Creating an OAuth Client for BPC Data Acquisition with SAP Analytics Cloud

Compared to basic authentication, OAuth gives you a more secure way to keep the client credentials of your BPC system separate from SAP Analytics Cloud, because authorization is configured in the OAuth authorization server.

Prerequisites

  1. The minimum BPC versions required for OAuth are as follows:

    BPC Version                     Minimum Support Package
    BPC 10.1 on BW740               BPC SP17
    BPC 10.1 on BW750               BPC SP15
    BPC 10.1 on BW751               BW SP08
    BPC 10.1 on BW752               BW SP04
    BPC 10.1 on BW753               BW SP02
    BPC 11.0 on BW/4HANA 1.0        BPC SP06
    BPC 11.1 on BW/4HANA 2.0        BPC SP00

  2. In the SAP Business Technology Platform (BTP) Cloud Connector, add "/sap/bc" as an accessible resource URL for the corresponding BPC hosts.

  3. Minimum BPC support packages for SAP_BASIS: upgrade BPC 740 to SP22, BPC 750 to SP12, BPC 751 to SP06, BPC 752 to SP02; or apply SAP Note 2602370.

  4. Apply SAP Note 2687977 to register the OAuth scope in BPC.

  5. When requesting an authorization code, an SAP Analytics Cloud user must either be on the same intranet as BPC or maintain a reverse proxy.

Unsupported Features:

Refresh token is currently not supported.

Context

Previously, when you entered your BPC credentials in SAP Analytics Cloud and the BPC connection authorization dialog popped up for the first time, the credentials were stored in SAP Analytics Cloud. Now with the support of OAuth, BPC user credentials won't be stored directly in SAP Analytics Cloud; instead an OAuth token is generated and used in subsequent calls to BPC.

The token can also be revoked if the user credentials are leaked accidentally; the life cycle of the token is decided by the authorization server. You can configure in BPC how frequently the SAP Analytics Cloud client should refresh the token. After the token expires, SAP Analytics Cloud users need to re-authenticate to access BPC.

If you combine OAuth with SAML, users no longer need to enter their BPC credentials again after single sign-on to the system.

Procedure

  1. In the BPC back end, enter the transaction code SOAUTH2.
  2. Create a new OAuth client or edit an existing one.
  3. Add OAuth scope "SAP_BPC_REST_PUBLIC_HTTP" to the OAuth client.
  4. In the General Settings area, set Token Lifetime. The token lifetime controls when the token expires. After the token expires, SAP Analytics Cloud users need to re-authenticate to get a new access token to access BPC.
  5. In the Client Authentication area, check Client User ID and Password.
  6. In the Resource Owner Authentication area, enable the option Grant Type Authorization Code Active, and deselect Grant Type SAML 2.0 Bearer Active and Refresh Allowed.
  7. Set Redirect URI according to the following rules:
    • For an EUDP flagged tenant, use "https://bocauth.eu1.sapbusinessobjects.cloud:443".

    • For an SAP Analytics Cloud host name that ends with "hana.ondemand.com", "analyticscloud.sap.com", "sapanalytics.cloud", "sapanalytics.cn", "hanacloudservices.cloud.sap", "hcs.cloud.sap", or "sapbusinessobjects.cloud", use "https://bocauth.us1.sapbusinessobjects.cloud:443".

    • For an SAP Analytics Cloud host name that ends with "int.sap.hana.ondemand.com" or others, use "https://oauth-r.cnry.projectorca.cloud:443".

  8. In the BPC back end, assign the authorization object S_SCOPE to the BPC users who will use this OAuth client to set up a connection. In the field OAuth 2.0 Scope ID, enter SAP_BPC_REST_PUBLIC_HTTP. In the field OAuth 2.0 Client ID, enter the ID of the OAuth client.
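
A way to review a finished client against steps 3 to 7, added here as an example and not part of the SAP documentation. The record's field names, the sample host name and the lifetime value are hypothetical (SOAUTH2 has no such export format). The precedence between the redirect URI rules and the match on a DNS label boundary are assumptions of this example.

```python
SCOPE = "SAP_BPC_REST_PUBLIC_HTTP"
EUDP_URI = "https://bocauth.eu1.sapbusinessobjects.cloud:443"
MAIN_URI = "https://bocauth.us1.sapbusinessobjects.cloud:443"
OTHER_URI = "https://oauth-r.cnry.projectorca.cloud:443"
MAIN_SUFFIXES = ("hana.ondemand.com", "analyticscloud.sap.com", "sapanalytics.cloud",
                 "sapanalytics.cn", "hanacloudservices.cloud.sap", "hcs.cloud.sap",
                 "sapbusinessobjects.cloud")

def in_domain(host, suffix):
    # Stricter than a plain endswith(): match on a DNS label boundary so that
    # "notsapanalytics.cloud" is not accepted as "sapanalytics.cloud".
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def expected_redirect_uri(sac_host, eudp=False):
    if eudp:  # assumption: the EUDP flag takes precedence over the host name
        return EUDP_URI
    # Assumption: tested first, because this suffix also ends with "hana.ondemand.com".
    if in_domain(sac_host, "int.sap.hana.ondemand.com"):
        return OTHER_URI
    if any(in_domain(sac_host, s) for s in MAIN_SUFFIXES):
        return MAIN_URI
    return OTHER_URI  # the "or others" case of step 7

def audit_client(cfg, sac_host, eudp=False):
    """Return one finding per setting that deviates from steps 3 to 7."""
    want = expected_redirect_uri(sac_host, eudp)
    checks = [
        (SCOPE in cfg.get("scopes", ()), "step 3: scope " + SCOPE + " not assigned"),
        (bool(cfg.get("token_lifetime")), "step 4: Token Lifetime not set"),
        (cfg.get("client_user_id_and_password") is True, "step 5: Client User ID and Password not checked"),
        (cfg.get("grant_authorization_code") is True, "step 6: Authorization Code grant not active"),
        (cfg.get("grant_saml_bearer") is False, "step 6: SAML 2.0 Bearer grant still active"),
        (cfg.get("refresh_allowed") is False, "step 6: Refresh Allowed still selected"),
        (cfg.get("redirect_uri") == want, "step 7: Redirect URI should be " + want),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample record, typed by hand from the SOAUTH2 screen.
SAMPLE = {"scopes": [SCOPE], "token_lifetime": "3600",
          "client_user_id_and_password": True, "grant_authorization_code": True,
          "grant_saml_bearer": False, "refresh_allowed": True,  # deviates from step 6
          "redirect_uri": MAIN_URI}  # wrong for the host used below

if __name__ == "__main__":
    for finding in audit_client(SAMPLE, "tenant.int.sap.hana.ondemand.com"):
        print(finding)
```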