SAP Cloud Platform Integration Onboarding Guide: Public 2021-02-14

PUBLIC
2021-02-14
SAP Cloud Platform Integration Onboarding

Guide
© 2021 SAP SE or an SAP affiliate company. All rights reserved.
THE BEST RUN

Content
1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Getting Access to SAP Cloud Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3 SAP Cloud Integration in SAP BTP Cockpit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
4 Adding New Administrators (Optional). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
5 Assigning Users and Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6 Available Roles and Authorization Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7 Verifying Access for Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
8 Performing a Smoke Test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
9 Security FAQs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

9.1 Transport Level Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
10 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
SAP Cloud Platform Integration Onboarding Guide

2 PUBLIC Content
1 Introduction
This quick start guide provides all the information you need to quickly onboard after subscribing to SAP Cloud
Integration. Here are the steps in which you can complete the onboarding:

Introduction PUBLIC 3
2 Getting Access to SAP Cloud Integration
Context
After you subscribe to any of the SAP Cloud Integration editions, you will receive one or two e-mails from SAP
based on the edition of SAP Cloud Integration that you have purchased.
● If you have not received this e-mail, the most likely reason is that your user ID was not specified in the order
form. Check with your internal team who was responsible for signing the contract and check which e-mail
ID or S-user ID was provided to SAP Account Manager in the order form.
● Check with SAP Account Manager which S-user ID was provided in the order form.
● Contact the SAP Customer Success Team at [email protected].
● If you are still facing issues, create a ticket using the component LOD-HCI. The SAP Cloud Operations team
will provide a solution.

4 PUBLIC Getting Access to SAP Cloud Integration
3 SAP Cloud Integration in SAP BTP
Cockpit
SAP provides Cloud Integration tenants with Admin access to the S-user ID specified in the order form. This
user is the administrator of the tenant.
To check whether the administrator can access the Cloud Integration tenants, you need to log on to the SAP
BTP cockpit. There are different URLs for different data centers. You need to use the URL provided in the e-mail
from SAP (refer to example e-mail in Getting Access to SAP Cloud Integration [page 4]) and log on with your S-
user ID and password. The following screen appears:
You can view the Global Accounts ID by clicking on the  (information)
Selecting Services, you get an overview of all services enabled for your subaccount. Under Integration select
the tile Cloud Integration. When you choose Configure Cloud Integration, you have the following options (when
you have purchased Enterprise Edition):
● Provisioning a message broker if you like to use Java Message Service (JMS) queues
● Activating Integration Content Advisor for the subaccount

SAP Cloud Integration in SAP BTP Cockpit PUBLIC 5
4 Adding New Administrators (Optional)
Prerequisites
● Only users with a valid S-user or P-user ID can be added as members of the tenant.
● If you don't have an S-user ID but are eligible for one (you are a customer or a partner), please follow the
steps in this link to generate a new S-user ID and password.
● If you don't have a P-user ID, please follow the steps in this link to generate a new P-user ID and
password.
● You have logged into the SAP BTP
Context
SAP grants administrator rights to the S-user ID specified in the order form. This user can grant administrator
rights to other users in this account.
Procedure
1. In the cockpit, choose Members.

6 PUBLIC Adding New Administrators (Optional)
2. Choose Add Members.
3. In User IDs field, enter the S-user or P-user IDs of all the users you want to add as administrators. Select
the roles Administrator (predefined role), Developer (predefined role) and Cloud Connector Admin
(predefined role).

Adding New Administrators (Optional) PUBLIC 7
Next Steps
● The Cloud Connector Admin role is not mandatory for all users and depends on your requirements. Check
question 16 in Security FAQs [page 29]. Also, you may not need the Cloud Connector Admin role during
onboarding.
● If you have more than one tenant, you must add members to each tenant separately.
● For the latest documentation and detailed instructions on how to add members to an account,see Adding
Members to an Account.

8 PUBLIC Adding New Administrators (Optional)
5 Assigning Users and Roles
Prerequisites
● Only users with a valid S-user or P-user ID can be added as members of the tenant.
● If you don't have an S-user ID but are eligible for one (you are a customer or a partner), please follow the
steps in this link to generate a new S-user ID and password.
● If you don't have a P-user ID, please follow the steps in this link to generate a new P-user ID and
password.
Context
Once you have verified that you have administrator access and have added any additional administrators
required, you can assign users who will work on SAP Cloud Integration scenarios and grant them the necessary
user roles.
Procedure
1. To assign users to your tenant account, choose Security Authorizations Groups .
We recommend that you assign Users and Roles on the Groups tab as this is the most efficient way of
managing user role assignments.

