© 2023 SAP SE or an SAP affiliate company. All rights reserved.

PUBLIC
2023-11-30

Joule

THE BEST RUN

Content

1 What is Joule?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Initial Set Up. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.1 Onboarding Joule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Run the Booster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Post Booster Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3 Data Centers Supported by Joule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

3.1 Data Center Mapping between SAP SuccessFactors and Joule. . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

4 Supported Browsers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

5 Using Joule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

6 Joule Capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

7 Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
7.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
7.2 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
7.3 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
7.4 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Authentication of Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.5 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
7.6 Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
7.7 Data Protection and Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28

8 Accessibility Features in Joule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

9 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Joule
2 PUBLIC Content
1 What is Joule?

Joule is the AI copilot that truly understands your business. Joule revolutionizes how you interact with your
SAP business systems, making every touchpoint count and every task simpler.

It enables the companion of the Intelligent Enterprise, guiding you through content discovery within SAP
Ecosystem, and giving a transparent role-based access to the relevant processes from everywhere. This is the
one assistant experience, a unified and delightful user experience across SAP’s solution portfolio.

Joule offers conversational interactions between humans and computers to simplify access to information and
automate business processes, thus improving both employee and customer satisfaction at scale.

Joule supports three conversational patterns:

1. Navigational
Helps users navigate to the functionality they are looking for
2. Transactional
Assists users in efficient completion of their tasks
3. Informational
Helps users retrieve the information from existing documents

Environment

This service runs in any of the SAP BTP environments - Cloud Foundry, Kyma, Kubernetes or Other.

Multitenancy

Joule is a multitenant application. This means different consumers (tenants) are independently provisioned
and data from these consumers is isolated inside Joule.

Features

Integration with SAP applications

Conversational user interface that is integrated with SAP applications. It is a rich web client that renders
assistant responses using SAP Fiori compliant UI controls.

Enterprise-readiness

Out-of-the-box integration with SAP backend systems. Compliant with AI ethics, GDPR, privacy controls with
SOC-II compliance.

Publish and subscribe mechanism

Joule
What is Joule? PUBLIC 3
Capabilities based on your SAP solution portfolio are bundled into a unique assistant.

Automatic updates

Automatically updated whenever the capabilities are added or changed.

Business Benefits

• Faster work: Streamline tasks with an AI assistant that knows your unique role and acts as your copilot
across SAP applications.
• Smarter Insights: Get quick answers and smart insights on-demand, facilitating faster decision-making
without bottlenecks.
• Better Outcomes : Just ask and get excellent content for job descriptions, coding assistance, and more.
• Full Control : Maintain full control over decision-making and your data privacy while accessing generative AI
in a safe environment.

Prerequisites

See Initial Set Up [page 5].

Regional Availability

Get an overview on the availability of Joule according to region, infrastructure provider in Data Centers
Supported by Joule [page 18].

Joule
4 PUBLIC What is Joule?
2 Initial Set Up

Perform this procedure in the SAP BTP cockpit to use Joule for productive purposes.

This section describes the onboarding process for Joule as well as information related to user authentication
and provisioning. It involved the following steps:

1. Prerequisites [page 6]
2. Run the Booster [page 7]
3. Post Booster Configurations [page 8]

2.1 Onboarding Joule

A step by step guide for setting up Joule and integrating it with SAP solutions.

Overview of the Onboarding Process

Joule includes multiple components that must be integrated for a seamless working solution. The onboarding
process consists of the following steps:

Step Detailed Instructions

Complete the prerequistes related to adding the required Prerequisites [page 6]

entitlements, configuring the authentication and global user
ID.

Run the Joule booster for automatic setup steps on your Run the Booster [page 7]
subaccount.

Configure navigation service destination, CDM content pro- Post Booster Configurations [page 8]
vider and configuration related to user management and
authentication.

Unsubscribing from Joule

Upon unsubscribing from Joule, all new configurations will be deleted. All services that are part of Joule setup
will be unsubscribed, and their persisted data will be deleted. Consequently, you will not be able to access your
assistant and the chat data.

Joule
Initial Set Up PUBLIC 5
2.1.1 Prerequisites

You have met the following prerequisites before onboarding Joule:

 Note

Please contact your account executive if any of the following entitlements is not available in your global
account.

