
SAPFICO

Study material

Uploaded by

Swarnali Basu
Copyright
© © All Rights Reserved

General Ledger Accounting Configuration Steps

General Ledger Accounting: General ledger accounting is the complete record of all business transactions.

GL Accounting Configuration Steps:
• Step 1: Define Chart of Accounts
• Step 2: Assign Company Code to Chart of Accounts
• Step 3: Define Account Groups
• Step 4: Define Retained Earnings Account
• Step 5: Creation of GL Master Records
• Step 6: Define Tolerance Group for GL Account

Step 1: Define Chart of Accounts
• SAP Path: SPRO -> IMG -> Financial accounting -> General ledger Accounting -> GL Accounts -> Master Data -> Preparations -> Edit Chart of Accounts list
• Transaction Code: OB13

Step 2: Assign Company Code to Chart of Accounts
• SAP Path: SPRO -> IMG -> Financial accounting -> General ledger Accounting -> GL Accounts -> Master Data -> Preparations -> Assign Company Code to Chart of Accounts
• Transaction Code: OB62

Step 3: Define Account Groups
• SAP Path: SPRO -> IMG -> Financial accounting -> General ledger Accounting -> GL Accounts -> Master Data -> Preparations -> Define Account Groups
• Transaction Code: OBD4

Step 4: Define Retained Earnings Account
• SAP Path: SPRO -> IMG -> Financial accounting -> General ledger Accounting -> GL Accounts -> Master Data -> Preparations -> Define Retained Earnings Account
• Transaction Code: OB53

Step 5: Creation of GL Master Records
• SAP Path: SPRO -> IMG -> Financial accounting -> General ledger Accounting -> GL Accounts -> Master Data -> Preparations -> GL Account Creation and Processing -> Edit G/L Account
• Transaction Code: FS00

Step 6: Define Tolerance Group for GL Account
• SAP Path: SPRO -> IMG -> Financial accounting -> General ledger Accounting -> Business transactions -> Open Item Clearing -> Clearing Differences -> Define Tolerance Groups for GL Accounts
• Transaction Code: OBA0

Special Purpose Ledger

Special Purpose Ledgers are ledgers that you can define for your specific business and organizational requirements. The ledgers contain the dimensions you enter. You can create Special Purpose Ledgers in your FI-SL system.

Step 1) Define Table Directory

IMG Path: Financial Accounting (New) -> Special Purpose Ledger -> Basic Settings -> Tables -> Execute Express Installation

In this activity, you can perform an express installation for an FI-SL system. The system performs the express installation for the respective functions using default settings and values.

Step 2) Maintain Table Directory

IMG Path: Financial Accounting (New) -> Special Purpose Ledger -> Basic Settings -> Maintain Table Directory

In this step, you can call up a directory of all the tables used in the Special Purpose Ledger system and display or maintain these tables. The table directory is updated automatically when you install an FI-SL table. You should only maintain it manually if absolutely necessary.

Step 3) Maintain Fixed Field Movement

IMG Path: Financial Accounting (New) -> Special Purpose Ledger -> Basic Settings -> Maintain Fixed Field Movements

In this step, you can define which fields of a sender table are transferred to the fields of an FI-SL receiver table. Table T800M is updated automatically if you install an FI-SL table; you should only maintain the table manually if absolutely necessary. You should under no circumstances delete entries from this table.

Step 4) Maintain Field Movements

IMG Path: Financial Accounting (New) -> Special Purpose Ledger -> Basic Settings -> Master Data -> Maintain Field Movements

When assigning activities to your company code/ledger and global company/ledger combinations, you define a field grouping code for each combination. This field grouping code determines which dimensions from other SAP application areas are transferred to dimensions in the FI-SL system. In the "Maintain Field Movement" step you can maintain the field grouping codes for your activities.

Step 5) Define Ledger

IMG Path: Financial Accounting (New) -> Special Purpose Ledger -> Basic Settings -> Master Data -> Ledger -> Define Ledger

In this step, you can create and maintain a Special Purpose Ledger. Data is posted to the ledgers from other SAP application areas or external systems and can also be entered directly in the FI-SL system.

Step 6) Maintain Company Code

IMG Path: Financial Accounting (New) -> Special Purpose Ledger -> Basic Settings -> Master Data -> Ledger -> Maintain Company Codes

Display Data

When a document is entered, it generates a unique special purpose document number.

In the reference field of the document, the original document detail appears. It may be an FI document number (if posted directly), a PO number (if entered through the MM module), or a billing document number.

Ex: Go to FB03, enter the FI document number as below and press Enter.
In the below screen you can get the special purpose document number as below.

https://help.sap.com/docs/SAP_S4HANA_ON-PREMISE/8308e6d301d54584a33cd04a9861bc52/3c143a9c5e284f1b97282ccbdeb17aae.html

The special purpose ledger document appears as below.

Authorizations in Analytics for Universal Journal
Grant authorizations in Analytics for the universal journal, that is, for
example, for general ledger accounting, sales accounting, overhead
accounting, product cost accounting, inventory accounting and asset
accounting.

Use
The universal journal is the basis of an integrated accounting system in
which financial accounting and management accounting data are
recorded in a single chart of accounts. Since all financial data is based on
the same line items, no reconciliation between financial accounting and
management accounting is ever required.

Permanent reconciliation is achieved by bringing together the following components:

• General Ledger Accounting (FI-GL)
• Asset Accounting (FI-AA)
• Controlling (CO)
• Profitability Analysis (CO-PA)
  The universal journal is integrated only with account-based profitability analysis. However, costing-based profitability analysis can be run in parallel.
• Material Ledger (CO-PC-ACT)

Even though the data is stored in a universal journal entry (table ACDOCA), and only one virtual data model applies, different business users with different business roles need to access the same data with different authorizations.

A general ledger accountant, for example, might want to view all data of a certain company code in the financial statement, whereas a cost accountant, for example, should only be able to see certain cost centers. To enable this, different authorization contexts have been introduced. Depending on the authorization context, the system checks a different set of authorization objects. If you want to see in detail which authorizations are checked, start ABAP in Eclipse or transaction SE80 to view the different Access Controls, for example for I_GLAccountLineItem.

The authorization context is set via a new authorization object F_AcDocA_C with a set of predefined values:

• OVHDCOST (Overhead Cost Accounting)
• SALES (Sales Accounting)
• INVTRY (Production Cost Accounting)
• GENLDGR (General Ledger Accounting)
• ASSET (Asset Accounting)

Caution
Please note that assigning business catalogs defining different
authorization contexts to a business user can lead to the overriding of
existing authorizations.

For example, a business user has only been assigned business catalogs
that are attached to authorization context OVHDCOST and has been
granted partial authorization for the restriction type Cost Center. This
business user can therefore only see some cost centers. If the same
business user is now assigned an additional business catalog with the
authorization context GENLDGR, PRODNCOST, INVTRY or ASSET, the
existing authorizations for the restriction type Cost Center are overridden.
The business user can now see all cost centers. Please also note that
despite it losing its effect, the restriction type is still visible in
the Maintain Business Roles app under Restrictions.

This overriding effect can also be caused if one restriction type is used in
different assigned business roles of different business catalogs.

Note
Please note that no authorization check will be performed.

Overview of Authorization Objects

Authorization Objects for General Ledger Accounting (F_AcDocA_C - GENLDGR)

CDS View Field                               | Authorization Object
Ledger / CompanyCode                         | F_FAGL_LDR
CompanyCode                                  | F_BKPF_BUK
CompanyCode                                  | F_CC_HIER
FinancialAccountType                         | F_BKPF_KOA
BusinessArea                                 | F_BKPF_GSB
Segment                                      | F_FAGL_SEG
_GLAccountInCompanyCode.AuthorizationGroup   | F_BKPF_BES
_Supplier.AuthorizationGroup                 | F_BKPF_BEK
_Customer.AuthorizationGroup                 | F_BKPF_BED
_AccountingDocumentType.AuthorizationGroup   | F_BKPF_BLA
ProfitCenter                                 | K_PCAR_REP
ProfitCenter / ControllingArea / GLAccount   | K_PCA_HIER
ProfitCtrResponsibleUser                     |

Authorization Objects for Sales Accounting (F_AcDocA_C - SALES)

CDS View Field                               | Authorization Object
Ledger / CompanyCode                         | F_FAGL_LDR
CompanyCode                                  | F_BKPF_BUK
CompanyCode                                  | F_CC_HIER
FinancialAccountType                         | F_BKPF_KOA
BusinessArea                                 | F_BKPF_GSB
Segment                                      | F_FAGL_SEG
_GLAccountInCompanyCode.AuthorizationGroup   | F_BKPF_BES
_Supplier.AuthorizationGroup                 | F_BKPF_BEK
_Customer.AuthorizationGroup                 | F_BKPF_BED
_AccountingDocumentType.AuthorizationGroup   | F_BKPF_BLA
ProfitCenter                                 | K_PCAR_REP
ProfitCenter / ControllingArea / GLAccount   | K_PCA_HIER
ProfitCtrResponsibleUser                     |
CostCenter / ControllingArea / GLAccount     | K_REPO_CCA
CostCenter / ControllingArea / GLAccount     | K_CCA_HIER
CostCtrResponsibleUser                       | (ResponsibleUser = current logged on user)
SalesOrganization, DistributionChannel, OrganizationDivision | V_VBAK_VKO
_SalesDocument.SalesDocumentType             | V_VBAK_AAT

Authorization Objects for Overhead Cost Accounting (F_AcDocA_C - OVHDCOST)

CDS View Field                               | Authorization Object
Ledger / CompanyCode                         | F_FAGL_LDR
CompanyCode                                  | F_BKPF_BUK
CompanyCode                                  | F_CC_HIER
_GLAccountInCompanyCode.AuthorizationGroup   | F_BKPF_BES
_Supplier.AuthorizationGroup                 | F_BKPF_BEK
_Customer.AuthorizationGroup                 | F_BKPF_BED
_AccountingDocumentType.AuthorizationGroup   | F_BKPF_BLA
Order.OrderType                              | K_ORDER
ProfitCenter                                 | K_PCAR_REP
ProfitCenter / ControllingArea / GLAccount   | K_PCA_HIER
ProfitCtrResponsibleUser                     |
CostCenter / ControllingArea / GLAccount     | K_REPO_CCA
CostCenter / ControllingArea / GLAccount     | K_CCA_HIER
CostCtrResponsibleUser                       | (ResponsibleUser = current logged on user)

Authorization Objects for Product Cost Accounting (F_AcDocA_C - PRODNCOST)

CDS View Field                               | Authorization Object
Ledger / CompanyCode                         | F_FAGL_LDR
CompanyCode                                  | F_BKPF_BUK
CompanyCode                                  | F_CC_HIER
_GLAccountInCompanyCode.AuthorizationGroup   | F_BKPF_BES
_Supplier.AuthorizationGroup                 | F_BKPF_BEK
_Customer.AuthorizationGroup                 | F_BKPF_BED
_AccountingDocumentType.AuthorizationGroup   | F_BKPF_BLA
_Order.OrderType                             | K_ORDER
ProfitCenter                                 | K_PCAR_REP
ProfitCenter / ControllingArea / GLAccount   | K_PCA_HIER
ProfitCtrResponsibleUser                     |
CostCenter / ControllingArea / GLAccount     | K_REPO_CCA
CostCenter / ControllingArea / GLAccount     | K_CCA_HIER
CostCtrResponsibleUser                       | (ResponsibleUser = current logged on user)
Plant                                        | K_PKSA

Authorization Objects for Inventory Accounting (F_AcDocA_C - INVTRY)

CDS View Field                               | Authorization Object
Ledger / CompanyCode                         | F_FAGL_LDR
CompanyCode                                  | F_BKPF_BUK
CompanyCode                                  | F_CC_HIER
_GLAccountInCompanyCode.AuthorizationGroup   | F_BKPF_BES
_Supplier.AuthorizationGroup                 | F_BKPF_BEK
_Customer.AuthorizationGroup                 | F_BKPF_BED
_AccountingDocumentType.AuthorizationGroup   | F_BKPF_BLA
ProfitCenter                                 | K_PCAR_REP
ProfitCenter / ControllingArea / GLAccount   | K_PCA_HIER
ProfitCtrResponsibleUser                     |
ValuationArea                                | K_ML_VA

Authorization Objects for Asset Accounting (F_AcDocA_C - ASSET)

CDS View Field                               | Authorization Object
Ledger / CompanyCode                         | F_FAGL_LDR
CompanyCode                                  | F_BKPF_BUK
CompanyCode                                  | F_CC_HIER
BusinessArea                                 | F_BKPF_GSB
Segment                                      | F_FAGL_SEG
_GLAccountInCompanyCode.AuthorizationGroup   | F_BKPF_BES
_Supplier.AuthorizationGroup                 | F_BKPF_BEK
_Customer.AuthorizationGroup                 | F_BKPF_BED
_AccountingDocumentType.AuthorizationGroup   | F_BKPF_BLA
ProfitCenter                                 | K_PCAR_REP
ProfitCenter / ControllingArea / GLAccount   | K_PCA_HIER
ProfitCtrResponsibleUser                     |
CompanyCode / AssetClass                     | A_S_ANLKL
CompanyCode / BusinessArea                   | A_S_GSBER

Please be aware of the following:

1. Lines including AuthorizationGroup are initial and automatically authorized. In case the line does not have a value for the object, the value is null (e.g. if Customer is initial, the returned value for Authorization Group is null). If this situation applies to you, please refer to scenario 2.
2. Lines including initial values are automatically authorized for the respective authorization object:
   a. BusinessArea – F_BKPF_GSB
   b. Segment – F_FAGL_SEG
   c. Customer – F_BKPF_BED
   d. Supplier – F_BKPF_BEK
   e. CostCenter – K_REPO_CCA, K_CCA_HIER
   f. SalesOrganization, DistributionChannel, OrganizationDivision – V_VBAK_VKO
   g. SalesDocument – V_VBAK_AAT
   h. Order – K_ORDER
   i. Plant – K_PKSA
   j. AssetClass – A_S_ANLKL
   k. BusinessArea – A_S_GSBER
3. Lines including initial values need explicit authorization:
   a. ProfitCenter – K_PCAR_REP (not possible with K_PCA_HIER)
   b. ValuationArea – K_ML_VA

Extensibility
This authorization context also allows custom authorizations for CDS views delivered by SAP. To define your own set of authorization objects to be checked, you need to do the following:

• Create a fixed value append for the domain FIS_AUTHCNTXT with your own custom authorization context.
• Create a custom access control (for example a copy of I_GLAccountLineItem).
• Add the following line as first line into the body, for example:

    ( ) = aspect pfcg_auth ( F_AcDocA_C, FAuthCntxt = '<YOURCONTEXT>' )

• Add further authorization checks line by line, for example:

    AND ( CompanyCode ) = aspect pfcg_auth ( F_BKPF_BUK, BUKRS , ACTVT = '03' )

• Define your roles accordingly and assign your newly created authorization context.

Further Aspects
Some objects can be authorized in multiple ways, for example profit centers and cost centers.

• If users are entered as responsible user, they are automatically authorized.
• Authorizations can be defined via single object authorizations (K_REPO_CCA, K_PCAR_REP).
• Authorizations can be defined via hierarchy nodes (K_CCA_HIER, K_PCA_HIER).
  By specifying the Controlling Area, Hierarchy ID, and Hierarchy Node ID you can authorize a user for a complete sub tree of a hierarchy. Every change to that hierarchy is automatically reflected in the authorization check. As a prerequisite you have to replicate your runtime hierarchies (see Replicate Runtime Hierarchy).

Please consider the following: If you grant for example a full authorization for K_REPO_CCA, the user can see all cost centers, no matter what you enter in K_CCA_HIER and vice versa.
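
An added example (not part of the SAP documentation quoted above) that audits role assignments for both effects described in this section: the context override from the Caution and the full single-object grant that voids a hierarchy grant, or vice versa. The role model, the role, user and cost center names, and "*" as the marker for a full authorization are assumptions; real authorization objects carry several fields, collapsed here to one value set.

```python
"""Audit role assignments for the two override effects described above.

All roles, users and cost centers below are constructed sample data.
"""
from dataclasses import dataclass, field

# Contexts the page lists as overriding a partial Cost Center restriction
# that was granted together with context OVHDCOST.
OVERRIDING_CONTEXTS = {"GENLDGR", "PRODNCOST", "INVTRY", "ASSET"}
FULL = "*"  # assumption: "*" marks an unrestricted (full) authorization


@dataclass
class Role:
    name: str
    contexts: set                                     # F_AcDocA_C contexts of the role's catalogs
    restrictions: dict = field(default_factory=dict)  # restriction type -> set of values
    auth: dict = field(default_factory=dict)          # authorization object -> set of values


def is_partial(values):
    """A grant is partial when values are maintained and none of them is '*'."""
    return bool(values) and FULL not in values


def context_overrides(user_roles):
    """Return (restricted role names, overriding contexts) or None for one user."""
    restricted = sorted(
        r.name for r in user_roles
        if "OVHDCOST" in r.contexts and is_partial(r.restrictions.get("Cost Center"))
    )
    contexts = set().union(*(r.contexts for r in user_roles))
    overriding = sorted(contexts & OVERRIDING_CONTEXTS)
    return (restricted, overriding) if restricted and overriding else None


def single_vs_hierarchy(user_roles, single="K_REPO_CCA", hierarchy="K_CCA_HIER"):
    """Return (full object, voided object) when a full grant on one object
    makes a partial grant on the other ineffective, else None."""
    merged = {single: set(), hierarchy: set()}
    for role in user_roles:
        for obj in merged:
            merged[obj] |= set(role.auth.get(obj, ()))
    for full_obj, other in ((single, hierarchy), (hierarchy, single)):
        if FULL in merged[full_obj] and is_partial(merged[other]):
            return (full_obj, other)
    return None


def audit(assignments, roles):
    """Return a list of (user, finding kind, detail), sorted by user."""
    findings = []
    for user in sorted(assignments):
        user_roles = [roles[name] for name in assignments[user]]
        for kind, check in (("context_override", context_overrides),
                            ("single_vs_hierarchy", single_vs_hierarchy)):
            hit = check(user_roles)
            if hit:
                findings.append((user, kind, hit))
    return findings


# Constructed sample data.
ROLES = {r.name: r for r in [
    Role("Z_COST_ACCT", {"OVHDCOST"}, {"Cost Center": {"CC1000", "CC1010"}},
         {"K_REPO_CCA": {"CC1000", "CC1010"}}),
    Role("Z_GL_DISPLAY", {"GENLDGR"}),
    Role("Z_SALES_ACCT", {"SALES"}),
    Role("Z_CC_EU_NODE", {"OVHDCOST"}, auth={"K_CCA_HIER": {"NODE_EU"}}),
    Role("Z_CC_ALL", {"OVHDCOST"}, {"Cost Center": {FULL}}, {"K_REPO_CCA": {FULL}}),
]}
ASSIGNMENTS = {
    "ALICE": ["Z_COST_ACCT"],                  # restricted, single context
    "BOB": ["Z_COST_ACCT", "Z_GL_DISPLAY"],    # GENLDGR overrides the restriction
    "CAROL": ["Z_CC_EU_NODE", "Z_CC_ALL"],     # full K_REPO_CCA voids the node grant
    "DAVE": ["Z_COST_ACCT", "Z_SALES_ACCT"],   # SALES is not in the page's list
}

if __name__ == "__main__":
    for user, kind, detail in audit(ASSIGNMENTS, ROLES):
        print(user, kind, detail)
```

Run it against an export of business role assignments before granting an additional catalog, so that a restriction that stays visible in Maintain Business Roles but no longer takes effect is caught in review.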

SAP HANA Extended Application Services (SAP HANA XS) enables you to
create a database view as a design-time file in the repository. Repository
files can be read by applications that you develop. In addition, all
repository files including your view definition can be transported to
other SAP HANA systems, for example, in a delivery unit.

If your application refers to the design-time version of a view from the repository rather than the runtime version in the catalog, for example, by using the explicit path to the repository file (with suffix), any changes to the repository version of the file are visible as soon as they are committed to the repository. There is no need to wait for the repository to activate a runtime version of the view.

If you want to create a view definition as a design-time object, you must create the view as a flat file and save the file containing the view definition with the suffix .hdbview, for example, MYVIEW.hdbview in the appropriate package in the package hierarchy established for your application in the SAP HANA repository. You can activate the design-time object at any point in time.

Native platform capabilities.

https://help.sap.com/docs/SAP_HANA_PLATFORM/cc2b23beaa3344aebffa2f6e717df049/aa300f37f08f4f02bfa7f8ade507f0fa.html?version=2.0.02&locale=en-US

View definition syntax:

string schema;
string query;
bool public(default=true);
optional list<string> depends_on_table;
optional list<string> depends_on_view;

Example:

schema="MYSCHEMA";
public=false;
query="SELECT T1.\"Column2\" FROM \"MYSCHEMA\".\"acme.com.test.tables::MY_TABLE1\" AS T1 LEFT JOIN \"MYSCHEMA\".\"acme.com.test.views::MY_VIEW1\" AS T2 ON T1.\"Column1\" = T2.\"Column1\"";
depends_on_table=["acme.com.test.tables::MY_TABLE1"];
depends_on_view=["acme.com.test.views::MY_VIEW1"];

Blue-Green deployment is a technique used to release software updates with zero
downtime and minimal risk. In Blue-Green deployment, two identical environments
are set up: one is the “blue” environment, which is currently in use (live system), and
the other is the “green” environment, which is the updated version (deployment
candidate). Once the green environment is ready, traffic is redirected from the blue
environment to the green environment. If any issues occur during deployment, traffic
can be quickly redirected back to the blue environment.

Hybrid & Native approaches to Mobile app development

There are basically two paradigms in mobile app development using SAP, namely the Hybrid and the Native paradigm.

Hybrid apps are built using web technologies like HTML, CSS and JavaScript, whereas Native apps are built with a specific technology and language for a specific platform, like Java for Android or Swift for iOS. In other words, any mobile app that is built using the mobile platform specific technologies is called a Native app. A Hybrid app can be built for any platform from a single code base.

Examples of Native technologies are React Native (based on JavaScript) and Flutter (based on Dart, created by Google). Examples of Hybrid technologies are Cordova (plugins can be used for SAP Mobile development) and Ionic (uses Cordova in the background).

Hybrid apps are usually easier and faster to develop than native apps. They also need less support and maintenance. On the other hand, the speed of your hybrid app will depend completely on the speed of the end user's browser. This means that hybrid apps will almost never run as fast as a native app.

Native apps are very fast and responsive because they are built for that specific platform (Android/iOS) and are compiled using the platform's core programming languages and APIs. As a result, the generated app is much more efficient than hybrid apps. The device stores the app, allowing the app's software to leverage the device's processing speed. These apps can also directly access the hardware of the device such as the GPS, camera, microphone, etc. So they are much faster than hybrid apps in execution, which ultimately results in a better user experience. Push notifications are another huge advantage of native apps.

In the SAP domain, an SAPUI5 or FIORI app can directly be converted (built) into a mobile app from the WebIDE. This is an example of Hybrid app development in SAP. But, to use native technology for our mobile app development, SAP has provided a new set of tools called MDK (Mobile Development Kit), which is based on the FIORI guidelines and provides a user friendly UX. It also has a drag and drop interface which can be used for app development. We will look in detail at these paradigms in this blog.

The Hybrid approach is becoming obsolete for our SAP mobile apps development. Due to the reasons mentioned above, SAP is moving more towards development of mobile apps using the MDK tool. It is easier to develop and use.

https://blogs.sap.com/2020/07/07/creating-sap-based-mobile-apps-using-hybrid-and-mdk-tools/

when to use CDS AMDP

ADBC - ABAP Database Connectivity

ADBC is an API for the Native SQL interface of the AS ABAP that is based on ABAP Objects. The ADBC methods can be used to pass Native SQL statements to the database interface. They make it possible to

• send database-specific SQL commands to a database system and process the result
• establish and administer database connections.

The ADBC classes all begin with the prefix CL_SQL_ or CX_SQL_ and are documented. The following paragraphs briefly introduce the most important classes.

• CL_SQL_STATEMENT - Execution of SQL Statements
• CL_SQL_PREPARED_STATEMENT - Prepared SQL Statements
• CL_SQL_CONNECTION - Administration of Database Connections
• CX_SQL_EXCEPTION - Exception Class

Programming Guideline

Notes

• ADBC can always be used when access to a database using the Native SQL interface instead of the Open SQL interface is necessary.

• ADBC does not support automatic client handling. The client ID of a database table must be specified explicitly. Note that application programs should only use data from the current client. See also the associated security note and the programming guideline.

• Alongside ADBC, it is also possible to embed Native SQL statically between EXEC SQL and ENDEXEC in ABAP programs. The recommendation, however, is to use ADBC.

  o While the static embedding of Native SQL offers exclusively static access to the Native SQL interface, ADBC makes modern object-oriented and dynamic access possible.

  o New developments and improvements, such as optimized performance using bulk access across internal tables, are now made only for ADBC.

The existing static embedding of Native SQL statements is still supported but should no longer be used in new programs.

ALV IDA

Overview
https://blogs.sap.com/2018/07/16/sap-list-viewer-with-integrated-data-access-alv-with-ida/

ALV with IDA (SAP List Viewer with Integrated Data Access) helps tables that contain very large quantities of data to be displayed on the UI. The results of operations such as sorting, grouping, or filtering are also delivered with a very fast response time. It uses the in-memory database, such as SAP HANA, without having to switch to a new programming environment. There is no change in the user interface and standard functions (also ALV services). ALV functions are adjusted to the use of in-memory databases. The new general programming model (Coding Pushdown) is also optimally supported when using in-memory databases.

Examples
Example#1: Display Sales Order Details
The following example demonstrates how to display sales orders with SALV IDA.

Output:

Check DB Capabilities

CHECK cl_salv_gui_table_ida=>db_capabilities( )->is_table_supported( iv_ddic_table_name = 'VBAK' ).

Create IDA

DATA(o_ida) = cl_salv_gui_table_ida=>create( iv_table_name = 'VBAK' ).

Set Maximum Rows Recommended

IF cl_salv_gui_table_ida=>db_capabilities( )->is_max_rows_recommended( ).
  o_ida->set_maximum_number_of_rows( iv_number_of_rows = 2000 ).
ENDIF.

Display

o_ida->fullscreen( )->display( ).

Program

cl_salv_gui_table_ida=>create_for_cds_view( 'Z_Invoice_Items_XXX' )->fullscreen( )->display( ).

*&---------------------------------------------------------------------*
*& Report zjp_cds_inv_items_test
*&---------------------------------------------------------------------*
*&
*&---------------------------------------------------------------------*
REPORT zjp_cds_inv_items_test.

CLASS lcl_main DEFINITION CREATE PRIVATE.

  PUBLIC SECTION.
    " Factory method: the constructor is private
    CLASS-METHODS create
      RETURNING
        VALUE(r_result) TYPE REF TO lcl_main.

    METHODS run.

  PROTECTED SECTION.
  PRIVATE SECTION.

ENDCLASS.

CLASS lcl_main IMPLEMENTATION.

  METHOD create.
    CREATE OBJECT r_result.
  ENDMETHOD.

  METHOD run.
    " Display the CDS view in a full-screen ALV with IDA
    cl_salv_gui_table_ida=>create_for_cds_view( `Z_Invoice_Items` )->fullscreen( )->display( ).
  ENDMETHOD.

ENDCLASS.

START-OF-SELECTION.

  lcl_main=>create( )->run( ).

• SELECT * FROM <table_name> WHERE CONTAINS (<column_name>, <search_string>, FUZZY(x) ).

CDS table function creates a CDS view inside a method of AMDP class
A CDS table function creates a CDS view that is implemented by a class method, which should implement the interface IF_AMDP_MARKER_HDB. The result set of the class method is the CDS view. In this case, it is called an ABAP Managed Database Function.

Build Your First Chatbot with SAP Conversational AI

With a standard Perform Actions bot, the developer is responsible for creating entities and intents with expressions. The developer is also responsible for building and managing the conversational flow that pulls information from back-end systems to help simplify processes for the chatbot end user.

An FAQ bot retrieves answers to users' questions from one or more documents (.csv files) that you upload. The document must include predefined pairs of questions and answers. This allows your bot to map the user's query to the best match and retrieve an answer without interpreting the intent of the question.

To ease the complexity of the FAQ bot, the intents and entities are predefined and hidden, and the bot includes a set of predefined skills. However, you can design the bot responses as per your business needs.

http://cpplerdev.centurypnp.com:8000/sap/opu/odata/sap/MM_PUR_PO_MAINT_V2_SRV/C_PurchaseOrderTP

http://cpplerpdev.centurypnp.com:8080/sap/opu/odata/sap/MM_PUR_PO_MAINT_V2_SRV/C_PurchaseOrderTP

Machine Learning

How is it different from other intelligent technologies like RPA and Situation Handling?

Machine learning is used to predict future outcomes by utilizing past data and to help business users in decision making. It provides real-time, predictive insights so users can make faster and better decisions and adjustments.

RPA, by contrast, is used for automating repetitive tasks; here the focus is to identify recurring tasks and automate them using RPA bots. It accelerates the digital transformation of business processes by automatically replicating tedious actions that have no added value.

Situation Handling, like ML, also helps in decision making, but it is based on decision flow charts that are created by the users to take decisions for different kinds of situations. Here future outcomes are not predicted to make decisions.

How does ML work in SAP S/4HANA?

Machine learning algorithms use customer-specific history and exceptions to predict future outcomes, and these outcomes can be used to automate business user decisions.

In SAP S/4HANA, we have two kinds of ML capabilities: Embedded ML and Side-by-Side ML.

Embedded ML is used for simple ML scenarios using classic algorithms like regression, clustering, classification, and time-series that require low CPU & RAM, and no external data is required. It is based on the SAP Analytics cloud.

Side-by-Side ML is used for complex ML scenarios using deep learning, like image or language processing, that require high CPU & RAM, and external data is required. It is based on the SAP Business Technology Platform.

Managing delivery delays

APL

PAL

HANDSHAKING OF PYTHON CODE WITH CAP MODEL

https://blogs.sap.com/2023/06/22/auto-generating-hana-ml-cap-artifacts-from-python/

Predictive Power-

Description:
The predictive power of a model is the quality indicator of models generated using
the application. This indicator corresponds to the proportion of information contained
in the target variable that the explanatory variables can explain. To improve the
predictive power of a model, new variables may be added to the training dataset.
Explanatory variables may also be combined

Details:

A model with a predictive power of:

• "0.79" can explain 79% of the information contained in the target variable using the explanatory variables contained in the dataset analyzed.
• "1" is a hypothetical perfect model, capable of explaining 100% of the target variable using the explanatory variables contained in the dataset analyzed. In practice, such a predictive power would generally indicate that an explanatory variable 100% correlated with the target variable was not excluded from the dataset analyzed.
• "0" is a purely random model.

Predictive Confidence-

Description:

The prediction confidence is the robustness indicator of the models generated using
the application. It indicates the capacity of the model to achieve the same
performance when it is applied to a new data set exhibiting the same characteristics
as the training dataset. To improve the prediction confidence of a model, additional
observation rows may be added to the training

Details:

A model with prediction confidence:

• Equal to or greater than "0.98" is very robust. It has a high capacity for generalization.
• Less than "0.95" must be considered with caution. Applying it to a new dataset will incur the risk of generating unreliable results.

Probability of employee retention

Building a Predictive Model:

Train Dataset: which employees will leave the company or not. It is given to SAC, which creates an ML model; this is called the predictive model.
The model is built by dividing in

There is a train dataset which is divided into 2 models: 1 is training (multiple models) and another is validation (accuracy of all these models). Whichever gives the best accuracy is used; it uses predictive power, sensitivity, prediction confidence, TPR and FPR for giving its accuracy.

Then we use the apply dataset and give it to the ML model, where there is only employee data; it now gives the prediction probability and category (0 & 1). This gives the chance of an employee leaving.
These 2 datasets above are the input, and the output dataset is built on them.

A report is based on these 2 datasets and given to HR, who can then address the issue.

Machine learning
For training an ML model, a data source, called the Training Dataset, is needed, and the data to which the prediction is applied has to be prepared, which is called the Apply Dataset. Both have to be created manually as CDS Views.
Then the ML data model, called an Intelligent Scenario, is created with the tool Intelligent Scenarios; in it the library (APL) and algorithm (Regression) are defined and the Training Dataset and Apply Dataset are set.
After that, the model is trained to create the output view, called the ABAP Apply View. It is also a CDS View.
In the final step, the Fiori application (KPI Tile Generic Drill down app) is created. For doing that, the CDS view data source for the app is created, in which the ABAP Apply View is used as the source.
Steps in detail
1. Create Custom CDS Views as the data source of the Intelligent Scenario / ML Model.
2. Create the Intelligent Scenario / ML model with Intelligent Scenarios using the created CDS Views.
3. Train the ML model with Intelligent Scenario Management; the output CDS View is generated.
4. Create a Custom CDS View as the source of the Custom Fiori app.
5. Create the Fiori app using the created Custom CDS View.
Detailed steps are described in the configuration guide of the Scope Item 55Z. Here the brief steps are shown.

ARTIFICIAL Intelligence

Data Security :
SAP Cloud Platform offers an OAuth 2.0 user authentication service that
communicates with an Identity Provider or local trust store to provide a secure
method of passing valid credentials through HTTP calls.

Beginners guide to SAP Security: Why is it important and how does it work?
By September 15th, 2020
Organizations using SAP as their business application or ERP system often
store their most critical assets, including intellectual properties within
SAP. This data must be protected against unauthorized access originating
from both outside and within the organization. SAP systems require
extensive protection and security monitoring as business-critical systems.

What is SAP Security?


SAP (Systems Applications and Products) Security is a means to protect
your company’s data and systems by monitoring and controlling access
both internally and externally. SAP Systems are a type of ERP software
used widely by all kinds of businesses across a variety of industries.
There are various aspects to SAP Security, such as infrastructure security,
network security, operating system security, and database security.
Another layer involves the secure code, which includes maintaining SAP
code and security in custom code.

A secure setup of SAP servers is essential to keep your business’s private
information safe and out of the hands of cyber attackers. It covers the
secure configuration of a server, enablement of security logging, security
in terms of system communication, and data security. Users and
authorizations are also critically monitored and tracked.

Elements of SAP Security


Given the complicated and interconnected nature of SAP systems, there is
a lot that goes into maintaining their security. When it comes to SAP
Security, here’s an overview of the different aspects involved:

 Infrastructure security
 Network security
 Operating system security
 Database security
 Secure code ABAP/4
 Configuration of a server
 Enablement of security logging
 System communication
When carried out effectively, it’s easy to maintain system compliance with
the help of continuous monitoring, audits, and the establishment of
emergency concepts.

What is SAP Security Used for and Why is it important?


SAP security is often siloed or a blind spot within the centralized
cybersecurity monitoring of a business. And with 66% of business
executives feeling that cyberattacks are increasing in frequency around
the world, it’s a serious concern.

And so, as a countermeasure to these attacks, SAP security is designed to
help protect the business-critical systems that organizations rely on to run
their business effectively.

The Most Common Uses of SAP Security Are:

 Avoiding exploitation and fraud
 Ensuring data integrity
 Identifying unauthorized access
 Continuous and automated audits
 Detecting data leaks
 Centralizing security monitoring
An attack on SAP systems can have a devastating impact on the
operations of the business, leading to financial losses, supply chain issues,
and long-term reputation damage.

To prevent that kind of headache, these systems need to be protected
against internal and external cyber threats. That way your company can
continue to maintain confidentiality, availability, and integrity.

Despite this, many organizations keep them out of scope for security
teams or rely on the ERP vendor tools alone. As you might expect, this
dramatically increases the risk of attacks and makes ERP systems, such as
SAP, a prime target for adversaries.

How does SAP Security work?


Because SAP systems connect different departments and programs
together to help you run your business smoothly, they are incredibly
complicated. Since they are so complex and unique by nature, this makes
it harder to develop proper cybersecurity measures.

According to a study from the University of Maryland, cyberattackers
attempt to attack systems every 39 seconds. Protecting them is vital.

Within SAP security, there are several steps you can take to prevent
attacks:

Roles and Authorizations


First, your SAP systems deliver necessary authorizations as a standard.
Customer-specific authorization concepts are set up in SAP, allowing
essential permissions to be assigned. The assignment of authorization
combinations (Segregation of Duties, SOD) is critical.

The assignment of critical combinations of authorizations should be
avoided and only used or assigned in exceptional cases, such as with
so-called firefighter accounts. A further complication in SAP security is that
authorizations and roles can be manipulated in SAP by SAP standard
means.

Therefore, examining necessary authorizations and authorization
combinations is crucial and presents companies with significant
challenges. Also, it’s crucial to conduct continuous, automated reviews of
SAP authorizations.

You can easily do these checks using a test catalog. Creating this from
scratch requires effort and is not only relevant for the authorizations in
the SAP Basis area, but also for business processes. If 4-6 eye
principles are undermined by the assignment of necessary permissions
and combinations of permissions, there is a risk of exploitation or fraud.

SOD checks are ideally carried out not only per SAP role but also per
user, because a user can run into a so-called SOD conflict by being assigned
several roles. In addition to evaluating users, you should know which
roles ultimately trigger the conflict in combination. The SAP transaction
SUIM and its API allow checks of combinations of critical authorizations.
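
The user-level check described above, as an added example (not code from the original article or from SAP). It assumes role and user assignments have been exported into plain objects; the role names, user names and the two rules are constructed, and authorizations are simplified to transaction codes.

```javascript
// Constructed sample data: which transaction codes each role grants.
const roleAuths = {
  Z_AP_VENDOR_MAINT: ['FK01', 'FK02'], // create / change vendor
  Z_AP_INVOICE: ['FB60'],              // enter vendor invoice
  Z_AP_PAYMENT: ['F110'],              // payment run
  Z_PURCHASING: ['ME21N'],             // create purchase order
};
// Constructed user-to-role assignments.
const userRoles = {
  ALICE: ['Z_AP_VENDOR_MAINT', 'Z_AP_PAYMENT'],
  BOB: ['Z_AP_INVOICE'],
  CAROL: ['Z_PURCHASING', 'Z_AP_INVOICE', 'Z_AP_PAYMENT'],
  FF_EMERGENCY: ['Z_AP_VENDOR_MAINT', 'Z_AP_PAYMENT'],
};
// Accounts where the combination is an approved exception (firefighter).
const firefighters = new Set(['FF_EMERGENCY']);
// Hypothetical rule set: a conflict exists when one user holds both sides.
const sodRules = [
  { id: 'SOD-01', desc: 'Maintain vendor and run payments', left: ['FK01', 'FK02'], right: ['F110'] },
  { id: 'SOD-02', desc: 'Enter invoice and run payments', left: ['FB60'], right: ['F110'] },
];

// Roles (out of the given list) that grant at least one of the authorizations.
function rolesGranting(roles, auths, roleMap) {
  return roles.filter((r) => (roleMap[r] || []).some((a) => auths.includes(a)));
}

// Role-level check: flags only roles that contain both sides on their own.
function rolesWithConflict(roleMap, rules) {
  return Object.keys(roleMap).filter((role) => rules.some((rule) =>
    rolesGranting([role], rule.left, roleMap).length > 0 &&
    rolesGranting([role], rule.right, roleMap).length > 0));
}

// User-level check: evaluates the union of a user's roles and reports
// which roles contribute each side of the conflict.
function findSodConflicts(users, roleMap, rules, exceptions = new Set()) {
  const findings = [];
  for (const [user, roles] of Object.entries(users)) {
    for (const rule of rules) {
      const leftRoles = rolesGranting(roles, rule.left, roleMap);
      const rightRoles = rolesGranting(roles, rule.right, roleMap);
      if (leftRoles.length === 0 || rightRoles.length === 0) continue;
      findings.push({
        user, rule: rule.id, desc: rule.desc, leftRoles, rightRoles,
        exception: exceptions.has(user), // still reported, but marked for review
      });
    }
  }
  return findings;
}

console.log('roles conflicting on their own:', rolesWithConflict(roleAuths, sodRules));
console.log(findSodConflicts(userRoles, roleAuths, sodRules, firefighters));
```

No single role in the sample violates a rule, so a role-only review reports nothing, while the user-level pass reports three findings and names the role pair behind each.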

Patch Management
SAP is increasingly affected by security breaches. Threats that are
currently dealt with in traditional cybersecurity are also valid for SAP
systems. So-called SAP Security Notes are published continuously; however,
the challenge for organizations is to keep the SAP
systems up-to-date and apply the patches continuously.

Unfortunately, it’s just not always possible.

And so, many SAP systems remain unpatched for a long time and end up
with serious security gaps. To make matters worse, with the release of
new patches, information is released about where the vulnerabilities are,
and how they can be exploited. Not only is patching essential but also the
detection of exploited vulnerabilities, so-called zero-day exploits.

Transaction Monitoring

SAP also offers a large number of critical transactions and functional
modules that are even available remotely. That also means it’s possible to
create accounts via the SAP system’s API, equip them with authorizations,
and then use them remotely. Other building blocks and function modules
can then load or manipulate data from the SAP system.

Once again, the assignment of authorizations plays a role here, as it restricts
the use of the transactions. And so, it’s vital you monitor the execution of
transactions, RFC modules, or SAP reports continuously and in real-time.
Access to SAP systems from outside via the interfaces of an SAP system,
for example, the RFC interface, will need to be monitored too.

SAP Code Security

Next up is code security, an essential part of your SAP security. In SAP
systems, it is often left to the developers to ensure the ABAP code’s
security. Coding is put together in transports and transported from the
development systems to the production systems, but often it’s done
without a sufficient examination of the coding.

Worse yet, SAP offers attackers options for code injection as coding can
even be generated and executed at runtime. The manipulation of
important and urgent transports is just one way of transporting malicious
programs into an SAP system completely undetected. Luckily, SAP
provides a code inspector, with modules like the Code Vulnerability
Analyzer, to check the coding.

System Settings

Your system settings are the basis of SAP security and there are
numerous settings options in SAP systems. Settings are done at the
database level by SAP transactions, or so-called SAP Profile Parameters,
which are stored in files. The rollout of an SAP system must comply with a
set of rules for system settings, which can be found in an SAP Basis
operating manual.

Here it is determined how the security settings are assigned in an SAP
system, how access is granted or denied, and which communication of an
SAP system is allowed. The operating system, database, and application
layers are relevant here. Each of these layers requires proper
configuration of the security settings.

Unfortunately, these are often insufficient in the standard SAP system. For
instance, in many companies, only 5% of their folders are properly
protected.

RFC Configuration

The RFC Gateway can be described as the SAP-internal firewall and needs
to be configured precisely (RegInfo, SecInfo), to avoid unauthorized
remote access from systems and applications.

SAP best practice guidelines, or guidelines from SAP user groups such as
the DSAG, contain practice-tested and security-oriented settings and test
catalogs.

SAP security and Read Access Logs


SAP Security also covers a range of security logs. These need to be switched
on and controlled at the same time.

The most critical log is the SAP Security Audit Log (SM20), which
contains a set of security and audit-relevant events. Also available are
Change Logs (SCU3) of database tables and the so-called Change Documents of
users and business objects (SCDO). The SAP RFC Gateway Log SMGW
carries logs of the RFC Gateway, logs of the SAP Internet Communication
Manager, and the Web Dispatcher.

The SAP Read Access Log stores read and write access to specific fields of
transactions, reports, or programs. It thereby provides an essential
component to meet the obligations under the EU Data Protection
Regulation (GDPR or DS-GVO): the logging of personal data access.

The configuration of the SAP Read Access Logs and their evaluation is an
essential element of SAP Security Monitoring, not least in times of GDPR.
With this log’s help, access to SAP can be monitored, extracted, and
centrally collected, and at best, automatically monitored with appropriate
rules. The SAP Read Access Log is maintained via the transaction
SRALMANAGER.

SAP Security Best Practices


With so much at risk and so much to organize, it can be overwhelming to
get a plan in motion. So, here’s a quick and easy checklist to help you get
started if you’re looking to improve your SAP security.

To keep your data safe you need to conduct a number of different
assessments:

 Internal assessment of access control
 Change & transport procedure assessment
 Network settings & landscape architecture assessment
 OS security assessment
 DBMS security assessment
 SAP NetWeaver security assessment
 Assessment of various SAP components (like SAP Gateway, SAP
Messenger Server, SAP Portal, SAP Router, SAP GUI).
 Assessment of compliance with SAP, ISACA, DSAG, OWASP
standards
After doing these assessments, there are still some other steps you’ll
need to take. With a plan in place, you’ll be far ahead of most companies
—and cyberattackers. Here is an easy 4 step process to get you started
and monitor your SAP security:

1. Align Your Settings: Make sure you have your settings all set up
to align with your organizational structure. You should also educate
your teams and double-check all security measures in place are
being followed.
2. Create Emergency Procedures: In the event of an emergency,
you should have a plan in place to address it quickly and effectively.
For one, you should be sure your Network Administrators can easily
revoke access and privileges as needed.
3. Conduct Housekeeping and Review: Next, you should always be
monitoring your SAP Systems. Also, make sure the list of
permissions is updated regularly, especially when you have new
hires or staff change roles.
4. Use Security Tools: Lastly, it’s crucial to have the right security
tools in place to keep tabs on what’s happening and catch any
suspicious activity. That way, you can more easily prevent a
cyberattack or data breach from happening.

Security In SAP BTP

 Identity Provider (IdP)
 XSUAA
 OAuth
 Application Router
 Authentication and Authorization Implementation etc.

Add authorization in app

To implement authentication, all we need to do is:

1. Implement App Router
2. Create an instance of XSUAA service
3. Bind the application and App Router with XSUAA instance
4. Modify the application to make sure it only accepts requests that contain a JWT
token

https://blogs.sap.com/2022/07/08/fundamentals-of-security-in-btp-implement-authentication-in-a-node.js-app/
The above diagram showcases the call flow. Let’s break it down.

1. The user requests a resource from the application. The App Router takes the
incoming request.
2. Since the user is not authenticated, the App Router initiates an OAuth2 flow with
XSUAA.
3. XSUAA forwards the request to the Identity Provider to make the
business user authenticate.
4. The IdP prompts the user to authenticate, for example by entering a
username and password.
5. The user authenticates.
6. If the authentication was successful, the Identity Provider sends a SAML
token to the user (web browser). The web browser sends this new SAML
token to XSUAA for authentication.
7. XSUAA considers this request authenticated and generates an OAuth token,
which is technically a JWT token.
8. The App Router enriches each subsequent request with the JWT before
the request is routed to a dedicated application. The application verifies the JWT
token and sends the requested resource to the user.
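
What the application's check in step 8 involves, as an added example in Node.js (not code from the original blog post or from SAP). The RSA key pair, the tokens, and the names `demo-app` and `demo-app.Display` are constructed for the demo; it assumes the token carries `aud`, `exp`, `sub` and a `scope` array, and that a deployed app obtains the signing public key from its bound XSUAA instance.

```javascript
const crypto = require('crypto');

// Constructed key pair standing in for the XSUAA signing key (assumption).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (s) => Buffer.from(s).toString('base64url');

// Demo helper: mints a token the way the authorization server would.
function mintToken(claims, header = { alg: 'RS256', typ: 'JWT' }, key = privateKey) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = header.alg === 'RS256'
    ? crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')
    : ''; // unsigned token, used to show that "alg: none" is rejected
  return `${input}.${sig}`;
}

const deny = (status, reason) => ({ ok: false, status, reason });

// What the application does with each request the App Router forwards.
function checkRequest(headers, { key, audience, requiredScope, now = Math.floor(Date.now() / 1000) }) {
  const auth = headers.authorization || '';
  if (!auth.startsWith('Bearer ')) return deny(401, 'no bearer token');
  const parts = auth.slice(7).split('.');
  if (parts.length !== 3) return deny(401, 'malformed token');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString()) || {};
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString()) || {};
  } catch (e) {
    return deny(401, 'malformed token');
  }
  // Pin the algorithm: never let the token choose how it is verified.
  if (header.alg !== 'RS256') return deny(401, 'unexpected algorithm');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    return deny(401, 'bad signature');
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) return deny(401, 'expired');
  if (![].concat(claims.aud || []).includes(audience)) return deny(401, 'wrong audience');
  // Authenticated but not authorized is 403, not 401.
  if (!Array.isArray(claims.scope) || !claims.scope.includes(requiredScope)) {
    return deny(403, 'missing scope');
  }
  return { ok: true, status: 200, user: claims.sub };
}

// Constructed demo values (hypothetical app and scope names).
const policy = { key: publicKey, audience: 'demo-app', requiredScope: 'demo-app.Display' };
const soon = Math.floor(Date.now() / 1000) + 300;
const goodClaims = { sub: 'user-1', aud: ['demo-app'], scope: ['demo-app.Display'], exp: soon };
const asHeader = (token) => ({ authorization: `Bearer ${token}` });

console.log(checkRequest(asHeader(mintToken(goodClaims)), policy));
console.log(checkRequest(asHeader(mintToken(goodClaims, { alg: 'none' })), policy));
console.log(checkRequest({}, policy));
```

A request that reaches the application without passing through the App Router carries no token and gets 401, which is why step 4 of the setup list matters even when the App Router is in place.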

The below image showcases the same thing as sequence diagram.


I hope you got the basic idea of Identity Provider, XSUAA and App Router.

Next blog in the series:
 Fundamentals of Security in BTP: What is OAuth?
 Fundamentals of Security in BTP: Implement Authentication and Authorization
in a Node.js App

Public cloud security

https://blogs.sap.com/2023/04/20/security-of-grow-with-sap-landscape/

Customer Access to SAP S/4HANA cloud, public edition

1. The SAP S/4HANA cloud, public edition is hosted in SAP Converged Data
Center, Azure, and Google Cloud at various global locations. In the SAP
S/4HANA Cloud, Public Edition and SAP BTP, business users access the
application via a standard browser, providing a seamless user experience
across all devices and Fiori applications through the Fiori Launchpad.
2. SAP S/4HANA Cloud uses a load balancer and a web dispatcher. The incoming
request is directed to the load balancer, which distributes
incoming network traffic across a shared web dispatcher cluster. Each customer
accesses their system through a unique, customer-specific URL, with
communication managed by the SAP Web Dispatcher’s Reverse Proxy
component. The web dispatcher is responsible for routing incoming requests
from the load balancer to the customer-specific application (ABAP).
3. Standard users authenticate using SAML 2.0 assertions (SSO) through SAP
Cloud Identity, which handles authentication and ensures that end users can
securely access the system.
4. At the backend, the SAP HANA database powers the system, providing
optimized access through Core Data Services (CDS) views. Both the SAP
S/4HANA ABAP and SAP HANA components are managed by SAP, ensuring a
reliable and secure environment for users.

Figure 2: Customer Access to SAP S/4HANA cloud, public edition

Secure Customer Data Segregation


In the SAP S/4HANA Cloud, public edition, each customer’s environment is segregated
using a Security Group. Security Groups provide a mechanism for controlling access
and communication between different resources in the cloud. This isolation ensures
that customers’ applications and data are not exposed to other customers’
environments. Every tenant has their own ABAP application servers that operate on
distinct SAP HANA tenant databases. The SAP S/4HANA cloud, public edition relies
on the multi-tenant database containers (MDC) feature of the SAP HANA
database, which allows multiple isolated databases, referred to as “Tenant DB”. Tenant
DB refers to independent databases that are part of a single SAP HANA system
database. These databases store all the application data and configuration that are
specific to each tenant. Therefore, each SAP HANA Tenant DB has its own set of
tables, users, and security policies, and can be managed independently of other
Tenant DBs on the same system.

The customer security group allows system communication between the various
environments of the same customer. Within a customer’s environment, there are
three system landscapes: Development (D), Testing (T), and Production (P). The
customer security group enables secure communication between these systems,
ensuring that only authorized users and resources within the same customer’s
environment can access and interact with the data and processes in these systems.

Integrated Secure Landscape

Secure connectivity between SAP S/4HANA cloud, public edition and SAP Business
Technology Platform can be established via several methods. These include
standard OData services in SAP S/4HANA cloud that can be consumed by
applications running on SAP BTP, and the Integration Suite in SAP BTP, which integrates SAP
S/4HANA Cloud with other services and applications on SAP BTP through
integration flows that define how data is exchanged between the systems.
Additionally, customers can expose SAP S/4HANA Cloud services as APIs and consume
them in their applications on SAP BTP. The secure connectivity can be established
between SAP S/4HANA Cloud and SAP BTP leveraging the security and authentication
mechanisms available, such as OAuth 2.0, SAML 2.0, and client certificates. For
example, SAP S/4HANA Cloud uses OAuth 2.0 for authentication and authorization.
This ensures that only authorized users and applications can access data in SAP BTP.

SAP S/4HANA Cloud, public edition subscription contains embedded SAP Analytics
Cloud and is automatically deployed and configured during tenant provisioning.
However, this is limited to only live connection to S/4HANA Cloud tenant.

Figure 3: Secure Integrated Landscape

Encryption Controls:
By default, SAP manages the data-at-rest encryption keys for SAP
S/4HANA cloud, public edition. To manage the encryption keys, two Secure Stores in
the File System (SSFS) are used. The Instance SSFS stores various encryption root
keys (data volume, log volume, backup), while the System PKI SSFS stores system-
internal root certificates for secure internal communication. The contents of both
SSFSs are protected by SSFS Master Keys, which are generated during installation.
There is an option for customers to use Customer-Controlled Encryption Key
integration. You can refer to the documentation for details.
Figure 4: Data Protection and Encryption Stack

API Security:

Customers should follow a best-practice approach to the security settings under their
responsibility. SAP BTP provides API Security in API Management. The SAP S/4HANA
cloud provides the Business User Change API, Security Audit Log API, Business Role
Change API, OAuth 2.0, SAML 2.0, and Cross Origin Resource Sharing security. Besides,
customers should establish strong authentication methods for business
users, such as multi-factor authentication and single sign-on. Additionally, it is crucial
to define and enforce appropriate authorization levels based on users’ roles, to securely
configure and manage trusted certificates for secure communication channels, and to
implement read access logging to monitor and audit data access for potential
security breaches or unauthorized activities.

Figure 5: API Security

Data Protection and Privacy

While SAP, as a data processor, is committed to protecting data through its Data
Processing Agreement and Technical and Organisational Measures, SAP S/4HANA
cloud application offers built-in security features and specific data protection
functions that customers can easily customize to their needs to meet their data
privacy compliance. These functions include consent management, security audit
logs, read access logs, blocking, and deletion of personal data.
Figure 6: Data Privacy in SAP S/4HANA cloud, public edition

For more details on the Data Protection and Privacy features available with SAP S/4HANA
cloud, public edition, please refer to this documentation.

RPA

SOAP vs REST API
