How to build a hybrid analytical platform based on SAP Analytics Cloud and local systems of the company




Analytical systems continue to evolve. According to Gartner estimates, the global market for BI platforms and analytical applications will exceed $22.8 billion by the end of this year. In the past few years, self-service tools have come to the fore, allowing business users and analysts to create interactive dashboards without involving IT teams. At the same time, companies are starting to look more and more at cloud-based analytical tools that help in building a bimodal architecture and add flexibility to the company's IT landscape.



We wrote a lot here and here about our solution SAP Analytics Cloud (SAC), which is designed for interactive and flexible data analysis. Today we will talk about one more SAC feature: the hybrid model, in which the solution works with the company's local systems.



Why is Live Mode important?



When using cloud platforms, the question arises of how secure the work and the data transfer to the analytical system are. Live connection technology allows you to create dashboards in SAP Analytics Cloud without transferring business data to the cloud, which can guarantee that the data stays safe within the company's corporate perimeter.



As we wrote earlier, SAC combines 3 key functionalities for working with data: BI, planning and advanced analytics using machine learning methods. And of course, it is convenient that this is a SaaS BI tool that does not require local deployment, allowing you to create dashboards and analyze information without installing any programs on the user's computer. The work is done in a browser, and system updates are automatic.



SAP Analytics Cloud allows you to connect to sources in two different formats, as shown in Figure 1:



  1. In import mode, when data is loaded into the analytical system and can be updated on a schedule. Here we can use the full set of system capabilities in terms of data visualization and analysis, planning and predictive analytics.
  2. In Live mode, when there is no data uploading to the cloud, and we see the actual data from the source system on the dashboard at the time the report is opened. This connection enables most of the BI and advanced system analytics functionality. It is important that this feature set is regularly updated.



Figure 1. Available connection types



The data sources for this mode can be:



  • SAP HANA (cloud or local). In this case SAP Analytics Cloud outputs data from Calculation Views
  • SAP BW/4HANA and a number of SAP BW versions - BW / BEx Queries
  • SAP S/4HANA - CDS Views
  • SAP Universe - BO Universe created with Information Design Tool
  • SAP BPC Embedded - BPC Query (in this case, SAP Analytics Cloud can act not only as a data output tool, but also as a data input interface for planning purposes in BPC)
  • SAP Data Warehouse Cloud - Analytics Views


The system versions compatible with Live connection are listed here.



How does Live Connection work?



A Live connection is a direct interaction between the browser and the data source, as the diagram in Fig. 2 shows. The browser is the central component for all interactions: using JavaScript, it generates requests for data from the source and for metadata from SAP Analytics Cloud. The information received is then combined within the report on the browser page where the web address of the SAP Analytics Cloud tenant is open.




Figure 2. Live connection scheme



This connection is based on the CORS (Cross-Origin Resource Sharing) mechanism, which allows a web page to request restricted resources from a domain other than the one from which the page itself was obtained. That is, you can request data from multiple web resources within a single browser page. At the same time, business data does not leave the corporate network and is reliably stored in an existing source. The browser interacts directly with SAP Analytics Cloud, the Identity Provider (trusted authorization server) and all connected data sources. It works with three types of connections:



  • GET / POST requests from the browser to SAP Analytics Cloud are for metadata.
  • GET / POST requests from the browser to the authorization server are for the SAML 2 protocol.
  • GET / POST / OPTIONS requests from the browser to data sources are for business data.


If the browser connects from outside the client's secure domain, standard security mechanisms (such as VPN) are supported.



SAP Analytics Cloud stores the metadata required to generate a report.



This metadata is fully encrypted and transmitted over HTTPS, and is processed in the browser using JavaScript for display in reports. At the same time, separate objects store the information needed to generate a request and build the report.



What are business data and metadata?



Imagine that you have a table that contains field names as well as the business data itself.



The field names are passed to SAP Analytics Cloud for reporting, but the business data from the table columns is not. Let's analyze this situation using the example of the data from this table.






The metadata in this example is “ID”, “Product Name”, “Region” and “Amount”. The data is Tomatoes, Samara, 200, Potatoes, Volgograd and 350.



Configuring Live Connection



Instructions for setting up a Live connection using CORS for various sources are given on help.sap.com and are available in Russian, as well as with screenshots on the official resource sapanalytics.cloud, so there is no point in duplicating all the content.

But for a general understanding, let's see what it looks like using the example of connecting the SAP Analytics Cloud tenant to SAP BW/4HANA.



The connection has certain requirements; let's highlight the key ones that we need. Most of them are due to the fact that we work through a browser (Google Chrome is recommended).



  • SSL . . Google Chrome , SAC. .



    :



    • ( host)
    • Subject Subject Alternative Name DNS ( IP)
    • (Trusted Root)
    • (sha-1 )
  • The SAP NetWeaver system is configured with the InA package (/sap/bw/ina) for basic authentication.



    You can check this by opening the following URL in your browser: https://<Your_ABAP_System_Host>/sap/bw/ina/GetServerInfo?sap-client=<Your_Client_ID>.



    Here, instead of <Your_ABAP_System_Host>, you need to specify the host of your BW system, and instead of <Your_Client_ID> the client ID.


A window for entering credentials should appear; after logging in, you will receive a response in the form of JSON.



The same address can therefore also be used to check the validity of the SSL certificate.



  • The following Information Access services (InA / BW InA) must be active in the SICF transaction:



    /sap/bw/ina/GetCatalog
    /sap/bw/ina/GetResponse
    /sap/bw/ina/GetServerInfo
    /sap/bw/ina/ValueHelp
    /sap/bw/ina/BatchProcessing
    /sap/bw/ina/Logoff


  • Configuring SameSite Cookies on the side of the data source (the recommended approach for productive use of the system), or on the side of the user's browser.



    This is required for Google Chrome and other browsers to allow cross-site access to your local SAP data source cookies from the SAP Analytics Cloud system. You need to configure your local datasource to create cookies with specific attributes. Without these settings, when using a Live Data connection, errors will occur and operation will not be possible.


Configuring on the BW side is done as follows:



In the ABAP system profiles folder, create the rewrite.txt file.



Add a rewrite script to the file to add cookie attributes to compatible web browsers:



SetHeader sap-ua-protocol ""

if %{HEADER:clientprotocol} stricmp http [OR]
if %{HEADER:x-forwarded-for-proto} stricmp http [OR]
if %{HEADER:forwarded} regimatch proto=http
begin
    SetHeader sap-ua-protocol "http"
end

if %{HEADER:clientprotocol} stricmp https [OR]
if %{HEADER:x-forwarded-for-proto} stricmp https [OR]
if %{HEADER:forwarded} regimatch proto=https
begin
    SetHeader sap-ua-protocol "https"
end

if %{HEADER:sap-ua-protocol} strcmp "" [AND]
if %{SERVER_PROTOCOL} stricmp https
begin
    SetHeader sap-ua-protocol "https"
end

if %{RESPONSE_HEADER:set-cookie} !strcmp "" [AND]
if %{HEADER:sap-ua-protocol} stricmp https [AND]
if %{HEADER:user-agent} regmatch "^Mozilla" [AND]
if %{HEADER:user-agent} !regmatch "(Chrome|Chromium)/[1-6]?[0-9]\." [AND]
if %{HEADER:user-agent} !regmatch "(UCBrowser)/([0-9]|10|11|12)\." [AND]
if %{HEADER:user-agent} !regmatch "\(iP.+; CPU .*OS 12_.*\) AppleWebKit\/" [AND]
if %{HEADER:user-agent} !regmatch "\(Macintosh;.*Mac OS X 10_14.*(Version\/.* Safari.*|AppleWebKit\/[0-9\.]+.*\(KHTML, like Gecko\))$"
begin
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*)" "$1$2; SameSite=None; Secure"
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *SameSite=[a-zA-Z]+.*); SameSite=None; Secure" $1$2
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *Secure.*); Secure" $1$2
end


After that, save the file and log into the SAP GUI under the system administrator account. Go to transaction RZ10 and edit the ABAP system DEFAULT profile: enable HTTP rewrite and specify the rewrite file. To do this, add the following profile parameter: icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_PROFILE)/rewrite.txt



Save changes and restart the ABAP system.
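
To see which Set-Cookie value a given browser ends up with, the three rewrite rules and the user-agent exclusions of the script can be modelled offline. This Python model is an added example, not part of the original article or of SAP's tooling; the function name, the sample user agents and the simplified protocol argument (standing in for the sap-ua-protocol header) are assumptions.

```python
import re

# Exclusion patterns copied verbatim from the rewrite script: browsers that
# mishandle SameSite=None and therefore receive the cookie unchanged.
INCOMPATIBLE_UA = [
    r"(Chrome|Chromium)/[1-6]?[0-9]\.",
    r"(UCBrowser)/([0-9]|10|11|12)\.",
    r"\(iP.+; CPU .*OS 12_.*\) AppleWebKit\/",
    r"\(Macintosh;.*Mac OS X 10_14.*(Version\/.* Safari.*"
    r"|AppleWebKit\/[0-9\.]+.*\(KHTML, like Gecko\))$",
]
# The three RegIRewriteResponseHeader rules in script order ($1$2 becomes \1\2).
RULES = [
    (r"^([^=]+)(=.*)", r"\1\2; SameSite=None; Secure"),                      # append
    (r"^([^=]+)(=.*; *SameSite=[a-zA-Z]+.*); SameSite=None; Secure", r"\1\2"),  # keep existing SameSite
    (r"^([^=]+)(=.*; *Secure.*); Secure", r"\1\2"),                          # drop duplicate Secure
]

# Constructed sample user agents (not taken from real traffic).
MODERN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
OLD_UA = MODERN_UA.replace("Chrome/120.0.0.0", "Chrome/66.0.3359.139")

def rewrite_set_cookie(cookie, user_agent, protocol):
    """Return the Set-Cookie value as the rewrite rules would leave it."""
    if not cookie or protocol.lower() != "https":
        return cookie                      # script only acts on HTTPS responses
    if not re.search(r"^Mozilla", user_agent):
        return cookie                      # regmatch is case-sensitive
    if any(re.search(p, user_agent) for p in INCOMPATIBLE_UA):
        return cookie
    for pattern, repl in RULES:            # RegI... rules are case-insensitive
        cookie = re.sub(pattern, repl, cookie, flags=re.IGNORECASE)
    return cookie

if __name__ == "__main__":
    for c in ("sap-usercontext=sap-client=100; path=/",
              "SAP_SESSIONID_BW4_100=abc; path=/; secure; HttpOnly",
              "x=1; SameSite=Lax"):
        print(rewrite_set_cookie(c, MODERN_UA, "https"))
```

Note that a cookie which already carries its own SameSite attribute passes through without SameSite=None, so such a cookie still will not be sent cross-site to the data source.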



After making sure that all the basic requirements are met, we can proceed to configuring CORS:

First, set the parameter icf/cors_enabled = 1 in the RZ11 transaction, as in Fig. 3.




Figure 3. RZ11 transaction interface



After that, add SAP Analytics Cloud to the HTTP whitelist (UCONCOCKPIT transaction).

First, set the Active Check status for the Cross-Origin Resource Sharing parameter (Fig. 4).



Figure 4. Setting the Active Check status for Cross-Origin Resource Sharing



Now we need to specify the Origin Host - the address of the SAP Analytics Cloud tenant with which we are setting up the connection. To do this, go to edit mode and click To Whitelist.



Figure 5. Indication of Origin Host



And enter the values.



Add the address of the SAP Analytics Cloud tenant to the Host Rule field.



You also need to specify the allowed methods (Get, Head, Post, Options) and allowed headers:

X-CSRF-TOKEN, X-SAP-CID, AUTHORIZATION, MYSAPSSO2, X-REQUEST-WITH, SAP-REWRITEURL, SAP-URL-SESSION-ID, CONTENT-TYPE, ACCEPT-LANGUAGE



And visible headers:



X-CSRF-TOKEN, SAP-REWRITEURL, SAP-URL-SESSION-ID, SAP-PERF-FESREC, SAP-SYSTEM.

Set the rest of the parameters as shown on the screen below (Fig. 6).




Figure 6. Data entry window for connection
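
Once the whitelist entry is saved, the response headers that the BW host returns to a browser preflight (OPTIONS) request can be compared with the values entered above. The following Python check is an added example, not part of the original article; the function name, the tenant address and the sample header sets are constructed, and it assumes the host answers with the standard Access-Control-* response headers.

```python
# Methods and headers the article enters in the UCONCOCKPIT whitelist entry.
REQUIRED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
REQUIRED_HEADERS = {
    "X-CSRF-TOKEN", "X-SAP-CID", "AUTHORIZATION", "MYSAPSSO2", "X-REQUEST-WITH",
    "SAP-REWRITEURL", "SAP-URL-SESSION-ID", "CONTENT-TYPE", "ACCEPT-LANGUAGE",
}

def _tokens(value):
    """Split a comma-separated header value into an upper-cased set."""
    return {t.strip().upper() for t in value.split(",") if t.strip()}

def audit_preflight(headers, tenant_origin):
    """Return a list of findings; an empty list means the response matches."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    origin = h.get("access-control-allow-origin", "")
    if origin == "*":
        # Browsers refuse a wildcard origin on requests that carry cookies,
        # and it is broader than the single whitelisted tenant.
        findings.append("origin: wildcard instead of the tenant address")
    elif origin != tenant_origin:
        findings.append("origin: %r is not the whitelisted tenant" % origin)
    if h.get("access-control-allow-credentials", "").lower() != "true":
        findings.append("credentials: Access-Control-Allow-Credentials is not 'true'")
    missing = REQUIRED_METHODS - _tokens(h.get("access-control-allow-methods", ""))
    if missing:
        findings.append("methods: missing " + ", ".join(sorted(missing)))
    missing = REQUIRED_HEADERS - _tokens(h.get("access-control-allow-headers", ""))
    if missing:
        findings.append("headers: missing " + ", ".join(sorted(missing)))
    return findings

# Constructed sample responses (placeholder tenant address, not real output).
TENANT = "https://mytenant.example.com"
GOOD = {
    "Access-Control-Allow-Origin": TENANT,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, HEAD, POST, OPTIONS",
    "Access-Control-Allow-Headers": ", ".join(sorted(REQUIRED_HEADERS)).lower(),
}
BAD = {"Access-Control-Allow-Origin": "*",
       "Access-Control-Allow-Methods": "GET, POST",
       "Access-Control-Allow-Headers": "content-type"}

if __name__ == "__main__":
    print(audit_preflight(GOOD, TENANT))
    print("\n".join(audit_preflight(BAD, TENANT)))
```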



Now let's add a connection on the side of the SAP Analytics Cloud tenant. Let's open it in a browser.



In the menu, select "Connections", then click on "+" to create a new one and select SAP BW in the section "Establish a connection to Live Data". Next, select the type of connection - direct, enter the name of your SAP BW host, HTTPS port and client, and also specify the login and password to test the connection (Fig. 7).




Figure 7. Side-by-side setup in SAP Analytics Cloud



After that we start creating data models based on the Live connection and move on to creating logs.



Finally, we can visualize data from BW Queries, as in Figure 8:




Figure 8. Report view in SAP Analytics Cloud



We should also say a few words about managing user access and roles when working in Live connection mode. In this mode, we rely on the authorizations defined in the source system. For example, when we connect to a BEx query through the created connection, the system checks our access rights and the data that this query returns. If the rights are insufficient, we will not be able to continue working. For this to work, the data source system must have a user that corresponds to the SAP Analytics Cloud user. The two can be mapped either by entering a login and password when connecting to the backend system from SAP Analytics Cloud, or by using SAML Single Sign-On. The latter method is, of course, the one recommended for productive use of the solution. The user management tool can be integrated with Windows ADFS.



Today we talked about the features of the SAP Analytics Cloud Live Connection mode, as well as how it is configured. Now we can avoid duplicating security settings and copying business data to the cloud.



SAC also allows existing SAP BusinessObjects customers to set up connections to company-created universes, thus preserving the investment and architecture used for the company's self-service analytics module. The product development plans for Live mode include linking multiple Live sources to each other (for example, BW with HANA), adding calculated dimensions and some types of calculated metrics, improving performance, and adding smart features. A 90-day trial is available to familiarize yourself with the product features.



Author - Evgeny Gorbunov, SAP CIS business solutions architect


