SAP ERP on HANA Setup Guide

Follow these instructions to connect SAP ERP on HANA to Fivetran and replicate your data to your destination.

SAP ERP on HANA supports the following connection modes:

NetWeaver Connection: Connects through the SAP NetWeaver application layer using the RFC protocol. Use this option if you want to connect through the SAP application layer. This connection mode requires the Fivetran NetWeaver API to be installed on your SAP system.
HANA Database Connection: Connects directly to the SAP HANA database without using the SAP NetWeaver application layer. Use this option if you want to connect directly to the HANA database. This connection mode does not require the Fivetran NetWeaver API or an SAP user account.

Prerequisites

Review the requirements for each connection mode before you begin the setup.

Requirement	NetWeaver Connection	HANA Database Connection
System	- Unicode-compliant SAP ABAP 7.4 or later - SAP HANA 2.0 SPS 03 or later	SAP HANA 2.0 SPS 03 or later
Fivetran component	Fivetran NetWeaver API installed on your SAP system	None
User account	Dedicated SAP Communication or System user with the required authorizations	Dedicated HANA database user with the required privileges
Credentials	SAP username and password	HANA database username and password
Connection details	SAP Application Server host or IP address, `SYSNR`, and `CLIENT`	HANA database host or IP address, HANA DB port, and schema name

Setup instructions

Select your connection mode and follow the corresponding setup instructions.

Configure SAP user

Configure a SAP Communication or System user with the following permissions/authorizations:

RFC access to standard SAP functions to establish connection:
AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
S_RFC ACTVT 16
RFC_TYPE FUGR
RFC_NAME BTCH
RFC1
SDIFRUNTIME
AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
S_RFC ACTVT 16
RFC_TYPE FUNC
RFC_NAME RFCPING
- RFC access to the Fivetran function groups:
  AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
  S_RFC ACTVT 16
  RFC_TYPE FUGR
  RFC_NAME /FIVETRAN/SAPAPPCONNECT
  /FIVETRAN/TRIGGERS
  The /FIVETRAN/TRIGGERS function group is required only when using the Default sync mechanism. If you select the No-trigger sync mechanism, this authorization is not needed.
- Authorization required for batch process administration to schedule background jobs:
  AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
  S_RFC ACTVT 16
  RFC_TYPE FUGR
  RFC_NAME S_BTCH_JOB
  AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
  S_BTCH_ADM BTCADMIN Y
  AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
  S_BTCH_JOB JOBACTION RELE
  JOBGROUP *
  AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
  S_PROGNAM P_ACTION BTCSUBMIT
  P_PROGNAM /FIVETRAN/RETRIEVE

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_RFC	ACTVT	16
	RFC_TYPE	FUGR
	RFC_NAME	BTCH RFC1 SDIFRUNTIME

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_RFC	ACTVT	16
	RFC_TYPE	FUNC
	RFC_NAME	RFCPING

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_RFC	ACTVT	16
	RFC_TYPE	FUGR
	RFC_NAME	/FIVETRAN/SAPAPPCONNECT /FIVETRAN/TRIGGERS

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_RFC	ACTVT	16
	RFC_TYPE	FUGR
	RFC_NAME	S_BTCH_JOB

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_BTCH_ADM	BTCADMIN	Y

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_BTCH_JOB	JOBACTION	RELE
	JOBGROUP	*

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_PROGNAM	P_ACTION	BTCSUBMIT
	P_PROGNAM	/FIVETRAN/RETRIEVE

Data access authorizations:

The S_TABU_SQL authorization object can be used to manage access rights for every data table in the SAP database. This authorization object consists of four fields namely - ACTVT (activity), DBSID (database name), TABOWNER (database user), TABLE (name of the database table).

