Application Development Blog Posts
Learn and share on deeper, cross technology development topics such as integration and connectivity, automation, cloud extensibility, developing at scale, and security.
cancel
Showing results for 
Search instead for 
Did you mean: 
matthias_buehl
Advisor
Advisor
60,554

With SAP NetWeaver Application Server ABAP 7.40 it is possible to synchronize ABAP Users to a DBMS system especially to SAP HANA . This blog describes the configuration steps that are necessary to set up the functionality and the different features.

Use Cases

  • SAP NetWeaver Business Warehouse (SAP NetWeaver BW), needs a 1:1 user mapping to map analytic privileges of the database to the virtual analysis authorizations of the SAP NetWeaver BW
  • Your users run applications that access the database directly. You must assign privileges to the user in the database.
  • As an ABAP developer, to create SAP HANA objects, you must have a SAP HANA user.
  • Use the DBMS user management function of SAP NetWeaver AS when you have the users of a single, standalone SAP NetWeaver AS ABAP to synchronize with the users of the DBMS.


Limitations

1. In more complex use cases, use SAP Identity Management (SAP ID Management). Such use cases include the following:

  • You need to distribute user data across a variety of systems in a landscape.
  • You want to synchronize the users of multiple clients of SAP NetWeaver AS ABAP with the underlying DBMS.


2. Currently the possibility to synchronize users to a DBMS system is implemented only for SAP HANA as database system. It is however possible to connect any other database system that is supported by the SAP Neweaver AS ABAP by a customer implementation of the class interface IF_DBMS_USER. The implementation for SAP HANA is done in class CL_DBMS_USER_HDB.

Configuration Steps

1. Create the Database User for the Database Connection

SAP NetWeaver Application Server (SAP NetWeaver AS) uses a database user to perform user management operations on database users. The database user requires the following attributes.

  • The database user must log on with user name and password.

  • The database user has a productive password.

  • You have assigned the database user the following privileges


Necessary authorizations for SAP HANA user administrators:

SQL
PrivilegePrivilege TypeDescription
USER ADMINSYSTEMEnables you to maintain users in the DBMS.
ROLE ADMINSYSTEM

Enables you to grant and revoke roles.

Note: This privilege also grants a user in SAP HANA the authorizations to create and delete roles.

CATALOG READSYSTEMEnables you to display role assignments granted by users other than the user created for the database connection, for example the system user _SYS_REPO.
EXECUTE on the procedure GRANT_ACTIVATED_ROLESQLEnables you to grant roles created in the SAP HANA repository to DBMS users.
EXECUTE on the procedure REVOKE_ACTIVATED_ROLEEnables you to revoke roles created in the SAP HANA repository to DBMS users.


You can also use several personalized DBMS user administrators instead of one fixed technical user that is configured in the database connection. In this case you need to create DBMS user administrators having the same user name as the ABAP user administrators. In the following step (Setup a database connection) you can select between these 2 options.


2. Add a Database Connection

In transaction DBCO: Add a database connection in table DBCON with Change View “Description of Database Connections”: Overview  for the database user and database type HDB:

Steps in Detail:

  1. Start transaction DBCO.
  2. Choose New Entries.
  3. Enter a name for the database connection.
  4. Enter „HDB“ for the database type.
  5. Enter the name of the DBMS user for the connection.
  6. Enter the password for this user. Note: The password must be productive.
  7. Enter the connection information: <hostname>:<port>.
  8. Save your entries.


Optional: Using a Personalized User Administrator in SAP HANA

If you do not want to use one technical user administrator in SAP HANA you can also define in the database connection that the current ABAP user administrator is authenticated in SAP HANA . Precondition is that the user administrator exists in SAP HANA having exactly the same user name as in the ABAP system and having the authorizations mentioned above. You can then set up the database connection as described in SAP Note 2005856

The current ABAP user is then forwarded to SAP HANA in an assertion ticket.


Alternative Steps in Detail (When Using the Personalized User):

  1. Start transaction DBCO.
  2. Choose New Entries.
  3. Enter a name for the database connection.
  4. Enter „HDB“ for the database type.
  5. Enter <space>as name of the DBMS user for the connection.
  6. Enter any password. (It will not be used)
  7. Enter the connection information: @SSO;HOST=<hostname:port>;DBNAME=<name of DB>
  8. Save your entries.

In both cases we recommend you protect the connection with Secure Sockets Layer (SSL).

For more information, see the SAP HANA Security Guide and SAP Note 1718944


3. Enter Database Connection in Table USR_DBMS_SYSTEM

Enter the name of the database connection and the client in the USR_DBMS_SYSTEM view with Maintain Table View (transaction SM30)

Steps in Detail:

  1. Start transaction SM30.
  2. Enter the USR_DBMS_SYSTEM table and choose Maintain.
  3. Choose New Entries.
  4. Enter the name of the connection and the ABAP client.
  5. Save your entries.


Important:

Only customize one ABAP client. The same user ID on different ABAP clients can represent different users with different authorizations. It is not good practice to map user from different clients to the same DBMS user. If you need to support multiple ABAP clients, use SAP Identity Management (SAP ID Management). SAP ID Management has the tools to ensure that users in multiple client represent a single person or identity.




