Partager via


SAP ERP

SAP ERP is an enterprise resource planning software developed by SAP SE. SAP ERP incorporates the key business functions of an organization. The SAP ERP connector for Power Automate and Power Apps allows you to invoke RFC and BAPI functions using on-premises data gateway.

This connector is available in the following products and regions:

Service Class Regions
Power Automate Premium All Power Automate regions
Power Apps Premium All Power Apps regions
Contact
Name Microsoft
URL Microsoft Power Automate Support
Microsoft Power Apps Support
Connector Metadata
Publisher Microsoft
Website https://www.sap.com/products/enterprise-management-erp.html
Privacy policy https://www.sap.com/about/legal/privacy.html

Using the SAP ERP connector

To get started on using this connector, read the following blog posts:

Pre-requisites

The SAP ERP connector has a dependency on the following components, which must be installed on the same machine:

SAP Authorizations

Your SAP user account needs access to the RFC_METADATA function group and the respective function modules for the following operations:

Operations Access to function modules
RFC actions RFC_GROUP_SEARCH, DD_LANGU_TO_ISOLA
BAPI actions BAPI_TRANSACTION_COMMIT, BAPI_TRANSACTION_ROLLBACK, RPY_BOR_TREE_INIT, SWO_QUERY_METHODS, SWO_QUERY_API_METHODS
IDoc actions IDOCTYPES_LIST_WITH_MESSAGES, IDOCTYPES_FOR_MESTYPE_READ, INBOUND_IDOCS_FOR_TID, OUTBOUND_IDOCS_FOR_TID, GET_STATUS_FROM_IDOCNR, IDOC_RECORD_READ
Read SAP table action RFC BBP_RFC_READ_TABLE or RFC_READ_TABLE
Minimum access RFC_METADATA_GET, RFC_METADATA_GET_TIMESTAMP

Authentication

The connector supports SAP Authentication, Windows Authentication, Microsoft Entra ID with Kerberos, and Microsoft Entra ID with Certificates (Public Preview).

Because the connector is designed to be used by multiple users of an app, the connections are not shared. Rather, each user will authenticate with the SAP system. The user credentials are provided in the connection, while additional details required to connect to the SAP system (like the server details, security configuration) are provided as part of the action.

SAP Authentication

Basic SAP authentication using SAP username and password.

Windows Authentication

Requires additional setup for Secure Network Communication (SNC). Requires additional setup for Kerberos-based SSO from Power Platform to on-premises data sources.

Microsoft Entra ID (with Kerberos)

Requires additional setup for Secure Network Communication (SNC). Requires additional setup for Kerberos-based SSO from Power Platform to on-premises data sources.

Microsoft Entra ID (with Certificates)

Microsoft Entra ID (with Certificates) is in Public Preview.

Requires additional setup for Secure Network Communication (SNC). Requires additional setup for Certificate-based SSO from Power Platform to on-premises data sources.

Configure Kerberos-based SSO

The SAP SNC name for a user (p:CN=JANEDOE@REDMOND.CORP.CONTOSO.COM) must equal the users Microsoft Entra ID fully qualified domain name (JANEDOE@REDMOND.CORP.CONTOSO.COM) for both Windows and Microsoft Entra ID authentication.

SAP SNC Name

Property Description
Use SNC Set to "Yes" if you want to enable SNC
SNC library The SNC library name or path relative to NCo installation location or absolute path. Examples are sapcrypto.dll or .\security\sapcrypto.dll, or c:\security\sapcrypto.dll.
SNC SSO Specifies whether the connector will use the identity of the service or the end user credentials
SNC My Name If required, specify the identity to be used
SNC Partner Name The name of the back-end SNC server
SNC Quality of Protection The quality of service to be used for SNC communication of this particular destination or server. The default value is defined by the back-end system. The maximum value is defined by the security product used for SNC.

If Microsoft Entra ID or Windows Authentication is needed for the SAP ERP Connector you need to:

  • Configure Kerberos-based SSO from Power Platform to on-premises data sources
  • Configure SAP ERP to enable using CommonCryptoLib (sapcrypto.dll)

Configure Kerberos-based SSO from Power Platform to on-premises data sources Pre-requisites

After installation of the Data Gateway, the gateway runs as the machine-local service account, NT Service\PBIEgwService. To enable Kerberos constrained delegation, you have two options:

Configuration Steps:

  • Obtain domain admin rights to configure SPNs (SetSPN) and Kerberos constrained delegation settings
  • Configure Kerberos constrained delegation for the gateway and data source
  • Configure an SPN for the gateway service account
  • Add gateway service account to Windows Authorization and Access Group if required
  • Decide on the type of Kerberos constrained delegation to use:
    • Configure the gateway service account for standard Kerberos constrained delegation
    • Configure the gateway service account for resource-based Kerberos constrained delegation
  • Grant the gateway service account local policy rights on the gateway machine
  • Set user-mapping configuration parameters on the gateway machine (if necessary)

For more details on how to configure this, refer to Power BI documentation for Configure Kerberos-based SSO from Power BI service to on-premises data sources.

