
Administration Guide | PUBLIC

2020-08-04

SAP Customer Guide Administration


© 2020 SAP SE or an SAP affiliate company. All rights reserved.

THE BEST RUN


Content

1 SAP Customer Guide Administration Guide
1.1 Supported Platforms, Devices, and Languages
1.2 Setup and Business Configuration
    Configure Mobile Services
    Configure the Mobile App
1.3 User Authentication and Authorization
    Configure a Trusted Identity Provider
    Configure your SAML IdP
    Configure Roles on SAP Cloud Platform
    Integration into the On-Premise Landscape
    Example Setup
1.4 Onboarding - Admin Tasks
1.5 Onboarding - End-User Tasks
1.6 Operations
    Error Handling
    Logging and Tracing
    Monitoring Mobile Services
1.7 Security
    Data Protection and Privacy
    Identity and Access Management
    Technical System Landscape

1 SAP Customer Guide Administration Guide

This guide is the central starting point for installing and configuring the SAP Customer Guide. It also provides
security and operations information.

This guide addresses the following target audience:

● System administrators
● Technical consultants
● Key users

About SAP Customer Guide

The SAP Customer Guide mobile app provides users with consistent and holistic financial and commercial
information about a customer, such as an overview of disputes and sales volume across all revenue streams, or
account receivables. The app supports C-level customer conversations, customer negotiations, overdue calls,
customer visits, and approvals.

The main purpose of the app is to help users to prepare for customer C-level meetings and contractual
discussions. The app provides an easy-to-consume overview, and users can drill down into the respective SAP
Fiori launchpad content directly from the app.

The main user groups of SAP Customer Guide are regional CFOs and senior sales managers, but the data
might also be relevant for any sales person.

After logging into the mobile app, users select a customer from the customer list. Customers can be marked as
favorites for faster access. Users get an overview of the most important financial KPIs and information on three
customer screens: Customer Overview, Contracts, and Accounts Receivable.

The app is integrated into SAP S/4HANA on premise, and can be configured easily to adapt the layout and
show data elements according to your needs.

Documentation

Make sure you have the latest version of this guide by checking the SAP Customer Guide, mobile app page on
SAP Help Portal before starting the installation.

Getting Support

If you encounter any problems with SAP Customer Guide, report an incident on the SAP Support Portal at
http://support.sap.com/incident.

The relevant component is FI-MOB-CG.

Related Products

See the following documents for more information about the respective topics.

| Resource | Link to Documentation |
|---|---|
| SAP Cloud Platform | https://help.sap.com/viewer/product/CP/Cloud/en-US?task=discover_task |
| SAP Cloud Platform Mobile Services | https://help.sap.com/viewer/38dbd9fbb49240f3b4d954e92335e670/Cloud/en-US |
| SAP Cloud Platform Cloud Connector | https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e6c7616abb5710148cfcf3e75d96d596.html |
| SAP Cloud Platform SDK for iOS | SAP Cloud Platform SDK for iOS |

1.1 Supported Platforms, Devices, and Languages

The SAP Customer Guide iOS app 1.0 is released for iOS 13 and higher versions. Although the mobile
application can run on any version from iOS 13 onward, we recommend that you use the following devices
to achieve the best user experience:

● iPhone 11 Pro
● iPad Pro (11 inch) (second generation)

You can download the Customer Guide iOS app 1.0 from the Apple App Store. It is delivered in English only and
supports the Gregorian calendar.

1.2 Setup and Business Configuration

Before users can onboard, administrators need to configure the mobile app and mobile services.

1.2.1 Configure Mobile Services

Prerequisites

● You have subscribed to SAP Cloud Platform Mobile Services.
  For more information, see Mobile Services - Getting Started.
● SAP S/4HANA on premise is connected to an SAP Cloud Platform tenant (for example, via an SAP Cloud
  Connector).

Overview

The following diagram shows the main components that need to be configured on SAP Cloud Platform Mobile
Services:

You subscribe to SAP Cloud Platform Mobile Services using the administration user interface in the SAP Cloud
Platform cockpit. For more information about this configuration UI, see Application Administration.

In the cockpit, the administrator has to perform the following steps:

1. Create a mobile application with the ID com.sap.mobile.apps.CustomerGuide.
   1. Configure Security: Set up OAuth-based authentication.
   2. Configure Connectivity: For each OData service that the mobile app consumes, you need to configure a
      destination that links to the corresponding OData service on SAP S/4HANA on premise, such as
      API_BUSINESS_PARTNER. Each of these destinations on Mobile Services has a predefined name that
      starts with the prefix com.sap.mobile.apps.CustomerGuide, for example,
      com.sap.mobile.apps.CustomerGuide.API_BUSINESS_PARTNER.
      The authentication between SAP Cloud Platform Mobile Services and SAP S/4HANA on premise is
      done using Cloud Connector SSO.

1.2.1.1 Initial Configuration

Prerequisites

● You have configured the SAP Cloud Platform Mobile Service.
  For more information about all of the configuration steps and options, see Set Up Customer Accounts.

Context

The following configuration is recommended for the SAP Customer Guide. Instead of mapping the users to
roles in the SAP Cloud Platform cockpit, use assertion-based groups that allow you to maintain roles in your
SAML Identity Provider.

Procedure

1. Log in to the SAP Cloud Platform cockpit, and in the left pane, select Services. Under Mobile Services, click
Development & Operations.
2. Under Service Configuration, click Configure Development & Operations Cockpit.
3. In the left pane, select Roles and create a new role called MobileServicesCockpitAdministrator.
4. In the left pane, select Destinations & Permissions.
5. Under Application Permissions, click Edit and assign the role that you just created to the
HanaMobileAdmin permission, and save your changes.

1.2.1.2 Create a Mobile Application

Procedure

1. Log on to the SAP Cloud Platform Mobile Service cockpit.
2. On the left side panel, click Mobile Applications > Native/Hybrid.
3. Click New.
4. In the dialog box that opens, fill out the fields as shown in the following table, and click Next.

| Option | Description |
|---|---|
| ID | com.sap.mobile.apps.CustomerGuide |
| Name | SAP Insurance Sales Assistant |
| Vendor | SAP SE |
| XSUAA Service | Default Instance |

5. In the next dialog box, activate the following features for Native Applications:
○ Mobile Client Log Upload
○ Mobile Client Resources
○ Mobile Client Usage and User Feedback
○ Mobile Connectivity
○ Mobile Network Trace
The result should look like this:

6. Open the Security tab.


7. Configure Security Configuration as OAuth.

The screen should look like this:

1.2.1.3 Configure the Passcode Policy

Configure how a mobile user should authenticate against the mobile application.

Context

There are three ways to set up authentication:

● App Passcode Protection: The user defines an app passcode during the onboarding process. Each time the
  app launches and the timeout expires, the user has to re-enter this passcode.
● Touch ID protection: Each time the app launches and the timeout expires, the user has to authenticate
  using Touch ID. This requires that Touch ID is enabled on the corresponding mobile device.
● No protection: The user does not have to authenticate on the mobile application.

Procedure

1. Navigate to the entry page of the application.


2. In the Assigned Features section, click Mobile Settings Exchange.
3. Configure the entries in the Passcode Policy section as follows.

| Protection Mode | Enable Passcode Policy | Biometric Authentication Allowed | Additional Settings |
|---|---|---|---|
| App Passcode | Enabled | Not relevant | Lock Timeout; Minimum Length; Retry Limit; Minimum Unique Characters; Upper Case Character Required; Lower Case Character Required; Special Character Required; Digits Required |
| Touch ID | Enabled | Enabled | Lock Timeout |
| None | Disabled | Disabled | |

Note

We recommend that you enable CSRF protection in Mobile Services for the Customer Guide
application. Navigate to the SAP Customer Guide application in Mobile Services, and in the Security
tab, select CSRF Protection.

Related Information

Mobile Client [page 45]

1.2.1.4 Create Destinations

Prerequisites

To log on to the SAP Cloud Platform Mobile Services cockpit, you have to configure User Authentication and
Authorization as described in User Authentication and Authorization [page 24].

In addition, make sure that you have set up the SAP Cloud Connector and have established a connection
between your SAP S/4HANA on premise and your SAP Cloud Platform tenant.

For more information, see Defining Connectivity.

Context

The app uses dedicated OData services, which are part of S/4HANA on premise. To be able to call these
services, make sure that your S/4HANA on premise system is connected to your SAP Cloud Platform tenant
using an SAP Cloud Connector. Once the Cloud Connector is connected, maintain the resource-mapping path
in SAP Cloud Connector.

Make sure to maintain the resource-mapping path to the following S/4HANA on-premise OData services:

● /sap/opu/odata/sap/API_BUSINESS_PARTNER
● /sap/opu/odata/sap/API_OPLACCTGDOCITEMCUBE_SRV
● /sap/opu/odata/sap/API_SALES_CONTRACT_SRV
● /sap/opu/odata/sap/C_DAYSSALESOUTSTANDING_CDS
● /sap/opu/odata/sap/C_FUTUREACCTRBLS_CDS
● /sap/opu/odata/sap/C_OPENDISPUTECASE_CDS
● /sap/opu/odata/sap/C_OVERDUEACCTRBLS_CDS
● /sap/opu/odata/sap/C_SALESVOLUMEANALYTICSQRY_CDS
● /sap/opu/odata/sap/C_TOTALACCOUNTSRECEIVABLES_CDS

In the following procedure, the <scc-host> placeholder indicates that this value needs to be replaced with the
actual virtual host name of your SAP Cloud Connector OData Service.

Procedure

1. Log on to the SAP Cloud Platform Mobile Services cockpit.
2. On the left side panel, click Mobile Applications > Native/Hybrid.
3. Select the SAP Customer Guide application.
4. In the Assigned Features section, click Mobile Connectivity.
5. Click to add a new destination.
6. In the dialog box that opens, fill out the following fields:
   ○ Destination Name: com.sap.mobile.apps.CustomerGuide.API_BUSINESS_PARTNER
   ○ URL: http://<scc-host>/sap/opu/odata/sap/API_BUSINESS_PARTNER
   ○ Use Cloud Connector: true
   ○ Cloud Connector Location ID: <Your Cloud Connector Location ID>
   Maintain the other fields according to your needs.
7. Click Next.
8. Add a custom header:
   ○ Header Name: sap-client
   ○ Header Value: <Your SAP S/4HANA client number>
9. Click Next and skip the following step about Annotations.
10. In the last step, select Propagate User Name and SSO Mechanism=Cloud Connector SSO.

Repeat this step for all destinations as listed in the following table:

| Destination Name | URL |
|---|---|
| com.sap.mobile.apps.CustomerGuide.API_BUSINESS_PARTNER | http://<scc-host>/sap/opu/odata/sap/API_BUSINESS_PARTNER |
| com.sap.mobile.apps.CustomerGuide.API_OPLACCTGDOCITEMCUBE_SRV | http://<scc-host>/sap/opu/odata/sap/API_OPLACCTGDOCITEMCUBE_SRV |
| com.sap.mobile.apps.CustomerGuide.API_SALES_CONTRACT_SRV | http://<scc-host>/sap/opu/odata/sap/API_SALES_CONTRACT_SRV |
| com.sap.mobile.apps.CustomerGuide.C_DAYSSALESOUTSTANDING_CDS | http://<scc-host>/sap/opu/odata/sap/C_DAYSSALESOUTSTANDING_CDS |
| com.sap.mobile.apps.CustomerGuide.C_FUTUREACCTRBLS_CDS | http://<scc-host>/sap/opu/odata/sap/C_FUTUREACCTRBLS_CDS |
| com.sap.mobile.apps.CustomerGuide.C_OPENDISPUTECASE_CDS | http://<scc-host>/sap/opu/odata/sap/C_OPENDISPUTECASE_CDS |
| com.sap.mobile.apps.CustomerGuide.C_OVERDUEACCTRBLS_CDS | http://<scc-host>/sap/opu/odata/sap/C_OVERDUEACCTRBLS_CDS |
| com.sap.mobile.apps.CustomerGuide.C_SALESVOLUMEANALYTICSQRY_CDS | http://<scc-host>/sap/opu/odata/sap/C_SALESVOLUMEANALYTICSQRY_CDS |
| com.sap.mobile.apps.CustomerGuide.C_TOTALACCOUNTSRECEIVABLES_CDS | http://<scc-host>/sap/opu/odata/sap/C_TOTALACCOUNTSRECEIVABLES_CDS |
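
A consistency check for the nine destinations and the Cloud Connector resource paths described in this section, as an added example (not SAP code). The inventory dictionaries and the (path, sub-paths) pairs are a hypothetical record format that you fill in by hand from the cockpit and from Cloud Connector; no export API is assumed, and the host name and client number in the sample are constructed.

```python
PREFIX = "com.sap.mobile.apps.CustomerGuide."
ODATA_ROOT = "/sap/opu/odata/sap/"
# The nine OData services listed in this section.
SERVICES = [
    "API_BUSINESS_PARTNER", "API_OPLACCTGDOCITEMCUBE_SRV", "API_SALES_CONTRACT_SRV",
    "C_DAYSSALESOUTSTANDING_CDS", "C_FUTUREACCTRBLS_CDS", "C_OPENDISPUTECASE_CDS",
    "C_OVERDUEACCTRBLS_CDS", "C_SALESVOLUMEANALYTICSQRY_CDS",
    "C_TOTALACCOUNTSRECEIVABLES_CDS",
]


def expected_destinations(scc_host):
    """Destination name -> URL for the given Cloud Connector virtual host."""
    return {PREFIX + s: f"http://{scc_host}{ODATA_ROOT}{s}" for s in SERVICES}


def audit_destinations(configured, scc_host):
    """Compare a hand-recorded destination inventory with the documented settings.

    `configured` is a list of dicts with the hypothetical keys name, url,
    use_cloud_connector, headers and sso_mechanism.
    """
    findings = []
    expected = expected_destinations(scc_host)
    by_name = {d.get("name"): d for d in configured}
    for name, url in expected.items():
        dest = by_name.get(name)
        if dest is None:
            findings.append((name, "destination missing"))
            continue
        if dest.get("url") != url:
            findings.append((name, f"URL is {dest.get('url')!r}, expected {url!r}"))
        if dest.get("use_cloud_connector") is not True:
            findings.append((name, "Use Cloud Connector is not enabled"))
        if not str(dest.get("headers", {}).get("sap-client", "")).strip():
            findings.append((name, "custom header sap-client is not set"))
        if dest.get("sso_mechanism") != "Cloud Connector SSO":
            findings.append((name, "SSO Mechanism is not Cloud Connector SSO"))
    for name in by_name:
        if name not in expected:
            findings.append((name, "not one of the nine documented destinations"))
    return findings


def audit_resource_paths(exposed):
    """Check Cloud Connector resource paths given as (url_path, with_sub_paths) pairs.

    Returns (missing, broader): required service paths that no entry covers, and
    entries that open a parent of the service paths together with its sub-paths.
    """
    required = [ODATA_ROOT + s for s in SERVICES]

    def covers(path, with_sub_paths, target):
        path = path.rstrip("/")
        return target == path or (with_sub_paths and target.startswith(path + "/"))

    missing = [r for r in required if not any(covers(p, sub, r) for p, sub in exposed)]
    broader = sorted({p for p, sub in exposed
                      if sub and any(r.startswith(p.rstrip("/") + "/") for r in required)})
    return missing, broader


def sample_inventory(scc_host):
    """Constructed inventory with three deliberate deviations."""
    inv = [{"name": n, "url": u, "use_cloud_connector": True,
            "headers": {"sap-client": "100"}, "sso_mechanism": "Cloud Connector SSO"}
           for n, u in expected_destinations(scc_host).items()]
    inv[1]["url"] = f"http://{scc_host}{ODATA_ROOT}"  # service name left off the URL
    inv[3]["headers"] = {}                            # sap-client header forgotten
    del inv[8]                                        # last destination never created
    return inv


if __name__ == "__main__":
    host = "s4h-virtual:44300"  # constructed virtual host name
    for name, message in audit_destinations(sample_inventory(host), host):
        print(f"{name}: {message}")
    print(audit_resource_paths([("/sap/opu/odata", True)]))
```
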

The configuration looks like this:

1.2.2 Configure the Mobile App

Prerequisites

You have configured the Mobile Services. See Configure Mobile Services [page 5].

Context

To set up and configure the SAP Customer Guide, you first need to create and upload three configuration files
to Mobile Services:

● AppConfiguration
● FLPEndpointConfiguration (optional)
● LayoutConfiguration

Mobile Services have a feature for uploading configuration files assigned to the SAP Customer Guide
application. For more information about this feature, see Uploading Client Resources.

Procedure

1. Log on to the SAP Cloud Platform Mobile Services cockpit.

2. In the left-side panel, click Mobile Applications > Native/Hybrid.
3. Select the SAP Customer Guide application and in the Assigned Features section, click Mobile Client
Resources.
4. Click to create or upload a new resource.
5. Create the following three resources:
○ AppConfiguration
○ FLPEndpointConfiguration (optional)
○ LayoutConfiguration
For more information about these resources, see Maintain Configuration Resources [page 13].

Note

If several resources have the same bundle name, make sure that the app always uses the resource with
the highest version number.

1.2.2.1 Maintain Configuration Resources

The SAP Customer Guide app requires that you upload three configuration files to Mobile Services and
maintain them:

● AppConfiguration
● FLPEndpointConfiguration (optional)
● LayoutConfiguration

AppConfiguration File

The AppConfiguration file is a JSON-compliant file containing basic technical configuration required by the
app. The configuration file should contain the following property:

| Property Name | Description |
|---|---|
| supportEmail | Email address used by the app as a recipient for composing emails to report issues to support. Please use a non-personal email address, such as a generic address or a distribution list. |

The JSON should look like this:

{
  "supportEmail": "SupportEmailAddress@MyCompany.com"
}

FLPEndpointConfiguration File

The FLPEndpointConfiguration file is a JSON-compliant file containing information about the SAP Fiori
launchpad (FLP) hosted on the customer side. This is required by the app to construct URLs for navigating
from the app to corresponding Fiori apps. This feature allows the user to deep dive into information shown in
the app. If the FLPEndpointConfiguration file is not uploaded, the navigation feature is not available.

| Property Name | Description |
|---|---|
| version | Version information of the JSON file |
| flpEndpointSettings | Object containing information about the SAP Fiori launchpad |
|   default | Default endpoint settings |
|     baseURL | Base URL of the SAP Fiori launchpad |
|     clientID | System client ID of the SAP Fiori launchpad (optional, only needed if required for the base URL) |

{
  "version": "1.0.0",
  "flpEndpointSettings": {
    "default": {
      "baseUrl": "https://<Fiori-Launchpad-Host>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
      "clientId": "<System-Client>"
    }
  }
}

The following navigation to Fiori applications is enabled by default:

| User Interaction (Tap on) | Fiori Application (link to SAP Fiori Apps Reference Library) | Semantic Object | Action |
|---|---|---|---|
| Customer Header (Header information about selected customer) | Customer - 360° View (Fiori App ID F2187) | Customer | displaySalesOverview |
| Bar Chart (Sales volume, net sales costs, and profit margin of the customer) | Sales Volume - Profit Margin / Credit Memos (Fiori App ID F2271) | BillingDocument | ssb_Profit_Margin |
| Invoice | Manage Journal Entries (Fiori App ID F0717) | AccountingDocument | displayFactSheet |
| Sales Contract | Sales Contract (Fiori App ID F2026) | SalesContract | displayFactSheet |
| Bar Chart (Overdue Receivables) | Overdue Receivables (Fiori App ID F1747) | OverdueReceivablesKPI | analyzeSBKPIOverdueReceivables |
| Bar Chart (Future Receivables) | Future Receivables (Fiori App ID F1744) | FutureReceivablesKPI | analyzeSBKPIFutureReceivables |
| Bar Chart (DSO Trend) | Days Sales Outstanding (Fiori App ID F1741) | DaysSalesOutstandingKPI | analyzeSBKPIDaysSalesOutstanding |

The FLPEndpointConfiguration file allows you to disable navigation to dedicated Fiori applications using
navigationSettings:

| Property Name | Description |
|---|---|
| navigationSettings | Object containing settings for navigation to Fiori applications |
|   semanticObject1 | Name of a semantic object from the table above |
|     hiddenActions | Array of actions for semanticObject1 to disable for navigation |
|   semanticObject2 | Name of a semantic object from the table above |
|     hiddenActions | Array of actions for semanticObject2 to disable for navigation |
|   ... | |

hiddenActions can list dedicated actions such as ["action1","action2","action3"], or include an
asterisk ["*"] as the single entry in the array to disable all actions for a particular semantic object.

{
  "version": "1.0.0",
  "flpEndpointSettings": {
    "default": {
      "baseUrl": "https://<Fiori-Launchpad-Host>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
      "clientId": "<System-Client>"
    }
  },
  "navigationSettings": {
    "Customer": {
      "hiddenActions": ["displaySalesOverview"]
    },
    "AccountingDocument": {
      "hiddenActions": ["*"]
    }
  }
}

The first entry in this example, pointing to the Customer semantic object and the displaySalesOverview
action, will disable navigation to the Customer - 360° View (Fiori App ID F2187) app. Tapping on the customer
header will not trigger any action.

The second entry in the example, pointing to the AccountingDocument semantic object is marked with an
asterisk "*" and this disables all navigation options related to the AccountingDocument. Tapping on an
invoice row will not trigger any action.
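
The following check, an added example that is not part of the SAP delivery, reads an FLPEndpointConfiguration document and reports which of the default navigation targets remain enabled. It also warns about navigationSettings entries that match nothing in the table (for example a misspelled action), which would otherwise leave a navigation enabled that the administrator meant to hide. The key names follow the JSON samples above; the https expectation, the host name and the client number in the sample are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# (semantic object, action) -> Fiori App ID, transcribed from the table of
# default navigation targets above.
DEFAULT_NAVIGATION = {
    ("Customer", "displaySalesOverview"): "F2187",
    ("BillingDocument", "ssb_Profit_Margin"): "F2271",
    ("AccountingDocument", "displayFactSheet"): "F0717",
    ("SalesContract", "displayFactSheet"): "F2026",
    ("OverdueReceivablesKPI", "analyzeSBKPIOverdueReceivables"): "F1747",
    ("FutureReceivablesKPI", "analyzeSBKPIFutureReceivables"): "F1744",
    ("DaysSalesOutstandingKPI", "analyzeSBKPIDaysSalesOutstanding"): "F1741",
}


def review_flp_config(text):
    """Return (enabled, disabled, warnings); the first two are sorted Fiori App IDs."""
    cfg = json.loads(text)
    warnings = []

    # Key names as used in the JSON samples of this guide (baseUrl, clientId).
    endpoint = cfg.get("flpEndpointSettings", {}).get("default", {})
    base_url = endpoint.get("baseUrl", "")
    parts = urlsplit(base_url)
    if "<" in base_url or not parts.hostname:
        warnings.append("baseUrl is empty or still contains a placeholder")
    elif parts.scheme != "https":
        # Assumption of this example: the launchpad is reached over https only.
        warnings.append(f"baseUrl uses {parts.scheme or 'no scheme'}, expected https")

    hidden = set()
    for obj, settings in cfg.get("navigationSettings", {}).items():
        own_actions = {a for (o, a) in DEFAULT_NAVIGATION if o == obj}
        if not own_actions:
            warnings.append(f"{obj}: not a semantic object from the table")
            continue
        actions = settings.get("hiddenActions", [])
        if "*" in actions:
            if len(actions) == 1:
                hidden |= {(obj, a) for a in own_actions}
            else:
                warnings.append(f"{obj}: '*' is documented only as the single entry")
            continue
        for action in actions:
            if action in own_actions:
                hidden.add((obj, action))
            else:
                warnings.append(f"{obj}: action {action!r} matches no default navigation")

    enabled = sorted(app for key, app in DEFAULT_NAVIGATION.items() if key not in hidden)
    disabled = sorted(app for key, app in DEFAULT_NAVIGATION.items() if key in hidden)
    return enabled, disabled, warnings


# Constructed input: the example above plus a SalesContract entry whose action
# is misspelled (displayFactsheet instead of displayFactSheet).
SAMPLE_FLP = """
{
  "version": "1.0.0",
  "flpEndpointSettings": {"default": {
    "baseUrl": "https://flp.example.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
    "clientId": "100"}},
  "navigationSettings": {
    "Customer": {"hiddenActions": ["displaySalesOverview"]},
    "AccountingDocument": {"hiddenActions": ["*"]},
    "SalesContract": {"hiddenActions": ["displayFactsheet"]}
  }
}
"""

if __name__ == "__main__":
    enabled, disabled, warnings = review_flp_config(SAMPLE_FLP)
    print("enabled: ", enabled)
    print("disabled:", disabled)
    for w in warnings:
        print("warning: ", w)
```
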

LayoutConfiguration File

The LayoutConfiguration file is a JSON-compliant file containing the configuration of the app layout. With
this configuration, administrators can determine which components are shown in the app at which position.
The following table describes the basic structure of the configuration file:

| Name | Description |
|---|---|
| version | Version information of the JSON file. |
| tabs | This array contains all of the tab pages to show in the Customer Detail view. For more information, see Tabs [page 18]. |
|   title | Title of the tab page shown at the top |
|   sections | Array containing all sections on the related tab page. A section contains KPIs or information of the same type. |
|     title | Title of the section, shown on top of each section. Whether the title is shown depends on the type of the section. |
|     type | Defines what kind of information to show in this section. This influences which data is shown and how. Only specific types are supported. If other types are maintained, end users will receive an error. For more information, see Section Type [page 18]. |
|     components | Array containing detailed configuration for the actual components shown in the related section. There are section types, which allow you to have several components in same section. These are configured in here. |
|       title | Title of the component shown if several components are configured. |
|       context | If there are several components, context defines what data is shown on this specific component. There is a defined list of supported contexts for each section type. For more information, see Component Context [page 20]. |
|       options | Some components may require specific configuration. Currently this is only required for News. For more information, see News-Related Options [page 21]. |

Tabs

You can define the pages within tabs to be shown in the Customer Detail view. The following sample and
screenshot show how this would appear in the app.

Sample Code

{
  "version": "1.0.0",
  "tabs":[
    {
      "title":"Overview",
      ...
    },
    {
      "title":"Contracts",
      ...
    },
    {
      "title":"Accounts Receivable",
      ...
    }
  ]
}

Section Type

The section type defines which subset of data is shown and how this is visualized. The table shows a list of the
supported section types. If other types are used, end users get errors in the app.

Supported Type

● kpi
● barChart
● barChartCard
● chartCard
● customerHeader
● contactList
● invoiceList
● contractList
● contactInformation
● newsFeed

Component Context
The context of a component gives more detailed information about what data to show in a section, if several
components are to be shown in a specific section. Only the following list of supported combinations of section
type and component context are allowed. If the configuration doesn't meet them, end users will see an error in
the app.

| Section | Supported Context | Data Shown |
|---|---|---|
| kpi | InvoiceAmountOverdue | Sum up all amounts for overdue periods, up to the current date, for the selected customer. |
| | TotalReceivablesAmount | Sum up the amount of total receivables, up to the current date, for the selected customer. |
| | DSO | Days Sales Outstanding (DSO) for the last 12 months of the selected customer. |
| | NumberOfDisputes | Sum up the number of open disputes, up to the current date, for the selected customer. |
| | AmountOfDisputes | Sum up the amount of open disputes, up to the current date, for the selected customer. |
| barChart | Revenue | Sales volume, net sales costs, and profit margin of the customer. The KPIs for the last five quarters are displayed on the chart. |
| barChartCard | InvoiceAmountOverdue | Overdue receivable amounts of a customer in different time periods. |
| | InvoiceAmountDue | Future receivable amounts of a selected customer in different time periods. |
| | DSOTrend | DSO trend of a customer over the last 12 months. |
| chartCard | SalesRevenueCardsBySegment | Sales volume KPIs per material of the selected customer. |
| customerHeader | CustomerHeader | Header information about the selected customer. |
| contactList | ContactList | List of key contacts of the customer. |
| invoiceList | InvoiceList | Invoices and credit memos posted in the last 12 months for the selected customer. |
| contractList | ContractList | Contract list of a customer for the last 12 months. |
| contactInformation | ContactInformation | Address and general contact information of the customer. |
| newsFeed | News | News about the customer. |

News-Related Options

Some additional configuration is required for the News component. In the current version, only the Bing news
provider is supported. Bing requires an API key, so this information needs to be provided via configuration.

| Property Name | Description | Values |
|---|---|---|
| news | | |
|   providers | Array of names of the providers that you want to integrate or use | bing |
|   keys | Contains API keys for the selected providers | |
|     <providerName> | Use the name of the provider that you put into the providers array, and assign the API key, for example, "bing":"MyAPI-Key" | |

LayoutConfiguration.json Sample

This is a complete configuration sample. You can apply it as is, just make sure to maintain the proper Bing API
key:

Sample Code

{
  "version": "1.0.0",
  "tabs":[
    {
      "title":"Overview",
      "sections":[
        {
          "title":"customerHeader",
          "type":"customerHeader",
          "components":[
            {
              "title":"Component0",
              "context":"CustomerHeader"
            }
          ]
        },
        {
          "title":"Contact Information",
          "type":"contactInformation",
          "components":[
            {
              "title":"Component1",
              "context":"CustomerDetail"
            }
          ]
        },
        {
          "title":"Key Contacts",
          "type":"contactList",
          "components":[
            {
              "title":"Component2",
              "context":"AccountExecutives"
            }
          ]
        },
        {
          "title":"KPIs",
          "type":"kpi",
          "components":[
            {
              "title":"Receivables Amount Overdue",
              "context":"InvoiceAmountOverdue"
            },
            {
              "title":"Total Receivable Amount",
              "context":"totalReceivablesAmount"
            },
            {
              "title":"DSO, Last 12 Months",
              "context":"DSO"
            },
            {
              "title":"Number of Disputes",
              "context":"NumberOfDisputes"
            },
            {
              "title":"Amount of Disputes",
              "context":"AmountOfDisputes"
            }
          ]
        },
        {
          "title":"Revenue",
          "type":"barChart",
          "components":[
            {
              "title":"Revenue",
              "context":"Revenue"
            }
          ]
        },
        {
          "title":"Sales Volume per Material",
          "type":"chartCard",
          "components":[
            {
              "title":"Trends",
              "context":"SalesRevenueCardsBySegment"
            }
          ]
        },
        {
          "title":"Stock Market",
          "type":"stockChart",
          "components":[
            {
              "title":"Component6",
              "context":"StockChart"
            }
          ]
        },
        {
          "title":"News Feed",
          "type":"newsFeed",
          "components":[
            {
              "title":"Component7",
              "context":"NewsFeed",
              "options": {
                "news": {
                  "providers": ["bing"],
                  "keys": {
                    "bing": "<Your Bing API key>"
                  }
                }
              }
            }
          ]
        }
      ]
    },
    {
      "title":"Contracts",
      "sections":[
        {
          "title":"customerHeader",
          "type":"customerHeader",
          "components":[
            {
              "title":"Component0",
              "context":"CustomerHeader"
            }
          ]
        },
        {
          "title":"Contracts",
          "type":"contractList",
          "components":[
            {
              "title":"Contract List",
              "context":"ContractList"
            }
          ]
        }
      ]
    },
    {
      "title":"Accounts Receivables",
      "sections":[
        {
          "title":"customerHeader",
          "type":"customerHeader",
          "components":[
            {
              "title":"Component0",
              "context":"CustomerHeader"
            }
          ]
        },
        {
          "title":"barChartCardHeader",
          "type":"barChartCard",
          "components":[
            {
              "title":"Future Receivables",
              "context":"InvoiceAmountDue"
            },
            {
              "title":"Overdue Receivables",
              "context":"InvoiceAmountOverdue"
            },
            {
              "title":"DSO Trend",
              "context":"DSOTrend"
            }
          ]
        },
        {
          "title":"Invoices",
          "type":"invoiceList",
          "components":[
            {
              "title":"Invoice List",
              "context":"InvoiceList"
            }
          ]
        }
      ]
    }
  ]
}
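
Because unsupported section types and contexts surface only as errors on the end users' devices, it is worth checking a LayoutConfiguration file before uploading it. The following pre-upload check is an added example, not SAP code: it validates a file against the Section Type and Component Context tables of this guide and flags a News API key that is missing or still a placeholder. The JSON-path notation in the findings and the constructed sample input are this example's own.

```python
import json

# Section type -> allowed component contexts, transcribed from the
# Section Type and Component Context tables in this guide.
SUPPORTED = {
    "kpi": {"InvoiceAmountOverdue", "TotalReceivablesAmount", "DSO",
            "NumberOfDisputes", "AmountOfDisputes"},
    "barChart": {"Revenue"},
    "barChartCard": {"InvoiceAmountOverdue", "InvoiceAmountDue", "DSOTrend"},
    "chartCard": {"SalesRevenueCardsBySegment"},
    "customerHeader": {"CustomerHeader"},
    "contactList": {"ContactList"},
    "invoiceList": {"InvoiceList"},
    "contractList": {"ContractList"},
    "contactInformation": {"ContactInformation"},
    "newsFeed": {"News"},
}
NEWS_PROVIDERS = {"bing"}  # the only provider the guide lists


def check_news(options, path):
    """Findings for the options.news object of a News component."""
    news = options.get("news") if isinstance(options, dict) else None
    if not isinstance(news, dict):
        return [(path, "News component has no options.news object")]
    providers = news.get("providers")
    if not isinstance(providers, list) or not providers:
        return [(path + ".news.providers", "missing or empty providers array")]
    keys = news.get("keys") if isinstance(news.get("keys"), dict) else {}
    out = []
    for name in providers:
        if not isinstance(name, str) or name not in NEWS_PROVIDERS:
            out.append((path + ".news.providers", f"unsupported provider {name!r}"))
            continue
        key = keys.get(name)
        # "<...>" is how this guide writes values the administrator must fill in.
        if not isinstance(key, str) or not key.strip() or key.startswith("<"):
            out.append((f"{path}.news.keys.{name}", "API key missing or still a placeholder"))
    return out


def validate_layout(text):
    """Return (json_path, message) findings for a LayoutConfiguration document."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("$", f"not valid JSON: {exc.msg} (line {exc.lineno})")]
    tabs = cfg.get("tabs") if isinstance(cfg, dict) else None
    if not isinstance(tabs, list):
        return [("$.tabs", "missing tabs array")]
    findings = []
    for t, tab in enumerate(tabs):
        sections = tab.get("sections") if isinstance(tab, dict) else None
        if not isinstance(sections, list):
            findings.append((f"$.tabs[{t}].sections", "missing sections array"))
            continue
        for s, sec in enumerate(sections):
            path = f"$.tabs[{t}].sections[{s}]"
            stype = sec.get("type") if isinstance(sec, dict) else None
            if not isinstance(stype, str) or stype not in SUPPORTED:
                findings.append((path + ".type", f"unsupported section type {stype!r}"))
                continue
            comps = sec.get("components")
            if not isinstance(comps, list):
                findings.append((path + ".components", "missing components array"))
                continue
            for c, comp in enumerate(comps):
                cpath = f"{path}.components[{c}]"
                ctx = comp.get("context") if isinstance(comp, dict) else None
                if not isinstance(ctx, str) or ctx not in SUPPORTED[stype]:
                    near = [k for k in SUPPORTED[stype]
                            if isinstance(ctx, str) and k.lower() == ctx.lower()]
                    hint = f"; the table spells it {near[0]!r}" if near else ""
                    findings.append((cpath + ".context",
                                     f"context {ctx!r} not listed for type {stype!r}{hint}"))
                elif stype == "newsFeed":
                    findings += check_news(comp.get("options"), cpath + ".options")
    return findings


# Constructed input: one valid KPI, one context with different capitalisation,
# one section type that is not in the table, one News key left as a placeholder.
SAMPLE_LAYOUT = """
{"version": "1.0.0", "tabs": [{"title": "Overview", "sections": [
  {"title": "KPIs", "type": "kpi", "components": [
    {"title": "Overdue", "context": "InvoiceAmountOverdue"},
    {"title": "Total", "context": "totalReceivablesAmount"}]},
  {"title": "Stock Market", "type": "stockChart", "components": [
    {"title": "Stock", "context": "StockChart"}]},
  {"title": "News Feed", "type": "newsFeed", "components": [
    {"title": "News", "context": "News", "options": {"news": {
      "providers": ["bing"], "keys": {"bing": "<Your Bing API key>"}}}}]}
]}]}
"""

if __name__ == "__main__":
    for path, message in validate_layout(SAMPLE_LAYOUT):
        print(f"{path}: {message}")
```

The checker follows the tables, so when run against the complete sample above it reports the values that do not appear in them, such as the stockChart section type.
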

1.3 User Authentication and Authorization

The following diagram shows the authentication mechanisms that are used between the various components
of the SAP Customer Guide technology stack.

In the onboarding process, the mobile client authenticates to the SAML 2.0 identity provider (IdP) using SAML
authentication. You need to configure a SAML IdP for this.

Based on the user authenticated via SAML, the mobile client requests an OAuth token that is used in
subsequent authentications to SAP Cloud Platform. The setup of this is described in Configure Mobile Services
[page 5].

The authentication between SAP Mobile Services and SAP S/4HANA on premise is performed via Cloud
Connector SSO, which does not require any specific configuration.

The Principal Propagation technology of the SAP Cloud Connector is used to access the backend system in the
on-premise landscape. The setup is described here: Integration into the On-Premise Landscape [page 29].

The IdP needs to fulfill the SAML 2.0 standard. Use one of the following mutually exclusive options:

1. Use an existing SAML 2.0 IdP: If you already have a SAML 2.0 compliant IdP, you can use this for the
Corporate Identity Provider. For more information, see Identity Federation with a Corporate Identity
Provider.
2. Use an Identity Authentication Tenant: If you don't have a Corporate Identity Provider, you can use SAP's
cloud product - SAP Cloud Platform Identity Authentication Service. A detailed description about this
product can be found here: SAP Cloud Platform Identity Authentication Service
3. Use the SAP ID Service: The SAP ID service is SAP's ready-to-use identity service that is offered as a
Software-as-a-Service solution completely operated by SAP. This variant should only be considered for
testing scenarios as you don't have control over the user store. Also, you cannot integrate this solution with
your on-premise user management.

Prerequisites

● You have a tenant on SAP Cloud Platform. Within this tenant, your user is assigned as a member.

● On this tenant, you have subscribed and enabled SAP Cloud Mobile Services.
● If you are using SAP Cloud Platform Identity Authentication Service as the SAML IdP, you have subscribed
to this service and have a user with the corresponding administrative privileges.

1.3.1 Configure a Trusted Identity Provider

For information about configuring identity providers, see Application Identity Provider.

Configure SAP Cloud Platform as a Local Service Provider

Note

Skip this step if you are using the SAP ID Service as the IdP.

Follow the procedure provided here: Configure SAP Cloud Platform as a Local Service Provider.

Make sure that you apply the following settings:

| Setting | Value |
|---|---|
| Configuration Type | Custom |
| Principal Propagation | Enabled |
| Force Authentication | Disabled |

Configure Trust to the SAML Identity Provider

Note

Skip this step if you use the SAP ID Service as the IdP.

Follow the procedure provided here: Configure Trust to the SAML Identity Provider

The configuration of groups is optional. It depends on how you want to assign users to groups. You can do this
in one of two ways:

1. Define assertion-based groups: The user-to-group assignment is maintained in your SAML IdP. Each SAML
assertion that is sent to SAP Cloud Platform contains not only the user identifier, but also the information
about which groups this user belongs to. This variant also allows you to derive the user groups, for example
from your ABAP backend systems, by using the SAP Cloud Platform Identity Provisioning service.
2. Maintain the user-to-group assignment in SAP Cloud Platform cockpit, as described here: Managing Roles

Tip

You can do the initial configuration of your system by maintaining the user-to-group assignment in SAP
Cloud Platform cockpit and later on with assertion-based groups. This might help you to identify issues in
the initial setup phase.

To perform this configuration step, you need to first download the metadata of your SAML IdP. If you are using
an Identity Authentication tenant, see the documentation about how to download the SAML IdP metadata
here: Tenant SAML 2.0 Configuration

1.3.2 Configure your SAML IdP

Note

Skip this step if you use the SAP ID Service as the IdP.

In this step you configure your SAML IdP to interact with your SAP Cloud Identity tenant. If you are using an
existing SAML 2.0 IdP, consult the documentation of the vendor for information about how to configure a SAML
service provider.

The following steps are only valid if you are using an Identity Authentication tenant.

The SAP Cloud Platform Identity Authentication service uses the term Application, which refers to a SAML 2.0
service provider. In this context, an Application refers to the SAP Cloud Platform tenant that you configured in
the previous steps.

For information about how to create a new application on your Identity Authentication tenant, see Create a New
Application.

The following steps are important to ensure proper authentication:

● Configure the Name ID attribute sent to the application: Configure the Subject Name Identifier Sent to the
Application
In this step you configure the user name that is used in SAP Cloud Platform. The same name is also sent to
the SAP Cloud Connector for principal propagation. This name is also required for mapping your users in
your Identity Authentication tenant to your users in the SAP on-premise backend systems. We recommend
using the Login Name as the Name ID attribute as this allows you easy mapping to your on-premise user
names.
● Configure the default attributes sent to the application: Configure the Default Attributes Sent to the
Application
If you use assertion-based groups to assign users to groups in SAP Cloud Platform, we recommend using
the User Groups functionality of your Identity Authentication tenant as described here: User Groups. To use
this user-to-group assignment on SAP Cloud Platform, you also have to send the group information of your
Identity Authentication tenant to SAP Cloud Platform in the SAML assertion. This is why you should add
the groups attribute in this configuration step.

1.3.3 Configure Roles on SAP Cloud Platform

SAP Customer Guide uses different roles to authorize different privileges to authenticated users. The following
table gives you an overview of the roles that are required for the different user types.

Some services of SAP Cloud Platform, such as SAP Cloud Platform Mobile Services Development &
Operations, have predefined roles that a user must be assigned to in order to perform specific tasks. Instead of
directly assigning these roles to users, we strongly recommend using groups. Users are assigned to groups and
roles are assigned to groups.

| User | Application | Role | Details |
|---|---|---|---|
| Administrator of SAP Cloud Platform Mobile Services | SAP Cloud Platform Mobile Services Cockpit (dispatcher) | MobileServicesCockpitAdministrator | There is no role called MobileServicesCockpitAdministrator provided by default. You need to create this role in the SAP Cloud Platform Mobile Services cockpit as described in Set Up Customer Accounts. Note that you don't have to use the name MobileServicesCockpitAdministrator, but for consistency reasons we recommend that you use this name as it is also used in the documentation as an example. This role is required to log in to the SAP Cloud Platform Mobile Services cockpit. |
| | SAP Cloud Platform Mobile Services (mobilejava) | Administrator | This role is required to log in to the SAP Cloud Platform Mobile Services cockpit. |

Assigning Roles to Users

Note that the roles defined in the previous section are only visible after you have subscribed to the referenced
applications.

For information about defining groups and assigning users, see Managing Roles.

1.3.4 Integration into the On-Premise Landscape

The principal propagation mechanism of the SAP Cloud Connector is used for authentication from SAP Cloud
Platform to the on-premise SAP NetWeaver ABAP and Java systems, as described in Configure Principal
Propagation to an ABAP System for HTTPS. A user in the SAML IdP needs to be mapped to a user in the
backend system. The recommended way of defining this mapping is with rule-based mapping of certificates, as
described in Rule-based Mapping of Certificates.

One option is to make the user alias in the AS ABAP system identical to the Logon Name in your Identity
Authentication tenant.

User Management

When using the SAP Cloud Platform Identity Authentication service, you have several options for keeping the
users in sync with on-premise user management:

1. Manual maintenance: You can create users manually on your IdP. This solution is only recommended if
you have a very small user base.
2. SAP Cloud Platform Identity Provisioning service: This service allows you to synchronize your user
master data from various systems, such as an SAP NetWeaver ABAP system, into your Identity
Authentication tenant. For more information, see SAP Cloud Platform Identity Provisioning Service.
3. Corporate User Store: If you have an existing on-premise user store, you can configure the SAP Cloud
Platform Identity Authentication service to use the corporate user store in addition to its own cloud user
store. For more information, see Corporate User Store.

1.3.5 Example Setup

The following example setup illustrates a best practice. This scenario uses a valid combination of the
available options:

● SAP Cloud Platform Identity Authentication service is used as the SAML IdP
● Assertion-based groups are used to map users to groups on SAP Cloud Platform
● SAP Cloud Platform Identity Authentication Service configuration:
○ Users are assigned to groups. Each group on the SAP Cloud Platform Identity Authentication service
maps to one group on SAP Cloud Platform.
○ The Login Name is the Name ID attribute.
○ Users and groups are maintained manually.

1.3.5.1 Create Roles on SAP Cloud Platform Cockpit

Procedure

1. Log on to SAP Cloud Platform cockpit.


2. On the left side panel, choose Security and Authorizations.
3. Open the Groups tab.
4. Create a group called CloudPlatformMobileServices-Admin.

Assign roles as follows:

| Group | Application | Role |
|---|---|---|
| CloudPlatformMobileServices-Admin | SAP Cloud Platform Mobile Services Cockpit (dispatcher) | MobileServicesCockpitAdministrator |
| | SAP Cloud Platform Mobile Services (mobilejava) | Administrator |

1.3.5.2 Download Metadata from Identity Authentication

Procedure

1. Log on to your Identity Authentication tenant.


2. On the left side panel, select Application & Resources and Tenant Settings.
3. Click SAML 2.0 Configuration.
4. Click Download Metadata File.

This downloads a file named metadata.xml.

1.3.5.3 Configure Trust in SAP Cloud Platform Cockpit

Procedure

1. Log on to the SAP Cloud Platform cockpit.


2. On the left side panel, select Security and Trust.
3. Open the Local Service Provider tab. Click Edit and select Custom as the Configuration Type.
4. Leave all other fields with their existing values, and click Save.
5. Click the Get Metadata link.

This downloads an XML file whose name starts with https–.

6. Open the Application Identity Provider tab.
7. Click Add Trusted Identity Provider.
8. In the dialog box that opens, click Browse. Select the metadata.xml file that you downloaded from your
Identity Authentication tenant. All required fields are populated. Do not change these values and do not
close this dialog box.
9. Open the Groups tab and create the following assertion-based group:

| Group | Mapping Rules |
|---|---|
| CloudPlatformMobileServices-Admin | groups equals CloudPlatformMobileServices-Admin |

10.

1.3.5.4 Create an Application in Identity Authentication

Procedure

1. Log on to your Identity Authentication tenant.


2. On the left side panel, select Application & Resources and Applications.
3. Click + Add to create a new application.
4. Give the application a name, such as SAP Customer Guide.
5. Click Save.

6. Click SAML 2.0 Configuration.
7. Click Browse and upload the XML file that you downloaded from SAP Cloud Platform. The file name starts
with https–.
8. Leave all of the entries with their default values and click Save.

9. Navigate back to Application Configuration and click Name ID Attribute.


10. Select Login Name and click Save.

11. Navigate back to Application Configuration and click Assertion Attributes.
12. By default, First Name, Last Name, and E-Mail are already configured. Click + Add to add additional
attributes.
13. From the dropdown list of attributes, select Groups. Leave the assertion attribute value as groups.
14. Save your changes.

1.3.5.5 Create Users and Groups in Identity Authentication

Procedure

1. Log on to your Identity Authentication tenant.


2. On the left side panel, select Users & Authorizations and User Groups.
3. Create a group called CloudPlatformMobileServices-Admin.

4. On the left side panel, select Users & Authorizations and User Management.
5. Create new users as required and assign the relevant groups to these users.
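With the example setup complete, each assertion from the Identity Authentication tenant should carry the Login Name as NameID and a groups attribute that the mapping rule "groups equals CloudPlatformMobileServices-Admin" can match. The following Python script is an added example, not SAP code: it inspects a decoded assertion and reports why a user would not land in the expected group. The sample assertion is constructed, and both the exact-match reading of "equals" and the "@" heuristic for e-mail addresses are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assertion-based group rule from the example setup:
# (platform group, assertion attribute, operator, expected value)
MAPPING_RULES = [
    ("CloudPlatformMobileServices-Admin", "groups", "equals",
     "CloudPlatformMobileServices-Admin"),
]

# Constructed sample assertion (hypothetical issuer and user, not captured
# from a real tenant). Signature and Conditions are omitted: this script
# inspects content only and does not validate the assertion.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2020-08-04T10:00:00Z">
  <saml:Issuer>idp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID>JDOE</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>CloudPlatformMobileServices-Admin</saml:AttributeValue>
      <saml:AttributeValue>Sales</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Return the NameID and all attribute values of a SAML 2.0 assertion."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not allowed")
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % NS["saml"]
    # Accept a bare Assertion or a Response that wraps one.
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 2.0 Assertion element found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "attributes": attributes,
    }


def resolve_groups(parsed, rules):
    """Apply 'equals' rules; exact string comparison is an assumption."""
    groups = set()
    for group, attribute, operator, expected in rules:
        if operator != "equals":
            raise ValueError("unsupported operator: %s" % operator)
        if expected in parsed["attributes"].get(attribute, []):
            groups.add(group)
    return groups


def review(parsed, rules):
    """List reasons why authentication or group mapping may not work."""
    findings = []
    if not parsed["name_id"]:
        findings.append("NameID is empty: no user name for principal propagation")
    elif "@" in parsed["name_id"]:  # heuristic, not an SAP rule
        findings.append("NameID looks like an e-mail address; the guide "
                        "recommends Login Name")
    for group, attribute, _operator, expected in rules:
        values = parsed["attributes"].get(attribute)
        if values is None:
            findings.append("attribute '%s' is missing: the rule for %s "
                            "cannot match" % (attribute, group))
        elif expected not in values:
            near = [v for v in values if v.strip().lower() == expected.lower()]
            if near:
                findings.append("value %r differs from %r only by case or "
                                "whitespace" % (near[0], expected))
    return findings


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("NameID:", parsed["name_id"])
    print("Groups granted:", sorted(resolve_groups(parsed, MAPPING_RULES)))
    for finding in review(parsed, MAPPING_RULES):
        print("FINDING:", finding)
```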

1.4 Onboarding - Admin Tasks

Context

The SAP Customer Guide app currently supports QR code-based onboarding. Follow these steps to get the QR
code, which you can then distribute to end users. This task can only be done by administrators of SAP Cloud
Platform Mobile Services. Before you start, make sure that you have set up the application in Mobile Services
as described in Configure Mobile Services [page 5].

Tip

When end users onboard, they are asked to provide their consent. To further improve end-user experience,
we recommend that you enable auto approve. You do this in the Security tab in the mobile application that
you created in Mobile Services.

For more information, see Editing OAuth Clients.

Procedure

1. Log on to the SAP Cloud Platform Mobile Services cockpit.

2. On the left side panel, click Mobile Applications > Native/Hybrid.


3. Select the SAP Customer Guide application.
4. Open the APIs tab.

You will see a list of Mobile Destination URLs and the QR code that end users can use for onboarding.

1.5 Onboarding - End-User Tasks

Procedure

1. Open the Apple App Store and search for the SAP Customer Guide app.
2. Install the app and open it.
3. To connect to SAP Cloud Platform, scan the QR code that you received from an administrator.
   1. Tap the Scan button.
   2. Allow the app to access the camera. The device's camera is activated.
   3. (Optional) Allow the app to access the device's photos.
   4. Scan the QR code.
   5. Tap Continue.
4. Log in with your credentials.
5. Read the End User License Agreement and tap Agree.
6. If requested, create a passcode for unlocking the app.
7. Tap Next and confirm the passcode.
8. Tap Done.
9. The screen with the Face ID (or Touch ID) activator for unlocking the application opens.

○ If you want to use Face ID (or Touch ID) to unlock the app, tap Enable.
○ If you want to use the passcode to unlock the app, tap Not Now.

1.6 Operations

The operations information contains the following tasks:

Error Handling [page 38]

Logging and Tracing [page 39]

Monitoring Mobile Services [page 40]

1.6.1 Error Handling

If end users face an error in the SAP Customer Guide mobile application, they should reach out to their IT
contact, who can then open a customer incident in SAP Support.

Report an Incident

Use the FI-MOB-CG component to report bugs or incidents in SAP Customer Guide to SAP Support.

To speed up processing of your incident, please provide the following information:

● Installed version of the mobile application


● Device and iOS version
● Detailed steps to reproduce the issue
● Time when the issue happened
● Client log

Upload the Client Log

The app automatically uploads log files, which can be used for issue analysis by SAP Support, to SAP Cloud
Platform Mobile Services. You need to first enable client log upload in your SAP Cloud Platform Mobile Services
cockpit as described in Logging and Tracing [page 39].

Alternatively, users can send the logs as an attachment from the app’s Profile screen. To use this feature, an
administrator has to set up the app configuration as described in Maintain Configuration Resources [page 13].
If the user cannot navigate to the Profile screen, they can download the files from iTunes and then send them to
you, as follows:

1. Open iTunes on your computer and connect your mobile device to the same computer.
2. After iTunes has detected your mobile device, select your device and go to the Apps view.
3. In the lower left corner, search for the SAP Customer Guide app in the Apps list, and select it.
A folder structure opens in the lower right corner in the Documents of <App Name>: box.

4. Select the Logs folder, click Save as..., and save the logs folder on your computer.
5. The Logs folder contains .trc and .log files (depending on your settings). Send these files to SAP Support.
You can zip the files into one file.

Upload iOS Crash Logs

If the SAP Customer Guide mobile application crashes on your Apple iOS mobile device, send the device crash
logs for the incident to SAP Support:

1. Start iTunes on your computer and connect your mobile device to the same computer.
2. After iTunes has detected your mobile device, synchronize the device (if it does not start to synchronize
automatically).
3. When the sync is complete, the crash logs are stored on your computer under the following paths
(depending on your operating system):
○ OSX (Mac)
Library/Logs/CrashReporter/MobileDevice/<DeviceName>/
○ Windows 10
C:\Users\<UserName>\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice\<DeviceName>

Note

For <UserName> and <DeviceName>, you have to apply your personal values.

4. The respective folder contains several .crash files. Search for the crashed application and send all crash
files for this application to SAP Support. You can zip the files into one file.

1.6.2 Logging and Tracing

The Customer Guide Mobile app has built-in logging capabilities. By default, all errors are logged into a local file.
Users can send an email to support and attach the log file.

Note

To enable the development team to better analyze issues, you can send the log files using the Report an
Issue feature on the Profile screen. Log files contain information that records the logical flow of the app,
such as error messages or view controller-related information. Log files never contain any personal
information.

The app also uploads logs automatically to SAP Cloud Platform Mobile Services each time the app starts.

Sending Logs Via Email

Mobile users can send logs via email. Tap on the user profile image in the upper-left corner of the app and then
click Report an Issue.

The user’s default email client opens with a predefined message and the latest log file already attached to the mail.

Uploading the Log File to the Server

The mobile app automatically uploads local log files so that an administrator can analyze them or forward them
to SAP support. The logs can be accessed by administrators via their SAP Cloud Platform Mobile Services
tenant.

1.6.3 Monitoring Mobile Services

SAP Cloud Platform Mobile Services offer a set of capabilities to monitor the mobile application. This includes:

● Logging of errors between SAP Cloud Mobile Services and the backend system. For more information, see
Application Logs and Trace Files.
● You can find the support files uploaded from the mobile application in SAP Cloud Platform Mobile Services
under Analytics > Logs. Set the filter for Application ID to com.sap.mobile.apps.CustomerLive.

● Trace network activity based on user name, connection, application, or content type. For more information,
see Tracing Network Activity.

1.7 Security

Note

This section does not give any advice on whether these features and functions are the best method to
support company-, industry-, regional-, or country-specific requirements. Furthermore, this guide does not
give any advice or recommendations with regard to additional features that would be required in a
particular environment. Make decisions related to data protection on a case-by-case basis and under
consideration of the given system landscape and the applicable legal requirements.

1.7.1 Data Protection and Privacy

This section describes the specific features and functions that SAP provides to support compliance with legal
data protection requirements and data privacy.

Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with general data privacy acts, it is necessary to consider compliance with industry-specific
legislation in different countries.

Note

In most cases, compliance with data privacy laws is not a product feature. SAP software supports data
privacy by providing security features and specific data protection-relevant functions, such as functions for
the simplified blocking and deletion of personal data. SAP does not provide legal advice in any form. The
definitions and other terms used in this guide are not taken from any given legal source.

Caution

The extent to which data protection is ensured depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system
are the basic technical requirements for compliance with data privacy legislation and other legislation.

Glossary

| Term | Definition |
|---|---|
| Personal data | Information about an identified or identifiable natural person. |
| Sensitive Personal Data | Special categories of personal data including social secrecy, tax secrecy, bank secrecy, social security number (US), and credit card data (US). |
| Business purpose | A legal, contractual, or other justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts. |
| Blocking | A method of restricting access to data for which the primary business purpose has ended. |
| Deletion | Deletion of personal data so that the data can no longer be used. |
| Retention period | The time period during which data must be available. |
| End of purpose (EoP) | A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization. |

User Consent

SAP Customer Guide does not provide separate consent management. For the person-related data retrieved
from the backend systems, we assume that the application used to create the person-related data in the
system ensures that consent was given by the affected person. This means that it does not explicitly store the
consent of the user and a withdrawal of given consent is not supported on the Mobile Client. The customer has
to make sure that the consent of the data subjects is received by providing proper technical and organizational
measures.

Before using any device capabilities, such as the camera, calendar, geolocation, or photo library, the user is
asked for consent to use these mobile capabilities.

SAP Customer Guide provides sign-out functionality (User Profile > Sign Out). This functionality resets all
application settings, but cannot reset the iOS system settings, especially the privacy settings such as access to
the camera, photos, and calendars.

Please be aware that iOS devices are not multi-user devices, so if the device user changes, a full reset of the
device has to be done using the iOS capabilities.

Sensitive Person-Related Data

SAP Customer Guide does not persist sensitive person-related data; however, it does process sensitive
person-related data (for example, addresses). Therefore, read access logging must be activated in the SAP S/4HANA
on-premise backend system if required. All systems use the Read Access Logging (RAL) functionality provided
by SAP NetWeaver. For more information, see Read Access Logging.

Displaying Person-Related Data

All person-related data for SAP Customer Guide is retrieved to the mobile device based on the user ID of the
user. Personal data includes the user ID and name. For the person specified, data from various backend
systems is retrieved based on the user authorizations. All retrieved data is also directly visible in the app. For a
full report of the stored data please refer to the relevant backend systems, which hold the final persistence of
the data.

Change Log for Person-Related Data

There is no person-related data persisted on the mobile client.

Change logs must be activated in the respective backend systems if required.

1.7.1.1 Data Protection

Application data that is persisted locally in SAP Customer Guide is encrypted with 256-bit AES encryption using
the passcode set up by the user, or a default key if the passcode is deactivated.

Passcode Protection in the Mobile Application

Administrators of SAP Customer Guide can configure one of the following protection scenarios:

| Protection Scenario | Level of Protection | Description |
|---|---|---|
| App Passcode | Very High | ● The user sets an application passcode during the onboarding process that fulfills the configured passcode complexity requirements. ● Each time the app enters the foreground and the lock timeout has been exceeded, the user has to enter the application passcode to access the app content. ● All security-relevant data that is stored within the app is encrypted with a key that is derived from the application passcode. |
| Touch ID / Face ID | High | ● Each time the app enters the foreground and the lock timeout has been exceeded, the user has to unlock the app using Touch ID/Face ID. ● If Touch ID/Face ID fails, the user can also unlock the app with the device passcode. ● All security-relevant data that is stored within the app is encrypted with a randomly generated key. This key is stored in the iOS keychain and can only be read via user authentication using Touch ID/Face ID. |
| Default | Low | ● There is no extra protection for launching the mobile app. However, device protection can still be enforced, for example by using Mobile Device Management (MDM). ● All security-relevant data that is stored in the app is encrypted with a randomly generated key. This key is stored in the iOS keychain without any additional protection. |

Deletion of Person-Related Data

SAP Customer Guide may process person-related data that is subject to data protection laws applicable in
specific countries as described in SAP Note 1825544 : Simplified Deletion and Blocking of Personal Data in
SAP Business Suite.

As there is no person-related data persisted on SAP Cloud Platform or the Mobile Client, the respective
backend systems must provide an erasure functionality. As soon as the data is deleted or blocked in the
backend systems, it is no longer available on the frontend, as it is a pure online application (with
temporary caching). If the user deletes the SAP Customer Guide application from the mobile device or
resets the application, all person-related protected data in the local data store is deleted.

1.7.2 Identity and Access Management

This section contains an overview about how administrators can configure the security-relevant aspects of the
SAP Customer Guide solution.

1.7.2.1 Mobile Client

This topic describes the security concepts of the SAP Customer Guide mobile app. It also shows the possible
configuration options that affect security on the mobile device.

Configuration Bootstrapping

The SAP Customer Guide mobile app is an SAP standard application that is distributed via Apple's App Store.
Because of this, you need to configure which SAP Cloud Platform account it should connect to during the
onboarding process. This process starts the very first time the app is launched on the mobile device. The
required data that is used to connect to the correct SAP Cloud Platform account is referred to as
"bootstrapping configuration" in this document.

The mobile app uses QR codes to retrieve this bootstrapping configuration.

It's important that this bootstrapping process is secured, so that no malicious configuration data can be
injected into the mobile app.

Authentication Concept

The SAP Customer Guide mobile app authenticates the user on SAP Cloud Platform's SAML Identity Provider
during the onboarding process. After successful authentication, the mobile app requests an OAuth2 token from
SAP Cloud Platform that is used for all subsequent authentication communication. Administrators can
configure the lifetime of the Access Token and the Refresh Token. If the Access Token has expired, the mobile
app requests a new token via the Refresh Token. This does not require any user interaction. If the Refresh Token
is also expired, the user has to authenticate again on SAP Cloud Platform's SAML Identity Provider.

Secure Communication

All communication channels of the mobile app use the HTTPS protocol to encrypt the data in transit. The
mobile app fulfills Apple's App Transport Security requirements, which ensure that a defined minimum level of
security configuration is met. More details about the settings are available in Apple's iOS Security Guide:
https://www.apple.com/business/docs/iOS_Security_Guide

Security Configuration of the Mobile App

The mobile app supports several levels of security. This is because there is always a tradeoff between security
and comfort for the end user. In the most secure mode, the user always has to enter a passcode when the app
moves from background into foreground. This has a significant impact on the user experience. Administrators
can configure this in the SAP Cloud Platform Mobile Service, to ensure that the individual security
requirements are met.

The security level is expressed by defining the protection level. The following protection levels are defined:

| Level | Security | Comfort |
|---|---|---|
| App Passcode Protection | Very High | Low |
| Biometric Protection | High | Medium |
| Default Protection | Medium | High |

The selected protection level influences how the end user can access the app and also how local data is
encrypted. The persisted data includes critical elements such as the OAuth2 token that is used for
authentication on SAP Cloud Platform Mobile Services.

Note that even with the lowest protection level, all of the iOS protection mechanisms apply. You can, for
example, use a Mobile Device Management (MDM) system to enforce protection on the device level with a
device passcode. This means that all stored data is already encrypted by the operating system. If the device is
protected with a passcode, then this is already a high security level.

The protection modes that are discussed here are in addition to these default iOS device security mechanisms.

Security Configuration User Interface

Administrators configure security in the SAP Cloud Platform Mobile Services cockpit.

Application Login

The administrator can configure a lock timeout in the cockpit. This timeout value is taken into consideration
when the mobile app is launched. The mobile app shows a login screen if the protection mode is either App
Passcode Protection or Touch ID/Face ID Protection, and if one of these two situations applies:

● The mobile app starts
● The mobile app moves from the background into the foreground and the configured timeout has expired

Depending on the app protection level, the mobile app shows either a screen to enter the app passcode or the
iOS framework shows a screen to authenticate using Touch ID/Face ID (with a fallback to the device passcode).

App Protection Levels

App Passcode Protection


This protection level is applied if the administrator has configured the passcode policy in the SAP Cloud
Platform Mobile Services cockpit with these values:

| Configuration Name | Configuration Value |
|---|---|
| No passcode required | false |

Choosing this protection level has the following consequences:

● The user has to set an application passcode during the onboarding process that fulfills the configured
complexity requirements.
● Each time the app enters the foreground and the lock timeout has been exceeded, the user has to enter the
application passcode to enter the app.
● All security-relevant data that is stored in the app is encrypted with a key that is derived from the app
passcode.
● The app passcode is never persisted locally nor is it sent to the server.

If the administrator did not configure the passcode policy in the cockpit, this protection level is the default.

Touch ID/Face ID Protection


This protection level is applied if the administrator has configured the passcode policy in the cockpit with these
values:

Configuration Name                  Configuration Value
No passcode required                false
Biometric authentication allowed    true

In addition to these settings, the following conditions must be fulfilled:

● Touch ID/Face ID is enabled on the mobile device.
● During the onboarding process, the user agreed to use Touch ID/Face ID for device unlocking.

If any of these conditions is not met, then the mobile app uses the default protection mechanism.

Choosing this protection level has the following consequences:

● Each time the app moves to the foreground and the lock timeout has been exceeded, the user has to unlock the
app using Touch ID/Face ID.
● If Touch ID/Face ID fails, the user can also unlock the app with the device passcode.
● All security-relevant data that is stored in the app is encrypted with a randomly generated master key. This
key is stored in the iOS keychain and can only be read if the user authenticates using Touch ID/Face ID.
This key never leaves the device.

Default Protection

This protection level is applied if the administrator has configured the passcode policy in the cockpit with these
values:

Configuration Name                  Configuration Value
No passcode required                true
Biometric authentication allowed    false

Choosing this protection level has the following consequences:

● There is no extra protection for launching the mobile app. However, there can still be device protection
(device passcode) that is enforced, for example using MDM.
● All security-relevant data that is stored in the app is encrypted with a randomly generated master key. This
key is stored in the iOS Keychain without any additional protection. This key never leaves the device.
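
The Touch ID/Face ID and Default protection levels differ only in how the random master key is written to the iOS Keychain. The following Swift example is added here for illustration and is not SAP's code. The type and function names, the service and account strings, and the chosen accessibility classes are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security

// Illustrative names (not from the guide): KeyProtection, base, storeMasterKey, loadMasterKey.
enum KeyProtection { case biometric, noneRequired }
enum KeyStoreError: Error { case random(Int32), accessControl, keychain(OSStatus) }

// Placeholder service/account identifying the Keychain item.
let base: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.example.app",
    kSecAttrAccount as String: "db-master-key",
]

/// Creates a random 256-bit master key and stores it according to the protection level.
func storeMasterKey(_ protection: KeyProtection) throws {
    var key = Data(count: 32)
    let rc = key.withUnsafeMutableBytes { SecRandomCopyBytes(kSecRandomDefault, 32, $0.baseAddress!) }
    guard rc == errSecSuccess else { throw KeyStoreError.random(rc) }

    var item = base
    item[kSecValueData as String] = key
    switch protection {
    case .biometric:
        // .userPresence: Touch ID/Face ID, falling back to the device passcode.
        guard let acl = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .userPresence, nil)
        else { throw KeyStoreError.accessControl }
        item[kSecAttrAccessControl as String] = acl
    case .noneRequired:
        // Readable without user interaction once the device has been unlocked after boot.
        item[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    }
    SecItemDelete(base as CFDictionary)  // replace any previously stored key
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeyStoreError.keychain(status) }
}

/// Reads the key back; for a .biometric item iOS prompts the user before returning data.
func loadMasterKey(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    var query = base
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let key = result as? Data else { throw KeyStoreError.keychain(status) }
    return key
}
```

Both variants use a `ThisDeviceOnly` accessibility class, so the item is not migrated to another device through backup restore, which corresponds to the statement that the key never leaves the device.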

1.7.2.2 Role Concept - Backend Systems

SAP Customer Guide uses existing services provided by SAP S/4HANA on Premise, so the respective role
concept of those services is applied. The OData services used are:

● sap/opu/odata/sap/API_BUSINESS_PARTNER
● sap/opu/odata/sap/API_OPLACCTGDOCITEMCUBE_SRV
● sap/opu/odata/sap/API_SALES_CONTRACT_SRV
● sap/opu/odata/sap/C_DAYSSALESOUTSTANDING_CDS
● sap/opu/odata/sap/C_FUTUREACCTRBLS_CDS
● sap/opu/odata/sap/C_OPENDISPUTECASE_CDS
● sap/opu/odata/sap/C_OVERDUEACCTRBLS_CDS
● sap/opu/odata/sap/C_SALESVOLUMEANALYTICSQRY_CDS
● sap/opu/odata/sap/C_TOTALACCOUNTSRECEIVABLES_CDS

1.7.2.3 Role Concept - Mobile Services

Performing administrative tasks on SAP Cloud Platform Mobile Services should be restricted to authorized
users only. SAP Cloud Platform Mobile Services provides a set of roles that the relevant users need to be
assigned to.

The list of roles and their purpose can be found here: Set Up Customer Accounts

For information about defining groups and assigning users, see Security Administration: Managing
Authentication and Authorization.

1.7.3 Technical System Landscape

The following diagram shows the security components in the system landscape, and especially how
authentication is handled in the SAP Customer Guide scenario.

SAP Customer Guide deals with personal data. The personal data is persisted in the Finance backend systems
of the customer and processed on the customer’s mobile devices that have the SAP Customer Guide mobile
app installed.

Communication between the SAP Customer Guide mobile app and SAP Cloud Platform is secured by industry
best practices and state-of-the-art open cryptographic standards. Customers use a unique, customer-specific
URL. The communication channels are secured with the Transport Layer Security protocol (TLS 1.2), which is
used in HTTPS. Users of the iOS application authenticate on SAP Cloud Platform using the SAML 2.0 protocol.
Based on this process step, the mobile app requests an OAuth 2.0 token from SAP Cloud Platform and stores it
on the device in a SQLCipher database. This database uses the Advanced Encryption Standard (AES) with a
256-bit key length to persist its content on top of the iOS file system, which is also encrypted (see
https://www.apple.com/business/docs/iOS_Security_Guide.pdf). Administrators on SAP Cloud Platform Mobile
Services can configure how the user has to authenticate on the mobile app to access this token. This also
influences how the key of the SQLCipher database is created and persisted.

The configuration of Mobile Services and the Integration content is stored on SAP Cloud Platform. This data
can only be read and modified by authenticated users with the respective authorization roles. It's important
that those roles are only assigned to administrative users. For more information, see Role Concept - Mobile
Services [page 49].

In the SAP Customer Guide solution, no business data is stored on SAP Cloud Platform but only in the
on-premise backends. These backend systems are accessed from SAP Cloud Platform via the SAP Cloud
Connector. The authentication to those systems is done via a principal propagation mechanism provided by
the SAP Cloud Connector. This ensures that the mobile user that has been authenticated on SAP Cloud
Platform is propagated to the respective SAP ABAP and Java-based backend systems. There is no technical
user involved in this communication. As the backend systems have their own User Store, the users need to be
mapped and synchronized against the user database on the SAML IdP. If SAP Cloud Platform Identity
Authentication Service is used as the SAML IdP, a variety of options exist to connect these two user stores.
These are described in Corporate Identity Providers.

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Videos Hosted on External Platforms


Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Beta and Other Experimental Features


Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

www.sap.com/contactsap

© 2020 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
