PUBLIC

SAP BTP Configuration Guide

SAP Subscription Billing
Document Version: 34
TABLE OF CONTENTS
DOCUMENT HISTORY ........................................................................................................................................ 3
1 TECHNICAL SETUP............................................................................................................................. 4
2 SET UP USING BOOSTER AUTOMATION......................................................................................... 4
2.1 Onboard SAP Subscription Billing for Integration with SAP S/4HANA Cloud ............................. 5
2.2 Onboard SAP Subscription Billing ................................................................................................. 10
3 SET UP USING MANUAL STEPS ..................................................................................................... 15
3.1 Technical Setup ................................................................................................................................ 15
3.1.1 Check successful completion of provisioning .............................................................................. 15
3.1.2 Add administrators to global account ............................................................................................ 16
3.1.3 Create subaccounts ......................................................................................................................... 19
3.1.4 Assign entitlements .......................................................................................................................... 22
3.1.5 Subscribe to SAP Subscription Billing .......................................................................................... 25
3.2 Enable UI Access .............................................................................................................................. 27
3.2.1 Give yourself access as an administrator...................................................................................... 27
3.2.2 Define security administrators in your subaccount ..................................................................... 27
3.2.3 Enable authentication and single sign-on for business users .................................................... 29
3.2.4 Assign your own identity provider (IdP) to your subaccount ...................................................... 30
3.2.5 Build role collections ....................................................................................................................... 36
3.2.6 Define roles to restrict authorization by market (optional) .......................................................... 39
3.2.7 Assign role collections to users or user groups ........................................................................... 42
3.3 Enable API Access ........................................................................................................................... 44
3.3.1 Enable Cloud Foundry ..................................................................................................................... 44
3.3.2 Create a space .................................................................................................................................. 45
3.3.3 Add members to spaces and assign roles..................................................................................... 47
3.3.4 Create a service instance................................................................................................................. 49
3.3.5 Create a service key ......................................................................................................................... 53
3.4 Onboard Price Calculation............................................................................................................... 55
3.5 Set Up SAP Event Mesh ................................................................................................................... 56
3.5.1 Assign an Event Mesh entitlement ................................................................................................. 56
3.5.2 Create an Event Mesh instance ....................................................................................................... 58
3.5.3 Prepare access to the SAP Event Mesh application ..................................................................... 63

2
DOCUMENT HISTORY

The table provides an overview of changes from the last 12 months, with the most recent changes at the top.

Document Date of Update Change

Version

34 September 5, 2023 Cloud Availability notification information added in section Technical

Setup.

33 May 22, 2023 The booster for the integration with S/4HANA Cloud was renamed to
Onboard SAP Subscription Billing for Integration with SAP S/4HANA
Cloud.

32 April 21, 2023 Logon URL for the SAP BTP Cockpit adapted in the onboarding sections.

31 March 31, 2023 New region eu11 with EU only access added.

30 January 30, 2023 Link about the integration of SAP Subscription Billing apps with the SAP
Fiori launchpad of SAP S/4HANA Cloud added for to the sections
Onboard SAP Subscription Billing for Integration with SAP S/4HANA
Cloud and Onboard SAP Subscription Billing.

29 January 13, 2023 Section Onboard SAP Subscription Billing for Integration with SAP
S/4HANA Cloud changed as Price Calculation is now a mandatory
service for this booster.

28 December 19, 2022 Wording changed in section Onboard Price Calculation due to Price
Calculation now being the recommended pricing configuration option for
SAP Subscription Billing.

27 July 27, 2022 Section Setup using a booster automation added.

The example API scope JSON file was moved from the section Create a
service instance to the API Guide.

3
1 TECHNICAL SETUP
Once you’ve received an email from SAP welcoming you to SAP Subscription Billing, you can start with the
first steps.

 The technical setup includes the creation of a tenant. Only users with an Administrator role for the
global account can create tenants. At first, only the recipients of the welcome email have this role. If
someone else needs to create a tenant, one of the email recipients must add the relevant user as
Administrator for the global account. This is described in the section Add administrators to global account.
See also the SAP BTP documentation for an overview of all administration roles: Role Collections and
Roles in Global Accounts, Directories, and Subaccounts [Feature Set B].

Cloud Availability
We recommend that you go to SAP for Me and add the e-mail addresses of employees of your company
whom we can contact with Cloud Availability notifications relating to SAP Subscription Billing. You do this
under Systems & Provisioning.
Hint: Ideally, enter the e-mail addresses of your fellow employees who can work with us in critical situations
without delay. For more information, see Get Notified.

Next, decide whether you want to use an automation wizard called “booster” for the onboarding of an SAP
Subscription Billing tenant, or if you want to follow a manual step-by-step guide. If your Global Account is
running on feature set A, please use the booster functionality instead of the manual steps.

Note: The booster also has some settings that need to be configured carefully, for example regarding
subaccounts. Please read the information below carefully.

For the next steps, see:

• Set up using booster automation
• Set up using manual steps

2 SET UP USING BOOSTER AUTOMATION

A booster is a set of guided interactive steps that enable you to select, configure, and consume services on
SAP BTP to achieve a specific technical goal. Boosters automate processes that otherwise require a high
number of manual steps, such as onboarding applications like SAP Subscription Billing. The booster helps you
onboard an SAP Subscription Billing tenant in a new or existing subaccount, including services such as Event
Mesh and Price Calculation depending on the selected configuration.

The following boosters are available for onboarding SAP Subscription Billing:
• Onboard SAP Subscription Billing for integration with SAP S/4HANA Cloud
This booster is specifically designed for the setup of SAP Subscription Billing for the integration with
SAP S/4HANA Cloud (scope items 57Z and 5IK).
• Onboard SAP Subscription Billing
This booster is used for the setup of SAP Subscription Billing as standalone solution.

