SAP ERP on HANA Setup Guide

Follow these instructions to replicate your SAP ERP on HANA database to your destination using Fivetran.

Prerequisites

To connect your SAP ERP on HANA database to Fivetran, you need:

SAP ABAP version 7.5 or above
SAP ABAP must be Unicode-compliant
SAP HANA version 2.0 SPS3 or above
Fivetran NetWeaver API installed on your SAP system
A SAP Communication or System user with the permissions and authorizations specified in the Configure SAP user section
The hostname or IP address of your SAP Application Server
Sysnr (a two-digit instance number of your SAP system)
Client (a three-digit SAP system client number)
The username of the SAP Communication or System user
The password associated with the SAP user

Setup instructions

Configure SAP user

Configure a SAP Communication or System user with the following permissions/authorizations:

RFC access to standard SAP functions to establish connection:
AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
S_RFC ACTVT 16
RFC_TYPE FUGR
RFC_NAME BTCH
RFC1
SDIFRUNTIME
AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
S_RFC ACTVT 16
RFC_TYPE FUNC
RFC_NAME RFCPING
- RFC access to the Fivetran function groups:
  AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
  S_RFC ACTVT 16
  RFC_TYPE FUGR
  RFC_NAME /FIVETRAN/SAPAPPCONNECT
  /FIVETRAN/TRIGGERS
- Authorization required for batch process administration to schedule background jobs:
  AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
  S_RFC ACTVT 16
  RFC_TYPE FUGR
  RFC_NAME S_BTCH_JOB
  AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
  S_BTCH_ADM BTCADMIN Y
  AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE
  S_BTCH_JOB JOBACTION RELE
  JOBGROUP *

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_RFC	ACTVT	16
	RFC_TYPE	FUGR
	RFC_NAME	BTCH RFC1 SDIFRUNTIME

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_RFC	ACTVT	16
	RFC_TYPE	FUNC
	RFC_NAME	RFCPING

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_RFC	ACTVT	16
	RFC_TYPE	FUGR
	RFC_NAME	/FIVETRAN/SAPAPPCONNECT /FIVETRAN/TRIGGERS

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_RFC	ACTVT	16
	RFC_TYPE	FUGR
	RFC_NAME	S_BTCH_JOB

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_BTCH_ADM	BTCADMIN	Y

AUTHORIZATION OBJECT	AUTHORIZATION FIELD	AUTHORIZATION VALUE
S_BTCH_JOB	JOBACTION	RELE
	JOBGROUP	*

Data access authorizations:

The S_TABU_SQL authorization object can be used to manage access rights for every data table in the SAP database. This authorization object consists of four fields namely - ACTVT (activity), DBSID (database name), TABOWNER (database user), TABLE (name of the database table).

To grant full access, apply the following settings:
Authorization Object Authorization Field Authorization Value
S_TABU_SQL ACTVT 33
DBSID *
TABOWNER *
TABLE *
To restrict access, add separate values for each individual table. As an example, the following configuration grants access to the BSEG table:
Authorization Object Authorization Field Authorization Value
S_TABU_SQL ACTVT 33
DBSID *
TABOWNER *
TABLE BSEG

Fivetran needs access to specific HANA tables. If data access is generally restricted, access rights must be enabled for the following tables:

Authorization Object	Authorization Field	Authorization Value
S_TABU_SQL	ACTVT	33
	DBSID	*
	TABOWNER	SYS
	TABLE	DUMMY HAS_NEEDED_SYSTEM_PRIV* M_CS_TABLES M_DATABASE M_OBJECT_LOCKS M_SERVICES M_TABLES P_GRANTEDPRIVS_ P_OBJTYPES_ P_PRINCIPALS_ P_PROCEDURES_ P_SCHEMAS_ P_TRIGGERS_ TRIGGERS _SYS_GRANTED_OBJECTS _SYS_GRANTEE_OIDS _SYS_SCHEMAS_WITH_PRIVILEGES_O

Fivetran needs additional read access to runtime tables it creates, such as /FIVETRAN/DELTRG and shadow tables like /FIVETRAN/DELETES_*`:
Authorization Object Authorization Field Authorization Value
S_TABU_SQL ACTVT 33
DBSID *
TABOWNER *
TABLE /FIVETRAN/*

NOTE: We provide optional files with examples of default authorization roles in section Install Fivetran NetWeaver API. These roles could be used as an alternative to setting up the permissions described above.

Install Fivetran NetWeaver API

The Fivetran NetWeaver API contains Fivetran’s ABAP functions that enable data transfer between the SAP system and Fivetran. The Fivetran NetWeaver API can be downloaded from the connector setup form as well as from the Account Settings -> Downloads menu of the Fivetran dashboard.

