This blog explains security unification in BW on HANA. In older versions (i.e. BW on a traditional DB), if we create a user in the SAP system, data security restrictions are confined to that particular SAP system. In the latest versions of BW on HANA, however, a new DBMS tab is enabled where we can create users in the SAP system and they are automatically created in the back-end HANA DB without any additional effort. The next steps of the blog explain how security is unified between BW and the HANA DB and how user administration is done.
Create User:TEST in t.code SU01
During user creation, assign SAP_ALL (as an example) in the Profiles tab
Click on the DBMS tab (this tab can be enabled in SU01 by implementing certain steps and SAP Notes)
On saving the user:TEST, Role:Public, which has basic authorizations, will be automatically assigned by the back-end HANA DB. Now the user:TEST is created both in the SAP system (Application Server) and in HANA DBMS
Now log in to HANA Studio rev74 (you may use any HANA Studio greater than rev74) and navigate to the Security folder - Users
As we created the user in SU01 along with the DBMS user, User:TEST is automatically replicated to the HANA DB
Here, for user:TEST, all the security and data restrictions are automatically replicated to the HANA DB, where end users can consume BW-generated models for reporting purposes
Now let us look at the snapshot of user administration in two aspects
1. Deleting user in SU01
In t.code:SU01 try deleting user:TEST
The system will prompt whether the DBMS user that was created in the HANA DB needs to be deleted. If "YES" is clicked, the user is deleted both in the SAP system (Application Server) and in the HANA DB, so there will be no inconsistencies
As explained earlier user:TEST is deleted in HANA DBMS
Now let us recreate User:TEST in the BW system, which will also recreate it in HANA DBMS
2. Deleting user in HANA DBMS
Now delete user:TEST in the HANA DB by navigating to Security -> Users -> right-click on User:TEST -> click on Delete, and the user will be deleted
In the above case there will be an inconsistency, because the HANA database administrator might have deleted the DBMS user without the NetWeaver Application Server administrator knowing about it. To remove the inconsistency for the user, perform the steps below
Go to T.Code:SA38
Enter Program: RSUSR_DBMS_USERS_CHECK and Click on Execute
Now enter User:TEST, choose "Select inconsistent users" and click on Execute to check whether the user is consistent or not
As the HANA DB administrator has deleted DBMS user:TEST, the report shows that the DBMS user does not exist, which implies the user is not consistent, as it was created from SU01 along with the user in the application server
Now select the option "Remove DBMS user mapping" and click on Execute; the DBMS user mapping will be removed and the user will be consistent from then on
As the DBMS user mapping is adjusted/removed, user:TEST will now be consistent
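The states described above can also be checked from the HANA SQL console instead of the Security folder. This is an added example, not part of the original post; it assumes the connected user is allowed to read the SYS.USERS and SYS.GRANTED_ROLES system views and uses the user name TEST from this walkthrough.

```sql
-- Added example: verify on the HANA side what SU01 provisioned.
-- 'TEST' is the user from this walkthrough; adjust as needed.

-- 1. Does the DBMS user exist, who created it, and is it active?
--    After saving in SU01 this returns one row.
--    After the deletion in step 2 (delete in HANA DBMS) it returns no rows.
SELECT USER_NAME,
       CREATOR,
       CREATE_TIME,
       USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USER_NAME = 'TEST';

-- 2. Which roles does the DBMS user hold, and who granted them?
--    Directly after creation from SU01 the post expects only PUBLIC here.
SELECT GRANTEE,
       ROLE_NAME,
       GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'TEST'
 ORDER BY ROLE_NAME;

-- 3. Review aid: count roles other than PUBLIC for the user.
--    A non-zero EXTRA_ROLES value means someone granted additional
--    roles after the initial provisioning and is worth reviewing.
SELECT u.USER_NAME,
       COUNT(r.ROLE_NAME) AS EXTRA_ROLES
  FROM SYS.USERS AS u
  LEFT JOIN SYS.GRANTED_ROLES AS r
         ON r.GRANTEE = u.USER_NAME
        AND r.ROLE_NAME <> 'PUBLIC'
 WHERE u.USER_NAME = 'TEST'
 GROUP BY u.USER_NAME;
```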
With this, we can conclude that there is security unification in BW and HANA. The same security/data restrictions can also be replicated to Design Studio, Lumira and HANA Live for BW-generated information models.