To grant full access, apply the following settings:
Authorization Object Authorization Field Authorization Value
S_TABU_SQL ACTVT 33
DBSID *
TABOWNER *
TABLE *
To restrict access, add separate values for each individual table. As an example, the following configuration grants access to the BSEG table:
Authorization Object Authorization Field Authorization Value
S_TABU_SQL ACTVT 33
DBSID *
TABOWNER *
TABLE BSEG

Fivetran needs access to specific HANA tables. If data access is generally restricted, access rights must be enabled for the following tables:

Authorization Object	Authorization Field	Authorization Value
S_TABU_SQL	ACTVT	33
	DBSID	*
	TABOWNER	SYS
	TABLE	DUMMY HAS_NEEDED_SYSTEM_PRIV* M_CS_TABLES M_DATABASE M_OBJECT_LOCKS M_RECORD_LOCKS M_SERVICES M_TABLES M_TABLE_LOCKS NUMA_NODE_PREFERENCE_ P_GRANTEDPRIVS_ P_OBJTYPES_ P_PRINCIPALS_ P_PROCEDURES_ P_SCHEMAS_ P_TRIGGERS_ TRIGGERS _SYS_GRANTED_OBJECTS _SYS_GRANTEE_OIDS _SYS_SCHEMAS_WITH_PRIVILEGES_O

Access to P_TRIGGERS_ and TRIGGERS tables is needed only when using the Default sync mechanism. If you select the No-trigger sync mechanism, we do not need authorizations for these tables.

Fivetran needs additional read access to runtime tables it creates, such as /FIVETRAN/DELTRG and shadow tables like /FIVETRAN/DELETES_*:
Authorization Object Authorization Field Authorization Value
S_TABU_SQL ACTVT 33
DBSID *
TABOWNER *
TABLE /FIVETRAN/*
The /FIVETRAN/DELTRG and /FIVETRAN/DELETES_* tables are created only when using the Default sync mechanism. If you select the No-trigger sync mechanism, these tables are not created and this authorization is not required.

We provide optional files with examples of default authorization roles in section Install Fivetran NetWeaver API. These roles could be used as an alternative to setting up the permissions described above.

Install Fivetran NetWeaver API

The Fivetran NetWeaver API contains Fivetran’s ABAP functions that enable data transfer between the SAP system and Fivetran. The Fivetran NetWeaver API can be downloaded from the connection setup form as well as from the Account Settings -> Downloads menu of the Fivetran dashboard.

To install the Fivetran NetWeaver API on your SAP system, use your company's default method.

While installing, you may need to use the Ignore Invalid Component Version option to suppress import errors.

The Fivetran NetWeaver API also includes optional files containing sample authorization roles that can be uploaded using transaction PFCG:

/FIVETRAN/SYS – system role with RFC access rights and data access rights to technical tables
/FIVETRAN/TRIGGERS – additional access to trigger functions for the “trigger deletes capture” scenario. This role is only required when using the Default sync mechanism.
/FIVETRAN/DATA_FULL – example role with full data access

Roles /FIVETRAN/SYS and /FIVETRAN/TRIGGERS could be used as an alternative to setting up permissions for your SAP user described in the Configure SAP user step. Either method allows your Fivetran connection to replicate your data. The /FIVETRAN/TRIGGERS role is only needed when using the Default sync mechanism.

Receiver namespace

Fivetran-specific ABAP code is created in the /FIVETRAN/ namespace. The Fivetran NetWeaver API automatically manages this namespace.

If your destination is configured for Hybrid Deployment, then you cannot connect using an SSH tunnel.

Enable Secure Network Communication (optional)

We support Secure Network Communication (SNC), which provides an additional security layer over the communication between Fivetran and your SAP system. You can enable SNC during the configuration of your connection in the connection setup form.

Steps needed in your SAP system:

Load the Fivetran certificate in the Trust Manager (transaction STRUST) of your SAP system.
Link your SAP user to Fivetran's SNC name.
Safelist Fivetran's SNC name.

Choose connection method

Choose your preferred method for connecting Fivetran to your SAP Application Server. The supported connection methods depend on your deployment model.

For SaaS deployment, we support SSH, private networking, and Proxy Agent connection methods. If you enable SNC mode, direct connection is also available.
For Hybrid Deployment, we support only direct and Proxy Agent connection methods.

Connect directly

For SaaS deployment, direct connection is available only when you enable SNC mode. For Hybrid Deployment, this is the default connection method.

Fivetran connects directly to the desired SAP system's application host (ASHOST). Communication is handled by the RFC protocol.