Configure SAP ERP to enable using CommonCryptoLib (sapcrypto.dll)

  1. Ensure that your SAP ERP server is correctly configured for Kerberos SSO using CommonCryptoLib. If it is, you can use SSO to access your SAP ERP server with an SAP tool like SAP GUI that has been configured to use CommonCryptoLib. For more information on setup steps, see SAP Single Sign-On: Authenticate with Kerberos/SPNEGO. Your server should use CommonCryptoLib as its SNC Library and have an SNC name that starts with CN. For more information on SNC name requirements (specifically, the snc/identity/as parameter), see SNC Parameters for Kerberos Configuration.
  2. Ensure that SAP Secure Login Client (SLC) isn't running on the computer the gateway is installed on. SLC caches Kerberos tickets in a way that can interfere with the gateway's ability to use Kerberos for SSO. If SLC is installed, uninstall it or make sure you exit SAP Secure Login Client. Right-click the icon in the system tray and select Log Out and Exit before you attempt an SSO connection by using the gateway. SLC isn't supported for use on Windows Server machines. For more information, see SAP Note 2780475 (s-user required).

SAP Secure Login Client

  1. If you uninstall SLC or select Log Out and Exit, open a cmd window and enter klist purge to clear any cached Kerberos tickets before you attempt an SSO connection through the gateway.
  2. Download 64-bit CommonCryptoLib (sapcrypto.dll) version 8.5.25 or greater from the SAP Launchpad, and copy it to a folder on your gateway machine. In the same directory where you copied sapcrypto.dll, create a file named sapcrypto.ini, with the following content:

ccl/snc/enable_kerberos_in_client_role = 1

The .ini file contains configuration information required by CommonCryptoLib to enable SSO in the gateway scenario.

Note

These files must be stored in the same location; in other words, /path/to/sapcrypto/ should contain both sapcrypto.ini and sapcrypto.dll.

Both the gateway service user and the Microsoft Entra ID user that the service user impersonates need read and execute permissions for both files. We recommend granting permissions on both the .ini and .dll files to the Authenticated Users group. For testing purposes, you can also explicitly grant these permissions to both the gateway service user and the Microsoft Entra ID user you use for testing. In the following screenshot we've granted the Authenticated Users group Read & execute permissions for sapcrypto.dll:

Grant Read & execute permissions for Authenticated Users

  1. If you don't already have an SAP BW data source associated with the gateway you want the SSO connection to flow through, add one on the Manage gateways page in the Power BI service. If you already have such a data source, edit it:
  • Choose SAP Business Warehouse as the Data Source Type if you want to create an SSO connection to a BW Application Server.
  • Select Sap Business Warehouse Message Server if you want to create an SSO connection to a BW Message Server.
  1. Create a CCL_PROFILE system environment variable and set its value to the path to sapcrypto.ini.

CCL_PROFILE system environment variable:

Create and set system environment variables

The sapcrypto.dll and .ini files must exist in the same location. In the above example, sapcrypto.ini and sapcrypto.dll are both located on the desktop.

  1. Restart the gateway service.

Restart the gateway service

Microsoft Entra ID Authentication

This authentication type will only work with the following actions:

  • Call SAP function (V2)
  • Create stateful session
  • Read SAP table with parsing

The Microsoft Entra ID SAP Service Principal account must have AES 128 or AES 256 defined on the msDS-SupportedEncryptionType attribute. This blog post contains a table to help calcuate decimal/hex values for supported encryption types.

Known Issues and Limitations

The following are some of the known issues and limitations of the SAP ERP connector:

  • The connector supports only RFCs and BAPIs.
  • The connector does not support receiving messages from SAP Server.
  • Transactional RFCs (tRFCs) are not supported.
  • The gateway has a 2-MB payload limit for write operations and an 8-MB compressed data response limit for read operations.
  • Data gateway clusters in load-balancing mode aren't supported by stateful SAP actions. Stateful communications must remain on the same data gateway cluster node. For stateful SAP actions, use the data gateway either in non-cluster mode or in a cluster that's set up for failover only.
  • Upgrade your On-premises data gateway to the latest version if you receive an error during flow authoring similiar to: Length of the name of the RFC '<RFC_NAME>?honorSapOptionalFlag=1' is larger than the maximum allowed limit of 30
  • RFC/BAPI parameters fetched from SAP are cached within the On-premises data gateway. Restart the On-premises data gateway service to clear the cache and retrieve new values.

