This blog explains security unification in BW on HANA. In older versions (i.e., BW on a traditional DB), when a user is created in an SAP system, the data security restrictions are confined to that particular SAP system. In the latest versions of BW on HANA, a new DBMS tab is enabled where we can create users in the SAP system and have them created automatically in the back-end HANA DB without any additional effort. The next steps of the blog explain how security is unified between BW and the HANA DB and how user administration is done.

Create User:TEST in t.code SU01

During user creation, assign SAP_ALL (as an example) in the Profiles tab.

Click on the DBMS tab (this tab can be enabled in SU01 by implementing certain steps and SAP Notes).

On saving user:TEST, Role:Public, which has basic authorizations, is automatically assigned by the back-end HANA DB. User:TEST now exists in both the SAP system (Application Server) and the HANA DBMS.

Now log in to HANA Studio rev74 (you may use any HANA Studio greater than rev74) and navigate to the Security folder – Users.

As we created the user in SU01 along with a DBMS user, User:TEST is automatically replicated to the HANA DB.

Here, for user:TEST, all the security and data restrictions are automatically replicated to the HANA DB, where end users can consume BW-generated models for reporting purposes.

Now let us look at user administration in two aspects:

1. Deleting user in SU01

In t.code SU01, try deleting user:TEST.

The system will ask whether the DBMS user that was created in the HANA DB should be deleted as well. If “YES” is clicked, the user is deleted in both the SAP system (Application Server) and the HANA DB, so there are no inconsistencies.

As explained earlier, user:TEST is deleted in the HANA DBMS.

Now let us recreate User:TEST in the BW system, which also recreates it in the HANA DBMS.

2. Deleting user in HANA DBMS

Now delete user:TEST in the HANA DB by navigating to Security -> Users, right-clicking on User:TEST and clicking on Delete.

In this case there will be an inconsistency, because the HANA database administrator might have deleted the DBMS user without the NetWeaver Application Server administrator knowing about it. To remove the inconsistency for the user, perform the steps below.

Go to T.Code:SA38

Enter Program: RSUSR_DBMS_USERS_CHECK and Click on Execute

Now enter User:TEST, choose “Select inconsistent users” and click on Execute to check whether the user is consistent.

As the HANA DB administrator has deleted DBMS user:TEST, the report shows that the DBMS user does not exist. This means the user is not consistent, because it was created from SU01 together with the user in the application server.

Now select the option “Remove DBMS user mapping” and click on Execute. The DBMS user mapping is removed and the user is consistent from then on.

As the DBMS user mapping has been adjusted/removed, user:TEST is now consistent.
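
A database-side check to go with the report above, added here as an example that is not part of the original post: it confirms the DBMS user and its roles in the HANA catalog and records user deletions so that a drop made directly in HANA does not go unnoticed. The policy name is hypothetical; the last query assumes auditing is enabled globally and the audit trail is written to the database table, and creating the policy requires the AUDIT ADMIN privilege.

```sql
-- Added example; user TEST is the one from this post.

-- 1. Does the DBMS user created from SU01 exist, and who created it?
SELECT USER_NAME, CREATOR, CREATE_TIME, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USER_NAME = 'TEST';

-- 2. Which roles does it hold? PUBLIC should be listed after creation.
SELECT GRANTEE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'TEST';

-- 3. Record every successful user creation and deletion in HANA.
--    EXAMPLE_DBMS_USER_CHANGES is a hypothetical policy name.
CREATE AUDIT POLICY "EXAMPLE_DBMS_USER_CHANGES"
  AUDITING SUCCESSFUL CREATE USER, DROP USER
  LEVEL INFO;
ALTER AUDIT POLICY "EXAMPLE_DBMS_USER_CHANGES" ENABLE;

-- 4. Review who dropped or created users, newest first
--    (assumes the audit trail target is the database table).
SELECT TIMESTAMP, USER_NAME, EVENT_ACTION, STATEMENT_STRING
  FROM SYS.AUDIT_LOG
 WHERE AUDIT_POLICY_NAME = 'EXAMPLE_DBMS_USER_CHANGES'
 ORDER BY TIMESTAMP DESC;
```

An empty result from query 1 for a user that still has a DBMS mapping in SU01 is the inconsistency that RSUSR_DBMS_USERS_CHECK reports.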

This shows that security is unified between BW and HANA. The same security/data restrictions can also be replicated to Design Studio, Lumira and HANA Live for BW-generated information models.

6 Comments

  1. Matthieu LEFEUVRE

    Hello Suresh,

    Thanks for the info.

    Do you know if there is a link between this and the RSECADMIN and the automatic replication of BW objects as views?

    Thanks,

    Matthieu

    1. Suresh Koduru Post author

      Hi Matthieu,

      RSECADMIN is used for security restrictions applied in BW and this scenario is closely related to RSECADMIN because whatever security restriction we apply here will be automatically applied in the backend HANA DB based on the user to which we assign the roles.

      Automatic replication of BW objects as views is not related to this.

      Regards,

      Suresh.

  2. Ramakrishnan Ramanathaiah

    Thank you Suresh. It is a good document. This will apply to new users. What will happen to the existing users? Say I do have 500 users which are already there in the BW system, then I will move to BW on HANA. Do these 500 users automatically move to the HANA database? In our case they were not moved. Now how can we move these 500 users to the HANA database along with all the relevant security without redoing all the security work, so that these security models can be accessed via HANA models/studio and can be consumed by the reporting tools by passing the BW App level Security? Is there any program with which we can move existing users along with the security to the HANA database?

    Regards

    Ram

    1. Nitesh Gupta

      Hi Ramakrishnan,

      You can use reports/programs RSUSR_DBMS_USERS to create DBMS mapping of multiple users at a go. This works for users already existing in BW. Even if a user is already existing in HANA, it will map him to corresponding BW user.

      Limitation with above program is: if a user has been mapped to HANA user, but later HANA user is deleted, you will not know it via this program. So you can use program RSUSR_DBMS_USERS_CHECK to find such inconsistent users (as Suresh mentioned in above document) and create them via this program.

      You can use BW tcode RS2HANA_CHECK to transfer BW analysis authorizations to HANA authorizations. You can find more details on tcode on SCN.

      Regards,

      Nitesh

  3. Srinivas V

    Excellent document Suresh..

    I have a question.. Since a user in HANA can be created as a Database user or Restricted user. Is it possible to create user in BW for which a corresponding Restricted user is created in HANA?

    Thanks in advance …
