Administration Guide SAP Mobile Documents 1.0 SP06 Document Version: PUBLIC. SAP Mobile Documents

Transcription

1 Administration Guide 1.0 SP06 Document Version: PUBLIC

2 Content What's New in 1.0 (Release Notes) Support Package 00, Patch Support Package Support Package 01 - Documentation Corrections Support Package 01 - Documentation Corrections (2)....8 Support Package 01 - Documentation Corrections (3)....9 Support Package 01 - Documentation Correction (4) Support Package Support Package 02 - Documentation Corrections Support Package Support Package 03 - Documentation Corrections Support Package 03 - Patch Support Package Support Package Support Package Master Guide Target Audience Glossary Important SAP Notes Architecture Limitations Installation and Update Installing and Updating the Server Installing the KM Connector Installing and Updating Desktop Apps Installing and Updating the Desktop App for Windows Installing and Updating the Desktop App for OS X Rolling Out Mobile Apps Using SAP Afaria Configuration Connecting Repositories Creating a Knowledge Management Repository Authentication Scenarios SAP SE or an SAP affiliate company. All rights reserved. Content

3 Maintaining Repository Destinations Configuring Repositories Assigning UME Roles to Users Displaying User Information Configuring the Server and App Settings Configuring the General Settings Configuring the Additional Settings Configuring the Web App Branding Configuring the ios App Settings Configuring the Android App Settings Configuring the Desktop App Settings Configuring the Outlook Add-In Settings Configuring the Windows Mobile App Settings Configuring the Shared Documents Settings Steps to Configure Notification Mails Using Your Own Icons for File Types Configuring the SAP NetWeaver Application Server for Java Settings Enabling File Sizes Over 100 MB Activating Response Compression Enabling Certificate Authentication on the Desktop App Configuring the Mail Server Scheduling KM Quota Consistency Reports Document Classification Security Policies Supporting the Use of a Reverse Proxy Security Before You Start Authentication and Authorizations Session Security Protection Network and Communication Security Recommendations on Network and Firewall Used URL Endpoints Separation of User and Admin Interfaces Security Aspects of Data, Data Flow, and Processes Data Storage Security Document Classification and Security Policies Operation Monitoring with Usage Statistics Logging and Tracing Viewing Logs Content 2016 SAP SE or an SAP affiliate company. All rights reserved. 3

4 Configuring Logging Monitoring with CA Wily Introscope Backup and Restore Troubleshooting Performance and Capacity Benchmarks Developer's Guides Developing Clients Architecture CMIS Open Standard CMIS Enhancements for REST API URLs for App-to-App Integration of Connecting Your ABAP Back End as a Content Source ABAP Connector Implementing the ABAP Connector CMIS Extension for Search Appendix Supported CMIS 1.1 Features CMIS Extensions Open Source Licenses Apache License, Version Creative Commons License Eclipse License Hypersonic SQL License Mozilla Public License Version The BSD 3-Clause License The MIT License (MIT) REFCONT: URLs for App-to-App Integration SAP SE or an SAP affiliate company. All rights reserved. Content

5 1 is a solution that securely puts critical business documents in the palm of your hand. It gives users anytime, anywhere access to view, edit, and collaborate on corporate and personal documents. It protects your content in easy-to-use native applications. You can run it on the following: Microsoft Windows Apple Mac OS Apple ipad and Apple iphone Android HTML5-enabled browsers Windows Phone and Windows tablet is designed from the ground up to meet the needs of both users and enterprise IT, and reduces corporate risk, ensures compliance, and provides must-have access to content for greater productivity, increased efficiency, and improved operations. In addition, uses industry standard CMIS to ensure broad interoperability with document management systems like Knowledge Management, Microsoft SharePoint, or Alfresco. Therefore, it extends the reach of your documentation management system (DMS) to your mobile workforce. is SAP's solution for mobile content management, running on SAP HANA Cloud Platform as an on-demand offering or installed in your customer environment using SAP NetWeaver Application Server for Java as a platform SAP SE or an SAP affiliate company. All rights reserved. 5

6 2 What's New in 1.0 (Release Notes) The release note gives you an overview of the new features and functions in the on-premise version of the SAP Mobile Documents Support Package 00, Patch 1 The release note gives you an overview of changes and enhancements in release 1.0 SP 00 Patch 1 of the onpremise version for. Table 1: Function Type of Change Description Rebranding New SAP NetWeaver Cloud is now part of SAP HANA Cloud. The documentation now reflects this rebranding. List of PAM links New Added direct links to all Product Availability Maps for. Root URI configuration New Configuration of Root URI is now reflected in the ipad. See SAP Note Support Package 01 This Support Package for the on-premise version of comprises changes and improvements to the Web user interface as well as for the desktop app, and the SAP Mobile Documents ios apps. In addition, we deliver the all new Android app. New Features that Affect All Apps New wizards guide the users through the publishing workflow. Security policies based on document classification now support you in protecting confidential data, as you can disable dedicated actions on the different apps. The administrator defines security levels for each repository and the documents contained in the respective repository inherit the security classification. In addition to this security classification, the administrator selects security policies that enable or disable certain actions for classified documents, for example, the publish action. Quotas per user: If the PUBLISHED DOCUMENTS repository resides in the cloud, administrators can define the space size for uploads to the cloud to limit cost. Administrators can set and modify the default user quotas, including the warning level at which the users get a notification, that they almost used up their space SAP SE or an SAP affiliate company. All rights reserved. What's New in 1.0 (Release Notes)

7 The administrator can also set and modify the quotas for single users (cloud-only) to allow exceptions and enable them to still work even if the usually allocated space is used up. Usage statistics are displayed in an analyst section added to the administration UI that is available for users having the analyst role. This new screen area supplies general statistics as well as statistics on usage data on repositories and apps during a defined period of time. Additional security measures for the anonymous access to published folders: An additional protection measure was implemented to prevent guessing the share password using brute-force attacks (throttling of log on attempts). Administrators can configure additional app settings in the form name=property in the text field so that they are transmitted to the related apps in the same form as the specific defined properties. The PUBLISHED DOCUMENTS repository is now also configurable for an on-premise only installation. Administrators can configure additional connections and repositories (on-premise connectivity) for the cloud version of. A new log on page for the on-premise SAP Identity Management is available. The following terms changed: External Sharing Publishing PUBLIC DOCUMENTS repository PUBLISHED DOCUMENTS repository Web User Interface In addition to some small improvements, the Web application has the following new features: Users can upload documents or folders in asynchronous mode from the Mobile Docs folder in the browser (not Microsoft Internet Explorer) to other repositories, for example, to the MY DOCUMENTS or PUBLISHED DOCUMENTS repositories, using drag and drop or copy and paste. This function is also available in the anonymous sharing UI that the recipients of the user s shared link access. Thanks to the asynchronous handling of the delete, upload, copy, move, create, and publish operations, long lasting operations no longer interfere with other tasks users execute in the web UI. The users receive notifications, for example, about file uploads or file deletions. By double-clicking these notifications, the users can display a detailed progress view where the users could also cancel the action. Desktop App The updated desktop app delivers the following features: Enhanced proxy handling and proxy determination, including a proxy auto-detection mode. Users can log on to the app using their X.509 client certificate instead of submitting their user name and password. Users can optimize the bandwidth used for uploading or downloading large documents. This enables the users to simultaneously work on other tasks. On the Mac OS app, deleted files are now moved to the recycle bin, if the recycle bin is enabled. In addition, the Remember Password and the Enable Autostart functions are now also available. What's New in 1.0 (Release Notes) 2016 SAP SE or an SAP affiliate company. All rights reserved. 7

8 Mobile Apps The user interfaces for the ios apps were redesigned, and the iphone is now also supported. You can use custom theming for branding on the ios apps. The presentation mode for the ipad, which enables users to present PDFs on external devices, was redesigned for better user interaction. The new Android app is available through Google Play. It offers similar features as the ios app. In addition, the SD card is supported. If the user switches to or from an SD card for storage, the cached and synced documents are moved between the two, instead of requiring a re-download Support Package 01 - Documentation Corrections The documentation was updated and enhanced. Table 2: Function Type of Change Description Single sign-on for desktop app users. New Enabling Certificate Authentication on the Desktop App [page 92] states that the SAP NetWeaver Application Server for Java must be set-up to support single sign-on. Upgrading the server and app components. New Installation and Upate [page 28] now includes update information Support Package 01 - Documentation Corrections (2) The documentation was updated and enhanced. Table 3: Function Type of Change Description Updated Table of supported CMIS features updated SAP SE or an SAP affiliate company. All rights reserved. What's New in 1.0 (Release Notes)

9 2.2.3 Support Package 01 - Documentation Corrections (3) The documentation was updated and enhanced. Table 4: Function Type of Change Description Updated Updated the document to reflect the fact that you can now use the PUBLISHED DOCUMENTS repositories in on-premise scenarios. For more information, see Configuring the PUBLISHED DOCUMENTS Repository with On-Premise System [page 50]. Updated Renamed entry point of the Developer's Guide [page 115], moved it up in the structure Support Package 01 - Documentation Correction (4) The documentation was updated and enhanced. Table 5: Function Type of Change Description Updated Added full download path for installing the server component. For more information, see Installing and Updating the SAP Mobile Documents Server [page 28]. Documentation of automatic configuration for SAP Mobile Documents ios clients using Afaria. New Added documentation on how to configure ios clients using Afaria. For more information, see Integrating Afaria [page 35]. What's New in 1.0 (Release Notes) 2016 SAP SE or an SAP affiliate company. All rights reserved. 9

10 2.3 Support Package 02 This Support Package for the on-premise version of comprises changes and improvements to the Web user interface as well as to the desktop app, and the SAP Mobile Documents mobile apps. New Features Affecting All Apps New Sharing Concept In SP02 there is a new concept for sharing files and folders with other users. Users can still create a public link to a folder (share), and send this link to recipients who may not have installed. In addition, users can now create a share and add named users (members) who have installed SAP Mobile Documents and who are assigned to roles for this share (administrator, contributor, and reader). To inform these members about updates on the share, you can use an internal link that is created automatically and included in a mail if you choose the Mail to Members option. This change is also reflected in the terminology: "Public Folders" and "Publish" are now only used if an app connects to a server 1 SP01. For with SP02 components only, the new terms are "Share" instead of "Published Folder", "Share" instead of "Publish" (the action), and "Shared Documents" instead of "Published Documents". Note If you have used Published Documents in a prior release, existing public folders have been migrated to be compatible with the new sharing solution. Users can find their existing public folders in a special share called Migrated Public Folders and all the public folder settings, including the public URL, are still valid. For more information, see the Sharing Files sections in the User Guide. Web App A redesign of the Web app is available with a mobile-compliant, SAP Fiori-like user interface, including a loading indicator and breadcrumbs. Access to Corporate Documents repositories. New sharing process. The Web app displays up to 50,000 files per folder. If your folder contains more files than this, you can view them using the desktop app. Desktop App Notification on Failed Upload Due to Virus Infection If an upload fails because the file to be uploaded is infected with a virus, the user receives a notification SAP SE or an SAP affiliate company. All rights reserved. What's New in 1.0 (Release Notes)

11 Real Time Update of Notification Window Even if the Notifications window is open, the list of notifications is updated automatically with new notifications. Corporate Content Folder Available in Mobile Docs Folder Users can view documents from corporate repositories (for example, Microsoft SharePoint and Knowledge Management) in the Mobile Docs folder of the desktop app. Users can configure the synchronization of these corporate documents. New Icons to Indicate Synchronization Status: No icon: The file or folder is not yet synchronized. Blue arrow: The file or folder is currently being synchronized. Green arrow: The file or folder has been synchronized but might not be up to date if you are in offline mode. The Mobile Docs folder is now listed under Favorites in Microsoft Explorer or Mac Finder. Selective Sync Users can now choose which folders they want to keep in sync. Only the My Documents folder is always synchronized. A new Microsoft Outlook add-in for the desktop app is available for Microsoft Windows. For more information, see Sending Mail Attachments Using the Microsoft Outlook Add-In in the User Guide. Mobile Apps New Icons to Indicate Synchronization Status: No icon: The file or folder is not yet synchronized. Green arrow on white: The file or folder is currently being synchronized. White arrow on green: The file or folder is already synchronized. Resume Download If the synchronization of documents is interrupted because the app stops, the downloads are paused. When the app starts again, the downloads can be resumed manually. This feature saves the user a lot of time and bandwidth because the download does not have to start from the beginning each time. Cancel Upload On ios apps, you can cancel the file upload. This is currently not possible on Android apps. Sync over Cellular Network For more information, see the Synchronizing Documents Automatically section of the User Guide on the Help Portal. Better Branding of UI Texts The Setting screen is branded with standard fonts in the app. If the user changes the global setting for fonts in the device-level settings, is not affected, and standard fonts are applied to ensure a standard look and feel of the app. The branding is not applied to context menu actions and pop-up display lists. Saving Files in Users can open a file from any application using and save this file to any SAP Mobile Documents folder for which they have write permission. Add or Delete Folders Users can create new folders in the My Documents, Company Documents, and Shared Documents folders. Users can also delete folders from these folders. What's New in 1.0 (Release Notes) 2016 SAP SE or an SAP affiliate company. All rights reserved. 11

12 Users can rename folders and files. For more information, see the Working with Selected Files in the Documents List section of the User Guide on the Help Portal. In the My Documents and the Shared Documents folders, the Add action is displayed for documents lists. Improvements for Pictures The document list features thumbnails for PDF files, pictures, and movies (only Apple Quicktime videos) for files that have been downloaded to the device or that are available on the device. Pictures in fullscreen mode can be browsed using swipe gestures. You can import photos, take photos, and use photos. On ios only, the documents list can be sorted by name, type, date, and size. The presentation mode is now available on iphones. Android-Only Features: The Open, Publish, and actions are displayed in the action bar on selection of the relevant folders or files. Users can start the Android app using a mail link with the following format: mobiledocs://<link>. Related Information User Guide Support Package 02 - Documentation Corrections An overview of the most important document changes of the master guide. Table 6: Function Type of Change Description Changed Restructured the opening topics. New Added information that SAP NetWeaver 7.4 is compatible with SP02. Changed Updated information on SSOExt in Architecture [page 24]. Changed Enhanced list of SAP notes to include the notes on the server, dektop, and app patches. See Important SAP Notes [page 24]. Changed Added caution in Installing the KM Connector [page 30]. Changed Added information on using DBFS in: Creating a Knowledge Management Repository [page 38] Configuring the My Documents Repository [page 49] Configuring the Shared Documents Repository [page 50] SAP SE or an SAP affiliate company. All rights reserved. What's New in 1.0 (Release Notes)

13 2.4 Support Package 03 This Support Package for the on-premise version of comprises changes and improvements to the Web user interface as well as to the desktop app, and the SAP Mobile Documents mobile apps. New Features Affecting All Apps URL Scheme You can build URLs that perform actions in the app and that can be used for app-toapp integration or as links in s. For more information, see URLs for App-to-App Integration of [page 136]. ABAP Connector The ABAP connector enables ABAP applications to expose a CMIS interface to SAP Mobile Documents. Any CMIS client can use the server to view or update content stored and/or managed in an ABAP system. For more information, see Connecting Your ABAP Back End as a Content Source [page 144]. Pushing Content to Devices Content managers and administrators can collaborate to synchronize content to a user's device or to the devices of a role-based subset of users. This is to ensure that the pushed content is available to all intended recipients in your company independently of the individual user's sync settings. For more information, see Configuring Corporate Documents Repositories. Content Search You can search for content by keywords in any repository and browse the search results quickly and easily. For more information, see Searching for Content or Searching for Files and Folders in the User Guide. Viewing Properties You can view the properties of a file or a folder. For more information, see the Viewing Properties of Files and Folders sections in the User Guide. New language versions available The desktop app is now available in 11 languages, the latest of which is Norwegian. For more information, see the Configuring section in the Desktop Application How-Tos of the User Guide. Suppress the My Documents Repository The administrator can disable the My Documents repository so that end users do not have a My Documents folder. For more information, see Configuring Corporate Documents Repositories [page 52]. Desktop App Using the Microsoft Outlook Add-In you can restrict access to a newly created mail attachment share to the recipients of the mail. In the Mobile Docs Preferences window, the Validity field was renamed to Expires In. For more information, see Sending Mail Attachments Using the Microsoft Outlook Add-In in the User Guide. You can display any file or folder available in your Mobile Docs folder in the Web app. For more information, see Open File or Folder in Web App in the User Guide. What's New in 1.0 (Release Notes) 2016 SAP SE or an SAP affiliate company. All rights reserved. 13

14 The notification that users receive if their desktop app version is lower than the one defined by the administrator can now contain a download link set by the administrator. For more information, see Configuring the Desktop App Settings [page 72]. You can choose a location for your Mobile Docs folder other than the default location. For more information, see Configuring in the User Guide. You can now set a separate synchronization interval for the Shared Documents and the Corporate Documents repositories. For more information, see the Configuring section in the Desktop Application How-Tos of the User Guide. You can display the last 50 files and folders that have been synchronized to your desktop app. For more information, see Displaying Recently Synchronized Files and Folders in the User Guide. You can delete folders once they are deselected for auto-sync. There is a dedicated tray icon ( ) that indicates that the user has logged off. Web App Invitations to Shares Administrators and contributors of a share can invite other users to become share members. If new users who have never logged on to before are invited to a share, they are displayed in the members list of the share as pending users until they log on to for the first time. You can also set up an invitation notification process that automatically sends mail notifications to the newly added members of a share. For more information, see Steps to Configure Notification Mails [page 82] and Receiving an Invitation to a Share in the User Guide. You can remove your own name from a share to which you have been invited. For more information, see Receiving an Invitation to a Share in the User Guide. Versioning of Files You can create new versions of a file, access previous versions, delete any of the versions stored, and restore a previous version of a file. This allows you to track the file history and development of the final version. For more information, see Versioning of Files in the User Guide. ZIP files download You can now download ZIP files using the Web app. For more information, see Downloading Folders in the User Guide. Adding a Public Link to a Share You can create a public link for an existing share. For more information, see Adding a Public Link to a Share in the User Guide. Mobile Apps Enhanced sorting criteria for the mobile apps. During the installation of the mobile app, the setting of the passcode can be postponed using Skip or Skip for Now. For the Pushed Documents repository, the number of unread files is displayed next to the repository. A dot marks unread files that have been pushed to the mobile device SAP SE or an SAP affiliate company. All rights reserved. What's New in 1.0 (Release Notes)

15 The SAP Learning Content format is now supported. The learning contents comprises movies with the file extension.slc and can now be opened from the Documents List. For more information, see Working with Selected Files in the Documents List in the User Guide. ios: New navigation using the breadcrumb feature: A long tap on the breadcrumb opens a list of parent folders to which the user can then switch. For more information, see Navigating Using Breadcrumbs in the User Guide. ios: You can use the new help menu ( ) to start the Help Page that your administrator has configured or send a request for support by mail with an attached log file to a preset mail address. Android: When a user selects a client certificate, the certificate is picked from the Android KeyStore. Hence the manual import is not required. Android also supports fetching the user id and server URL from the configuration on the server. Android: If you select one or more files or folders, a Done action is shown, where you can deselect these items again. Android: In the documents list, a long tap on a file or folder selects this item and the actions bar shows the respective actions. Android: In Synced Documents, the actions for selected files and folders are shown. Android: There is background synchronization for new devices that need to download a large number of files and folders. The app does not time out during this synchronization Support Package 03 - Documentation Corrections The following corrections have been made to the SP03 version of this guide. Table 7: Document Version Change 1.0 Added the specification for the CMIS extension for search to the Developer's Guides. For more information, see CMIS Extension for Search [page 158]. 1.1 Updated the links to the Product Availability Matrix. 1.1 Updated the links to the download center. 2.0 Added virus scan information to the security guide Support Package 03 - Patch 01 The following corrections have been made to the SP03 version of. The Modern UI of the desktop app presents the files and folders that the desktop app synchronizes in a more touch-friendly way. The UI is available for Intel-based tablets running on Microsoft Windows 8.1 on which the desktop app is installed. For more information, see Installing the Desktop App Modern UI [page 34] in this guide and Modern UI How- Tos in the User Guide. The steps for rolling out Android apps using SAP Afaria have been updated. For more information, see Rolling Out Mobile Apps Using SAP Afaria [page 35]. What's New in 1.0 (Release Notes) 2016 SAP SE or an SAP affiliate company. All rights reserved. 15

16 2.5 Support Package 04 This support package of comprises changes and improvements to the Web user interface as well as to the desktop app and the mobile apps. Features that are available for only one deployment option are marked accordingly. New Features Affecting All Apps The Web app and the Microsoft Outlook Add-In offer a simplified sharing workflow. For more information, see Sharing Files (Web app) and Sharing Files (Outlook Add-In) in the User Guide. To optimize content distribution, administrators can select public shares to be cached on a Content Delivery Network (CDN). Users get the files from the CDN servers instead of from the server directly. For more information, see Configuring the CDN Access Settings for Shared Documents [page 80]. For the cloud version, there is a new corporate repository type Local Repository Connection to create repositories in the SAP HANA Cloud Platform document service. The subfolders of these repositories use the document service permissions for granting the users access to the files and folders. Permissions for these repositories can be managed directly in the Web app. For more information, see Managing Folders in Document Service Repositories [page 55]. The ABAP connector now fully supports the CMIS 1.1 interface. For more information, see Supported CMIS 1.1 Features [page 160]. For on-premise, the KM connector has an improved TREX search and support quota. For more information, see Scheduling KM Quota Consistency Reports [page 93] The Web app, the Microsoft Outlook Add-In, and the Android app now also support branding. For more information, see Configuring the Web App Branding [page 63] and Configuring the Android App Theming [page 71]. All apps are available in additional languages: Canadian French Chinese (traditional) Colombian Spanish Italian Korean Romanian Russian Thai Turkish The following terms have been updated. Table 8: Terminology Changes Old Term anonymous user Edit Offline, Create Version New Term guest Check Out, Check In SAP SE or an SAP affiliate company. All rights reserved. What's New in 1.0 (Release Notes)

17 Desktop App When connected to an on-premise server, the desktop app displays user names instead of user IDs, for example, on the Recently Changed Documents screen. The Selective Sync option is now directly accessible from the context menu of the tray icon. The desktop app supports pushed content to ensure that the user automatically receives documents provided by the content administrator. The Pushed Documents folders are available on the corporate repository level and are displayed on the Selective Sync screen. For more information, see Synchronizing Selected Folders in the User Guide. Users can indicate the number of log files they want to keep before the oldest log file is deleted. For more information, see Configuring in the User Guide. The Microsoft Outlook Add-in for the desktop app has a new and improved workflow with a redesigned user and administration interface. For more information, see Sending Mail Attachments Using the Microsoft Outlook Add-In in the User Guide and Configuring the Outlook Add-In Settings [page 75]. The performance of the desktop app has been enhanced using technical improvements and updates. Web App For the Web app and the sharing UI, administrators can now configure links to a copyright page and a privacy page. For more information, see Configuring the General Settings in the User Guide. Users can now upload more than one file using the upload dialog. For more information, see Uploading and Downloading Files in the User Guide. Users can now remove themselves from shares they have been invited to by using the Unsubscribe action. If users add a public link to shares that were formerly restricted to share members, only the public link is displayed. There is a preview available for certain file types, for example, JPG, PDF, and text files. Clicking the file names opens the preview instead of downloading them. For more information, see Uploading and Downloading Files in the User Guide. Users only need to hover over the line of a file or folder in the documents list to display the properties icon ( ). They no longer have to select the file or folder. Users can now view the properties of files, folders, and shares and also edit basic properties. For more information, see Viewing and Editing Properties of Files, Folders, and Shares in the User Guide. Users can create and edit text files. For more information, see Creating and Editing Text Files in the User Guide. The search has been improved, for example, the three character restriction for an entry in the search field has been removed. The share owner's display name is shown in the documents list and you can use it as a sort criterion. For on-premise, the Web app displays a thumbnail view for files, if the back-end repository supports thumbnails and has the thumbnails feature activated. There are technical improvements and updates, for example, the high contrast black theme. What's New in 1.0 (Release Notes) 2016 SAP SE or an SAP affiliate company. All rights reserved. 17

18 Mobile Apps The read all feature ( ) has been updated for Android and ios with the option to deactivate (and reactivate) the confirmation dialog. Depending on the server configuration, users can now log on using the OAuth logon method. Users can edit additional properties for documents and folders. For more information, see Viewing and Editing Properties of Files and Folders in the User Guide. Android App ios App Users can refresh the list of files and folders on any screen by pulling it down. The Android app displays user names instead of user IDs when connected to an on-premise server. Users have quick access to the most common actions. There is a new executive mode with a clear, simplified user interface. For more information, see Starting and Using Executive Mode for ios in the User Guide. Users can annotate PDF files. For more information, see Editing PDF Files on ios in the User Guide. Users can create and edit text files. For more information, see Adding and Deleting Files and Folders in the User Guide. Users can upload multiple files, photos, or videos. If some files were already imported, you can decide to overwrite the existing ones. There is native support for iphone 6 and iphone 6 Plus devices. There is a new icon indicating the connection status of the ipad app and running synchronization tasks. For more information, see Checking the App Connection Status (ipad) in the User Guide. 2.6 Support Package 05 This support package of comprises changes and improvements to the Web user interface as well as to the desktop app and the mobile apps. Features that are available for only one deployment option are marked accordingly. Web App For the cloud edition, there is now a repository-specific recycle bin with which users can restore files and folders that were deleted. For more information, see Using the Recycle Bin in the User Guide and administration guide. When a user has opened a share, there is a new Share Details button available to change the share settings. For shares for members, there is a new Addresses button available that displays all addresses of the share members. Every share member can copy the addresses and insert them in the address field of a mail containing the link to a share. UI5 no longer supports Internet Explorer 8. Therefore, you have to use a modern browser, for example, Internet Explorer 9 or higher, or Chrome, or Firefox SAP SE or an SAP affiliate company. All rights reserved. What's New in 1.0 (Release Notes)

19 Mobile Apps ios App Swipe actions have been implemented for the most commonly used actions. For more information, see Working with Selected Files in the Documents List in the User Guide. Users can now access files from other applications supporting Apple s Document Provider extension to open files and save them back in. Users are able to import documents directly to SAP Mobile Documents from other applications supporting Apple s Document Picker. For more information, see Open Files From Outside of in the User Guide and Activating the Repository Recycle Bin in the administration guide. Users can now use the Apple Watch to control the presentations. For more information, see Presenting PDF Files on ios in the User Guide. Android App The stability has been improved. Custom metadata properties of type URI are displayed as clickable links. Users can enable logs before logging on to the app for first time. Users can create folders while saving one or more files in the Android app. For more information, see Sharing Files in the User Guide. Desktop App The performance and stability of the desktop app have been improved. Users can now log on using OAuth. For more information, see Installing the Desktop App for Microsoft Windows and Installing the Desktop App for Mac OS in the User Guide. The logon user interface has been redesigned. Windows Native App This is a completely new app for on Windows phones and Windows tablets. For more information, see Installing the Microsoft Windows App and Microsoft Windows Application How-Tos in the User Guide. What's New in 1.0 (Release Notes) 2016 SAP SE or an SAP affiliate company. All rights reserved. 19

20 2.7 Support Package 06 Admin App Administrators can now choose whether to enable user quota or not. For more information, see Configuring the General Settings [page 60]. Web App Applications can use MIME type mapping to provide their own icons for the files they want to expose to SAP Mobile Documents. For more information, see Using Your Own Icons for File Types [page 85]. You can configure a display text for a group of custom properties. For more information, see Custom Groups in Properties [page 147]. Administrators can view the up-to-date usage of an individual user with the Recalculate Usage button in the administrators user interface. For more information, see Displaying User Information [page 58]. In the browser and in the sharing UI, users can download multiple files and folders as a ZIP file. For more information, see Downloading Files and Folders in the User Guide. Desktop App Users can easily download the desktop app. The URL for the download is specified by the administrator. For more information, see Downloading Files and Folders and Configuring the Desktop App Settings in the User Guide. Performance has been optimized by improving the sync logic to reduce the number of calls made to the server. ios App You can configure a display text for a group of custom properties. For more information, see Custom Groups in Properties [page 147]. Applications can use MIME type mapping to provide their own icons for the documents they expose to SAP Mobile Documents. For more information, see Using Your Own Icons for File Types [page 85]. Users can unlock the app using a fingerprint instead of specifying a passcode SAP SE or an SAP affiliate company. All rights reserved. What's New in 1.0 (Release Notes)

21 For more information, see Installing the ipad or the iphone App and Defining the App Settings under Touch ID in the User Guide as well as Configuring the Security Settings and Security Policies for ios [page 66]. Queueing is now optimized for downloads that the user has triggered. Android App On their Android devices, users can switch to different accounts on the same server or a different server without having to use the function Reset App. For more information, see Account and Defining the App Settings in the User Guide. A user can now open files located in directly in external editors and, after modifying them, save them back to. For more information, see Editing Files From External Editors in the User Guide. Windows Native App Documents on the device are stored in encrypted format. The files that a user opens are stored in a cache. The administrator specifies the amount of space on the device that is used for this purpose. For more information, see Configuring the Windows Mobile App Settings in the User Guide. What's New in 1.0 (Release Notes) 2016 SAP SE or an SAP affiliate company. All rights reserved. 21

