Live Data Connection to SAP HANA Using a Direct Connection with Password Authentication
You must configure your on-premise SAP HANA system in order to support user name and password authentication for live data connections that use the direct connection type.
- Ensure that the SAP Information Access (InA) service (/sap/bc/ina/service/v2) on your SAP HANA server is exposed to browser users, either directly, or via a reverse-proxy.
- Ensure that the InA package (/sap/bc/ina/service/v2) or a higher-level package is configured for basic authentication.
- Ensure the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection. This role is required in addition to the usual roles and authorizations that are granted to users for data access purposes.
- Ensure that your SAP HANA XS server is configured for HTTPS (SSL) with a signed certificate, and that you know which port it is using for HTTPS requests. For details, see Maintaining HTTP Access to SAP HANA and SAP Knowledge Base Article 2502174.
For SAP HANA version 1.00.112.04 and above, users require both the INA_USER role, and additional object rights. The SAP HANA administrator must grant users SELECT privileges on all view items in the _SYS_BIC schema that users should have access to. For more information, see SAP Knowledge Base Article 2353833.
For information on supported versions of SAP HANA, see System Requirements and Technical Prerequisites.
Configure Cross-Origin Resource Sharing (CORS) support on your SAP HANA
You must ensure that the HTTP responses from the InA service to users' web browsers include CORS headers.NoteIf you are using a reverse proxy to issue your CORS headers instead of using SAP HANA directly, skip Step 1, and update your reverse proxy configuration using the information in the Next Steps below.
- Log on to your SAP HANA XS Admin page (/sap/hana/xs/admin) as the System user or a user assigned to the following roles: sap.hana.xs.admin.roles::RuntimeConfAdministrator and sap.hana.xs.admin.roles::SAMLViewer.
- Go to the XS Artifact Administration panel and navigate to sap.bc.ina.service.v2.
Select the sap.bc.ina.service.v2 package, switch
to the CORS panel, and use the following
instructions to edit your CORS configuration:
- Select Enable Cross Origin Resource Sharing.
- Add your SAP Analytics Cloud host to Allowed Origins. For
More than one URL can be added to the allowOrigin variable. For more information on CORS options, see Application-Access File Keyword Options.
- Add the following to Allowed
- Add the following to Exposed Headers: x-csrf-token.
- Select the following Allowed Methods: GET, HEAD, POST, OPTIONS.
- Save your changes.
Increase the session timeout configuration parameters in SAP HANA
To do this, you will need to increase the sessiontimeout parameter in the httpserver section of the xsengine.ini file. For example, if you change the parameter to 43200, the session will be active for 12 hours.
For more information, see the SAP HANA XS documentation.
Verify end-users' web browser configuration and access.
Your end users' web browsers must be configured to:
- Allow 3rd party cookies from the SAP HANA server's domain or the domain of your reverse proxy. For example, in Internet Explorer 11, go to , add your domain name, then select Enable Protected Mode.
Add a remote system to SAP Analytics Cloud:
The Select a datasource dialog will appear.
- Expand Connect to Live Data and select SAP HANA.
In the dialog, enter a name and description for your connection.
The connection name cannot be changed later.
- Set the connection type to Direct.
- Add your SAP HANA host name, and HTTPS port.
(Optional) Choose a Default Language from the list.
This language will always be used for this connection and cannot be changed by users without administrator privileges.NoteYou must know which languages are installed on your SAP HANA system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
- Under Authentication Method select User Name and Password.
Enter an SAP HANA user name and password.
NoteThe user must be assigned to the sap.bc.ina.service.v2.userRole::INA_USER role in SAP HANA.
NoteAfter creating a connection to a remote system and before creating a model from a remote system, you must log off and log on to SAP Analytics Cloud again.
- Go to
If the user logs out of SAP Analytics Cloud, or closes the browser, they will need to enter their user name and password to use the remote connection again.
The connection is not tested until you create a model. For more information, see Creating a Model from a Live Data Connection.
Access-Control-Allow-Origin "https://<customer-prefix>.<data-center>.sapbusinessobjects.cloud" Access-Control-Allow-Credentials = true Access-Control-Allow-Methods = "GET, POST, HEAD, OPTIONS" Access-Control-Allow-Headers = " x-csrf-token, x-sap-cid, content-type, authorization, accept, x-request-with, accept-language" Access-Control-Expose-Headers= " x-csrf-token, x-sap-cid, content-type, authorization, accept, x-request-with"
The Access-Allow-Origin attribute should be set to your SAP Analytics Cloud tenant URL.