, the Service Ticket Intelligence service is used to automatically determine the ticket category. The service uses historical data, on which the AI training is performed, to identify the correct category. In the example, the ticket category could be “invoice inquiry,” for instance.

After the ticket categorization, the Business Entity Recognition service identifies the relevant entities in the body of the email. In the example scenario (see Figure 4), the service is able to detect the customer, the date, and the invoice number referenced in the email. The Business Entity Recognition service then returns those detected entities via an API, and the values can be transferred into a receiving system — for example, they can be displayed to the shared service center agent processing the email.

 

Figure 4 — In the example shared service center scenario, the Business Entity Recognition service identifies the relevant entities in the body of the email and returns them for display to the agent


 

The process can be further automated by adding SAP Intelligent Robotic Process Automation (SAP Intelligent RPA). A bot could pick up simpler requests, such as this invoice inquiry, instead of a human, saving even more time. With the extracted invoice number, the bot could go to the relevant back-end system, look up the current status of the invoice, and then automatically answer the supplier. With this type of support, the entire supplier invoice inquiry process can be fully automated. (A previous SAPinsider article took an in-depth look at getting started with process automation using RPA.)

SAP’s unique value proposition lies in the ability to combine different kinds of innovative solutions to provide its customers with unique end-to-end process automation capabilities. This enables customers to enrich standard processes and significantly increase the level of process automation across their organizations, going beyond the core process, to achieve operational excellence.

 

Intelligent Business Document Processing

Documents are at the core of just about any business process, and many enterprises across various industries still process large amounts of paper-based documents daily. Invoices alone amounted to approximately 550 billion paper-based and digital invoices worldwide in the past year. Another 124 billion business e-mails are being sent and received every single day, while the UK alone prints 11 billion paper receipts per year. Considering the amount of resources, time, and effort needed to process these various forms of business documents in huge organizations, businesses have a pressing need for solutions that can help them automate the processing of these documents.

There are three services available with SAP AI Business Services that tackle the problem of document processing: Document Information Extraction, Document Classification, and Business Entity Recognition. The underlying principle is to first transform unstructured documents to structured information with machine learning-based document processing, and in the next step, embed the information into business processes for instant value, meaning improvements in speed and accuracy as well as significant cost reductions.

The three services function as follows:

  • Document Information Extraction is a highly scalable cloud service that can fully automate the information extraction process, saving employees and enterprises valuable time that can instead be spent on higher value tasks while lowering the error rate and achieving more accurate results.
  • Document Classification increases business process efficiency by automatically classifying documents into pre-defined categories, making the routing of documents to the respective processing department and automated follow-up processes possible.
  • Business Entity Recognition, as described in the shared service center use case, automatically detects named entities in any given textual input, such as supplier ID or invoice ID.

Let’s look at a specific use case for the Document Information Extraction service. Processing invoices in the accounts payable department is a challenging and time-consuming task in most enterprises. Large numbers of invoices are received by the clerks daily and need to be processed accordingly. Invoices come in various formats, and each company sending invoices uses different templates and places information in different spots inside the document. Business-critical data and information is often extracted manually by the clerks, leading to long processing times and error-prone outcomes, as the process includes manual tasks such as reading the invoice, understanding its context, typing relevant information into the ERP system, and enriching extracted information with additional data.

The Document Information Extraction service can extract information from invoices (unstructured business documents) and semantically analyze the extracted information (see Figure 5). Vendor matching and employee matching capabilities enable the service to enrich the existing structured master data with additional business-critical data — such as an invoice number or supplier ID — for customers, employees, or suppliers. This enables employees to quickly return to relevant processes and to focus their attention on more value-creative tasks, rather than having to manually process the information as part of a lengthy process.

 

Figure 5 — In this example, the Document Information Extraction service can extract, structure, and enrich information from invoices


 

While this specific example focuses on the Document Information Extraction service, all three of the previously mentioned services are offered as part of the Business Document Processing portfolio, which can form a powerful end-to-end process when used together. Processing the large amounts of documents that organizations receive every single day can be tiresome and can take up huge amounts of time. With the help of the Document Information Extraction, Document Classification, and Business Entity Recognition services, this process can be almost fully automated.