22 3 Master Guide The Master Guide is the central starting point for the technical implementation of SAP Mobile Documents on SAP NetWeaver Application Server 7.3, SAP NetWeaver Application Server 7.3 including enhancement package 1 (EHP 1) and higher, as well as SAP NetWeaver Application Server 7.4. It provides you with information about the overall installation and configuration process, and refers you to the required detailed documentation and SAP Notes. Caution Before you start the installation, check that you have the latest version of this document. Related Information Target Audience [page 22] Glossary [page 22] Important SAP Notes [page 24] Architecture [page 24] 3.1 Target Audience The Master Guide addresses system administrators and technology consultants who install, configure, maintain, and work with on SAP NetWeaver Application Server 7.3 and SAP NetWeaver Application Server 7.3 including enhancement package 1 (EHP 1) and higher, as well as SAP NetWeaver Application Server Glossary Some of the central terms used in are defined below. Table 9: Glossary for Term app passcode Definition Secures the application on mobile devices SAP SE or an SAP affiliate company. All rights reserved. Master Guide

23 Term Content Management Interoperability Services (CMIS) Corporate Documents executive mode mail assets My Documents password Definition OASIS standard that works towards enabling interoperability between content management systems. Repository containing company documents and non-private documents of the user. The user does not own these documents. Executive mode provides a clear, minimized user interface and only shared content. The resources used to configure the mail notifications for new share members in SAP Mobile Documents. The administrator uploads the configuration files, mail templates, and so on. Repository containing the user-specific folder with the user's private documents. Secures the user data on the server. Used for basic authentication. Different passwords are used to secure the access to the link that users create to enable others to access their share. public link Pushed Documents app server share share Shared Documents Sharing UI sync theme assets user quota A link that can be applied to a share. The link makes the share available to anonymous users. Repository that contains files and folders that are automatically synchronized to the user's apps. Administrators can restrict access to this repository to users who are assigned a specific role. Application for accessing and sharing your documents and corporate documents on mobile devices, laptops, and desktops. Native mobile application, running on Microsoft Windows, Apple MAC OS, Apple ipad, Apple iphone, Android, Windows Phone and tablet, and on HTML5-enabled browsers. Server component running on SAP NetWeaver AS for Java. It grants unified access to repositories. To make documents available to other users. The root folder that is used for collaboration with other users. It can contain folders and files. Users can create any number of shares (until their quota is used up). Repository containing the shared documents and folders of a user. User interface to which the recipient of the link to the published documents is taken. The recipient does not need to be a registered user of. Function for synchronizing documents between the server and the app. This function stores the documents on the respective device and keeps the documents in sync. The resources used to adjust the look and feel or graphical appearance of the user interface. For SAP Mobile Documents, the administrator can adjust the appearance of the user interface of the Web app, the ios apps, and the Android apps to a company's branding by using, for example, logos, background images, and lock-screen images. Space that is assigned to an individual user to store documents. Related Information OASIS Web page Master Guide 2016 SAP SE or an SAP affiliate company. All rights reserved. 23

24 3.3 Important SAP Notes These SAP Notes contain the most recent information on the installation. Make sure that you have the up-to-date version of each SAP Note, which you can find on SAP Service Marketplace. Related Information SAP Note SAP Note Server Patches SAP Note Desktop Client Patches SAP Note ios Client Patches SAP Note Android Client Patches 3.4 Architecture consists of server and client components. Overview For information about supported CMIS features and CMIS extensions, see the sections in the appendix SAP SE or an SAP affiliate company. All rights reserved. Master Guide

25 The server is the key component for this infrastructure. The server runs on SAP NetWeaver Application Server for Java and implements the CMIS industry standard for the various apps and back-end systems. Table 10: Entities of an System Landscape Entity server mobile app Description Java application acting as a client for connected CMIS-enabled repositories and as a server for various apps as described below. CMIS-enabled mobile application for repository browsing and document viewing. Available for Android and ios devices. Offline capabilities include caching and synchronization of documents. Master Guide 2016 SAP SE or an SAP affiliate company. All rights reserved. 25

26 Entity desktop app Description Standalone desktop application for Mac OS and Microsoft Windows that keeps the documents in the My Documents repository in sync with the local file system. The desktop app for Microsoft offers a Microsoft Outlook addin that can automatically create a share, include a link to the share in your mail or meeting request, and store the files you want to attach to your mail or meeting request in this share. The desktop app for Microsoft offers the Modern UI that is available for Intel-based tablets running on Microsoft Windows 8.1 on which the desktop app is installed. The desktop app synchronizes the files and folders and the Modern UI presents them in a more touch-friendly way. Web app KM connector SSO Extension Library 2.0 HTML5-based Web application for managing the My Documents, Corporate Documents, and Shared Documents repositories. CMIS-enabled connector for KM repositories. SPNego component for Single Sign-On (SSO) with Kerberos. Related Information Supported CMIS 1.1 Features [page 160] CMIS Extensions [page 162] SAP SE or an SAP affiliate company. All rights reserved. Master Guide

27 4 Limitations Some user expectations are not met with the current release. Table 11: App User Expectation Workaround or Fix ios I want to open very large PDF documents (over 80 MB) with the ios app that is based on the source code release. None. ios In an external application, I want to open files from or save files in SAP Mobile Documents. Only works if you do not use an app passcode. Android I want to play videos for Workforce Performance Builder. None. Web app I am an administrator and want to upload files in the admin UI under Theme Assets or Mail Assets using Internet Explorer 9. Either use a Chrome or Firefox browser to upload files in the admin UI. If you are using Internet Explorer 9, completely reload the admin UI after the upload. Web app For on-premise installations, file names in non- Latin languages are encoded incorrectly when you download a folder as a ZIP file. None. Web app After upgrading on-premise installations with versioned repositories from SP04 to SP05, guest users can access the public UI using a public link but can no longer download any files. Share owners have to disable the public link and then enable it again to enable guest users to download files from the public UI. Web app I want to have a reliable preview for PDF files using a browser. Download the PDF file and use a native PDF viewer. Outlook add-in In Microsoft Outlook 2010: I disabled the SAP Mobile Documents add-in and restarted Microsoft Outlook. I expect the add-in to be disabled. SP04 and SP05: User has to start Microsoft Outlook 2010 as an administrator and then disable the add-in. Limitations 2016 SAP SE or an SAP affiliate company. All rights reserved. 27

28 5 Installation and Update The following sections describe how to install and update the components. server apps Prerequisites Generally, the version required for each entity is listed in the Product Availability Matrix (PAM) for SAP Mobile Documents on SAP Service Marketplace. The plug-in contained within the desktop app for Microsoft Windows desktops supports Microsoft Outlook 2010 and The Modern UI is available for Intel-based tablets running on Microsoft Windows 8.1 on which the desktop app is installed Related Information Product Availability Matrix Server Desktop Client CMIS Connector Android Client ios Client 5.1 Installing and Updating the Server You install the server component of using the standard installation tools provided by the SAP NetWeaver platform. Prerequisites Your SAP NetWeaver Application Server for Java is on at least SAP NetWeaver Application Server 7.3 Support Package Stack 09 or SAP NetWeaver Application Server 7.3 including enhancement package 1 Support Package Stack 05 or on SAP NetWeaver Application Server SAP SE or an SAP affiliate company. All rights reserved. Installation and Update

29 At least usage type Enterprise Portal (EP) is enabled on the SAP NetWeaver Application Server for Java. The latest patches and kernel updates for SAP NetWeaver Application Server for Java including J2EE ENGINE SERVERCORE are installed. Download the latest patch for the SAPUI5 software component from the SAP Service Marketplace and deploy it on your system. The software component is named SAPUI5 CLIENT RT AS JAVA. Select your SAP NetWeaver release and the latest patch for your installed SP. For operating system requirements, see the Product Availability Matrix. To use Software Update Manager (SUM), you must meet at least the following requirements: You have downloaded the latest SUM from SAP Service Marketplace at under Software Logistics Toolset 1.0 SUM. You have downloaded the software. You have met the requirements for the update. The SAPCAR version referenced in the environment variable PATH is identical to the one located in the kernel directory. In addition, no reference to any other SAPCAR version must exist in the PATH variable. All application server instances and their associated services are up and running. You have read SAP Note containing the latest SUM release information, including a detailed list of supported processes. You have read the SAP Notes referenced in the SUM guide. Context To install or update on SAP NetWeaver Application Server 7.3 or SAP NetWeaver Application Server 7.3 enhancement package 1, use the standard installation tools provided by the SAP NetWeaver platform. These tools perform software provisioning processes such as installation and uninstallation. In SAP NetWeaver Application Server 7.3, the SUM replaces the Java Support Package Manager (JSPM). It is part of the SL Toolset delivery. Tip We recommend that you use the SUM toolset to deploy. For more information, see the SUM documentation. Procedure 1. Run SUM. 2. Download and deploy the server component or its SP version from SAP Service Marketplace at under Support Packages and Patches A - Z Index M MOBILE DOCS SERVER MOBILE DOCS SERVER 1.0 Comprised Software Component Versions MOBILE DOCS SERVER 1.0 # OS independent MCMBRIDGE<SP>_<patch><number>.SCA. Installation and Update 2016 SAP SE or an SAP affiliate company. All rights reserved. 29

30 Related Information Product Availability Matrix SAP NetWeaver 7.4 SAP NetWeaver 7.3 including enhancement package 1 SL Toolset Download Center on SAP Service Marketplace SCN blog: Setup Guide 5.2 Installing the KM Connector You use the KM connector to connect your Knowledge Management system to either another on-premise Knowledge Management repository or to the cloud version of. The connector interprets the proprietary language of the Knowledge Management system into CMIS standard language. Prerequisites You either have a subscription for the cloud version of and want to connect to an onpremise Knowledge Management system, or you are using the on-premise version of and want to connect to another (remote) Knowledge Management system. The connector is restricted for use with. As the connector is included in the on-premise version of, the connector can only be installed on servers where is not installed. You should install the connector on the server on which the Knowledge Management system is running. To use server components, you must meet the following requirements: Your SAP NetWeaver Application Server for Java is on at least SAP NetWeaver Application Server 7.3 Support Package Stack 09 or SAP NetWeaver Application Server 7.3 including enhancement package 1 Support Package Stack 05 or SAP NetWeaver Application Server 7.4. At least usage type Enterprise Portal (EP) is enabled on the SAP NetWeaver Application Server. The latest patches and kernel updates for SAP NetWeaver Application Server for Java including J2EE ENGINE SERVERCORE are installed. For operating system requirements, see the Product Availability Matrix. To use Software Update Manager (SUM), you must meet at least the following requirements: You have downloaded the latest SUM and software. You have met the requirements for the update. The SAPCAR version referenced in the environment variable PATH is identical to the one located in the kernel directory. In addition, no reference to any other SAPCAR version must exist in the PATH variable. All application server instances and their associated services are up and running. You have read SAP Note containing the latest SUM release information, including a detailed list of supported processes SAP SE or an SAP affiliate company. All rights reserved. Installation and Update

31 You have read the SAP Notes referenced in the SUM guide. Context Caution Make sure that you do not install the CMIS connector on the same SAP NetWeaver Application Server for Java instance on which the server is already installed. To install or update on SAP NetWeaver Application Server 7.3 or SAP NetWeaver Application Server 7.3 enhancement package 1, use the standard installation tools provided by the SAP NetWeaver platform. These tools perform software provisioning processes such as installation and uninstallation. In SAP NetWeaver Application Server 7.3, the SUM replaces the Java Support Package Manager (JSPM). It is part of the SL Toolset delivery. Tip We recommend that you use the SUM toolset to deploy KM connector. For more information, see the SUM documentation. Procedure 1. Run SUM. For information about installing SUM, see the Related Links. 2. Download and deploy the KM connector component or its SP version from SAP Service Marketplace at under Support Packages and Patches A-Z Index M MOBILE DOCS KM CONNECTOR MOBILE DOCS KM CONNECTOR 1.0 Comprised Software Component Versions MOBILE DOCS KM CONNECTOR 1.0 # OS independent MCMCMISCON<SP>_<patch><number>.SCA Related Information SUM SAP NetWeaver Application Server 7.3 SAP NetWeaver Application Server 7.3 including enhancement package 1 SL Toolset Installation and Update 2016 SAP SE or an SAP affiliate company. All rights reserved. 31

32 5.3 Installing and Updating Desktop Apps You can use in combination with several apps. Prerequisites You have downloaded the desktop app or its SP version from SAP Service Marketplace. Context The following sections describe how to install and update these apps for. Procedure Download and deploy the app component or its SP version from SAP Service Marketplace under Support Packages and Patches A - Z Index M MOBILE DOCS DESKTOP MOBILE DOCS DESKTOP 1.0 MOBILE DOCS DESKTOP 1.0 # OS independent MCMDESKTOP<SP>_<patch><number>.SCA. Related Information Product Availability Matrix Installing and Updating the Desktop App for Windows You install and update the desktop app for Microsoft Windows using SAPSetup. The following installation options, which also apply to the update, are available: Installation from a distribution medium The administrator takes the distribution medium from workstation to workstation. This is mainly for testing or for standalone workstations. Installation from an installation server The administrator sets up an installation server from which the installation of the app is run on many different apps. All necessary files are copied from the server to the app during installation SAP SE or an SAP affiliate company. All rights reserved. Installation and Update

33 Tip We recommend that you use an installation server to install the Windows app on the business users' workstations. The server is more flexible and more efficient, especially if many workstations are involved. For the installation server option using SAPSetup, use the following parameters to provision the desktop app. Table 12: Setup Parameters Parameter Value Description ServerURL ServerURL Optional. Specifies the server URL to connect to the server. Format: ProxyURL Sample value: proxy Optional. Specifies the proxy server used to connect to the server. ProxyPort Sample value: 8080 Optional. Specifies the proxy port used to connect to the server. ProxyUser Sample value: user1 Optional. Specifies the proxy user used to connect to the server. ProxyPassword Sample value: abc123 Optional. Specifies the proxy password used to connect to the SAP Mobile Documents server. Product MCM MCM +MCMOutlookAddi n MCM: Silently installs the desktop app. MCM+MCMOutlookAddin: Silently installs the desktop app as well as the Microsoft Outlook add-in of SAP Mobile Documents. Example Example for Silent Installation SAPMobileDocuments-Installer-Win.exe /silent /Product:"MCM+MCMOutlookAddin"/ ServerURL:" For more information, see the SAPSetup documentation. Related Information SL Toolset Installation and Update 2016 SAP SE or an SAP affiliate company. All rights reserved. 33

34 Installing the Desktop App Modern UI The Modern UI presents the files and folders in a more touch-friendly way than the desktop app that synchronizes the files and folders. Prerequisites The UI is available for Intel-based tablets running on Microsoft Windows 8.1 on which the SAP Mobile Documents desktop app is installed. You have downloaded the Modern UI appx file contained in the desktop app for Windows component from SAP Service Marketplace. Procedure To install the appxbundle on devices in your enterprise, see the sideloading mechanism recommended by Microsoft. Currently, you should consider the following steps: Configure PCs for Sideloading Requirements Add Apps Add Multiple Languages for Apps Remove Apps Related Information Microsoft documentation on sideloading Installing and Updating Desktop Apps [page 32] Installing and Updating the Desktop App for OS X The desktop app for OS X is shipped as an Apple disk image (DMG). Context For a distributed installation, use your preferred tool set or create the image using the final configuration. For a local installation, see the steps below SAP SE or an SAP affiliate company. All rights reserved. Installation and Update

35 Procedure 1. Mount the image to OS X. 2. Drag the application to your local application folder Rolling Out Mobile Apps Using SAP Afaria mobile apps can be automatically configured using SAP Afaria. Prerequisites You can access the latest version of SAP Afaria, which is not part of. You have created a configuration file for SAP Afaria. Your ios devices have version 7.0 or higher installed. Your Android devices have version 4.0 or higher installed. Context When your business users download a mobile app, they get a preconfigured app that you have made available using SAP Afaria. Procedure To enable the automatic configuration option using SAP Afaria, set the following parameters in the Managed App Configuration to provision the mobile app: server.url=<url>, where <URL> is the URL of the server. server.user=<user>, where the <USER> value can be prefilled dynamically, for example, using Microsoft Active Directory and a substitution variable. For the Android app, proceed as follows: a. In the Afaria Managed App Configuration, create a group. b. Create an enrollment policy and assign it to the group on the enrollment policy page. c. Create an Android Enterprise Policy. d. Add the apk to the Android Enterprise Policy. e. Create a text file with the following content and upload it on the Configuration tab. server.url=<the server url you want to access> server.user=%s.username% Installation and Update 2016 SAP SE or an SAP affiliate company. All rights reserved. 35

36 f. On the Group page, assign the Android Enterprise Policy. g. Enroll your device with this Afaria server and receive the settings on the device SAP SE or an SAP affiliate company. All rights reserved. Installation and Update

37 6 Configuration The following sections include all configuration steps required to run on SAP NetWeaver 7.3 or SAP NetWeaver 7.3 including enhancement package 1 (EHP1), as well as SAP NetWeaver 7.4. Related Information Connecting Repositories [page 37] Assigning UME Roles to Users [page 57] Configuring the Server and App Settings [page 59] Configuring the SAP NetWeaver Application Server for Java Settings [page 90] Document Classification [page 94] Supporting the Use of a Reverse Proxy [page 96] 6.1 Connecting Repositories Connecting to a repository comprises several steps and requires you to first decide on the repository type to use. Context uses the following repository types: My Documents This repository enables users to store their personal documents and sync them to all connected clients. Every user has a folder that is marked as his home folder. All folders and documents inside this home folder are only visible and accessible to the user himself. Shared Documents This repository offers the possibility to share documents with other users and external users. If Shared Documents is enabled on the server, every user can create shares, invite members to collaborate, and manage the access rights of these members. You can also create public links to a share with security settings like expiration date, password, and so on. A public link is accessible through a dedicated nonguessable URL, which can be password-protected. If enabled, anonymous users can also upload or delete documents in a share. Corporate Documents Repositories containing company documents and non-private documents of the user. You can use Knowledge Management (KM) to create repositories or you can connect to existing KM repositories. You can also connect to other document servers with CMIS-capable interfaces. In addition, you have the option to push Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 37

38 content to a corporate repository. That is, you can synchronize content on a user's device independently of the user's sync settings for the respective content. A repository configuration consists of the following steps: Procedure 1. Create a repository. For corporate repositories, you can use an existing repository. 2. Choose an authentication scenario. 3. Maintain a destination. 4. Configure the repository. Related Information Creating a Knowledge Management Repository [page 38] Authentication Scenarios [page 41] Maintaining Repository Destinations [page 43] Configuring Repositories [page 45] SCN blog: Setting up to connect to Microsoft Sharepoint using Kerberos Creating a Knowledge Management Repository Setting up the Knowledge Management (KM) repository is only necessary if you do not already have a repository to connect with. Prerequisites At least the system administration role is assigned to your user. Context You need at least one KM repository for using the My Documents repository. KM provides standard repositories after setup, for example, the documents repository. This section describes how to create an alternative database file system (DBFS) repository for the My Documents repository SAP SE or an SAP affiliate company. All rights reserved. Configuration

39 Tip For the My Documents repository you must use a DBFS repository. For more information, see the KM documentation for CM repository manager. Make sure that the Sharing repository uses a different repository. Procedure 1. Start SAP NetWeaver Portal at 2. Choose System Administration System Configuration Knowledge Management Content Management. 3. In the Content Management section, select Repository Managers. 4. To list the predefined CM repositories, choose CM Repository. 5. To create a repository for My Documents, choose New. 6. Enter at least the parameters in the Name, Prefix, Persistence Mode, Repository ID in Database, and Root Directory fields. Table 13: Example Field Name Prefix Persistence Mode Repository ID in Database Root Directory Repository Services Property Search Manager Security Manager ACL Manager Cache Memory Cache Sample Value mydocuments /mydocuments dbfs mydocuments $(sys.global.dir)/config/cm/mydocuments Select properties com.sapportals.wcm.repository.manager.cm.cmpropertysearchmanager AclSecurityManager ca_rsrc_acl ca_cm 7. Select dbfs as Persistence Mode. 8. Optional: Set the Security Manager to AclSecurityManager and the ACL Manager Cache to ca_rsrc_acl, and choose OK. 9. Create a second repository for corporate content. 10. In the file system, navigate to the root directory specified in the Repository Creation Wizard. 11. Create the folders specified in the file system. 12. If the Repository Manager displays an error, restart the SAP NetWeaver Application Server for Java. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 39

40 13. Start SAP NetWeaver Portal at To check your repositories, choose Content Administration KM Content KM Content. Results Caution SAP Knowledge Management provides an insecure default configuration (see SAP Note ). To protect private and confidential data in your repositories, you have to make changes to the repository access control list (ACL). For more information, see SAP Note and Authorizations in the SAP NetWeaver Library. The repositories are listed in the Knowledge Management Content and are ready to use for SAP Mobile Documents. Related Information Authorizations Configuring Knowledge Management Change Log CMIS provides a change log mechanism, the getcontentchanges service, to allow applications to easily discover the set of changes that have occurred in objects stored in the repository for comparison with a previous point in time. This change log can then be used by applications such as search services that maintain the external index of the repository to efficiently determine how to synchronize their index to the current state of the repository. Procedure 1. Navigate to Configuration Infrastructure Java System Properties. 2. Select the Applications tab and search for com.sap.mcm.km.cmis. 3. To enable or disable the change log, set the property com.sap.mcm.km.cmis.changelog.enabled to TRUE or FALSE. The change will take effect without a restart of the application. The change log is disabled by default. 4. To specify which repositories the change log should be supported for, define the repositories as a commaseparated values list in the com.sap.mcm.km.cmis.changelog.enabled.repositories property SAP SE or an SAP affiliate company. All rights reserved. Configuration

41 Recommendation For performance reasons, we recommend that you specify only the KM repositories that are configured in MCM Administration. The change will take effect after a restart of the application. Note This property also supports the wildcard * value, which means all KM repositories. 5. To fine-tune the performance of the change log according to the needs and hardware, you can use the following optional properties: com.sap.mcm.km.cmis.changelog.max.events - Defines how much of the events collected from KM will be processed in order to generate the change log. Its default value is 1, which means all collected events com.sap.mcm.km.cmis.changelog.life.milis - Defines how long (in milliseconds) each event will be available before it is discarded (deleted from the change events table). Its default value is 1 (day). Example If you have configured My Documents and Shared repositories in MCM Administration to use the following KM repositories mydocuments and shareddocuments, and you want to enable the change log for them, proceed as follows: 1. Set the value of the com.sap.mcm.km.cmis.changelog.enabled.repositories property to mydocuments,shareddocuments (without quotes and without any spaces). 2. Set the value of com.sap.mcm.km.cmis.changelog.enabled to TRUE. 3. Restart the com.sap.mcm.km.cmis application by following the substeps below: 1. Navigate to Operations Systems Start&Stop: Java Applications Java Applications. 2. Search for com.sap.mcm.km.cmis and then select it. 3. Choose Restart Authentication Scenarios Depending on your system landscape and the document management systems you want to connect, you need to identify which authentication scenario to use for connecting to the repositories. Connecting to Local SAP KM Repositories If the connected Knowledge Management system (KM) is on the same server as the installation, the recommended and best-performing connection type is Local KM Connection. The SAP Mobile Documents server is then able to save the additional HTTP communication with the repository and reads or writes the data directly into KM. For a local KM connection you still need to create an HTTP destination of the type Basic (User ID and Password) with the credentials of an administrative KM user. For the My Documents and Shared Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 41

42 Documents folders the users home folders are created with this user. For corporate repositories this user is used to sync the repository information between repository and server. Connecting to Remote Servers Using Assertion Tickets Used to enable single sign-on (SSO) between and the remote repository by using assertion tickets. This connection type can be used to connect to SAP KM repositories on a remote server or to connect to servers that are able to validate assertion tickets (a special form of logon tickets). Two HTTP destinations are required: One destination of the type Basic, which is used for administrative purposes, and one destination with the same name and the suffix _USER of the type Assertion Ticket. So, for example, when you create a destination of the type Basic (User ID and Password) with the name KM_REMOTE, you have to create a second destination of the type Assertion Ticket with the name KM_REMOTE_USER. In the SAP Mobile Documents administration UI, create a connection of type SAP Assertion Ticket Connection and the destination name KM_REMOTE. Caution A prerequisite for using SSO with assertion tickets is a trust relationship between both servers. You can set up trust by using the SAP NetWeaver Administrator of the target system. Choose Configuration Security Trusted Systems Single Sign-On with SAP Logon Tickets. Connecting to Remote Servers Using a Service User Connection With the Service User Connection connection type you can connect to a remote repository (server) with a single static user that is defined in the destination maintained in SAP NetWeaver Administrator. All users use this technical user to connect to the repository. This could be suitable for corporate repositories where all users should see the same content. Service user connections are also an easy way to connect a repository as read-only (by using a user that only has read permission). Connecting to Remote Servers Using an HTTP-Header-Based Authentication When this connection type is used, the server sends the user s logon ID as an HTTP header variable. This connection type requires an additional connection option that declares the name of the HTTP header variable where the server injects the logon ID of the current user. The connection option key is com.sap.mcm.useridheadername. An example of a valid configuration is: com.sap.mcm.useridheadername=userlogoncaution. Caution If you do not take appropriate security measures, authentication using header variables can allow attackers to impersonate a user by sending a request with a user ID in the appropriate header variable to the remote SAP SE or an SAP affiliate company. All rights reserved. Configuration

43 repository. In any productive system, this must be prevented by using appropriate infrastructure measures (firewall, mutual SSL authentication, and so on). Connecting to Remote Servers Using SPNego Authentication When the optional component SSO Extensions Library (SSOEXT) is installed on the SAP NetWeaver system, the server is able to connect to backends that support the Kerberos authentication standard by using Kerberos constrained delegation. For more information about the installation and configuration, see Extension for Kerberos Constrained Delegation Implementation Guide in the SAP NetWeaver Library relevant for your release. supports this type of single sign-on using the connection type SPNego authentication. The configured HTTP destination must also use the authentication type SPNego if available for your release or otherwise the authentication type No Authentication. Related Information Extension for Kerberos Constrained Delegation Implementation Guide Maintaining Repository Destinations [page 43] Maintaining Repository Destinations To connect repositories to, you first maintain the destinations of the repositories' backend systems in SAP NetWeaver Administrator. Prerequisites Ensure that all necessary configurations are set up on your SAP NetWeaver Application Server for Java to support your selected authentication scenario. Your user has administrative rights in SAP NetWeaver Administrator. A destination for this connection already exists. Destinations hold security-relevant information in secure storage. Procedure 1. To start the destination service, enter in your browser or choose Configuration Security Destinations in SAP NetWeaver Administrator. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 43

44 2. Log on with an administrative user. 3. To start the wizard, choose Create under Destination List. 4. In the General Data step, enter the following information in the corresponding fields: Table 14: General Data Field Possible Values Description Hosting System Local Java System <SID> System where the destination is located. Destination Name <DESTINATION_NAME> Name of the destination, for example, MCM_LOCAL_KM. Destination Type HTTP Protocol used to communicate with the remote system. supports only HTTP as the destination type. Note You can choose to use the Secure Sockets Layer (SSL) protocol in the next step. 5. In the Connection and Transport Security Settings step, enter at least the URL of your local or remote server to establish the connection, using the endpoint URL of the repository s CMIS interface. The following table contains some sample repository URLs. Table 15: URL Format Connector Format Binding Type KM (remote or local) Browser SharePoint2010 SharePoint2013 Alfresco 4.2 and later _vti_bin/cmis/rest/<repository-id>? getrepositoryinfo _vti_bin/cmis/rest/<repository-id>? getrepositoryinfo default-/public/cmis/versions/1.1/ browser AtomPub AtomPub Browser Tip We recommend that you always use the Secure Sockets Layer (SSL) protocol for all SAP Mobile Documents connections, and that you adjust the SSL Server Certificates section as described in the next step. 6. To accept server certificates, deselect the Ignore SSL Server Certificates checkbox. In the Trusted Server Certificates Keystore View field, select the keystore view from the dropdown box containing the trusted SSL certificates, for example, TrustedCAs. 7. In the Logon Data step, choose the authentication method, and - if applicable - enter the authentication parameters in the corresponding fields. For more information about the supported authentication types, see Authentication Scenarios SAP SE or an SAP affiliate company. All rights reserved. Configuration

45 8. To save your entries, choose Finish. The destination you have created is displayed in the Destination List. 9. To check whether the destination works with the credentials supplied, choose Ping Destination under Destination Detail. The expected response should be similar to this message: Successfully connected to HTTP destination <DESTINATION-NAME> with response code 200. Content type application/ json;charset=utf Repeat these steps for all systems that you want to connect to. Related Information Maintaining HTTP Destinations (SAP NetWeaver Library) Authentication Scenarios [page 41] Configuring Repositories Depending on your use case, you configure some or all of the repository types described below. Related Information Configuring Connections [page 45] Configuring the My Documents Repository [page 49] Configuring the Shared Documents Repository [page 50] Configuring Corporate Documents Repositories [page 52] Configuring Connections Some repository configurations require you to configure a connection as a preliminary step. Prerequisites Read the parameter list below and define the connections required for your scenario. Ensure that all necessary configurations are set up on your SAP NetWeaver Application Server for Java, for example, the trust relationships and the user store, before you start to configure. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 45