• You have a license for SAP products (SAP SuccessFactors, SAP Start) in one of the supported data
centers, as Joule is an embedded application that is integrated with SAP products. For more information,
see Data Center Mapping between SAP SuccessFactors and Joule [page 18].

 Note

If you want to integrate Joule with SAP Start, you must have a license of SAP SuccessFactors.

• You have integrated the SAP product with Identity Authentication as Joule leverages the IAS setup of the
SAP product for user login. For more information, see Getting Started with Identity Authentication and SAP
SuccessFactors.
• You have an enterprise global account on SAP BTP as Joule is an SAP BTP based application and relies on
SAP BTP services. For more information, see Enterprise Accounts.
• You have the entitlements for Cloud Identity Services- Identity Authentication and Identity Provisioning.
Joule uses the Identity Authentication for user login and Identity Provisioning service to handle
provisioning of identities and their authorizations to various business applications (SAP SuccessFactors,
Identity Authentication Service Tenant, SAP Build Work Zone, standard edition). For more information, see
Tenant Models and licensing information for Identity Authentication and Identity Provisioning.
• Verify that your global account is configured with the following entitlements. For more information, see
Managing Entitlements and Quotas Using the Cockpit.

Application Technical Name Plan Required Quota Remaining Quota

Joule das-application foundation 1 limited

SAP Build Work Zone, SAPLaunchpad foundation or stand- 1 limited

standard edition ard

Service Technical Name Plan Required Quota Remaining Quota

SAP Build Work Zone, build-workzone- foundation or stand- 1 limited

standard edition standard ard

 Note

You don't need a separate license for SAP Build Work Zone, standard edition as it is included with
Joule license. If you already have a license of SAP Build Work Zone, standard edition (foundation or
standard), you can continue to use the same. Make sure that you choose the same plan for SAP Build
Work Zone, standard edition application and service.

Joule uses navigation service component of SAP Build Work Zone, standard edition to resolve intent based
navigation targets and configure additional content providers.

Joule
6 PUBLIC Initial Set Up
 • You have created a subaccount in your global account using the SAP BTP cockpit for provisioning Joule.

 Tip

For more information, see Create a Subaccount in the Cloud Foundry Environment.

• You have established federated trust in your subaccount and configured assertion attribute user_uuid
to Global User ID field in Identity Authentication application corresponding to your subaccount to
allow user identification based on global user ID. For more information, see Global User ID in Integration
Scenarios.

Related Information

SAP BTP Onboarding

SAP Cloud Identity Services
SAP Build Work Zone, standard edition

2.1.2 Run the Booster

Instructions for running the booster to set up Joule.

Before you run the booster, ensure that all the necessary prerequsites are completed. For more information,
see Prerequisites [page 6].

Procedure

1. Login into the BTP account as global account administrator.

2. In the left navigation pane of the global account, click Boosters.
3. In the Boosters screen, search for Setting up Joule and click Start.
4. The following steps are involved in completing the provisioning process:

Steps Action

Check Prerequsites The following validations run in the backend:

• global account administrator role for running the
booster
• service entitlements in the global account
• Identity Authentication tenant to login to the inte-
grated product

Configure Subaccount Select the subaccount that should be used for Joule provi-
sioning and configurations.

Joule
Initial Set Up PUBLIC 7
 Steps Action

Select Integrations • Select the appropriate SAP solution where Joule

should be enabled. This selection also determines the
capabilities that will be provisioned in Joule.
• Choose if Joule should log the conversation data for
your tenant. For more information, see Data Protec-
tion and Privacy [page 28].

Integration Details 1. Provide the required product integration details to

allow integration of Joule.
Example
SAP SuccessFactors tenant login
URL: https://hcm41preview.sapsf.com/
login?company=testacc01
Tenant Domain: https://
hcm41preview.sapsf.com
Company Code: testacc01
2. Click Validate.
The following validations run in the backend:
• the customer ID of the SAP BTP account and
corresponding SAP SuccessFactors tenant
• the capability version that should be provisioned
in Joule

Review Review the information that you have entered on the last
page of the booster and click Finish to trigger Joule provi-
sioning.

