SAP BTP Cloud Integration Automation Service (CIAS)
Cloud Integration Automation Service provides guided workflows to integrate SAP cloud solutions with on-premise and other SAP cloud solutions. It offers both manual task instructions and automated configuration capabilities.
Table of Contents
- •Quick Reference
- •Core Workflows
- •Service Limitations
- •Security Architecture
- •Common Error Patterns
- •Support Channels
- •OAuth2 API Access
- •Data Protection
- •Glossary
- •Task UI Controls Quick Reference
- •Bundled Resources
- •Documentation Sources
Quick Reference
Service Plans
| Plan | Type | Purpose |
|---|---|---|
| Standard | Application | UI access for scenario planning, task monitoring, integration management |
| OAuth2 | Service | API access for programmatic operations (required for ABAP automation) |
Role Collections
| Role | Collection | Capabilities |
|---|---|---|
| Integration Administrator | CIASIntegrationAdministrator | Full access: Plan for Integration, My Inbox, Monitoring; terminate scenarios |
| Integration Expert | CIASIntegrationExpert | My Inbox access; work on assigned tasks |
| Integration Monitor | CIASIntegrationMonitor | Read-only access to Scenario Execution Monitoring |
Supported Regions
AWS: EU10 (Frankfurt), EU11 (Frankfurt EU Access), US10 (Virginia), AP10 (Sydney), JP10 (Tokyo), CA10 (Montreal) Azure: EU20 (Netherlands), CN20 (China North 3) Alibaba: CN40 (Shanghai)
Core Workflows
1. Subscribe to CIAS (Standard Plan)
- •Navigate to SAP BTP Cockpit → Global Account → Subaccount
- •Go to Services → Service Marketplace
- •Filter by "Cloud Integration Automation Service"
- •Click tile → Create → Select Standard plan
- •Confirm creation
- •Access via Instances and Subscriptions → "Go to Application" icon
2. Assign Roles to Users
- •Navigate to Security → Role Collections in subaccount
- •Select role collection (e.g.,
CIASIntegrationAdministrator) - •Click Edit → Users tab
- •Add users by email ID or login user ID
- •Save changes
Multiple users can be assigned per role using comma-separated user IDs.
3. Plan Integration Scenario
- •Access CIAS application from Instances and Subscriptions
- •Open Plan for Integration tile
- •Browse available solutions in Solutions tab
- •Select scenario and scenario option
- •Choose systems for integration (by customer number)
- •Specify:
- •Target subaccount for workflow
- •SAP BTP Workflow Users (must have subaccount access)
- •Transaction name for monitoring
- •Confirm workflow generation
- •Access tasks in My Inbox tile
4. Work with Tasks (My Inbox)
- •Open My Inbox tile (requires Administrator or Expert role)
- •Click Claim to lock task for your user
- •Follow instructions in Task Instructions tab
- •For automation tasks: Configure parameters → Click Execute Step
- •Click Task Completed when done
- •Click Refresh to display next task
- •Repeat until viewing Execution Summary
5. Create Destination for Automation
- •In My Inbox → Confirm System Components task
- •Click Create Destination link
- •Configure:
- •Name: Valid identifier
- •Description: Purpose description
- •URL: Target system host URL
- •Authentication: Method + credentials
- •Type: HTTP (default)
- •Save configuration
Always use HTTPS for secure communication.
6. Monitor Scenario Execution
- •Open Scenario Execution Monitoring tile (requires Administrator or Monitor role)
- •Filter workflows by status: Running, Completed, Canceled
- •View tabs: Task Details, Targets, Roles and Users, Scope, Support Information
- •Use Terminate Execution to remove scenarios permanently
- •Access Logs tab for automation execution details
Service Limitations
- •Maximum 15 active workflows per subaccount
- •No self-service data deletion (submit ticket to component
BC-INS-CIT-RT) - •Logs retained for 90 days
- •OAuth2 certificate maximum validity: 1 year
- •Execution scope cannot be changed after confirmation
- •Destination cannot be changed if already used in automation task
- •Supported browsers: Google Chrome, Microsoft Edge (Chromium), Mozilla Firefox, Apple Safari (macOS)
Security Architecture
CIAS comprises six core components:
- •Runtime: Backbone framework rendering integration tasks
- •Planning: UI for planning integration scenarios
- •Inbox: UI for end-user task access
- •Monitoring: UI for scenario implementation monitoring
- •Managed System: System configured during integration
- •Automation Runtime: Calls configuration APIs of managed systems
Security features:
- •Role-based access via SAP BTP authorization framework
- •XSRF protection for backend connectivity calls
- •Identity provider integration (SAML assertion Name ID attribute supported)
- •Credentials stored in Credential Store service (inaccessible to external parties)
Common Error Patterns
Empty Destination Dropdown
Symptom: Destination dropdown shows no options during task execution.