46 Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose REPOSITORIES Connections. 3. To create a new connection, choose Create. 4. On the Manage Connections screen, enter the parameters that are appropriate for your back-end system and its repositories: Table 16: Connection Details Setting Possible Values Comment Display Name <DISPLAY-NAME> Arbitrary display name for the repository connection table to identify the connection in the repository configuration. Destination <DESTINATION- NAME> Destination name maintained in SAP NetWeaver Application Server for Java without the _USER extension. See Maintaining Repository Destinations. Connection Type Local KM Connection Service User Connection SAP Assertion Ticket Connection Header Connection SPNego Connection RFC Connection Specifies how the server connects to a repository server. For more information about the values, see the table below. Options Key1=Value1 Key2=Value2 The connection options are key-value pairs. You can use them to define additional parameters or to override default values. For a detailed table with all possible values, see below SAP SE or an SAP affiliate company. All rights reserved. Configuration

47 Table 17: Connection Options Option Default Value Description org.apache.chemistry.opencmis.binding.spi.typ e org.apache.chemistry.opencmis.binding.clientc ompression browser false Defines the binding type that is used to connect to the remote repository. supports the following bindings: browser atompub local The browser binding is used as a default within the SAP Mobile Documents server. If connecting a repository that only offers a CMIS AtomPub interface, configure org.apache.chemistry.openc mis.binding.spi.type=atomp ub in the connection options (for example, for Microsoft Share Point). If the remote repository supports gzip compression of requests, you can activate the compression of requests sent by the server by setting this parameter to true. org.apache.chemistry.opencmis.binding.connect timeout org.apache.chemistry.opencmis.binding.readtim eout Defines the HTTP connect timeout in milliseconds Defines the HTTP read timeout in milliseconds. com.sap.mcm.restrictedquery false The mobile clients send queries to the repositories using the cmis:objectid when documents are marked as synced. Some repositories (for example, Microsoft SharePoint) do not support querying of documents by object ID. If com.sap.mcm.restrictedquer y=true is set, then the SAP Mobile Documents server simulates the query and returns the necessary results even though the query itself is not supported by the back-end repository. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 47

48 Option Default Value Description com.sap.mcm.useridheadername not applicable If the Header Connection connection type is used to connect to repository servers that accept external authentication, the additional com.sap.mcm.useridheaderna me parameter is used to specify the name of the HTTP header where the server injects the logon ID of the current user. org.apache.chemistry.opencmis.workaround.incl udeobjectidoncheckout org.apache.chemistry.opencmis.workaround.incl udeobjectidonmove true Only relevant for SharePoint true Only relevant for SharePoint org.apache.chemistry.opencmis.workaround.omit ChangeTokens org.apache.chemistry.opencmis.workaround.addn ameoncheckin true true Relevant for SharePoint 2010 and Relevant for SharePoint 2010 and com.sap.mcm.contenthttpdestination not applicable Only relevant for RFC connections. Defines the destination that is to be used for content uploads and downloads if the content is transferred using HTTP. 5. Save your entries. 6. Repeat the steps for all systems that you want to connect to. Related Information Maintaining Repository Destinations [page 43] SAP SE or an SAP affiliate company. All rights reserved. Configuration

49 Configuring the My Documents Repository User-specific repository for that contains the documents the user wants to share. Prerequisites You have created a destination with authentication type Basic (user ID and password). The user you entered in the destination has the content_admin_role role to operate on behalf of the users, for example, to create the home folders of the users. Ensure that the required connection for the My Documents repository is available (see Configuring Connections). Context Note Only KM repositories using the (see CM Repository Manager) are supported. You must use a DBFS repository. Make sure that the Sharing repository uses a different repository. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose REPOSITORIES My Documents. 3. In the Connection field, enter the connection you defined for the My Documents repository. Note If you are using a KM installation on the server, use a connection of type Local KM Connection. If your KM installation runs on another server, use SAP Assertion Ticket Connection and make sure you install the KM connector. For more information, see Installing the SAP Mobile Documents KM connector. For more information, see Authentication Scenarios. 4. In the Repository field, select a repository from the list of available repositories for this connection. For more information, see Creating a Knowledge Management Repository. 5. In the Document Classification field, set the classification level for the repository. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 49

50 Note All documents in this repository inherit the classification level of the repository. For more information, see Document Classification. 6. The Disable "My Documents" Repository checkbox is unselected by default. If set, then the end-users do not have a My Documents folder. Caution Even if you want to disable the My Documents repository you still must configure it because it is used to store app configuration settings, themes, mail templates and so on. 7. To save your entries, choose Create. Related Information Authentication Scenarios [page 41] CM Repository Manager Configuring Connections [page 45] Document Classification [page 94] Installing the KM Connector [page 30] Configuring the Shared Documents Repository For users to be able to share documents with other users and external users this Shared Documents repository is used. Prerequisites You have created a destination with authentication type Basic (user ID and password). The user you entered in the destination has the content_admin_role role to operate on behalf of the users, for example, to create the home folders of the users. Ensure that the required connection for the Shared Documents repository is available (see Configuring Connections [page 45]) SAP SE or an SAP affiliate company. All rights reserved. Configuration

51 Context Note Only KM repositories using the (see CM Repository Manager) are supported. You must use a DBFS repository. Make sure that the Sharing repository uses a different repository. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose REPOSITORIES Shared Documents. 3. In the Connection field, enter the connection you defined for the Shared Documents repository. For more information, see Configuring Connections. Note If you are using a KM installation on the server, use a connection of type Local KM Connection. If your KM installation runs on another server, use SAP Assertion Ticket Connection. For more information, see Authentication Scenarios. 4. In the Repository field, select a repository from the list of available repositories for this connection. For more information, see Creating a Knowledge Management Repository. 5. In the Document Classification field, set the classification level for the repository. Note All documents in this repository inherit the classification level of the repository. For more information, see Document Classification. 6. To save your entries, choose Create. Related Information Configuring Connections [page 45] Authentication Scenarios [page 41] Creating a Knowledge Management Repository [page 38] Document Classification [page 94] Maintaining Repository Destinations [page 43] Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 51

52 Configuring Corporate Documents Repositories enables you to set up one or more corporate repositories for your company, containing company documents that are not owned by the app users. Prerequisites Ensure that the required connection for the Corporate Documents repository is available (see Configuring Connections). To connect to an external SAP Knowledge Management system, the KM connector must be installed on the remote server. For more information, see Installing the KM connector. For the Pushed Content option, the following assumptions apply: The administrator informs the content managers about the repositories that are pushed (including this information in the repository description). Content managers have at least write authorization for these repositories so that they can create, delete, or update the content there. Context is CMIS compatible and therefore you can connect CMIS-compatible document repositories, for example, Microsoft SharePoint 2010, Microsoft SharePoint 2013, or Alfresco. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose REPOSITORIES Corporate Content. 3. To create a new repository connection, choose Create. 4. On the Manage Repository screen, enter the following parameters as appropriate: Table 18: Details Setting Possible Values Comment Connection <CONNECTION NAME> The dropdown box lists all available connections defined in Configuring Connections plus the Local Repository Connection used for SAP HANA Cloud Platform document service repositories SAP SE or an SAP affiliate company. All rights reserved. Configuration

53 Setting Possible Values Comment Repository <REPOSITORY NAME> The dropdown box lists all available repositories for the connection parameter. Display Name <DISPLAY NAME> Predefines the name of the repository displayed in the mobile app. To display a custom name for the repository, adjust the setting. Description <DESCRIPTION> Predefines the description of the repository. Is not displayed in the mobile app. Pushed Content Unselected checkbox (default) Selected checkbox Defines whether the corporate repository contains pushed content. For examples of the possible combinations of the pushed content options, see the next table. Restricted To <UME role or a semicolon-separated list of UME roles> Defines that only those users who have at least one of these roles can see the pushed content. For other users the repository is not visible at all. The UME roles are maintained in the user management engine (UME) of the SAP NetWeaver Application Server for Java. Show as corporate content for other users Unselected checkbox (default) Selected checkbox Defines that users who are not assigned any of the UME roles that are specified in the Restricted To field can see the repository. This checkbox is only displayed after the corporate repository has been marked as Pushed Content, a role has been specified in the Restricted To field, and you have clicked into another field. Root URI <REPOSITORY-PATH> Format: /<section1>/<section2> Defines a specific folder within the repository to be the root folder displayed in the mobile app. Document Classification Public Customer Internal Defines the classification level of the repository. This classification is inherited by all documents that the repository contains. Confidential Strictly confidential For more information, see Document Classification. Hide Repository Unselected checkbox (default) Selected checkbox Enable Recycle Bin Unselected checkbox Default Selected checkbox Only available for Local Repository Connection. Only if you enable the recycle bin for the repository can the users restore deleted files and folders of this repository. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 53

54 Setting Possible Values Comment Recycle Bin Retention Time (Days) number of days If you leave this field blank, it will be displayed with a value of 0 the next time you open the Manage Repository dialog for this repository. Only available for Local Repository Connection. Defines a time period in days after which the repository will be emptied by a cleanup job. The maximum retention time is 999 days. If you set the number of days to 0, then the recycle bin will not be emptied. Managed By <userid1>,<userid2>,<userid3> Only available for the Local Repository Connection type. Enter the user IDs (separated by commas) of the user administrators of the root-level folder in the SAP HANA Cloud Platform document service repository. These administrators have the CMIS_ALL permission and manage the access (permissions) of other users to the subfolders that are created in this repository. Table 19: Samples of Combinations of the Pushed Content Options Settings Effect The Pushed Content checkbox is not selected. The Restricted To field is empty. The Pushed Content checkbox is not selected. The Restricted To field contains the Reviewer role. The Pushed Content checkbox is selected. The Restricted To field is empty. The Pushed Content checkbox is selected. The Restricted To field contains the Reviewer role. The Show as corporate content for other users checkbox is not selected. The Pushed Content checkbox is selected. The Restricted To field contains the Reviewer role. The Show as corporate content for other users checkbox is selected. Pushed content is not used. The repository is visible to all users as a corporate repository. Pushed content is not used. The corporate repository is only visible to users who are assigned at least one of the roles listed in the Restricted To field, in our example the Reviewer role. All users see the repository as pushed content. Users who are assigned the Reviewer role see the repository as pushed content. No other users can see the repository. Users who are assigned the Reviewer role see the repository as pushed content. All other users see the repository as a normal corporate repository. 5. Save your entries. 6. Repeat the steps for all systems that you want to connect to. Results The apps use the repository information to determine which of the corporate repositories the current user can view and which of these repositories are marked as pushed content: Repositories that the current user cannot view are not included in the repository information SAP SE or an SAP affiliate company. All rights reserved. Configuration

55 Repositories that are marked as pushed content for the current user have the extension pushedcontent: "true" in the repository information. (Remarks: The value true has type string, not boolean. If a repository is not marked as pushed content, the pushedcontent extension is skipped. There is no such extension as pushedcontent: "false".) Related Information Configuring Connections [page 45] Installing the KM Connector [page 30] Document Classification [page 94] Managing Folders in Document Service Repositories Root folder administrators can create subfolders and assign permissions to other users for accessing these subfolders. Prerequisites Your administrator has set up an SAP HANA Cloud Platform document service repository. Your administrator has assigned the CMIS_ALL (All) permission for the respective document service repository to you, that is, your user ID is listed in the Managed By field of the repository. Context Note Due to the tenant isolation in SAP HANA Cloud Platform, the document service cockpit cannot access or view repostories you create in or vice versa. If you are a root folder administrator, you can do the following: Create a subfolder in the repository. Change the properties of the subfolder. Create an ACL for the subfolder, that is, add users to the subfolder and assign a document service repository permission to each of them. The users are then listed in this order: the folder owner, the Everyone user/role, users whose addresses cannot be resolved, known users in alphabetical order. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 55

56 You can assign the following permissions, listed from the weakest to the most powerful permission: Read: Permission to access files and folders and to read their properties, content, and ACLs. File: Includes the Read permission and in addition the permission to change the children of the folder as well as the parent of the node. Write: Includes the File permission and in addition the permission to change the properties and the content of the children as well as the parent of the node. Delete: Includes the Write permission and in addition the permission to delete a file or folder. All: Includes the Delete permission and in addition the permission to change the ACL. Procedure 1. Log on to the Web app and open Corporate Documents. 2. To create a subfolder in the document service repository, choose Create New Folder. 3. Enter the folder name and confirm with OK. 4. Select the subfolder and choose the Properties icon ( ) to view its properties. 5. Choose the Permissions icon ( ). 6. Choose Edit ( ). 7. Enter the addresses or the IDs of the users separated by semicolons. 8. Select the permission to assign to these users, and choose Add. 9. In the users list, you can change the permission for each user using the dropdown box. 10. To save your changes, choose Save. 11. To delete a user, choose the Remove icon ( ) in edit mode. Related Information SAP HANA Cloud Platform Document Service SAP SE or an SAP affiliate company. All rights reserved. Configuration

57 6.2 Assigning UME Roles to Users To grant users access to the necessary UIs and tasks, assigns UME roles to users using UME groups. Context Table 20: Standard Roles Role MCM_User MCM_Sharing_User MCM_Administrator Comment Enables the business user of to access the SAP Mobile Documents Web UI, the mobile apps as well as the desktop app, and grants permissions for at least MY DOCUMENTS. Enables the user to access shares in the sharing UI to which he or she was invited. The role does not enable the user to create shares. Enables the administrative user for to access to the SAP Mobile Documents administration UI and to perform the corresponding configuration tasks. Administrators without the additional analyst role cannot view the STATISTICS page. MCM_Analyst Enables the user of to access the statistics on the admin Web UI. Analysts without the additional administrator role can only view the STATISTICS page. Note You can use the role assignment to enable or disable for users. For more information on managing users, see Administration of Users and Roles in the SAP NetWeaver Application Server for Java documentation. The procedure below describes how to assign the MCM_Administrator role. The MCM_Analyst role is assigned in the same way. Procedure 1. Start identity management at 2. In Search Criteria, enter Group, and choose Create Group. 3. Enter a name for the group, for example, MCM_Administrators, and choose the Assigned Roles tab. 4. Search for MCM_Administrator, select this role, and choose Add. 5. On the Assigned Users tab, select the required Users who have administrative permissions for SAP Mobile Documents, and add them to the list of Assigned Users. 6. Save your entries. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 57

58 7. Create a second group and name it MCM_Users. 8. On the Roles tab, assign the MCM_Users role to this group. 9. On the Users tab, assign all business users to the group. 10. Save your entries. Related Information Administration of Users and Roles 6.3 Displaying User Information The administrator can, for example, delete users or recalculate how much of their quota they have used on the server. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose USER DATA. 3. Select a search criterion from the dropdown list, for example, the logon ID, and enter the user's details. Note You can use asterisks (*) as wildcards. The search is case sensitive. 4. To view a user's details, click any of the links underlying the user's logon ID, last name, first name, or address. The popup that appears shows the User Details, including the user's quota. To ensure that the quota value is up to date, choose Recalculate Usage. The second half of the popup shows the Repository Details for this user. Table 21: ID Description Home Repository ID ID of the My Documents repository of the instance. Home Folder ID ID of the user's personal folder used for his or her My Documents. Sharing Repository ID ID of the Shared Documents repository of the instance SAP SE or an SAP affiliate company. All rights reserved. Configuration

59 ID Description Sharing Folder ID ID of the user's personal folder used for his or her Shared Documents. Settings Repository ID ID of the settings, which administrators can configure for the clients. Settings Folder ID ID of the settings folder used for this user. There is, for example, a settings repository that enforces app passcodes for mobile clients. Administrators can use this field to assign a specific settings repository to a user. Caution Be very careful and only change these fields if you are very sure of what to do. 5. To delete a user, select the row with this user's data, then choose Delete. Users are automatically added when they first log on to. Administrators can delete users, for example, if a user has left the organization. This user's license is freed up and can be reassigned to another user. Note To prevent the user from accessing any files, remove the User. To delete a user, select the row with this user's role from his or her user profile in your identity management tool. a. To delete the deleted user's documents from the repositories, select the Also delete user's documents checkbox in the confirmation dialog. b. Confirm the deletion with OK. 6. Save your entries. 6.4 Configuring the Server and App Settings The administrator configures the settings that apply to the server and the apps. Related Information Configuring the Additional Settings [page 62] Configuring the Web App Branding [page 63] Configuring the ios App Settings [page 64] Configuring the Android App Settings [page 68] Configuring the Desktop App Settings [page 72] Configuring the Outlook Add-In Settings [page 75] Configuring the Windows Mobile App Settings [page 77] Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 59

60 Configuring the Shared Documents Settings [page 78] Steps to Configure Notification Mails [page 82] Configuring the General Settings The administrator configures general settings that apply to the server. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS General, and then define values as appropriate. Table 22: Quota Settings Setting Possible Values Comment Enable User Quota Unselected checkbox Default Selected checkbox For performance reasons, quota settings are disabled by default. To allocate users only a specific respository space, select the checkbox. This will start the calculation of each user's quota. If a user changes his or her files during the quota calculation, the resulting quota is not accurate. To recalculate the quota of each user, choose Refresh Quota when no or very few users are online. To recalculate the quota of an individual user, see User Data: Recalculate Usage [page 58]. After an upgrade to 1 SP06, you also need to run Refresh Quota. Default User Quota (MB) User Quota Warning Level (%) <numerical value>. Default value: 0. <A number between 0 and 100>. Default value: 80 Defines the standard size in megabytes for the repository space allocated to each user. If the value is 0, there is no space restriction. Defines the quota size limit at which a notification is sent to the user that the allocated space is almost used up. Table 23: Temporary Space Setting Possible Values Comment Temporary Directory Maximum Content Size (Bytes) <file path> Default: Standard directory of the SAP NetWeaver Application Server for Java. <maximum file size> Default: 4 GB The documents are cached in this temporary storage during upload. Defines the maximum size of a file that a user can upload. Larger files are not supported SAP SE or an SAP affiliate company. All rights reserved. Configuration

61 Setting Possible Values Comment Temporary Memory Threshold (Bytes) <file size threshold> Default: 4 MB Defines the maximum size of a file that can be stored in the main memory during upload. Larger files are stored in the temporary directory. Disable Encryption Unselected checkbox (default) Enables encryption. Selected checkbox Encryption is disabled. Encrypts the files in the temporary directory using the Advanced Encryption Standard (AES) 128. Table 24: Security Settings Setting Possible Values Comment Hide Corporate Repositories in Web App No Restriction Default value. Strictly Confidential Allows administrators to not display corporate repositories in the Web app depending on the security classification of the repository. Confidential - Strictly Confidential Internal - Strictly Confidential Customer - Strictly Confidential Public- Strictly Confidential Table 25: Logging Setting Possible Values Comment Statistics Data Unselected checkbox (default) Selected checkbox Enables collection of data about the daily usage, for example, the number of active logons, read accesses, and write accesses per day. Table 26: URLs Setting Possible Values Comment URL to "Privacy" URL to "Legal Disclosure" URL to "More Info" on Landing Page URL for "Help" Link in Web App Common Download URL <URL> <URL> <URL> <URL> <URL> Inserts a button on the landing page and on the sharing UI. If you leave the field blank, the SAP default values are used. To hide the button, select the checkbox Disable URL to "Privacy". Inserts a button on the standard landing page and on the sharing UI. If you leave the field blank, the SAP default values are used. To hide the button, select the checkbox Disable URL to "Legal Disclosure". Inserts a button on the standard landing page. Inserts a link button on the Web app using the URL you indicate, for example, to the SAP Help Portal page at If you leave the field blank, the SAP default values are used. To hide the button, select the checkbox Disable URL for "Help" Link in Web App. Replaces the standard download page. To not display any download button, select the checkbox Disable Common Download URL. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 61

62 Setting Possible Values Comment External Server URL <public_external_server_address> Server address that external apps use to access the server. This URL will be used in all CMIS communications. Enter the complete server address including protocol, host name, and port. Optionally, you can enter a new context path. Examples: For more information, see Supporting the Use of a Reverse Proxy. Table 27: Theme Setting Possible Values Comment Theme Name <SAP UI5 theme name> Name of the theme you created. Currently, the sap_bluecrystal and sap_hcb (High Contrast Black) themes are supported. For more information, see SAPUI5 Theming. Theme Root <theme folder path> Root URL of the theme. 3. Save your entries. Related Information Supporting the Use of a Reverse Proxy [page 96] SAPUI5 Theming Security Policies [page 95] Document Classification [page 94] Configuring the Additional Settings For the ios, Android, Web, and desktop app, you can define the settings using a properties file instead of setting them individually. Context There are the following use cases for setting properties with a file instead of individually in the administration UI: SAP SE or an SAP affiliate company. All rights reserved. Configuration

63 You can import the settings defined for one server to another server, for example, when you define all settings in the test environment and then want to use identical settings in the productive environment. After you set all properties for the app in the admin UI, you can download this settings file and reimport it into another server. The properties file is located in the My Documents repository under Settings. The settings are then applied in the new server. They are displayed in the Additional Settings field and the respective fields on the settings page of the app are set. You have a new app with new options and want to use these with a lower server version. The new app offers more settings than the server admin UI. You can set these additional settings as key-value pairs in the Additional Settings field. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS <respective> App Additional Settings. 3. In the Additional Settings field, paste the content of the properties file or enter key-value pairs as appropriate. 4. Save your entries. 5. For the new settings to take effect, restart the application Configuring the Web App Branding Using, administrators define the look and feel of the Web app and adapt it to your company's branding. Administrators define the page title, the logo, as well as the header logo. Context This task is optional and only required if you want to change the default settings provided by the SAP Mobile Documents server. For the changes to take effect, restart the Web app. Tip The size of uploaded logo images is not adapted automatically. If an image is too large it will cover the entire left-hand side of the Web app. We recommend a size of 80 x 40 pixels. You set the general theme that applies to the Web app (browser) as well as the Web admin UI on the General tab. For more information, see Configuring the General Settings [page 60]. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 63

64 Procedure 1. On the administration UI at log on as an administrative user for. 2. To upload logo images, choose Upload under Settings Theme Assets. 3. To use a custom page title, choose SETTINGS Web App, and then enter your text in the Page Title field. This title is displayed right after the folder name as the tab title in the browser. Most browsers only display one or two title characters. To see the full title, users can hover over the tab page. The full tab title is also used in the browser history to give more details and provide a better overview. 4. To use a custom logo or header logo, choose SETTINGS Web App and select an image from the dropdown box next to the respective logo field. You can select different images for the logo header displayed in the upper left corner and the logo displayed in the lower left corner. 5. Save your entries. 6. For the new settings to take effect, restart the Web app Configuring the ios App Settings Using, administrators define the default settings for the ios app. Context This section is optional and only required if you want to change the default settings provided by the SAP Mobile Documents server. For the changes to take effect, you need to restart the application. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS IOS App General Settings, and then define default values as appropriate. Table 28: General Settings Setting Possible Values Comment Minimum App Version <3_digit_version_number> Defines the minimum version of the app software. If the app is a lower version, the user is instructed to upgrade to a higher version before proceeding SAP SE or an SAP affiliate company. All rights reserved. Configuration

65 Setting Possible Values Comment Recommended App Version <3_digit_version_number> Defines the recommended version of the app software. If the app is a lower version, the user is notified about the higher recommended version. Maximum Cache Size No limit Caching is not limited. Default value. None Disables caching. 50 MB 100 MB 1000 MB 5000 MB Sets the maximum cache size on the device. The user can select a smaller but not a larger maximum cache size. Synced documents are not taken into account in the cache size. Note No Cache means that the documents are downloaded again every time the document is accessed. This increases the traffic and probably the costs. On the other hand, No Cache increases security as the documents are not stored on the device. Disable Support Log Unselected checkbox The user can activate the support log. Default value. Selected checkbox The user cannot activate the support log. Allows or disallows users to activate application logging on their app. Mail Address for Support Requests Mail Address for Support Requests in Executive Mode Help Link for Support Requests <Mail address of support person> <Mail address of support person> URL of help page Defines the mail address for support requests. Defines the mail address for support requests that is displayed on the screen of the executive mode. Enables you to link to a help page. If set, the Help Page entry in the help menu is displayed on the ios screen. Disable Automatic Sync Over Cellular Unselected checkbox The user can activate the support log. Default value. Defines whether users can prevent synchronization of their files when they cannot use a WiFi network. Selected checkbox The user cannot activate the support log. Cellular Data Threshold (MB) <integer> Triggers the display of a warning for downloads of or above this threshold size. 3. Save your entries. 4. For the new settings to take effect, restart the ipad or iphone application. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 65

66 Configuring the Security Settings and Security Policies for ios Using, administrators define the security requirements that users have to fulfill when defining their passcodes. In addition, administrators use the security policies to define which actions are available to users in the mobile apps. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS IOS App Security Settings or Security Policies, and then define values as appropriate. Table 29: Security Settings Setting Possible Values Comment Application Passcode Required Checkbox selected Application passcode is enforced. Defines whether the application passcode that the user sets is enforced. Default value. Checkbox not selected Application passcode is not enforced. Allow Local Storage of Passcode Checkbox selected Application passcode is enforced. Required for Touch ID support. Default value. Checkbox not selected Application passcode is not enforced. Enable Touch ID Support Checkbox selected Application passcode is enforced. Default value. Checkbox not selected Application passcode is not enforced. Allows users to unlock the app using their fingerprint instead of their passcode. You can only enable this setting, if you have enabled Allow Local Storage of Passcode. Lock Timeout Immediately The user has to enter the passcode immediately. Default value. 60 seconds 300 seconds 600 seconds Defines the period of inactivity after which users have to re-enter their passcode. The user may select a shorter but not a longer timeout. Maximum Number of Failed Passcode Attempts 20 Default value Defines how many times users can attempt to enter their passcode. If all attempts fail, all data is erased from the app. The user can set a lower number of passcode attempts but not a higher number SAP SE or an SAP affiliate company. All rights reserved. Configuration

67 Setting Possible Values Comment Minimum Passcode Length 8 Default value. <Any number> Defines the minimum number of characters required for a passcode. Passcode Must Contain: Checkbox not selected The passcode does not have to contain such a Defines whether the passcode must contain the listed character. Lowercase Characters Uppercase Characters character. Default value. Checkbox selected The passcode must contain such a character. Digits Special Characters 3. Save your entries. 4. To define which actions are available to users in their ios app, set the security policies. For more information, see Security Policies. 5. Save your entries. 6. For the new settings to take effect, restart the ipad or iphone app. Related Information Security Policies [page 95] Configuring the ios App Theming Using, administrators define the look and feel of the ios apps and adapt them to your company's branding. Administrators define the highlight color as well as background or lock screen images. Context This section is optional and only required if you want to change the default settings provided by the SAP Mobile Documents server. For the changes to take effect, users need to restart the ios app. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 67

68 The following file formats are supported: Table 30: Supported Formats Format File Name Extension Tagged Image File Format (TIFF).tiff,.tif Joint Photographic Experts Group (JPEG).jpg,.jpeg Graphic Interchange Format (GIF).gif Portable Network Graphic (PNG).png Windows Bitmap Format (DIB).bmp,.BMPf XWindow bitmap.xbm Procedure 1. On the administration UI at log on as an administrative user for. 2. To upload background or lock screen images, choose Upload under SETTINGS Theme Assets. 3. To define the highlight color and images, choose SETTINGS IOS App Theming. 4. To define the highlight color for the ipad or iphone app, click inside the entry field and choose a color by moving the slider, clicking the colors field, or entering values. 5. To set the theme images, select an image from the dropdown box next to the respective resolution field. You can select different images, for example, for the portrait or landscape mode. 6. Save your entries. 7. For the new settings to take effect, users restart the ipad or iphone app Configuring the Android App Settings Using, administrators define the default settings for the Android app. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS Android App General Settings. and then define default values as appropriate SAP SE or an SAP affiliate company. All rights reserved. Configuration

69 Table 31: General Settings Setting Possible Values Comment Minimum App Version Recommended App Version <Version> <Version> Defines the minimum version of the app software. If the app is a lower version, the user is instructed to upgrade to a higher version before proceeding. Defines the recommended version of the app software. If the app is a lower version, the user is notified about the higher recommended version. Maximum Cache Size No Limit Caching is not limited. Default value. No Cache Disables caching. 50 MB 100 MB 1000 MB 5000 MB Sets the maximum cache size on the device. The user can select a smaller but not a larger maximum cache size. Synced documents are not taken into account in the cache size. Note No Cache means that the documents are downloaded again every time the document is accessed. This increases the traffic and probably the costs. On the other hand, No Cache increases security as the documents are not stored on the device. Disable Support Log Unselected checkbox The user can activate the support log. Default value. Selected checkbox The user cannot activate the support log. Allows or does not allow users to activate application logging on their app. Mail Address for Support Requests <Mail address of support person> Defines the address for support requests. Disable Automatic Sync Over Cellular Unselected checkbox The user can activate the sup Defines whether users can prevent synchronization of their files when they cannot use a WiFi network. port log. Default value. Selected checkbox The user cannot activate the support log. Cellular Data Threshold (MB) <integer> Triggers the display of a warning for downloads of or above this threshold size. 3. Save your entries. 4. For the new settings to take effect, restart the Android app. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 69

