For confidentiality reasons, we will not mention the name of the company in order to reproduce most faithfully problems and successes encountered. We will call it the Company.
This chapter describes the experience of a large private Company which has decided to adopt a full cloud strategy for its entire information system. Leading Company in Service Industry, it has migrated step by step each of its corporate functions in either a public cloud software (Software-as-a-Service) and a cloud hosting services (Infrastructure-as-a-Service) such as SAP HANA Enterprise Cloud (HEC).
This large customer also embraces an ambitious and necessary digital transformation strategy by implementing several confidential and high valuable use cases. Cloud strategy has obviously been adopted for powering these projects by enabling cost optimization, agility and scalability.
Their main objectives are:
- A Financial strategy focused on strengthening financial position.
- An outstanding Customer experience by delivering innovative services, based on new best practices in very competitive market by considering market and technological trends
- An optimization of core competencies
- A necessity to get more agility in a very competitive market
As a strategic Partner, SAP and our Company jointly shaped an ultimate big picture of their target architecture based on SAP portfolio because:
- SAP delivers full functional and technical scopes required for supporting Customer’s ambitious strategy. Customer could choose between pure Public Cloud applications or On-Premise solutions hosted in SAP managed cloud services or in any third-party hosting providers.
- SAP enables hybrid tactical approach, very valuable and convenient to move from on-premise to cloud without any disruption.
- SAP Strategy is fully aligned with Company’s strategy. SAP conveys Live Business features in its Applications, HANA real time in memory platform and Live Analytics, which are key to support Company’s strategy.
- SAP delivers Hybrid Analytics in the Cloud and/or Managed hosted services and/or on-premise.
Project and key success factors
In 2016, our preferred Company decided to prove concept, ability, flexibility and performance of SAP Analytics to support their Analytical strategy. by delivering:
- End-to-end real time Analytical capabilities thru
- Business Intelligence: Dashboarding, Reporting, Data Exploration
- Embedded Predictive features
- And Planning
- Connectivity to a large and diverse Hybrid landscape. Analytics should connect any operational systems wherever located and whatever technology is.
- High performant analytical capabilities on very large datasets and high-speed data stream. SAP Hybris front-end applications generate 1.5 million events a day. Our Company expected to get real time insights based very large operational data stream.
Company owns a large applicative landscape composed by SAP Business ByDesign, SAP SuccessFactors, SAP Hybris, SAP BW on HANA, SAP BW4/HANA, SAP HANA on SAP Cloud Platform, SAP HANA On-Premise, Salesforces, Netezza. All of these applications will be used as data source for Analytics.
Project – Main steps
Connecting Public Software-as-a-Service applications to Data Sources located in private domains (Customer and third-party providers) requires a deep analysis of target architecture, network and security matters. Company landscape is complex, we did not consider connectivity as a sub-task of other projects. Connectivity had been a project of its own right. Then, to be successful project management has been an essential task because connectivity settings is not a one-man project. Connectivity on large scale landscape followed a strict process where different stakeholders had to be aligned, committed and had to deliver their own expertise in their respective area of responsibility at the right time.
Connecting SaaS application to on-premise applications required to first deeply understand the overall big picture of the architecture. Reading Prerequisites has been essentials for all stakeholders. Understanding technologies and concepts of SAP Analytics Cloud and Data Source systems have been crucial. Before starting any settings, we organized an architecture workshop to align all identified necessary stakeholders to perform a fast and smooth settings, on time, on scope. We have composed a connectivity SWAT team with Company’s CIO as sponsor and had recurrent weekly meetings.
Connectivity SWAT team had to analyze:
- Insight needs: to identify required data sources, data volume, data confidentiality and complex calculations. We questioned about moving data or not, calculation location based on complexity and data volume, performance issue, blending, etc. For example, we had large datasets supplied by SAP Hybris with all Business events in HANA database located in HEC. With such large table, we decided to leave data in HANA Database and accessing it thru Live Connection. Calculations have been developed in HANA itself to enable high speed and on fly insight based on fresh operational data. Thanks HANA!
- Data Flows: to classify Inbound and/or outbound requests and type of flow (live connection or data acquisition) based on data sources and calculations. This step has been crucial to elaborate accurate network and security service requests especially for SAP HEC and third-party providers.
- Network: To isolate required network settings based on data flows, such as firewall, load balancer, reverse proxy, etc. We knew that network settings could take time due to the multiple third-party providers and security compliancy of each provider. We did not under-estimate network settings because security was crucial.
- Security: to identify required authorizations and settings such as Identity Provider settings, Users and roles management, valid SSL certificates or x509 certificate for authentication based certificate, etc. Just like network configuration, we anticipated that security could take a lot of time because of the multitude of providers and systems. Team knew that project could be stuck only for simple privilege issues.
SAML 2 single sign-on (SSO) has been generalized to simplify authentication and security. With such technology, each application keeps its own user and role management. SAML 2 enables user and role mapping based on a single identity provider repository. We had to check if applications and data sources could support SAML 2 SSO standard. If not, some other mechanisms have been considered (ie. Kerberos/SPnego).
- Project Management: Customer expected to go fast and to lead several projects in parallel. We had at least 5 projects running at the same time with their own analytics needs. A clear project roadmap had been planned and shared to avoid frustration and side effect. Company embraced a full cloud strategy with no IT. Then, it has been essential to identify who was accountable and could do, support and decide. We had a RACI matrix of all internal and external stakeholders.
