Skip to Content
Personal Insights
Author's profile photo Piotr Tesny
Piotr Tesny
September 25, 2021 8 minute read

Unboxing SAP Analytics Cloud Embedded Edition.

I started writing this unboxing brief more than a year ago. And that writing process had been very much comparable to shooting scenes in different studio spaces and then going through the post-production assembly process to get the final product.

A movie production starts typically with storyboarding.

A storyboard is a graphic representation of how the video will unfold, shot by shot, scene after scene. A storyboard is like a roadmap when you want to make a video.

Disclaimer:

  • The presented insights and ideas may not reflect the official SAP Product positioning and strategy. Please always refer to the official SAP Product documentation and product roadmaps.

Good to know:

  • This instalment had been hugely inspired by the Ealing Studios Movie Hub facilities at Ealing Green in West London.

SAP Analytics Cloud, embedded edition. Qu’est-ce que c’est ?

SAP Analytics Cloud Embedded edition is an analytical service and business applications oriented story boarding tool available on SAP Business Technology Platform [Cloud Foundry runtime].

eSAC allows you to assemble your data sets into models and eventually tell your story.

Furthermore, thanks to the intrinsic app2app integration capabilities one can subsequently combine eSAC assets with the resources from other service providers (cf example with Google Maps beside) in your business applications.

Feature Scope Description SAP Analytics Cloud, Embedded Edition on SAP BTP

The eSAC [FSD] is the official product functionality description as it is released and supported by SAP at any given point in time.

The SAP Analytics Cloud, embedded edition service documentation is here.

 

Unboxing eSAC. It’s all APIs…

You need to be a kind of a developer persona in order to be able to unbox it.

First you need to create an eSAC service instance in your SAP BTP sub-account. Then you will need to create service key as depicted on the left (cf Appendix for details).

1. Let’s cut the ribbon and get the SAP Analytics Cloud tenant management API access token.

The access to the eSAC BTP configuration service APIs is OAuth-protected.

That means, in order to gain access to the eSAC tenant configuration sac_embedded_edition_service_config  endpoint  first you need to obtain the uaa bearer access token. (And this is no different to many other BTP services.)

First, all we need to do is to issue the token oauth POST request using the uaa (user access authorization) credentials as shown below:

HTTP method: POST
Authentication method: basic authentication
Username: value of credentials attribute uaa.clientid
Password: value of credentials attribute uaa.clientsecret 
curl --user 'uaa.clientid':'uaa.clientsecret' --header "Content-Type: application/json" --request POST <uaa.url>/oauth/token?grant_type=client_credentials

Next, we will need to pass this token in the authorization header in a subsequent curl call to the eSAC tenant config endpoint.

For instance the below curl call would return the current configuration of the eSAC tenant:

curl -H 'Authorization: Bearer <access token>' -H 'Content-Type: application/json' <sac-embedded-edition-service-config.url>/api/v1/tenant/<tenant_uuid>
Good to know:

  • All the eSAC tenant configuration needs to be done with sac_embedded_edition_service_config endpoint.
  • Albeit, pretty much everything can be done with CURL from command line I encourage you to consider leveraging the eSAC Configuration and REST APIs packages that SAP ships on on SAP API Business Hub . Please see appendix for more details on this approach.

 

2. Let’s get access to the eSAC cockpit.

As a reminder, you must have added an OAuth client using sac_embedded_edition_service_config to allow us to get access to the SCIM endpoint to manage users programmatically.

That OAuth client will be required to obtain another bearer access token to get access to SCIM endpoint.

AddOAuthClient.json:
{  
   "AddOAuthClient":[  
      {  
         "name":"<AddOAuthClient_name>",
         "apiAccessEnabled":"true",
         "apiRoles":[  
            "PROFILE:sap.epm:SCIM_Public_API"
         ]
      }
   ]
}

// adding an AOuth client to the eSAC tenant
curl -H 'Authorization: Bearer <access_token>' -H 'Content-Type: application/json' <sac-embedded-edition-service-config.url>/api/v1/tenant/<tenant_uuid>/config -d @AddOAuthClient.json

You will need to rerun the command to get the current configuration of the eSAC tenant as to be able to retrieve the clientid and clientsecret of the SCIM OAuth client

Eventually you will be able to use the eSAC SCIM endpoint to manage users, stories, etc…

Please see appendix for more details…

 

After adding a new user (that must exist on the SAML IDP side) we can start using the sac embedded edition service url to log into the eSAC cockpit.

You may need to use either the email address or the login name of the newly created user.
Let’s create a story…
…and here it comes…on the home page

Conclusion

Personally, I consider eSAC to be one of the crown jewels on SAP BTP.  (And there is so much synergy with the other BTP service like API Management and Destination service.)

