On-Premise SAP Configuration

This guide describes the SAP-side configuration required to enable Power BI Connector for SAP to read OData services from your on-premise SAP system (S/4HANA Private Cloud, S/4 on-prem, ECC, BW/4HANA, and similar).

The connector reads through an SAP BTP destination configured with ProxyType=OnPremise, which routes via Cloud Connector to a dedicated technical user in the backend. Before the destination can return data, the OData services must be activated in the SAP backend, added to a PFCG role, and assigned to the technical user together with the necessary business authorizations.

Where this fits in the install: complete the Multi-Tenant Installation Guide for the BTP-side setup. The steps below are the SAP backend complement.

Prerequisites

  • An SAP system administrator with rights to create users, run PFCG, and register OData services in /IWFND/MAINT_SERVICE.
  • The SAP client / mandant the destination will use (for example, sap-client=200).
  • Cloud Connector already configured to expose the SAP system to your BTP subaccount. For SAP’s procedure, see the Cloud Connector documentation.

Step 1: Create a technical user

Transaction: SU01

  1. Open SU01.
  2. Enter the user name — for example, BI_CONNECTOR_TECH.
  3. Choose Technical User.
  4. Set an initial password.
  5. Save.

[Screenshot: SU01: create the technical user]

Use a dedicated technical user for the integration rather than a personal employee user. Create it in the same SAP client that the BTP destination’s sap-client property points to.

Step 2: Activate OData v2 services

Transaction: /IWFND/MAINT_SERVICE

  1. Open /IWFND/MAINT_SERVICE.
  2. Choose Add Service.
  3. Select the correct System Alias.
  4. Find the OData service you need — for example, API_SALES_CONTRACT_SRV or API_BUSINESS_PARTNER.
  5. Enter the service name and choose Add Selected Services.
  6. Confirm the service registration and the ICF node.

[Screenshot: /IWFND/MAINT_SERVICE: Add Service]

[Screenshot: /IWFND/MAINT_SERVICE: find and select a service]

[Screenshot: /IWFND/MAINT_SERVICE: Add Selected Services confirmation]

Validate by opening the metadata URL in a browser or REST client:

/sap/opu/odata/sap/<SERVICE_NAME>/$metadata
/sap/opu/odata/sap/API_SALES_CONTRACT_SRV/$metadata

Step 3: Create a PFCG role for the technical user

Transaction: PFCG

Create a separate role — for example, Z_ODATA_TECH_READ — with a description such as “Technical role for OData read access”. After creating the role, switch to the Menu tab.

Step 4: Add OData v2 services to the role

  1. On the Menu tab, choose Authorization Default.
  2. In the Service Type field, select SAP Gateway Business Suite Enablement — Service.
  3. Add the OData v2 services you registered in Step 2 — for example, API_SALES_CONTRACT_SRV. Choose Copy and save the role.
  4. In the Service Type field, select SAP Gateway: Service Groups Metadata.
  5. Add the corresponding OData v2 service group — for example, ZAPI_SALES_CONTRACT_SRV_0001.

[Screenshot: PFCG: Authorization Default]

[Screenshot: PFCG: add OData service to role]

[Screenshot: PFCG: add Service Groups Metadata]

For OData v2, the service-start authorization is generated through authorization object S_SERVICE.

Step 5: Generate authorizations

  1. In the role, go to the Authorizations tab.
  2. Choose Change Authorization Data.
  3. Verify that S_SERVICE is present for the added OData v2 services.
  4. Choose Generate and save.

Step 6: Grant business authorizations for data access

Access to the OData service itself is not enough. The technical user also needs permission to read the business data returned by the service.

For example, API_SALES_CONTRACT_SRV requires SD authorizations for displaying sales contracts. If metadata opens but records are not returned, the most likely cause is missing business authorizations.

Organisational-level values must match the data of the specific tenant. Do not use SAP_ALL as a permanent solution for integration access — scope authorizations to what the connector actually needs to read.

Step 7: Assign the role to the technical user

  1. In PFCG, open the role created in Step 3 — for example, Z_ODATA_TECH_READ.
  2. Go to the User tab and add the technical user from Step 1 — for example, BI_CONNECTOR_TECH.
  3. Run User Comparison and save the role.

[Screenshot: PFCG: assign technical user to role]

[Screenshot: PFCG: role assignment confirmation]

Alternatively, assign the role through SU01 on the Roles tab.

Step 8: Verify access in SAP

Test as the same technical user that will be configured on the BTP destination.

First verify metadata access, then verify a small data read with $top=1:

/sap/opu/odata/sap/API_SALES_CONTRACT_SRV/$metadata
/sap/opu/odata/sap/API_SALES_CONTRACT_SRV/A_SalesContract?$top=1

If metadata opens but data is not returned, the problem is almost always business authorizations — not the OData service registration.
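
The two checks in Step 8 can be scripted so that the outcome points at the step of this guide to revisit. This is an added example, not part of the connector or of SAP's tooling; the host name, the SAP_TECH_PASSWORD environment variable and the function names are assumptions, while the user, service and client are the guide's own example values.

```python
import base64, json, os, urllib.error, urllib.parse, urllib.request

def build_urls(base, service, entity_set, client):
    """Return (metadata_url, data_url) for an OData v2 service in one SAP client."""
    root = f"{base.rstrip('/')}/sap/opu/odata/sap/{service}"
    client_qs = urllib.parse.urlencode({"sap-client": client})
    meta = f"{root}/$metadata?{client_qs}"
    data = f"{root}/{entity_set}?$top=1&$format=json&{client_qs}"
    return meta, data

def fetch(url, user, password):
    """GET with HTTP Basic auth; returns (status, body) for 4xx/5xx as well."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def diagnose(meta_status, data_status, data_body):
    """Map the two probe results to the step of this guide to revisit."""
    if 401 in (meta_status, data_status):
        return "credentials: check the technical user and password (Step 1)"
    if meta_status != 200:
        return ("service access: check activation, S_SERVICE and role "
                "assignment (Steps 2, 4, 5, 7) and /IWFND/ERROR_LOG")
    try:
        # OData v2 JSON wraps collections as {"d": {"results": [...]}}
        rows = json.loads(data_body)["d"]["results"] if data_status == 200 else []
    except (ValueError, KeyError, TypeError):
        rows = []
    if not rows:
        # Metadata opens but no records: per the guide, most likely Step 6.
        return "business authorizations: check Step 6, then SU53 / STAUTHTRACE"
    return "ok"

if __name__ == "__main__":
    # Hypothetical host; the password comes from the environment, not the script.
    meta, data = build_urls("https://sap.example.internal:44300",
                            "API_SALES_CONTRACT_SRV", "A_SalesContract", "200")
    user, pw = "BI_CONNECTOR_TECH", os.environ["SAP_TECH_PASSWORD"]
    (ms, _), (ds, body) = fetch(meta, user, pw), fetch(data, user, pw)
    print(diagnose(ms, ds, body))
```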

Step 9: Diagnose authorization issues

Recommended check sequence:

  1. Execute the OData request with the technical user.
  2. Inspect /IWFND/ERROR_LOG.
  3. Inspect SU53 for the most recent failed authorization check.
  4. If SU53 is empty but data is still missing, use STAUTHTRACE or ST01 to capture all authorization checks during a request.

After adding missing authorization objects, regenerate the role (Step 5) and run User Comparison again.

What next

Once the SAP backend is configured:

  1. Return to the BTP destination (created in the Multi-Tenant Installation Guide Step 4).
  2. Verify the destination connects — the cockpit’s Check Connection button should report a successful response for the metadata URL.
  3. Sign in to the connector and create a data source against one of the OData services you activated.

If the connector reports fewer services than you expect, see Why is the SAP catalog showing fewer services than I expect?.