Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 


Change enablement and deployment orchestration is still a key to keep the production environment stable and reliable. In SAP Cloud ALM software changes can be managed via features. The business transaction feature holds the change documentation together with the change containers - mainly transport requests.

In this blog post you will learn more about how to enable deployment management in SAP Cloud ALM for SAP S/4HANA and SAP S/4HANA Cloud, private edition. SAP Cloud ALM integrates into Change and Transport System (CTS) which leads to the fact that all SAP NetWeaver Application Server for ABAP systems on-premise can be managed.

Technical checks for connecting your managed systems

First you need to check whether the systems you'd like to connect to SAP Cloud ALM meet the following prerequisites:

  • SAP_BASIS 7.40 SP20 or higher (accordingly 7.50 SP04) and ST-PI 7.40 SP17 or higher. Additionally, please install 3133333 - Collective corrections as of ST-PI 7.40 SP17 for SAP Cloud ALM. If you want to create and release transport requests from SAP Cloud ALM please install SAP Note 3322679 - SAP Cloud ALM - CDM: Master Note and all prerequisite notes. In case your systems do not meet the requirements please install the respective versions. For the latest updates regarding ST-PI level and appropriate notes I recommend to check the Technical Prerequisites for the ABAP System in the SAP Cloud ALM Setup & Admin Guide.

  • Check that the profile parameter icm/HTTPS/client_sni_enabled is set to TRUE. For more information, refer to SAP Note 510007. Transaction code RZ11 can be used to check for the parameter setting.

  • Check that DigiCert Global Root CA, DigiCert Global Root G2 and DigiCert RSA4096 Root G5 are imported in STRUST under SSL Client (Anonymous) and SSL Client (Standard). Go to transaction code STRUST in each ABAP system to be connected (client 000) to check for the Certificates.

Certificate in STRUST

In case the Certificate is not imported yet you need to do the following:

Download and Import the Certificate

You need to import the mentioned certificates to both the SSL Client (Anonymous) as well as the SSL Client (Standard) in the transaction STRUST in your ABAP system.

1) Download the certificates from

2) Log on to your ABAP systems (client 000) you want to connect to SAP Cloud ALM.

3) Go to transaction STRUST.

4) Switch to change mode (Ctrl+F1).

5) Double-click on "SSL client SSL Client (Anonymous)" in the navigation tree on the left side.

6) Click More / Menu "Certificate" > "Import".

  • Use the file path selector to select your DigiCert Root CA certificate downloaded before.

  • Click the button with the green check-mark.

Import Certificate

7) Click More / Menu "Edit" > "Add certificate".

Add Certificate

8) Double-click on "SSL client SSL Client (Standard)" in the navigation tree on the left side.

9) Make sure the certificate information are still visible in the "Certificate" area in the lower right panel

10) Click menu "Edit" > "Add certificate".

11) Click the "Save" button.


SAP BTP Cockpit configuration


Your user has the role Global Account Administrator in the global account that was created when you requested SAP Cloud ALM, and is a member of the subaccount containing your SAP Cloud ALM subscription.

You can verify that you have the necessary authorization by navigating to your global account and checking whether the Security menu is available. If you don't have this role, the global account administrator can assign it to you by following the steps described in Add Members to Your Global Account.

Your user has the role Org Manager in your Cloud Foundry organization.

You can verify that you have the necessary authorization by navigating to your subaccount and choosing Cloud Foundry Org Members. If you don't have this role, the org manager can assign it to you by following the steps described in Add Org Members Using the Cockpit. If Cloud Foundry is not available in the menu, you can enable it by following the steps described in Create Orgs.
Note: If you've requested SAP Cloud ALM, your user has automatically received the required authorizations during the creation of the global account and the subaccount.


Carry out the following steps to enable SAP Cloud ALM API:

Create a Space

1) Open the SAP BTP cockpit.

2) Select the global account that contains your SAP Cloud ALM entitlement, which was created when you requested SAP Cloud ALM.

3 )Under Subaccounts, select the subaccount that contains your SAP Cloud ALM subscription.

4) Choose Cloud Foundry > Spaces.

5) Choose Create Space in case no space available yet.

6) Enter a space name, such as sap_cloud_alm_space, and select the roles that you want to assign to your user for this space. To perform the following steps, your user needs at least Space Developer.

7) Choose Create.

