Introduction
Most Role Collections related to custom application development are handled by the respective application’s transport mechanism.
However, in scenarios where Role Collections are not tied to custom applications but are needed for team-based access control or set up for some other purpose, you can now transport them using the Content Agent service UI integrated with Cloud Transport Management Service.
Limitations:
This solution is not fully matured. Specifically, the transport mechanism currently fails to ignore application identifiers associated with roles. As a result, you may encounter errors when trying to move a role collection along with its roles.
Due to this issue, we were unable to use this method reliably. SAP has acknowledged the limitation and indicated that a fix is on their roadmap, but as of now, there are no specific timelines for resolution.
Let us dive into the procedure for setting up cTMS for BTP Role Collections.
cTMS Architecture – BTP Role Collections Transports
Here we have four environments, Dev, QA, UAT, and Prod, each corresponding to a separate BTP subaccount. We have provisioned the Cloud Transport Management Service (cTMS) in a separate subaccount. The Security team sets up their Role Collections and exports them from the Dev subaccount using Content Agent Service integrated with Cloud Transport Management Service (cTMS), which then adds the transport to the QA node. From there, it is imported into QA and the subsequent environments (UAT, Prod) through Solution Manager (SolMan), leveraging Focused Build (FB) or Charm status transitions.
Additionally, this setup can be integrated with SAP Cloud ALM.
Setup Steps:
Since several of these SaaS applications share common setup steps, please begin by following the initial setup steps outlined here: Setting Up Cloud TMS for Various SAP SaaS Solutions
Step1: Create Service Instance/Key for SAP Authorization and Trust Management Service
SAP changed the way the Service Instance/Key for SAP Authorization and Trust Management is set up. It is no longer created in the BTP cockpit; it has to be created with the BTP CLI by following the steps below.
- Log on to the SAP BTP CLI, targeting the relevant global account, directory, or subaccount.
- Enter the following command from the location where you kept btp.exe:
.\btp.exe create security/api-credential --name my-credential
You get API credentials, which enable you to access the REST APIs of the SAP Authorization and Trust Management service.
The btp CLI shows the API credential as follows:
Name: my-credential
Credential Type: binding-secret
Read-only: false
Client Secret: <secret>
Certificate: <null>
Client ID: sb-full-access!axxxx
Step2: Create SAP Authorizations and Trust Management Service Destination
In all BTP subaccounts where you perform export/import operations, create a destination for SAP Authorization and Trust Management service. This is mandatory, without which you will not be able to export/import content successfully.
Name: Name should be “XSUAARoleCollections”
URL: https://api.authentication.<region>.hana.ondemand.com
Authentication: OAuth2ClientCredentials
Token Service URL: https://<subdomain>.authentication.<region>.hana.ondemand.com/oauth/token
Grab the Client ID & Secret from the Service Key set up for SAP Authorization and Trust Management Service in step1.
Step3: Create TransportManagementService Destination
SAP Content Agent service supports content transport using SAP Cloud Transport Management. To enable this service to Export the content to the transport queue of cTMS, the destination must be created in the Source SAP BTP account with this name.
Name: Name should be “TransportManagementService”
URL: uri from the cTMS service key
Authentication: OAuth2ClientCredentials
Token Service URL: uaa → url from the cTMS service key
Grab Client ID & Secret from cTMS Service Key.
Step4: Create a Service Instance and Key for Content Agent Service
In the Target SAP BTP account, where you want to perform Import, you create the service instance and service key for the SAP Content Agent service with application plan.
This service key will be used in creating Destinations.
Step5: Create Destinations to CF Subaccounts
In the subaccount where the Cloud Transport Management (cTMS) service is subscribed, create a destination to each target BTP subaccount. We don’t set up any destination for the Dev subaccount. The Dev node in cTMS will be virtual for this scenario.
Name: Give an appropriate name that resembles your cTMS node
URL: https://content-agent-engine.cfapps.<region>.hana.ondemand.com
Authentication: OAuth2ClientCredentials
Token Service URL: https://<subdomain>.authentication.<region>.hana.ondemand.com/oauth/token
Please use the client ID and secret from the Content Agent service key created in step4 above.
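The destinations in Step2, Step3 and Step5 only work if the names and OAuth settings match exactly, so a pre-flight check is worth running before the first export. The following is an added example, not part of the original post: it validates destination definitions against the values given above, assuming they are available as KEY=VALUE text with the keys Name, URL, Authentication, tokenServiceURL, clientId and clientSecret (an assumed export format); the sample input and the region eu10 are constructed.

```python
from urllib.parse import urlparse

FIXED_NAMES = ("XSUAARoleCollections", "TransportManagementService")  # Step2, Step3

def parse_properties(text):
    """Parse KEY=VALUE lines (assumed destination export format), skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_destination(props, node_destination=False):
    """Return findings for one destination; an empty list means it matches the post."""
    findings = []
    name = props.get("Name", "")
    # Match case-insensitively so a near-miss name still gets the right URL checks.
    kind = next((n for n in FIXED_NAMES if n.lower() == name.lower()), None)
    if not node_destination and kind != name:
        findings.append(f"Name {name!r} must be exactly {kind or ' or '.join(FIXED_NAMES)}")
    if props.get("Authentication") != "OAuth2ClientCredentials":
        findings.append("Authentication must be OAuth2ClientCredentials")
    url, token = urlparse(props.get("URL", "")), urlparse(props.get("tokenServiceURL", ""))
    for key, parsed in (("URL", url), ("tokenServiceURL", token)):
        if parsed.scheme != "https" or not parsed.hostname:
            findings.append(f"{key} must be an https URL")
    host = url.hostname or ""
    if kind == "XSUAARoleCollections" and not host.startswith("api.authentication."):
        findings.append("URL host must start with api.authentication.")
    if node_destination and not host.startswith("content-agent-engine.cfapps."):
        findings.append("URL host must start with content-agent-engine.cfapps.")
    # Step2 and Step5 give the token URL with an explicit /oauth/token path.
    if (node_destination or kind == "XSUAARoleCollections") and token.path != "/oauth/token":
        findings.append("tokenServiceURL must end with /oauth/token")
    findings += [f"{k} is missing" for k in ("clientId", "clientSecret") if not props.get(k)]
    return findings

# Constructed sample: wrong-case name, token URL without /oauth/token, no secret.
SAMPLE_BAD = """\
Name=XsuaaRoleCollections
URL=https://api.authentication.eu10.hana.ondemand.com
Authentication=OAuth2ClientCredentials
tokenServiceURL=https://mydev.authentication.eu10.hana.ondemand.com
clientId=sb-example
"""
print("\n".join(check_destination(parse_properties(SAMPLE_BAD))))
```

Pass node_destination=True for the Step5 destinations, whose names are free-form but whose URL must point at the Content Agent engine.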
Step6: Configure Transport Nodes in cTMS
Prerequisites
- You have been assigned one of the following roles: Administrator or LandscapeOperator.
From the cTMS UI, you can define transport nodes to represent your system landscape. There are multiple ways to create a node:
You can create a node either on the Landscape Visualization screen or from the Transport Nodes screen.
Allow Upload to Node: Enable this checkbox to allow file uploads to the node. It is enabled for the Dev node, but in this scenario the Dev node will be virtual.
Forward Mode: Default value is Auto. You can change this setting based on your landscape and transport flow requirements.
Controlled by SAP Solution Manager: Select this checkbox only if you plan to integrate with SAP Solution Manager (e.g., Charm or Focused Build). We will only enable this for QA and upper environments. When you enable this, it will not allow manual imports from cTMS UI, only through Charm/FB status change.
Note: If you plan to integrate with Cloud ALM, do not check this option.
Content Type: For Content Agent Service, select Multitarget Application archives.
Destination: Select the appropriate target destination you previously configured in your cTMS subaccount in Step5.
Step7: Create Transport routes in cTMS
In SAP Cloud Transport Management, transport routes are used to connect transport nodes.
Name: Provide the appropriate name
Choose the Source node & Target node and click on OK.
Your landscape looks like this
Note: You can also use the Transport Landscape Wizard, with which you can set up all your landscape nodes & routes at once.
Step8: Subscribe to Content Agent Service in Dev Subaccount
To export the Role Collection content using Content Agent Service, we have to subscribe to CAS in Dev subaccount. Please follow these steps for the same:
- Navigate to your SAP BTP Dev subaccount, where you want to subscribe to the Content Agent Service.
- From the left-hand navigation pane, go to: Services → Service Marketplace
- In the Service Marketplace, search for Content Agent.
- Select the Content Agent tile from the search results.
- Click Create
- From the Plan dropdown, select free (the service type is preselected as Content Agent).
- Click Create to confirm the subscription.
- Click on Go to Application to access the Content Agent Service UI
From there you will be able to select the Content and export as transport using cTMS.
Step9: Integrate with Solution Manager
To integrate Cloud Transport Management (cTMS) with SAP Solution Manager (Charm / Focused Build), follow step6 from the article below.
If you want to integrate with Cloud ALM, follow step7 from the article below.
Setting Up Cloud TMS for Various SAP SaaS Solutions
Conclusion:
I hope you learned how to set up cTMS for BTP Role Collection transports using Content Agent Service. Now the setup is complete and ready to transport the content using cTMS, integrated with either SAP Solution Manager or Cloud ALM.
Thank you for reading my article. Feel free to provide any feedback or comment with any questions.
Thanks,
Raghu