Through the Document Classification service, incoming documents can be classified into customer-specific types, such as invoices or complaints. The Document Information Extraction service can then extract business-critical information from a document’s header or line item field to automate the follow-up processing. On the other side, through the Business Entity Recognition service, free text can be analyzed to recognize and extract business-relevant entities and enable automated follow-up processing (see Figure 6).

 

Figure 6 — The services offered as part of the Business Document Processing portfolio together can form a powerful end-to-end process based on machine learning


 

Summary

The implementation of AI-based business applications can transform an enterprise in myriad ways. The automation of business processes, the insights gleaned through improved data analysis, and the expanded possibilities for customer and employee engagement that can be granted with AI are crucial for the ongoing success of companies across industries.

With SAP AI Business Services providing an easy on-ramp to the benefits of AI, SAP customers don’t have to wait any longer to start taking advantage of its benefits. Learn more at the SAP Community page for SAP AI Business Services and take the services for a test drive with an SAP Cloud Platform trial.

 


Women in SAP Tech Spotlight

Ivona Crnoja

Ivona Crnoja, Project Consultant, SAP AI Business Services, SAP SE

What specific skills have you found to be most helpful in getting you where you are today?

I believe soft skills are of immense importance. While it is of course very important to also develop your job-specific hard skills, developing soft skills such as collaboration and networking skills, (written) communication skills, and problem-solving skills has become at least as critical. Also, I would recommend everyone who has the chance to spend some time either working or studying abroad. My years abroad have not only taught me to speak multiple languages, but also helped me develop many basic skills such as agility, empathy, critical thinking, and intercultural competences. Lastly, I believe it is crucial to keep up with the latest technology trends and developments since technology is advancing at an incredible speed and continuing to impact every aspect of our lives.

What is your organization doing right when it comes to transparency, collaboration, and inclusion?

SAP is a global organization with employees from all over the world. It is therefore strongly committed to topics such as diversity, inclusion, equality, and sustainability. Diversity, for example, has been shown to be a crucial driver for performance and innovation, and I believe the fact that SAP places so much emphasis and value on these topics has been a crucial success factor in the past. No matter the nationality, ethnicity, culture, or sexual orientation, SAP preaches and practices a culture in which everyone feels included and empowered and no one is left behind. SAP also leverages technology to ensure inclusion, with streamlined processes and tools that are accessible for all. It gives me peace to know that I work for an employer that values every single individual for what they have to contribute.

What advice would you offer to women seeking to advance their careers?

Still being a fairly young woman myself, the one thing that I would like to impart to women of all stages and ages (myself included) is to be confident! Believe in yourself and your abilities, speak up, volunteer for that project (that seems somewhat over-ambitious), and don’t be afraid to ask for that salary raise. Remind yourself to be persistent and assertive, and try to not belittle yourself. Also, if your company offers such initiatives, make use of personal career coaching and mentoring and work on building a strong network of successful women that you admire who can support you on your way forward.

Jana Wuerth

Jana Wuerth, Senior Product Manager, SAP AI Business Services, SAP SE

What do you like best about your career?

With so many innovations happening in technology, a career in this field is very diverse and fast-paced, and it never gets boring. I like this diversity and fast-paced environment because there is always something new to learn, and there are always new opportunities for growth and development. I am also fascinated by the things that can be achieved with technology and the progress that can be made in the world. For example, the way that a machine can recognize lung cancer on x-rays with higher confidence than a human being, enabling faster treatment and higher chances of recovery, shows that technology is still improving our way of life.

How would you advise women who are just starting out in their careers in technology?

A saying I find to have a lot of truth in it is, “A comfort zone is a beautiful place, but nothing ever grows there.” Try things out of your comfort zone. If your manager or your project lead asks you to do something you have never done before, take the task and try your best to achieve it. If you feel like it is not working out, you can still ask for help, but don’t say “no” or get scared because you have never done it before. Be bold and trust in yourself, in your skills, and in your abilities. We grow with our challenges.

What recommendations do you have to help women with their professional development?

One piece of advice I have for women who are at any stage of their professional career is this: “Do a good job — and talk about it.” Women tend to minimize themselves. They don’t talk about the great things they have achieved, and instead point out who helped them or say that it wasn’t that big of a deal. Don’t do that! Accept the compliments for the hard work you have accomplished. Don’t hide, but be proud of yourself, and especially, don’t let others take the credit for your achievements.

