SAP ERP

Reference

SAP ERP is an enterprise resource planning software developed by SAP SE. SAP ERP incorporates the key business functions of an organization. The SAP ERP connector for Power Automate and Power Apps allows you to invoke RFC and BAPI functions using on-premises data gateway.

This connector is available in the following products and regions:

Service	Class	Regions
Power Automate	Premium	All Power Automate regions
Power Apps	Premium	All Power Apps regions

Contact
Name	Microsoft
URL	Microsoft Power Automate Support Microsoft Power Apps Support

Connector Metadata
Publisher	Microsoft
Website	https://www.sap.com/products/enterprise-management-erp.html
Privacy policy	https://www.sap.com/about/legal/privacy.html

Using the SAP ERP connector

To get started on using this connector, you can read this blog post.

Pre-requisites

The SAP ERP connector have a dependency on the following components, which must be installed on the same machine:

On-premise data gateway
Version required: December 2019 (3000.21.18) or higher
SAP .NET Connector 3.0 SDK from SAP.
NOTE: Access to the download requires a valid S-user. You may need to reach out to your SAP team. The connector comes in 32-bit and 64-bit versions, and you must choose the 64-bit version.When installing, in the Optional setup steps window, make sure you select the Install assemblies to GAC option.

Authentication

The SAP ERP connector supports the following authentication mechanism:

SAP Authentication
Windows Authentication (using SNC)

Because the connector is designed such that it can be used by multiple users of an app, the connections are not shared. Rather each user will authenticate with the SAP system. The user crendentials are provided in the connection, while additional details required to connect to the SAP system (like the server details, security configuration) are provided as part of the action.

The SAP ERP connector also supports Windows authentication by enabling SAP SNC (Secure Network Communition). This requires additional setup.

Property	Description
Use SNC	Set to "Yes" if you want to enable SNC
SNC library	The SNC library name or path relative to NCo installation location or absolute path. Examples are `sapsnc.dll` or `.\security\sapsnc.dll` or `c:\security\sapsnc.dll`.
SNC SSO	Specifies whether the connector will use the identity of the service or the end user credentials
SNC My Name	If required, specify the identity to be used
SNC Partner Name	The name of the back-end SNC server
SNC Quality of Protection	The quality of service to be used for SNC communication of this particular destination or server. The default value is defined by the back-end system. The maximum value is defined by the security product used for SNC.

If Windows Authentication is needed for the SAP ERP Connector you need to:

Configure Kerberos-based SSO from Power Platform to on-premises data sources
Configure SAP ERP to enable using CommonCryptoLib (sapcrypto.dll)

Configure Kerberos-based SSO from Power Platform to on-premises data sources Pre-requisites

After installation of the Data Gateway the gateway runs as the machine-local service account, NT Service\PBIEgwService. To enable Kerberos constrained delegation, you have two options:

The gateway must run as a domain account, see documentation on how to Change Gateway Service Account ; or
Have your Azure Active Directory (Azure AD) instance synchronized with your local Active Directory instance (by using Azure AD DirSync/Connect

Configuration Steps:

Obtain domain admin rights to configure SPNs (SetSPN) and Kerberos constrained delegation settings
Configure Kerberos constrained delegation for the gateway and data source
Configure an SPN for the gateway service account
Add gateway service account to Windows Authorization and Access Group if required
Decide on the type of Kerberos constrained delegation to use:
- Configure the gateway service account for standard Kerberos constrained delegation
- Configure the gateway service account for resource-based Kerberos constrained delegation.
Grant the gateway service account local policy rights on the gateway machine
Set user-mapping configuration parameters on the gateway machine (if necessary)

For more details on how to configure this, refer to Power BI documentation for Configure Kerberos-based SSO from Power BI service to on-premises data sources.

