How to build a hybrid analytical platform based on SAP Analytics Cloud and local systems of the company

image

Analytical systems continue to evolve. According to Gartner estimates, the global market for BI platforms and analytical applications will exceed $ 22.8 billion by the end of this year. In the past few years, so-called self-service tools have come to the fore, allowing business users and analysts to create interactive dashboards without involving IT teams. At the same time, companies are starting to look more and more at cloud-based analytical tools that help in building a bimodal architecture and add flexibility to the company’s IT landscape.

We have written extensively here and here about our SAP Analytics Cloud (SAC) solution, which is designed for interactive and flexible data analysis. Today we will talk about one more SAC feature, namely about the hybrid model of the solution’s work with local systems of the company.

Why is Live Mode important?

When using cloud platforms, the question arises about the safety of work and data transfer to the analytical system. Live connection technology allows you to create dashboards using SAP Analytics Cloud without transferring business data to the cloud, which can guarantee the safety of data within the corporate outline of the company.

As we wrote earlier, SAC combines 3 key functionalities for working with data: BI, planning and advanced analytics using machine learning methods. And, of course, it is convenient that this is a SaaS BI tool that does not require local deployment, allowing you to create dashboards and analyze information without installing any programs on the user’s computer. The work is done in the browser, and system updates are automatic.

SAP Analytics Cloud allows you to connect to sources in two different formats, as shown in Figure 1:

  1. In import mode, when data is loaded into the analytical system and can be updated on a schedule. Here we can use the full set of system capabilities in terms of data visualization and analysis, planning and predictive analytics.
  2. In Live mode, when there is no data upload to the cloud, and we see on the dashboard the actual data from the source system at the time the report is opened. This connection enables most of the BI and advanced system analytics functionality. It is important that this feature set is regularly updated.

image
Figure 1. Available connection types

The data sources for this mode can be:

  • SAP HANA (cloud or local). In this case SAP Analytics Cloud outputs data from Calculation Views
  • SAP BW / 4HANA and a number of SAP BW versions – BW / BEx Queries
  • SAP S / 4HANA – CDS Views
  • SAP Universe – BO Universe created with Information Design Tool
  • SAP BPC Embedded – BPC Query (in this case, SAP Analytics Cloud can act not only as a data output tool, but also as a data input interface for planning purposes in BPC)
  • SAP Data Warehouse Cloud – Analytics Views

Compatible versions of systems for working with Live-connection are given here

How does Live Connection work?

Live connection – direct interaction between the browser and the data source. This is clearly seen from the diagram in Fig. 2. It is the browser that is the central component for all interactions: it generates requests to receive data from the source, as well as metadata from SAP Analytics Cloud via Javascript. Then, the information received is combined within the report on the browser page, where the web address of the SAP Analytics Cloud tenant is open.

image
Figure 2. Live connection scheme

This connection is based on the CORS (Cross-origin resource sharing) mechanism, which allows you to request limited resources on a web page from another domain outside the domain from which the first resource was obtained. That is, you can request data from multiple web resources within a single browser page. At the same time, business data does not leave the corporate network and is reliably stored in an existing source. The browser interacts directly with SAP Analytics Cloud, Identity Provider (trusted authorization server) and all connected data sources. It works with three types of connections:

  • Get / Post requests from browser to SAP Analytics Cloud are for metadata.
  • Get / Post requests from the browser to the authorization server are for SAML 2 protocol.
  • Get / Post / Options requests from browser to data sources are for business data.

If the browser connects from outside the client’s secure domain, standard security mechanisms (such as VPN) are supported.

SAP Analytics Cloud stores the metadata required to generate a report.

They are fully encrypted and transmitted via the https channel, and are processed in the browser using javascript for display in reports. At the same time, separate objects store the necessary information for generating a request and building this report.

What is business and metadata

Imagine that you have a table that contains field names as well as the business data itself.