Assigning Users and Roles PUBLIC 9
2.
IMPORTANT
We have used Authgroup.IntegrationDeveloper as an example here. You can use other authorization groups
as well, depending on your requirements.

10 PUBLIC Assigning Users and Roles
6 Available Roles and Authorization Groups
We recommend that you use authorization groups to assign user roles. , you need to assign the role
esb.messaging.send to the user with whom you want to perform basic authentication for the HTTPS inbound
scenario for SAP Cloud Integration.
For detailed information on tasks and the roles that you need to perform them, see Tasks and Required Roles.
For the latest documentation and detailed instructions on how to assign roles, see Defining Authorizations.
The following table provides an overview of some of the frequently used authorization groups.
Authorization Groups Overview
Authorization Group Description
AuthGroup.BusinessExpert Enables a business expert to perform business tasks.
This includes tasks such as:
● Monitoring integration flows

● Reading the message payload
AuthGroup.Administrator Enables the administrator of the tenant cluster (also referred

to as the tenant administrator) to connect to a cluster and
perform administrative tasks on the cluster.
● Deploying security content (for example, keystores or

SSH known hosts artifacts)
● Deploying integration flows
● Canceling messages
● Deleting messages from the transient data store
AuthGroup.IntegrationDeveloper Enables an integration developer to connect to a cluster us

ing Integration Designer and to display, download, and de
ploy artifacts (for example, integration flows).
This includestasks such as:

● Deploying integration flows
● Deploying security content included in integration flows
(for example, keystores or SSH known hosts artifacts)
● Canceling messages

Available Roles and Authorization Groups PUBLIC 11
Authorization Group Description
AuthGroup.ReadOnly Enables you to connect to a tenant cluster (from the cus

tomer side), display nodes and node properties, and monitor
messages.
AuthGroup.SystemDeveloper Enables a system developer to perform the tasks required

for system support.

● Restarting subsystems of the tenant cluster
● Software development tasks on VMs of the tenant clus
ter
 Note
System developer tasks are typically required in the sup
port case by SAP experts who need to perform tasks de
bugging on the tenant cluster.

12 PUBLIC Available Roles and Authorization Groups
7 Verifying Access for Users
The next step is to verify whether all the users that you have added have access to the SAP Cloud Integration
application.
In the welcome e-mail that you received from SAP, you will find the URL for the WebUI, (the Web application.)
Here's an example:
Launch this URL in a browser (Internet Explorer or Google Chrome). Enter your S-user or P-user ID and
password to log on to the application. The following screen appears, showing prepackaged integration content
from SAP.
If you are unable to verify access, perform the following steps:
1. If you get an authentication error or any other issues, please check that you have assigned the right role to
the S/P-user that you are verifying access for. For more information, see Assigning Users and Roles [page
9].
2. You can also contact the SAP Customer Success Team at [email protected].
3. If you get an Access Denied error even though you have correctly assigned the required user roles, please
check the SSO certificates in your browser. The browser might be using another user for the SSO logon
instead of the S-user that you defined in the roles and authorizations.

Verifying Access for Users PUBLIC 13
4. If you are still facing issues, create a ticket using the component LOD-HCI. The SAP Cloud Operations team
will look into the issue and provide a solution.

14 PUBLIC Verifying Access for Users
8 Performing a Smoke Test
Context
Procedure
1. Launch the application URL provided by SAP.
For information about how to obtain this URL, see Verifying Access for Users [page 13].
You see the logon screen.
2. Enter your S/P-user ID and password. Choose Log On.

Performing a Smoke Test PUBLIC 15
3. Choose to access your workspace. This is where you will create integration packages and develop
and deploy integration flows.
4. Choose Create to create a new integration package.
5. Enter <Name> and <Short Description>. If you leave the <Technical Name> field empty, the value
you have entered in the <Name> field is used. You cannot change this after you have saved the integration
package.
6. Choose Save.