5. After a successful provisioning, a confirmation message is displayed.

2.1.3 Post Booster Configurations

The tasks you need to perform after setting up Joule.

You need to perform the following tasks after setting up Joule:

• Configure Navigation Service [page 8]

• Configure Trusted Domains for SAP Authorization and Trust Management Service [page 16]
• Enable Joule in SAP Products [page 17]

2.1.3.1 Configure Navigation Service

Configure the navigation service to resolve intent based navigation targets that are defined in the backend.

Before triggering the configuration process, make sure that the following is in place for your subaccount:

Joule
8 PUBLIC Initial Set Up
 • You have the entitlement for SAP Build Work Zone, standard edition service. For more information, see
Prerequisites [page 6].
• You have created a service instance and generated a service key for SAP Build Work Zone, standard edition
(foundation plan). For more information, see Create SAP Build Work Zone Application and Instance [page
9].

The configuration process involvles the following steps:

• Create SAP Build Work Zone Application and Instance [page 9]

• Configure Destination to Use Navigation Service [page 10]
• Access CDM Content from SAP SuccessFactors [page 11]
• Configure Identity Provisioning Service [page 13]

2.1.3.1.1 Create SAP Build Work Zone Application and

Instance

Steps to create a subscription and instance of SAP Build Work Zone, standard edition.

Make sure that you have the entitlement for SAP Build Work Zone, standard edition (foundation plan) for both
application and service added in your global account. For more information, see Prerequisites [page 6].

 Note

If your subaccount already has the set up for SAP Start or SAP Build Work Zone, standard edition (standard
plan), you can skip these entitlements and continue to use the same and add the missing configurations.

Create a Subscription for SAP Build Work Zone, standard edition

1. In the SAP BTP Cockpit, open your subaccount.

2. Go to Services Service Marketplace in the left navigation pane.
3. Search for SAP Build Work Zone, standard edition, and click the tile.
4. In the top right corner, click Create.
5. In the window that opens, keep all the default settings and click Create.
6. Assign users to the Launchpad_Admin role collection. This role collection enables you to perform all the
administration tasks for a SAP Build Work Zone, standard edition site, and is available out-of-the-box.
1. Go to Security Role Collections in the left navigation pane.
2. Search for the role collection Launchpad_Admin.
3. Open the role collection for editing. Click the arrow at the far right, and in the role collection screen,
click Edit.
4. In the Users section of the screen, search for your email and add it to the list of users by clicking the +
button. Save your changes.

Joule
Initial Set Up PUBLIC 9
Create an Instance for SAP Build Work Zone, standard edition

1. Go to Services Service Marketplace in the left navigation pane.

2. Search for SAP Build Work Zone, standard edition, and click the tile.
3. In the top right corner, click Create and enter the details of the new service instance.

 Note

You must enable Cloud Foundry and create a space before you create a service instance. For more
information, see Creating Service Instances in Cloud Foundry

4. In the window that opens, keep all the default settings and click Create.
5. To create a service key, still in the Instances and Subscriptions screen, click the  (Actions) next to the
service instance entry in the table, and create a service key. For more information, see Creating Service
Keys in Cloud Foundry

Related Information

SAP Build Work Zone, standard edition

2.1.3.1.2 Configure Destination to Use Navigation Service

Steps to configure the destination for using the navigation service.

You need to configure a destination with the name NavigationService in the subaccount with Joule set up
to use the navigation service and ensure that these targets are resolved at runtime.

1. Go to your subaccount for Joule set up and choose Connectivity Destinations and create new
destination with the following information:

Field Value

Name NavigationService

Type HTTP

URL portal url from the service key created for the serv-
ice instance of SAP Build Work Zone, standard edition.

Proxy Type Internet

Authentication OAuth2UserTokenExchange

Client ID Client ID from the service key created for the service in-
stance of SAP Build Work Zone, standard edition.

Joule
10 PUBLIC Initial Set Up
 Field Value

Client Secret Client Secret from the service key created for the service
instance of SAP Build Work Zone, standard edition.

Token Service URL Type Common

Token Service URL https://<uaa url>/oauth/token

2. In the Additional Properties section, enter the following information:

Field Value

Use default JDK trust store Enable this option.

