SAP Analytics Cloud – Technical and Administration Overview
If you’re starting out with SAP Analytics Cloud and would like to understand more about the technical aspects, then this article is perfect for you!
My article covers a very broad set of topics including:
- Authentication and how SAP Analytics Cloud is typically configured with your own custom Identity Provider. I include a bunch of best practice recommendations and gotchas to avoid!
- Authorisations and the key concepts within SAP Analytics Cloud of Roles, Teams and Users and the best practice setup.
- Data Security. It’s a complex topic!
- I include an overview of the options available to manage ‘row’ level security for acquired data.
- Many customers are surprised how live data connections actually work! Thus I describe how this very clever technology works so you head off in the right direction for implementing SAP Analytics Cloud.
- On-premise components. There can be some, depending upon your requirements; typically these are the Cloud Connector and the Agent. I present what the components are, when you might need them, the basic architecture, recommended setup and best practice. And I’ve added in a few handy tips too!
- Advanced live-connection options. Further down your SAP Analytics Cloud adoption journey you may need to use some of our more advanced ‘live’ features. So I present a high-level overview and the key things you need to know. Things in this section include connectivity and architecture overview of: advanced Mobile App, scheduling/publishing, data blending, Smart Predict and the R-server.
- On-premise dependencies and keeping up-to-date. How exactly do you keep any on-premise components up-to-date and what happens if you don’t? Well, these and other very common questions are addressed in my article too.
- Transporting. I present the mechanisms for transporting content around the landscape and the best practices.
- Monitoring and Usage Tracking. Here I provide a quick overview of the various tools available to help you understand what’s going on inside your SAP Analytics Cloud Service.
- Finally I finish with other System Administration Tasks and Tips.
I’ve really crammed in the content to help answer the vast majority of your initial questions when first adopting SAP Analytics Cloud.
Like most things, when you start to understand something, you’ll then have even more questions! This is expected so please don’t expect every question to be answered, but I’ve done my best to address the most common ones.
You’ll find 7 demos in the article, a PPT download and, if you prefer, you can watch a video of me presenting it all. The video is a whopping 1 hour 34 minutes!
Access the article which is held in the wiki so you can easily follow updates!
Your feedback is most welcome. Before posting a question, please do read the article carefully and take note of any replies I’ve made to others. Please hit the ‘like’ button on this article or comments to indicate its usefulness.
Sadly, for personal reasons, I will not be replying to posts until about September. So I’m looking forward to seeing your comments upon my return.
Matthew Shaw @MattShaw_on_BI
Thanks a lot Matthew for the detailed insights on the SAC components. Appreciate your time and thought. Could you also please share if you have any document focusing on security in SAC?
Matthew has created a wiki page for that:
Good article Matthew on Administration of
Great effort Matthew. Each of your articles helps to ensure complete understanding of the topic. Many thanks for your constant efforts.
Overall what sort of future in SAC security are we looking at, direction wise? More inclined towards how we manage in SAP BI platform? Because I slowly see we are tilting towards that shift in the sense of inheritance, row level security, model level data security etc.
Many thanks for your feedback.
Indeed, the security model, much like most other parts of SAC, will improve and mature over time. There's been a number of incremental security improvements made this year and it will only continue. I need to update my article because of the number of improvements and I'm aware more improvements will come soon.
The roadmap https://roadmaps.sap.com/board?PRODUCT=67838200100800006884 is a good way to see what's committed and what to expect. This new 'Roadmap explorer' is updated on a more regular basis, rather than before it was about once a quarter.
Sorry, my role isn't in Product Management or development so I personally can't set your expectation or provide commitment, but my understanding is very much more enterprise security features are planned.
Very clear explanation, especially on live connection options.
A question though, we have deployed SAC Stories used via browser on-premise using CORS and S/4HANA database endpoint via our web dispatcher, next step is to allow access to iOS devices connecting externally.
From your schema I understand SAP best practice for external iOS devices is to pull data via Cloud Connector. Is this using the same live connection as the browser on-premise? In other words, can Stories using the same live connection be consumed from on-premise or by mobile devices connecting externally?
Thanks in advance for any clarification.
Many thanks for your feedback and a great question that many are asking. Thanks for asking here.
I've very recently added to my Support Wiki page this table https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+Support+Matrix#SAPAnalyticsCloudSupportMatrix-LiveModelConnectionSupport
It shows that a 'Direct' connection, which is what you are using, works for the browser. And there's an 'advanced' option for this 'Direct' connection to enable the SAP Analytics Cloud Mobile App on the iOS platform to connect via the SAP Cloud Connector. In my table I call this 'Direct+CC'. This is the connection you are referring to as it allows iOS SAC Mobile App users (who are not connected directly, or indirectly via a VPN, to your organisation network) to consume data from your S/4HANA on-premise database.
