This guide is for your SAP BTP administrator. It explains how to create the role and service key that let Tekst call your SAP S/4HANA iFlow package.
Once the service key exists, hand the four credential values to whoever connects the integration in Tekst. Entering those values is covered in the "Connect SAP S/4HANA via BTP Service Key" article.
Before you start
You need permissions in SAP BTP to create an SAP Process Integration Runtime instance and to create a service key on it. Adding the role alone is not enough: if you can add the role but cannot create the service key, ask the administrator who holds those permissions to create the key or to grant you the rights.
You will also need access to SAP Integration Suite and your SAP BTP Cockpit.
Why a dedicated role
The Tekst iFlow package uses a dedicated sender role, Tekst.ESBMessaging.send. Every iFlow in the package is configured to accept calls only through this role, so only Tekst can invoke them. This keeps Tekst's access limited to this package, prevents any other client from calling these iFlows, and makes all Tekst calls trackable and auditable.
Step 1: Add the role
In SAP Integration Suite, go to Monitor → Manage Security → User Roles and click Add. Enter the role name exactly:
Tekst.ESBMessaging.send
The role name is case-sensitive and must match exactly, including capitalization.
Step 2: Create a dedicated Process Integration Runtime instance
Create a separate SAP Process Integration Runtime instance for Tekst and attach the role to it. The role is bound at the instance level, and every service key created on an instance inherits that instance's roles. Using a dedicated instance keeps Tekst.ESBMessaging.send on Tekst's keys only, makes the access easy to revoke (delete the instance), and keeps Tekst's activity cleanly auditable.
If you reuse an existing shared instance instead, be aware that any other service key on that instance will also inherit the Tekst role and could call the Tekst iFlows. Only do this if every key on that instance is equally trusted.
To create the instance:
-
In your SAP BTP Cockpit, open your Subaccount and go to Instances and Subscriptions → Create. (The instance runs on Cloud Foundry. If Cloud Foundry is not yet enabled in your subaccount, enable it first using SAP's documentation.)
-
Select the Process Integration Runtime service with the integration-flow plan, choose your runtime environment and space, and give the instance a recognizable name (for example,
tekst-cpi-runtime). -
In the instance parameters, add the role so any key created from it inherits it:
{ "roles": ["Tekst.ESBMessaging.send"] } -
Finish creating the instance.
The service key itself has no roles setting - it inherits the roles from the instance.
Step 3: Create the service key
Open your service instance
-
In your SAP BTP Cockpit, select your Subaccount
-
Click Instances and Subscriptions in the left sidebar
Find the Process Integration Runtime instance you created (Service Technical Name: it-rt). This service provides the permissions needed to execute iFlows with Tekst.
Create the service key
-
Click the instance name to open its details
-
Navigate to the Service Keys tab
-
Click Create to generate a service key (or open an existing one)
-
Click your service key name or the View button to display the JSON
Step 4: Hand over the four credential values
Your service key JSON contains four values that the Tekst integration needs:
{
"oauth": {
"clientid": "sb-xxxxx...",
"clientsecret": "xxxxx...",
"tokenurl": "https://your-tenant.authentication.sap.hana.ondemand.com/oauth/token",
"url": "https://your-tenant.it-cpitrial06-rt.cfapps.us10-001.hana.ondemand.com"
}
}
Share clientid, clientsecret, tokenurl, and url with whoever sets up the connection in Tekst. They enter these in the Tekst platform, as described in the Connect SAP S/4HANA via BTP Service Key article.
0 comments
Please sign in to leave a comment.