3. Save your changes.

2.1.3.1.3 Access CDM Content from SAP SuccessFactors

SAP SuccessFactors provides a REST API to push CDM content to SAP Start. You need to configure a design
time destination and a runtime destination in the SAP BTP subaccount, and a content channel in the SAP Build
Work Zone Content Manager to push the content to the SAP Start site.

Create a Design Time Destination

Create a design-time destination on SAP BTP to access the CDM content API from SAP SuccessFactors.

 Note

Accessing SAP SuccessFactors APIs using Basic Authentication has been deprecated. You can create
certificate based destinations. For more information, see Deprecation of HTTP Basic Authentication for
APIs.

1. Log into your SAP BTP cockpit and go to your subaccount for Joule set up.
2. Choose Connectivity Destinations and create new destination with the following information:

Field Value

Name LPS_SFSF_dt

Type HTTP

Joule
Initial Set Up PUBLIC 11
 Field Value

URL https://<tenant
API URL>/rest/servicesfoundation/
sfcdmcontentservice/v1/SFCDMContent

Proxy Type Internet

Authentication Basic Authentication

User Enter your SAP SuccessFactors username with oData API

access and company in the format of username@COM-
PANY

Password Enter the password for your SAP SuccessFactors

3. In the Additional Properties section, enter the following information:

Field Value

Use default JDK trust store Enable this option

HTML5.Dynamic Destination true

4. Save your changes.

Update the Runtime Destination

LPS_SFSF_rt destination is automatically created when you run the Joule booster. It has the following
configurations:

Field Value

Name LPS_SFSF_rt

Proxy Type Internet

Authentication NoAuthentication

Type HTTP

URL Your SAP SuccessFactors tenant URL

Additional Properties
Field Value

sfsf.companyID SAP SuccessFactors company

However, you may need to update the destination in the following scenarios:

Joule
12 PUBLIC Initial Set Up
 • If you are using SAP Build Work Zone foundation plan (not standard plan), add the following property in the
Additional Properties section by typing sap-start in the field. It is not available in the drop-down menu.

Field Value

sap-start true

• If your SAP SuccessFactors tenant is already migrated to cloud.sap (SAP super domain), update the URL
field in the destination to use new super domain, for example, https://sfsf.cloud.sap.

Add a Content Provider to Consume CDM Content

Add a new content provider to your SAP Start site to consume the CDM content from SAP SuccessFactors. For
information on accessing the Site Manager, see section Open and Manage SAP Build Work Zone Application in
this tutorial .

1. Go to Services Service Marketplace in the left navigation pane.

2. Click the SAP Build Work Zone, standard edition application subscription hyperlink to open the application.
3. Go to the Site Manager page and open the Channel Manager tab.
4. Choose + New Content Provider to add a new content provider.
5. Enter the following information:

Field Value

Title Enter a name for the content provider (recommended

sfsf)

Description Enter a description for the content provider

ID Any unique ID (recommended sfsf)

Design-Time Destination Select the design time destination LPS_SFSF_dt

Runtime Destination Select the runtime destination LPS_SFSF_rt

Runtime Destination for Dynamic Data Select Use default runtime destination

Automatically add all content items to subaccount True

Use the Identity Provisioning service to provision user au- True

thorizations

6. Save the entry.

2.1.3.1.4 Configure Identity Provisioning Service

Steps to configure Identity Provisioning service.

Navigation service of SAP Build Work Zone, standard edition service uses Identity Provisioning service (IPS)
that is used to provision identities and their authorizations between source and target systems.

Joule
Initial Set Up PUBLIC 13
This section describes the steps to configure the source system (SAP SuccessFactors) and target systems
(Identity Authentication and SAP Build Work Zone, standard edition) in the Identity Provisioning of your IAS
application user interface. For some customers, SAP SuccessFactors and the Identity Authentication systems
are already configured as the source and target system by the Upgrade Center.

The following configurations are required to provision:

1. User details like user email, Global User ID and group memberships from SAP SuccessFactors to SAP Build
Work Zone, standard edition.
2. User roles as groups from SAP SuccessFactors (source system) to SAP Build Work Zone, standard edition
with role ID as external ID and group memberships.