To install the Fivetran NetWeaver API on your SAP system, use your company's default method.

NOTE: While installing, you may need to use the Ignore Invalid Component Version option to suppress import errors.

The Fivetran NetWeaver API also includes optional files containing sample authorization roles that can be uploaded using transaction PFCG:

/FIVETRAN/SYS – system role with RFC access rights and data access rights to technical tables
/FIVETRAN/TRIGGERS – additional access to trigger functions for the “trigger deletes capture” scenario
/FIVETRAN/DATA_FULL – example role with full data access

NOTE: Roles /FIVETRAN/SYS and /FIVETRAN/TRIGGERS could be used as an alternative to setting up permissions for your SAP user described in Step 1: Configure SAP user. Either method allows your Fivetran connector to replicate your data.

Receiver namespace

Fivetran-specific ABAP code is created in the /FIVETRAN/ namespace. The Fivetran NetWeaver API automatically manages this namespace.

NOTE: If your destination is configured for Hybrid Deployment, then you cannot connect using an SSH tunnel.

Enable Secure Network Communication (optional)

We support Secure Network Communication (SNC), which provides an additional security layer over the communication between Fivetran and your SAP system. You can enable SNC during the configuration of your connector in the connector setup form.

Steps needed in your SAP system:

Load the Fivetran certificate in the Trust Manager (transaction STRUST) of your SAP system.
Link your SAP user to Fivetran's SNC name.
Safelist Fivetran's SNC name.

Choose connection method

Decide on your preferred method for connecting Fivetran to your SAP Application Server.

IMPORTANT: You must install the Fivetran NetWeaver API on your SAP Application.

Connect directly

Fivetran connects directly to the desired SAP system's application host (ASHOST). Communication is handled by the RFC protocol.

IMPORTANT: You can only connect directly if you enable the SNC mode due to security concerns. Destinations configured for Hybrid Deployment connect directly by default.

Connect using private networking

Private networking enables communication between private networks and services without exposing traffic to the public internet. Private networking is the most secure connection method.

IMPORTANT: You must have a Business Critical plan to use private networking.

We support the following providers:

AWS PrivateLink – used for VPCs and AWS-hosted or on-premises services. See our AWS PrivateLink setup guide for details.
Azure PrivateLink – used for Virtual Networks (VNets) and Azure-hosted or on-premises services. See our Azure PrivateLink setup guide for details.

Connect via SSH

NOTE: You cannot connect using an SSH tunnel if the destination associated with your connector is configured for Hybrid Deployment.

Fivetran connects to a separate server in your network that provides an SSH connection to your SAP Application Server. You must connect through SSH if your SAP Application Server is in an inaccessible subnet.

This connection method require the basic SSH setup on your source system. Follow our SSH connection instructions.

Reverse SSH or VPN tunnel

If Reverse SSH tunnel or VPN tunnel is required, contact our support team as additional steps are required to set up the connector.

IMPORTANT: The SSH High Port should be computed as 3300 + <SYSNR>. For example, if SYSNR=00, then the SSH High Port is 3300. This connection is currently restricted to using only this port. However, if you enable one of the SNC modes, the port number should be computed as 4800 + <SYSNR>. Using the same example with SYSNR=00, the SSH High Port would then be 4800.

SAP date to LocalDate conversion (optional)

NOTE: This feature is available starting from Fivetran NetWeaver API version 1000202.

By default, we convert SAP DATS data type to STRING.

When you set the Enable SAP date to LocalDate conversion toggle to ON, we do one the following, depending on the column type:

For primary key columns: We keep the original column as a STRING type and create a new column with the original column's name appended with the suffix _DATE, with its values converted from DATS to LocalDate type.
For non-primary key columns: We always convert the original values to LocalDate type.

When we attempt to convert a DATS value but the date is invalid, we do one of the following, depending on the value:

For the SAP default value 00000000 and an empty STRING value, we set the converted value to NULL.
For other invalid dates, such as when the number of months in date value 20241301 is larger than 12, we set the value to the default date 1970-01-01.

This feature follows the general data mapping workflows.

Configure Fivetran in SAP (optional)

Fivetran has a number of configuration parameters that can be optionally used to tune and optimize the data extraction. These parameters can be accessed using the SAP transaction - /N/FIVETRAN/CONFIG.

NOTE: In most cases, the parameters can be left with the default values.

