Connect restrictions are access policies that limit how users belonging to a specific user group* may connect to the SAP HANA database. For example, they can restrict administrator users to a given IP range, or technical users to specific applications.
They give customers the flexibility to limit access for all users or for only part of their user base, for instance, to allow administrators to log in only from the customer's IP range and only through approved applications, as identified by the APPLICATION session variable of the connection.
Benefits:
More about connect restrictions you can read in SAP HANA Cloud, SAP HANA Database Security Guide: User Management -> User Groups -> Connect Restrict....
Setting up the connect restrictions by using SAP HANA Cloud Central
For a demonstration of how you can make use of connect restrictions, I will use HANA tooling, specifically SAP HANA Cloud Central**.
A typical customer scenario for this functionality is to limit which applications users may use to connect to SAP HANA. Another is to prevent technical users of the HANA database from logging in through tools that can manipulate data or settings in HANA, such as HDBSQL or SAP HANA Cockpit/Database Explorer. Keep in mind that the application name is taken from the APPLICATION session variable, which the client sets when it connects; an application condition is therefore a guardrail against a technical user's credentials being reused interactively, not a boundary that someone holding those credentials cannot cross. Combine it with an IP address condition wherever a hard boundary is required.
To create connect restriction policies, open SAP HANA Cloud Central, go to the "User & Authorization Management" section, and then to the "User Groups" subsection.
If you cannot see this tile or cannot access SAP HANA Cloud Central, check the SAP HANA Cloud Administration Guide for the required tool subscription and for any authorizations your user is missing.
Creating a User Group-Specific Connect Restriction
A single connect restriction can contain multiple applications and IP conditions.
To configure these conditions, a user requires the OPERATOR object privilege on the given user group. This privilege can be granted by the creator of the user group or by another user who holds the GRANTOR privilege on it.
1. If not yet created, in the "User & Authorization Management" section, subsection "User Groups", set up a user group for which you will subsequently create the required restrictions. For us, it will be Administrators1. Move the required users into this group.
2. Scroll down and create a connect restriction NetworkRestrictions1 with conditions for IP addresses (in CIDR notation) and for the application. The restriction allows connections from the hdbsql application from the listed IP addresses and IP ranges only.
You can also define multiple connect restrictions in a single SQL statement. The following example shows how to define the connect restrictions IPS_V4, IPS_V6, and HDBSQL:
3. The definitions of the connect restrictions, listed per user group, can also be viewed in the system view USERGROUP_CONNECT_RESTRICTIONS.
If you execute the steps above and then query USERGROUP_CONNECT_RESTRICTIONS in the SQL console of SAP HANA Cloud Central, the result looks as follows:
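The same procedure expressed in SQL, as an added example that is not part of the original post or of SAP's documentation. The SET / UNSET CONNECT RESTRICTION clauses follow the CREATE USERGROUP and ALTER USERGROUP syntax described in the SAP HANA Cloud SQL Reference Guide cited below, and the exact keyword spelling should be verified there before use; the ALTER USER ... SET USERGROUP statement, the user name ADMIN01, the application name MY_ADMIN_TOOL, the restriction name ADMIN_TOOLS, all IP ranges, and the USERGROUP_NAME column name are assumptions for illustration.

```sql
-- Added example, not the post's own statements. Syntax of SET / UNSET CONNECT RESTRICTION
-- is assumed from the SQL Reference Guide; verify keyword spelling there before running.
-- Group, user, restriction and application names and all IP ranges are constructed.

-- Steps 1 and 2 in one statement: create the group together with its restrictions.
-- Unquoted identifiers are folded to upper case, so the group is stored as ADMINISTRATORS1.
-- Each restriction combines an IP condition AND an application condition; the three
-- restrictions are alternatives (OR). Do not add a restriction that has only an
-- APPLICATION condition next to IP-only restrictions: because restrictions are OR'ed,
-- that would admit the application from any address.
CREATE USERGROUP Administrators1
  -- IPv4 admin network, HDBSQL only
  SET CONNECT RESTRICTION IPS_V4
      IP ADDRESS ('10.20.0.0/16', '192.0.2.10/32')
      APPLICATION ('HDBSQL')
  -- same policy for the IPv6 admin network
  SET CONNECT RESTRICTION IPS_V6
      IP ADDRESS ('2001:db8:1::/48')
      APPLICATION ('HDBSQL')
  -- an administration tool (application name constructed) from the VPN range only
  SET CONNECT RESTRICTION ADMIN_TOOLS
      IP ADDRESS ('10.20.0.0/16')
      APPLICATION ('MY_ADMIN_TOOL');

-- Move a user into the group (a user can belong to only one user group).
ALTER USER ADMIN01 SET USERGROUP Administrators1;

-- Later changes: add a restriction for a new office range, drop an obsolete one.
ALTER USERGROUP Administrators1
  SET CONNECT RESTRICTION NetworkRestrictions1
      IP ADDRESS ('203.0.113.0/24')
      APPLICATION ('HDBSQL');
ALTER USERGROUP Administrators1 UNSET CONNECT RESTRICTION IPS_V6;

-- Step 3: inspect the effective definitions (the USERGROUP_NAME column name is assumed).
SELECT *
  FROM USERGROUP_CONNECT_RESTRICTIONS
 WHERE USERGROUP_NAME = 'ADMINISTRATORS1';
```

Run the statements in the SQL console of SAP HANA Cloud Central with a user that holds the OPERATOR privilege on the group. Review the output of the final SELECT after every change: a restriction that lost its IP condition, or that was added with only an APPLICATION condition, widens access for the whole group.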
Additional syntax for user group creation statements with parameters of connect restrictions can be found in SAP HANA Cloud, SAP HANA Database SQL Reference Guide -> CREATE USERGROUP Statement (Access Control).
Evaluation of Connect Restrictions
Connect restrictions are evaluated during the connect process, after the user has successfully authenticated. If the user's group has connect restrictions, the connection is accepted only if at least one of the defined connect restrictions allows it.
Note: A single connect restriction can consist of multiple conditions (for example, an IP address condition and an application condition), and all of them must be met for that restriction to allow access. Across restrictions the logic is OR; within a restriction it is AND.
Deactivating connection for all Users of a User Group
Use the ENABLE | DISABLE CLIENT CONNECT option to control whether or not the users in a user group can connect to the SAP HANA database, for example, to stop users temporarily from connecting during updates or troubleshooting activities.
Sample Code:
ALTER USERGROUP MyUserGroup DISABLE CLIENT CONNECT
If you disable client connects for a user group using this feature, no user of that user group can connect, even if connect restrictions would allow it.
Validating a User Group-Specific Connect Restriction
In the connect restriction bar at the top right, you can also validate whether a connect attempt would succeed given the active connect restrictions of a user group:
A window pops up in which you can test different combinations of IP address and application and see the result:
You can also use the table function PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION for the same purpose, and the table function PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION_DETAILS to see, for each connect restriction, whether the login would have been allowed by that restriction's conditions.
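Calling the two validation functions from the SQL console, as an added example that is not part of the original post. The argument order (user group, IP address, application) is an assumption and must be confirmed in the SQL Reference Guide entry for the functions; the example also assumes a group ADMINISTRATORS1 whose only restriction covering the HDBSQL application is IPS_V4, allowing HDBSQL from 10.20.0.0/16, and the addresses and tool name are constructed.

```sql
-- Added example, not the post's own statements. Argument order (user group, IP address,
-- application) is assumed; confirm it in the SQL Reference Guide. Assumes ADMINISTRATORS1
-- has restriction IPS_V4 = IP ADDRESS ('10.20.0.0/16') AND APPLICATION ('HDBSQL').

-- Both conditions of IPS_V4 hold: address inside 10.20.0.0/16, application HDBSQL.
SELECT *
  FROM PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION('ADMINISTRATORS1', '10.20.5.7', 'HDBSQL');

-- Same address, different application: IPS_V4 fails on its APPLICATION condition, and
-- no other restriction covers this tool, so the group provides no allowing restriction.
SELECT *
  FROM PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION('ADMINISTRATORS1', '10.20.5.7', 'SOME_OTHER_TOOL');

-- Right application, address outside every range: the DETAILS variant reports the result
-- per restriction, which shows that the IP ADDRESS condition is the one that does not match.
SELECT *
  FROM PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION_DETAILS('ADMINISTRATORS1', '198.51.100.9', 'HDBSQL');
```

Validating in SQL is worth scripting as a regression check: after every change to a group's restrictions, re-run the attempts that must stay allowed (the administrators' jump hosts) and the ones that must stay blocked (technical users from HDBSQL) and compare the results against the expected policy.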
Some things to keep in mind about validation views:
Authentication/Connect Failures due to Connect Restrictions
If a user connection cannot be established because of a connect restriction, you can find details about why the connection was rejected on the "Failed Authentications" page of the "User & Authorization Management" tile in SAP HANA Cloud Central. We will talk more about these features in a future blog post.
Additional resources to check:
*User groups support a separation of user management tasks, allowing you to manage related users together and efficiently. A user can belong to only one user group. You can create and manage users in user groups in the SAP HANA Cloud Central and SAP HANA Cockpit.
More about user groups you can read in SAP HANA Cloud, SAP HANA Database Security Guide: User Management -> User Groups, and for more information on how to create, see the SAP HANA Cloud, SAP HANA Database SQL Reference Guide:
**With the migration of SAP HANA Cockpit functionality in SAP HANA Cloud Central, all of the documentation for these features has also been migrated to the SAP HANA Cloud docu set.
Moreover, SAP HANA Cloud Central has in-app help that can be accessed by clicking the “?” icon in the shellbar. This in-app help is extensive and contains links to relevant content in the cloud docu set.
The following links may also be helpful:
For SAP data lake (SAP HANA Cloud) administration: SAP HANA Cloud, Data Lake Administration Guide for Data Lake Relational Engine
For SAP HANA Cloud administration: SAP HANA Cloud Administration Guide
For SAP HANA database (SAP HANA Cloud) administration: SAP HANA Cloud, SAP HANA Database Administration Guide
The SAP HANA Cloud Database Administration with SAP HANA Cockpit guide still exists, but it is no longer updated or maintained.