16 PUBLIC Performing a Smoke Test
7. Choose Artifacts Add Integration Flow .
8. Enter Name (mandatory) and Description (optional). The <ID> is automatically provided by the system.
Choose OK.
9. You can now see the artifact with the Name you provided. Select it.
10. The integration flow that you have created opens in the integration flow editor. Choose Edit to edit the
integration flow.

11. Mouse over the Sender, Receiver, and Start steps, and choose Delete to remove them from the integration
flow. We will not be using these steps in this smoke test. The final integration flow should look like this:
12. Now, let's model the integration flow to create the smoke test. The first step is to add the Timer step from
the palette. Select > Timer, then click inside the Integration Process where you want to place the Timer.
13. Select External Call Request Reply and add it to the integration process.

14. Select Script Groovy Script and add it to the integration process.
You see the Script Editor.

15. Replace the contents of the Script Editor with the following script and choose OK.
import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;
def Message processData(Message message)
{
def body = message.getBody(java.lang.String) as String;
def messageLog = messageLogFactory.getMessageLog(message);
if(messageLog != null)
{
messageLog.addAttachmentAsString("Log current Payload:", body, "text/
plain");
}
return message;
}

16. Select Exception Subprocess and add it to the integration process.
17. Delete the message path between Error Start and End by selecting the message path and choosing
(Delete).
18. Choose Content Modifier and add it insideException Subprocess 1.

19. Go to the Message Body tab. In the Body field, enter The service is unavailable at the moment.
Please try again after some time..
20.Select Script GroovyScript and add it inside Exception Subprocess 1.

21. Replace the contents of the Script Editor with the following script and choose OK, just like you did in Step
15.
import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;
def Message processData(Message message)
{
def body = message.getBody(java.lang.String) as String;
def messageLog = messageLogFactory.getMessageLog(message);
if(messageLog != null)
{
messageLog.addAttachmentAsString("Log current Payload:", body, "text/
plain");
}
return message;
}

 Tip
Rearrange the integration flow steps in Exception Subprocess 1 to ensure that you can easily define the
message path.
22. Select Receiver and add it outside the integration process.
23. Choose the message path icon from Request-Reply and define a message path to Receiver1.
24. In the Adapter Type prompt, select HTTP.

25. In the adapter properties, go to the Connection tab. Enter the following values for the fields:
Field Description
Address http://www.webservicex.net/globalweather.asmx/GetCi
tiesByCountry
Query CountryName=Germany
 Note
You can provide any country name you want.
Proxy Type Internet
Method GET
Authentication None
Ensure that the Send Body checkbox is selected.

26. Define the other message paths just like you did in step 23, and complete the integration flow as shown
below.
27. Choose Save. This saves the integration flow with the input that you have provided.
28. Choose Deploy.
29. Choose OK in the confirmation prompt.
You see a message that the integration flow Smoke Test has been deployed successfully.
You have to go to the monitoring tab to see the status of your integration flow.

30.Choose to go to the Monitoring tab.
You see the overview of the monitoring section.
31. Select All Integration Flows.
You see the integration flow that you deployed in the Artifact Name column with status Completed.
32. Select the entry.
You see more information about the deployed integration flow. The Status Details tab shows that message
processing completed successfully.
33. In the MPL Attachment column, choose Log Current Payload.

34. You see a list of cities from the country you entered in step 25. In this case, you entered Germany, so you
see a list of cities in Germany.
35. If the weather service that you accessed is unavailable, you see the message 'The service is unavailable.
Please try again after some time.'.

Results
If you see either a list of cities (step 34) or a message (step 35), this means that the smoke test was executed
successfully and you can start using SAP Cloud Integration for processes productively.

9 Security FAQs
How can new users and authorizations be added once a customer gets the
SAP Cloud Integration tenant? Who is authorized to add new users?
When SAP provides a tenant, administrator permissions are given to the S-user ID provided by the customer in
the order form during contract signing. This administrative user can go to the SAP BTP cockpit and add
additional users, and assign them roles and authorizations. Since SAP Cloud Integration uses SAP Cloud
Identity provider by default, all the users must have valid S-user or P-user IDs.
You can also configure Cloud Integration to use your own custom identity provider.For more information, see .
Where can I find a list of all roles and authorizations that can be assigned to
users?
More information:
Which recommendations are given for assigning roles to users?
The customer has full control on giving permissions to users on a tenant.
A key part of an integration project is the development and deployment of integration content (for example,
integration flows). The related permissions are defined by the authorization group
AuthGroup.IntegrationDeveloper and AuthGroup.Administrator. Note that this authorization group
provides extensive permissions. Therefore, take into account special considerations when assigning this
authorization group to a user.
More information:

Security FAQs PUBLIC 29
How can I contact SAP Cloud Integration Operations support for information
or issues related to tenant provisioning and security?
Create a ticket on component LOD-HCI-PI-OPS.
Are CA-signed certificates mandatory for transport-level authentication?