Analyst names are passed to SAP Analytics Cloud for reporting, but business data from table columns is not passed to SAP Analytics Cloud. Let’s analyze this situation using the example of the data from this table.

image

Metadata in this example will be “ID”, “Product Name”, “Region”, “Amount”. And data – Tomatoes, Samara, 200, potatoes, Volgograd and 350.

Configuring Live Connection

For instructions on how to configure Live Connectivity using CORS for different sources, see help.sap.com and are available in Russian, as well as with screenshots on the official resource sapanalytics.cloudso it doesn’t make sense to duplicate all content.
But for a general understanding, let’s see how it looks like using the example of connecting the SAP Analytics Cloud tenant to SAP BW / 4HANA.

The connection has certain requirements, let’s highlight the key ones that we need. Most of them are due to the fact that we work through a browser (Google Chrome is recommended).

  • For correct operation, you must have a signed SSL certificate on the data source side. The certificate cannot be self-signed. Google Chrome checks the data source certificates, as well as the SAC. They must be valid.

    This checks:

    • certificate validity period
    • who issued the certificate (host address)
    • in Subject and Subject Alternative Name you need to specify DNS (not IP)
    • presence of a root certificate (Trusted Root)
    • cryptographic hashing algorithm (sha-1 is deprecated and not suitable)
  • SAP NetWeaver system is configured with InA package (/ sap / bw / ina) for basic authentication.

    You can check this by opening the following URL in your browser: https: /// sap / bw / ina / GetServerInfo? sap-client =

    Moreover, instead of you need to specify the host of your BW system, – Client (client) ID.

A window for entering registration data should appear, after logging in, you will receive a response in the form of JSON.

Therefore, the same address can check the validity of the SSL certificate.

  • The following information access services (Ina / BW InA) must be active in the SICF transaction code: 
    /sap/bw/ina/GetCatalog
/sap/bw/ina/GetResponse
/sap/bw/ina/GetServerInfo
/sap/bw/ina/ValueHelp
/sap/bw/ina/BatchProcessing
/sap/bw/ina/Logoff

  • Configuring SameSite Cookies on the side of the data source (the recommended approach for productive use of the system), or on the side of the user’s browser.

    This is required for Google Chrome and other browsers to allow cross-site access to your local SAP data source cookies from the SAP Analytics Cloud system. You need to configure your local datasource to create cookies with specific attributes. Without these settings, when using a Live Data connection, errors will occur and operation will not be possible.

The BW side is configured as follows:

Create the rewrite.txt file in the ABAP system profiles folder.

Add a rewrite script to the file to add cookie attributes to compatible web browsers:

SetHeader sap-ua-protocol ""

if %{HEADER:clientprotocol} stricmp http [OR]
if %{HEADER:x-forwarded-for-proto} stricmp http [OR]
if %{HEADER:forwarded} regimatch proto=http
begin
    SetHeader sap-ua-protocol "http"
end

if %{HEADER:clientprotocol} stricmp https [OR]
if %{HEADER:x-forwarded-for-proto} stricmp https [OR]
if %{HEADER:forwarded} regimatch proto=https
begin
    SetHeader sap-ua-protocol "https"
end

if %{HEADER:sap-ua-protocol} strcmp "" [AND]
if %{SERVER_PROTOCOL} stricmp https
begin
    SetHeader sap-ua-protocol "https"
end

if %{RESPONSE_HEADER:set-cookie} !strcmp "" [AND]
if %{HEADER:sap-ua-protocol} stricmp https [AND]
if %{HEADER:user-agent} regmatch "^Mozilla" [AND]
if %{HEADER:user-agent} !regmatch "(Chrome|Chromium)/[1-6]?[0-9]." [AND]
if %{HEADER:user-agent} !regmatch "(UCBrowser)/([0-9]|10|11|12)." [AND]
if %{HEADER:user-agent} !regmatch "(iP.+; CPU .*OS 12_.*) AppleWebKit/" [AND]
if %{HEADER:user-agent} !regmatch "(Macintosh;.*Mac OS X 10_14.*(Version/.* Safari.*|AppleWebKit/[0-9.]+.*(KHTML, like Gecko))$"
begin
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*)" "$1$2; SameSite=None; Secure"
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *SameSite=[a-zA-Z]+.*); SameSite=None; Secure" $1$2
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *Secure.*); Secure" $1$2
End

