SAP Group Reporting Data Collection is a companion app of SAP S/4HANA for group reporting. It is designed to provide agile and flexible data collection capability and let you collect additional financial or non-financial data required for consolidation.
This article will give you a clear understanding of the overall architecture of SAP Group Reporting Data Collection.
It will then guide you through the required configuration steps to integrate with SAP S/4HANA for group reporting On-Premise edition.
From a tech perspective, SAP Group Reporting Data Collection a set of cloud native apps deployed on SAP Business Technology Platform (SAP BTP), which connects to SAP S/4HANA – the apps aren’t part of SAP S/4HANA. Our native cloud app follows SAP Cloud Application Programming Model, exposing SAP Fiori user interface, and relying on a backend which handles business objects.
SAP Group Reporting Data Collection uses services available on SAP BTP, such as the “SAP HANA services as database” to store all your configured items. Our app can also be integrated with services like “Audit Log” or “Personal Data Manager” to ensure regulatory and GDPR compliance.
Communication with the SAP S/4HANA backend rely on the “Connectivity” and “Destination” services. With these services, you can define the location of the SAP S/4HANA instance linked to your subscription, and establish a tunnel to access it.
The integration with SAP S/4HANA is achieved through Remote Function Call and public APIs, such as Reported Financial Data for Group Reporting – Bulk Import, Master Data for Group Reporting – Read or Transaction Data for Group Reporting – Read. SAP Group Reporting Data Collection is always used in combination with SAP S/4HANA for group reporting is mandatory, as all the master data and financials figures are stored in SAP S/4HANA (in the ACDOCU table).
The following steps will guide through the configuration required for SAP Group Reporting Data Collection.
For more details, you can access all our documentation from the SAP Help Portal: https://help.sap.com/viewer/product/SAP_Group_Reporting_Data_Collection/1.0/en-US
Note: following configuration has been done by using the SAP S/4HANA 2020, Fully Activated Appliance from the Cloud Appliance Library
PuTTy has been used as tool to connect to the Application Server OS and execute command lines.
For more information, see the SAP Business Technology Patform Basic Platform Concepts Regions documentation: https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/350356d1dc314d3199dca15bd2a....
In the case of integration with an On Premise instance of S/4HANA, it will require to use the SAP Cloud Connector which will act as a reverse proxy to access your instance.
Communication with the S/4HANA backend use both HTTPS and RFC SNC protocol. It will require specific configuration for each of them
The configuration will require to:
A big part of the configuration is to allow Principal Propagation. This mean that the identity of the user connected to SAP Group Reporting Data Collection will be sent along while calling SAP S/4HANA backend.
User connected to SAP Group Reporting Data Collection get a JSON Web Token emitted by the User Account and Authentication service from the SAP Business Technology Platform
While calling SAP S/4HANA backend, this token will be sent to the Cloud Connector. It will extract the identity of the user (principal propagation can based on email address or login name according to your configuration) and encapsulate it into a x.509 certificate.
This certificate is then sent to the SAP S/4HANA backend where the user will be authenticated using rules defines in the backend.
This is done through transaction SNCWIZARD
you will have to restart the Application Server after modifying this
We have to configure three certificates in Cloud Connector.
Login to Cloud Connector and go to Tab "On Premise" of the Configuration section
Create System and CA certificates (if required, you can use self-signed certificates at this stage)
in Principal Propagation section, define Subject Pattern as CN=${email}
In order to achieve the Secure Network Communication, the Cloud Connector will have to get access to a cryptographic library (SAP CryptoLib in our example) and its own Personal Security Environment (PSE)
In order to enable the Cloud Connector for that, you can perform the following steps
This is the lazy way : configuration will be lost if you update your Cloud Connector
For a more sustainable way, you can check following note : 2845890
To do the necessary configurations, we need to perform the following steps:
A good reference for this is the following blog entry: https://blogs.sap.com/2020/12/23/principal-propagation-setup-with-sap-s-4hana-on-premise-system-and-...
Certificate Exchange for RFC SNC
Export SNC SAPCryptolib Certificate (as snc_s4h.crt)
Create PSE for Cloud Connector :
Tips : once files SCC.pse and cred_v2 are created : give read access to sccadmin
Add SCC PSE certificate (SCC_SNC2.crt) to SNC SAPCryptolib PSE using STRUST transaction
Maintain Access Control List for SNC connections
The ABAP uses an additional security measure to protect access. To enable the SNC communication for the Cloud Connector you need to maintain the ACL for SNC connections.
These settings are done through transaction SNC0
Once preparation of the landscape is achieved, you can go with configuration of the Cloud Connector.
First, you have to add the Subaccount from which you will subscribed to SAP Group Reporting Data Collection.
From the "Cloud To On-Premise" section, go to Maintain Access Control and add required mappings as detailed in https://help.sap.com/viewer/e29950571a2b4065b1dacaf881c67413/1.0/en-US/b2d3a4028641456cac64c9cc11bf6...
The result should look as follow:
Tips : SNC Partner Name can be found through transaction RZ10 - Parameter snc/identity/as
Enable services of SAP S/4HANA
To enable communication through SOAP web services, you must activate the SAP Application Interface Framework content and create an inbound web service.
OData services need to be configured in SAP S/4HANA.
your first step here, will be (if it is not done yet) to subscribe to SAP Group Reporting Data Collection.
For this step, you need to get the correct Entitlement for GRDC
Entitlements are automatically handled through the CRM when you order our Material Number: 8007701
To connect to SAP S/4HANA, you need to set up destinations using the destination service in SAP Business Technology Platform Cockpit.
They will rely on the mappings created in the Cloud Connector.
Refer to: https://help.sap.com/viewer/e29950571a2b4065b1dacaf881c67413/1.0/en-US/ca59c5b3af2c448296fe1b32bac0c...
The result should be like the following:
Security must be maintained in SAP Business Technology Platform sub account for SAP Group Reporting Data Collection.
Refer to: https://help.sap.com/viewer/e29950571a2b4065b1dacaf881c67413/1.0/en-US/c3401bd8e9354359a777b264d0b16...
Once all the steps has been done, you have to establish trust between your subaccount and the Cloud Connector.
It will allow the Cloud Connector to trust the JSON Web Token emitted by the User Account and Authentication service.
To do so, go back to the "Cloud to On-Premise" section from the Cloud Connector.
Under Principal Propagation tab, click on Synchronize
If you reached this steps, you should have a working instance of SAP Group Reporting Data Collection, fully integrated with your SAP S/4HANA instance.
So have a look to our User Guides and start leveraging all the great capabilities of this product 😉
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
5 | |
5 | |
5 | |
4 | |
4 | |
4 | |
4 | |
4 | |
3 | |
3 |