And don’t only talk about your achievements. State your opinion, share your viewpoint, and ask for a certain opportunity or the training you always wanted. Use initiatives for career development within as well as outside of your organization — for example, look for a coach or a mentor who can give you advice on how to handle certain situations or how to improve some of your weak spots. And lastly: be sure to network. Women are often excellent communicators — use this advantage to grow a large network of people who can help you and support you in achieving your goals.


 

Jana Wuerth (jana.wuerth@sap.com) is a Senior Product Manager for SAP AI Business Services. She focuses on go-to-market strategy and commercialization topics, and she is always on the lookout for new opportunities to infuse artificial intelligence into various business processes to improve efficiency and automation rates. Jana has been with SAP for more than 10 years and has experience in a number of roles, from consulting to solution management and product management. Taking the best out of these experiences, she is always enthusiastic about new approaches.

Ivona Crnoja (ivona.crnoja@sap.com) is a Project Consultant and Storyteller at SAP, driving various projects and communication activities for the SAP AI Business Services team in Germany. This team works on developing generic machine learning and artificial intelligence capabilities that customers can use out of the box to automate and optimize business processes. Ivona dedicates her time to exploring the latest artificial intelligence trends, while writing articles and blog posts to share the team’s latest achievements with the world.



SAP Announces Q3 Financial Results

Cloud Numbers Improve But 2020 Guidance Reduced

by Robert Holland, VP Research, SAPinsider

 

Despite initial expectations of a decrease in revenue in Q2 of 2020 followed by a gradual improvement in Q3, SAP today announced that their overall revenue for the quarter decreased 4% and that their IFRS operating profit decreased 12%. However, while the numbers this quarter were lower, overall revenue year to date was still up 1% year over year.

 

SAP Q3 2020 numbers

 

Software Revenue, Total Revenue, & Profit Fall

While SAP sought to emphasize its continued and accelerated transition to the cloud and has increased its target for cloud revenue to €22 billion by 2025, there was a negative market reaction to the numbers from the German software maker.

Total Revenue decreased 4% year over year in both IFRS and non-IFRS reporting to €6,535 million, Cloud and Software Revenue decreased 2% year over year in IFRS and non-IFRS to €5,544 million, but the biggest drop was a 12% IFRS reduction in operating profit to €1,473 million (1% in non-IFRS). At the same time Cloud Revenue increased by 11% IFRS (10% non-IFRS) to €1,984 million, though this obviously did not offset the reduction in overall software revenue.

All of these metrics increased for the first nine months of 2020 as a whole, with IFRS Cloud Revenue increasing by 18% year to date, but the numbers for the quarter show that the global economy has not yet begun the recovery that SAP had expected.

 

A Deeper Examination

Looking at the specific numbers, SAP only reported details for four segments within the organization: Applications, Technology & Support; Concur; Qualtrics; and Services. The only one of those four segments that showed an increase in revenue in Q3 was Qualtrics, which improved by 22% to €169 million year over year. While important, this was offset by the 16% reduction in Services revenue, 14% reduction in Concur revenue, and 2% reduction in Applications, Technology & Support revenue (the largest area by far, representing 78% of total revenue). This reduction in services revenue aligns with both research and conversations SAPinsider has had with many customers transitioning to SAP S/4HANA who are spending much of 2020 planning for the future unless they already had projects underway, and is consistent with a reduction in services revenue globally, especially as seen with organizations like Accenture and Deloitte.

In the cloud, where SAP reported significant growth, the quarterly statement indicated that there was a 7% reduction in cloud revenue in the Intelligent Spend group (SAP Ariba, SAP Concur, and SAP Fieldglass), with the reduction in Concur revenues having the largest impact on that number. Given that Concur facilitates travel and expense management, that reduction in revenue can be explained by the lack of business travel this year. On the positive side, SAP saw an increase of 21% in actual currency in other SaaS and PaaS revenue to €1,127 million, and a 19% increase in IaaS cloud revenue to €208 million. This indicates that the biggest cloud growth areas for SAP were in areas like SAP SuccessFactors and SAP HANA Enterprise Cloud.

