Onboarding Guide

Timeline

Overview

1. S-User Setup

FinOptory requires an S-User with read permissions on the SAP for Me portal (me.sap.com) to continuously monitor and analyse your SAP contract data, licence consumption, cloud infrastructure and billing. Without this access, data-driven contract management is not possible.

Access is provided via a dedicated S-User under your SAP customer number, created and managed by your Super Administrator or Cloud Administrator. FinOptory receives read-only access exclusively. Write actions (creating cases, ordering licences, modifying system data) are deliberately excluded. Data processing is governed by the Data Processing Agreement (DPA) between you and FinOptory.

Permission Level

FinOptory recommends granting permissions at the Global level. This ensures that all SAP contracts under your customer number are fully captured, including cross-contract dependencies such as volume discounts, term overlaps and consolidation potential.

If you wish to use the FinOptory Managed Service for selected contracts only, permissions can be restricted to the Installation level. In this case, you grant permissions only for the relevant SAP installation numbers.

SAP for Me Portal

SAP Cloud Products

Installation and System Management

Case Management

Reports

Summary: 15 Permissions

Step-by-Step: Creating the S-User

1. Open SAP for Me and sign in with your administrator S-User (me.sap.com)
2. Navigate to User Management (menu: Users & Contacts > User Management)
3. Create a new S-User: click "Create User" and enter the contact details of the FinOptory consultant provided by us
4. Assign permissions: go to the "Authorizations" tab and grant the 15 permissions from the tables above
5. Select the permission level: choose "Global" (recommended) or the desired installation numbers
6. Save and activate: the new S-User will receive an activation email from SAP

After setup, share the S-User ID (format: S00XXXXXXXXX) with us. FinOptory will verify access and confirm successful setup.

Notes on the S-User

Dedicated access: Your administrator creates a separate S-User for FinOptory. Existing S-User credentials are not shared.

Permissions with "Manage" in the name: Some SAP permissions include the word "Manage" (e.g. Manage Invoices and Payments), even though FinOptory only requires read access. SAP's permission structure does not provide a separate display-only permission for these areas. FinOptory uses these permissions exclusively for reading. During onboarding, we will document the usage boundaries together with you.

Adjustments: If your SAP landscape has specific requirements (e.g. Customer Centre of Expertise with multiple customer numbers), we will align the permission structure individually during onboarding.

2. SAP API Integration

FinOptory synchronises data from your SAP landscape automatically via official SAP APIs. This replaces manual data maintenance for system landscapes, BTP consumption, entitlements and subaccount structures. Synchronisation runs daily and automatically.

Available Connections

Creating a Service Key (BTP APIs)

All three BTP connections (Consumption, Entitlements, Accounts) use the same service key. It only needs to be created once.

Step A: Entitle the Service (Global Account Admin required)

1. Open the SAP BTP Cockpit and navigate to the Global Account (top level, not subaccount)
2. Go to Entitlements > Entity Assignments
3. Select the subaccount where the instance should be created
4. Click "Configure Entitlements" > "Add Service Plans"
5. Search for "cis" or "Cloud Management"
6. Select the central plan > "Add Service Plans" > Save

Step B: Create Service Instance

1. Navigate to the subaccount > Services > Service Marketplace
2. Search for "Cloud Management Service"
3. Click "Create" > plan "central" > provide a name > Create

Step C: Create Service Key

1. Go to Services > Instances and Subscriptions
2. Find and click the instance in the "Instances" tab
3. "Service Keys" tab > "Create Service Key" > provide a name > Create
4. Click "View" and copy the full JSON
5. Paste the JSON in the FinOptory setup wizard (Settings > SAP Connections > "Add Connection")

The JSON contains clientid, clientsecret, url (token URL) and endpoints (API base URL). FinOptory extracts all fields automatically.

Creating a Service Key (Cloud ALM)

Cloud ALM requires its own service key in the Cloud ALM subaccount:

1. Open the SAP BTP Cockpit and navigate to the Cloud ALM subaccount
2. Go to Services > Service Marketplace
3. Search for "SAP Cloud ALM API" (or "calm")
4. Click "Create" > select plan "Landscape Management" > Create
5. Instances and Subscriptions > click on the instance > "Service Keys" > "Create Service Key"
6. Copy the full JSON and paste it into FinOptory

Cloud ALM must be provisioned and activated in your BTP landscape before the API service is available in the marketplace.