We recommend using the booster for non-productive tenants. If you choose to use the booster for a
productive tenant, please note the following:
• All users added with Administrator or Developer roles get full authorization for administrative and
development tasks as well as full access to the SAP Subscription Billing user interface. If this
contradicts your compliance rules for productive tenants, add users manually or remove authorizations
prior to productive use of the tenant.
• The boosters don’t support custom identity providers (IdP). The default IdP SAP ID Service is not
recommended for productive use of SAP Subscription Billing. You can manually adapt the IdP
settings.
• The boosters create an API client for accessing SAP Subscription Billing APIs with all API scopes.
You can manually configure API access with only selected scopes depending on your business
needs.

4
During the booster configuration, you must decide whether you want to create a new subaccount or select an
existing subaccount to which you want to add SAP Subscription Billing.

If you make the wrong selection for your use case, you may run into issues further in the onboarding
process! For more details on which configuration to select, see section 7 in Onboard SAP Subscription
Billing for Integration with SAP S/HANA Cloud or Onboard SAP Subscription Billing (standalone).

After the configuration is completed and the booster is started, the booster assigns entitlements, subscribes
chosen applications, and creates the relevant service instances and the associated service keys automatically.

When the booster has finished all the processing steps, you can access the user interfaces of SAP
Subscription Billing and applications such as Event Mesh and Price Calculation, depending on your chosen
configuration. In addition, you can use the created service key to get OAuth access tokens for the created
service instances.

If you use a booster for the onboarding of SAP Subscription Billing, most of the steps mentioned in the chapter
“Set up using manual steps” are performed automatically.

Note: You can run a booster as many times as you like, for example to add more users or to take
advantage of changes that were made to the booster itself. The booster is a convenient way to make
changes to your subaccount settings and benefit from some in-built checks and validations.
To run the booster on an existing subaccount, make sure you are the Subaccount Administrator and
Space Member.

2.1 Onboard SAP Subscription Billing for Integration with SAP S/4HANA Cloud

To start the onboarding setup of SAP Subscription Billing for the integration with SAP S/4HANA Cloud (57Z
and 5IK), follow these step-by-step instructions.

 Throughout the booster configuration, select Next to get to the next selection screens or Previous to adjust
settings you made in the previous screens.

1. Logon to the SAP • EMEA: https://emea.cockpit.btp.cloud.sap

BTP Cockpit using • Americas: https://amer.cockpit.btp.cloud.sap
either of these • Asia-Pacific, Oceania: https://apac.cockpit.btp.cloud.sap
URLs depending on • EU Access: https://eu-access.cockpit.btp.cloud.sap
your region: • A logon URL in the region closest to you (to avoid latency). See Regions and API
Endpoints Available for the Cloud Foundry Environment in the SAP BTP
documentation.

2. Open the global

account that was
used to order SAP
Subscription Billing.

 To find the right

global account, you
can use the System
& Provisioning
dashboard in SAP
for Me (log on with
your S-user ID).

5
 In the dashboard,
you can find the
global account ID
under System
Name & Number.

 In this guide, we
use
“SubscriptionBilling
Consulting” as the
example account.

3. Choose Boosters in
the navigation
panel.

If you don’t see this entry in the navigation panel, you need to have the
Global Account Administrator role assigned to your user.

4. Select the tile

Onboard SAP
Subscription
Billing from the
Boosters overview
page and click
Start.

5. The overview page

displays:
• Information about
the booster
• Components that are
available for the
booster
• Available additional
resources

6
6. Click Start to begin
the booster
process.

The booster first

checks the
prerequisites
including required
authorizations and
entitlements.

7. Decide whether you Select Create Subaccount and carry on with section a. below
want to create a
new subaccount for
SAP Subscription
Billing or add it to
an existing
subaccount.

Once you have

decided, choose
either Create
Subaccount or
Select Subaccount
and click Next.

This decision has

implications for the or choose Select Subaccount and carry on with section b. below
onboarding of
further applications
such as Event Mesh
(optional). Some
applications MUST
be subscribed in the
same subaccount
as SAP
Subscription Billing.

a. Create Subaccount

To create a new
subaccount, enter
the required
information and
click Next add
users.

7
 The booster prefills
the fields with
suggestions you
can partially
change.
• Entitlements:
Shows the
entitlements of
the applications
that the booster
will subscribe.
• Subaccount
Name: You can
change the
generated
name to
something more
relevant to your
use case.
• Region: Change
the region if the
prefilled region
is not fitting.
• Subdomain: This
will be the name
of your SAP
Subscription
Billing tenant.

b. Select Subaccount

To select an
existing subaccount
for this booster,
choose the relevant
subaccount from
the list under
Subaccount.

Entitlements:
Shows the
entitlements of the
applications that the
booster will
subscribe.

8
8. Add additional users
as Administrators
or Developers. The
booster will assign
the relevant roles
automatically. The
user who is
configuring the
booster is added as
administrator and
developer
automatically.

Note: You can add

additional users
later by running the
booster again.

9. Review the
configuration
settings you made,
especially regarding
the subaccount
mode.

When you are

happy with your
choices, click
Finish.

The booster will

make the settings
according to your
configuration.