Connect using private networking

Available only for SaaS deployment.

Private networking allows secure communication between private networks and services without exposing traffic to the public internet. It is the most secure connection method available.

You must have a Business Critical plan to use private networking.

We support the following providers:

AWS PrivateLink – used for VPCs and AWS-hosted or on-premises services. See our AWS PrivateLink setup guide for details.
Azure PrivateLink – used for Virtual Networks (VNets) and Azure-hosted or on-premises services. See our Azure PrivateLink setup guide for details.

Troubleshooting connection issues

If you experience a connection error when using private networking (AWS PrivateLink or Azure Private Link), the issue may occur because the SAP Gateway rejects the connection due to an unrecognized hostname, typically the private endpoint URL associated with your cloud provider.

To resolve this issue, configure the SAP Gateway to accept the connection from the new hostname by doing one of the following:

Set the SAP parameter gw/alternative_hostnames to include the new hostname.
Add the new hostname to the hosts file on the SAP application server.

In either case, you must flush the hostname buffer for the changes to take effect. To do this, open transaction SMGW in your SAP system, then navigate to Goto → Expert Function → Host Name Buffer → Invalidate Buffer, and confirm by selecting Yes.

Connect via SSH

Available only for SaaS deployment.

Fivetran connects to a separate server in your network that provides an SSH connection to your SAP Application Server. You must connect through SSH if your SAP Application Server is in an inaccessible subnet.

This connection method require the basic SSH setup on your source system. Follow our SSH connection instructions.

Reverse SSH or VPN tunnel

If Reverse SSH tunnel or VPN tunnel is required, contact our support team as additional steps are required to set up the connection.

The SSH High Port should be computed as 3300 + <SYSNR>. For example, if SYSNR=15, then the SSH High Port is 3315. This connection is currently restricted to using only this port. However, if you enable one of the SNC modes, the port number should be computed as 4800 + <SYSNR>. Using the same example with SYSNR=15, the SSH High Port would then be 4815.

Connect via Proxy Agent

Available for SaaS deployment and Hybrid Deployment.

Fivetran connects to your SAP Application Server through a Proxy Agent. This method is used when your SAP Application Server is behind a firewall or in a private network.

If you selected Connect via Proxy Agent, choose the necessary proxy agent from the Proxy agents drop-down list (if available) or configure a new proxy agent.

Use SAP Message Server (optional)

By default, Fivetran connects to a specific SAP Application Server using its host address and instance number. If your SAP landscape includes multiple application server instances, you can use SAP Message Server instead.

SAP Message Server is a component of your SAP system that manages communication between application servers and handles logon load balancing. When Fivetran connects through Message Server, SAP automatically routes the logon to the least-loaded available application server in the specified logon group, and redirects to a healthy instance if one becomes unavailable.

Consider using SAP Message Server when:

Your SAP landscape has multiple application server instances
You want to use SAP's built-in load balancing across application servers
You need automatic failover if an application server becomes unavailable

To use SAP Message Server, ask your SAP administrator for the following:

Message Server Host: Hostname or IP address of your SAP Message Server
Message Server Port: Service port of the Message Server (for example, 3601 for system number 01)
R3 Name: Three-character SAP System ID (for example PRD)
Group: SAP Logon Group name (for example PUBLIC)

When using SAP Message Server, you must configure the SAP Router connection string, even if the Message Server is directly reachable. This is required to ensure proper routing to the selected application server instance.

Use SAP Router (optional)

SAP Router is an SAP program that acts as a proxy and intermediate station for RFC traffic between external systems and your SAP landscape. It operates at the SAP application layer and is typically deployed in a DMZ to control which systems can establish RFC connections to your SAP Application Server.

Consider using SAP Router when:

Your SAP system is only accessible through an SAP Router node
Your organisation's network security policy requires RFC traffic to pass through SAP Router

To use SAP Router, ask your SAP administrator for the SAP Router connection string. The string uses the following format: /H/hostname/S/port. For connections that route through multiple SAP Router nodes, chain the hops in sequence, for example: /H/router1/S/port1/H/router2/S/port2.

