Live Data Connection to SAP BPC Embedded Using a Direct CORS Connection via Unified
Connectivity
Setup Cross-origin resource sharing (CORS) between your SAP BPC embedded system and SAP Analytics Cloud to establish a
direct live connection.
Who does this apply to?
- Users with Create, Read,
Update, Delete and
Maintain permissions for
Connections.
- Users with Execute permission for Other Data
Sources.
- Admin, Application Creator, BI
Content Creator, BI Admin, and
Planner Reporter standard application roles.
- Setting up a live connection requires working with the SAP Analytics Cloud
system owner and different IT and application stakeholders
within your organization. Most configuration steps are done on your SAP
NetWeaver ABAP Application Server (AS) before creating the connection in your
SAP Analytics Cloud
tenant.
Prerequisites
- Check that you are using a supported version
of SAP BPC embedded configuration. For more information, see System Requirements and Technical Prerequisites.
Note
Additional correction notes must be applied for some versions of SAP
BW. For more information, see SAP Note 2541557
If your SAP NetWeaver ABAP AS version does not meet the
specifications in SAP Note 2547381, stop here and follow the steps
in this article instead: Live Data Connection to SAP BPC Embedded Using a Direct CORS Connection via ICM Script
- Configure SSL on your SAP NetWeaver ABAP
AS. For more information, see Configuring SAP NetWeaver AS for ABAP to
Support SSL, and SAP Note 510007.
-
Configure cross-site cookies: To ensure that Chrome and
other browsers allow cross-site access to your SAP on-premise data source
cookies from SAP Analytics Cloud, you
must configure your SAP on-premise data source to issue cookies with specific
attributes. Without these settings, user authentication to your live data
connections will fail, and Story visualizations based on these connections will
not render.
For steps on how to do this, see SameSite Cookie Configuration for Live Data Connections.
- Setup SSO (optional): If you want users to have a single sign-on experience to your data, check you are using same Identity Provider (IdP) for SAP Analytics Cloud
and SAP NetWeaver. For more information on setting up
your identity provider in SAP Analytics Cloud, see Enable a Custom SAML Identity Provider.
- If you have multiple authentication methods configured on your ABAP
AS, see Alternative Logon Order.
Enable InA on your ABAP Application Server
Context
SAP Information Access (InA) is a REST HTTP-based protocol used by SAP Analytics Cloud to query
your data sources in real time. Confirm that your InA package is enabled and
services are running on the ABAP AS for your data source.
Procedure
-
Check that your InA package is enabled.
To check if the Ina package is enabled, open the following URL in your
browser:
https://<Your_ABAP_Server>/sap/bw/ina/GetServerInfo?sap-client=<Your_Client_ID>.
Make sure you are prompted for user credentials, and after login you get
a JSON response. Replace <Your_ABAP_Server> with your
ABAP system host, and <Your_Client_ID> with your
SAP BW client ID.
-
Check that the required Information Access Services are active in your SAP
BW/4HANA or SAP BW system.
-
Access your system using SAP Logon.
-
Enter transaction code: SICF.
-
Enter the Service Path: /sap/bw/ina and then
select Execute.
The following dialog will appear:
-
Under Virtual Hosts/Services go to: .
-
Make sure that the following services are active:
BatchProcessing
GetCatalog
GetResponse
GetServerInfo
Logoff
ValueHelp
Configure CORS on your ABAP Application Server
Context
Cross-Origin Resource Sharing (CORS) is the method you'll use to let your users
successfully access live data in an SAP Analytics Cloud page
from their Web browser. Configure CORS on your ABAP AS data source.
Note
If you are using SAP NetWeaver ABAP AS version 7.52 or above, you must apply
SAP Note 2531811 or import ABAP 7.52 SP1 to fix CORS related issues, and
then follow the steps below.
Procedure
-
Enable CORS in your system parameters without restarting ABAP AS.
Note
These changes will disappear after a restart of ABAP AS.
- Access your SAP BW/4HANA or SAP BW system using SAP Logon.
- Enter transaction code: RZ11.
- Enter Parameter:
icf/cors_enabled
- Click Display.
- Select Changes Value.
- Set New Value to
1.
- Select Save.
-
Permanently enable CORS in your system parameters.
- Enter transaction code: rz10
- In Profile, if you have multiple
authentication methods configured on your ABAP system, choose
DEFAULT from the list.
- Select Extended Maintenance.
- Click Change.
- Click .
- Set the parameter name to
icf/cors_enabled.
- Set the parameter value to 1.
- Click Exit and Yes to
save.
- Click Profile | Save.
- Click Yes to activate.
- Click Continue.
- Click Exit and Yes to
log off.
- Restart ABAP AS for the changes to take effect.
-
Add SAP Analytics Cloud to
the HTTP allowlist.
- Enter transaction code: /NUCONCOCKPIT.
- Change Scenario to HTTP Allowlist
Scenario.
- Change the Mode of Cross-origin
Resource Sharing to Active
Check.
- Double-click Cross-origin Resource
Sharing.
- Select Display / Change.
-
For SAP BW, under Allowlist, select
Add. For SAP BW/4HANA, select
To Allowlist.
- In the Input Window, add the following
information:
- Service Path:
/sap/bw/ina.
- Host rule: Add your SAP Analytics Cloud host. For example,
mytenant.us1.sapbusinessobjects.cloud.
- Allowed Methods: Select
GET, HEAD,
POST, and
OPTIONS.
