Skip to content

sap-successfactors-employee-central-payroll-ea4533a.md

Latest commit

 

History

History
300 lines (181 loc) · 15.5 KB

sap-successfactors-employee-central-payroll-ea4533a.md

File metadata and controls

300 lines (181 loc) · 15.5 KB

SAP SuccessFactors Employee Central Payroll

This page explains how to connect SAP SuccessFactors Employee Central Payroll to SAP Cloud ALM to enable monitoring.

Currently, SAP SuccessFactors Employee Central Payroll supports the following monitoring applications:

Prerequisites

You can obtain the SAP Cloud ALM service key to connect to the SAP Cloud ALM system. More under Managing Your Service Credentials.

Technical Prerequisites

Set up your ABAP system in transaction /SDF/ALM_SETUP, with the following requirements:

  • SAP_BASIS release:

    • 7.40 SP16 or higher (accordingly 7.50 SP05)
    • Or 7.40 SP09 - SP15 (7.50 SP00 - 7.50 SP04) with SAP Note 2283880 - Logon Username not used in RFC API

  • SAP_UI version: SAP_UI 740 SP15 or higher

  • Implement ST-PI 7.40 support packages and keep them up to date, including the collective corrections suited for your ST-PI support package from the required SAP Notes listed after this.

    Operate your ABAP managed system with at least the latest or second latest support package that's available on the SAP Support Portal.

  • For Business Process Monitoring in SAP S/4HANA and SAP Business Suite 7, at least ST-A/PI version higher that 01U_731 must be available. Always keep it up to date.

    If using ST-A/PI version 01W, implement the latest versions of SAP Notes listed on this page.

  • The profile parameter icm/HTTPS/client_sni_enabled is set to TRUE. See also SAP Note 510007 (Additional considerations for setting up SSL on Application Server ABAP).

  • Profile parameter ssl/client_ciphersuites is defined as described in section 7 of SAP Note 510007.

  • DigiCert Global Root G2 has been imported in STRUST under SSL Client (Anonymous) and SSL Client (Standard).

  • DigiCert TLS RSA4096 Root G5 has been imported in STRUST under SSL Client (Anonymous) and SSL Client (Standard).

  • You've installed the latest version of the following SAP Notes for ST-PI:

    • SAP Note 3639977 – Collective corrections as of ST-PI 7.40 SP32 for SAP Cloud ALM (including SP33)
    • SAP Note 3575903 – Collective corrections as of ST-PI 7.40 SP30 for SAP Cloud ALM (including SP31)
    • SAP Note 3502641 – Collective corrections as of ST-PI 7.40 SP28 for SAP Cloud ALM (including SP29)
    • SAP Note 3421256 – Collective corrections as of ST-PI 7.40 SP26 for SAP Cloud ALM (including SP27)
    • SAP Note 3374186 – Collective corrections as of ST-PI 7.40 SP24 for SAP Cloud ALM (including SP25)
    • SAP Note 3312428 – Collective corrections for Integration & Exception Monitoring in SAP Cloud ALM
    • SAP Note 3281776 – Job & Automation Monitoring: ST-PI 740 SP21+ fixes for on-premise jobs (ABAP jobs and BW process chains)

Network Prerequisites

The communication between your ABAP system and SAP Cloud ALM happens from the ABAP system towards SAP Cloud ALM. You don't need to install an SAP Cloud Connector if you only want to set up monitoring or transport management in SAP Cloud ALM.

You only need an SAP Cloud Connector if your use case requires an endpoint to be created from SAP Cloud ALM towards the ABAP system. Currently, this is only the case for ABAP systems of the type SAP Focused Run and SAP Solution Manager or if you want to use the use SAP Business Transformation Center.

To establish the connection from the ABAP system to SAP Cloud ALM:

  • You can obtain the SAP Cloud ALM service key to connect to the SAP Cloud ALM system. More under Managing Your Service Credentials.