Cause: No destinations exist matching the tenant's Host Base URL.
Solution:
- •Create destination manually following Destination Creation steps
- •Ensure destination URL matches tenant Host Base URL exactly
- •Refresh the dropdown after creation
Workflow Conflict Lock
Symptom: Cannot proceed with task; execution lock activated.
Cause: Multiple integration workflows exist with identical system components.
Solutions:
- •Proceed: Continue without resolving (manual resolution later)
- •Terminate: End selected conflicting instances
- •Terminate Current Instance: Stop active workflow only
- •Cancel: Halt operation entirely
Application Access Denied After IdP Change
Symptom: Users cannot access CIAS application after identity provider change.
Cause: Users not managed by newly configured identity provider.
Solution:
- •Add users to new identity provider
- •Reassign role collections in subaccount Security settings
- •Verify user IDs exist in configured IdP
Task Marked as Reserved
Symptom: Cannot claim task; shows "Reserved" status.
Cause: Another assigned user has already claimed the task.
Solution: Coordinate with team; only one user can work on claimed task at a time.
Support Channels
| Issue Type | Component | Action |
|---|---|---|
| General CIAS support | BC-INS-CIT-RT | Create support ticket |
| Manual task instructions | Check Support Information tab | Submit incident to listed component |
| Data deletion request | BC-INS-CIT-RT | Include email ID and subaccount name |
| Service availability | Consumer account | Check Service Availability feature |
OAuth2 API Access
For programmatic access (required for ABAP automation):
- •Navigate to subaccount → Services → Service Marketplace
- •Select Cloud Integration Automation Service → Create
- •Choose OAuth2 plan
- •Select runtime: "Other" or "Cloud Foundry"
- •Provide instance name → Create
Create Service Key (for API calls)
With mTLS (Certificate):
{
"xsuaa": {
"credential-type": "x509",
"x509": {
"key-length": 2048,
"validity": 365,
"validity-type": "DAYS"
}
}
}
Without Certificate: Create with name only.
Use generated client ID and client secret to create OAuth JWT token for API authentication.
Data Protection
- •Email IDs and subaccount names stored in service database
- •System/tenant selection data preserved for workflow execution
- •Logs do not store user-related personal data
- •Audit logs follow SAP BTP Audit Log retention policy
- •Sensitive data stored in Credential Store service
Glossary
| Term | Definition |
|---|---|
| Personal Data | Any information relating to identified/identifiable natural person |
| Sensitive Personal Data | Racial/ethnic origin, political opinions, religious beliefs, genetic/biometric data |
| Residence Period | Time between business end and end-of-purpose when data remains accessible |
| Retention Period | Time from last business activity through data deletion |
| Blocking | Restricting access to data whose primary business purpose has ended |
Task UI Controls Quick Reference
Automation Task Controls
| Control | Function |
|---|---|
| Refresh | Update automation statuses |
| Expand All | Show all parameter panels |
| Collapse All | Hide all parameter panels |
| Show/Hide Read-Only Parameters | Toggle read-only visibility |
| Save Parameters | Preserve current values |
| Logs | View execution records |
| Information | Parameter descriptions |
| Execute Step | Run automation (async) |
Error Recovery
After automation failure:
- •Only Failed Automations - Retry failed steps only
- •All Automations - Retry entire sequence
Bundled Resources
Reference Files
- •
references/setup-guide.md- Complete subscription, OAuth2, and destination configuration procedures - •
references/security-guide.md- Security architecture, identity provider configuration, and role management - •
references/integration-scenarios.md- Full list of 100+ supported integration scenarios with codes (1M1, 22K, 4A1, etc.) - •
references/troubleshooting.md- Detailed error resolution procedures and common issues - •
references/maintenance-planner.md- Maintenance Planner integration guide and workflow invocation - •
references/task-ui-guide.md- Complete task UI controls, tabs, behaviors, and automation steps - •
references/whats-new.md- Complete release notes from 2021-2025 with feature updates
Template Files
- •
templates/destination-config.md- Destination configuration templates by target system type - •
templates/role-assignment.md- Role assignment procedures and checklists for different scenarios
Documentation Sources
Primary:
- •GitHub: https://github.com/SAP-docs/btp-cloud-integration-automation-service/tree/main/docs
- •SAP Help Portal: https://help.sap.com/docs/cloud-integration-automation-service
Related:
- •Maintenance Planner: https://maintenanceplanner.cfapps.eu10.hana.ondemand.com
- •Credential Store: https://help.sap.com/viewer/601525c6e5604e4192451d5e7328fa3c/Cloud/en-US/02e8f7d1016740b8adf68690f36df142.html
- •SAP BTP Destinations: https://help.sap.com/docs/btp/sap-business-technology-platform/destination