How to restrict the tables that are allowed for replication
This time I would like to focus on some security features. The data provisioning UI in the HANA Modeler shows the complete table dictionary that is available on the source system, so you can easily click and choose the table you would like to replicate. When you think about security and authorizations, in some cases you would like to restrict the tables that can be replicated to HANA.
How can you achieve this?
SLT comes with a control table on the source system, IUUC_TAB_ALLOWED. As long as the table remains empty, all tables are considered for load / replication. Once a first table is maintained in IUUC_TAB_ALLOWED, only the maintained tables are allowed for replication.
DMIS 2011 SP6 and higher:
The fields in table IUUC_TAB_ALLOWED are described below:
| Field | Description |
|---|---|
| SLT_SID | The SAP LT Replication Server system ID. |
| CONFIG_GUID | The SAP LT Replication Server system configuration |
| TABNAME | The source system table name. |
| ALL_CLIENTS | In this field, you can specify whether the configuration can only access the client specified in the RFC connection associated with the configuration (a blank entry) or whether the configuration can access data in all clients (an X). Note that read access to a single client is only possible if the option Read from Single Client was set to active when you created the configuration. If this flag is not active, and the field ALL_CLIENTS contains a blank entry, then read access will be completely blocked. |

| SLT_SID | CONFIG_GUID | TABNAME | ALL_CLIENTS | Description |
|---|---|---|---|---|
| | | SFLIGHT | X | Every configuration in every connected SAP LT Replication Server system can access data in table SFLIGHT in all clients. Read access to all other tables in the source system is blocked. |
| SLT | 4713 | SFLIGHT | X | Configuration 4713 from the SAP LT Replication Server system ‘SLT’ can access data in table SFLIGHT in all clients. Read access to all other tables in the source system is blocked. |
| PLT | 1234 | C1ES_GO | | Configuration 1234 from SAP LT Replication Server ‘PLT’ can only access data in table C1ES_GO in the client specified in the RFC connection, but only if the ‘Read from Single Client’ option has been set when the configuration was created. If not, then the read access to this table is completely blocked. |
| SLT | 4711 | SFLIGHT | X | Every configuration in every connected SAP LT Replication Server system can access data in table SFLIGHT in all clients. Read access to all other tables in the source system is blocked. |
Before DMIS 2011 SP6:
1. No table defined
No restrictions defined. Therefore all tables are allowed for load and replication.
2. Some tables defined, ALL_CLIENTS set to space
Only the defined tables can be replicated to HANA (in this example: MARA, MARC, MARD). The respective configuration must be defined as client specific replication.
3. Some tables defined, ALL_CLIENTS set to X
Only the defined tables can be replicated to HANA (in this example: MARA, MARC, MARD). The respective configuration can be defined as client specific or cross client replication.
a.) Now an example with tables SFLIGHT / SBOOK and SCARR – SCARR is in replication.
b.) Use transaction SE16 on the source system to restrict the allowed tables. In this example a new entry for table SFLIGHT was created.
c.) Back in HANA Studio, choose SFLIGHT and SBOOK for replication.
d.) What will be the result? The table SFLIGHT will be replicated because you created a record in IUUC_TAB_ALLOWED. Table SBOOK will be displayed with status “Error”, because no record for it exists in IUUC_TAB_ALLOWED.
All other tables that were in replication before you added a record to IUUC_TAB_ALLOWED will stay in the same mode.
e.) What will happen when you want to stop table SCARR?
The table SCARR is not part of the allowed tables and cannot be stopped from replication. You will see one entry showing that the “Stop” led to an “Error”, and a second entry showing that table SCARR is in action “Replicate” and the status is still “In Process”.
f.) Add SCARR to table IUUC_TAB_ALLOWED so that you can stop the replication.
g.) Stop the replication for table SCARR.
You can see – SCARR switched to Replicate/Executed. This indicates that the table was stopped for replication.
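The decision rules and the SFLIGHT / SBOOK / SCARR walkthrough above, modeled as an added Python example; it is not SAP's code and not part of the original post. It assumes that blank SLT_SID and CONFIG_GUID fields match any value (as in the first SFLIGHT example row) and that an X on any matching row is sufficient; the class and function names are hypothetical and the sample rows are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AllowEntry:
    """Model of one IUUC_TAB_ALLOWED row (class name is hypothetical)."""
    tabname: str
    slt_sid: str = ""       # blank = any SLT system (assumed wildcard)
    config_guid: str = ""   # blank = any configuration (assumed wildcard)
    all_clients: str = ""   # "X" = all clients, blank = RFC client only

def decide(entries, slt_sid, config_guid, tabname, single_client):
    """Return (allowed, reason) for one configuration acting on one table.
    single_client mirrors the 'Read from Single Client' configuration option."""
    if not entries:
        return True, "allow-list empty: no restriction"
    matches = [e for e in entries
               if e.tabname == tabname
               and e.slt_sid in ("", slt_sid)
               and e.config_guid in ("", config_guid)]
    if not matches:
        return False, "no matching entry in IUUC_TAB_ALLOWED"
    if any(e.all_clients == "X" for e in matches):
        return True, "allowed in all clients"
    if single_client:
        return True, "allowed in the RFC client only"
    return False, "ALL_CLIENTS blank and Read from Single Client not set"

def stranded(entries, slt_sid, config_guid, replicating, single_client):
    """Tables already in replication that the allow-list does not cover.
    Per the walkthrough they keep replicating and a Stop ends in Error."""
    return sorted(t for t in replicating
                  if not decide(entries, slt_sid, config_guid, t, single_client)[0])

if __name__ == "__main__":
    # Constructed data: SCARR is already replicating, then SFLIGHT is allowed.
    allow = [AllowEntry("SFLIGHT", all_clients="X")]
    for table in ("SFLIGHT", "SBOOK", "SCARR"):
        print(table, decide(allow, "SLT", "4713", table, single_client=False))
    print("cannot be stopped until added:",
          stranded(allow, "SLT", "4713", {"SCARR"}, single_client=False))
```

Running `stranded` against the list of tables currently in replication before maintaining the first entry shows which tables need a row of their own if they must remain stoppable.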
This is all about how the table IUUC_TAB_ALLOWED can be used to restrict the tables that are allowed for replication. Please note that this only works for SAP source systems. I hope this gave you some more insight into this feature. Let me know if you need more details.