Configure Entitlements

An entitlement is your right to provision and consume a resource.

1) Choose Entitlements and check for Service SAP Cloud ALM API. In case you are already entitled to that service you can move to Create a New Instance.
Note: You can increase your global quota, that is, your maximum allowed consumption of this service plan, in the control center.

2) If the service is missing you can click Configure Entitlements.

Configure Entitlement

3) Choose Add Service Plans.

4) Add the required service plan as follows:

  • Select the entitlement SAP Cloud ALM API.

  • Under Available Plans, check the option standard.

  • Choose Add 1 Service Plan.

Add Service Plan

4) Choose Save.

Create a New Instance

1) Choose Cloud Foundry > Spaces.

2) Select the created or already existing space. You now see the application list of your created space.

3) Choose Services > Instances.

Choose Services - Instances

4) Choose the Create dropdown and click on Service Instance.

Create Service Instance

5) Under Basic Info provide the following details:

  • Service: SAP Cloud ALM API

  • Plan: standard

  • Instance Name: Enter a meaningful name, e.g. CALMFeatureDeployment

Instance Creation

6) Choose Next.

7) When creating a service instance for feature deployment, the following configuration in json format is needed in order to assign the required scopes to the service instance.

  • Paste the following json code into the text editor:

          Source Code
"xs-security": {
"xsappname": "<YourInstanceName>",
"authorities": [

  • In the text editor it should look like this:

Source Code in text editor

  • Replace <YourInstanceName> with your instance name. Make sure it’s not already used in another service Instance and doesn’t contain spaces or special characters.

  • Authorities: Make sure to use exactly the string provided above.

8) Choose Create.

9) When your instance has been created, it's added to the instance list. To show the details of the instance click on the newly created instance.

In the next chapter, you will be guided through the steps for creating a service key, which is later needed to maintain the HTTP destination.

Create a Service Key

The service key allows you to configure the transport management in the managed system so that it can connect to an SAP Cloud ALM API service instance.

1) Choose (Actions) and select Create Service Key.

Create Service Key

2) Enter a name for your service key, such as sap_cloud_alm_key.

3) Choose Create.

4) Next to your newly created service key, choose (Actions) and select View.

View Service Key

5) You can now see your service key in JSON format.

  • The service key is structured in the following way:

    • Endpoints: e.g.,

    • OAuth URL: Service Key parameter

    • Client ID: Service key parameter clientid

    • Client secret: Service key parameter clientsecret

Copy this newly created service key in JSON format to the clipboard because it's needed later in the Maintain HTTP Destination section of this guide.
Caution: Outside of the SAP BTP cockpit, service keys must be stored securely. If you need a service key, create the service key directly in the SAP BTP cockpit, and access it from there whenever you need it.

Configuration in ABAP UI

As prerequisite please make sure that your TMS is configured properly. For SAP S/4HANA Cloud, private edition systems you need to make sure that URL * is enabled on your proxy. Please verify / request it via Service Request.

Required Authorizations

You need to consider two users in the managed ABAP system for the setup. Please note that the authorization steps are only needed for system client 000. For other clients these steps can't be performed.

  • To run transaction /SDF/ALM_SETUP, the user needs the PFCG role SAP_SDF_ALM_SETUP.

  • For a SAP S/4HANA Cloud, private edition system you can request user CUST_TC for client 000. The user is authorized to run the setup transaction.

Note (not relevant for SAP S/4HANA Cloud, private edition system): In role SAP_SDF_ALM_SETUP, you need to maintain the authorization field S_BTCH_NAM > BTCUNAME either with "*" or with the user name of the user you plan to use as data collection background job user.

  • The user you specify as background user, requires the PFCG role SAP_SDF_ALM_METRIC_PUSH_FND and the role SAP_BC_TRANSPORT_ADMINISTRATOR.

  • For SAP S/4HANA Cloud, private edition systems user BATCH_USER can be specified as background user.

Note: Download the latest version of the role SAP_SDF_ALM_METRIC_PUSH_FND from SAP Note 3104662 .

Configuration of PUSH data provider

The configuration of the PUSH data provider must be done in client 000 of all systems involved in the deployment management process, usually in development, test, and production system.

1) Log on to the respective ABAP system client 000.

2) Start transaction /n/SDF/ALM_SETUP.

