
Overview 

This article gives an overview of the security model for the SAP HANA cockpit (the cockpit), and what permissions different users should be given in order to maintain a smooth-running, secure cockpit. 

There are 3 key users that you should be aware of for the cockpit. They are the:

  1. Cockpit user
  2. Technical user
  3. Database user

These 3 users respectively provide access to the cockpit, access to health data from a resource, and access to resource monitoring and administration. Each of these users operates on a different level of security and it is important to be able to differentiate between them.

The illustration below gives a basic outline of where each user belongs in a typical cockpit setup. 

Cockpit User

The cockpit user is the user that controls access to the web-based interface of the cockpit.

There are 2 roles that can be assigned to a new cockpit user: the Cockpit User role and the Cockpit Resource Administrator role. A user with the Cockpit User role can only monitor resources in specific resource groups through the aggregate My Resources and System Overview pages and is not allowed to access the Cockpit Manager. The Cockpit Resource Administrator, on the other hand, can access the Cockpit Manager, register resources, create resource groups and assign cockpit users and resources to groups, but cannot access the aggregate My Resources and System Overview pages.

Cockpit users must be assigned to at least one resource group, as they are only able to manage resources in the groups to which they are assigned. 

The cockpit user should not be confused with the database user for the SAP HANA databases you monitor. While the cockpit user is used to access the web-based interface of the cockpit, the database user is used to actually manage the database, thus it must have the appropriate roles and privileges to perform the different administration tasks you require (see below for a full description of the database user). To illustrate this difference, a cockpit user that has never authenticated the database user credentials of a resource would never be allowed to see the System Overview page, and would only be allowed to see the aggregate My Resources and Group page. 

The COCKPIT_ADMIN is the only cockpit user created during installation and the only user that can create more cockpit users. To create more cockpit users, follow the instructions below. 

For more documentation on cockpit user management, please see Managing Cockpit Users

Creating a New Cockpit User

Step 1) Log in to the Cockpit Manager as the COCKPIT_ADMIN user, and click Cockpit Users.

Step 2) Click the Create User button 

Step 3) Enter the credentials of the new user you want to create. Click the Step 2 button to proceed to the next step.

Step 4) Select either the Cockpit User role, the Cockpit Resource Administrator role, or both roles to assign to the new user.

Step 5) Choose which Resource Groups the user will have access to by selecting at least one group. If you do not choose any groups, the user will by default have access to no resources. 

Step 6) You have now successfully created a cockpit user and can review the details associated with it. If you ever want to edit or delete the user, you can do so by clicking the buttons in the bottom right corner. 

Technical User

The technical user is used only to gather general resource information during registration, and is used for collecting health information after registration. You should not use the technical user to actually connect to a resource (use a database user instead). The technical user should only have the minimum privileges necessary for collecting alert and health information and not have any extra privileges. Theoretically, it is possible to only register a resource and never connect to it with a database user but still receive alerts since you are only accessing the health data through the technical user role. 

It is not recommended to use the SYSTEM superuser as the technical user for a resource, even during registration, since SYSTEM has far more permissions than a technical user needs. 

If you are registering a database for which no technical user has been set up before, the instructions below show how to create one for SAP HANA 1.0 SPS 12 and SAP HANA 2.0 databases. 

SAP HANA 2.0 Databases

In order to create a technical user with the appropriate permissions to collect health data from an SAP HANA 2.0 database, you must create a user with the CATALOG READ system privilege and SELECT on the _SYS_STATISTICS schema as an object privilege. Since there is no pre-existing role with only the CATALOG READ permission assigned to it, you must first create a new role, then create a new user, and finally assign the role to the user. 

The order of the steps should be:

  1. Initial Connection (instructions in Appendix) 
  2. Creating a New Role (instructions in Appendix)
    1. Make sure to add the SELECT privilege for the _SYS_STATISTICS schema as an object privilege. You will have to search "_SYS_STATISTICS" and then scroll to the bottom of the list to find the schema object. 
  3. Creating a New User (instructions in Appendix)
  4. Assigning new role to a user (instructions in Appendix) 
  5. Reconnecting to resource as the new technical user (instructions at end of section) 

Alternatively, you can also create a new technical user through SQL statements:

    • CREATE USER <username> PASSWORD <password> NO FORCE_FIRST_PASSWORD_CHANGE;
    • GRANT CATALOG READ TO <username>;
    • GRANT SELECT ON SCHEMA _SYS_STATISTICS TO <username>;
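The statements above grant the two privileges directly to the user. The following script is an added example (not from this wiki page) that mirrors the GUI steps instead, placing the privileges in a role and granting the role, and then verifies the result. The role name COCKPIT_MONITORING and the user name COCKPIT_TECH are constructed for the example (the GUI steps use CATALOG_READ as the role name); <password> is a placeholder. It assumes it is run on an SAP HANA 2.0 database as a user with ROLE ADMIN and USER ADMIN, which SYSTEM has during initial setup.

```sql
-- Added example, not from the SAP wiki page: role-based variant of the
-- technical-user setup for SAP HANA 2.0. COCKPIT_MONITORING and COCKPIT_TECH
-- are constructed names; "<password>" is a placeholder to replace.
-- Run as a user with ROLE ADMIN and USER ADMIN (SYSTEM during initial setup).

-- 1. Role holding exactly the two privileges the cockpit needs for health data.
CREATE ROLE COCKPIT_MONITORING;
GRANT CATALOG READ TO COCKPIT_MONITORING;
GRANT SELECT ON SCHEMA _SYS_STATISTICS TO COCKPIT_MONITORING;

-- 2. Technical user. NO FORCE_FIRST_PASSWORD_CHANGE prevents the cockpit's
--    health collection from being blocked by a pending password change.
CREATE USER COCKPIT_TECH PASSWORD "<password>" NO FORCE_FIRST_PASSWORD_CHANGE;

-- 3. Grant the role rather than the privileges directly, so the privilege set
--    can be reviewed and revoked in one place.
GRANT COCKPIT_MONITORING TO COCKPIT_TECH;

-- 4. Verify the role carries only the two intended privileges
--    (expect exactly two rows: CATALOG READ, and SELECT on _SYS_STATISTICS).
SELECT OBJECT_TYPE, SCHEMA_NAME, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE GRANTEE = 'COCKPIT_MONITORING';

-- ... and that the user holds nothing beyond that role and PUBLIC.
SELECT GRANTEE, PRIVILEGE, SCHEMA_NAME
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'COCKPIT_TECH'
 ORDER BY GRANTEE, PRIVILEGE;

-- 5. Smoke test, to be run logged on as COCKPIT_TECH: the alert data the
--    cockpit reads must be selectable. A privilege error here means step 1
--    or step 3 did not take effect.
SELECT TOP 10 * FROM _SYS_STATISTICS.STATISTICS_CURRENT_ALERTS;
```

The two verification queries are the part worth keeping in a runbook: running them after any later change to the role shows immediately whether the technical user has drifted beyond the read-only monitoring scope described above.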

SAP HANA 1.0 SPS 12 Databases

In order to create a technical user with the appropriate permissions to collect health data from an SAP HANA 1.0 SPS 12 database, you must create a user with the sap.hana.admin.roles::Monitoring role. The sap.hana.admin.roles::Monitoring role is a pre-existing role so there is no need to create a new one. 

The order of the steps should be:

  1. Initial Connection (instructions in Appendix) 
  2. Creating a New User (instructions in Appendix)
  3. Assigning new role to a user (instructions in Appendix) 
    1. Instead of adding the custom CATALOG_READ role, add the sap.hana.admin.roles::Monitoring role
  4. Reconnecting to resource as the new technical user (instructions at end of section) 
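For an SAP HANA 1.0 SPS 12 database the role already exists, so only steps 2 and 3 have an SQL equivalent. The script below is an added example (not from this wiki page) showing them. COCKPIT_TECH is a constructed user name and <password> a placeholder. Because sap.hana.admin.roles::Monitoring is a repository (design-time) role, the example assumes it is granted through the _SYS_REPO.GRANT_ACTIVATED_ROLE procedure rather than with a plain GRANT; the calling user needs USER ADMIN and EXECUTE on that procedure, both of which SYSTEM has.

```sql
-- Added example, not from the SAP wiki page: SQL equivalent of steps 2 and 3
-- for SAP HANA 1.0 SPS 12. COCKPIT_TECH is a constructed name and
-- "<password>" a placeholder. Assumes the _SYS_REPO procedures named below.

-- Step 2: create the technical user (no forced first password change, so the
-- cockpit's health collection is not blocked by a pending change).
CREATE USER COCKPIT_TECH PASSWORD "<password>" NO FORCE_FIRST_PASSWORD_CHANGE;

-- Step 3: grant the pre-existing monitoring repository role. Repository roles
-- are granted on behalf of _SYS_REPO through this procedure.
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('sap.hana.admin.roles::Monitoring', 'COCKPIT_TECH');

-- Verify: the monitoring role (grantor _SYS_REPO) plus PUBLIC should be the
-- only roles listed for the user.
SELECT ROLE_NAME, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'COCKPIT_TECH';

-- When the user is retired, revoke the repository role the same way before
-- dropping the user (commented out so the script can be run as a whole):
-- CALL _SYS_REPO.REVOKE_ACTIVATED_ROLE('sap.hana.admin.roles::Monitoring', 'COCKPIT_TECH');
-- DROP USER COCKPIT_TECH;
```

After running it, reconnect the resource as described in the next section so the cockpit stops using SYSTEM for health collection.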

Reconnecting to the Resource as a New Technical User

Once you have created the appropriate technical user, you can now go back to your cockpit manager, and change the technical user from SYSTEM to your newly created user. 

Step 1) Log in to the Cockpit Manager and click the Registered Resources tab. From the Registered Resources page, select the Resource you are interested in, and click the Edit button.

Step 2) Enter the credentials of the new technical user account and then click the Save button. 

Step 3) Notice how you have now successfully changed the technical user. 

Database User

The database user is the user that actually connects to the database, and is used to perform monitoring and administration tasks for the database. Depending on what permissions you have as the database user, certain tiles and apps will be accessible on the System Overview page. The database user is also the user that connects to resources in the Database Explorer. Without a database user, you cannot see the System Overview page of a resource in the cockpit.

Creating roles for database users is much more complex than creating roles for the technical user due to the multiple object and system privileges necessary. Whenever a new user is created, the PUBLIC role is automatically assigned to them allowing them to open the System Overview page, but not actually see any information from the tiles. Other roles must be added if you want to allow users to execute actions against the database. 

It is highly recommended that you do not use SYSTEM for day-to-day activities in production environments. Instead, use it to create database users with the minimum privilege set required for their duties (for example, user administration or system administration). Then deactivate SYSTEM.

Assuming you have already registered the resource successfully, the order of the steps should be: 

  1. Creating a New Role (instructions in Appendix)
    1. To create a new role, follow the instructions in the appendix, but in Step 6, instead of searching "Catalog" scroll through the list of system privileges. You can choose from privileges such as BACKUP OPERATOR, DATABASE ADMIN, LOG ADMIN, MONITOR ADMIN, WORKLOAD CAPTURE ADMIN, WORKLOAD REPLAY ADMIN and more. 
  2. Creating a New User (instructions in Appendix)
  3. Assigning new role to a user (instructions in Appendix) 
  4. Reconnecting to resource as the new database user (instructions at end of section) 
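The following script is an added example (not from this wiki page) that carries out the Create Role, Create User and Assign Role steps above in SQL for three separate duties, reviews the resulting privileges, and then deactivates SYSTEM as recommended. All role and user names are constructed for the example and <password> is a placeholder; it assumes it is run as SYSTEM (or another user holding ROLE ADMIN and USER ADMIN) on an SAP HANA 2.0 database before SYSTEM is deactivated.

```sql
-- Added example, not from the SAP wiki page: least-privilege database users
-- for cockpit administration, one role per duty. Role and user names are
-- constructed; "<password>" is a placeholder. Run as SYSTEM (or any user with
-- ROLE ADMIN and USER ADMIN) before SYSTEM is deactivated.

-- 1. Create a role per duty, each holding only the privileges that duty needs.
CREATE ROLE COCKPIT_BACKUP_OPERATOR;
GRANT BACKUP OPERATOR TO COCKPIT_BACKUP_OPERATOR;

CREATE ROLE COCKPIT_MONITOR_ADMIN;
GRANT MONITOR ADMIN, CATALOG READ TO COCKPIT_MONITOR_ADMIN;
GRANT SELECT ON SCHEMA _SYS_STATISTICS TO COCKPIT_MONITOR_ADMIN;

-- The user-administration role takes over that duty from SYSTEM.
CREATE ROLE COCKPIT_USER_ADMIN;
GRANT USER ADMIN, ROLE ADMIN TO COCKPIT_USER_ADMIN;

-- 2. Create the users. These are interactive administrators, so the default
--    forced password change on first logon is kept.
CREATE USER DBA_BACKUP   PASSWORD "<password>";
CREATE USER DBA_MONITOR  PASSWORD "<password>";
CREATE USER DBA_SECURITY PASSWORD "<password>";

-- 3. Assign roles (roles rather than direct privileges, so membership is
--    reviewable through GRANTED_ROLES).
GRANT COCKPIT_BACKUP_OPERATOR TO DBA_BACKUP;
GRANT COCKPIT_MONITOR_ADMIN   TO DBA_MONITOR;
GRANT COCKPIT_USER_ADMIN      TO DBA_SECURITY;

-- 4. Review before cutting over: every privilege each new user holds and
--    where it came from, so nothing beyond its role (and PUBLIC) slipped in.
SELECT USER_NAME, GRANTEE, OBJECT_TYPE, SCHEMA_NAME, PRIVILEGE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME IN ('DBA_BACKUP', 'DBA_MONITOR', 'DBA_SECURITY')
 ORDER BY USER_NAME, GRANTEE, PRIVILEGE;

-- 5. Only after DBA_SECURITY has logged on and confirmed it can manage users
--    and roles, deactivate SYSTEM. A deactivated user cannot log on but keeps
--    its privileges and can be reactivated with
--    ALTER USER SYSTEM ACTIVATE USER NOW if ever required.
ALTER USER SYSTEM DEACTIVATE USER NOW;

-- Confirm the state change (USER_DEACTIVATED should now be TRUE).
SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME
  FROM USERS
 WHERE USER_NAME = 'SYSTEM';
```

Each of the new users then logs on to the cockpit through Manage Credentials as described in the next section; the tiles shown on the System Overview page for that user follow from the privileges reviewed in step 4.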

Reconnecting to the Resource as a New Database User

Step 1) From the Resource Directory, click the Manage Credentials link for the resource you want to reconnect to.

Step 2) Select the Log on with a different user radio button, and once you have filled out the appropriate fields, confirm by clicking OK.

Appendix

Initial Connection to a Resource

Step 1) Register the resource that you want to connect to. During the initial connection, you will have to use SYSTEM as the technical user. Once we have created a new user with the suitable permissions, we will come back and change the technical user. Finish the registration as you would normally. 

Step 2) Log into your cockpit aggregate My Resources page, and from the Resource Directory, click Enter Credentials. 

Step 3) Although it is not recommended to use SYSTEM as a database user, since this is the first time we are connecting to the database, we will have to use SYSTEM. If you have another user that also has the necessary user management privileges, you can log in as the database user with that user's credentials instead. 

Creating a New Role

Step 1) On the System Overview Page, click Manage roles.

Step 2) From the Manage roles app, click the plus icon to add a new role.


Step 3) Enter a name for the role, and click Save. For the purpose of this guide, we are going to name the role CATALOG_READ but you can choose another suitable name. 


Step 4) Click the System Privileges tab, and then click the Edit button. 

Step 5) Click the Add button to add a privilege.

Step 6) Search for "catalog" and select the CATALOG READ privilege. Click the OK button. 

Step 7) Click the Save button to save your edits to the role. 

Step 8) Notice how the CATALOG READ privilege has been added to the CATALOG_READ role. You can now click the back button or the System Overview button to return to the System Overview page. 

Creating a New User

Step 1) From the System Overview page, click the Manage users link. 


Step 2) From the Manage users app click the plus icon, and then click Create User.

Step 3) Enter the user name of your new user and choose an authentication method for the new user. In this guide, we are going to use passwords as the authentication method and complete the appropriate fields. You can also configure other properties of the user on this screen. Once you are happy with your user, click the Save button. 


You have now successfully created a new user.

Assigning Roles to a New User

Step 1) From the System Overview page, click the Assign role to users link. 

Step 2) Search the name of the user you want to assign a role to and select the appropriate entry when it appears. 

Step 3) Click the Edit button beside the search bar. 

Step 4) Click the Assign Roles button beside the search bar. 

Step 5) Search for the role you want to add, select the role, and then click OK. 

Step 6) Click the Save button. 

Step 7) You have now successfully assigned a role to your user. You can see the new role that was added in the table of Assigned Roles. 
