Former Member

Security Unification – BW on HANA

This blog explains security unification in BW on HANA. In older versions (i.e. BW on a traditional DB), if we create a user in the SAP system, data security restrictions are confined to that particular SAP system. In the latest versions of BW on HANA, a new DBMS tab is enabled where we can create users in the SAP system, and they will be automatically created in the back-end HANA DB without any additional effort. The next steps of the blog explain how security is unified between BW and the HANA DB and how user administration is done.

Create User:TEST in t.code SU01


During user creation, assign SAP_ALL (as an example) in the Profiles tab


Click on the DBMS tab (this tab can be enabled in SU01 by implementing certain steps and SAP Notes)

On saving user:TEST, Role:Public, which has basic authorizations, will be automatically assigned by the back-end HANA DB. The user:TEST is now created in both the SAP system (Application Server) and in the HANA DBMS


Now log in to HANA Studio rev74 (you may use any HANA Studio greater than rev74) and navigate to the Security folder – Users


As we have created the user in SU01 along with the DBMS user, User:TEST is automatically replicated to HANA DB

Here for user:TEST, all the security and data restrictions are automatically replicated to HANA DB where end users can consume BW generated models for reporting purposes


Now let us look at the snapshot of user administration in two aspects

1. Deleting user in SU01

In t.code:SU01 try deleting user:TEST

The system will prompt whether the DBMS user that was created in HANA DB needs to be deleted or not. If “YES” is clicked, the user is deleted in both the SAP system (Application Server) and in HANA DB, so there will be no inconsistencies


As explained earlier user:TEST is deleted in HANA DBMS


Now let us recreate User:TEST in the BW system, which will also be recreated in HANA DBMS


2. Deleting user in HANA DBMS

Now delete user:TEST in HANA DB by navigating to Security -> Users -> right-click on User:TEST -> Delete; the user will be deleted


In the above case there will be an inconsistency, because the HANA database administrator might have deleted the DBMS user without the NetWeaver Application Server administrator knowing about it. To remove the inconsistency, perform the steps below

Go to T.Code:SA38

Enter Program: RSUSR_DBMS_USERS_CHECK and Click on Execute


Now enter User:TEST, choose “Select inconsistent users” and click on Execute to check whether the user is consistent


As the HANA DB administrator has deleted DBMS user:TEST, the report shows that the DBMS user does not exist. This implies the user is not consistent, as it was created from SU01 along with the user in the application server


Now select the option “Remove DBMS user mapping” and click on Execute; the DBMS user mapping will be removed and the user will henceforth be consistent


As the DBMS user mapping is adjusted/removed, user:TEST will now be consistent
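An independent cross-check of the inconsistency that RSUSR_DBMS_USERS_CHECK reports in the steps above, as an added example that is not part of the original blog or SAP's own code. It assumes the ABAP-to-DBMS user mapping and the HANA user list have been exported as CSV; the column names, the sample rows and the built-in account allowlist are constructed for illustration.

```python
import csv
import io

# Constructed sample exports; column names are assumptions for this example.
ABAP_MAPPING_CSV = """abap_user,dbms_user
TEST,TEST
ALICE,ALICE
BOB,BOB
CAROL,
"""
HANA_USERS_CSV = """user_name,deactivated
SYSTEM,FALSE
ALICE,FALSE
BOB,TRUE
OLDUSER,FALSE
"""
# Built-in HANA accounts that never have an ABAP mapping (assumed allowlist).
BUILTIN = {"SYSTEM", "SYS", "_SYS_REPO", "_SYS_STATISTICS"}


def load(text, key):
    """Return {upper-cased key column: row} for one CSV export."""
    return {r[key].strip().upper(): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(mapping_csv, hana_csv):
    """Classify each ABAP user's DBMS mapping and list unmapped HANA users."""
    mapping = load(mapping_csv, "abap_user")
    hana = load(hana_csv, "user_name")
    status, mapped = {}, set()
    for abap_user, row in mapping.items():
        dbms_user = row["dbms_user"].strip().upper()
        if not dbms_user:
            status[abap_user] = "NO_MAPPING"          # ABAP-only user
            continue
        mapped.add(dbms_user)
        if dbms_user not in hana:
            status[abap_user] = "DBMS_USER_MISSING"   # deleted on the HANA side
        elif hana[dbms_user]["deactivated"].strip().upper() == "TRUE":
            status[abap_user] = "DBMS_USER_DEACTIVATED"
        else:
            status[abap_user] = "CONSISTENT"
    orphans = sorted(set(hana) - mapped - BUILTIN)    # HANA users nobody maps to
    return status, orphans


if __name__ == "__main__":
    print(reconcile(ABAP_MAPPING_CSV, HANA_USERS_CSV))
```

A DBMS_USER_MISSING result corresponds to the case the report resolves with “Remove DBMS user mapping”; the unmapped list shows HANA users that no ABAP user maps to, for example a DBMS user kept when the ABAP user was deleted.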


With this we conclude that there is security unification between BW and HANA. The same security/data restrictions can also be replicated to Design Studio, Lumira and HANA Live for BW-generated information models.

      Former Member

      Hello Suresh,

      Thanks for the info.

      Do you know if there is a link between this and the RSECADMIN and the automatic replication of BW objects as views ?



      Former Member
      Blog Post Author

      Hi Matthieu,

      RSECADMIN is used for security restrictions applied in BW and this scenario is closely related to RSECADMIN because whatever security restriction we apply here will be automatically applied in backend HANA DB based on the user to which we assign the roles.

      Automatic replication of BW Objects as views is not related to this.



      Ramakrishnan Ramanathaiah

      Thank you Suresh. It is a good document. This will apply to new users. What will happen to the existing users? Say I have 500 users which are already there in the BW system, then I move to BW on HANA. Do these 500 users automatically move to the HANA database? In our case they were not moved. Now how can we move these 500 users to the HANA database along with all the relevant security without redoing all the security work, so that these security models can be accessed via HANA models/studio and can be consumed by the reporting tools by passing the BW App level Security? Is there any program with which we can move existing users along with the security to the HANA database?



      Nitesh Gupta

      Hi Ramakrishnan,

      You can use reports/programs RSUSR_DBMS_USERS to create DBMS mapping of multiple users at a go. This works for users already existing in BW. Even if a user is already existing in HANA, it will map him to corresponding BW user.

      Limitation with above program is: if a user has been mapped to HANA user, but later HANA user is deleted, you will not know it via this program. So you can use program RSUSR_DBMS_USERS_CHECK to find such inconsistent users (as Suresh mentioned in above document) and create them via this program.

      You can use BW tcode RS2HANA_CHECK to transfer BW analysis authorizations to HANA authorizations. You can find more details on tcode on SCN.



      Srinivas V

      Excellent document Suresh..

      I have a question.. Since a user in HANA can be created as a Database user or Restricted user. Is it possible to create user in BW for which a corresponding Restricted user is created in HANA?

      Thanks in advance ...

      Srinivas V

      Thanks.. I just found out that in BW 7.5, it is possible to create a user in BW with a Restricted user in HANA.

      Former Member

      Hi Suresh,

      This is a very interesting read, thanks for sharing. We are using SAP BW 7.5 and SAP HANA 1 SPS12. The question I have is: if we create the user as per your method and if we change the roles or add or delete a few roles for the user at the SAP BW end, will it update the SAP HANA user automatically?

      It's an urgent topic of discussion at my end and I would appreciate it if I can get some feedback from this post.