Which scenarios require CA-signed certificates?
More information:
Transport Level Security [page 33]
Where can I find a list of CAs approved by SAP?
Load Balancer Root Certificates Supported by SAP
I want to use the same signed certificate for multiple systems. Can I put * in
the Common Name field (for example, *.xxxxx.com) while the certificate is
being signed by the CA? Does SAP allow this?
SAP recommends using the full host name in the Common Name (CN) field for both inbound and outbound
scenarios, but technically does support the wildcard character in the CN field (for certificate-based client
authentication only). For HTTPS outbound scenarios (where SAP manages the CA-signed key pairs), SAP uses
the full host name in the CN field.
Can I use self-signed certificates for HTTPS certificate-based client

authentication (also referred to as dual authentication)?
No, self-signed certificates are not supported for inbound connections to SAP Cloud Integration. For outbound
connections, we recommend using a CA-signed base certificate.
Which scenarios support self-signed certificates? Can I use them for

message-level encryption and signing?
You can use self-signed certificates for message-level encryption and signing. However, we recommend using
CA-signed certificates.

30 PUBLIC Security FAQs
Who maintains and manages the keystore? Can control be given to the end
customer?
SAP provides some keys by default, but keystore management is now a self-service, so you can manage your
keystore yourself.
More information:
What is the procedure for using certificates for message-level encryption

and signing?
You can use the certificates that are in the keystore provided by SAP during tenant provisioning. If you want to
use your own key pair, you can manage it yourself using the self-service. There are different ways in which you
can sign and encrypt message content (for example, PGP, X.509).
More information:
Message Level Security.
Do I need to make any special requests when connecting to the SFTP/SMTP

server?
The following ports are opened by default:
● For SFTP/SSH: port 22

● For SMTP: ports 25, 465, and 587
Do I need to make any special requests for HTTP(S) for outbound

connectivity?
By default, port 443 and all HTTP ports 1024 and higher are opened.
Which IP addresses for the SAP Cloud Integration landscape do I need to

configure in my own firewall for inbound connections (IP allowlisting)?
See Virtual System Landscapes.

Where can I find details on SAP Data Centers and security?
You can find this information on the SAP website under SAP Data Centers Information.
More information: https://www.sap.com/about/cloud-trust-center/data-center.html
What is SAP Cloud Connector? Is it mandatory?
SAP Cloud Connector is a complementary offering. It needs to be installed on premise and is an integral
component of SAP BTP. It acts as a reverse proxy and creates a secure tunnel with the customer's own SAP
Cloud Integration account. SAP Cloud Integration can route calls via SAP Cloud Connector for HTTP-based
protocols (for example, SOAP, OData IDoc XMLs). SAP Cloud Connector is the preferred mode of
communication for SAP BTP customers. However, it is not mandatory and customers can use other reverse
proxy software (for example, Web Dispatcher).
More information:

9.1 Transport Level Security
SAP Cloud Integration Inbound Connection
CERT Usage
in Customer Customer- CERT Usage
Where to Get Sender or CA Signed in Cloud In
Related Authentica Required Required Receiver CERT Re tegration
Protocol Adapters tion Method Certificates Certificates Systems quired? Keystore
HTTPS HTTP, SOAP, Basic Au Root CA of You can use Need to im No Not required
IDoc, OData thentication SAP Cloud
the self-serv port Root CA
and other Integration/ Note: Users
ice provided of SAP SAP
HTTP based Load Bal requiring ba
sender ancer by SAP Cloud
sic authenti
adapters Integration/
cation must
Load Bal
be have the
ancer in the
role
backend sys
ESBMessagin
tem's key
g.send role in
store
SAP Cloud
Integration
tenant. It
needs to be
assigned on
the IFLMAP
node.
HTTPS HTTP, SOAP, Certificate Root CA of You can use Need to im No Not required
SAP Cloud
IDoc, OData based client the self-serv port Root CA
Integration/
and other authentica ice provided of SAP Cloud
Load Bal
HTTP based tion ancer by SAP Integration/
sender Load Bal
adapters ancer in the
backend sys
tem's key
store