 Note

You must have the administrative access to your Identity Provisioning tenant and you need to enable the
Manage Identity Provisioning role for your user. For more information, see Manage Authorizations in SAP
Cloud Identity Infrastructure.

1. Login to your Identity Authentication tenant.

2. Navigate to Identity Provisioning Source System .
3. Select the source system configured for SAP SuccessFactors from the left panel and go to the
Transformations tab. You can switch to the JSON editor by choosing the code-bracket icon.
4. Ensure that the group entity has following configuration:

Property Value Description

Ignore false Ensures groups SCIM entity is consid-

ered during the provisioning jobs

Mappings  Sample Code Ensures the source ID field of the

SCIM entity groups is set to externalId
{
"sourcePath":
"$.id",
"targetPath":
"$.externalId"
},

5. Under the Properties tab, ensure that the field sf.user.filter is configured to fetch all the required and
valid users.
6. Follow these steps if you don’t want the groups to be provisioned in IAS, else skip this step and go to step 8.
1. Navigate to Identity Provisioning Source System .
2. Select the target system configured for Identity Authentication from the left panel and go to the
Transformations tab. You can switch to the JSON editor by choosing the code-bracket icon.
3. Ensure that the group entity has following configuration:

Property Value Description

Ignore true Ensures groups SCIM entity is ig-

nored during the provisioning jobs

Joule
14 PUBLIC Initial Set Up
 7. Create a new target system with following information:

Field Value

Type SAP Build Work Zone, standard edition

Name Any meaningful name (Work Zone-Target)

Description Any meaningful description

Source System Select SuccessFactors source system

8. Select the target system that you created from the left panel and go to the Transformations tab. You can
switch to the JSON editor by choosing the code-bracket icon.
9. Choose Edit. Add the following attribute mapping for the group entity.

Property Value Description

Mapping  Sample Code Ensures the externalId field of the

SCIM entity groups is set to externalId
{
"sourcePath":
"$.externalId",
"targetPath":
"$.externalId",
},

10. Switch to Properties tab and add or confirm if the following properties are available using service key
generated earlier for the SAP Build Work Zone, standard edition (foundation or standard plan):

Field Value

URL portal-service field value under endpoints node

from the service key

Authentication Basic Authentication

User clientid field value under uaa node from the service
key

Password clientsecret field value under uaa node from the

service key

ProxyType Internet

Type HTTP

OAuth2TokenServiceURL https://<uaa url>/oauth/token

ips.trace.failed.entity.content False

Joule
Initial Set Up PUBLIC 15
 Field Value

cflp.user.unique.attribute emails[0].value,
['urn:ietf:params:scim:schemas:extensio
n:2.0:mapping']
['providerId'],externalId

cflp.support.bulk.operation false

cflp.providerId ID field value for content channel configured for SAP Suc-
cessFactors in SAP Build Work Zone

cflp.group.unique.attribute externalId,
['urn:ietf:params:scim:schemas:extensio
n:2.0:mapping']['providerId']

cflp.bulk.operations.max.count 100

11. Navigate to Identity Provisioning Source System .

12. Select the source system configured for SAP SuccessFactors and switch to Jobs tab.
13. Run a Read or a Resync job as per your requirements to provision SAP SuccessFactors users and roles to
SAP Build Work Zone (Navigation Service).

 Note

1. You may need to run Refresh Synthetic Group Data job in SAP SuccessFactors and Update operation in
SAP Build Work Zone content channel to sync the user roles or group permissions.
2. We recommended to run Identity provisioning service (IPS) provisioning job on scheduled basis with
interval less than or equal to twenty four hours for permissions to take effect on time and overlap with
Refresh Synthetic Group Data job in SAP SuccessFactors.

2.1.3.2 Configure Trusted Domains for SAP Authorization

and Trust Management Service

Configure Trusted Domains for SAP Authorization and Trust Management

Service

You need to add the domain of the integration product as trusted domain.

1. Go to your subaccount for Joule set up and choose Security Settings .

2. Choose  (Add)
3. Enter the host name of the integration product as the trusted domain.
For example: https://hcm41preview.sapsf.com or https://*.sapsf.com

Joule
16 PUBLIC Initial Set Up
 4. Save your entries.