70 Configuring the Security Settings and Security Policies for Android Using, administrators define the security requirements that users have to fulfill when defining their passcodes. In addition, administrators use the security policies to define which actions are available to users in the mobile apps. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS Android App Security Settings, and then define values as appropriate. Table 32: Security Settings Setting Possible Values Comment Application Passcode Required Checkbox selected Application passcode is enforced. Defines whether the application passcode that the user sets is enforced. Default value. Checkbox not selected Application passcode is not enforced. Lock Timeout Immediately The user has to enter the passcode immediately. Default value. 60 seconds 300 seconds 600 seconds Defines the period of inactivity after which users have to re-enter their passcode. The user may select a shorter but not a longer timeout. Maximum Number of Failed Passcode Attempts Minimum Passcode Length 20 Default value Default value. <Any number> Defines how many times users can attempt to enter their passcode. If all attempts fail, all data is erased from the app. The user can set a lower number of passcode attempts but not a higher number. Defines the minimum number of characters required for a passcode. Device Encryption Required Checkbox selected Default value. Checkbox not selected Defines whether the device must have device-level encryption enabled by the Android OS to run SAP Mobile Documents. If this flag is set and the device is not encrypted by Android OS, then will not run on this device SAP SE or an SAP affiliate company. All rights reserved. Configuration

71 Setting Possible Values Comment Disable Use of Removable Storage Checkbox selected Default value. Defines whether removable storage, for example, an SD card, can be used. Checkbox not selected Passcode Must Contain: Lowercase Characters Uppercase Characters Digits Special Characters Checkbox not selected The passcode does not have to contain such a character. Default value. Checkbox selected The passcode must contain such a character. Defines whether the passcode must contain the listed character. 3. Save your entries. 4. To define which actions are available to users in their Android app, set the security policies. For more information, see Security Policies. 5. For the new settings to take effect, restart the Android app. Related Information Security Policies [page 95] Configuring the Android App Theming Using, administrators define the look and feel of the Android apps and adapt them to your company's branding. Administrators define the background or lock-screen images. Context This section is optional and only required if you want to change the default settings provided by the SAP Mobile Documents server. For the changes to take effect, users need to restart the app. The following file formats are supported: Table 33: Supported Formats Format File Name Extension Joint Photographic Experts Group (JPEG) JPEG (jpg) Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 71

72 Format File Name Extension Graphic Interchange Format (GIF) GIF (.gif) Portable Network Graphic (PNG) PNG (.png) Windows Bitmap Format BMP (.bmp) WebP WebP (.webp) Procedure 1. On the administration UI at log on as an administrative user for. 2. To upload background or lock-screen images, choose Upload under SETTINGS Theme Assets. 3. To set the theme images, select an image from the dropdown box next to the respective resolution field. You can select different images, for example, for the portrait and landscape mode. 4. Save your entries. 5. For the new settings to take effect, restart the Android app Configuring the Desktop App Settings The administrator defines default settings for the desktop app of. Context This section is optional and only required if you want to change the default settings provided by the SAP Mobile Documents server. For the changes to take effect, users need to restart the application. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS Desktop App General Settings, and then define default values as appropriate SAP SE or an SAP affiliate company. All rights reserved. Configuration

73 Table 34: General Settings Setting Possible Values Comment Minimum App Version <Version> Defines the minimum version of the app software. If the app is a lower version, the user is instructed to upgrade to a higher version before proceeding. Recommended App Version <Version> Defines the recommended version of the app software. If the app is a lower version, the user is informed about the higher recommended version. Minimum Synchronization Interval for 'My Documents' 1 minute Default value. 5 minutes 15 minutes Defines the synchronization interval of the My Documents repository. Users can choose larger but not smaller intervals than the default interval. 30 minutes 60 minutes 90 minutes 120 minutes Minimum Synchronization Interval for 'Corporate Documents' 1 minute 5 minutes 15 minutes 30 minutes 60 minutes Default value. Defines the synchronization interval of the Corporate Documents repository. Users can choose larger but not smaller intervals than the default interval. 90 minutes 120 minutes Minimum Synchronization Interval for 'Shared Documents' 1 minute 5 minutes 15 minutes Default value. 30 minutes Defines the synchronization interval of the Shared Documents repository. Users can choose larger but not smaller intervals than the default interval. 60 minutes 90 minutes 120 minutes Maximum Bandwidth No limit Largest possible value. Default value. 64 KB 128 KB 256 KB 512 KB 1024 KB Defines the maximum bandwidth. Users can choose larger but not smaller values than the default value set by the administrator. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 73

74 Setting Possible Values Comment Disable support log Unselected checkbox The user can activate the support log in the app settings. Default value. Selected checkbox The user cannot activate the support log. Allows or does not allow users to activate the application logging on their app. Mail Address for Support Requests <Mail address of support person> Defines the address for support requests. Download URL for Desktop App Updates <URL to the download page for the desktop app> The URL must consist of the protocol or followed by the host and page location. The link is used in these places: The URL is displayed in the notification that users get if their desktop app version is lower than the one defined in the Recommended App Version field. The URL is called up from the context menu of the SAP Mobile Documents tray icon. Under Help Download Latest Desktop App. 3. Save your entries. 4. For the new settings to take effect, restart the desktop app Configuring the Security Settings for the Desktop App You use these settings to define the security requirements that users have to fulfill when defining their passcodes. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS Desktop App Security Settings, and then define default values as appropriate SAP SE or an SAP affiliate company. All rights reserved. Configuration

75 Table 35: Security Settings Setting Possible Values Comment Allow Local Storage of Mobile Docs Logon Password Checkbox selected Local storage is allowed. Defines whether the users are allowed to save the logon password locally on the desktop app. Default value. Checkbox not selected Local storage is not allowed. 3. Choose SETTINGS Desktop App Security Policies, and then define default values as appropriate. Table 36: Security Policies Setting Possible Values Comment Disable Sync for Corporate Repositories <Security policy> Defines whether the users are allowed to disable the synchronization of files in the corporate content repository on the desktop app. For more information, see Security Policies. 4. Save your entries. 5. For the new settings to take effect, restart the desktop app. Related Information Security Policies [page 95] Configuring the Outlook Add-In Settings On the administration UI, you define the default settings of the Outlook Add-In. Context This section is optional and only required if you want to change the default settings provided by the SAP Mobile Documents server. For the changes to take effect, users need to restart the Outlook Add-In. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS Outlook Add-In, and then define default values as appropriate. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 75

76 Table 37: General Settings Setting Possible Values Comment Minimum File Size (MB) Currently not supported. Defines the minimum size of a file that is sent using instead of as a mail attachment. Table 38: Text Settings of the Sharing Dialog Setting Default Values Comment Dialog Header Text <> Allows you as administrator to enter the product name that appears in the sharing dialog header. Tab Header Text <> Allows you to define the product name that appears on all Outlook Add-In tabs. Table 39: Tab Color Settings of the Sharing Dialog Setting Default Values Comment Font Color #FFFFFF Allows you to set the tab font color of the sharing dialog using the color picker dialog box. Headers Background Color #009CE3 Allows you to set the headers background color of the sharing dialog using the color picker dialog box. Background Color #FFFFFF Allows you to set the background color of the sharing dialog using the color picker dialog box. Table 40: Table Settings of the HTML Table Setting Default Values Comment Header Settings Font Arial Font Color #009de0 Allows you to define the font, font color, and background color of the table header using the fonts dropdown list and the color picker dialog box. Background Color #FFFFFF Divider Row Settings Background Color #26A8E0 Uploader Row Settings Font Arial Font Color # Background Color #E6F2F9 Files Section Settings Font Arial Allows you to define the background color of the divider row of the table using the color picker dialog box. Allows you to define the font, font color, and background color of the table uploader row using the fonts dropdown list and the color picker dialog box. Allows you to define the font, font color, and background color of the ta SAP SE or an SAP affiliate company. All rights reserved. Configuration

77 Setting Default Values Comment Font Color # ble files section using the fonts dropdown Background Color #FFFFFF list and the color picker dialog box. Title Settings Font Arial Font Color # Allows you to define the table title font and font color settings using the fonts dropdown list and the color picker dialog box. 3. Save your entries. 4. For the new settings to take effect, restart the Outlook Add-In Configuring the Windows Mobile App Settings On the administration UI, you define the default settings of the Windows App. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS Windows App and define default values as appropriate. Table 41: General Settings Setting Possible Values Comment Minimum App Version Recommended App Version 3_digit_version_number 3_digit_version_number Defines the minimum version of the app software. If the app is a lower version, the user is instructed to upgrade to a higher version before proceeding. Defines the recommended version of the app software. If the app is a lower version, the user is notified about the higher recommended version. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 77

78 Setting Possible Values Comment Maximum Cache Size No limit Caching is not limited. Default value. None Disables caching. 50 MB 100 MB 1000 MB 5000 MB Sets the maximum cache size on the device. The user can select a smaller but not a larger maximum cache size. Synced documents are not taken into account in the cache size. Note No Cache means that the documents are downloaded again every time the document is accessed. This increases the traffic and probably the costs. On the other hand, No Cache increases security as the documents are not stored on the device. Disable Support Log Unselected checkbox The user can activate the support log. Allows or denies users the option of activating application logging on their app. Default value. Selected checkbox The user cannot activate the support log. 3. Save your entries. 4. For the new settings to take effect, restart the Windows app Configuring the Shared Documents Settings On the cloud administration UI, you define the default settings for the Shared Documents repository. Context A Shared Documents repository offers the possibility to share documents with other users and external users. If Shared Documents is enabled on the server, every user can create shares, invite members to collaborate, and manage the access rights of these members. You can also create public links to a share with security settings such as expiration date, password, and so on. A public link can be accessed through a dedicated non guessable URL, which can be password protected. If enabled, anonymous users can also upload or delete documents in a share. Procedure 1. On the administration UI at log on as an administrative user for SAP SE or an SAP affiliate company. All rights reserved. Configuration

79 2. Choose SETTINGS Shared Documents, and then define values as appropriate. Table 42: General Settings Setting Possible Values Comment Allow Sharing Selected checkbox Enabled. Unselected checkbox Disabled. Default value. Defines whether sharing is enabled. Maximum Expiration Time (Days) Default Expiration Time (Days) Minimum Password Length <number of days> Default: 0 0 means that the validity is not limited. <number of days> Default: 0 0 means that the validity is not limited. <minimum number of characters> Default: 8 0 means that no password is enforced. Defines availability period (in days) of public links. This setting affects only the public access to documents. Named share members can access documents in a share for as long as they remain share members. If a user tries to set an expiration date that is too far in the future, the system automatically sets the expiration date to the allowed maximum. Defines default period (in days) for which public links are available. This default is displayed in the UIs before you enter a value. Defines minimum number of characters in your public link passwords. This setting affects only the public access to documents. Named share members can access documents in a share without presenting a password. Allow Upload Selected checkbox Enabled. Unselected checkbox Disabled. Default value. Enables users to decide whether they want to allow users who are not share members to upload files to their share. This setting affects only the public access to documents. Named share members can upload documents to a share depending on their member role. Share Lock Time (Seconds) <Integer value> Length of time for which the public link is locked for users who are not share members if any one user enters a wrong password to access the public link. Invitation Mail None No s are sent. Default value. Internal The server sends e- mails. Determines whether s are sent. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 79

80 Setting Possible Values Comment Invitation Mail Domains (Comma- Separated) Blank Users can send s to any mail address. Default value. <Name of your mail domain> Determines which recipients users can send s to. Example sap.com,sap.de Users can only send s to recipients whose mail account belongs to one of the listed mail domains. Enable Recycle Bin Unselected checkbox Default Selected checkbox Only available for Local Repository Connection. Only if you enable the recycle bin for the repository can the users restore deleted files and folders of this repository. Recycle Bin Retention Time (Days) number of days If you leave this field blank, it will be displayed with a value of 0 the next time you open the Manage Repository dialog for this repository. Only available for Local Repository Connection. Defines a time period in days after which the repository will be emptied by a cleanup job. The maximum retention time is 999 days. If you set the number of days to 0, then the recycle bin will not be emptied. Table 43: Maximum and Default Validity of Public Links Maximum Expiration Value Default Expiration Value By default, a new public link expires never 0 21 in 21 days 30 0 in 30 days in 21 days 3. Save your entries Configuring the CDN Access Settings for Shared Documents On the administration UI, you specify which shares can be hosted by a Content Delivery Network (CDN). Prerequisites The share you want to share using a CDN must not be shared with members only but must be accessible by anybody who receives the link to the share SAP SE or an SAP affiliate company. All rights reserved. Configuration

81 The link to the share must not be protected with a password. Context Because every gigabyte that is transferred using a CDN raises costs, you define that only specific shares are allowed to be hosted by a CDN, using a whitelist. You can combine the following options to create the whitelist: You specify individual shares that can be hosted. You specify that all shares owned by certain users can be hosted. This option makes maintaining the list easier for administrators. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS Shared Documents, and then list the respective shares. Table 44: Settings for CDN Access Setting Possible Values Comment Shares of Owners (User IDs Separated by Commas) user_id_1; user_id_2 The shares of the owners you list here can be hosted by a CDN. Shares (One Share ID per Line) share_id_1 share_id_2 share_id_3 share_id_4 The shares you list here can be hosted by a CDN. You find the share ID in the Web UI on the Access Settings of Share tab. The last part of the Link to Share entry is the share ID, that is, everything following shr=. Example In this sample URL shr=hsx3tyfls4mww8zxpvpgpfdncbrw1m_zuiy5bdwh3hm, the share ID is hsx3tyfls4mww8zxpvpgpfdncbrw1m_zuiy5bdwh3hm. 3. Save your entries. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 81

82 Steps to Configure Notification Mails The server provides a notification process with configurable HTML mail templates. Currently, you can automatically send invitation mails to new members of a share if you have executed the following setup steps: 1. Configure your on-premise mail server. For more information, see Configuring the Mail Server [page 93]. 2. Configure your mail template as described in Configuring the Mail Templates [page 82]. 3. Enable the sending of mail invitations to future share members in the General settings. For more information, see the entries referring to mails in Configuring the Shared Documents Settings [page 78]. 4. Enable future share members to access the share: The future member has a user that is linked to his or her mail address. The user is either created by the administrator or by the users themselves in a company-specific workflow. The future member is assigned the MCM_Sharing role Configuring the Mail Templates If the server is configured to send mails, the mail templates have to be configured. Prerequisites The server has been configured to send mails. A mail template has been uploaded to the server. See Creating a Mail Template Configuration File [page 83]. An SMTP server has been connected to the SAP NetWeaver Application Server for Java on which the SAP Mobile Documents server is running. Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS Mail Assets. 3. To upload a properties file with the template key and the corresponding files, choose Upload SAP SE or an SAP affiliate company. All rights reserved. Configuration

83 Creating a Mail Template Configuration File To send mail notifications in, you must upload a properties file with a defined name that contains the configuration of the mail template. Procedure 1. Create the <template key>.properties configuration file that consists of key/value pairs that build the configuration. Currently, the following template keys are available: Table 45: Template Configuration Keys invitation Comment Send to all members that are added to a share. The template configuration is a property file that has the name <template key>.properties and consists of key/value pairs that build the configuration. Java properties are encoded using ISO character encoding. Therefore, Unicode characters that cannot be directly represented in this encoding must be escaped. Table 46: Template Configuration Parameter Mandatory Comment template x The file name of the HTML mail template. subject x The subject of the mail. You can use the same placeholders as in the mail template. sender charset The mail address of the sender. If no sender address is specified, the user who creates the invitation is the sender. The charset of the template. If no charset is specified, the value defaults to "text/html; charset=windows-1250". 2. To configure additional MIME resources, for example, inline images or attachments, use the key resource.<index>.<parameter>. The index starts with zero and every resource has the same three mandatory parameters. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 83

84 Table 47: Resource Parameter Mandatory Comment cid x The content ID according to RFC-2392 that is used to refer to the resource file in the mail template. name x The file name of the resource file. contenttype x The content type of the resource file according to RFC disposition Content disposition type according to RFC Possible values are inline (default) and attachment. Example This example template is for sending share invitations including an inline logo to share members. The uploaded assets are as follows: invitation.properties invitation.html logo.jpg The configuration file is called invitation.properties: template=invitation.html subject=${sender.displayname} has invited you to the share "${name}" resource.0.cid=logo resource.0.name=logo.jpg resource.0.contenttype=image/jpeg 3. To use variables in HTML mail templates as placeholders, use the ${variablename} pattern for variables. Table 48: All Possible Variables of the Invitation Template Variable repositoryid objectid name description url sender.displayname sender. sender.firstname sender.lastname Comment The ID of the sharing repositoryid. The object ID of the share. The name of the share. The description of the share. The URL that opens the share directly. The display name (first name plus last name) of the inviting user. The mail address of the inviting user. The first name of the inviting user. The last name of the inviting user SAP SE or an SAP affiliate company. All rights reserved. Configuration

85 Variable recipient.displayname recipient. recipient.firstname recipient.lastname Comment The display name (first name plus last name) of the invited user. The mail address of the invited user. The first name of the invited user. The last name of the invited user. Example To use the first name of the invited user in the salutation of the mail template: Hello $ {recipient.firstname} Using Your Own Icons for File Types Applications can provide their own icons for the files they expose to. To use customerspecific icons, you map the icon to a MIME type and upload the mapping file using the administration user interface. Prerequisites You created an icon.json file as described in Creating an Icon.JSON File [page 86]. Context To provide a flexible solution, the server can provide additional mappings of MIME types to the corresponding icons for all apps. This is not only possible for MIME types, but also for object types or even single objects. A mapping can also be restricted to certain repositories. The naming convention for files ensures that the app-specific icon is used, if available. If none is available, no icon is displayed. Only the ios app has a fallback solution: The server looks for a standard icon. If this is also not defined, then the fallback icon is used, which is displayed for all unkown file types. This icon is also displayed in the following situation: If you create a mapping to an already known MIME type, for which no icon can be found on the server, the first fallback solution is to use the default icon for this MIME type. But if this icon does not exist, that is, the MIME type is not known, the icon for unknown file types is used. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 85

86 Procedure 1. On the administration UI at log on as an administrative user for. 2. Choose SETTINGS Icon Assets. 3. To upload the icon.json file containing the mapping of an icon file to a MIME type, choose Upload. 4. To download or delete a file, select it and choose Download or Delete Creating an Icon.JSON File To create an icon mapping, you need to provide an icon file to upload. You create an icon.json file using the elements, file syntax, and rules listed below. Icon File Properties Table 49: Web App ios App Android App Mac Desktop App Windows Desktop App Windows Native -ldpi none -mdpi (default) (default).scale-140 -hdpi.scale-150 -xhdpi.scale-160, -xxhdpi.scale-180.scale SAP SE or an SAP affiliate company. All rights reserved. Configuration

87 Web App ios App Android App Mac Desktop App Windows Desktop App Windows Native App Required Icon Files <file name>.<ext> <file name>.<ext> <file name>.<ext> <file name>.icns <file name>.ico <file name>.<ext> <file <file > <file > <file name>ldpi.<ext> <file name>hdpi.<ext> <file name>xhdpi.<ext> <file name>xxhdpi.<ext > <file name>.scale -140.<ext> <file name>.scale -150.<ext> <file name><.scal e-160.<ext> <file name>.scale -180.<ext> <file name>.scale -240.<ext> Comment n.a. n.a. The Android app has to parse the file name and put it as <file name>.<ext> under the corresponding resource folder. n.a. n.a. n.a. The mapping is a rule that consists of one or more of the following key fields: MIME type Object type Object ID Repository The key maps to a localized display name and app-specific or generic icon files. Rules Engine Rules contain the following elements: Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 87

88 MIME type Table 50: Key Values Comment mimetype An array of technical MIME types for which the rule is valid, for example, application/pdf. The values are case-insensitive, for example, application/pdf is the same as "application/pdf". Parameters for mime types are not supported and cut if existing, for example, text/plain;charset=usascii. Object type Table 51: Key Values Comment objecttype An array of IDs as defined in the CMIS property cmis:objecttypeid or cmis:secondaryobjecttypeid s, for example, cmis:document. The values are matched against the values of the mentioned CMIS properties of the object. Object ID Table 52: Key Values Comment objectid An array of IDs of a folder or a file, if the mapping should only be valid for certain objects, for example, drnmfrd5tjcciq6tu6afm2jw8h BrRKtqeWXp5NycGXs. The option to define specific object IDs is only for use with folders not with documents. Repository Table 53: Key Values Comment repository An array of IDs of the repository for which the rule should be valid, for example, be6348c15c552fc071e If no value is specified, the rule is valid for all repositories. Display Name SAP SE or an SAP affiliate company. All rights reserved. Configuration

89 Table 54: Key Values Comment names A map of localized display names where the key is a two-letter locale according to ISO 639-1, for example, en. Texts for all supported languages of SAP Document Center should be provided, but the field is optional. If no name for a specific language is defined, the fallback language is English. Therefore, if the field is specified, at least the display name for English must be provided. The display name of a specified language must not be null. File Name Table 55: Key Values Comment filename A list of icon file names for the specific apps or a default icon if no specific icon is specified for a app, for example, ios : iconinvoice.png. Possible keys: ios, android, web, desktop, windows, standard The specified icon files, including the ones for the different resolutions, have to exist in the Settings repository under the folder icons. Mandatory field that must contain at least one key with a value. JSON File Syntax File Format Code Syntax { "icons" : [{ "mimetype" : ["...","..."], "objecttype" : ["...","..."], "objectid" : ["...","..."], "repository" : ["...","..."], "names" : { "<locale>" : "...",... }, "filename" : { "<app>" : "...", "standard" : "...",... } }, {... }] } Sample Code { "icons" : [{ "mimetype" : ["application/invoice","application/order"], "objecttype" : null, "objectid" : null, Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 89

90 } "repository" : ["be6348c15c552fc071e04515"], "names" : {"en":"invoice", "de":"rechnung"}, "filename" : {"ios":"invoice-ios.png", "standard":"invoice.png"} }] Rule Evaluation Examples Example 1 Rule 1: MIME type = application/invoice, file name = invoice.png Rule 2: Object type = cmis:document, file name = document.png Object: Object type = cmis:document, MIME type = application/invoice Result: The invoice.png icon is used, because the MIME type is more specific than the object type. Example 2 Rule 1: MIME type = application/invoice, file name = invoice.png Rule 2: Object type = cmis:document, repository = 12345, file name = document.png Object: Object type = cmis:document, MIME type = application/invoice, repository = Result: The invoice.png icon is used, because the MIME type is more specific than the object type and repository restriction together. Example 3 Rule 1: Object ID = abcd1234, file name = demo.png Rule 2: Object type = cmis:document, MIME type = application/invoice, repository = 12345, file name = invoice.png Object: Object type = cmis:document, MIME type = application/invoice, repository = 12345, object ID = abcd1234 Result: The demo.png icon is used, because the object ID is the most specific key element. Example 4 Rule 1: Object ID = abcd1234, file name = demo.png Rule 2: Object ID = abcd1234, file name = invoice.png Object: Object ID = abcd1234 Result: Invalid state! Should have been prevented before the configuration became active. The app should use neither of the icons, but display the default fallback icon of the app and log an error. 6.5 Configuring the SAP NetWeaver Application Server for Java Settings There are optional configuration settings for that are only required if you want to change the default settings provided by the SAP NetWeaver Application Server for Java. Tip We recommend that you deactivate the file size restriction of 100 MB in the Internet Connection Manager (ICM), as this is not desirable when working with documents. In addition, we recommend that you activate HTTP response compression for the communication between the clients and the server SAP SE or an SAP affiliate company. All rights reserved. Configuration

91 Related Information Enabling File Sizes Over 100 MB [page 91] Activating Response Compression [page 92] Enabling File Sizes Over 100 MB In the context of, you can prevent the Internet Communication Manager (ICM) from rejecting requests where the content size exceeds the specified value or default value (102400). Procedure 1. Open the DEFAULT.PFL default profile located at /usr/sap/<sid>/sys/profile/default.pfl using your preferred text editor. 2. To prevent the Internet Communication Manager (ICM) from rejecting requests where the content size exceeds the specified value or default value (102400), add or change the icm/http/ max_request_size_kb = -1 setting. A value of -1 deactivates the check. For more information, see icm/ <PROT>/max_request_size_KB. Caution Change these settings with care. Make sure that they have the desired effect. 3. For the changes to take effect, restart the SAP NetWeaver Application Server for Java. Related Information icm/<prot>/max_request_size_kb Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 91

92 6.5.2 Activating Response Compression To reduce the network traffic and increase the performance of clients, we recommend that you activate the compression of HTTP responses on SAP NetWeaver Application Server for Java. Procedure 1. Start SAP NetWeaver Administrator. For more information, see the release-specific version of SAP NetWeaver Administrator. 2. Configure HTTP response compression. For more information, see the release-specific version of Configuring Rules for HTTP Response Compression. 3. Make sure that the AlwaysCompressed parameter contains the following values (values are a commaseparated list) and use Modify to add missing values: text/plain,text/html,text/xml,text/javascript,text/css,text/javascript,text/ json,application/javascript,application/json,application/atomsvc+xml,application/ xml,application/atom+xml,application/cmisquery+xml,application/ cmisallowableactions+xml,application/cmisatom+xml,application/cmistree +xml,application/cmisacl+xml 4. For the changes to take effect, restart the SAP NetWeaver Application Server for Java. Related Information SAP NetWeaver Administrator Configuring Rules for HTTP Response Compression Enabling Certificate Authentication on the Desktop App For users to log on to the desktop app of using their X.509 client certificate, an administrative user has to set up single sign-on using client certificates on the SAP NetWeaver Application Server for Java. For more information, see the SAP NetWeaver Application Server for Java documentation. Related Information Using X.509 Client Certificates on the AS Java SAP SE or an SAP affiliate company. All rights reserved. Configuration

93 6.5.4 Configuring the Mail Server In, the SAP NetWeaver Application Server for Java uses an SMTP server to send invitation mails. Procedure 1. In SAP NetWeaver Administrator, configure the Java System Properties. For more information, see Java System Properties in the SAP NetWeaver documentation for your application server release on the Help Portal, for example, Java System Properties. 2. On the Services tab, set the properties for the JavaMail Client service. For more information, see Configuring the JavaMail Client Service in the SAP NetWeaver for your application server release on the Help Portal, for example, Configuring the JavaMail Client Service Scheduling KM Quota Consistency Reports Context Scheduling a KM quota consistency report allows you as administrator to keep track of the total used space per user (in the case of existing content in the repository) or missed KM events. The report processes all resources in the selected repositories, finds their owner, and calculates the total used space per owner and updates the database entries. You can configure it to run at regular intervals or you can start and stop it manually. Procedure 1. Navigate to Configuration Infrastructure Java System Properties. 2. Choose the Applications tab. 3. Search for com.sap.mcm.km.cmis. 4. To enable and fine-tune the scheduling of the KM quota consistency report, use the following properties: com.sap.mcm.km.cmis.quota.report.enabled - Allows you to enable/disable the report execution. The report is disabled by default; to enable it you have to choose Modify and set its value to TRUE. com.sap.mcm.km.cmis.quota.report.repositories - Shows you the list of KM repositories for which CMIS supports the quota report. Defines the repositories as a comma-separated values list of KM repositories that are configured in the MCM Administration. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 93

94 Note For performance reasons, we recommend that you specify only the KM repositories that are configured in MCM Administration. com.sap.mcm.km.cmis.quota.report.minutes - Defines the intervals between quota report executions in minutes. The default value is one day. 5. Choose Save. Results You have enabled and set up a KM quota consistency report for a particular system. Note Any changes made after the KM quota consistency report has been scheduled are applied immediately. However, the report interval is reset. For example, if the interval is 24 hours, the next execution will be 24 hours after the moment when changes are saved in SAP NetWeaver Administrator. 6.6 Document Classification Administrators can use document classification to control which actions are available to users in the different SAP Mobile Documents apps, based on the document confidentiality level. The solution enables users to access corporate documents from a variety of apps, including a desktop app, a Web app, an iphone or ipad app, and an Android app. As mobile devices often leave the company premises and the Web app might be accessed from outside the corporate network, you want to restrict the possible actions that can be performed on corporate documents based on their document classification. Therefore, supports enforcing a secure container for confidential documents. Security policies based on document classification determine the allowed actions. Therefore, administrators can control the available actions in the apps, for example, whether a document can be printed, ed, or opened using a specific program. The policies only apply to documents and repositories, not to folders. Note can only guide the users by providing a security-compliant solution. It cannot prevent the intentional violation of security policies by users, for example, by taking screenshots. Currently, document classification supports a fixed set of security classifications for repositories only. The administrator classifies the confidentiality level for one or all repositories by choosing one of the predefined confidentiality levels in the app settings of the administration UI: Strictly Confidential Confidential SAP SE or an SAP affiliate company. All rights reserved. Configuration