Collecting Logs

The following logs are useful to troubleshoot SapErp connector issues when contacting Microsoft support:

  1. Enable Additional logging in the Diagnostics settings of your on-premises data gateway app to get Informational SAP Adapter's extended logs and SapErp Adapter's traces.
  2. Update the following setting in the configuration file Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config. Typically, this configuration file sits where your on-premised data gateway is installed (e.g. C:\Program Files\On-premises data gateway\Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config).
    <setting name="SapTraceLevel" serializeAs="String">
       <value>Verbose</value>
    </setting>
    

SAP System Property Guidance

For actions that support the SAP system parameter, use the following table for guidance.

Property Description
AppServerHost The hostname of the SAP Application Server.
AppServerService The service name or port number of the specific SAP Application Server to connect to (Optional for connection type (Logon) A - Application Server).
Client The SAP client ID to connect to the SAP system. The SAP backends' client (or 'Mandant') into which to log in. It is a number ranging from 000 to 999.
Language The language code to connect to the SAP system with. A two letter ISO 639-1 code. Must be installed within SAP. This overrides the browsers language setting.
LogonGroup The Logon Group for the SAP System, from which the Message Server shall select an Application Server (Only available if connection type (Logon) is B - Message Server (Group)).
LogonType The type of logon to the SAP System, either Application Server Logon (Type A) or Group Logon (Type B aka Message Server).
Allowed values: ApplicationServer, Group
MessageServerHost The hostname of the SAP System's Message Server (central instance) aka R3 System Name (Mandatory if connection type (Logon) is B - Message Server (Group)).
MessageServerService The Service Name (as defined in etc/services) or the Port Number under which the Message Server is listening for load-balancing requests (Mandatory if connection type (Logon) is B - Message Server (Group) and System ID is not present).
SafeTyping By default, when you create your SAP connection, strong typing is used to check for invalid values by performing validation against the schema. This behavior can help you detect issues earlier. The Safe Typing option is available for backward compatibility and only checks the string length.
Allowed values: true, false
SncCertificate X.509 certificate in Base64 encoded form, without the begin or end certificate tags.
SncMyName The installed SNC solution usually knows its own SNC name. Only for solutions supporting 'multiple identities', you may need to specify the identity to be used for this destination/server (optional).
SncLibraryPath Name or path of the SNC library to be used. With the On-Premises Data Gateway, the path can be an absolute or relative to the NCo library.
SncPartnerName The backends' SNC name (Required when Logon Type is Application Server).
SncQop Quality of Service to be used for SNC communication of this destination/server.
Allowed values: Authentication, Integrity, Privacy, Default, Maximum
SncSso The SNC SSO specifies whether to use SNC identity or credentials provided on RFC level.
SsoCertificateSubject Subject of the certificate on the OPDG Windows machine for Certificate-based authentication with Microsoft Entra ID
SystemId The SAP system's three-letter system ID (Mandatory if connection type (Logon) is B - Message Server (Group) and Message Server Service is not present).
SystemNumber The SAP System's System Number. It is a number ranging from 00 to 99 (Mandatory if connection type (Logon) is A - Application Server).
UseSnc When selected, the connections will be secured with SNC.
Allowed values: Yes

Migrating from Call SAP Function to Call SAP Function (v2)

The Call SAP Function was deprecated in July of 2023, and support will end in July 2026. Users will need to migrate their existing v1 actions before that time, or their flows will break.

  1. Replace multiple form fields with a single JSON string for connection properties.
  2. Use the following property mapping:
v1 Field Label v2 Property
AS Host AppServerHost
Client Client
AS System Number SystemNumber
SAP function name N/A - not relevant to connection string
Stateful Session N/A - Stateful sessions are available in "Advanced Options" where an ID may be specified for Session Id. Steps with the same Session Id will be run as part of the same stateful session.
Use SNC UseSnc
SNC library SncLibraryPath
SNC SSO SncSso
SNC My Name SncMyName
SNC Partner Name SncPartnerName
SNC Quality of Protection SncQop

Example

Call SAP Function V1:

Call SAP Function v1

Call SAP Function V2:

Call SAP Function v2

Given the screenshot, the connection string would look like this:

{
  "AppServerHost": "sap.example.com",
  "Client": 100,
  "SystemNumber": "00"
}

Since Use SNC is "No" in the screenshot, no property is needed. The default is "false"

Using Environment Variables

Flows built in solutions can manage these connection string using Environment Variables. This is the recommended method, as it allows you to change connection parameters based on the environment. If your flow is not in a solution, keep the string handy for copy/paste.