2.1.3.3 Enable Joule in SAP Products

Tasks to enable Joule in SAP products

Enable Joule in SAP SuccessFactors

For more information, see Enabling Joule in SAP SuccessFactors.

Enable Joule in SAP Start

Joule is automatically enabled in SAP Start, if you have selected this option while running the booster. For more
information, seeRun the Booster [page 7]

Joule
Initial Set Up PUBLIC 17
3 Data Centers Supported by Joule

Joule supports the following data centers:

Region Infrastructure Provider Application Identifier

Europe (Frankfurt) Amazon Web Services (AWS)

das-application!b188376

US (Virginia) Amazon Web Services (AWS) das-application!b188376

3.1 Data Center Mapping between SAP SuccessFactors and

Joule

The following table shows the mappings between SAP SuccessFactors data centers and Joule data centers
that are currently supported.

Data Center Mapping

SAP SuccessFactors Data Centers Joule Data Centers

DC33 (Frankfurt) Europe (Frankfurt)

DC55 (Frankfurt) Europe (Frankfurt)

DC41 (Virginia) US (Virginia)

DC68 (Virginia) US (Virginia)

DC70 (Virginia) US (Virginia)

 Note

Europe (Frankfurt) data center is available only for Non-EU (European Union) access customers.

Joule
18 PUBLIC Data Centers Supported by Joule
4 Supported Browsers

Joule supports all modern browsers. The following is the list of browsers that are supported on Microsoft
Windows and on Mac OS:

Supported Browsers
Browser Version

Google Chrome Latest version

 Note
Ensure that you have enabled the Allow third-party cook-
ies option under the Privacy and security section of your
browser settings.

Microsoft Edge (Chromium) Latest version

 Note
Web Client does not support IE mode in Microsoft Edge
and MS Edge strict mode.

Mozilla Firefox Extended Support Release (ESR) and latest version

Safari Latest version

 Note
To launch Joule in Safari, you must disable Cross Site
Tracking under the Privacy settings of your browser.

 Note

Joule Web Client runs inside an iframe. As a result, when integrated into applications having domain other
than the SAP product domain cloud.sap or it’s subdomains, third party cookies should be allowed in the
browser. Based on the device or browser used, you may also have to set up custom profile for tracking
protection to enable the third party cookies.

Joule
Supported Browsers PUBLIC 19
5 Using Joule

Opening Joule

Depending on the integration scenario, can either be opened using the built-in Launcher (a floating button at
the bottom right of the screen), or via a custom launch option implemented by the integrating web platform.
For example, the SAP S/4HANA Fiori Launchpad offers a button in its Shell Bar right toolbar.

Once opened, Joule offers useful functions in its header:

• Close: Joule can be closed at anytime

• Expand: Joule can be expanded in order to fill the available screen space and offer a better user experience
• Reset conversation: the user can reset the conversation at anytime
• Manage Settings: you can Turn off Animations on the welcome screen using the Settings screen in Joule.
Once you start the conversation with Joule, the settings page will appear in the header

 Remember

Joule must not be used in shared desktop environments where different users share the same browser
(so-called kiosk mode). Users should use an own session on operating system level, and not rely on browser
logout only.

Chatting with Joule

1. Open Joule.
A welcome screen with help text and recommended actions will be displayed.

Joule
20 PUBLIC Using Joule
Joule
Using Joule PUBLIC 21
2. You can either use the recommended actions to trigger a conversation or enter a request in the input field
and press Enter or click Send in Joule.
If the Speech-To-Text has been implemented by the integrating platform, you can click on the microphone
icon to make a verbal request to the assistant.
To recall the last requests typed (or spoken), use the up arrow key on your keyboard, while having the focus
in the input field.

Conversation Expiration
Conversations expire after 15 minutes of inactivity. Upon expiration you'll be notified and provided with an
option to trigger a new conversation.

Joule
22 PUBLIC Using Joule
6 Joule Capabilities

Find out the list of capabilities that are available for Joule. For more information, see Joule Capabilities.

Joule
Joule Capabilities PUBLIC 23
7 Security

The security guide provides an overview of the security-relevant information that applies to Joule.