CERT Usage
Public key for Customer Customer Yes Not Required

certificate
must gener needs to im
based client Note: Cus
ate a key pair port the
authentica tomer needs
tion using any signed key
to provide the
tool, generate pair along
public key of
CSR (certifi- with Root CA
the signed CA
cate signing in their send
client certifi-
request) and er's system
cate in the in
get it signed keystore.
tegration flow
by CA. List of
configuration
allowed CAs
on sender
are men
system after
tioned in the
selecting au
operations
thentication
guide.
type as certif
icate based.

Cloud Integration Outbound Connection
CERT Usage
HTTPS HTTP, SOAP, Basic Au Root and in Root and in Not required Yes The root and
IDoc, OData thentication termediate termediate intermediate
and other CAs of the CAs should certificates of
HTTP based customer be provided the CA ap
sender by the cus proved certif
adapters tomer icate needs
to be added
to the SAP
Cloud
Integration
keystore. You
can use the
self-service
to add it to
the keystore.
Note: Users
needing basic
authentica
tion must be
deployed as
user creden
tials on SAP
Cloud
Integration
and name of
this creden
tial should be
specified in
the respec
tive technical
adapter set
tings

CERT Usage
HTTPS HTTP, SOAP, Certificate Root and in Root and in Not required Yes The root and
IDoc, OData based client termediate termediate intermediate
and other authentica CAs of the CAs should certificates of
HTTP based tion customer be provided the CA ap
sender by the cus proved certif
adapters tomer icate needs
to be added
to the SAP
Cloud
Integration
keystore. You
can use the
self-service
to add it to
the keystore.
SAP Cloud You can use Public Key (or No (yes only SAP will gen
Integration the self serv client certifi- if customer erate the
Public Key for ice to man cate should wants to use signed certifi-
certificate age keystore. be imported own key pair cate and will
based client in customer for client au upload it in
authentica server's key thentication) the keystore
tion store. Root of SAP Cloud
and inter Integration
mediate cer tenant (or will
tificate store the cer
should be im tificates pro
ported in the vided by cus
customer tomer). Cus
server trust tomer would
keystore. need to men
tion the alias
name of the
certificate in
adapter set
tings.
HTTP HTTP Basic Au NA NA NA NA NA

thentication
LDAP LDAP Simple Au NA NA NA NA NA

thentication

CERT Us
age in Cus CERT Us
Where to tomer Customer- age in
Authenti Required Get Re Sender or CA Signed Cloud Inte
Related cation Certifi quired Cer Receiver CERT Re gration
Direction Protocol Adapters Method cates tificates Systems quired? Keystore
SAP Cloud SSH SFTP (Poll Certificate Public key SAP gener You have to Optional SAP cloud
based client
Integration from SAP for certifi- ates a key import/add ops team
authentica
inbound/ Cloud cate based pair and this public will gener
tion
outbound Integration) client au shares the key in des ate a key
thentication public key ignated lo pair and
with the cation at create an
customer. If SFTP alias "id
you wants server rsa" or "id
to use your dsa" in key
own key store and
pair, you will deploy
can use the it on SAP
self service Cloud
to generate Integration
it and add it tenant.
to the key Public key
store. from this
key pair will
be provided
to the cus
tomer.

CERT Us
age in Cus CERT Us
Where to tomer Customer- age in
Authenti Required Get Re Sender or CA Signed Cloud Inte
Related cation Certifi quired Cer Receiver CERT Re gration
Direction Protocol Adapters Method cates tificates Systems quired? Keystore
Public key Public key Optional Public key

fingerprint
fingerprint of SFTP
of SFTP
of SFTP sever must
server
server will be men
be provided tioned in
by SFTP ad "known
ministrator host" file
or SAP and de
cloud ops ployed on
team. Cloud
Integration
SAP Cloud
Integration.
Customer
must pro
vide it to
SAP and
this task
will be done
by SAP
cloud ops.
SAP Cloud SMTP Mail Basic Au Root and in Root and in Not re Yes You can
Integration thentica termediate termediate quired manage
Outbound tion/CEAM- CAs from CAs from your key
MD5 the mail the mail store using
server for server for the self-
TLS TLS service.

