Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
pavlomelnyk
Product and Topic Expert

Connect restrictions are access policies that enforce limited access to the SAP HANA database for users who belong to a specific user group*. For example, they can be used to restrict administrator users to a given IP range, or technical users to specific applications. 

They give customers the flexibility to limit access for all users or for parts of their user base, for instance, to allow only administrators to log in from the customer's IP range and from a given set of applications, based on the application session variable. 

Benefits: 

  • Provides more fine-granular control over security configuration settings 
  • Allows customers to further secure their systems against attacks from the Internet 

You can read more about connect restrictions in SAP HANA Cloud, SAP HANA Database Security Guide: User Management -> User Groups -> Connect Restrict.... 

Setting up the connect restrictions by using SAP HANA Cloud Central 

To demonstrate how you can make use of connect restrictions, I will use the HANA tooling, more specifically SAP HANA Cloud Central**. 

A typical customer scenario for this functionality is to limit users' access to HANA to the specific applications they use. Another case is that technical users of the HANA database should not be allowed to connect or log in through applications with which data or settings in HANA can be manipulated, such as HDBSQL or HANA Cockpit/DB Explorer. 

To create connect restriction policies, you need to access SAP HANA Cloud -> section “User & Authorization Management” -> subsection “User groups”. 

[Screenshot: pavlomelnyk_0-1712753019294.png]

If you cannot see this tile or cannot access SAP HANA Cloud Central, check the SAP HANA Cloud Administration Guide for the required tool subscriptions and the authorizations your user may be missing. 

Creating a User Group-Specific Connect Restriction 

A single connect restriction can contain multiple applications and IP conditions.  

To configure those conditions, a user requires the OPERATOR object privilege on the given user group. The conditions can be created by the creator of the user group or by another user who holds the GRANTOR privilege on that user group. 

1. If not yet created, set up a user group in the “User & Authorization Management” section, subsection “User groups”, for which you will subsequently create the required restrictions. For us, it will be Administrators1. Move the required users to this group. 

[Screenshot: pavlomelnyk_1-1712753087561.png]

2. Scroll down and create a connect restriction NetworkRestrictions1 with conditions for IP addresses (in CIDR notation) and for the application. This restriction allows connections for the hdbsql application from the listed IP addresses and IP ranges only. 

[Screenshot: pavlomelnyk_2-1712753169309.png]

You can define multiple connect restrictions in a single statement. The following example shows how to define connect restrictions for IPS_V4, IPS_V6, and HDBSQL: 

[Screenshot: pavlomelnyk_3-1712753193121.png]

3. The definition of the connect restrictions, and the list of connect restrictions per user group, can also be viewed in the system view USERGROUP_CONNECT_RESTRICTIONS. 

If you execute the steps above, the contents of USERGROUP_CONNECT_RESTRICTIONS in the SQL console of SAP HANA Cloud Central would look as follows: 

[Screenshot: pavlomelnyk_4-1712753259410.png]

The full syntax of the user group creation statement, including the connect restriction parameters, can be found in SAP HANA Cloud, SAP HANA Database SQL Reference Guide -> CREATE USERGROUP Statement (Access Control). 
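The same three steps expressed in SQL, so that they can be scripted and reviewed rather than clicked through. This is an added example, not code from the original post or from SAP: the user, group and restriction names and the IP ranges are constructed sample values, and the exact shape of the ADD CONNECT RESTRICTION clause (the IP ADDRESSES and APPLICATIONS condition keywords) is written from my reading of the SQL reference and is an assumption that must be checked against the CREATE USERGROUP / ALTER USERGROUP statement documentation before use. ALTER USER ... SET USERGROUP and the system view USERGROUP_CONNECT_RESTRICTIONS are the documented names.

```sql
-- Added example, not from the original post. All names and IP ranges are constructed.
-- ASSUMPTION: the ADD CONNECT RESTRICTION clause syntax below must be verified against
-- "CREATE USERGROUP Statement (Access Control)" in the SAP HANA Cloud SQL Reference Guide.

-- Step 1: create the user group and move an administrator into it.
-- (Unquoted identifiers are folded to upper case by HANA, so the group is stored as ADMINISTRATORS1.)
CREATE USERGROUP Administrators1;
ALTER USER ADMIN_USER SET USERGROUP Administrators1;   -- ADMIN_USER is a constructed example user

-- Step 2: one restriction with two conditions. Both conditions must hold for this
-- restriction to allow a login: the client must use hdbsql AND come from a listed range.
ALTER USERGROUP Administrators1
  ADD CONNECT RESTRICTION NetworkRestrictions1
    IP ADDRESSES ('203.0.113.10', '198.51.100.0/24', '2001:db8::/32')  -- documentation ranges, constructed
    APPLICATIONS ('hdbsql');

-- Several restrictions can be added in one statement. A login is allowed if ANY restriction
-- allows it, so the three below together are looser than NetworkRestrictions1 alone:
-- any IPv4 client in the range, OR any IPv6 client in the range, OR any hdbsql client from anywhere.
ALTER USERGROUP Administrators1
  ADD CONNECT RESTRICTION IPS_V4  IP ADDRESSES ('198.51.100.0/24')
  ADD CONNECT RESTRICTION IPS_V6  IP ADDRESSES ('2001:db8::/32')
  ADD CONNECT RESTRICTION HDBSQL  APPLICATIONS ('hdbsql');

-- Step 3: review the effective definitions before relying on them.
SELECT * FROM USERGROUP_CONNECT_RESTRICTIONS;
```

The second ALTER statement is deliberately included to show the evaluation rule in practice: because restrictions are combined with OR, adding an application-only restriction such as HDBSQL silently removes the IP requirement for hdbsql logins. Review the system view output after every change, and validate a few representative client IP/application pairs (see the validation section) before applying a restriction to the group that contains your own administrator account.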

Evaluation of Connect Restrictions 

Connect restrictions are evaluated as part of the user authentication process, after the user has successfully authenticated. If the user group has connect restrictions, members of that group can only connect if at least one of the defined connect restrictions allows access. 

Note: A single connect restriction can consist of multiple conditions, and all of them must be met for that restriction to allow access for the user.

Deactivating Connections for All Users of a User Group 

Use the ENABLE | DISABLE CLIENT CONNECT option to control whether or not the users in a user group can connect to the SAP HANA database, for example, to stop users temporarily from connecting during updates or troubleshooting activities. 

Sample Code:  

ALTER USERGROUP MyUserGroup DISABLE CLIENT CONNECT 

If you disable client connects for a user group using this feature, no user of that user group can connect, even if the connect restrictions would allow it. 

Validating a User Group-Specific Connect Restriction 

In the connect restriction bar at the top right, you can also validate whether a connect attempt would be possible given the active connect restrictions of a user group: 

[Screenshot: pavlomelnyk_5-1712753453762.png]

A window pops up in which you can test different options and see the results: 

[Screenshot: pavlomelnyk_6-1712753479149.png]

You can also use the table function PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION for this, and the table function PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION_DETAILS to display, for each connect restriction, whether a login would be allowed by a specific condition. 

Some things to keep in mind about the validation functions: 

  • These table functions validate all connect restrictions of a user group 
  • They return a detailed result for each connect restriction, stating whether a login would be allowed 
  • The check is done against both the active and the inactive restrictions of a user group, for the following conditions: 
    • Client IP Address 
    • Application Name 
  • NULL values are returned if a condition does not exist in a connect restriction. 
  • The input parameters can be omitted, in which case default values are used. 
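A scripted version of the validation check, as an added example that is not part of the original post or SAP's documentation. The group name and client IP addresses are constructed sample values, and the positional parameter order (user group, client IP, application name) is an assumption; confirm it against the VALIDATE_USERGROUP_CONNECT_RESTRICTION entry in the SQL Reference Guide. The function names themselves are the ones the post cites.

```sql
-- Added example, not from the original post. Group name and client IPs are constructed.
-- ASSUMPTION: parameter order is (usergroup_name, client_ip, application_name); verify in the SQL Reference Guide.

-- Would an hdbsql login from a client inside the permitted range be accepted?
-- Expected: allowed, provided a restriction with conditions hdbsql + 198.51.100.0/24 exists.
SELECT *
  FROM PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION('ADMINISTRATORS1', '198.51.100.25', 'hdbsql');

-- Same client, but connecting through a different tool. If every restriction requires hdbsql,
-- this should be rejected, which is the behaviour the post describes for technical users.
SELECT *
  FROM PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION('ADMINISTRATORS1', '198.51.100.25', 'HDBStudio');

-- Per-restriction breakdown for a client outside every listed range: shows which
-- condition of which restriction failed, and NULL for conditions a restriction does not define.
SELECT *
  FROM PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION_DETAILS('ADMINISTRATORS1', '203.0.113.99', 'hdbsql');

-- Parameters may be omitted; the function substitutes default values for the missing ones.
SELECT *
  FROM PUBLIC.VALIDATE_USERGROUP_CONNECT_RESTRICTION('ADMINISTRATORS1');
```

Running a small set of such queries after every change to a group's restrictions, covering one address inside and one outside each range and each application you intend to allow or block, is a cheap way to catch an accidental lock-out or an overly permissive restriction before a real login fails.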

Authentication/Connect Failures due to Connect Restrictions 

If a user connection cannot be established due to a connect restriction, you can find details about why the connection was rejected on the “Failed Authentications” page of the “User & Authorization Management” tile of SAP HANA Cloud Central. We will talk more about these features in a future blog post.

Additional resources to check: 

*User groups support a separation of user management tasks, allowing you to manage related users together and efficiently. A user can belong to only one user group. You can create and manage users in user groups in the SAP HANA Cloud Central and SAP HANA Cockpit. 

You can read more about user groups in SAP HANA Cloud, SAP HANA Database Security Guide: User Management -> User Groups; for information on how to create them, see the SAP HANA Cloud, SAP HANA Database SQL Reference Guide. 

**With the migration of SAP HANA Cockpit functionality into SAP HANA Cloud Central, all of the documentation for these features has also been migrated to the SAP HANA Cloud docu set. 

Moreover, SAP HANA Cloud Central has in-app help that can be accessed by clicking the “?” icon in the shellbar. This in-app help is extensive and contains links to relevant content in the cloud docu set. 

The following links may also be helpful: 

For SAP data lake (SAP HANA Cloud) administration: SAP HANA Cloud, Data Lake Administration Guide for Data Lake Relational Engine 

For SAP HANA Cloud administration: SAP HANA Cloud Administration Guide 

For SAP HANA database (SAP HANA Cloud) administration: SAP HANA Cloud, SAP HANA Database Administration Guide 

Also, the SAP HANA Cloud Database Administration with SAP HANA Cockpit guide still exists but will not be updated or maintained.