With SAP NetWeaver Application Server ABAP 7.40 it is possible to synchronize ABAP users to a DBMS system, in particular to SAP HANA. This blog describes the configuration steps that are necessary to set up the functionality and the different features.
1. In more complex use cases, use SAP Identity Management (SAP ID Management). Such use cases include the following:
2. Currently the possibility to synchronize users to a DBMS system is implemented only for SAP HANA as the database system. It is however possible to connect any other database system that is supported by SAP NetWeaver AS ABAP through a customer implementation of the interface IF_DBMS_USER. The implementation for SAP HANA is done in class CL_DBMS_USER_HDB.
SAP NetWeaver Application Server (SAP NetWeaver AS) uses a database user to perform user management operations on database users. The database user requires the following attributes.
The database user must log on with user name and password.
The database user has a productive password.
Necessary authorizations for SAP HANA user administrators:
Privilege | Privilege Type | Description |
---|---|---|
USER ADMIN | SYSTEM | Enables you to maintain users in the DBMS. |
ROLE ADMIN | SYSTEM | Enables you to grant and revoke roles. Note: This privilege also grants a user in SAP HANA the authorizations to create and delete roles. |
CATALOG READ | SYSTEM | Enables you to display role assignments granted by users other than the user created for the database connection, for example the system user _SYS_REPO. |
EXECUTE on the procedure GRANT_ACTIVATED_ROLE | SQL | Enables you to grant roles created in the SAP HANA repository to DBMS users. |
EXECUTE on the procedure REVOKE_ACTIVATED_ROLE | SQL | Enables you to revoke roles created in the SAP HANA repository from DBMS users. |
You can also use several personalized DBMS user administrators instead of one fixed technical user that is configured in the database connection. In this case you need to create DBMS user administrators with the same user names as the ABAP user administrators. In the following step (Set up a database connection) you can choose between these two options.
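As an added example that is not part of the original blog, the following SAP HANA SQL creates the technical DBMS user administrator for the database connection with exactly the privileges listed in the table above and then lists what was granted so that excess privileges can be spotted. The user name ABAP_USERADMIN and the password value are assumptions; for the personalized variant, run the same GRANT statements for each administrator whose name matches the ABAP user administrator.

```sql
-- Added example (not from the blog). Assumption: the technical user is
-- called ABAP_USERADMIN; the password below is a placeholder that must be
-- replaced with one that satisfies the HANA password policy.
CREATE USER ABAP_USERADMIN PASSWORD "Replace-With-Real-Password-1"
  NO FORCE_FIRST_PASSWORD_CHANGE;   -- productive password, not an initial one

-- System privileges from the table above
GRANT USER ADMIN   TO ABAP_USERADMIN;
GRANT ROLE ADMIN   TO ABAP_USERADMIN;
GRANT CATALOG READ TO ABAP_USERADMIN;

-- SQL privileges on the repository role procedures (schema _SYS_REPO)
GRANT EXECUTE ON _SYS_REPO.GRANT_ACTIVATED_ROLE  TO ABAP_USERADMIN;
GRANT EXECUTE ON _SYS_REPO.REVOKE_ACTIVATED_ROLE TO ABAP_USERADMIN;

-- Check: exactly the five privileges above should be returned. Any other
-- row is an excess privilege on the technical user and should be revoked.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR, IS_VALID
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE      = 'ABAP_USERADMIN'
   AND GRANTEE_TYPE = 'USER'
 ORDER BY OBJECT_TYPE, PRIVILEGE;
```

Role assignments (for example the implicit PUBLIC role) are not shown by this query; check SYS.GRANTED_ROLES for the same GRANTEE if you also want to review those.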
In transaction DBCO, add a database connection in table DBCON (Change View "Description of Database Connections": Overview) for the database user, with database type HDB.
If you do not want to use one technical user administrator in SAP HANA, you can also define in the database connection that the current ABAP user administrator is authenticated in SAP HANA. The precondition is that the user administrator exists in SAP HANA with exactly the same user name as in the ABAP system and with the authorizations mentioned above. You can then set up the database connection as described in SAP Note 2005856.
The current ABAP user is then forwarded to SAP HANA in an assertion ticket.
In both cases we recommend you protect the connection with Secure Sockets Layer (SSL).
For more information, see the SAP HANA Security Guide and SAP Note 1718944.
Enter the name of the database connection and the client in the USR_DBMS_SYSTEM view with Maintain Table View (transaction SM30).
Important:
Only customize one ABAP client. The same user ID on different ABAP clients can represent different users with different authorizations, so it is not good practice to map users from different clients to the same DBMS user. If you need to support multiple ABAP clients, use SAP Identity Management (SAP ID Management). SAP ID Management has the tools to ensure that users in multiple clients represent a single person or identity.
You can use transaction SU01 for single user maintenance or the ABAP report RSUSR_DBMS_USERS for mass synchronization between ABAP and SAP HANA users.
In transaction SU01 a new tab named "DBMS" will appear if all configuration steps have been done correctly:
Note: There is NO synchronization of productive passwords. As soon as a user changes their password on one side, the passwords are out of sync.
Changes to the ABAP user do not affect the DBMS user, with the following exceptions:
When deleting an ABAP user, you are prompted to confirm the deletion of a corresponding SAP HANA user if it exists. Choosing Yes deletes the users in both systems.
The report RSUSR_DBMS_USERS allows mass synchronization between ABAP and DBMS users. There are several user selection options to select exactly the ABAP users that shall be synchronized to the DBMS system. The report documentation in the system is quite exhaustive, and it is recommended to read it.
Please also see SAP Note 1927767 and SAP Note 2068639.
Selection criteria for the report:
It is recommended to first start the report in selection mode to check whether the right ABAP users are selected. Then several updates can be run on the DBMS users.
Available functions:
When you synchronize database management system (DBMS) user management with SAP NetWeaver Application Server (SAP NetWeaver AS) user management, you must periodically check that the users SAP NetWeaver AS expects are still available.
A user can go missing, for example, when a database administrator deletes a DBMS user without the SAP NetWeaver AS administrator knowing about it.
Choose Back F3.
Enter users or ranges of users and select the appropriate action.
Create the DBMS user: SAP NetWeaver AS ABAP creates a matching DBMS user. The user has an initial password. You must inform the owner of the users about the new DBMS user and the initial password.
Remove the mapping: SAP NetWeaver AS ABAP deletes the mapping to the missing DBMS user. Any scenarios dependent on that user in both systems no longer work.
Choose Execute.