The latest version 1.1 of eSAC service offers some additional functionality as compared to version 1.0.

Please refer to help pages for more details.

Despite the fact the supported connectivity is still limited to SAP HANA live connections, the eSAC version 1.1 adds HANA Extended Connectivity aimed at the consumption of business ready content in CDS views in HANA HDI containers [link].

 

__________

Appendix

 

Unboxing notes

The issued token grants access to the SAP Analytics Cloud tenant management API, namely to the sac_embedded_edition_service_config endpoint:

{"access_token":"eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vb3JjYXN0YXJraWxsZXIuYXV0aGVudGljYXRpb24u
.............................(truncated).............................................
vk6Qqir357LDZN3OZKmEYh5n8dwGlNuvgq8V_HBNIZFA7o75BOTbtddVVtyHF8ozSIuaV5W5MNS1iY_L0gBWlKk91LTzYBw","token_type":"bearer","expires_in":43199,"scope":"uaa.resource","jti":"fbdab069f2d54cb5b8e05639060d02f2"}

FYI: here goes its decoded representation (jwt.ms or jwt.io):

 

As aforementioned, you could copy the relevant API packages from API Business Hub to your APIM (API Management – part of SAP Integration Suite) tenant and then implement all the logic without writing a single line of code.

eSAC Configuration and REST APIs

Learn how to configure your SAP Analytics Cloud tenant and how to use SAP Analytics Cloud, embedded edition REST APIs.
SAC tenant APIs for Stories/Users/Groups/Resources/Metadata management

Adding a new user

 

Creating a user…
Let’s double check the user got created.Retrieving a user with the userid
Good to know:

  • x-csrf-token is required for all modify (write) operations with the REST APIs.
  • You may also need to populate the session cookie from set-cookie response header in the POST/PUT/PATCH/DELETE request cookie header. FYI: I talk more broadly about it in the following blog post:403 when trying to create user with the SCIM REST API

 

eSAC service details

Service Availability:

The eSAC service is available to qualifying partners and customers through the cloud credits payment mechanism (CPEA – or Cloud Platform Enterprise Agreement).

More importantly, it is a native Cloud Foundry (CF) service which means it obeys all the rules any other CF service must obey.
Service Provisionning:

From the moment you have allocated the service quota to your CF sub-account you can start creating eSAC service instances.

When you create an eSAC service instance a single SAP Analytics Cloud tenant gets self-provisioned on the spot.
Service Scalability:

An eSAC tenant is locked down to merely officially supporting the SAP HANA live data sources (SAP HANA cubes or CDS views in HDI containers) and has a capacity limit of up to 150 concurrent sessions.
Service Credentials:

The service credentials exposed via service binding or at service key creation give access to all APIs required to manage and monitor the SAP Analytics Cloud tenant, the eSAC users and user groups (teams).
Service Deletion:

On deletion of an eSAC service instance the associated SAP Analytics Cloud tenant will be de-provisioned. In other words all the assets and configuration will be lost.

Thus it is advised to export all the valuable assets either via Content Network or through a package Transport/Deployment.

A few notes on technical capabilities and restrictions of the service

  • The “SAP Analytics Cloud, embedded edition” service is not tenant aware. With one eSAC service instance there is exactly one SAP Analytics Cloud tenant provisioned.
  • Authentication to the client business application is managed by an identity provider that supports SAML 2.0 protocol. By default, SAP Analytics Cloud, embedded edition uses SAP Cloud Platform Identity Authentication. Please note, this default identity provider is different from the default SAP ID of the BTP platform. It is recommended the default eSAC’s IDP be replaced with your own Identity Provider so you can exercise full control of eSAC business users identities.
    • It seems that even if one does not configure a custom SAML IDP with eSAC tenant, the default SAP’s IDP, assigned to this eSAC tenant, will let you add a new user to the eSAC tenant,
    • Furthermore, if the newly added user does not exist in this default SAP eSAC’s IDP, an onboarding email would be send to the email address of the newly added eSAC user.
    • Actually this is neither explicitly documented in the eSAC’s help pages, nor recommended at all. Why not recommended? Primarily because only SAP has control of its own IDPs.  Furthermore, the eSAC tenant business users would end up together with the crowd of many other users that this SAP IDP happens to handle.
    • So please consider refraining from adding your business users to a default SAP IDP your eSAC tenant has been provisioned with.
    • Please always configure your own SAML 2.0 IDP and keep your business users in sync between your eSAC tenant and your SAML 2.0 IDP.
  • Authorization to the client business application is managed by the Authorization and Trust Management (xsuaa) Service.
  • The Application Router on SAP BTP Platform is used as single point-of-entry for the client business application.

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Denys van Kempen
      Denys van Kempen

      For the reader interested, we recently recorded two video tutorial series on the topic