Live Data Connection to SAP HANA On-Premise Using a Direct Connection

Configure your on-premise SAP HANA system for live data connections that use the direct connection type.

Who does this apply to?
  • Users with any of these permissions for Connections: Create, Read, Update, Delete, and Maintain.
  • Users with Execute permission for Other Data Sources.
  • Users with any of these standard application roles: Admin, Application Creator, BI Content Creator, BI Admin, and Planner Reporter.
  • Setting up a live connection requires working with the SAP Analytics Cloud system owner and different IT and application stakeholders within your organization. Most configuration steps are done on your SAP HANA server before creating the connection in your SAP Analytics Cloud tenant.
Prerequisites
  • If end users will access the live data connection from outside of your corporate network, ensure that the SAP Information Access (InA) service (/sap/bc/ina/service/v2) on your SAP HANA server is exposed to browser users directly.
  • Ensure that the InA package (/sap/bc/ina/service/v2) or a higher-level package is configured for basic authentication.
  • Ensure that the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection. This role is required in addition to the usual roles and authorizations that are granted to users for data access purposes.
  • Ensure that your SAP HANA XS server is configured for HTTPS (SSL) with a signed certificate, and that you know which port it is using for HTTPS requests. For details, see Maintaining HTTP Access to SAP HANA and SAP Knowledge Base Article 2502174.
  • For single sign-on (SSO) (optional):
    • If you want users to have a single sign-on experience to your data, check that you are using the same Identity Provider (IdP) for SAP Analytics Cloud and SAP HANA. For more information on setting up your identity provider in SAP Analytics Cloud, see Enable a Custom SAML Identity Provider.
    • Ensure that all users are SAML configured.
    • Ensure that the InA package (/sap/bc/ina/service/v2) or a higher-level package is configured for SAML authentication. For details, see the SAP HANA XS Classic Configuration Parameters.
  • Configure cross-site cookies: To ensure that Chrome and other browsers allow cross-site access to your SAP on-premise data source cookies from SAP Analytics Cloud, you must configure your SAP on-premise data source to issue cookies with specific attributes. Without these settings, user authentication to your live data connections will fail, and Story visualizations based on these connections will not render.

    For steps on how to do this, see SameSite Cookie Configuration for Live Data Connections.

Note
For SAP HANA version 1.00.112.04 and above, users require both the INA_USER role, and additional object rights. The SAP HANA administrator must grant users SELECT privileges on all view items in the _SYS_BIC schema that users should have access to. For more information, see SAP Knowledge Base Article 2353833.
Note
For information on supported versions of SAP HANA, see System Requirements and Technical Prerequisites.

Configure Cross-Origin Resource Sharing (CORS) support on your SAP HANA system

Context

You must ensure that the HTTP responses from the InA service to users' web browsers include CORS headers.

Procedure

  1. Log on to your SAP HANA XS Admin page (/sap/hana/xs/admin) as the System user or a user assigned to the following roles: sap.hana.xs.admin.roles::RuntimeConfAdministrator and sap.hana.xs.admin.roles::SAMLViewer.
  2. Go to the XS Artifact Administration panel and navigate to sap.bc.ina.service.v2.
  3. Select the sap.bc.ina.service.v2 package, switch to the CORS panel, and use the following instructions to edit your CORS configuration:
    1. Select Enable Cross Origin Resource Sharing.
    2. Add your SAP Analytics Cloud host to Allowed Origins. For example, https://<Customer-Prefix>.<Data-Center>.sapbusinessobjects.cloud.
      Note

      More than one URL can be added to the allowOrigin variable. For more information on CORS options, see Application-Access File Keyword Options.

    3. If single sign-on (SSO) is used, add the IdP host to Allowed Origins.
    4. Add the following to Allowed Headers:
      • accept
      • authorization
      • content-type
      • x-csrf-token
      • x-request-with
      • x-sap-cid
      • accept-language

    5. Add the following to Exposed Headers: x-csrf-token.
    6. Select the following Allowed Methods: GET, HEAD, POST, OPTIONS.

  4. Save your changes.
  5. For SSO only, enable logout using your SSO credentials.
    Repeat steps 3 and 4 for the sap.hana.xs.formLogin package.
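
To check the result of this procedure, the following added example (not part of the SAP documentation, and not SAP code) compares the CORS headers of an OPTIONS preflight reply and of a normal InA reply with the values listed in step 3. The tenant URL and the sample header sets are constructed, and the check assumes the server returns the matching origin in Access-Control-Allow-Origin.

```python
# Added example (not SAP code): audit CORS response headers from the InA service
# against the Allowed Headers, Exposed Headers and Allowed Methods listed above.
ALLOWED_HEADERS = {"accept", "authorization", "content-type", "x-csrf-token",
                   "x-request-with", "x-sap-cid", "accept-language"}
ALLOWED_METHODS = {"get", "head", "post", "options"}
EXPOSED_HEADERS = {"x-csrf-token"}


def _tokens(headers, name):
    """Return the comma-separated values of one header as a lower-case set."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {t.strip().lower() for t in lowered.get(name, "").split(",") if t.strip()}


def audit_cors(preflight, response, tenant_origin):
    """Return a list of findings; an empty list means every setting is present."""
    findings = []
    for label, headers in (("preflight", preflight), ("response", response)):
        origins = _tokens(headers, "access-control-allow-origin")
        if "*" in origins:
            findings.append(f"{label}: origin '*' is refused by browsers on credentialed requests")
        elif tenant_origin.lower().rstrip("/") not in origins:
            findings.append(f"{label}: tenant origin not allowed")
    checks = (
        ("allowed headers", preflight, "access-control-allow-headers", ALLOWED_HEADERS),
        ("allowed methods", preflight, "access-control-allow-methods", ALLOWED_METHODS),
        ("exposed headers", response, "access-control-expose-headers", EXPOSED_HEADERS),
    )
    for label, headers, name, required in checks:
        missing = sorted(required - _tokens(headers, name))
        if missing:
            findings.append(f"{label} missing: {', '.join(missing)}")
    return findings


# Constructed sample data: placeholder tenant and hand-written header sets.
TENANT = "https://mytenant.eu1.sapbusinessobjects.cloud"
GOOD_PREFLIGHT = {
    "Access-Control-Allow-Origin": TENANT,
    "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
    "Access-Control-Allow-Methods": "GET, HEAD, POST, OPTIONS",
}
GOOD_RESPONSE = {"Access-Control-Allow-Origin": TENANT,
                 "Access-Control-Expose-Headers": "x-csrf-token"}
BAD_PREFLIGHT = {"access-control-allow-origin": "*",
                 "access-control-allow-headers": "accept, authorization, content-type",
                 "access-control-allow-methods": "GET, POST"}
BAD_RESPONSE = {"access-control-allow-origin": TENANT}
```

The two header dictionaries can be copied from the browser's network panel while a story loads; audit_cors(BAD_PREFLIGHT, BAD_RESPONSE, TENANT) reports the wildcard origin and each missing header and method.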

For SSO only, deploy the custom web content to your SAP HANA server

Context

To enable SSO when using a direct connection, you must deploy some custom web content to your SAP HANA server. This web content is what will appear briefly to users once per session when they first create a live data connection to your SAP HANA system, or when they refresh charts or tables against that live data connection.

Procedure

  1. Log on to your SAP HANA server's Web IDE at https://<xs-host:port>/sap/hana/ide/editor/ with the system user credentials.
    Replace <xs-host:port> with your SAP HANA XS server host and port.
  2. Navigate to sap.bc.ina.service.v2.
  3. Right-click the v2 package, and select New > Package.
  4. In Package Name enter cors and click Create.
  5. Right-click the cors package and select New > File.
  6. Enter auth.html and click Create.
  7. Open auth.html, and add the following code:
    <html>
      <script type="text/javascript">
        open(location, '_self').close();
      </script>
    </html>
  8. Save auth.html.
  9. Create another file under the cors package, and name it .xsaccess.
  10. Open .xsaccess, and add the following code:
    {"cache_control" : "no-cache, no-store"}
  11. Save .xsaccess.
  12. Right-click the cors package, and click Activate All.
  13. In a new browser tab, go to the following URL: https://<xs-host:port>/sap/bc/ina/service/v2/cors/auth.html.
    If the HTML page is configured correctly, the page will load and close automatically.
    Note
    You will need to repeat the configuration in this procedure after every SAP HANA or SAP EPM library upgrade.

Increase the session timeout configuration parameters in SAP HANA XS server

Procedure

You'll need to increase the sessiontimeout parameter in the httpserver section of the xsengine.ini file.

For example, if you change the parameter to 43200, the session will be active for 12 hours.

For more information, see the SAP HANA XS Classic Configuration Parameters.

Verify end-users' web browser configuration and access

Procedure

Your users' browsers must allow third-party cookies from the SAP HANA server's domain and pop-ups from the SAP Analytics Cloud domain. Both are configured in the browser's settings. As an example, see the steps below for Google Chrome.
  1. At the top-right of your Google Chrome browser, open the browser menu and click Settings.
  2. Under Privacy and security click Site Settings > Pop-ups and redirects.
  3. In the Allow section, add the domains relevant for your SAP Analytics Cloud tenant.
    [*.]sapanalytics.cloud
    [*.]hanacloudservices.cloud.sap
    [*.]hcs.cloud.sap
    [*.]analytics.sapcloud.cn
  4. Go back to Privacy and security and click Cookies and other site data.
  5. Under Sites that can always use cookies add your SAP HANA server's domain.

Add a remote system to SAP Analytics Cloud

Procedure

  1. From the side navigation, choose Connections > (Add Connection).
    The Select a data source dialog will appear.
  2. Expand Connect to Live Data and select SAP HANA.
  3. In the dialog, enter a name and description for your connection.
    The connection name cannot be changed later.
  4. Set the connection type to Direct.
  5. Add your SAP HANA host name and HTTPS port.
  6. (Optional) Choose a Default Language from the list.
    This language will always be used for this connection and cannot be changed by users without administrator privileges.
    Note
    You must know which languages are installed on your SAP HANA system before adding a language code. If the language code you enter is invalid, SAP Analytics Cloud will default to the language specified by your system metadata.
  7. Under Authentication Method select None for no authentication, or select User Name and Password, or for single sign-on, select SAML Single Sign On.
    • Using the None authentication option allows you to connect to an SAP HANA system that uses SSO that is not based on SAML 2.0. For more information, see Using the 'None' Authentication Option.
    • For the User Name and Password option, enter an SAP HANA user name and password.
    Note
    To enable single sign-on for the mobile app, see the "Single Sign-On Requirements" topic in the SAP Analytics Cloud Mobile Administration Guide.
  8. Select OK.
    Note
    After creating a connection to a remote system and before creating a model from a remote system, you must log off and log on to SAP Analytics Cloud again.
    Note
    Select the Enable users to schedule for story publishing option if you want to let your users schedule the publishing of stories. For details on scheduling, see Schedule a Publication.
    Note
    Select the Enable model metadata generation option in Advanced Features if you want to access Smart Insights on the models in your connection. For details on how to generate model metadata see Manually Generating Model Metadata on a Live SAP HANA Model. To learn more about Smart Insights, see Smart Insights.

Results

The connection is saved.
Note
The connection is not tested until you create a model. For more information, see Create a New Model.