SAP also stated that over 500 SAP S/4HANA customers were added during the quarter, which took the adoption total to over 15,100 customers. This is a 20% increase over the number running SAP S/4HANA at the same point in 2019, with approximately 8,100 (53.6%) of these customers reported as being live. Of those new customers added this quarter, around 45% were net new. While this is a positive sign for adoption of the product outside the existing enterprise ERP landscape, which SAP has previously stated is approximately 45,000 customers, it may also indicate that adoption of SAP S/4HANA within that landscape is slower than expected even though SAPinsider has seen a steady increase in those reporting that they have completed the transition to SAP S/4HANA.

Regionally, SAP reported “resilient performance” in the EMEA region, the only region that saw growth in both cloud and software revenue this quarter. Stating “solid performance” in the Americas and APJ, both regions saw a decrease in cloud and software revenues with only modest growth in cloud revenues (14% in EMEA and only 3% in the Americas). With the US market being the largest globally for SAP, and with many organizations delaying investment due to ongoing market uncertainty, it is no surprise that growth was lower than expected in this region compared to EMEA where many organizations returned to more normal operations during the quarter.

As a response to these results, SAP has updated its business outlook for the remainder of 2020. SAP expects full year operating profit to be in the €8.1–8.5 billion range, a reduction of approximately €200 million, and total revenue to be between €27.2 and 27.8 billion, a reduction of €600–700 million. Even with the continued growth of cloud revenue in Q3, SAP also expects cloud revenue to end up slightly below earlier predictions at €8.0–8.2 billion, a reduction of €300–500 million from the previous guidance provided in April.

 

What Does This Mean for SAPinsiders?

SAP’s overall performance continues to be greatly impacted by the global pandemic, as is the case with many organizations around the world. What remains to be seen is whether the extended pandemic continues to have a negative effect into Q4, or whether things will improve. To be prepared for whatever happens, SAPinsiders should:

  • Look for SAP to continue to push cloud adoption. Alongside the quarterly results, SAP also released a strategy update titled “Accelerating Our Customers’ Business Transformation in the Cloud”, which demonstrates that SAP sees the cloud as the path it needs to take and where it wants customers to be from both an adoption and investment perspective. No matter what your current infrastructure and product usage, SAP will continue to push cloud adoption.
  • Expect further emphasis on the transition to SAP S/4HANA. While SAP has shown continued growth in those purchasing SAP S/4HANA, adoption within the existing customer base has only been some of that growth. Even though SAPinsider research has shown that many customers see the benefits that SAP S/4HANA offers from a functionality perspective, the cost of that transition can be expensive. SAP will continue to emphasize this transition and enterprise ERP customers in particular should expect an emphasis on determining their plans for the product.
  • Continue to leverage SAP’s focus on the customer. At the beginning of 2020, SAP emphasized the fact that it is focused on the customer. While that message may have been somewhat lost in everything that has happened in 2020, SAP has continued to make customer focus an emphasis. Use this to your advantage during your day-to-day interactions with your SAP contacts.
  • Educate yourself around the current SAP strategy. SAPinsider is hosting our EMEA virtual event from November 17-19, which includes global summits on SAP S/4HANA and Supply Chain. Attendance is free to registered users, and you will have the opportunity to hear from those inside and outside SAP on current strategy, as well as what you need to make your 2021 plans successful.


Session Recap: Options for Extending and Integrating SAP S/4HANA with SAP Cloud Platform

by Annie Kennedy, Associate Conference Producer, SAPinsider

On the third day of the SAPinsider Virtual Conference Experience, Reddy Venumbaka, Senior Director of Product Marketing at SAP, led an informative session on the options available for extending SAP S/4HANA and integrating with SAP and non-SAP applications using SAP Cloud Platform.