95 Internal Customer Public The server adds the confidentiality level as a property to each document. In combination with the security policies, the effect for the users is that they can still see the disabled action, but it is grayed out and cannot be executed for the selected document Security Policies In, administrators use a combination of security policies and the document classification level of the repositories to define which actions are available to users in the mobile apps. The security policies are defined for mobile apps in the administration UI. The following policies are available for the ios app and the Android app: Disable Open Disable Sync Disable Print Disable Clipboard Disable Send Disable Sharing Disable Open In The following policies are available for the ios app: Disable Document Provider Each of these policies can be disabled for certain document classification levels with the following choice of settings: Table 56: Security Policy Settings Setting No Restriction Strictly Confidential Confidential - Strictly Confidential Internal - Strictly Confidential Customer - Strictly Confidential Public - Strictly Confidential Description This function is available in all repositories irrespective of the document classification level. This function is disabled in repositories classified as strictly confidential. This function is disabled in repositories classified as confidential or strictly confidential. This function is disabled in repositories classified as internal, confidential, or strictly confidential. This function is disabled in repositories classified as customer, internal, confidential, or strictly confidential. This function is disabled in all repositories. Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 95

96 6.7 Supporting the Use of a Reverse Proxy supports system infrastructures in which application servers are protected by application firewalls or load balancers with reverse proxy functions. The main issue here is that the URL for accessing the server from outside the corporate network differs from the internal server address. Context A reverse proxy is a server running in front of a group of servers. It presents a single interface to the caller. The reverse proxy routes all incoming connections to the servers and dispatches the inbound network traffic among them. Then, the reverse proxy returns the responses to the clients, changing the HTTP headers so that the clients are unaware that the requests were actually served by machines other than the reverse proxy. For example, the internal address of the server is but the clients use the proxy server s public external address The CMIS responses generated by the server contain fully qualified URLs. In a system infrastructure with reverse proxies, the client-server communication contains the internal server addresses, which the clients cannot access from outside the corporate network. To resolve this problem without rewriting all the server responses, offers the following options: Configuring the external server address in the administration user interface See the procedure below. Note If you use the setting External Server URL, the configured address is used in all CMIS responses. You cannot have different server addresses for internal- and external-facing communication. Forwarding the original host that the client requested in an HTTP request header Without any additional configuration steps, the server can read the HTTP header X- Forwarded-Host and X-Forwarded-Proto, which some reverse proxies (for example, the Apache mod_proxy module) support. Note If the request passes through several proxies, this option does not work, as can only handle a single host value in the header. Procedure 1. On the administration UI at log on with an administrative user. 2. Choose SETTINGS General and enter the external server address SAP SE or an SAP affiliate company. All rights reserved. Configuration

97 Table 57: URLs Setting Possible Values Comment External Server URL <public_external_server _address> Server address that external clients use to access the server. This URL will be used in all CMIS communications. Enter the complete server address including protocol, host name, and port. Optionally, you can enter a new context path. Examples: For more information, see Supporting the Use of a Reverse Proxy. 3. Save your entries. 4. Restart the server. Related Information Supporting the Use of a Reverse Proxy [page 96] Configuration 2016 SAP SE or an SAP affiliate company. All rights reserved. 97

98 7 Security The security guide provides an overview of the security-relevant information that applies to SAP Mobile Documents on premise. Caution This guide does not replace the administration or operation guides that are available for productive operations. Target Audience Technology consultants Security consultants System administrators This document is different from the installation guides, configuration guides, technical operation manuals, and upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases. Why Is Security Necessary? With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also intensified. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to. To assist you in securing SAP Mobile Documents, we provide this security guide. Related Information Before You Start [page 99] Authentication and Authorizations [page 99] Session Security Protection [page 100] Network and Communication Security [page 101] Security Aspects of Data, Data Flow, and Processes [page 103] Data Storage Security [page 104] Document Classification and Security Policies [page 104] SAP SE or an SAP affiliate company. All rights reserved. Security

99 7.1 Before You Start Review the information provided here before you begin your security configuration. Fundamental Security Guides uses features of SAP NetWeaver Application Server for Java. Therefore, the corresponding security guides also apply to. If your scenario uses the Knowledge Management content management system (CMS), the Knowledge Management Security Guide for your CMS also applies. Related Information SAP NetWeaver <release>, see Security Information 7.2 Authentication and Authorizations uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server for Java. Therefore, the basic principles for authentication and authorization, as well as recommendations and guidelines for user administration and authentication, as described in the SAP NetWeaver Application Server for Java Security Guide, also apply to. For authentication, we recommend that you integrate SAP Mobile Documents into the existing corporate ID management system for LDAP or Active Directory Server, for example, SAP ID Management. Currently, users in cannot be mapped to the back-end systems. Therefore, the users must have the same name in both systems. All the apps support the use of basic authentication (user name and password) and X.509 client certificate authentication. The SAP NetWeaver Application Server for Java needs to be configured to support certificate authentication. manages users and permissions using the user management engine of SAP NetWeaver Application Server for Java. The standard roles included in the shipment are described in Assigning UME Roles in. In addition to the role-based authorizations, uses ACL-based authorizations as supplied by the underlying components and connected back-end systems. Access Control Lists (ACLs) limit the access to individual objects. For repository connections, the existing ACLs of the repositories are used within the application. Ensure that newly created repository connections fit your needs regarding ACLs. Security 2016 SAP SE or an SAP affiliate company. All rights reserved. 99

100 Related Information Assigning UME Roles to Users [page 57] Using X.509 Client Certificates on the AS Java 7.3 Session Security Protection You use secure session management to increase security and prevent access to assertion tickets and security session cookies. Web applications use these session cookies to persist user data during sessions. Tip We highly recommended that you use SSL to protect the network communications where these securityrelevant cookies are transferred. In addition to the information in the SAP NetWeaver Application Server for Java Security Guide, SAP Mobile Documents offers the following protection: Cross-Site Scripting Protection Cross-site scripting (XSS) describes the manipulation of user entries that are transferred to a Web application when an attacker embeds harmful program code into a correct environment, so that this code is executed on the client side. XSS can occur whenever the application dynamically creates its HTML, JavaScript, or CSS content, which is passed to the user's Web browser, and attacker-controlled values are used in this process. uses common encoding techniques from frameworks (SAPUI5) as a countermeasure against XSS attacks. In addition, documents can contain malicious code. To avoid such risks, the possibility to open documents directly in the browser is deactivated for all browsers and cannot be reactivated. For the same reason, the handling of attachments is restricted to Internet Explorer as the only browser that can open attachments in the context of the existing session. Cross-Site Request Forgery Protection Cross-site request forgery (XSRF or CSRF) refers to the manipulation of a Web browser with the goal of performing the actions of an authorized user in a Web application. An XSRF attack is successful when attackers manage to send their own queries to the Web application using the browser of the authorized user. To avoid XSRF attacks, has implemented a mechanism on top of the CMIS protocol used, which works with unique security tokens that are only valid for a single session SAP SE or an SAP affiliate company. All rights reserved. Security

101 7.4 Network and Communication Security Your network infrastructure is important for the protection of your system. Your network must support the communication means necessary for your enterprise and your requirements, without allowing unauthorized access. A clearly defined network topology can remove many security risks caused by software errors (at the level of the operating system or application) or eliminate attacks on the network, such as eavesdropping. If users cannot log on to your application server or database server at operating-system or database level, it is impossible for intruders to abuse the machines or to access the database of files on the backend system. If users cannot connect with the server LAN (Local Area Network), they cannot exploit any known errors or security gaps in the network services on the servers. The network topology for is based on the topology used by the SAP NetWeaver platform. Consequently, the security guidelines and recommendations described in the security guide for SAP NetWeaver also apply to. For more information, see the SAP NetWeaver security guide, especially Network and Communication Security and Connectivity and Interoperability Technologies. Related Information SAP SAP NetWeaver Security Guide (7.4) Recommendations on Network and Firewall Your network infrastructure is an important element in protecting your scenario. The network topology for the server is based on the topology used by the underlying SAP NetWeaver platform. For more information, see the SAP NetWeaver Application Server for Java Security Guide. Security 2016 SAP SE or an SAP affiliate company. All rights reserved. 101

102 The figure above only showcases one of the possible setups. In this example, the clients all reside in the Internet area using the Advanced Encryption Standard (AES) to connect to the application gateways that reside in the outer demilitarized zone (DMZ) using HTTPS. These gateways access the server using HTTPS in the inner DMZ. The server then accesses the remote KM repositories or another content management repository, for example, Microsoft SharePoint 2010, in the high security area of your system landscape using HTTP or HTTPS. For your final decision you should take into account the corporate security and network policies Used URL Endpoints If you want to implement any URL-based rule check, you need to consider these endpoints. apps connect to the following URL endpoints: Table 58: URL Endpoints URL Endpoint /mcm/browser/* /mcm/admin/* /sapui5/* Description Web UI (browser app). administration UI (browser app). SAPUI5 delivered with SAP NetWeaver for all UIs. Note To use the sharing UI these endpoints must be accessible without requiring authentication. /mcm/json/* /mcm/atom/* /cmis/json/* CMIS browser binding used by the apps. CMIS AtomPub binding used by the third-party apps. CMIS browser binding used by the KM connector. This endpoint is only required with a distributed installation of KM and the server. /mcm/public/* sharing UI (browser app) and the public REST APIs. Note These endpoints must be accessible without requiring authentication. Otherwise, there may be restrictions for the app Separation of User and Admin Interfaces provides user management engine (UME) roles to separate the access to administrative and business user functions. Some sections of the administration Web UI are not visible to users who have the SAP SE or an SAP affiliate company. All rights reserved. Security

103 administrator role. These sections are only displayed if the user has the analyst role. One user can be assigned both roles. In addition, you can restrict the access to administrative UIs by using network-based rules. SAP NetWeaver Administrator, for example, applies such rules by default. You maintain these network-based rules as specific Internet Communication Manager (ICM) rules. For more information, see SAP Note Security Aspects of Data, Data Flow, and Processes To improve the security of your installation you have to consider several security aspects. The figure above describes the security aspects within the infrastructure as described in Architecture [page 24]. The business users log on using desktop, mobile app, or Web UI using either X.509 certificates or basic authentication with a user name and password. These credentials or certificates are sent SSL-encrypted to the server, which forwards them to the integrated identity management of the SAP NetWeaver Application Server for Java for verification. After verification of their credentials or certificates and the corresponding UME roles, the users have access to the server and the connected repositories. The connections between the server and these systems are secured using Secure Sockets Layer (SSL) protocol and by a trust relationship. Using, you can protect your files at each stage. Security policies prevent leakage of confidential data. The data on the users' devices and in the repository is encrypted during transport using SSL. In addition, all synced documents on the user's mobile app are secured Security 2016 SAP SE or an SAP affiliate company. All rights reserved. 103

104 using Advanced Encryption Standard (AES). All documents are kept either in the repositories or on the apps, but not on the server. 7.6 Data Storage Security Data saved in this area is encrypted using a secret key that is provided and created explicitly for the application or service component by the corresponding SAP NetWeaver Application Server for Java. uses the secure storage provided by the underlying SAP NetWeaver Application Server for Java, where the applications or service components store sensitive data, such as passwords or communication destinations, in encrypted form. For more information, see Data Storage Security in the SAP NetWeaver Application Server for Java Security Guide. uses strong encryption for documents on mobile devices and in the document repository as follows: During data transfer using secure sockets layer (SSL) protocol and transport layer security (TLS) For storage on mobile devices using Advanced Encryption Standard (AES) During temporary storage in the case of large documents (over 4 MB) The desktop app uses folders, which are under the control of the currently logged-on user, to download documents and store configurations. This protects the folders in the case of a multiuser operation system. The business user remains responsible for documents downloaded over Web UIs and the desktop app on public PCs, for example, an internet café or PCs with shared access. The security of the data stored in the back-end systems depends on the possibilities, for example, virus scanning, of the content management systems used, for example, Knowledge Management, Microsoft SharePoint. It is out of the scope of this document. Related Information Data Storage Security Java-Specific Configuration Virus Scanner Service 7.7 Document Classification and Security Policies enhances data security by assigning document classification levels to the repositories. The administrator can, for example, classify a Corporate Documents repository as strictly confidential. If the administrator then defines the security policies for the various actions available on the mobile device, for example, the Disable Sharing security policy, the user cannot share any document contained in a Corporate Documents repository. For the desktop app, the administrator can currently set only one security policy: Disable Sync for SAP SE or an SAP affiliate company. All rights reserved. Security

105 Corporate Repositories. Depending on the document classification of the repositories, users cannot sync the corporate repositories with their desktop apps. In addition, administrators can hide the corporate repositories so they are not displayed in the Web app, that is in the users' browsers. This setting is also based on classification. In the security settings of the General tab on the administration UI, administrators select the classification level, for example, Confidential - Strictly Confidential. With this setting, the users can no longer see corporate repositories that are classified as confidential or strictly confidential in their browsers. When configuring a corporate repository, administrators can also restrict the access to this corporate repository to users with specific roles. Related Information Document Classification [page 94] Security Policies [page 95] Configuring Corporate Documents Repositories [page 52] Security 2016 SAP SE or an SAP affiliate company. All rights reserved. 105

106 8 Operation The following sections describe the monitoring and troubleshooting tasks required to smoothly run SAP Mobile Documents. Related Information Monitoring with Usage Statistics [page 106] Logging and Tracing [page 107] Monitoring with CA Wily Introscope [page 109] Backup and Restore [page 110] Troubleshooting [page 111] 8.1 Monitoring with Usage Statistics The analyst UI provides an impression of how the users and the user apps use the system. Analysts either use the dashboard to get an overview of the system usage or they export the raw data file in XML format to carry out further evaluations of the data. Prerequisites To enable data collection, a user with the MCM_Administrator role must have activated logging by selecting the Statistics Data checkbox under SETTINGS General Logging. You are assigned the MCM_Analyst role. Procedure 1. On the administration UI at log on as an administrative user for. 2. On the STATISTICS page, choose either General Statistics or Usage Statistics. The General Statistics page displays only the number of registered users, that is, users who are registered and who have logged on at least once. 3. On the Usage Statistics page, choose a time interval and a repository from the respective dropdown lists SAP SE or an SAP affiliate company. All rights reserved. Operation

107 4. To display the usage statistics, choose Show Dashboards. 5. To export the data to a file, choose the file format Export Raw Data (xml), Export Raw Data (json), or Export Raw Data (csv). The download evaluates the entries in the dropdown boxes and exports a file accordingly. Results The XML file contains entries that are created per day, per user agent (usually apps), and per repository. An entry contains the following data: Number of times a app has logged on Number of read or downloaded documents Number of new documents Number of changed documents (this only reflects changes to the content and not formal changes, for example, renaming a document) Size of all documents read Size of all updated or newly created documents The dashboard displays the same data, but the data for newly created and updated documents is shown in a single graph. 8.2 Logging and Tracing uses logs to trace problems. Viewing Logs [page 107] Configuring Logging [page 108] Viewing Logs uses the Log Viewer to diagnose problems. Context You use Log Viewer to view all log and trace messages generated in the whole SAP NetWeaver system landscape. These log records help you to monitor and diagnose problems. Operation 2016 SAP SE or an SAP affiliate company. All rights reserved. 107

108 Procedure In SAP NetWeaver Administrator, start Log Viewer by choosing Troubleshooting Logs and Traces Log Viewer. Alternatively, start it in the browser at Related Information Log Viewer Configuring Logging You use log configuration to configure the severities of log controllers online in the whole system or in certain system instances. Context When a configuration is deployed on SAP NetWeaver Application Server for Java, the logs are managed in logging framework of SAP NetWeaver Application Server for Java. writes log messages and debug traces to the following log controllers: Table 59: Category Category System/Security/MCM Applications/MCM Default Severity INFO INFO Table 60: Location Location com.sap.mcm.km.cmis.server (and subnodes) com.sap.mcm.server.server (and subnodes) Default Location ERROR ERROR To view log and debug entries with a lower severity, change the log configuration in the log configurator. The changes are effective immediately. For more information, see Log Configuration with SAP NetWeaver Administrator SAP SE or an SAP affiliate company. All rights reserved. Operation

109 Procedure To start log configuration, open SAP NetWeaver Administrator and choose Troubleshooting Logs and Traces Log Configuration. Alternatively, start it in the browser at Related Information Log Configuration with SAP NetWeaver Administrator 8.3 Monitoring with CA Wily Introscope You can monitor with Wily Introscope. Wily Introscope provides mechanisms to instrument Java code and analyze performance issues. Prerequisites requires the Wily Introscope Agent version that is compatible with the underlying components. Context There are no -specific Wily agents as has no own-managed resources. You can use the available agents for SAP J2EE - Basis and SAP J2EE - NetWeaver Portal. For information about Wily Introscope, see the Wily Introscope documentation on the Root Cause Analysis page. Procedure 1. Download Wily Introscope from SAP Support Portal; choose Installations and Upgrades Browse your Download Catalog SAP Solution Extensions by Partners SAP Ext. DIAGN. BY CA WILY SAP EXT. DIAGN. BY CA WILY <version>. 2. Analyze the nodes of interest. For, for example, the following nodes are relevant: Backends <Server-Host> SQL Dynamic Query Update SQL SQL operations triggered by can be identified using the relevant table. All tables from start with MCM_. Operation 2016 SAP SE or an SAP affiliate company. All rights reserved. 109

110 Frontends com.sap.mcm.km.cmis.server This is the KM connector. Servlets org.apache.chemistry.opencmis.server.impl.atompub.cmisatompubservlet This servlet is mainly used by the third-party clients and represents the AtomPub connections to SAP Mobile Documents. Servlets org.apache.chemistry.opencmis.server.impl.browser.cmisbrowserbindingservlet This servlet represents the browser binding connections to. It is the access point for the clients. JEE_jsp_admin_index* This is the administration UI component. JEE_jsp_browser_index* This is the Web UI component. Related Information Performance Metrics Monitoring with Introscope by Wily SAP Support Portal Root Cause Analysis 8.4 Backup and Restore You use backup and restore to prevent data-loss in case of hardware crashes or other disasters. Tip We recommend that you execute offline backups once a week and online backups on a daily basis. This includes backing up the database and the file system. For more information about backup and restore of SAP NetWeaver Application Server for Java, see the AS Java Backup and Restore topic relevant for your release. If you configured root directories outside of /usr/sap/<sid> during the creation of the repositories for My Documents and Shared Documents, these directories have to be included in your file system backup. Since these repositories are DBFS repositories, there is a special backup flow that is described in Backing Up and Restoring CM Repositories in DBFS Mode. Related Information AS Java Backup and Restore Backing Up and Restoring CM Repositories in DBFS Mode SAP SE or an SAP affiliate company. All rights reserved. Operation

111 8.5 Troubleshooting Consider the following best practices when troubleshooting errors that occur in. Web App (/mcm/browser) and Administration UI (/mcm/admin) Show Empty Screen Check the following: Are you using a supported browser? For more information, see the official browser support in the Product Availability Matrix (PAM) for NW UI Extensions. Is the user interface add-on 1.0 for SAP NetWeaver (SAPUI5 CLIENT RT AS JAVA) software component installed on your system? To verify, enter in your browser. If the server responds with a 404 Page not found message, the mandatory SAP UI Development Toolkit for HTML5 is not installed on your system. Is the correct SAP UI version installed on your system? The minimum version for 1.0 SP2 is To verify your installed version, enter in your browser and press Ctrl+Alt +Shift+P. A popup with the SAP UI5 version and other information appears. Error Message Appears when Saving Repository Configuration in SAP Mobile Documents Administration When you save a repository, the system tries to connect to the back-end system using the connection data you defined in the corresponding destination to collect the necessary repository information. If the connection fails, the repository configuration cannot be saved. This could happen for the following reasons: Host is not reachable from the server (configuration of DNS, proxy, or firewall is not correct). The SSL handshake cannot be executed because the certificates were not exchanged or because the remote certificate was not imported to the correct keystore, namely the TrustedCAs keystore. The user does not exist or is not authorized to call the back-end repository. Business User Cannot Access My Documents To access, users need the MCM_User role. When users access the application with an app for the first time, the users are created in the MCM database and the users' home folders are created in the repository that is used for My Documents. This step might fail for one of the following reasons: The repository cannot be accessed. Operation 2016 SAP SE or an SAP affiliate company. All rights reserved. 111

112 The home folder for the specific user cannot be created: The service user defined in the destination for the My Documents repository is not authorized to create folders at root level. The home folder for the specific user already exists, but has ACL permissions that prevent the user from accessing it. (The home folder's name is the user's logon ID in the system.) Related Information Configuring the My Documents Repository [page 49] PAM for NW UI Extensions SAP SE or an SAP affiliate company. All rights reserved. Operation

113 9 Performance and Capacity Benchmarks This section provides initial sizing information for in the on-premise scenario. To help you determine the hardware and software configuration for the best performance of your system, some performance and capacity benchmarks have been measured. These measurements are based on the specific scenario and configuration that were defined for the performance tests of. Other scenarios and configurations might yield different results. Precise recommendations for each customer can be determined on a case-by-case basis for each customer s specific requirements. The SAP Sales and support team, your internal IT department, and your hardware vendor can help to define the best configuration for your environment. Test Scenario Each user creates a connection to the server and performs the following sequential operations with a think time of 30 seconds between each test step: 1. Create a folder. 2. Create a document with a file size of 5 MB. 3. Open the document. 4. Move the document. 5. Delete the folder including its dependent objects. Configuration The following configuration of components was used during the test of this on-premise scenario: Server Hardware CPU: Intel Xeon CPU E7-4830, 4 x 2.13 GHz Memory: 32 GB Software Microsoft Windows Server 2008 R2 64 bit SAP NetWeaver Application Server for Java 7.30 SP09, Usage Type: EP ICM Parameters Used icm/max_conn = icm/max_sockets = wdisp/http/max_pooled_con = wdisp/https/max_pooled_con = icm/req_queue_len = 8000 icm/min_threads = 100 Performance and Capacity Benchmarks 2016 SAP SE or an SAP affiliate company. All rights reserved. 113

114 icm/max_threads = 300 mpi/total_size_mb = 700 mpi/buffer_size = Results We assume two classes of users: Concurrent users: Execute test steps with a think time of 30 seconds between steps. Active users: Do not execute actions and only have the desktop client running. We define the maximum server load as when CPU utilization reaches 60%. Table 61: Test Results Concurrent Users (25 % of Active Users) Active Users Think Time CPU % SAP SE or an SAP affiliate company. All rights reserved. Performance and Capacity Benchmarks

115 10 Developer's Guides You can develop your own clients or servers for using the respective developer's guide. Developing Clients [page 115] Connecting Your ABAP Back End as a Content Source [page 144] Related Information CMIS Extension for Search [page 158] 10.1 Developing Clients To develop your own clients, you need to be familiar with the architecture of, the CMIS open standard, and its extensions. You can develop your own clients that connect to the server or you can integrate SAP Mobile Documents functionality into existing platforms. Related Information Architecture [page 115] CMIS Open Standard [page 116] CMIS Enhancements for [page 119] REST API [page 134] URLs for App-to-App Integration of [page 136] Architecture The main components of the solution are the clients, the server, and the document repositories. To ensure interoperability and extensibility, the OASIS standard CMIS (Content Management Interoperability Services) is used for all document-related communication between the clients and the server as well as between the server and the repositories. In the current version of the solution (1.0 SP2), we deliver clients for the desktop (Windows and OS-X), for mobile devices (iphone, ipad, and Android phones), and a JavaScript-based Web UI. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 115

116 All clients connect to and communicate with a single server, the server, using the CMIS protocol. The server is offered as an on-premise installation (SAP NetWeaver Application Server for Java). On the server, you can configure settings, users, and connectivity configurations for integrating CMIS-compliant document management systems. As well as connecting additional (corporate) repositories to the server, offers dedicated repositories to the clients: The My Documents repository The repository where every user can store their personal files and then synchronize the repository content with all connected clients. Every user has a folder that is marked as their "home" folder. All folders and files in this home folder are only visible and accessible to the user. The Shared Documents repository The repository where users can share files with each other as well as with external users. If Shared Documents is enabled on the server, every user can create shares, invite members to collaborate, and manage the access rights of these members. To share files with external parties, users must create public links to shares with security settings such as expiration date or password. A public link is accessible through a dedicated non-guessable URL, which you can additionally protect with a password. If you enable the write option for a share, anonymous users can also upload or delete documents in this share CMIS Open Standard CMIS (Content Management Interoperability Services) is an open standard that defines a common interface for various operations offered by content management systems. CMIS defines a domain model and operations for different binding types. CMIS is language-independent, which gives it a significant advantage over other specifications, and many vendors offer (or are going to offer) CMIS interfaces to their systems. In addition, CMIS client libraries already exist in different programming languages. Many of them are available as Open Source implementations under the SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

117 umbrella project Apache Chemistry. SAP uses the Chemistry components for both app and server implementations. Prerequisites for Developers To develop an app or to integrate functions, developers need to familiarize themselves with CMIS and Apache Chemistry. If you are a Java developer, OpenCMIS is the tool of choice. Many of the examples in this guide are based on using OpenCMIS to connect to the server. Related Information Apache Chemistry OpenCMIS Client API Developer's Guide CMIS 1.1 Specification on OASIS Web page Object Model uses document and folder objects. CMIS 1.1 defines the following primary base types: Document objects Folder objects Relationship objects Policy objects Item objects Currently, supports only document and folder objects. A document object is an item of content. The document can have a content stream, which is the actual file associated with the document. A content stream exists only as part of its containing document object. A content stream has a mime type associated with it. A document object may contain one or more renditions, which are alternative views of the content. Document objects are the only objects that are versionable. Each version of a document has its own object ID. All the versions of a document make up a version series and share a version series ID. You can create, read, update, and delete documents using OpenCMIS methods. A folder object is a container used to organize the document objects. A repository has one root folder. All other folder objects have one parent folder. A folder has a folder path representing its place in the repository's folder hierarchy. A folder object can have renditions. For example, a folder can have a thumbnail as a rendition representing the contents of the folder. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 117

118 Bindings supports two of the three binding types defined in CMIS 1.1: the AtomPub and the JSONbased browser binding. This means that you can connect apps with both bindings. It also means that you can connect repositories to the server that offer one of the two binding types. If you are developing a new app or an extension, opt for the new browser binding if it is technically feasible, since it has better performance. For more information about the bindings, see the CMIS 1.1 specifications for AtomPub Binding and Browser Binding. The following service URLs are available for these bindings: <protocol>://<server>:<port>/mcm/json <protocol>://<server>:<port>/mcm/atom The "/b" after the context root "/mcm" means that the server requests BASIC authentication. Related Information AtomPubBinding on OASIS Web page Browser Binding on OASIS Web page Repository Information apps can use the repository information to connect to a repository. For each repository, the server provides repository information (RepositoryInfo) that describes a repository's general information and its capabilities. When a app calls a binding service URL without parameters, it gets a list of RepositoryInfo objects, one for every repository that is connected to. Apps can then use the repository ID and the provided navigation information to connect to one of the repositories. For more information, see the OASIS Web page for getrepositoryinfo. If you send a GET request to the service URL for AtomPub (/mcm/atom), you get the service document XML, which contains service definitions and a list of repositories. If you send a GET request to the service URL of the browser binding (/mcm/json), the server responds with a JSON representation of a list of RepositoryInfo objects. Example Getting the list of RepositoryInfo objects with OpenCMIS SessionFactory sessionfactory = SessionFactoryImpl.newInstance(); Map parameter = new HashMap(); parameter.put(sessionparameter.user, "admin"); parameter.put(sessionparameter.password, "admin"); parameter.put(sessionparameter.browser_url, server+"/mcm/json/"); parameter.put(sessionparameter.binding_type, BindingType.BROWSER.value()); SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

119 List<Repository> repositories = sessionfactory.getrepositories(parameters); For examples of basic operations such as reading, creating, updating, and deleting objects and folder navigation with OpenCMIS, see the OpenCMIS Client API Developer's Guide. Related Information getrepositoryinfo on OASIS Web page OpenCMIS Client API Developer's Guide CMIS Enhancements for comes with CMIS enhancements to enable secure and smooth document management. The following enhancements are available and are described in the following topics: Token-based protection mechanism against cross-site request forgery attacks My Documents repository Public Documents repository Exceptions Opening a Session The following CMIS enhancement is used to connect to the server. To open a session with exactly one repository in an OpenCMIS client, specify a set of session parameters. Then, connect to the server. Example SessionFactory sessionfactory = SessionFactoryImpl.newInstance(); Map parameter = new HashMap(); parameter.put(sessionparameter.user, "admin"); parameter.put(sessionparameter.password, "admin"); parameter.put(sessionparameter.browser_url, server+ "/mcm/b/json/"); parameter.put(sessionparameter.binding_type, BindingType.BROWSER.value()); parameter.put(sessionparameter.repository_id, mydocumentsid); parameters.put(sessionparameter.cookies, "true"); Session session = sessionfactory.createsession(parameter); For examples of basic operations such as reading, creating, updating, and deleting objects, and folder navigation with OpenCMIS, see the OpenCMIS Client API Developer's Guide. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 119

