1.  Purpose

This guide serves the integration scenario SAP_COM_0065 – SAP Analytic Cloud Integration. This communication scenario "SAP_COM_0065 " is provided by SAP.

This document explains how to configure S/4HANA Cloud and SAP Analytic Cloud for a communication with OAuth authentication using OAuth 2.0 SAML Bearer Assertion.

SAP Analytics Cloud is used as analytics client consuming SAP S/4HANA data exposed via SAP S/4HANA analytical queries. For this purpose, you can configure a live data connection in SAP Analytics Cloud. This allows you to create a SAP Analytics Cloud model based on an SAP S/4HANA analytical query and consume the result set in an SAP Analytics Cloud Story

The following steps must be carried out by a user who logs on to both the SAP S/4HANA and SAP Analytics Cloud system via the Identity Provider. For the steps in the SAP Analytics Cloud system, the BI Admin role is required. For the steps in the SAP S/4 HANA system, the Administrator role is required.

2. Prerequisites

• SAP S/4HANA Cloud is configured to use IdP as Authentication Service


• SAP Analytics Cloud is configured to use same IdP as SAP S/4HANA Cloud


• Both SAC and S/4HANA is configured to use User Name or User ID as NameID to map to IdP.


• The IdP user is authorized for both applications.


• You are system owner of the SAC tenant (System Owner role)


• You have roles SAP_BR_ADMINISTRATOR, SAP_BR_EMPLOYEE and, SAP_BR_ANALYTICS_SPECIALIST in S/4HANA system

 

 

3.  SAP Analytic Cloud Integration with S/4HANA Cloud

3.1 OAuth Clients and Trusted Identity Providers

We have to use Open Authorization (OAuth) protocol to allow third-party applications access to protected SAP Analytics Cloud resources. Admin role is required to complete this step

1. Go to Main Menu > System> Administration > App Integration > OAuth Clients and note down Authorization URL and token URL. We will need this to complete steps in S4/HANA

 

2. Under Configured Clients, add a new OAuth Client with the following properties:

 

• Name, for example "SAP S/4HANA System"


• OAuth Client ID, for example "my300xxx".


• Purpose, choose API Access, also check boxes Sorry Listing and User Provisioning


• Security Authorization Grant Client Credentials


• Security Secret chosen by you (like a password). Do not specify a lifetime for the secret.


• Token Details Token Lifetime 60 minutes (suggested value).


• Press Add.

3.2 Create S/4HANA Live Data Connection in SAC

In the SAP Analytics Cloud system, navigate to Connection and press the Plus (+) icon to add a new connection. Then select Live Data Connection > SAP S/4HANA. In the dialog New S/4HANA Live Connection, do the following:

1. Enter a Name and Description. SAP Procurement Pre-built content need connection name to be “SAPEMC”. This is explained later in this document under section “Import LOB Business Content”


2. Select Connection Type SAP S/4HANA Cloud.


3. Under Host, enter the host name of the S4/HANA Cloud tenant (for example: my40xxx-api.s4hana.ondemand.com). “-api” suffix is needed for API access of S/4HANA Cloud system. Note down the provider name that is displayed under OAuth 2.0 Identity Provider Configuration and download the signing certificate. No need to save this connection at this point. We have to make the required configurations in S4/HANA Cloud and return to this setup for saving.

 

 

3.3 Create Communication System in S/4HANA Cloud

System administrator role is required to complete steps in S/4HANA Cloud

1. Open S/4HANA Cloud in a new browser window. In the app Communication Systems, click New to create a new communication system.

2. Under Technical Data > General > Host Name enter the host name of the SAP Analytics Cloud tenant.

3. Under Technical Data > OAuth 2.0 Settings enter the authorization endpoint and token endpoint obtained when we created OAuthClient in Section 3.1.1. Enter these endpoints without the https://prefix.

4. Under OAuth 2.0 Identity Provider select Enabled. Enter the provider name and upload the signing certificate obtained in Section 3.2.c.


5. Create a User for Inbound Communication with the Authentication Method User Name and Password and note down the user name and password.

Click on New User

Enter User Name and Password. Alternatively, you can also use propose password.

 

6. Create a new User for Outbound Communication with the Authentication Method OAuth 2.0.

Click on + icon

Select OAuth 2.0 from drop down for Authentication Method

 

Enter OAuth 2.0 Client ID and secret from Section 3.1.2

 

Click on Create

7. Save the Communication System

 

3.4  Communication Arrangement in S/4HANA Cloud

1. In the S/4HANA Cloud system, in the app Communication Arrangements, click New to create a new arrangement.

Select Communication Scenario SAP_COM_0065. Then enter Arrangement Name and click Create

 

2. Enter the Communication System from the previous step

3. Under Additional Properties > Tenant ID (SAP Analytics Cloud tenant) maintain the tenant ID that is visible in the URL of SAP Analytics Cloud. When calling up https://xxx.sapanalytics.cloud, you will be redirected to the full URL where you can find the tenant ID as shown in this example: https://xxx.sapanalytics.cloud/sap/fpa/ui/tenants/«tenant ID»/app.html.

 

4. Under Inbound Communication > User Name > Authentication Method, select Authentication with OAuth 2.0 using the input help of the User Name

 

5. Under Outbound Communication, (where the user from Section 3.1.2. is displayed) set SAML2 Identifierto User Name, note down the SAML2 Issuer (for example https://my300xxx.s4hana.ondemand.com/oa2cs) and download the signing certificate (this is a text file signing_pse.crt).

 

6. Ensure that underOutbound Services, both UI Link Navigation and Retrieve Stories have Service Status checked (= Active)

 

 

3.5  Finish Creating S4/HANA Live connection in SAC

1. Switch back to the browser window with the SAP Analytics Cloud Live Data connection definition
   
   
   
   • Enter the token service user and password that you noted down in Part 2, step 1.d. (the previous procedure, setting up the communication system).
   