Venumbaka set the stage by explaining the wide range of benefits that come with using SAP S/4HANA with SAP Cloud Platform, including:

  • Reducing maintenance and upgrade costs by decoupling your custom code and moving it to the cloud
  • Accelerating integration using 1,400+ prebuilt integration flows and 175+ open connectors
  • Leveraging your existing ABAP developers to extend and build new cloud innovations securely
  • Simplifying development and delivering applications fast with low-code rapid development tools
  • Building new business models with SAP HANA Cloud, creating unique user experiences with SAP Fiori, and supporting mobile services such as iOS and Android
  • Enabling focus on higher-value tasks by augmenting knowledge workers and automating repetitive tasks
  • Expanding globally and complying with regulatory and data privacy requirements with the choice of cloud providers

He also walked through SAP Cloud Platform Integration Suite and how it integrates with other SAP solutions and third-party applications such as DocuSign and tax calculation programs, further emphasizing the benefits the platform can provide to customers navigating a modern business landscape. To illustrate, Venumbaka used SAP customer Natura — a Brazilian cosmetics and personal care giant that operates stores including The Body Shop in the US, Latin America, and France — as an example. Natura used SAP Cloud Platform Integration Suite to integrate various systems for a 360-degree view of its data, increasing efficiency across operations and providing faster order fulfillment for 3.5 million ecommerce customers while allowing Natura to process 200 purchasing requests in a single minute. Venumbaka shared some screenshots from a June 2020 webinar by Hamilton Bokaleff of Natura, showing Natura’s simplified architecture thanks to SAP Cloud Platform.

For extending SAP S/4HANA, Venumbaka noted that SAP Cloud Platform enables companies to leverage their existing ABAP processes and expertise. The ABAP environment within SAP Cloud Platform is designed to extend SAP applications with whitelisted APIs, he said, and it includes SAP HANA for persistence. SAP Cloud Platform integrates source code management with Git and is fully managed by SAP, allowing for a clean core by decoupling custom code from the digital core and reducing administrative and maintenance effort and cost, he added. SAP Cloud Platform ABAP environment also includes the latest ABAP, SAP HANA, and cloud innovations, and enables you to easily migrate your custom code with a modern cloud-based ABAP environment.

When it comes to automating SAP S/4HANA processes, Venumbaka outlined the advantages of using the robotic process automation (RPA) capabilities available with SAP Cloud Platform through the SAP Intelligent RPA service, which provides best-in-class integration with SAP applications, predefined bots, reusable components, comprehensive bot development tools, fully attended and unattended RPA capabilities, flexible pricing, and embedded artificial intelligence and machine learning. As an example, Venumbaka spoke of REHAU, a polymer company in China, that used SAP Intelligent RPA to automate financial processes that required significant manual intervention and redundant work. REHAU saved time and cut down on human error, and its employees have been able to spend more time on innovative work thanks to SAP Intelligent RPA reducing financial accounting document handling time from four days to 10 minutes, and reducing closing time from a full day to two minutes.

SAP HANA Cloud is a fully managed SAP HANA data platform-as-a-service that you can leverage to build custom applications with SAP Cloud Platform that support an SAP Fiori-based user experience, mobile capabilities for iOS and Android, and automation capabilities, Venumbaka said. A cloud-based approach is especially useful if you want to expand globally and comply with various countries’ requirements, he added, since SAP Cloud Platform runs all over the world on platforms from a variety of providers, including Alibaba Cloud, Amazon Web Services, Google Cloud, Microsoft Azure, and SAP. And with partners building applications using SAP Cloud Platform and making them available in SAP App Center, you don’t always need to build your own. Venumbaka recommended that attendees start with a free trial of SAP Cloud Platform to see how it works.

During the Q&A following the presentation, Venumbaka answered a variety of questions from attendees. One area of particular interest was what’s involved in getting SAP Cloud Platform to talk to SAP ECC, which some customers are still running with SAP Business Suite. Venumbaka emphasized that customers can get started using SAP Cloud Platform with SAP ECC without any restrictions. Integrations can be used to connect SAP Cloud Platform with SAP Business Suite, and SAP highly recommends using SAP Cloud Platform if you have SAP Business Suite today and plan to go to SAP S/4HANA in the future.

Attendees were also interested in understanding why it is better to develop on SAP Cloud Platform than SAP S/4HANA itself. Venumbaka explained that using SAP Cloud Platform for integration and custom development reduces maintenance costs and simplifies upgrades. It keeps SAP S/4HANA stable while taking advantage of the guaranteed access provided by SAP Cloud Platform through published APIs, as well as the latest innovations and automatic updates.

A recording of the full session and the Q&A that followed will soon be available on demand from the SAPinsider 2020 Virtual Conference Experience.