10. When the booster The following steps have to be performed manually:
configuration is
complete, some • As the booster can only create user interface access for Administrators
settings still have to and Developers, business users have to be added manually. See Enable
be made manually, authentication and single sign-on for business users.
• Define security administrators in your subaccount

9
 depending on your • Assign your own identity provider (IdP) to your subaccount
configuration needs. • Build role collections
• Define roles to restrict authorization by market (optional)
• Assign role collections to users or user groups
• To enable the integration of SAP Subscription Billing apps with the SAP
Fiori launchpad of SAP S/4HANA Cloud, follow the procedure described
under Integration with the SAP Fiori Launchpad of SAP S/4HANA Cloud
in the Setup and Administration Guide.

Note
API scopes for recently deployed features may not be up to date when you run
the booster for the initial onboarding. Missing API scopes need to be added
manually. For more information, see Create a service instance.

2.2 Onboard SAP Subscription Billing

To start the onboarding setup of SAP Subscription Billing as a standalone solution, follow these step-by-step
instructions.

 Throughout the booster configuration, select Next to get to the next selection screens or Previous to adjust
settings you made in the previous screens.

1. Logon to the SAP BTP • EMEA: https://emea.cockpit.btp.cloud.sap

Cockpit using either • Americas: https://amer.cockpit.btp.cloud.sap
of these URLs • Asia-Pacific, Oceania: https://apac.cockpit.btp.cloud.sap
depending on your • EU Access: https://eu-access.cockpit.btp.cloud.sap
region: • A logon URL in the region closest to you (to avoid latency). See Regions and API
Endpoints Available for the Cloud Foundry Environment in the SAP BTP
documentation.

2. Open the global

account that was
used to order SAP
Subscription Billing.

 To find the right

global account, you
can use the System &
Provisioning
dashboard in SAP for
Me (log on with your
S-user ID).
In the dashboard, you
can find the global
account ID under
System Name &
Number.

 In this guide, we
use
“SubscriptionBilling
Consulting” as the
example account.

3. Choose Boosters in
the navigation panel.

10
 If you don’t see this entry in the navigation panel, you need to have the
Global Account Administrator role assigned to your user.

4. Select the tile

Onboard SAP
Subscription Billing
from the Boosters
overview page and
click Start.

5. The overview page

displays:
• Information about the
booster
• Components that are
available for the
booster
• Available additional
resources

6. Click Start to begin

the booster process.

The booster first

checks the
prerequisites required
for the booster
including required
authorizations and
entitlements.

11
7. Decide whether you Select Create Subaccount and carry on with section a. below
want to create a new
subaccount for SAP
Subscription Billing or
add it to an existing
subaccount.

Once you have

decided, choose
either Create
Subaccount or
Select Subaccount
and click Next.

This decision has

implications for the
onboarding of further or choose Select Subaccount and carry on with section b. below
applications such as
Event Mesh (optional).
Some applications
MUST be subscribed
in the same
subaccount as SAP
Subscription Billing.

a. Create Subaccount

To create a new
subaccount, enter the
required information
and click Next add
users.

The booster prefills

the fields with
suggestions you can
partially change.
• Entitlements:
Depending on
your use case,
you can delete
optional
entitlements of
applications that
you don’t want to
subscribe.
• Subaccount
Name: You can
change the
generated name
to something

12
 more relevant to
your use case.
• Region: Change
the region if the
prefilled region is
not fitting.
• Subdomain: This
will be the name
of your SAP
Subscription
Billing tenant.

You can deselect optional applications in this step under Action.

b. Select Subaccount

To select an existing
subaccount for this
booster, choose the
relevant subaccount
from the list under
Subaccount.

Entitlements:
Depending on your
use case, you can
delete optional
entitlements of
applications that you
don’t want to
subscribe.

You can deselect optional applications in this step under Action.

8. Add additional users

as Administrators or
Developers. The

13
 booster will assign
the relevant roles
automatically. The
user who is
configuring the
booster is added as
administrator and
developer
automatically.

Note: You can add

additional users later
by running the
booster again.

9. Review the
configuration settings
you made, especially
regarding the
subaccount mode.

When you are happy

with your choices,
click Finish.

The booster will make

the settings according
to your configuration.

10. When the booster The following steps have to be performed manually:
configuration is
complete, some • As the booster can only create user interface access for Administrators
settings still have to and Developers, business users have to be added manually. See
be made manually, Enable authentication and single sign-on for business users.
depending on your • Define security administrators in your subaccount
configuration needs. • Assign your own identity provider (IdP) to your subaccount

14
 • Build role collections
• Define roles to restrict authorization by market (optional)
• Assign role collections to users or user groups
• To enable the integration of SAP Subscription Billing apps with the SAP
Fiori launchpad of SAP S/4HANA Cloud, follow the procedure
described under Integration with the SAP Fiori Launchpad of SAP
S/4HANA Cloud in the Setup and Administration Guide.

Note
API scopes for recently deployed features may not be up to date when you run
the booster for the initial onboarding. Missing API scopes need to be added
manually. For more information, see Create a service instance.

3 SET UP USING MANUAL STEPS

3.1 Technical Setup

3.1.1 Check successful completion of provisioning

Log on to the SAP BTP cockpit to check that SAP Subscription Billing is available for your account.

1. Log on to the SAP BTP • EMEA: https://emea.cockpit.btp.cloud.sap

cockpit using the link in • Americas: https://amer.cockpit.btp.cloud.sap
your Welcome email or • Asia-Pacific, Oceania: https://apac.cockpit.btp.cloud.sap
either of these URLs: • EU Access: https://eu-access.cockpit.btp.cloud.sap
• A logon URL in the region closest to you (to avoid latency). See Regions and API
Endpoints Available for the Cloud Foundry Environment in the SAP BTP
documentation.

2. Open the global

account that was used
to order SAP
Subscription Billing.

