SAP Innovation Management Master Guide

PUBLIC
Document Version: 2.0 – 2018-01-31
SAP Innovation Management: Master Guide

Content
1 Document History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 About this Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Related Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Important SAP Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.4 Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3 SAP Innovation Management Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.1 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 What's New. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
4 Installation Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1 Special Consideration for Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2 System Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.3 SAP INM Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
4.4 Technical User Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.5 Innovation System Manager Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
4.6 Admin User Setup Checkpoint and Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.7 Acquiring Repository Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.8 Application Security Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.9 Run after Import Scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
4.10 Schedule Batch Jobs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.11 User and Group Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
User Upload. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Group Upload. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
User Log and Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.12 Automatic Grouping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
4.13 Setting Up DB Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.14 SAML Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Maintaining the Trust Relation between the HANA System and the Identity Provider. . . . . . . . . . . . . 28
Enable SAML Logon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Troubleshooting SAML Logon Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.15 Innovation Manager Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5 Update Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.1 Special Consideration for Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

2 PUBLIC Content
5.2 Notifying Users about Maintenance Activities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
6 Landscape Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
7 Application Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
7.1 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
7.2 General Steps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7.3 Individual Application Configuration Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Customize your own PPT Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Config Email Notification Rule for Customized Status Action. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
7.4 Settings in Innovation Office. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
7.5 URL Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
7.6 Export Ideas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
8 Business Scenario of SAP Innovation Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

8.1 Run an Idea Campaign for Product Innovation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
9 Security Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
9.1 Data Protection and Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
User Consent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Read Access Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Deletion of Personal Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Change Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
10 Integration with SAP Portfolio and Project Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

10.1 Integration from SAP Portfolio and Project Management to SAP Innovation Management. . . . . . . . . . . . 59
10.2 Integration from SAP Innovation Management to the Portfolio and Project Management. . . . . . . . . . . . .61
11 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
12 Release Availability Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Content PUBLIC 3
1 Document History
Publishing Date Change Related Links
January 2018 Data Protection and Privacy Security Considerations [page 53]

4 PUBLIC Document History
2 Getting Started
2.1 About this Document
Purpose
This Master Guide is the central starting point for the technical implementation of SAP Innovation Management.
You can find cross-scenario implementation information as well as scenario-specific information in this guide.
Use the Master Guide to get an overview of SAP Innovation Management, and the required steps for installing the
application, setting up the required system landscape, and configuring the system.
The Master Guide consists of the following main sections:
● Installation guide
● Update guide
● Landscape setup
● Configurations
Constraints
● You can use the business scenarios as examples of how you can use SAP software in your company. The
business scenarios are only intended as models and do not necessarily run the way they are described here in
your customer-specific system landscape. Ensure to check your requirements and systems to determine
whether these scenarios can be used productively at your site. Furthermore, we recommend that you test
these scenarios thoroughly in your test systems to ensure they are complete and free of errors before going
live.
● This Master Guide primarily discusses the overall technical implementation of SAP Innovation Management,
rather than its subordinate components. This means that additional software dependencies might exist
without being mentioned explicitly in this document. You can find more information on component-specific
software dependencies in the corresponding installation guides.

Getting Started PUBLIC 5
2.2 Related Information
The following resources provide access to more information about general topics, such as software downloads,
customer incidents, or high availability.
Resource Where to Find It
User assistance for SAP Innovation Management http://help.sap.com/inm
Information about creating customer incidents http://support.sap.com/incident
SAP Notes search http://support.sap.com/notes
SAP Software Download Center http://support.sap.com/swdc
Product Availability Matrix http://support.sap.com/pam
Early Knowledge Transfer and role-specific learning maps http://support.sap.com/ekt
Sizing http://service.sap.com/sizing
Network security http://service.sap.com/securityguide
High availability http://www.sdn.sap.com/irj/sdn/ha
Performance http://service.sap.com/performance
Information about support package stacks, latest software http://support.sap.com/sp-stacks

versions and patch level requirements
Information about Unicode technology http://www.sdn.sap.com/irj/sdn/i18n
Related Master Guides
The Master Guides for cross-industry applications form the basis of this Master Guide. You can find more
information about the relevant applications in the following documents:
Title Location
Master guide for SAP HANA https://help.sap.com/ and navigate to SAP HANA Platform
Relevant Version Installation and Upgrade SAP HANA
Master Guide

6 PUBLIC Getting Started
Related Operations Information
SAP Innovation Management 2.2 is based on SAP HANA, SPS 12. Please check note SAP Note 2396823 for
exact HANA revisions that shall be used for SAP Innovation Management.
The operations guide for SAP HANA covers the general operations information for the following areas:
● Technical system landscape

● Overview of technical runtime scenarios, which result from setting up the corresponding business scenarios
● Monitoring concept
● Logging and tracing
● Technical configuration
● Backup and recovery
● Periodical tasks
● High availability concept
● Starting and stopping (by which means and in which sequence)
● Scenario administration concept (possible dependencies between scenario components)
● Concept for monitoring, error handling, restart and recovery of interfaces
● Concept for data archiving and management of outdated technical data
● Software change management
● Scenario maintenance concept
● Concept for handling customer development
● Support desk management
● Troubleshooting
You can find more information about the corresponding operations guide in the following table:
Title Location
SAP HANA Platform https://help.sap.com/ and navigate to SAP HANA Platform
Relevant Version
Deployment
The SAP HANA Master Guide covers the deployment of SAP HANA delivery units. You can find more information
about the corresponding section in the following table:
Title Location
SAP HANA Content https://help.sap.com/ and navigate to SAP HANA Platform
Relevant Version Installation and Upgrade SAP HANA
Master Guide

Getting Started PUBLIC 7
Title Location
Installing and Updating SAP HANA Products https://help.sap.com/ and navigate to SAP HANA Platform
Relevant Version Development SAP HANA Developer
Guide
2.3 Important SAP Notes
You must read the following SAP Notes before you start the installation. These SAP Notes contain the most recent
information on the installation, as well as corrections to the installation documentation.
Make sure that you have the up-to-date version of each SAP Note, which you can find at http://support.sap.com/
notes .
SAP Note Number Title Description
SAP Note 2396823 SAP Innovation Management 2.2 Re This note contains the latest information
lease Note about installing SAP Innovation Manage
ment
2.4 Support
You can create SAP Innovation Management specific incidents on https://support.sap.com/incident using the
application component PLM-INM.

8 PUBLIC Getting Started
3 SAP Innovation Management Overview
3.1 Overview
SAP Innovation Management is used to manage innovation by collecting and filtering ideas of internal or external
users. The basic scenario is innovation management.
SAP Innovation Management uses the following software components:
● SAP HANA
Note
SAP Innovation Management currently supports SAP HANA 1.0 only.
● SAP Innovation Management
To download SAP Innovation Management, see Software Center and navigate to Installation and Upgrades or
Support Packages and Patches Alphabetical Index (A-Z) I SAP Innovation Management .
For more information about how to set up the system landscape, see Landscape Setup. Please consult the release
note 2396823 for the exact HANA revision used for setup.
For more information about the system landscape, see SAP Help Portal and navigate to SAP HANA Platform
Relevant Version Installation and Upgrade Master Guide e.
3.2 What's New
New User Interface
In SAP Innovation Management 2.2, the user interface has been upgraded for most of the application functionality.
To educate the end users of these changes, you would need to consider the following sections.
Changed URL Paths
The new user interface uses different URL paths. Redirects are taken care of, but previous links should be adjusted
and new links should be used instead. The following table gives an overview about the changes in the URL paths:

SAP Innovation Management Overview PUBLIC 9
URL Path Innovation Management 1.0 URL Path Innovation Management 2.2 Comment
/sap/ino/ui/frontoffice /sap/ino/ Please note the trailing slash
/sap/ino/ui/mobile /sap/ino/ Mobile is handled responsive
/sap/ino/ui/mashup /sap/ino/ui/mashup Unchanged
/sap/ino/ui/backoffice /sap/ino/ A common user interface now handles

most parts of the Innovation Office. Only
/sap/ino/config
configuration parts remain.
New Role for External Analytics Tools
It is mandatory to assign the role sap.ino.authorizations::analytics_user for users that need to access
SAP Innovation Management data using external analytics tools like SAP Lumira, etc.

10 PUBLIC SAP Innovation Management Overview
4 Installation Guide
To install SAP Innovation Management, you would need to carry out the procedures discussed in the following
sections, in the order in which they appear here.
Note
Even if you are setting up the system as a system's user, you can experience a lack of sufficient authorization.
This applies to the authorizations for the SAP HANA XS Engine based tools.
For more information about SAP HANA XS Administration Roles, see SAP Help Portal and navigate to SAP
HANA Platform Relevant Version Administration SAP HANA Administration Guide Application Run-Time
Services Maintaining the SAP HANA XS Classic Model Run Time SAP HANA XS Administration Tools .
This chapter contains a comprehensive list of the roles required for these tools. Depending on your specific
scenarios, you might need some or all of these roles in addition to the database system privileges.
4.1 Special Consideration for Installation
Installation Checklist
Steps Installation Comments
Plan HANA Revision Yes Supported SAP HANA version for Sap In
novation Management is described in
corresponding release information note.
Besides SAP INM Installation, SAP In

novation Management can also be instal
led from the life cycle management Web
UI
http://
<fully_qualified_host_nam
e>:<por t>/sap/hana/xs/lm
For more information, please refer to

Technical User Setup [page 16].

Installation Guide PUBLIC 11
Installation SAP HANA Yes Refer to the SAP Help Portal, navigate to
SAP HANA Platform Relevant
Version Installation and Upgrade ,

and navigate to SAP HANA Master Guide
and Sap HANA Server Installation and
Update Guide.
System Configuration Yes System Configuration [page 14]
SAP INM Installation Yes SAP INM Installation [page 15]
SAP Innovation Management can also be

installed from the life cycle management
Web UI
Sample Code
http://
<fully_qualified_host_n
ame>:<por t>/sap/
hana/xs/lm
Technical User Setup Yes Technical User Setup [page 16]
Innovation System Manager Setup Yes Innovation System Manager Setup [page
17]
Admin User Setup Checkpoint and Trou Yes For more information, please refer to the
bleshooting following sections:
● Admin User Setup Checkpoint and

Troubleshooting [page 18]
● Landscape Setup [page 37]
● Application Configuration
Application Security Setup Yes Application Security Setup [page 19]
If you want to enable SAML as well, refer

to SAML Setup [page 28].
Run After Import Scripts Yes With a new installation, typically there
will be steps like:
1. Run after import scripts

2. Database restart
3. Run after import scripts again
Schedule Batch Jobs Yes Schedule Batch Jobs [page 20]

12 PUBLIC Installation Guide
User and Group Administration May There are two approaches for user man
agement:
Setting Up DB Users
● Manual import&DB user manual
creation or
● Manage user in IDP with SAML inte
gration
SAML Setup May There are two approaches for user man
agement:
● Manual import&DB user manual

creation or
● Manage user in IDP with SAML inte
gration
Innovation Manager Setup Yes Admin User Setup Checkpoint and Trou
bleshooting [page 18]
Landscape Setup Yes Landscape Setup [page 37]
Application Configuration Yes For more information about this, refer to

Application Configuration
Note
To install and configure SAP Innovation management, the user requires roles like:
CONTENT_ADMIN
sap.hana.xs.admin.roles::JobSchedulerAdministrator
sap.hana.xs.admin.roles::TrustStoreAdministrator
sap.hana.xs.admin.roles::SQLCCAdministrator
sap.hana.xs.admin.roles::SAMLAdministrator sap.hana.xs.ide.roles::Developer
sap.hana.xs.lm.roles::Administrator
sap.hana.xs.admin.roles::RuntimeConfAdministrator
Additional Hints
It is highly recommended that no application users except the administrator remain logged in during an upgrade.
It is also recommended to not to use different administration tools at the same time to access the same objects.
Do no use the HANA XS Web administration tools and/or HANA Studio and/or the command line tools without
properly logging out from the other tools. Otherwise, there can be pending processes that may lock or deadlock
the concurrent accesses.