If you start the transaction the first time, it will look like this:


Perform the following steps:

3) Target SAP Cloud ALM Destination

  • To create a new SAP Cloud ALM Destination, enter a name (e.g. SAP Cloud ALM) and confirm your input with the Enter.

  • To change an existing SAP Cloud ALM destination, select one from the F4 input help and press Enter.

  • By pressing Enter the subsequent fields are filled out automatically.

4) Maintain HTTP Destination

  • Choose Update Destination.

  • Copy the content of the JSON file you've created by following the steps in the Create a Service Key section of this guide. Choose Paste Service Keys and paste it into the text field popup.

Alternatively, you can enter the required fields for SAP Cloud ALM manually:

    • Token Endpoint: Enter the SAP Cloud ALM OAuth URL. Example for an OAuth URL: url + /oauth/token, e.g.

    • Client ID: Enter SAP Cloud ALM client ID.

    • Client Secret: Enter SAP Cloud ALM client secret.

    • Proxy User (if necessary)

    • Proxy Password (if necessary)

    • Proxy Host (if required by your network infrastructure. For SAP S/4HANA Cloud, private edition, enter value: proxy)

    • Proxy Port (if required by your network infrastructure. For SAP S/4HANA Cloud, private edition, enter value: 3128)

  • Choose Continue.

5) Enter Registration Target

  • Enter the target SAP Cloud ALM root URL depending on your region,                                        e.g.

  • Enter the background user you created to perform the data collection.

  • Choose Register to call SAP Cloud ALM and register the system.

  • Choose Continue.

If it’s successful, an LMS ID is retrieved and is displayed.

  • To unregister a system, choose Unregister.

Note: This stops all data collection.

6) Click the Activate usecases button to select the use cases related to SAP Cloud ALM Change & Deployment Management you want to collect and push data for. The push mechanism supports the following use-cases:

  • For the domain controller: Feature Deployment: Read Transport Landscape

  • For development systems: Feature Deployment: Manage Transports

  • All other systems (test or production): Feature Deployment: Import Transports

  • For all development clients: Feature Deployment: Manage Transport per Client (to create and release transport requests from SAP Cloud ALM)

Example for a 3-tier landscape:

  • Transport route: O11~100 --> O12~100 --> O13~100

  • Domain controller: O11

Use case / Client O11 ~000 O11~100 O12~000 O13~000
Feature Deployment: Manage Transport per Client Active
Feature Deployment: Import Transports Active Active
Feature Deployment: Read Transport Landscape Active
Feature Deployment: Manage Transports Active

Activate usecases

Note: In the scheduling column you can define the job scheduling period in minutes. We recommend the following settings:

  • Feature Deployment: Import Transports > Scheduling 5-10

  • Feature Deployment: Read Transport Landscape > Scheduling 10-15

  • Feature Deployment: Manage Transports > Scheduling 1-5

After you've selected the use case, choose Continue.
Further information about activating use cases:

Feature Deployment: Read Transport Landscape

  • Reports the STMS landscape configuration to SAP Cloud ALM.

  • Only necessary to set up on one system per domain (that is preferably the domain controller system).

  • Currently supported landscapes:

    • Landscapes with at least two systems per route (also virtual systems)

    • Landscapes with basic consolidation and/or delivery targets (no target groups, delivery confirmation procedures, workflow-driven transports)

    • Landscapes with client-specific transport routes (CTC, optional)

Feature Deployment: Manage Transports

  • Reports transport requests to SAP Cloud ALM for assignment to features.

  • It’s only necessary to set up on source systems, specifically DEV systems.

Feature Deployment: Import Transports

  • Queries to-be-imported transports from SAP Cloud ALM and triggers the import job.

  • It's only necessary to set up on consolidation and target systems for import (that is, QA and PRD)

7) If everything is set up correctly, it should look like this:

Result screen

Check successful registration in SAP Cloud ALM

In SAP Cloud ALM you can check for the successful registration in the Landscape Management application.

Open the Landscape Management application:

Landscape Management application

Check in the On-Premise Systems section for the recently registered systems:

Systems in Landscape Management


Now you are ready to use Change & Deployment Management in SAP Cloud ALM for SAP S/4HANA and SAP S/4HANA Cloud, private edition. Assign transports to features in order to document your changes properly and move into the direction of continuous feature delivery.

Feature details

Looking forward to receiving feedback. For latest updates and notifications you can follow me by clicking mgysler.