Your question is, can I have users using the browser interface connect in a similar way? (That is, consume data on-premise, without the need to have them connect via a VPN and without the need to expose my S/4HANA on-premise to the internet). The answer is currently no. You cannot.
You CAN create a new connection of type 'Tunnel' AND this WILL work for the browser interface, but then it won't work for the SAC Mobile App! It's a catch 22. You need two connections but the problem is a model can only refer to one connection.
Today the Tunnel WILL work for the browser (outside the organisation network), but NOT the SAC Mobile App.
Today the Direct+CC will NOT work for the browser (outside the organisation network), but WILL work for the SAC Mobile App.
What you need is for the 'Tunnel' to also work for the SAC Mobile App, and today this isn't possible, but it is a planned feature as it's understood this is a much needed requirement. I don't have any dates yet available to share, but when I do I'll post a comment here. You might find it pop up in our roadmap pages soon: https://roadmaps.sap.com/board?PRODUCT=67838200100800006884
I hope this helps answer your question. Feel free to press 'like' to indicate its helpfulness.
Many thanks, Matthew
Thanks Matthew, it does help.
If I understand this right, if we set up Direct+CC we will allow users using the iOS App on devices connecting externally via internet to consume data on-premise, however this requires a different live data connection - and therefore specific Stories for external use in SAC - am I correct?
Could you provide updated links for the full procedure to configure Direct+CC and Tunnel?
Matthew Shaw Thank you for an informative blog post.
We are experiencing challenges connecting our SAC Tenant => Cloud Connector => S/4.
Would you be able to explain what is the role of Cloud Platform connectivity?
System=> Administration=>SAP Cloud Platform (SAP CP) Account.
Hi Maulik Thakkar
simply put - the cloud connector .exe is used to establish trust between our cloud service and your on-premise system. once it's set up, it's like a secure vpn tunnel
the SAC system owner needs to do the administration you describe to make that initial 'handshake' between the two landscapes.
SAC is a hana-based application developed using sap cloud platform, that's why it has this notion of CP account - it's like an internal service account that underpins the software service.
this cloud connector 'bridge' is then used for connectivity workflows, such as "Import from S/4HANA" into SAC Planning models, or alternatively the real-time BI use-case "Live connection to S/4HANA (via Tunnel)"
Hope this helps. What are you getting stuck on exactly?
Thank you Henry Banks for providing guidance. That is my understanding as well. I am assuming we have to do a physical connection setup from CP to CC.
This blog ignores the important role of SAP Cloud Platform and I find it a bit misleading. Since this is an official tech blog from SAP, it should have covered it.
Hi Matthew Shaw
On the topic of 'row' level security, your article and webinar outline the two methods available to us in SAC: read / write properties in the dimensions ("Data Access Control"), and data access filter in roles ("Model Data Privacy").
How do these methods work in combination? Does one supersede the other? For example, if I:
Would USERX end up with read or write access to MEMBER1? And likewise for similar scenarios where Model Data Privacy based 'row' level security might provide more access than the Data Access Control equivalent.
Finally, is there guidance / best practice on when to use each method? Is it generally recommended to use one or the other, or is it acceptable to use both in combination?
Thanks for the question about the two methods of performing 'row' level security.
Much of your question is covered in another wiki article of mine here and also directly below that here
These two links give you an example of performing the 'row' level security controls and what happens when you combine the two methods. Take a few moments to read the details in my comments on that wiki page.
My last sentence in the section of the second link reads:
which I think answers your last question about general recommendation. But you'd need to read the sections I've linked to in order to understand that sentence.
I hope this helps?
Thanks Matthew, that's helpful.
Another advantage of using Data Access Controls rather than Model Data Privacy is that you have the option to "Hide Parents", which seems to hide dimension members that the user does not have at least read access to, even when unbooked data is enabled or input controls are used in stories.
The key disadvantage I see is where many teams require access to the same member, e.g. if you were using Data Access Controls on the version dimension. You could end up with a large maintenance effort on the read / write columns. Though I suppose a workaround would be to set up teams in such a way that this is minimised.
From the workflow you describe in the wiki article, it sounds like the main advantage of using Model Data Privacy is where you want to place stricter controls on who can populate data into new public versions via "Publish As". It won't prevent users from creating new public versions, but would at least stop them from being able to book data to them.
Very interesting article on SAC Administration overview.
Now, can you tell who will be responsible for SAC Administration? I mean, we (SAP Partner) have many customers using BI Platform, but it seems from what I've read, in the future SAP's target is to move customers to SAC for many new and improved Analysis features used on BI and also move it to BusinessObjects PCE for the customers that still need the On-Premise solution/functionality. So, who is intended to have the Administration on SAC and the interaction between other solutions like BusinessObjects PCE?
Is there any space/role considered for SAP partners dealing with current On-Premise solutions that are intended to move to SAP Cloud solutions?