Session Recap: Data Readiness and Preparation for Your SAP S/4HANA Implementation

by Annie Kennedy, Associate Conference Producer, SAPinsider

On day three of the SAPinsider 2020 Virtual Conference Experience, Don Loden, Director of Data and Analytics at Protiviti, shared a host of insights in the session “Data Readiness and Preparation for Your SAP S/4HANA Implementation.” A focus on data quality during an SAP S/4HANA migration is key, according to Loden, because without quality data, your investment with SAP S/4HANA will not reach its fullest potential.

A critical part of the SAP S/4HANA migration journey, according to Loden, is making sure your data is ready for the move, which involves understanding your current environment, how you’re using your data, what reports you’re using, and what challenges you’ve faced with reporting that SAP S/4HANA can help with via embedded analytics. Loden recommended keeping the following in mind:

  • What issues do you have with your data?
  • What scope of reports will you need to go live?
  • Are all of them needed or can embedded analytics or out-of-the-box products replace them?

It’s also important to make sure the core is clean by extracting, transforming, and cleaning the data before the migration, so you can build a solid foundation going forward, and a key component of this is archiving. When considering what to archive, Loden said to ask yourself the following:

  • Were customizations made because they were core to how you do your business or because you wanted some shortcuts? Keep your core clean so you can go live as close to the SAP standard as possible.
  • What do I need to get rid of to simplify the process? Assess the quality of your data and take a look at quantifiable aspects, such as what’s missing or not performing as it should.
  • What does my business look like today, and after rolling over in the next 9-12 months, where will we be and what can be built into the implementation? Build into the core how your business looks not only today, but also tomorrow.

The bottom line, according to Loden, is that you need to understand your data better than anyone, and make sure your data is trustworthy. You need efficient processes, clear rules, and defined stewardship, and after you go live, you need to take care of your master data going forward. And while SAP can help, the readiness of your data is generally your responsibility as an SAP customer, Loden emphasized. You need to make sure you can answer questions such as:

  • Are there competencies, tools, and technologies in-house that can help me deal with things like cleaning data before I start my SAP S/4HANA implementation?
  • Do I know what to do with historical data?
  • Do I know what to do about duplicate accounts?
  • Do I have data that’s crucial to the business in Excel instead of my legacy system?
  • Do I have high rates of EDI failure when processing orders? Do I have obsolete product codes?

As a key takeaway, Loden stressed that data is one of the biggest risks to any ERP implementation, and SAP S/4HANA is no different. Bad data gets bad results, and it’s cheaper and easier to ensure data readiness before the project begins rather than trying to address data issues in the middle of the project. If your plan is to migrate to SAP S/4HANA in two years, now is the perfect time to start working on the readiness of your data, according to Loden.

When it comes to assessing your data readiness, Loden noted that a data migration is split into two phases: pre-migration and migration. In the pre-migration phase, the assessment focuses on conversion planning (data design and data extraction); data profiling and data cleansing; and conversion preparation (data mapping). During the migration, the assessment focuses on developing the conversion process (business rule analysis); testing the conversion process (data transformation and data remediation); and the conversion execution (data load).

According to Loden, the key data migration activities for assessing data readiness are data design and data extraction in the conversion planning stage; data profiling and data cleansing; and data mapping in the conversion preparation stage. To help with the assessment, use a remediation plan and scorecards to help with benchmarking, he recommended. By assessing source systems, data staging, data profiling and cleansing, and data quality, you’re taking what’s critical for a process to succeed, applying it to the expected behavior of that data for success, and seeing what happens in the scorecards.

When you choose to move forward with your SAP S/4HANA journey, be sure to monitor and keep your data clean before the move, said Loden, and be sure to consider the current state of your data in relation to the upcoming SAP S/4HANA implementation — where are you, and where do you need to go? Also evaluate the tools you own or need to procure. You may already own software such as SAP Data Services or SAP Information Steward. And again, don’t wait to start the planning process, emphasized Loden. Reach out to third parties for help, whether it’s user communities or conferences or services from external vendors, and take advantage of resources and networks.

After the presentation, Loden took questions from attendees, and one area of interest was how long it takes to assess your data readiness. Loden said it’s not months or years, but rather weeks with help from a third party like Protiviti. On your own, however, it could take six months because of all the required data mapping. A recording of the full session and the Q&A that followed will soon be available on demand from the SAPinsider 2020 Virtual Conference Experience.