4.2 System Configuration
To optimize your system for SAP Innovation Management, we recommend some specific server configurations. For
more information about these configurations, see the following chapters.
Timeout Settings
For most users, the default SAP HANA timeout settings are too short. For this reason, we recommend increasing
them substantially. You can see recommended values in the following table:
Configuration File Section Parameter Target Value
indexserver.ini authentication session_cookie_validity 3600

_time
xsengine.ini httpserver sessiontimeout 3600
You can set them either in the SAP HANA Studio or directly from an SQL console, as shown in the following:
Sample Code
alter system alter configuration ('indexserver.ini', 'SYSTEM')

set ('authentication', 'session_cookie_validity_time') = '3600';
alter system alter configuration ('xsengine.ini', 'SYSTEM')
set ('httpserver', 'sessiontimeout') = '3600';
Mail and Host Configuration
SAP Innovation Management sends informational mails to its users. Mail delivery needs to be configured so that
mails can be sent. The configuration requires the host name of the server for mail transfer and the port in the
xsengine.ini file section "smtp".
Some of the mails sent by SAP Innovation Management contain links pointing back to the server. Because of
different DNS mappings for internal and external access, the base URL for such links can differ, depending on the
intended recipient. This means 'internal' and 'external' users receive mails that contain different links. Of course,
the difference is the fully qualified host name and/or the port number. Thus, it is possible to configure two different
base URLs, in the innovation_management section of the xsengine.ini configuration.
All of the mails sent by SAP Innovation Management contain a response e-mail address configured in the
innovation_management section.
Note
At this time, SAP Innovation Management does not evaluate response emails. So, unless somebody handles the
response mails, they are ignored.

If the external and internal host names are equal, the host_external parameter is optional. If it is missing, the
system automatically uses the value stored in the host parameter.
Since the system sends out mails asynchronously, the corresponding job must be scheduled. This is configured
later. However, the scheduler must be enabled for the configuration to have any effect.
Configuration File Section Parameter Target Value
xsengine.ini smtp server_host <host name>
xsengine.ini smtp server_port <mail port, typically 25>
xsengine.ini innovation_management host <base url>
xsengine.ini innovation_management host_external <base url>
xsengine.ini innovation_management email_sender <email_sender>
xsengine.ini scheduler enabled <true>

set ('smtp', 'server_host') = '<fully qualified mail server host name>';
set ('smtp', 'server_port') = '25';
set('innovation_management','host') =
'http://<fully qualified host name>:<port>';
set ('innovation_management','host_external') =
'http://<fully qualified host name>:<port>';
set ('innovation_management','email_sender') =
'<email_sender>';
set ('scheduler', 'enabled') = 'true';
4.3 SAP INM Installation
Installation and upgrade of SAP Innovation Management is carried out with hdbalm, the command line tool of SAP
HANA application lifecycle management, which is available as part of the HANA client installation. You can use the
following command for installing SAP Innovation Management:
hdbalm -h <host> -p <port> -u <user> install <path to software archive>
Where <port> is the http port of the XS Engine (typically 80nn with nn as the instance number).
For more information, see Installing and Updating Add-On Products and Software Components under SAP Help
Portal and navigate to SAP HANA Platform SAP HANA Administration Guide SAP HANA Application Lifecycle
Management .

Note
The sap.hana.xs.lm.roles::Administrator role must be assigned to the user performing the
installation.
4.4 Technical User Setup
SAP Innovation Management is a SAP HANA XS application. The SAP HANA XS Engine executes JavaScript code
where most of the application logic resides. SAP Innovation Management implements its own application-specific
user and authorization concept. This concept is implemented on top of SAP HANA’s user and authorization
concept and extends it.
The persistency resides in the schema SAP_INO. No application user must get access to this schema. Access must
be restricted to the code running in the JavaScript layer. This JavaScript code requires a sqlcc (technical user)
connection that has sufficient privileges though.
You can use the following SQL code to create the technical user:
create user HCO_INO_TECHNICAL_USER password <some password>;

alter user HCO_INO_TECHNICAL_USER disable password lifetime;
call _sys_repo.grant_activated_role(
'sap.ino.authorizations::technical_user', 'HCO_INO_TECHNICAL_USER' );
The technical user can be assigned to the application with the SAP HANA XS Administration Tool.
http://<fully qualified host name>:<port>/sap/hana/xs/admin/
Navigate to package sap.ino.xs.xslib and assign the technical user HCO_INO_TECHNICAL_USER as the
database user for the application’s SQL connection. Follow the URL below and enter the user name and password
of the technical user (HCO_INO_TECHNICAL_USER).
http://<fully qualified host

name>:<port>/sap/hana/xs/admin/#/package/sap.ino.xs.xslib/sqlcc/dbuser
If you fail to assign this user due to missing authorizations, your user can be missing one or all of the following
roles:
● sap.hana.xs.admin.roles::SQLCCAdministrator
● sap.hana.xs.admin.roles::SQLCCViewer
Note
These roles contain different privileges. None of these is a superset of any of the other during setup. You might
prefer to have the privileges of all three roles.

4.5 Innovation System Manager Setup
Application user upload requires elevated privileges. We recommend granting these privileges to a special user for
bootstrapping. For enhanced security, we highly recommend that this user is not an application user. In contrast to
a SAP HANA system manager user, this user can access SAP Innovation Management.
We refer to this user role as the Innovation_System_Manager.
It is possible to assign this role to any administrative user, as long as this user does not become an application user
later. Depending on your system administration approach, it may be reasonable to assign the
Innovation_System_Manager to an SAP HANA system manager user.
You may create such a role as described below:
create role "Innovation_System_Manager";

'sap.ino.authorizations::innovation_system_manager',
'Innovation_System_Manager'
);
Note
Do not combine the roles sap.ino.authorizations::backoffice_user,
sap.ino.authorizations::community_user, or sap.ino.authorizations::innovation_manager
with this role.
After creating this role, you need to grant it to a suitable user as shown below:
grant "Innovation_System_Manager" to <innovation management system admin>;
Alternatively, you can assign the pre-shipped role directly to the innovation system manager, as shown below:
create user INNOVATION_SYSTEM_MANAGER password <some password>;

'sap.ino.authorizations::innovation_system_manager',
'INNOVATION_SYSTEM_MANAGER'
);
Note
These users must not get access to user interfaces of SAP Innovation Management. They must especially, they
must not be assigned the roles sap.ino.authorizations::backoffice_user,
sap.ino.authorizations::community_user, or sap.ino.authorizations::innovation_manager.
Once an Innovation_System_Manager user is created, the user must self-register with SAP Innovation
Management as shown below:
call
"SAP_INO"."sap.ino.db.iam.admin::grant_innovation_management_system_admin_privil
eges"('<innovation management system admin>',
'<admin first name>',
'<admin last name>',
'<admin email address>',
?, ?);

In case the procedure fails, error messages would be delivered with the relevant information. In case of success, it
contains some internal IDs that you could ignore. These IDs are only relevant for SAP development support.
Additional Considerations
During setup and/or troubleshooting, it is very helpful to be able to access the application schema SAP_INO. All
required privileges for this are contained in the role (sap.ino.authorizations::technical_user) for the
technical user. If this role is assigned to the innovation system administrator, troubleshooting and setup becomes
easier.
'sap.ino.authorizations::technical_user',
'INNOVATION_SYSTEM_MANAGER'
);
Note
Although this assignment is very convenient for the administrators, it may fail to comply with your security
policies. The issue is that these privileges allow the administrators to access and alter any SAP Innovation
Management table content. We recommend granting this authorization to administrators during setup. In
productive systems, you should remove this authorization role after successful installation.
4.6 Admin User Setup Checkpoint and Troubleshooting
At this stage in the process, the application is functional but not yet ready. To verify if this is the case, call (as SAP
Innovation System Manager) the following URLs with a browser.
<hostname>:<port>/
<hostname>:<port>/sap/ino/xs/rest/support/ping.xsjs
<hostname>:<port>/sap/ino/xs/rest/support/pingDB.xsjs
<hostname>:<port>/sap/ino/xs/rest/support/pingSchema.xsjs
If all four URLs work as desired, you may proceed. Otherwise, you need to figure out what might have failed so far.
If the first URL does not work, the SAP HANA XS engine is not running or unreachable. This is not an SAP
Innovation Management-specific issue. Check the reason for the SAP HANA XS engine being unreachable and fix
this issue.
If ping.xsjs does not respond, either SAP Innovation Management is not deployed or the user calling the ping
has insufficient authorizations. The required privilege is sap.ino.xs.rest.support::execute. This privilege
is contained in the role sap.ino.authorizations::innovation_system_manager.
If pingDB.xsjs fails to respond, most probably, the technical user cannot access the database. Double-check the
technical user connection for SAP Innovation Management and verify the authorizations of the technical user.