10 References
For more advanced help and information,see also the following standard resources for creating integration
scenarios:
● SAP Cloud Integration Community

● SAP Cloud Integration Product Documentation
● SAP Cloud Integration Roadmap on SMP
● SAP Cloud Integration Learning Maps Link on Learning Hub
● SLAs and Maintenance Window
● SAP Data Privacy and Security Policy
● SAP Cloud Integration Tools Information
● Available Standard Pre-Packaged Content
If you experience any technical issues, please create a ticket on LOD-HCI.

References PUBLIC 39
Important Disclaimers and Legal Information
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.
Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.
Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

40 PUBLIC Important Disclaimers and Legal Information
Important Disclaimers and Legal Information PUBLIC 41
www.sap.com/contactsap
© 2021 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.
Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.
SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.
Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.
THE BEST RUN

SAP Cloud Platform Integration Onboarding Guide: Public 2021-02-14

Uploaded by

Copyright:

Available Formats

SAP Cloud Platform Integration Onboarding Guide: Public 2021-02-14

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SAP Cloud Platform Integration Onboarding Guide: Public 2021-02-14

Uploaded by

Copyright:

Available Formats

What are the steps to onboard after subscribing to SAP Cloud Integration?

What are the steps to onboard after subscribing to SAP Cloud Integration?

What are the different roles and authorization groups available in SAP Cloud Integration?

What are the different roles and authorization groups available in SAP Cloud Integration?

PUBLIC

SAP Cloud Platform Integration Onboarding

THE BEST RUN

2 Getting Access to SAP Cloud Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

3 SAP Cloud Integration in SAP BTP Cockpit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5

4 Adding New Administrators (Optional). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

5 Assigning Users and Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

6 Available Roles and Authorization Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

7 Verifying Access for Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

8 Performing a Smoke Test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

9 Security FAQs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

SAP Cloud Platform Integration Onboarding Guide

SAP Cloud Platform Integration Onboarding Guide

SAP Cloud Platform Integration Onboarding Guide

You can view the Global Accounts ID by clicking on the  (information)

SAP Cloud Platform Integration Onboarding Guide

1. In the cockpit, choose Members.

SAP Cloud Platform Integration Onboarding Guide

SAP Cloud Platform Integration Onboarding Guide

SAP Cloud Platform Integration Onboarding Guide

1. To assign users to your tenant account, choose Security Authorizations Groups .

SAP Cloud Platform Integration Onboarding Guide

SAP Cloud Platform Integration Onboarding Guide

Authorization Groups Overview

Authorization Group Description

AuthGroup.BusinessExpert Enables a business expert to perform business tasks.

This includes tasks such as:

● Monitoring integration flows

AuthGroup.Administrator Enables the administrator of the tenant cluster (also referred

This includes tasks such as:

● Deploying security content (for example, keystores or

AuthGroup.IntegrationDeveloper Enables an integration developer to connect to a cluster us­

This includestasks such as:

● Monitoring integration flows

SAP Cloud Platform Integration Onboarding Guide

AuthGroup.ReadOnly Enables you to connect to a tenant cluster (from the cus­

AuthGroup.SystemDeveloper Enables a system developer to perform the tasks required

This includes tasks such as:

● Monitoring integration flows

SAP Cloud Platform Integration Onboarding Guide

If you are unable to verify access, perform the following steps:

SAP Cloud Platform Integration Onboarding Guide

SAP Cloud Platform Integration Onboarding Guide

1. Launch the application URL provided by SAP.

You see the logon screen.

2. Enter your S/P-user ID and password. Choose Log On.

SAP Cloud Platform Integration Onboarding Guide

4. Choose Create to create a new integration package.

SAP Cloud Platform Integration Onboarding Guide

SAP Cloud Platform Integration Onboarding Guide

SAP Cloud Platform Integration Onboarding Guide

You see the Script Editor.

SAP Cloud Platform Integration Onboarding Guide

SAP Cloud Platform Integration Onboarding Guide

18. Choose Content Modifier and add it insideException Subprocess 1.

AuthGroup.IntegrationDeveloper Enables an integration developer to connect to a cluster us

AuthGroup.ReadOnly Enables you to connect to a tenant cluster (from the cus

HTTP HTTP Basic Au NA NA NA NA NA

LDAP LDAP Simple Au NA NA NA NA NA