Modernizing the Employee User Experience with SAP Fiori Cloud

Companies are embracing digital transformation and creating strategies to adapt to the digital age. Leading the way for digital transformation is a delightful user experience. Companies understand now more then ever how important a simple and intuitive user experience is for increasing productivity, staying competitive and fostering employee satisfaction. SAP is offering the tools to streamline a company's journey towards digital transformation.

Regardless of industry, an intuitive user experience is quickly becoming standard for user acceptance and productivity. Below is a table detailing examples of different employee roles and the types of commonly-used SAP Fiori Cloud apps to streamline productivity.  Note, this is a subset of the available SAP Fiori Cloud apps, for a full list please visit the SAP Fiori apps reference library.

Business Example 

A company is driving a global simplification strategy to enhance the user experience of current processes and develop new apps for their employees and external customers. They are running an SAP Business Suite back-end system and would like to achieve their goals while capitalizing on their current investment. The project is being driven by a cloud first mentality and a user shift towards mobile devices, a need to increase productivity and drive better user experience, a requirement for an innovation platform to build new apps, and a desire to separate on-premise systems from the UX.

SAP Fiori Cloud offers apps focused on the most commonly-used business scenarios across industries and lines of business.

Solution Description

The retail company has purchased a license for SAP Fiori Cloud. This license provides them access to all the SAP Fiori Cloud apps and the supporting tools such as the SAP Cloud Platform Web IDE service, OData provisioning service, the SAP Fiori launchpad, the SAP Fiori launchpad configuration cockpit, etc. The company will first implement the My Leave Requests and Approve Leave Requests apps. They have an SAP ERP 6.0 system and are running SAP NetWeaver 7.40. They do not have a separate frontend SAP Gateway system and have decided to leverage the SAP OData provisioning service that comes with their SAP Cloud Platform account, understanding that this service is suited only for SAP Business Suite backends and will not provide full SAP Gateway capabilities. They will download and use the Cloud Connector to achieve the connection from their on-premise system to their SAP Cloud Platform account. 

After a successful launch of the two HCM apps to a small group of 50 employees the company will start phase 2 and introduce the My Timesheet and Approve Timesheet apps. In the third phase they will implement retail specific apps including Lookup Retail Products, Order Products and Receive Products. They have an end goal of rolling these apps out to 2000 employees.

SAP Cloud Platform is the extension platform for SAP. It enables developers to develop loosely-coupled extension applications securely, thus implementing additional workflows or modules on top of the existing solution they already have.

SAP Cloud Platform supports scenarios for consumers (B2C), for partners (B2B), and for employees (B2E). The solution provided in this blueprint is part of a company B2E scenario. The B2E scenario is related to services for employees and managers of an organization/customers/partners and it defines certain aspects of the architecture:

• Employees can better manage their time
• Companies can roll out their SAP Fiori launchpad to an unlimited number of employees
• Back-end data can be accessed any place and at any time from any device
• More apps can be added and rolled out without the need for formal training or downtimes

Reference Solution Diagram

The following diagram of the solution illustrates a basic architectural pattern of the runtime environment for implementing SAP Fiori Cloud with an on-premise SAP Business Suite system.

Reference Solution Components

SAP Cloud Platform components for licensing considerations

The packing and pricing components found in this Blueprints are under the assumption that you already have a configured backend SAP system to connect to. SAP Fiori Cloud licensing model is based on the named users accessing the Fiori apps. Start with the base license package and then add the required additional users.

A license for SAP Fiori Cloud provides access to the following SAP Cloud Platform services. Visit the SAP Fiori Cloud page to learn more about the resources included in the SAP Fiori Cloud Packages:

Fiori apps and corresponding content for business suite and S/4HANA backend systems. Automated updates and maintenance activities are included in the subscription.

Portal Service to create and publish freestyle and SAP Fiori launchpad style business sites.

OData provisioning service  enables you to use SAP Gateway OData Services to extract data from SAP Business Suite systems so this data can be consumed freely in the cloud.

Cloud Connector to establish connections between cloud applications and on-premise systems.

Connectivity to securely access remote services that run on the internet or on-premise.

Identity Authentication Service to secure authentication and single sign-on for users in the cloud.

Fiori Configuration Cockpit (FCC) a tool used by administrators to create new and maintain existing content for SAP Fiori launchpad sites.

SAP Web IDE to create and extend applications for browser and mobile devices.

SAP Build to create interactive prototypes without writing any code.

UI Theme Designer to apply your corporate branding to applications based on SAPUI5 technology.