If pingSchema.xsjs fails to respond, although pingDB responds successfully, the technical user lacks sufficient
authorizations. Double-check the authorizations of the technical user.
Sometimes it is not easy to verify proper SAP HANA XS Engine setup with the UI-based administration tools. In
this case, it is usually helpful to access schema _SYS_XS by means of SQL and verify the content of the tables,
_SYS_XS.SQL_CONNECTIONS and _SYS_XS.RUNTIME_CONFIGURATION.
4.7 Acquiring Repository Access
Some of the following steps require access to the SAP HANA XS Repository. The easiest way to access the
repository is by means of the Web IDE, which can be reached with the URL:
<your_host>:<port>/sap/hana/xs/ide
If you cannot access the IDE, you might be missing suitable privileges and or roles. Users with role
sap.hana.xs.ide.roles::Developer plus CONTENT_ADMIN can usually access it. Depending on your security
policies, you may have to use authorizations that are more constrained.
4.8 Application Security Setup
Use the SAP HANA XS Administration Tool to set up the desired authentication mechanism for SAP Innovation
Management. You must maintain the setup for the package sap.ino.
You can use the HANA XS Admin tool to maintain this:
http://<fully qualified host name>:<port>/sap/hana/xs/admin/#/package/sap.ino/
Note
You may get an authorization error when you try to access this url. In case of this error, please confirm that the
following roles are assigned to you:
● sap.hana.xs.admin.roles::RuntimeConfAdministrator
● sap.hana.xs.admin.roles::SAMLViewer
For more information about these roles, please see SAP Help Portal and navigate to SAP HANA Platform
Relevant Version Security SAP HANA Security Guide .
If you want to activate SAML authentication, additional steps described in SAML Setup, are necessary. Unless you
have prior experience with advanced authentication mechanisms, it is advised to start with the basic
authentication and verify that everything works. Then establish https and finally enable x.509 or SAML
authentication. Once you have established the desired security level you might disable basic authentication.

Related Information
SAML Setup [page 28]
4.9 Run after Import Scripts
After installation and/or upgrade of the SAP Innovation Management deliver unit, the innovation system manager
is required to execute the after import scripts. In order to trigger these scripts, issue a HTTP POST Request to
http://<fully_qualified_host_name>:<port>/sap/ino/setup/rest/run.xsjs
You may issue a POST request with a command line http client with innovation system manager user, for example
with cURL:
curl --user<USER>:<PASSWORD> -X POST http://<fully qualified host

name>:<port>/sap/ino/setup/rest/run.xsjs
Note
The innovation_system_manager user, that has been created previously, should be used as <USER>.
In case of errors during the after import scripts, you should confirm the server response for any details. For further
information, refer to SAP Note 2069930 (After Import Method Driver).
Note
During the after import run, a manual system restart might be required as the driver does not trigger a restart
though. Instead, it terminates with an error message stating that a system restart is required. An administrator
must then manually perform the restart. Once the restart is finished, the driver can be started a second time. It
will then automatically detect that the restart was executed and continue without further errors.
4.10 Schedule Batch Jobs
Batch jobs are scheduled with the SAP HANA XS Administration Tool (http://<fully qualified host
name>:<port>/sap/hana/xs/admin/#/package/sap.ino.xs.batch/). Navigate to the package
sap.ino.xs.batch, open the jobs tab, and activate each of the jobs. To activate the jobs you need to click on
Configuration and then select the Active checkbox. In addition, you need to enter the user for the batch job (we
recommend the technical application user, for example, HCO_INO_TECHNICAL_USER). It is also mandatory to
choose a locale. The recommended value is English (en). Do not enter start/end times, as the jobs are intended to
run periodically with their pre-shipped defaults.
If you fail to edit the batch jobs due to missing authorizations, your user might be missing the following role:
sap.hana.xs.admin.roles::JobAdministrator.

If you want to deactivate all the batch jobs, you can also set the batch job scheduler to false via
http://<fully_qualified_host_name>:<port>/sap/hana/xs/admin/jobs/
This will stop all batch job in the database.
If you want to double check whether batch jobs are properly scheduled have a look at the
sap.ino.xs.batch::notification job. This is the job with the highest scheduling frequency (every 5
minutes). Therefore, if this job does not run within 5 minutes of activation, then the activation was not performed
properly.
Overview of batch jobs required in SAP Innovation Management:
Job Name Purpose
sap.ino.xs.batch::attachment_cleanup Removes orphaned attachments
sap.ino.xs.batch::feed_date Create feed for special campaign date:
● Campaign start/end
● Submission start/end
● Registration start/end
When this job is activated, system will create corresponding

feeds/notification three days before reaching an important
date of the campaign.
sap.ino.xs.batch::feed_email Send email of feed summary to corresponding user.
sap.ino.xs.batch::feed_inst_email Send instance email of certain feeds:
● New idea submitted to following campaign

● Blog posted to following campaign
● Following idea’s status changed
sap.ino.xs.batch::identity_email Send email to corresponding contact person
sap.ino.xs.batch::registration_auto_approve Auto approve registration request
sap.ino.xs.batch::notification Generates notifications for end users
sap.ino.xs.batch::notification_mail Sends notification mails to end users
sap.ino.xs.batch::setup_hints Takes care that query hints are set for performance critical
SQL queries. This can also be triggered by executing an HTTP
POST on
http://
<fully_qualified_host_name>:<port>
/sap/ino/xs/rest/admin/system/
setup_hints.xsjs
sap.ino.xs.batch::tracker Computation of usage tracking statistics

4.11 User and Group Administration
4.11.1 Overview
The user and group concept of SAP Innovation Management assumes that users and groups are typically
imported from some other system, for example, LDAP or some centralized user management. Alternatively, a
SAML identity provider may provide user management and authentication. Depending on your company-specific
security policy, you may decide to go for an upload based administration approach, to rely on an IDP or a mixed
approach.
Before we go into the details of the user management, have a look at how users and groups relate to each other.
Both users and groups are derived from the abstract class Identity. This means, both users and groups are
identities. In addition, groups may refer to any number of other identities. In other words, groups may contain both
users as well as further groups. You can reuse these groups in the same way as, for example, email distribution
lists. This is useful, for example, to assign innovation campaigns to groups instead of enumerating users
repeatedly.
User and Group as Identities
The user upload/delete as well as the group assignment of users and groups is performed by the following
services:
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/user_upload.xsjs
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/user_upload_delete.xsjs
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/group_upload.xsjs
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/group_upload_delete.xsjs
For troubleshooting purposes, it is also helpful to understand that HANA DB users are only loosely coupled with
Innovation Management users. There are two user tables; for a user on the DB User table there is not necessarily a
user on the Innovation Management User table and vice versa.
User Tables
This is a desired feature since HANA has technical users that are not intended for application access. On the other
hand, it allows uploading application users without the corresponding database users. This improves performance

during application user upload. It implies that both types of users must be created and linked with each other
before a login to the application is possible. There are several ways to achieve this.
● Upload application users from CSV file and create the DB users with CREATE USER statements
● Upload application users from CSV file and have DB users implicitly created by SAML login
● Do not upload application users; have them automatically created by SAML login
4.11.2 User Upload
For security reasons, the following service does not implicitly create any database users:
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/user_upload.xsjs
Therefore, the creation of the database users must be automated by other means, for example, by automatically
issuing CREATE USER statements. Once the users are in place, they can be imported into SAP Innovation
Management by sending suitable CSV files to the user_upload.xsjs service by the innovation system manager.
The following table describes the format of the CSV files:
Column Name Comment
1 USER _NAME SAP HANA DB user name (like in table

SYS.USERS)
(mandatory)
2 IS_EXTERNAL Flag to indicate company external users,

admissible values: 0 = internal, 1 = exter
(mandatory)
nal
3 FIRST_NAME First name of the user
(mandatory)
4 LAST_NAME Last name of the user
(mandatory)
5 NAME Full name of the user incl. title
(mandatory)
6 EMAIL Email address of the user
(mandatory)
7 PHONE Phone number of the user
8 MOBILE Mobile phone number of the user
9 COST_CENTER Cost Center of the user

Column Name Comment
10 ORGANIZATION Organization of the user
11 OFFICE Office address of the user
A standard file would contain the following lines:
"USER_NAME","IS_EXTERNAL","FIRST_NAME","LAST_NAME","NAME","EMAIL","PHONE","MOBILE","
CO
ST_CENTER","ORGANIZATION","OFFICE"
JOHNSMITH,0,John,Smith,John Smith,john.smith@example.com,,,,,
JANESMITH,1,Jane,Smith,Jane Smith,jane.smith@example.com,,,,,
Before you upload any users, you may want to verify if your user has sufficient credentials. You may also want to
get used to the interface. We recommend creating a file empty.csv, which should be blank.
The file can be uploaded with any http client, for example, cURL:
curl --user <User>:<Password>

http://<Hana_Server>:<XS_Engine_Port>/sap/ino/xs/rest/admin/system/user_upload.x
sjs --upload-file empty.csv
The response of the server is a CSV file with a valid header line that is otherwise empty.
"USER_NAME","IS_EXTERNAL","FIRST_NAME","LAST_NAME","NAME","EMAIL","PHONE","MOBIL
E","FAX","COST_CENTER","ORGANIZATION","MANAGER","OFFICE",
You may notice additional columns in this file. These are for error handling. If a user entry gives rise to errors, these
columns are filled with additional information about the error.
Since the upload service always adds or alters application users, there exists another service to delete users:
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/user_upload_delete.xsjs
This service is much simpler in its interface and only expects one column "USER_NAME".
The following table describes the format of the CSV files. The mandatory columns are in bold.
Column Name Comment
1 USER_NAME SAP HANA DB user name (like in table

SYS.USERS)
A file may thus contain lines as follows:
"USER_NAME"
JOHNSMITH
JANESMITH
You may want to leverage cUrl again to upload the file.

http://<Hana_Server>:<XS_Engine_Port>/sap/ino/xs/rest/admin/system/user_upload_d
elete.xsjs --upload-file users_to_delete.csv

Note
The CSV parser complies with the standard RFC 4180 (Attention: http://tools.ietf.org/html/rfc4180 ).
If you are using a spreadsheet (for example, MS Excel) to generate CSV files, the spreadsheet might not comply
with the standard, thereby making it impossible to parse the input. In particular, a MS Excel might use a value
separator different from a comma although it states to save the file with 'comma separated values'. This
behavior is locale dependent.
For example, MS Excel by default uses a semicolon instead of a comma for the German locale. To ensure that
the MS Excel properly handles the CSV format, its list separator must be set to ',' (comma) instead of
something else. Typically, this operating system level setting must be done outside of MS Excel. For more
information about on how to change the list separator, see the screenshot given below. Notice though that this
might break other files that rely on ';' (semi colon) as a list separator.
Steps to Change the Separator to a Comma

4.11.3 Group Upload
The group upload mechanism is similar to the user upload mechanism. Group member assignments are uploaded
by posting a CSV file to the group upload service, by the innovation system manager.
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/group_upload.xsjs
The service accepts only three columns as described below:
Column Name Comment
1 GROUP_NAME Name of the group
2 MEMBER_TYPE_CODE Either "GROUP" or "USER"
3 MEMBER_NAME Name of the group Member, DB User

Name in case of User and Group Name in
case of Group
Groups are created as needed. If group assignments are uploaded for a group, all existing assignments for this
group are deleted. Groups that are not present in the upload are not touched.
Note
The referenced group members must exist as Innovation Management Identities. Otherwise, the assignments
result in error messages.
You may want to leverage cUrl again to upload groups

http://<Hana_Server>:<XS_Engine_Port>/sap/ino/xs/rest/admin/system/group_upload.
xsjs --upload-file example.csv
For example your file might contain entries as follows:
"GROUP_NAME","MEMBER_TYPE_CODE","MEMBER_NAME"
Group_1,USER,JOHNSMITH,
Group_1,USER,JANESMITH,
Group_2,GROUP,Group_1
The implied meaning is that John and Jane are members of Group_1 and Group_1 is a member of Group_2. Hence,
John and Jane are also members of Group_2.
Since the upload, service always adds or alters memberships; it becomes impossible to delete groups. Hence,
there exists another service to delete groups.
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/group_upload_delete.xsjs
This service is much simpler in its interface. It only expects one column "GROUP_NAME". The following table
describes the format of the CSV files. The mandatory columns are in bold.