Available parameters are:

Config	Description
Max wait background, microsec	Maximum runtime timeout for a background operation (default=60'000'000)
Max wait foreground, microsec	Maximum runtime timeout for a foreground operation (default=60'000'000)
Allowed source table list	List of tables allowed for data extraction (default=empty, meaning all tables). See our Table list in SAP documentation for more information.
Version	Current Fivetran NetWeaver API version
Max wait active DB read, microsec	Inter-process timeout for active DB communication (default=100'000)
Max wait passive DB read, microsec	Inter-process timeout for passive DB communication (default=1'000'000)
Max wait passive RFC read, microsec	Inter-process timeout for passive RFC communication (default=30'000'000)
Memory tunnel size, byte	Inter-process buffer size for communication (default=1'024)
SAP Archiving job users	If the box is checked, then you can specify a list of SAP users related to the SAP archiving process. See our Handling deleted data during SAP archiving process documentation for more information. IMPORTANT: Once checked, this box cannot be un-checked. This option is applied at the SAP source.
Max size uncompressed, byte	Maximum data package size when retrieving data during import (default=500'000'000)
Filter data on client field	Enable MANDT filtering (default=off). See our MANDT filtering documentation for more information.
DB Connection Name	Used for secondary DB connections. Otherwise, keep default=DEFAULT
Application server	Specify name of a dedicated application server (default=NONE)
Logging - Activate event log	Enable event logs to be stored (default=off)
Logging - Activate RFC trace	Enable RFC tracing logs (default=off)

Finish Fivetran configuration

This section outlines the steps to configure your connector in the connector setup form within your Fivetran dashboard.

Enter a Destination schema prefix of your choice. This prefix applies to each replicated schema and cannot be changed once your connector is created.
Ensure you have installed the Fivetran NetWeaver API on your SAP system.
(Hybrid Deployment only) If your destination is configured for Hybrid Deployment, the Hybrid Deployment Agent associated with your destination is pre-selected in the Select an existing agent drop-down menu. To use a different agent, select the agent of your choice, and then select the same agent for your destination.
(Optional) In the SNC mode field, select your desired SNC mode:
- No SNC
- SNC with certificate
- SNC with certificate and user/password
In the ASHOST field, enter the hostname or IP address of your SAP Application Server.
In the SYSNR field, enter a two-digit instance number of your SAP system.
In the CLIENT field, enter a three-digit SAP system client number.
In the USER field, enter the username of the SAP Communication or System user.
NOTE: The field does not appear when you select SNC with certificate as the SNC mode.
In the PASSWORD field, enter the password associated with the specified SAP user.
NOTE: The field does not appear when you select SNC with certificate as the SNC mode.
In the SNC FIVETRAN NAMEfield, copy the SNC name generated by Fivetran and link your SAP user to Fivetran's SNC name in your SAP system. You must safelist Fivetran's SNC name in the SAP system.
NOTE: The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
In the FIVETRAN CERTIFICATE, download the SNC certificate generated by Fivetran and load it in the Trust Manager (transaction STRUST) of your SAP system.
NOTE: The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
In the SNC SOURCE NAME, specify the SNC name of your SAP system.
NOTE: The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
In the SOURCE CERTIFICATE field, upload the SNC certificate of your SAP system.
NOTE: The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
Select your chosen Connection method.
IMPORTANT: The Direct connection method should only be used when you enable the SNC mode due to security concerns.
If you selected Connect via an SSH tunnel, copy or make a note of the Public Key and add it to the authorized_keys file while configuring the SSH tunnel, and provide the following information:
- SSH Host: Enter the hostname or IP address of your SSH server. Do not use a load balancer's IP address/hostname.
- SSH Port: Enter the port number of your SSH server. The default port number is 22.
- SSH User: Enter the username for SSH access.
Make a note of the Public Key - you will need it to complete your setup.
(Optional) To convert SAP DATS data type fields to LocalDate fields, set the Enable SAP date to LocalDate conversion toggle to ON.
Click Save & Test. Fivetran tests and validates the connection to your SAP system. Upon successful completion of the setup tests, you can sync your data using Fivetran.

Setup tests

Fivetran performs the following tests to ensure that we can connect to your SAP system and that it is properly configured:

The Connecting to SSH Tunnel test validates the SSH tunnel details provided in the setup form. It then checks that we can create an SSH tunnel to your SAP Application Server. If connection method is Direct, then this test is skipped.
The Validating Credentials test checks the SAP Application credentials provided in the setup form.
The Checking SAP SNC setup test checks the SAP SNC setup, if one of the SNC modes is selected in the setup form. In case No SNC mode is selected, then this test is skipped.
The Checking SAP source connection test ensures Fivetran can connect to the SAP system.
The Checking authorizations and retrieval processes test ensures the correct authorization permissions are set and retrieval processes can be created.
The Checking Fivetran NetWeaver API version test ensures that selected options are supported by the installed Fivetran NetWeaver API in the SAP system.

NOTE: The tests may take a few seconds to finish running, up to a minute.