- Add the following to Allowed Headers:
x-csrf-token
x-sap-cid
authorization
mysapsso2
x-request-with
sap-rewriteurl
sap-url-session-id
content-type
accept-language
- Add the following to Exposed Headers:
x-csrf-token
sap-rewriteurl
sap-url-session-id
sap-perf-fesrec
sap-system
-
Ensure Allow Credentials and
Allow Private Network Access
are selected.
Allow Private Network Access
ensures that your ABAP AS responds with
theAccess-Control-Allow-Private-Network:
true header to Google Chrome and other
browsers when they send a CORS preflight request ahead
of any private network request for a subresource.
-
Save your changes.
(Optional SSO) Add a Dummy HTML File to Your ABAP Application Server
Context
If you've set up SAML 2.0 Single Sign-On (SSO) for SAP Analytics Cloud and your
data source system with the same Identity Provider, you must add a dummy HTML
file to authenticate your users and follow the SAML HTTP redirects.
If you are using User Name and Password or None authentication methods, skip this section.
Procedure
- Enter transaction code: SE24.
- Enter Object Type:
ZCL_DUMMYAUTH_SERVICE, select
Create, and then select
Save.
- Go to the Interfaces tab, and add
IF_HTTP_EXTENSION, plus a
description.
- Go to the Methods tab, and add the following
information:
- Method:
IF_HTTP_EXTENSION~HANDLE_REQUEST
- Level: Instance
Method
- Visibility:
Public
- Description: Add a description
- Double click on
IF_HTTP_EXTENSION~HANDLE_REQUEST and add
the following code:
method IF_HTTP_EXTENSION~HANDLE_REQUEST.
DATA:
html_content TYPE string.
html_content = '<html><script type="text/javascript">window.close();</script></html>'.
server->response->set_header_field( name = 'Cache-Control' value = 'no-cache,no-store').
server->response->set_cdata( data = html_content ).
endmethod.
- Select Save, and then
Activate.
- Enter transaction code: SICF.
- Enter Service Path:
/sap/bw/ina, and then press Enter.
- Under , right click ina, then choose
New Sub-Element.
- In Service Name, enter auth then select
Input.
- Add a description.
- Open the Handler List tab, and enter
ZCL_DUMMYAUTH_SERVICE
- Save and return to the main menu.
- (Optional) Check if the auth package is installed.
Open the following URL in your browser:
https://<Your_ABAP_Server>/sap/bw/ina/GetServerInfo?sap-client=<Your_ABAP_Client_ID>.
Make sure yo're redirected to your IdP login page, and that you don't
see a 404 page after login.
You can see the HTML file merely closes the dialog. This is needed
because SAP Analytics Cloud
will trigger this URL (/sap/bw/ina/auth). As this
URL is SAML protected the browser first redirects to your IdP. The IdP
then recognizes that the user is already authenticated from SAP Analytics Cloud
and has a session. So your browser follows the redirects by the IdP and
finally the dummy HTML content is delivered which closes the dialog.
Configure Your Web Browsers
Context
Your user's browsers must allow 3rd party cookies from the ABAP AS domain and pop-ups from the SAP Analytics Cloud domain.
This can be easily configured in the browser's settings. As an example, see the
steps below for Google Chrome.
Procedure
-
At the top-right of your Google Chrome browser, click .
-
Under Privacy and security click .
-
In the Allow section, add the domains relevant for
your SAP Analytics Cloud
tenant.
[*.]sapanalytics.cloud
[*.]hanacloudservices.cloud.sap
[*.]hcs.cloud.sap
[*.]analytics.sapcloud.cn
-
Go back to Privacy and security and click
Cookies and other site data.
-
Under Sites that can always use cookies add your
ABAP AS domain.
Create the Live Connection in SAP Analytics Cloud
Context
Now that you've configured your data source, you can finally create the live
conection in SAP Analytics Cloud.
Procedure
-
From the side navigation, choose .
The Select a data source dialog will
appear.
-
Expand Connect to Live Data and select
SAP BPC.
-
In the dialog, enter a name and description for your
connection.
The connection name cannot be changed later.
-
Set the connection type to Direct.
-
Add your data source's host name, HTTPS port, and Client.
-
(Optional) Choose a Default Language from
the list.
This language will always be used for this connection and cannot be
changed by users without administrator privileges.
Note
You must know
which languages are installed on your data source system before
adding a language code. If the language code you enter is invalid,
SAP Analytics Cloud will default to the language specified by your system
metadata.
-
Under Authentication Method select one of the following:
- None - Using the None
authentication option allows you to connect to data source systems that
use SSO that are not based on SAML 2.0. For more information, see Using the 'None' Authentication Option.
- User Name and Password - Enter a user name
and password for your data source system. Only the user whose
credentials you added will have access to the live data
connection.
- SAML Single Sign On - Select this option if
you've completed the necessary prerequistes and steps for SSO outlined
in the rest of this article.
Note
To enable single sign-on for the mobile app, see the "Cloud
Connector-based Mobile Single Sign-On" topic in the
SAP Analytics
Cloud Mobile Administration Guide.
-
(Optional) Select Let SAP support user sign in using basic
authentication for this connection. By enabling this
feature, support users are granted access to the new live data connection
using basic authentication.
Note
Advanced features are not available when the Authentication Method is
set to none.
To enable an Advanced Feature, you must allow live on-premise data to
securely leave your network.
Results
Once you've created your live data connection, test it by
creating a model.