Technology Blogs by SAP
Former Member

This blog explains security unification in BW on HANA. In older versions (i.e. BW on a traditional DB), if we create a user in an SAP system, data security restrictions are confined to that particular SAP system. In the latest versions of BW on HANA, a new DBMS tab is enabled where we can create users in the SAP system, and they are automatically created in the back-end HANA DB without any additional effort. The next steps of the blog explain how security is unified between BW and the HANA DB and how user administration is done.

Create user TEST in t.code SU01

                            

During user creation, assign SAP_ALL (as an example) on the Profiles tab

                            

Click on the DBMS tab (this tab can be enabled in SU01 by implementing certain steps and SAP Notes)

On saving user TEST, the role Public, which has basic authorizations, is automatically assigned by the back-end HANA DB. User TEST is now created in both the SAP system (Application Server) and the HANA DBMS

                          

Now log in to HANA Studio rev74 (you may use any HANA Studio greater than rev74) and navigate to the Security folder - Users

                                                                        

As we created the user in SU01 along with a DBMS user, user TEST is automatically replicated to the HANA DB

For user TEST, all the security and data restrictions are automatically replicated to the HANA DB, where end users can consume BW-generated models for reporting purposes

                                                                                       

Now let us look at user administration in two aspects

1. Deleting user in SU01

In t.code SU01, try deleting user TEST

The system will ask whether the DBMS user that was created in the HANA DB should be deleted as well. If "YES" is clicked, the user is deleted in both the SAP system (Application Server) and the HANA DB, so there will be no inconsistencies

                                            

As explained earlier, user TEST is deleted in the HANA DBMS

                                                                                

Now let us recreate user TEST in the BW system, which will also recreate it in the HANA DBMS

                                                     

2. Deleting user in HANA DBMS

Now delete user TEST in the HANA DB by navigating to Security -> Users, right-clicking user TEST and clicking Delete; the user will be deleted

                                                          

In the above case there will be an inconsistency, because the HANA database administrator might have deleted the DBMS user without the NetWeaver Application Server administrator knowing about it. To remove the inconsistency for the user, perform the steps below

Go to t.code SA38

Enter program RSUSR_DBMS_USERS_CHECK and click on Execute

                                                     

Now enter user TEST, choose "Select inconsistent users" and click on Execute to check whether the user is consistent or not

                                       

As the HANA DB administrator has deleted DBMS user TEST, the report shows that the DBMS user does not exist. This means the user is not consistent, because it was created from SU01 along with the user in the application server

                                 

Now select the option "Remove DBMS user mapping" and click on Execute; the DBMS user mapping will be removed and the user will be consistent from then on

                                 

As the DBMS user mapping has been adjusted/removed, user TEST is now consistent
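
The comparison behind this consistency check can also be reproduced outside the system when auditing for users deleted directly in the HANA DB. The following is an added example, not part of the original blog and not the code of the SAP report; the two CSV exports, their column names and the function name `check_dbms_users` are assumptions, and the data is constructed.

```python
import csv
import io

# Constructed sample data: AS ABAP user -> DBMS user mappings as they would
# look after the steps above (column names are assumptions for this example).
ABAP_MAPPINGS_CSV = """abap_user,dbms_user
TEST,TEST
ANALYST1,ANALYST1
REPORTING,bw_report
"""

# Constructed sample data: user names present in the HANA DB after the
# database administrator deleted TEST directly in HANA Studio.
HANA_USERS_CSV = """user_name
SYSTEM
ANALYST1
BW_REPORT
"""


def load_column(text, column):
    """Return the values of one CSV column, stripped of whitespace."""
    return [row[column].strip() for row in csv.DictReader(io.StringIO(text))]


def check_dbms_users(mappings_csv, hana_users_csv, only_inconsistent=False):
    """Compare AS ABAP mappings with HANA users and classify each mapping."""
    # Compare in upper case (assumption: DBMS user names are case-insensitive).
    hana_users = {u.upper() for u in load_column(hana_users_csv, "user_name")}
    results = []
    for row in csv.DictReader(io.StringIO(mappings_csv)):
        abap_user = row["abap_user"].strip()
        dbms_user = row["dbms_user"].strip().upper()
        if dbms_user in hana_users:
            status, action = "consistent", "none"
        else:
            # Same situation the report flags: mapping points at a deleted user.
            status = "DBMS user does not exist"
            action = "remove DBMS user mapping"
        if status == "consistent" and only_inconsistent:
            continue
        results.append((abap_user, dbms_user, status, action))
    return results


if __name__ == "__main__":
    for entry in check_dbms_users(ABAP_MAPPINGS_CSV, HANA_USERS_CSV, True):
        print("%-10s -> %-10s %s (%s)" % entry)
```

Passing `only_inconsistent=True` mirrors the "Select inconsistent users" option, so only mappings whose DBMS user is missing are returned.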

                                  

This shows that there is security unification between BW and HANA. The same security/data restrictions can also be replicated to Design Studio, Lumira and HANA Live for BW-generated information models.