The default SAP Router port is 3299.

SAP date to LOCALDATE conversion (optional)

This feature is available starting from Fivetran NetWeaver API version 1000202.

By default, we convert SAP DATS data type to STRING.

When you set the Enable SAP date to LocalDate conversion toggle to ON, we do one the following, depending on the column type:

For primary key columns: We keep the original column as a STRING type and create a new column with the original column's name appended with the suffix _DATE, with its values converted from DATS to LOCALDATE type.
For non-primary key columns: We always convert the original values to LOCALDATE type.

When we attempt to convert a DATS value but the date is invalid, we do one of the following, depending on the value:

For the SAP default value 00000000 and an empty STRING value, we set the converted value to NULL.
For other invalid dates, such as when the number of months in date value 20241301 is larger than 12, we set the value to the default date 1970-01-01.

This feature follows the general data mapping workflows.

Configure Fivetran in SAP (optional)

We offer several configuration parameters that you can optionally use to tune and optimize data extraction. You can access these parameters using the SAP transaction /N/FIVETRAN/CONFIG. In most cases, the parameters can be left with the default values.

Expand to view all configuration parameters

You must save any changes to the configuration parameters using a variant name. While ACTIVE is the recommended standard for consistency, any variant name will work as long as it's the only existing variant. If the configuration is not saved in a variant, the features will not work correctly, and transactions may appear to complete but will not be stored properly.

Config	Description
Max wait background, microsec	Maximum runtime timeout for a background operation (default=120'000'000)
Max wait foreground, microsec	Maximum runtime timeout for a foreground operation (default=120'000'000)
Source tables	List of tables allowed for data extraction (default=empty, meaning all tables). See our Limiting table availability documentation for more information.
Version	Current Fivetran NetWeaver API version
Max size uncompressed, byte	Maximum data package size when retrieving data during import (default=200'000'000)
SAP Archiving job users	To activate archive detection, access the configuration settings and switch it ON. Note that this setting cannot be switched back to OFF. Next, configure the user name(s) that run your archiving jobs. It is critical to save the settings into a screen variant (for example, with the name `ACTIVE`) by clicking the Save (diskette) icon. This step is required for the configuration to take effect. For more details, see Handling deleted data during SAP archiving process. IMPORTANT: This setting applies at the SAP source level.
Deletes detection using triggers	Users can specify which tables use triggers to capture delete operations. Delete operations in other tables will not be synced. This setting applies only when using the Default sync mechanism. For more details, see Disable delete triggers for specified tables.
MANDT filter	Enables filtering of data on client field (default=off). See our MANDT filtering documentation for more information.
Parallel extraction	Maximum number of parallel background (BTC) processes SAP uses for data extraction or reading (default=4)
DB Connection Name	Used for secondary database connections. Otherwise, keep DEFAULT.
Application server	Name of a dedicated application server (default=NONE).
Max wait active DB read, microsec	Inter-process timeout for active database communication (default=100'000)
Max wait passive DB read, microsec	Inter-process timeout for passive database communication (default=1'000'000)
Max wait passive RFC read, microsec	Inter-process timeout for passive RFC communication (default=30'000'000)
Memory tunnel size, byte	Inter-process buffer size for communication (default=1'024)
Logging - Activate event log	Enable event logs to be stored (default=off).
Logging - Activate RFC trace	Enable RFC tracing logs (default=off).

Disable delete triggers for specific tables

This feature is available for the Fivetran NetWeaver API version 1900280 and higher and only when using Default sync mechanism.

By default, Fivetran creates delete-capture triggers for all supported standard tables. You can limit delete capture to specific tables in SAP. When limited, only the listed tables' deletes are recorded and synced; deletes on other tables are not captured. Inserts and updates continue to sync for all tables.

Use the Deletes detection using triggers setting in /N/FIVETRAN/CONFIG to control where Fivetran creates delete-capture triggers.

Available options:

Use for all (default): Create delete-capture triggers for all supported tables.
Use only for selected tables: Create triggers only for tables you specify. You can enter multiple table names.

To configure:

Run /N/FIVETRAN/CONFIG in your SAP system.
In the Deletes detection using triggers dialog, select either Use for all or Use only for selected tables.
If you selected Use only for selected tables, enter the table names.
Save your changes using a variant name (recommended: ACTIVE).

Finish Fivetran configuration

This section outlines the steps to configure your connection in the connection setup form within your Fivetran dashboard.

Enter a Destination schema prefix of your choice. This prefix applies to each replicated schema and cannot be changed once your connection is created.
In the Destination schema names field, choose the naming convention you want Fivetran to use for the schemas, tables, and columns in your destination:
- Fivetran naming: Standardizes the schema, table, and column names in your destination according to the Fivetran naming conventions.
- Source naming: Preserves the original schema, table, and column names from the source system in your destination.
The Source naming feature is not compatible with Quickstart transformations. To ensure successful syncs, we automatically disable Quickstart transformations for connections configured with Source naming.
If you want to modify your selection, make sure you do it before you start the initial sync.
(Hybrid Deployment only) If your destination is configured for Hybrid Deployment, the Hybrid Deployment Agent associated with your destination is pre-selected for the connection. To assign a different agent, click Replace agent, select the agent you want to use, and click Use Agent.
In the Connection mode field, NetWeaver Connection is selected by default. You cannot modify this setting after you click Save & Test.
Ensure you have installed the Fivetran NetWeaver API on your SAP system.
(Optional) In the SNC mode field, select your desired SNC mode:
- No SNC (default)
- SNC with certificate
- SNC with certificate and user/password
(Optional) Set the Use SAP Message Server toggle to ON to use SAP Message Server for load balancing across multiple application server instances. When enabled, the ASHOST and SYSNR fields are replaced by the following fields:
- Message Server Host: Enter the hostname or IP address of your SAP Message Server.
- Message Server Port: Enter the service port of the SAP Message Server (for example, 3601 for system number 01).
- R3 Name: Enter the three-character SAP System ID (for example, PRD).
- Group: Enter the SAP logon group name (for example, PUBLIC).
In the ASHOST field, enter the hostname or IP address of your SAP Application Server.
- If you select Connect via private networking in the Connection method step below, specify the fully qualified DNS name of the private endpoint. The DNS name must follow the format: <private-link-name>.<region>.<cloud_provider>.privatelink.fivetran.com. For example:
  - Azure: sap-erp-privatelink.eastus.azure.privatelink.fivetran.com
  - AWS: sap-erp-privatelink.us-east-1.aws.privatelink.fivetran.com
Fivetran provides the DNS name during the private endpoint creation process (see our AWS PrivateLink setup guide or Azure PrivateLink setup guide).
This field does not appear when the Use SAP Message Server toggle is ON.
In the SYSNR field, enter a two-digit instance number of your SAP system.
This field does not appear when the Use SAP Message Server toggle is ON.
In the CLIENT field, enter a three-digit SAP system client number.
In the USER field, enter the username of the SAP Communication or System user.
The field does not appear when you select SNC with certificate as the SNC mode.
In the PASSWORD field, enter the password associated with the specified SAP user.
The field does not appear when you select SNC with certificate as the SNC mode.
In the SNC FIVETRAN NAME field, copy the SNC name generated by Fivetran and link your SAP user to Fivetran's SNC name in your SAP system. You must safelist Fivetran's SNC name in the SAP system.
The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
In the FIVETRAN CERTIFICATE, download the SNC certificate generated by Fivetran and load it in the Trust Manager (transaction STRUST) of your SAP system.
The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
In the SNC SOURCE NAME field, enter the SNC name of your SAP system.
The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
In the SOURCE CERTIFICATE field, upload the SNC certificate of your SAP system.
The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
(Optional) Set the Use SAP Router toggle to ON to route the connection through an SAP Router. In the SAP Router field, enter the SAP Router connection string.
The Use SAP Router toggle does not appear when the Use SAP Message Server toggle is ON. In that case, the SAP Router field is displayed directly and is required.
Select your chosen Connection method.
For SaaS deployment, the direct connection method is available only when you enable SNC mode, due to security concerns. For Hybrid Deployment, direct connection is available by default.
- If you selected Connect via an SSH tunnel, copy or make a note of the Public Key and add it to the authorized_keys file while configuring the SSH tunnel, and provide the following information:
  - SSH Host: Enter the hostname or IP address of your SSH server. Do not use a load balancer's IP address/hostname.
  - SSH Port: Enter the port number of your SSH server. The default port number is 22.
  - SSH User: Enter the username for SSH access.
- If you selected Connect via Proxy Agent, choose the necessary proxy agent from the Proxy agents drop-down list (if available) or configure a new proxy agent.
In the Sync mechanism field, select the sync mechanism for your connection. You cannot change this setting after you save the connection.
- Default: Fivetran creates delete triggers and associated shadow tables in your SAP system to capture deletes. Column-store transparent tables retain their original primary keys.
- No-trigger: Fivetran uses queries only to detect changes, including deletes. No triggers or shadow tables are created in your SAP system. Column-store transparent tables replicate in Live mode with a Fivetran-generated _fivetran_id column as the primary key.
For more information, see our Sync mechanism documentation.
(Optional) The Enable SAP date to LocalDate conversion toggle converts SAP DATS data type fields from STRING to LOCALDATE. The toggle is ON by default — turn it OFF to keep DATS fields as STRING. You cannot change this setting after you click Save & Test.
(Not applicable to Hybrid Deployment) Copy the Fivetran IPs /Host names (or CIDR) that you must safelist in your firewall.
Click Save & Test. Fivetran saves your configuration and runs a series of tests to validate your connection.
View all tests
- The Connecting to SSH Tunnel test validates the SSH tunnel details provided in the setup form. It then checks that we can create an SSH tunnel to your SAP Application Server. If connection method is Direct, then this test is skipped.
- The Validating Credentials test checks the credentials provided in the setup form.
- The Checking SAP SNC setup test checks the SAP SNC setup, if one of the SNC modes is selected in the setup form. In case No SNC mode is selected, this test is skipped.
- The Checking SAP source connection test ensures Fivetran can connect to the SAP system.
- The Checking authorizations and retrieval processes test ensures the correct authorization permissions are set and retrieval processes can be created.
The tests may take a few seconds to finish running, up to a minute.
After all tests pass successfully, click Continue to proceed to the next step - selecting data to sync.

Select data to sync

This section outlines the steps to select tables or views to replicate in the Select Data to Sync page before running the initial sync. At this stage, no tables are selected by default.

Each connection supports only one source schema. To replicate tables from multiple schemas, create a separate connection for each schema.

In the search field, enter one or more terms to find the tables or views you want to sync.
Search syntax and guidelines
Search input:
- Enter exact table or view names (for example, T000, T001, T002).
- Use wildcards to broaden your search (for example, T00*, *BAK).
- Combine exact names and wildcards in the same search (for example, VBAK, T00*, DD0*).
Formatting rules:
- Separate multiple search terms with commas. Spaces are optional and ignored.
- Each search term must contain at least three alphanumeric characters.
- Allowed special characters: *, ?, _, -, ., /.
Search results:
- Each search returns matching tables or views, sorted alphabetically.
- An object appears in the results only if it exists in both the SAP HANA database and the SAP application layer.
If your SAP administrator restricted table availability using /N/FIVETRAN/CONFIG → Source tables list, only those tables will appear in the search results. For more information, see our Limiting table availability documentation.
Select the schemas/tables you want to sync and click Save & Continue. Fivetran takes you to the connection’s Status tab.
(Optional) Choose the sync mode per table. On the Schema tab, the Sync mode column defaults to Soft delete mode. Leave it as is or switch individual tables to the History mode.
- Soft delete mode: Fivetran marks records as deleted in the destination when they are deleted in the source. This mode requires less storage in your destination and is suitable for most use cases.
- History mode: Fivetran retains all historical changes, including deletions, by adding metadata columns to track changes over time. This mode is useful for auditing and compliance purposes but requires more storage in your destination.
You can't pick sync mode for views and row-store tables, they are synced in Live mode only.
For more information about the sync modes in the SAP ERP on HANA connector, see our Updating data documentation.
(Optional) Add row filters to replicate only the rows you need. Filters are defined per table. For steps on how to add filters, as well as supported operators and data types, see our Row Filtering documentation.
To begin replication, open the Status tab and click Start initial sync.

