Key Value Maps
The key value maps are all prefixed with ROIAM_.
Each key value map consists of two entries — one unencrypted and one encrypted. The encrypted entry must have exactly the same name as the unencrypted one, but with the suffix _vault. Example:
- ROIAM_Internal_API_Proxy (not encrypted)
- ROIAM_Internal_API_Proxy_vault (encrypted)
Logically, the encrypted map contains sensitive information such as secrets and passwords used for communication with other services, while the unencrypted map contains usernames, client IDs, URLs, and similar non-sensitive values.
ROIAM_Internal_API_Proxy
The key vault is used for storing variables used in the internal communication to ROI iAM.
roiam_schema_endpoint ->
InterfacesService/detailsOf
roiam_event_baseURL ->
https://<application_route_of_ROIAM_Runtime_EventConsumer_Service>/odata/v4/runtime/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space where the apps are deployed and find the app called ROIAM_Runtime_EventConsumer_Service. Copy the application route.
roiam_landscape_baseURL ->
https://<application_route_of_ROIAM_Home_Service>/odata/v4/home/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space where the apps are deployed and find the app called ROIAM_Home_Service. Copy the application route.
roiam_process_baseURL ->
https://<application_route_of_ROIAM_Runtime_Process_Service>/odata/v4/runtime/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space where the apps are deployed and find the app called ROIAM_Runtime_Process_Service. Copy the application route.
roiam_audit_baseURL ->
https://<application_route_of_ROIAM_Runtime_Audit_Service>/odata/v4/runtime/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space where the apps are deployed and find the app called ROIAM_Runtime_Audit_Service. Copy the application route.
roiam_IAS_tokenURL ->
<tenantID>.accounts.ondemand.com
TIP
This is the authentication CIS tenant URL assigned to the SAP BTP subaccount where ROI iAM is deployed.
roiam_api_clientID ->
<Client ID from IAS application>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_authentication_ias_consumer". A service key named consumer_key should be available; extract the clientid attribute value.
roiam_processComplete_endpoint ->
process/ProcessInstanceService/complete
roiam_processRunning_endpoint ->
process/ProcessInstanceService/running
roiam_auditFail_endpoint ->
audit/AuditService/fail
roiam_landscapeRepository_endpoint ->
LandscapeService/readRepositoryByName
roiam_eventConsume_endpoint ->
eventconsumer/EventConsumerService/consume
roiam_auditInitialize_endpoint ->
audit/AuditService/initialize
ROIAM_Internal_API_Proxy_vault
roiam_api_clientSecret ->
<clientsecret>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named ROIAM_authentication_ias_consumer. A service key named consumer_key should be available; extract the clientsecret attribute value.
ROIAM_SCIM_API_Proxy
roiam_IAS_tokenURL ->
<tenantID>.accounts.ondemand.com
TIP
This is the authentication CIS tenant URL assigned to the SAP BTP subaccount where ROI iAM is deployed.
roiam_scim_clientID ->
<Client ID from IAS application>
TIP
In the CIS tenant used for authentication of the SAP BTP subaccount where ROI iAM is deployed, navigate to Applications, find "ROI Intelligent Access Management - Consumer - <CF space>", open Client Authentication, and copy the Client ID.
roiam_scim_baseURL ->
https://<application_route_of_ROIAM_SCIM_REST>/roiam/scim/v2/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to the CF space and find the app called ROIAM_SCIM_REST. Copy the application route.
ROIAM_SCIM_API_Proxy_vault
roiam_scim_clientSecret ->
<clientsecret>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_authentication_ias_consumer". A service key named consumer_key should be available; extract the clientsecret attribute value.
ROIAM_Send_Event_Proxy
roiam_OAuth_tokenURL ->
<uaa.url>
TIP
From the SAP BTP subaccount where SAP Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for SAP Integration Suite, Event Mesh with plan message-client. A service key should be present; extract the uaa.url attribute. Remove the protocol from the URL and paste the result as the value in the KVM.
roiam_customer_targetURL ->
<url>/messagingrest/v1/messages
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for the service SAP Integration Suite, Event Mesh with plan “message-client”. A service key should be present; from it, take the value of the attribute “messaging[protocol=’httprest’].url”.
roiam_sendEvent_clientID ->
<uaa.clientID>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for the service SAP Integration Suite, Event Mesh with plan “message-client”. A service key should be present; from it, take the value of the attribute “uaa.clientID”.
roiam_public_targetURL -> same as “roiam_customer_targetURL”
ROIAM_Send_Event_Proxy_vault
roiam_sendEvent_clientSecret ->
<uaa.clientsecret>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for the service SAP Integration Suite, Event Mesh with plan “message-client”. A service key should be present; from it, take the value of the attribute “uaa.clientsecret”.
ROIAM_GRC_SOAP_RiskAnalysis_Proxy (applicable only for GRC accelerator)
roiam_grcRiskAnalysis_targetURL ->
<ci_deployed_artefact_url>
TIP
The URL of the deployed CI iFlow artifact named "ROI iAM - GRC - Authorization Management".
roiam_grcRiskAnalysis_clientID ->
<oauth.clientid>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for the service SAP Process Integration Runtime with plan “integration-flow”. A service key should be present; from it, take the value of the attribute “oauth.clientid”.
ROIAM_GRC_SOAP_RiskAnalysis_Proxy_vault (applicable only for GRC accelerator)
roiam_grcRiskAnalysis_clientSecret ->
<oauth.clientsecret>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for the service SAP Process Integration Runtime with plan “integration-flow”. A service key should be present; from it, take the value of the attribute “oauth.clientsecret”.
ROIAM_Internal_BTP_Proxy
roiam_destination_baseURL ->
<uri>/destination-configuration/v1/destinations/
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_destination". A service key should be available with name "api-management-key" and from it extract the “url” attribute value.
roiam_OAuth_TokenURL ->
<url> (without protocol)
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_destination". A service key should be available with name “api-management-key” and from it extract the “url” attribute value without protocol (e.g. http/https).
roiam_destination_clientID ->
<clientid>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_destination". A service key should be available with name “api-management-key” and from it extract the “clientid” attribute value.
ROIAM_Internal_BTP_Proxy_vault
roiam_destination_clientSecret ->
<clientsecret>
TIP
From the SAP BTP subaccount where ROI iAM is deployed, navigate to Instances and locate the instance named "ROIAM_destination". A service key should be available with name “api-management-key” and from it extract the “clientid” attribute value.
ROIAM_Internal_CI_Proxy
roiam_ci_targetURL ->
<oauth.url>/http
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for the service SAP Process Integration Runtime with plan “integration-flow”. A service key should be present; from it, take the value of the attribute “oauth.url”.
roiam_ci_clientID ->
<oauth.clientid>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for the service SAP Process Integration Runtime with plan “integration-flow”. A service key should be present; from it, take the value of the attribute “oauth.clientid”.
roiam_ci_tokenURL ->
<oauth.tokenurl> (without protocol)
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for the service SAP Process Integration Runtime with plan “integration-flow”. A service key should be present; from it, take the value of the attribute “oauth.tokenurl”, without the protocol (e.g. http/https).
ROIAM_Internal_CI_Proxy_vault
roiam_ci_clientSecret ->
<oauth.clientsecret>
TIP
From the SAP BTP subaccount where SAP Cloud Integration Suite is running, navigate to Instances. The instance name was provided during prerequisites setup. The instance is for the service SAP Process Integration Runtime with plan “integration-flow”. A service key should be present; from it, take the value of the attribute “oauth.clientsecret”.
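The conventions on this page (the ROIAM_ prefix, the paired _vault map, client secrets only in the encrypted map, token URLs stored without protocol) can be checked before the maps are created. The following is an added example, not part of the ROI iAM product or of SAP API Management; the function name lint_kvms, the dictionary layout and all sample values are assumptions constructed for illustration.

```python
import re

PREFIX, VAULT = "ROIAM_", "_vault"
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # e.g. "https://"

def lint_kvms(kvms):
    """Return sorted findings for a set of KVM definitions.

    kvms: {map_name: {"encrypted": bool, "entries": {key: value}}}
    (hypothetical in-memory layout, not an API Management export format).
    Findings never echo values, so secrets do not leak into the report.
    """
    findings = []
    for name, kvm in kvms.items():
        is_vault = name.endswith(VAULT)
        if not name.startswith(PREFIX):
            findings.append(f"{name}: missing {PREFIX} prefix")
        # Every map needs its counterpart: X <-> X_vault.
        partner = name[:-len(VAULT)] if is_vault else name + VAULT
        if partner not in kvms:
            findings.append(f"{name}: counterpart {partner} not found")
        if is_vault != bool(kvm.get("encrypted")):
            want = "encrypted" if is_vault else "unencrypted"
            findings.append(f"{name}: must be {want}")
        for key, value in kvm.get("entries", {}).items():
            # Client secrets belong only in the encrypted _vault map.
            if key.lower().endswith("clientsecret") and not is_vault:
                findings.append(f"{name}.{key}: secret in unencrypted map")
            # Token URLs are stored without protocol.
            if key.lower().endswith("tokenurl") and SCHEME.match(str(value)):
                findings.append(f"{name}.{key}: remove protocol from value")
    return sorted(findings)

# Constructed sample containing three deliberate mistakes.
SAMPLE = {
    "ROIAM_Internal_CI_Proxy": {"encrypted": False, "entries": {
        "roiam_ci_clientID": "constructed-client-id",
        "roiam_ci_tokenURL": "https://tenant.example.invalid/oauth/token",
        "roiam_ci_clientSecret": "constructed-secret",
    }},
    "ROIAM_Internal_CI_Proxy_vault": {"encrypted": True, "entries": {}},
    "ROIAM_Internal_BTP_Proxy": {"encrypted": False, "entries": {
        "roiam_OAuth_TokenURL": "tenant.example.invalid/oauth/token",
    }},
}

if __name__ == "__main__":
    for finding in lint_kvms(SAMPLE):
        print(finding)
```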