Live Data Connection to SAP HANA Cloud Using an "SAP HANA Cloud" Connection

To access SAP HANA Cloud data without having to set up the SAP HANA Analytics Adapter, you can create a live data connection using the “SAP HANA Cloud” connection type.

Who does this apply to?
  • Users with any of these permissions for Connections: Create, Read, Update, Delete, and Maintain.
  • Users with Execute permission for Other Data Sources.
  • Users with any of these standard application roles: Admin, Application Creator, BI Content Creator, BI Admin, and Planner Reporter.
  • Setting up a live connection requires working with the SAP Analytics Cloud system owner and different IT and application stakeholders within your organization. Most configuration steps are done on your SAP HANA server before creating the connection in your SAP Analytics Cloud tenant.

Prerequisites

Note

This connection type works only in Cloud Foundry environments (non-SAP data centers). For Neo environments (SAP data centers), see Live Data Connection to SAP HANA Cloud Using a Direct Connection and SSO.

SAP Analytics Cloud can be hosted either on SAP data centers or on non-SAP data centers (for example, Amazon Web Services (AWS)). Determine which environment SAP Analytics Cloud is hosted on by inspecting your SAP Analytics Cloud URL:

  • A single-digit number, for example us1 or jp1, indicates an SAP data center (Neo environment).
  • A two-digit number, for example eu10 or us30, indicates a non-SAP data center (Cloud Foundry environment).
Note
To grant access to SAP HANA Cloud data, you'll need the access_role and external_privileges_role for the HDI container. For more information, see Assign Roles to a Database User in the SAP HANA Cockpit documentation.
  • For single sign-on (SSO) (optional)
    • To perform these steps, you must use the default DBADMIN user for SAP HANA Cloud (for details, see this page), or an equivalent SAP HANA Cloud user.
    • You have set up the SAP HANA Info Access Service (InA). See this help page for details.
    • To create and view models and stories in SAP Analytics Cloud, users need read access to the SAP HANA Cloud database artifacts used by the generated InA queries.
    • SAML Single Sign-On (SSO) must be enabled in SAP Analytics Cloud. For more information, see Enable a Custom SAML Identity Provider.
    • The following steps must be carried out by a user who has administrator-level privileges in SAP HANA Cloud and SAP Analytics Cloud, and logs on to SAP Analytics Cloud via the SAML Identity Provider. For the steps in the SAP Analytics Cloud system, the BI Admin role is required. For the steps in the SAP HANA Cloud system, the Administrator role is required.
    • To display custom analytical queries you must apply SAP Note 2710858.

Add a remote system to SAP Analytics Cloud

Procedure

  1. From the side navigation, choose Connections > (Add Connection).
    The Select a data source dialog will appear.
  2. Expand Connect to Live Data and select SAP HANA.
  3. In the dialog, enter a name and description for your connection.
    The connection name cannot be changed later.
  4. Set the connection type to SAP HANA Cloud.
  5. Add your SAP HANA Cloud host name.
  6. (Optional) Choose a Default Language from the list.
    This language will always be used for this connection and cannot be changed by users without administrator privileges.
    Note
    You must know which languages are installed on your SAP HANA system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
  7. Under Authentication Method select User Name and Password, or for single sign-on, select SAML Single Sign On.
  8. For the user name and password option:
    1. Provide a user name that exists in SAP HANA Cloud as a database user.
      The database user needs to have roles and privileges for InA, and needs to have access to the SAP HANA artifacts that are needed to retrieve data for the InA request.
    2. Select OK, and skip the remaining steps.
  9. For SSO only, copy the SAML Identity Provider (IdP) from the Provider Name field in the connection dialog, and also download the certificate from this dialog.

    You'll need these two items to perform the trust configuration to set up SAML SSO.

    Continue with the next step now, before you select OK to finish creating this connection.

(SSO only) Set up the trust relationship between SAP HANA Cloud and SAP Analytics Cloud

Procedure

  1. Open the SAP HANA Cockpit.
    For details, see this help topic.
  2. Upload the certificate that you previously downloaded.
    1. Go to Certificate Store, and click the Import button.
    2. Select Import from file to upload the certificate, or copy and paste the content of the downloaded certificate file.
    3. Select OK.
  3. Create a SAML identity provider.
    1. Go to SAML Identity Providers, and click the Add Identity Provider button.
    2. Provide an Identity Provider Name.
    3. Enter the SAML provider name that you copied from the connection dialog into the Entity ID field, and select the newly added certificate.
    4. Select Add.
  4. Create a certificate collection.
    1. Go to Certificate Collections, and click the Add Collection button.
    2. Type a collection name, and click OK.
    3. Click Add Certificate.
    4. Select the new certificate, and click OK.
    5. Select the Edit Purpose button.
    6. In the Purpose field, choose SAML.
    7. In the Providers field, select the newly created SAML provider.
    8. Click Save.
  5. Go back to SAP Analytics Cloud, and finish creating the connection by selecting OK in the connection dialog.

(SSO only) Map an SAP Analytics Cloud user to an SAP HANA Cloud user

Context

You need to create the user, or you can modify an existing user, and provide the proper role.

Procedure

  1. Go to User Management.
  2. Click > Create User.
  3. Set Disable ODBC/JDBC Access to No.
  4. On the Authentication tab, select SAML.
  5. Click Add SAML Identity, and select your identity provider.
  6. Set Automatic Mapping by Provider to OFF.
  7. In your SAP Analytics Cloud tenant, go to System > Administration, and select the Security tab.
  8. In the Authentication Method section, if the default option SAP Cloud Identity is selected, then the email ID of the user who logs in to the SAP Analytics Cloud tenant needs to be mapped with the SAP HANA Cloud database user (as shown in a later step).
    Copy the EMAIL field from the Security > Users tab in SAP Analytics Cloud.
  9. Or, if SAML Single Sign-On is selected, then you'll need to look at the SAML Single Sign-On (SSO) Configuration section, Step 3: Choose a user attribute to map to your identity provider, and note which option is selected in the User Attribute field.
    • If the User Attribute is set to Email, then the email ID of the user who logs in to the SAP Analytics Cloud tenant needs to be mapped (as shown in a later step). Copy the EMAIL field from the Security > Users tab in SAP Analytics Cloud.
    • If the User Attribute is set to USER ID, then instead, copy the USER ID field from the Security > Users tab in SAP Analytics Cloud.
    • If the User Attribute is set to Custom SAML User Mapping, there will be a new column SAML USER MAPPING in the Security > Users tab in SAP Analytics Cloud, that needs to be mapped with the SAP HANA Cloud database user.
  10. Take the value from the appropriate column for the SAP Analytics Cloud user, and enter that in the External Identity field on the Authentication tab in User Management.
  11. Click Save.
  12. To add the required roles and privileges, click Assign Roles or Assign Privileges.

    For another user from the same SAP Analytics Cloud tenant to be able to access the same SAP HANA Cloud system, you'd need to create another user in SAP HANA and map the appropriate ID, or use the same SAP HANA user and map the appropriate ID.

    You can also add another identity provider in an existing SAP HANA user, because you can attach multiple SAML identities with one SAP HANA user. In that way, you can access the SAP HANA Cloud instance from multiple SAP Analytics Cloud tenants using a single SAP HANA database user, if desired.
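
The mapping rule in steps 8 to 10 can be checked across many users at once. The following is an added example, not SAP code: it derives the External Identity each SAP Analytics Cloud user should have and compares it with the identities actually attached to SAP HANA Cloud users for one identity provider. The record layout, function names, and sample data are assumptions made for illustration.

```python
# Added example; record layout and function names are assumptions, data is constructed.

# Column of Security > Users that supplies the External Identity, per User Attribute setting.
ATTRIBUTE_COLUMN = {
    "Email": "EMAIL",
    "USER ID": "USER ID",
    "Custom SAML User Mapping": "SAML USER MAPPING",
}

def expected_identity(sac_user, auth_method, user_attribute=None):
    """Return the value that belongs in External Identity, or None if the column is empty."""
    if auth_method == "SAP Cloud Identity":
        column = "EMAIL"  # default identity provider: the email ID is mapped
    elif auth_method == "SAML Single Sign-On":
        column = ATTRIBUTE_COLUMN[user_attribute]
    else:
        raise ValueError(f"unknown authentication method: {auth_method!r}")
    return sac_user.get(column, "").strip() or None

def reconcile(sac_users, hana_mappings, auth_method, user_attribute=None):
    """Compare SAC users with (hana_user, external_identity) pairs for one identity provider."""
    expected, missing = set(), []
    for user in sac_users:
        identity = expected_identity(user, auth_method, user_attribute)
        if identity is None:
            missing.append(user["USER ID"])
        else:
            expected.add(identity)
    mapped, per_hana_user = set(), {}
    for hana_user, identity in hana_mappings:
        mapped.add(identity)
        per_hana_user.setdefault(hana_user, []).append(identity)
    return {
        "missing_attribute": sorted(missing),   # SAC user has no value to map yet
        "unmapped": sorted(expected - mapped),  # no HANA user carries this identity
        "orphaned": sorted(mapped - expected),  # HANA identity with no SAC user: review
        "shared": {u: sorted(i) for u, i in per_hana_user.items() if len(i) > 1},
    }

# Constructed sample data; exact, case-sensitive comparison is an assumption.
SAC_USERS = [
    {"USER ID": "ALICE", "EMAIL": "alice@example.com", "SAML USER MAPPING": "a.one"},
    {"USER ID": "BOB", "EMAIL": "bob@example.com", "SAML USER MAPPING": ""},
    {"USER ID": "CAROL", "EMAIL": "carol@example.com", "SAML USER MAPPING": "c.three"},
]
HANA_MAPPINGS = [("REPORTING", "alice@example.com"), ("REPORTING", "bob@example.com"),
                 ("OLD_ANALYST", "dave@example.com")]

if __name__ == "__main__":
    print(reconcile(SAC_USERS, HANA_MAPPINGS, "SAP Cloud Identity"))
```

An entry under "shared" is the single-database-user setup described above, so every identity listed there inherits the same roles and privileges; an "orphaned" entry is an identity that can still authenticate to the database user although no matching SAP Analytics Cloud user remains.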