User context for metadata extraction to SAP Datasphere catalog
Since launch of Datasphere catalog back in March 2023, we are continuously making improvements based on your feedback and I am back again to share one such improvement. Customers can now configure a service user for metadata extraction from SAP Analytics Cloud and SAP Datasphere to SAP Datasphere catalog. This will be available with 2023.24 release. Another highlight is the revamped monitoring screens for streamlined user experience; which you can see a glimpse of in the demo video below. I will focus on service user for this blog.
Table of Contents
- Problem statement and use cases
- Scenario and Timelines
- Demo and how-to video
- Tips and Tricks
Today the connection to SAP Analytics Cloud and SAP Datasphere is through a technical user in the backend. In SAP Analytics Cloud case, metadata is only extracted from public folder whereas for SAP Datasphere everything is extracted. We realize that this is not ideal as not all content is useful or desired to be cataloged. For e.g private content that has been created in SAC for self-service BI. The opposite is also true where you might want to extract content from SAP Analytics Cloud workspaces but it currently is not supported
Another case would be where you might have data in particular space in Datasphere whose metadata you don’t want to be available in catalog; like a HR space.
The above scenarios can be achieved by setting up a service user in the tenants and configuring that in catalog while pairing. Datasphere catalog will look at the permissions and application-level privileges of this user and only extract content it has access to – this is applicable to both SAP Analytics Cloud and SAP Datasphere pairing. Customers will have to set -up user once, give them the right permissions be it folders/workspaces in SAP Analytics Cloud or Datasphere spaces and rest will be taken care of by the Datasphere catalog automatically. This will allow customers to have more control on scope of metadata extraction.
This enhanced pairing mechanism will be applicable to any new connections created after 2023.24 wave delivery. During sometime next year, configuring a service user will become mandatory for existing pairings so that we have a consistent scalable way of pairing.
Please refer to the note below for the timelines. Below is a list of scenarios you need to be aware of:
This is a demo video of how to utilize this feature for pairing. It covers setting up the service user, assigning the appropriate role and permissions, pairing the tenant, authenticating service user and synchronizing the tenants.
- First and foremost – Please set-up a user specifically for this use case and don’t use a real user for pairing to avoid disruption in case user leaves the organization.
- Configuring service user – You will need to give a mix of application and object/space level privileges depending on scope of extraction; same ones that come into play in SAP Analytics Cloud and SAP Datasphere today.
- Make sure to not give service user ‘read’ on samples and system folders such as SAC content unless you want them extracted. You can see in video that I overlooked this and this content got extracted. For modifying access to sample folders, please follow this blog.
- Don’t give ‘read’ privilege on application level for private folders. This will avoid getting any private content to end user altogether.
- For SAP Datasphere service user, please follow the new scoped roles guidelines. You can create a role exclusively for service user with viewer privileges in select spaces or add them to an existing scoped role meant for viewers.
- For details on the privileges that come into play, please look at the help documentation below.
- Please watch the video for housekeeping of metadata from existing pairings.
- Help documentation link
- SAP Note for the timelines
- Limitation on pairing across landscapes – Refer SAP Note
Please let me know in comments below in case you have any questions. Looking forward to your feedback as always.