   
   • Enter the following space-separated list as OAuth scope:
   
   
   
   

SAP_BW_INA_BATCHPROCESSING_HTTP SAP_BW_INA_GETCATALOG_HTTP SAP_BW_INA_GETRESPONSE_HTTP SAP_BW_INA_GETSERVERINFO_HTTP SAP_BW_INA_LOGOFF_HTTP SAP_BW_INA_VALUEHELP_HTTP

 

2. Click OK

 

3. This completes the setup of the live data connection to S/4HANA Cloud.

 

4. To complete the outbound connections setup from S/4HANA Cloud to SAP Analytics Cloud, go to the SAP Analytics Cloud system, select System > Administration > App Integration > Configured Clients and add a trusted identity provider (name chosen by you) with a provider name that is equal to the SAML 2 Issuer from Section and to the signing certificate obtained in Section 3.4.5 (copy the text content of the file)

 

 

 

4.    Import LOB Business Content in SAC

1. As an administrator, log on to your SAP Analytics Cloud system


2. From the top left menu, select Browse> Files

 

3. On the left pane, choose Content Library.

4. Choose the type of content that you want to add. This can be either Samples or Business Content. Select Business Content.

 

5. Select Procurement for SAP S4/HANA for example.

 

6. A popup comes up with the details of the content in the package. Choose Import to import the content

 

7. Procurement for SAP S4/HANA Cloud needs connection with the name “SAPEMC”. This connection can be created using steps provided in section 3

8. The SAC stories are now available in below highlighted folder

 

9. To refresh the stories, you will need a business user in S/4HANA Cloud that has role SAP_BR_EMPLOYEE and SAP_BR_ANALYTICS_SPECIALIST. You will have to login with same user in SAC as well as same credentials gets used to refresh story at backend S/4HANA Cloud tenant.

10. Login to SAC tenant and open the story for Procurement.

 

 

5.    Create Tile in S4/HANA Cloud

1. In S/4HANA Cloud, open app Create Tile for Analytic Cloud Story. You will see list of stories that you can create a tile.

 

Click on Create Fiori Application ID for the story you want to create tile. In this case we will create tile for SAP Procurement Off Contract Spend.

2. Enter Tile and Subtitle for the Tile and click Publish

 

3. Click on Add to add Business Catalog this tile to be included.

4. In this case we selected Material Management – Procurement Overview. Check the checkbox against Business Catalog and Click Publish

 

5. Click on OK

 

6. It will take 3 to 5 minutes for Publishing to complete

 

7. From the home page, click on user Icon and then click on Edit Home Page

 

8. Click on + sign under My Home. You could pick any group to add this tile.
   

   

   
   


9. Scroll down to select the catalog where tile was added. In this case it is Material Management – Procurement Overview

 

10. Click on the push pin under the Tile we created earlier.

11. The tile is now added to the My Home. Click to the user icon to go to home and the click Close to save changes

 

12. The Tile for SAP Analytic Cloud is now visible in My Home

 

 

13. Click on the Tile to open the SAC Story. The story will refresh using the same user credentials at the S4/HANA as your SAC User.

 

 

6.    S/4HANA Financial Planning using Prebuild Content

We do not need communication system to be created again since we have already created a communication system for live connection above. We can use the same communication system to create below communication arrangement.

6.1.   Create Communication Arrangement

1. In the S/4HANA Cloud system, in the app Communication Arrangements, click New to create a new arrangement.

Select Communication Scenario SAP_COM_0087. Then enter Arrangement Name and click Create.

Note that communication scenario SAP_COM_0087 is delivered by SAP for Planning Integration.

 

2. Enter the Communication System from the previous step

 

3. Under Inbound Communication > User Name > Authentication Method, notice that User Name is already populated. This user is automatically picked up from the communication system we picked from above step

 

4. Click on Save to save the communication arrangement

 

6.2.    Import Pre-build LOB Content for Financial Planning

1. As an administrator, log on to your SAP Analytics Cloud system


2. From the top left menu, select Browse > Files

 

3. On the left pane, choose Content Library.

 

4. Choose the type of content that you want to add. This can be either Samples or Business Content. Select Business Content.

 

5. Select Financial Planning and Analysis for S/4HANA Cloud for example.

 

6. A popup comes up with the details of the content in the package. Choose Import to import the content

7. The SAC stories are now available in below highlighted folder

Below connection is also imported. Go to Home -> Connection. Notice that below connection is already created

8. To refresh the stories, you will need a business user in S/4HANA Cloud that has role SAP_BR_EMPLOYEE and SAP_BR_ANALYTICS_SPECIALIST. You will have to login with same user in SAC as well as same credentials gets used to refresh story at backend S/4HANA Cloud tenant.

Edit imported connection “FP&A - SAP Best Practices” to configure S/4HANA system as shown below.

Specify Data Service URL, User Name and Password. Please use Inbound User specified on communication arrangement created above with communication scenario SAP_COM_0087.

 

9. Open the story for Financial Planning.

Example:

 

7.  Conclusion

So to summarize, we were able integrate S4/HANA Cloud with SAP Analytic Cloud. We created live and import data connection and also imported pre-built content for Procurement and Finance. We used live connection for Procurement and Import data connection for Financial Planning.

Please leave a comment or ask question below.

 

8.   Additional Information

SAP Analytics Cloud Integration

Get Business Content for SAP Analytic Cloud

SAP Best Practices Explorer

SAP Analytic Cloud Content

Note 2710858 - Custom Analytical Queries are not visible in SAP Analytics Cloud system