General Limits

Name Value
Maximum number of properties supported by dynamic schema. Parse JSON action can be used to generate schema from a sample payload if exceeding maximum number of properties. 1024

Creating a connection

The connector supports the following authentication types:

Azure AD Integrated Use Azure Active Directory to access SAP. Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only Not shareable
Microsoft Entra ID (with certificates) Use Microsoft Entra ID Principal Propagation via X509 certificates to access SAP. All regions Not shareable
Microsoft Entra ID (with Kerberos) Use Microsoft Entra ID Principal Propagation via Kerberos to access SAP. All regions except Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) Not shareable
SAP Authentication Use SAP username and password to access SAP server. All regions Not shareable
Windows Authentication Use windows username and password to access your SAP Server. All regions Not shareable
Default [DEPRECATED] This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility. All regions Not shareable

Azure AD Integrated

Auth ID: OAuthSso

Applicable: Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only

Use Azure Active Directory to access SAP.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Gateway gatewaySetting On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details True

Microsoft Entra ID (with certificates)

Auth ID: UpnX509Certificate

Applicable: All regions

Use Microsoft Entra ID Principal Propagation via X509 certificates to access SAP.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Gateway gatewaySetting On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details True

Microsoft Entra ID (with Kerberos)

Auth ID: OAuthSso

Applicable: All regions except Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High)

Use Microsoft Entra ID Principal Propagation via Kerberos to access SAP.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Gateway gatewaySetting On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details True

SAP Authentication

Auth ID: Basic

Applicable: All regions

Use SAP username and password to access SAP server.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Gateway gatewaySetting On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details True
SAP Username securestring SAP Username for sign in into the SAP System. True
SAP Password securestring SAP Password for sign in into the SAP System. True

Windows Authentication

Auth ID: Windows

Applicable: All regions

Use windows username and password to access your SAP Server.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Gateway gatewaySetting On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details True
Windows Domain and Username securestring Windows domain and username used for sign in into the SAP System. Example: DOMAIN\username True
Windows Password securestring Windows password used for sign in into the SAP System. True

Default [DEPRECATED]

Applicable: All regions

This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Gateway gatewaySetting On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details True
Authentication Type string Authentication type to connect to the SAP System. Must be basic (username and password). True
Username securestring Username for sign in into the SAP System. True
Password securestring Password for sign in into the SAP System. True

Throttling Limits

Name Calls Renewal Period
API calls per connection 2500 60 seconds

Actions

Call SAP function (deprecated) [DEPRECATED]

This action has been deprecated. Please use Call SAP function (V3) instead.

Call SAP function. (deprecated)

Call SAP function (V2)

Calls an sRFC, tRFC or qRFC on the SAP system.

Call SAP function (V3) (Preview)

Calls an sRFC, tRFC or qRFC on the SAP system.

Close stateful session

Closes an existing stateful connection session to the SAP system.

Create stateful session

Creates a stateful connection session to the SAP system. This action only works with Call SAP function (V2)

Read SAP table with parsing

This action requires that the user has access to 'BBP_RFC_READ_TABLE' or 'RFC_READ_TABLE' RFC.

Run Diagnostics

Run Diagnostics.

Call SAP function (deprecated) [DEPRECATED]

This action has been deprecated. Please use Call SAP function (V3) instead.

Call SAP function. (deprecated)

Parameters

Name Key Required Type Description
AS Host
AppServerHost True string

The hostname of the SAP Application Server.

Client
Client True integer

The SAP client ID to connect to the SAP system.

AS System Number
SystemNumber True integer

The SAP System's System Number. It is a number ranging from 00 to 99.

Use SNC
UseSnc boolean

When selected, the connections will be secured with SNC.

SNC library
SncLibraryPath string

Path of the SNC library to be used.

SNC SSO
SncSso string

The SNC SSO specifies whether to use SNC identity or credentials provided on RFC level.

SNC My Name
SncMyName string

Identity to be used for this particular destination/server (optional).

SNC Partner Name
SncPartnerName string

The backend's SNC name.

SNC Quality of Protection
SncQop string

Quality of Service to be used for SNC communication of this particular destination/server.

SAP function name
function True string

Specify SAP function name (case-sensitive).

Stateful Session
isSessionStateful True string

Create stateful session. Select 'Yes' for write operations, 'No' for read operations.

SAP function input
functionInput dynamic

Please specify SAP function input.

Returns

The outputs of this operation are dynamic.