 To find the right

global account, you
can use the System &
Provisioning dashboard
in SAP for Me (log on
with your S-user ID).
In the dashboard, you
can find the global
account ID under
System Name &
Number.

 In this guide, we
use “SubscriptionBilling
Consulting” as the
example account.

15
 3. Choose
Entitlements >
Service Assignments
in the navigation panel.

4. In the service
overview, search for
SAP Subscription
Billing.

If the service isn’t

displayed, please
report this to your local
SAP contact.

3.1.2 Add administrators to global account

To enable further users to create a tenant, one of the recipients of the welcome email must add the relevant
user as a global account administrator. You add administrators by assigning them a predefined role collection.
 For more information on the default role collections for administrators, see Role Collections and Roles in
Global Accounts, Directories and Subaccounts [Feature Set B] in the SAP BTP documentation.

1. In your global account,

choose Security >
Users in the navigation
panel.

2. Select Create to add

the user who you want
to make administrator.

16
3. Enter the user name
and email address of
the user. The identity
provider must be
“Default identity
provider”. Then select
Create.

4. Optional: If the user

isn’t part of the identity
provider, you’re asked
to add the user.
Confirm this action.

5. In the overview of
users, open the new
user. Then, under Role
Collections, display
the action menu and
select Assign Role
Collection.

6. Assign the role

collection “Global
Account Administrator”.

17
7. The user has now
administrative access
to the global account.

18
3.1.3 Create subaccounts
Subaccounts on SAP BTP are required for deploying applications and using services. When you create a
subaccount and subscribe to SAP Subscription Billing, a tenant is created.
 You need one subaccount for each tenant to which you are entitled. Repeat the steps below to create each
subaccount.
In case you want to use SAP Event Mesh with SAP Subscription Billing, make sure to add both to the
same subaccount.

1. In the breadcrumb
menu, select the name
of your global account.

2. You return to the Trust

Configuration screen.
In the navigation panel,
choose Account
Explorer.

3. Select Create >

Subaccount.

19
4. Define the subaccount:

1. Specify a display
name and short
description.

 In this guide,
we use “SAP-
DEMO-
SUBACC01” as
the example
subaccount.

2. In the Region list,

scroll to the
provider “Amazon
Web Services
(AWS)” and select
your region:
a. Europe
(cf-eu10)
b. Europe EU
Access (cf-
eu11)
(Restricted to
EU only
contracts.)
c. US East
(cf-us10) The subdomain is the tenant name used for login. Once defined, you can’t
3. Enter a name for change it later.
your subdomain.
The subdomain also becomes part of the application URL for SAP Subscription
Please read
Billing according to this pattern:
the note beneath
<subdomain>.<region>.revenue.cloud.sap
the screenshot
that explains why
The subdomain can contain only letters, digits and hyphens. Hyphens aren’t allowed
this name should
in the beginning or at the end. The subdomain must be unique across all accounts in
be chosen
the same region of the Cloud Foundry environment of SAP BTP.
carefully.
You can use upper case and lower case letters; however, they can’t be used to
4. For productive
differentiate subdomains (“SUBDOMAIN” and “subdomain” are considered the
subaccounts,
same).
don’t select
Enable beta
features.

5. Select Create.

20
You see a tile for your
subaccount on the
Subaccounts tab.
Wait for the
“Onboarding” status to
finish before accessing
the subaccount.

 You are
automatically assigned
to the subaccount as
administrator. To learn
how to add other users
as subaccount
administrators, see
Define security
administrators in your
subaccount.

21
3.1.4 Assign entitlements
You need to assign entitlements if you want to use SAP Subscription Billing and its APIs.
Your SAP BTP global account has entitlements to use resources, such as services and memory. Distribute
quotas of these entitlements to your individual subaccounts (tenants) to define the maximum consumption for
each subaccount.
 You have a total of 3 entitlements to distribute across a maximum of 3 tenants.

1. In your subaccount,
choose
Entitlements in the
navigation panel.

2. You see the table of

subaccount
assignments and
service plans.

Select Configure
Entitlements.

3. To open the list of

resources that
you’re entitled to
use, select Add
Service Plans.

4. Search for SAP

Subscription
Billing. You see
then both services
for the application
and for the API.

22
5. Start with the
application:

Select the service

SAP Subscription
Billing, check the
service plan
“default”, and then
add the service
plan.

6. Repeat the steps 3-

5 for the service
SAP Subscription
Billing API.

This service
enables you to call
Subscription Billing
APIs.

7. Add 1 entitlement
quota to the plan for
the SAP
Subscription
Billing API service
and then save your
changes.

23
 8. Optional:
If you want to
develop your own
applications or
process extensions
on SAP BTP Cloud
Foundry, repeat
these steps for the
entitlement Cloud
Foundry Runtime
with the service plan
“MEMORY”.

You can adjust quotas for only one subaccount at a time. To adjust quotas for multiple subaccounts, complete
these steps for each subaccount.
If you have distributed the maximum of your purchased quotas, you can’t increase it further. However, you can
move quotas between subaccounts in the same global account.

24
3.1.5 Subscribe to SAP Subscription Billing
To use the SAP Subscription Billing solution, you must subscribe to the application for your subaccount.

1. Go to your subaccount
and choose Services >
Service Marketplace
in the navigation panel.

2. You see all the

services that are
available to you.

Search for and select

the application SAP
Subscription Billing.

3. Under Application
Plans, display the
action menu of the plan
for which you want to
create a subscription
and select Create.

25
4. Check the basic info
and then select
Create.

5. The creation process

starts. Select View
Subscription to switch
to the Instances and
Subscriptions screen.