120 Custom Authentication Provider Let's take a closer look at the AUTHENTICATION_PROVIDER_CLASS session parameter as specified in the example above. This parameter tells the session to use your custom authentication provider instead of the default one. In, using a custom authentication provider is mandatory for the following reasons: To use, the app must set cookies in the HTTP header. As the OpenCMIS Java client hides specifics to bindings and HTTP calls, you cannot set an HTTP request header directly, but you can use additional headers, which the OpenCMIS Java client provides for the HTTP calls it executes. Specify a Java class (in the example below it is called CustomAuthenticationProvider) that implements the org.apache.chemistry.opencmis.commons.spi.authenticationprovider interface and overrides the gethttpheaders(string url) method. During an HTTP call to the server, gethttpheaders() is invoked and arbitrary headers can be added to the HTTP request. public class CustomAuthenticationProvider extends StandardAuthenticationProvider public Map<String, List<String>> gethttpheaders(string url) { } } Related Information OpenCMIS Client API Developer's Guide Using the CSRF Token The server offers a token-based mechanism to protect against cross-site request forgery attacks. Note The CSRF protection was simplified with SP02. The differences are as follows: The token is no longer repository-specific. It is valid for a session and for any repository that is connected within that session. The token can be fetched with HTTP headers. It is no longer necessary to parse RepositoryInfo. The HTTP header name was changed to harmonize it with other SAP product names. With the exception of the call to the service URLs, all calls to the server require a valid CSRF token. For the call to the service URLs, the token is provided as an HTTP header (as of version 1.0 SP02). All other requests require the apps to send the token value via the CSRF-token HTTP header. If the app does not supply a token or if the token has expired, the server sends the HTTP response 403: INVALID_TOKEN_PROVIDED SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

121 Process Flow 1. When the app creates a session and connects to the server, it first calls getrepositoryinfos. To fetch a CRSF token, the app must send a request header called X-CSRF-Token with the value fetch in this call. 2. The server generates a token, stores it in the user's session table, and sends the value in the X-CSRF-Token HTTP response header. 3. The app reads the value of the X-CSRF-Token HTTP response header and stores it for later use. 4. For each call in this CMIS session, the app sends the token value it obtained from the X-CSRF-Token HTTP header. Example Extracting the token with HTTP and browser binding 1) Get Repository Info and request a token Request: GET /mcm/json Request Header: X-CSRF-Token=fetch Response: 200 OK Response Header: X-CSRF-Token=79E85CA37351BBADF02661F64FC21D3C 2) Get the home folder Request: GET /mcm/json/4caf284f-81f4-4b2a-a77a-3fe c2/root? cmisselector=object&objectid=qn913l3f5e7breuvipj3ub3kkx2yyepxvivcqticico Request Header: X-CSRF-Token=79E85CA37351BBADF02661F64FC21D3C Response: 200 OK Example Token handling in Authentication Provider public class CustomAuthenticationProvider extends StandardAuthenticationProvider { private String token = public Map<String, List<String>> gethttpheaders(string url) { Map<String, List<String>> httpheaders = super.gethttpheaders(url); if(httpheaders==null) { httpheaders = new HashMap<String, List<String>>(); } httpheaders.put("x-csrf-token", Collections.singletonList(token)); return httpheaders; public void putresponseheaders(string url, int statuscode, Map<String, List<String>> headers) { super.putresponseheaders(url, statuscode, headers); if(headers!=null) { for(string headername:headers.keyset()) { // loop for a ignore case check - > header names are case-insensitive (RFC 2616) if(headername!=null && headername.equalsignorecase("x-csrf-token") &&! headers.get(headername).isempty()) { this.token = headers.get(headername).get(0); } } } } } Because OpenCMIS executes a call to get the RepositoryInfos when a session is created, this AuthenticationProvider adds the X-CSRF-Token=fetch HTTP request header. Then the server sends the Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 121

122 response to the AuthenticationProvider. The AuthenticationProvider stores the value returned by the server for further requests. Browser Binding Example In JavaScript-based applications, you first read the repository info by sending a GET request to /mcm/json. Every other repository contains a token for the communication with this /mcm/json repository. In the following example, jquery is used to read the token and set it for all subsequent AJAX requests. // read repositoryinfos extract token and set it to following requests jquery.ajax("/mcm/json",{ type: "GET", contenttype: 'application/json', datatype: 'json', beforesend: function(xhr){ xhr.setrequestheader('x-csrf-token', 'fetch'); }, complete : function(response) { jquery.ajaxsetup({ beforesend: function(xhr) { xhr.setrequestheader("x-csrf-token",response.getresponseheader('x-csrf- Token')); } }); } }); Static Cookie Manager Because the repository ID is a parameter when creating a session with an OpenCMIS client, a app would open a session on the server for each repository. To avoid multiple server sessions for the same app, we highly recommend using the same server session for multiple CMIS sessions by re-using the cookies that are used for the state management between the apps and the server. To do this, use a static CookieManager instead of one cookie per instance. If a app application opens several sessions for the same user, it must use the same authentication provider with the static CookieManager. Additionally, it has to override the putresponseheaders() and gethandlecookies() methods as described in the following example. Overriding the gethandlecookies() method has the effect that the COOKIES session parameter is ignored. Example public class CustomAuthenticationProvider extends StandardAuthenticationProvider { // The use of a singleton cookie manager ensures that all created cmis sessions // use the same session cookies and therefore avoids multiple server session for each app private static final CmisCookieManager cookiemanager = new public Map<String, List<String>> gethttpheaders(string url) { Map<String, List<String>> httpheaders = super.gethttpheaders(url); if (httpheaders == null) { SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

123 httpheaders = new HashMap<String, List<String>>(); } Map<String, List<String>> cookies = cookiemanager.get(url, httpheaders); if (!cookies.isempty()) { httpheaders.putall(cookies); } return httpheaders; public void putresponseheaders(string url, int statuscode, Map<String, List<String>> headers) { super.putresponseheaders(url, statuscode, headers); cookiemanager.put(url, headers); protected boolean gethandlecookies() { // deactivate standard opencmis session handling // cmis session parameter "COOKIES" will be ignored return false; } } My Documents Every user has their own home folder in the My Documents repository. To enable clients to easily get the home folder, the repository used to store the My Documents repository contains a CMIS extension called mydocuments (namespace: name: mydocuments). The value of this extension contains the ID of the home folder of the currently logged-on user. A repository with this extension is easily identifiable as the My Documents repository. Example Getting the My Documents repository Repository mydocumentsrepository = getrepository(repositories, "mydocuments"); // use the repositories list of chapter Repository Information public static Repository getrepository(list<repository> repositories, String extension) { for (Repository rep : repositories) { if(getextensionvalue(rep.getextensions(), extension)!=null) { return rep; } } return null; } Example Getting the user's home folder String homefolderid = null; List<CmisExtensionElement> extensions = mydocumentsrepositoryinfo.getextensions(); if (extensions!= null) { for (CmisExtensionElement extension : extensions) { if ("mydocuments".equals(extension.getname())) { Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 123

124 homefolderid = extension.getvalue(); } } } if (homefolderid!= null) { // Obtain a session see chapter Working with the CSRF token Session session = sessionfactory.createsession(parameter); Folder userhomefolder = (Folder) session.getobject(homefolderid); } Example Getting the user's home folder with browser binding and jquery // read repositoryinfos jquery.getjson("/mcm/json").done(function(data){ for(id in data) { // loop repositories and find mydocuments if(data[id].mydocuments) { $.ajaxsetup({ // set token for following calls beforesend: function(xhr) { xhr.setrequestheader("x-token",data["4caf284f-81f4-4b2aa77a-3fe c2"].token); } }); // read the home folder and alert its displayname var homefolderid = data[id].mydocuments; jquery.getjson("/mcm/json/4caf284f-81f4-4b2a-a77a-3fe c2/root? cmisselector=object&objectid="+homefolderid).done(function(data) { alert(data.properties["cmis:name"].value); }); } } }); Creating and Integrating a Custom View with an Existing Plug-In allows you to create a custom view and integrate it with an existing plug-in, and also allows you to return back to the plug-in after having displayed the custom view. To implement a custom view, for example, in My Document plug-ins, follow the procedures below: Adding a Custom View 1. Under resources\com\sap\mcm\browser\views, create a new folder with the name of the custom view. For example, search. 2. The newly created location (resources\com\sap\mcm\browser\views\search) is the location for creating your custom view and controller. For example, search.controller.js and search.view.js SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

125 Integrating a Custom View into a Plug-In Once you have created your custom view, you can integrate it into any of the provided plug-ins (My Documents, Corporate, Shared) based on the triggering of an event. Here is an example of how the search results view is integrated into the My Documents plug-in. 1. In order to be able to display the custom view from the plug-in, based on the triggering of some event, there should be a mapping of the type {pluginid, event,view}. This mapping defines that for the plug-in with the ID pluginid, the view view will be displayed when the event event is triggered. As a result the search results view should be displayed when mcm.util.constants.events.searchtriggered.event is triggered. 2. To create this mapping, use the addpluginviewitem (pluginid, id, event, getviewtoopen, onviewopen, viewcontext) function defined in mcm.plugin.api, where: Table 62: addpluginviewitem pluginid id event getviewtoopen onviewopen viewcontext The ID of the plug-in in which the custom view is integrated. Uniquely identifies the custom view. The event that will trigger the display of the custom view. The function that returns the custom view. The optional function executed as soon as the initial view provided with function getviewtoopen() is to be displayed. The optional parameter storing additional information that should be passed to the custom view from the plug-in, for example, callback functions, etc. Note The mapping {pluginid, event,view} is unique, which means that for each plug-in, there cannot be two different views that are mapped to the same event. Example 1. In mydocumentsplugin.js, define the mapping between plug-in, event, and view that is done in onframeworkloaded: plugininterface.addpluginviewitem(constants.plugin_id, constants.search_id, mcm.util.constants.events.searchtriggered.event,getsearchview, jquery.noop, { /* * Reference to allownotification of plugin inherited custom actions when table selection is changedin the plugin view */ notifycustomactionscallback: mydocuments.services.mydocumentsservice.notifycallbacks }); functiongetsearchview() { if(!searchview) { searchview = newsap.ui.core.mvc.jsview({viewname: mcm.util.apputil.createmcmnamespace('searchview')}); } returnsearchview;} In the My Documents plug-in, the viewcontext optional parameter holds the reference to the mydocuments.services.mydocumentsservice.notifycallbacks function. This way, when a selection in the search view is changed, the search view will be aware which function it should call in order to check whether the SHARE action should be displayed or not. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 125

126 2. In search.controller.js define the onviewopened function as follows: functiononviewopened(oeventdata) { } This function is the entry point to your custom view controller. In this function, you could place all the initializations needed in order to display your custom view. Returning to the Initial Plug-in from the Custom View To return from your custom view back to the initial plug-in, trigger the navigationfromview event from your custom view controller: events = mcm.util.constants.events;sap.ui.getcore().geteventbus().publish(events.navigationfr omview.publisher, events.navigationfromview.event, callbackdata); In the callbackdata parameter you can store all the information that the plug-in needs in order to initialize its content. Example To return from the search results view to the My Documents plug-in: 1. In mydocumentsplugin.js, register the function that will be called once you return from the custom view: plugininterface.addpluginviewcallback(constants.plugin_id, pluginviewcallback);functionpluginviewcallback(pluginviewdata) { if(pluginviewdata.params.obj) { pluginstartedwithhistory = true; getmydocumentsview(); mydocumentsview.getcontroller().inittablefromhistory(pluginviewdata); }} The call to addpluginviewcallback is made in onframeworkloaded. 2. In your custom view, trigger the navigationfromview event defined in mcm.util.constants.events: events = mcm.util.constants.events;sap.ui.getcore().geteventbus().publish(events.navigat ionfromview.publisher, events.navigationfromview.event, callbackdata); callbackdata will be passed on as a parameter to pluginviewcallback, previously defined in mydocumentsplugin.js SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

127 Shared Documents provides a repository called Shared Documents for collaborating on documents with other users. The following table clarifies the terms used to implement Shared Documents. Table 63: Terms Relevant for Shared Documents Term share owner public link member Definition The root folder that is used for collaboration with other users. It can contain folders and files. Users can create any number of shares (until their quota is used up). The user who creates the share automatically becomes its owner. The share's size is billed to the owner's quota. A link that can be applied to a share, to folders, or to files residing in the share. The link makes the share, the folder, or the file available to anonymous users. Any user that has one of the defined roles for the share and can access it. For each share, the following roles are available. The table below maps these roles to the respective CMIS permissions. Table 64: Share Roles Role Description CMIS Permission owner Permission to create a share. cmis:all administrator contributor Permission to delete a share, to manage user rights, and to allow public links. Permission to create, to update, and to delete files and folders. This permission also enables the user to create and to delete public links. cmis:all sap:delete reader Permission to read documents. cmis:read Similar to the My Documents repository, every user has their own personal sharing home folder. Beneath this home folder are the shares of the user. The ID of the sharing home folder is specified in the RepositoryInfo with the sharing extension. If public links are enabled, there are some general settings with which every public link must comply. These general settings are transported as CMIS extensions in the RepositoryInfo of the sharing repository. In addition to the general settings, every public link has its own set of properties, where a user can define validity and security for this public link. In any case, a user is only allowed to define values that are stricter than the general ones defined by an administrator. If, for example, an administrator defines a minimum password length of four characters, the user can only choose to use a password with more characters. The user cannot choose to use less than four characters or even no password at all. Table 65: CMIS Extensions (on RepositoryInfo Level, Valid for All Public Links) Name Description Type sharing sharing.uploadallo wed Similar to the mydocuments extension, this extension contains the ID of the user's Shared Documents home folder. Indicates whether the administrator allows uploads by anonymous users or not. String Boolean Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 127

128 Name Description Type sharing.baseurl sharing.maxepirati ondays sharing.minpasswor dlength Contains the base URL of the public sharing Web link. The app can use this information to create a public link by appending the object ID of the public link to this base URL. The administrator can define the maximum period in days for which anonymous users can access a shared folder. This extension contains the number of days. When a public link is created, the expiration date must not be later than the current date plus the number of days specified. If the value is 0, no expiration date is predefined. For values greater than 0, the user must set a password for the public links of this share. This password must be longer than or of the same length as the value of this extension. String int int Table 66: CMIS Extensions (on Folder Level, Valid for All Shares) Name Description Type owner.isoutofspace Indicates whether the share owner has enough quota left to upload files to the share. True: No content upload allowed. False: Content upload allowed, as far as the quota is concerned. Boolean App Operations for Sharing You can use app operations for shared documents in. Getting All Shares of a User To list all shares that a user can access (with any of the roles specified for share access), the app sends a query to the server. Since shares have the specific mcm:share CMIS type the query is simply: select * from mcm:share. The result is a list of all shares where the calling user has an entry in the share's access control list (ACL). Creating a Share Shares must be created under a user's sharing home folder. They have the specific mcm:share type with the cmis:folder base type SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

129 Managing Share Members Members are entries in a share's access control list (ACL). An ACL is a list of ACEs (access control entries) that consist of a principal ID and a list of permissions. The permissions are listed in the roles table in Shared Documents. For on-premise installations, the principal ID is a user's unique ID, for SAP HANA Cloud Platform it is the user's logon ID. You can pass the ACL as an input parameter while creating a share or modify the ACL by calling the applyacl CMIS service on an existing share. When adding a new member to a share, the share administrator wants to use known user attributes, for example, the name or the address, but not the user ID. To help apps to search for users and to assemble an ACL with the correct IDs, offers a REST API (see REST API). In the members overview for a share, apps should display user names rather than IDs. To prevent extra server roundtrips or extra non-cmis APIs, OpenCMIS offers the possibility to add generic extensions to various objects. When a app reads the members of a share, technically this is a getobject operation (with ACLs included) on the folder representing the share. The ACL is a list of ACEs and each ACE contains a principal object. OpenCMIS only defines an ID for a principal; additional attributes can be added as extensions. The server extends the principal object with an extension called principal that has the following children as extensions: _firstname lastname displayname logonid id Example Example response of an ACL with a single contributor. { } "acl": { "aces": [ { "principal": { "principalid": "USER.PRIVATE_DATASOURCE.un:testuser", "principal": { "firstname": "Manfred", "lastname": "Mustermann", " ": "[email protected]", "logonid": "testuser", "id": "USER.PRIVATE_DATASOURCE.un:testuser", "displayname": "Manfred Mustermann" } }, "permissions": [ "sap:delete" ], "isdirect": true } ] }, "exactacl": true Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 129

130 Managing Public Links To make a share accessible to external users using a public link, it must be given a CMIS secondary type called mcm:publiclink. CMIS defines the standard multi-value cmis:secondaryobjecttypeids property that can contain 0..n secondary type IDs. To make a share public, the mcm:publiclink ID must be added to the cmis:secondaryobjecttypeids. Secondary types contain a set of properties that can be attached or detached from an object. Public links have properties, for example, a password or an expiration date. These are the properties: Table 67: Name Description ID Namespace Type Valid to Date Defines the date after which the shared documents in this folder are no longer accessible for anonymous users. The creator of the share can still access it. mcm:validto Date com.sap.mcm DATE TIME Share Password Can be used to protect the access to the shared file with a password. Administrators can enforce the setting of a password. mcm:share Password com.sap.mcm String Note Because the server never exposes the hashed password to the apps, the server returns "null" as a value if no password has been set for an existing folder. If a password has been set the value is an empty string. Controls whether anonymous users have write access to shared documents. If set to Yes, anonymous users are allowed to create, update, or delete documents within the share. Public write access mcm:enableupload com.sap.mcm Boolean Table 68: Name Description ID Namespace Type Valid to Date If users enter the wrong password, they are not allowed to access the share until the time set in the value of this property. The administrators can configure a default for this setting. mcm:validfrom Date com.sap.mcm DATE TIME Share Owner Indicates the owner of the share. If quota is enabled, everything within this share is counted in the owner's quota. mcm:shareowner com.sap.mcm String Example Code Samples: OpenCMIS // Getting the sharing home folder String sharinghomefolderid = null; for (CmisExtensionElement extension : sharingrepositoryinfo.getextensions()) { if ("sharing".equals(extension.getname())) { sharinghomefolderid = extension.getvalue(); } } Folder sharinghomefolder = session.getobject(sharinghomefolderid); // Getting all shares for a user ItemIterable<QueryResult> result = session.query("select * from mcm:share",true); for(queryresult result:results) { String sharename = result.getpropertyvaluebyid("cmis:name"); SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

131 } // Create share "Share 1" with administrator "User01" Map<String, Object> properties = new HashMap<String, Object>(); properties.put("cmis:name", "Share 1"); properties.put("cmis:description", "A description"); properties.put("cmis:objecttypeid", "mcm:share"); List<Ace> aces = new ArrayList<Ace>(); aces.add(session.getobjectfactory().createace("user01", Collections.singletonList("cmis:all"))); ObjectId shareid = session.createfolder(properties, sharinghomefolder, null, aces, null); // adding contributor "User02" List<Ace> addaces = new ArrayList<Ace>(); addaces.add(session.getobjectfactory().createace("user02", Collections.singletonList("sap:delete"))); session.applyacl(shareid, addaces, null, AclPropagation.PROPAGATE); // Creating a public link Folder share = session.getobject(shareid); properties = new HashMap<String, Object>(); properties.put("cmis:secondaryobjecttypeids", Collections.singletonList("mcm:publicLink")); properties.put("mcm:sharepassword", "secret"); properties.put("mcm:enableupload",true); GregorianCalendar cal = new GregorianCalendar(); cal.settime(new Date()); cal.add(calendar.day_of_month, 7); // one week properties.put("mcm:validtodate", cal); share.updateproperties(properties); Example Code Samples: JavaScript / jquery // Getting all shares for a user var repositoryid = sharingrepositoryinfo.id; var queryurl = "/mcm/json/"+repositoryid+ "?cmisselector=query&q=select+*+from +mcm%3ashare&maxitems=1000&skipcount=0"; jquery.getjson(queryurl).done(function(data){ for( var i=0;i<data.results.length;i++) { // loop results var sharename = data.results[i].properties[ "cmis:name"].value; // do something } }); // Create share "Share 1" var sharinghomefolderid = sharingrepositoryinfo.sharing; jquery.ajax( "/mcm/json/"+repositoryid+ "/root", { type : 'POST', async : false, data : { objectid : sharinghomefolderid, cmisaction : "createfolder", "propertyid[0]" : "cmis:name", "propertyvalue[0]" : "Share 1", "propertyid[1]" : "cmis:objecttypeid", "propertyvalue[1]" : "mcm:share", "propertyid[2]" "propertyvalue[2]" : "A description" : "cmis:description", } }).done(function(data){ shareid = data.properties[ "cmis:objectid"].value; }); // adding contributor "User02"jQuery.ajax( "/mcm/json/"+repositoryid+ "/ root", { type : 'POST', Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 131

132 async : false, data : { objectid : shareid, cmisaction : "applyacl", ACLPropagation : "propagate", "addaceprincipal[0]" : "User02", "addacepermission[0][0]" : "sap:delete" } }); // Creating a public link var currenttime = new Date(); var expirationdate = currenttime.setdate(currenttime.getdate()+7); jquery.ajax( "/mcm/json/"+repositoryid+ "/root", { type : 'POST', async : false, data : { objectid : shareid, cmisaction : "update", "propertyid[0]" : "cmis:secondaryobjecttypeids", "propertyvalue[0]" : "mcm:publiclink", "propertyid[1]" : "mcm:sharepassword", "propertyvalue[1]" : "secret", "propertyid[2]" : "mcm:enableupload", "propertyvalue[2]" : "true ", "propertyid[3]" : "mcm:validtodate", "propertyvalue[3]" : expirationdate } }); Determine Whether Upload to a Share Possible (Quota Handling) Apps can only determine the quota and the used disc space of their own logged-on user. However, in the context of sharing, apps typically also upload files to shares of other users. In this situation, the user who wants to upload files is not the share owner. It is not possible to get the quota information of another user, but it is possible to determine if the share owner has enough quota left to upload more files. apps can and should use this information to inform the user that no more uploads are allowed and to avoid triggering uploads to this share. For all shares that are folders of type mcm:share the server provides a CMIS extension named owner.isoutofspace Corporate Repositories Corporate repositories can have a configured root URI that clients use as a start folder in a repository. For more information on the root URI, see Configuring Corporate Documents Repositories. To set the root URI, you configure a path, for example, /folder1/folder2; clients should initially display the folder structure beneath this path instead of displaying the contents of the root folder. If you configure a root URI, it is transported to the clients similarly to the user's home folder of My Documents as an extension containing the ID of the configured path. The extension's name is corporate, so you can apply the same example code as in the My Documents example. You only need to replace the extension name mydocuments with the extension name corporate SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

133 Related Information Configuring Corporate Documents Repositories [page 52] My Documents [page 123] Exceptions To notify users that they have made incorrect user entries, uses specific messages in exception texts. In general, adheres to the exception behavior described in the CMIS specification. If the exception is used to express incorrect user entries, uses specific messages in the exception text. Table 69: Specific Messages in Exception Text Exception Name Message Description CmisPermissionDeni edexception CmisInvalidArgumen texception CmisInvalidArgumen texception CmisInvalidArgumen texception CmisInvalidArgumen texception CmisInvalidArgumen texception CmisInvalidArgumen texception CmisConstraintExce ption CmisConstraintExce ption INVALID_TOKEN_PR OVIDED PASSWORD_NOT_SET PASSWORD_TOO_SHO RT PASSWORD_INVALID PASSWORD_REQUIRE D SHARE_LOCKED<unl ock_date_in_ms> EXPIRATION_DATE_ IN_PAST QUOTA_EXCEEDED Virus VIRUS virus The app must provide a token in every operation except getrepositoryinfos. If no token or the wrong token is provided, this exception is thrown. Thrown when creating a public link without a password if the administrative settings require a password. Thrown when creating a public link if the provided password does not meet the requirements specified in the administrative settings. Thrown when a password-protected public link is anonymously accessed with a wrong password. Thrown when a password-protected public link is anonymously accessed without a password. Thrown when a password-protected public link is currently locked because it was accessed with a wrong password. The exception key is followed by the date when the public link is accessible again (in milliseconds from 1970/1/1). Thrown when creating a share. The expiration date for the share is a link with a validtodate in the past. The quota for the currently logged-on user is used up. No write operations are allowed until the user frees up some space. When uploading a document, the repository can reject the document if a virus is detected. If the app tries again to upload this document to the server, the same exception is thrown. Therefore, the app should not retry uploading the document. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 133

134 REST API In some cases the apps need server calls that cannot be mapped to CMIS services. For these calls, the SAP Mobile Documents server offers a proprietary REST API that apps can use. User Validation With this API, apps can validate the existence of principals using attributes. A principal is a user management object, for example, a user, a group, or a role. The response contains JSON representations of the found principal objects as well as a list of terms for which no principals can be found. In, this API is used in the context of the Shared Documents repository when adding members to a share. Wildcards are not supported, because this API is meant for validating, not for searching. Note For on-premise installations of SAP NetWeaver, principal search uses the user management engine (UME) and supports the logon ID and the attributes. Table 70: Title URL Method URL Params Validate Users /mcm/rest/v1/users/validate GET term=[url Encoded] 1...n term parameters are possible. Note that a URL including parameters must not exceed 2000 characters. Example to validate 3 users at a time:.../mcm/rest/v1/users/validate? term=d123456&term=c654321&term=i SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

135 Title Validate Users Success Response Code: 200 Content sample for single entry response: { } "foundprincipals": { "displayname": "Horst Sapbox", " ": "[email protected]", "firstname": "Horst", "id": "admin", "lastname": "Sapbox", "type": "USER" }, "nothingfoundfor": "d736367" Content sample for multiple entry response: { } "foundprincipals": [ { "displayname": "Horst Sapbox", " ": "[email protected]", "firstname": "Horst", "id": "admin", "lastname": "Sapbox", "type": "USER" }, { "displayname": "Heinz Ketchup", " ": "[email protected]", "firstname": "Heinz", "id": "user1", "lastname": "Ketchup", "type": "USER" } ], "nothingfoundfor": [ "d736367", "admin1" ] Error Response Code 400 for bad requests, for example, parameters contain invalid characters. Code 403 for unauthorized requests, for example, user has no permission to call this URL. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 135

136 Title Sample Call Validate Users Validate users within a JavaScript-based app using jquery var resturlstart = "/mcm/rest/v1/users/validate?"; var resturl = resturlstart + 'term=d012345&term=i012345'; $.ajax(encodeuri(url), { type: 'GET', async: false }). done(function (data) { // Handle successful call // data = JSON response from server as described above }). fail(function (cause) { // Handle Server Exception }); URLs for App-to-App Integration of SAP Mobile Documents You can build URLs that perform actions in the app and that can be used for app-to-app integration or as links in s. These URLs are either custom URLs (mobiledocs://) or HTTP URLs. Not all apps support both types. In addition, there is a distinction between URLs for links for share members and URLs for public links, which can be accessed by anyone who receives the link (and the password, if any). App Support Table 71: URL Types URL Type Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App Custom URL x x x HTTP URL x x SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

137 Table 72: Available Actions Action Comment Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App select The folder containing the object identified with the parameter obj is Supported as of Web app SP3 (1.3.x). Supported as of ios SP2 (1.2.x). Supported as of Android SP3 (1.3.x). Supported as of Windows desktop app SP4 (1.4.x). opened and the object itself is selected in the documents list. mobiled ocs://: //v1/ select? rep= &obj= https: // myhost: 8080/mc m/ browser /v1/ select? rep= &obj= Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 137

138 Action Comment Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App open If the pa Supported as Supported as Supported as Supported as rameter of Web app of ios SP2 of Android of Windows obj is SP3 (1.3.x). (1.2.x). SP3 (1.3.x). desktop app the ID of SP4 (1.4.x). a folder, the folder is opened and its content is displayed. If the parameter obj is the ID of a file, the folder is opened and the file is downloaded. mobiled ocs://: //v1/ open? rep= &obj= https: // myhost: 8080/mc m/ browser /v1/ open? rep= &obj= SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

139 Action Comment Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App present Only for PDF files. Opens a PDF file in presentation mode. Supported as of ios SP2 (1.2.x). mobiled ocs://: //v1/ present? rep= &obj= configure Server configuration URL, together with the server.url =http(s): // <host>(:<p ort>) parameter Supported as of ios SP4 (1.4.x). mobiled ocs://: //v1/ configu re? server. url=htt ps:// myhost: 8080 Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 139

140 Action Comment Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App create Link to create share page: Only in combination with rep=share Supported as of Web app SP5 (1.5.x). https: // myhost: 8080/mc m/ browser /v1/ create? rep=sha re Available URL Parameters rep [page 186] has the following values: <repository ID> mydocuments share corporate obj [page 186] has the following values: <object ID> path [page 186] has the following case-sensitive values: </folder1/folder2> <server.url> has the following values: http(s)://<host>(:<port>) page [page 186], ios-only chapter [page 186], ios-only Note You cannot use the obj and the path parameters in the same URL. Custom URL Syntax The custom URL syntax is: mobiledocs://://<version>/<action>?parameters SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