Column Name Comment
1 GROUP_NAME Name of the group
A file may thus contain lines as follows:
"GROUP_NAME"
Group_1
Group_2
You might want to leverage cUrl again to upload the file.

http://<Hana_Server>:<XS_Engine_Port>/sap/ino/xs/rest/admin/system/group_upload_
delete.xsjs --upload-file groups_to_delete.csv
4.11.4 User Log and Auditing
SAP HANA provide you a standard auditing functionality that you can log and monitor user data that selected
actions performed in the SAP HANA database
Please refer to: http://help- legacy.sap.com/saphelp_hanaplatform/helpdata/en/dd/

cb6ed2bb5710148183db80e4aca49b/content.html to do the configuration.
4.12 Automatic Grouping
Whenever new users are registered with SAP Innovation Management, they are implicitly assigned to the All users
group and either the External users or Internal users group.
In addition, they are also assigned to the following groups:
● Email Domain Name

The email domain name is normalized to lower case.
Note
If your setup allows users to set their email addresses (and thus their domain names) arbitrarily, it may NOT
be a good idea to use mail domain based groups for restricting user access.
● Cost Center
● Organization
If these groups do not exist when required, the system will automatically create them. Explicit alteration of these
groups is not possible. It is possible though to use these groups as members in other groups. In the exceptional
case that a group was created before the system could possibly implicitly create it, the system will replace this
group accordingly.

4.13 Setting Up DB Users
As mentioned in the introduction the user/group upload will only register the users with the application. They
cannot login to SAP HANA unless there is also a DB user for them. The obvious way is to create them by means of
SQL. This can be automated with the hdbcli command line tool. No additional provisions besides those
mentioned are necessary. Once a HANA DB user logs in to Innovation Management, the application checks if this
is a registered application user and automatically assign the necessary basic privileges to this user.
Automatic DB user creation by means of x.509 authentication is also possible. However, since x.509 certificates
usually do not contain enough attributes, they do not support automatic user enrollment with Innovation
Management. With other words: if you use x.509 you have to upload the users to register them with the
application. The benefits of x.509 are single sign on support and from an administrator perspective that you do not
need to create the DB users in advance (if you configure SAP HANA accordingly).
From an overall perspective SAML is to be preferred though as it supports single sign on and fully automatic user
enrollment.
4.14 SAML Setup
SAP HANA as well as SAP Innovation Management support authentication by SAML. If a user is authenticated by
SAML then the Innovation Management application automatically registers this user. This happens even if the user
was not uploaded earlier. Therefore, user upload is not required in system setups with SAML authentications.
If you are already satisfied with the implicitly generated automatic groups, then the user upload can be avoided as
well.
Since the specific SAML setup does not depend on SAP HANA/Innovation Management alone but also on your
specific SAML Identity provider, we shall only outline what needs to be done on the IDP side.
To setup SAML, you need to establish trust relationships between SAP HANA/Innovation Management and your
Identity Provider (SAML IDP) and vice versa. In addition, you need to ensure that the SAML assertion parameters
are correctly mapped (on the IDP side) for implicit user creation.
For more details on the setup, refer to the SAP Help Portal and navigate to SAP HANA Platform Relevant
Version Administration SAP HANA Administration Guide Application Run-Time Services Maintaining the
SAP HANA XS Classic Model Run Time Maintaining Single Sign On for SAP HANA XS Applications . If you do not
have at least a basic understanding of SAML, you may want to consult a (SAP HANA) security expert for this setup.
4.14.1 Maintaining the Trust Relation between the HANA

System and the Identity Provider
Before we can enable SAML logon, we need to establish the trust relation from HANA (in the role of SAML Service
provider "SP") to the Identity Provider ("IDP"). That is, SP configuration should trust the IDP and vice versa.

Required Privileges
On the HANA (SP) side, your user is required to maintain entries in the 'trust store'. To maintain the trust store (at
least) the sap.hana.xs.admin.roles::TrustStoreAdministrator role must be assigned to the system
administration user.
On the IDP side, the required privileges depend on your specific IDP. Please consult your IDP administrators for the
specific details and requirements.
Setting up the HANA System as a Service Provider
You can configure the HANA System as a SAML service provider with the help of the HANA XS Admin Tool (
http://<Hana_Server>:<XS_Engine_Port>/sap/hana/xs/admin/#/samlSP.
) as follows:
1. Navigate to the SAML Service Provider tab and click Edit

2. Enter (at least) the service provider name
In SAML 2.0 terminology, this is the name of the service provider entity descriptor unique ID.
The fully qualified domain name of your system is a recommended service provider name. However, if there
are several HANA instances running on the same system, the FQDN of the system will not provide a unique ID
anymore. In this case, you may add the instance number to the name, to enforce uniqueness.
3. After you have saved the setup, you need to transfer (for example, copy and paste) the metadata XML to your
identity provider.
Registering the Service Provider at the Identity Provider
Get administrative access to your IDP and register a new service provider (SP). Import the metadata obtained in
the previous step. Although this establishes trust, it is not sufficient to ensure that the SAML assertion attributes
actually match. Please follow the steps below to fix this.
Configuring the Login User Name at the Identity Provider
Your identity provider may allow several choices for the login user name (also known as the "SAML Name ID
Attribute"). The process of creating HANA DB users will use the Name ID attribute. Hence, mapping of this
attribute to something that will establish valid HANA DB user names is mandatory.
Note
Email addresses or IDs that contain special characters like dots or quotation marks are not suitable.
Since the HANA user name will not be visible in the application technical user names, for example, P<nnnnnn>
with <nnnnnn>, a unique number are recommended. For the SAP IDP, such a user name would be the "Profile
ID".

Configuring the SAML Assertion Attributes
Typically, Identity Providers can be configured to send more attributes than the Name ID attribute. Innovation
management expects the following attributes to be configured and properly mapped (you can find the mandatory
attributes in bold):
SAP Innovation Management Assertion Attribute Description
first_name First name of the user
phone
last_name Last name of the user
name Display name of the user
email Email address of the user
is_external Flag to indicate if a user is "internal" or "external".
Value 0 (=internal) or 1 (=external) (optional)
phone Phone number of the user (optional)
mobile Mobile phone number of the user (optional)
cost_center Cost center assignment of the user (optional)
organization Organization of the user (optional)
company Company of the user(optional)
office Office of the user(optional)
street Street of the user(optional)
city City of the user(optional)
country Country of the user(optional)
zip_code Zip code of the user(optional)
Note
The attributes must be written in lower case and match exactly as stated above.

Registering the Identity Provider at the HANA System
Once you have the IDP configured, export its metadata XML and import it in the HANA System (SP). This can be
done with the HANA XS Admin Tool, under the URL
http://<Hana_Server>:<XS_Engine_Port>/admin/#/samlSP
Use the tool to add a new identity provider entry with your IDP's metadata.
Before you save the new entry, ensure that you have checked the "Dynamic User Creation" flag for your identity
provider. If this flag is checked, user creation begins after user authentication with a SAML assertion. If you do not
check this flag, the users must be distributed to the HANA System before they try to login. This is also a valid
option but requires performing the user upload (as described above).
Since one of the main focus of SAML is to avoid the process of user upload, it is recommended that you check this
box.
4.14.2 Enable SAML Logon
SAML logon can be enabled with the SAP HANA Admin Tool (the URL is
http://<Hana_Server>:<XS_Engine_Port>/sap/hana/xs/admin/#/package/sap.ino
Checkmark the authentication method SAML and chose the desired identity provider in the checkbox. If there is
no identity provider to choose then repeat the step Registering the Identity Provider at the HANA System.
4.14.3 Troubleshooting SAML Logon Configuration
Security mechanisms are designed to be "brittle" and SAML is no exception. Hence, even the smallest mistake
may lead you to a configuration that does not work. Here are some general hints on how to trouble shoot the
configuration in case of failure.
The most common failure in case of a correct configuration is a message "Assertion did not contain a valid
MessageID" during logon. This is usually caused by a SAML assertion timeout. The remedy is to extend the
timeout to at least 30 seconds. To achieve this enter the following SQL (as administrator) in the SQL console:
alter system alter configuration ('indexserver.ini', 'SYSTEM') set ('saml',

'assertion_timeout') = '30' with reconfigure;
Another common source of confusion is the choice of authentication method per package. The system configures
the packages hierarchically and maintains authentication settings on a package level. Thus, even if you maintain
SAML at a package high in the hierarchy, the configuration of a lower package may work differently. This in turn
can lead to strange application behavior. With SQL, you can query the database for the authentication settings of
all packages.
select
"PACKAGE_ID", "CONFIGURATION", "CHANGED_BY", "CHANGED_AT"

from "_SYS_XS"."RUNTIME_CONFIGURATION"
order by
package_id
If these issues are not the cause of your issues, you would need to further investigate the SAML handshake. The
typical approach is to install a browser plugin (for example, SSO Tracer for Firefox) and log the handshake during
login. An analysis of the log files will then typically reveal hints about the root cause of the issues. If you fail to
identify a root cause, you may want to consult some (SAP HANA) SAML expert for further investigations.
4.15 Innovation Manager Setup
After upload of an initial set of users is complete, an innovation manager must be assigned. The innovation
manager controls the business aspects of SAP Innovation Management. In particular, this user can assign
campaign managers who are responsible for currently running campaigns.
Note
Unlike the innovation system manager, the innovation manager can access the user interface of the application.
To assign a user as innovation manager, the corresponding role

sap.ino.authorizations::innovation_manager must be granted.
'sap.ino.authorizations::innovation_manager', '<user>' );
After this step you may login with the innovation manager user to the application. The two URLs are:
● http://<Hana_Server>:<XS_Engine_Port>/sap/ino/
● http://<Hana_Server>:<XS_Engine_Port>/sap/ino/config/
The application is not yet configured with any content so the screens will not show any content. It is acceptable if
the very first start of the application takes some time, as the application caches are initially empty.
Additional Information
For more information about user management in SAP Innovation Management, see the related section in the SAP
Innovation Management Application Help at SAP Help Portal and navigate to SAP Innovation Management
Relevant Version Application Help .