Configure SAP ERP to enable using CommonCryptoLib (sapcrypto.dll)

Ensure that your SAP ERP server is correctly configured for Kerberos SSO using CommonCryptoLib. If it is, you can use SSO to access your SAP ERP server with an SAP tool like SAP GUI that has been configured to use CommonCryptoLib. For more information on setup steps, see SAP Single Sign-On: Authenticate with Kerberos/SPNEGO. Your server should use CommonCryptoLib as its SNC Library and have an SNC name that starts with CN. For more information on SNC name requirements (specifically, the snc/identity/as parameter), see SNC Parameters for Kerberos Configuration.
Ensure that SAP Secure Login Client (SLC) isn't running on the computer the gateway is installed on. SLC caches Kerberos tickets in a way that can interfere with the gateway's ability to use Kerberos for SSO. If SLC is installed, uninstall it or make sure you exit SAP Secure Login Client. Right-click the icon in the system tray and select Log Out and Exit before you attempt an SSO connection by using the gateway. SLC isn't supported for use on Windows Server machines. For more information, see SAP Note 2780475 (s-user required).

SAP Secure Login Client

If you uninstall SLC or select Log Out and Exit, open a cmd window and enter klist purge to clear any cached Kerberos tickets before you attempt an SSO connection through the gateway.
Download 64-bit CommonCryptoLib (sapcrypto.dll) version 8.5.25 or greater from the SAP Launchpad, and copy it to a folder on your gateway machine. In the same directory where you copied sapcrypto.dll, create a file named sapcrypto.ini, with the following content:

ccl/snc/enable_kerberos_in_client_role = 1

The .ini file contains configuration information required by CommonCryptoLib to enable SSO in the gateway scenario.

Note

These files must be stored in the same location; in other words, /path/to/sapcrypto/ should contain both sapcrypto.ini and sapcrypto.dll.

Both the gateway service user and the Active Directory (AD) user that the service user impersonates need read and execute permissions for both files. We recommend granting permissions on both the .ini and .dll files to the Authenticated Users group. For testing purposes, you can also explicitly grant these permissions to both the gateway service user and the Active Directory user you use for testing. In the following screenshot we've granted the Authenticated Users group Read & execute permissions for sapcrypto.dll:

Grant Read & execute permissions for Authenticated Users

If you don't already have an SAP BW data source associated with the gateway you want the SSO connection to flow through, add one on the Manage gateways page in the Power BI service. If you already have such a data source, edit it:

Choose SAP Business Warehouse as the Data Source Type if you want to create an SSO connection to a BW Application Server.
Select Sap Business Warehouse Message Server if you want to create an SSO connection to a BW Message Server.

Create a CCL_PROFILE system environment variable and set its value to the path to sapcrypto.ini.

CCL_PROFILE system environment variable:

Create and set system environment variables

The sapcrypto.dll and .ini files must exist in the same location. In the above example, sapcrypto.ini and sapcrypto.dll are both located on the desktop.

Restart the gateway service.

Restart the gateway service

Known Issues and Limitations

The following are some of the known issues and limitations of the SAP ERP connector:

The connector supports only RFCs and BAPIs.
The connector does not support receiving messages from SAP Server.
Transactional RFCs (tRFCs) are not supported.

Collecting logs

The followng logs are useful to troubleshoot SapErp connector issues when contacting Microsoft support:

Enable Additional logging in the Diagnostics settings of your on-premises data gateway app to get Informational SAP Adapter's extended logs and SapErp Adapter's traces.
Update the following setting in the configuration file Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config. Typically, this configuration file sits where your on-premised data gateway is installed (e.g. C:\Program Files\On-premises data gateway\Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config).
```
<setting name="SapTraceLevel" serializeAs="String">
   <value>Verbose</value>
</setting>
```

General Limits

Name	Value
Maximum number of properties supported by dynamic schema. Parse JSON action can be used to generate schema from a sample payload if exceeding maximum number of properties.	1024

Creating a connection

The connector supports the following authentication types:


SAP Authentication	Use SAP username and password to access SAP server.	All regions	Not shareable
Windows Authentication	Use windows username and password to access your SAP Server.	All regions	Not shareable
Default [DEPRECATED]	This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility.	All regions	Not shareable