After that, save the file and log into the SAP GUI under the system administrator account. Go to transaction RZ10 and edit the DEFAULT profile of the ABAP system: activate HTTP rewrite and specify the rewrite file. To do this, add the following profile parameter: icm / HTTP / mod_0 = PREFIX = /, FILE = $ (DIR_PROFILE) /rewrite.txt

Save changes and restart ABAP system.

After making sure that all the basic requirements are met, we can proceed to configuring CORS:
First, you need to set the value of the icf / cors_enabled = 1 parameter in the RZ11 transaction as in Fig. 3.

image
Figure 3. RZ11 transaction interface

After that, add SAP Analytics Cloud to the HTTP whitelist (UCONCOCKPIT transaction).
First, set the Active Check status for the Cross-Origin Resource Sharing parameter (Fig. 4).

image
Figure: 4. Setting Active Check status for Cross-Origin resource sharing

Now we need to specify the Origin Host – the address of the SAP Analytics Cloud tenant with which we are setting up the connection. To do this, go to edit mode and click To Whitelist.

image
Figure: 5. Specifying the Origin Host

And enter the values.

Add the address of the SAP Analytics Cloud tenant to the Host Rule field.

You also need to specify the allowed methods (Get, Head, Post, Options) and the allowed headers:
X-CSRF-TOKEN, X-SAP-CID, AUTHORIZATION, MYSAPSSO2, X-REQUEST-WITH, SAP-REWRITEURL, SAP-URL-SESSION-ID, CONTENT-TYPE, ACCEPT-LANGUAGE

And the visible headers:

X-CSRF-TOKEN, SAP-REWRITEURL, SAP-URL-SESSION-ID, SAP-PERF-FESREC, SAP-SYSTEM.
Set the rest of the parameters as shown on the screen below (Fig. 6).

image
Figure 6. Data entry window for connection

Now let’s add a connection on the side of the SAP Analytics Cloud tenant. Let’s open it in a browser.

In the menu, select “Connections”, then click on “+” to create a new one and select SAP BW in the section “Establish a connection to Live Data”. Next, select the type of connection – direct, enter the name of your SAP BW host, HTTPS port and client, and also specify the login and password to test the connection (Fig. 7).

image
Figure 7. Side configuration in SAP Analytics Cloud

After that, we start creating data models based on the Live connection and move on to creating logs.

Finally, we can visualize data from BW Queries, as in Figure 8:

image
Figure 8. View of the report in SAP Analytics Cloud

Separately, it is worth saying a few words about managing user access and roles when working in Live connection mode. Using this mode, we rely on the authorizations specified in the source system. For example, when we connect to a BEx query based on the created connection, the system checks our access rights and the data that this query returns. In case of lack of rights, we will not be able to continue working. To do this, the data source system must have a user that corresponds to the SAP Analytics Cloud user. Their mapping can be performed by entering a login-password when connecting to the backend system from SAP Analytics Cloud, or using SAML Single Sign-On. This method, of course, is recommended for productive application of the solution. The user management tool can be integrated with Windows ADFS.

Today we talked about the features of the SAP Analytics Cloud Live Connection mode, as well as how it is configured. Now we can avoid duplicating security settings and copying business data to the cloud.

SAC also allows existing SAP BusinessObjects customers to customize connections to company-created universes, thereby preserving the investment and architecture used for the company’s self-service analytics module. In the plans for product development when working in Live mode: linking multiple Live sources to each other (for example, BW with HANA), adding calculated dimensions and some types of calculated indicators, improving performance, and adding smart features. A 90-day trial is available to try out product features. trial solutions.

Author – Evgeny Gorbunov, SAP CIS business solutions architect

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *