SAP ERP

SAP ERP is an enterprise resource planning software developed by SAP SE. SAP ERP incorporates the key business functions of an organization. The SAP ERP connector for Power Automate and Power Apps allows you to invoke RFC and BAPI functions using on-premises data gateway.

This connector is available in the following products and regions:

Service Class Regions
Power Automate Premium All Power Automate regions
Power Apps Premium All Power Apps regions
Contact
Name Microsoft
URL Microsoft Power Automate Support
Microsoft Power Apps Support
Connector Metadata
Publisher Microsoft
Website https://www.sap.com/products/enterprise-management-erp.html
Privacy policy https://www.sap.com/about/legal/privacy.html

Using the SAP ERP connector

To get started on using this connector, you can read this blog post.

Pre-requisites

The SAP ERP connector have a dependency on the following components, which must be installed on the same machine:

  • On-premise data gateway
    Version required: December 2019 (3000.21.18) or higher

  • SAP .NET Connector 3.0 SDK from SAP.
    NOTE: Access to the download requires a valid S-user. You may need to reach out to your SAP team. The connector comes in 32-bit and 64-bit versions, and you must choose the 64-bit version.When installing, in the Optional setup steps window, make sure you select the Install assemblies to GAC option.

Authentication

The SAP ERP connector supports the following authentication mechanism:

  • SAP Authentication
  • Windows Authentication (using SNC)

Because the connector is designed such that it can be used by multiple users of an app, the connections are not shared. Rather each user will authenticate with the SAP system. The user crendentials are provided in the connection, while additional details required to connect to the SAP system (like the server details, security configuration) are provided as part of the action.

The SAP ERP connector also supports Windows authentication by enabling SAP SNC (Secure Network Communition). This requires additional setup.

Property Description
Use SNC Set to "Yes" if you want to enable SNC
SNC library The SNC library name or path relative to NCo installation location or absolute path. Examples are sapsnc.dll or .\security\sapsnc.dll or c:\security\sapsnc.dll.
SNC SSO Specifies whether the connector will use the identity of the service or the end user credentials
SNC My Name If required, specify the identity to be used
SNC Partner Name The name of the back-end SNC server
SNC Quality of Protection The quality of service to be used for SNC communication of this particular destination or server. The default value is defined by the back-end system. The maximum value is defined by the security product used for SNC.

If Windows Authentication is needed for the SAP ERP Connector you need to:

  • Configure Kerberos-based SSO from Power Platform to on-premises data sources
  • Configure SAP ERP to enable using CommonCryptoLib (sapcrypto.dll)

Configure Kerberos-based SSO from Power Platform to on-premises data sources Pre-requisites

After installation of the Data Gateway the gateway runs as the machine-local service account, NT Service\PBIEgwService. To enable Kerberos constrained delegation, you have two options:

  • The gateway must run as a domain account, see documentation on how to Change Gateway Service Account ; or
  • Have your Azure Active Directory (Azure AD) instance synchronized with your local Active Directory instance (by using Azure AD DirSync/Connect

Configuration Steps:

  • Obtain domain admin rights to configure SPNs (SetSPN) and Kerberos constrained delegation settings
  • Configure Kerberos constrained delegation for the gateway and data source
  • Configure an SPN for the gateway service account
  • Add gateway service account to Windows Authorization and Access Group if required
  • Decide on the type of Kerberos constrained delegation to use:
    • Configure the gateway service account for standard Kerberos constrained delegation
    • Configure the gateway service account for resource-based Kerberos constrained delegation.
  • Grant the gateway service account local policy rights on the gateway machine
  • Set user-mapping configuration parameters on the gateway machine (if necessary)

For more details on how to configure this, refer to Power BI documentation for Configure Kerberos-based SSO from Power BI service to on-premises data sources.

Configure SAP ERP to enable using CommonCryptoLib (sapcrypto.dll)

  1. Ensure that your SAP ERP server is correctly configured for Kerberos SSO using CommonCryptoLib. If it is, you can use SSO to access your SAP ERP server with an SAP tool like SAP GUI that has been configured to use CommonCryptoLib. For more information on setup steps, see SAP Single Sign-On: Authenticate with Kerberos/SPNEGO. Your server should use CommonCryptoLib as its SNC Library and have an SNC name that starts with CN. For more information on SNC name requirements (specifically, the snc/identity/as parameter), see SNC Parameters for Kerberos Configuration.
  2. Ensure that SAP Secure Login Client (SLC) isn't running on the computer the gateway is installed on. SLC caches Kerberos tickets in a way that can interfere with the gateway's ability to use Kerberos for SSO. If SLC is installed, uninstall it or make sure you exit SAP Secure Login Client. Right-click the icon in the system tray and select Log Out and Exit before you attempt an SSO connection by using the gateway. SLC isn't supported for use on Windows Server machines. For more information, see SAP Note 2780475 (s-user required).

SAP Secure Login Client

  1. If you uninstall SLC or select Log Out and Exit, open a cmd window and enter klist purge to clear any cached Kerberos tickets before you attempt an SSO connection through the gateway.
  2. Download 64-bit CommonCryptoLib (sapcrypto.dll) version 8.5.25 or greater from the SAP Launchpad, and copy it to a folder on your gateway machine. In the same directory where you copied sapcrypto.dll, create a file named sapcrypto.ini, with the following content:

ccl/snc/enable_kerberos_in_client_role = 1

The .ini file contains configuration information required by CommonCryptoLib to enable SSO in the gateway scenario.

Note

These files must be stored in the same location; in other words, /path/to/sapcrypto/ should contain both sapcrypto.ini and sapcrypto.dll.

Both the gateway service user and the Active Directory (AD) user that the service user impersonates need read and execute permissions for both files. We recommend granting permissions on both the .ini and .dll files to the Authenticated Users group. For testing purposes, you can also explicitly grant these permissions to both the gateway service user and the Active Directory user you use for testing. In the following screenshot we've granted the Authenticated Users group Read & execute permissions for sapcrypto.dll:

Grant Read & execute permissions for Authenticated Users

  1. If you don't already have an SAP BW data source associated with the gateway you want the SSO connection to flow through, add one on the Manage gateways page in the Power BI service. If you already have such a data source, edit it:
  • Choose SAP Business Warehouse as the Data Source Type if you want to create an SSO connection to a BW Application Server.
  • Select Sap Business Warehouse Message Server if you want to create an SSO connection to a BW Message Server.
  1. Create a CCL_PROFILE system environment variable and set its value to the path to sapcrypto.ini.

CCL_PROFILE system environment variable:

Create and set system environment variables

The sapcrypto.dll and .ini files must exist in the same location. In the above example, sapcrypto.ini and sapcrypto.dll are both located on the desktop.

  1. Restart the gateway service.

Restart the gateway service

Known Issues and Limitations

The following are some of the known issues and limitations of the SAP ERP connector:

  1. The connector supports only RFCs and BAPIs.
  2. The connector does not support receiving messages from SAP Server.
  3. Transactional RFCs (tRFCs) are not supported.

Collecting logs

The followng logs are useful to troubleshoot SapErp connector issues when contacting Microsoft support:

  1. Enable Additional logging in the Diagnostics settings of your on-premises data gateway app to get Informational SAP Adapter's extended logs and SapErp Adapter's traces.
  2. Update the following setting in the configuration file Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config. Typically, this configuration file sits where your on-premised data gateway is installed (e.g. C:\Program Files\On-premises data gateway\Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config).
    <setting name="SapTraceLevel" serializeAs="String">
       <value>Verbose</value>
    </setting>
    
    

General Limits

Name Value
Maximum number of properties supported by dynamic schema. Parse JSON action can be used to generate schema from a sample payload if exceeding maximum number of properties. 1024

Creating a connection

The connector supports the following authentication types:

SAP Authentication Use SAP username and password to access SAP server. All regions Not shareable
Windows Authentication Use windows username and password to access your SAP Server. All regions Not shareable
Default [DEPRECATED] This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility. All regions Not shareable

SAP Authentication

Auth ID: Basic

Applicable: All regions

Use SAP username and password to access SAP server.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Gateway gatewaySetting On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details True
SAP Username securestring SAP Username for sign in into the SAP System. True
SAP Password securestring SAP Password for sign in into the SAP System. True

Windows Authentication

Auth ID: Windows

Applicable: All regions

Use windows username and password to access your SAP Server.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Gateway gatewaySetting On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details True
Windows Domain and Username securestring Windows domain and username used for sign in into the SAP System. Example: DOMAIN\username True
Windows Password securestring Windows password used for sign in into the SAP System. True

Default [DEPRECATED]

Applicable: All regions

This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Gateway gatewaySetting On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details True
Authentication Type string Authentication type to connect to the SAP System. Must be basic (username and password). True
Username securestring Username for sign in into the SAP System. True
Password securestring Password for sign in into the SAP System. True

Throttling Limits

Name Calls Renewal Period
API calls per connection250060 seconds

Actions

Call SAP function

Call SAP function.

Call SAP function (V2) (Preview)

Calls an sRFC, tRFC or qRFC on the SAP system.

Create stateful session (Preview)

Creates a stateful connection session to the SAP system. This action only works with Call SAP function (V2)

Read SAP table with parsing (Preview)

This action requires that the user has access to 'BBP_RFC_READ_TABLE' or 'RFC_READ_TABLE' RFC.

Run Diagnostics

Run Diagnostics.

Call SAP function

Call SAP function.

Parameters

Name Key Required Type Description
AS Host
AppServerHost True string

The hostname of the SAP Application Server.

Client
Client True integer

The SAP client ID to connect to the SAP system.

AS System Number
SystemNumber True integer

The SAP System's System Number. It is a number ranging from 00 to 99.

Use SNC
UseSnc boolean

When selected, the connections will be secured with SNC.

SNC library
SncLibraryPath string

Path of the SNC library to be used.

SNC SSO
SncSso string

The SNC SSO specifies whether to use SNC identity or credentials provided on RFC level.

SNC My Name
SncMyName string

Identity to be used for this particular destination/server (optional).

SNC Partner Name
SncPartnerName string

The backend's SNC name.

SNC Quality of Protection
SncQop string

Quality of Service to be used for SNC communication of this particular destination/server.

SAP function name
function True string

Specify SAP function name (case-sensitive).

Stateful Session
isSessionStateful True string

Create stateful session. Select 'Yes' for write operations, 'No' for read operations.

SAP function input
functionInput dynamic

Please specify SAP function input.

Returns

The outputs of this operation are dynamic.

Call SAP function (V2) (Preview)

Calls an sRFC, tRFC or qRFC on the SAP system.

Parameters

Name Key Required Type Description
SAP system
x-ms-sap-system True byte

JSON string containing system parameters Host, system number, client etc.

RFC name
rfcName True string

The RFC to be called, e.g. 'STFC_CONNECTION'.

SAP function input
rfcInputs True dynamic

The SAP function inputs.

RFC Group filter
rfcGroupFilter string

The optional RFC group filter, such as 'STFC', to filter the RFCs.

Auto commit
autoCommit boolean

Automatically commits the RFC transaction if adding the qRFC/tRFC to the transaction has no error. Auto-commit only takes effect if either {tId} or {queueName} is provided.

Session Id
sessionId string

The optional stateful session Id as a string for stateful RFC. If no session Id is provided, the call is made on a stateless connection.

Returns

The outputs of this operation are dynamic.

Create stateful session (Preview)

Creates a stateful connection session to the SAP system. This action only works with Call SAP function (V2)

Parameters

Name Key Required Type Description
SAP system
x-ms-sap-system True byte

JSON string containing system parameters Host, system number, client etc.

Returns

Result for Create Session operation.

Read SAP table with parsing (Preview)

This action requires that the user has access to 'BBP_RFC_READ_TABLE' or 'RFC_READ_TABLE' RFC.

Parameters

Name Key Required Type Description
SAP system
x-ms-sap-system True byte

JSON string containing system parameters Host, system number, client etc.

Table name
tableName True string

The name of the SAP table to read

Fields to read
Fields to read string
Where filters
Where filters string
Starting row index
StartIndex integer

Starting row index, e.g. 0

Count of rows to read
RowCount integer

The count of rows to read, e.g. 10

Returns

The outputs of this operation are dynamic.

Run Diagnostics

Run Diagnostics.

Parameters

Name Key Required Type Description
AS Host
AppServerHost True string

The hostname of the SAP Application Server.

Client
Client True integer

The SAP client ID to connect to the SAP system.

AS System Number
SystemNumber True integer

The SAP System's System Number. It is a number ranging from 00 to 99.

Use SNC
UseSnc boolean

When selected, the connections will be secured with SNC.

SNC library
SncLibraryPath string

Path of the SNC library to be used.

SNC SSO
SncSso string

The SNC SSO specifies whether to use SNC identity or credentials provided on RFC level.

SNC My Name
SncMyName string

Identity to be used for this particular destination/server (optional).

SNC Partner Name
SncPartnerName string

The backend's SNC name.

SNC Quality of Protection
SncQop string

Quality of Service to be used for SNC communication of this particular destination/server.

Returns

Definitions

DiagnosticsOutput

Name Path Type Description
GatewayRunningStatus
GatewayRunningStatus boolean
GatewayVersionSupportsRunDiagnostics
GatewayVersionSupportsRunDiagnostics boolean
CredentialCheck
CredentialCheck boolean
CanPerformRfcFunctionSearch
CanPerformRfcFunctionSearch boolean
CanInvokeSTFC_CONNECTION
CanInvokeSTFC_CONNECTION boolean
DiagnosticsStatus
DiagnosticsStatus object

CreateSessionResponse

Result for Create Session operation.

Name Path Type Description
Session Id
SessionId string

Id for the stateful session.