1 Document History
2 Overview
3 Technical Prerequisites
3.1 Internet Connection and Network Requirements
3.2 Browsers and Browser Settings
4 Onboarding
4.1 Creating a Subaccount
4.2 Handling Users and User Groups Required for Enterprise Contract Assembly
Creating Users and User Groups in the Identity Authentication Service
Assigning User Groups to Users
4.3 Subscribing to Applications
4.4 Configuring SCIM destinations in the Subaccount
4.5 Configuring Multi-Factor Authentication
6 User Management
6.1 Defining and Bundling Roles
6.2 Assigning Role Collections to Users
9 Error Handling
Provides details about the changes made in each version of this document.
This administration guide describes the steps you need to perform as an administrator to set up and run SAP
Enterprise Contract Assembly. It covers application-specific information only. For general information about
SAP BTP, see the documentation on SAP Help Portal at https://viewer/product/BTP/Cloud.
SAP Enterprise Contract Assembly is a cloud solution that enables you to create and manage the complete
lifecycle of templates and text blocks that can be used for producing virtual documents used in various
transactions.
For information about using the features provided by Enterprise Contract Assembly, see User Guide for SAP
S/4HANA Cloud for Enterprise Contract Assembly.
Before you start to use SAP Enterprise Contract Assembly, check the requirements and recommendations in
this section.
For using Enterprise Contract Assembly, choose the following Cloud Foundry environment:
For detailed information about the regions and hosts, see Regions.
Browser Versions
Note
This section describes the tasks that an administrator must perform in order to start using Enterprise Contract
Assembly.
The actual process of onboarding onto SAP BTP has been completed. For information about the onboarding
process, see the documentation under Getting Started with a Customer Account: Workflow in the Cloud
Foundry Environment.
When you purchase Enterprise Contract Assembly, it includes services provided by SAP BTP. The platform
does not have its own user base; a separate identity provider (IdP) is required. Use Identity Authentication
service as the identity provider. For more information about those services, refer to their documentation.
Prerequisites
• You have a global account on SAP BTP for the Cloud Foundry environment in the Europe (Frankfurt) region
running on AWS.
• You are assigned the Administrator role for the global account.
• You have administration rights in the Identity Authentication administration console.
Next Steps
To be able to subscribe to the application and reach the SAP BTP services, create a subaccount in the SAP BTP
Cockpit.
Prerequisites
Procedure
Use only lower-case letters and digits for the subdomain name. The subdomain becomes part of the URL
for accessing subscribed applications.
When you create a subaccount, the platform automatically grants your user the role for the administration
of business users and their authorizations in the subaccount. Having this role, you can also add or remove
other users who will then also be user and role administrators of this subaccount.
Note
Only the administrator who created the current subaccount can add other administrators with access
to the Security tab in the SAP BTP Cockpit. Make sure you add users with sufficient rights that enable
managing accounts on all occasions.
You can configure the users and user groups for working with Enterprise Contract Assembly based on different
scenarios.
Scenario 1: Users and user groups do not exist in the Identity Authentication service.
Prerequisite:
If the setup already exists, you can find more information in the SAP BTP documentation under Manually
Establish Trust and Federation Between UAA and Identity Authentication.
Scenario 2: Users and user groups are maintained in third-party repositories like WinAd/LDAP systems, and so
on.
Push the user and user groups using the Users and Groups Management API.
1. Create the user groups using the Configure User Groups app.
2. Bind the users and user groups using the Users and Groups Management API.
This API enables you to connect your user repositories to Enterprise Contract Assembly’s configuration
repository using the Identity Provisioning service, replicate the user details to the configuration repository,
and associate with user groups created using the Configure User Groups app.
Related Information
Creating Users and User Groups in the Identity Authentication Service [page 10]
Assigning User Groups to Users [page 11]
Configuring User Groups [page 33]
As an administrator, you can create new users and user groups in the administration console for Identity
Authentication.
Context
The administrator creates the new user with a minimum set of attributes and can set an initial password.
Procedure
1. Access the administration console for Identity Authentication by using the console's URL.
The tenant ID is generated automatically by the system. The first administrator created for the tenant
receives an activation e-mail with a URL in it. This URL contains the tenant ID.
2. Create new end-users.
| Option | Description |
|---|---|
| Send activation e-mail | The user receives an e-mail with instructions how to activate the user account. |
| Set password | The administrator sets the password for the user. Note: The user is prompted to reset the password after signing in for the first time. |
Note
All the backend activities taking place between Enterprise Contract Assembly and its integrating
systems such as SAP S/4HANA for enterprise contract management will be handled by a fixed
technical user with username as eca-system-user and email ID as eca-system-user@sap.com. For all
activities performed by this user, the audit log entries will display the username as eca-system-user.
Note
The user group name must always start with "eca-". The name can contain lower-case characters (a-
z), upper-case characters (A-Z), base 10 digits (0-9), hyphens, and underscores.
d. Save your entry.
As an administrator, you can assign one or more groups to a user in the administration console for Identity
Authentication.
Prerequisites
See Creating Users and User Groups in the Identity Authentication Service [page 10].
Procedure
1. Access the administration console for Identity Authentication by using the console's URL.
Prerequisites
1. You have purchased SaaS licenses for the applications you want to consume.
2. You have created a subaccount in your global account.
3. You have created trust both from the SAP BTP Cockpit and Identity Authentication administration console.
Procedure
After a few seconds, the status will change from Not Subscribed to Subscribed.
4. Choose Go to Application.
The application launchpad is displayed. Note down this URL for future reference.
Note
Applications do not open before you have created trust both from the SAP BTP cockpit and Identity
Authentication administration console.
To complete the setup, you must configure new SCIM destinations in the subaccount.
Prerequisites:
You have created a new system administrator in Identity Authentication and copied the user ID and password.
See Creating Users and User Groups in the Identity Authentication Service [page 10].
SAP Enterprise Contract Assembly currently supports the following types of multi-factor authentication:
In order to generate virtual documents based on the templates and text blocks available in Enterprise Contract
Assembly, and edit specific fields in the virtual documents, Enterprise Contract Assembly must be integrated
with SAP S/4HANA for enterprise contract management. Also, text elements such as variables that are used in
text blocks will be available in Enterprise Contract Assembly, only if the connectivity is set up. This is because
the variables are retrieved from the SAP S/4HANA for enterprise contract management system.
For information about setting up the integration between Enterprise Contract Assembly and SAP S/4HANA for
enterprise contract management, see the configuration guide for SAP S/4HANA for enterprise contract
management available in the SAP Best Practices Explorer . In the SAP Best Practices Explorer, search for
Integration to SAP S/4HANA Cloud for Enterprise Contract Assembly (2OQ).
This section describes how to configure user management for your application. As a prerequisite, you have
created business users and user groups in your identity provider (IdP). SAP ID service is configured as the
default IdP, but you can also add your instance of SAP Cloud Identity Services - Identity Authentication or a
different IdP.
If you use the Identity Authentication service, you can find more information in the SAP BTP documentation
under Manually Establish Trust and Federation Between UAA and Identity Authentication.
Ensure your trust configuration allows logins only via the SAML protocol configuration. For other
configurations, please disable the Available for User Logon option.
When you create new users, each user is assigned a unique user ID. The user details like configurations,
authorizations, audit logs, and so on are mapped to the respective user IDs.
Caution
When you switch IdPs, the user IDs must remain the same. If the user IDs are changed, the user details will
be mapped incorrectly. This can result in incorrect data being displayed to users.
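A check an administrator could run before switching IdPs, to confirm that every user keeps the same user ID. This is an added example, not part of the SAP guide; the record layout (`email`, `user_id`) and the sample users are constructed assumptions, not an SAP export format.

```python
"""Pre-switch check: user IDs must stay the same when the IdP changes.

Added example. The record layout (dicts with 'email' and 'user_id') is an
assumption for illustration, not an SAP export format.
"""


def compare_user_ids(old_users, new_users):
    """Compare two IdP user lists, joined on lower-cased e-mail address.

    Returns a dict with:
      changed - e-mail -> (old_id, new_id) where the user ID would change
      reused  - new user IDs that belonged to a different person before
      missing - e-mails present in the old IdP but absent from the new one
    """
    old_by_mail = {u["email"].lower(): u["user_id"] for u in old_users}
    new_by_mail = {u["email"].lower(): u["user_id"] for u in new_users}
    old_owner = {uid: mail for mail, uid in old_by_mail.items()}

    changed, reused, missing = {}, {}, []
    for mail, old_id in sorted(old_by_mail.items()):
        if mail not in new_by_mail:
            missing.append(mail)
        elif new_by_mail[mail] != old_id:
            changed[mail] = (old_id, new_by_mail[mail])

    # A new ID that used to belong to someone else is the dangerous case:
    # that person's configurations, authorizations and audit-log history
    # would now be attributed to (and shown to) a different user.
    for mail, new_id in sorted(new_by_mail.items()):
        prev = old_owner.get(new_id)
        if prev is not None and prev != mail:
            reused[new_id] = {"previous_owner": prev, "new_owner": mail}

    return {"changed": changed, "reused": reused, "missing": missing}


def safe_to_switch(report):
    """True only if no ID changed, was reused, or went missing."""
    return not (report["changed"] or report["reused"] or report["missing"])


# Constructed sample data (not real users).
OLD_IDP = [
    {"email": "alice@example.com", "user_id": "P000001"},
    {"email": "bob@example.com", "user_id": "P000002"},
    {"email": "carol@example.com", "user_id": "P000003"},
]
NEW_IDP = [
    {"email": "Alice@example.com", "user_id": "P000001"},  # unchanged
    {"email": "bob@example.com", "user_id": "P000003"},    # takes Carol's ID
    {"email": "carol@example.com", "user_id": "P000007"},  # new ID
]

if __name__ == "__main__":
    report = compare_user_ids(OLD_IDP, NEW_IDP)
    for key, value in report.items():
        print(key, value)
    print("safe to switch:", safe_to_switch(report))
```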
| config_all | Config_Admin | Write permission on the configuration apps | Should be bundled with the relevant roles mentioned above for the configuration apps, to view the tiles for the configuration apps and work with areas, input fields, clause types, and so on. |
Additionally, you can assign the following roles to use the Personal Data Manager apps:
As a prerequisite for assigning roles to IdP users or user groups, you also need to configure role collections. A
role collection consists of one or more roles from one or more applications and can be used to bundle
authorizations within and across applications.
For more information about how to create roles and how to bundle them in role collections using the SAP BTP
cockpit, see Building Roles and Role Collections for Applications.
In the SAP BTP cockpit, you must assign role collections to IdP users or user groups. As a prerequisite, users
and user groups must have been created in the Identity Authentication service or another IdP.
Note
If you use the SAP ID service, you assign role collections to individual users. If you use the Identity
Authentication service or another IdP, you assign them either to individual users or to user groups.
For more information about how to assign role collections to users or user groups using the SAP BTP cockpit,
see Assigning Role Collections.
• Configure Areas
• Configure Input Fields
• Configure Clause Types
• Configure Authorizations
In order to generate virtual documents based on the templates and text blocks available in Enterprise Contract
Assembly and edit specific fields in the virtual documents, Enterprise Contract Assembly must be integrated
with SAP S/4HANA for enterprise contract management.
Context
Areas are used for authorization between Enterprise Contract Assembly and SAP S/4HANA for enterprise
contract management.
Procedure
1. Sign in to the SAP Fiori Launchpad and launch the Configure Areas app.
Context
Enterprise Contract Assembly enables you to create custom clause types by using the Configure Clause Types
app. These clause types are made available in the Manage Templates app. When you create a new text block,
you can choose the type from this list of clause types.
Procedure
1. Sign in to the SAP Fiori Launchpad and launch the Configure Clause Types app.
4. Choose Save.
Context
Enterprise Contract Assembly enables you to create input fields by using the Configure Input Fields app. The
created input fields are then available in the Text Elements library of the Manage Templates app for inserting
into text blocks. After the virtual document is generated based on the selected template, users can enter data
in the input fields.
Procedure
1. Sign in to the SAP Fiori Launchpad and launch the Configure Input Fields app.
| Label in Template | Indicates the name of the input field that will be displayed in the template and virtual document. |
| Help Text | Provide information that will help the document user to input the correct value. |
| Input Format Name | Indicates the type of input format you want to assign for the input field you are creating. This depends on the input field type. |
4. Choose Save.
Enterprise Contract Assembly enables you to define the authorizations for various user groups. Depending on
the authorizations that are provided, users can perform various operations.
Prerequisites
Users and user groups have been created in Identity Authentication. Users are assigned to relevant user
groups.
For more information, see Creating Users and User Groups in the Identity Authentication Service [page 10] and
Assigning User Groups to Users [page 11].
Context
Authorization administrators have all the authorizations required to perform all the operations. They can also
create authorizations based on different business requirements and assign these authorizations to the user
groups. This ensures that the end users have access to the relevant objects.
The authorization administrators should create at least one authorization for the end users who work with
either of the objects: virtual documents, templates, or text blocks.
Note
The created authorization is applicable to the combination of values selected for all the fields.
1. Sign in to the SAP Fiori Launchpad and launch the Configure Authorizations app.
| Business Actions | Indicates the business actions that the users in the selected user group with this authorization can perform. | Templates and virtual documents |
| Area | Indicates the areas for which the authorization is applicable. | Virtual document |
| Content Type | Indicates the various content types for which the authorization is applicable. | Templates and virtual documents |
| Status | Indicates the object statuses for which the authorization is applicable. | Templates and virtual documents |
| Access Level of Legal Transaction (Optional) | Indicates the access level of the legal transaction for which the authorization is applicable. | Virtual document |
| Access Level of Legal Document (Optional) | Indicates the access level of the legal document for which the authorization is applicable. | Virtual document |
| Text Block Class | Indicates the text block class for which the authorization is applicable. | Text block |
| Text Block Type | Indicates the text block type for which the authorization is applicable. | Text block |
5. Choose Create.
Related Information
Create an authorization for a user group that includes end users who work with text blocks.
Context
An authorization for a user group that includes end users who work with text blocks.
Procedure
1. Sign in to the SAP Fiori Launchpad and launch the Configure Authorizations app.
| Operation | Choose the operations that the users in the user group with this authorization can perform. Read and Write are the available options here. Note: For the authorization where Write operation is selected, the user automatically also gets permission to the read, update, create, and delete operations. |
| Text Block Class | Choose the text block class for which the authorization is applicable. Signature and Clause are the available options here. |
| Text Block Type | Choose the text block type for which the authorization is applicable. Note: Text block type cannot be selected when Signature is selected in the Text Block Class. |
Results
The created authorization is applicable to the combination of values selected for all the fields. This means a
user gets permission to access a text block only when the combination of values for all the fields matches
between the authorization and the text block.
• Operation: Write
• Text Block Class: Clause
• Text Block Type: Preamble
Even if one condition is not satisfied, the user will not get write permission on the text block.
Note
• All the fields are mandatory to be filled, except for the ones that are marked as optional.
• Follow the below steps to edit the created authorization later:
1. Launch the Configure Authorizations app.
2. Choose the user group where you have created the authorization.
3. Select the authorization.
4. Click on Edit to edit the authorization.
Note
The fields Object and Operation cannot be edited in an existing text block authorization.
Create an authorization for a user group that includes end users who work with templates.
Context
An authorization for a user group that includes end users who work with templates.
Procedure
1. Sign in to the SAP Fiori Launchpad and launch the Configure Authorizations app.
Operation: Choose the operations that the users in the user group with this authorization can perform. Read
and Write are the available options here.
Note
For the authorization where Write operation is selected, the user automatically also gets permission to
the read, update, create, and delete operations.
Business Actions: Choose the business actions that the users in the user group with this authorization can
perform. The available options are:
• Full Read and Restricted Read are the available options when Read is selected as the operation.
• All the business actions are available with the write operation.
Following table shows available user actions for different business actions:
• Approve the template
• Use the Show Library feature
• Archive the template
• Export the template
• Edit the template
• Create new template
Note
The statuses are selected by default and are not editable based on the selected operation and business
actions. See the below table for more details:

| Operation | Status |
|---|---|
| Write | All |
Results
The created authorization is applicable to the combination of values selected for all the fields. This means a
user gets permission to access a template only when the combination of values for all the fields matches
between the authorization and the template.
• Operation: Read
• Business Actions: Full Read
• Content Types: NDA and Amendment
• Governing Law: Germany (DE)
• Status: All
In this case, the user has read permission on the templates with the following values:
| Content Type: NDA; Governing Law: Germany (DE) | Content Type: Amendment; Governing Law: Germany (DE) | Content Types: NDA and Amendment both; Governing Law: Germany (DE) |
Note
• All the fields are mandatory to be filled except for the ones that are marked as optional.
• Follow the below steps to edit the created authorization later:
1. Launch the Configure Authorizations app.
2. Choose the user group where you have created the authorization.
3. Select the authorization.
4. Click on Edit to edit the authorization.
Note
The fields Object, Operation, and Business Actions cannot be edited in an existing template
authorization.
Create an authorization for a user group that includes end users who work with virtual documents.
Context
An authorization for a user group that includes end users who work with virtual documents.
Procedure
1. Sign in to the SAP Fiori Launchpad and launch the Configure Authorizations app.
Operation: Choose the operations that the users in the user group with this authorization can perform. Read
and Write are the available options here.
Note
For the authorization where Write operation is selected, the user automatically also gets permission to
the read, update, create, and delete operations.
Business Actions: Choose the business actions that the users in the user group with this authorization can
perform. The available options are:
• View and Download as PDF are the available options and are selected by default when Read is selected as
the Operation.
• Following business actions are available when Write is selected as the Operation:
  • Edit
  • Edit Input Field
  • Set To Final
  • Edit Final
  • Expert Edit
Following table shows available permissions for different business actions:
| Expert Edit | Edit all the aspects in the virtual document and edit variables. | Edit Final, and Edit Variable |
Note
You can choose the statuses only for the Read operation. For the Write operation, the statuses are selected
by default and are not editable. See the below table for more details:
Access Level of Legal Transaction (Optional): Choose access level of the legal transaction to which the
authorization is applied. If access level is not selected, the user gets full access.
Access Level of Legal Document (Optional): Choose access level of the legal document to which the
authorization is applied. If access level is not selected, the user gets full access.
The created authorization is applicable to the combination of values selected for all the fields. This means a
user gets permission to access a virtual document only when the combination of values for all the fields
matches between the authorization and the virtual document.
• Operation: Write
• Business Actions: Edit
• Areas: Area01, Area02
• Content Types: NDA
• Status: Pending, Error, or Complete
• Access Level of Legal Transaction: Private
• Access Level of Legal Document: Public
In this case, the user has write permission on the virtual documents with the following values:
Note
• All the fields are mandatory to be filled except for the ones that are marked as optional.
• Follow the below steps to edit the created authorization later:
1. Launch the Configure Authorizations app.
2. Choose the user group where you have created the authorization.
3. Select the authorization.
4. Click on Edit to edit the authorization.
Note
The fields Object and Operation cannot be edited in an existing virtual document authorization.
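The matching rule stated above for text block, template and virtual document authorizations (every field must match, Write includes read, an unselected optional access level means full access) can be modelled as follows. This is an added example, not SAP code or the product's API; the field names, the `is_permitted` function and the subset rule for multi-valued fields are assumptions, and the sample objects are constructed from the guide's own example values.

```python
"""Model of the 'all fields must match' rule for ECA authorizations.

Added example; field names and the evaluation logic are assumptions made
for illustration, not the product's implementation or API. Business actions
are left out because their permission tables are not reproduced here.
"""

# "Write" also grants read, update, create and delete (stated in the guide).
IMPLIED = {
    "Write": {"read", "update", "create", "delete"},
    "Read": {"read"},
}
ALL = "All"  # wildcard, as in "Status: All"


def field_matches(allowed, actual):
    """True if the object's value(s) fall inside the authorized values.

    allowed is None -> optional field left unselected: full access.
    allowed is ALL  -> every value is accepted.
    actual may be one value or a collection (for example two content
    types); assumption: every value on the object must be authorized.
    """
    if allowed is None or allowed == ALL:
        return True
    values = {actual} if isinstance(actual, str) else set(actual)
    return bool(values) and values <= set(allowed)


def is_permitted(auth, obj, operation):
    """Evaluate one authorization against one object for one operation."""
    if auth["object"] != obj["object"]:
        return False
    if operation not in IMPLIED[auth["operation"]]:
        return False
    # Every field named in the authorization must match; one miss denies.
    return all(
        field_matches(allowed, obj["fields"].get(name, ()))
        for name, allowed in auth["fields"].items()
    )


# Authorizations built from the guide's three examples.
TEXT_BLOCK_AUTH = {
    "object": "text_block", "operation": "Write",
    "fields": {"text_block_class": {"Clause"},
               "text_block_type": {"Preamble"}},
}
TEMPLATE_AUTH = {
    "object": "template", "operation": "Read",
    "fields": {"content_type": {"NDA", "Amendment"},
               "governing_law": {"DE"}, "status": ALL},
}
VDOC_AUTH = {
    "object": "virtual_document", "operation": "Write",
    "fields": {"area": {"Area01", "Area02"}, "content_type": {"NDA"},
               "status": {"Pending", "Error", "Complete"},
               "access_level_legal_transaction": {"Private"},
               "access_level_legal_document": {"Public"}},
}


def make(obj_type, **fields):
    """Build a constructed sample object for the checks below."""
    return {"object": obj_type, "fields": fields}


if __name__ == "__main__":
    both = make("template", content_type={"NDA", "Amendment"},
                governing_law="DE", status="Draft")
    print("read template with both content types:",
          is_permitted(TEMPLATE_AUTH, both, "read"))
    print("update the same template:",
          is_permitted(TEMPLATE_AUTH, both, "update"))
```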
Enterprise Contract Assembly enables you to create user groups by using the Configure User Groups app.
Users can be assigned to user groups. For example, users who work with the Manage Legal Templates app can
be added to a group.
Context
Use the app to create user groups only if user groups are not maintained in external repositories.
Procedure
1. Sign in to the SAP Fiori Launchpad and launch the Configure User Groups app.
4. Choose Create.
You can edit only the Display Name and Description for an existing user group. User details cannot be
updated. To edit a user group, select the required group in the user groups list view and choose > to view
the details. Choose Edit.
You can delete a user group only if there are no users present in that group. To delete a user group, select
the required group in the user groups list view and choose Delete.
Handling Users and User Groups Required for Enterprise Contract Assembly [page 9]
Defining and Bundling Roles [page 16]
In this section, you can find information about the security features of SAP Enterprise Contract Assembly.
Since the apps are on SAP BTP, many of the security measures are taken care of by SAP BTP. For more
information about security on the platform, see Security in the SAP BTP documentation on SAP Help Portal.
Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with general data protection and privacy acts, it is necessary to consider compliance with industry-
specific legislation in different countries. SAP provides specific features and functions to support compliance
with regard to relevant legal requirements, including data protection, which are documented in these templates
along with the assumptions that have been guiding the implementation in the software. By nature of legal
requirements the conclusion whether these features are covering customer specific demands as well as the
conclusion whether additional measures have to be taken is solely with the customer.
Note
SAP does not provide legal advice in any form. SAP software supports data protection compliance by
providing security features and specific data protection-relevant functions, such as simplified blocking and
deletion of personal data. In many cases, compliance with applicable data protection and privacy laws will
not be covered by a product feature. Definitions and other terms used in this document are not taken from
a particular legal source.
Caution
The extent to which data protection is supported by technical means depends on secure system operation.
Network security, security note implementation, adequate logging of system changes, and appropriate
usage of the system are the basic technical requirements for compliance with data privacy legislation and
other legislation.
• User-identifying data is processed to authenticate users, to display (error) messages, and to write audit
logs of business-relevant or security-relevant events. For example,
• User ID
• User’s full name
• Contact information, such as, email address
• Personal data present in variables is tracked (for storing and displaying purposes). The catalog
configuration defines which data must be tracked.
• Processing of sensitive data is not supported in variables. Please do not provide any sensitive data, for
example, religion, employee number, gender, and so on.
• For virtual documents that contain input fields, consider the following:
Input fields can be used for entering any kind of data. In order to ensure data protection and privacy,
please do not enter any personal data, such as, personal email id, phone numbers, and so on.
8.1.1 Glossary
The following terms are general to SAP products. Not all terms may be relevant for this SAP product.
| Term | Definition |
|---|---|
| Automated Decision Making | The ability to make decisions by technological means without human involvement. |
| Business Purpose | The legal, contractual, or in other form justified reason for the processing of personal data to complete an end-to-end business process. The personal data used to complete the process is predefined in a purpose, which is defined by the data controller. The process must be defined before the personal data required to fulfill the purpose can be determined. |
| Consent | The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent. |
| End of Business | Defines the end of active business and the start of residence time and retention period. |
| End of Purpose (EoP) | The point in time when the processing of a set of personal data is no longer required for the primary business purpose, for example, when a contract is fulfilled. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorizations (for example, tax auditors). |
| End of Purpose (EoP) check | A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization, for example, tax auditors. |
| Processing of Personal Data | Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Purpose | The information that specifies the reason and the goal for the processing of a specific set of personal data. As a rule, the purpose references the relevant legal basis for the processing of personal data. |
| Residence period | The period of time between the end of business and the end of purpose (EoP) for a data set during which the data remains in the database and can be used in case of subsequent processes related to the original purpose. At the end of the longest configured residence period, the data is blocked or deleted. The residence period is part of the overall retention period. |
| Retention period | The period of time between the end of the last business activity involving a specific object (for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The retention period is a combination of the residence period and the blocking period. |
| Sensitive personal data | A category of personal data that usually includes the following type of information: |
| Technical and organizational measures (TOM) | Some basic requirements that support data protection and privacy are often referred to as technical and organizational measures (TOM). The following topics are related to data protection and privacy and require appropriate TOMs, for example: |
Read Access Logging is considered an additional safeguard in the protection of personal data, because it
helps to identify potential illegitimate access to personal data. Read access to sensitive personal data is
partially based on legislation, and it is subject to logging functionality. Read access logging (RAL) is used to
monitor and log read access to sensitive personal data that was disclosed via the user interface, and it can be
extended to read access to other personal data. Data may be categorized as sensitive by law, by external
company policy, or by internal company policy. When these read accesses are logged, you should be able to check
which user accessed personal data on which access channel and the date and time, depending on the
configuration. Read access logging enables you to answer questions about who accessed particular data within
a specified time frame. The logging also includes downloading attachments or files; logs for such events shall
contain information to identify the attachment. Additionally, for Read Access Logging across system
boundaries, the respective “access” shall be logged as soon as sensitive personal data crosses the boundary
from a trusted to an untrusted area. Here are some examples of such questions:
• Who accessed the data of a given business entity, for example a bank account?
• Who accessed personal data, for example of a business partner?
• Which employee accessed personal information, for example religion?
• Which accounts or business partners were accessed by which users?
Furthermore, log records can be viewed and queried, but access to them is restricted by adequate
authorizations. The personal data for which read access shall be logged and the retention period of the logs can be
configured.
Data accesses that have been logged are written to the central audit logging infrastructure provided by SAP
BTP. You can access the logs using Audit Log Viewer. You must subscribe to Audit Log Viewer to access the
logs.
1. Create a RoleCollection.
2. Include the auditlog-viewer!t*/Auditlog Auditor role and the auditlog-management!b*/Auditlog Auditor role.
3. Assign it to a user or create a rule to assign it to users based on the SAML Assertion coming from the IDP.
Note
Only account members with the Security Administrator role are authorized to edit application
authorizations.
Audit logs for various actions can be accessed in the Audit Log Viewer.
Logging Read Access for Logging Modifications for Logging Configuration Changes for
The feature provides data associated with the data subject. It is the duty of the customer to check whether all
the data reported shall be handed over to the data subject, because the report might contain internal
customer information or information on other third parties. Data subjects have the right to receive information
regarding their personal data undergoing processing. The personal data record feature helps you to comply
with the relevant legal requirements for data protection by allowing you to search for and retrieve personal data
for a specified data subject. The search results are displayed in a comprehensive and structured list containing
all personal data of the data subject specified, organized according to the purpose for which the data was
collected and processed. The extracted data can be downloaded in the form of a report that provides
configuration and extensibility functionality. Access to the personal data record is only allowed with
authorization.
Personal Data Manager is used to view user specific data for Enterprise Contract Assembly.
Prerequisites
You have configured Personal Data Manager and assigned the required roles to the user before you use the
Personal Data Manager app.
After you have assigned the roles, follow these steps to display personal data:
Entity Properties
The Manage Personal Data application in Personal Data Manager provides a self-service cockpit that enables
you to view which of your personal data is being processed and stored by Enterprise Contract Assembly. With
this app, you can see personal details used in the following business objects:
• Legal templates
• Text blocks
• Virtual documents
• Document DPP
Information
To search for a specific data subject within the app, you can use the ID, dppType, and dppID filters. By default,
only the ID filter is displayed. Choose Adapt Filters to display the dppType and dppID filters.
The ID filter is mandatory. In this filter, you can enter either dppID or dppType. If you do not know these
values, enter a colon (":"). When you search using the ID filter, legal templates, text blocks, and virtual documents
are displayed.
The dppID and dppType filters are optional. You can provide values for both the dppID and dppType filters or
for either one of them. When you search using the dppType and/or dppID filters, only document DPP details are
displayed.
The Manage My Personal Data app in Enterprise Contract Assembly provides a self-service cockpit that enables
you to view which of your personal data is being processed and stored by the different services you use. With
this app, you can see personal details used in the following business objects:
• Legal templates
• Text blocks
• Virtual documents
• Document DPP
Note
On the launchpad, the app is displayed only in English. Within the app, the following languages are
supported:
• English
• German
• Spanish (Spain)
• French (France)
Information
In the self-service cockpit, you can see the following types of information:
• A list of applications that you have allowed to use your personal data
• The personal data used by each of the applications listed
• Any requests you have made for the correction, deletion, or export of your personal data
On the overview page for your user profile, there is a list of all the applications that use personal data and the
data subject roles associated with each application. You can also find a list of requests for correction, deletion,
or export of personal data.
For more detailed information about the personal data used by an application, choose the line with the data
subject role for which you want to display more information. Only the information associated with the data
subject role you selected is displayed in the application detail view.
Additionally, any requests you make related to the personal data used in an application only apply to the data
subject role you selected.
When you open the application, the first data subject role for the first application in the list is already displayed.
You can export your personal data, including information for your business transactions, business purposes,
and consent records, in a human-readable or machine-readable format.
You can download the information for the application and data subject role separately:
Note
For a complete list of all business transactions and business purposes, you must export the data in a
machine-readable format. By selecting Export all transaction data, you can download the data in a
human-readable format.
Requests
After you have created a request, it appears in the list of existing requests, either under Inbox Requests or
Export Requests.
You can find the following types of requests under Inbox Requests:
• Correction
• Deletion
• Withdraw consent
You can also get more information about an individual request by navigating to the details view for that request.
The processing of personal data is subject to applicable laws related to the deletion of this data when the
specified, explicit, and legitimate purpose for processing this personal data has expired. If there is no longer a
legitimate purpose that requires the retention and use of personal data, it must be deleted irrecoverably.
Blocking is necessary when the original retention period has expired but additional applicable extended and
overruling (mandated by law) retention periods are still in place. After the expiration of the longest retention
period, the data must be deleted.
When considering compliance with data protection regulations, it is also necessary to consider compliance
with industry-specific legislation in different countries. A typical potential scenario in certain countries is that
personal data shall be deleted after the specified, explicit, and legitimate purpose for the processing of
personal data has ended, but only if no other retention periods are defined in legislation, for example, retention
periods for financial documents. Legal requirements in certain scenarios or countries also often require
blocking of data in cases where the specified, explicit, and legitimate purposes for the processing of this data
have ended but the data still has to be retained in the database due to other legally mandated retention
periods. Sometimes, transactional data is personal data with relation to a master data object, for example, a sales
order with reference to a business partner. Therefore, the challenge for deletion and blocking is to handle
transactional data first and other data, such as business partner data, last.
• Templates
• Text blocks
• Virtual documents
Purpose of legal document is still valid: Active. Can be accessed based on the authorizations that are configured.
End of Purpose is reached: If the corresponding legal document has reached End of Purpose, the virtual
document is also set to the same state. Can be accessed based on the authorizations that are configured.
Legal document is in To be Archived status: If the corresponding legal document is in To be Archived status, the
virtual document is also set to the same status. Can be accessed based on the authorizations that are configured
for the To be Archived status.
Retention period is over: Virtual document is deleted.
The deletion of personal data related to templates and text blocks must be handled manually on a case-by-case
basis, and cannot be automated, due to the following reasons:
• Templates and text blocks are not linked to a specific legal transaction. So they can continue to be valid for as
long as it is required by the organization. The end of purpose is decided by the organization based on the
various business scenarios.
• In the event of the need for an owner change due to business reasons, or if the employee working as owner
leaves the company or position, the user details will be deactivated.
Understand the communication protocol and data storage security measures used by Enterprise Contract
Assembly.
This topic provides the information required to contact SAP in case of any issues.
If you require support or encounter any technical issues, contact SAP by reporting an incident on the Support
Portal. The following components are available for reporting:
Component Description
CM-ECA For general issues related to Enterprise Contract Assembly that do not fit into the
other components.
• Tenant ID
• Complete error message along with ID