SAP Build Apps : Principal Propagation with S/4HANA Cloud


Building enterprise-ready applications was never easy before and thanks to SAP Build Apps which provides a no-code low-code platform with great features. When we talk about enterprise-ready applications, the first 2 topics that strike me are 2A’s (Authentication & Authorization). As we know, it’s super easy to build these applications SAP Build Apps, but it’s also important to understand how we can handle these 2A’s. In our blog will try to understand how we can achieve user propagation with SAP Build Apps and S/4HANA Cloud.

Gunter Albrecht and I were discussing different possibilities on this topic and decided to go with this approach and test the e2e integration.

To understand this better, let’s refer to the following flow where a user wants to access a remote cloud system via a cloud application hosted with the same user-id and authentication provided by the cloud application (Not the remote cloud system).



Business Context:

We will be building a S/4HANA Cloud Extension application using SAP Build Apps, which will be used by a Business user in the Purchase department to check the list of purchase orders (Let’s keep it simple, it will be just a list).

The business user will be accessing the extension application deployed on BTP. You have a choice of the runtime environment which is Kyma / Cloud foundry as both runtimes support Authentication & Authorization on BTP with a deployed web application. Before we proceed further, let’s check our prerequisites for user creation –

  1. Business user created in S/4HANA Cloud
  2. Business user created in SAP BTP (Same email address which was used in S/4HANA Cloud)

Note – To create these users, you will need admin rights, for which you can contact your IT team in case you don’t have them.

We will be using principal propagation to achieve the above-described flow. Let’s also understand What is principal propagation? The user is propagated from a cloud application to another remote (cloud) system using a destination configuration with authentication type OAuth2SAMLBearerAssertion.

S/4HANA Cloud setup for the communication user

We need a communication user which is nothing but a type of technical user that can be used for inbound communication in the system. With this, we need to create a communication arrangement w.r.t communication system. To set up these please follow the GitHub guide and make sure you have noted the following points at the end which will be needed in the next steps.

Points to be noted –

  1. User Credentials
  2. When you have the communication arrangement created, choose OAuth 2.0 Details. Copy and save locally the fields and their values. You will need them when setting up the destination in the SAP BTP cockpit.

The next step is to create a business user with the same email ID with which you are going to access the BTP application. Please assign the respective business roles, e.g. for purchase orders, you can assign SAP_BR_PURCHASER

SAP Build Apps web application development

We will not cover the entire process of building applications using SAP Build Apps, you can get started with or from my previous blog where a simple card was created for SAP Build Work Zone Advanced Edition. You can deploy this application on Kyma Runtime or CF Runtime, choice is yours according to your business needs, we support both.

In any case, we need to configure a destination to consume the S/4HANA Cloud api’s to fetch Purchase Orders information from the system.

Please refer to the following screenshot of a destination created with the required details.



To test the connectivity of this destination from build apps, make sure you have enabled the BTP authentication and added it under SAP Systems as shown below –

Now select the required entity, in my case it’s A_PurchaseOrder, and test (Browse Data) if it can connect to the remote system and pull the data in the test section.

A successful connection shows a list of the purchase orders, which means this connection was able to authenticate my user with BTP authentication and forward(Assert) the details into the S/4 API request, where it actually authorized my user against the assigned business role. You can also verify the user propagation by removing the business role against your user from the S/4HANA cloud.

Demo – 

We have added the web application as content within SAP Build WorkZone Advanced edition and tried to access it. You can also do the same with SAP Build WorkZone Standard Edition (Launchpad). In this demo, you will see the application took the default IDP of the subaccount for authentication and propagated my user to the remote system.

Conclusion – 

This opens a lot of opportunities for customers/partners to leverage SAP Build Apps to build extensions without worrying about our 2 A’s (Authentication & Authorizations). Please let me know your thoughts on this and which of the use case you think fits the best.

References –

  1. Communication Arragment. – Github
  2. OAuth2SAMLBearerAsertion – Link

Original Article:

Related blogs


Please enter your comment!
Please enter your name here