Skip to Content
Technical Articles

SAP Analytics Cloud Live Data Connection to HANA on-premise using CORS

The HANA CORS (Cross Origin Resource Sharing) configuration is straight forward but as the old saying goes, a picture paints a thousand words.  Such a shame that the SAP documentation policy does not allow screenshots.  I have captured the configuration steps here.

SAP Analytics Cloud Version 2018.1.0
SAP HANA Version 1.00.111 (SPS 11).

The official SAP Analytics Cloud documentation is good and could be found here.
Live Data Connection to SAP HANA

This CORS setup is pretty simple.

  1. Configure HANA HTTPS (SSL)
  2. InA (Information Access)
  3. CORS Configuration
  4. XS Timeout
  5. SameSite Cookie Settings

1. Configure HANA HTTPS (SSL)

The Configuration of the SSL certificate is within the Web Dispatcher at the URL below.
The following role is required.



For me that is


Once completed you must be able to access XS classic urls via HTTPS, without any security pop-ups or certificate errors. Usually this is port 4300, if your SAP HANA instance number is 00, but 24 in my case, therefore port 4324.

The full configuration steps for HTTPS are outlined within the SAP HANA help documentation so I won’t repeat those here.

Configure HTTPS (SSL) for Client Application Access


2. Information Access (InA) using EPM-MDS

Verify InA is installed and you have rights to access this service.


For me that is


The response from InA is in JSON, using a JSON browser extension makes the response more readable.

If InA is not working it may not be installed (as below).  Errors such as

“InformationAccess Service GetServerInfo is not available. Install the SAP HANA EPM-MDS plugin.”

You will need to download the the HANA EPM-MDS package from SWDC.

Check that your user has access to this package via the sap.bc.ina.service.v2.userRole::INA_USER role.

Verify that you can access Metadata via InA


For me that is{%22Metadata%22:{%22Expand%22:[%22Cubes%22]}}


3. CORS Configuration

Be aware the CORS config below needs to be repeated after each and every HANA update, e.g moving from revision 122.12 to 122.15.

To access the XS admin site your user requires the following roles.

sap.hana.xs.admin.roles::RuntimeConfAdministrator  sap.hana.xs.admin.roles::SAMLViewer

Login to your XS (classic) admin site, the URL would be something like


For me that becomes


Verify that Basic Authentication is allowed as below

Configure CORS, with the Allowed Origins, Allowed Headers and Exposed Headers as specified below.

# Allowed Headers

# Exposed Headers

As an alternative, or if you experience any issues with the XS user interface, SQL can be used.
An example SQL statement is show, that can apply this configuration. The SQL needs to be modified with your appropriate SAP Analytics Cloud URL.

SET "CONFIGURATION" = ' {"cors":{"enabled":true,"allowOrigin":["https://<url_address>"],"exposeHeaders":["x-csrf-token"],"allowHeaders":["accept-language","x-sap-cid","x-request-with","x-csrf-token","content-type","authorization","accept"],"allowMethods":["GET","HEAD","POST","OPTIONS"],"maxAge":3600}}' 
WHERE "PACKAGE_ID" = 'sap.bc.ina.service.v2';

This is also described in the SAP Note 2655556

4. XS Timeout

We should also increase the XS timeout from the default of 900 seconds (15 minutes) to 43200 (12 hours). Below is the SQL to do this.

alter system alter configuration ('xsengine.ini','SYSTEM') set ('httpserver','sessiontimeout')='43200' with reconfigure;

This can also be changed in HANA Studio.

5. SameSite Cookies Settings

I have captured these steps in a separate blogpost that can be found here

SAP Analytics Cloud

With the CORS configuration now completed we can establish the Live Direct HANA connection within SAP Analytics Cloud.


Recently (during 2020 and early 2021) Google Chrome has included additional privacy settings for blocking third-party cookies. The impact of this is that live HANA connections can fail due to the site being seen as a third-party.

You can check for third-party cookies being blocked.

With Chrome Site Settings, you can allow the blocked Cookies


If SAC refuses to connect, then further information can be seen in the web browser Developer  Console (F12) or (View/Tools -> Web Developer -> Console)

You must be Logged on to comment or reply to a post.
  • Agree that this was a very helpful document.  The use of screenshots and actual URLs helped immensely.

    I realized from the screenshots provided that I had entered the allowed headers as a single string instead of 6 discreet headers.

    Changing that solved my connectivity issue.

    • Hi Mario,

      There is a hack that you can try for testing, that allows self-signed certs to work.

      **Updated 18th Sept 2019**

      You need to tell your browser to ignore certificate errors and trust the self signed certificates.

      To do this you need to modify the browser start-up parameters, and add –ignore-certificate-errors
      On windows this is the windows shortcut to Chrome.exe,  on Mac you can launch chrome via the terminal.

      cd /Applications/Google\

      ./Google\ Chrome –ignore-certificate-errors 2>/dev/null &

      If launched successfully, you will then receive a warning that this is an unsupported command line flag, but SAC will now connect to HANA ?

  • Is anybody else having a problem adding the exposed header 'x-csrf-token'?  I can do everything else but I get a UI5 error in JavaScript console when trying to add this particular one...

    • Hi Mike,

      I have not come across that one, could be browser related - perhaps try with a different browser, or clear browser the cache?



        I ruled all that out. Tried different browsers and killed cache/cookies etc.  It's a genuine code bug, at least in 2.0 SP3...  For clarity's sake, I'm using the XS Classic HANA admin services (not XSA that pulls its stuff from a public CDN, so I've heard) which may explain why not everybody is struggling with this, as I'm probably an oddity with still only using XS Classic.  I managed to "hot fix" it by modifying a JS file to prevent the JS error and now I've got the connection working in SAC.  Screenshot below shows the hot fix. (Yeah, yeah, not supported by SAP, but whatever, I'm using HANA Express, and the code was broken, and now it's not)



        • Wow, thanks for sharing Mike.

          I'm on 2.0 SP2, so I haven't come across this one yet.

          I did see that HANA 2.0 SPS03 Revision 31 is now available, let's hope that fixes it too.


    • I've come across this in the past with some HANA systems.  Use the reset button to reset the CORS configuration and add x-csrf-token to the Expose Headers area first.  Add the additional "Allowed Headers" after.


    • Hi Praveen,

      I am not sure what you are after?

      There is no CORS code per say, just the configuration of CORS, which I have described above.


  • Yes, that looks to be good.  It looks like you haven't applied the configuration yet.

    Your screenshot is cut off - do you see the Edit option as below?

  • Hello Ian,

    your introduction is about SAC connect to HANA XS classic Views, how about XS Advanced Information Views? they will not present in _SYS_BIC schema, and XS Advanced has its application role setting, so I assume there is a different way to config, right?




  • Hi Ian,

    Thanks very much for your documents. It's pretty usefull.

    Currently SAP HANA 2.0 doesn't inlcude HANA EPM-MDS package. May I know what does it

    use for? Is there any impact of Hana XS application which we developed?


    • Hi Frank,

      The EPM-MDS has always been an additional plugin that you had to download. It is available for botht HANA 1.0 and HANA 2.0.
      MDS is Multi Dimensional Services.

      In HANA the EPM-MDS gives us the Information Access Protocol (InA), this provides analytic, planning, metadata and search services over http/s.

      Sorry, I don't understand you second question.

      • Hi lan,


        Thanks very much for your feedback. just ignore the send question. I think I already get the answer.

        Truly appreciate for your post.