In today’s business landscape, accessing on-premise SAP S/4HANA data from cloud-based applications on SAP Business Technology Platform (SAP BTP) is a common requirement. This allows businesses to harness the power of cloud capabilities, such as analytics and integration, while accessing real-time data from their S/4HANA systems. However, securely connecting SAP BTP to on-premise SAP S/4HANA is essential for data integrity and compliance. This guide will walk you through a practical business scenario and the steps required to securely configure SAP BTP to access SAP S/4HANA OData services.
Business Scenario: Real-Time Sales Data for Cloud Analytics
Imagine a retail company that relies on SAP S/4HANA as its ERP system for managing sales, inventory, and financial data. The management team wants to leverage SAP Analytics Cloud on SAP BTP to analyze real-time sales data, helping them make faster decisions about product demand and inventory. To achieve this, they need to configure SAP BTP to securely access S/4HANA’s sales data via OData services.
More Such Questions
- How to Create a Fiori Elements App on SAP BTP Using CDS Views
- How to Configure SAP BTP to Securely Access SAP S/4HANA OData Services
- How to Use OData Filters and Query Parameters in SAP Fiori Applications
- How to Optimize CDS Views for Performance in SAP HANA
- How to Set Up Destinations in SAP BTP for Accessing On-Premise OData Services
- How to Test and Debug OData Services in SAP Gateway
- How to Integrate On-Premise SAP Data with SAP BTP Using SAP Cloud Connector
- How to Consume SAP OData Services in SAP UI5 Applications on SAP BTP
- How to Enable Authorization Checks on CDS Views for Secure Data Access
- How to Create and Expose a CDS View with Multiple Joins as an OData Service
- How to Expose a CDS View as an OData Service for SAP BTP Applications
Solution Overview
To securely connect SAP BTP with the SAP S/4HANA system, we’ll utilize SAP Cloud Connector, Destination configuration in SAP BTP, and SAP S/4HANA OData services. Below are the steps to configure this integration.
Step 1: Set Up SAP Cloud Connector
The SAP Cloud Connector acts as a bridge between SAP BTP and on-premise systems like SAP S/4HANA, ensuring data security and controlled access.
- Download and Install SAP Cloud Connector
- Download the SAP Cloud Connector installer from the SAP website.
- Install SAP Cloud Connector on a server within the same network as your SAP S/4HANA system.
- Log in to SAP Cloud Connector
- Open the SAP Cloud Connector on your server and log in using the administrator credentials.
- Use the default URL:
https://localhost:8443
.
- Add SAP BTP Subaccount in SAP Cloud Connector
- Navigate to Subaccount on the left menu.
- Click Add Subaccount and enter your SAP BTP subaccount details.
- Choose Region, provide the Subaccount ID, and Display Name.
- Set Location ID if you plan to use multiple Cloud Connectors.
- Establish Connection with SAP S/4HANA System
- In the Cloud To On-Premise section, select Add System Mapping.
- Set Backend Type as ABAP System for SAP S/4HANA.
- Enter the internal hostname and instance number of your S/4HANA system.
- Choose Principal Type as None initially, and later configure this based on your security needs.
Step 2: Expose SAP S/4HANA OData Services
Now, we’ll expose the required OData service from SAP S/4HANA, allowing it to be accessible for SAP BTP.
- Identify the Required OData Service
- Use transaction
/IWFND/MAINT_SERVICE
in your SAP S/4HANA system to manage OData services. - Search for the required OData service or add it if not already registered.
- Use transaction
- Register the OData Service
- If the OData service is not yet registered, select Add Service.
- Choose the relevant package and enter your System Alias.
- Activate the OData service, which will enable its use from SAP BTP.
- Define Access Permissions in SAP S/4HANA
- Go to transaction
PFCG
and create a new role if necessary. - Assign the required authorization objects to control data access for the OData service.
- Assign this role to the users who need access to this data through SAP BTP.
- Go to transaction
Step 3: Configure Access Control in SAP Cloud Connector
Now, configure the SAP Cloud Connector to allow access to specific OData services securely.
- Define Resources in SAP Cloud Connector
- Go to your SAP BTP Subaccount in Cloud Connector.
- Under Cloud To On-Premise, select your SAP S/4HANA system and click Add.
- Set the Resource Path as
/sap/opu/odata
, allowing access only to the OData services. - Define the access policy as Path and All Sub-Paths for comprehensive access to all OData services.
- Set Principal Propagation (Optional)
- For secure user authentication, enable Principal Propagation.
- Principal propagation allows SAP BTP to authenticate users via their SAP Identity Provider (IDP) credentials, preserving user information.
- Choose Principal Type as X.509 or SAML Assertion based on your authentication configuration.
Step 4: Create a Destination in SAP BTP
SAP BTP destinations define the connection parameters to SAP S/4HANA for SAP BTP applications.
- Access Destinations in SAP BTP
- Go to your SAP BTP subaccount.
- Navigate to Connectivity > Destinations.
- Create a New Destination
- Click New Destination and enter the following details:
- Name: A unique name for your destination (e.g.,
S4HANA_OData
). - Type: Choose HTTP.
- URL: Use the URL format
https://<hostname>:<port>/sap/opu/odata
. - Proxy Type: Set as OnPremise for connections through SAP Cloud Connector.
- Authentication: Choose PrincipalPropagation if configured in the Cloud Connector.
- Location ID: Match the Location ID set in SAP Cloud Connector.
- Name: A unique name for your destination (e.g.,
- Click New Destination and enter the following details:
- Add Additional Properties
- To allow OData metadata access, add properties like:
sap-client
: S/4HANA client number.WebIDEEnabled
:true
for enabling SAP Web IDE access.HTML5.DynamicDestination
:true
for dynamic destinations in HTML5 apps.
- To allow OData metadata access, add properties like:
- Save and Test the Destination
- Save your destination and click Check Connection to test connectivity.
- Ensure the connection is successful, confirming that SAP BTP can access SAP S/4HANA’s OData service.
Step 5: Consume the OData Service in SAP BTP Applications
With the destination configured, you can now use it in SAP BTP applications to fetch real-time data from SAP S/4HANA.
- Accessing OData Service from SAP Fiori/UI5 Apps
- In SAP Fiori or SAP UI5, bind your models to the destination defined in SAP BTP.
- Use the OData model with the destination name to load data directly into your app.
- Accessing OData from Other SAP BTP Services
- Use the destination in SAP BTP services such as SAP Analytics Cloud, SAP Business Application Studio, or SAP API Management to access the OData service.
- Testing with SAP API Management
- If using SAP API Management, configure an API Proxy to access and control the OData service.
- Set policies for rate limiting, security, and data transformation.
Key Tips for Secure and Effective Configuration
- Restrict Resource Paths: In Cloud Connector, specify only the OData paths needed, ensuring restricted access to sensitive data.
- Use Principal Propagation: To maintain user identity, enable principal propagation and configure X.509 certificates or SAML for secure authentication.
- Limit Access Permissions: Set up roles carefully in SAP S/4HANA to allow only necessary access to the OData service.
- Regularly Monitor Connectivity: Use SAP BTP monitoring tools to track the connection and ensure reliable access to on-premise data.
Configuring SAP BTP to access SAP S/4HANA OData services securely ensures a seamless, compliant data flow between cloud and on-premise environments. This setup empowers your cloud-based applications with the data they need to drive analytics, insights, and operational efficiency while protecting enterprise data assets.