  • Ensure the following URLs can be reached:

    • The SAP Cloud ALM API URL, service key endpoints:Api, without /api.
    • The SAP Cloud ALM OAuth URL, service key uaa:url followed by /oauth/token.
    • If you want to activate mTLS-based authentication, you also need the SAP Cloud ALM OAuth cert URL, service key uaa:certurl extended by /oauth/token. You find this URL in the X.509-enabled service key, which is created after the mTLS-based authentication has been activated in the next section, where the PUSH Data Provider is configured.

  • If you use a proxy in your network, ensure it's configured to allow calls to these URLs. For more information, check the Region-Specific IP Address Ranges.

  • If your SAP ABAP system is hosted with SAP Enterprise Cloud Services (ECS), create a service request with SAP ECS to add the following URLs to the allowlist for your environment. This does not apply for SAP SuccessFactors Employee Central Payroll.

    • Root URL: SAP Cloud ALM service key parameter endpoints:api without /api.
    • OAuth URL: SAP Cloud ALM service key parameter uaa:URL.
    • If you want to activate mTLS-based authentication, you also need the OAuth Cert URL: SAP Cloud ALM service key parameter uaa:certurl. You find this URL in the X.509-enabled service key, which is created in the next section, where the PUSH Data Provider is configured.

Required Authorizations

For the setup, consider two users in the managed ABAP system:

  • The user performing the setup: To run transaction /SDF/ALM_SETUP, your personal user needs the PFCG role SAP_SDF_ALM_SETUP.

    Note: In this role, maintain the authorization field S_BTCH_NAM > BTCUNAME either with an asterisk (*) or with the user name of the user that you plan to use for the background job for the data collection.

  • The user to run the background job for the data collection: Assign the roles as described in the following table:

    ST-PI Release

    Required Authorizations

    ST-PI 7.40 SP31 for DVM

    The Data Volume Efficiency (also known as Data Volume Management) KPIs featured on the RISE with SAP Methodology dashboard require data collection through the data collector available from ST-PI 7.40 SP31.

    To ensure data collection runs without errors, assign the following role to the existing batch user: SAP_SDF_ALM_METRIC_PUSH_DVM

    ST-PI 7.40 SP29 for certificate-based authentication

    If you want to use certificate-based authentication, you can either create a dedicated user for the certificate rotation or assign the following role to the existing background user:

    SAP_SDF_ALM_MTLS. For systems with SAP_BASIS below 7.51, you can ignore S_PSE_ADM.

    Note: With ST-PI 7.40 SP29, Exception Monitoring is no longer a standalone use case. Therefore, the PFCG role SAP_SDF_ALM_METRIC_PUSH_EXMON has been removed and the Exception Monitoring permissions are now included in the respective PCFG roles for Integration Monitoring and Job and Automation Monitoring.

    ST-PI 7.40 SP25 and higher

    In addition to the authorizations for ST-PI 7.40 SP24, you need:

    • SAP_SDF_ALM_METRIC_PUSH_CSA
    • SAP_SDF_ALM_METRIC_PUSH_CSA_S. This role allows the detection of special users (such as SAP*) that use default passwords.

    In versions below ST-PI 7.40 SP25, you can either use the existing SAP Focused Run roles for Configuration and Security Analysis or the roles that are delivered with SAP Note 3372078 (recommended).

    ST-PI 7.40 SP18 and higher

    In addition to the authorizations for ST-PI 7.40 SP16, you need:

    • SAP_FRN_SDAGENT_CSA_MS. This role contains authorization objects that are delivered by SAP without an authorization. To use Configuration and Security Analysis in SAP Cloud ALM, maintain the following authorization objects:

      • S_RFC_ADM: ICF_VALUE = '*'
      • S_DATASET: FILENAME = '*', PROGRAM = '*'
      • S_LOG_COM: HOST = '*', OPSYSTEM = '*'

    • SAP_FRN_SDAGENT_CSA_SEC_MS. This role allows the detection of special users (such as SAP*) that use default passwords.