6. You’re subscribed to
the SAP Subscription
Billing application. With
this step, your tenant is
created.

26
3.2 Enable UI Access
This chapter describes how to configure authentication and authorization for the users of your application.
Thus, you can enable them to log on to the SAP Subscription Billing UI and get access to the appropriate apps
and data.

3.2.1 Give yourself access as an administrator

To give yourself access to the SAP Subscription Billing UI, you need to do the following:

1. Build at least one role collection, as described in the section Build role collections.
 To administrators, we recommend the role ui_applications_all, which provides you with the complete
set of authorizations and allows you to test all apps.
2. Assign at least one role collection to your user, as described in the section Assign role collections to users
or user groups.
3. Log on to the SAP Subscription Billing application.

To enable UI access for further users, repeat steps 1 and 2 for these users to assign the appropriate role.
Please consider that these users must be available in the identity provider (IdP) that is attached to the
subaccount. You find more information on authentication and single sign-on of business users in the sections
Enable authentication and single sign-on for business users and Assign your own identity provider (IdP) to
your subaccount.

3.2.2 Define security administrators in your subaccount

To configure authentication and authorization for business users, you need a platform user with the specific
role User & Role Administrator. When you create a subaccount, SAP BTP automatically grants this role to
your user.
If you want to enable other users to configure authentication and authorization, you can assign the role by
adding the users as security administrators in your subaccount. In cloud management tools feature set B, this
role is bundled in the role collection Subaccount Administrator.

For more information, see Role Collections and Roles in Global Accounts, Directories, and Subaccounts
[Feature Set B] in the SAP BTP documentation.

The following instructions show how a security administrator; for example, the user who created the
subaccount, can authorize another platform user to also become a security administrator.

The users that you want to add as security administrators in a subaccount must have at least one of the
following memberships:
• Member of the Cloud Foundry organization (if available) in the subaccount.
• Member of any Cloud Foundry space that belongs to the organization.
• Members of the global account that contains your subaccount: see the section Add administrators to
global account.

1. In your subaccount,
choose Security >
Role Collections in
the navigation panel.

Search for the role

collection “Subaccount
Administrator”.

27
2. Ensure that the
collection contains the
role User and Role
Administrator. This is
the key role for security
administrators.

3. To assign to the role

collection the users
that you want as
security administrators,
select Edit.

4. With the edit mode

enabled, add the
security administrators
under Users:

For each user, enter

the ID and the identity
provider, then select
the + icon.

Once you have added

all users, select Save
to close the edit mode.

5. The added users have

now access to the
subaccount as security
administrators.

28
3.2.3 Enable authentication and single sign-on for business users
On SAP BTP, identity information is provided by identity providers (IdPs) and not stored on SAP BTP itself.
Accordingly, the authentication of business users to access the SAP Subscription Billing UI is delegated to the
identity providers, and users log on with the mechanisms and credentials defined there; for example, with their
username and password. For an overview, see Security in the SAP BTP documentation.

SAP BTP supports the following identity providers:

• SAML 2.0 standard compliant IdP
• Identity Authentication service (SAP's cloud solution for identity life cycle management) on SAP BTP
• SAP ID service (SAP-administered IdP)

For SAP ID Service, trust is preconfigured on SAP BTP by default, so that you can start using the service
without further configuration. Business users with an account in SAP ID service (https://accounts.sap.com/)
and who are authorized for SAP Subscription Billing can log on using their email address and the respective
password.

 For productive scenarios of SAP Subscription Billing, we recommend to use your own identity provider,
and not SAP ID service. As an SAP-administered IdP, SAP ID service doesn’t support administrative
access and has the following restrictions:

• User registration works through self-service: You can’t provision users to SAP ID service, you can’t
lock users (for example, if their responsibility within the company changes or if they leave the
company).
• You can’t create user groups to simplify the assignment of role collections.
• You can’t configure single sign-on to work with other applications controlled by your own identity
provider. In other words, you can’t configure IdP proxying with SAP ID service.

In the following section, the instructions guide you through connecting your own identity provider.

29
3.2.4 Assign your own identity provider (IdP) to your subaccount
If you use the Identity Authentication service in SAP BTP, you can find more information in the SAP BTP
documentation under Manually Establish Trust and Federation Between UAA and Identity Authentication.

If you use a different IdP, you can find more information under Establish Trust and Federation with UAA Using
Any SAML Identity Provider.

The following instructions show how to assign Identity Authentication in SAP BTP to a subaccount as an
identity provider. You do this by defining a mutual trust relationship between the identity provider and the SAP
BTP subaccount in the SAP BTP cockpit and the admin console of the Identity Authentication service.

1. Download the SAML For the Identity Authentication service, enter the URL
2.0 metadata of your https://<Identity_Authentication_tenant>.accounts.ondemand.com/saml2/metadata
identity provider. in your browser.
Replace <Identity_Authentication_tenant> with the subdomain of your tenant for the
Identity Authentication service.

 The subdomain of the Identity Authentication service isn’t the same as the
subdomain of the subaccount that you use for your SAP Subscription Billing
application.

2. In your global account,

select your
subaccount and
ensure that the
Security menu is
available.

 If the menu isn’t

available, your user
isn’t a security
administrator and not
authorized for
assigning an IdP. See
the section Define
security administrators
in your subaccount in
this guide for more
details.

3. Choose Trust
Configuration and
then select
New Trust
Configuration.

30
4. Select Upload and add
the file with the SAML
2.0 metadata of your
identity provider that
you downloaded in
step 1.

5. Enter a Name and

Origin Key for your
identity provider. Then
select Save.

The name is
displayed when the
identity provider can be
selected; for example,
when business users
log in.
In this guide, we use
“My Corporate IdP” as
the example provider.