General Information

With the increasing use of distributed systems and the internet for managing business data, the demands
on security are also on the rise. When using a distributed system, you need to be sure that your data
and processes support your business needs without allowing unauthorized access to critical information.
User errors, negligence, or attempted manipulation of your system should not result in loss of information
or processing time. These demands on security apply likewise to Joule. This guide helps you in securely
consuming Joule.

7.1 Introduction

Target Audience

End-users

Overview of the Main Sections

The security guide comprises the following main sections:

• Before You Start [page 25]

This section describes how to use this document and provides links to other relevant security guides
• Technical System Landscape [page 25]
This section provides an overview of the technical components and communication paths that are used by
Joule.
• User Administration and Authentication [page 26]
This section provides an overview of the user administration and authentication aspects.
• Authorizations [page 28]
This section provides an overview of the authorization concept that applies to Joule.
• Network and Communication Security [page 28]
This section provides an overview of the secure communication paths used by Joule and the security
mechanisms that apply.
• Data Protection and Privacy [page 28]
This section describes how Joule protects personal or sensitive data.

Joule
24 PUBLIC Security
•
This sections describes the events that are logged by Joule per category.

7.2 Before You Start

You need to first subscribe to the Joule application in SAP Business Technology Platform.

The foundation plan provides your business users access to Joule user interface and the runtime for Joule
capabilities. For more information, see Initial Set Up [page 5].

Important SAP Notes

For a list of security-relevant SAP Hot News and SAP Notes, see SAP Service Marketplace at http://
support.sap.com/securitynotes .

Additional Information

For more information about specific topics, see the quick links in the table below.

Content Quick Link

Security https://www.sap.com/community/topic/security.html

Security guides http://help.sap.com

Related SAP Notes https://support.sap.com/notes

https://support.sap.com/securitynotes

Released platforms https://support.sap.com/pam

SAP Trust Center https://www.sap.com/trust-center

7.3 Technical System Landscape

Joule is built on SAP Business Technology Platform, Cloud Foundry environment (feature set B).

The following figure shows an overview of the technical system landscape for Joule integrated with an SAP
application.

Joule
Security PUBLIC 25
Joule application provides the business users access to assistant runtime and the Joule UI which is integrated
into the homepage of an SAP applications like SAP Start or SAP SuccessFactors HXR homepage. For more
information, see Using Joule [page 20].

When a business user accesses the homepage of the SAP application, an initial authentication via SAP Identity
Authentication (IAS) is done.

Once the user launches Joule, it is loaded in an iFrame in the browser and the user is authenticated via IAS. The
utterances that are typed by the user are interpreted by the runtime. If the assistant needs to fetch data from
the backend system of an SAP application to respond to the user, the runtime uses a destination with principal
propagation (SAML Assertion or OAuth2SAMLBearer) to retrieve the data on behalf of the user.

7.4 User Administration and Authentication

Joule uses the standard SAP Business Technology Platform mechanisms for setting up trust to a custom
Identity Provider.

• User Management
• Authentication of Requests

Joule
26 PUBLIC Security
7.4.1 User Management

User management is handled by SAP Authorization and Trust Management service in the Cloud Foundry
environment. For more information on user management, see SAP Authorization and Trust Management
Service in the Cloud Foundry Environment (click Trust and Federate in the graphic).

7.4.2 Authentication of Requests

This topic explains how requests to Joule are authenticated.

Business User

Since Joule is built on SAP BTP, Cloud Foundry environment, all requests to the user interface are handled by a
central AppRouter which requires an OAuth Authorization Code grant flow.

The XSUAA acts as the issuer of the authorization code and requires the user to authenticate, as configured in
the Trust Configuration for the corresponding SAP BTP subaccount.

Recommendations

By default, Joule is not configured for single log-out (SLO) with the using application. Since Joule is intended to
be used in multiple SAP applications, SLO from one application (for example, SAP SuccessFactors) should not
impact the usage of Joule in other application (for example, SAP Start).

 Remember

Joule must not be used in shared desktop environments where different users share the same browser
(so-called kiosk mode). Users should use an own session on operating system level, and not rely on browser
logout only.

