2020-08-04
This guide is the central starting point for installing and configuring the SAP Customer Guide. It also provides
security and operations information. It is intended for the following target groups:
● System administrators
● Technical consultants
● Key users
The SAP Customer Guide mobile app provides users with consistent and holistic financial and commercial
information about a customer, such as an overview of disputes and sales volume across all revenue streams, or
account receivables. The app supports C-level customer conversations, customer negotiations, overdue calls,
customer visits, and approvals.
The main purpose of the app is to help users to prepare for customer C-level meetings and contractual
discussions. The app provides an easy-to-consume overview, and users can drill down into the respective SAP
Fiori launchpad content directly from the app.
The main user groups of SAP Customer Guide are regional CFOs and senior sales managers, but the data
might also be relevant for any sales person.
After logging into the mobile app, users select a customer from the customer list. Customers can be marked as
favorites for faster access. Users get an overview of the most important financial KPIs and information on three
customer screens: Customer Overview, Contracts, and Accounts Receivable.
The app is integrated into SAP S/4HANA on premise, and can be configured easily to adapt the layout and
show data elements according to your needs.
Documentation
Make sure you have the latest version of this guide by checking the SAP Customer Guide, mobile app page on
SAP Help Portal before starting the installation.
Getting Support
If you encounter any problems with SAP Customer Guide, report an incident on the SAP Support Portal at
http://support.sap.com/incident.
Related Products
See the following documents for more information about the respective topics.
SAP Cloud Platform SDK for iOS
The SAP Customer Guide iOS app 1.0 is released for iOS 13 and higher versions. Although the mobile
application can run on any iOS 13 or higher versions, to achieve the best user experience, we recommend that
you use the following devices:
● iPhone 11 Pro
● iPad Pro (11 inch) (second generation)
You can download the SAP Customer Guide iOS app 1.0 from the Apple App Store. It is delivered in English only and
supports the Gregorian calendar.
Before users can onboard, administrators need to configure the mobile app and mobile services.
Prerequisites
Overview
The following diagram shows the main components that need to be configured on SAP Cloud Platform Mobile
Services:
You subscribe to SAP Cloud Platform Mobile Services using the administration user interface in the SAP Cloud
Platform cockpit. For more information about this configuration UI, see Application Administration.
Prerequisites
Context
The following configuration is recommended for the SAP Customer Guide. Instead of mapping the users to
roles in the SAP Cloud Platform cockpit, use assertion-based groups that allow you to maintain roles in your
SAML Identity Provider.
Procedure
1. Log in to the SAP Cloud Platform cockpit, and in the left pane, select Services. Under Mobile Services, click
Development & Operations.
2. Under Service Configuration, click Configure Development & Operations Cockpit.
3. In the left pane, select Roles and create a new role called MobileServicesCockpitAdministrator.
4. In the left pane, select Destinations & Permissions.
5. Under Application Permissions, click Edit and assign the role that you just created to the
HanaMobileAdmin permission, and save your changes.
Procedure
Option: ID
Description: com.sap.mobile.apps.CustomerGuide
Option: Vendor
Description: SAP SE
5. In the next dialog box, activate the following features for Native Applications:
○ Mobile Client Log Upload
○ Mobile Client Resources
○ Mobile Client Usage and User Feedback
○ Mobile Connectivity
○ Mobile Network Trace
The result should look like this:
Configure how a mobile user should authenticate against the mobile application.
Context
● App Passcode Protection: The user defines an app passcode during the onboarding process. Each time the
app launches and the timeout expires the user has to re-enter this passcode.
● Touch ID protection: Each time the app launches and the timeout expires the user has to authenticate
using Touch ID. This requires that Touch ID is enabled on the corresponding mobile device.
● No protection: The user does not have to authenticate on the mobile application.
Procedure
Note
We recommend that you enable CSRF protection in Mobile Services for the Customer Guide
application. Navigate to the SAP Customer Guide application in Mobile Services, and in the Security
tab, select CSRF Protection.
Related Information
Prerequisites
To log on to the SAP Cloud Platform Mobile Services cockpit, you have to configure User Authentication and
Authorization as described in User Authentication and Authorization [page 24].
In addition, make sure that you have set up the SAP Cloud Connector and have established a connection
between your SAP S/4HANA on premise and your SAP Cloud Platform tenant.
The app uses dedicated OData services, which are part of S/4HANA on premise. To be able to call these
services, make sure that your S/4HANA on premise system is connected to your SAP Cloud Platform tenant
using an SAP Cloud Connector. Once the Cloud Connector is connected, maintain the resource-mapping path
in SAP Cloud Connector.
Make sure to maintain the resource-mapping path to the following S/4HANA on-premise OData services:
● /sap/opu/odata/sap/API_BUSINESS_PARTNER
● /sap/opu/odata/sap/API_OPLACCTGDOCITEMCUBE_SRV
● /sap/opu/odata/sap/API_SALES_CONTRACT_SRV
● /sap/opu/odata/sap/C_DAYSSALESOUTSTANDING_CDS
● /sap/opu/odata/sap/C_FUTUREACCTRBLS_CDS
● /sap/opu/odata/sap/C_OPENDISPUTECASE_CDS
● /sap/opu/odata/sap/C_OVERDUEACCTRBLS_CDS
● /sap/opu/odata/sap/C_SALESVOLUMEANALYTICSQRY_CDS
● /sap/opu/odata/sap/C_TOTALACCOUNTSRECEIVABLES_CDS
In the following procedure, the <scc-host> placeholder indicates that this value needs to be replaced with the
actual virtual host name of your SAP Cloud Connector OData Service.
Procedure
Repeat this step for all destinations as listed in the following table (destination name, followed by its URL):
● com.sap.mobile.apps.CustomerGuide.API_BUSINESS_PARTNER: http://<scc-host>/sap/opu/odata/sap/API_BUSINESS_PARTNER
● com.sap.mobile.apps.CustomerGuide.API_OPLACCTGDOCITEMCUBE_SRV: http://<scc-host>/sap/opu/odata/sap/API_OPLACCTGDOCITEMCUBE_SRV
● com.sap.mobile.apps.CustomerGuide.API_SALES_CONTRACT_SRV: http://<scc-host>/sap/opu/odata/sap/API_SALES_CONTRACT_SRV
● com.sap.mobile.apps.CustomerGuide.C_DAYSSALESOUTSTANDING_CDS: http://<scc-host>/sap/opu/odata/sap/C_DAYSSALESOUTSTANDING_CDS
● com.sap.mobile.apps.CustomerGuide.C_FUTUREACCTRBLS_CDS: http://<scc-host>/sap/opu/odata/sap/C_FUTUREACCTRBLS_CDS
● com.sap.mobile.apps.CustomerGuide.C_OPENDISPUTECASE_CDS: http://<scc-host>/sap/opu/odata/sap/C_OPENDISPUTECASE_CDS
● com.sap.mobile.apps.CustomerGuide.C_OVERDUEACCTRBLS_CDS: http://<scc-host>/sap/opu/odata/sap/C_OVERDUEACCTRBLS_CDS
● com.sap.mobile.apps.CustomerGuide.C_SALESVOLUMEANALYTICSQRY_CDS: http://<scc-host>/sap/opu/odata/sap/C_SALESVOLUMEANALYTICSQRY_CDS
● com.sap.mobile.apps.CustomerGuide.C_TOTALACCOUNTSRECEIVABLES_CDS: http://<scc-host>/sap/opu/odata/sap/C_TOTALACCOUNTSRECEIVABLES_CDS
Prerequisites
You have configured the Mobile Services. See Configure Mobile Services [page 5].
Context
To set up and configure the SAP Customer Guide, you first need to create and upload three configuration files
to Mobile Services:
● AppConfiguration
● FLPEndpointConfiguration (optional)
● LayoutConfiguration
Mobile Services have a feature for uploading configuration files assigned to the SAP Customer Guide
application. For more information about this feature, see Uploading Client Resources.
Procedure
Note
Make sure that the app always uses the resource with the highest version number if several uploaded
bundles share the same name.
The SAP Customer Guide app requires that you upload three configuration files to Mobile Services and
maintain them:
● AppConfiguration
● FLPEndpointConfiguration (optional)
● LayoutConfiguration
AppConfiguration File
The AppConfiguration file is a JSON-compliant file containing basic technical configuration required by the
app. The configuration file should contain the following property:
{
  "supportEmail": "SupportEmailAddress@MyCompany.com"
}
The FLPEndpointConfiguration file is a JSON-compliant file containing information about the SAP Fiori
launchpad (FLP) hosted on the customer side. This is required by the app to construct URLs for navigating
from the app to corresponding Fiori apps. This feature allows the user to deep dive into information shown in
the app. If the FLPEndpointConfiguration file is not uploaded, the navigation feature is not available.
{
  "version": "1.0.0",
  "flpEndpointSettings": {
    "default": {
      "baseUrl": "https://<Fiori-Launchpad-Host>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
      "clientId": "<System-Client>"
    }
  }
}
Bar Chart (Sales volume, net sales costs, and profit margin of the customer): navigates to Sales Volume - Profit Margin / Credit Memos (Fiori App ID F2271); semantic object BillingDocument, action ssb_Profit_Margin
Bar Chart (Future Receivables): navigates to Future Receivables (Fiori App ID F1744); semantic object FutureReceivablesKPI, action analyzeSBKPIFutureReceivables
The FLPEndpointConfiguration file allows you to disable navigation to dedicated Fiori applications using
navigationSettings:
...
{
  "version": "1.0.0",
  "flpEndpointSettings": {
    "default": {
      "baseUrl": "https://<Fiori-Launchpad-Host>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
The first entry in this example, pointing to the Customer semantic object and the displaySalesOverview
action, will disable navigation to the Customer - 360° View (Fiori App ID F2187) app. Tapping on the customer
header will not trigger any action.
The second entry in the example, pointing to the AccountingDocument semantic object is marked with an
asterisk "*" and this disables all navigation options related to the AccountingDocument. Tapping on an
invoice row will not trigger any action.
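To make the deep-link and disable rules concrete, here is an added example (not code from the guide or from SAP) that builds Fiori launchpad intent URLs from an FLPEndpointConfiguration and refuses to build one when navigationSettings disables the target. The guide does not show the exact JSON shape of navigationSettings, so the list of semanticObject/action pairs under a "disabled" key is an assumption made for this example; the host flp.example.internal, the client 100 and the action displayFactSheet are constructed values. The intent format #<SemanticObject>-<action> in the URL fragment and the sap-client query parameter are standard Fiori launchpad addressing.

```python
"""Build Fiori launchpad deep links honouring navigationSettings.

Added example, not part of the SAP guide. The "navigationSettings" layout is an
assumption; the guide only states that an action of "*" disables every action
of the semantic object.
"""
import json
from urllib.parse import urlencode

# Constructed configuration in the shape shown in the guide.
SAMPLE_CONFIG = json.loads("""
{
  "version": "1.0.0",
  "flpEndpointSettings": {
    "default": {
      "baseUrl": "https://flp.example.internal/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
      "clientId": "100"
    }
  },
  "navigationSettings": {
    "disabled": [
      {"semanticObject": "Customer", "action": "displaySalesOverview"},
      {"semanticObject": "AccountingDocument", "action": "*"}
    ]
  }
}
""")


def is_navigation_disabled(config, semantic_object, action):
    """True if navigationSettings disables this semantic object/action pair.

    An entry with action "*" disables every action of its semantic object.
    """
    for entry in config.get("navigationSettings", {}).get("disabled", []):
        if entry.get("semanticObject") != semantic_object:
            continue
        if entry.get("action") in ("*", action):
            return True
    return False


def build_flp_url(config, semantic_object, action, params=None, endpoint="default"):
    """Return the launchpad URL for an intent, or None when navigation is disabled.

    The intent is placed in the fragment as #<SemanticObject>-<action>, optional
    intent parameters follow it as a query string, and the system client goes
    into the sap-client query parameter of the launchpad URL.
    """
    if is_navigation_disabled(config, semantic_object, action):
        return None
    settings = config["flpEndpointSettings"][endpoint]
    url = f"{settings['baseUrl']}?sap-client={settings['clientId']}#{semantic_object}-{action}"
    if params:
        url += "?" + urlencode(params)
    return url


if __name__ == "__main__":
    print(build_flp_url(SAMPLE_CONFIG, "Customer", "displayFactSheet", {"Customer": "1000"}))
    print(build_flp_url(SAMPLE_CONFIG, "Customer", "displaySalesOverview"))      # None: disabled
    print(build_flp_url(SAMPLE_CONFIG, "AccountingDocument", "manage"))          # None: "*" disables all
```

The important behaviour is that a disabled target yields no URL at all rather than a URL the user could still open; mirroring that in any tooling you build around the configuration avoids exposing navigation paths an administrator intended to switch off.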
LayoutConfiguration file
The LayoutConfiguration file is a JSON-compliant file containing the configuration of the app layout. With
this configuration, administrators can determine which components are shown in the app at which position.
The following table describes the basic structure of the configuration file:
Name Description
Tabs
You can define the pages within tabs to be shown in the Customer Detail view. The following sample and
screenshot show how this would appear in the app.
Sample Code
{
  "version": "1.0.0",
  "tabs": [
    {
      "title": "Overview",
      ...
    },
    {
      "title": "Contracts",
      ...
    },
    {
      "title": "Accounts Receivable",
      ...
    }
  ]
}
Section Type
The section type defines which subset of data is shown and how this is visualized. The following list shows the
supported section types. If other types are used, end users get errors in the app.
● kpi
● barChart
● barChartCard
● chartCard
● customerHeader
● contactList
● invoiceList
● contractList
● contactInformation
● newsFeed
Component Context
The context of a component gives more detailed information about what data to show in a section, if several
components are to be shown in a specific section. Only the following list of supported combinations of section
type and component context are allowed. If the configuration doesn't meet them, end users will see an error in
the app.
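Because an unsupported section type or a missing context only surfaces as an error on the end user's device, it pays to validate LayoutConfiguration.json before uploading it to Mobile Services. The following validator is an added example, not part of the guide or of any SAP tool: it checks the structure shown in the guide's samples (version, non-empty tabs, each with titled sections, each section with a supported type and a non-empty list of components carrying a context) and returns a list of problems. The list of supported section types is the one printed above; the embedded sample is an excerpt of the guide's Overview tab, and the required-key rules are inferred from that sample.

```python
"""Validate a LayoutConfiguration file for SAP Customer Guide before uploading it.

Added example, not part of the SAP guide. The supported section types come from
the guide; the structural rules are inferred from the guide's sample file.
"""
import copy
import json

SUPPORTED_SECTION_TYPES = {
    "kpi", "barChart", "barChartCard", "chartCard", "customerHeader",
    "contactList", "invoiceList", "contractList", "contactInformation", "newsFeed",
}

# Excerpt of the guide's sample LayoutConfiguration (Overview tab only).
SAMPLE_LAYOUT = json.loads("""
{
  "version": "1.0.0",
  "tabs": [
    {
      "title": "Overview",
      "sections": [
        {"title": "customerHeader", "type": "customerHeader",
         "components": [{"title": "Component0", "context": "CustomerHeader"}]},
        {"title": "KPIs", "type": "kpi",
         "components": [{"title": "DSO, Last 12 Months", "context": "DSO"},
                        {"title": "Number of Disputes", "context": "NumberOfDisputes"}]}
      ]
    }
  ]
}
""")


def validate_layout(config):
    """Return a list of human-readable problems; an empty list means the file passes."""
    problems = []
    if not isinstance(config.get("version"), str):
        problems.append("missing or non-string 'version'")
    tabs = config.get("tabs")
    if not isinstance(tabs, list) or not tabs:
        return problems + ["'tabs' must be a non-empty list"]
    for t_idx, tab in enumerate(tabs):
        where = f"tabs[{t_idx}]"
        if not tab.get("title"):
            problems.append(f"{where}: missing 'title'")
        sections = tab.get("sections")
        if not isinstance(sections, list) or not sections:
            problems.append(f"{where}: 'sections' must be a non-empty list")
            continue
        for s_idx, section in enumerate(sections):
            swhere = f"{where}.sections[{s_idx}]"
            stype = section.get("type")
            if stype not in SUPPORTED_SECTION_TYPES:
                # This is the case that produces errors for end users in the app.
                problems.append(f"{swhere}: unsupported section type {stype!r}")
            components = section.get("components")
            if not isinstance(components, list) or not components:
                problems.append(f"{swhere}: 'components' must be a non-empty list")
                continue
            for c_idx, comp in enumerate(components):
                if not comp.get("context"):
                    problems.append(f"{swhere}.components[{c_idx}]: missing 'context'")
    return problems


def validate_layout_file(path):
    """Validate a LayoutConfiguration.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return validate_layout(json.load(fh))


def sample_with_bad_type():
    """Copy of the sample with a section type the app does not support (for demonstration)."""
    broken = copy.deepcopy(SAMPLE_LAYOUT)
    broken["tabs"][0]["sections"][1]["type"] = "pieChart"
    return broken


if __name__ == "__main__":
    print("sample:", validate_layout(SAMPLE_LAYOUT))
    print("broken:", validate_layout(sample_with_bad_type()))
```

The validator deliberately does not check the allowed section-type/component-context combinations, because that table is maintained with the app; extend SUPPORTED_SECTION_TYPES and add a per-type context set if you have the current list.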
News-Related Options
Some additional configuration is required for the News component. In the current version, only the Bing news
provider is supported. Bing requires an API key, so this information needs to be provided via configuration.
news
LayoutConfiguration.json Sample
This is a complete configuration sample. You can apply it as is, just make sure to maintain the proper Bing API
key:
{
  "version": "1.0.0",
  "tabs": [
    {
      "title": "Overview",
      "sections": [
        {
          "title": "customerHeader",
          "type": "customerHeader",
          "components": [
            {
              "title": "Component0",
              "context": "CustomerHeader"
            }
          ]
        },
        {
          "title": "Contact Information",
          "type": "contactInformation",
          "components": [
            {
              "title": "Component1",
              "context": "CustomerDetail"
            }
          ]
        },
        {
          "title": "Key Contacts",
          "type": "contactList",
          "components": [
            {
              "title": "Component2",
              "context": "AccountExecutives"
            }
          ]
        },
        {
          "title": "KPIs",
          "type": "kpi",
          "components": [
            {
              "title": "Receivables Amount Overdue",
              "context": "InvoiceAmountOverdue"
            },
            {
              "title": "Total Receivable Amount",
              "context": "totalReceivablesAmount"
            },
            {
              "title": "DSO, Last 12 Months",
              "context": "DSO"
            },
            {
              "title": "Number of Disputes",
              "context": "NumberOfDisputes"
            },
            {
              "title": "Amount of Disputes",
              "context": "AmountOfDisputes"
            }
          ]
        },
        {
          "title": "Revenue",
          "type": "barChart",
The following diagram shows the authentication mechanisms that are used between the various components
of the SAP Customer Guide technology stack.
Based on the user authenticated via SAML, the mobile client requests an OAuth token that is used in
subsequent authentications to SAP Cloud Platform. The setup of this is described in Configure Mobile Services
[page 5].
The authentication between SAP Mobile Services and SAP S/4HANA on premise is performed via Cloud
Connector SSO, which does not require any specific configuration.
The Principal Propagation technology of the SAP Cloud Connector is used to access the backend system in the
on-premise landscape. The setup is described here: Integration into the On-Premise Landscape [page 29].
The IdP needs to fulfill the SAML 2.0 standard. Use one of the following mutually exclusive options:
1. Use an existing SAML 2.0 IdP: If you already have a SAML 2.0 compliant IdP, you can use this for the
Corporate Identity Provider. For more information, see Identity Federation with a Corporate Identity
Provider.
2. Use an Identity Authentication Tenant: If you don't have a Corporate Identity Provider, you can use SAP's
cloud product - SAP Cloud Platform Identity Authentication Service. A detailed description about this
product can be found here: SAP Cloud Platform Identity Authentication Service
3. Use the SAP ID Service: The SAP ID service is SAP's ready-to-use identity service that is offered as a
Software-as-a-Service solution completely operated by SAP. This variant should only be considered for
testing scenarios as you don't have control over the user store. Also, you cannot integrate this solution with
your on-premise user management.
Prerequisites
● You have a tenant on SAP Cloud Platform. Within this tenant, your user is assigned as a member.
For information about configuring identity providers, see Application Identity Provider.
Note
Skip this step if you are using the SAP ID Service as the IdP.
Follow the procedure provided here: Configure SAP Cloud Platform as a Local Service Provider.
Setting Value
Note
Skip this step if you use the SAP ID Service as the IdP.
Follow the procedure provided here: Configure Trust to the SAML Identity Provider
The configuration of groups is optional. It depends on how you want to assign users to groups. You can do this
in one of two ways:
1. Define assertion-based groups: The user-to-group assignment is maintained in your SAML IdP. Each SAML
assertion that is sent to SAP Cloud Platform not only contains the user identifier, but also the information
about which groups this user belongs to. This variant also allows you to derive the user groups, for example
from your ABAP backend systems, by using the SAP Cloud Platform Identity Provisioning service.
2. Maintain the user-to-group assignment in SAP Cloud Platform cockpit, as described here: Managing Roles
You can do the initial configuration of your system by maintaining the user-to-group assignment in SAP
Cloud Platform cockpit and later switch to assertion-based groups. This might help you to identify issues in
the initial setup phase.
To perform this configuration step, you need to first download the metadata of your SAML IdP. If you are using
an Identity Authentication tenant, see the documentation about how to download the SAML IdP metadata
here: Tenant SAML 2.0 Configuration
Note
Skip this step if you use the SAP ID Service as the IdP.
In this step you configure your SAML IdP to interact with your SAP Cloud Identity tenant. If you are using an
existing SAML 2.0 IdP, consult the documentation of the vendor for information about how to configure a SAML
service provider.
The following steps are only valid if you are using an Identity Authentication tenant.
The SAP Cloud Platform Identity Authentication service uses the term Application, which refers to a SAML 2.0
service provider. In this context, an Application refers to the SAP Cloud Platform tenant that you configured in
the previous steps.
For information about how to create a new application on your Identity Authentication tenant, see Create a New
Application.
● Configure the Name ID attribute sent to the application: Configure the Subject Name Identifier Sent to the
Application
In this step you configure the user name that is used in SAP Cloud Platform. The same name is also sent to
the SAP Cloud Connector for principal propagation. This name is also required for mapping your users in
your Identity Authentication tenant to your users in the SAP on-premise backend systems. We recommend
using the Login Name as the Name ID attribute as this allows you easy mapping to your on-premise user
names.
● Configure the default attributes sent to the application: Configure the Default Attributes Sent to the
Application
If you use assertion-based groups to assign users to groups in SAP Cloud Platform, we recommend using
the User Groups functionality of your Identity Authentication tenant as described here: User Groups. To use
this user-to-group assignment on SAP Cloud Platform, you also have to send the group information of your
Identity Authentication tenant to SAP Cloud Platform in the SAML assertion. This is why you should add
the groups attribute in this configuration step.
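Assertion-based groups only work if the groups attribute actually arrives in the assertion and is mapped to roles on the service-provider side. The following script, an added example that is not part of the guide and not SAP Cloud Platform's own implementation, shows that last step: it parses a constructed SAML 2.0 assertion, reads the Name ID (the login name, as the guide recommends) and the values of the groups attribute, and resolves them to roles through a group-to-role table. The assertion content, the group names and the CustomerGuideUser role are constructed for the example; MobileServicesCockpitAdministrator is the role the guide tells you to create. Signature and validity checks are deliberately outside this snippet, because the service provider performs them before any attribute is trusted.

```python
"""Map the 'groups' attribute of a SAML 2.0 assertion to roles.

Added example, not part of the SAP guide. The assertion, the group names and
the CustomerGuideUser role are constructed; only extract attributes from an
assertion whose signature and conditions have already been validated.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion body as an Identity Authentication tenant could send it.
# Signature, Issuer and Conditions are omitted because the service provider
# (SAP Cloud Platform) validates them before the attributes are consumed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JDOE</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>CustomerGuideUsers</saml:AttributeValue>
      <saml:AttributeValue>MobileServicesAdmins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Group-to-role assignment as it would be maintained in the SAP Cloud Platform
# cockpit. Group names are constructed; CustomerGuideUser is a hypothetical
# end-user role.
GROUP_TO_ROLES = {
    "MobileServicesAdmins": {"MobileServicesCockpitAdministrator"},
    "CustomerGuideUsers": {"CustomerGuideUser"},
}


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from a SAML assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return name_id, attributes


def roles_for_assertion(xml_text, group_attribute="groups"):
    """Return (name_id, set of roles) derived from the groups in the assertion.

    Groups without a mapping grant nothing, so an IdP that sends unexpected
    group names fails closed instead of escalating privileges.
    """
    name_id, attributes = parse_assertion(xml_text)
    roles = set()
    for group in attributes.get(group_attribute, []):
        roles |= GROUP_TO_ROLES.get(group, set())
    return name_id, roles


if __name__ == "__main__":
    user, roles = roles_for_assertion(SAMPLE_ASSERTION)
    print(f"{user}: {sorted(roles)}")
```

When troubleshooting a user who cannot log on, capturing the assertion on the IdP side and running it through parse_assertion quickly shows whether the problem is a missing groups attribute, an unmapped group name, or a Name ID that does not match the on-premise user.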
SAP Customer Guide uses different roles to authorize different privileges to authenticated users. The following
table gives you an overview of the roles that are required for the different user types.
Some services of SAP Cloud Platform, such as SAP Cloud Platform Mobile Services Development &
Operations, have predefined roles that a user must be assigned to in order to perform specific tasks. Instead of
directly assigning these roles to users, we strongly recommend using groups. Users are assigned to groups and
roles are assigned to groups.
User type: Administrator of SAP Cloud Platform Mobile Services
Application: SAP Cloud Platform Mobile Services Cockpit (dispatcher)
Role: MobileServicesCockpitAdministrator
Remarks: There is no role called MobileServicesCockpitAdministrator provided by default. You need to
create this role in the SAP Cloud Platform Mobile Services cockpit as described in Set Up Customer Accounts.
Note that the roles defined in the previous section are only visible after you have subscribed to the referenced
applications.
For information about defining groups and assigning users, see Managing Roles.
The principal propagation mechanism of the SAP Cloud Connector is used for authentication from SAP Cloud
Platform to the on-premise SAP NetWeaver ABAP and Java systems, as described in Configure Principal
Propagation to an ABAP System for HTTPS. A user in the SAML IdP needs to be mapped to a user in the
backend system. The recommended way of defining this mapping is with rule-based mapping of certificates, as
described in Rule-based Mapping of Certificates.
One option is to make the user alias in the AS ABAP system identical to the Logon Name in your Identity
Authentication tenant.
User Management
When using the SAP Cloud Platform Identity Authentication service, you have several options for keeping the
users in sync with on-premise user management:
1. Manual maintenance: You can create users manually on your IdP. This solution is only recommended if
you have a very small user base.
2. SAP Cloud Platform Identity Provisioning service: This service allows you to synchronize your user
master data from various systems, such as an SAP NetWeaver ABAP system, into your Identity
Authentication tenant. For more information, see SAP Cloud Platform Identity Provisioning Service.
3. Corporate User Store: If you have an existing on-premise user store, you can configure the SAP Cloud
Platform Identity Authentication service to use the corporate user store in addition to its own cloud user
store. For more information, see Corporate User Store.
The following setup is an example of a best practice. It uses a valid combination of the options described
above:
● SAP Cloud Platform Identity Authentication service is used as the SAML IdP
● Assertion-based groups are used to map users to groups on SAP Cloud Platform
● SAP Cloud Platform Identity Authentication Service configuration:
○ Users are assigned to groups. Each group on the SAP Cloud Platform Identity Authentication service
maps to one group on SAP Cloud Platform.
○ The Login Name is the Name ID attribute.
○ Users and groups are maintained manually.
Procedure
4. On the left side panel, select Users & Authorizations and User Management.
5. Create new users as required and assign the relevant groups to these users.
Context
The SAP Customer Guide app currently supports QR code-based onboarding. Follow these steps to get the QR
code, which you can then distribute to end users. This task can only be done by administrators of SAP Cloud
Platform Mobile Services. Before you start, make sure that you have set up the application in Mobile Services
as described in Configure Mobile Services [page 5].
Tip
When end users onboard, they are asked to provide their consent. To further improve end-user experience,
we recommend that you enable auto approve. You do this in the Security tab in the mobile application that
you created in Mobile Services.
Procedure
You will see a list of Mobile Destination URLs and the QR code that end users can use for onboarding.
Procedure
1. Open the Apple App Store and search for the SAP Customer Guide app.
2. Install the app and open it.
3. To connect to SAP Cloud Platform, scan the QR code that you received from an administrator.
   1. Tap the Scan button.
   2. Allow the app to access the camera. The device's camera is activated.
   3. (Optional) Allow the app to access the device's photos.
   4. Scan the QR code.
   5. Tap Continue.
4. Log in with your credentials.
5. Read the End User License Agreement and tap Agree.
6. If requested, create a passcode for unlocking the app.
7. Tap Next and confirm the passcode.
8. Tap Done.
9. The screen with the Face ID (or Touch ID) activator for unlocking the application opens.
○ If you want to use Face ID (or Touch ID) to unlock the app, tap Enable.
○ If you want to use the passcode to unlock the app, tap Not Now.
If end users face an error in the SAP Customer Guide mobile application, they should reach out to their IT
contact, who can then open a customer incident in SAP Support.
Report an Incident
Use the FI-MOB-CG component to report bugs or incidents in SAP Customer Guide to SAP Support.
The app automatically uploads log files, which can be used for issue analysis by SAP Support, to SAP Cloud
Platform Mobile Services. You need to first enable client log upload in your SAP Cloud Platform Mobile Services
cockpit as described in Logging and Tracing [page 39].
Alternatively, users can send the logs as an attachment from the app’s Profile screen. To use this feature, an
administrator has to set up the app configuration as described in Maintain Configuration Resources [page 13].
If the user cannot navigate to the Profile screen, they can download the files from iTunes and then send them to
you, as follows:
1. Open iTunes on your computer and connect your mobile device to the same computer.
2. After iTunes has detected your mobile device, select your device and go to the Apps view.
3. In the lower left corner, search for the SAP Customer Guide app in the Apps list, and select it.
A folder structure opens in the lower right corner in the Documents of <App Name>: box.
If the SAP Customer Guide mobile application crashes on your Apple iOS mobile device, send the device crash
logs for the incident to SAP Support:
1. Start iTunes on your computer and connect your mobile device to the same computer.
2. After iTunes has detected your mobile device, synchronize the device (if it does not start to synchronize
automatically).
3. When the sync is complete, the crash logs are stored on your computer under the following paths
(depending on your operating system):
○ OSX (Mac)
Library/Logs/CrashReporter/MobileDevice/<DeviceName>/
○ Windows 10
C:\Users\<UserName>\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice\<DeviceName>
Note
For <UserName> and <DeviceName>, you have to apply your personal values.
4. The respective folder contains several .crash files. Search for the crashed application and send all crash
files for this application to SAP Support. You can zip the files into one file.
The Customer Guide mobile app has built-in logging capabilities. By default, all errors are logged into a local file.
Users can send an email to support and attach the log file.
Note
To enable the development team to better analyze issues, you can send the log files using the Report an
Issue feature on the Profile screen. Log files contain information that archive the logical flow of the app,
such as error messages or view controller-related information. Log files never contain any personal
information.
The app also uploads logs automatically to SAP Cloud Platform Mobile Services each time the app starts.
Mobile users can send logs via email. Tap on the user profile image in the upper-left corner of the app and then
click Report an Issue.
The user’s default email client opens with a predefined message and the latest log file already attached to mail.
The mobile app automatically uploads local log files so that an administrator can analyze them or forward them
to SAP support. The logs can be accessed by administrators via their SAP Cloud Platform Mobile Services
tenant.
SAP Cloud Platform Mobile Services offer a set of capabilities to monitor the mobile application. This includes:
● Logging of errors between SAP Cloud Mobile Services and the backend system. For more information, see
Application Logs and Trace Files.
● You can find the support files uploaded from the mobile application in SAP Cloud Platform Mobile Services
under Analytics > Logs. Set the filter for Application ID to com.sap.mobile.apps.CustomerLive:
● Trace network activity based on user name, connection, application, or content type. For more information,
see Tracing Network Activity.
Note
This section does not give any advice on whether these features and functions are the best method to
support company-, industry-, regional-, or country-specific requirements. Furthermore, this guide does not
give any advice or recommendations with regard to additional features that would be required in a
particular environment. Make decisions related to data protection on a case-by-case basis and under
consideration of the given system landscape and the applicable legal requirements.
This section describes the specific features and functions that SAP provides to support compliance with legal
data protection requirements and data privacy.
Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with general data privacy acts, it is necessary to consider compliance with industry-specific
legislation in different countries.
Note
In most cases, compliance with data privacy laws is not a product feature. SAP software supports data
privacy by providing security features and specific data protection-relevant functions, such as functions for
the simplified blocking and deletion of personal data. SAP does not provide legal advice in any form. The
definitions and other terms used in this guide are not taken from any given legal source.
Caution
The extent to which data protection is ensured depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system
are the basic technical requirements for compliance with data privacy legislation and other legislation.
Glossary
Term: Sensitive Personal Data
Definition: Special categories of personal data including social secrecy, tax secrecy, bank secrecy, social
security number (US), and credit card data (US).
Term: Business purpose
Definition: A legal, contractual, or other justified reason for the processing of personal data. The
assumption is that any purpose has an end that is usually already defined when the purpose starts.
Term: Retention period
Definition: The time period during which data must be available.
Term: End of purpose (EoP)
Definition: A method of identifying the point in time for a data set when the processing of personal data is
no longer required for the primary business purpose. After the EoP has been reached, the data is blocked
and can only be accessed by users with special authorization.
User Consent
SAP Customer Guide does not provide separate consent management. For the person-related data retrieved
from the backend systems, we assume that the application used to create the person-related data in the
system ensures that consent was given by the affected person. This means that it does not explicitly store the
consent of the user and a withdrawal of given consent is not supported on the Mobile Client. The customer has
to make sure that the consent of the data subjects is received by providing proper technical and organizational
measures.
Before using any device capabilities, such as the camera, calendar, geolocation, or photo library, the user is
asked for consent to use these mobile capabilities.
SAP Customer Guide provides sign-out functionality (User Profile > Sign Out). This functionality resets all
application settings, but cannot reset the iOS system settings, especially the privacy settings such as access to
the camera, photos, and calendars.
Please be aware that iOS devices are not multi-user devices, so if the device user changes, a full reset of the
device has to be done using the iOS capabilities.
SAP Customer Guide does not persist sensitive person-related data; however, it does process sensitive
person-related data (for example, addresses). Therefore, read access logging must be activated in the SAP
S/4HANA on-premise backend system if required. All systems use the Read Access Logging (RAL) functionality
provided by SAP NetWeaver. For more information, see Read Access Logging.
All person-related data for SAP Customer Guide is retrieved to the mobile device based on the user ID of the
user. Personal data includes the user ID and name. For the person specified, data from various backend
systems is retrieved based on the user authorizations. All retrieved data is also directly visible in the app. For a
full report of the stored data please refer to the relevant backend systems, which hold the final persistence of
the data.
Application data that is persisted locally by SAP Customer Guide is encrypted with 256-bit AES encryption using
the passcode set up by the user, or a default key if the passcode is deactivated.
Administrators of SAP Customer Guide can configure one of the following protection scenarios:
Touch ID / Face ID (security level: High)
● Each time the app enters the foreground and the lock timeout has been exceeded, the user has to unlock
the app using Touch ID/Face ID.
● If Touch ID/Face ID fails, the user can also unlock the app with the device passcode.
● All security-relevant data that is stored within the app is encrypted with a randomly generated key. This
key is stored in the iOS keychain and can only be read after user authentication using Touch ID/Face ID.
SAP Customer Guide may process person-related data that is subject to data protection laws applicable in
specific countries as described in SAP Note 1825544: Simplified Deletion and Blocking of Personal Data in
SAP Business Suite.
As there is no person-related data persisted on SAP Cloud Platform or the Mobile Client, the respective
backend systems must provide an erasure functionality. As soon as the data is deleted or blocked in the
backend systems, it will be not available anymore on the frontend, as it is a pure online application (with
temporary caching). If the user deletes the SAP Customer Guide application from the mobile device or does a
reset of the application, performing those actions deletes all person-related protected data in their local data
store.
This section gives an overview of how administrators can configure the security-relevant aspects of the
SAP Customer Guide solution.
This topic describes the security concepts of the SAP Customer Guide mobile app. It also shows the
configuration options that affect security on the mobile device.
Configuration Bootstrapping
The SAP Customer Guide mobile app is an SAP standard application that is distributed via Apple's App Store.
Because of this, you need to configure which SAP Cloud Platform account it should connect to during the
onboarding process. This process starts the very first time the app is launched on the mobile device. The
required data that is used to connect to the correct SAP Cloud Platform account is referred to as
"bootstrapping configuration" in this document.
It's important that this bootstrapping process is secured, so that no malicious configuration data can be
injected into the mobile app.
Authentication Concept
The SAP Customer Guide mobile app authenticates the user against SAP Cloud Platform's SAML Identity Provider
during the onboarding process. After successful authentication, the mobile app requests an OAuth2 token from
SAP Cloud Platform, which is then used to authenticate all subsequent communication. Administrators can
configure the lifetime of the Access Token and the Refresh Token. If the Access Token has expired, the mobile
app requests a new token using the Refresh Token; this does not require any user interaction. If the Refresh
Token has also expired, the user has to authenticate again on SAP Cloud Platform's SAML Identity Provider.
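The following is an added example of the client-side token handling just described; it is not SAP code and does not come from the SAP Cloud Platform SDK for iOS. The SAML login is reduced to a single authorization grant, the token endpoint is an in-memory stand-in constructed for the example, the client ID "customer-guide" is invented, and the two lifetimes stand for the values an administrator sets in the cockpit. The refresh request itself follows the standard OAuth 2.0 refresh grant (RFC 6749, section 6).

```python
"""Client side of the token lifecycle: SAML login once, then OAuth 2.0 access and
refresh tokens, silent refresh, and forced re-login when both have expired.

Added example, not SAP code. The token endpoint below is a stand-in (no network).
"""
import secrets
from urllib.parse import parse_qsl, urlencode


class ReauthenticationRequired(Exception):
    """Both tokens are unusable: the user must log in at the SAML IdP again."""


class StubTokenEndpoint:
    """Stand-in for the platform's token endpoint, constructed for this example."""

    def __init__(self, access_ttl, refresh_ttl, clock):
        self.access_ttl, self.refresh_ttl, self.clock = access_ttl, refresh_ttl, clock
        self._refresh = {}  # refresh token -> absolute expiry (seconds)

    def _issue(self):
        refresh = secrets.token_urlsafe(24)
        self._refresh[refresh] = self.clock() + self.refresh_ttl
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(24),
                "expires_in": self.access_ttl, "refresh_token": refresh}

    def post(self, form_body):
        params = dict(parse_qsl(form_body))
        grant = params.get("grant_type")
        if grant == "authorization_code":          # grant obtained after the SAML login
            return self._issue()
        if grant == "refresh_token":               # RFC 6749 section 6
            expiry = self._refresh.pop(params.get("refresh_token", ""), None)
            if expiry is None or expiry <= self.clock():
                return {"error": "invalid_grant"}  # expired, unknown or already used
            return self._issue()                   # rotates both tokens
        return {"error": "unsupported_grant_type"}


class TokenClient:
    """Mobile-app side: holds the token set and refreshes without user interaction."""

    def __init__(self, endpoint, client_id, clock, skew=30):
        self.endpoint, self.client_id, self.clock = endpoint, client_id, clock
        self.skew = skew  # refresh a little early to absorb clock drift
        self.access_token = self.refresh_token = None
        self.access_expires_at = 0.0

    def _store(self, response):
        if "error" in response:
            self.access_token = self.refresh_token = None  # drop stale secrets
            raise ReauthenticationRequired(response["error"])
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]
        self.access_expires_at = self.clock() + response["expires_in"]

    def login(self, authorization_code):
        """Exchange the grant obtained through the SAML login for the first token set."""
        self._store(self.endpoint.post(urlencode({
            "grant_type": "authorization_code", "code": authorization_code,
            "client_id": self.client_id})))

    def bearer_token(self):
        """Return a valid access token, refreshing silently if it has expired."""
        if self.refresh_token is None:
            raise ReauthenticationRequired("not onboarded")
        if self.clock() < self.access_expires_at - self.skew:
            return self.access_token
        self._store(self.endpoint.post(urlencode({
            "grant_type": "refresh_token", "refresh_token": self.refresh_token,
            "client_id": self.client_id})))
        return self.access_token


def walk_through(access_ttl=900, refresh_ttl=3600):
    """Run the three situations against a fake clock; returns what happened."""
    now = [1_000_000.0]
    endpoint = StubTokenEndpoint(access_ttl, refresh_ttl, clock=lambda: now[0])
    client = TokenClient(endpoint, "customer-guide", clock=lambda: now[0])
    client.login("grant-from-saml-login")
    first = client.bearer_token()
    now[0] += access_ttl + 1           # access token expired, refresh token still valid
    second = client.bearer_token()     # silent refresh, no user interaction
    now[0] += refresh_ttl + 1          # refresh token expired as well
    try:
        client.bearer_token()
        reauth = False
    except ReauthenticationRequired:
        reauth = True
    return {"silent_refresh": first != second, "reauth_required": reauth,
            "tokens_cleared": client.refresh_token is None}
```

Two details matter for an operator setting the lifetimes: the refresh token lifetime is the longest a lost device can keep obtaining new access tokens without another SAML login, and the client discards both tokens as soon as the endpoint rejects the refresh, so nothing usable stays in local storage after that point.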
Secure Communication
All communication channels of the mobile app use the HTTPS protocol to encrypt the data in transit. The
mobile app fulfills Apple's App Transport Security requirements, which ensure that a defined minimum level of
security configuration is met. More details about the settings are available in Apple's iOS Security Guide:
https://www.apple.com/business/docs/iOS_Security_Guide
The mobile app supports several levels of security, because there is always a tradeoff between security and
convenience for the end user. In the most secure mode, the user always has to enter a passcode when the app
moves from the background into the foreground, which has a significant impact on the user experience.
Administrators therefore choose the level that fits their requirements.
The security level is expressed by defining the protection level. The following protection levels are defined:
The selected protection level influences how the end user can access the app and also how local data is
encrypted. The persisted data includes critical elements such as the OAuth2 token that is used for
authentication on SAP Cloud Platform Mobile Services.
Note that even with the lowest protection level, all of the iOS protection mechanisms apply. You can, for
example, use a Mobile Device Management (MDM) system to enforce protection on the device level with a
device passcode. This means that all stored data is already encrypted by the operating system. If the device is
protected with a passcode, then this is already a high security level.
The protection modes that are discussed here are in addition to these default iOS device security mechanisms.
Administrators configure security in the SAP Cloud Platform Mobile Services cockpit.
The administrator can configure a lock timeout in the cockpit. This timeout value is taken into consideration
when the mobile app is launched. The mobile app shows a login screen if the protection mode is either App
Passcode Protection or Touch ID/Face ID Protection, and if one of these two situations applies:
Depending on the app protection level, the mobile app shows either a screen to enter the app passcode, or the
iOS framework shows a screen to authenticate using Touch ID/Face ID (with a fallback to the device passcode).
App Passcode Protection
● The user has to set an application passcode during the onboarding process that fulfills the configured
complexity requirements.
● Each time the app enters the foreground and the lock timeout has been exceeded, the user has to enter the
application passcode to enter the app.
● All security-relevant data that is stored in the app is encrypted with a key that is derived from the app
passcode.
● The app passcode is never persisted locally, nor is it sent to the server.
If the administrator did not configure the passcode policy in the cockpit, this protection level is the default.
If any of these conditions is not met, then the mobile app uses the default protection mechanism.
Touch ID/Face ID Protection
● Each time the app moves to the foreground and the lock timeout has been exceeded, the user has to unlock the
app using Touch ID/Face ID.
● If Touch ID/Face ID fails, the user can also unlock the app with the device passcode.
● All security-relevant data that is stored in the app is encrypted with a randomly generated master key. This
key is stored in the iOS keychain and can only be read if the user authenticates using Touch ID/Face ID.
This key never leaves the device.
This protection level is applied if the administrator has configured the passcode policy in the cockpit with these
values:
Default Protection
● There is no extra protection for launching the mobile app. However, there can still be device protection
(device passcode) that is enforced, for example using MDM.
● All security-relevant data that is stored in the app is encrypted with a randomly generated master key. This
key is stored in the iOS Keychain without any additional protection. This key never leaves the device.
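The following added model makes the difference between the three protection levels checkable: what is persisted on the device, what is needed to recover the data key, and when the app prompts. It is an illustration written for this guide, not the implementation in the SAP Cloud Platform SDK for iOS; the PBKDF2 parameters, the verifier, the salt handling and the keychain stand-in (with a flag standing in for a biometric access-control setting) are assumptions chosen to exhibit the properties stated above.

```python
"""What each protection level means for the key that encrypts local app data.

Added model, not SAP SDK code. KDF, verifier and keychain stand-in are assumptions.
"""
import hashlib
import hmac
import secrets

APP_PASSCODE = "app_passcode"
BIOMETRIC = "touch_id_face_id"
DEFAULT = "default"


class Keychain:
    """Stand-in for the iOS keychain; `gated` models an access-control flag that
    requires Touch ID/Face ID before the item can be read (assumption)."""

    def __init__(self):
        self._items = {}

    def store(self, name, value, gated):
        self._items[name] = (value, gated)

    def read(self, name, biometric_ok=False):
        value, gated = self._items[name]
        if gated and not biometric_ok:
            raise PermissionError("Touch ID/Face ID required to read " + name)
        return value


def derive_key(passcode, salt, iterations=100_000):
    """256-bit key from the app passcode; only the salt is ever persisted."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=32)


class LocalStore:
    def __init__(self, level, keychain, lock_timeout):
        self.level = level
        self.keychain = keychain
        self.lock_timeout = lock_timeout  # seconds, set by the administrator
        self.persisted = {}               # what ends up on disk besides the keychain

    def onboard(self, passcode=None):
        """Create the data key for this level and return it (held in memory only)."""
        if self.level == APP_PASSCODE:
            if not passcode:
                raise ValueError("passcode policy requires an app passcode")
            salt = secrets.token_bytes(16)
            key = derive_key(passcode, salt)
            # The verifier lets the app tell a wrong passcode from a corrupt store.
            # It also lets anyone holding the files guess passcodes offline, which
            # is why the complexity requirements matter at this level.
            self.persisted = {"salt": salt,
                              "verifier": hashlib.sha256(b"verify" + key).digest()}
        else:
            key = secrets.token_bytes(32)  # random master key, must be stored somewhere
            self.keychain.store("master-key", key, gated=(self.level == BIOMETRIC))
        return key

    def needs_unlock(self, seconds_in_background):
        """Default protection never prompts; the other levels prompt after the timeout."""
        return self.level != DEFAULT and seconds_in_background > self.lock_timeout

    def unlock(self, passcode=None, biometric_ok=False):
        """Recover the data key with whatever the level requires from the user."""
        if self.level == APP_PASSCODE:
            key = derive_key(passcode or "", self.persisted["salt"])
            check = hashlib.sha256(b"verify" + key).digest()
            if not hmac.compare_digest(check, self.persisted["verifier"]):
                raise PermissionError("wrong app passcode")
            return key
        return self.keychain.read("master-key", biometric_ok=biometric_ok)


def unlock_fails(store, **kwargs):
    """True if unlock() refuses with the given inputs (shows the failure modes)."""
    try:
        store.unlock(**kwargs)
    except PermissionError:
        return True
    return False
```

The point the model makes explicit: with App Passcode Protection nothing persisted on the device yields the key, so an attacker needs the passcode; with Touch ID/Face ID the key exists on the device but the keychain gates it on user presence; with Default Protection the key is readable by the app without any prompt, so the device passcode (enforced via MDM) is the only thing standing between a lost device and the stored OAuth2 token.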
SAP Customer Guide uses existing services provided by SAP S/4HANA on premise, so the role concept of
those services applies. The OData services used are:
● sap/opu/odata/sap/API_BUSINESS_PARTNER
● sap/opu/odata/sap/API_OPLACCTGDOCITEMCUBE_SRV
● sap/opu/odata/sap/API_SALES_CONTRACT_SRV
● sap/opu/odata/sap/C_DAYSSALESOUTSTANDING_CDS
● sap/opu/odata/sap/C_FUTUREACCTRBLS_CDS
● sap/opu/odata/sap/C_OPENDISPUTECASE_CDS
● sap/opu/odata/sap/C_OVERDUEACCTRBLS_CDS
● sap/opu/odata/sap/C_SALESVOLUMEANALYTICSQRY_CDS
● sap/opu/odata/sap/C_TOTALACCOUNTSRECEIVABLES_CDS
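Because the app inherits the backend role concept, a quick way to validate a test user's roles before rollout is to request the $metadata document of each listed service and look at the HTTP status. The script below is an added example written for this guide, not part of the product: the backend URL, the basic-auth test user and the status-to-meaning mapping are assumptions for a direct check against SAP Gateway (the app itself reaches these services through principal propagation, not basic auth), and the status fetcher is injectable so the logic can run offline against a stub.

```python
"""Check which of the OData services listed above a test user may reach.

Added example, not SAP code. Backend URL and test user are assumptions.
"""
import base64
import urllib.error
import urllib.request

# The services from the guide, relative to the SAP Gateway root of the backend.
SERVICES = [
    "sap/opu/odata/sap/API_BUSINESS_PARTNER",
    "sap/opu/odata/sap/API_OPLACCTGDOCITEMCUBE_SRV",
    "sap/opu/odata/sap/API_SALES_CONTRACT_SRV",
    "sap/opu/odata/sap/C_DAYSSALESOUTSTANDING_CDS",
    "sap/opu/odata/sap/C_FUTUREACCTRBLS_CDS",
    "sap/opu/odata/sap/C_OPENDISPUTECASE_CDS",
    "sap/opu/odata/sap/C_OVERDUEACCTRBLS_CDS",
    "sap/opu/odata/sap/C_SALESVOLUMEANALYTICSQRY_CDS",
    "sap/opu/odata/sap/C_TOTALACCOUNTSRECEIVABLES_CDS",
]


def classify(status):
    """Map the HTTP status of a $metadata request to what it means for the role setup
    (assumed mapping; verify against your Gateway's error responses)."""
    return {
        200: "authorized",
        401: "not authenticated",
        403: "no authorization for service",
        404: "service not found or not activated",
    }.get(status, f"unexpected HTTP {status}")


def http_status(url, user, password, timeout=15):
    """GET the URL over HTTPS with basic auth and return the status code."""
    credentials = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(
        url, headers={"Authorization": "Basic " + credentials,
                      "Accept": "application/xml"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def check_services(base_url, fetch_status, services=SERVICES):
    """Request each service's $metadata document (cheap, but still subject to the
    Gateway service authorization check) and return service -> classification."""
    root = base_url.rstrip("/")
    return {svc: classify(fetch_status(f"{root}/{svc}/$metadata")) for svc in services}


def missing(results):
    """Services the test user cannot use; an empty list means the roles are complete."""
    return sorted(svc for svc, state in results.items() if state != "authorized")


if __name__ == "__main__":
    import getpass
    import sys

    # Assumed invocation: python check_services.py https://s4host:44300 TESTUSER
    base, user = sys.argv[1], sys.argv[2]
    pw = getpass.getpass("Password: ")
    outcome = check_services(base, lambda url: http_status(url, user, pw))
    for svc, state in outcome.items():
        print(f"{state:40s} {svc}")
    sys.exit(1 if missing(outcome) else 0)
```

Run it once per role template (regional CFO, senior sales manager) with a user holding only that role: every service should come back "authorized", and a 403 points at a missing service authorization in the backend rather than at the mobile configuration.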
Performing administrative tasks on SAP Cloud Platform Mobile Services should be restricted to authorized
users only. SAP Cloud Platform Mobile Services provides a set of roles that the relevant users need to be
assigned to.
The list of roles and their purpose can be found here: Set Up Customer Accounts
For information about defining groups and assigning users, see Security Administration: Managing
Authentication and Authorization.
The following diagram shows the security components in the system landscape, and especially how
authentication is handled in the SAP Customer Guide scenario.
Communication between the SAP Customer Guide mobile app and SAP Cloud Platform is secured by industry
best practices and state-of-the-art open cryptographic standards. Customers use a unique, customer-specific
URL. The communication channels are secured with the Transport Layer Security protocol (TLS 1.2), as used in
HTTPS. Users of the iOS application authenticate on SAP Cloud Platform using the SAML 2.0 protocol.
Based on this step, the mobile app requests an OAuth 2.0 token from SAP Cloud Platform and stores it
on the device in a SQLCipher database. This database uses the Advanced Encryption Standard (AES) with a
256-bit key length to persist its content on top of the iOS file system, which is itself encrypted (see https://
www.apple.com/business/docs/iOS_Security_Guide.pdf ). Administrators on SAP Cloud Platform Mobile
Services can configure how the user has to authenticate on the mobile app to access this token. This also
determines how the key of the SQLCipher database is created and persisted.
The configuration of Mobile Services and the Integration content is stored on SAP Cloud Platform. This data
can only be read and modified by authenticated users with the respective authorization roles. It's important
that those roles are only assigned to administrative users. For more information, see Role Concept - Mobile
Services [page 49].
In the SAP Customer Guide solution, no business data is stored on SAP Cloud Platform but only in the on-
premise backends. These backend systems are accessed from SAP Cloud Platform via the SAP Cloud
Connector. The authentication to those systems is done via a principal propagation mechanism provided by
the SAP Cloud Connector. This ensures that the mobile user that has been authenticated on SAP Cloud
Platform is propagated to the respective SAP ABAP and Java-based backend systems. There is no technical
user involved in this communication. As the backend systems have their own User Store, the users need to be
mapped and synchronized against the user database on the SAML IdP. If SAP Cloud Platform Identity
Authentication Service is used as the SAML IdP, a variety of options exist to connect these two user stores.
These are described in Corporate Identity Providers.
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.
SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.