SAP Hana User Self-Service Configuration

In my documentation I’ll explain how to configure and use the self-service feature in SAP Hana, in my scenario I’ll use the case when you have external corporate user who wants to access some test application by requesting user creation

For my setup I will use Hana rev122 with SAP Hana SHINE deployed on SLES 12 virtual machine from ESXi 6.0

Disclaimer: My deployment is only for test purpose, I make the security simple from a network perspective in order to realize this configuration and use open source software

In order execution

• Setup SMTP server in Hana
• Setup Self-Service Administrator and Technical user
• Maintain USS initialization parameters
• Maintain Email Template
• Request new user account
• Accept and Activate account
• Maintain user profile
• Optional : change background USS picture

Guide used

SAP HANA Administrator Guide

Link used

Help SAP Hana Administration SPS 12

Detail Architecture
From a process perspective the remote user access the panel of available application from the Hana portal, from the self-service link on the web page the user request to have an account created in order to access the application wanted.

Once the request made, a confirmation email is send to notify the administrator of the system to activate the account if the automatic creation is enable or to create the new account.

At the same time an email is send back to the external to notify him/her that the request has been submitted.

When the administrator has accepted and activated the account, an email is send automatically to the external with his/her credential.

Setup SMTP in Hana

In order to configure my SMTP server I will go on the SMTP configuration application from the cockpit

Setup Self-Service Administrator and Technical user

The User Self-Service tool required to have two specific user to work, an administrator user who manages the self-service requests and access lists must be assigned the role and a technical dedicated user who is used to execute tasks associated with user self-service requests, for example, sending e-mails in response to user requests.

I will start by the administrator user account, this can be done by the studio or the cockpit

And I grant the role sap.hana.xs.selfService.admin.roles::USSAdministrator

Now create i access the USS administration at the following url : http://<myserver>:<port>/sap/hana/xs/selfService/admin.

My administrator created do the technical user by the same proceed and assign the role sap.hana.xs.selfService.user.roles::USSExecutor

Once done I need to assign the selfservice.xssqlcc artifact, in order to proceed I need to go in the artifact administration

Follow the path up to selfService.xssqlcc

Once there go on edit node and provide the user/password create for the purpose and activate

Note : you probably notice that a user was already selected, this user is generated when Hana is installed.

Maintain USS initialization parameters

My two user created and my xs artifact activated, I can now start to maintain and initialize the necessary USS.
To do this i need to be connected as USSADMIN user and select the “INI PARAMETERS”

Several option are available, I’ll turn all of them except “Automatic User Creation” so I can control the activation of the account

Maintain Email Template

My service is now up and running, I can customize the content of the email send during the process of creation, request, activation and forgot password

This can be done by selection “Email Templates” from the left side menu

Once you have change the content of the template, we just need to hit save.

Request new user account

We are ready to make some testing and check our process, do so I’ll access my hana SHINE page where I have made some change in order to make it public accessible for the page presentation.

And when I click on the app I would like to use I can see the introduction of the app

And if I click on continue it is requested for a user/pass, I can now do so by clicking on “request account” and fill up the necessary information

Once submitted, the following message shows

I check my mail box, and I can see the auto reply from my request asked me to verify my email

When I click in the link I can now create my password

Accept and Activate account

My request submitted, a notification is send to my internal lab admin user

I can see now from the admin request cockpit that I have a pending request waiting to be activate or rejected

If I check from the studio, we can see the user create automatically but deactivated because of the option I have chosen earlier

Before to activate the account, I need to provide this new user the necessary role and authorization in order to be able to use the application wanted.

Once done, I activate the account and notify the user

And finally check my user mail box and can see that I have receive my confirmation email for my account activation

So I click on the link and access the application with my new user activated

And I’m in

Maintain user profile

Each user account is associated with a profile, the user who owns the profile must adjust the settings to suit personal preferences.
In order to be able to manage its own preference the following role needs to be provide to the users “sap.hana.xs.formLogin.profile::ProfileOwner”

Once done, the use can manage his/her preference from the link /sap/hana/xs/formLogin/profile/

Optional: change background USS picture

It is possible to customize the background image displayed in the logon Web page, for example, by specifying the URL to the image displayed as background in the logon screen.

To do so, I need to add the following parameter in the xengine.ini under httpserver

The url of the picture if base from my package

So now when I access my default web page and request for a new account I have the following
My configuration is now completed to setup User Self-Service feature.