Related Information

OAuth Password Authentication

OAuth Authorization Code Authentication

Joule
Security PUBLIC 27
7.5 Authorizations

The end_user role in the SAP Business Technology Platform grants authorization to access Joule.

7.6 Network and Communication Security

Joule is an application on SAP BTP, Cloud Foundry Environment and, as such, based on SAP BTP’s network
topology.

See Transport Layer Security (TLS) Connectivity Support for details on TLS Connectivity and Trusted
Certificate Authentication for trusted CAs.

For outbound connectivity, destinations are configured in the SAP BTP subaccount during the provisioning
process to connect to different SAP systems. For more information, see Initial Set Up [page 5].

For more information on security for the SAP BTP Connectivity in general, see Security.

7.7 Data Protection and Privacy

We protect user's privacy and handle data in a transparent and responsible way. This section provides
information about how we collect, store, process, and dispose of data entered into Joule.

Why and How Is User Data Stored?

We collect data submitted by users in Joule to evaluate whether and how well Joule responds to user requests,
allowing us to continuously improve Joule's understanding of user intents and its overall performance, as
part of the commissioned data processing. We anonymize the personal data before conducting continuous
improvement of Joule. The personal data could consist of the following data categories: first name, last name,
business email address, and phone number. Your users will be presented with a note in the functionality to warn
them about not submitting sensitive personal data to Joule.

Submitted data is stored in log files within Joule, where it is analyzed by SAP to continuously improve the
functionality and accuracy of Joule. After the log rotation threshold is met, the submitted data is automatically
purged.

The customer, in its capacity as a data controller, shall fulfil the obligations of the data controller towards the
user as set out in the relevant legislation and the Data Processing Agreement, including providing users with
information about their personal data processing, providing the legal basis for the data processing and dealing
with any user’s complaints and exercising rights relating to the processing of personal data in Joule. For more
information, see Data Centers Supported by Joule [page 18].

Joule
28 PUBLIC Security
What Submitted Data Is Used for the Continuous Improvement of Joule?

We may use any submitted data, excluding personal data, to continuously improve Joule natural language
processing engine. Personal data submitted by users will be anonymized before any such continuous
improvement is conducted.

Who Can Access Data?

Only the SAP product teams working on Joule can access the submitted data, on a need-to-know basis, in
connection with the continuous improvement of Joule.

What Should You Know Before Interacting with Joule?

If users are not comfortable with personal data being processed, they are advised not to submit any personal
data when interacting with Joule, as stated in the note displayed in the user interface. Users are further advised
not to submit any sensitive personal data or other sensitive information (such as personal data revealing racial
or ethnic origin, religious beliefs, health, or sexual orientation) in Joule. We shall not be held liable in any way for
the risk, danger, or loss caused to users as a result of their submission of any sensitive personal data or other
sensitive information to Joule.

Joule
Security PUBLIC 29
8 Accessibility Features in Joule

To optimize your experience of Joule, SAP Business Technology Platform (SAP BTP) provides features and
settings that help you use the software efficiently.

 Note

Joule runs on the SAP BTP cockpit. For this reason, the accessibility features for SAP BTP cockpit apply.
For more information, see the accessibility documentation for SAP BTP cockpit on SAP Help Portal at
Accessibility Features in SAP BTP Cockpit.

For more information on keyboard handling for SAPUI5 UI elements and screen-reader support for SAPUI5
controls, see Accessibility for End Users.

Joule
30 PUBLIC Accessibility Features in Joule
9 Troubleshooting

Find out how to get support.

Getting Support

If you encounter an issue with Joule, you can report an incident or error through the SAP Support Portal. For
more information, see Getting Support.

Please use the following component for your incident:

Component Name Component Description

CA-JOULE JOULE

When submitting the incident, we recommend including the following information:

• Region information (EU10, US10, for example)

• Subaccount ID
• The steps used to replicate the error
• Screenshots and network trace

Joule
Troubleshooting PUBLIC 31
Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using
such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities,
genders, and abilities.

Joule
32 PUBLIC Important Disclaimers and Legal Information
Joule
Important Disclaimers and Legal Information PUBLIC 33
www.sap.com/contactsap

© 2023 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.

THE BEST RUN