
With SAP NetWeaver Application Server ABAP 7.40 it is possible to synchronize ABAP users to a DBMS system, in particular to SAP HANA. This blog describes the configuration steps that are necessary to set up the functionality, and the different features it offers.

Use Cases

  • SAP NetWeaver Business Warehouse (SAP NetWeaver BW) needs a 1:1 user mapping to map the analytic privileges of the database to the virtual analysis authorizations of SAP NetWeaver BW.
  • Your users run applications that access the database directly. You must assign privileges to the user in the database.
  • As an ABAP developer, you must have an SAP HANA user to create SAP HANA objects.
  • Use the DBMS user management function of SAP NetWeaver AS when you have the users of a single, standalone SAP NetWeaver AS ABAP to synchronize with the users of the DBMS.


Limitations

1. In more complex use cases, use SAP Identity Management (SAP ID Management). Such use cases include the following:

  • You need to distribute user data across a variety of systems in a landscape.
  • You want to synchronize the users of multiple clients of SAP NetWeaver AS ABAP with the underlying DBMS.


2. Currently the possibility to synchronize users to a DBMS system is implemented only for SAP HANA as the database system. It is however possible to connect any other database system that is supported by SAP NetWeaver AS ABAP through a customer implementation of the interface IF_DBMS_USER. The implementation for SAP HANA is done in class CL_DBMS_USER_HDB.

Configuration Steps

1. Create the Database User for the Database Connection

SAP NetWeaver Application Server (SAP NetWeaver AS) uses a database user to perform user management operations on database users. The database user requires the following attributes.

  • The database user must log on with user name and password.

  • The database user has a productive password.

  • You have assigned the database user the following privileges:


Necessary authorizations for SAP HANA user administrators:

  • USER ADMIN (system privilege): Enables you to maintain users in the DBMS.
  • ROLE ADMIN (system privilege): Enables you to grant and revoke roles.
    Note: This privilege also grants a user in SAP HANA the authorizations to create and delete roles.
  • CATALOG READ (system privilege): Enables you to display role assignments granted by users other than the user created for the database connection, for example the system user _SYS_REPO.
  • EXECUTE on the procedure GRANT_ACTIVATED_ROLE (SQL privilege): Enables you to grant roles created in the SAP HANA repository to DBMS users.
  • EXECUTE on the procedure REVOKE_ACTIVATED_ROLE (SQL privilege): Enables you to revoke roles created in the SAP HANA repository from DBMS users.


You can also use several personalized DBMS user administrators instead of one fixed technical user that is configured in the database connection. In this case you need to create DBMS user administrators with the same user names as the ABAP user administrators. In the following step (Add a Database Connection) you can choose between these two options.
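
As an added example (not part of the original post), this is the SAP HANA SQL a database administrator would run to create the technical connection user with exactly the privileges listed above and then verify the result; the user name ABAP_DBMS_ADMIN and the password are placeholders.

```sql
-- Added example: create the technical user for the DBCON database connection.
-- ABAP_DBMS_ADMIN and the password are placeholders (assumptions, not from the post).
-- NO FORCE_FIRST_PASSWORD_CHANGE makes the password productive immediately;
-- the ABAP database connection cannot log on with a password that still
-- has to be changed on first logon.
CREATE USER ABAP_DBMS_ADMIN PASSWORD "Placeholder_Pw_1" NO FORCE_FIRST_PASSWORD_CHANGE;

-- System privileges from the list above. USER ADMIN and ROLE ADMIN are powerful:
-- grant nothing beyond this list to the connection user, and consider the
-- personalized administrator option (next section) if administrators
-- should carry individual, narrower rights in SAP HANA.
GRANT USER ADMIN   TO ABAP_DBMS_ADMIN;
GRANT ROLE ADMIN   TO ABAP_DBMS_ADMIN;
GRANT CATALOG READ TO ABAP_DBMS_ADMIN;

-- SQL privileges: the repository procedures (owned by _SYS_REPO) that
-- grant and revoke repository roles on behalf of the connection user.
GRANT EXECUTE ON _SYS_REPO.GRANT_ACTIVATED_ROLE  TO ABAP_DBMS_ADMIN;
GRANT EXECUTE ON _SYS_REPO.REVOKE_ACTIVATED_ROLE TO ABAP_DBMS_ADMIN;

-- Verification 1: the password must be productive, i.e. no change pending.
SELECT USER_NAME, PASSWORD_CHANGE_NEEDED, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USER_NAME = 'ABAP_DBMS_ADMIN';

-- Verification 2: exactly the five grants above should be listed, nothing more.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'ABAP_DBMS_ADMIN'
 ORDER BY OBJECT_TYPE, PRIVILEGE;
```

Any extra row in the second result is an over-privileged connection user: every ABAP administrator with access to the DBMS tab in SU01 can hand out whatever this user can grant.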


2. Add a Database Connection

In transaction DBCO, add a database connection in table DBCON (Change View "Description of Database Connections": Overview) for the database user, with database type HDB:

[Screenshot: DBCO1.png]

Steps in Detail:

  1. Start transaction DBCO.
  2. Choose New Entries.
  3. Enter a name for the database connection.
  4. Enter "HDB" for the database type.
  5. Enter the name of the DBMS user for the connection.
  6. Enter the password for this user. Note: The password must be productive.
  7. Enter the connection information: <hostname>:<port>.
  8. Save your entries.


Optional: Using a Personalized User Administrator in SAP HANA

If you do not want to use one technical user administrator in SAP HANA, you can also define in the database connection that the current ABAP user administrator is authenticated in SAP HANA. The precondition is that the user administrator exists in SAP HANA with exactly the same user name as in the ABAP system and with the authorizations mentioned above. You can then set up the database connection as described in SAP Note 2005856.

The current ABAP user is then forwarded to SAP HANA in an assertion ticket.


Alternative Steps in Detail (When Using the Personalized User):

  1. Start transaction DBCO.
  2. Choose New Entries.
  3. Enter a name for the database connection.
  4. Enter "HDB" for the database type.
  5. Enter <space> as the name of the DBMS user for the connection.
  6. Enter any password (it will not be used).
  7. Enter the connection information: @SSO;HOST=<hostname:port>;DBNAME=<name of DB>
  8. Save your entries.

In both cases we recommend you protect the connection with Secure Sockets Layer (SSL).

For more information, see the SAP HANA Security Guide and SAP Note 1718944.


3. Enter Database Connection in Table USR_DBMS_SYSTEM

Enter the name of the database connection and the client in the USR_DBMS_SYSTEM view with Maintain Table View (transaction SM30).

[Screenshot: DBCO2.png]

Steps in Detail:

  1. Start transaction SM30.
  2. Enter the USR_DBMS_SYSTEM table and choose Maintain.
  3. Choose New Entries.
  4. Enter the name of the connection and the ABAP client.
  5. Save your entries.


Important:

Only customize one ABAP client. The same user ID on different ABAP clients can represent different users with different authorizations. It is not good practice to map users from different clients to the same DBMS user. If you need to support multiple ABAP clients, use SAP Identity Management (SAP ID Management). SAP ID Management has the tools to ensure that users in multiple clients represent a single person or identity.




Administration of Users

You can use transaction SU01 for single user maintenance or the ABAP report RSUSR_DBMS_USERS for mass synchronization between ABAP and SAP HANA users.

Maintaining Users in ABAP Transaction SU01

In transaction SU01 a new tab named “DBMS” will appear if all configuration steps have been done correctly:

[Screenshot: SU01.png]

Creation of Users

Steps in Detail:

  1. Start transaction SU01.
  2. Enter the user name and create the new user.
    SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP enters the given ABAP user ID as the DBMS user ID by default. Not all DBMS systems support the same user IDs as SAP NetWeaver AS ABAP; other DBMS systems may have other restrictions. You can change the SAP HANA user name if needed. If the user name is left empty, no SAP HANA user is created. If you want other default values or blank user names for certain users, you can implement the BAdI BADI_DBMS_USERNAME_MAPPING. See also SAP Note 1927767.
  3. Enter data as required, such as Last Name or Initial Password.
  4. You must also enter an initial password for the DBMS user.
    Note: SAP NetWeaver AS ABAP and the DBMS have independent security policies. We recommend that you make these security policies as similar as possible. For example: you can create all possible security policies in SAP NetWeaver AS ABAP to match any security policy in SAP HANA, but you cannot create all possible security policies in SAP HANA to match any security policy in SAP NetWeaver AS.
    For more information, see chapter 7.1 Password Policy in the SAP HANA Security Guide (http://help.sap.com/hana/hana_sec_en.pdf).
  5. Save your entries.

Note: There is NO synchronization of productive passwords. As soon as a user changes the password on one side, the two passwords are out of sync.

Editing Users

Changes to the ABAP user do not affect the DBMS user, with the following exceptions:

  • Administrative lock: Locking or unlocking the ABAP user locks or unlocks the DBMS user.
  • Initial password: As the administrator, you set the initial passwords independently. Users change their own passwords in the separate password change facilities of the different systems.
  • You cannot change the DBMS user mapped to the ABAP user directly. You must delete the DBMS user assignment and save before you can assign an existing DBMS user.
  • Assignment of DBMS authorizations
    For SAP HANA, you can only add or remove system privileges that were assigned by the user configured for the database connection. If you try to remove system privileges assigned by a different user, there is no error message: although the privilege appears to be removed, the next time you view the user in User Management (transaction SU01) the privilege is still assigned. The exception is repository roles, which are always assigned by the user _SYS_REPO; if you have the required privileges, you can remove repository roles.

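To see in advance which grants SU01 can and cannot remove for a synchronized user, the following SAP HANA SQL (an added example, not from the original post) lists every privilege and role of the user together with its grantor; ABAP_DBMS_ADMIN (the connection user from DBCON) and BWUSER01 are placeholder names.

```sql
-- Added example: show who granted what to a synchronized DBMS user.
-- ABAP_DBMS_ADMIN (the DBCON connection user) and BWUSER01 are placeholders.
-- A privilege whose GRANTOR is not the connection user cannot be revoked
-- through SU01: the removal appears to succeed, but the grant remains and
-- reappears the next time the user is displayed. Such grants must be revoked
-- in SAP HANA by (or as) the user that granted them.
SELECT 'PRIVILEGE' AS KIND,
       PRIVILEGE   AS NAME,
       GRANTOR,
       CASE WHEN GRANTOR = 'ABAP_DBMS_ADMIN'
            THEN 'removable via SU01'
            ELSE 'granted elsewhere: revoke in SAP HANA' END AS SU01_STATUS
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'BWUSER01'
UNION ALL
-- Roles: repository roles always carry _SYS_REPO as grantor and are the
-- exception; the connection user removes them through REVOKE_ACTIVATED_ROLE,
-- which is why it needs EXECUTE on that procedure.
SELECT 'ROLE',
       ROLE_NAME,
       GRANTOR,
       CASE WHEN GRANTOR IN ('ABAP_DBMS_ADMIN', '_SYS_REPO')
            THEN 'removable via SU01'
            ELSE 'granted elsewhere: revoke in SAP HANA' END
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'BWUSER01'
 ORDER BY KIND, NAME;
```

Running this before a mass "Remove DBMS roles" run with RSUSR_DBMS_USERS tells you which removals will silently have no effect.
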
Deleting Users

When deleting an ABAP user, you are prompted to confirm the deletion of a corresponding SAP HANA user if it exists. Choosing Yes deletes the users in both systems.

Using the Report RSUSR_DBMS_USERS

The report RSUSR_DBMS_USERS allows mass synchronization between ABAP and DBMS users. Several user selection options let you select exactly the ABAP users that are to be synchronized to the DBMS system. The report documentation in the system is quite exhaustive; it is recommended to have a look at it.

Please also see SAP Note 1927767 and SAP Note 2068639.

Selection criteria for the report:

  • User
  • User type
  • User group
  • Users having a certain ABAP role assigned
  • Users without corresponding SAP HANA users

[Screenshot: DBMS_Users_mass_processing.jpg]

It is recommended to first start the report in selection mode to check whether the right ABAP users are selected. Then several updates can be run on the DBMS users.

Available functions:

  • Remove mappings to DBMS users
  • Create and map DBMS users. As in SU01 the BAdI BADI_DBMS_USERNAME_MAPPING can be used to configure the name of the DBMS user that is created.
  • Assign DBMS roles
  • Remove DBMS roles
  • Update user attributes (such as e-mail and SNC mapping)

Using the Check Report RSUSR_DBMS_USERS_CHECK

When you synchronize database management system (DBMS) user management with SAP NetWeaver Application Server (SAP NetWeaver AS) user management, you must periodically check that the users SAP NetWeaver AS expects are still available. A DBMS user can go missing, for example, when a database administrator deletes it without the SAP NetWeaver AS administrator knowing about it.

[Screenshot: Checkreport.png]


Steps in Detail:

  1. Start report RSUSR_DBMS_USERS_CHECK with ABAP: Program Execution (transaction SA38).
  2. Choose Select inconsistent users.
  3. Enter a range of users.
    Note: To reduce the runtime of the report for systems with large numbers of users, you can specify individual user names or ranges to search for inconsistent data.
  4. Choose Execute.
  5. SAP NetWeaver AS ABAP returns the list of users that are inconsistent, if any. These users are SAP NetWeaver AS ABAP users for which a mapping is saved, but the user saved in the mapping does not exist in the DBMS.
  6. Decide how to handle any inconsistent users.
  7. Choose Back (F3).

  8. Enter users or ranges of users and select the appropriate action.
    • Create the DBMS user: SAP NetWeaver AS ABAP creates a matching DBMS user. The user has an initial password. You must inform the owner of the user about the new DBMS user and the initial password.
    • Remove the mapping: SAP NetWeaver AS ABAP deletes the mapping to the missing DBMS user. Any scenarios dependent on that user in both systems no longer work.

  9. Choose Execute.


38 Comments


  1. Nitesh Gupta

    Hi Matthias,

    Thanks for sharing this information. We have a similar requirement and are planning to go with this, so I wanted to clarify. We are using BW 7.40 SP7. So all I need is to create a database connection for HANA and maintain the connection details in table USR_DBMS_SYSTEM. Of course I need to have a database user with enough rights for user administration.

    So then in SU01, I would get the additional tab for DBMS.

    Also we need to assign a role (with couple of privileges in it) to all users in HANA. Can we assign that role to users through SU01 in BW?

    What about authentication property? How do we maintain it (Kerberos/SAML or Password)?

    Thanks.

    Nitesh Gupta

    1. Matthias Buehl Post author

      Hi Nitesh,

      Your assumptions are correct. You can assign HANA roles in SU01 and with the report.

      With NW 7.40 SP7 You cannot configure Kerberos or SAML Logon for HANA from within the ABAP stack. So you will have to do this in HANA.

      With 7.40 SP10 it will be possible to create a Kerberos mapping in HANA based on the user's SNC mapping in ABAP. See SAP Note 2075699 and SAP Note 2073847.

      With NW 7.40 SP7 you can only set a password. If no password is set the logon with SAP Logon tickets in HANA  is automatically activated for the created users. (But works only with identical ABAP and HANA user names)

      Best regards

      Matthias

        1. Nitesh Gupta

          Hi Matthias,

          Till now we had BW 7.4 SP7 and everything was working fine. Recently we upgraded to SP8. The DBMS user mapping to BW user is still working properly. But we faced a strange issue.

          We use the RS2HANA_CHECK tcode to generate HANA authorizations from BW. In SP7, it was working fine, irrespective of DBMS user mapping. In SP8, we observed that if we have not done the DBMS user mapping for a user, HANA authorizations can't be generated for him. In RS2HANA_CHECK, we get the message "user XYZ has no database user".

          Only once I map this user in SU01 to HANA user XYZ, HANA authorizations are being generated.

          Although I am OK with creating the mapping for all required users, I am just curious whether this is something different in SP8 or whether we are missing anything.

          Thanks

          1. Jascha Kanngiesser

            Hello Nitesh,

            first off and within the SAP HANA Model Generation context there are two options how you can “map” a BW user to a specific DBMS user. You can maintain the option to be used in transaction RS2HANA_VIEW. There you will find a parameter called “SAP HANA User Mapping” where you can choose between explicit mapping as maintained in transaction SU01 (tab “DBMS”, value D) or a mixture where first the mapping in transaction SU01 is checked and if nothing is maintained then a lookup is started for a same named DBMS user in SAP HANA.

            A possible root cause in your case may be that you have selected option D (explicit mapping) in transaction RS2HANA_VIEW and as you have not mapped any BW user to any DBMS user the authorization replication terminates. Options to solve this would be to either switch the setting in transaction RS2HANA_VIEW or adjust the user mapping in transaction SU01 accordingly.

            For more information please refer to the official documentation: Authorizations for Generating SAP HANA Views – Using the SAP HANA Database – SAP Library

            Or the official first Guidance document: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/101d6e00-2685-3110-8db4-da77db6194f0?QuickLink=index&&hellip;

            Best regards,

            Jascha

            1. Nitesh Gupta

              Hi Jascha,

              Thanks. This was really helpful. I noticed that in SP7 we didn’t have this option in RS2HANA_VIEW tcode, but in SP8 this option is available. I changed the value to “C” and my issue was resolved.

              Thanks

              Nitesh

        2. Nitesh Gupta

          Hi Matthias,

          Our BW system got upgraded to SP11 recently. With this SP, I can find the option to select the authentication type (SAML) in the DBMS tab of SU01. But there is no option to maintain the SAML identity provider. For Kerberos, I can see it.

          Do you know if there is any way to maintain SAML Identity Provider from BW system, in SP11?

          Thanks

          Nitesh Gupta

          1. Matthias Buehl Post author

            This can only be done in the HANA Studio. There should be an option to maintain the IDP.

            Also to create the SAML user mapping a HANA job is required. It could be created like this:

            1. Nitesh Gupta

              Thanks Matthias. We have been maintaining the SAML IDP using HANA Studio only. We are using the script below (for mass changes):

              ALTER USER <user_name> ADD IDENTITY <SAML Idendity> FOR SAML PROVIDER <IDP>

              This works fine. I just wanted to know if this can be maintained from the BW system, just like the other details.

              Regards,

              Nitesh

    1. Matthias Buehl Post author

      Hi Ruben,

      The HANA user will be created when saving the SU01 screen. If a user with this name already exists in HANA, it will be mapped to the ABAP user.

      Best regards

      Matthias

      1. ruben torres

        Hello Matthias, I've tried it but the user is not created in the HANA DB. I've created user BWHANA without roles/profiles and I've put an initial password on both sides (Logon Data and DBMS tabs) and saved it, but I get the message: Error DBMS: insufficient privilege: Not authorized. What privileges do I need to assign him? Regards

      2. Gali Srikanth

        I have a question on user deletion in HANA DBMS: from SU01 we can delete the HANA user too by mapping it with the ABAP user ID, but is it possible to check and delete users in HANA using the ABAP report RSLDAPSYNC_USER in BW when the user ID is not available in LDAP Active Directory?

        We are looking to terminate HANA users by comparing active directory.

        Best Regards

        Sri

  2. Andrew Leonard Jennings

    This is a great article.  However, I have a question.  We are attempting to do all our provisioning (via IDM) to the NW 7.4 ABAP stack and HANA SP7 all through the NW 7.4 ABAP stack.  With that in mind, when I create the user, of course all of the normal data is populated in all the normal SU01 fields.  However, the DBMS tab field that contains the username is blank.  Even though the field is blank, has the user been created in the HANA DB?  I’m thinking not.  The only way (it seems) to get that user created in the HANA DB is to populate that field (in the DBMS tab) and save (which creates the user in the HANA DB and sets the initial password).  Then come back and assign the DB roles or access.

    Is this the best way, in your opinion, to provision users into the HANA DB (via IdM), or do you think it should be done directly or differently?

    Update: I do understand there is a BAdI that can be used to set default values for that field, but does it auto-populate that field with the SU01 username or still with a blank? No, it does not auto-populate that field when a user is created from IdM. But IT DOES if you do a direct SU01 user create. Odd! It's called BADI_DBMS_USERNAME_MAPPING.

    Thanks,

    1. Matthias Buehl Post author

      Hi Andrew,

      We recommend using the HANA IDM adapter that is available in SAP NetWeaver IDM. With this adapter you can create the HANA users directly without using the ABAP server as some sort of proxy.

      And yes, the BAdI is not called when an ABAP user is updated via IDM.

      Best regards

      Matthias

  3. Andrew Leonard Jennings

    Thanks Matthias. I am going to do it the way you suggested. One issue I ran into was that, since we generate passwords, the HANA DB only allows the $ and # special characters. It rejects all other special characters in a password. Why it only allows those while all other ABAP systems allow the full gamut was also odd to me. Is there an explanation for that? Ultimately, I'll set up SAML and generate a password (in IdM) that meets the criteria just to create the user, so it's not a gigantic issue, but still... with the S/4 Business Suite coming down the pike it seems like this might get a little more attention.

    1. Nitesh Gupta

      Hi Andrew,

      How are you setting up SAML with this approach? Is it possible to maintain the SAML identity of HANA users via BW?

      Regards,

      Nitesh

    2. Andrew Leonard Jennings

      UPDATE:

      We haven't yet configured SAML due to other priorities. However, we were able to set a password in the HANA DB (via IdM) using all special characters by changing the following in the Provisioning Framework when IdM was creating or updating a user's password:

      FROM

      FUNCTION.sap_core_getPassword(%MX_ENCRYPTED_PASSWORD%)$$

      TO:

      “FUNCTION.sap_core_getPassword(%MX_ENCRYPTED_PASSWORD%)$$”

      Adding the quotes around this function allows the setting of a password with all special characters.

  4. Suddhasattwa Chakraborty

    Hi Matthias:

    Wonderful article, thank you very much for sharing the knowledge. Would you have any pointers on whether/how this could be used alongside an ABAP CUA environment? We have a CUA for DEV/QA and another for PROD.

    The table USR_DBMS_SYSTEM has entries for DBCON and client. Are there any plans to enhance that with a ‘system’ or ‘logical system name’ field to cater to CUA scenarios?


    Regards

    Sid

  5. Tian Song

    Hi Matthias,

    This is a great article, thanks for sharing!

    I have a question from my customer: lately they upgraded their testing system to NW 7.4 SP11, and another one to SP13. They found that both versions have a "new function" enabled: a "Restricted User" check box appears. They are able to create a user with or without checking this box, and a HDB user is then created accordingly. However, once they have checked or not checked it, the check box is grayed out and they are not able to modify it anymore. So they would like to understand: 1. Is this check box a new function in SP11+? Does any SAP document discuss it? 2. Is there any flexibility to change the user to be a "restricted user" or not by checking/unchecking the box later, if they want to modify it in the future?

    BTW, they are using HANA SPS11, and no IdM .

    Thanks a lot!!

    [Screenshot: Capture.PNG]

    1. Matthias Buehl Post author

      Hi,

      HANA does not allow changing a user once it is created. There are two SQL statements to create users: CREATE USER and CREATE RESTRICTED USER.

      Once the user exists the type is fixed.

      Best regards

      Matthias

  6. Rafal Wojda

    Hello,

    How to secure DBMS tab, so that user with access to ABAP user maintenance with transaction SU01 would not be able to modify this tab of the user record?

    1. Nitesh Gupta

      I tried to trace authorizations check for changes in DBMS tab for a user. All I could see is below.

      [Screenshot: Auth Trace.JPG]

      I tried with different activities like assigning/removing HANA roles, enabling SAML authentication, Password; but got same result every time. It seems there is no way to restrict DBMS tab maintenance, unless there is some SAP note to help out.

  7. Matthias Buehl Post author

    Yes, this is true. We currently do not have an additional authorization check. We already discussed it but it is not implemented and not yet decided.

    1. Rafal Wojda

      Hello Colleagues,

      Thank you for the response.

      We have this solution so far only on a sandbox system, but we discovered that due to the high authorizations of the database connection user it is possible to assign almost any HANA privilege from ABAP, which is a major security threat.

      Some solution for this would be much appreciated.

      1. Matthias Buehl Post author

        As a possible solution you can implement what is described in the chapter

        "Optional: Using a Personalized User Administrator in SAP HANA"

        In this case every user administrator can have specific authorizations in the HANA DB.

  8. keith doley

    Hello Matthias,

    I need some help in setting up the BW security (roles/user) definition in native HANA.

    Your blog was certainly helpful. However, I have a few doubts that need clarity.

    Can I please have your email ID so that I can connect with you?

    Or can you please mail me at doley.keith@gmail.com

    Thanks in advance

    Regards

    Keith

      1. keith doley
        SAP_BW 740 0013 SAPKW74013 SAP Business Warehouse

        All roles are defined in BW and we need to enable data reporting in native HANA via calculation views (generated from BW).

        Have certain doubts and need clarity on those. Contact email would be good.

        Many documents are available online but they don’t cover all the steps in clear process.

        1. Jascha Kanngiesser

          Hi Keith,

          The officially available First Guidance documents (1) or the information you can find on SAP Help (2) should in general cover the topic and describe everything so you can set up your system correctly. However, you may also have a look at the notes available on component BW-WHM-MTD-HMOD, which may address any issue you are facing.

          Thanks,

          Jascha

          (1) http://help.sap.com/saphelp_nw74/helpdata/en/a0/f2b32ffcaa40deb60ba4515bbb559e/content.htm

          (2)  http://sapassets.edgesuite.net/sapcom/docs/2014/03/a877be1c-517c-0010-82c7-eda71af511fa.pdf

  9. Robert Hofmann

    Hi Matthias,

    Thanks for sharing the information. I see only some security problems there, for example with outsourcers. Usually an outsourcer has nothing to do with user management in a productive client. But if you can assign every database role, and so every privilege, it is very dangerous. In SAP there is also a description named

    "How To...Define Standard for Administrators and Developers in SAP HANA Database"

    Here it is exactly described what we can do to make two separate admin domains.

    These two concepts don't fit together. Is it possible, for example, to change the Grant command in the program to call a database procedure like described in the guide?

    Thanks

    Robert