141 Example mobiledocs://://v1/open?obj=1234&rep=abcdef This URL opens the document with the CMIS object ID 1234 from the repository with ID abcdef, using version v1 of the URL scheme and the open action. The syntax contains the following elements: version string, required Denotes the scheme version of ; the current version is v1. action string, required: Is an action that the app performs on the provided parameters. Available actions are listed in the table above. The syntax contains the following URL parameters: rep string (URL-encoded), required repository ID. mydocuments, share, and corporate are reserved keywords. mydocuments and share can be used instead of the corresponding repository ID. If no path or object ID is provided or found, the repository root is selected. rep=corporate can be used to address the list of all corporate repositories. For rep=corporate, the parameters obj and path are ignored. obj string (URL-encoded), optional CMIS object ID of a file or folder. If provided, the path is ignored. path string (URL-encoded), optional The absolute path inside the specified repository. The start URI is not considered here. The path is URL encoded before it is passed to. If the repository is share, the path parameter is not considered, as a link to a document or folder within a share would have the logon ID as part of the URL. Supported as of ios SP3 (1.3.x), Android SP3 (1.3.x), Web app SP3 (1.3.x), and Windows desktop app SP4 (1.4.x). page string, optional If the object is a PDF document, this parameter can display a given page on opening the document. If the object is not a PDF document or the given page is outside the range of the document, this parameter is ignored. Example: mobiledocs://://v1/open?rep=abcdef&obj=1234&page=27 chapter string, optional If the object is a PDF document that has a table of contents (ToC), this parameter can display the given chapter on opening the document. The chapter must be specified using the URL-encoding (percent representation) of the exact chapter name in the table of contents of the PDF document. If the object is not a PDF document or the given chapter is not part of its table of contents in that sense, this parameter is ignored. Examples: mobiledocs://://v1/open?rep=abcdef&obj=1234&chapter=examplechaptername (for ToC entry "ExampleChapterName") mobiledocs://://v1/open?rep=abcdef&obj=1234&chapter=example%20chapter%20name (for ToC entry "Example Chapter Name") Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 141

142 HTTP URL Syntax for All Non-Public Links The HTTP URL syntax is: http(s)://<server>:<port>/mcm/browser/<version>/<action>?parameters Example This URL starts the Web app and triggers navigation to the repository The URL then opens all possible subfolders until object is found. The URL selects this object. The select action does not differentiate between folders or documents. The respective object is selected in the documents list of SAP Mobile Documents. The syntax contains the following elements: version string, required Denotes the scheme version of ; the current version is v1. action string, required: Is an action that the app performs on the provided parameters. Available actions are listed in the table above. The syntax contains the following URL parameters: rep string (URL-encoded), required repository ID. mydocuments, share, and corporate are reserved keywords. mydocuments and share can be used instead of the corresponding repository ID. If no path or object ID is provided or found, the repository root is selected. rep=corporate can be used to address the list of all corporate repositories. For rep=corporate, the parameters obj and path are ignored. obj string (URL-encoded), optional CMIS object ID of a file or folder. If provided, the path is ignored. path string (URL-encoded), optional The absolute path inside the specified repository. The start URI is not considered here. The path is URL encoded before it is passed to. If the repository is share, the path parameter is not considered, as a link to a document or folder within a share would have the logon ID as part of the URL. Supported as of ios SP3 (1.3.x), Android SP3 (1.3.x), Web app SP3 (1.3.x), and Windows desktop app SP4 (1.4.x). HTTP URL Syntax for Public Links The public HTTP URL syntax is: http(s)://<server>:<port>/mcm/public/<version>/<action>?parameters Example SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

143 version string, required Denotes the scheme version of ; the current version is v1. action string, required: Is an action that the app performs on the provided parameters. Available actions are listed in the table above. The syntax contains the following URL parameters: shr string (URL-encoded), required Provides the ID of the share to display. obj string (URL-encoded), optional Specifies the object on which the provided action should be executed. If the obj parameter is not present, the share is opened in the sharing UI and the action is ignored. For shares with a public link, the share properties only show the URL for share members because the public link is already available using the link icon ( ). For an object (folder or file) in a share with a public link, the object properties show the Public URL of the Folder or Public URL of the Document, as this link is currently not available elsewhere. Path Handling for HTTP URLs Path handling for shares is explicitly switched off, as the user ID would have to be a visible part of the URL, which is not wanted. In addition, the caller (who is creating the URL and calling it) cannot determine the ID of the user who owns the share that is addressed. For objects under My Documents, the user ID must also be part of the URL as stated in the CMIS specification. However, apps parsing the URL know which ID must be used in the path: the ID of the logged-on user. Therefore, the path does not need to contain the user ID. When the apps parse the URL, they add the user ID to the beginning of the path. With this adjusted path, getobjectbypath() works. Example The apps receive the following URL: The apps use the following URL to send the getobjectbypath() request: folder2 Related Information Configuring the Server URL with a URL Scheme [page 144] Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 143

144 Configuring the Server URL with a URL Scheme If your company does not use the automatic server URL configuration available with a Mobile Device Management (MDM) solution, you can supply the server URL for the app using a URL scheme and provide this URL scheme to your users. The URL scheme syntax for configuring the server URL is: mobiledocs://v1/configure?server.url=<http(s)>://<host>(:<port>) Example mobiledocs://v1/configure?server.url= This URL configures the server URL of the app. The syntax contains the following elements: version string, required Denotes the scheme version of ; the current version is v1. configure action that the app performs. Supported as of ios SP4 (1.4.x) and Android SP4 (1.4.x). server.url string, required. Server URL parameter to connect to the server. Supported as of ios SP4 (1.4.x) and Android SP4 (1.4.x) Connecting Your ABAP Back End as a Content Source You can use your ABAP system as a content source for. With an ABAP system as a content source, you can easily access documents stored, for example, in SAP ERP system repositories. These documents are then available like any other repository file and can be downloaded to a mobile device for offline access. Related Information ABAP Connector [page 144] Implementing the ABAP Connector [page 146] ABAP Connector The ABAP connector enables ABAP applications to expose a CMIS interface to SAP Mobile Documents. Content stored and/or managed in an ABAP system can be retrieved using the runtime by any CMIS client. The ABAP CMIS server can provide any kind of folder hierarchy and any kind of metadata SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

145 Both can be mapped to an existing back end or can be virtual and assembled at runtime. The current connector version only allows reading of data. The ABAP connector consists of two parts. The connector provides an ABAP interface and helper classes to build a CMIS 1.1-compliant server. The data is provided by RFC to the SAP Mobile Documents server. The other part resides in the server. It accepts calls from a CMIS client, converts the data, calls the appropriate RFC, converts the response, and sends it back to the client. The ABAP connector connects the runtime to the SAP ERP system. Whenever possible, document content is not routed through SAP NetWeaver AS for ABAP. If content is stored in an external document store and if that store provides an HTTP interface, the content can be directly pulled from that store. In this case, the ABAP connector implementation must provide a URL to the document instead of sending the content. This allows content streaming and handling of large documents. This document explains how to implement the ABAP connector and how to attach it to. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 145

146 Implementing the ABAP Connector To provide documents, content, folder hierarchies, and metadata to, you must implement the ABAP connector. This interface adheres closely to the CMIS 1.1 specification, that is, there is a method for each CMIS operation. Each method takes the same parameters and returns data structures similar to those described in the CMIS specification. There are only a few instances where the input and output deviate from the specification, either to avoid technical restrictions or to enable optimizations. The connector allows you to use the full fidelity of the CMIS standard. This freedom increases complexity in some areas, specifically to the data structures. To mitigate the complexity, the ABAP connector also provides an abstract class that implements the interface. It provides convenience code for several methods. That is, for most scenarios you only have to implement a small set of methods; the abstract class covers everything else, but can be overridden where necessary. Tip We strongly recommend that you extend this abstract class instead of implementing the interface directly. Additionally, helper and factory classes are provided. These help fill the data structures. Among other things, the factory provides CMIS-compliant type definitions for documents and folders and provides repository info data structures for the most common use cases. There is also a simple query parser for the CMIS query language Enhancements to the CMIS Specification To provide a full-featured CMIS interface, some enhancements to the CMIS specification were necessary Tree Handling CMIS specifies some recursive structures that cannot be directly mapped to ABAP. If you are dealing with treelike structures, for example, the extensions, then the corresponding structure contains two additional fields named TRANSPORT_ID and TRANSPORT_PARENT_ID. With these two fields, you can create the tree as a flat structure. The transport ID can be any string-like value. You must not set a transport parent ID for the root element. If you set a transport parent ID it must exist, otherwise the element is discarded as it cannot be mapped to a parent SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

147 Properties The property structure in CMIS defines only a table of value objects, which can be of any type. The property structure in CMIS defines only a table of value objects, which can be of any type. The ABAP implementation of the property structure is different; there is a table containing not single values but value structures. Each value structure contains fields for the following data types: string value boolean value int value decimal value date time value Depending on the property type, the corresponding value must be supplied: Table 73: Property Type Value Field boolean BOOLEAN_VALUE string STRING_VALUE id STRING_VALUE integer INT_VALUE datetime DATE_TIME_VALUE decimal DECIMAL_VALUE html STRING_VALUE uri STRING_VALUE Custom Groups If your back-end repository provides custom properties, you can group them and define a display text for each group. In addition, you can configure whether a property group is initially displayed expanded or collapsed, or is completely hidden. The order of the groups and the order of the properties inside each group are also configurable. To achieve these changes, you modify the typedefinition of the respective repository using the following elements: propertygroups displayname: This property defines the name of the group displayed on the user interface. If you do not provide a display name, then the technical name (the prefix) of the group is displayed. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 147

148 position: This property defines the position of this group in relation to other groups defined in this type definition. If you do not define it, the different properties of the group are rendered in alphabetical order. expanded: This property defines whether the group is initially expanded or collapsed. Possible values are true and false, default value is false. hidden: This property defines whether the group is displayed on the user interface at all or whether it is hidden. Possible values are true and false, default is false. propertydefinitions position: This defines the order of the property in relation to the other properties of the group. TypeDefinition Syntax Code Syntax typedefinition : { "name": "...", "displayname": "...", "propertygroups" : { "ppm" : { "displayname": "My nice Name for this Property Group", "position": "1", "expanded": "true", "hidden": "true" }, "ppm2": { "displayname": "My nice Name for this second Property Group", "position": "2", "expanded": "false", "hidden": "false" } }, "propertydefinitions: [ { "id" : "ppm:custompropertyone", "displayname" : "Nice Name for Property One", "position" : "1" }, { "id" : "ppm:custompropertytwo", "displayname" : "Nice Name for Property Two", "position" : "2" } ] } Example The following example demonstrates how to configure the custom properties group in SAP NetWeaver Application Server for ABAP. Sample Code "Extend the property definition by the position DATA: prop1 TYPE cmis_s_property_definition, prop_position type cmis_s_extension. "The Id will be used in the later example to map it to the group prop1-id = 'grp1:prop1'. prop1-display_name = 'Property 1'. "Add the position extension to the property definition prop_position-name = 'position'. prop_position-value = '1' SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

149 APPEND prop_position to prop1-extensions. "Add the groupmapping to your type definition DATA: ls_type type cmis_s_type_definition, DATA: property_group TYPE cmis_s_extension, group TYPE cmis_s_extension, displayname TYPE cmis_s_extension, position TYPE cmis_s_extension, expanded TYPE cmis_s_extension, hidden TYPE cmis_s_extension. "Define the property group extension that contains all group extensions property_group-name = 'propertygroups'. property_group-transport_id = 'propertygroup'. "Define the group for properties starting with 'grp1' and create the mapping to the property group extension group-name = 'grp1'. group-transport_id = 'grp1'. group-transport_parent_id = property_group-transport_id. "Define the other extensions and add map them to the group extension displayname-name = 'displayname'. displayname-value = 'Property Group 1'. displayname-transport_id = 'disp_grp1'. displayname-transport_parent_id = group-transport_id. position-name = 'position'. position-value = '3'. position-transport_id = 'pos_grp1'. position-transport_parent_id = group-transport_id. expanded-name = 'expanded'. expanded-value = 'true'. expanded-transport_id = 'exp_grp1'. expanded-transport_parent_id = group-transport_id. hidden-name = 'hidden'. hidden-value = 'false'. hidden-transport_id = 'hidden_grp1'. hidden-transport_parent_id = group-transport_id. APPEND property_group TO es_type-extensions. APPEND group TO es_type-extensions. APPEND displayname TO es_type-extensions. APPEND position TO es_type-extensions. APPEND expanded TO es_type-extensions. APPEND hidden TO es_type-extensions Repository Info The repository info has an additional field that contains information about the implementation capabilities. Currently, the structure that is used in this field contains two values. These contain information about the content delivery abilities of the repository. The content delivery behavior is determined by what the repository returns for these values. See the table below for more information. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 149

150 DEFAULT_CONTENT_DELIVERY Table 74: Value full chunked document_specific Comment Content is always delivered as a complete xstring. Content is delivered in chunks. Content is delivered as stated in the export parameter of the create_document method. To deliver the content using a URL, use this option. DEFAULT_CHUNK_SIZE If the content is delivered in chunks, set the default chunk size for this parameter. The chuck size should not exceed 1 MB. Chuck sizes over 16 MB are not supported Constants and Enum Values The CL_CMIS_PROPERTY_IDS class contains constants for all property IDs that are defined in the CMIS 1.1 specification. All other constants and enum values used in the specification can be found in the CL_CMIS_CONSTANTS class. Example Using Constants ls_property = cl_cmis_object_factory=>create_string_prop_single ( iv_property_id = cl_cmis_property_ids=>created_by iv_value = 'Joe' ) Exceptions The CMIS exceptions defined in the standard are assigned to specific ABAP exceptions. These exceptions are passed on to the respective app. Table 75: CMIS Exception invalidargument notsupported ABAP Exception CX_CMIS_INVALID_ARGUMENT CX_CMIS_NOT_SUPPORTED SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

151 CMIS Exception objectnotfound permissiondenied runtime constraint contentalreadyexists filternotvalid nameconstraintviolation storage streamnotsupported updateconflict versioning ABAP Exception CX_CMIS_OBJECT_NOT_FOUND CX_CMIS_PERMISSION_DENIED CX_CMIS_RUNTIME CX_CMIS_CONSTRAINT CX_CMIS_CONTENT_ALREADY_EXISTS CX_CMIS_FILTER_NOT_VALID CX_CMIS_NAME_CONSTRAINT_VIOLATION CX_CMIS_STORAGE CX_CMIS_STREAM_NOT_SUPPORTED CX_CMIS_UPDATE_CONFLICT CX_CMIS_VERSIONING To throw a CMIS exception, use the following code snippet: RAISE EXCEPTION TYPE cx_cmis_invalid_argument EXPORTING message_text = 'Invalid object ID.' Content Handling Read The GET_CONTENT method can deliver document content in different ways. It can either provide an HTTP URL to the content or provide the content itself as one or more xstrings. If a URL is provided, the server tries to retrieve the content directly from that URL. Keep in mind that the server must be able to reach the URL and must be authorized to retrieve the content. If no URL is provided, the server forwards the content sent in the STREAM export parameter. If the parameter contains the full content, set the HAS_MORE export parameter false. We recommend that you only transfer content of up to 1 MB in this way. The maximum size is 15 MB. Transfer larger content in chunks. In this way, the GET_CONTENT method only returns the first few bytes in the STREAM parameter and sets the HAS_MORE parameter to true. The server then calls the GET_CONTENT method again with an offset pointing to the next byte after this chunk. The server repeats the call until the entire content is transferred and HAS_MORE is set to false. To the clients, this looks like one continuous stream. Note The size of a chunk should not exceed 1 MB and must not exceed 15 MB. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 151

152 The GET_CONTENT method must supply a MIME type for the content. If no MIME type is provided and the content is pulled from an external store using HTTP, the MIME type provided by the external store is used (HTTP header Content-Type). If the content source does not provide a MIME type, application/octet-stream is used. Write Similarly to the GET_CONTENT method, there are also different ways to create content. The content can be delivered as one xstring, it can be directly pushed to an HTTP URL, or it can be delivered in chunks. The method that the repository supports can be expressed with the repository info (see Repository Info [page 149]). The flow differs depending on the chosen method: full In this case, CREATE_CONTENT receives the full content as an xstring within the IS_CONTENT structure and the HAS_MORE parameter is set to false. The implementation only needs to return the new object ID using the EV_OBJECT_ID parameter. Use this method if you expect small content (<1 MB, max 15 MB). chunked In this case the content is delivered in chunks, the CREATE_DOCUMENT method is called, and the first chunk is transported using the IS_CONTENT structure. If there is only one chunk, the HAS_MORE parameter is set to false. If the HAS_MORE parameter is set to true, the CREATE_CONTENT method is then called. The same logic as for the CREATE_DOCUMENT method applies to the CREATE_CONTENT method: If the HAS_MORE parameter is set to true, it is called again until the complete content is transferred, as indicated by the HAS_MORE parameter. In this case it is sufficient for the CREATE_DOCUMENT method to return the object ID using the EV_OBJECT_ID parameter. Use this method if you expect medium-size content (<100 MB). document_specific In this case the CREATE_DOCUMENT method is called with only the document metadata and without content. The repository must also ensure that the properties are saved and an empty document is created. In addition,the repository has to send back the ES_CONTENT_DELIVERY_INFO structure that contains the information on how to deliver the content. If you choose to deliver the content using a URL, then the repository must provide an HTTP URL and the method (POST/PUT) to use. The content is then directly pushed to that URL. After the content upload and regardless of whether the upload succeeded or failed, the ON_CONTENT_UPLOADED method is called. The parameter IV_UPLOAD_RESULT is set to "OK" if the upload was successful. Any other value indicates an upload failure. If you choose a chunked or a full delivery, the CREATE_CONTENT method is called either with the complete content or the first chunk of it Query The ABAP connector contains a simple query parser. It splits CMIS queries into the four main parts of a query: SELECT, FROM, WHERE, and ORDER BY. It also parses the SELECT, FROM, and ORDER BY parts and provides the results in appropriate data structures. The WHERE clause is not parsed, but is provided as a single string SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

153 Example Using the Query Parser DATA: iv_query_statement TYPE cmis_string, rs_simple_parse_result TYPE cl_cmis_simple_query_parser=>parse_result, select TYPE STANDARD TABLE OF cl_cmis_simple_query_parser=>name_alias WITH DEFAULT KEY, from TYPE cl_cmis_simple_query_parser=>name_alias, where TYPE cmis_string, orderby TYPE cl_cmis_simple_query_parser=>sort_order_tab. iv_query_statement = 'SELECT cmis:name AS name, cmis:contentstreamlength FROM cmis:document WHERE cmis:contentstreamlength < 1024 ORDER BY cmis:name'. rs_simple_parse_result = cl_cmis_simple_query_parser=>parse( iv_query_statement ). select = rs_simple_parse_result-property-query_names. from = rs_simple_parse_result-property-type_query_name. where = rs_simple_parse_result-property-where_clause. orderby = rs_simple_parse_result-property-sort_order Building a CMIS Server for The end-user clients require the following set of methods to work properly. Other CMIS clients may require more. Table 76: Methods Service CMIS Method ABAP Method Convenience Implementation in Abstract Class Required (ro = readonly, rw = read-write) Repository Service getrepositorie s X ro / rw getrepositoryi nfo gettypechildre n REP_INFO - ro / rw GET_TYPE_CHILDREN - ro / rw gettypedecenda nts GET_TYPE_DESCENDAN TS X ro / rw gettypedefinit ion GET_ TYPE_DEFINITION - ro / rw createtype - - updatetype - - deletetype - - Navigation Service getchildren GET_CHILDREN - ro / rw getdecendants X - getfoldertree X - Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 153

154 Service CMIS Method ABAP Method Convenience Implementation in Abstract Class Required (ro = readonly, rw = read-write) getfolderparen t getobjectparen ts getcheckedoutd ocs - ro / rw GET_OBJECT_PARENTS - ro / rw - - Object Service createdocument - rw createdocument FromSource - rw createfolder - rw createrelation ship - - createpolicy - - createitem - - getobject GET_OBJECT - ro / rw getallowableac tions X ro / rw getproperties X ro / rw getobjectbypat h getcontentstre am - ro / rw GET_CONTENT - ro / rw getrenditions X - updateproperti es bulkupdateprop erties - rw X - moveobject - ro / rw deleteobject - ro / rw deletetree - ro / rw setcontentstre am appendcontents tream deletecontents tream - ro / rw ro / rw Versioning Service SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

155 Service CMIS Method ABAP Method Convenience Implementation in Abstract Class Required (ro = readonly, rw = read-write) checkout - rw cancelcheckout - rw checkin - rw getobjectoflat estversion getpropertieso flatestversion - ro / rw X - getallversions - rw Discovery Service query QUERY - ro / rw (metadata query is required, fulltext query is optional) getcontentchan ges - - (used if available) ACL Service getacl - - applyacl - - Relationship Service getobjectrelat ionships - - Policy Service - - Multifiling Service applypolicy - - removepolicy - - getappliedpoli cies addobjecttofol der removeobjectfr omfolder Queries The following queries must be supported: Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 155

156 SELECT * from cmis:folder WHERE cmis:name LIKE '%@' SELECT * from cmis:document WHERE cmis:name LIKE '%@' SELECT * FROM cmis:folder WHERE cmis:name LIKE '%@' AND LIKE '%@'... AND IN_TREE('%@') SELECT * FROM cmis:document WHERE cmis:name LIKE '%@' AND LIKE '%@'... AND IN_TREE('%@') SELECT * FROM cmis:folder WHERE cmis:objectid = '%@' SELECT * FROM cmis:document WHERE cmis:objectid = '%@' SELECT * FROM cmis:folder WHERE cmis:objectid IN (%@) SELECT * FROM cmis:document WHERE cmis:objectid IN (%@) Building a CMIS Repository in an ABAP System These first steps allow you to create a read-only implementation of the ABAP repository. Procedure 1. Create a class that extends the CL_CMIS_ABSTRACT_SERVICE class. 2. Define a repository ID for your new repository implementation. A repository ID must be unique within the system and can be any case-insensitive string up to 100 characters. Note Avoid special characters. The ID will be part of URLs and debugging is easier if the ID does not need to be encoded or decoded. 3. Add the repository ID and the name of your class to the CMISD_SERVICE table. 4. Implement the GET_REPOSITORY_INFO method in your class. Make sure that you use the same repository ID that you entered in the CMISD_SERVICE table. Note The CL_CMIS_OBJECT_FACTORY class provides a CREATE_REPOSITORY_INFO_READ method that creates a stub of a repository info structure. The returned structure is sufficient for most read-only repositories. Repositories that support create and update operations have to modify this structure depending on their capabilities. Example Using the Object Factory to Create a Repository Info Object es_repository_info = cl_cmis_object_factory=>create_repository_info_read( iv_name = 'My Repository' iv_description = 'This is my first repository' SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

157 iv_id = 'MY_REPOSITORY_ID' iv_vendor = 'Example Inc' iv_product_name = 'Document Store' iv_product_version = '1.0' iv_root_folder_id = ' ' iv_acl_supported = abap_false ). 5. Implement the GET_OBJECT, the GET_OBJECT_BY_PATH, and the GET_OBJECT_LATEST_VERSION methods. These methods are all quite similar. Focus on the properties. Everything else can be added later. Note GET_OBJECT returns a structure of type CMIS_S_OBJECT. This structure is used in many places. Consider using a central method that can be reused by other methods and that fills a CMIS_S_OBJECT structure. Note The CL_CMIS_OBJECT_FACTORY class provides methods to fill CMIS_S_PROPERTY structures. These structures hold property values and you need one for every property value that you have to return. There are three methods for each data type: CREATE_<XXX>_PROP_SINGLE CREATE_<XXX>_PROP_MULTI CREATE_<XXX>_PROP_NOTSET <XXX> is a placeholder for one of the CMIS data types: ID, String, Integer, Decimal, Boolean, DateTime, URI, and HTML. The CREATE_XXX_PROP_SINGLE methods return a structure for a single-value property. The CREATE_XXX_PROP_MULTI methods return a structure for a multivalue property. If the property (singlevalue or multivalue) has no value, use the CREATE_XXX_PROP_NOTSET method. Example Using the Object Factory to Create a Property Value ls_name_property = cl_cmis_object_factory=>create_string_prop_single( iv_property_id = cl_cmis_property_ids=>name iv_value = 'test.txt' ). 6. Implement the GET_CHILDREN, the GET_FOLDER_PARENT, and the GET_OBJECT_PARENTS methods. You can reuse a lot of the code from the GET_OBJECT method. At this point, you can browse through your repository, but the clients do not allow you to do anything else. 7. Go back to the GET_OBJECT method and add support for Allowable Actions. If your repository supports ACLs, also add ACL support. The clients use the Allowable Actions to determine which buttons are active and which buttons are deactivated. Once you have added support for Allowable Actions, the SAP Mobile Documents clients provide you with more options. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 157

158 8. Implement the GET_CONTENT method. Note It is preferable to send a URL to the content rather than sending the content as an xstring. The performance is better and the content size is not limited. You should now be able to use most features of the clients, except syncing and querying. These depend on the QUERY method. 9. Implement the QUERY method. This is the most complex task. If you just want to support clients, only add support for the queries mentioned above. The simple query parser that is included in the ABAP connector helps you identify the queries and return the correct result set. Once the query is implemented, this server supports all read-only operations that requires CMIS Extension for Search This specification defines a new predicate function PREVIEW() in the CMIS Query Language that returns a content snippet with the found match in the searched CMIS objects. When displaying search results, CMIS clients can display a content snippet with the matched content. Specification BNF grammar structure: PREVIEW () Usage This is a predicate function that encapsulates the full-text search capability that may be provided by a repository. It offers a string content snippet for the matched content in a CMIS object. Inputs No inputs must be provided for this predicate function. Return Value The PREVIEW () predicate function returns a string with HTML formatting such as <b>matched term</ b>. Constraints The PREVIEW () function must only be used in queries that also include a CONTAINS() predicate function. The PREVIEW () function must only be used in the SELECT clause of a query. It must not be used in the WHERE clause or in the ORDER BY clause SAP SE or an SAP affiliate company. All rights reserved. Developer's Guides

159 If PREVIEW() is included in the SELECT clause and an alias column name is not provided, then a query name of SEARCH_PREVIEW is used for the query output, and the property definition id is repositoryspecific. Extension Definition (CMIS 1.1) The repository MUST provide the following feature extension in the repository info. Table 77: Feature Extension Attribute ID URL Common Name Value n.a. Full Text Search Content Preview Version Label 1.0 Description Allows the CMIS query language to support the PREVIEW() function which returns a content snippet of the matching text in the selected resources. Developer's Guides 2016 SAP SE or an SAP affiliate company. All rights reserved. 159

160 11 Appendix 11.1 Supported CMIS 1.1 Features supports the following CMIS methods in browser and AtomPub bindings. Note For performance reasons, we recommend using the browser binding. Table 78: CMIS 1.0 Features Service Method Support for KM Repositories* Comment Repository Service getrepositories Yes See 2) getrepositoryinfo Yes See 2) gettypechildren gettypedecendants gettypedefinition Yes Yes Yes Navigation Service getchildren Yes See 1) getdecendants Yes See 1) getfoldertree Yes See 1) getfolderparent Yes See 1) getobjectparents Yes See 1) getcheckedoutdocs No See 1) Object Service createdocument createdocumentfromsource createfolder createrelationship createpolicy getallowableactions Yes Yes Yes No No Yes getobject Yes See 1) SAP SE or an SAP affiliate company. All rights reserved. Appendix

161 Service Method Support for KM Repositories* Comment getproperties Yes See 1) getobjectbypath Yes See 1) getcontentstream getrenditions updateproperties moveobject deleteobject deletetree setcontentstream deletecontentstream Yes No Yes Yes Yes Yes Yes No Versioning Service checkout cancelcheckout checkin getobjectoflatestversion getpropertiesoflatestversion getallversions Yes Yes Yes No No Yes Discovery Service query getcontentchanges Yes Yes ACL Service getacl applyacl Yes Yes Relationship Service getobjectrelationships No Policy Service applypolicy removepolicy getappliedpolicies No No No Multifiling Service addobjecttofolder removeobjectfromfolder No No * For other repositories, the supported functions depend on the CMIS support of the respective DMS. 1) When fetching resources, do not specify that you need all properties, but use the filter parameter to specify only the properties you need. Otherwise expensive properties like the path property have to be computed. Appendix 2016 SAP SE or an SAP affiliate company. All rights reserved. 161

162 2) Only information about the configured repositories is returned CMIS Extensions uses the following CMIS extensions, which are added to the repository info if applicable. All these extensions share the same namespace, (namespaces are only used for AtomPub bindings). Table 79: CMIS Extensions Extension Name Value Comment My Documents mydocuments User home folder ID for My Documents The mydocuments extension identifies the My Documents repository and contains the user s home folder ID. Settings settings SETTINGS folder ID The settings extension contains the ID of the settings folder where app settings are saved. Sharing sharing User home folder ID for Shared Documents The sharing extension identifies the Shared Documents repository and contains the user s home folder ID. Sharing Upload Allowed sharing.uploadallowed true false Only available if sharing is configured. See Configuring the Shared Documents Settings. Only available if sharing is configured. Sharing Minimum Password Length sharing.minpasswordlength Integer value. 0 means no password required. See Configuring the Shared Documents Settings. Only available if sharing is configured. Sharing Max Expiration Days sharing.maxexpirationdays Integer value describing the maximum validity period of a share. See Configuring the Shared Documents Settings. Only available if sharing is configured. Sharing Base URL sharing.baseurl URL path that is the basis of the external link to the share. The final URL is baseurl plus the object ID of the share. Contains the URL that is used for external access to public links. Apps have to add the object ID of the public link to construct a valid public link URL. Only available if sharing is configured. Corporate Repository corporate Entry point folder ID of corporate repositories The corporate extension identifies corporate repositories and contains the configured root URI. See Configuring Corporate Document Repositories. If no root URI is configured, the extension contains the root folder ID SAP SE or an SAP affiliate company. All rights reserved. Appendix

