SAP Analytics Cloud

What is SAP Analytics Cloud Tunnel Connection? Configure SAC & HANA to use Tunnel Connection with Password Authentication


We know SAP Analytics Cloud can connect to various data sources both cloud and on-premise. Two most common methods are Live and Import data connection. The solution works when users are on vpn. In case, users are outside corporate firewall they could connect through a SAP Web Dispatcher. Web Dispatcher has its own advantages like load balancing or act as a reverse proxy. While web dispatcher has advantages it does come with some overhead, like cost and maintenance.

In recent past we introduced SAP Analytics cloud Tunnel Connection option, which allows users to make a live connection. This connection type is great new feature and allows user to consume on-primise data through SAC, live. Please note this does not replace SAP Web Dispatcher in any way and it is not a good idea to compare the two. They both serve separate purpose.

When a client issues the HTTP request to a HTTP proxy server. This proxy server makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Based on Tunnel Connection principle, SAP Analytics Cloud Tunnel connection works in the same way.

When should to use SAP Analytics Cloud ‘Tunnel Connection’?

Consider SAP Analytics Cloud Tunnel Connection if there is a need to share business findings and insights with external stakeholders, without giving VPN rights.

For example: if your organization wants to expose some of your data to users outside of your corporate network, without giving them VPN rights.

What is the difference between SAP Analytics Cloud Tunnel Connection, Direct Connection and Import Connection?

Tunnel Connection Import Connection   Direct Connection 

This is a live data connection.

DATA: No data replication happens in this connection type.

Requirements: SAP Cloud Connector

Not Live.

DATA: In import connection, the data is imported to SAP Analytics Cloud.

Requirements: SAP Cloud Connector and/or cloud agent

Direct connection a.k.a. CORS – Cross-Origin Resource Sharing is a live data connection.

DATA: No data replication happens in this connection type.

Requirements: CORS Configuration

Please Note

  • Systems on SAP data centers support only SAML connections, while systems on non-SAP data centers support Basic and SAML connections. A two-digit number in your SAP Analytics Cloud URL, for example eu10 or us30, indicates a non-SAP data center.
  • Tunnel connection types are not supported on mobile devices today, in roadmap for 2021.
  • Data Sources currently supported under tunnel connection are listed below:
    • HANA
    • BW
    • S4HANA

How to setup an SAP Analytics Cloud Tunnel Connection?

We will now setup a tunnel connection to backend data source, in this example we will work on SAP HANA using user name and password.


Ensure that the SAP Information Access (InA) service (/sap/bc/ina/service/v2) on your SAP HANA server is exposed to browser users directly.
Ensure the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection.  
Ensure that your SAP HANA XS server is configured for HTTPS (SSL) with a signed certificate, and that you know which port it is using for HTTPS requests.   
For SAP HANA version and above, users require both the INA_USER role, and additional object rights. The SAP HANA administrator must grant users SELECT privileges on all view items in the _SYS_BIC schema that users should have access to.  


Step 1: Configure Your On-Premise Systems to Use the SAP Cloud Connector

Log in to the Cloud Connector Administration

In the left-side menu, select Cloud to On-Premise

In the Subaccount field, choose your SAP Analytics Cloud subaccount.

On the Access Control tab, in the Mapping Virtual To Internal System section, click (Add) to add a new mapping to your live data system.

In the Add System Mapping dialog, use the following values:

Back-end Type SAP HANA 
Protocol  HTTPS

Internal Host

Internal Port 

<system host>

<system port> 

Virtual Host

Virtual Port 

<can use the same host as the internal host>

<can use the same port as the internal port>

Principal Type   None 

Allow access to your system paths:

1. In the Resources Of section, click (Add).
2. Enter the URL Path:“/”.
For SAP HANA, if you don’t want to allow access to all paths under “/”, set the path to /sap/bc/ina/service/v2/.
3. Choose Path and all sub-paths.
4. Select Save.

Step 2. Increase the session timeout configuration parameters in SAP HANA XS server.

To do this, you will need to increase the sessiontimeout parameter in the httpserver section of the xsengine.ini file. For example, if you change the parameter to 43200, the session will be active for 12 hours.

Step 3 Add the remote HANA system to SAP Analytics Cloud:

Before you add the system, make sure under System–> Administration–>Datasource Configuration

  1. Click ‘Allow live data to securely leave my network’
  2. Add ‘Default Location’

Go to (Main Menu) Connection Connections (Add Connection)

The Select a datasource dialog will appear.

Expand Connect to Live Data and select SAP HANA.

1. In the dialog, enter a name and description for your connection. The connection name cannot be changed later.
2. Set the connection type to Tunnel.
3. Add your SAP HANA host name, and HTTPS port.
Use the virtual host name and virtual port that were configured in the cloud connector
4. (Optional) Choose a Default Language from the list.
This language will always be used for this connection and cannot be changed by users without administrator privileges.

5. Under Authentication Method select User Name and Password.

6. Enter an SAP HANA user name and password.


The user must be assigned to the sap.bc.ina.service.v2.userrole::INA_USER role in SAP HANA.

Select OK

Common Errors and Solution

Error 1.

Solution 1

  • Ensure that the SAP Information Access (ina) service (/sap/bc/ina/service/v2) on your SAP HANAserver is exposed to browser users directly.
  • Ensure the bc.ina.service.v2.userrole::INA_USERrole is assigned to all users who will use the live connection.

Error 2

Solution 2

My firewall was blocking, once I disabled it worked

Leave a Reply

Your email address will not be published. Required fields are marked *