SAP ERP on HANA Setup Guide
Follow these instructions to replicate your SAP ERP on HANA database to your destination using Fivetran.
Prerequisites
To connect your SAP ERP on HANA database to Fivetran, you need:
- SAP ABAP version 7.5 or above
- SAP ABAP must be Unicode-compliant
- SAP HANA version 2.0 SPS3 or above
- Fivetran NetWeaver API installed on your SAP system
- A SAP Communication or System user with the permissions and authorizations specified in the Configure SAP user section
- The hostname or IP address of your SAP Application Server
- Sysnr (a two-digit instance number of your SAP system)
- Client (a three-digit SAP system client number)
- The username of the SAP Communication or System user
- The password associated with the SAP user
Setup instructions
Configure SAP user
Configure a SAP Communication or System user with the following permissions/authorizations:
RFC access to standard SAP functions to establish connection:
AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE S_RFC ACTVT 16 RFC_TYPE FUGR RFC_NAME BTCH
RFC1
SDIFRUNTIMEAUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE S_RFC ACTVT 16 RFC_TYPE FUNC RFC_NAME RFCPING RFC access to the Fivetran function groups:
AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE S_RFC ACTVT 16 RFC_TYPE FUGR RFC_NAME /FIVETRAN/SAPAPPCONNECT
/FIVETRAN/TRIGGERSAuthorization required for batch process administration to schedule background jobs:
AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE S_RFC ACTVT 16 RFC_TYPE FUGR RFC_NAME S_BTCH_JOB AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE S_BTCH_ADM BTCADMIN Y AUTHORIZATION OBJECT AUTHORIZATION FIELD AUTHORIZATION VALUE S_BTCH_JOB JOBACTION RELE JOBGROUP *
Data access authorizations:
The S_TABU_SQL authorization object can be used to manage access rights for every data table in the SAP database. This authorization object consists of four fields namely -
ACTVT
(activity),DBSID
(database name),TABOWNER
(database user),TABLE
(name of the database table).To grant full access, apply the following settings:
Authorization Object Authorization Field Authorization Value S_TABU_SQL ACTVT 33 DBSID * TABOWNER * TABLE * To restrict access, add separate values for each individual table. As an example, the following configuration grants access to the BSEG table:
Authorization Object Authorization Field Authorization Value S_TABU_SQL ACTVT 33 DBSID * TABOWNER * TABLE BSEG Fivetran needs access to specific HANA tables. If data access is generally restricted, access rights must be enabled for the following tables:
Authorization Object Authorization Field Authorization Value S_TABU_SQL ACTVT 33 DBSID * TABOWNER SYS TABLE DUMMY
HAS_NEEDED_SYSTEM_PRIV*
M_CS_TABLES
M_DATABASE
M_OBJECT_LOCKS
M_SERVICES
M_TABLES
P_GRANTEDPRIVS_
P_OBJTYPES_
P_PRINCIPALS_
P_PROCEDURES_
P_SCHEMAS_
P_TRIGGERS_
TRIGGERS
_SYS_GRANTED_OBJECTS
_SYS_GRANTEE_OIDS
_SYS_SCHEMAS_WITH_PRIVILEGES_OFivetran needs additional read access to runtime tables it creates, such as
/FIVETRAN/DELTRG and shadow tables like
/FIVETRAN/DELETES_*`:Authorization Object Authorization Field Authorization Value S_TABU_SQL ACTVT 33 DBSID * TABOWNER * TABLE /FIVETRAN/*
NOTE: We provide optional files with examples of default authorization roles in section Install Fivetran NetWeaver API. These roles could be used as an alternative to setting up the permissions described above.
Install Fivetran NetWeaver API
The Fivetran NetWeaver API contains Fivetran’s ABAP functions that enable data transfer between the SAP system and Fivetran. The Fivetran NetWeaver API can be downloaded from the connector setup form as well as from the Account Settings -> Downloads menu of the Fivetran dashboard.
To install the Fivetran NetWeaver API on your SAP system, use your company's default method.
NOTE: While installing, you may need to use the Ignore Invalid Component Version option to suppress import errors.
The Fivetran NetWeaver API also includes optional files containing sample authorization roles that can be uploaded using transaction PFCG
:
/FIVETRAN/SYS
– system role with RFC access rights and data access rights to technical tables/FIVETRAN/TRIGGERS
– additional access to trigger functions for the “trigger deletes capture” scenario/FIVETRAN/DATA_FULL
– example role with full data access
NOTE: Roles
/FIVETRAN/SYS
and/FIVETRAN/TRIGGERS
could be used as an alternative to setting up permissions for your SAP user described in Step 1: Configure SAP user. Either method allows your Fivetran connector to replicate your data.