You can change your table selection, row filters, and sync mode anytime on your connection’s Schema tab.

Configure HANA database user

Create a dedicated HANA database user and grant it the following privileges.

Access to read source tables

You need to grant the user access to the tables you want to sync. You can grant access at the table level or at the schema level. For example:

GRANT SELECT ON <schema_name>.<table_name> TO <username>; -- access to read table data (table level access)

GRANT SELECT ON SCHEMA <schema_name> TO <username>; -- access to read all tables in the schema (schema level access)

Access to create necessary objects to capture deletes

This connector creates triggers and shadow tables to capture deletes. For HANA database connection mode, shadow tables are created in a separate schema FIVETRAN_DB and triggers are created on source schema tables. Grant the following privileges for delete capture to work:

GRANT CREATE ANY, SELECT, DELETE, DROP ON SCHEMA FIVETRAN_DB TO <username>; -- access to manage shadow tables in FIVETRAN_DB schema

GRANT TRIGGER ON <schema_name>.<table_name> TO <username>; -- access to create triggers on source tables

You can also grant trigger access on the whole schema with the following command:

GRANT TRIGGER ON SCHEMA <schema_name> TO <username>; -- access to create triggers on all tables in the schema.

Access to monitoring objects

Fivetran needs read access to SYS. We use it to read metadata so sync works properly. You can provide access to it by granting either the CATALOG READ or MONITORING role to the user:

GRANT "CATALOG READ" TO <username>;

OR

GRANT "MONITORING" TO <username>;

Choose connection method

Choose your preferred method for connecting Fivetran to your HANA database server. The supported connection methods depend on your deployment model.

For SaaS deployment, we support only SSH, private networking, and Proxy Agent connection methods.
For Hybrid Deployment, we support only direct and Proxy Agent connection methods.

Connect directly

Available only for Hybrid Deployment.

Fivetran connects directly to the desired HANA database server. Destinations configured for Hybrid Deployment connect directly by default.

Connect using private networking

Available only for SaaS Deployment.

Private networking allows secure communication between private networks and services without exposing traffic to the public internet. It is the most secure connection method available.

You must have a Business Critical plan to use private networking.

We support the following providers:

AWS PrivateLink – used for VPCs and AWS-hosted or on-premises services. See our AWS PrivateLink setup guide for details.
Azure PrivateLink – used for Virtual Networks (VNets) and Azure-hosted or on-premises services. See our Azure PrivateLink setup guide for details.

Connect via SSH

Available only for SaaS Deployment.

Fivetran connects to a separate server in your network that provides an SSH connection to your HANA database server. You must connect through SSH if your HANA database server is in an inaccessible subnet.

This connection method requires the basic SSH setup on your source system. Follow our SSH connection instructions.

Reverse SSH or VPN tunnel

If Reverse SSH tunnel or VPN tunnel is required, contact our support team as additional steps are required to set up the connection.

Connect via Proxy Agent

Available for SaaS Deployment and Hybrid Deployment.

Fivetran connects to your HANA database server through a Proxy Agent. This method is used when your HANA database server is behind a firewall or in a private network.

If you selected Connect via Proxy Agent, choose the necessary proxy agent from the Proxy agents drop-down list (if available) or configure a new proxy agent.

Finish Fivetran configuration

This section outlines the steps to configure your connection in the connection setup form within your Fivetran dashboard.

