Share your productive databases with other accounts in HCP

Context:

Let us consider the following scenario:

John is the CIO of ‘CompanyA’, a big manufacturing corporation and a long time customer of SAP. His company has started its journey towards Digital Transformation, and as a first step they have (rightly..) decided to go for the SAP HANA Cloud Platform (HCP), to form the agile foundation of their digital future.

Jack is a developer in ‘CompanyB’, a trusted cloud-partner of SAP, who has implemented applications(app) on HCP which can help manufacturing companies slice and dice their day-to-day transactional data, to reveal insights on inefficient processes and possibilities of optimization; or the app could also help in building efficient process chains to enhance and optimize the existing processes.

John (CompanyA) has recently purchased a HCP package with a HANA database and an ASE database. He has received a HCP Global Account and an account with the HANA and ASE database systems provisioned in it.

John wants to implement Jack’s HCP app for his company’s needs. For security reasons, John does not want to give Jack access to his account containing the databases and other applications of CompanyA. Jack needs to access the database in John’s HCP account, for his apps to work. 

Both John and Jack are now confused on how to move forward with the HCP app implementation.

This is a very common scenario, among customers trying to implement partner applications on HCP. Is there a way out?!!

SAP HANA Cloud Platform, now provides an option to share your productive SAP HANA and SAP ASE databases with other accounts within the same global account using the SAP HANA Cloud Platform Cockpit. By managing account permissions for your databases, you can control which operations (binding, tunneling, ..) are allowed in each of your accounts.

Note: It is also possible to share your database with accounts that do not belong to your global account using the HCP console client.

Recommended Solution:
What John can now do is, to create a new Account within his HCP global account and adds Jack as the user of the new account. Jack can now deploy his app in the new account and John can share the database within his account to the account where Jack has deployed his app. John can also allot a Java quota from his Global account quota to the new account he has created for Jack.Let us see how this can be done!

This blog will be a step-by-step guide, detailing how we can share a productive database in our account with other accounts within a HCP global account.

Step-by-step guide:

In this guide we showcase a simple scenario where we deploy a simple Java app on one HCP account (henceforth called App Account) and bind this application with an ASE database which is provisioned in another HCP account (henceforth called DB Account).

Prerequisites:

• The user should have a productive HCP account in the factory landscape. This is needed to create multiple accounts, which is not possible on the trial landscape.
• The user should have a Java quota of at-least 1 on one of the accounts to deploy the Java application.
• The user should have an ASE (or HANA) database system provisioned on the other account.

Let us quickly check the pre-requisites needed for the scenario:

1. Login to the HCP cockpit and check the account structures.
   (An informative blog on understanding accounts in HCP can be found Here)In the above figure, (1) refers to the HCP Global Account and (2),(3) depict the accounts within (1). When a customer purchases HCP, he is provided with a global account (1) and a default account (2). Any databases provisioned will be associated with a account (2). The customer can then create any number of accounts like (3) using the steps outlined Here
2. On the DB Account, navigate to Persistence –> Database Systems and verify that the asedb (ASE) system is present in the list.
   Check that a database, based on this system is also created and listed in Persistence –> Databases & Schemas. If not, create a database using the steps outlined Here
3. Check that the App Account has at least 1 Java quota to deploy the application. If not adjust the quota between your accounts using the steps outlined Here 

Execution:

Navigate to the DB Account; which has the database created in it. Go to Persistence –> Databases & Schemas and click on the link of the database which was created a part of the pre-requisite.

Once the database Overview page is open, navigate to the new cockpit option Cross-Account Permissions.

In the permissions page, click on Grant Account button and in the pop up dialog, from the Account drop down list, select the App Account. There are two types of cross-account permissions:

• Permission to access the database for a data source binding to an application: Without this permission, applications in other accounts will not have your database displayed in the list during data source binding
• Permission to open database tunnels to the database: Without this permission, there cannot be any database tunnels which can be opened to this database from the users of other accounts. (As an example, we would require to open a database tunnel to connect to an ASE database using eclipse or SQL clients)

Based on the requirement, select the corresponding checkbox BINDING or TUNNEL and click on SAVE button.

Navigate to the App Account, by clicking on the account name link from the Cross-Account Permissions page.

The database in the DB Account will now be visible in the App Account in the format DB Account name:database name. Check that the permissions are listed accordingly and the Owner account is shown as DB Account.

Click on the App Account Name (numbered as 2) in the bread crumbs on the top of the page (where 1 is the global account, 2 is the account with the Java quota and 3 is the database from the other account) to go to the App Account –> Databases & Schemas page.

The database from the DB Account should be listed here. Check that the Account field shows the DB Account name.

Go to Applications –> Java Applications in the App Account.

Now we need to deploy a simple Java application in the account. We can use sample applications provided by the SAP HANA Cloud Platform SDK, in this scenario. To download the SDK, navigate to the URL https://tools.hana.ondemand.com/#cloud and download and unzip the Java Web Tomcat 7 or Java Web Tomcat 8 versions to your system.

The SDK already provides a set of sample applications. One such application is the ‘persistence-with-jpa’ application.The sample applications can be found under the path /samples/ in the SDK. There should be a target folder in /samples/persistence-with-jpa/ with the persistence-with-jpa.war file present in it.
If not, we need to build the application using maven. Using the command prompt, navigate to the /samples/persistence-with-jpa/ folder, containing the pom.xml file and run the following command to create the war file.

mvn package

The build should result in a Success, thus creating the target folder and within it the persistence-with-jpa.war file. Deploy this .war file in your account using the steps outlined Here

Once the deployment is complete click on the deployed application from the list to navigate to the application overview page.

In the overview page, go to Configuration –> Data Source Binding to create a new database binding.

Click on New Binding button. The database bound from the DB account should be visible by default in the DB/Schema ID and the data source as <default>. Enter the user and password for the database and click on Save.

Note: There are multiple ways John can handle database security. The simplest recommendation would be that John creates a generic technical user in the database and shares the same with Jack, so that he can use the given user to create a binding with the data source.

The new binding will be visible in the list. Start the application and wait till the status becomes Started. Click on arrow in the bread crumbs, to navigate to the DB Account.

Go to Persistence –> Databases & Schemas and check that the Cross account sharing icon is shown beside the database in the list.

Testing:

Open up the deployed application in the App Account. The ‘Persistence with JPA Sample!’ application opens.
Enter ‘hcp’ in First name: ‘user’ in Last name:  and click on Add Person. The record should be created and added to the list Entries in the Database.
The application has JPA code written which will create a table T_PERSON in your database or (in HANA) under the schema of the user mentioned during the creation of data source binding. Check this to make sure that the cross account binding actually works.

Done! You have just shared a database between accounts of a single HCP global account!!

Hoping both John and Jack read this blog and are able to continue with their app implementation project. 🙂