SAP Authentication

Auth ID: Basic

Applicable: All regions

Use SAP username and password to access SAP server.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name	Type	Description	Required
Gateway	gatewaySetting	On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details	True
SAP Username	securestring	SAP Username for sign in into the SAP System.	True
SAP Password	securestring	SAP Password for sign in into the SAP System.	True

Windows Authentication

Auth ID: Windows

Applicable: All regions

Use windows username and password to access your SAP Server.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name	Type	Description	Required
Gateway	gatewaySetting	On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details	True
Windows Domain and Username	securestring	Windows domain and username used for sign in into the SAP System. Example: DOMAIN\username	True
Windows Password	securestring	Windows password used for sign in into the SAP System.	True

Default [DEPRECATED]

Applicable: All regions

This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name	Type	Description	Required
Gateway	gatewaySetting	On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details	True
Authentication Type	string	Authentication type to connect to the SAP System. Must be basic (username and password).	True
Username	securestring	Username for sign in into the SAP System.	True
Password	securestring	Password for sign in into the SAP System.	True

Throttling Limits

Name	Calls	Renewal Period
API calls per connection	2500	60 seconds

Actions

Call SAP function	Call SAP function.
Run Diagnostics	Run Diagnostics.

Call SAP function

Operation ID:: Invoke

Call SAP function.

Parameters

Name	Key	Required	Type	Description
AS Host	AppServerHost	True	string	The hostname of the SAP Application Server.
Client	Client	True	integer	The SAP client ID to connect to the SAP system.
AS System Number	SystemNumber	True	integer	The SAP System's System Number. It is a number ranging from 00 to 99.
Use SNC	UseSnc		boolean	When selected, the connections will be secured with SNC.
SNC library	SncLibraryPath		string	Path of the SNC library to be used.
SNC SSO	SncSso		string	The SNC SSO specifies whether to use SNC identity or credentials provided on RFC level.
SNC My Name	SncMyName		string	Identity to be used for this particular destination/server (optional).
SNC Partner Name	SncPartnerName		string	The backend's SNC name.
SNC Quality of Protection	SncQop		string	Quality of Service to be used for SNC communication of this particular destination/server.
SAP function name	function	True	string	Specify SAP function name (case-sensitive).
Stateful Session	isSessionStateful	True	string	Create stateful session. Select 'Yes' for write operations, 'No' for read operations.
SAP function input	functionInput		dynamic	Please specify SAP function input.

Returns

The outputs of this operation are dynamic.

Run Diagnostics

Operation ID:: RunDiagnostics

Run Diagnostics.

Parameters

Name	Key	Required	Type	Description
AS Host	AppServerHost	True	string	The hostname of the SAP Application Server.
Client	Client	True	integer	The SAP client ID to connect to the SAP system.
AS System Number	SystemNumber	True	integer	The SAP System's System Number. It is a number ranging from 00 to 99.
Use SNC	UseSnc		boolean	When selected, the connections will be secured with SNC.
SNC library	SncLibraryPath		string	Path of the SNC library to be used.
SNC SSO	SncSso		string	The SNC SSO specifies whether to use SNC identity or credentials provided on RFC level.
SNC My Name	SncMyName		string	Identity to be used for this particular destination/server (optional).
SNC Partner Name	SncPartnerName		string	The backend's SNC name.
SNC Quality of Protection	SncQop		string	Quality of Service to be used for SNC communication of this particular destination/server.

Returns

Body: DiagnosticsOutput

Definitions

DiagnosticsOutput

Name	Path	Type
GatewayRunningStatus	GatewayRunningStatus	boolean
GatewayVersionSupportsRunDiagnostics	GatewayVersionSupportsRunDiagnostics	boolean
CredentialCheck	CredentialCheck	boolean
CanPerformRfcFunctionSearch	CanPerformRfcFunctionSearch	boolean
CanInvokeSTFC_CONNECTION	CanInvokeSTFC_CONNECTION	boolean
DiagnosticsStatus	DiagnosticsStatus	object