Enter a Destination schema prefix of your choice. This prefix applies to each replicated schema and cannot be changed once your connection is created.
In the Destination schema names field, choose the naming convention you want Fivetran to use for the schemas, tables, and columns in your destination:
- Fivetran naming: Standardizes the schema, table, and column names in your destination according to the Fivetran naming conventions.
- Source naming: Preserves the original schema, table, and column names from the source system in your destination.
The Source naming feature is not compatible with Quickstart transformations. To ensure successful syncs, we automatically disable Quickstart transformations for connections configured with Source naming.
If you want to modify your selection, make sure you do it before you start the initial sync.
(Hybrid Deployment only) If your destination is configured for Hybrid Deployment, the Hybrid Deployment Agent associated with your destination is pre-selected for the connection. To assign a different agent, click Replace agent, select the agent you want to use, and click Use Agent.
In the Connection mode field, select HANA Database Connection. You cannot modify this setting after you click Save & Test.
In the HOST field, enter the hostname or IP address of your HANA database server.
In the USER field, enter the username of your HANA database user.
In the PASSWORD field, enter the password associated with the specified HANA database user.
In the HANA DB Port field, enter the port number of your HANA database.
In the SCHEMA NAME field, enter the name of the HANA database schema to replicate.
Select your chosen Connection method.
For SaaS deployment, the direct connection method is not available due to security concerns. For Hybrid Deployment, direct connection is available by default.
- If you selected Connect via an SSH tunnel, copy or make a note of the Public Key and add it to the authorized_keys file while configuring the SSH tunnel, and provide the following information:
  - SSH Host: Enter the hostname or IP address of your SSH server. Do not use a load balancer's IP address/hostname.
  - SSH Port: Enter the port number of your SSH server. The default port number is 22.
  - SSH User: Enter the username for SSH access.
- If you selected Connect via Proxy Agent, choose the necessary proxy agent from the Proxy agents drop-down list (if available) or configure a new proxy agent.
The Sync mechanism field is set to Default for HANA Database Connection and cannot be changed. For more information, see our Sync mechanism documentation.
(Not applicable to Hybrid Deployment) Copy the Fivetran IPs / Host names (or CIDR) that you must safelist in your firewall.
Click Save & Test. Fivetran saves your configuration and runs a series of tests to validate your connection.
View all tests
- The Connecting to SSH Tunnel test validates the SSH tunnel details and checks that Fivetran can create an SSH tunnel to your HANA database server. This test is skipped if the connection method is not SSH Tunnel.
- The Validating Credentials test checks that the HOST, USER, PASSWORD, HANA DB port, and Schema name values provided in the setup form are valid.
- The Checking database connection test ensures Fivetran can connect to the HANA database server.
- The Checking authorizations and retrieval processes test ensures the correct authorization privileges are set for the HANA database user.
The tests may take a few seconds to finish running, up to a minute.
After all tests pass successfully, click Continue to proceed to the next step - selecting data to sync.

Select data to sync

This section outlines the steps to select tables or views to replicate in the Select Data to Sync page before running the initial sync. At this stage, no tables are selected by default.

In the search field, enter one or more terms to find the tables or views you want to sync.
Search syntax and guidelines
Search input:
- Enter exact table or view names (for example, T000, T001, T002).
- Use wildcards to broaden your search (for example, T00*, *BAK).
- Combine exact names and wildcards in the same search (for example, VBAK, T00*, DD0*).
Formatting rules:
- Separate multiple search terms with commas. Spaces are optional and ignored.
- Each search term must contain at least three alphanumeric characters.
- Allowed special characters: *, ?, _, -, ., /.
Search results:
- Search returns matching tables or views, sorted alphabetically.
Select tables you want to sync and click Save & Continue. Fivetran takes you to the connection's Status tab.
(Optional) Choose the sync mode per table. On the Schema tab, the Sync mode column defaults to Soft delete mode. Leave it as is or switch individual tables to the History mode.
- Soft delete mode: Fivetran marks records as deleted in the destination when they are deleted in the source. This mode requires less storage in your destination and is suitable for most use cases.
- History mode: Fivetran retains all historical changes, including deletions, by adding metadata columns to track changes over time. This mode is useful for auditing and compliance purposes but requires more storage in your destination.
You can't pick sync mode for views and row-store tables, they are synced in Live mode only.
For more information about the sync modes in the SAP ERP on HANA connector, see our Updating data documentation.
(Optional) Add row filters to replicate only the rows you need. Filters are defined per table. For steps on how to add filters, as well as supported operators and data types, see our Row Filtering documentation.
To begin replication, open the Status tab and click Start initial sync.