Administration of Users

You can use transaction SU01 for single user maintenance or the ABAP report  RSUSR_DBMS_USERS  for mass synchronization between ABAP and SAP HANA users.

Maintaining Users in ABAP Transaction SU01

In transaction SU01 a new tab named "DBMS" will appear if all configuration steps have been done correctly:

Creation  of Users

Steps in Detail:

  1. Start transaction SU01.
  2. Enter the user name and create the new user.
    SAP
    NetWeaver Application Server (SAP NetWeaver AS) ABAP enters the given ABAP user ID for the DBMS user ID by default. Not all DBMS systems support the same user IDs as SAP NetWeaver AS ABAP. Other DBMS systems may have other restrictions. You can change the SAP HANA user name if needed. If the user name is left empty no SAP HANA user will be created.  If you desire other default values or blank user names for certain users you can implement the BAdI BADI_DBMS_USERNAME_MAPPING.  See also SAP Note 1927767.
  3. Enter data as required, such as Last Name or Initial Password.
  4. You must also enter an initial password for the DBMS user. 
    Note: SAP NetWeaver AS ABAP and the DBMS have independent security policies. We recommend that you make these security policies as similar as possible. For example: You can create all possible security policies in SAP NetWeaver AS ABAP to match any security policy in SAP HANA. You cannot create all possible security policies in SAP HANA to match any security policy in SAP NetWeaver AS.
    For more information, see chapter 7.1 Password Policy in thehttp://help.sap.com/hana/hana_sec_en.pdf SAP HANA Security Guide.
  5. Save your entries.

Note: There is NO synchronization of productive passwords. As soon as a user changes his password on one side they are out of sync.

Editing Users

Changes to the ABAP user do not effect the DBMS user with the following exceptions:

  • Administrative lock: Locking or unlocking theABAP user locks or unlocks the DBMS user.
  • Initial password: As the administrator, you set the initial passwords independently. Users change their own passwords in the separate password change facilities of the different systems.
  • You cannot change the DBMS user mapped to the ABAP user directly. You must delete the DBMS user assignment and save before you can assign an existing DBMS user.
  • Assignment of DBMS authorizations
    For SAP HANA, you
    can only add a remove system privileges for privileges that were assigned by the user configured for the database connection. If you try to remove system privileges assigned by a different user, there is no error message. Although the privilege appears to be removed, the next time you view the user in User Management (transaction SU01), the privilege is still assigned. Exception is repository roles, which are always assigned by the user _SYS_REPO. If you have the required privileges you can remove repository roles.

Deleting Users

When deleting an ABAP user, you are prompted to confirm the deletion of a corresponding SAP HANA user if it exists. Choosing Yes deletes the users in both systems.

Using the Report RSUSR_DBMS_USERS

The  report RSUSR_DBMS_USERS allows mass synchronization between ABAP and DBMS users. There are several user selection possibilities to exactly select the ABAP users that shall be synchronized to the DBMS system.  The report documentation in the system  is quite exhaustive. It is recommended to have a look at it.

Please also see SAP Note 1927767 and SAP Note 2068639

Selection criteria for the report:

  • User
  • User type
  • User group
  • Users having a certain ABAP role assigned
  • Users without corresponding SAP HANA users

It is recommended to first start the report in selection mode to check whether the right ABAP users are selected. Then several updates can be run on the DBMS users.

Available functions:

  • Remove mappings to DBMS users
  • Create and map DBMS users. As in SU01 the BAdI BADI_DBMS_USERNAME_MAPPING can be used to configure the name of the DBMS user that is created.
  • Assign DBMS roles
  • Remove DBMS roles
  • Update user attributes   (Such as e-mail and SNC mapping)

Using the Check Report RSUSR_DBMS_USERS_CHECK

When you synchronize database management system (DBMS) user management with SAP NetWeaver Application Server (SAP NetWeaver AS) user management, you must periodically check that the users SAP NetWeaver AS expects are still available.
This can happen, for example, when a database administrator deletes a DBMS user without the SAP NetWeaver AS administrator knowing about it.


Steps in Detail:

  1. Start report RSUSR_DBMS_USERS_CHECK with ABAP: Program Execution (transaction SA38).
  2. Choose Select inconsistent users.
  3. Enter a range of users.
    Note: To reduce the runtime of the report for systems with large numbers of users, you can specify individual user names or ranges to search for inconsistent data.
  4. Choose Execute.
  5. SAP NetWeaver AS ABAP returns the list of users that are inconsistent, if any. These users are SAP NetWeaver AS ABAP users for which a mapping is saved, but the user saved in the mapping does not exist in the DBMS.
  6. Decide how to handle any inconsistent users.
  7. Choose Back F3.

  8. Enter users or ranges of users and select the appropriate action.
    Create the DBMS user: SAP NetWeaver AS ABAP creates a matching DBMS user. The user has an initial password. You must inform the owner of the users about the new DBMS user and the initial password.
    Remove the mapping: SAP NetWeaver AS ABAP deletes the mapping to the missing DBMS user. Any scenarios dependent on that user in both systems no longer work.

  9. Choose Execute.

51 Comments
Labels in this area