Overview

Security can be a very confusing topic. To make it easier to understand, consider breaking it up into three topics: Authentication, Authorization and Single Sign-on.  

Consider the following topic descriptions:

1. Authentication is the process of proving that an application user is who they say they are.
2. Authorization is the process of providing permissions to the user, giving users the access to the application data that they need.
3. Single Sign-On is the service that permits a user to use one set of login credentials to access multiple applications.

The diagram below depicts at a high level where the three security topics fit in an overall  SAP Cloud Platform solution.

Solution Security Considerations

SAP Cloud Platform Identity Authentication is a cloud solution for identity lifecycle management for SAP Cloud Platform applications, and optionally for on-premise applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer, partners, and consumers.

For this solution, Identity Authentication service was the chosen method for doing authentication.  SAP Cloud Platform Authorization was chosen for as the authorization method and Principle Propagation was chosen for single sign-on. You can go to the security blueprint by clicking on the link in the section.  From the security blueprint, you can link to all the other options you have for authentication, authorization and single sign-on in the blueprint library.

When implementing the solution just described, keep in mind that each of the three security topics described above have a number of options for how they get implemented with the SAP Cloud Platform.

Scenario Authentication

SAP Cloud Platform Identity Authentication Service - This blueprint provides common information, guidance, and direction for implementing the SAP Cloud Platform Identity Authentication Service as the Identity Provider for application on the SAP Cloud Platform. It will allow you to use a common source of identities for all your cloud based application.  It provides a standard, internationally adopted method for authentication using SAML assertions.

For more information visit SAP Cloud Platform Identity Authentication service | SAP Cloud Platform Blueprint  

Scenario Authorization 

Authorization - This blueprint provides common information, guidance as to how authorizations on the SAP Cloud Platform are implemented and how authorizations relate to identity providers and the applications and services on SAP Cloud Platform.

For more information, visit Authorization | SAP Cloud Platform

Scenario Single Sign-On

Principle Propagation - This blueprint provides common information, guidance, and directions for implementing principal propagation with X.509 certificate from SAP Cloud Platform to the back-end system that is running on-premise to achieve Single Sign-On. It will allow you to use this method for any endpoint service that accept X.509 certificate base authentication.

For more information, visit Principal Propagation | SAP Cloud Platform

Other Scenarios

SAP Cloud Platform API Management - The OData Services exposing records from SAP Business Suite systems so that data can be consumed freely in the cloud needs to protected against cyber attacks that range from code injections to gain access to sensitive data, sending inflated data structures to spike server resource consumption or flood target systems with too many calls resulting in denial of service.

SAP Cloud Platform API Management provides one experience for managing and monitoring all APIs across various data platforms and is enriched with real-time analytics. It enables consumers to access relevant data directly in a secure manner. Selective data can be exposed while reducing the risk of security breaches. Rather than app developers consuming services directly, they access APIs created using SAP Cloud Platform API Management handling the security and authorizations required to protect, analyze, and monitor your services.

SAP Cloud Platform, API Management offers many out of the box API Security polices based on the OWASP API security best practices which can be customized for your enterprise requirements.

The diagram below depicts at a high level where the SAP Cloud Platform API Management fit in an overall  SAP Cloud Platform solution.

This blueprint highlights important considerations companies need to analyze when implementing SAP Fiori Cloud apps in order to effectively increase employee job satisfaction and reduce internal training costs. However, it is recommended to review further information to help you design and develop your user experience. The following resources are a starting point.

For more details and how to steps refer to the Back-End Connectivity with SAP Fiori Cloud Extended Demo Account 3 part blog series.

Using Mutliple Subaccounts for Staged Application Development

The SAP Cloud Platform allows you to achieve isolation between the different application life cycle stages (development, testing and productive) by using multiple subaccounts. This approach ensures better stability and security for productive accounts and ideally follows backend setup. Configuration content and applications can be exported and imported to the target account. For more information visit the help documentation.

Enterprise Architecture Explorer describes the various deployment options for the Frontend Server

SAP Fiori Apps Reference Library provides configuration information for Fiori apps. This library should always be referenced as a precursor to starting any Fiori implementation

Landscape Configuration Guide: SAP Fiori Cloud is the official documentation to find out general information about connecting the on-premise back-end system to the SAP Cloud Platform and activating and extending pre-implemented SAP Fiori apps.

• If using Business Suite: click here Landscape Configuration Guide: SAP Fiori Cloud for Business Suite
• If using S/4HANA Landscape Configuration Guide: SAP Fiori Cloud for S/4HANA

Read more about the development environment in the help documentation.

SAP Fiori Cloud Demo: Sign up for an account today!