By Matthias Buehl

DBMS Users in SAP NetWeaver AS ABAP 7.40

With SAP NetWeaver Application Server ABAP 7.40 it is possible to synchronize ABAP users to a DBMS system, in particular to SAP HANA. This blog describes the configuration steps that are necessary to set up the functionality and the different features.

Use Cases

  • SAP NetWeaver Business Warehouse (SAP NetWeaver BW) needs a 1:1 user mapping to map analytic privileges of the database to the virtual analysis authorizations of SAP NetWeaver BW.
  • Your users run applications that access the database directly. You must assign privileges to the user in the database.
  • As an ABAP developer, to create SAP HANA objects, you must have a SAP HANA user.
  • Use the DBMS user management function of SAP NetWeaver AS when you have the users of a single, standalone SAP NetWeaver AS ABAP to synchronize with the users of the DBMS.


Limitations

1. In more complex use cases, use SAP Identity Management (SAP ID Management). Such use cases include the following:

  • You need to distribute user data across a variety of systems in a landscape.
  • You want to synchronize the users of multiple clients of SAP NetWeaver AS ABAP with the underlying DBMS.


2. Currently the possibility to synchronize users to a DBMS system is implemented only for SAP HANA as database system. It is however possible to connect any other database system that is supported by SAP NetWeaver AS ABAP by a customer implementation of the interface IF_DBMS_USER. The implementation for SAP HANA is done in class CL_DBMS_USER_HDB.

Configuration Steps

1. Create the Database User for the Database Connection

SAP NetWeaver Application Server (SAP NetWeaver AS) uses a database user to perform user management operations on database users. The database user requires the following attributes.

  • The database user must log on with user name and password.

  • The database user has a productive password.

  • You have assigned the database user the privileges listed below.

Necessary authorizations for SAP HANA user administrators:

  • USER ADMIN (system privilege): Enables you to maintain users in the DBMS.
  • ROLE ADMIN (system privilege): Enables you to grant and revoke roles. Note: This privilege also grants a user in SAP HANA the authorizations to create and delete roles.
  • CATALOG READ (system privilege): Enables you to display role assignments granted by users other than the user created for the database connection, for example the system user _SYS_REPO.
  • EXECUTE on the procedure GRANT_ACTIVATED_ROLE (SQL privilege): Enables you to grant roles created in the SAP HANA repository to DBMS users.
  • EXECUTE on the procedure REVOKE_ACTIVATED_ROLE (SQL privilege): Enables you to revoke roles created in the SAP HANA repository from DBMS users.


You can also use several personalized DBMS user administrators instead of one fixed technical user that is configured in the database connection. In this case you need to create DBMS user administrators having the same user name as the ABAP user administrators. In the following step (Add a Database Connection) you can select between these two options.
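The technical connection user with exactly the privileges listed above, as an added SAP HANA SQL example that is not part of the original post; the user name ABAP_DBMS_ADMIN and the password are placeholders, and the two SELECTs read the standard SYS views to verify the result.

```sql
-- Added example (not from the original post): technical user for the DBCON
-- connection, with exactly the privileges listed above and nothing more.
-- ABAP_DBMS_ADMIN and the password are placeholders; replace both.

-- The password must be "productive", i.e. not an initial password that
-- HANA would force the connection to change at first logon.
CREATE USER ABAP_DBMS_ADMIN PASSWORD "ReplaceMe1$"
  NO FORCE_FIRST_PASSWORD_CHANGE;

-- A user that exists only for the DBCON connection should not expire
-- silently; otherwise the DBMS tab in SU01 stops working at some point.
ALTER USER ABAP_DBMS_ADMIN DISABLE PASSWORD LIFETIME;

-- System privileges from the list above.
GRANT USER ADMIN   TO ABAP_DBMS_ADMIN;
GRANT ROLE ADMIN   TO ABAP_DBMS_ADMIN;
GRANT CATALOG READ TO ABAP_DBMS_ADMIN;

-- SQL privileges: the repository role procedures live in schema _SYS_REPO.
GRANT EXECUTE ON _SYS_REPO.GRANT_ACTIVATED_ROLE  TO ABAP_DBMS_ADMIN;
GRANT EXECUTE ON _SYS_REPO.REVOKE_ACTIVATED_ROLE TO ABAP_DBMS_ADMIN;

-- Verification: the result should list exactly the five grants above.
-- Anything beyond that (for example DATA ADMIN or a wide schema privilege)
-- widens what can be handed out through SU01 and should be revoked.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'ABAP_DBMS_ADMIN'
 ORDER BY OBJECT_TYPE, PRIVILEGE;

-- Confirm the password is productive (no password change pending) and the
-- user is not deactivated before entering it in transaction DBCO.
SELECT USER_NAME, PASSWORD_CHANGE_NEEDED,
       IS_PASSWORD_LIFETIME_CHECK_ENABLED, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USER_NAME = 'ABAP_DBMS_ADMIN';
```

When the personalized administrator option from the next step is used, every ABAP user administrator needs the same five grants under his own HANA user name.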


2. Add a Database Connection

In transaction DBCO, add a database connection in table DBCON (Change View "Description of Database Connections": Overview) for the database user, with database type HDB:

[Screenshot: DBCO1.png]

Steps in Detail:

  1. Start transaction DBCO.
  2. Choose New Entries.
  3. Enter a name for the database connection.
  4. Enter "HDB" for the database type.
  5. Enter the name of the DBMS user for the connection.
  6. Enter the password for this user. Note: The password must be productive.
  7. Enter the connection information: <hostname>:<port>.
  8. Save your entries.


Optional: Using a Personalized User Administrator in SAP HANA

If you do not want to use one technical user administrator in SAP HANA, you can also define in the database connection that the current ABAP user administrator is authenticated in SAP HANA. The precondition is that the user administrator exists in SAP HANA with exactly the same user name as in the ABAP system and with the authorizations mentioned above. You can then set up the database connection as described in SAP Note 2005856.

The current ABAP user is then forwarded to SAP HANA in an assertion ticket.


Alternative Steps in Detail (When Using the Personalized User):

  1. Start transaction DBCO.
  2. Choose New Entries.
  3. Enter a name for the database connection.
  4. Enter "HDB" for the database type.
  5. Enter <space> as the name of the DBMS user for the connection.
  6. Enter any password (it is not used).
  7. Enter the connection information: @SSO;HOST=<hostname:port>;DBNAME=<name of DB>
  8. Save your entries.

In both cases we recommend you protect the connection with Secure Sockets Layer (SSL).

For more information, see the SAP HANA Security Guide and SAP Note 1718944.


3. Enter Database Connection in Table USR_DBMS_SYSTEM

Enter the name of the database connection and the client in the USR_DBMS_SYSTEM view with Maintain Table View (transaction SM30).

[Screenshot: DBCO2.png]

Steps in Detail:

  1. Start transaction SM30.
  2. Enter the USR_DBMS_SYSTEM table and choose Maintain.
  3. Choose New Entries.
  4. Enter the name of the connection and the ABAP client.
  5. Save your entries.


Important:

Only customize one ABAP client. The same user ID on different ABAP clients can represent different users with different authorizations. It is not good practice to map users from different clients to the same DBMS user. If you need to support multiple ABAP clients, use SAP Identity Management (SAP ID Management). SAP ID Management has the tools to ensure that users in multiple clients represent a single person or identity.




Administration of Users

You can use transaction SU01 for single user maintenance or the ABAP report RSUSR_DBMS_USERS for mass synchronization between ABAP and SAP HANA users.

Maintaining Users in ABAP Transaction SU01

In transaction SU01 a new tab named “DBMS” will appear if all configuration steps have been done correctly:

[Screenshot: SU01.png]

Creation of Users

Steps in Detail:

  1. Start transaction SU01.
  2. Enter the user name and create the new user.
    SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP enters the given ABAP user ID for the DBMS user ID by default. Not all DBMS systems support the same user IDs as SAP NetWeaver AS ABAP. Other DBMS systems may have other restrictions. You can change the SAP HANA user name if needed. If the user name is left empty, no SAP HANA user will be created. If you desire other default values or blank user names for certain users, you can implement the BAdI BADI_DBMS_USERNAME_MAPPING. See also SAP Note 1927767.
  3. Enter data as required, such as Last Name or Initial Password.
  4. You must also enter an initial password for the DBMS user.
    Note: SAP NetWeaver AS ABAP and the DBMS have independent security policies. We recommend that you make these security policies as similar as possible. For example: You can create all possible security policies in SAP NetWeaver AS ABAP to match any security policy in SAP HANA. You cannot create all possible security policies in SAP HANA to match any security policy in SAP NetWeaver AS.
    For more information, see chapter 7.1 Password Policy in the SAP HANA Security Guide (http://help.sap.com/hana/hana_sec_en.pdf).
  5. Save your entries.

Note: There is NO synchronization of productive passwords. As soon as a user changes the password on one side, the two passwords are out of sync.

Editing Users

Changes to the ABAP user do not affect the DBMS user, with the following exceptions:

  • Administrative lock: Locking or unlocking the ABAP user locks or unlocks the DBMS user.
  • Initial password: As the administrator, you set the initial passwords independently. Users change their own passwords in the separate password change facilities of the different systems.
  • You cannot change the DBMS user mapped to the ABAP user directly. You must delete the DBMS user assignment and save before you can assign an existing DBMS user.
  • Assignment of DBMS authorizations
    For SAP HANA, you can only add or remove system privileges for privileges that were assigned by the user configured for the database connection. If you try to remove system privileges assigned by a different user, there is no error message. Although the privilege appears to be removed, the next time you view the user in User Management (transaction SU01), the privilege is still assigned. The exception is repository roles, which are always assigned by the user _SYS_REPO. If you have the required privileges, you can remove repository roles.
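Auditing what has been provisioned through the ABAP connection user, as an added SAP HANA SQL example that is not part of the original post. It uses the GRANTOR column of the SYS views: grants made from SU01 carry the connection user (placeholder ABAP_DBMS_ADMIN) as grantor, repository roles carry _SYS_REPO, so the assignments the DBMS tab can and cannot remove, as described above, can be told apart; SOME_ABAP_USER is a placeholder.

```sql
-- Added example (not from the original post). ABAP_DBMS_ADMIN is a placeholder
-- for the user configured in the DBCON connection, SOME_ABAP_USER for a
-- mapped user; replace both with your own names.

-- 1. Roles assigned via SU01 / RSUSR_DBMS_USERS: catalog roles carry the
--    connection user as grantor, repository roles were granted through
--    _SYS_REPO.GRANT_ACTIVATED_ROLE and therefore show _SYS_REPO.
SELECT GRANTEE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTOR IN ('ABAP_DBMS_ADMIN', '_SYS_REPO')
   AND GRANTEE_TYPE = 'USER'
 ORDER BY GRANTEE, ROLE_NAME;

-- 2. Privileges handed out by the connection user. Because that user holds
--    USER ADMIN and ROLE ADMIN, an SU01 administrator can assign any role the
--    connection user is allowed to grant; this list is what to review
--    regularly, and a broad system privilege appearing here is a finding.
SELECT GRANTEE, PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTOR = 'ABAP_DBMS_ADMIN'
 ORDER BY GRANTEE, PRIVILEGE;

-- 3. Assignments to one user that did NOT come through the connection user
--    (and are not repository roles). These are the ones that look removable
--    in the DBMS tab but are back on the next display, as described above;
--    they have to be revoked by the HANA user that originally granted them.
SELECT 'ROLE' AS ITEM_KIND, ROLE_NAME AS ITEM_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'SOME_ABAP_USER'
   AND GRANTOR NOT IN ('ABAP_DBMS_ADMIN', '_SYS_REPO')
UNION ALL
SELECT 'PRIVILEGE', PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'SOME_ABAP_USER'
   AND GRANTOR <> 'ABAP_DBMS_ADMIN'
 ORDER BY ITEM_KIND, ITEM_NAME;
```

Running query 2 also shows what an SU01 administrator could hand out in practice, which is the concern raised in the comments below and the reason to keep the connection user's own grants minimal.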

Deleting Users

When deleting an ABAP user, you are prompted to confirm the deletion of a corresponding SAP HANA user if it exists. Choosing Yes deletes the users in both systems.

Using the Report RSUSR_DBMS_USERS

The report RSUSR_DBMS_USERS allows mass synchronization between ABAP and DBMS users. There are several user selection possibilities to select exactly the ABAP users that shall be synchronized to the DBMS system. The report documentation in the system is quite exhaustive; it is recommended to have a look at it.

Please also see SAP Note 1927767 and SAP Note 2068639.

Selection criteria for the report:

  • User
  • User type
  • User group
  • Users having a certain ABAP role assigned
  • Users without corresponding SAP HANA users

[Screenshot: DBMS_Users_mass_processing.jpg]

It is recommended to first start the report in selection mode to check whether the right ABAP users are selected. Then several updates can be run on the DBMS users.

Available functions:

  • Remove mappings to DBMS users
  • Create and map DBMS users. As in SU01 the BAdI BADI_DBMS_USERNAME_MAPPING can be used to configure the name of the DBMS user that is created.
  • Assign DBMS roles
  • Remove DBMS roles
  • Update user attributes (such as e-mail and SNC mapping)

Using the Check Report RSUSR_DBMS_USERS_CHECK

When you synchronize database management system (DBMS) user management with SAP NetWeaver Application Server (SAP NetWeaver AS) user management, you must periodically check that the users SAP NetWeaver AS expects are still available.
Inconsistencies can arise, for example, when a database administrator deletes a DBMS user without the SAP NetWeaver AS administrator knowing about it.

[Screenshot: Checkreport.png]


Steps in Detail:

  1. Start report RSUSR_DBMS_USERS_CHECK with ABAP: Program Execution (transaction SA38).
  2. Choose Select inconsistent users.
  3. Enter a range of users.
    Note: To reduce the runtime of the report for systems with large numbers of users, you can specify individual user names or ranges to search for inconsistent data.
  4. Choose Execute.
  5. SAP NetWeaver AS ABAP returns the list of users that are inconsistent, if any. These users are SAP NetWeaver AS ABAP users for which a mapping is saved, but the user saved in the mapping does not exist in the DBMS.
  6. Decide how to handle any inconsistent users.
  7. Choose Back (F3).
  8. Enter users or ranges of users and select the appropriate action.
    Create the DBMS user: SAP NetWeaver AS ABAP creates a matching DBMS user. The user has an initial password. You must inform the owner of the users about the new DBMS user and the initial password.
    Remove the mapping: SAP NetWeaver AS ABAP deletes the mapping to the missing DBMS user. Any scenarios dependent on that user in both systems no longer work.
  9. Choose Execute.

Comments (51)
      Nitesh Gupta

      Hi Matthias,

      Thanks for sharing this information. We have a similar requirement and planning to go with this. So wanted to clarify. We are using BW 7.40 SP7. So all I need is to create database connection for HANA and maintain the connection details in table USR_DBMS_SYSTEM. Of course need to have a database user with enough rights for user administration.

      So then in SU01, I would get the additional tab for DBMS.

      Also we need to assign a role (with couple of privileges in it) to all users in HANA. Can we assign that role to users through SU01 in BW?

      What about authentication property? How do we maintain it (Kerberos/SAML or Password)?

      Thanks.

      Nitesh Gupta

      Matthias Buehl
      Blog Post Author

      Hi Nitesh,

      your assumptions are correct. You can assign HANA roles in SU01 and with the Report.

      With NW 7.40 SP7 You cannot configure Kerberos or SAML Logon for HANA from within the ABAP stack. So you will have to do this in HANA.

      With 7.40 SP10 it will be possible to create a Kerberos Mapping in HANA based on the Users SNC Mapping in ABAP. See SAP Note 2075699 and SAP Note 2073847.

      With NW 7.40 SP7 you can only set a password. If no password is set the logon with SAP Logon tickets in HANA  is automatically activated for the created users. (But works only with identical ABAP and HANA user names)

      Best regards

      Matthias

      Nitesh Gupta

      Hi Matthias,

      Thanks for the information.

      Regards,

      Nitesh

      Nitesh Gupta

      Hi Matthias,

      Till now we had BW 7.4 SP7 and everything was working fine. Recently we upgraded to SP8. The DBMS user mapping to BW user is still working properly. But we faced a strange issue.

      We use RS2HANA_CHECK tcode to generate HANA authorization from BW. In SP7, it was working fine, irrespective of DBMS user mapping. In SP8, we observed that if we have not done DBMS user mapping for a user, HANA authorizations can't be generated for him. In RS2HANA_CHECK, we get message that "user XYZ has no database user".

      Only once I map this user in SU01 to HANA user XYZ, HANA authorizations are being generated.

      Although I am Ok with creating mapping for all required users. But just curious if this is something different in SP8 or are we missing anything.

      Thanks

      Jascha Meiswinkel

      Hello Nitesh,

      first off and within the SAP HANA Model Generation context there are two options how you can "map" a BW user to a specific DBMS user. You can maintain the option to be used in transaction RS2HANA_VIEW. There you will find a parameter called "SAP HANA User Mapping" where you can choose between explicit mapping as maintained in transaction SU01 (tab "DBMS", value D) or a mixture where first the mapping in transaction SU01 is checked and if nothing is maintained then a lookup is started for a same named DBMS user in SAP HANA.

      A possible root cause in your case may be that you have selected option D (explicit mapping) in transaction RS2HANA_VIEW and as you have not mapped any BW user to any DBMS user the authorization replication terminates. Options to solve this would be to either switch the setting in transaction RS2HANA_VIEW or adjust the user mapping in transaction SU01 accordingly.

      For more information please refer to the official documentation: Authorizations for Generating SAP HANA Views - Using the SAP HANA Database - SAP Library

      Or the official first Guidance document: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/101d6e00-2685-3110-8db4-da77db6194f0?QuickLink=index&…

      Best regards,

      Jascha

      Nitesh Gupta

      Hi Jascha,

      Thanks. This was really helpful. I noticed that in SP7 we didn't have this option in RS2HANA_VIEW tcode, but in SP8 this option is available. I changed the value to "C" and my issue was resolved.

      Thanks

      Nitesh

      Nitesh Gupta

      Hi Matthias,

      Our BW system got upgraded to SP11 recently. With this SP, I can find option to select authentication type (SAML) in DBMS tab of SU01. But there is no option to maintain SAML identity provider. For Kerberos, I can see it.

      Do you know if there is any way to maintain SAML Identity Provider from BW system, in SP11?

      Thanks

      Nitesh Gupta

      Matthias Buehl
      Blog Post Author

      This can only be done in the HANA Studio. There should be an option to maintain the IDP.

      Also to create the SAML user mapping a HANA job is required. It could be created like this:

      Nitesh Gupta

      Thanks Matthias. We have been maintaining SAML IDP using HANA Studio only. We are using below script (for mass changes):

      ALTER USER <user_name> ADD IDENTITY <SAML Identity> FOR SAML PROVIDER <IDP>

      This works fine. Just wanted to know if this can be maintained from BW system, just like other details.

      Regards,

      Nitesh

      Former Member

      Hello Matthias,

      Will the user u1234567 be created during execution of SU01, or should the user already exist on the HANA DB?

      Regards

      Matthias Buehl
      Blog Post Author

      Hi Ruben,

      the HANA user will be created when saving the SU01 screen. If a user with this name already exists in HANA it will be mapped to the ABAP user.

      best regards

      Matthias

      Former Member

      Hello Matthias,

      I've tried it but the user is not created in the HANA DB. I've created user BWHANA without roles/profiles and I've put an initial password on both sides (logon data and DBMS tabs) and I saved it, but I get the message: Error DBMS: insufficient privilege: Not authorized

      What privileges do I need to assign him?

      Regards

      Michael Shea

      The authorizations are documented on the Help Portal:

      Configuring DBMS User Management for SAP HANA - Identity Management - SAP Library

      -Michael

      This information is at the start of Matthias's blog post.

      Former Member

      I have a question on user deletion in HANA DBMS, from SU01 we can delete HANA user too by mapping with ABAP user ID, but is it possible to check and delete users in HANA using ABAP report RSLDAPSYNC_USER in BW when user ID is not available at LDAP active directory?

      We are looking to terminate HANA users by comparing active directory.

      Best Regards

      Sri

      Former Member

      This is a great article.  However, I have a question.  We are attempting to do all our provisioning (via IDM) to the NW 7.4 ABAP stack and HANA SP7 all through the NW 7.4 ABAP stack.  With that in mind, when I create the user, of course all of the normal data is populated in all the normal SU01 fields.  However, the DBMS tab field that contains the username is blank.  Even though the field is blank, has the user been created in the HANA DB?  I'm thinking not.  The only way (it seems) to get that user created in the HANA DB is to populate that field (in the DBMS tab) and save (which creates the user in the HANA DB and sets the initial password).  Then come back and assign the DB roles or access.

      Is this the best way, in your opinion, to provision users into the HANA DB (via IdM) or do you think it should done directly or differently?

      Update: I do understand there is a BAdi that can be used to set default values for that field, but does it auto-populate that field with the SU01 username or still with a blank? No, it does not auto-populate that field when a user is created from IdM.  But IT DOES if you do a direct SU01 user create.  Odd!   It's called BADI_DBMS_USERNAME_MAPPING.

      Thanks,

      Matthias Buehl
      Blog Post Author

      Hi Andrew,

      we recommend using the HANA IDM adapter that is available in SAP NetWeaver IDM. With this adapter you can create the HANA users directly without using the ABAP Server as some sort of proxy.

      And yes, the BAdI is not called when an ABAP user is updated via IDM.

      Best regards

      Matthias

      Roland Kramer

      Hi Matthias,

      can I reference your Blog in this Document as well? - SAP First Guidance - Migration BW on HANA using the DMO option in SUM

      Best Regards Roland

      Former Member

      Thanks Matthias. I am going to do it the way you suggested. One issue I ran into was that, since we generate passwords, the HANA DB only allows $ and # special characters. It rejects all other special characters in a password. Why it only allows those but all other ABAP systems allow the full gamut was also odd to me. Is there an explanation on that? Ultimately, I'll set up SAML, generate a password (in IdM) that can be used to meet the criteria just to create the user, so it's not a gigantic issue, but still... with S/4 Business Suite coming down the pike seems like this might get a little more attention.

      Nitesh Gupta

      Hi Andrew,

      How are you setting up SAML with this approach? Is it possible to maintain SAML identity of HANA users via BW?

      Regards,

      Nitesh

      Former Member

      Yes, I intend on using SAML.  I'm working through that design now in our DEV environment.

      Nitesh Gupta

      Please share if you can achieve that.

      Thanks

      Nitesh Gupta

      Hi Andrew,

      Could you please share how SAML identity provider is maintained via BW?

      Thanks.

      Former Member

      UPDATE:

      We haven't yet configured SAML due to other priorities. However, we were able to set a password in the HANA DB (via IDM) using all special characters by changing the following in the Provisioning Framework when IdM was creating or updating a user's password:

      FROM

      FUNCTION.sap_core_getPassword(%MX_ENCRYPTED_PASSWORD%)$$

      TO:

      "FUNCTION.sap_core_getPassword(%MX_ENCRYPTED_PASSWORD%)$$"

      Adding the quotes around this function allows the setting of a password with all special characters.

      Former Member

      Hi Matthias:

      Wonderful article, thank you very much for sharing the knowledge. Would you have any pointers on whether/how this could be used alongside an ABAP CUA environment? We have a CUA for DEV/QA and another for PROD.

      The table USR_DBMS_SYSTEM has entries for DBCON and client. Are there any plans to enhance that with a 'system' or 'logical system name' field to cater to CUA scenarios?


      Regards

      Sid

      Tian Song

      Hi Matthias,

      This is a great article, thanks for sharing!

      I have a question from my customer: lately they upgraded their testing system to NW7.4 SP11 and another to SP13. They found that both versions have a "new function" enabled: a "Restricted User" check box appears. They are able to create a user with or without checking this box, and then a HDB user is created accordingly. However, once they have checked or not checked it, the check box is grayed out so that they are not able to modify it anymore. So they would like to understand: 1. Is this check box a new function in SP11+? Is there any SAP document that discusses it? 2. Is there any flexibility to change the user to be a "restricted user" or not by checking/unchecking the box later if they want to modify it in future?

      BTW, they are using HANA SPS11, and no IdM .

      Thanks a lot!!

      [Screenshot: Capture.PNG]

      Matthias Buehl
      Blog Post Author

      Hi,

      HANA does not allow changing the type of a user once he is created. There are two SQL statements to create users: CREATE USER and CREATE RESTRICTED USER.

      Once the user exists the type is fixed.

      Best regards

      Matthias

      Tian Song

      thanks a lot Matthias.

      Jonathan Haun

      FYI. HANA 2.0 Allows you to convert users from either type. You can now grant / revoke the PUBLIC role and other items that were locked down for restricted users.

      Former Member

      Hello,

      How can the DBMS tab be secured, so that a user with access to ABAP user maintenance with transaction SU01 is not able to modify this tab of the user record?

      Nitesh Gupta

      I tried to trace authorizations check for changes in DBMS tab for a user. All I could see is below.

      [Screenshot: Auth Trace.JPG]

      I tried with different activities like assigning/removing HANA roles, enabling SAML authentication, Password; but got same result every time. It seems there is no way to restrict DBMS tab maintenance, unless there is some SAP note to help out.

      Matthias Buehl
      Blog Post Author

      Yes, this is true. We currently do not have an additional authorization check. We already discussed it but it is not implemented and not yet decided.

      Former Member

      Hello Colleagues,

      Thank you for the response.

      We have this solution so far only on sandbox system, but we discovered that due to high authorizations of database connection user it is possible to assign almost any HANA privilege from ABAP, which is a major security threat.

      Some solution for this would be much appreciated

      Matthias Buehl
      Blog Post Author

      As a possible solution you can implement what is described in chapter

      "Optional: Using a Personalized User Administrator in SAP HANA"

      In this case every user administrator can have specific authorizations in the HANA DB

      Fabian Brakowski

      Hi Matthias,

       

      As we had this same issue, I did some modifications in the code and included an authority check for role assignment. Please consider releasing this as a note?

      For everyone wanting to use it: Please be aware it has not been used productively and is still in testing phase for us.

      You need to additionally create the auth object and the messages.

       

      Class CL_IDENTITY

      Method CHECK_DBMS_ROLES_INTERNAL

       

      Starting at line 89 (where the developer already added a comment regarding auth check):

      " Insert: check the custom authorization object before the DBMS role is granted
      IF lr_dbms_role->change_mode EQ if_identity=>co_insert.

        AUTHORITY-CHECK OBJECT 'Z_DBMS_ROL'
          ID 'Z_DBMS_ROL' FIELD lr_dbms_role->dbms_role
          ID 'ACTVT'      FIELD '78'.          " Insert
        IF sy-subrc <> 0.
          ls_msg-msgty = 'E'.
          ls_msg-msgid = 'SUSR_DBMS'.
          ls_msg-msgno = '024'.
          ls_msg-msgv1 = lr_dbms_role->dbms_role.
        ENDIF.

      " Delete: same check with the delete activity before the role is revoked
      ELSEIF lr_dbms_role->change_mode EQ if_identity=>co_delete.

        AUTHORITY-CHECK OBJECT 'Z_DBMS_ROL'
          ID 'Z_DBMS_ROL' FIELD lr_dbms_role->dbms_role
          ID 'ACTVT'      FIELD '75'.          " Delete
        IF sy-subrc <> 0.
          ls_msg-msgty = 'E'.
          ls_msg-msgid = 'SUSR_DBMS'.
          ls_msg-msgno = '025'.
          ls_msg-msgv1 = lr_dbms_role->dbms_role.
        ENDIF.

      ENDIF.

      " A failed check: report the message on the DBMS role node and mark the change as failed
      IF ls_msg IS NOT INITIAL.
        CALL METHOD io_msg_buffer->add_object_message_symsg
          EXPORTING
            iv_bname      = iv_bname
            iv_nodename   = if_identity_definition=>gc_node_dbms_role
            iv_field      = if_identity_definition=>gc_field_dbms_user_role
            iv_lifetime   = if_suid_msg_buffer=>co_lifetime_once
            is_msg        = ls_msg
            iv_key        = gv_macro_key
            iv_key_handle = lr_dbms_role->key_handle.
        lr_dbms_role->change_mode = if_identity=>co_failed_create.
      ENDIF.

      Former Member

      Hello Matthias,

      I need some help in setting up the BW security (roles/user) definition in native HANA.

      Your blog was certainly helpful. However, I have a few doubts that need clarity.

      Can I please have your email id so that I can connect with you?

      Or can you please mail me on below: doley.keith@gmail.com

      Thanks in advance

      Regards

      Keith

      Martin Kittel

      Hi Keith,

      what kind of application are you running on your native HANA? As a general guideline you can have a look at this blog post How to Define Standard Roles for SAP HANA Systems.

      Best wishes,

      Martin.

      Former Member
      SAP_BW 740 0013 SAPKW74013 SAP Business Warehouse

      All roles are defined in BW and we need to enable data reporting in native HANA via calculation views (generated from BW).

      Have certain doubts and need clarity on those. Contact email would be good.

      Many documents are available online but they don't cover all the steps in clear process.

      Jascha Meiswinkel

      Hi Keith,

      the officially available First Guidance documents (1) or the information you can find on SAP Help (2) should in general cover the topic and describe everything so you can set up your system correctly. However you may also have a look at the notes available on component BW-WHM-MTD-HMOD which may address any issue you are facing.

      Thanks,

      Jascha

      (1) http://help.sap.com/saphelp_nw74/helpdata/en/a0/f2b32ffcaa40deb60ba4515bbb559e/content.htm

      (2) http://sapassets.edgesuite.net/sapcom/docs/2014/03/a877be1c-517c-0010-82c7-eda71af511fa.pdf

      Robert Hofmann

      Hi Matthias,

      thanks for sharing the information. I see there only some security problems, for example with outsourcers. Usually an outsourcer has nothing to do with user management in a productive client. But if you can assign every database role, and so every privilege, it is very dangerous. In SAP there is also a description named

      "How To...Define Standard for Administrators and Developers in SAP HANA Database"

      Here it is exactly described how we can make two separate admin domains.

      These two concepts don't fit together. Is it possible, for example, to change the Grant command in the program to call a database procedure like described in the guide?

      Thanks

      Robert

      Former Member

      Hi,

      Is it possible with the mass user replication in HANA DB to maintain the same application password?

      Thanks.

      Andrea

      Steven Lee

      Hi,

      Wondering if there is any way to report on user assignment of DBMS roles in a similar way to the regular ECC roles in SUIM?

      Regards

      Steven

      Neerav Pathak

      Hi,

       

      After setting up the configuration, when I create a user in DBMS, it takes the same user in the DBMS tab and the user gets created in HANA.

      Can I restrict a new user to not have a HANA id created by default? Which means the DBMS tab should remain blank initially and, if required, a security administrator can fill in the user id in the DBMS tab. Thanks.

       

      Regards

      Neerav

      Kathleen Tang

      Help, we are getting this error message. We only have two options (default, client 100); how can we fix this issue?

       

      Sagar Bhosale

Hello,

Do we know if there is any way to maintain the SAML Identity Provider from the BW system, or does it still have to be done via HANA Studio/Cockpit?

Can we write any stored procedure in the HANA database that can get it done?

      Christophe Posson

      Hello Matthias,

Very interesting blog. I have however a scenario in my company that I hope you can share some tips about. Our brand new BW4HANA system is intended to be used in hybrid reporting scenarios for every user. So this means that every user that has a BW user should automatically receive a HANA user with the same data access. Therefore we are thinking of a way to make this a fully automated procedure for any new user that gets created, as we eventually hope to bring the entire company (+20000 users) onto the platform.

I think you understand that maintaining HANA users and passwords separately for all these users is simply not an option 🙂

To make it a bit more "complex", we use CUA out of our Solman system. So the process which we would like to have in place is:

1. support creates a BW4HANA user in Solman with the needed roles assigned and an initial BW password
2. CUA replicates the BW user to the BW system and assigns the roles
3. We could trigger a job calling program RSUSR_DBMS_USERS to automatically create the linked HANA user
4. We trigger RS2HANA_GEN to also generate the needed privileges
5. Now comes the tricky part: as we want to avoid that every user has to set up their HANA password separately, we would like that when a user logs on via Analysis for Office for the first time and sets his definite password, this also automatically updates the HANA password

Is this something that is possible to set up? If so, could you guide us in the right direction please?

      Many kind regards,

      Christophe Posson

      Wolfgang Janzen

BW4HANA (ABAP) and HANA (DB) use different user management systems, and different authorization concepts (as you've already described).

The capabilities regarding password authentication (password rules, etc.) are also different, and decoupled: when a user changes the ABAP password this has no impact on the DB password, and vice versa.

To achieve a Single Sign-On experience you might consider using an authentication mechanism which is supported by both ABAP and HANA DB. For example: SPNego, aka Kerberos-based authentication.

But as mentioned before:
ABAP and HANA DB are separate entities; you'd have to set up the SPNego trust configuration (keytab, mappings) for both individually. But of course you can set it up in a way that both ABAP and HANA DB trust the same Kerberos token issuer, e.g. a MS Active Directory (Domain Controller, KDC).

Kind regards,
Wolfgang Janzen

      Christophe Posson

Hi Wolfgang,

very kind of you to respond. We are aware of the different password policies, but we would then align both BW and HANA with regard to that.

We are also using Kerberos authentication, which works perfectly fine for the company users who have an AD account. However, we have a lot of external employees as well, and for them this does not work.

In fact the only thing we want is a kind of script or program that updates the user's password in the BW SU01 DBMS tab whenever the user resets his BW app server password.

Is that really not possible?

Kind regards,

Christophe

      Wolfgang Janzen

"In fact the only thing we want is a kind of script or program that updates the user's password in the BW SU01 DBMS tab whenever the user resets his BW app server password."

Sorry, but that's not possible.
There is no password synchronization, neither between different ABAP systems nor between ABAP and HANA DB.

Actually, users are not supposed to use the same password for accessing different systems.

Best regards, Wolfgang

      Christophe Posson

Hi Wolfgang,

I understand that point. But then the problem shifts to somewhere else 🙂 Suppose we set the user's initial password in the DBMS tab as the initial HANA password.

Most of our HANA users will access the HANA layer via tools like PowerBI etc. There is no way for them to change the initial password through these non-SAP front ends. In fact the only tool, as far as I know, that allows that is HANA Studio, and we do not want to roll that out for 20000 users 🙂

So any other thoughts on this are more than welcome.

Kind regards,

Christophe

      Wolfgang Janzen

      Kindly see what my colleague, Martin Kittel, has replied (on December 21st, 2021).

      Martin Kittel

      Hi,

looking at the password change and coming from the HANA side, maybe it is an option to provide a thin web service that just allows a user to log into the HANA database. On successful login the user would be asked to change his/her password, which is then updated.

      In general, for scenarios such as the one you describe, SAP strongly recommends using an identity management system to manage user and credentials across different systems.

      Best wishes,

      Martin.
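The thin service Martin describes, a login with the current HANA password followed by a password change on that same connection, can be sketched as follows. This is an added example written for this page; it is not SAP code and not part of the original post or comments. It assumes SAP's hdbcli Python driver is installed and can reach the HANA SQL port, and it assumes the double-quoted form of the ALTER USER ... PASSWORD statement; the HTTP front end is left out. The security point worth seeing is that ALTER USER is DDL and takes no bind variables, so the user name and the new password end up inside the SQL text and have to be whitelisted or quoted by hand, and that the login with the old password on the user's own connection is what proves possession before anything is changed.

```python
"""Self-service HANA password change behind a thin web service.

Added example for this page, not SAP code. Assumed (not stated on the page):
the hdbcli driver is installed and the HANA SQL port is reachable, and
ALTER USER ... PASSWORD takes the password as a double-quoted token.
The HTTP layer is omitted; this is the logic behind one request.
"""
from __future__ import annotations

import re

# HANA does not accept bind variables in DDL, so ALTER USER has to be built as
# text. Everything that reaches the statement is therefore either whitelisted
# (user name) or quoted with inner quotes doubled (password).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,255}$")


def quote_identifier(name: str) -> str:
    """Return name as a quoted HANA identifier (case preserved), refusing
    anything that is not a plain identifier: no quotes, semicolons, comments."""
    if not IDENT_RE.match(name):
        raise ValueError("unexpected characters in user name")
    return '"' + name + '"'


def quote_password(pw: str) -> str:
    """Return pw as a double-quoted token; an embedded " is doubled so it
    cannot terminate the token early. Control characters are refused."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in pw):
        raise ValueError("control characters are not allowed in a password")
    return '"' + pw.replace('"', '""') + '"'


def check_policy(pw: str, min_len: int = 12) -> list[str]:
    """Local pre-check so the user gets a readable message. This mirrors,
    but does not replace, the password policy HANA enforces itself."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"at least {min_len} characters required")
    if not re.search(r"[A-Z]", pw):
        problems.append("an upper-case letter is required")
    if not re.search(r"[a-z]", pw):
        problems.append("a lower-case letter is required")
    if not re.search(r"[0-9]", pw):
        problems.append("a digit is required")
    return problems


def build_alter_user_sql(user: str, new_pw: str) -> str:
    """Statement the service runs on the user's own connection."""
    return f"ALTER USER {quote_identifier(user)} PASSWORD {quote_password(new_pw)}"


def change_password(host: str, port: int, user: str, old_pw: str, new_pw: str) -> tuple[bool, str]:
    """Prove possession of the old password by logging in as the user, then
    change it. Returns (ok, message) without leaking driver internals."""
    from hdbcli import dbapi  # imported here so the helpers above run without the driver

    problems = check_policy(new_pw)
    if problems:
        return False, "; ".join(problems)
    try:
        stmt = build_alter_user_sql(user, new_pw)
    except ValueError as exc:
        return False, str(exc)
    try:
        # A user whose password is still the initial one may be rejected here
        # with HANA's "user is forced to change password" error; handling that
        # depends on the driver version and is not covered by this example.
        conn = dbapi.connect(address=host, port=port, user=user, password=old_pw)
    except dbapi.Error:
        return False, "login failed"
    try:
        cur = conn.cursor()
        cur.execute(stmt)
        cur.close()
        return True, "password changed"
    except dbapi.Error:
        return False, "database rejected the new password"
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample input; shows the quoting without touching a database.
    print(build_alter_user_sql("BWUSER", 'Corr3ct"Horse!Battery'))
```

Because the service connects as the user and not as a privileged technical account, a compromise of the service gives an attacker no more than the passwords users type into it, and the ABAP side (the DBMS tab in SU01) still knows nothing about the new password; the two remain decoupled exactly as Wolfgang describes.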