Data Acquisition versus Live Connection
Customer expectations were mostly oriented to Live connection for enabling real time insights. Obviously, all configurations were not usable for different reasons, volumes, confidentiality and available analytics features. We had to choose based analytics features, nature of data, insights and data source types.
Before starting, all members of connectivity SWAT team have cautiously read System Requirements and Technical Prerequisites document and checked if company’s landscape was conformed with what is supported, version and connection type. This step is crucial to avoid any unplanned stop during project. We have also checked roadmaps to anticipate future capabilities and supports which could be positioned in project plan.
Our experience, best practices but also restrictions have conducted our choices. Several criteria have been considered:
- Analytics functional needs
- Performance constraints
- Data Privacy constraints
- Data volume constraints
|Data Acquisition||Analytic Model||All data (from whatever source is selected) is ‘uploaded’ (replicated) to SAP Analytics Cloud in-memory HANA Database. SAP Analytics Cloud then stores the model and data. Security can be added to the model within SAP Analytics Cloud. Both Analytic and Planning models generate an account type model.|
|Live Connection||Local (Cloud data sources)||
SAP Cloud Platform
SAP S4/HANA Cloud
|All data stays within the SAP Cloud Platform or SAP S4/HANA Cloud. The data is not replicated to SAP Analytics Cloud. Modelling and model security is managed on the source system. Data connection between systems is secured within SAP Cloud Platform.|
|Remote (On-premise data sources)||
All data stays within the remote (customer) landscape. The data is not replicated to SAP Analytics Cloud. Modelling and model security is managed on the source system.
data connection between systems is secured.
Company decided to use on-premise SAP BusinessObjects Enterprise (BOE) Analytics in HEC to perform high performant calculation on large table directly connected to HANA Database. This option has been chosen to get direct live connectivity with no additional network and security layers. Even if SAP Analytics Cloud could do the Job, proximity of SAP BOE with very large dataset was much more convenient to run high speed insight by simplifying network and security layers.
Performance was specifically required for a very large table feeds by SAP Hybris in real time. All calculations were developed in HANA Calculation views which are accessible by either SAP Analytics Cloud or SAP BusinessObjects Entreprise. These views have required optimization at HANA level to enable on-fly aggregation based on adequate input control to avoid transfer of large volume.
Data Privacy constraints
With live connection, data stays in your back-end. As soon as customer expected to keep fully control of data privacy, live connection was the best choice, even if data are encrypted and secured in data acquisition type.
Data volume constraints
With live connection, data volume is processed in your back-end system. There is no theoretical limitation. Query is executed in back-end system. Query should limit volume returned to Web Browser by applying adequate input control or aggregation.
With Data acquisition, it exists volume limitations as follow. Data acquisition restrictions:
- Columns: 100
- Rows: 800,000
- Dimension members:
- Planning models: 250,000
- Analytic models: if there are more than 250,000 unique members, dimension will be only
- Dimension members with attributes: 150,000
- Dimension members with geo enrichment: 200,000
- Dimension members in hierarchy: 150,000
- Hierarchy depth: 1,000
We followed these restrictions to adapt connectivity roadmap.
SAP BW4/HANA as Corporate Analytical repository
To simplify connectivity, BW4/HANA has been chosen as the main analytics repository because BW4/HANA can collect and connect to any data, in real time. It is a next-generation data warehouse built entirely on SAP advanced in-memory HANA platform. It offers enhanced data modeling and governance, Business contents, high-performance solution development, a modern user experience (UX), and incredible flexibility. It leverages huge amounts of data – SAP application data, third-party data, unstructured data, geo-spatial data, Hadoop data, and more – live and in the moment. It can be connected by SAP Analytics Cloud and SAP BusinessObjects Enterprise, Live or in Data Acquisition.
Such centralized configuration drastically simplifies overall connectivity and also enables better data lifecycle management. It also simplifies decommissioning of BW on HANA and Netezza in mid-term perspective.
Best practices and feedbacks from experiences
- Consider connectivity as a project of its own right as soon as your landscape is large and complex. In such context, it is not a one-man-project.
- Read documentation and prerequisites first. SAP delivers exhaustive and up-to-date documentations, guidelines, wiki and blogs.
- Early involve your third-party providers in project. We need accountable stakeholders from their organization to enable data source access, settings, security and network connectivity.
- Organize enablement workshops to learn about Analytics capabilities and technologies. Do not hesitate to ask SAP to deliver such educational workshop.
- Cautiously check roadmaps, supported platforms and releases. Verify if your landscape requires upgrades before starting any settings. Do not be stopped because of a patch level.
- Organize your project around a SWAT Team composed by network, security, database, analytics and architecture skills. Organize a weekly project steering committee with executive sponsor (ie. CIO). Define a RACI matrix with internal and external stakeholders.
- Put Governance in place to manage network addresses, naming, host names, virtual host names, logins and passwords, etc. Project can be slowed down due to lack of knowledge of the configurations implemented. It is important to share knowledge while respecting basic rules of security. Identify several admin profiles and use delegation features.
- Design a detailed target architecture and share it with project stakeholders. Organize workshop to evangelize, promote and explain it.
- Promote direct live connection (CORS) as best choice to simplify data lifecycle management and security.
- Deploy SAML2 Single Sign-on on all applications to simplify security management.
- Promote HANA platform (BW4/HANA) and especially calculation views to build your query in back-end for large datasets.
- Do not under-estimate time to set network and security in your landscape. The different security compliances to be respected can become obstacles to your projects. Make sure you fully respect them. SAP Analytics solutions have been developed with the best and most proven security technologies.