    ST-PI 7.40 SP16 and higher
    • SAP_SDF_ALM_METRIC_PUSH_FND*

    Assign the following authorizations depending on the SAP Cloud ALM use cases that you plan to activate:

    • SAP_SDF_ALM_METRIC_PUSH_BPMON
    • SAP_SDF_ALM_METRIC_PUSH_EXMON *
    • SAP_SDF_ALM_METRIC_PUSH_HEALTH *
    • SAP_SDF_ALM_METRIC_PUSH_INTMON
    • SAP_SDF_ALM_METRIC_PUSH_JOBMON
    • SAP_SDF_ALM_METRIC_PUSH_PERF
    • SAP_BC_TRANSPORT_ADMINISTRATOR (in client 000 and in the client of your development system where the target is created)

    * Download the latest version of the roles from SAP Note 3372078.

    ST-PI 7.40 SP15
    • SAP_SDF_ALM_METRIC_PUSH_FND *
    • SAP_SDF_ALM_METRIC_PUSH_BPMON *
    • SAP_SDF_ALM_METRIC_PUSH_EXMON *

    * Download the latest version of the roles from SAP Note 3054258.

Configuration of PUSH Data Provider

The monitoring for SAP SuccessFactors Employee Central Payroll uses a PUSH mechanism to push monitoring data to SAP Cloud ALM.

  1. Log on to the production client.

  2. Start transaction /n/SDF/ALM_SETUP.

  3. Enter Target ALM Description.

    • To create a new ALM destination, enter a name, such as SAP Cloud ALM, and choose Enter.
    • To change an existing ALM destination, select one from the F4 input help and choose Enter.

    The subsequent fields are filled.

  4. Maintain the HTTP destination:

    • Choose Update destination.

    • You can copy and paste the content from the JSON file created during the enablement of the SAP Cloud ALM APIs by choosing Paste Service Keys. (More information under Enabling SAP Cloud ALM API.)

      Or you can fill the required fields manually:

      1. Token Endpoint: SAP Cloud ALM service key parameter url followed by /oauth/token.
      2. Client ID: SAP Cloud ALM service key parameter clientid.
      3. Client Secret: SAP Cloud ALM service key parameter clientsecret.
      4. Proxy User: if required by your network infrastructure.
      5. Proxy Password: if required by your network infrastructure.
      6. Proxy Host: if required by your network infrastructure.
      7. Proxy Port: if required by your network infrastructure.
      8. Root URL: Enter the SAP Cloud ALM service key parameter Api without /api, for example https://eu10.alm.cloud.sap.

    • Choose Ok to close the pop-up window.

    • To delete a destination, choose Delete destination.

  5. Enter a background user and register the system:

    • Enter the background user that you've created to perform the data collection.

      Ensure that it has the authorizations as described under Prerequisites.

    • Choose Register to call SAP Cloud ALM and register the system. If the call is successful, an LMS ID from the Landscape Management is retrieved and displayed.

    • To unregister a system, choose Unregister. Caution: This stops all data collection and heartbeat measurements.

  6. Select the use cases for that you want to collect and push data.

Additional Health Monitoring Metrics for SAP HANA

If you are using Health Monitoring and the SAP HANA database host is not running directly on the application host, you can add metrics as described in Additional SAP HANA Database Health Monitoring Metrics for SAP S/4HANA.

Setup in SAP Cloud ALM

After the successful setup that's described in the previous section, the SAP S/4HANA Cloud Private Edition system appears as a registered service in the Landscape Management app of SAP Cloud ALM.

When you've set up the monitoring push to SAP Cloud ALM in SAP BTP Cockpit for your managed service, the data collection is active, with default monitoring configurations.

You can adjust the monitoring setup within the monitoring app in SAP Cloud ALM. Find more information on the configuration for the apps under SAP Cloud ALM for Operations.

For SAP Health Monitoring, also refer to Additional SAP HANA Database Health Monitoring Metrics for SAP S/4HANA.

Troubleshooting

To troubleshoot any issues with the setup or the data collection, refer to Troubleshooting for ABAP Systems.