Receiver namespace
Fivetran-specific ABAP code is created in the /FIVETRAN/
namespace. The Fivetran NetWeaver API automatically manages this namespace.
NOTE: If your destination is configured for Hybrid Deployment, then you cannot connect using an SSH tunnel.
Enable Secure Network Communication (optional)
We support Secure Network Communication (SNC), which provides an additional security layer over the communication between Fivetran and your SAP system. You can enable SNC during the configuration of your connector in the connector setup form.
Steps needed in your SAP system:
- Load the Fivetran certificate in the Trust Manager (transaction
STRUST
) of your SAP system. - Link your SAP user to Fivetran's SNC name.
- Safelist Fivetran's SNC name.
Choose connection method
Decide on your preferred method for connecting Fivetran to your SAP Application Server.
IMPORTANT: You must install the Fivetran NetWeaver API on your SAP Application.
Connect directly
Fivetran connects directly to the desired SAP system's application host (ASHOST). Communication is handled by the RFC protocol.
IMPORTANT: You can only connect directly if you enable the SNC mode due to security concerns. Destinations configured for Hybrid Deployment connect directly by default.
Connect using private networking
Private networking enables communication between private networks and services without exposing traffic to the public internet. Private networking is the most secure connection method.
IMPORTANT: You must have a Business Critical plan to use private networking.
We support the following providers:
AWS PrivateLink – used for VPCs and AWS-hosted or on-premises services. See our AWS PrivateLink setup guide for details.
Azure PrivateLink – used for Virtual Networks (VNets) and Azure-hosted or on-premises services. See our Azure PrivateLink setup guide for details.
Connect via SSH
NOTE: You cannot connect using an SSH tunnel if the destination associated with your connector is configured for Hybrid Deployment.
Fivetran connects to a separate server in your network that provides an SSH connection to your SAP Application Server. You must connect through SSH if your SAP Application Server is in an inaccessible subnet.
This connection method require the basic SSH setup on your source system. Follow our SSH connection instructions.
Reverse SSH or VPN tunnel
If Reverse SSH tunnel or VPN tunnel is required, contact our support team as additional steps are required to set up the connector.
IMPORTANT: The SSH High Port should be computed as
3300 + <SYSNR>
. For example, ifSYSNR=00
, then the SSH High Port is3300
. This connection is currently restricted to using only this port. However, if you enable one of the SNC modes, the port number should be computed as4800 + <SYSNR>
. Using the same example withSYSNR=00
, the SSH High Port would then be4800
.
SAP date to LocalDate conversion (optional)
NOTE: This feature is available starting from Fivetran NetWeaver API version 1000202.
By default, we convert SAP DATS data type to STRING.
When you set the Enable SAP date to LocalDate conversion toggle to ON, we do one the following, depending on the column type:
For primary key columns: We keep the original column as a STRING type and create a new column with the original column's name appended with the suffix
_DATE
, with its values converted from DATS to LocalDate type.For non-primary key columns: We always convert the original values to LocalDate type.
When we attempt to convert a DATS value but the date is invalid, we do one of the following, depending on the value:
- For the SAP default value
00000000
and an empty STRING value, we set the converted value toNULL
. - For other invalid dates, such as when the number of months in date value
20241301
is larger than 12, we set the value to the default date1970-01-01
.
This feature follows the general data mapping workflows.
Configure Fivetran in SAP (optional)
Fivetran has a number of configuration parameters that can be optionally used to tune and optimize the data extraction. These parameters can be accessed using the SAP transaction - /N/FIVETRAN/CONFIG
.
NOTE: In most cases, the parameters can be left with the default values.
Available parameters are:
Config | Description |
---|---|
Max wait background, microsec | Maximum runtime timeout for a background operation (default=60'000'000) |
Max wait foreground, microsec | Maximum runtime timeout for a foreground operation (default=60'000'000) |
Allowed source table list | List of tables allowed for data extraction (default=empty, meaning all tables). See our Table list in SAP documentation for more information. |
Version | Current Fivetran NetWeaver API version |
Max wait active DB read, microsec | Inter-process timeout for active DB communication (default=100'000) |
Max wait passive DB read, microsec | Inter-process timeout for passive DB communication (default=1'000'000) |
Max wait passive RFC read, microsec | Inter-process timeout for passive RFC communication (default=30'000'000) |
Memory tunnel size, byte | Inter-process buffer size for communication (default=1'024) |
SAP Archiving job users | If the box is checked, then you can specify a list of SAP users related to the SAP archiving process. See our Handling deleted data during SAP archiving process documentation for more information. IMPORTANT: Once checked, this box cannot be un-checked. This option is applied at the SAP source. |
Max size uncompressed, byte | Maximum data package size when retrieving data during import (default=500'000'000) |
Filter data on client field | Enable MANDT filtering (default=off). See our MANDT filtering documentation for more information. |
DB Connection Name | Used for secondary DB connections. Otherwise, keep default=DEFAULT |
Application server | Specify name of a dedicated application server (default=NONE) |
Logging - Activate event log | Enable event logs to be stored (default=off) |
Logging - Activate RFC trace | Enable RFC tracing logs (default=off) |
Finish Fivetran configuration
This section outlines the steps to configure your connector in the connector setup form within your Fivetran dashboard.
