cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Datasphere error, how to enhance authorization in S4HC Communication User?

Go to solution
MKreitlein
Active Contributor

on ‎09-20-2023 11:33 AM

0 Kudos

Dear Community,

I’ve got a new question regarding SAP Datasphere… especially about the system connection to an S4 HANA Cloud (public) system.

For those who hate long stories, the question in short:

How can I enhance authorization in an S4HC communication user?

For those who want more details:

The goal is to use the Content “Financial Analytics Dashboard” with Remote Tables for which this detailed SAP note exists: https://me.sap.com/notes/3013006 about how you setup the system connections.

My problem occurs with document 52Y_System_and_Connection.pdf

What I did so far in S4HC:

I created a communication user with password

I created a communication system with host name of my Datasphere Web URL

I created a communication scenario SAP_COM_0531 like described here: https://help.sap.com/docs/SAP_S4HANA_CLOUD/0f69f8fb28ac4bf48d2b57b9637e81fa/4a006b43551d4cb5aed6399c...

I used my own Allow-List for all CDS Views (CDS_VIEWS)

In the scenario I can see following URLs:

https://myNUMBER-api.s4hana.cloud.sap/sap/opu/odata4/sap/cdi/default/iwbep/common/0001/?sap-client=1...

https://myNUMBER-api.s4hana.cloud.sap/sap/opu/odata4/sap/cdi/default/sap/cdi/0001/?sap-client=100

plus those of all the enabled CDS Views (I added the $metadata for testing here), e.g.

https://myNUMBER-api.s4hana.cloud.sap/sap/opu/odata4/sap/cdi_cds/cdi_cds/sap/c_billingdocumentitemba...

All of them can be loaded by logging in with my Comm. user & password in the upcoming pop-up window!

See an example of the result:

So, basically I would say my scenario works.

But, when I try to setup the system connection as “Cloud Data Integration” in SAP Datasphere – like described in 52Y_System_and_Connection.pdf - then I see to the following message.

Remote Tables can't be used ... and I don’t know why!

I already found this note: 3202766 - Error getChildrenFailed for remote tables in SAP Datasphere

This exactly matches my error message… but the root cause is not really answered:

How can I enhance authorization for my communication user? How do you do that?

And of course... with which authorization?

Thanks a lot,

Martin

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

MKreitlein
Active Contributor
‎09-22-2023 12:13 PM
0 Kudos

cardoso , nicmar ... success 🙂

The firewall rules allow the access to my S4HC now... and my Remote Tables are enabled.

Have a nice weekend veryone!

Show replies
Show replies
NicolasMartinez
Participant
‎09-22-2023 1:45 PM

Great 🙂

So it was a firewall problem between your DP Agent and the S4HC Tenant, correct?

Have a nice weekend!

MKreitlein
Active Contributor
‎09-22-2023 1:51 PM
0 Kudos

Yes, correct.

Answers (4)

Answers (4)

cardoso
Advisor
Advisor
‎09-21-2023 2:14 PM
0 Kudos

Hi m.kreitlein,

Great job!
Is the error reproducible if you open the URL https://myNUMBER-api.s4hana.cloud.sap/sap/opu/odata4/sap/cdi/default/sap/cdi/0001/$metadata directly in browser using the same user/password entered during connection's setting?

BR.

Show replies
Show replies
MKreitlein
Active Contributor
‎09-21-2023 2:20 PM

Hi Ismael,

no, there is no error when I open it from my local Browser - like written in my initial question.

But trying to access the URL from the DPA Server does not work... so this is the root cause.

Too bad that the error message in Datasphere does not reflect the "Error 110 - Connection timed out" 😞

Will update here, as soon as I've been successful.

(But will be out of office next week)

BR, Martin

cardoso
Advisor
Advisor
‎09-21-2023 12:43 PM
0 Kudos

Hi m.kreitlein, nicmar,

Since it's not available from Datasphere's UI, you should ask the DPAgent's owner for the logs.
Usually this is managed/hosted in your (customer) landscape.
I'll update 3202766.

Show replies
Show replies
MKreitlein
Active Contributor
‎09-21-2023 12:53 PM

Hi Isamel,

right while you were writing... I got the logs available in SAP Datasphere, via:

https://help.sap.com/docs/SAP_DATASPHERE/9f804b8efa8043539289f42f372c4862/9a00dde9a5fa492b914e409b4e...

