1 Document History
2 Getting Started
2.1 About this Document
2.2 Related Information
2.3 Important SAP Notes
2.4 Support
4 Installation Guide
4.1 Special Consideration for Installation
4.2 System Configuration
4.3 SAP INM Installation
4.4 Technical User Setup
4.5 Innovation System Manager Setup
4.6 Admin User Setup Checkpoint and Troubleshooting
4.7 Acquiring Repository Access
4.8 Application Security Setup
4.9 Run after Import Scripts
4.10 Schedule Batch Jobs
4.11 User and Group Administration
Overview
User Upload
Group Upload
User Log and Auditing
4.12 Automatic Grouping
4.13 Setting Up DB Users
4.14 SAML Setup
Maintaining the Trust Relation between the HANA System and the Identity Provider
Enable SAML Logon
Troubleshooting SAML Logon Configuration
4.15 Innovation Manager Setup
5 Update Guide
5.1 Special Consideration for Update
6 Landscape Setup
7 Application Configuration
7.1 Overview
7.2 General Steps
7.3 Individual Application Configuration Settings
Customize your own PPT Template
Config Email Notification Rule for Customized Status Action
7.4 Settings in Innovation Office
7.5 URL Parameters
7.6 Export Ideas
9 Security Considerations
9.1 Data Protection and Privacy
Introduction
Glossary
User Consent
Read Access Logging
Deletion of Personal Data
Change Log
11 References
January 2018 Data Protection and Privacy Security Considerations [page 53]
Purpose
This Master Guide is the central starting point for the technical implementation of SAP Innovation Management.
You can find cross-scenario implementation information as well as scenario-specific information in this guide.
Use the Master Guide to get an overview of SAP Innovation Management, and the required steps for installing the
application, setting up the required system landscape, and configuring the system.
● Installation guide
● Update guide
● Landscape setup
● Configurations
Constraints
● You can use the business scenarios as examples of how you can use SAP software in your company. The
business scenarios are only intended as models and do not necessarily run the way they are described here in
your customer-specific system landscape. Ensure to check your requirements and systems to determine
whether these scenarios can be used productively at your site. Furthermore, we recommend that you test
these scenarios thoroughly in your test systems to ensure they are complete and free of errors before going
live.
● This Master Guide primarily discusses the overall technical implementation of SAP Innovation Management,
rather than its subordinate components. This means that additional software dependencies might exist
without being mentioned explicitly in this document. You can find more information on component-specific
software dependencies in the corresponding installation guides.
The following resources provide access to more information about general topics, such as software downloads,
customer incidents, or high availability.
Sizing http://service.sap.com/sizing
Performance http://service.sap.com/performance
The Master Guides for cross-industry applications form the basis of this Master Guide. You can find more
information about the relevant applications in the following documents:
Title Location
Master guide for SAP HANA https://help.sap.com/ and navigate to SAP HANA Platform
Master Guide
SAP Innovation Management 2.2 is based on SAP HANA, SPS 12. See SAP Note 2396823 for the
exact HANA revisions to use with SAP Innovation Management.
The operations guide for SAP HANA covers the general operations information for the following areas:
You can find more information about the corresponding operations guide in the following table:
Title Location
Relevant Version
Deployment
The SAP HANA Master Guide covers the deployment of SAP HANA delivery units. You can find more information
about the corresponding section in the following table:
Title Location
Master Guide
Installing and Updating SAP HANA Products https://help.sap.com/ and navigate to SAP HANA Platform
Guide
You must read the following SAP Notes before you start the installation. These SAP Notes contain the most recent
information on the installation, as well as corrections to the installation documentation.
Make sure that you have the up-to-date version of each SAP Note, which you can find at http://support.sap.com/notes.
SAP Note 2396823 | SAP Innovation Management 2.2 Release Note | This note contains the latest information about installing SAP Innovation Management
2.4 Support
You can create SAP Innovation Management specific incidents on https://support.sap.com/incident using the
application component PLM-INM.
3.1 Overview
SAP Innovation Management is used to manage innovation by collecting and filtering ideas of internal or external
users. The basic scenario is innovation management.
● SAP HANA
Note
SAP Innovation Management currently supports SAP HANA 1.0 only.
To download SAP Innovation Management, see Software Center and navigate to Installation and Upgrades or
Support Packages and Patches > Alphabetical Index (A-Z) > I > SAP Innovation Management.
For more information about how to set up the system landscape, see Landscape Setup. Please consult the release
note 2396823 for the exact HANA revision used for setup.
For more information about the system landscape, see SAP Help Portal and navigate to SAP HANA Platform >
Relevant Version > Installation and Upgrade > Master Guide.
In SAP Innovation Management 2.2, the user interface has been upgraded for most of the application functionality.
To educate the end users of these changes, you would need to consider the following sections.
The new user interface uses different URL paths. Redirects are taken care of, but previous links should be adjusted
and new links should be used instead. The following table gives an overview about the changes in the URL paths:
It is mandatory to assign the role sap.ino.authorizations::analytics_user for users that need to access
SAP Innovation Management data using external analytics tools like SAP Lumira, etc.
To install SAP Innovation Management, you would need to carry out the procedures discussed in the following
sections, in the order in which they appear here.
Note
Even if you are setting up the system as a system's user, you can experience a lack of sufficient authorization.
This applies to the authorizations for the SAP HANA XS Engine based tools.
For more information about SAP HANA XS Administration Roles, see SAP Help Portal and navigate to SAP
HANA Platform > Relevant Version > Administration > SAP HANA Administration Guide > Application Run-Time
Services > Maintaining the SAP HANA XS Classic Model Run Time > SAP HANA XS Administration Tools.
This chapter contains a comprehensive list of the roles required for these tools. Depending on your specific
scenarios, you might need some or all of these roles in addition to the database system privileges.
Installation Checklist
Plan HANA Revision | Yes | Supported SAP HANA version for SAP Innovation Management is described in corresponding release information note.
http://<fully_qualified_host_name>:<port>/sap/hana/xs/lm
Installation SAP HANA | Yes | Refer to the SAP Help Portal, navigate to
Sample Code
http://<fully_qualified_host_name>:<port>/sap/hana/xs/lm
Innovation System Manager Setup | Yes | Innovation System Manager Setup [page 17]
Admin User Setup Checkpoint and Troubleshooting | Yes | For more information, please refer to the following sections:
Run After Import Scripts | Yes | With a new installation, typically there will be steps like:
User and Group Administration | May | There are two approaches for user management:
Setting Up DB Users
● Manual import & DB user manual creation or
● Manage user in IDP with SAML integration
SAML Setup | May | There are two approaches for user management:
Innovation Manager Setup | Yes | Admin User Setup Checkpoint and Troubleshooting [page 18]
Note
To install and configure SAP Innovation Management, the user requires roles like:
CONTENT_ADMIN
sap.hana.xs.admin.roles::JobSchedulerAdministrator
sap.hana.xs.admin.roles::TrustStoreAdministrator
sap.hana.xs.admin.roles::SQLCCAdministrator
sap.hana.xs.admin.roles::SAMLAdministrator
sap.hana.xs.ide.roles::Developer
sap.hana.xs.lm.roles::Administrator
sap.hana.xs.admin.roles::RuntimeConfAdministrator
Additional Hints
It is highly recommended that no application users except the administrator remain logged in during an upgrade.
It is also recommended not to use different administration tools at the same time to access the same objects.
Do not use the HANA XS Web administration tools and/or HANA Studio and/or the command line tools without
properly logging out from the other tools. Otherwise, there can be pending processes that may lock or deadlock
the concurrent accesses.
To optimize your system for SAP Innovation Management, we recommend some specific server configurations. For
more information about these configurations, see the following chapters.
Timeout Settings
For most users, the default SAP HANA timeout settings are too short. For this reason, we recommend increasing
them substantially. You can see recommended values in the following table:
You can set them either in the SAP HANA Studio or directly from an SQL console, as shown in the following:
Sample Code
SAP Innovation Management sends informational mails to its users. Mail delivery needs to be configured so that
mails can be sent. The configuration requires the host name of the server for mail transfer and the port in the
xsengine.ini file section "smtp".
Some of the mails sent by SAP Innovation Management contain links pointing back to the server. Because of
different DNS mappings for internal and external access, the base URL for such links can differ, depending on the
intended recipient. This means 'internal' and 'external' users receive mails that contain different links. Of course,
the difference is the fully qualified host name and/or the port number. Thus, it is possible to configure two different
base URLs, in the innovation_management section of the xsengine.ini configuration.
All of the mails sent by SAP Innovation Management contain a response e-mail address configured in the
innovation_management section.
Note
At this time, SAP Innovation Management does not evaluate response emails. So, unless somebody handles the
response mails, they are ignored.
Since the system sends out mails asynchronously, the corresponding job must be scheduled. This is configured
later. However, the scheduler must be enabled for the configuration to have any effect.
Installation and upgrade of SAP Innovation Management is carried out with hdbalm, the command line tool of SAP
HANA application lifecycle management, which is available as part of the HANA client installation. You can use the
following command for installing SAP Innovation Management:
Where <port> is the http port of the XS Engine (typically 80nn with nn as the instance number).
For more information, see Installing and Updating Add-On Products and Software Components under SAP Help
Portal and navigate to SAP HANA Platform > SAP HANA Administration Guide > SAP HANA Application Lifecycle
Management.
SAP Innovation Management is a SAP HANA XS application. The SAP HANA XS Engine executes JavaScript code
where most of the application logic resides. SAP Innovation Management implements its own application-specific
user and authorization concept. This concept is implemented on top of SAP HANA’s user and authorization
concept and extends it.
The persistency resides in the schema SAP_INO. No application user must get access to this schema. Access must
be restricted to the code running in the JavaScript layer. This JavaScript code requires a sqlcc (technical user)
connection that has sufficient privileges though.
You can use the following SQL code to create the technical user:
The technical user can be assigned to the application with the SAP HANA XS Administration Tool.
Navigate to package sap.ino.xs.xslib and assign the technical user HCO_INO_TECHNICAL_USER as the
database user for the application’s SQL connection. Follow the URL below and enter the user name and password
of the technical user (HCO_INO_TECHNICAL_USER).
If you fail to assign this user due to missing authorizations, your user can be missing one or all of the following
roles:
● sap.hana.xs.admin.roles::SQLCCAdministrator
● sap.hana.xs.admin.roles::SQLCCViewer
Note
These roles contain different privileges. None of these is a superset of any of the other during setup. You might
prefer to have the privileges of all three roles.
Application user upload requires elevated privileges. We recommend granting these privileges to a special user for
bootstrapping. For enhanced security, we highly recommend that this user is not an application user. In contrast to
a SAP HANA system manager user, this user can access SAP Innovation Management.
It is possible to assign this role to any administrative user, as long as this user does not become an application user
later. Depending on your system administration approach, it may be reasonable to assign the
Innovation_System_Manager to an SAP HANA system manager user.
Note
Do not combine the roles sap.ino.authorizations::backoffice_user,
sap.ino.authorizations::community_user, or sap.ino.authorizations::innovation_manager
with this role.
After creating this role, you need to grant it to a suitable user as shown below:
Alternatively, you can assign the pre-shipped role directly to the innovation system manager, as shown below:
Note
These users must not get access to user interfaces of SAP Innovation Management. In particular, they
must not be assigned the roles sap.ino.authorizations::backoffice_user,
sap.ino.authorizations::community_user, or sap.ino.authorizations::innovation_manager.
Once an Innovation_System_Manager user is created, the user must self-register with SAP Innovation
Management as shown below:
call "SAP_INO"."sap.ino.db.iam.admin::grant_innovation_management_system_admin_privileges"(
'<innovation management system admin>',
'<admin first name>',
'<admin last name>',
'<admin email address>',
?, ?);
Additional Considerations
During setup and/or troubleshooting, it is very helpful to be able to access the application schema SAP_INO. All
required privileges for this are contained in the role (sap.ino.authorizations::technical_user) for the
technical user. If this role is assigned to the innovation system administrator, troubleshooting and setup becomes
easier.
call _sys_repo.grant_activated_role(
'sap.ino.authorizations::technical_user',
'INNOVATION_SYSTEM_MANAGER'
);
Note
Although this assignment is very convenient for the administrators, it may fail to comply with your security
policies. The issue is that these privileges allow the administrators to access and alter any SAP Innovation
Management table content. We recommend granting this authorization to administrators during setup. In
productive systems, you should remove this authorization role after successful installation.
At this stage in the process, the application is functional but not yet ready. To verify if this is the case, call (as SAP
Innovation System Manager) the following URLs with a browser.
<hostname>:<port>/
<hostname>:<port>/sap/ino/xs/rest/support/ping.xsjs
<hostname>:<port>/sap/ino/xs/rest/support/pingDB.xsjs
<hostname>:<port>/sap/ino/xs/rest/support/pingSchema.xsjs
If all four URLs work as desired, you may proceed. Otherwise, you need to figure out what might have failed so far.
If the first URL does not work, the SAP HANA XS engine is not running or unreachable. This is not an SAP
Innovation Management-specific issue. Check the reason for the SAP HANA XS engine being unreachable and fix
this issue.
If ping.xsjs does not respond, either SAP Innovation Management is not deployed or the user calling the ping
has insufficient authorizations. The required privilege is sap.ino.xs.rest.support::execute. This privilege
is contained in the role sap.ino.authorizations::innovation_system_manager.
If pingDB.xsjs fails to respond, most probably, the technical user cannot access the database. Double-check the
technical user connection for SAP Innovation Management and verify the authorizations of the technical user.
Sometimes it is not easy to verify proper SAP HANA XS Engine setup with the UI-based administration tools. In
this case, it is usually helpful to access schema _SYS_XS by means of SQL and verify the content of the tables,
_SYS_XS.SQL_CONNECTIONS and _SYS_XS.RUNTIME_CONFIGURATION.
Some of the following steps require access to the SAP HANA XS Repository. The easiest way to access the
repository is by means of the Web IDE, which can be reached with the URL:
<your_host>:<port>/sap/hana/xs/ide
If you cannot access the IDE, you might be missing suitable privileges and/or roles. Users with role
sap.hana.xs.ide.roles::Developer plus CONTENT_ADMIN can usually access it. Depending on your security
policies, you may have to use authorizations that are more constrained.
Use the SAP HANA XS Administration Tool to set up the desired authentication mechanism for SAP Innovation
Management. You must maintain the setup for the package sap.ino.
Note
You may get an authorization error when you try to access this URL. In case of this error, please confirm that the
following roles are assigned to you:
● sap.hana.xs.admin.roles::RuntimeConfAdministrator
● sap.hana.xs.admin.roles::SAMLViewer
For more information about these roles, please see SAP Help Portal and navigate to SAP HANA Platform >
Relevant Version > Security > SAP HANA Security Guide.
If you want to activate SAML authentication, the additional steps described in SAML Setup are necessary. Unless you
have prior experience with advanced authentication mechanisms, it is advised to start with basic
authentication and verify that everything works. Then establish HTTPS and finally enable X.509 or SAML
authentication. Once you have established the desired security level, you might disable basic authentication.
After installation and/or upgrade of the SAP Innovation Management delivery unit, the innovation system manager
is required to execute the after import scripts. To trigger these scripts, issue an HTTP POST request to
http://<fully_qualified_host_name>:<port>/sap/ino/setup/rest/run.xsjs
You may issue the POST request with a command line HTTP client as the innovation system manager user, for example
with cURL:
Note
The innovation_system_manager user that has been created previously should be used as <USER>.
In case of errors during the after import scripts, check the server response for details. For further
information, refer to SAP Note 2069930 (After Import Method Driver).
Note
During the after import run, a manual system restart might be required, because the driver does not trigger a restart
itself. Instead, it terminates with an error message stating that a system restart is required. An administrator
must then manually perform the restart. Once the restart is finished, the driver can be started a second time. It
will then automatically detect that the restart was executed and continue without further errors.
Batch jobs are scheduled with the SAP HANA XS Administration Tool (http://<fully qualified host
name>:<port>/sap/hana/xs/admin/#/package/sap.ino.xs.batch/). Navigate to the package
sap.ino.xs.batch, open the jobs tab, and activate each of the jobs. To activate the jobs you need to click on
Configuration and then select the Active checkbox. In addition, you need to enter the user for the batch job (we
recommend the technical application user, for example, HCO_INO_TECHNICAL_USER). It is also mandatory to
choose a locale. The recommended value is English (en). Do not enter start/end times, as the jobs are intended to
run periodically with their pre-shipped defaults.
If you fail to edit the batch jobs due to missing authorizations, your user might be missing the following role:
sap.hana.xs.admin.roles::JobAdministrator.
http://<fully_qualified_host_name>:<port>/sap/hana/xs/admin/jobs/
If you want to double-check whether batch jobs are properly scheduled, have a look at the
sap.ino.xs.batch::notification job. This is the job with the highest scheduling frequency (every 5
minutes). Therefore, if this job does not run within 5 minutes of activation, then the activation was not performed
properly.
● Campaign start/end
● Submission start/end
● Registration start/end
sap.ino.xs.batch::setup_hints | Takes care that query hints are set for performance critical
SQL queries. This can also be triggered by executing an HTTP POST on
http://<fully_qualified_host_name>:<port>/sap/ino/xs/rest/admin/system/setup_hints.xsjs
4.11.1 Overview
The user and group concept of SAP Innovation Management assumes that users and groups are typically
imported from some other system, for example, LDAP or some centralized user management. Alternatively, a
SAML identity provider may provide user management and authentication. Depending on your company-specific
security policy, you may decide to go for an upload based administration approach, to rely on an IDP or a mixed
approach.
Before we go into the details of the user management, have a look at how users and groups relate to each other.
Both users and groups are derived from the abstract class Identity. This means, both users and groups are
identities. In addition, groups may refer to any number of other identities. In other words, groups may contain both
users as well as further groups. You can reuse these groups in the same way as, for example, email distribution
lists. This is useful, for example, to assign innovation campaigns to groups instead of enumerating users
repeatedly.
The user upload/delete as well as the group assignment of users and groups is performed by the following
services:
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/user_upload.xsjs
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/user_upload_delete.xsjs
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/group_upload.xsjs
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/group_upload_delete.xsjs
For troubleshooting purposes, it is also helpful to understand that HANA DB users are only loosely coupled with
Innovation Management users. There are two user tables; for a user on the DB User table there is not necessarily a
user on the Innovation Management User table and vice versa.
User Tables
This is a desired feature since HANA has technical users that are not intended for application access. On the other
hand, it allows uploading application users without the corresponding database users. This improves performance
● Upload application users from CSV file and create the DB users with CREATE USER statements
● Upload application users from CSV file and have DB users implicitly created by SAML login
● Do not upload application users; have them automatically created by SAML login
For security reasons, the following service does not implicitly create any database users:
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/user_upload.xsjs
Therefore, the creation of the database users must be automated by other means, for example, by automatically
issuing CREATE USER statements. Once the users are in place, they can be imported into SAP Innovation
Management by sending suitable CSV files to the user_upload.xsjs service by the innovation system manager.
(mandatory)
(mandatory)
(mandatory)
(mandatory)
"USER_NAME","IS_EXTERNAL","FIRST_NAME","LAST_NAME","NAME","EMAIL","PHONE","MOBILE","COST_CENTER","ORGANIZATION","OFFICE"
JOHNSMITH,0,John,Smith,John Smith,john.smith@example.com,,,,,
JANESMITH,1,Jane,Smith,Jane Smith,jane.smith@example.com,,,,,
Before you upload any users, you may want to verify if your user has sufficient credentials. You may also want to
get used to the interface. We recommend creating a file empty.csv, which should be blank.
The file can be uploaded with any http client, for example, cURL:
The response of the server is a CSV file with a valid header line that is otherwise empty.
"USER_NAME","IS_EXTERNAL","FIRST_NAME","LAST_NAME","NAME","EMAIL","PHONE","MOBILE","FAX","COST_CENTER","ORGANIZATION","MANAGER","OFFICE",
You may notice additional columns in this file. These are for error handling. If a user entry gives rise to errors, these
columns are filled with additional information about the error.
Since the upload service always adds or alters application users, there exists another service to delete users:
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/user_upload_delete.xsjs
This service is much simpler in its interface and only expects one column "USER_NAME".
The following table describes the format of the CSV files. The mandatory columns are in bold.
"USER_NAME"
JOHNSMITH
JANESMITH
If you are using a spreadsheet (for example, MS Excel) to generate CSV files, the spreadsheet might not comply
with the standard, thereby making it impossible to parse the input. In particular, MS Excel might use a value
separator different from a comma although it claims to save the file as 'comma separated values'. This
behavior is locale dependent.
For example, MS Excel by default uses a semicolon instead of a comma for the German locale. To ensure that
MS Excel properly handles the CSV format, its list separator must be set to ',' (comma) instead of
something else. Typically, this operating system level setting must be done outside of MS Excel. For more
information on how to change the list separator, see the screenshot given below. Notice though that this
might break other files that rely on ';' (semicolon) as a list separator.
The group upload mechanism is similar to the user upload mechanism. Group member assignments are uploaded
by posting a CSV file to the group upload service, by the innovation system manager.
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/group_upload.xsjs
Groups are created as needed. If group assignments are uploaded for a group, all existing assignments for this
group are deleted. Groups that are not present in the upload are not touched.
Note
The referenced group members must exist as Innovation Management Identities. Otherwise, the assignments
result in error messages.
"GROUP_NAME","MEMBER_TYPE_CODE","MEMBER_NAME"
Group_1,USER,JOHNSMITH
Group_1,USER,JANESMITH
Group_2,GROUP,Group_1
The implied meaning is that John and Jane are members of Group_1 and Group_1 is a member of Group_2. Hence,
John and Jane are also members of Group_2.
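A pre-flight check for the group upload file can catch the separator problem and the membership rules described above before anything is posted. The following Python sketch is an added example, not part of the SAP guide or the product; the function name, the error texts, and the assumption that a nested group may be defined in the same file are hypothetical, and the sample data is constructed.

```python
import csv
import io

EXPECTED_HEADER = ["GROUP_NAME", "MEMBER_TYPE_CODE", "MEMBER_NAME"]
MEMBER_TYPES = {"USER", "GROUP"}  # the two codes that appear in the guide's sample


def preflight_group_csv(text, known_users, known_groups=()):
    """Check a group upload CSV before posting it (hypothetical helper).

    Returns (errors, effective): a list of problems and, for every group in
    the file, the set of users it contains once nested groups are resolved.
    """
    errors = []
    text = text.strip()
    if not text:
        return ["file is empty"], {}

    # Excel under some locales writes ';' although the file type says CSV.
    first_line = text.splitlines()[0]
    if ";" in first_line and "," not in first_line:
        return ["separator is ';' but the upload service expects ','"], {}

    rows = list(csv.reader(io.StringIO(text)))
    if rows[0] != EXPECTED_HEADER:
        return [f"unexpected header {rows[0]}"], {}

    direct = {}  # group -> [(line number, member type, member name), ...]
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != 3:  # e.g. a trailing comma adds an empty fourth field
            errors.append(f"line {lineno}: expected 3 fields, got {len(row)}")
            continue
        group, mtype, member = (field.strip() for field in row)
        if mtype not in MEMBER_TYPES:
            errors.append(f"line {lineno}: unknown member type {mtype!r}")
            continue
        direct.setdefault(group, []).append((lineno, mtype, member))

    # Referenced members must exist as identities. Assumption: a group that
    # is defined in this same file counts as existing.
    for members in direct.values():
        for lineno, mtype, member in members:
            if mtype == "USER" and member not in known_users:
                errors.append(f"line {lineno}: user {member!r} is not registered")
            if mtype == "GROUP" and member not in direct and member not in known_groups:
                errors.append(f"line {lineno}: group {member!r} does not exist")

    def resolve(group, trail):
        # Walk nested groups; a group already on the trail means a cycle.
        if group in trail:
            cycle = sorted(trail[trail.index(group):])
            msg = "cyclic membership among " + ", ".join(cycle)
            if msg not in errors:
                errors.append(msg)
            return set()
        users = set()
        for _, mtype, member in direct.get(group, []):
            if mtype == "USER":
                users.add(member)
            else:
                users |= resolve(member, trail + [group])
        return users

    effective = {group: resolve(group, []) for group in direct}
    return errors, effective


# Constructed samples (not taken from a real system).
GOOD = '''"GROUP_NAME","MEMBER_TYPE_CODE","MEMBER_NAME"
Group_1,USER,JOHNSMITH
Group_1,USER,JANESMITH
Group_2,GROUP,Group_1
'''
EXCEL_DE = GOOD.replace(",", ";")                       # German-locale export
TRAILING = GOOD.replace("JOHNSMITH\n", "JOHNSMITH,\n")  # stray trailing comma
CYCLE = '"GROUP_NAME","MEMBER_TYPE_CODE","MEMBER_NAME"\nA,GROUP,B\nB,GROUP,A\n'

if __name__ == "__main__":
    users = {"JOHNSMITH", "JANESMITH"}
    for name, sample in [("good", GOOD), ("excel", EXCEL_DE),
                         ("trailing", TRAILING), ("cycle", CYCLE)]:
        print(name, preflight_group_csv(sample, users))
```

Because an upload replaces all existing assignments of every group it mentions, reviewing the resolved membership per group before posting shows exactly who gains access through nesting.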
Since the upload service always adds or alters memberships, it cannot be used to delete groups. Hence,
there exists another service to delete groups.
http://<Hostname>:<Port>/sap/ino/xs/rest/admin/system/group_upload_delete.xsjs
This service is much simpler in its interface. It only expects one column "GROUP_NAME". The following table
describes the format of the CSV files. The mandatory columns are in bold.
"GROUP_NAME"
Group_1
Group_2
SAP HANA provides a standard auditing functionality with which you can log and monitor user data and selected
actions performed in the SAP HANA database.
Whenever new users are registered with SAP Innovation Management, they are implicitly assigned to the All users
group and either the External users or Internal users group.
Note
If your setup allows users to set their email addresses (and thus their domain names) arbitrarily, it may NOT
be a good idea to use mail domain based groups for restricting user access.
● Cost Center
● Organization
If these groups do not exist when required, the system will automatically create them. Explicit alteration of these
groups is not possible. It is possible though to use these groups as members in other groups. In the exceptional
case that a group was created before the system could possibly implicitly create it, the system will replace this
group accordingly.
As mentioned in the introduction, the user/group upload only registers the users with the application. They
cannot log in to SAP HANA unless there is also a DB user for them. The obvious way is to create them by means of
SQL. This can be automated with the hdbcli command line tool. No additional provisions besides those
mentioned are necessary. Once a HANA DB user logs in to Innovation Management, the application checks whether
this is a registered application user and automatically assigns the necessary basic privileges to this user.
Automatic DB user creation by means of x.509 authentication is also possible. However, since x.509 certificates
usually do not contain enough attributes, they do not support automatic user enrollment with Innovation
Management. In other words: if you use x.509, you have to upload the users to register them with the
application. The benefits of x.509 are single sign-on support and, from an administrator perspective, that you do
not need to create the DB users in advance (if you configure SAP HANA accordingly).
From an overall perspective SAML is to be preferred though as it supports single sign on and fully automatic user
enrollment.
SAP HANA as well as SAP Innovation Management support authentication by SAML. If a user is authenticated by
SAML then the Innovation Management application automatically registers this user. This happens even if the user
was not uploaded earlier. Therefore, user upload is not required in system setups with SAML authentications.
If you are already satisfied with the implicitly generated automatic groups, then the user upload can be avoided as
well.
Since the specific SAML setup does not depend on SAP HANA/Innovation Management alone but also on your
specific SAML Identity provider, we shall only outline what needs to be done on the IDP side.
To setup SAML, you need to establish trust relationships between SAP HANA/Innovation Management and your
Identity Provider (SAML IDP) and vice versa. In addition, you need to ensure that the SAML assertion parameters
are correctly mapped (on the IDP side) for implicit user creation.
For more details on the setup, refer to the SAP Help Portal and navigate to SAP HANA Platform -> Relevant
Version -> Administration -> SAP HANA Administration Guide -> Application Run-Time Services -> Maintaining the
SAP HANA XS Classic Model Run Time -> Maintaining Single Sign On for SAP HANA XS Applications. If you do not
have at least a basic understanding of SAML, you may want to consult a (SAP HANA) security expert for this setup.
Before we can enable SAML logon, we need to establish the trust relation from HANA (in the role of SAML Service
provider "SP") to the Identity Provider ("IDP"). That is, SP configuration should trust the IDP and vice versa.
On the HANA (SP) side, your user is required to maintain entries in the 'trust store'. To maintain the trust store (at
least) the sap.hana.xs.admin.roles::TrustStoreAdministrator role must be assigned to the system
administration user.
On the IDP side, the required privileges depend on your specific IDP. Please consult your IDP administrators for the
specific details and requirements.
You can configure the HANA System as a SAML service provider with the help of the HANA XS Admin Tool
(http://<Hana_Server>:<XS_Engine_Port>/sap/hana/xs/admin/#/samlSP) as follows:
Get administrative access to your IDP and register a new service provider (SP). Import the metadata obtained in
the previous step. Although this establishes trust, it is not sufficient to ensure that the SAML assertion attributes
actually match. Please follow the steps below to fix this.
Your identity provider may allow several choices for the login user name (also known as the "SAML Name ID
Attribute"). The process of creating HANA DB users will use the Name ID attribute. Hence, mapping of this
attribute to something that will establish valid HANA DB user names is mandatory.
Note
Email addresses or IDs that contain special characters like dots or quotation marks are not suitable.
Since the HANA user name will not be visible in the application, technical user names (for example, P<nnnnnn>
with <nnnnnn> being a unique number) are recommended. For the SAP IDP, such a user name would be the "Profile
ID".
Typically, Identity Providers can be configured to send more attributes than the Name ID attribute. Innovation
management expects the following attributes to be configured and properly mapped (you can find the mandatory
attributes in bold):
phone
Note
The attributes must be written in lower case and match exactly as stated above.
Once you have the IDP configured, export its metadata XML and import it in the HANA System (SP). This can be
done with the HANA XS Admin Tool, under the URL
http://<Hana_Server>:<XS_Engine_Port>/admin/#/samlSP
Use the tool to add a new identity provider entry with your IDP's metadata.
Before you save the new entry, ensure that you have checked the "Dynamic User Creation" flag for your identity
provider. If this flag is checked, user creation begins after user authentication with a SAML assertion. If you do not
check this flag, the users must be distributed to the HANA System before they try to log in. This is also a valid
option but requires performing the user upload (as described above).
Since one of the main purposes of SAML is to avoid the process of user upload, it is recommended that you check
this box.
SAML logon can be enabled with the SAP HANA Admin Tool; the URL is
http://<Hana_Server>:<XS_Engine_Port>/sap/hana/xs/admin/#/package/sap.ino
Checkmark the authentication method SAML and choose the desired identity provider in the checkbox. If there is
no identity provider to choose, repeat the step Registering the Identity Provider at the HANA System.
Security mechanisms are designed to be "brittle" and SAML is no exception. Hence, even the smallest mistake
may lead you to a configuration that does not work. Here are some general hints on how to troubleshoot the
configuration in case of failure.
The most common failure in case of a correct configuration is the message "Assertion did not contain a valid
MessageID" during logon. This is usually caused by a SAML assertion timeout. The remedy is to extend the
timeout to at least 30 seconds. To achieve this, enter the following SQL (as administrator) in the SQL console:
Another common source of confusion is the choice of authentication method per package. The system configures
the packages hierarchically and maintains authentication settings on a package level. Thus, even if you maintain
SAML at a package high in the hierarchy, the configuration of a lower package may work differently. This in turn
can lead to strange application behavior. With SQL, you can query the database for the authentication settings of
all packages.
select
"PACKAGE_ID", "CONFIGURATION", "CHANGED_BY", "CHANGED_AT"
If these are not the cause of your issues, you would need to further investigate the SAML handshake. The
typical approach is to install a browser plugin (for example, SSO Tracer for Firefox) and log the handshake during
login. An analysis of the log files will then typically reveal hints about the root cause of the issues. If you fail to
identify a root cause, you may want to consult a (SAP HANA) SAML expert for further investigations.
After upload of an initial set of users is complete, an innovation manager must be assigned. The innovation
manager controls the business aspects of SAP Innovation Management. In particular, this user can assign
campaign managers who are responsible for currently running campaigns.
Note
Unlike the innovation system manager, the innovation manager can access the user interface of the application.
call _sys_repo.grant_activated_role(
'sap.ino.authorizations::innovation_manager', '<user>' );
After this step you may log in to the application with the innovation manager user. The two URLs are:
● http://<Hana_Server>:<XS_Engine_Port>/sap/ino/
● http://<Hana_Server>:<XS_Engine_Port>/sap/ino/config/
The application is not yet configured with any content so the screens will not show any content. It is acceptable if
the very first start of the application takes some time, as the application caches are initially empty.
Additional Information
For more information about user management in SAP Innovation Management, see the related section in the SAP
Innovation Management Application Help at SAP Help Portal and navigate to SAP Innovation Management ->
Relevant Version -> Application Help.
Campaign Design
You would need to revisit campaigns with multiple design elements to confirm that their appearance in the new
user interface is still satisfactory. If required, background images and page layouts can be adjusted
in campaign configuration.
Customer extensions to the user interface have been done on a project basis. These extensions need to be
rewritten for the new user interface. Customers should get in touch with their implementation partner before
the upgrade.
Update Checklist
In case of upgrades, you can skip some of the configuration steps performed during the previous installation.
However, some steps are mandatory:
Note
It is recommended to send an official email in case this is not a planned downtime schedule.
Perform SAP HANA backup | Yes | Yes | Perform a backup of SAP Innovation Management before update.
Deactivate the batch jobs | Yes | Yes | The batch job needs to be deactivated before upgrading to the new version of SAP Innovation Management. The easiest way is to deactivate the batch job scheduler using http://<fully_qualified_host_name>:<port>/sap/hana/xs/admin/jobs/
SAP INM Installation [page 15] | Yes | Yes | Installing a new SAP INM patch or support package is the same as the initial installation.
Run after Import Scripts [page 20] | Yes | Yes | The existing SAML setup may cause the Run After Import Scripts to fail.
Activate the batch jobs | Yes | Yes | You need to activate the batch job after the upgrade. The easiest way is to activate the batch job scheduler if it is deactivated. http://<fully_qualified_host_name>:<port>/sap/hana/xs/admin/jobs/
Note
Upgrade of SAP Innovation Management is not possible while batch jobs are scheduled.
Thus, it is mandatory to deactivate all SAP Innovation Management batch jobs prior to upgrades. For more
information, see chapter Schedule Batch Jobs on how to activate or deactivate batch jobs.
Consequently, you would need to reactivate batch jobs after the upgrade.
Related Information
You can use the following configuration settings to notify users about maintenance activities.
Note
These settings are stored in the browser cache of users for up to 1 hour.
The minimal landscape setup for SAP Innovation Management is an SAP HANA XS Server. In addition, a
connection to a mail server is required.
Landscape Setup
If security policies require a DMZ or similar mechanisms, it is necessary to provide an additional proxy or firewall in
the system. In this case, the proxy also takes load from the system, for example, by terminating https at the proxy.
To increase security, such a proxy may constrain all requests to URLs with the prefix <baseURL>/sap/ino/. To
shift the load from the system to the proxy, it may also cache content for URLs with the prefixes
<baseURL>/sap/ino/ngui, <baseURL>/sap/ino/ui, and <baseURL>/sap/ino/xs/rest/static.
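A prefix rule of this kind is only as strong as the path normalization done before the comparison. The following Python model of the proxy decision is an added example, not SAP code or a proxy configuration from this guide; the function names are hypothetical, the three-round decoding limit and the segment-boundary matching of the cache prefixes are assumptions, and the request targets are constructed regression cases for testing a rule set.

```python
import posixpath
from urllib.parse import unquote

ALLOWED_PREFIX = "/sap/ino/"
CACHEABLE_PREFIXES = ("/sap/ino/ngui", "/sap/ino/ui", "/sap/ino/xs/rest/static")


def canonical_path(target):
    """Return the normalized path of an origin-form request target,
    or None if the target is ambiguous and should be refused."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Decode until stable so an encoded '..' cannot survive the check.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after three rounds: refuse
    if not path.startswith("/") or "\\" in path:
        return None  # absolute-form targets and backslashes are refused
    if any(ord(ch) < 0x20 for ch in path):
        return None  # control characters
    # Collapse duplicate slashes and resolve '.' and '..' segments.
    return posixpath.normpath("/" + path.lstrip("/"))


def classify(target):
    """Return 'reject', 'forward' or 'forward+cache' for a request target."""
    path = canonical_path(target)
    if path is None or not (path + "/").startswith(ALLOWED_PREFIX):
        return "reject"
    # Assumption: cache prefixes match whole path segments only.
    if any((path + "/").startswith(p + "/") for p in CACHEABLE_PREFIXES):
        return "forward+cache"
    return "forward"


# Constructed regression cases: (request target, expected decision).
REGRESSION_CASES = [
    ("/sap/ino/", "forward"),
    ("/sap/ino/ui/app.js", "forward+cache"),
    ("/sap/ino/ngui/index.html", "forward+cache"),
    ("/sap/ino/xs/rest/static/x.json?v=1", "forward+cache"),
    # Dynamic REST services are forwarded but never cached.
    ("/sap/ino/xs/rest/admin/system/group_upload.xsjs", "forward"),
    ("/sap/ino/uixyz/a.js", "forward"),
    # Outside the application prefix, directly or after normalization.
    ("/sap/hana/xs/admin/", "reject"),
    ("/sap/inox/", "reject"),
    ("/sap/ino/../hana/xs/admin/", "reject"),
    ("/sap/ino/%2e%2e/hana/xs/admin/", "reject"),
    ("/sap/ino/%252e%252e/hana/", "reject"),
    ("//other.example/sap/ino/", "reject"),
]


def failed_cases():
    """Return the cases whose decision differs from the expected one."""
    return [(t, want, classify(t)) for t, want in REGRESSION_CASES
            if classify(t) != want]


if __name__ == "__main__":
    for target, want in REGRESSION_CASES:
        print(f"{classify(target):14} {target}")
```

The same list of targets can be replayed against the real proxy to confirm that it rejects what this model rejects and caches only the three static prefixes.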
If no proxy is deployed or if the proxy does not cache, the SAP Web Dispatcher must be configured for caching.
This can be done with the following SQL statements:
This configuration implies that the web dispatcher requires three additional directories icm/http/
server_cache_1, icm/http/server_cache_2, and icm/http/server_cache_3 at the OS level. You would
need to log into the operating system and create these directories. They must reside in the same directory icm/
http as the /icm/http/cache directory. You would also need to use the OS commands chown, chgrp, and
chmod to ensure that the web dispatcher has the same privileges on these directories as on the cache directory.
After these changes, you need to restart the web dispatcher. Restarting the XS Engine or restarting the HANA
Server will implicitly restart the web dispatcher as well. If no specific settings have been made, the administration
tool of the web dispatcher can be accessed with the following URL:
http://<Hana_Server>:<XS_Engine_Port>/sap/hana/xs/wdisp/admin
You would need to be assigned the role sap.hana.xs.wdisp.admin::WebDispatcherAdmin for this access.
For more information, see SAP Web Dispatcher Configuration Reference under SAP Help Portal and navigate to
Technology -> User-Interface Add-on for SAP NetWeaver -> Application Help -> English -> Configuration and
Operations.
SAP Innovation Management uses URLs with the path <baseURL>/sap/ino/. To enable the browser and mobile
client, access to these URLs must be available. Configure your network firewalls and/or proxies accordingly.
URL Whitelists
In SAP Innovation Management, users can use URL references at various places, for example, in descriptions of
ideas, as part of a campaign description template, or in the HTML code of campaign pages. Ideas can also contain
dedicated links to which these URLs point. By default, these URLs are not restricted. To restrict the URLs, a
whitelist can be maintained. As soon as one whitelist entry is maintained, all URLs not contained in the whitelist
are not valid any more, that is, they are either rejected or rendered inactive for the existing content.
7.1 Overview
Application configuration is organized in HANA repository packages. The package sap.ino.config contains SAP
delivered default configuration. If any customer-specific configuration is required, you would need to implement
the following steps. Otherwise, they are optional.
Customer-specific configuration is maintained in a dedicated package that extends the SAP configuration
package; this means customer-specific configuration overrules SAP configuration.
Configuration Packages
The Innovation Manager maintains common non-technical settings in the Innovation Office. Comma-Separated
Values (CSV) files maintain the technical configuration settings directly in the HANA repository.
Triggering the configuration activation is critical for productive usage of CSV settings. The configuration activation
takes care that configuration can be used productively within the application. For more information, see chapter
Activate Configuration.
Customer-specific configuration can be done either directly in the production system or in an upstream
development and/or test system from where it is transported to the production system. For one configuration
package, there must only be one system where its settings are maintained.
SAP HANA delivery units can export and import the CSV files stored in the SAP HANA Repository. Content
maintained in Innovation Office needs to be exported into the repository beforehand; see chapter Configuration
Repository Report. For more information on packages, delivery units, and transport, see SAP Help Portal and
navigate to SAP HANA Platform -> Relevant version -> Development -> SAP HANA Developer Guide.
More Information
For more information, refer to Activate Configuration and Configuration Repository Report under General Steps
[page 42].
Configuration settings are stored as files in the SAP HANA Repository in a dedicated customer package. The
package and its content can be created with SAP HANA Studio or SAP HANA Web IDE. In the following text, we
refer to this package as <your.config.package>. A suitable name for this package may be cust.ino.config
or <your company name>.ino.config. The configuration package is an extension of the package
sap.ino.config, which contains delivered configuration of SAP Innovation Management. All configuration
packages need to directly extend this package.
t_package_extension.csv:
EXT_PACKAGE_ID;BASE_PACKAGE_ID;LAYER
<your.config.package>;sap.ino.config;99
t_package_extension.hdbti:
import = [{
hdbtable = "sap.ino.db.basis::t_package_extension";
file = "<your.config.package>:t_package_extension.csv";
header = true;
delimField = ";";
keys = [ "EXT_PACKAGE_ID" : "<your.config.package>"];
}];
The layer column of the package extension entry is set to 99 to ensure that your configuration settings always
have priority over SAP settings.
To ensure that the settings listed above are correct, the following SQL statement can be used:
It should return exactly one row with the content exactly as in t_package_extension.csv. If nothing is
returned, check the spelling of <your.config.package> everywhere it is used and whether the CSV file contains
all necessary line breaks.
Ensure that <your.config.package> is accessible by http, so that text bundles and configuration images are
available to end users. Depending on your overall package structure, you may need to create an empty .xsapp
and an .xsaccess file in <your.config.package>; see SAP Help Portal and navigate to SAP HANA Platform ->
Relevant version -> Development -> SAP HANA Developer Guide.
For example:
.xsapp:
{}
.xsaccess:
{
If you want to enable non-technical configuration in the innovation office, you need to configure
<your.config.package> as the content package. You can do this using the following SQL statement:
call "sap.ino.db.config.admin::set_config_package"('<your.config.package>');
In a multi-system landscape, you can do this only in the source system of the configuration. After you have
maintained configuration in innovation office, ensure this setting is not changed further.
To ensure that the settings listed above are correct, you can use the following SQL statement:
It should return exactly one row returning <your.config.package>. If nothing or a different package is returned,
make sure that the layer in t_package_extension.csv is higher than all other configuration packages that are
in use.
E-mail templates can contain images that can be transported to another system, since they are stored in the HANA
repository. For this purpose, a new package called attachment needs to be created below
<your.config.package>. To be able to upload new images, the technical user is created as described in chapter
Technical User Setup and needs additional privileges to write in this package.
Activate Configuration
Activate the application configuration maintained in CSV files, in the system where it is being maintained. To
trigger it, issue an http POST request, as an innovation system manager, to:
You may issue such a POST request with a command line http client, for example, with cURL:
Activation of configuration maintained in innovation office is not required. After transporting configuration to a
different system, you need to trigger activation explicitly, as described above.
For multi-system landscapes, export the configuration settings maintained in innovation office to the HANA
repository, to enable transportation to other systems. Export is also needed for a single system when
configuration content needs to be translated. To trigger the repository export, issue an http PUT request to:
You may issue such a PUT request with a command line http client, for example, with cURL:
This will create CSV and text bundle files in <your.config.package> for configuration maintained in innovation
office. A repeated export overwrites these CSV and text bundle files.
Enable the configuration in innovation office for a successful export. For more information, see the section Create
a Configuration Package above. The privileges REPO.EDIT_NATIVE_OBJECTS,
REPO.ACTIVATE_NATIVE_OBJECTS, and REPO.MAINTAIN_NATIVE_PACKAGE are required on
<your.config.package>. In case change tracking is active, the privileges REPO.MODIFY_CHANGE and
REPO.MODIFY_OWN_CONTRIBUTION are required as well.
You can use the following SQL template to grant those privileges:
Related Information
For common application settings, there is a general key-value-like configuration table. SAP delivers content for this
package. These values are contained in the file sap.ino.config::t_system_setting.csv. Perform the
following steps to change SAP settings:
t_system_setting.csv:
CODE;VALUE
sap.ino.config.PPM_INTEGRATION_ACTIVE;1
The column CODE refers to the code of an SAP delivery setting. To avoid inconsistencies, we recommend copying
the first two rows of the SAP CSV file and then doing the necessary adjustments.
In the example above, setting the column VALUE to 1 activates the integration with SAP Portfolio and Project
Management. Important system setting codes are:
sap.ino.config.PPM_INTEGRATION_ACTIVE
Activates (VALUE = 1) or deactivates (VALUE = 0) integration with SAP Portfolio and Project
Management.
After creation of the CSV file in the SAP HANA Repository, trigger the configuration activation. For more
information, see chapter Activate Configuration.
SAP Innovation Management allows configuring the file types that are allowed as attachments. SAP already
delivers a number of file types. These values are contained in the file
sap.ino.config::t_attachment_allowed_file.csv. You can also use the following SQL statement to
retrieve the delivered values:
You can obtain the active runtime values using the following SQL statement:
t_attachment_allowed_file.csv:
Note
The column MAX_FILE_SIZE is not considered any more. Instead, a global setting for all files is made in
innovation office (see chapter Settings in Innovation Office). After creation of the CSV file in the SAP HANA
Repository, trigger the configuration activation. For more information, see chapter Activate Configuration. Your
changes should now be included in the active runtime table.
The following picture shows your configuration package and its content when you have decided to adapt all
possible system configuration settings:
Related Information
http://<fully_qualified_host_name>:<port>/sap/ino/xs/rest/backoffice/pptx_template_download.xsjs?FILENAME=IdeaExport
You can add or remove fields/labels on the template slide or adjust the pattern based on your requirements.
A field or label that you add to the template must follow the format {{<<Field Name / Label Name>>}}, in which
you need to replace <<Field Name / Label Name>>.
You can also add idea form related fields to the template, but you have to follow the rule below:
Example
Idea Form
To be able to display ‘I have specific know-how to support implementation’ in the PPT, you must add the field
cust.ino.config.SAP.KNOWHOW_AVAILABLE to the template. This will add both the label and the value
to the PPT.
Example
Save PPT
Save your PPT and ensure your PPT template filename is IdeaExport.pptx.
Before you upload the PPT template, make sure that you have an extension package of the base package
sap.ino.config and that it is active.
Below your extension package (in our example, cust.ino.config), create a package attachments.
Import your PPT template to the attachment package by right-clicking the package and then choosing Import File.
After you update the customized PPT template, you can test it and check whether it is effective and accurate.
SAP Innovation Management allows configuring customized Status action to trigger the email notifications.
Perform the following steps to enable this functionality:
t_notification_event_role.csv:
CODE;BIZ_EVENT;ROLE_CODE
t_notification_code_mapping_setting.csv:
CODE;OBJECT_TYPE_CODE;NOTIFICATION_CODE;MAPPING_SETTING_CODE;SUBCATEGORY_CODE;
● IDEA_CONTRIBUTOR
● IDEA_SUBMITTER
● IDEA_COACH
● COMMENT_OWNER
● IDEA_EXPERT
● CAMPAIGN_MANAGER
● CAMPAIGN_COACH
The innovation managers can make some application settings in the Settings tab of the innovation office, such as
setting the background image or activating the expert finder. For more information about innovation office
settings, see SAP Help Portal and navigate to SAP Innovation Management -> Relevant version -> Application Help
-> Innovation Office -> Settings.
Those settings are not transported, that is, they are only applied in the system where they are made. The following
URL leads the innovation manager directly to those settings:
Note
The usage tracking of the application is activated by default. In certain countries, tracking is subject to data
protection regulations or similar legal frameworks. The typical minimum requirement is a legal disclaimer to
notify the users about the collection of this data. If you activate this feature, be sure to add a suitable legal
disclaimer in your terms and conditions statement.
SAP Innovation Management allows idea form to be filled with URL parameters when creating an idea. The
parameters can be added to the URL with a ‘?’ after the hash/fragment identifier and can be concatenated with a
‘&’. For example,
All exported ideas will be stored in the SAP Innovation Manager server and the export files will be cleared after 7
days.
Note
This setting cannot be reconfigured.
To be able to receive export notification e-mails, ensure that the connected user has maintained an e-mail address.
Overview
You can run an idea campaign for product innovation using SAP Innovation Management.
Software Units
Further Information
The following documents provide more information about Run an Idea Campaign for Product Innovation:
Content Location
SAP Innovation Management is built on the SAP HANA Platform. Therefore, the security settings of the SAP HANA
Platform apply to SAP Innovation Management.
The basic document to refer to for security considerations is the SAP HANA Security Guide. For more information,
see SAP Help Portal and navigate to SAP HANA Platform -> Relevant version -> Security -> SAP HANA Security
Guide.
9.1.1 Introduction
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance
with general data privacy regulation, it is necessary to consider compliance with industry-specific legislation in
different countries. SAP provides specific features and functions to support compliance with regards to relevant
legal requirements, including data protection. SAP does not give any advice on whether these features and
functions are the best method to support company, industry, regional, or country-specific requirements.
Furthermore, this information does not give any advice or recommendation in regards to additional features that
would be required in particular IT environments; decisions related to data protection must be made on a case-by-
case basis, under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with applicable data protection and privacy laws will not be covered by a
product feature. SAP software supports data protection compliance by providing security features and specific
data protection-relevant functions, such as simplified blocking and deletion of personal data. SAP does not
provide legal advice in any form. Definitions and other terms used in this document are not taken from any given
legal source.
9.1.2 Glossary
Retention period: The period of time between the end of purpose (EoP) for a data set and when this data set is
deleted subject to applicable laws. It is a combination of the residence period and the blocking period.
End of purpose (EoP): A method of identifying the point in time for a data set when the processing of personal
data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked
and can only be accessed by users with special authorization (e.g. tax auditors).
Sensitive personal data: A category of personal data that usually includes the following type of information:
Residence period: The period of time after the end of purpose (EoP) for a data set during which the data remains
in the database and can be used in case of subsequent processes related to the original purpose. At the end of
the longest configured residence period, the data is blocked or deleted. The residence period is part of the
overall retention period.
Where-used check (WUC): A process designed to ensure data integrity in the case of potential blocking of business
partner data. An application's where-used check (WUC) determines if there is any dependent data for a certain
business partner in the database. If dependent data exists, this means the data is still required for business
activities. Therefore, the blocking of business partners referenced in the data is prevented.
Consent: The action of the data subject confirming that the usage of his or her personal data shall be allowed
for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific
purpose and shows if a data subject has granted, withdrawn, or denied consent.
Text modules in the innovation office can be created specifically to provide terms and conditions to the community
users. If the innovation manager configures the application accordingly, users shall be prompted to accept the
terms and conditions when they first log in.
Note
Users cannot proceed into the application without accepting these terms and conditions.
In case there are changes made to the existing terms and conditions, users shall be prompted to review and accept
these when they log in next. Similar to their first log in, users cannot proceed to using the application without
accepting the terms and conditions.
For more information about this, refer to the SAP Help Portal and navigate to SAP Innovation Management ->
Application Help -> Application Help for SAP Innovation Management -> Innovation Office -> Configuration ->
Creating a Text Module.
Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be categorized
as sensitive by law, by external company policy, or by internal company policy. These common questions might be
of interest for an application that uses Read Access Logging:
● Who accessed the data of a given business entity, for example a bank account?
● Who accessed personal data, for example of a business partner?
● Which employee accessed personal information, for example religion?
● Which accounts or business partners were accessed by which users?
These questions can be answered using information about who accessed particular data within a specified time
frame. Technically, this means that all remote API and UI infostructures (that access the data) must be enabled for
logging.
Use
In Read Access Logging (RAL), you can configure which read-access information to log and under which
conditions. SAP delivers sample configurations for applications. The application component scenario logs data in
order to describe business processes. You can find the configurations as described in this chapter.
SAP Innovation Management provides a functionality for disclosure, where the system administrator (or innovation manager) can check the individual user's disclosure permissions under the User Management tab in the innovation office, by accepting the terms and conditions for access authorizations. The system creates an access log entry every time a user's personal data is disclosed, depending on the settings made by the administrator (or innovation manager).
For more information about this, refer to the SAP Help Portal and navigate to SAP Innovation Management > Application Help > Application Help for SAP Innovation Management > Idea Community > User List.
To view the access log for a user, select the relevant record in the User Management tab in the innovation office
and select View User Content Access Log. The log shows a record for each time that the data disclosure overview
was accessed and by which user.
For more information about this, refer to the SAP Help Portal and navigate to SAP Innovation Management > Application Help > Application Help for SAP Innovation Management > Innovation Office > User Management > Viewing User Profiles.
Deletion of personal data: The handling of personal data is subject to applicable laws related to the deletion of
such data at the end of purpose (EoP). If there is no longer a legitimate purpose that requires the use of personal
data, it must be deleted. When deleting data in a data set, all referenced objects related to that data set must be
deleted as well. It is also necessary to consider industry-specific legislation in different countries in addition to
general data protection laws. After the expiration of the longest retention period, the data must be deleted.
SAP Innovation Management might process data (personal data) that is subject to the data protection laws
applicable in specific countries.
During the process of creating user profiles in SAP Innovation Management, the system administrator is required to enter an end-of-validity date for these profiles. SAP Innovation Management then uses these dates to determine a validity period for the user profiles. Once the validity date has passed, the user data is archived and then deleted after a predetermined period, unless the profile is renewed.
For more information about setting and viewing the validity of user profiles, refer to http://help.sap.com and navigate to SAP Innovation Management > Application Help > Application Help for SAP Innovation Management > Innovation Office > User Management.
As a community user, you can also view the validity of the connected user's profile. For more information, refer to the SAP Help Portal and navigate to SAP Innovation Management > Application Help > Application Help for SAP Innovation Management > Idea Community > Configuring User Settings and Personal Data > Account Settings.
Personal data is subject to frequent changes. Therefore, for revision purposes or as a result of legal regulations, it
may be necessary to be able to track the changes made to this data. If these changes are logged, you can check
which employee made which change and when at any time. It is also possible to analyze errors in this way. You can
use a report to display these changes. You can further download this report as an Excel or a text file, for offline
access.
To avoid discrepancies during update of personal user data, SAP Innovation Management requires the innovation
manager to select specific attributes of the user profile, for which log entries are created in case of any
modifications. These are global selections and applicable to all users. No log entries would be created for the
attributes that are not selected by the innovation manager.
Integration of SAP Portfolio and Project Management with SAP Innovation Management requires advanced system administration skills and privileges. In particular, it is easy to set up a configuration that seems to work but is insecure. We recommend that you take support from consulting for this task.
SAP Innovation Management uses HTTP requests to link an object in SAP Portfolio and Project Management to ideas in the Innovation Management application. These requests use a secure connection (SSL) and transmit the user authentication information in an SAP assertion ticket. Since there is no user mapping available, it is mandatory that the user names on the Innovation Management side and on the Project Management side are identical.
For the Project and Portfolio Planning relevant settings and supported releases, refer to the attachment
ConfigContPPM in SAP Note 2026421 (Relevant section: Setting up Object Links to Ideas in SAP Innovation
Management), before you start the configuration.
Integration between Portfolio and Project Management and SAP Innovation Management
As a prerequisite for connections from PPM to SAP Innovation Management, the Innovation Management side must be set up to accept HTTPS connections.
For more information on how to set up SAP HANA to accept HTTPS connections, see SAP Help Portal and navigate to SAP HANA Platform > Relevant Version > Administration > SAP HANA Administration Guide > SAP HANA XS Administration Tools.
For the customization of SAP PPM, maintenance of an HTTP RFC destination is critical. As a prerequisite, this destination must be maintained with transaction SM59. As a prerequisite for this intermediate step, the SSL server certificate of the SAP Innovation Management system must be imported into the Portfolio and Project Management system. You can use transaction STRUST to import the certificate into the PPM system. Depending on your desired setup, you may either import the certificate into the System PSE or into a dedicated PSE.
For more information, see SAP Help Portal and navigate to SAP NetWeaver > SAP NetWeaver Platform > SAP NetWeaver 7.0 Including Enhancement Package 3 > Security > SAP NetWeaver Security Guide > Network and Communication Security > Transport Layer Security > Configuring the AS ABAP for Supporting SSL.
As of the current release of SAP HANA, there is no explicit mapping between the user names in the Portfolio and
Project Management Server and SAP HANA. The user names on both systems must be an exact match. The users
authenticated by Portfolio and Project Management are also recognized by Innovation Management. Every
Portfolio and Project Management user who is supposed to create Portfolio and Project Management object links
to ideas in the Innovation Management must also be a user of Innovation Management.
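Because there is no user mapping, a pre-rollout comparison of the two user lists shows which PPM users would not be recognized. The following is an added example, not part of the SAP guide: it assumes both user lists are available as plain lists of names, the function names are hypothetical, and the sample names are constructed.

```python
import unicodedata

def _fold(name):
    """Key that makes near-identical spellings collide (case, spacing, Unicode form)."""
    return unicodedata.normalize("NFKC", name).strip().casefold()

def reconcile_users(ppm_users, inm_users):
    """Classify every PPM user name against the Innovation Management user list.

    exact   - names that are identical on both sides
    near    - (ppm_name, inm_name) pairs that differ only by case, spacing or
              Unicode form: they look right in a review but are not an exact match
    missing - PPM names with no counterpart at all
    """
    inm_exact = set(inm_users)
    inm_folded = {}
    for name in inm_users:
        inm_folded.setdefault(_fold(name), []).append(name)

    report = {"exact": [], "near": [], "missing": []}
    for name in ppm_users:
        if name in inm_exact:
            report["exact"].append(name)
        elif _fold(name) in inm_folded:
            for candidate in inm_folded[_fold(name)]:
                report["near"].append((name, candidate))
        else:
            report["missing"].append(name)
    return report

# Constructed sample exports, not real accounts.
PPM_USERS = ["JSMITH", "MMUELLER", "ALEE ", "KTANAKA", "RGARCIA"]
INM_USERS = ["JSMITH", "mmueller", "ALEE", "KTANAKA", "INO_ADMIN"]

if __name__ == "__main__":
    result = reconcile_users(PPM_USERS, INM_USERS)
    for ppm_name, inm_name in result["near"]:
        print(f"near miss: PPM {ppm_name!r} vs INM {inm_name!r}")
    for name in result["missing"]:
        print(f"no INM user for PPM user {name!r}")
```

Entries under near and missing need to be corrected or created in Innovation Management before those users create object links.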
For upload of users into innovation management, see chapter User and Group Administration. Assign the role of
an innovation office user to these users.
For more information, see SAP Help Portal and navigate to SAP Innovation Management > Application Help > Application Help for SAP Innovation Management > Innovation Office > User Management > Roles in SAP Innovation Management.
Additionally, enable and authenticate the users with an SAP logon ticket. For more information about this, see SAP Help Portal and navigate to SAP HANA Platform > Security > SAP HANA Security Guide > User Configuration.
In the SAP HANA Security Guide, you can also see SAP HANA Authentication and Single Sign-On > Single Sign-On Integration > Single Sign-On Using SAP Logon and Assertion Tickets.
When a user in Portfolio and Project Management triggers a request to the Innovation Management system, the
user is authenticated in Innovation Management automatically.
To enable the validation of the assertion tickets, Innovation Management needs to trust assertion tickets from the PPM system; that is, the HANA system needs to trust the PPM system's certificate. In other words, the server certificate (or its root certificate) used by the PPM system needs to be in the HANA system trust store.
For more information, see SAP Help Portal and navigate to SAP HANA Platform > Relevant version > Security > Security Guide > SAP HANA Authentication and Single Sign-On > Single Sign-On Integration > Single Sign-On Using SAP Logon and Assertion Tickets.
In the innovation office, all existing object links from Portfolio and Project Management are displayed, if the
connected user has required privileges in Portfolio and Project Management. To enable this scenario innovation
management sends a secure request to a service on the Portfolio and Project Management side. Again, single sign-
on with an SAP assertion ticket transfers the authentication information. This requires the following configuration
steps:
For more information, see SAP Help Portal and navigate to SAP NetWeaver > SAP NetWeaver Platform > SAP NetWeaver 7.0 Including Enhancement Package 3 > Security > SAP NetWeaver Security Guide > Network and Communication Security > Transport Layer Security > Configuring the AS ABAP for Supporting SSL.
For more information about Importing a Server Certificate, see SAP Help Portal and navigate to SAP HANA Platform > Relevant version > Administration > SAP HANA Administration Guide > Application Run-Time Services > Maintaining the SAP HANA XS Classic Model Run Time > Managing Trust Relationships > Import a Server Certificate.
To pass user authentication information from Innovation Management to Portfolio and Project Management, the Portfolio and Project Management server must trust Innovation Management's logon assertion tickets. To establish the trust relationship, the Innovation Management server certificate used for signing the assertion tickets must be imported into the Portfolio and Project Management system.
The steps to enable the creation of the assertion ticket and to establish the trust between Portfolio and Project Management and Innovation Management are described in Configure Outbound SSO with Assertion Tickets, steps 1 through 5.
For more information, see SAP Help Portal and navigate to SAP HANA Platform > Administration > Administration Guide > Application Run-Time Services > Maintaining the SAP HANA XS Classic > Maintaining Single Sign-On for SAP HANA XS Applications > Configure Outbound SSO with Assertion Tickets.
Innovation Management uses a logical pointer to the Portfolio and Project Management service, which provides the set of existing object links to a given idea. The SAP HANA XS Administration tool maintains this logical pointer as a URL. Open the administration tool, select the HTTP destination sap/ino/xs/rest/ppm.httpdest (http://<system>:<port>/sap/hana/xs/admin/#/package/sap.ino.xs.rest/httpDestination/ppm), and create an extension for it (or edit an existing extension). Enter your Project and Portfolio Management's system host and (SSL) port number as the target destination and set the path prefix to
"/sap/opu/odata/sap/inm_im_obl_integration_srv/"
Then, follow steps 7 and 8 in the chapter Configure Outbound SSO with Assertion Tickets in the SAP HANA Administration Guide.
For more information, see SAP Help Portal and navigate to SAP HANA Platform > Administration > Administration Guide > Application Run-Time Services > Maintaining the SAP HANA XS Classic > Maintaining Single Sign-On for SAP HANA XS Applications > Configure Outbound SSO with Assertion Tickets.
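A destination that "seems to work but is insecure" can be caught by checking its settings against what this chapter requires. The following is an added example, not part of the SAP guide: it assumes the settings have been exported in the XS classic destination file syntax (key = value; lines with the keys port, useSSL, pathPrefix and authType), and the host name and port numbers are constructed placeholders.

```python
import re

# Path prefix this guide gives for the PPM object-link service.
EXPECTED_PREFIX = "/sap/opu/odata/sap/inm_im_obl_integration_srv/"
LINE = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*;\s*$')

def parse_destination(text):
    """Parse assumed 'key = value;' lines (strings in double quotes) into a dict."""
    settings = {}
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def audit_destination(text):
    """Return (setting, problem) pairs; an empty list means every check passed."""
    s = parse_destination(text)
    findings = []
    port = s.get("port", "")
    if not port.isdigit() or not 0 < int(port) < 65536:
        findings.append(("port", "missing or not a valid TCP port"))
    if s.get("useSSL", "false").lower() != "true":
        findings.append(("useSSL", "assertion ticket would be sent without SSL"))
    if s.get("pathPrefix") != EXPECTED_PREFIX:
        findings.append(("pathPrefix", "expected " + EXPECTED_PREFIX))
    if s.get("authType", "none") != "AssertionTicket":
        findings.append(("authType", "SSO with assertion tickets is not selected"))
    return findings

# Constructed samples; ppm.example.com and both port numbers are placeholders.
WEAK = '''
host = "ppm.example.com";
port = 8000;
useSSL = false;
pathPrefix = "/sap/opu/odata/sap/inm_im_obl_integration_srv";
authType = basic;
'''
HARDENED = '''
host = "ppm.example.com";
port = 44300;
useSSL = true;
pathPrefix = "/sap/opu/odata/sap/inm_im_obl_integration_srv/";
authType = AssertionTicket;
'''
if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_destination(sample))
```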
For more information, see the attachment ConfigContPPM in SAP Note 2026421 .
List of Documents
The following table lists all documents mentioned in this Master Guide:
Title | Location
SAP HANA Platform | SAP Help Portal and navigate to SAP HANA Platform
SAP HANA Master Guide | SAP Help Portal and navigate to SAP HANA Platform > Master Guide
SAP HANA Security Guide | SAP Help Portal and navigate to SAP HANA Platform
SAP HANA Operations and Administration Guides | SAP Help Portal and navigate to SAP HANA Platform > Administration Guide
SAP HANA Developer Guide | SAP Help Portal and navigate to SAP HANA Platform > Guide
SAP Web Dispatcher Configuration Reference | SAP Help Portal and navigate to User Interface Add-On for
SAP Innovation Management Application Help | http://help.sap.com/ and navigate to SAP Innovation
The following table lists all SAP Notes mentioned in this Master Guide.
SAP Note 2037158 | SAP Innovation Management 1.0 Release Note | This note contains the latest information about installing SAP Innovation Management
SAP Note 2388775 | Release Note SAP Innovation Management 2.1 | This note contains the latest information about installing SAP Innovation Management
SAP Note 2576723 | SAP Innovation Management 2.2.6 Patch Note | This note contains the latest information about installing SAP Innovation Management
For more information about currently available releases for SAP Innovation Management (for each release), the
SAP standard software required to install and use the solution, see http://www.service.sap.com/fbs/availability .
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see:
https://help.sap.com/viewer/disclaimer).