The origin key is used

in the audit log; for
example, to uniquely
identify the source of
an authenticated user.

6. Download the SAML a) Replace <subaccount_subdomain> with the subdomain of your subaccount and
2.0 metadata of your <region> with the region your subaccount is located, such as eu10 or us10.
subaccount.

b) In the Trust Configuration screen, select SAML Metadata.

31
7. Go to the For the Identity Authentication service, replace <Identity_Authentication_tenant> with the
administration UI of name of your IAS tenant:
your identity provider.

Your user needs the administration roles.

8. Ensure that your user
has the required
authorizations in the
identity provider.

 In IAS, your user

must be added as
Administrator and at
least have the
authorization to
Manage Applications.

9. To add SAP
Subscription Billing as
an application (SAML
service provider),
choose Applications
& Resources >
Applications and
select Add.

32
10. Enter the application
name and select Save.

11. For the newly created

application, select
SAML 2.0
Configuration.

12. Under Define from

Metadata, upload the
SAML 2.0 metadata of
your subaccount that
you previously
downloaded.

33
13. Back in the application,
select Subject Name
Identifier.

14. Under Basic

Configuration, choose
the attribute E-Mail
and then save.

34
15. Optional: If you want to
assign role collections
to groups rather than to
individual users,
choose Trust >
Assertion Attributes,
select Add and assign
Groups as an
additional attribute.

The assertion
attribute must be
“Groups” (case-
sensitive).

35
3.2.5 Build role collections
You need to define role collections to control user authorization for the SAP Subscription Billing UI and apps.

1. In your global
account, open the
subaccount. In the
navigation panel,
choose Security >
Role Collections.

2. To create a new role

collection, select
the + icon on the right
of the search field.

3. Name your role

collection and select
Create.

In this guide, we use

“My Role Collection”
as the example
name.

4. To start adding roles,

search for the new
role collection in the
table and select the
row.

36
5. In the overview of the
role collection, select
Edit to open the
screen in edit mode.

6. Under Roles > Role

Name, select the icon
of the input field to
open the role
selector.

7. In the list
Application
Identifier, choose the
identifier that begins
with “revenue-cloud”.
This identifier filters
by the roles from
SAP Subscription
Billing.

37
8. The table Roles
shows all the
available roles for
SAP Subscription
Billing. You can filter
by roles and
templates to reduce
the number of rows.
Then select the roles
that you want in your
collection.

 You can find

information about the
available role
templates under Build
Role Collections in
the Setup and
Administration Guide.

9. Once you have

selected all the roles
for the collection,
confirm the selection
by clicking Add.

 The screenshot
shows the role
“ui_applications_all”,
which provides the
complete set of
authorizations, as an
example. For
productive use, we
recommend that you
configure suitable
roles for your users.

10. Select Save to close

the edit mode.

11. Now your role

collection shows the
assigned roles.

Repeat these steps if

you want to add
further roles to the
collection.

38
3.2.6 Define roles to restrict authorization by market (optional)
You can restrict user access to data that is associated with certain markets. For example, a user can be
allowed to only display billing data for subscriptions in a particular market.
You restrict the markets for which users have authorization by assigning them a role collection that contains at
least one role based on the role template “ui_market_restriction”. The role for market authorization restriction
doesn’t determine whether the user has permission to view or manage data for an object type. Therefore, in
the relevant role collections you need to combine the market restriction role with the functional roles
(view/manage) for object types.
Users without a role that restricts market authorization have access to data for all markets.
For detailed information about the data that is visible to users who are authorized only for certain markets, see
Build Role Collections in the Setup and Administration Guide.

1. In the navigation
panel, choose
Security > Roles.

2. Enter “market” in the

search field to find the
role that restricts
authorization for
markets.

3. In the row that

contains the role
template
“ui_market_restriction”,
select Add Using
Same Role Template.

39
4. Follow the guided
steps to create a new
role with one or
several market values.

Enter a name and

description for the role.
Make sure that you
clearly identify the
markets for which the
role restricts
authorization.

5. Under Values, enter

the IDs of the markets
for which the role
grants authorization
(press Enter after
entering an ID).
Leave the source set
as Static.

Make sure that you

enter the IDs exactly
as they are defined in
Business
Configuration.

40
 6. We recommend that
you use separate role
collections for market
restrictions, rather than
using collections that
combine market and
functional roles
(view/manage).

By keeping the role

types separate, you
have more
transparency.

You can skip this step

and create a new role
collection for market
authorization
afterwards.

7. Review the role data

and finish the creation
process.

 To create a new role collection for market authorization and assign the roles for markets, follow the steps in
the section Build role collections.

41
3.2.7 Assign role collections to users or user groups
In the SAP BTP cockpit, you must assign role collections to IdP users or user groups. The following
description shows how to assign collections to individual users with the example identity provider that we
set up in the section Assign your own identity provider (IdP) to your subaccount in this guide.

8. Create or open the

role collection. In the
overview, select Edit
to open the screen in
edit mode.

9. Under Users, enter

the ID of the user and
choose the identity
provider in the first
row. Then select
the + icon.

10. The user is now

added.

Repeat the previous

step to add further
users to the collection.

11. Select Save to close

the edit mode.

42
12. Now your role
collection should have
at least one user.

43
3.3 Enable API Access

3.3.1 Enable Cloud Foundry

You need to set up the Cloud Foundry environment for your subaccount if you want to call SAP Subscription
Billing APIs, develop your own applications, and process extensions on SAP BTP Cloud Foundry.

1. In your global account,

open the subaccount.
In the overview, select
Enable Cloud
Foundry.

