Overview of Duet Enterprise
Applies to: Duet Enterprise for Microsoft SharePoint and SAP
Duet Enterprise for Microsoft SharePoint and SAP is a new jointly developed product from SAP and Microsoft that enables interoperability between SAP applications and Microsoft SharePoint Server 2010 Enterprise Edition. Duet Enterprise empowers employees to consume and extend SAP processes and information from within SharePoint Server 2010 and Microsoft Office 2010 client applications.
This article helps SharePoint administrators, SAP administrators, and system architects understand Duet Enterprise architecture, the ready-to-use capabilities, how SAP information is surfaced in SharePoint Server and Office applications, and how authentication works. A high-level overview of monitoring and troubleshooting is also included.
In addition to this overview article, a downloadable Duet Enterprise for Microsoft SharePoint and SAP poster is available. It provides supplemental information, including product usage examples, detailed Duet Enterprise architectural descriptions, and graphically presented security information.
Download the poster (https://go.microsoft.com/fwlink/p/?LinkId=205014).
View the Duet Enterprise architecture poster (https://go.microsoft.com/fwlink/p/?LinkId=208381) online where you can zoom and pan to see details.
For more information about Duet Enterprise benefits, see https://microsoft.com/duet (https://go.microsoft.com/fwlink/?LinkId=195937).
How SAP information is surfaced in SharePoint Server and Microsoft Outlook 2010
Duet Enterprise enables users to access and interact with business processes and information in SAP applications by using Microsoft SharePoint Server 2010 Enterprise Edition and Microsoft Office 2010.
Some examples of tasks that users can do include:
Revise SAP data that exists in a SharePoint list and write these changes back to the SAP system.
Update information about a customer or create a new sales contact from within Microsoft Outlook 2010.
Surface SAP information, which is integrated as external content types in SharePoint Server, in Microsoft Outlook 2010 as contacts, tasks, calendars, and posts.
SharePoint sites can use several alternatives to surface information from SAP applications:
A set of specialized Web Parts that are provided with Duet Enterprise
External lists (which are connected to SAP information in SAP applications)
Document libraries
System architects can use these components to design a solution, use the site templates that are described in the following list, or use a combination of these ready-to-use capabilities.
When deploying Duet Enterprise, SharePoint administrators can choose to do any combination of the following in a Duet Enterprise enabled Web application:
Create one or more reporting sites
Create one or more workflow sites
Create the Duet Enterprise sites
Add Duet Enterprise Web Parts to any SharePoint site
Bring SAP HR data into the SharePoint Profile
Create external lists that surface SAP data in SharePoint Server
Duet Enterprise enables SharePoint administrators to create one or more reporting sites for running SAP reports from within a SharePoint site. A reporting site provides a list of all SAP reports that can be run from within the SharePoint site. Note that the Duet Enterprise sites have a reporting site, by default, but you can create as many customized reporting sites as you want.
Duet Enterprise enables SharePoint administrators to create one or more workflow sites for interacting with SAP workflows. Workflow sites can receive workflow approval requests from SAP workflows that are running in the SAP environment and workflow requests can be sent to Microsoft Outlook. Users can approve requests from the e-mail object or SharePoint tasks folder. The approval object provided with Duet Enterprise provides rich contextual information to help users make decisions to complete the approval process. More information about workflows is provided later in this article.
Duet Enterprise provides Duet Enterprise sites in SharePoint Server. This is a group of sites that are created using a site collection template. The sites contain lists, libraries, and specialized Web Parts that are designed for viewing and managing SAP data. The SharePoint Server sites can be used as the main entry point for viewing and managing SAP information within SharePoint Server or you can build your own solution by adding the specialized Web Parts provided by Duet Enterprise to other sites, or a combination of both.
Duet Enterprise provides the ability to enhance SharePoint My Site Web sites, by surfacing SAP personal data on the SharePoint My Site profile page.
Extensibility of Duet Enterprise
In addition to the site templates and specialized Web Parts that are provided, Duet Enterprise can be extended in many ways. For example:
SAP NetWeaver ABAP developers can create new services, adapt existing ones, and also develop custom logic on SAP NetWeaver.
Business Power Users can create declarative solutions without writing code, create external lists and document libraries, and design views and forms.
Microsoft .NET developers can:
Modify solutions that were created using Microsoft SharePoint Designer 2010.
Develop new Duet Enterprise solutions that provide a custom user experience.
Create a custom user experience by integrating data in different ways, and create and edit building blocks, such as Web parts, to surface SAP information in SharePoint sites.
Microsoft Silverlight developers can leverage Duet Enterprise to create unique user experiences in SharePoint sites around SAP data.
Taking SAP information offline
Information workers can take SAP data offline by using Outlook 2010 or Microsoft SharePoint Workspace 2010. They can work with SAP data in Outlook by creating external content types in SharePoint that are based on the native Outlook data types, Contacts, Tasks, Calendars, and Posts. They can also work with SAP information offline by downloading external lists, SAP reports, and libraries with external data columns to SharePoint Workspace 2010.
Architecture
Duet Enterprise provides two sets of Add-on components. The Duet Enterprise SharePoint Add-on is installed on servers running Microsoft SharePoint Server 2010 Enterprise Edition. The Duet Enterprise SAP Add-on runs on top of SAP NetWeaver 7.02 ABAP.
This section describes:
Components that support Duet Enterprise
Components provided with Duet Enterprise
Heterogeneous system support
Components that support Duet Enterprise
The following figure shows the components of Microsoft SharePoint Server 2010 on which Duet Enterprise is built. The SAP system components that are shown support Duet Enterprise.
Figure 1 – Components that support Duet Enterprise
The following list describes the key components on the SharePoint system (shown in Figure 1) that are used by Duet Enterprise and the key components in the SAP environment (shown in Figure 1) that support Duet Enterprise.
SharePoint workflow functionality supports interactions between SharePoint users and SAP workflows.
The Enterprise Content Manager component is used to manage the lifecycle of documents, such as SAP reports.
Duet Enterprise uses the SharePoint Security Token Service to interact with the claims-based authentication provider that is provided by SharePoint Server 2010 to authenticate users using SAML tokens.
The Microsoft Business Connectivity Services provide a connector for communication between Microsoft SharePoint Server and the SAP environment along with other features used to connect to and interact with SAP information.
The reporting modules that run on SAP NetWeaver or SAP Business Information Warehouse provide reporting functionality around SAP data.
The SAP Workflow engine runs all SAP workflows.
SAP Enterprise services are used to interact with the SAP Business Suite and retrieve SAP information and content.
The SAP Shared Master Data and Computing Center Management System tools are used to monitor SAP systems and SAP Duet Enterprise components. These SAP supportability tools are described in the Monitoring and Troubleshooting section, later in this article.
Components provided with Duet Enterprise
This section describes the components that are provided with Duet Enterprise.
Figure 2 – Components that support and are installed with Duet Enterprise
The following list describes the components of the Duet Enterprise SharePoint Add-on (shown in Figure 2).
The Duet Enterprise site templates provide SharePoint users with an entry point into the preconfigured Duet Enterprise experience. The Duet Enterprise sites are composed of an initial set of subsites, including Customers, Products, Quotations and a set of sites for collaboration on customers and other business data. These sites are preconfigured to connect to the corresponding business objects in the SAP environment.
The Duet Enterprise Workflow feature enables SharePoint users to participate in SAP workflows, for example, to approve an expense report.
The Duet Enterprise Reporting feature enables SAP reports from SAP BW or SAP Enterprise Resource Planning to be retrieved directly from and viewed in SharePoint Server.
The Business Connectivity Services Solution Designer feature is used to customize Duet Enterprise solutions.
The Duet Enterprise Collaboration feature enables SharePoint users to collaborate around SAP information and objects. This feature provides a set of templates to set up collaboration sites.
The monitoring and supportability components support troubleshooting of both Microsoft and SAP components.
Duet Enterprise Role and Profile Sync enables SAP roles and SAP profiles to be used in SharePoint Server 2010.
The following list describes the components of the Duet Enterprise SAP Add-on (shown in Figure 2).
A. Business Content includes a set of prepackaged SAP business objects.
B. Duet Enterprise Workflow enables SharePoint users to participate in SAP workflows.
C. Duet Enterprise Reporting enables SharePoint users to retrieve reports from SAP. Reporting also enables the configuration of report catalogs, which are then made available on a Reporting Site in SharePoint Server.
D. The Content Publisher is used to transfer content from SAP to SharePoint Server.
E. The Object Instance Cache is used to cache Duet Enterprise specific data and information.
F. The Routing Manager routes requests for reports from SAP NetWeaver to the corresponding SAP system.
G. The Role Provider enables SharePoint Server 2010 to get a list of SAP roles that can be used to grant permissions on securable objects in SharePoint Server.
In the SAP environment, the Duet Enterprise SAP Add-on provides the services, listed above, for enabling the interoperability between SAP business applications, such as the SAP Business Suite, and end-user platforms such as Microsoft Office client applications and SharePoint sites.
Note that Duet Enterprise does not require anything to be installed on the client computers by default. All interaction with client applications is managed by SharePoint Server 2010.
Heterogeneous system support
Duet Enterprise provides heterogeneous support of SAP systems. The following figure shows a high-level example of the SAP systems that Duet Enterprise supports.
Figure 3 - Example of a heterogeneous system
The following list describes Figure 3.
A SharePoint user accesses a site running on SharePoint Server 2010.
The Duet Enterprise SharePoint Add-on and the Duet Enterprise SAP Add-on, along with the Microsoft Business Connectivity Services, enable communication between SharePoint Server 2010 and SAP NetWeaver 7.02. The Duet Enterprise SAP Add-on that is installed on SAP NetWeaver, together with business logic in the Duet Enterprise SAP Add-on, acts as a broker between SharePoint Server 2010 and the SAP systems.
You can connect multiple SAP systems, such as BW and ERP, to one Duet Enterprise environment. Duet Enterprise supports standard high availability (HA), load balancing and scalability mechanisms for both SAP NetWeaver and SharePoint Server 2010.
Duet Enterprise supports different versions of SAP systems as well as distributed systems. This enables you to connect SAP NetWeaver to multiple SAP systems. For example, you can have a Human Resources system for America that runs on SAP ERP 6.0 and a Human Resources system for Europe that runs on SAP ERP 2004. By using system mapping, users in America can be linked to the American system and users in Europe can be linked to the EMEA system.
Ready-to-use capabilities
This section describes the ready-to-use capabilities provided by Duet Enterprise. These capabilities include enabling SharePoint users to:
Run SAP reports within a SharePoint site
Interact with SAP workflows from within SharePoint sites and Outlook 2010
Collaborate on and interact with SAP information within SharePoint sites
Get access to HR information in SharePoint Profile
SAP Reports in SharePoint Server
Duet Enterprise enables employees to retrieve SAP reports (from an SAP ERP or SAP Business Intelligence system) in a SharePoint document library. SAP reports can be run by an information worker from within a SharePoint site. Duet Enterprise Reporting is implemented as a SharePoint feature and can be enabled at the site collection and site levels. After this feature is enabled for a particular site collection, a site owner can enable the feature on any site in the site collection in order to create a list of reports on the site. Note that these reports are surfaced on the Duet Enterprise sites, by default. The reports are based on a report catalog that is maintained in the SAP environment but SharePoint users can modify the report settings to change or add to parameters of a report.
You can schedule an SAP report or run it on demand. Reports can be viewed in any supported file format. Users can view the historical summary of reports and reports can be shared with other SharePoint users. After a report is shared, users can subscribe to a report to receive notification in e-mail messages when a report is run. When running a report, a SharePoint user can specify whether the report will be an individual report or shared. Shared reports are delivered once by the SAP system and can be viewed by multiple people. Individual reports can only be viewed by the person who requested the report. Note: The ability to subscribe to and display reports is subject to having the necessary level of permissions in the SAP environment.
Like other SharePoint lists, the Reports list can be filtered and sorted. For example, you can filter by the Category column to view only certain categories of reports, such as sales reports.
Reporting extensibility
Customers can customize reporting in Duet Enterprise in the following ways:
Add the Related Reports Web Part to various SharePoint sites. For example, you can add an “Employees Compliance Report” to the “Leave Approval” workflow work items, so that the approver of the Leave Approval workflow can run the Employees Compliance Report within the workflow task form of the Leave Approval workflow. Another example is a Customer Service Manager approving or rejecting a customer return request and then using the Related Report Web Part to generate additional conversations or collaborations on the report.
Enable a new report from the Duet Enterprise Reports Catalog in the Reports Center. For example, you can add “Stock Overview” reports to the “Material Reports List” in a Duet Enterprise Reporting site.
Enable new SAP System Reports in SharePoint Server. For example, you can add a new Business Warehouse (BW) report called “General Quotation Information at Sales Area” as part of the Customer Quotation workspace.
Create one or more dedicated reporting sites in SharePoint Server that are based on new SAP System reports. For example, you can build a “Product Life Cycle Management Report” site that gathers lists of reports from different aspects: Project Managements, Quality Management, Profitability Analysis, and so on.
Workflows in Duet Enterprise
SAP workflows run on the SAP system, but Duet Enterprise enables SAP workflow approval steps to be surfaced through SharePoint Server so that the tasks, which require user interaction, can be completed on SharePoint sites or in Outlook 2010. SAP workflow steps that are imported as SharePoint workflows can be customized by using the SharePoint Server 2010 workflow capabilities.
An SAP administrator uses SAP Workflow Builder to determine the existing workflow approval steps that will be surfaced in SharePoint Server and creates a mapping to determine which fields that are available to the SAP workflow will be displayed in SharePoint Server 2010. After this is done for a particular SAP workflow, a SharePoint workflow, which the SAP workflow triggers when the SAP workflow needs to interact with SharePoint users, can be declaratively configured in SharePoint Server.
An SAP workflow can start a SharePoint workflow and wait for the SharePoint workflow to complete before continuing to the next step. The user’s action is synced up with SAP instantaneously. This provides tight integration of workflow processes across the SAP and SharePoint applications.
While interacting with a workflow, a SharePoint user, in this case the approver of the workflow, can use related reports and related links that will help the user make a decision. For example, before approving a discount for a customer, the approver can run a report to see the average sales volume for this customer or open the discount policy of their organization. In addition, the SharePoint user can use a template to create a related collaboration site that will enable collaboration on the work item.
In addition to the workflows provided with Duet Enterprise, you can use SAP Workflow Builder to create custom SAP Workflows and Microsoft SharePoint Designer 2010 to customize the tasks that run in the SharePoint environment.
Templates and other building blocks
Duet Enterprise provides templates and other building blocks that you can use to access SAP data objects. In addition to being able to create one or more workflow and reporting sites, as described earlier, site collection administrators can use the included site collection template to create Duet Enterprise sites in SharePoint Server. This site collection template contains a hierarchy of sites, lists, libraries, and other types of Web Parts that are designed for viewing and managing SAP data.
SharePoint users can use these sites for activities such as collaborating around SAP information, exploring HR information, and managing customer information.
SharePoint farm administrators can use the site collection template provided with Duet Enterprise to create as many site collections as needed. Solution architects can choose to use Duet Enterprise sites as a starting point for building a solution for their organization, use the Web Parts and other components provided with Duet Enterprise sites to create their own solution, or a combination of these strategies.
Monitoring and Troubleshooting
End-to-end monitoring of components that are on servers that are running both SAP and SharePoint Server is critical to the trouble-free operation of Duet Enterprise. This monitoring is done by using both SAP standard tools and Microsoft standard tools, as shown in the following figure.
Figure 4 - Standard tools used to monitor SharePoint and SAP environments
SAP administrators can monitor critical components on servers that are running both SAP and SharePoint Server by using SAP Computing Center Management System (CCMS). CCMS provides administrators with e-mail alerts or SMS alerts for failed Duet Enterprise components and provides administrators the option to schedule reports for monitoring purposes. Drilling down to the Service consumption layer node in CCMS enables SAP administrators to see exactly what failed and how to fix it. SAP administrators can also monitor system performance, as shown in the following figure, and view system configuration changes in SAP Solution Manager Diagnostics (SMD).
Figure 5 - Monitor system performance
SharePoint administrators can use Microsoft System Center Operations Manager 2010 (SCOM) to monitor client computers and servers that are running SharePoint Server. They can also maintain and execute health rules, and view detailed results of Microsoft Operations Monitor (MoM) alerts. Because Duet Enterprise uses a Microsoft Business Connectivity Services connector, you can use the Microsoft Business Connectivity Services node in SCOM to monitor Duet Enterprise. For more information about SCOM, see the Microsoft System Center Operations Manager (https://go.microsoft.com/fwlink/?LinkID=187743) site.
Duet Enterprise also provides the tools to help administrators troubleshoot components that are critical to the health of Duet Enterprise. For example, SAP administrators can do the following:
Troubleshoot SAP errors and malfunctions from within the ABAP environment.
Browse through the log messages, identify the exact step that failed, and determine how the problem can be fixed.
Run end-to-end tracing and see the trace results in SAP SMD.
SharePoint administrators can use a unique ID to trace a specific problem in SharePoint trace logs, use the MMC console to troubleshoot deployment issues, and remotely view errors on client computers. They can also use the Health Status pages on the Central Administration Web site to view the health of components.
Security
SharePoint user accounts cannot be used to directly access information in SAP. To provide authentication and authorization across both the Microsoft and SAP platforms, Duet Enterprise enables SAP administrators to map the Windows domain accounts of SharePoint Server users to SAP user accounts. Duet Enterprise also enables the use of SAP roles, which SAP administrators map to SAP users in the SAP environment.
The mapping of SharePoint users to SAP users enables SAP applications to authenticate SharePoint users by looking up the SAP account that is mapped to a particular SharePoint user. Duet Enterprise also enables the use of SAP Roles as claims-based security principals in SharePoint Server. This enables SharePoint users and administrators to grant SAP users access to SharePoint securable objects, such as sites, lists, and items, by using SAP roles to secure those securable objects. SAP roles are defined and the SAP user-to-role assignment is managed in the SAP environment. The ability to use SAP roles to secure SharePoint objects saves the administrative overhead of redefining those same roles in SharePoint Server.
After the SharePoint users are mapped to SAP users, a SharePoint farm administrator can synchronize the user profile properties from SAP with the SharePoint User Profile Store. Duet Enterprise enables a custom Business Data Connectivity service connection that SharePoint farm administrators can use for this synchronization process. The process populates a custom property in the SharePoint User Profile Store. The custom property contains a list of SAP Roles for each SharePoint user who has been mapped to an SAP user in the SAP environment. This synchronization does not copy anything from the SharePoint User Profile Store to the SAP environment. Because profile synchronization is costly in terms of performance and resources, and because role assignments do not typically change frequently, we recommend that SharePoint farm administrators resynchronize the profiles only when needed.
The ability to map SharePoint users to SAP users and synchronize user profiles provides the benefits of ensuring secure communications across the SharePoint and SAP environments, enabling single sign-on, and maintaining awareness of and compliance with existing SAP authorization settings.
Note
Duet Enterprise provides a feature that enables users and administrators to grant access to SharePoint securable objects based on SAP roles. Before this capability is available, a SharePoint farm administrator must activate the Duet Enterprise Claim Provider feature at the farm level, which makes the claims provider available, and must synchronize the user properties from an SAP application with the SharePoint User Profile Store.
The following illustration and numbered list describe a high-level view of the data flow and components of the Duet Enterprise Role and Profile Sync feature that enables SharePoint administrators to use SAP roles to secure SharePoint securable objects.
Figure 6 - Securing objects in SharePoint using SAP roles
The following list describes the process of adding an SAP role to a securable object in SharePoint Server (as seen in Figure 6).
A SharePoint user or administrator opens the People Picker to assign SAP roles to SharePoint securable objects, such as sites, lists, and items.
The People Picker uses the Duet Enterprise Claims Provider to access the list of SAP roles that have been authorized for use in SharePoint Server. The Duet Enterprise Claims provider requests the SAP role definitions from the SAP application.
The SAP application sends the SAP role definitions back to the Duet Enterprise Claims Provider and the SAP role definitions are then displayed in the People Picker.
The SharePoint administrator selects the SAP role he wants to use from the People Picker and grants that SAP role the appropriate permission for the SharePoint securable object that he is securing.
The following illustration and numbered list describe a high-level overview of the user authorization process.
Figure 7 - User authorization process
The following list describes the authorization process of a user requesting access to a securable object in SharePoint Server that has been secured by using an SAP role.
A SharePoint farm administrator synchronizes the user profiles in SAP with the SharePoint User Profile Store over a Business Data Connectivity service connector. This synchronization process stores the SAP user accounts and the SAP roles to which they are mapped in the SharePoint User Profile Store.
A SharePoint user or administrator logs on to a SharePoint site and attempts to access a site, list, or items that are secured by using an SAP role.
Note
At user logon, the token issuance process augments the SAML security token of the user with his or her SAP roles from the User Profile Store. This token is then referenced by SharePoint Server to authorize user access to an item that has been secured by using an SAP role.
SharePoint Server uses the Duet Enterprise Claims Provider to access the User Profile Store to determine to which SAP roles the SharePoint user or administrator has been assigned. SharePoint Server then grants or denies the SharePoint user access to the securable object based on the role that the user is assigned to and the permissions granted to the SAP role on the securable object.
When a SharePoint user runs an SAP report from a SharePoint site, a file that contains the report is delivered to a SharePoint document library and secured by using one or more SAP roles. Because the file is secured by using an SAP role rather than the user account of the SharePoint user who ran the report, SharePoint Server must look up the SAP role in the user profile store for SharePoint users who want to view the report.
Note: SAP administrators specify which SAP roles will be available to assign to SharePoint securable objects.
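The following added example (not Duet Enterprise code) models the authorization process above in Python: a one-way profile sync, role claims added to the token at logon, and an access check against SAP roles on a securable object. It also shows why a role change in SAP is one of the cases in which a resynchronization is needed. All account names, SAP user IDs, role names, and helper names are constructed for illustration.

```python
"""Simplified model of SAP-role-based authorization in SharePoint.
Added example: names, roles and data structures are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class SapSystem:
    # Source of truth, maintained in the SAP environment.
    user_map: dict  # SharePoint (Windows domain) account -> SAP user
    roles: dict     # SAP user -> set of SAP roles


@dataclass
class ProfileStore:
    # SharePoint User Profile Store: custom property with SAP roles per user.
    sap_roles: dict = field(default_factory=dict)

    def sync_from(self, sap):
        """One-way sync, SAP -> profile store. Nothing is written to SAP."""
        self.sap_roles = {
            sp_user: frozenset(sap.roles.get(sap_user, ()))
            for sp_user, sap_user in sap.user_map.items()
        }


def issue_token(store, sp_user):
    """Logon: augment the user's token with role claims from the profile store."""
    return {"user": sp_user, "sap_roles": store.sap_roles.get(sp_user, frozenset())}


def is_authorized(token, acl, needed):
    """Grant access if any SAP role claim in the token holds the permission."""
    return any(needed in acl.get(role, ()) for role in token["sap_roles"])


def stale_grants(sap, store):
    """Roles still cached in the profile store that SAP no longer assigns."""
    stale = {}
    for sp_user, cached in store.sap_roles.items():
        current = set(sap.roles.get(sap.user_map.get(sp_user), ()))
        extra = sorted(cached - current)
        if extra:
            stale[sp_user] = extra
    return stale


def demo():
    alice, bob, carol = r"CONTOSO\alice", r"CONTOSO\bob", r"CONTOSO\carol"
    sap = SapSystem(
        user_map={alice: "ALICE01", bob: "BOB01"},  # carol is not mapped
        roles={"ALICE01": {"Z_SALES_MANAGER"}, "BOB01": {"Z_SALES_REP"}},
    )
    # A delivered report file secured by an SAP role, not by a user account.
    report_acl = {"Z_SALES_MANAGER": {"read"}}

    store = ProfileStore()
    store.sync_from(sap)
    results = {
        "alice_initial": is_authorized(issue_token(store, alice), report_acl, "read"),
        "bob_initial": is_authorized(issue_token(store, bob), report_acl, "read"),
        "unmapped": is_authorized(issue_token(store, carol), report_acl, "read"),
    }

    # The role is removed in SAP, but the profiles are not resynchronized yet.
    sap.roles["ALICE01"].discard("Z_SALES_MANAGER")
    results["after_revoke_no_sync"] = is_authorized(
        issue_token(store, alice), report_acl, "read")
    results["drift"] = stale_grants(sap, store)

    # After the resync, a newly issued token no longer carries the role claim.
    store.sync_from(sap)
    results["after_resync"] = is_authorized(
        issue_token(store, alice), report_acl, "read")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the profile store is the only source of role claims, so a role removed in SAP keeps granting access in SharePoint until the next synchronization.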
How authentication works in Duet Enterprise
Although Duet Enterprise supports multiple authentication methods, only claims-based authentication uses SAP roles to secure objects in SharePoint Server. For this reason, claims-based authentication is the recommended authentication method for Duet Enterprise enabled Web applications.
The following illustration shows a high-level view of how authentication works in a Duet Enterprise environment.
Figure 8 - Duet Enterprise authentication
The following list describes the steps shown in Figure 8. This illustration assumes that a SharePoint user has attempted to access SAP information that is surfaced in SharePoint Server.
The SharePoint user’s identity is sent to the Microsoft Business Connectivity Services Windows Communication Foundation connector.
The connector sends the SharePoint user’s identity to the SharePoint Security Token Service.
The SharePoint Security Token Service returns a token that identifies the SharePoint user.
The token is then sent to SAP NetWeaver in a SOAP request packet.
During deployment, a trust relationship is created between SAP NetWeaver and the Security Token Service. This enables SAP NetWeaver to use the token to look up the SAP user who is mapped to the SharePoint user who is identified by the token.
The SAP user account that is mapped to the SharePoint user is returned to SAP NetWeaver.
SAP NetWeaver uses the SAP user account to request access to information in the SAP system and, if the user is authorized to access the information, the requested information is sent to SAP NetWeaver.
SAP NetWeaver sends the requested information to the Microsoft Business Connectivity Services WCF connector as a SOAP response.
The Microsoft Business Connectivity Services connector passes the information to the SharePoint user.
For more information about the SharePoint security token service, see Configure the security token service (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkId=182064).
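The authentication steps listed above, as an added example that is not Duet Enterprise code: a Python model of the connector, the Security Token Service, and SAP NetWeaver that shows the three checks a request must pass (token from a trusted issuer, SharePoint user mapped to an SAP user, SAP authorization for that user). An HMAC stands in for the SAML token signature, and all keys, account names, issuer names, and object names are constructed.

```python
"""Simplified model of the Duet Enterprise authentication flow.
Added example: HMAC replaces the SAML signature; all names are constructed."""
import hashlib
import hmac
import json

STS_KEY = b"constructed-sts-signing-key"


def sts_issue(sp_user, key=STS_KEY, issuer="sharepoint-sts"):
    """Security Token Service: return a signed token identifying the user."""
    body = json.dumps({"iss": issuer, "sub": sp_user}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class NetWeaver:
    def __init__(self, trusted, user_map, sap_authz, data):
        self.trusted = trusted      # issuer -> key; trust created at deployment
        self.user_map = user_map    # SharePoint account -> SAP user
        self.sap_authz = sap_authz  # SAP user -> objects the user may read
        self.data = data            # stand-in for the SAP back-end system

    def handle(self, token, obj):
        """Verify the token, look up the mapped SAP user, act as that user."""
        claims = json.loads(token["body"])
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return {"status": "rejected", "reason": "untrusted issuer"}
        expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return {"status": "rejected", "reason": "bad signature"}
        sap_user = self.user_map.get(claims["sub"])
        if sap_user is None:
            # A SharePoint account alone never reaches SAP data.
            return {"status": "rejected", "reason": "no SAP user mapped"}
        if obj not in self.sap_authz.get(sap_user, ()):
            return {"status": "denied", "reason": "SAP authorization",
                    "sap_user": sap_user}
        return {"status": "ok", "sap_user": sap_user, "data": self.data[obj]}


def connector_request(netweaver, sp_user, obj, issue=sts_issue):
    """BCS connector: obtain a token for the user and send it with the request."""
    return netweaver.handle(issue(sp_user), obj)


def demo():
    alice, bob, carol = r"CONTOSO\alice", r"CONTOSO\bob", r"CONTOSO\carol"
    obj = "customer/1001"
    nw = NetWeaver(
        trusted={"sharepoint-sts": STS_KEY},
        user_map={alice: "ALICE01", bob: "BOB01"},  # carol is not mapped
        sap_authz={"ALICE01": {obj}},               # BOB01 has no access
        data={obj: {"name": "Constructed Customer"}},
    )

    def wrong_key(user):
        return sts_issue(user, key=b"constructed-other-key")

    def unknown_issuer(user):
        return sts_issue(user, issuer="unknown-sts")

    return {
        "mapped": connector_request(nw, alice, obj),
        "sap_denied": connector_request(nw, bob, obj),
        "unmapped": connector_request(nw, carol, obj),
        "wrong_key": connector_request(nw, alice, obj, issue=wrong_key),
        "unknown_issuer": connector_request(nw, alice, obj, issue=unknown_issuer),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```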