5 Update Guide
5.1 Special Consideration for Update
Campaign Design
You would need to revisit campaigns with multiple design elements, to confirm that their appearance in the new
user interface is still satisfactory. If required, adjustments to background images and page layouts can be adjusted
in campaign configuration.
User Interface Extensibility
Customer extensions to the user interface have been done on a project basis. These extensions need to be
rewritten for the new user interface. Customers should get in touch with their implementation partner before of
the upgrade.
Update Checklist
In case of upgrades, you can skip some of the configuration steps performed during with the previous installation.
However, some steps are mandatory:
Steps Update Status Comments
Notifying Users about Mainte Yes It is a recommended that your

nance Activities [page 35] users are notified before any
updates are performed.
Note
It is recommended to send
an official email in case this
is not a planned downtime
schedule.

Update Guide PUBLIC 33
Perform SAP HANA backup Yes Yes Perform a backup of SAP In
novation Management before
update.
Update SAP HANA May May Plan SAP HANA update in

case required.
Please refer to the SAP Inno

vation Manage release note.
Deactivate the batch jobs Yes Yes Batch Job needs to be deacti
vated before upgrading to the
new version of SAP Innovation
Management. The easiest way
is to deactivate the batch job
scheduler using
http://
<fully_qualified_h
ost_name>:<por
t>/sap/hana/xs/
admin/jobs/
SAP INM Installation [page Yes Yes Install new SAP INM patch or
15] support package is the same
as initial installation.
Application Security Setup May In case SAML authentication

[page 19] is enabled, disable SAML au
thentication for sap.ino be
fore going to Run After Im
port Scripts.
Run after Import Scripts Yes Yes The existing SAML setup may
[page 20] cause the Run After Import
Scripts failure.
To overcome this, you need to

disable SAML logon for
sap.ino before this step.

34 PUBLIC Update Guide
Activate the batch jobs Yes Yes You need to activate batch job
after the upgrade. The easiest
way is to activate the batch
job scheduler if it is deacti
vated.
http://
<fully_qualified_h
ost_name>:<por
t>/sap/hana/xs/
admin/jobs/
Application Security Setup May In case SAML authentication

[page 19] is disabled, enable SAML au
thentication before after 3.10
if required.
Note
Upgrade of SAP Innovation Management is not possible while batch jobs are scheduled.
Thus, it is mandatory to deactivate all SAP Innovation Management batch jobs prior to upgrades. For more
information, see chapter Schedule Batch Jobs on how to activate or deactivate batch jobs.
Consequently, you would need to reactivate batch jobs after the upgrade.
Related Information
Schedule Batch Jobs [page 20]
5.2 Notifying Users about Maintenance Activities
You can use the following configuration settings to notify users about maintenance activities.
Note
These settings are stored in the browser cache of users for up to 1 hour.

Update Guide PUBLIC 35
Configuration File Section Parameter Value
xsengine.ini innovation_managem system_message Text The text entered here

ent will be shown at the top
of the application and
can be used to notify
users about upcoming
maintenance activities
xsengine.ini innovation_managem maintenance_mode 1 Setting this value to "1"

ent will show users a mes
sage after login that
maintenance activities
are ongoing. The user
interface is not availa
ble any more.

36 PUBLIC Update Guide
6 Landscape Setup
The minimal landscape setup for SAP Innovation Management is an SAP HANA XS Server. In addition, a
connection to a mail server is required as well.
Landscape Setup
If security policies require a DMZ or similar mechanisms, it is necessary to provide an additional proxy or firewall in
the system. In this case, the proxy also takes load from the system, for example, by terminating https at the proxy.
To increase security, such a proxy may constrain all requests to URLs with the prefix <baseURL>/sap/ino/. To
shift the load from the system to the proxy, it may also cache content for URLs with the prefixes
<baseURL>/sap/ino/ngui, <baseURL>/sap/ino/ui, and <baseURL>/sap/ino/xs/rest/static.

Landscape Setup PUBLIC 37
Landscape Setup with Enhanced Security
SAP Web Dispatcher Setup
If no proxy is deployed or if the proxy does not cache, the SAP Web Dispatcher must be configured for caching.
This can be done with the following SQL statements:
alter system alter configuration ('webdispatcher.ini', 'SYSTEM') set ('profile',

'icm/http/server_cache_0') = 'PREFIX=/sap/ui5/, CACHEDIR=$(DIR_INSTANCE)/wdisp/
cache'
with reconfigure;
'icm/http/server_cache_0/max_entries') = '100000' with reconfigure;
'icm/http/server_cache_1') = 'PREFIX=/sap/ino/ui/,
CACHEDIR=$(DIR_INSTANCE)/wdisp/cache_1' with reconfigure;
'icm/http/server_cache_2') = 'PREFIX=/sap/ino/xs/rest/static/,
'icm/http/server_cache_2/memory_size_mb') = '500' with reconfigure;

38 PUBLIC Landscape Setup
'icm/http/server_cache_2/size_mb') = '2000' with reconfigure;
'icm/http/server_cache_3') = 'PREFIX=/sap/ino/ngui/,
This configuration implies that the web dispatcher requires three additional directories icm/http/
server_cache_1, icm/http/server_cache_2, and icm/http/server_cache_3 at the OS level. You would
need to log into the operating system and create these directories. They must reside in the same directory icm/
http as the /icm/http/cache directory. You would also need to use the OS commands chown, chgrp, and
chmod to ensure that the web dispatcher has the same privileges on these directories as on the cache directory.
After these changes, you need to restart the web dispatcher. Restarting the XS Engine or restarting the HANA
Server will implicitly restart the web dispatcher as well. If no specific settings have been made, the administration
tool of the web dispatcher can be accessed with the following URL:
http://<Hana_Server>:<XS_Engine_Port>/sap/hana/xs/wdisp/admin
You would need to be assigned the role sap.hana.xs.wdisp.admin::WebDispatcherAdmin for this access.
For more information, see SAP Web Dispatcher Configuration Reference under SAP Help Portal and navigate to
Technology -> User-Interface Add-on for SAP NetWeaver -> Application Help -> English -> Configuration and
Operations.
Browser and Mobile Client Setup
SAP Innovation management uses URLs with the path <baseURL>/sap/ino/. To enable the browser and mobile
client, access to these URLs must be available. Configure your network firewalls and/or proxies accordingly.
URL Whitelists
In SAP Innovation Management, users can use URL references at various places, for example, in descriptions of
ideas, as part of a campaign description template, or in the HTML code of campaign pages. Ideas can also contain
dedicated links to which these URLs point. By default, these URLs are not restricted. To restrict the URLs, a
whitelist can be maintained. As soon as one whitelist entry is maintained, all URLs not contained in the whitelist
are not valid any more, that is, they are either rejected or rendered inactive for the existing content.
The whitelist is maintained by inserting values in table sap.ino.db.basis::t_url_whitelist
insert into "sap.ino.db.basis::t_url_whitelist" (protocol, host, port, path)

values ('http','www.sap.com', null, null)
The following columns are available:
● PROTOCOL: The protocol of the URL

● HOST: The host of the URL
● PORT: The port of the URL

Landscape Setup PUBLIC 39
● PATH: The path of the URL
If a column is set to null, it is treated as a wildcard (*).

40 PUBLIC Landscape Setup
7 Application Configuration
7.1 Overview
Application configuration is organized in HANA repository packages. The package sap.ino.config contains SAP
delivered default configuration. If any customer-specific configuration is required, you would need to implement
the following steps. Otherwise, they are optional.
Customer-specific configuration is maintained in a dedicated package that extends the SAP configuration
package; this means customer-specific configuration overrules SAP configuration
Configuration Packages
The Innovation Manager maintains common non-technical settings in the Innovation Office. Comma-Separated
Values (CSV) files maintain the technical configuration settings directly in the HANA repository.
Triggering the configuration activation is critical for productive usage of CSV settings. The configuration activation
takes care that configuration can be used productively within the application. For more information, see chapter
Activate Configuration.
Customer-specific configuration can be done either directly in the production system or in an upstream
development and/or test system from where it is transported to the production system. For one configuration
package, there must only be one system where its settings are maintained.
SAP HANA delivery units can export and import the CSV files stored in the SAP HANA Repository, Content
maintained in Innovation Office needs to be exported into the repository beforehand, see chapter Configuration
Repository Report. For more information on packages, delivery units, and transport, see SAP Help Portal and
navigate to SAP HANA Platform Relevant version Development SAP HANA Developer Guide .
More Information
For more information, refer to Activate Configuration and Configuration Repository Report under General Steps
[page 42].

Application Configuration PUBLIC 41
7.2 General Steps
Create a Configuration Package
Configuration settings are stored as files in the SAP HANA Repository in a dedicated customer package. The
package and its content can be created with SAP HANA Studio or SAP HANA Web IDE. In the following text, we
refer to this package as <your.config.package>. A suitable name for this package may be cust.ino.config
or <your company name>.ino.config. The configuration package is an extension of the package
sap.ino.config, which contains delivered configuration of SAP Innovation Management. All configuration
packages need to directly extend this package.
Create the files t_package_extension.csv and t_package_extension.hdbti in the package

<your.config.package>. Please replace <your.config.package> in the following files with your actual
package name:
t_package_extension.csv:
EXT_PACKAGE_ID;BASE_PACKAGE_ID;LAYER
<your.config.package>;sap.ino.config;99
t_package_extension.hdbti:
import = [{
hdbtable = "sap.ino.db.basis::t_package_extension";
file = "<your.config.package>:t_package_extension.csv";
header = true;
delimField = ";";
keys = [ "EXT_PACKAGE_ID" : "<your.config.package>"];
}];
The layer column of the package extension entry is set to 99, to ensure that your configuration settings have
always priority over SAP settings.
To ensure that the settings listed above are correct, the following SQL statement can be used:
select * from "sap.ino.db.basis::t_package_extension" where ext_package_id =

'<your.config.package>'
It should return exactly one row with the content exactly as in t_package_extension.csv. If nothing is
returned, check the spelling of <your.config.package> everywhere it is used and whether the CSV file contains
all necessary line breaks.
Ensure that <your.config.package> is accessible by http, so that text bundles and configuration images are
available to end users. Depending on your overall package structure, you may need to create an empty .xsapp
and an .xsaccess file in <your.config.package>, see SAP Help Portal and navigate to SAP HANA Platform
Relevant version Development SAP HANA Developer Guide .
For example:
.xsapp:
{}
.xsaccess:
{