Call SAP function (V2)

Calls an sRFC, tRFC or qRFC on the SAP system.

Parameters

Name Key Required Type Description
SAP system
x-ms-sap-system True byte

JSON string containing system parameters Host, system number, client etc.

RFC name
rfcName True string

The RFC to be called, e.g. 'STFC_CONNECTION'.

SAP function input
rfcInputs True dynamic

The SAP function inputs.

RFC Group filter
rfcGroupFilter string

The optional RFC group filter, such as 'STFC', to filter the RFCs.

Auto commit
autoCommit boolean

Automatically commits the RFC transaction if adding the qRFC/tRFC to the transaction has no error. Auto-commit only takes effect if either {tId} or {queueName} is provided.

Session Id
sessionId string

The optional stateful session Id as a string for stateful RFC. If no session Id is provided, the call is made on a stateless connection.

Returns

The outputs of this operation are dynamic.

Call SAP function (V3) (Preview)

Calls an sRFC, tRFC or qRFC on the SAP system.

Parameters

Name Key Required Type Description
SAP system
x-ms-sap-system True byte

JSON string containing system parameters Host, system number, client etc.

RFC name
rfcName True string

The RFC to be called, e.g. 'STFC_CONNECTION'.

SAP function input
rfcInputs True dynamic

The SAP function inputs.

RFC Group filter
rfcGroupFilter string

The optional RFC group filter, such as 'STFC', to filter the RFCs.

Auto commit
autoCommit boolean

Automatically commits the RFC transaction if adding the qRFC/tRFC to the transaction has no error. Auto-commit only takes effect if either {tId} or {queueName} is provided.

Session Id
sessionId string

The optional stateful session Id as a string for stateful RFC. If no session Id is provided, the call is made on a stateless connection.

Returns

The outputs of this operation are dynamic.

Close stateful session

Closes an existing stateful connection session to the SAP system.

Parameters

Name Key Required Type Description
SAP system
x-ms-sap-system True byte

JSON string containing system parameters Host, system number, client etc.

Session Id
sessionId True string

The stateful session Id as a string.

Returns

response
object

Create stateful session

Creates a stateful connection session to the SAP system. This action only works with Call SAP function (V2)

Parameters

Name Key Required Type Description
SAP system
x-ms-sap-system True byte

JSON string containing system parameters Host, system number, client etc.

Returns

Result for Create Session operation.

Read SAP table with parsing

This action requires that the user has access to 'BBP_RFC_READ_TABLE' or 'RFC_READ_TABLE' RFC.

Parameters

Name Key Required Type Description
SAP system
x-ms-sap-system True byte

JSON string containing system parameters Host, system number, client etc.

Table name
tableName True string

The name of the SAP table to read

Fields to read
FieldNames array of string

The list of fields to read

Where filters
WhereFilters array of string

The list of where filter clauses, e.g. "MTART = 'ROH' AND MEINS = 'PAK'"

Starting row index
StartIndex integer

Starting row index, e.g. 0

Count of rows to read
RowCount integer

The count of rows to read, e.g. 10

Returns

The outputs of this operation are dynamic.

Run Diagnostics

Run Diagnostics.

Parameters

Name Key Required Type Description
AS Host
AppServerHost True string

The hostname of the SAP Application Server.

Client
Client True integer

The SAP client ID to connect to the SAP system.

AS System Number
SystemNumber True integer

The SAP System's System Number. It is a number ranging from 00 to 99.

Use SNC
UseSnc boolean

When selected, the connections will be secured with SNC.

SNC library
SncLibraryPath string

Path of the SNC library to be used.

SNC SSO
SncSso string

The SNC SSO specifies whether to use SNC identity or credentials provided on RFC level.

SNC My Name
SncMyName string

Identity to be used for this particular destination/server (optional).

SNC Partner Name
SncPartnerName string

The backend's SNC name.

SNC Quality of Protection
SncQop string

Quality of Service to be used for SNC communication of this particular destination/server.

Returns

Definitions

DiagnosticsOutput

Name Path Type Description
GatewayRunningStatus
GatewayRunningStatus boolean
GatewayVersionSupportsRunDiagnostics
GatewayVersionSupportsRunDiagnostics boolean
CredentialCheck
CredentialCheck boolean
CanPerformRfcFunctionSearch
CanPerformRfcFunctionSearch boolean
CanInvokeSTFC_CONNECTION
CanInvokeSTFC_CONNECTION boolean
DiagnosticsStatus
DiagnosticsStatus object

CreateSessionResponse

Result for Create Session operation.

Name Path Type Description
Session Id
SessionId string

Id for the stateful session.

object

This is the type 'object'.