Setup in FinOptory

Via the setup wizard in Settings > SAP Connections > "Add Connection":

1. Select the connection type (Cloud ALM, BTP Consumption, Entitlements or Accounts)
2. Paste the full service key JSON
3. Review the extracted fields (Token URL, API Base, Client ID, Secret)
4. Test the connection

Once successfully configured, the connection synchronises automatically on a daily basis.

Troubleshooting

"Service not found in Marketplace": The service may not be entitled for your subaccount. Add the "central" plan for "Cloud Management" under Entitlements > Configure Entitlements.

"No Create button": You need the "Subaccount Administrator" role. Your Global Account Administrator can assign this role.

Cloud Management not available: Your BTP contract may not include this service. Clarify entitlement with your SAP Account Executive.

3. Contract Documents

We need your SAP contract documents for the contract analysis. The more complete the documentation, the more precise the analysis and the faster the start.

Submission: Upload directly in the FinOptory platform (PDF, DOCX, XLSX), or by email to your FinOptory consultant. Contract documents are AI-indexed and assigned to the corresponding contract units.

4. Platform Access and Roles

FinOptory uses a role-based permission model on two levels: tenant-wide and per contract. Setup is carried out together with your FinOptory consultant.

Roles

Sign-In

The default sign-in method is email and password. MFA can be activated per tenant (disabled, optional or required). Single Sign-On via Microsoft Entra ID can optionally be configured (see Step 5).

Contract Access

For each contract in FinOptory, it is defined separately which users have access and with which role. You can, for example, grant a colleague Viewer access to a specific contract without them being able to see other contracts.

Setup

1. FinOptory creates your tenant and invites your first Admin user
2. Your Admin invites further users (Settings > Users > "Invite User")
3. For each contract, access is configured per user

5. Microsoft Entra ID (optional)

FinOptory supports Single Sign-On via Microsoft Entra ID (formerly Azure Active Directory). Your employees sign in with their existing Microsoft account without needing a separate password. The standard email and password sign-in works without Entra ID.

Prerequisites

FinOptory uses a multi-tenant Azure AD integration. Setup does not require an App Registration or Admin Consent in your tenant. The only prerequisite is that your Azure AD tenant allows sign-in to external multi-tenant applications, which is the default setting in Entra ID. If your organisation has restricted this setting via a Conditional Access Policy, the FinOptory application must be permitted there.

How It Works

FinOptory uses domain-based routing: all email addresses from a specific domain (e.g. yourcompany.com) are automatically redirected to Microsoft sign-in. Users with other domains continue to sign in via email and password. The entire authentication flow runs via api.finoptory.ai and login.microsoftonline.com.

Setup

1. Share your domain: Tell your FinOptory consultant your company's email domain (e.g. yourcompany.com)
2. FinOptory configures routing: We enter the domain in your tenant settings
3. Test: A user from your domain signs in and is automatically redirected to Microsoft sign-in

Automatic User Provisioning

When auto-provisioning is enabled, a FinOptory account is automatically created for new users from your Entra ID domain on their first login. You define the default role (Viewer, Editor or Admin) that is automatically assigned. This eliminates the need to manually invite individual users.

6. AI Integration (optional)

FinOptory provides an interface (Model Context Protocol) through which AI tools such as ChatGPT or Google Gemini can directly access your contract data. This allows you to query contract content in natural language without opening the FinOptory platform.

How It Works

The integration uses OAuth 2.0 for authentication via api.finoptory.ai. You create an OAuth Client once in the FinOptory settings and enter the credentials in ChatGPT (as a Custom GPT) or Gemini (as a Gem). The connection is then permanently active.

Available Functions

Setup

1. In FinOptory: Settings > MCP Service > "Create OAuth Client"
2. Note down the Client ID and Client Secret securely (the secret is shown only once)
3. In ChatGPT or Gemini: create a Custom GPT / Gem and enter the OAuth credentials
4. Authorise the connection (one-time sign-in to FinOptory)

Detailed instructions for ChatGPT and Gemini are available after login in the FinOptory platform under Settings > MCP Service.