42 PUBLIC Application Configuration
"exposed": true
}
If you want to enable non-technical configuration in the innovation office, you need to configure
<your.config.package> as the content package. You can do this using the following SQL statement:
call "sap.ino.db.config.admin::set_config_package"('<your.config.package>');
In a multi-system landscape, you can do this only in the source system of the configuration. After you have
maintained configuration in innovation office, ensure this setting is not changed further.
To ensure that the settings listed above are correct, you can use the following SQL statement:
select * from "sap.ino.db.config::v_config_content_package"
It should return exactly one row returning <your.config.package>. If nothing or a different package is returned,
make sure that the layer in t_package_extension.csv is higher than all other configuration packages that are
in use.
Create Configuration Package for E-Mail Template Images
E-Mail templates can contain images that can be transported to another system, since they are stored in the HANA
repository. For this purpose a new package called attachment needs to be created below
<your.config.package>. To be able to upload new images, the technical user is created as in chapter Technical
User Setup and needs additional privileges to write in these package.
The privileges can be granted by using the following SQL statements:
grant REPO.READ on "<your.config.package>.attachment" to <TECHNICAL_USER>;

grant REPO.EDIT_NATIVE_OBJECTS on "<your.config.package>.attachment" to
<TECHNICAL_USER>;
grant REPO.ACTIVATE_NATIVE_OBJECTS on "<your.config.package>.attachment" to
<TECHNICAL_USER>;
grant REPO.MAINTAIN_NATIVE_PACKAGES on "<your.config.package>.attachment" to
<TECHNICAL_USER>;
Activate Configuration
Activate the application configuration maintained in CSV files, in the system where it is being maintained. To
trigger it, issue an http POST request, as an innovation system manager, to:
http://<fully qualified host name>:<port>/sap/ino/xs/rest/admin/system/config.xsjs
You may issue such a POST request with a command line http client, for example, with cURL:
curl --user <User>:<Password> -X POST

http://<fully qualified host name>:<port>/sap/ino/xs/rest/admin/system/config.xsjs
Activation of configuration maintained in innovation office is not required. After transporting configuration to a
different system, you need to trigger activation explicitly, as described above.

The privilege REPO.READ for all configuration packages is required to successfully activate. The role
sap.ino.authorizations::innovation_system_manager already contains the privilege for the package
sap.ino.config. Additionally, the privilege for the customer specific extension package must be granted.
The following SQL statement can be used to grant that privilege:
grant REPO.READ on "<your.config.package>" to <Innovation_System_Admin>;
Configuration Repository Export
For multi-system landscapes, export the configuration settings maintained in innovation office to the HANA
repository, to enable transportation to other systems. Export is also needed for a single system when
configuration content needs to be translated. To trigger the repository export, issue an http PUT request to:

name>:<port>/sap/ino/xs/rest/admin/system/config_export.xsjs
You may issue such a PUT request with a command line http client, for example, with cURL:
curl --user <User>:<Password> -X PUT

name>:<port>/sap/ino/xs/rest/admin/system/config_export.xsjs
This will create CSV and text bundle files in <your.config.package> for configuration maintained in innovation
office. A repeated export overwrites these CSV and text bundle files.
Enable the configuration in innovation office for a successful export. For more information, see the section Create
a Configuration Package above. The privileges REPO.EDIT_NATIVE_OBJECTS,
REPO.ACTIVATE_NATIVE_OBJECTS, and REPO.MAINTAIN_NATIVE_PACKAGE are required on
<your.config.package>. In case change tracking is active, the privileges REPO.MODIFY_CHANGE and
REPO.MODIFY_OWN_CONTRIBUTION are required as well.
You can use the following SQL template to grant those privileges:
grant REPO.EDIT_NATIVE_OBJECTS on "<your.config.package>"

to <Innovation_System_Admin>;
grant REPO.ACTIVATE_NATIVE_OBJECTS on "<your.config.package>"

grant REPO.MAINTAIN_NATIVE_PACKAGES on "<your.config.package>"

Related Information
Technical User Setup [page 16]

7.3 Individual Application Configuration Settings
Common Application Settings
For common application settings, there is a general key-value-like configuration table. SAP delivers content for this
package. These values are contained in the file sap.ino.config::t_system_setting.csv. Perform the
following steps to change SAP settings:
Create the file t_system_setting.csv in <your.config.package>:
t_system_setting.csv:
CODE;VALUE
sap.ino.config.PPM_INTEGRATION_ACTIVE;1
The column CODE refers to the code of an SAP delivery setting. To avoid inconsistencies, we recommend copying
the first two rows of the SAP CSV file and then doing the necessary adjustments.
In the example above, setting the column VALUE to 1 activates the integration with SAP Portfolio and Project
Management. Important system setting codes are:
sap.ino.config.PPM_INTEGRATION_ACTIVE
It allows to activate (VALUE = 1) or deactivate (VALUE = 0) integration with SAP Portfolio and Project
Management.
After creation of the CSV file in the SAP HANA Repository, trigger the configuration activation. For more
information, see chapter Activate Configuration.
Allowed File Types
SAP Innovation Management allows configuring the file types that are allowed as attachments. SAP already
delivers a number of file types. These values are contained in the file
sap.ino.config::t_attachment_allowed_file.csv. You can also use the following SQL statement to
retrieve the delivered values:
select * from "sap.ino.db.attachment::t_attachment_allowed_file_stage"

where package_id = 'sap.ino.config'
You can obtain the active runtime values using the following SQL statement:
select * from "sap.ino.db.attachment::t_attachment_allowed_file"
Perform the following steps to change SAP settings:
1. Create the file t_attachment_allowed_file.csv in <your.config.package>:
t_attachment_allowed_file.csv:

CODE;FILE_EXT;MEDIA_TYPE
cust.ino.config.DXF;dxf;image/vnd.dxf
In this example, a new file type XPS is registered.

2. Prefix the code with <your.config.package> when creating your own settings. To avoid inconsistencies, we
recommend that you copy the first two rows of the SAP CSV file, and then do the necessary adjustments.
Note
The column MAX_FILE_SIZE is not considered any more. Instead, a global setting for all files is made in
innovation office (see chapter Settings in Innovation Office). After creation of the CSV file in the SAP HANA
Repository, trigger the configuration activation. For more information, see chapter Activate Configuration. Your
changes should now be included in the active runtime table.
Package Content at a Glance
The following picture shows your configuration package and its content when you have decided to adapt all
possible system configuration settings:
Customer-Specific Configuration Content
Related Information
Settings in Innovation Office [page 50]

7.3.1 Customize your own PPT Template
Download Current PPT Export Template
Access the following URL:
http://<fully_qualified_host_name>:<port>/sap/ino/xs/rest/backoffice/
pptx_template_download.xsjs?FILENA ME=IdeaExport
Current PPT export template will be downloaded.
Edit Downloaded PPT Export Template
You can add or remove new fields/labels to the template slide or adjust the pattern based on your requirement.
The field or label you added to the template must follow the rule:Format: {{<<Field Name / LAbel
Name>>}}, you need to replace <<Field Name / Label Name>>.
The following fields are available:
Field Name Label Name Description
AUTHOR_NAME AUTHOR_TEXT Idea author
COACH_NAME COACH_TEXT Idea coach
IDEA_PHASE PHASE_TEXT Idea phase
IDEA_STATUS STATUS_TEXT Idea status
CHANGE_REASON REASON_TEXT Change reason
IDEA_NAME IDEA_TITLE Idea name
CAMPAIGN_NAME CAMPAIGN_TEXT Campaign name
IDEA_SHORT_DESCRIPTION IDEA_SHORT_DESCRIPTION_TEXT Idea short description
CHANGE_REASON_CODE Change reason code
RESP_NAME Responsibility list name
RESP_VALUE Responsibility list value
CAMPAIGN_TEXT_COLOR Campaign text color

Field Name Label Name Description
PROCESS_INDICATOR Progress indicator of idea
You can also add idea form related fields to the template, but you have to follow below rule:
Field format must be :
<<package>>. <<Idea form technical name>>. <<Field technical name>>
Example
There is an idea form in the system, with two fields:
Idea Form
To be able to display ‘I have specific know-how to support implementation’ in the ppt, you must add the field
cust.ino.config.SAP.KNOWHOW_AVAILABLE to the template. This will add both the label as well as the value
to the PPT.
Example

Idea Form Fields
Save PPT
Save your PPT and ensure your PPT template filename is IdeaExport.pptx.
Upload your PPT Template
Before you upload PPT template, please make sure you have an extension package of base package
sap.ino.config and it is active.
Below your extension package (in our example, cust.ino.config), create a package attachments.
Import your PPT template to the attachment package by right-clicking the package and then Import File .
Importing PPT Template
After you update the customized PPT template, you can test it and check whether it is effective and accurate.
7.3.2 Config Email Notification Rule for Customized Status

Action
SAP Innovation Management allows configuring customized Status action to trigger the email notifications.
Perform the following steps to enable this functionality:

1. Create the file t_notification_event_role.csv in <your.config.package>:
t_notification_event_role.csv:
CODE;BIZ_EVENT;ROLE_CODE
2. Create the file t_notification_code_mapping_setting.csv in <your.config.package>:
t_notification_code_mapping_setting.csv:
CODE;OBJECT_TYPE_CODE;NOTIFICATION_CODE;MAPPING_SETTING_CODE;SUBCATEGORY_CODE;
The following roles can be used for the mapping:
● IDEA_CONTRIBUTOR
● IDEA_SUBMITTER
● IDEA_COACH
● COMMENT_OWNER
● IDEA_EXPERT
● CAMPAIGN_MANAGER
● CAMPAIGN_COACH
These file formats should be used for t_notification_event_role.csv.
7.4 Settings in Innovation Office
The innovation managers can make some application settings in the Settings tab of the innovation office such as,
setting the background image, activating the expert finder, etc. For more information about innovation office
settings, see SAP Help Portal and navigate to SAP Innovation Management Relevant version Application Help
Innovation Office Settings .
Those settings are not transported, that is, hey are only applied in the system where they are made. The following
URL leads the innovation manager directly to those settings:
http://<fully qualified host name>:<port> sap/ino/config/#settings
Note
The usage tracking of the application is activated by default. In certain countries, tracking is subject to data
protection regulations or similar legal frameworks. The typical minimum requirement is a legal disclaimer to
notify the users about the collection of this data. If you activate this feature, be sure to add a suitable legal
disclaimer in your terms and conditions statement.

