Status

Owner

Stakeholders

LeanIX Link: SAP Analytics Cloud - SyWay

Introduction

SAP Analytics Cloud is a public Software-as-a-Service (SaaS) product that redefines analytics in the cloud by providing all analytics capabilities (BI, Planning, Predictive) for all users in one product. In SAP Analytics Cloud, you can:

  • create models in SAP Analytics Cloud.
  • import models from other data sources into SAP Analytics Cloud.
  • create live data connections to on-premise or cloud systems without any data replication. This allows SAP Analytics Cloud to be used where data cannot be moved into the cloud for security or privacy reasons, or where the data already lives in a different cloud system.

Purpose

The purpose of this document is to describe the architecture required to support the implementation.

The SAP Analytics and Reporting Approach explains what will be implemented and the SAP Analytics and Reporting Standards details how it will be implemented.

This document explains the landscape and integration of the solution.

Scope & Objectives

The existing SAC tenant used by HR and BW will be deprecated.

Certain SaaS applications ship an embedded version of SAC:

  • SuccessFactors (used extensively as a single instance; security is natively controlled by SuccessFactors)
  • Asset Performance Management (not to be used: it runs as three separate instances and offers no benefit over the enterprise tenant discussed here)

Terminology

  • SAP Business Content (BCT): Predefined solution provided by SAP for a functional area.
  • Instance: The entire system including the software and all technical components (DB, application server etc.). E.g., SAC Production.
  • Environment/Tier: Systems used for the different stages of the project lifecycle. Each environment serves a distinct purpose and has a dedicated instance to ensure stability and integrity. E.g., Development, QAS.
  • Landscape: All the environments for an application or an entire project. E.g., S/4HANA landscape, SyWay landscape.
  • CUI: Controlled Unclassified Information. CUI and export-controlled data are both highly sensitive.
  • CMMC 2: Second iteration of the Cybersecurity Maturity Model Certification.
  • SaaS Deployment Model: Subscription, where you pay a fixed fee for the service, versus Consumption, where you pay for actual usage.

Application Architecture

Architectural Decisions and Requirements

The table below lists the architectural decisions made and the rationale for each.

Architectural Decision | Description | Rationale
SSL/TLS and SNC will be configured for SAC to encrypt web and RFC traffic | Based on the SyWay implementation approach, all data in transit must be encrypted. | Security is vital
Configure SSO for SAC | As part of the SyWay project, a common authentication mechanism (e.g., SAML) will be adopted | Ease of access and a unified user experience
Seamless planning | To enable seamless planning, both DSP and SAC must be deployed in the same data centre and hosted by the same hyperscaler | SAP limitation and Syensqo preference
SAP Business Content (BCT) | Start by leveraging the SAP BCT to deliver reports with less effort | Faster implementation
Landscape | 3-tier landscape | SAC is a subscription model, so each tier is a paid instance

Application Architecture Design

Customer Number

3008440

Cloud Provider

MS Azure

Cloud Region

Netherlands

Service model

Software as a Service

Licence

SAP Cloud Platform Enterprise Agreement (CPEA)

Deployment model

Public

Database

HANA Cloud

Application Architecture Components

SAC is the presentation layer for SAP solutions, with the components listed below:

SAC Component | Description
Story | Formatted reporting
Data Analyser | Self-service (slice and dice) reporting tool
Excel | SAP Analytics Cloud, add-in for Microsoft Excel
Planning | Planning functionality with the ability to retract plan data back into S/4
Catalogue | Easy access to published stories

Connections

SAP Analytics Cloud lets you define live data connections to on-premise or cloud systems.

Data is "live": when a user opens a story in SAP Analytics Cloud, changes made to the data in the source system are reflected immediately.

With a live connection, the data volume is processed in your back-end system and the query is executed there, so there is no theoretical size limit. The query should nevertheless limit the volume returned to the web browser by applying adequate input controls or aggregation.

Some benefits of live data connection are:

  • No data replication and prevents transfer of large data sets from source systems
  • Automatically updated with current data – “live” data
  • Create complex models and calculation in source systems and leverage them within SAC
  • Sensitive data can stay in local network, behind your firewall

With a live data connection, only metadata is stored in SAP Analytics Cloud. The browser sends the queries directly to the back-end and renders each chart from the query results.

SAP Datasphere (DSP)

DSP is the cloud data warehouse used to extract, transform and load data from SAP systems.

SAP Analytics Cloud and SAP Datasphere tenants can only be linked in a 1:1 relationship: one SAP Analytics Cloud tenant can be linked with only one Datasphere tenant.

Freeze stable connections, models and stories and whitelist the applications that may use them, to avoid constant change of these crucial parameters.

We are not planning to import any data directly from SAP systems into SAC, but rather via DSP. Represented as 1 in the diagram.

Live Connection

With a live connection, data securely remains in your back-end and queries are performed on your data source server. The query result is sent back to your browser, which renders the dashboard.

The browser interacts, directly or through a proxy, with SAP Analytics Cloud, the identity provider and all connected data sources. It therefore manages three types of communication channel:

    • Get/Post requests from Browser to SAP Analytics Cloud are dedicated to metadata.
    • Get/Post requests from Browser to Identity Provider are dedicated to SAML 2 Assertions.
    • Get/Post/Options requests from Browser to Back-end data sources are dedicated to Data.

 

  • Local (Cloud data sources) - represented as 2 in the diagram

All data stays within the SAP Cloud Platform. The data is not replicated to SAP Analytics Cloud. Modelling and model security is managed on the source system. Data connection between systems is secured within SAP Cloud Platform.

Add the URL of your SAP Analytics Cloud as a trusted origin in your SAP Datasphere system.

When using the SAC – Datasphere live connection, SAC currently has the following product limitations:

Analytics

    • Custom Shapes for Geo Maps are not supported
    • Version based variance features are not supported on SAP Datasphere data.
    • Version Mapping is not supported for SAP Datasphere data.
    • Blending is not supported.
    • Linked Dimension is only supported for SAP Datasphere models from the same Space. It is not supported across Spaces.
    • R-Visualizations are not supported. 
    • Comment Widgets are not supported
    • Copy Widgets between stories is not supported
    • Import Pages from Stories that contain Datasphere models is not supported

Planning

    • SAC Planning data can now be stored in Datasphere with seamless planning. However, seamless planning still requires the import of data into the SAC model and is not based on the SAP Datasphere live connection. 


  • Remote (On-premise data sources like S/4) - represented as 3 in the diagram
    • With CORS, all data stays within the remote (customer) landscape. The data is not replicated to SAP Analytics Cloud. Modelling and model security are managed on the source system.
    • With the tunnel connection, query results pass through SAC transiently while a story is in use; they are not persisted there.

The capability exists, but it is not envisaged that this type of connection will be required, as it connects to a single system only.

We can instead route S/4 data via remote tables in DSP and union the data before it is analysed in SAC.

OData

With seamless planning the data resides in DSP, but retraction only works from SAC to S/4, hence the data needs to be loaded into SAC first.

The OData connection to SAP Datasphere authenticates with the OAuth 2.0 Authorization Code grant, configured with the values of your SAP Datasphere OAuth client ID.

OAuth clients with a Technical User purpose cannot, at this time, consume data from assets that are protected by data access controls.
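The Authorization Code grant named above, shown end to end as an added example (this is illustrative code, not SAP's or the project's own configuration). The authorization and token endpoints, client ID, client secret and redirect URI are placeholders; the real values come from the OAuth client created in the Datasphere tenant. The point worth seeing in code is that the callback is only accepted when its state matches the one issued for this session, and that the redirect_uri is repeated exactly in the back-channel token request.

```python
"""OAuth 2.0 Authorization Code grant as used for an SAC -> Datasphere OData
connection. Illustrative code, not SAP's. All endpoint URLs and client
credentials below are constructed placeholders."""
import base64
import hmac
import json
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: these come from the OAuth client configured in Datasphere.
AUTHORIZE_URL = "https://example-tenant.authentication.eu10.hana.ondemand.com/oauth/authorize"
TOKEN_URL = "https://example-tenant.authentication.eu10.hana.ondemand.com/oauth/token"
CLIENT_ID = "sb-example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://example-sac.eu10.hcs.cloud.sap/oauth/callback"


def new_state() -> str:
    """Unguessable per-login value that binds the callback to this session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scope: str = "openid") -> str:
    """Front-channel request the browser is redirected to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from the authorization server. A callback
    whose state does not match the one issued for this session is rejected
    (login CSRF / code injection); error responses are surfaced, not ignored."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: callback not bound to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Back-channel exchange of the code for tokens. The client authenticates
    with HTTP Basic (client_id:client_secret); redirect_uri must repeat the
    value used in the authorization request exactly."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }
    return TOKEN_URL, headers, form


def parse_token_response(body: str) -> dict:
    """Accept only a bearer access token with a positive remaining lifetime."""
    tok = json.loads(body)
    if tok.get("token_type", "").lower() != "bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    if int(tok.get("expires_in", 0)) <= 0:
        raise ValueError("token already expired")
    return tok


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    # Constructed callback, as the browser would deliver it after login.
    code = extract_code(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    url, headers, form = build_token_request(code)
    print(url, form["grant_type"])
    # Constructed token response in the shape RFC 6749 section 5.1 defines.
    print(parse_token_response('{"access_token":"abc","token_type":"Bearer","expires_in":3600}'))
```

The access token obtained this way is what the OData client presents to Datasphere; as the paragraph above notes, a client created with the Technical User purpose still cannot read assets behind data access controls, so the grant type alone does not decide what data is visible.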

SAML2 flow

SAML 2.0 (Security Assertion Markup Language) is an OASIS standard for exchanging authentication and authorization data between security domains. It is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider and a web service provider (here, SAP Analytics Cloud). SAML 2.0 enables web-based authentication and authorization scenarios including single sign-on (SSO).

When the SAP-provided Identity Provider (IdP) is used, it is recommended to activate the SAML2/SSL provider. To authenticate a user with SAC, the system uses assertion tickets based on Security Assertion Markup Language, version 2.0 (SAML2).

The use of HTTPS with a valid TLS (SSL) certificate is mandatory.

Application Security

Classification

Security configuration or hardening depends on the classification and the associated risks. Security controls are implemented depending on the classification of the data per IT policy and risk management policy.

Authentication

End-to-end SSO is accomplished with SAML 2. For this to work, both SAP Analytics Cloud and the on-premise data source have to be configured to trust the same identity provider, such as SAP Cloud Identity or your Active Directory via ADFS (Active Directory Federation Services). The user is then authenticated to the source system as themselves, so the data security implemented at the source will always be respected for each request.

All communication between the browser and SAP Analytics Cloud is always encrypted. The on-premise communication from your reverse proxy to the back-end data sources should also be encrypted using TLS. All data and metadata persisted in SAP Analytics Cloud are also encrypted at rest.

When a custom Identity Provider is set, you have to map users between your Identity Provider and SAP Analytics Cloud. The login credential depends on the User Attribute you selected when you set up the Identity Provider. If you selected Custom SAML User, the login credential should be the user ID of your account on your SAML Identity Provider.

If Email is selected, the login credential should be the email address of your account on your SAML Identity Provider. If User is selected, the login credential is set to your SAP Analytics Cloud user name by default.

From the outset, it is very important to align the user lists of the Identity Provider and the Service Provider (SAC). Users can be entered manually, but the mapping attribute is case-sensitive, so a value that differs only in case will not match.
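The checks a service provider applies to an incoming assertion before the user mapping described in the three paragraphs above, as an added example (illustrative code, not SAC's implementation). The sample response, issuer, audience and user list are constructed placeholders. XML signature verification, which SAC performs against the IdP metadata, is deliberately outside this snippet because the standard library cannot do it; a real service provider must never skip it. What the example does show is the order of the remaining checks (issuer, validity window, audience) and why the case-sensitive mapping attribute trips up a user whose email is stored with different capitalisation on the two sides.

```python
"""Assertion checks and user mapping for a SAML 2.0 service provider such as
SAC. Illustrative code, not SAC's. Signature verification is NOT shown and
is mandatory in practice. All names, URLs and users are constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Assumption: what this tenant was configured to trust / be addressed as.
IDP_ISSUER = "https://idp.example.com/saml2"
SAC_AUDIENCE = "https://example-sac.eu10.hcs.cloud.sap"
# Constructed SAC user list: login credential -> SAC user.
SAC_USERS = {"JDOE": "JDOE", "John.Doe@example.com": "JDOE"}
VALID_AT = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)
EXPIRED_AT = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)

# Constructed SAML response (unsigned, for illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JDOE</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example-sac.eu10.hcs.cloud.sap</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>John.Doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, issuer: str, audience: str, now: datetime) -> ET.Element:
    """Return the assertion if issuer, validity window and audience match what
    this service provider trusts. (Signature check would precede all of this.)"""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise PermissionError("assertion from an untrusted issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise PermissionError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise PermissionError("assertion not intended for this tenant")
    return assertion


def login_credential(assertion: ET.Element, mapping_attribute: str) -> str:
    """Pick the value compared against the SAC user list, according to the
    User Attribute chosen when the custom IdP was configured."""
    if mapping_attribute == "USER_ID":  # Custom SAML User: the NameID
        return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if mapping_attribute == "EMAIL":
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == "email":
                return attr.findtext("saml:AttributeValue", namespaces=NS)
    raise ValueError(f"no value for mapping attribute {mapping_attribute}")


def map_to_sac_user(credential: str, sac_users: dict) -> str:
    """Exact, case-sensitive match: 'john.doe@example.com' does NOT match an
    entry stored as 'John.Doe@example.com'."""
    if credential not in sac_users:
        raise PermissionError(f"no SAC user mapped for {credential!r}")
    return sac_users[credential]


if __name__ == "__main__":
    a = validate_assertion(SAMPLE_RESPONSE, IDP_ISSUER, SAC_AUDIENCE, VALID_AT)
    print(map_to_sac_user(login_credential(a, "USER_ID"), SAC_USERS))
    print(map_to_sac_user(login_credential(a, "EMAIL"), SAC_USERS))
```

The same exact-match rule applies when the IdP sends the NameID: align the user lists on both sides before go-live rather than discovering mismatches one login at a time.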

Authorisation

Provide the authorization guidelines/principles followed for the application

Communication Security

The same-origin policy is a core concept of the web application security model. Under the policy, a web browser permits scripts contained in a first web page to read data from a second web page only if both pages have the same origin (scheme, host and port). It is a critical security mechanism for isolating potentially malicious documents.

In a live connection, the browser has to access both SAP Analytics Cloud (for metadata) and the back-end data sources (HANA, BW, S/4HANA or Universe). SAP Analytics Cloud therefore provides two ways of letting the same web page reach resources across origins: CORS, described here, and the tunnel connection mentioned under the remote data sources above.

-        Via CORS (recommended): Cross-origin resource sharing is a mechanism by which a server allows resources on its origin to be requested, and read, by a page served from another origin. (Embedding cross-origin images, stylesheets, scripts, iframes and videos was always permitted; CORS governs whether a script may read the response to a cross-origin request.) The back-end data source must therefore list the SAC tenant URL as an allowed origin, and should allow only that exact origin rather than any origin.
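What the back-end data source (or the reverse proxy in front of it) has to answer so that the browser may read live query results, beside the permissive variant that must not be deployed, as an added example (illustrative code, not SAP's). The SAC tenant origin is a placeholder, and the allowed-header list is an assumption modelled on the usual BW/HANA live-connection setup; check it against SAP's current documentation for your source system. The example goes one step beyond the paragraph by also modelling the browser's side of the decision, so the two server behaviours can be compared on the same input.

```python
"""CORS responses for an SAC live connection: allow-listed (recommended)
beside origin-reflecting (anti-pattern). Illustrative code, not SAP's.
The tenant origin and the header list are assumptions."""
from typing import Dict, Optional

# Assumption: exact origin (scheme + host, no path) of the SAC tenant.
SAC_ORIGINS = frozenset({"https://example-sac.eu10.hcs.cloud.sap"})

ALLOWED_METHODS = "GET, POST, HEAD, OPTIONS"
# Assumed list; verify against SAP's documentation for the data source.
ALLOWED_HEADERS = ("x-csrf-token, x-sap-cid, authorization, mysapsso2, "
                   "x-request-with, sap-rewriteurl, sap-url-session-id, "
                   "content-type, accept-language")


def allowlisted_cors_headers(request_headers: Dict[str, str], method: str,
                             allowed_origins=SAC_ORIGINS) -> Optional[Dict[str, str]]:
    """Recommended form. Emit CORS headers only when the Origin is exactly one
    of the allow-listed SAC tenant origins; otherwise return None so the
    caller sends no CORS headers at all and the browser blocks the read.
    Exact comparison also defeats look-alike hosts such as
    'https://example-sac.eu10.hcs.cloud.sap.attacker.example'."""
    origin = request_headers.get("Origin")
    if origin not in allowed_origins:
        return None
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # per-origin answers must not be cached across origins
    }
    if method == "OPTIONS":  # preflight for the POST/OPTIONS data requests
        headers.update({
            "Access-Control-Allow-Methods": ALLOWED_METHODS,
            "Access-Control-Allow-Headers": ALLOWED_HEADERS,
            "Access-Control-Max-Age": "3600",
        })
    return headers


def reflecting_cors_headers(request_headers: Dict[str, str], method: str) -> Dict[str, str]:
    """Anti-pattern: echo whatever Origin arrives and still allow credentials.
    Any site the user visits can then issue authenticated queries to the
    back-end and read the results. (Browsers reject '*' together with
    credentials, which is why this reflection variant is the one found in
    misconfigured proxies.)"""
    headers = {
        "Access-Control-Allow-Origin": request_headers.get("Origin", "*"),
        "Access-Control-Allow-Credentials": "true",
    }
    if method == "OPTIONS":
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
    return headers


def browser_may_read(origin: str, response_headers: Optional[Dict[str, str]]) -> bool:
    """The browser's CORS decision for a credentialed request: the response
    must name this exact origin and explicitly allow credentials."""
    if not response_headers:
        return False
    return (response_headers.get("Access-Control-Allow-Origin") == origin
            and response_headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    sac = "https://example-sac.eu10.hcs.cloud.sap"
    evil = "https://attacker.example.net"
    for name, fn in (("allow-list", allowlisted_cors_headers),
                     ("reflecting", reflecting_cors_headers)):
        for origin in (sac, evil):
            hdrs = fn({"Origin": origin}, "POST")
            print(f"{name:10} {origin:42} readable={browser_may_read(origin, hdrs)}")
```

Running the block shows the allow-list answering only the SAC tenant, while the reflecting variant lets the attacker origin read credentialed query results as well. The same allow-list discipline applies to the trusted-origin setting on the Datasphere side mentioned earlier in this document.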


Data Security

Provide the details of the data security controls implemented based on the classification

Other Controls

Provide the details of any other controls implemented based on the classification


System Landscape

Development Environment

Include the DEV environment details

Project Test Environment

Include the Project Test environment details. Mention Not Applicable, if the environment is not relevant for the application

Quality Environment

Include the Quality environment details. Mention Not Applicable, if the environment is not relevant for the application

Production Environment

Include the PROD environment details


Operation Architecture

Change and Configuration Management

This section will include the details related to change and configuration management of SAP and non-SAP systems.

Transport Management

Provide the details on how transport management will be handled

Release Management

Provide the details on how release management will be handled

Monitoring

This section will include the details related to monitoring enabled for the application

Application Monitoring

Provide the details of application monitoring configuration

System Monitoring

Provide the details of System monitoring configuration

Sizing

Provide the details of sizing approach and the future recommendations

High Availability

Provide the details of High Availability. You may provide a reference to other document or attach a document, if the section contains lot of content

Disaster Recovery

Provide the details of Disaster Recovery. You may provide a reference to other document or attach a document, if the section contains lot of content

Backup/Restore

Provide the details of Backup/Restore. You may provide a reference to other document or attach a document, if the section contains lot of content

Maintenance Plan

Provide the details of system and application maintenance plan. This should follow the upgrade strategy


Service Introduction

Application Category

Provide the details of application category based on application classification. Application category is defined based on RPO, RTO requirements

Support Team

Provide the details of support team that may be required to support the application

Skill required

SAP Analytics Cloud System Owner

SAP Analytics Cloud settings such as data source configuration, SAC SAML 2 settings, Users and roles management, Connection settings

Data source expert

Connectivity layer and security (HANA, BW, Universe, S4/HANA…)

Network expert

Proxy, firewall, DNS server, etc.

Security expert

SAML 2, customer’s Identity Provider, SSL certificate, etc.

Information system architecture expertise

General Architecture topics

Application expert

SAP or non-SAP depending on your data sources: Connectivity, security, modelling


Checklist

Provide the checklist for support organization to support the application


Exceptions

This section covers any exceptions to the reference architecture. Some Applications may have limitations and may not meet the Enterprise Architecture, Reference Architecture and IT Policy guidelines. All exceptions should be included in this section.


Change log

Workflow history