2. Enter an organization
name and select
Create.

 In this guide, we
use the default
suggestion as the
example name.

3. Cloud Foundry is
enabled.

44
3.3.2 Create a space
The Cloud Foundry environment uses spaces within subaccounts to allow you to deploy applications or
services. You need at least one space to create the service instance that provides credentials for access to
the SAP Subscription Billing APIs and enables further integration capabilities.

1. Choose Subaccounts
in the navigation panel.

2. Choose the
subaccount that
contains the Cloud
Foundry organization
in which you'd like to
create a space.

 Subaccounts and
orgs have a 1:1
relationship. They have
the same name and
therefore also the
same navigation level
in the cockpit.

3. Choose Cloud
Foundry > Spaces in
the navigation panel.

45
4. Select
Create Space.

5. Enter a space name,

check the permissions
you'd like to assign to
your user, and then
select Create.

 In this guide, we
use the same name as
the subaccount for the
space example.

6. Your space is created.

46
3.3.3 Add members to spaces and assign roles
To allow users to configure access to SAP Subscription Billing APIs , you need to add them as members to
your spaces and assign the relevant roles for authorization. Access configuration is described in the section
Enable API Access in this guide.

1. Access your space.

2. To assign members
and roles to instances,
choose Members in
the navigation panel.

3. Select
Add Members.

47
4. Enter the email
addresses of the
users that you want to
add.

 Members need
the role “Space
Developer” to read the
credentials for the
service instance.

For more information

about the Cloud
Foundry roles, see the
Cloud Foundry
Documentation.

5. Select OK to save
your changes.

6. The users are now

members of your
space.

48
3.3.4 Create a service instance
When you create an instance of the SAP Subscription Billing API service, you provide a set of scopes that
define which of the APIs can be called and which activities can be done using service keys created for the
instance.

1. In your space,
choose Services >
Service
Marketplace in the
navigation panel.

2. You see all the

services that are
available to you.

Search for and

select the service
SAP Subscription
Billing API.

3. Under Service
Plans, display the
action menu of the
plan for which you
want to create an
instance and select
Create.

 In this guide,
we use the default
plan for the
example.

49
4. Name the instance
and select Next.

 In this guide,
we use
“INSTANCEDEMO”
as the example
name.

5. To define the For an up-to-date list of scopes with their descriptions, see the API Guide.
relevant scopes,
specify a JSON file There may be a delay in updating this example when a new scope is introduced.
or specify
parameters in 
JSON format. The example JSON file on the right contains all the available API scopes. Adjust the file to
restrict access according to your requirements. For testing purposes, you may want to start
with a complete set up scopes for restricted users.

50
6. After providing the
instance
parameters,
select Next.

7. Check that
everything is
correct and select
Create.

51
 8. The creation
process starts.
Select View
Instance to switch
to the Instances
screen.

9. Your instance is
created.

You can create multiple instances to provide different sets of scopes to different users. If you want to consume
new APIs or new functionality of SAP Subscription Billing that require further scopes, you can also update an
existing service instance and upload a new JSON file.

 Note:
If you create an additional service instance in the same subaccount, you must use a different value for the
attribute xsappname in the JSON file that contains the scopes. The xsappname must be unique within the
subaccount.

52
3.3.5 Create a service key
To access APIs, technical users need a service key to get an access token.

1. In the Instances
screen, display the
action menu of the
instance and choose
Create Service Key.

2. Name the service key

and select Create.

3. To see the newly

created service key,
display its action menu
and choose View.

53
 4. The details of the
service key are
displayed.

 The service key

contains the
information needed to
generate an access
token to access the
APIs of SAP
Subscription Billing.

For information on
generating a token, see
Generate an Access
Token in the API
Guide.

MORE INFORMATION
If you need more details, including explanations of the SAP BTP concepts, refer to the documentation Getting
Started with an Enterprise Account in the Cloud Foundry Environment, where you can use the interactive
graphics to navigate to more information.

54
3.4 Onboard Price Calculation

Onboard the Price Calculation service for SAP Subscription Billing to enable pricing with pricing schemes.
We recommend that you do this after completing the onboarding of SAP Subscription Billing.

Please follow the steps in the SAP BTP Configuration Guide for Price Calculation to onboard the service. Note
that the service subscription step may take a few minutes.

We recommend that you define pricing models using pricing schemes, as we only plan to add new features to
this pricing configuration option.

55
3.5 Set Up SAP Event Mesh
Complete the setup steps in this section if you want to receive events sent outwards from SAP Subscription
Billing through the SAP Event Mesh service.
Events are messages that can be sent to notify a consumer about life cycle changes to an object, such as
creation, update, or a status change. You can use events to trigger follow-up processes, for example to send a
confirmation email after a subscription has been created or to deactivate the service after a subscription has
been withdrawn or canceled.
For an overview of the available events in SAP Subscription Billing and how to use them, see Events in the
API Guide.

 You need to purchase a separate license for the SAP Event Mesh service. The service must be
provisioned in the same SAP BTP global account as SAP Subscription Billing.

3.5.1 Assign an Event Mesh entitlement

As described in Assign entitlements in this guide, you need to assign entitlement quotas to your subaccount.

1. In your subaccount,
choose Entitlements
in the navigation
panel.

You must use the

same subaccount as
the one in which you
subscribed to SAP
Subscription Billing.

2. To start, select
Configure
Entitlements.

3. Now select Add

Service Plans.

56
4. Search for Event
Mesh, choose the
service, and enable
the service plan
default.

 If you don’t see

this entitlement in the
list, then either you still
need to purchase a
license, or all the
purchased
entitlements are used
up.