163 Extension Name Value Comment Default Classification defaultclassification strictly_confidential confidential internal customer public The default classification value that is configured for this repository. See Document Classification. Backend Repository ID cmisrepositoryid Repository ID of the connected repository The repository ID that the SAP Mobile Documents server uses to connect to the back-end repository. Related Information Configuring the Shared Documents Settings [page 78] Configuring Corporate Documents Repositories [page 52] Appendix 2016 SAP SE or an SAP affiliate company. All rights reserved. 163

164 12 Open Source Licenses This document contains licensing information relating to SAP's use of free and open-source software with or within the product identified above (collectively, "FOSS"). Any terms, conditions, and restrictions governing the use or distribution of FOSS that are not contained within the license(s) governing use and distribution of the FOSS (the "FOSS Licenses") are offered and imposed by SAP alone. The authors, licensors, and distributors of the FOSS have disclaimed all warranties relating to any liability arising from the use and distribution of the FOSS. This document identifies the FOSS components used and the FOSS Licenses that SAP believes govern those FOSS components. While SAP has sought to provide complete and accurate licensing information for each FOSS component, SAP does not represent or warrant that the licensing information provided herein is correct or errorfree. Recipients of this product should investigate the identified FOSS components to confirm the accuracy of the licensing information provided herein. Recipients are also encouraged to notify SAP of any inaccurate information or errors found in this document. Certain FOSS Licenses require that SAP make available to recipients the source code corresponding to FOSS binaries distributed under those licenses. Recipients who would like to receive a copy of such source code should submit a request to SAP by to [email protected]. Please provide the following information in submitted requests: the FOSS components for which you are requesting source code; the SAP product and version number with which the requested FOSS component is distributed; an address at which SAP may contact you regarding the request (if available); and the postal address for delivery of the requested source code. If you have any questions or concerns, contact [email protected]. Table 80: Licenses for FOSS Components FOSS Component License Android Beacon Library Apache License v 2.0 Apache Active MQ Apache v.2.0 License Apache Chemistry ObjectiveCMIS Apache License v 2.0 Apache Chemistry OpenCMIS Apache License v 2.0 Apache CXF Apache License v 2.0 Apache-Jakarta BeanUtils Apache License v 2.0 Apache Jakarta Log4j Apache License v 2.0 Apache log4net Apache Regexp - Reuse from Portal KM (bc.util.public_api-1.0.jar). Approved from code center Base64 adp ELCImagePickerController Illegal Argument Exception Blog - Java: synchronizing on an ID Apache v.2.0 License Apache License v 2.0 Rene Nyffenegger License MIT License V2 MIT License V SAP SE or an SAP affiliate company. All rights reserved. Open Source Licenses

165 FOSS Component ios Developer Library - AdvancedURLConnections CocoaHTTPServer Eclipse SWT Google GSON HSQLDB (HyperSQL) License Apple Disclaimer BSD 2.0 License Eclipse Foundation Software User Agreement Apache v.2.0 License Hypersonic SQL License Jettison Apache License v 2.0 JQuery Json.NET LiquiBase MGSwipeTableCell Mozilla Rhino: JavaScript for Java NanoHttpd Objective-Zip MIT License V2 MIT License V2 Apache v.2.0 License MIT License V2 Basic Mozilla Style License BSD 2.0 License BSD 2.0 License pdf.js Apache License v 2.0 Proxy Vole Quartz BSD 2.0 License Apache v.2.0 License Sardine Apache License v 2.0 SharpShell Simple Logging Facade for Java (SLF4J) Some SecureRandom Thoughts MIT License The MIT License (MIT) Some SecureRandom Thoughts License 12.1 Apache License, Version 2.0 Apache License Apache License Version 2.0, January TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. Open Source Licenses 2016 SAP SE or an SAP affiliate company. All rights reserved. 165

166 "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution SAP SE or an SAP affiliate company. All rights reserved. Open Source Licenses

167 You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: 1. You must give any other recipients of the Work or Derivative Works a copy of this License; and 2. You must cause any modified files to carry prominent notices stating that You changed the files; and 3. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and 4. If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold Open Source Licenses 2016 SAP SE or an SAP affiliate company. All rights reserved. 167

168 each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License Creative Commons License LEGAL CODE Attribution 2.5 CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE. License THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. 1. Definitions a. "Collective Work" means a work, such as a periodical issue, anthology or encyclopedia, in which the Work in its entirety in unmodified form, along with a number of other contributions, constituting separate and independent SAP SE or an SAP affiliate company. All rights reserved. Open Source Licenses

169 works in themselves, are assembled into a collective whole. A work that constitutes a Collective Work will not be considered a Derivative Work (as defined below) for the purposes of this License. b. "Derivative Work" means a work based upon the Work or upon the Work and other pre-existing works, such as a translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgment, condensation, or any other form in which the Work may be recast, transformed, or adapted, except that a work that constitutes a Collective Work will not be considered a Derivative Work for the purpose of this License. For the avoidance of doubt, where the Work is a musical composition or sound recording, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered a Derivative Work for the purpose of this License. c. "Licensor" means the individual or entity that offers the Work under the terms of this License. d. "Original Author" means the individual or entity who created the Work. e. "Work" means the copyrightable work of authorship offered under the terms of this License. f. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation. 2. Fair Use Rights. Nothing in this license is intended to reduce, limit, or restrict any rights arising from fair use, first sale or other limitations on the exclusive rights of the copyright owner under copyright law or other applicable laws. 3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below: a. to reproduce the Work, to incorporate the Work into one or more Collective Works, and to reproduce the Work as incorporated in the Collective Works; b. to create and reproduce Derivative Works; c. to distribute copies or phonorecords of, display publicly, perform publicly, and perform publicly by means of a digital audio transmission the Work including as incorporated in Collective Works; d. to distribute copies or phonorecords of, display publicly, perform publicly, and perform publicly by means of a digital audio transmission Derivative Works. e. For the avoidance of doubt, where the work is a musical composition: i. Performance Royalties Under Blanket Licenses. Licensor waives the exclusive right to collect, whether individually or via a performance rights society (e.g. ASCAP, BMI, SESAC), royalties for the public performance or public digital performance (e.g. webcast) of the Work. ii. Mechanical Rights and Statutory Royalties. Licensor waives the exclusive right to collect, whether individually or via a music rights agency or designated agent (e.g. Harry Fox Agency), royalties for any phonorecord You create from the Work ("cover version") and distribute, subject to the compulsory license created by 17 USC Section 115 of the US Copyright Act (or the equivalent in other jurisdictions). f. Webcasting Rights and Statutory Royalties. For the avoidance of doubt, where the Work is a sound recording, Licensor waives the exclusive right to collect, whether individually or via a performance-rights society (e.g. SoundExchange), royalties for the public digital performance (e.g. webcast) of the Work, subject to the compulsory license created by 17 USC Section 114 of the US Copyright Act (or the equivalent in other jurisdictions). Open Source Licenses 2016 SAP SE or an SAP affiliate company. All rights reserved. 169

170 The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. All rights not expressly granted by Licensor are hereby reserved. 4. Restrictions.The license granted in Section 3 above is expressly made subject to and limited by the following restrictions: a. You may distribute, publicly display, publicly perform, or publicly digitally perform the Work only under the terms of this License, and You must include a copy of, or the Uniform Resource Identifier for, this License with every copy or phonorecord of the Work You distribute, publicly display, publicly perform, or publicly digitally perform. You may not offer or impose any terms on the Work that alter or restrict the terms of this License or the recipients' exercise of the rights granted hereunder. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties. You may not distribute, publicly display, publicly perform, or publicly digitally perform the Work with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License Agreement. The above applies to the Work as incorporated in a Collective Work, but this does not require the Collective Work apart from the Work itself to be made subject to the terms of this License. If You create a Collective Work, upon notice from any Licensor You must, to the extent practicable, remove from the Collective Work any credit as required by clause 4(b), as requested. If You create a Derivative Work, upon notice from any Licensor You must, to the extent practicable, remove from the Derivative Work any credit as required by clause 4(b), as requested. b. If you distribute, publicly display, publicly perform, or publicly digitally perform the Work or any Derivative Works or Collective Works, You must keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or (ii) if the Original Author and/or Licensor designate another party or parties (e.g. a sponsor institute, publishing entity, journal) for attribution in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; the title of the Work if supplied; to the extent reasonably practicable, the Uniform Resource Identifier, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and in the case of a Derivative Work, a credit identifying the use of the Work in the Derivative Work (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). Such credit may be implemented in any reasonable manner; provided, however, that in the case of a Derivative Work or Collective Work, at a minimum such credit will appear where any other comparable authorship credit appears and in a manner at least as prominent as such other comparable authorship credit. 5. Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS- IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 7. Termination a. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Derivative Works or Collective Works from You under this SAP SE or an SAP affiliate company. All rights reserved. Open Source Licenses

171 License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License. b. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above. 8. Miscellaneous a. Each time You distribute or publicly digitally perform the Work or a Collective Work, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License. b. Each time You distribute or publicly digitally perform a Derivative Work, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License. c. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. d. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent. e. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You. Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor. Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, neither party will use the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons. Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time. Creative Commons may be contacted at Eclipse License Eclipse Foundation Software User Agreement April 9, 2014 Usage Of Content Open Source Licenses 2016 SAP SE or an SAP affiliate company. All rights reserved. 171

172 THE ECLIPSE FOUNDATION MAKES AVAILABLE SOFTWARE, DOCUMENTATION, INFORMATION AND/OR OTHER MATERIALS FOR OPEN SOURCE PROJECTS (COLLECTIVELY "CONTENT"). USE OF THE CONTENT IS GOVERNED BY THE TERMS AND CONDITIONS OF THIS AGREEMENT AND/OR THE TERMS AND CONDITIONS OF LICENSE AGREEMENTS OR NOTICES INDICATED OR REFERENCED BELOW. BY USING THE CONTENT, YOU AGREE THAT YOUR USE OF THE CONTENT IS GOVERNED BY THIS AGREEMENT AND/OR THE TERMS AND CONDITIONS OF ANY APPLICABLE LICENSE AGREEMENTS OR NOTICES INDICATED OR REFERENCED BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT AND THE TERMS AND CONDITIONS OF ANY APPLICABLE LICENSE AGREEMENTS OR NOTICES INDICATED OR REFERENCED BELOW, THEN YOU MAY NOT USE THE CONTENT. Applicable Licenses Unless otherwise indicated, all Content made available by the Eclipse Foundation is provided to you under the terms and conditions of the Eclipse Public License Version 1.0 ("EPL"). A copy of the EPL is provided with this Content and is also available at For purposes of the EPL, "Program" will mean the Content. Content includes, but is not limited to, source code, object code, documentation and other files maintained in the Eclipse Foundation source code repository ("Repository") in software modules ("Modules") and made available as downloadable archives ("Downloads"). Content may be structured and packaged into modules to facilitate delivering, extending, and upgrading the Content. Typical modules may include plug-ins ("Plug-ins"), plug-in fragments ("Fragments"), and features ("Features"). Each Plug-in or Fragment may be packaged as a sub-directory or JAR (Java ARchive) in a directory named "plugins". A Feature is a bundle of one or more Plug-ins and/or Fragments and associated material. Each Feature may be packaged as a sub-directory in a directory named "features". Within a Feature, files named "feature.xml" may contain a list of the names and version numbers of the Plug-ins and/or Fragments associated with that Feature. Features may also include other Features ("Included Features"). Within a Feature, files named "feature.xml" may contain a list of the names and version numbers of Included Features. The terms and conditions governing Plug-ins and Fragments should be contained in files named "about.html" ("Abouts"). The terms and conditions governing Features and Included Features should be contained in files named "license.html" ("Feature Licenses"). Abouts and Feature Licenses may be located in any directory of a Download or Module including, but not limited to the following locations: The top-level (root) directory Plug-in and Fragment directories Inside Plug-ins and Fragments packaged as JARs Sub-directories of the directory named "src" of certain Plug-ins Feature directories Note: if a Feature made available by the Eclipse Foundation is installed using the Provisioning Technology (as defined below), you must agree to a license ("Feature Update License") during the installation process. If the Feature contains Included Features, the Feature Update License should either provide you with the terms and conditions governing the Included Features or inform you where you can locate them. Feature Update Licenses may be found in the "license" property of files named "feature.properties" found within a Feature. Such Abouts, Feature Licenses, and Feature Update Licenses contain the terms and conditions (or references to such terms and conditions) that govern your use of the associated Content in that directory SAP SE or an SAP affiliate company. All rights reserved. Open Source Licenses

173 THE ABOUTS, FEATURE LICENSES, AND FEATURE UPDATE LICENSES MAY REFER TO THE EPL OR OTHER LICENSE AGREEMENTS, NOTICES OR TERMS AND CONDITIONS. SOME OF THESE OTHER LICENSE AGREEMENTS MAY INCLUDE (BUT ARE NOT LIMITED TO): Eclipse Distribution License Version 1.0 (available at Common Public License Version 1.0 (available at Apache Software License 1.1 (available at Apache Software License 2.0 (available at Mozilla Public License Version 1.1 (available at IT IS YOUR OBLIGATION TO READ AND ACCEPT ALL SUCH TERMS AND CONDITIONS PRIOR TO USE OF THE CONTENT. If no About, Feature License, or Feature Update License is provided, please contact the Eclipse Foundation to determine what terms and conditions govern that particular Content. Use of Provisioning Technology The Eclipse Foundation makes available provisioning software, examples of which include, but are not limited to, p2 and the Eclipse Update Manager ("Provisioning Technology") for the purpose of allowing users to install software, documentation, information and/or other materials (collectively "Installable Software"). This capability is provided with the intent of allowing such users to install, extend and update Eclipse-based products. Information about packaging Installable Software is available at repository_packaging.html ("Specification"). You may use Provisioning Technology to allow other parties to install Installable Software. You shall be responsible for enabling the applicable license agreements relating to the Installable Software to be presented to, and accepted by, the users of the Provisioning Technology in accordance with the Specification. By using Provisioning Technology in such a manner and making it available in accordance with the Specification, you further acknowledge your agreement to, and the acquisition of all necessary rights to permit the following: 1. A series of actions may occur ("Provisioning Process") in which a user may execute the Provisioning Technology on a machine ("Target Machine") with the intent of installing, extending or updating the functionality of an Eclipse-based product. 2. During the Provisioning Process, the Provisioning Technology may cause third party Installable Software or a portion thereof to be accessed and copied to the Target Machine. 3. Pursuant to the Specification, you will provide to the user the terms and conditions that govern the use of the Installable Software ("Installable Software Agreement") and such Installable Software Agreement shall be accessed from the Target Machine in accordance with the Specification. Such Installable Software Agreement must inform the user of the terms and conditions that govern the Installable Software and must solicit acceptance by the end user in the manner prescribed in such Installable Software Agreement. Upon such indication of agreement by the user, the provisioning Technology will complete installation of the Installable Software. Cryptography Content may contain encryption software. The country in which you are currently may have restrictions on the import, possession, and use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check the country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. Java and all Java-based trademarks are trademarks of Oracle Corporation in the United States, other countries, or both. Open Source Licenses 2016 SAP SE or an SAP affiliate company. All rights reserved. 173

174 12.4 Hypersonic SQL License Copyright (c) by the Hypersonic SQL Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes Hypersonic SQL." Products derived from this software may not be called "Hypersonic SQL" nor may "Hypersonic SQL" appear in their names without prior written permission of the Hypersonic SQL Group. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes Hypersonic SQL." This software is provided "as is" and any expressed or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the Hypersonic SQL Group or its contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption). However caused any on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. This software consists of voluntary contributions made by many individuals on behalf of the Hypersonic SQL Group Mozilla Public License Version Mozilla Public License Version Definitions 1. "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software. 2. Contributor Version SAP SE or an SAP affiliate company. All rights reserved. Open Source Licenses

175 means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor s Contribution. 3. Contribution means Covered Software of a particular Contributor. 4. Covered Software means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof. 5. Incompatible With Secondary Licenses means a. that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or b. that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License. 6. Executable Form means any form of the work other than Source Code Form. 7. Larger Work means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software. 8. License means this document. 9. Licensable means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License. 10. Modifications means any of the following: a. any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or b. any new file in Source Code Form that contains any Covered Software. 11. Patent Claims of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version. 12. Secondary License means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses. 13. Source Code Form means the form of the work preferred for making modifications. 14. You (or Your ) means an individual or a legal entity exercising rights under this License. For legal entities, You includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, control means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. License Grants and Conditions 1. Grants Open Source Licenses 2016 SAP SE or an SAP affiliate company. All rights reserved. 175

176 Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license: a. under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and b. under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version. 2. Effective Date The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution. 3. Limitations on Grant Scope The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor: a. for any code that a Contributor has removed from Covered Software; or b. for infringements caused by: (i) Your and any other third party s modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or c. under Patent Claims infringed by Covered Software in the absence of its Contributions. This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4). 4. Subsequent Licenses No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3). 5. Representation Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License. 6. Fair Use This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents. 7. Conditions Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section Responsibilities 1. Distribution of Source Form All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients rights in the Source Code Form. 2. Distribution of Executable Form If You distribute Covered Software in Executable Form then: a. such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and b. You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients rights in the Source Code Form under this License. 3. Distribution of a Larger Work SAP SE or an SAP affiliate company. All rights reserved. Open Source Licenses

177 You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s). 4. Notices You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies. 5. Application of Additional Terms You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction. 4. Inability to Comply Due to Statute or Regulation If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Termination 1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the noncompliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice. 2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate. 3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination. 6. Disclaimer of Warranty Covered Software is provided under this License on an as is basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any Open Source Licenses 2016 SAP SE or an SAP affiliate company. All rights reserved. 177

178 respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer. 7. Limitation of Liability Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party s negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You. 8. Litigation Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party s ability to bring cross-claims or counter-claims. 9. Miscellaneous This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor. 10. Versions of the License 1. New Versions Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number. 2. Effect of New Versions You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward. 3. Modified Versions If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License). 4. Distributing Source Code Form that is Incompatible With Secondary Licenses If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached. Exhibit A - Source Code Form License Notice This Source Code Form is subject to the terms of the Mozilla Public License, v If a copy of the MPL was not distributed with this file, You can obtain one at mozilla.org/mpl/2.0/ SAP SE or an SAP affiliate company. All rights reserved. Open Source Licenses

179 If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice. You may add additional accurate notices of copyright ownership. Exhibit B - Incompatible With Secondary Licenses Notice This Source Code Form is Incompatible With Secondary Licenses, as defined by the Mozilla Public License, v The BSD 3-Clause License The BSD 3-Clause License The following is a BSD 3-Clause ("BSD New" or "BSD Simplified") license template. To generate your own license, change the values of OWNER and YEAR from their original values as given here, and substitute your own. Note: You may omit clause 3 and still be OSD-conformant. Despite its colloquial name "BSD New", this is not the newest version of the BSD license; it was followed by the even newer BSD-2-Clause version, sometimes known as the "Simplified BSD License". On January 9th, 2008 the OSI Board approved BSD-2-Clause, which is used by FreeBSD and others. It omits the final "no-endorsement" clause and is thus roughly equivalent to the MIT License. Historical Background: The original license used on BSD Unix had four clauses. The advertising clause (the third of four clauses) required you to acknowledge use of U.C. Berkeley code in your advertising of any product using that code. It was officially rescinded by the Director of the Office of Technology Licensing of the University of California on July 22nd, He states that clause 3 is "hereby deleted in its entirety." The four clause license has not been approved by OSI. The license below does not contain the advertising clause. This prelude is not part of the license. <OWNER> = Regents of the University of California <ORGANIZATION> = University of California, Berkeley <YEAR> = 1998 In the original BSD license, both occurrences of the phrase "COPYRIGHT HOLDERS AND CONTRIBUTORS" in the disclaimer read "REGENTS AND CONTRIBUTORS". Here is the license template: Copyright (c) <YEAR>, <OWNER> All rights reserved. Open Source Licenses 2016 SAP SE or an SAP affiliate company. All rights reserved. 179

180 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The MIT License (MIT) Copyright (c) <year> <copyright holders> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE SAP SE or an SAP affiliate company. All rights reserved. Open Source Licenses

181 13 REFCONT: URLs for App-to-App Integration These URLs are either custom URLs (mobiledocs://) or HTTP URLs. Not all apps support both types. In addition, there is a distinction between URLs for links for share members and URLs for public links, which can be accessed by anyone who receives the link (and the password, if any). App Support Table 81: URL Types URL Type Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App Custom URL x x x HTTP URL x x REFCONT: URLs for App-to-App Integration 2016 SAP SE or an SAP affiliate company. All rights reserved. 181

182 Table 82: Available Actions Action Comment Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App select The folder containing the object identified with the parameter obj is Supported as of Web app SP3 (1.3.x). Supported as of ios SP2 (1.2.x). Supported as of Android SP3 (1.3.x). Supported as of Windows desktop app SP4 (1.4.x). opened and the object itself is selected in the documents list. mobiled ocs://: //v1/ select? rep= &obj= https: // myhost: 8080/mc m/ browser /v1/ select? rep= &obj= SAP SE or an SAP affiliate company. All rights reserved. REFCONT: URLs for App-to-App Integration

183 Action Comment Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App open If the pa Supported as Supported as Supported as Supported as rameter of Web app of ios SP2 of Android of Windows obj is SP3 (1.3.x). (1.2.x). SP3 (1.3.x). desktop app the ID of SP4 (1.4.x). a folder, the folder is opened and its content is displayed. If the parameter obj is the ID of a file, the folder is opened and the file is downloaded. mobiled ocs://: //v1/ open? rep= &obj= https: // myhost: 8080/mc m/ browser /v1/ open? rep= &obj= REFCONT: URLs for App-to-App Integration 2016 SAP SE or an SAP affiliate company. All rights reserved. 183

184 Action Comment Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App present Only for PDF files. Opens a PDF file in presentation mode. Supported as of ios SP2 (1.2.x). mobiled ocs://: //v1/ present? rep= &obj= configure Server configuration URL, together with the server.url =http(s): // <host>(:<p ort>) parameter Supported as of ios SP4 (1.4.x). mobiled ocs://: //v1/ configu re? server. url=htt ps:// myhost: SAP SE or an SAP affiliate company. All rights reserved. REFCONT: URLs for App-to-App Integration

185 Action Comment Web App ios App Android App Windows Desktop App Mac Desktop App Windows Native App create Link to create share page: Only in combination with rep=share Supported as of Web app SP5 (1.5.x). https: // myhost: 8080/mc m/ browser /v1/ create? rep=sha re Available URL Parameters rep [page 186] has the following values: <repository ID> mydocuments share corporate obj [page 186] has the following values: <object ID> path [page 186] has the following case-sensitive values: </folder1/folder2> <server.url> has the following values: http(s)://<host>(:<port>) page [page 186], ios-only chapter [page 186], ios-only Note You cannot use the obj and the path parameters in the same URL. Custom URL Syntax The custom URL syntax is: mobiledocs://://<version>/<action>?parameters REFCONT: URLs for App-to-App Integration 2016 SAP SE or an SAP affiliate company. All rights reserved. 185

186 Example mobiledocs://://v1/open?obj=1234&rep=abcdef This URL opens the document with the CMIS object ID 1234 from the repository with ID abcdef, using version v1 of the URL scheme and the open action. The syntax contains the following elements: version string, required Denotes the scheme version of ; the current version is v1. action string, required: Is an action that the app performs on the provided parameters. Available actions are listed in the table above. The syntax contains the following URL parameters: rep string (URL-encoded), required repository ID. mydocuments, share, and corporate are reserved keywords. mydocuments and share can be used instead of the corresponding repository ID. If no path or object ID is provided or found, the repository root is selected. rep=corporate can be used to address the list of all corporate repositories. For rep=corporate, the parameters obj and path are ignored. obj string (URL-encoded), optional CMIS object ID of a file or folder. If provided, the path is ignored. path string (URL-encoded), optional The absolute path inside the specified repository. The start URI is not considered here. The path is URL encoded before it is passed to. If the repository is share, the path parameter is not considered, as a link to a document or folder within a share would have the logon ID as part of the URL. Supported as of ios SP3 (1.3.x), Android SP3 (1.3.x), Web app SP3 (1.3.x), and Windows desktop app SP4 (1.4.x). page string, optional If the object is a PDF document, this parameter can display a given page on opening the document. If the object is not a PDF document or the given page is outside the range of the document, this parameter is ignored. Example: mobiledocs://://v1/open?rep=abcdef&obj=1234&page=27 chapter string, optional If the object is a PDF document that has a table of contents (ToC), this parameter can display the given chapter on opening the document. The chapter must be specified using the URL-encoding (percent representation) of the exact chapter name in the table of contents of the PDF document. If the object is not a PDF document or the given chapter is not part of its table of contents in that sense, this parameter is ignored. Examples: mobiledocs://://v1/open?rep=abcdef&obj=1234&chapter=examplechaptername (for ToC entry "ExampleChapterName") mobiledocs://://v1/open?rep=abcdef&obj=1234&chapter=example%20chapter%20name (for ToC entry "Example Chapter Name") SAP SE or an SAP affiliate company. All rights reserved. REFCONT: URLs for App-to-App Integration

187 HTTP URL Syntax for All Non-Public Links The HTTP URL syntax is: http(s)://<server>:<port>/mcm/browser/<version>/<action>?parameters Example This URL starts the Web app and triggers navigation to the repository The URL then opens all possible subfolders until object is found. The URL selects this object. The select action does not differentiate between folders or documents. The respective object is selected in the documents list of SAP Mobile Documents. The syntax contains the following elements: version string, required Denotes the scheme version of ; the current version is v1. action string, required: Is an action that the app performs on the provided parameters. Available actions are listed in the table above. The syntax contains the following URL parameters: rep string (URL-encoded), required repository ID. mydocuments, share, and corporate are reserved keywords. mydocuments and share can be used instead of the corresponding repository ID. If no path or object ID is provided or found, the repository root is selected. rep=corporate can be used to address the list of all corporate repositories. For rep=corporate, the parameters obj and path are ignored. obj string (URL-encoded), optional CMIS object ID of a file or folder. If provided, the path is ignored. path string (URL-encoded), optional The absolute path inside the specified repository. The start URI is not considered here. The path is URL encoded before it is passed to. If the repository is share, the path parameter is not considered, as a link to a document or folder within a share would have the logon ID as part of the URL. Supported as of ios SP3 (1.3.x), Android SP3 (1.3.x), Web app SP3 (1.3.x), and Windows desktop app SP4 (1.4.x). HTTP URL Syntax for Public Links The public HTTP URL syntax is: http(s)://<server>:<port>/mcm/public/<version>/<action>?parameters Example REFCONT: URLs for App-to-App Integration 2016 SAP SE or an SAP affiliate company. All rights reserved. 187

188 version string, required Denotes the scheme version of ; the current version is v1. action string, required: Is an action that the app performs on the provided parameters. Available actions are listed in the table above. The syntax contains the following URL parameters: shr string (URL-encoded), required Provides the ID of the share to display. obj string (URL-encoded), optional Specifies the object on which the provided action should be executed. If the obj parameter is not present, the share is opened in the sharing UI and the action is ignored. For shares with a public link, the share properties only show the URL for share members because the public link is already available using the link icon ( ). For an object (folder or file) in a share with a public link, the object properties show the Public URL of the Folder or Public URL of the Document, as this link is currently not available elsewhere. Path Handling for HTTP URLs Path handling for shares is explicitly switched off, as the user ID would have to be a visible part of the URL, which is not wanted. In addition, the caller (who is creating the URL and calling it) cannot determine the ID of the user who owns the share that is addressed. For objects under My Documents, the user ID must also be part of the URL as stated in the CMIS specification. However, apps parsing the URL know which ID must be used in the path: the ID of the logged-on user. Therefore, the path does not need to contain the user ID. When the apps parse the URL, they add the user ID to the beginning of the path. With this adjusted path, getobjectbypath() works. Example The apps receive the following URL: The apps use the following URL to send the getobjectbypath() request: folder SAP SE or an SAP affiliate company. All rights reserved. REFCONT: URLs for App-to-App Integration

189 Important Disclaimers and Legal Information Coding Samples Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence. Accessibility The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP. Gender-Neutral Language As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible. Internet Hyperlinks The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: Important Disclaimers and Legal Information 2016 SAP SE or an SAP affiliate company. All rights reserved. 189

190 go.sap.com/registration/ contact.html 2016 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see index.epx for additional trademark information and notices.