And right now I could see the issue ... which obviously is related to our Firewall.:

2023-09-21 13:42:00.522000000,"ERROR","[af129954-800f-4d8d-a750-2fd9646832e745693] ODataV4Handler | ODataV4Handler.connectToSource [] - Failed to get odata metadata from https://myNUMBER-api.s4hana.cloud.sap/sap/opu/odata4/sap/cdi/default/sap/cdi/0001/$metadata, remote exception: org.apache.olingo.client.api.http.HttpClientException: org.apache.http.conn.HttpHostConnectException: Connect to myNUMBER-api.s4hana.cloud.sap:443 [myNUMBER-api.s4hana.cloud.sap/IP] failed: error 110 - Connection timed out (Connection timed out) (local port 49654 to address 0.0.0.0, remote port 443 to address IP)","framework_alert.trc"

...

Context: Invalid odata connection! Getting odata metadata failed because of org.apache.http.conn.HttpHostConnectException: Connect to myNUMBER-api.s4hana.cloud.sap:443 [myNUMBER-api.s4hana.cloud.sap/IP] failed: error 110 - Connection timed out (Connection timed out) (local port 49654 to address 0.0.0.0, remote port 443 to address IP)

I will try to get the Firewall settings updated and then try to connect again.

nicmar maybe you have the same issue?

BR, Martin

cardoso
Advisor
Advisor
‎09-20-2023 11:43 PM
0 Kudos

Hi m.kreitlein, nicmar,

Validate the connection in Datasphere or even consume remote table in a Graphical view to reproduce similar error).
Then collect further info from DPAgent's logs (framework.trc in specific).

3202766 should not be relevant since you're using connection type "S/4HANA Cloud".

BR.
Ismael

Show replies
Show replies
MKreitlein
Active Contributor
‎09-21-2023 7:01 AM
0 Kudos

Hello Ismael,

thanks for your feedback! Are you able to trigger an update for note 3202766 so that there is an information that this is not appliable to S/4HANA Cloud? - I'm wondering why there is no different error message 😞

Are the developers not able to produce self-explaining messages? 😞

The error message during remote table creation is a bit longer, but still the same content:

Regarding the log... I guess this can do only an admin? I cannot execute here:

Would the "Restart all connection" help? Currently I have only 1 active connection to an S4H on Prem.

Regards, Martin

MKreitlein
Active Contributor
‎09-21-2023 7:17 AM
0 Kudos

cardoso ... what right now came to my mind: Could it be that there is a scope item missing in S4HC?

I know that, for example, these must be activated separately in S4HC if they are needed, since they are not active by default:

Import Connection setup with SAP Analytics Cloud (‏1YB‏)

Core Data Services-Based Extraction with SAP S/4HANA Cloud (‏35D‏)

ABAP Core Data Services Extraction for SAP Data Warehouse Cloud (‏53L‏)

ABAP Core Data Services Extraction for SAP Data Intelligence (‏53M‏)

NicolasMartinez
Participant
‎09-21-2023 8:39 AM

For me, it looks exactly like it does for Martin.

Unfortunately I also can't access the DPAgent Logs

NicolasMartinez
Participant
‎09-20-2023 11:50 AM
0 Kudos

Hi Martin,

This is very similar to the error I'm describing here:

SAP S/4HANA Cloud Connection Error - internal error: Cannot get remote source objects

Unfortunately I haven't found a solution so far.

Can anybody confirm, that a S/4HANA Cloud connection is currently possible without this error?
We had an old S4HC system connected to our Datasphere tenant, but this was before the authorisation group for SAP_COM_0531 was mandatory.

Kind regards

Nicolas

Show replies
Show replies
MKreitlein
Active Contributor
‎09-20-2023 11:59 AM
0 Kudos

Hello Nicolas,

thanks for your hint... I didn't look for the same issue, before. But you are right, it is the same topic.

What I'm wondering about that the "52Y_System_and_Connection" describes to use the URL (with -api, what I did) without any client information - but this fails for me with more errors:

So I don't know if you can trust the document...Also the Content requests another connection name specified in there... so I think it is not very reliable?!

I really hope some SAP Expert has an answer for us.

BR, Martin

Ask a Question