7.5 URL Parameters
SAP Innovation Management allows idea form to be filled with URL parameters when creating an idea. The
parameters can be added to the URL with a ‘?’ after the hash/fragment identifier and can be concatenated with a
‘&’. For exampl,
http://<fully qualified host name>:<port> sap/ino/#/idea-

create?campaign=<campaign id>&title=<title>&description=<
description>&tags=[<tag1>,<tag2>…]&subresponsiblity=<responsibility list value
code>
The parameters are as follows:
● Campaign: <Campaign ID>

● Title: <string>
● Description: The port of the URL
● Tags: [<string>, <string>, …]
● Subresponsiblity: <Responsibility List Value Code>
7.6 Export Ideas
All exported ideas will be stored in the SAP Innovation Manager server and the export files will be cleared after 7
days.
Note
This setting cannot be reconfigured.
To be able to receive export notification e-mails, ensure that the connected user has maintained an e-mail address.

8 Business Scenario of SAP Innovation
Management
8.1 Run an Idea Campaign for Product Innovation
Overview
You can run an idea campaign for product innovation using SAP Innovation Management.
Software Units
● SAP HANA Platform

● SAP Innovation Management
Further Information
The following documents provide more information about Run an Idea Campaign for Product Innovation:
Content Location
Scenario Description See the documentation in Business Scenarios Description in

SAP Innovation Management
Configuration Documentation See the documentation in Business Scenarios Description in

SAP Innovation Management
Scenario Security Guide

52 PUBLIC Business Scenario of SAP Innovation Management
9 Security Considerations
SAP Innovation Management is built on the SAP HANA Platform. Therefore, the security settings of the SAP HANA
Platform apply to SAP Innovation Management.
Fundamental Security Guides
The basic document to refer to for security considerations is the SAP HANA Security Guide. For more information,
see SAP Help Portal and navigate to SAP HANA Platform Relevant version Security SAP HANA Security
Guide .
9.1 Data Protection and Privacy
9.1.1 Introduction
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance
with general data privacy regulation, it is necessary to consider compliance with industry-specific legislation in
different countries. SAP provides specific features and functions to support compliance with regards to relevant
legal requirements, including data protection. SAP does not give any advice on whether these features and
functions are the best method to support company, industry, regional, or country-specific requirements.
Furthermore, this information does not give any advice or recommendation in regards to additional features that
would be required in particular IT environments; decisions related to data protection must be made on a case-by-
case basis, under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with applicable data protection and privacy laws will not be covered by a
product feature. SAP software supports data protection compliance by providing security features and specific
data protection-relevant functions, such as simplified blocking and deletion of personal data. SAP does not
provide legal advice in any form. Definitions and other terms used in this document are not taken from any given
legal source.
9.1.2 Glossary

Security Considerations PUBLIC 53
Term Definition
Personal data Any information relating to an identified or identifiable natural

person ("data subject"). An identifiable natural person is one
who can be identified, directly or indirectly, in particular by ref
erence to an identifier such as a name, an identification num
ber, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, eco
nomic, cultural, or social identity of that natural person.
Purpose A legal, contractual, or in other form justified reason for the

processing of personal data. The assumption is that any pur
pose has an end that is usually already defined when the pur
pose starts.
Blocking A method of restricting access to data for which the primary

business purpose has ended.
Deletion The irreversible destruction of personal data.
Retention period The period of time between the end of purpose (EoP) for a
data set and when this data set is deleted subject to applicable
laws. It is a combination of the residence period and the block
ing period.
End of purpose (EoP) A method of identifying the point in time for a data set when
the processing of personal data is no longer required for the
primary business purpose. After the EoP has been reached,
the data is blocked and can only be accessed by users with
special authorization (e.g. tax auditors).
Sensitive personal data A category of personal data that usually includes the following
type of information:
● Special categories of personal data such as data revealing

racial or ethnic origin, political opinions, religious or philo
sophical beliefs, or trade union membership and the proc
essing of genetic data, biometric data, data concerning
health or sex life or sexual orientation
● Personal data subject to professional secrecy
● Personal data relating to criminal or administrative of
fenses
● Personal data concerning insurances and bank or credit
card accounts
Residence period The period of time after the end of purpose (EoP) for a data
set during which the data remains in the database and can be
used in case of subsequent processes related to the original
purpose. At the end of the longest configured residence pe
riod, the data is blocked or deleted. The residence period is
part of the overall retention period.

54 PUBLIC Security Considerations
Term Definition
Where-used check (WUC) A process designed to ensure data integrity in the case of po
tential blocking of business partner data. An application's
where-used check (WUC) determines if there is any depend
ent data for a certain business partner in the database. If de
pendent data exists, this means the data is still required for
business activities. Therefore, the blocking of business part
ners referenced in the data is prevented.
Consent The action of the data subject confirming that the usage of his
or her personal data shall be allowed for a given purpose. A
consent functionality allows the storage of a consent record in
relation to a specific purpose and shows if a data subject has
granted, withdrawn, or denied consent.
9.1.3 User Consent
Terms and Conditions
Text modules in the innovation office can be created specifically to provide terms and conditions to the community
users. If the innovation manager configures the application accordingly, users shall be prompted to accept the
terms and conditions when they first log in.
Note
Users cannot proceed into the application without accepting these terms and conditions.
In case there are changes made to the existing terms and conditions, users shall be prompted to review and accept
these when they log in next. Similar to their first log in, users cannot proceed to using the application without
accepting the terms and conditions.
For more information about this, refer to the SAP Help Portal and navigate to SAP Innovation Management
Application Help Application Help for SAP Innovation Management Innovation Office Configuration Creating
a Text Module .

9.1.4 Read Access Logging
Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be categorized
as sensitive by law, by external company policy, or by internal company policy. These common questions might be
of interest for an application that uses Read Access Logging:
● Who accessed the data of a given business entity, for example a bank account?
● Who accessed personal data, for example of a business partner?
● Which employee accessed personal information, for example religion?
● Which accounts or business partners were accessed by which users?
These questions can be answered using information about who accessed particular data within a specified time
frame. Technically, this means that all remote API and UI infostructures (that access the data) must be enabled for
logging.
Use
In Read Access Logging (RAL), you can configure which read-access information to log and under which
conditions. SAP delivers sample configurations for applications. The application component scenario logs data in
order to describe business processes. You can find the configurations as described in this chapter.
Displaying Personal User Data
SAP Innovation Management provides a functionality for disclosure, where the system administrator (or innovation
manager) can check the individual user's disclosure permissions under User Management tab in the innovation
office, by accepting the terms and conditions for access authorizations. The system will create an access log entry
every time a user's personal data is disclosed, depending on the settings made by the administrator (or innovation
manager).
Application Help Application Help for SAP Innovation Management Idea Community User List .
Viewing Access Log for User Data
To view the access log for a user, select the relevant record in the User Management tab in the innovation office
and select View User Content Access Log. The log shows a record for each time that the data disclosure overview
was accessed and by which user.
Application Help Application Help for SAP Innovation Management Innovation Office User Management
Viewing User Profiles .

9.1.5 Deletion of Personal Data
Deletion of personal data: The handling of personal data is subject to applicable laws related to the deletion of
such data at the end of purpose (EoP). If there is no longer a legitimate purpose that requires the use of personal
data, it must be deleted. When deleting data in a data set, all referenced objects related to that data set must be
deleted as well. It is also necessary to consider industry-specific legislation in different countries in addition to
general data protection laws. After the expiration of the longest retention period, the data must be deleted.
SAP Innovation Management might process data (personal data) that is subject to the data protection laws
applicable in specific countries.
Deleting Personal User Data
During the process of creating user profiles in SAP Innovation Management, the system administrator is required
to enter a end of validity date for these profiles. SAP Innovation Management then uses these dates to determine a
validity period for the user profiles. Once the validity date is crossed, the user data is archived and then deleted
after a pre-determined period, unless the profile is renewed.
For more information about setting and viewing validity of user profiles, refer to http://help.sap.com and navigate
to SAP Innovation Management Application Help Application Help for SAP Innovation Management
Innovation Office User Management .
As a community user, you can also view the validity of the connected user's profile, refer to SAP Help Portal and
navigate to SAP Innovation Management Application Help Application Help for SAP Innovation Management
Idea Communty Configuring User Settings and Personal Data Account Settings .
9.1.6 Change Log
Personal data is subject to frequent changes. Therefore, for revision purposes or as a result of legal regulations, it
may be necessary to be able to track the changes made to this data. If these changes are logged, you can check
which employee made which change and when at any time. It is also possible to analyze errors in this way. You can
use a report to display these changes. You can further download this report as an Excel or a text file, for offline
access.
Logging User Profile Changes
To avoid discrepancies during update of personal user data, SAP Innovation Management requires the innovation
manager to select specific attributes of the user profile, for which log entries are created in case of any
modifications. These are global selections and applicable to all users. No log entries would be created for the
attributes that are not selected by the innovation manager.

For more information about creating a log of changes to user profiles, refer to http://help.sap.com and navigate to
SAP Innovation Management Application Help Application Help for SAP Innovation Management
Innovation Office User Management Logging Changes to User Profiles .

10 Integration with SAP Portfolio and Project
Management
Integration of SAP Portfolio and Project Management with SAP Innovation Management requires advanced system
administration skills and privileges. In particular, it is easily possible to setup a configuration that seems to work
but is insecure. We recommend that you take support from consulting for this task.
10.1 Integration from SAP Portfolio and Project Management

to SAP Innovation Management
SAP Innovation management uses http requests to link an object in the SAP Portfolio and Project Management to
ideas in the Innovation Management application. These requests use a secure connection (SSL) and transmit the
user authentication information in an SAP assertion ticket. Since there is no user mapping available, it is
mandatory that the user names on both the Innovation Management as well as the Project Management side are
identical.
For the Project and Portfolio Planning relevant settings and supported releases, refer to the attachment
ConfigContPPM in SAP Note 2026421 (Relevant section: Setting up Object Links to Ideas in SAP Innovation
Management), before you start the configuration.
Integration between Portfolio and Project Management and SAP Innovation Management
Configure Innovation Management to Accept SSL Connections
As a prerequisite for connections from PPM to SAP Innovation Management, the Innovation Management side
must be setup to accept https connections.
For more information on how to setup SAP HANA to accept HTTPS connections, see SAP Help Portal and navigate
to SAP HANA Platform Relevant Version Administration SAP HANA Administration Guide SAP HANA XS
Administration Tools .

