
PUBLIC

Document Version: SHIP – 2022-09-15

Administration Guide for SAP Enterprise Contract Assembly
© 2022 SAP SE or an SAP affiliate company. All rights reserved.



Content

1 Document History

2 Overview

3 Technical Prerequisites
  3.1 Internet Connection and Network Requirements
  3.2 Browsers and Browser Settings

4 Onboarding
  4.1 Creating a Subaccount
  4.2 Handling Users and User Groups Required for Enterprise Contract Assembly
    Creating Users and User Groups in the Identity Authentication Service
    Assigning User Groups to Users
  4.3 Subscribing to Applications
  4.4 Configuring SCIM destinations in the Subaccount
  4.5 Configuring Multi-Factor Authentication

5 Connecting to SAP S/4HANA for enterprise contract management

6 User Management
  6.1 Defining and Bundling Roles
  6.2 Assigning Role Collections to Users

7 Business Configuration
  7.1 Configuring Areas
  7.2 Configuring Clause Types
  7.3 Configuring Input Fields
  7.4 Configuring Authorizations
    Create Authorization for a Text Block
    Create Authorization for a Template
    Create Authorization for a Virtual Document
  7.5 Configuring User Groups

8 Security and Data Protection and Privacy
  8.1 Data Protection and Privacy
    Glossary
    Read Access Logging
    Information Report
    Working with Manage Personal Data App in Personal Data Manager
    Working with Manage My Personal Data App in Enterprise Contract Assembly
    Deletion of Personal Data
  8.2 Communication and Data Storage Security

9 Error Handling

1 Document History

Provides details about the changes made in each version of this document.

Document Version | Date | Comment
--- | --- | ---
1.0 | 2019-09-20 | First release of SAP Enterprise Contract Assembly.
1.1 | 2020-10-09 | New topics in the Admin Guide: Create Authorization for a Text Block [page 24]; Create Authorization for a Template [page 26]; Create Authorization for a Virtual Document [page 29]. Updated topics in the Admin Guide: Configuring Authorizations [page 22]; Defining and Bundling Roles [page 16].

2 Overview

About This Guide

This administration guide describes the steps you need to perform as an administrator to set up and run SAP
Enterprise Contract Assembly. It covers application-specific information only. For general information about
SAP BTP, see the documentation on SAP Help Portal at https://viewer/product/BTP/Cloud.

This guide addresses system administrators.

About This Solution

SAP Enterprise Contract Assembly is a cloud solution that enables you to create and manage the complete
lifecycle of templates and text blocks that can be used for producing virtual documents used in various
transactions.

For information about using the features provided by Enterprise Contract Assembly, see User Guide for SAP S/4HANA Cloud for Enterprise Contract Assembly.

3 Technical Prerequisites

Before you start to use SAP Enterprise Contract Assembly, check the requirements and recommendations in
this section.

3.1 Internet Connection and Network Requirements

To use Enterprise Contract Assembly, choose the following Cloud Foundry environment:

Europe (Frankfurt) (running on AWS)

For detailed information about the regions and hosts, see Regions.

3.2 Browsers and Browser Settings

Enterprise Contract Assembly supports the following browsers:

Browser | Versions
--- | ---
Google Chrome | Latest version
Microsoft Edge | Latest version
Mozilla Firefox | Latest version
Safari | Latest version

Note

Internet Explorer is not supported.

4 Onboarding

This section describes the tasks that an administrator must perform in order to start using Enterprise Contract
Assembly.

This section assumes that the actual process of onboarding onto SAP BTP has already been completed. For information about the onboarding process, see the documentation under Getting Started with a Customer Account: Workflow in the Cloud Foundry Environment.

When you purchase Enterprise Contract Assembly, it includes services provided by SAP BTP. The platform does not have its own user base, so a separate identity provider (IdP) is required. Use the Identity Authentication service as the identity provider. For more information about those services, refer to their documentation.

Prerequisites

• You have a global account on SAP BTP for the Cloud Foundry environment in the Europe (Frankfurt) region
running on AWS.
• You are assigned the Administrator role for the global account.
• You have administration rights in the Identity Authentication administration console.

Next Steps

1. Create subaccounts under your global account.
   See Creating a Subaccount [page 8].
2. Create a tenant in the Identity Authentication service.
   If you already have a tenant in the Identity Authentication service, for example, from S/4HANA Cloud Edition, you can reuse it.
   See Establish Trust Between Identity Authentication Service and SAP Cloud Platform.
3. Create users and user groups in the Identity Authentication service. Assign the users to relevant user groups.
   See Creating Users and User Groups in the Identity Authentication Service [page 10] and Assigning User Groups to Users [page 11].
4. An entitlement is only visible in the SAP BTP cockpit if you have a license for Enterprise Contract Assembly.
   Purchase the relevant product from the SAP Store.
5. Subscribe to the application.
   See Subscribing to Applications [page 12].
6. (Required if you are integrating with SAP S/4HANA for enterprise contract management) Configure areas.
   See Configuring Areas [page 19].
7. Configure input fields for inserting in text blocks.
   See Configuring Input Fields [page 21].
8. Configure clause types required for creating text blocks.
   See Configuring Clause Types [page 20].
9. Configure authorizations for user groups, in order to work with virtual documents.
   See Configuring Authorizations [page 22].

4.1 Creating a Subaccount

To be able to subscribe to the application and reach the SAP BTP services, create a subaccount in the SAP BTP
Cockpit.

Prerequisites

• You have a global account.
• You are assigned the Administrator role for the global account.

Procedure

1. Sign in to the SAP BTP cockpit and go to your global account.
2. Click the New Subaccount button and create a subaccount with Amazon Web Services (AWS) (in Frankfurt or any other Europe region).
3. Enter the Display Name and Subdomain.

   Use only lower-case letters and digits for the subdomain name. The subdomain becomes part of the URL for accessing subscribed applications.

   When you create a subaccount, the platform automatically grants your user the role for the administration of business users and their authorizations in the subaccount. With this role, you can also add or remove other users, who then also become user and role administrators of this subaccount.

   Note

   Only the administrator who created the current subaccount can add other administrators with access to the Security tab in the SAP BTP Cockpit. Make sure you add users with sufficient rights to manage accounts on all occasions.

   For more information, see the documentation in https://viewer/product/BTP/Cloud, under Security > Security in the Cloud Foundry Environment > Authorization and Trust Management in the Cloud Foundry Environment > Security Administrators in Your Subaccount.

4.2 Handling Users and User Groups Required for Enterprise Contract Assembly

You can configure the users and user groups for working with Enterprise Contract Assembly based on different
scenarios.

Scenario 1: Users and user groups do not exist in the Identity Authentication service.

Prerequisite:

Ensure that Identity Authentication is set up.

If you are new to the setup, see Initial Setup.

If the setup already exists, you can find more information in the SAP BTP documentation under Manually
Establish Trust and Federation Between UAA and Identity Authentication.

1. Create users and user groups in the Identity Authentication service.
2. Assign user groups to users.

Scenario 2: Users and user groups are maintained in third-party repositories such as WinAd/LDAP systems.

Push the users and user groups using the Users and Groups Management API.

Scenario 3: Users are maintained in proprietary user repositories.

1. Create the user groups using the Configure User Groups app.
2. Bind the users and user groups using the Users and Groups Management API.
   This API enables you to connect your user repositories to Enterprise Contract Assembly's configuration repository using the Identity Provisioning service, replicate the user details to the configuration repository, and associate them with user groups created using the Configure User Groups app.

Related Information

Creating Users and User Groups in the Identity Authentication Service [page 10]
Assigning User Groups to Users [page 11]
Configuring User Groups [page 33]

4.2.1 Creating Users and User Groups in the Identity Authentication Service

As an administrator, you can create new users and user groups in the administration console for Identity
Authentication.

Context

The administrator creates the new user with a minimum set of attributes and can set an initial password.

Procedure

1. Access the administration console for Identity Authentication by using the console's URL.

   The URL has the https://<tenant ID>.accounts.ondemand.com/admin pattern.

   The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID.
2. Create new end-users.

   a. Go to Users & Authorizations > User Management.
   b. Choose + Add User.
   c. Enter the required values in the Add New User dialog box.
   d. Choose one of the following options:

      Option | Description
      --- | ---
      Send activation e-mail | The user receives an e-mail with instructions on how to activate the user account.
      Set password | The administrator sets the password for the user. Note: The user is prompted to reset the password after signing in for the first time.

   e. Save your entry.

   Note

   All backend activities that take place between Enterprise Contract Assembly and its integrating systems, such as SAP S/4HANA for enterprise contract management, are handled by a fixed technical user with the username eca-system-user and the e-mail ID eca-system-user@sap.com. For all activities performed by this user, the audit log entries display the username as eca-system-user.

3. Create new system administrators.

   a. Go to Users & Authorizations > Administrators.
   b. Choose +Add > System.
   c. Enter a name for the system in the Add Administrator screen and save it.
   d. Choose the newly created system from the list and select Set Password.
   e. In the Configure User ID and Password screen, set a new password for the system. An alphanumeric user ID is generated automatically when you set the password for the first time. Copy this user ID and password. They are required for configuring the SCIM destinations.
4. Create new user groups.

   Note

   You must create at least three user groups as follows:

   • A group for configuration experts.
   • A group for virtual document users.
   • A group for template users.

   a. Go to Users & Authorizations > User Groups.
   b. Choose +Add.
   c. Enter the required values for the various fields.

      The user group name must always start with "eca-". The name can contain lower-case characters (a-z), upper-case characters (A-Z), base 10 digits (0-9), hyphens, and underscores.
   d. Save your entry.

4.2.2 Assigning User Groups to Users

As an administrator, you can assign one or more groups to a user in the administration console for Identity
Authentication.

Prerequisites

You have created users and user groups.

See Creating Users and User Groups in the Identity Authentication Service [page 10].

Procedure

1. Access the administration console for Identity Authentication by using the console's URL.

   The URL has the https://<tenant ID>.accounts.ondemand.com/admin pattern.

   The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID.
2. Go to Users & Authorizations > User Management.
3. Choose the user to whom you want to assign user groups.
4. Go to the User Groups tab and choose Assign Groups.
5. Select the groups that you want to assign to the user.
6. Save the changes.

4.3 Subscribing to Applications

Prerequisites

1. You have purchased SaaS licenses for the applications you want to consume.
2. You have created a subaccount in your global account.
3. You have created trust both from the SAP BTP Cockpit and Identity Authentication administration console.

Procedure

1. Navigate to your subaccount in the SAP BTP cockpit.
2. Go to Subscriptions. Under SAAS Applications, choose the SAP Enterprise Contract Assembly tile.

   The SAP Enterprise Contract Assembly overview page is displayed.
3. Choose Subscribe.

   After a few seconds, the status will change from Not Subscribed to Subscribed.
4. Choose Go to Application.

   The application launchpad is displayed. Note down this URL for future reference.

   Note

   Applications do not open before you have created trust both from the SAP BTP cockpit and Identity Authentication administration console.

4.4 Configuring SCIM destinations in the Subaccount

To complete the setup, you must configure new SCIM destinations in the subaccount.

Prerequisites:

You have created a new system administrator in Identity Authentication and copied the user ID and password.

See Creating Users and User Groups in the Identity Authentication Service [page 10].

• A destination to the SCIM API endpoint of the identity provider.
  1. Navigate to your subaccount in the SAP BTP cockpit.
  2. Go to Destinations.
  3. Choose New Destination.
  4. In the Name field, enter scim.
  5. In the URL field, enter the SCIM API link of the identity provider.
     For example, <IAS url>/service/scim/Users.
  6. Choose Basic Authentication. Enter the user ID and password of the system administrator for the identity provider.
  7. Choose Save.
     The destination is now configured.
  8. Check if the destination is reachable.
• A destination to the SCIM user group.
  1. Navigate to your subaccount in the SAP BTP cockpit.
  2. Go to Destinations.
  3. Choose New Destination.
  4. In the Name field, enter scim-usergroup.
  5. In the URL field, enter the SCIM user group link.
     For example, <IAS url>/service/scim/Groups.
  6. Choose Basic Authentication. Enter the user ID and password of the system administrator for the identity provider.
  7. Choose Save.
     The destination is now configured.
  8. Check if the destination is reachable.

For information about checking if the user group is reachable, see Check the Availability of a Destination.

4.5 Configuring Multi-Factor Authentication

You can configure multi-factor authentication at the application or tenant level.

SAP Enterprise Contract Assembly currently supports the following types of multi-factor authentication:

• TOTP two-factor authentication
  For information about activating TOTP two-factor authentication, see Activate TOTP Two-Factor Authentication.
• Web two-factor authentication
  For information about activating web two-factor authentication, see Add a Device for Web Two-Factor Authentication.

5 Connecting to SAP S/4HANA for enterprise contract management

To generate virtual documents based on the templates and text blocks available in Enterprise Contract Assembly, and to edit specific fields in the virtual documents, Enterprise Contract Assembly must be integrated with SAP S/4HANA for enterprise contract management. Text elements such as variables that are used in text blocks are also available in Enterprise Contract Assembly only if the connectivity is set up, because the variables are retrieved from the SAP S/4HANA for enterprise contract management system.

For information about setting up the integration between Enterprise Contract Assembly and SAP S/4HANA for enterprise contract management, see the configuration guide for SAP S/4HANA for enterprise contract management available in the SAP Best Practices Explorer. In the SAP Best Practices Explorer, search for Integration to SAP S/4HANA Cloud for Enterprise Contract Assembly (2OQ).

6 User Management

This section describes how to configure user management for your application. As a prerequisite, you have
created business users and user groups in your identity provider (IdP). SAP ID service is configured as the
default IdP, but you can also add your instance of SAP Cloud Identity Services - Identity Authentication or a
different IdP.

If you use the Identity Authentication service, you can find more information in the SAP BTP documentation
under Manually Establish Trust and Federation Between UAA and Identity Authentication.

Ensure your trust configuration allows logins only via the SAML protocol configuration. For other
configurations, please disable the Available for User Logon option.

When you create new users, each user is assigned a unique user ID. The user details like configurations,
authorizations, audit logs, and so on are mapped to the respective user IDs.

Caution

When you switch IdPs, the user IDs must remain the same. If the user IDs are changed, the user details will
be mapped incorrectly. This can result in incorrect data being displayed to users.
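
A pre-switch check for the caution above, as an added example that is not part of the SAP guide: it compares user exports from the current and the new IdP and reports user IDs that changed or that now belong to a different person. The CSV layout, the use of the e-mail address as the matching key, and all sample users are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports (assumed layout: user_id,email). Not real data.
OLD_IDP_EXPORT = """\
user_id,email
P000011,anna.schmidt@example.com
P000012,bo.li@example.com
P000013,carla.diaz@example.com
"""

NEW_IDP_EXPORT = """\
user_id,email
P000011,Anna.Schmidt@example.com
P000013,bo.li@example.com
P000099,carla.diaz@example.com
P000014,dev.patel@example.com
"""


def load_export(export_text):
    """Return {normalized e-mail: user ID} from a CSV export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["email"].strip().lower(): row["user_id"].strip() for row in reader}


def compare_exports(old, new):
    """List findings that would break the user ID mapping after an IdP switch.

    ID_CHANGED     same person, different user ID in the new IdP
    MISSING_IN_NEW person exists only in the old IdP
    ID_REASSIGNED  a user ID from the old IdP now belongs to someone else,
                   so that person would see the previous owner's details
    """
    findings = []
    old_owner = {user_id: email for email, user_id in old.items()}

    for email, old_id in sorted(old.items()):
        new_id = new.get(email)
        if new_id is None:
            findings.append(("MISSING_IN_NEW", email, old_id, None))
        elif new_id != old_id:
            findings.append(("ID_CHANGED", email, old_id, new_id))

    for email, new_id in sorted(new.items()):
        previous = old_owner.get(new_id)
        if previous is not None and previous != email:
            findings.append(("ID_REASSIGNED", email, previous, new_id))

    return findings


if __name__ == "__main__":
    for finding in compare_exports(load_export(OLD_IDP_EXPORT),
                                   load_export(NEW_IDP_EXPORT)):
        print(finding)
```

An empty result means every user keeps the same ID; any ID_REASSIGNED finding should block the switch until the IDs are corrected in the new IdP.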

6.1 Defining and Bundling Roles

Enterprise Contract Assembly provides the following roles:

Role Name | Technical Name | Description | Additional Details
--- | --- | --- | ---
edit_manage_document | VD_EDIT | Write permission on virtual documents | Also includes read permission on virtual documents.
edit_template | TM_EDIT | Write permission on legal templates | Also includes read permission on legal templates.
edit_textblock | TB_EDIT | Write permission on text blocks | Also includes read permission on text blocks.
view_manage_document | VD_DISPLAY | Read permission on virtual documents |
view_template | TM_DISPLAY | Read permission on legal templates |
view_textblock | TB_DISPLAY | Read permission on text blocks |
config_area_code | CAR | View the Configuring Areas app tile |
config_clause_type | CCL | View the Configuring Clause Types app tile |
config_auth | CAU | View the Configuring Authorizations app tile |
config_input_field | CIF | View the Configuring Input Fields app tile |
config_user_group | CUG | View the Configuring User Groups app tile | Remember: This role is required only if user groups are not maintained externally.
config_all | Config_Admin | Write permission on the configuration apps | Should be bundled with the relevant roles mentioned above for the configuration apps, to view the tiles for the configuration apps and work with areas, input fields, clause types, and so on.

Additionally, you can assign the following roles to use the Personal Data Manager apps:

Role Name | Technical Name | Description
--- | --- | ---
PDM_Administrator | | User can export the personal data using the Data Export app in Personal Data Manager.
PDM_CustomerServiceRepresentative | | User can process and manage personal data requests using the Manage Personal Data and Manage Personal Data Requests apps in Personal Data Manager.

As a prerequisite for assigning roles to IdP users or user groups, you also need to configure role collections. A
role collection consists of one or more roles from one or more applications and can be used to bundle
authorizations within and across applications.

For more information about how to create roles and how to bundle them in role collections using the SAP BTP
cockpit, see Building Roles and Role Collections for Applications.
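
One way to review planned role collections against the role table in this section before creating them in the SAP BTP cockpit (an added example, not SAP code). The collection names and the rule that configuration roles and document write roles should not share a collection are assumptions; the role names come from the table above.

```python
# Write roles and the read role each one already includes (from the role table).
WRITE_INCLUDES_READ = {
    "edit_manage_document": "view_manage_document",
    "edit_template": "view_template",
    "edit_textblock": "view_textblock",
}
# Roles that only make a configuration app tile visible.
CONFIG_TILE_ROLES = {
    "config_area_code", "config_clause_type", "config_auth",
    "config_input_field", "config_user_group",
}
CONFIG_WRITE_ROLE = "config_all"
PDM_ROLES = {"PDM_Administrator", "PDM_CustomerServiceRepresentative"}

KNOWN_ROLES = (
    set(WRITE_INCLUDES_READ) | set(WRITE_INCLUDES_READ.values())
    | CONFIG_TILE_ROLES | {CONFIG_WRITE_ROLE} | PDM_ROLES
)

# Constructed sample plan: {role collection name: [role names]}.
SAMPLE_COLLECTIONS = {
    "ECA_Config_Expert": ["config_all", "config_area_code", "config_clause_type",
                          "config_auth", "config_input_field"],
    "ECA_Template_Author": ["edit_template", "view_template", "edit_textblock"],
    "ECA_Doc_User": ["edit_manage_document", "view_template", "view_textblock"],
    "ECA_Power_User": ["config_all", "edit_manage_document", "edit_templates"],
}


def audit(collections):
    """Return (collection, code, detail) findings for a role collection plan."""
    findings = []
    for name, roles in collections.items():
        granted = set(roles)

        # A misspelled role silently grants nothing; catch it before rollout.
        for role in sorted(granted - KNOWN_ROLES):
            findings.append((name, "UNKNOWN_ROLE", role))

        # Write roles already include read, so the view role adds nothing.
        for edit_role, view_role in WRITE_INCLUDES_READ.items():
            if edit_role in granted and view_role in granted:
                findings.append((name, "REDUNDANT_READ", view_role))

        # config_all must be bundled with tile roles or no config app is visible.
        if CONFIG_WRITE_ROLE in granted and not granted & CONFIG_TILE_ROLES:
            findings.append((name, "CONFIG_WRITE_NO_TILE", CONFIG_WRITE_ROLE))

        # Assumed policy: keep configuration roles apart from document write roles.
        business_write = granted & set(WRITE_INCLUDES_READ)
        config = granted & (CONFIG_TILE_ROLES | {CONFIG_WRITE_ROLE})
        if business_write and config:
            detail = ",".join(sorted(business_write | config))
            findings.append((name, "MIXED_DUTIES", detail))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_COLLECTIONS):
        print(finding)
```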

6.2 Assigning Role Collections to Users

In the SAP BTP cockpit, you must assign role collections to IdP users or user groups. As a prerequisite, users
and user groups must have been created in the Identity Authentication service or another IdP.

Note

If you use the SAP ID service, you assign role collections to individual users. If you use the Identity
Authentication service or another IdP, you assign them either to individual users or to user groups.

For more information about how to assign role collections to users or user groups using the SAP BTP cockpit,
see Assigning Role Collections.

7 Business Configuration

Enterprise Contract Assembly provides the following configuration applications:

• Configure Areas
• Configure Input Fields
• Configure Clause Types
• Configure Authorizations

7.1 Configuring Areas

In order to generate virtual documents based on the templates and text blocks available in Enterprise Contract
Assembly and edit specific fields in the virtual documents, Enterprise Contract Assembly must be integrated
with SAP S/4HANA for enterprise contract management.

Context

Areas are used for authorization between Enterprise Contract Assembly and SAP S/4HANA for enterprise
contract management.

Procedure

1. Sign in to the SAP Fiori Launchpad and launch the Configure Areas app.

   The area list view is displayed.
2. Choose Create Area.
3. In the new screen, enter the Name and Description.

   The default language is English.
4. Choose Save.

   The new area is created.

7.2 Configuring Clause Types

Context

Enterprise Contract Assembly enables you to create custom clause types by using the Configure Clause Types
app. These clause types are made available in the Manage Templates app. When you create a new text block,
you can choose the type from this list of clause types.

Procedure

1. Sign in to the SAP Fiori Launchpad and launch the Configure Clause Types app.

   The clause types list view is displayed.
2. Choose Create Clause Type.
3. Enter the required values for the following properties:

   Field Name | Description
   --- | ---
   Code | Indicates the identifier for the clause type. This code is visible only within the Configure Clause Types app. Enter a meaningful code to identify the clause type. It can be used for searching and filtering the clause types within the app.
   Name | Name of clause type. This is the name that is used in the Manage Templates app.
   Language | Default language is English.

4. Choose Save.

   A new clause type is created.

7.3 Configuring Input Fields

Context

Enterprise Contract Assembly enables you to create input fields by using the Configure Input Fields app. The created input fields are then available in the Text Elements library of the Manage Templates app for inserting into text blocks. After the virtual document is generated based on the selected template, users can enter data in the input fields.

Procedure

1. Sign in to the SAP Fiori Launchpad and launch the Configure Input Fields app.

   The input fields list view is displayed.
2. Choose Create Input Field.
3. Enter the required values for the following properties:

   Field Name | Description
   --- | ---
   Type | Indicates the type of the input field.
   Name | Name of input field. This name is visible within the Configure Input Fields app. Enter a meaningful name to identify the input field. It can be used for searching and filtering the input fields within the app. When an input field is created in multiple languages, the same name must be used in all languages. This ensures that when an input field used in the virtual document is not available in the user's logon language, the name is displayed instead of the label.
   Label in Template | Indicates the name of the input field that will be displayed in the template and virtual document.
   Help Text | Provide information that will help the document user to input the correct value.
   Input Format Name | Indicates the type of input format you want to assign for the input field you are creating. This depends on the input field type. For example, if the input field type is Drop-down, the drop-down options must be defined here. If the type is Free Text, the maximum character length must be defined here. You can create a new input format or choose an existing one.

4. Choose Save.

   A new input field is created.

7.4 Configuring Authorizations

Enterprise Contract Assembly enables you to define the authorizations for various user groups. Depending on
the authorizations that are provided, users can perform various operations.

Prerequisites

Users and user groups have been created in Identity Authentication. Users are assigned to relevant user
groups.

For more information, see Creating Users and User Groups in the Identity Authentication Service [page 10] and
Assigning User Groups to Users [page 11].

Context

Authorization administrators have all the authorizations required to perform all the operations. They can also
create authorizations based on different business requirements and assign these authorizations to the user
groups. This ensures that the end users have access to the relevant objects.

The authorization administrators should create at least one authorization for the end users who work with any of the following objects: virtual documents, templates, or text blocks.

Authorizations can also be edited after they are created.

Note

The created authorization is applicable to the combination of values selected for all the fields.

Procedure

1. Sign in to the SAP Fiori Launchpad and launch the Configure Authorizations app.

   The available user groups are displayed.
2. Choose the user group for which you want to define the authorization.
3. In the Authorizations section, choose Create.
4. Enter the required values for the following properties:

   Field Name | Description | Applicable to the Object Types
   --- | --- | ---
   Object | Type of object. Select one of the following: Virtual Document, Template, Text Block. Text block is selected by default. | Not applicable
   Name | Name of the authorization. This is visible only within the Configure Authorizations app. Enter a meaningful name to identify the authorization. It can be used for searching and filtering the authorizations within the Configure Authorizations app. | All
   Operation | Indicates the operation that the users in the selected user group with this authorization can perform. | All
   Business Actions | Indicates the business actions that the users in the selected user group with this authorization can perform. | Templates and virtual documents
   Area | Indicates the areas for which the authorization is applicable. | Virtual document
   Content Type | Indicates the various content types for which the authorization is applicable. | Templates and virtual documents
   Status | Indicates the object statuses for which the authorization is applicable. | Templates and virtual documents
   Access Level of Legal Transaction (Optional) | Indicates the access level of the legal transaction for which the authorization is applicable. | Virtual document
   Access Level of Legal Document (Optional) | Indicates the access level of the legal document for which the authorization is applicable. | Virtual document
   Governing Law | Indicates the governing law for which the authorization is applicable. | Template
   Text Block Class | Indicates the text block class for which the authorization is applicable. | Text block
   Text Block Type | Indicates the text block type for which the authorization is applicable. | Text block

5. Choose Create.

   A new authorization is created for the selected user group.

Related Information

Create Authorization for a Template
Create Authorization for a Virtual Document
Create Authorization for a Text Block

7.4.1 Create Authorization for a Text Block

Create an authorization for a user group that includes end users who work with text blocks.

Context

An authorization for a user group that includes end users who work with text blocks.

Procedure

1. Sign in to the SAP Fiori Launchpad and launch the Configure Authorizations app.

The available user groups are displayed.


2. Choose the user group for which you want to define the authorization.
3. In the Authorizations section, choose Create.
4. Enter the required values for the following properties:

Object: Select Text Block from the drop-down list.

Name: Enter a meaningful name to identify the authorization. It can be used for searching and filtering the
authorizations within the Configure Authorizations app.

Operation: Choose the operations that the users in the user group with this authorization can perform. Read
and Write are the available options here.

Note
For the authorization where Write operation is selected, the user automatically also gets permission to
the read, update, create, and delete operations.

The following table shows the available permissions for the different operations:

| Operation | User Actions | Also Includes User Actions for the Following Operations |
| --- | --- | --- |
| Read | User can: • Search for the text blocks • View the list on the Manage Text Blocks app • View the text blocks | |
| Write | User can edit and create the text blocks | Read |

Text Block Class: Choose the text block class for which the authorization is applicable. Signature and Clause
are the available options here.

Text Block Type: Choose the text block type for which the authorization is applicable.

Note
Text block type cannot be selected when Signature is selected in the Text Block Class.

Results

The created authorization is applicable to the combination of values selected for all the fields. This means a
user gets permission to access a text block only when the combination of values for all the fields matches
between the authorization and the text block.

For example, an authorization is created with the following values:

• Operation: Write
• Text Block Class: Clause
• Text Block Type: Preamble

In this case, the user has Write permission on text blocks that fulfill all the following conditions:

• Has Text Block Class as Clause


• Has Text Block Type as Preamble

If even one condition is not satisfied, the user does not get write permission on the text block.

Note

• All the fields are mandatory, except for the ones that are marked as optional.
• To edit the created authorization later, follow these steps:
  1. Launch the Configure Authorizations app.
  2. Choose the user group where you have created the authorization.
  3. Select the authorization.
  4. Click Edit to edit the authorization.

Note

The fields Object and Operation cannot be edited in an existing text block authorization.

7.4.2 Create Authorization for a Template

Create an authorization for a user group that includes end users who work with templates.

Context

An authorization for a user group that includes end users who work with templates.

Procedure

1. Sign in to the SAP Fiori Launchpad and launch the Configure Authorizations app.

The available user groups are displayed.


2. Choose the user group for which you want to define the authorization.
3. In the Authorizations section, choose Create.
4. Enter the required values for the following properties:

Object: Select Template from the drop-down list.

Name: Enter a meaningful name to identify the authorization. It can be used for searching and filtering the
authorizations within the Configure Authorizations app.

Operation: Choose the operations that the users in the user group with this authorization can perform. Read
and Write are the available options here.

Note
For the authorization where Write operation is selected, the user automatically also gets permission to
the read, update, create, and delete operations.

Business Actions: Choose the business actions that the users in the user group with this authorization can
perform. The available options are:

• Full Read and Restricted Read are the available options when Read is selected as the operation.
• All the business actions are available with the write operation.

The following table shows the available user actions for the different business actions:

| Business Action | User Actions | Also Includes User Actions for the Following Business Actions |
| --- | --- | --- |
| Restricted Read | User can: • Search for the templates • View the templates that are in the status Released • Download the template • Preview the template • Use the feature Export to Word • Use the feature Version History | |
| Full Read | User can: • View notes • View templates in all the statuses | Restricted Read |
| Create, Edit, Full Display, and Delete | User has full access to the templates. The following list contains some of the actions that the user can do: • Approve the template • Use the Show Library feature • Archive the template • Export the template • Edit the template • Create new template | Full Read |

Status: Displays the status that is applicable to the authorization.

Note
The statuses are selected by default, based on the selected operation and business actions, and are not
editable. See the table below for more details:

| Operation | Status |
| --- | --- |
| Full Read | All |
| Restricted Read | Released |
| Write | All |

Content Type: Select the various content types as required.

Governing Law: Select the various governing laws as required.

Results

The created authorization is applicable to the combination of values selected for all the fields. This means a
user gets permission to access a template only when the combination of values for all the fields matches
between the authorization and the template.

For example, an authorization is created with the following values:

• Operation: Read
• Business Actions: Full Read
• Content Types: NDA and Amendment
• Governing Law: Germany (DE)
• Status: All

In this case, the user has read permission on the templates with the following values:

| Template 1 | Template 2 | Template 3 |
| --- | --- | --- |
| • Content Type: NDA • Governing Law: Germany (DE) | • Content Type: Amendment • Governing Law: Germany (DE) | • Content Types: both NDA and Amendment • Governing Law: Germany (DE) |

Note

• All the fields are mandatory, except for the ones that are marked as optional.
• To edit the created authorization later, follow these steps:
  1. Launch the Configure Authorizations app.
  2. Choose the user group where you have created the authorization.
  3. Select the authorization.
  4. Click Edit to edit the authorization.

Note

The fields Object, Operation, and Business Actions cannot be edited in an existing template
authorization.

7.4.3 Create Authorization for a Virtual Document

Create an authorization for a user group that includes end users who work with virtual documents.

Context

An authorization for a user group that includes end users who work with virtual documents.

Procedure

1. Sign in to the SAP Fiori Launchpad and launch the Configure Authorizations app.

The available user groups are displayed.


2. Choose the user group for which you want to define the authorization.
3. In the Authorizations section, choose Create.
4. Enter the required values for the following properties:

Object: Select Virtual Document from the drop-down list.

Name: Enter a meaningful name to identify the authorization. It can be used for searching and filtering the
authorizations within the Configure Authorizations app.

Operation: Choose the operations that the users in the user group with this authorization can perform. Read
and Write are the available options here.

Note
For the authorization where Write operation is selected, the user automatically also gets permission to
the read, update, create, and delete operations.

Business Actions: Choose the business actions that the users in the user group with this authorization can
perform. The available options are:

• View and Download as PDF are the available options and are selected by default when Read is selected as
  the Operation.
• The following business actions are available when Write is selected as the Operation:
  • Edit
  • Edit Input Field
  • Set To Final
  • Edit Final
  • Expert Edit

The following table shows the available permissions for the different business actions:

| Business Action | User Actions | Also Includes User Actions for the Following Business Actions |
| --- | --- | --- |
| Edit | User can: • Edit the virtual document using the Edit button • Edit properties of the virtual document • Refresh the variables • Use the show library feature • Create new virtual documents | |
| Edit Input Field | Edit input fields in the virtual document. | |
| Set to Final | User can use the option Set to Final to move the virtual document to the status Final. | |
| Edit Final | View the virtual documents that are in the status Final. | Edit, Edit Input Field, and Set to Final |
| Expert Edit | Edit all the aspects in the virtual document and edit variables. | Edit Final, and Edit Variable |

Areas: Choose the areas as required.

Content Type: Select the various content types as required.

Status: Choose the statuses for which the authorization is applicable. Available options are:

• Pending, Error, or Complete
• Final
• Archived

Note
You can choose the statuses only for the Read operation. For the Write operation, the statuses are selected
by default and are not editable. See the table below for more details:

| Business Action | Status |
| --- | --- |
| Edit | Pending, Error, or Complete |
| Edit Final | All |
| Expert Edit | All |
| Edit Input Field | Pending, Error, or Complete |
| Set To Final | Complete |
| Edit Input Field + Set To Final | Pending, Error, or Complete |
| Edit + Edit Input Field | Pending, Error, or Complete |
| Edit + Set To Final | Pending, Error, or Complete |

Access Level of Legal Transaction (Optional): Choose access level of the legal transaction to which the
authorization is applied. If access level is not selected, the user gets full access.

Access Level of Legal Document (Optional): Choose access level of the legal document to which the
authorization is applied. If access level is not selected, the user gets full access.

Results

The created authorization is applicable to the combination of values selected for all the fields. This means a
user gets permission to access a virtual document only when the combination of values for all the fields
matches between the authorization and the virtual document.

For example, an authorization is created with the following values:

• Operation: Write
• Business Actions: Edit
• Areas: Area01, Area02
• Content Types: NDA
• Status: Pending, Error, or Complete
• Access Level of Legal Transaction: Private
• Access Level of Legal Document: Public

In this case, the user has write permission on the virtual documents with the following values:

| Virtual Document 1 | Virtual Document 2 | Virtual Document 3 |
| --- | --- | --- |
| • Area: Area01 • Content Type: NDA • Access Level of Legal Transaction: Private | • Area: Area02 • Content Type: NDA • Access Level of Legal Document: Public | • Areas: Area01, Area02 • Content Types: NDA • Access Level of Legal Transaction: Private • Access Level of Legal Document: Public |

Note

• All the fields are mandatory, except for the ones that are marked as optional.
• To edit the created authorization later, follow these steps:
  1. Launch the Configure Authorizations app.
  2. Choose the user group where you have created the authorization.
  3. Select the authorization.
  4. Click Edit to edit the authorization.

Note

The fields Object and Operation cannot be edited in an existing virtual document authorization.
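
The matching rule stated in the Results passages of 7.4.1 to 7.4.3 (every field must match, Write also grants read, a business action includes others, an unset optional access level means full access) can be modelled for reviewing a planned configuration. This is an added example, not SAP code or an SAP API: the class, the function names and the authorization names are hypothetical, and the handling of an object with several values (all of them must be among the selected values) is an assumption the guide does not state.

```python
from dataclasses import dataclass, field

ALL = "All"  # the guide's value for "no restriction" on Status

# "Also includes" columns of the business-action tables in 7.4.2 and 7.4.3.
INCLUDES = {
    "Full Read": {"Restricted Read"},
    "Create, Edit, Full Display, and Delete": {"Full Read"},
    "Edit Final": {"Edit", "Edit Input Field", "Set To Final"},
    "Expert Edit": {"Edit Final", "Edit Variable"},
}

# Optional fields: per 7.4.3, leaving one empty gives the user full access.
OPTIONAL_FIELDS = ("Access Level of Legal Transaction",
                   "Access Level of Legal Document")


@dataclass
class Authorization:          # hypothetical model, not an SAP data structure
    name: str
    object_type: str          # "Text Block", "Template" or "Virtual Document"
    operation: str            # "Read" or "Write"
    business_actions: set = field(default_factory=set)
    criteria: dict = field(default_factory=dict)  # field name -> selected values


def expand_actions(actions):
    """Return the actions plus every action they include, transitively."""
    seen, todo = set(), list(actions)
    while todo:
        action = todo.pop()
        if action not in seen:
            seen.add(action)
            todo.extend(INCLUDES.get(action, ()))
    return seen


def permits(auth, object_type, attrs, operation, action=None):
    """True if this authorization grants `operation` (and `action`) on the object."""
    if auth.object_type != object_type:
        return False
    # Write also grants read; Read never grants write.
    if operation == "Write" and auth.operation != "Write":
        return False
    if action is not None and action not in expand_actions(auth.business_actions):
        return False
    for name, selected in auth.criteria.items():
        if selected == ALL or not selected:
            continue  # "All", or an optional field left empty: no restriction
        values = set(attrs.get(name, ()))
        # Assumption: every value on the object must be among the selected ones.
        if not values or not values <= set(selected):
            return False
    return True


def unrestricted_access_levels(auths):
    """Names of virtual document authorizations with an optional access level unset."""
    return [a.name for a in auths
            if a.object_type == "Virtual Document"
            and any(not a.criteria.get(f) for f in OPTIONAL_FIELDS)]


# Field values from the guide's own examples; the names are made up.
TEMPLATE_AUTH = Authorization(
    "nda-de-full-read", "Template", "Read", {"Full Read"},
    {"Content Type": {"NDA", "Amendment"},
     "Governing Law": {"Germany (DE)"}, "Status": ALL})
TEXT_BLOCK_AUTH = Authorization(
    "preamble-write", "Text Block", "Write", set(),
    {"Text Block Class": {"Clause"}, "Text Block Type": {"Preamble"}})
VD_AUTH = Authorization(
    "nda-edit", "Virtual Document", "Write", {"Edit"},
    {"Area": {"Area01", "Area02"}, "Content Type": {"NDA"},
     "Status": {"Pending, Error, or Complete"},
     "Access Level of Legal Transaction": {"Private"},
     "Access Level of Legal Document": {"Public"}})
# Constructed for the review check: both access levels left empty.
VD_OPEN_AUTH = Authorization(
    "nda-edit-open", "Virtual Document", "Write", {"Edit"},
    {"Area": {"Area01"}, "Content Type": {"NDA"}})

if __name__ == "__main__":
    template_1 = {"Content Type": {"NDA"}, "Governing Law": {"Germany (DE)"}}
    print("Template 1 read :", permits(TEMPLATE_AUTH, "Template", template_1, "Read"))
    print("Template 1 write:", permits(TEMPLATE_AUTH, "Template", template_1, "Write"))
    print("Unset access levels:", unrestricted_access_levels([VD_AUTH, VD_OPEN_AUTH]))
```

Running the review function over the authorizations planned for a user group lists the ones that rely on the "not selected means full access" default, which is the setting most easily left open by accident.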

7.5 Configuring User Groups

Enterprise Contract Assembly enables you to create user groups by using the Configure User Groups app.
Users can be assigned to user groups. For example, users who work with the Manage Legal Templates app can
be added to a group.

Context

Use the app to create user groups only if user groups are not maintained in external repositories.

Procedure

1. Sign in to the SAP Fiori Launchpad and launch the Configure User Groups app.

The user groups list view is displayed.


2. Choose Create.
3. Enter the required values for the following properties:

| Field Name | Description |
| --- | --- |
| Name | Technical name of the user group. It will always start with the prefix "eca-". It must be a unique value and cannot be changed once it is created. It is case-sensitive. |
| Display Name | User-friendly name of the user group. It is not required to be a unique value and can be changed at any time. |
| Description | (Optional) Provides additional information about the user group. |

4. Choose Create.

A new user group is created.

You can edit only the Display Name and Description for an existing user group. User details cannot be
updated. To edit a user group, select the required group in the user groups list view and choose > to view
the details. Choose Edit.

You can delete a user group only if there are no users present in that group. To delete a user group, select
the required group in the user groups list view and choose Delete.

Related Information

Handling Users and User Groups Required for Enterprise Contract Assembly
Defining and Bundling Roles

8 Security and Data Protection and Privacy

In this section, you can find information about the security features of SAP Enterprise Contract Assembly.

Since the apps are on SAP BTP, many of the security measures are taken care of by SAP BTP. For more
information about security on the platform, see Security in the SAP BTP documentation on SAP Help Portal.

8.1 Data Protection and Privacy

Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with general data protection and privacy acts, it is necessary to consider compliance with
industry-specific legislation in different countries. SAP provides specific features and functions to support
compliance with regard to relevant legal requirements, including data protection, which are documented in these
templates along with the assumptions that have been guiding the implementation in the software. By the nature of
legal requirements, the conclusion as to whether these features cover customer-specific demands, and whether
additional measures have to be taken, rests solely with the customer.

Note

SAP does not provide legal advice in any form. SAP software supports data protection compliance by
providing security features and specific data protection-relevant functions, such as simplified blocking and
deletion of personal data. In many cases, compliance with applicable data protection and privacy laws will
not be covered by a product feature. Definitions and other terms used in this document are not taken from
a particular legal source.

Caution

The extent to which data protection is supported by technical means depends on secure system operation.
Network security, security note implementation, adequate logging of system changes, and appropriate
usage of the system are the basic technical requirements for compliance with data privacy legislation and
other legislation.

How does Enterprise Contract Assembly process personal data?

Enterprise Contract Assembly processes personal data as follows:

• User-identifying data is processed to authenticate users, to display (error) messages, and to write audit
  logs of business-relevant or security-relevant events. For example:
  • User ID
  • User's full name
  • Contact information, such as email address
• Personal data present in variables is tracked (for storing and displaying purposes). The catalog
  configuration defines which data must be tracked.

Remember

• Processing of sensitive data is not supported in variables. Please do not provide any sensitive data, for
  example, religion, employee number, gender, and so on.
• For virtual documents that contain input fields, consider the following:
  Input fields can be used for entering any kind of data. In order to ensure data protection and privacy,
  please do not enter any personal data, such as personal email ID, phone numbers, and so on.

8.1.1 Glossary

The following terms are general to SAP products. Not all terms may be relevant for this SAP product.

Artificial Intelligence (AI): The simulation of human intelligence processes by machines and computer systems –
typically by learning, coming to its own conclusions, appearing to understand complex content, engaging in
natural dialogs with people, enhancing human cognitive performance (also known as cognitive computing) or
replacing people on execution of nonroutine tasks. Applications include autonomous vehicles, automatic speech
recognition and generation and detecting novel concepts and abstractions (useful for detecting potential new
risks and aiding humans to quickly understand very large bodies of ever-changing information).

Automated Decision Making: The ability to make decisions by technological means without human involvement.

Blocking: A method of restricting access to data for which the primary business purpose has ended.

Business Purpose: The legal, contractual, or in other form justified reason for the processing of personal data
to complete an end-to-end business process. The personal data used to complete the process is predefined in a
purpose, which is defined by the data controller. The process must be defined before the personal data required
to fulfill the purpose can be determined.

Consent: The action of the data subject confirming that the usage of his or her personal data shall be allowed
for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific
purpose and shows if a data subject has granted, withdrawn, or denied consent.

Data Subject: Any information relating to an identified or identifiable natural person ("data subject"). An
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location data, an online identifier, or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that
natural person.

Deletion: Deletion of personal data so that the data is no longer available.

End of Business: Defines the end of active business and the start of residence time and retention period.

End of Purpose (EoP): The point in time when the processing of a set of personal data is no longer required for
the primary business purpose, for example, when a contract is fulfilled. After the EoP has been reached, the
data is blocked and can only be accessed by users with special authorizations (for example, tax auditors).

End of Purpose (EoP) check: A method of identifying the point in time for a data set when the processing of
personal data is no longer required for the primary business purpose. After the EoP has been reached, the data
is blocked and can only be accessed by users with special authorization, for example, tax auditors.

Personal data: Any information relating to an identified or identifiable natural person ("data subject"). An
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location data, an online identifier, or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that
natural person.

Processing of Personal Data: Processing means any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction.

Purpose: The information that specifies the reason and the goal for the processing of a specific set of personal
data. As a rule, the purpose references the relevant legal basis for the processing of personal data.

Residence period: The period of time between the end of business and the end of purpose (EoP) for a data set
during which the data remains in the database and can be used in case of subsequent processes related to the
original purpose. At the end of the longest configured residence period, the data is blocked or deleted. The
residence period is part of the overall retention period.

Retention period: The period of time between the end of the last business activity involving a specific object
(for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The
retention period is a combination of the residence period and the blocking period.

Sensitive personal data: A category of personal data that usually includes the following type of information:

• Special categories of personal data, such as data revealing racial or ethnic origin, political opinions,
  religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning
  health or sex life or sexual orientation.
• Personal data subject to professional secrecy
• Personal data relating to criminal or administrative offenses
• Personal data concerning insurances and bank or credit card accounts

Technical and organizational measures (TOM): Some basic requirements that support data protection and privacy
are often referred to as technical and organizational measures (TOM). The following topics are related to data
protection and privacy and require appropriate TOMs, for example:

• Access control: Authentication features
• Authorizations: Authorization concept
• Read access logging
• Transmission control / Communication security
• Input control / Change logging
• Availability control
• Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the
  authorization concept.

8.1.2 Read Access Logging

Read Access Logging is considered an additional safeguard in the protection of personal data, because it
helps to identify potential illegitimate access to personal data. Read access to sensitive personal data is
partially based on legislation, and it is subject to logging functionality. Read access logging (RAL) is used to
monitor and log read access to sensitive personal data that was disclosed via the user interface, which can be
extended to read access to other personal data. Data may be categorized as sensitive by law, by external
company policy, or by internal company policy. When these read accesses are logged, you should be able to check
which user accessed personal data on which access channel and the date and time, depending on the
configuration. Read access logging enables you to answer questions about who accessed particular data within
a specified time frame. That logging also includes downloading attachments or files; logs for such events shall
contain information to identify the attachment. Additionally, as for Read Access Logging across system
boundaries, the respective "access" shall be logged as soon as sensitive personal data crosses the boundary
from a trusted to an untrusted area. Here are some examples of such questions:

• Who accessed the data of a given business entity, for example a bank account?
• Who accessed personal data, for example of a business partner?
• Which employee accessed personal information, for example religion?
• Which accounts or business partners were accessed by which users?

Furthermore, log records can be viewed and queried, but access to them is restricted by adequate
authorizations. The personal data for which read access shall be logged and the retention period of logs can be
configured.

Requesting Audit Logs

Data accesses that have been logged are written to the central audit logging infrastructure provided by SAP
BTP. You can access the logs using Audit Log Viewer. You must subscribe to Audit Log Viewer to access the
logs.

Subscribe to Audit Log Viewer


1. To use Audit Log Viewer, go to the Subscriptions tab of your subaccount in the SAP BTP cockpit and
subscribe to it.
2. After you have subscribed, select Go to Application to open Audit Log Viewer and log in to the application.

Access the Logs Using Audit Log Viewer


To retrieve the audit logs for your subaccount using Audit Log Viewer, you need to have proper authorizations.

1. Create a RoleCollection.
2. Include the auditlog-viewer!t*/Auditlog Auditor role and the auditlog-management!b*/Auditlog Auditor role.
3. Assign it to a user or create a rule to assign it to users based on the SAML Assertion coming from the IDP.

See Manage Custom Platform Roles.

Note

Only account members with the Security Administrator role are authorized to edit application
authorizations.

8.1.2.1 Available Audit Logs

Audit logs for various actions can be accessed in the Audit Log Viewer.

Logging Read Access for:

• Templates
• Text blocks
• Areas
• Clause types
• Variable catalogs
• Input fields
• Governing laws
• Content types
• Access levels
• Languages
• User groups
• Template versions
• Text block versions
• Text block draft versions
• Virtual documents
• Virtual document versions

Logging Modifications for:

• Templates
• Text blocks
• Template versions
• Text block versions
• Text block draft versions
• Virtual documents
• Virtual document versions

Logging Configuration Changes for:

• Areas
• Clause types
• Access levels
• Languages
• User groups
• Variable catalogs
• Input fields
• Content types

8.1.3 Information Report

The feature provides data associated with the data subject. It is the duty of the customer to check whether all
the data reported shall get handed over to the data subject, because the report might contain internal
customer information or information on other third parties. Data subjects have the right to receive information
regarding their personal data undergoing processing. The personal data record feature helps you to comply
with the relevant legal requirements for data protection by allowing you to search for and retrieve personal data
for a specified data subject. The search results are displayed in a comprehensive and structured list containing
all personal data of the data subject specified, organized according to the purpose for which the data was
collected and processed. The extracted data can be downloaded in the form of a report that provides
configuration and extensibility functionality. Access to the personal data record is only allowed with
authorization.

Manage Personal Data Using Personal Data Manager

Personal Data Manager is used to view user-specific data for Enterprise Contract Assembly.

Prerequisites

You have configured Personal Data Manager and assigned the required roles to the user before you use the
Personal Data Manager app.

Accessing Personal Data in Personal Data Manager

After you have assigned the roles, follow these steps to display personal data:

1. Launch the Personal Data Manager app.
2. Select the Manage Personal Data tile.
3. Enter the user ID in the Data Subject ID field and click Go.
   The applications that contain the personal data of the user are displayed.
   You can view the following information:

| Entity | Properties |
| --- | --- |
| DocumentDppObject | UUID, ExternalID, DocumentID, VersionID, Name, DppType, DppId |
| DocumentObject | ExternalID, DocumentID, VersionID, Name, Status |
| TemplateObject | ID, Name, Version, Status |
| TextblockObject | ID, Name, Version, Status |

For information about Personal Data Manager, see the following links:

• Business User Guide for Personal Data Manager
• User Guide for Personal Data Manager

8.1.4 Working with Manage Personal Data App in Personal Data Manager

Learn how to use the self-service cockpit in Personal Data Manager.

The Manage Personal Data application in Personal Data Manager provides a self-service cockpit that enables
you to view which of your personal data is being processed and stored by Enterprise Contract Assembly. With
this app, you can see personal details used in the following business objects:

• Legal templates
• Text blocks
• Virtual documents
• Document DPP

Information

To search for a specific data subject within the app, you can use the ID, dppType, and dppID filters. By default,
only the ID filter is displayed. Choose Adapt Filters, to display the dppType and dppID filters.

The ID filter is mandatory. In this filter, you can enter either dppID or dppType. If you do not know both these
values, enter colon (":"). When you search using the ID filter, legal templates, text blocks, and virtual documents
are displayed.

The dppID and dppType filters are optional. You can provide values for both the dppID and dppType filters or
either one of them. When you search using the dppType and/or dppID filters, only document DPP details are
displayed.

8.1.5 Working with Manage My Personal Data App in Enterprise Contract Assembly

The Manage My Personal Data app in Enterprise Contract Assembly provides a self-service cockpit that enables
you to view which of your personal data is being processed and stored by the different services you use. With
this app, you can see personal details used in the following business objects:

• Legal templates
• Text blocks
• Virtual documents
• Document DPP

 Note

On the launchpad, the app is displayed only in English. Within the app, the following languages are
supported:

• English
• German
• Spanish (Spain)
• French (France)

Information

In the self-service cockpit, you can see the following types of information:

• A list of applications that you have allowed to use your personal data
• The personal data used by each of the applications listed
• Any requests you have made for the correction, deletion, or export of your personal data

On the overview page for your user profile, there is a list of all the applications that use personal data and the
data subject roles associated with each application. You can also find a list of requests for correction, deletion,
or export of personal data.

For more detailed information about the personal data used by an application, choose the line with the data
subject role for which you want to display more information. Only the information associated with the data
subject role you selected is displayed in the application detail view.

Additionally, any requests you make related to the personal data used in an application only apply to the data
subject role you selected.

When you open the application, the first data subject role for the first application in the list is already displayed.

Export Your Personal Data

You can export your personal data, including information for your business transactions, business purposes,
and consent records, in a human-readable or machine-readable format.

You can download the information for the application and data subject role separately:

1. On the overview page, choose the application to go to the details view.
2. On the application details page, choose Export Personal Data to download or export the information.
3. In the dialog box, choose Email or Download.
   1. For Email, select an email address from the dropdown menu and choose a file format for the exported
      data. You can choose from PDF, JSON, or XML. PDF files are human readable, and JSON and XML files
      are machine readable.
   2. For Download, choose a file format for the download: PDF, JSON, or XML.
   In both cases, if you select PDF, you can choose to export all transaction data. If you do not choose this
   option, only five transaction data records are exported.
4. Choose Export in the dialog box.
   1. If you chose Email, an email containing a link to the document and a second email containing a one-
      time password that will allow you to access the document will be sent to the email address you
      selected in step 3.
   2. If you chose Download, a download request will be created. You can download the files from the Export
      Requests section under Requests once the request has been processed.
   3. Once a download is created for certain criteria, such as the following, another request for the same
      criteria can only be created after the existing request is completed (downloaded or canceled):
      • Application name
      • Data subject role (for example, customer or vendor)
      • Download type (PDF, XML, JSON)
      • Browser download or export via email
      • Data Subject ID

 Note

For a complete list of all business transactions and business purposes, you must export the data in a
machine-readable format. By selecting Export all transaction data you can download the data in a human-
readable format.

Requests

After you have created a request, it appears in the list of existing requests, either under Inbox Requests or
Export Requests.

You can find the following types of requests under Inbox Requests:

• Correction
• Deletion
• Withdraw consent

You can also get more information about an individual request by navigating to the details view for that request.

8.1.6 Deletion of Personal Data

Simplified Blocking and Deletion

The processing of personal data is subject to applicable laws related to the deletion of this data when the
specified, explicit, and legitimate purpose for processing this personal data has expired. If there is no longer a
legitimate purpose that requires the retention and use of personal data, it must be deleted irrecoverably.
Blocking is necessary when the original retention period has expired but additional applicable extended and
overruling (mandated by law) retention periods are still in place. After the expiration of the longest retention
period, the data must be deleted.

Deletion of Personal Data

When considering compliance with data protection regulations, it is also necessary to consider compliance
with industry-specific legislation in different countries. A typical potential scenario in certain countries is that
personal data shall be deleted after the specified, explicit, and legitimate purpose for the processing of
personal data has ended, but only if no other retention periods are defined in legislation, for example, retention
periods for financial documents. Legal requirements in certain scenarios or countries also often require
blocking of data in cases where the specified, explicit, and legitimate purposes for the processing of this data
have ended but the data still has to be retained in the database due to other legally mandated retention
periods. Sometimes, transactional data are personal data with relation to a master data object, for example, a sales
order with reference to a business partner. Therefore, the challenge for deletion and blocking is first to handle
transactional data and finally other data, such as business partner data.

Deletion of Personal Data in Enterprise Contract Assembly

In Enterprise Contract Assembly, data related to the following objects is stored:

• Templates
• Text blocks
• Virtual documents

This data is handled as follows:

Virtual Documents

| | Virtual Documents |
| --- | --- |
| Purpose of legal document is still valid | Active. Can be accessed based on the authorizations that are configured. |
| End of Purpose is reached | If the corresponding legal document has reached End of Purpose, the virtual document is also set to the same state. Can be accessed based on the authorizations that are configured. |
| Legal document is in To be Archived status | If the corresponding legal document is in To be Archived status, the virtual document is also set to the same status. Can be accessed based on the authorizations that are configured for the To be Archived status. |
| Retention period is over | Virtual document is deleted. |

Templates and Text Blocks

The deletion of personal data related to templates and text blocks must be handled manually on a case by case basis,
and cannot be automated, due to the following reasons:

• Templates and text blocks are not linked to a specific legal transaction. So they can continue to be valid for as
  long as it is required by the organization. The end of purpose is decided by the organization based on the various
  business scenarios.
• In the event of the need for an owner change due to business reasons, or if the employee working as owner leaves
  the company or position, the user details will be deactivated.

8.2 Communication and Data Storage Security

Understand the communication protocol and data storage security measures used by Enterprise Contract
Assembly.

• Communication protocol: HTTPS
• Transport: SSL/TLS
• Tenant data is stored separately

9 Error Handling

This topic provides the information required to contact SAP in case of any issues.

If you require support or encounter any technical issues, contact SAP by reporting an incident on the Support
Portal. The following components are available for reporting:

| Component | Description |
| --- | --- |
| CM-ECA-TPL | For issues related to template management. |
| CM-ECA-TBL | For issues related to the text block library. |
| CM-ECA-DOC | For issues related to virtual document management. |
| CM-ECA | For general issues related to Enterprise Contract Assembly that do not fit into the other components. |

Specify the following information in the incident:

• Tenant ID
• Complete error message along with ID

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Videos Hosted on External Platforms


Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Beta and Other Experimental Features


Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities,
genders, and abilities.

www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
