SAP Joule
BTP
Enterprise Guide
18 Chapters

Joule Deployment & Configuration Center

Enterprise implementation handbook for deploying, configuring, securing, integrating, and operating SAP Joule across public cloud, private cloud, and hybrid SAP landscapes.

1

Joule Deployment Overview

Supported products, deployment scenarios, and the BTP foundation that powers every Joule instance.

What is SAP Joule?

SAP Joule is a generative AI copilot embedded across the SAP portfolio. It is delivered as a managed service on SAP BTP and activated via subscription — customers do not install Joule software; they configure access, trust, and identity to enable the service for their users.

Service type: BTP managed subscription
Deployment model: SaaS — SAP operates the LLM layer
Primary entry points: Fiori LP · SAP Start · Work Zone · Build Code
Skill runtime: SAP Generative AI Hub (AI Foundation)
Custom skills: Joule Studio (BTP — drag & drop)
Min. SAP contract: RISE with SAP or standalone GROW with SAP

Deployment Landscape

Joule Deployment Scenarios Across SAP Landscapes
Public Cloud

SAP-managed BTP, native integration, no Cloud Connector. Enabled via SAP for Me. Fastest time-to-value.

Private Cloud

RISE / PCE landscape with customer-controlled BTP subaccount. Requires trust and destination setup.

On-Premise / Hybrid

SAP Cloud Connector tunnels S/4HANA traffic to BTP Destination. Joule service on BTP subaccount.

Supported Products (Joule GA)

SAP Product | Deployment Type | Joule Entry Point | Notes
S/4HANA Public Cloud | Public Cloud (SAP BTP) | Fiori LP + SAP Start | Auto-enabled with GROW/RISE subscription
S/4HANA Private Cloud (PCE) | Private Cloud (RISE) | Fiori LP | RISE BTP subaccount required; manual config
S/4HANA On-Premise 2022+ | Hybrid (Cloud Connector) | Fiori LP | SAP Conn. + BTP destination + IAS trust
SuccessFactors HXM | Public Cloud | SuccessFactors UI | Separate Joule for HXM entitlement required
SAP Build Work Zone Advanced | BTP (Advanced plan) | Portal header button | Advanced edition only; Standard does not include Joule
SAP Build Code | BTP | IDE sidebar | Joule for developers — code generation & review
SAP Ariba (2025+) | Public Cloud | Ariba UI | Procurement-specific skills

BTP is always required
Every Joule deployment — even public cloud — uses SAP BTP as the infrastructure layer for the Joule managed service, Generative AI Hub, and Cloud Identity Services. Your BTP global account and at least one subaccount are non-negotiable prerequisites.
2

Joule Reference Architecture

End-to-end component map, authentication flow, and layer-by-layer breakdown.

End-to-End Architecture

Joule Reference Architecture — User to Backend

Authentication & Identity Flow

Joule Authentication Flow — SSO to Principal Propagation
1. Corporate SSO

User authenticates with corporate IdP (Azure AD / ADFS / Okta). MFA enforced at IdP level.

2. IAS Federation

IAS acts as a proxy IdP. Receives SAML assertion from corporate IdP, issues OIDC token for BTP.

3. XSUAA OAuth

BTP XSUAA validates the OIDC token, issues a scoped JWT that includes Joule role collection claims.

4. Principal Propagation

User identity forwarded to S/4HANA or other backends. S/4HANA checks business roles — no shared technical user.

Component Layer Breakdown

NLU Engine: Classifies user intent, extracts entities (dates, amounts, IDs). SAP-trained on business vocabulary.
Skill Router: Selects the most relevant pre-built or custom skill based on intent. Falls back to generative response if no skill matches.
Context Manager: Maintains conversation session state (10-turn window), user preferences, and application context (which FLP tile is open).
Generative AI Hub: SAP-managed LLM gateway. Model-agnostic — supports GPT-4o, Claude, and SAP AI Foundation models. No customer data retained.
Skill Layer: Pre-built SAP skills cover Finance, HR, Procurement, Supply Chain. Custom skills built in Joule Studio.
Backends: Skills invoke released OData V4 APIs via BTP Destination Service. S/4HANA, SuccessFactors, and custom CAP services.
3

Prerequisites & BTP Setup

BTP account structure, entitlements, Cloud Identity Services, and CLI setup commands.

BTP Account Prerequisites

Required BTP Account Topology for Joule

BTP Requirements

Enterprise (paid) Global Account — trial accounts not supported
BTP Subaccount in a supported Joule region (eu10, us10, ap10, ap11)
Cloud Foundry or Kyma runtime enabled in subaccount
Joule entitlement distributed from Global Account
Audit Log Service entitlement (recommended for compliance)
BTP Destination Service entitlement

Identity Requirements

SAP Cloud Identity Services (IAS) tenant — default or custom domain
IPS (Identity Provisioning) configured with provisioning job
Corporate IdP federated with IAS (optional but recommended)
IAS trust established in BTP subaccount (Security → Trust Configuration)
S/4HANA configured as SAML SP against IAS (Transaction SAML2)

BTP CLI: Entitlement & Subscription

joule-btp-setup.sh
# ── 1. Assign Joule entitlement in Global Account ──────────────────
btp assign accounts/entitlement \
  --to-subaccount <SUBACCOUNT_GUID> \
  --for-service joule \
  --plan standard \
  --amount 1

# ── 2. Subscribe to Joule in the subaccount ────────────────────────
btp subscribe accounts/subaccount \
  --subaccount <SUBACCOUNT_GUID> \
  --to-app joule-standard-tenant-subscription \
  --plan standard

# ── 3. Assign Joule_User role collection to a user ─────────────────
btp assign security/role-collection "Joule_User" \
  --to-user user@example.com \
  --of-type user \
  --subaccount <SUBACCOUNT_GUID>

# ── 4. Verify subscription status ─────────────────────────────────
btp list accounts/subscription \
  --subaccount <SUBACCOUNT_GUID> \
  | grep -i joule

BTP Destination: S/4HANA

S4HANA_SYSTEM destination
{
  "Name": "S4HANA_SYSTEM",
  "Type": "HTTP",
  "URL": "https://my-s4hana.example.com",
  "Authentication": "OAuth2SAMLBearerAssertion",
  "ProxyType": "OnPremise",
  "Description": "S/4HANA backend for Joule principal propagation",
  "audience": "https://my-s4hana.example.com",
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession",
  "clientKey": "<OAUTH_CLIENT_ID>",
  "tokenServiceURL": "https://<IAS_TENANT>.accounts.ondemand.com/oauth2/token",
  "sap-client": "100",
  "HTML5.DynamicDestination": "true",
  "WebIDEEnabled": "true",
  "WebIDEUsage": "odata_abap"
}
ProxyType for on-premise
For SAP S/4HANA On-Premise systems, set ProxyType: OnPremise and ensure the Cloud Connector is configured with a virtual host matching this URL. For public cloud, use Internet.

Network Requirements

Outbound (from corporate network)

BTP control plane: *.hana.ondemand.com (TCP 443)
IAS: <tenant>.accounts.ondemand.com (TCP 443)
Joule service endpoints: *.joule.cfapps.*.hana.ondemand.com
Generative AI Hub: *.ml.hana.ondemand.com

Cloud Connector (on-prem only)

SCC version 2.16+ installed in DMZ or internal network
Connected to correct BTP subaccount
Virtual host mapping for S/4HANA system defined
HTTPS access control rules: /sap/opu/odata4/sap/ (allowlisted)
4

Licensing Requirements

AI Units, included skills, Joule Booster, and licensing decision framework.

License Tiers

License Tier | Included With | Joule Skills | Custom Skills
RISE with SAP (S/4HANA PCE) | RISE subscription | Core SAP skills (Finance, HR, Procurement baseline) | Requires Joule Booster add-on
GROW with SAP (S/4HANA Public Cloud) | GROW subscription | Full pre-built SAP skills suite | Requires Joule Studio + AI Units
Joule Booster | Add-on purchase | Extended skill catalog | Joule Studio included; AI Units consumed
SAP Business AI (standalone) | Direct purchase | Product-specific skills | Full Joule Studio + AI Unit allocation

AI Units — Consumption Model

What is an AI Unit: Capacity unit consumed per Joule interaction (input + output tokens)
Allocation model: Annual AI Unit allocation in your BTP contract. Unused units do not roll over.
Monitoring: BTP Cockpit → Subaccount → Services → AI Foundation → Usage (real-time dashboard)
Over-usage policy: Throttling applied when allocation exhausted. Upgrade or purchase top-up units.
Cost control: Set AI Unit quotas per subaccount to prevent runaway consumption in dev/test
Custom skill cost: Custom skills calling external LLMs via Generative AI Hub consume additional AI Units

Licensing Decision Framework

Do you have RISE or GROW with SAP?

Yes → Joule is included. Check your contract for the AI Unit allocation and which skills are licensed.

Do you need custom organization-specific skills?

Yes → You need Joule Booster (or SAP Business AI). Joule Studio is the tool; AI Units are the runtime currency.

Do you need Joule in SuccessFactors HXM?

Joule for HXM is a separate entitlement from Joule for S/4HANA. Check your SuccessFactors contract.

SAP for Me — entitlement overview
Log in to SAP for Me → Systems & Provisioning → your S/4HANA system → Cloud Services. This shows your Joule entitlement status, allocated AI Units, and links to activate the service in BTP Cockpit.
5

Joule in SAP Start

Enabling and configuring Joule as the home page assistant on SAP Start.

What is SAP Start?

SAP Start is the unified entry point for SAP applications in the public cloud portfolio. It replaces the classical Fiori Launchpad home page for S/4HANA Public Cloud users and is the primary surface for Joule in that context. SAP Start is hosted on SAP BTP and requires no separate installation.

Availability: S/4HANA Public Cloud (GROW with SAP) — standard feature
Joule entry point: Persistent Joule button in SAP Start header (top-right)
Auth model: SAP IAS default tenant (pre-configured by SAP in GROW)
User activation: Role-based — SAP Start user must have Joule role assigned
Personalization: Joule is context-aware of which SAP Start page/app is open

Configuration Steps

Confirm GROW with SAP subscription includes Joule entitlement (SAP for Me)
Ensure users are provisioned in IAS via IPS (SCIM sync from corporate directory)
Assign SAP Start business role with Joule catalog to user groups in S/4HANA
Assign BTP role collection 'Joule_User' via IAS group mapping or direct assignment
Verify SAP Start URL is accessible: https://[tenant].sapstart.hana.ondemand.com
Test: Log in as a regular user, confirm Joule button is visible and responds
SAP Start vs Fiori LP
SAP Start and Fiori Launchpad can coexist. In GROW with SAP, SAP Start is the preferred entry point. In RISE with SAP (PCE), Fiori LP is still primary, but SAP Start can be enabled as an additional entry point via BTP managed service activation.
6

Joule in SAP Build Work Zone

Advanced edition integration, role configuration, and content federation for Joule in Work Zone.

Work Zone Architecture with Joule

SAP Build Work Zone Advanced — Joule Integration Architecture

Standard vs Advanced Edition

Work Zone Standard
Basic portal and launchpad functionality
No Joule integration — Joule NOT included
No Task Center (workflow inbox)

Use Standard for simple portal needs only.

Work Zone Advanced ✓
Full digital workplace: Spaces, Pages, apps
Joule embedded in portal header (persistent)
Task Center: cross-system workflow inbox
Content federation from S/4HANA via CDM

Advanced is required for Joule in Work Zone.

Configuration Steps

Subscribe to Build Work Zone Advanced in BTP subaccount
Configure IAS trust: BTP Subaccount → Security → Trust Configuration
Subscribe to Joule in the same BTP subaccount
Assign role collection 'Joule_WorkZone_User' to users via IAS group
In Work Zone Admin → Manage Configuration → Enable Joule toggle
Configure content providers (S/4HANA CDM, custom apps) for contextual skills
Test: Open Work Zone → confirm Joule button appears in top navigation bar

Task Center + Joule Integration

When Task Center (workflow inbox) is enabled alongside Joule, users can ask Joule to surface pending approvals: "Show my pending purchase order approvals" — Joule queries Task Center via the BTP Task Center service API, not directly against S/4HANA.

Subscribe to SAP Task Center service in BTP subaccount
Configure Task Center connector for S/4HANA (destination + principal propagation)
Assign 'TaskCenter_User' role collection to end users
Joule will automatically surface pending approvals if Task Center is active
7

Joule in SAP Fiori Launchpad

End-to-end Fiori LP integration — business catalogs, roles, identity trust, Cloud Connector, and troubleshooting.

Fiori LP Integration Architecture

Joule in SAP Fiori Launchpad — Full Architecture

Business Role & Catalog Setup

The Joule button in Fiori LP is delivered via a dedicated business catalog. You must assign this catalog to a business role, and that role must be assigned to the target users.

Required Business Catalog

SAP_BASIS_BC_JOL_CATALOG

Contains Joule Fiori app, navigation target, and the Joule button UI element.

S/4HANA Steps

Open 'Maintain Business Roles' Fiori app
Create or edit a business role for Joule users
Add SAP_BASIS_BC_JOL_CATALOG to the role's Business Catalogs tab
Assign the business role to target users or user groups

Identity Trust Configuration

Step 1: S/4HANA → IAS Trust (SAML 2.0)

In S/4HANA: Run Transaction SAML2
Go to 'Create SAML 2.0 Identity Provider'
Import IAS metadata: https://[tenant].accounts.ondemand.com/saml2/metadata
Set IAS as default identity provider for the ABAP system
Enable 'Use IAS as Identity Provider for Fiori Launchpad'

Step 2: BTP Subaccount → IAS Trust (OIDC)

BTP Cockpit → Subaccount → Security → Trust Configuration
Click 'Establish Trust' → select your IAS tenant
Download IAS OIDC metadata and configure in BTP
Set IAS as the 'Default Identity Provider' for the subaccount
Verify trust: test SSO login via the Trust Configuration test button

Cloud Connector Setup (On-Premise Only)

Only needed for on-premise S/4HANA
If you are deploying Joule for S/4HANA Public Cloud (GROW) or PCE/RISE, skip this section — Cloud Connector is not required. The Cloud Connector section applies only to S/4HANA 2022+ on-premise.
Install SCC 2.16+ on a dedicated server in your on-premise network
SCC → Cloud Connector → Cloud to On-Premise → Add System Mapping
Internal host: actual S/4HANA hostname; Virtual host: alias used in BTP destination
Protocol: HTTPS; Port: 443
Add resource: /sap/ (all paths) or /sap/opu/odata4/ (more restrictive)
In BTP Destination, set ProxyType: OnPremise and use virtual host as URL
Test connectivity: BTP Cockpit → Destination → Check Connection

BTP Role Collections for Joule FLP

Role Collection | Purpose | Assignment
Joule_User | Standard end-user access — can chat with Joule | Assign to all Joule end users via IAS group mapping or direct
Joule_Administrator | Manage Joule configuration, skills, system settings | Assign to Joule admins only
Joule_ContentAdministrator | Manage knowledge sources and custom skills in Studio | Assign to content/skill developers

End-to-End Configuration Sequence

  1. Subscribe to Joule in BTP subaccount (standard plan)
  2. Subscribe to Cloud Identity Services in BTP subaccount (if not already)
  3. Establish IAS trust in BTP subaccount (Security → Trust Configuration)
  4. Configure SAML 2.0 trust in S/4HANA: Transaction SAML2 → import IAS metadata
  5. Set up IPS provisioning job: sync users from corporate AD/LDAP to BTP
  6. [On-prem only] Install and configure SAP Cloud Connector
  7. [On-prem only] Create BTP Destination for S/4HANA (ProxyType: OnPremise)
  8. Create business role in S/4HANA with SAP_BASIS_BC_JOL_CATALOG catalog
  9. Assign business role to target users in S/4HANA User Management
  10. Assign Joule_User role collection in BTP to target users or IAS groups
  11. Test: Open Fiori LP, verify Joule button visible in bottom-right corner
  12. Test: Click Joule button, verify chat panel opens and responds to a query
8

Joule in SAP S/4HANA Public Cloud

Prerequisites, activation via SAP for Me, business roles, and identity for GROW with SAP.

Public Cloud Architecture

Joule in S/4HANA Public Cloud — SAP-Managed BTP

Activation Prerequisites

Contract Requirements

GROW with SAP subscription that includes Joule entitlement
AI Unit allocation confirmed in SAP for Me contract overview
IAS default tenant activated (auto-provisioned in GROW)

Activation Steps

Log in to SAP for Me → Systems & Provisioning
Select your S/4HANA Public Cloud system
Cloud Services → SAP Joule → Activate
SAP auto-configures BTP subscription, IAS trust, and entitlements
Users automatically get Joule access based on their S/4HANA roles

Business Roles (Public Cloud)

In S/4HANA Public Cloud, business roles are SAP-delivered templates. Joule requires the business catalog to be included in the user's assigned role. For most public cloud users this is automatic once Joule is activated via SAP for Me.

Required catalog: SAP_BASIS_BC_JOL_CATALOG (auto-assigned in GROW)
Role assignment: Manage Business Roles Fiori app → add catalog to existing roles
Admin role: SAP_BR_ADMINISTRATOR includes Joule admin capabilities
User management: IPS sync from IAS → S/4HANA; users must be in both systems
Public Cloud Joule — minimal manual setup
Public Cloud Joule is designed for minimal customer effort. SAP provisions the BTP subscription, trust configuration, and IAS connection automatically. Your main tasks are: (1) activate via SAP for Me, (2) ensure users are provisioned via IPS, and (3) assign the business catalog to the target role.
9

Joule in SAP S/4HANA Private Cloud (RISE/PCE)

Architecture, Cloud Connector setup, BTP dependencies, and configuration for RISE with SAP.

Private Cloud Architecture

Joule in S/4HANA Private Cloud (RISE/PCE) — Architecture

RISE BTP Subaccount

With RISE with SAP, you receive a dedicated BTP subaccount within the SAP-managed Global Account. This subaccount is where Joule is subscribed and configured. You have customer-level admin access to this subaccount — SAP manages the underlying infrastructure.

BTP access: Customer admin access to RISE BTP subaccount
Joule subscription: Manual — customer subscribes to Joule in their RISE BTP subaccount
IAS tenant: Provided by SAP in RISE; or bring your own IAS custom domain
Cloud Connector: Managed by SAP (PCE), but you configure virtual mappings and access control
Destination: Customer creates BTP Destination for S/4HANA PCE system

Configuration Steps (RISE/PCE)

Log in to RISE BTP Cockpit → your RISE subaccount
Entitlements → Add Joule service plan 'standard'
Subscriptions → Subscribe to Joule (standard plan)
Security → Trust Configuration → Establish IAS trust (your RISE IAS tenant)
Connectivity → Destinations → New Destination for S4HANA PCE system
Cloud Connector (SAP-managed) → configure virtual host and resource mapping
S/4HANA PCE: Transaction SAML2 → trust IAS as identity provider
S/4HANA PCE: Maintain Business Roles → add SAP_BASIS_BC_JOL_CATALOG
BTP → Security → Role Collections → assign Joule_User to target users
IPS → configure provisioning job to sync PCE users to BTP
Validate: Fiori LP opens, Joule button visible, test conversation works
SAP Cloud Connector in PCE — SAP responsibility
In RISE with SAP (PCE), the Cloud Connector is SAP-managed infrastructure. You do NOT have OS-level access. To add virtual host mappings or modify access control, raise a service request in SAP for Me against the PCE Cloud Connector component.
10

Joule Studio Integration

Setting up Joule Studio, building custom skills, actions, knowledge sources, and publishing workflows.

Joule Studio Overview

Joule Studio is the low-code/no-code tool on SAP BTP for building custom Joule skills. A skill extends Joule with domain-specific capabilities — custom vocabulary, organization-specific workflows, integration with non-SAP systems, and enterprise knowledge bases.

BTP service: Joule Studio (subscription-based, part of Joule Booster)
Skill components: Intents · Entities · Actions (REST calls) · Knowledge Sources · Dialogs
Action target: Any REST/OData endpoint accessible via BTP Destination Service
Knowledge source: SharePoint, files (PDF/DOCX), custom APIs, Confluence
Publish target: Joule in Fiori LP / Work Zone / SAP Start (same BTP subaccount)

Skill Development Lifecycle

  1. Subscribe to Joule Studio in BTP subaccount (requires Joule Booster or SAP Business AI)
  2. Assign Joule_ContentAdministrator role collection to skill developers
  3. Open Joule Studio from BTP Cockpit → Instances & Subscriptions → Joule Studio
  4. Create New Skill → define the skill name, description, and scope
  5. Design Intents: define what users say to trigger this skill (training phrases)
  6. Configure Actions: point to REST/OData API via BTP Destination (HTTP action descriptor)
  7. Add Knowledge Sources: upload PDFs, connect SharePoint/Confluence for RAG responses
  8. Build Dialogs (optional): multi-turn conversation flows for complex workflows
  9. Test skill in Studio: use the integrated chat simulator
  10. Publish skill to Joule production endpoint in the same BTP subaccount
  11. Verify in Fiori LP / Work Zone: test with a user who has Joule_User role

Action Descriptor (REST Action)

joule-action-descriptor.json
{
  "skillId": "com.acme.procurement.order-status",
  "version": "1.0.0",
  "displayName": "Check Purchase Order Status",
  "description": "Retrieves the current status and details of a purchase order by number",
  "actions": [
    {
      "id": "getPurchaseOrderStatus",
      "type": "REST",
      "destination": "S4HANA_SYSTEM",
      "path": "/sap/opu/odata4/sap/api_purchaseorder_2/srvd_a2x/sap/api_purchaseorder_2/0001/A_PurchaseOrder",
      "method": "GET",
      "parameters": [
        {
          "name": "$filter",
          "value": "PurchaseOrder eq '{purchaseOrderNumber}'"
        },
        {
          "name": "$select",
          "value": "PurchaseOrder,OrderStatus,NetOrderAmount,DocumentCurrency,Supplier,CreationDate"
        }
      ],
      "principalPropagation": true
    }
  ],
  "requiredParameters": [
    {
      "name": "purchaseOrderNumber",
      "type": "string",
      "description": "SAP purchase order number (10 digits)"
    }
  ]
}
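
The descriptor above places {purchaseOrderNumber} inside an OData $filter string literal, so the value should be checked before it reaches the backend. The following is an added example, not part of the original guide or SAP code: a stand-alone JavaScript validator that assumes the 10-digit format stated in the descriptor; all function names and sample inputs are constructed for illustration.

```javascript
'use strict'

// Added example. Assumption: purchase order numbers are exactly 10 ASCII
// digits, as stated in the descriptor's requiredParameters description.
const PO_NUMBER = /^\d{10}$/

// Columns requested by the descriptor's $select parameter.
const SELECT_FIELDS = ['PurchaseOrder', 'OrderStatus', 'NetOrderAmount',
  'DocumentCurrency', 'Supplier', 'CreationDate']

// OData string literals escape a single quote by doubling it.
// Applied as defence in depth even after allowlist validation.
function escapeODataString(value) {
  return String(value).replace(/'/g, "''")
}

// Returns the trimmed PO number or throws. Anything that is not a string
// of exactly 10 ASCII digits is rejected rather than repaired.
function normalisePurchaseOrderNumber(input) {
  if (typeof input !== 'string') {
    throw new TypeError('purchaseOrderNumber must be a string')
  }
  const trimmed = input.trim()
  if (!PO_NUMBER.test(trimmed)) {
    throw new RangeError('purchaseOrderNumber must be exactly 10 digits')
  }
  return trimmed
}

// Builds the query string for A_PurchaseOrder from a validated value.
function buildPurchaseOrderQuery(input) {
  const po = normalisePurchaseOrderNumber(input)
  const filter = `PurchaseOrder eq '${escapeODataString(po)}'`
  const select = SELECT_FIELDS.join(',')
  return `$filter=${encodeURIComponent(filter)}&$select=${encodeURIComponent(select)}`
}

// Constructed sample inputs: two well-formed values and four malformed ones.
const SAMPLE_INPUTS = [
  '4500000001',          // well-formed
  ' 4500000001 ',        // surrounding whitespace is trimmed
  '45000001',            // too short
  "45000'0001",          // contains a quote character
  4500000001,            // wrong type (number, not string)
  '\uFF11'.repeat(10)    // full-width digits, not ASCII
]

// Runs every sample through the validator and records the outcome.
function classifySamples() {
  return SAMPLE_INPUTS.map((input) => {
    try {
      return { input, accepted: true, query: buildPurchaseOrderQuery(input) }
    } catch (err) {
      return { input, accepted: false, reason: err.message }
    }
  })
}
```

The same check belongs in the backend handler as well, since the conversational layer is not the only caller that can reach the endpoint.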
11

Joule + CAP Integration

Architecture for invoking CAP services from Joule custom skills via BTP Destination and principal propagation.

CAP Integration Architecture

Joule Custom Skill → CAP Service → S/4HANA Backend

CAP Service: Joule Action Endpoint

Define a CDS service with an action matching the Joule action descriptor. CAP handles JWT validation automatically when configured with IAS/XSUAA authentication. Use cds.connect.to() to delegate backend calls to the BTP Destination.

srv/joule-actions.cds
service JouleActionsService @(requires: 'authenticated-user') {
  action getPurchaseOrderStatus(purchaseOrderNumber: String)
    returns {
      PurchaseOrder:    String;
      OrderStatus:      String;
      NetOrderAmount:   Decimal;
      DocumentCurrency: String;
      Supplier:         String;
      CreationDate:     Date;
    };
}
srv/joule-actions.js
const cds = require('@sap/cds')

module.exports = cds.service.impl(async function (srv) {
  // Connects via the BTP Destination 'S4HANA_SYSTEM'
  // Principal propagation forwards the logged-in user's JWT
  const S4 = await cds.connect.to('S4HANA_SYSTEM')

  srv.on('getPurchaseOrderStatus', async (req) => {
    const { purchaseOrderNumber } = req.data

    const result = await S4.run(
      SELECT.one
        .from('API_PURCHASEORDER_2.A_PurchaseOrder')
        .where({ PurchaseOrder: purchaseOrderNumber })
        .columns('PurchaseOrder', 'OrderStatus', 'NetOrderAmount',
                 'DocumentCurrency', 'Supplier', 'CreationDate')
    )

    if (!result) {
      req.error(404, `Purchase order ${purchaseOrderNumber} not found`)
    }

    return result
  })
})

BTP Destination for CAP → S/4HANA

package.json cds.requires
{
  "cds": {
    "requires": {
      "S4HANA_SYSTEM": {
        "kind": "odata-v4",
        "model": "srv/external/API_PURCHASEORDER_2",
        "[production]": {
          "credentials": {
            "destination": "S4HANA_SYSTEM",
            "path": "/sap/opu/odata4/sap/api_purchaseorder_2/srvd_a2x"
          }
        }
      }
    }
  }
}
Principal propagation is key
Set principalPropagation: true in the Joule action descriptor AND configure the BTP Destination with Authentication: OAuth2SAMLBearerAssertion. This ensures S/4HANA sees the real end-user identity — not a technical system user — for audit and authorization purposes.
12

Joule + SAP Build Apps

Integration patterns and enterprise use cases for combining Joule with SAP Build Apps.

Integration Patterns

Low-Code Backend

Joule Action → Build Apps API

Custom Joule skill calls a SAP Build Apps REST API endpoint to create, read, or update records in a Build Apps application. Build Apps acts as the data layer behind Joule's conversational interface.

UI Embedding

Build Apps Embedding Joule

Build Apps UI embeds a Joule chat widget (via the Joule BTP service UI5 component) inside a custom application screen. Users get contextual AI assistance within the custom app.

Process Trigger

Workflow Trigger via Build Apps

Joule skill invokes a Build Apps workflow action (e.g., create a service ticket, submit a form). Build Apps coordinates the data entry flow, Joule provides the conversational UX.

Data Aggregation

Data Lookup Delegation

Build Apps serves as a microservice aggregating data from multiple sources. Joule action calls the Build Apps OData endpoint to get consolidated answers for the user.

Prerequisites

SAP Build Apps subscription in the same BTP subaccount as Joule
Build Apps application deployed with OData V4 or REST endpoints
BTP Destination created for the Build Apps API URL
XSUAA application plan configured for Build Apps (JWT token exchange)
Joule Studio: create custom skill with action pointing to Build Apps destination
13

Joule + SAP Build Process Automation

Triggering workflows, surfacing approvals, and multi-step automation orchestration via Joule.

SBPA + Joule Integration

SAP Build Process Automation (SBPA) provides workflow automation, RPA bots, and decision rules. Integrated with Joule, users can trigger workflows and receive approval notifications entirely through natural language conversations in the Joule chat panel.

Trigger mechanism: Joule action calls SBPA Workflow REST API via BTP Destination
Approval surface: SAP Task Center aggregates SBPA workflow approvals; Joule queries Task Center
Inbox integration: SBPA tasks appear in Task Center when both services are in same BTP subaccount
Decision rules: Joule can explain decision table outcomes (read-only) via SBPA decision API
RPA bot trigger: Advanced: Joule action → SBPA API → triggers unattended RPA bot execution

Workflow Trigger Configuration

joule-sbpa-action.json
{
  "skillId": "com.acme.hr.leave-request",
  "version": "1.0.0",
  "displayName": "Submit Leave Request",
  "description": "Creates a new leave request workflow in SAP Build Process Automation",
  "actions": [
    {
      "id": "createLeaveRequest",
      "type": "REST",
      "destination": "SBPA_API",
      "path": "/workflow/rest/v1/workflow-instances",
      "method": "POST",
      "headers": {
        "Content-Type": "application/json"
      },
      "body": {
        "definitionId": "leave-request-workflow",
        "context": {
          "employeeId": "{employeeId}",
          "leaveType": "{leaveType}",
          "startDate": "{startDate}",
          "endDate": "{endDate}",
          "reason": "{reason}"
        }
      },
      "principalPropagation": true
    }
  ]
}

Prerequisites & Setup

SBPA subscription in same BTP subaccount as Joule (standard or advanced plan)
Task Center subscription — for approval surfacing via Joule
BTP Destination 'SBPA_API' with OAuth2ClientCredentials authentication
SBPA workflow published and activated with a known definition ID
Joule Studio: custom skill with action descriptor targeting SBPA_API destination
Test: chat 'Submit leave request for next Monday and Tuesday' → verify workflow created in SBPA monitor
14

Joule Security Architecture

IAS/IPS/XSUAA trust topology, principal propagation, authorization model, and data security.

Security Architecture Diagram

Joule End-to-End Security Architecture

Identity & Access Management

Corporate IdP Layer

Azure AD, ADFS, or Okta as the authoritative user directory
MFA enforced at the corporate IdP (not in SAP IAS)
Conditional Access policies applied before SAML assertion is issued
Service accounts and robot users excluded from Joule access

SAP IAS / IPS

IAS acts as proxy — receives SAML from corporate IdP, issues OIDC tokens for BTP
IPS provisions users to BTP via SCIM 2.0 (nightly sync recommended)
Risk-based authentication in IAS for step-up MFA on sensitive operations
IAS groups mapped to BTP role collections (e.g., AD group → Joule_User)

BTP XSUAA & Authorization

Token type: OAuth 2.0 JWT issued by XSUAA; short-lived (60 min default)
Scope enforcement: Joule service validates JWT scope contains Joule role template claim
Role collections: Joule_User (end users), Joule_Administrator, Joule_ContentAdministrator
Group mapping: IAS groups from corporate AD mapped to BTP role collections — no individual assignment needed at scale
Least privilege: Joule_User has no access to Joule Studio configuration — separate role collection required
Token refresh: Silent refresh handled by Joule UI SDK; users are not re-prompted unless session expires

Principal Propagation Deep Dive

Principal propagation ensures that Joule never accesses S/4HANA with a shared technical user. The logged-in user's identity is forwarded to S/4HANA, which enforces its own business role and authorization checks. This means users cannot see data they are not authorized to see — even through Joule.

BTP Destination must use Authentication: OAuth2SAMLBearerAssertion
IAS must be the IdP for both BTP and S/4HANA (common trust chain)
S/4HANA: the ABAP user must match the IAS user (same email/username)
XSUAA issues a SAML bearer assertion containing the user's IAS subject
S/4HANA validates the SAML assertion and maps to a local ABAP user
S/4HANA applies its own authorization objects — Joule cannot bypass PFCG roles
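
The requirements above, together with the "Principal propagation is key" note in chapter 11, can be checked mechanically before a skill is published. The following is an added example, not an SAP tool or code from the original guide: a JavaScript audit that cross-checks action descriptors against destination settings and the Cloud Connector resource prefix. The destination and descriptor data mirror the ones shown in this guide; the SBPA_API URL, the third descriptor, the rule names and all function names are constructed assumptions.

```javascript
'use strict'

// Added example: constructed data mirroring the destinations and action
// descriptors shown in this guide. The rules encode the guide's statements.
const SAML_BEARER = 'OAuth2SAMLBearerAssertion'

const sampleDestinations = [
  { Name: 'S4HANA_SYSTEM', URL: 'https://my-s4hana.example.com',
    Authentication: SAML_BEARER, ProxyType: 'OnPremise' },
  // URL is a constructed placeholder; the guide only names this destination.
  { Name: 'SBPA_API', URL: 'https://sbpa.example.com',
    Authentication: 'OAuth2ClientCredentials', ProxyType: 'Internet' }
]

const sampleDescriptors = [
  { skillId: 'com.acme.procurement.order-status', actions: [{
    id: 'getPurchaseOrderStatus', destination: 'S4HANA_SYSTEM',
    path: '/sap/opu/odata4/sap/api_purchaseorder_2/srvd_a2x/sap/api_purchaseorder_2/0001/A_PurchaseOrder',
    principalPropagation: true }] },
  { skillId: 'com.acme.hr.leave-request', actions: [{
    id: 'createLeaveRequest', destination: 'SBPA_API',
    path: '/workflow/rest/v1/workflow-instances',
    principalPropagation: true }] },
  // Constructed negative case, not taken from the guide.
  { skillId: 'com.example.constructed', actions: [{
    id: 'pingBackend', destination: 'S4HANA_SYSTEM',
    path: '/sap/bc/ping', principalPropagation: false }] }
]

// Cloud Connector resource prefix from the guide's network requirements.
const sampleAllowedPrefixes = ['/sap/opu/odata4/sap/']

// True only if the path sits under an allowlisted prefix. Dot segments, raw
// or percent-encoded, are refused so a prefix match cannot be satisfied by a
// path that normalises to somewhere else.
function isUnderPrefix(path, prefixes) {
  if (/(^|\/)\.\.?(\/|$)/.test(path) || /%2e/i.test(path)) return false
  return prefixes.some((p) => path.startsWith(p.endsWith('/') ? p : p + '/'))
}

// Returns one finding per violated rule for every action in every descriptor.
function auditActions(descriptors, destinations, allowedPrefixes) {
  const byName = new Map(destinations.map((d) => [d.Name, d]))
  const findings = []
  for (const skill of descriptors) {
    for (const action of skill.actions || []) {
      const add = (rule, detail) =>
        findings.push({ skillId: skill.skillId, actionId: action.id, rule, detail })
      const dest = byName.get(action.destination)
      if (!dest) {
        add('DESTINATION_MISSING', `no destination named ${action.destination}`)
        continue
      }
      if (!/^https:\/\//i.test(dest.URL)) {
        add('URL_NOT_HTTPS', `${dest.Name} uses ${dest.URL}`)
      }
      if (action.principalPropagation === true) {
        // Propagation is requested but the destination authenticates as a
        // technical client, so the two settings contradict each other.
        if (dest.Authentication !== SAML_BEARER) {
          add('AUTH_MISMATCH',
            `${dest.Name} uses ${dest.Authentication}, expected ${SAML_BEARER}`)
        }
      } else {
        add('NO_PROPAGATION', 'action runs without the end user identity')
      }
      if (dest.ProxyType === 'OnPremise' &&
          !isUnderPrefix(action.path, allowedPrefixes)) {
        add('PATH_NOT_ALLOWLISTED',
          `${action.path} is outside the Cloud Connector resources`)
      }
    }
  }
  return findings
}

// Audits the constructed samples above.
function auditSamples() {
  return auditActions(sampleDescriptors, sampleDestinations, sampleAllowedPrefixes)
}
```

On the sample data the order-status skill passes, while the leave-request skill is flagged because its descriptor sets principalPropagation: true against a destination that uses OAuth2ClientCredentials.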

Data & Content Security

No customer data stored in LLM layer
SAP Joule's Generative AI Hub is stateless with respect to customer data. User conversation turns are processed in-memory and not persisted to any SAP-managed storage outside of the Audit Log Service. The LLM model does not learn from your customer data.
Input filtering: PII detection scans prompts before sending to LLM
Prompt injection guard: system-level instruction injection attempts are blocked
Output grounding: responses are anchored to SAP API data — hallucination is minimized by retrieval-augmented patterns
Conversation data: retained in SAP Audit Log Service for compliance (configurable retention period)
No cross-tenant data leakage: Joule service is isolated per BTP subaccount
EU data residency: deploy Joule in eu10/eu20 region for GDPR data residency requirements
15

Monitoring & Operations

Monitoring Joule usage, audit logging, health checks, alerting, and AI governance practices.

Monitoring Stack

BTP Cockpit: Subscription health, service status, AI Unit consumption dashboard
Audit Log Service: All Joule conversation events logged: user, timestamp, intent, data access
Alert Notification: BTP Alert Notification Service for threshold alerts (AI Unit budget, error rates)
ABAP System Log: S/4HANA SM21 — logs backend API calls triggered by Joule principal propagation
SAP Cloud ALM: For RISE/PCE customers: SAP Cloud ALM provides end-to-end operations visibility
AI Foundation Monitoring: Generative AI Hub metrics: request count, latency, token usage per skill

Alert Notification Setup

alert-notification-condition.json
{
  "name": "JouleAIUnitThreshold",
  "description": "Alert when AI Units exceed 80% of allocation",
  "condition": {
    "propertyKey": "aiUnitsConsumedPercent",
    "predicate": "GREATER_THAN",
    "propertyValue": "80"
  },
  "actions": [
    {
      "type": "EMAIL",
      "destination": {
        "name": "OpsTeamEmail"
      }
    },
    {
      "type": "SLACK",
      "destination": {
        "name": "OpsSlackChannel"
      }
    }
  ]
}

Operational Health Checks

Daily Checks

BTP Cockpit: Joule subscription status = Active
AI Unit consumption trending (not exceeding daily quota)
IPS provisioning job last run: no errors
BTP Destination connectivity test: all S/4HANA destinations pass

Weekly Checks

Audit Log Service: review unusual access patterns or failed auth events
Custom skill version: check for Joule skill catalog updates from SAP
IAS user provisioning: resolve any sync errors from IPS job
Cloud Connector (on-prem): verify certificate expiry dates
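
The weekly audit log review above can be scripted once the records are exported. The following is an added example, not SAP code: it flags bursts of failed authentication per user and data objects a user touched for the first time compared with a baseline period. The record field names (`time`, `user`, `event`, `data_access`) and all sample values are assumptions constructed for illustration, not the Audit Log Service's actual schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(ts, user, event, data_access=None):
    # Field names are assumptions for this example, not the service's schema.
    return {"time": ts, "user": user, "event": event, "data_access": data_access}

# Constructed sample data. a.meier: 5 failures over 5 hours (no burst);
# c.ortiz: 6 failures within one minute (burst).
BASELINE = [
    _ev("2024-12-30T09:00:00Z", "a.meier@example.com", "conversation", "PurchaseOrder"),
    _ev("2024-12-30T09:05:00Z", "b.khan@example.com", "conversation", "LeaveRequest"),
]
WEEK = (
    [_ev(f"2025-01-06T{h:02d}:00:00Z", "a.meier@example.com", "auth_failure") for h in range(8, 13)]
    + [_ev(f"2025-01-07T02:00:{s:02d}Z", "c.ortiz@example.com", "auth_failure") for s in range(0, 60, 10)]
    + [
        _ev("2025-01-07T10:00:00Z", "a.meier@example.com", "conversation", "PurchaseOrder"),
        _ev("2025-01-07T10:02:00Z", "a.meier@example.com", "conversation", "SupplierBankDetails"),
        _ev("2025-01-08T11:00:00Z", "b.khan@example.com", "conversation", "LeaveRequest"),
    ]
)

def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def failed_auth_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map each user to the time their failures first reached `threshold` within `window`."""
    recent, flagged = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["event"] != "auth_failure":
            continue
        t, q = parse_time(ev["time"]), recent[ev["user"]]
        q.append(t)
        while t - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ev["user"], t)
    return flagged

def new_data_access(baseline, current):
    """Map each user to objects touched in `current` but never in `baseline`."""
    seen, new = defaultdict(set), defaultdict(set)
    for ev in baseline:
        if ev["event"] == "conversation":
            seen[ev["user"]].add(ev["data_access"])
    for ev in current:
        if ev["event"] == "conversation" and ev["data_access"] not in seen[ev["user"]]:
            new[ev["user"]].add(ev["data_access"])
    return {user: sorted(objs) for user, objs in new.items()}
```

With the sample data, `failed_auth_bursts(WEEK)` flags only c.ortiz, and `new_data_access(BASELINE, WEEK)` reports `SupplierBankDetails` as new for a.meier.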

AI Governance Practices

Usage Review

Monthly review of most-used skills, intents, and fallback rates. Identify gaps where custom skills would improve user experience.

Model Update Policy

SAP updates the underlying LLM periodically. Test custom skills with each SAP Joule release in a dev/test subaccount before accepting the release in production.

Access Governance

Quarterly review of role collection assignments via SAP Identity Governance. Remove Joule_User access for leavers promptly via IPS deprovisioning.
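
The access review above and the principal propagation requirement (the ABAP user must match the IAS user) can be checked together in one reconciliation pass. The following is an added example, not SAP code: it takes three exports (IAS users, Joule_User assignees, ABAP users) and classifies each assignee. The export shapes, the `active` and `locked` fields, and all sample identities are constructed assumptions.

```python
def norm(identity):
    # Assumption for this example: e-mail addresses are compared case-insensitively.
    return identity.strip().casefold()

def reconcile(ias_users, joule_assignees, abap_users):
    """Classify every Joule_User assignee by what the review should do with it."""
    active = {norm(u["email"]) for u in ias_users if u["active"]}
    abap = {norm(u["email"]): u for u in abap_users}
    report = {"revoke_joule_user": [], "no_abap_user": [], "abap_locked": [], "ok": []}
    for email in sorted({norm(e) for e in joule_assignees}):
        if email not in active:
            report["revoke_joule_user"].append(email)  # leaver or unknown identity
        elif email not in abap:
            report["no_abap_user"].append(email)       # no backend user to map to
        elif abap[email]["locked"]:
            report["abap_locked"].append(email)
        else:
            report["ok"].append(email)
    # Backend accounts still unlocked for identities no longer active in IAS:
    # candidates for review, since technical users may also appear here.
    report["abap_unlocked_not_in_ias"] = sorted(
        e for e, u in abap.items() if e not in active and not u["locked"]
    )
    return report

# Constructed sample exports (all identities are placeholders).
IAS_USERS = [
    {"email": "a.meier@example.com", "active": True},
    {"email": "b.khan@example.com", "active": True},
    {"email": "d.silva@example.com", "active": False},  # leaver
    {"email": "e.novak@example.com", "active": True},
]
JOULE_ASSIGNEES = [
    "A.Meier@example.com", "b.khan@example.com", "d.silva@example.com",
    "e.novak@example.com", "x.temp@example.com",
]
ABAP_USERS = [
    {"email": "a.meier@example.com", "locked": False},
    {"email": "d.silva@example.com", "locked": False},
    {"email": "e.novak@example.com", "locked": True},
]

if __name__ == "__main__":
    for finding, users in reconcile(IAS_USERS, JOULE_ASSIGNEES, ABAP_USERS).items():
        print(f"{finding}: {users}")
```

Entries under `no_abap_user` correspond to the 403 Forbidden row in the troubleshooting matrix: the assignee holds Joule_User in BTP but has no matching backend user.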

16

Troubleshooting Center

Diagnosis matrix for common Joule deployment issues, error codes, and resolution steps.

Issue Resolution Matrix

Issue: Joule button not visible in Fiori LP
Cause: Business catalog SAP_BASIS_BC_JOL_CATALOG not assigned to user's business role
Resolution: Maintain Business Roles app → add catalog → re-login

Issue: Joule button visible but panel shows 'Authentication Error'
Cause: Joule_User role collection not assigned in BTP, or IAS trust misconfigured
Resolution: BTP Cockpit → Security → Role Collections → assign Joule_User; check IAS trust

Issue: IAS login loop / redirect loop after SSO
Cause: IAS configured as default IdP but BTP subaccount still trusts old default (SAP ID Service)
Resolution: BTP → Trust Configuration → set IAS as default; disable SAP ID Service for end users

Issue: 'Could not load data' when Joule skill is invoked
Cause: BTP Destination misconfigured or Cloud Connector not running
Resolution: BTP Cockpit → Destinations → Check Connection; SCC: verify active connection to BTP

Issue: User gets 403 Forbidden from S/4HANA backend via Joule
Cause: Principal propagation user not found in S/4HANA, or missing PFCG authorization
Resolution: Verify ABAP user exists with same email as IAS user; check SU53 authorization trace

Issue: IPS sync job fails — users not appearing in BTP
Cause: IPS source system connectivity issue or attribute mapping error
Resolution: IPS Admin Console → Provisioning → check Job logs; fix source system credentials or attribute mappings

Issue: Joule responds with generic answer instead of skill response
Cause: Custom skill not published, or intent training phrases insufficient for NLU classification
Resolution: Joule Studio → verify skill is Published; add more diverse training phrases for the intent

Issue: 'AI Unit quota exceeded' error
Cause: Subaccount AI Unit consumption has reached the allocated limit
Resolution: BTP Cockpit → AI Foundation → request quota increase; or optimise skill prompts to reduce token usage

Issue: Mermaid/blank response — no LLM output
Cause: Generative AI Hub endpoint unreachable or temporary service interruption
Resolution: Check SAP BTP Status Page → https://status.cloud.sap for AI Foundation incidents; retry after 5 min

Issue: Joule in Work Zone missing — button not visible
Cause: Work Zone Standard plan (not Advanced); or Joule toggle not enabled in Work Zone Admin
Resolution: Confirm Advanced edition subscription; Work Zone Admin → Manage Configuration → Joule → Enable

Diagnostic Queries (ABAP System Log)

S/4HANA diagnostic transactions
# ── S/4HANA Diagnostic Transactions ──────────────────────────────

# Check authentication events (IAS SAML assertions)
Transaction: SM21
Filter:      Message class = SAML, Level = Error/Warning

# Check authorization failures for Joule backend calls
Transaction: SU53
User:        <joule-user-email>
Shows:       Last failed authorization check (object, field, value)

# Verify IAS trust configuration
Transaction: SAML2
Shows:       All configured SAML identity providers; check IAS entry

# Test user exists and has correct role in S/4HANA
Transaction: SU01D
User:        <email-from-IAS>
Tab:         Roles — verify Joule business role assigned

# Check Fiori LP tile catalog assignment
Transaction: /n/UI2/FLPD_CUST
Shows:       Catalog assignments; search for JOL catalog

BTP-Side Diagnostics

BTP CLI diagnostics
# Check Joule subscription status
btp list accounts/subscription \
  --subaccount <SUBACCOUNT_ID>

# Verify role collection assignments
btp list security/role-collection \
  --subaccount <SUBACCOUNT_ID> | grep -i joule

# Check destination connectivity
btp list connectivity/destination \
  --subaccount <SUBACCOUNT_ID>

# View IAS trust configurations
btp list security/trust \
  --subaccount <SUBACCOUNT_ID>

# Check recent audit log entries (SAP Audit Log Service)
btp list auditlog/security-events \
  --subaccount <SUBACCOUNT_ID> \
  --from "2025-01-01T00:00:00Z"
17

Enterprise Deployment Patterns

Proven architecture patterns for different enterprise SAP landscapes and deployment scenarios.

Pattern Overview

[Diagram: Joule Enterprise Deployment Patterns — Side-by-Side Comparison]
A

Public Cloud Enterprise

Simplest — Fastest
  • S/4HANA Public Cloud (GROW with SAP)
  • SAP-managed BTP: Joule activation via SAP for Me
  • Zero Cloud Connector, zero BTP manual config
  • IAS default tenant pre-configured by SAP
  • Time to first Joule user: < 2 hours
B

Private Cloud Enterprise (RISE)

Standard — Most Common
  • S/4HANA PCE with RISE with SAP
  • Customer-controlled RISE BTP subaccount
  • Manual Joule subscription + IAS trust setup
  • SAP-managed Cloud Connector (PCE infra)
  • Time to first Joule user: 1–3 days
C

Hybrid On-Premise Enterprise

Complex — Full Control
  • S/4HANA 2022+ on-premise
  • Customer-owned BTP subaccount (new or existing)
  • Customer-installed and managed Cloud Connector
  • Full manual config: trust, destination, IPS sync
  • Time to first Joule user: 1–2 weeks
D

Multi-System Enterprise

Advanced — All Products
  • S/4HANA + SuccessFactors + Build Work Zone
  • Single BTP subaccount for Joule (shared service)
  • Multiple destinations: each backend system
  • Unified skill catalog across all entry points
  • IPS provisions users from single corporate AD
E (Emerging)

Global / Multi-Region

Enterprise Scale
  • Multiple SAP systems across regions (EU, US, APAC)
  • Separate BTP subaccounts per region for data residency
  • Global IAS with corporate IdP federation
  • Custom skills deployed across all subaccounts
  • Centralised AI governance and AI Unit budget allocation
18

SAP References

Authoritative SAP documentation, community resources, and SAP Roadmap links organized by chapter.