5. Confirm the change by

selecting Add 1
Service Plan.

6. Assign the quota and

select Save to finish.

57
3.5.2 Create an Event Mesh instance
 For the consumption of events, the prices set in the SAP Event Mesh price list apply. 
You can create a new Event Mesh instance by using the SAP BTP cockpit or by using the Cloud Foundry
Command Line Interface. In this section, we provide instructions for the SAP BTP cockpit.

Make sure that SAP Event Mesh and SAP Subscription Billing are in the same subaccount.
For more information, see Initial Setup in the SAP Event Mesh documentation.

1. In your subaccount,
choose Cloud
Foundry > Spaces in
the navigation panel.

You must use the

same subaccount as
the one in which you
subscribed to SAP
Subscription Billing.

2. Open the space in

which you want to
create a service
instance.

3. Choose Services
> Service
Marketplace in the
navigation panel.

58
4. You see all the
services that are
available to you.

Search for and select

the service
Event Mesh.

5. Under Service Plans,

display the action
menu of the plan for
which you want to
create an instance and
select Create.

 Your user must be

a member of the
space and have the
role Space Developer
assigned. If not, you
won’t see the button
Create.

59
6. Name the instance
and select Next.

 In this guide,
we use
“DEMOSUBACC01”
as the example name
for the instance.

60
7. Upload a JSON file or {
specify the parameters "emname": "<yourmessageclientname>",
in JSON format. "namespace":
"<yourorgname>/<yourmessageclientname>/<uniqueID>",
"version": "1.1.0",
"options": {
"management": true,
"messagingrest": true,
"messaging": true
},
"rules": {
"queueRules": {
"publishFilter": [
"${namespace}/*"
],
"subscribeFilter": [
"${namespace}/*"
]
},
"topicRules": {
"publishFilter": [
"${namespace}/*"
],
"subscribeFilter": [
"sap/billing/sb/*"
]
}
}
}

Provide the parameters for which the placeholders are highlighted in yellow: name of
message client, namespace, and connection rules for the message client.

 The namespace must contain alphanumeric characters with 3 segments (a/b/c) and
have a maximum length of 24 characters. Don’t use the term “sap” in your namespace
because it’s reserved for SAP applications.

For more information, see Syntax for Service Descriptor in the SAP Event Mesh
documentation.

To receive events from SAP Subscription Billing, you must define a subscribeFilter
rule as highlighted in green in the service description. With this configuration, you
specifically subscribe to the topics for SAP Subscription Billing.

8. After providing the

parameters, select
Next.

61
 9. Check that everything
is correct and select
Create.

10. The creation process

starts. Select View
Instance to switch to
the Instances screen.

11. Your instance is

created.

After you have set up the Event Mesh instance, you can create service keys as described in the section
Create a service key in this guide.

If you decide to deploy an application to SAP BTP, you can receive the credentials via binding to the Event
Mesh instance. For more details, see Bind an Application to an Event Mesh Service Instance in the SAP Event
Mesh documentation.

62
3.5.3 Prepare access to the SAP Event Mesh application
SAP Event Mesh is a software as a service (SaaS) application that allows your authorized business users to
manage queues and webhooks. It also allows them to view the connection rules and service descriptor that
you provided when you created a service instance. For more information, see Using Event Mesh in the SAP
Event Mesh documentation.

 Only a security administrator of the subaccount can perform the steps in this section. For detailed
information on defining your security administrators, see the section Define security administrators in your
subaccount in this guide.

1. Subscribe to the
SAP Event Mesh
application:

Go to the subaccount
in which you
subscribed to SAP
Event Mesh and SAP
Subscription Billing.
Choose Services >
Service Marketplace
in the navigation
panel.

2. You see all the

services that are
available to you.

Search for and select

the service
Event Mesh.

63
3. Under Application
Plans, display the
action menu of the
plan for which you
want to create a
subscription and
select Create.

 In this guide, we
use the standard plan
for the example.

4. Check the basic info

and then select
Create.

5. The creation process

starts. Select View
Subscription to
switch to the
Instances and
Subscriptions
screen.

64
6. You’re subscribed to
the Event Mesh
application.

7. Now give your users

access to the
application:

In your subaccount,
choose Security >
Rolle Collections in
the navigation panel.
Then filter by
“Enterprise
Messaging” (former
name of Event Mesh).

You see the standard

role collections for
Event Mesh.

For details on the

Event Mesh roles, see
Assign Roles to Users
in the SAP Event
Mesh documentation.

8. Assign your users to

the standard role
collections according
to the necessary
authorizations.

For example, assign

administrators to the
collection Enterprise
Messaging
Administrator.

9. Follow the same steps

as described in Assign
role collections to
users or user groups.

 If you need more

apart from the
standard collections,
you can also create
your own role
collections for Event
Mesh. See Build role
collections for the
steps.

65
 10. To access the
application, return to
the overview of your
subaccount and
choose Services >
Instances and
Subscriptions. In the
list of subscriptions,
select the Go to
Application icon of
Event Mesh.

 Only the business

users that you
authorized in the
previous step can
enter the application.

11. The SAP Event Mesh

application loads.

You will see a tile for

each Event Mesh
instance of plan
DEFAULT from your
subaccount.

To continue, select the

tile for your messaging
client.

You will see the settings for this messaging client. You can then define queues or webhook subscriptions and
display further details.

You need a webhook subscription if you want to receive the events via a push mechanism. The Event Mesh
service calls your registered endpoint (webhook URL) via a HTTP post request with the event payload.

66
www.sap.com/contactsap

© 2023 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation
to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are
cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. See https://www.sap.com/copyright for additional trademark information and notices.