Enter a Destination schema prefix of your choice. This prefix applies to each replicated schema and cannot be changed once your connector is created.
Ensure you have installed the Fivetran NetWeaver API on your SAP system.
(Hybrid Deployment only) If your destination is configured for Hybrid Deployment, the Hybrid Deployment Agent associated with your destination is pre-selected in the Select an existing agent drop-down menu. To use a different agent, select the agent of your choice, and then select the same agent for your destination.
(Optional) In the SNC mode field, select your desired SNC mode:
- No SNC
- SNC with certificate
- SNC with certificate and user/password
In the ASHOST field, enter the hostname or IP address of your SAP Application Server.
- If you select Connect via PrivateLink as the Connection method (Step 14 below), specify the fully qualified DNS name of the private endpoint. The DNS name must follow the format:
<private-link-name>.<region>.<cloud_provider>.privatelink.fivetran.com
. For example:- Azure:
sap-erp-privatelink.eastus.azure.privatelink.fivetran.com
- AWS:
sap-erp-privatelink.us-east-1.aws.privatelink.fivetran.com
- Azure:
NOTE: Fivetran provides the DNS name during the private endpoint creation process (see our AWS PrivateLink setup guide or Azure PrivateLink setup guide).
- If you select Connect via PrivateLink as the Connection method (Step 14 below), specify the fully qualified DNS name of the private endpoint. The DNS name must follow the format:
In the SYSNR field, enter a two-digit instance number of your SAP system.
In the CLIENT field, enter a three-digit SAP system client number.
In the USER field, enter the username of the SAP Communication or System user.
NOTE: The field does not appear when you select SNC with certificate as the SNC mode.
In the PASSWORD field, enter the password associated with the specified SAP user.
NOTE: The field does not appear when you select SNC with certificate as the SNC mode.
In the SNC FIVETRAN NAMEfield, copy the SNC name generated by Fivetran and link your SAP user to Fivetran's SNC name in your SAP system. You must safelist Fivetran's SNC name in the SAP system.
NOTE: The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
In the FIVETRAN CERTIFICATE, download the SNC certificate generated by Fivetran and load it in the Trust Manager (transaction
STRUST
) of your SAP system.NOTE: The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
In the SNC SOURCE NAME, specify the SNC name of your SAP system.
NOTE: The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
In the SOURCE CERTIFICATE field, upload the SNC certificate of your SAP system.
NOTE: The field appears only when you select SNC with certificate or SNC with certificate and user/password as the SNC mode.
Select your chosen Connection method.
IMPORTANT: The Direct connection method should only be used when you enable the SNC mode due to security concerns.
If you selected Connect via an SSH tunnel, copy or make a note of the Public Key and add it to the
authorized_keys
file while configuring the SSH tunnel, and provide the following information:- SSH Host: Enter the hostname or IP address of your SSH server. Do not use a load balancer's IP address/hostname.
- SSH Port: Enter the port number of your SSH server. The default port number is
22
. - SSH User: Enter the username for SSH access.
Make a note of the Public Key - you will need it to complete your setup.
(Optional) To convert SAP DATS data type fields to LocalDate fields, set the Enable SAP date to LocalDate conversion toggle to ON.
Click Save & Test. Fivetran tests and validates the connection to your SAP system. Upon successful completion of the setup tests, you can sync your data using Fivetran.
Setup tests
Fivetran performs the following tests to ensure that we can connect to your SAP system and that it is properly configured:
- The
Connecting to SSH Tunnel
test validates the SSH tunnel details provided in the setup form. It then checks that we can create an SSH tunnel to your SAP Application Server. If connection method is Direct, then this test is skipped. - The
Validating Credentials
test checks the SAP Application credentials provided in the setup form. - The
Checking SAP SNC setup
test checks the SAP SNC setup, if one of the SNC modes is selected in the setup form. In case No SNC mode is selected, then this test is skipped. - The
Checking SAP source connection
test ensures Fivetran can connect to the SAP system. - The
Checking authorizations and retrieval processes
test ensures the correct authorization permissions are set and retrieval processes can be created. - The
Checking Fivetran NetWeaver API version
test ensures that selected options are supported by the installed Fivetran NetWeaver API in the SAP system.
NOTE: The tests may take a few seconds to finish running, up to a minute.
Related articles
description Connector Overview
account_tree Schema Information