Integration with SAP Portfolio and Project Management PUBLIC 59
Import the Innovation Management Server Certificate into Portfolio and
Project Management
For the customization of SAP PPM, maintenance of a HTTP RFC destination is critical. As a prerequisite, this
destination must be maintained with transaction SM59. As a prerequisite for this intermediate step, the SSL server
certificate of the SAP Innovation Management system must be imported into the Portfolio and Project
Management system. You can use transaction strust to import the certificate into the PPM system. Depending
on your desired setup, you may either import the certificate into the System PSE or into a dedicated PSE.
For more information, see SAP Help Portal and navigate to SAP NetWeaver SAP NetWeaver Platform SAP
NetWeaver 7.0 Including Enhancement Package 3 Security SAP NetWeaver Security Guide Network and
Communication Security Transport Layer Security Configuring the AS ABAP for Supporting SSL .
Configure Innovation Management Users
As of the current release of SAP HANA, there is no explicit mapping between the user names in the Portfolio and
Project Management Server and SAP HANA. The user names on both systems must be an exact match. The users
authenticated by Portfolio and Project Management are also recognized by Innovation Management. Every
Portfolio and Project Management user who is supposed to create Portfolio and Project Management object links
to ideas in the Innovation Management must also be a user of Innovation Management.
For upload of users into innovation management, see chapter User and Group Administration. Assign the role of
an innovation office user to these users.
For more information, see SAP Help Portal and naviagte to SAP Innovation Management Application Help
Application Help for SAP Innovation Management Innovation Office User Management Roles in SAP
Innovation Management .
Additionally, enable and authenticate the users with a SAP logon ticket. For more information about this, see SAP
Help Portal and navigate to SAP HANA Platform Security SAP HANA Security Guide User Configuration .
In the SAP HANA Security Guide, you can also see SAP HANA Authentication and Single Sign-On Single Sign-
On Integration Single Sign-On Using SAP Logon and Assertion Tickets .
Configure Single Sign-On with SAP Assertion Tickets
When a user in Portfolio and Project Management triggers a request to the Innovation Management system, the
user is authenticated in Innovation Management automatically.
To enable the validation of the assertion tickets, the innovation management needs to trust assertion tickets from
the PPM system, that is, the HANA system needs to trust the PPM System's certificate. In other words the server
certificate (or its root certificate) used by the PPM System needs to be in the HANA System trust store.
For more information, see SAP Help Portal and navigate to SAP HANA PlatformRelevant versionSecuritySecurity
GuideSAP HANA Authentication and Single Sign-OnSingle Sign-On IntegrationSingle Sign-On Using SAP Logon and
Assertion Tickets.

60 PUBLIC Integration with SAP Portfolio and Project Management
For more information, see also SAP Help Portal and navigate to SAP HANA Platform Relevant version
Administration SAP HANA Administration Guide Application Run-Tine Services Maintaining the SAP HANA XS
Classic Model Run Time Maintaining Single Sign-On for SAP HANA XS Applications Configure SSO with SAP
Logon Tickets for SAP HANA XS Applications .
10.2 Integration from SAP Innovation Management to the

Portfolio and Project Management
In the innovation office, all existing object links from Portfolio and Project Management are displayed, if the
connected user has required privileges in Portfolio and Project Management. To enable this scenario innovation
management sends a secure request to a service on the Portfolio and Project Management side. Again, single sign-
on with an SAP assertion ticket transfers the authentication information. This requires the following configuration
steps:
Integration from Innovation Management to Portfolio and Project Management
Enable Portfolio and Project Management for SSL
For more information, see SAP Help Portal and navigate to SAP NetWeaver SAP NetWeaver Platform SAP
NetWeaver 7.0 Including Enhancement Package 3 Security SAP NetWeaver Security Guide Network and
Communication Security Transport Layer Security Configuring the AS ABAP for Supporting SSL .
Import the Portfolio and Project Management Certificate into Innovation

Management
For more information about Importing a Server Certificate, see SAP Help Portal and navigate to SAP HANA
Platform Relevant version Administration SAP HANA Administration Guide Application Run-Time Services
Maintaining the SAP HANA XS Classic Model Run Time Managing Trust Relationships Import a Server
Certificate .

Configure Single Sign-On with SAP Assertion Tickets
To pass user authentication information from innovation management to Portfolio and Project Management the
Portfolio and Project Management server must trust the innovation management's logon assertion tickets. To
establish the trust relationship the innovation management's server certificate, used for signing the assertion
tickets, must be imported into the Portfolio and Project Management system.
The steps to enable the creation of the assertion ticket and to establish the trust between Portfolio and Project
Management and innovation management are described in Configure Outbound SSO with Assertion Tickets,
steps 1 through 5.
For more information, see SAP Help Portal and navigate to SAP HANA Platform Administration
Administration Guide Application Run-Time Services Maintaining the SAP HANA XS Classic Maintaining
Single Sign-On for SAP HANA XS Applications Configure Outbound SSO with Assertion Tickets .
Maintain the Portfolio and Project Management Destination in Innovation

Management
Innovation Management uses a logical pointer to the Portfolio and Project Management service, which provides
the set of existing object links to a given idea. SAP Hana XS Administration tool maintains this logical pointer as a
URL. Open the administration tool and select the
sap/ino/xs/rest/ppm.httpdest
object in the tree of application objects (
http://<system>:<port>/sap/hana/xs/admin/#/package/sap.ino.xs.rest/
httpDestination/ppm
) and create an extension for it (or edit an existing extension). Enter your Project and Portfolio Management's
system host and (ssl) port number as the target destination and set the path prefix to
"/sap/opu/odata/sap/inm_im_obl_integration_srv/"
Then, follow the steps 7 and 8 in the chapter Configure Outbound SSO with Assertion Tickets in the SAP HANA
Administration Guide.
Enter your Project and Portfolio Management's system host and (ssl) port number as the target destination and
set the path prefix to
/sap/opu/odata/sap/inm_im_obl_integration_srv/
For more information, see SAP Help Portal and navigate to SAP HANA Platform Administration
Administration Guide Application Run-Time Services Maintaining the SAP HANA XS Classic Maintaining
Single Sign-On for SAP HANA XS Applications Configure Outbound SSO with Assertion Tickets .

62 PUBLIC Integration with SAP Portfolio and Project Management
Settings on SAP Portfolio and Project Management
For more information, see the attachment ConfigContPPM in SAP Note 2026421 .

11 References
List of Documents
The following table lists all documents mentioned in this Master Guide:
Title Location
SAP HANA Platform SAP Help Portal and navigate to SAP HANA Platform
SAP HANA Master Guide SAP Help Portal and navigate to SAP HANA Platform
Relevant version Installation and Upgrade SAP HANA
Master Guide
SAP HANA Security Guide SAP Help Portal and navigate to SAP HANA Platform
Relevant version Security SAP HANA Security Guide
SAP HANA Operations and Administration Guides SAP Help Portal and navigate to SAP HANA Platform
Relevant version Administration SAP HANA
Administration Guide
SAP HANA Developer Guide SAP Help Portal and navigate to SAP HANA Platform
Relevant version Development SAP HANA Developer
Guide
SAP Web Dispatcher Configuration Reference SAP Help Poral and navigate to User Interface Add-On for
SAP NetWeaver Application Help SAP Library
Configuration and Operations
SAP Innovation Management Application Help http://help.sap.com/ and navigate to SAP Innovation
Management Application Help
List of SAP Notes
The following table lists all SAP Notes mentioned in this Master Guide.

64 PUBLIC References
SAP Note Number Title Description
SAP Note 2037158 SAP Innovation Management 1.0 Release This note contains the latest information
Note about installing SAP Innovation Manage
ment
SAP Note 2388775 Release Note SAP Innovation Manage This note contains the latest information
ment 2.1 about installing SAP Innovation Manage
ment
SAP Note 2576723 SAP Innovation Management 2.2.6 Patch This note contains the latest information
Note about installing SAP Innovation Manage
ment

References PUBLIC 65
12 Release Availability Information
For more information about currently available releases for SAP Innovation Management (for each release), the
SAP standard software required to install and use the solution, see http://www.service.sap.com/fbs/availability .

66 PUBLIC Release Availability Information
Important Disclaimers and Legal Information
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see:
https://help.sap.com/viewer/disclaimer).

Important Disclaimers and Legal Information PUBLIC 67
go.sap.com/registration/
contact.html
© 2018 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of
SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see https://www.sap.com/corporate/en/legal/copyright.html
for additional trademark information and notices.

SAP Innovation Management Master Guide

Cargado por

Información del documento

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

SAP Innovation Management Master Guide

Cargado por

Copyright:

Formatos disponibles

PUBLIC

Document Version: 2.0 – 2018-01-31

SAP Innovation Management: Master Guide

3 SAP Innovation Management Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

SAP Innovation Management: Master Guide

8 Business Scenario of SAP Innovation Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

10 Integration with SAP Portfolio and Project Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

12 Release Availability Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

SAP Innovation Management: Master Guide

Publishing Date Change Related Links

SAP Innovation Management: Master Guide

2.1 About this Document

The Master Guide consists of the following main sections:

SAP Innovation Management: Master Guide

Resource Where to Find It

User assistance for SAP Innovation Management http://help.sap.com/inm

Information about creating customer incidents http://support.sap.com/incident

SAP Notes search http://support.sap.com/notes

SAP Software Download Center http://support.sap.com/swdc

Product Availability Matrix http://support.sap.com/pam

Early Knowledge Transfer and role-specific learning maps http://support.sap.com/ekt

Network security http://service.sap.com/securityguide

High availability http://www.sdn.sap.com/irj/sdn/ha

Information about support package stacks, latest software http://support.sap.com/sp-stacks

Information about Unicode technology http://www.sdn.sap.com/irj/sdn/i18n

Related Master Guides

Relevant Version Installation and Upgrade SAP HANA

SAP Innovation Management: Master Guide

● Technical system landscape

SAP HANA Platform https://help.sap.com/ and navigate to SAP HANA Platform

SAP HANA Content https://help.sap.com/ and navigate to SAP HANA Platform

Relevant Version Installation and Upgrade SAP HANA

SAP Innovation Management: Master Guide

Relevant Version Development SAP HANA Developer

2.3 Important SAP Notes

SAP Note Number Title Description

SAP Innovation Management: Master Guide

SAP Innovation Management uses the following software components:

● SAP Innovation Management

3.2 What's New

New User Interface

Changed URL Paths

SAP Innovation Management: Master Guide

/sap/ino/ui/frontoffice /sap/ino/ Please note the trailing slash

/sap/ino/ui/mobile /sap/ino/ Mobile is handled responsive

/sap/ino/ui/mashup /sap/ino/ui/mashup Unchanged

/sap/ino/ui/backoffice /sap/ino/ A common user interface now handles

New Role for External Analytics Tools

SAP Innovation Management: Master Guide

4.1 Special Consideration for Installation

Steps Installation Comments

Besides SAP INM Installation, SAP In­

For more information, please refer to

SAP Innovation Management: Master Guide

SAP HANA Platform Relevant

Version Installation and Upgrade ,

System Configuration Yes System Configuration [page 14]

SAP INM Installation Yes SAP INM Installation [page 15]

SAP Innovation Management can also be

Technical User Setup Yes Technical User Setup [page 16]

● Admin User Setup Checkpoint and

Application Security Setup Yes Application Security Setup [page 19]

If you want to enable SAML as well, refer

1. Run after import scripts

Besides SAP INM Installation, SAP In