Creating an OAuth Client for BPC Data Acquisition with SAP Analytics Cloud
Compared to basic authentication, OAuth can provide you a more secure way to split the client credentials of your BPC system from SAP Analytics Cloud by configuring authorization in the OAuth authorization server.
Prerequisites
-
The minimum BPC versions required for OAuth are as follows:
BPC Version Minimum Support Package BPC10.1 on BW740 BPC SP17 BPC10.1 on BW750 BPC SP15 BPC10.1 on BW751 BW SP08 BPC10.1 on BW752 BW SP04 BPC10.1 on BW753 BW SP02 BPC 11.0 on BW/4HANA 1.0 BPC SP06 BPC 11.1 on BW/4HANA 2.0 BPC SP00 -
In HANA Cloud Connector, add "/sap/bc" as an accessible resource URL to corresponding BPC hosts.
-
Minimum BPC support packages for SAP_BASIS: upgrade BPC 740 to SP22, BPC 750 to SP12, BPC751 to SP06, BPC 752 to SP02; or apply the note 2602370 .
-
Apply the note 2687977 to register OAuth scope in BPC.
-
When requesting an authorization code, a SAP Analytics Cloud user either needs to be on same intranet with BPC or needs to maintain a reverse proxy.
Limitations:
Refresh token is currently not supported.
Context
Previously, when you entered your BPC credentials in SAP Analytics Cloud and the BPC connection authorization dialog popped up for the first time, the credentials were stored in SAP Analytics Cloud. Now with the support of OAuth, BPC user credentials won't be stored directly in SAP Analytics Cloud; instead an OAuth token is generated and used in subsequent calls to BPC.
The token can also be revoked if the user credentials are leaked accidentally; the life cycle of the token is decided by the authorization server. You can configure in BPC how frequently the SAP Analytics Cloud client should refresh the token. After the token expires, SAP Analytics Cloud users need to re-authenticate to access BPC.
If you combine OAuth with SAML, users no longer need to enter their BPC credentials again after single-sign to the system.