Authorizations for Using DBA Cockpit

The authorization concept for DBA Cockpit comprises SAP authorization objects and SAP roles, SAP HANA database privileges and database roles, as well as database users and operating system users.

An authorization check is performed when you start DBA Cockpit or change to another system entry in DBA Cockpit.

Basic authorization objects for using DBA Cockpit are S_TCODE and S_RZL_ADM.

To use specific functions, you additionally require one or more of the following authorizations.

SAP Authorization

Authorization Object | Description

S_DBCON | This authorization object has the following fields:

  • DBA_DBHOST: host name of the database
  • DBA_DBSID: database name
  • DBA_DBUSER: database user or database login
  • ACTVT: permitted activity
    • 03 Display

      Display data with little or no security relevance. For example, the database cache hit ratio, the size of individual data files, or the CPU consumption of the database.

    • 71 Analyze

      This value is not used for SAP HANA.

    • 23 Maintain

      Permission to change database parameters and database settings on a remotely connected database. For example, changing INI parameters or stopping a service.

    • 36 Extended Maintenance

      Authorization to execute all kinds of SQL statements on the database. This authorization is extremely powerful and should not be granted on a routine basis.

S_DBCON allows you to add database systems to the overview of system entries. You can also add further entries for an existing system, each with a different database user. In this way, you can assign different SAP authorizations to the individual database users of one database.

Example

If an SAP user has been assigned the S_DBCON authorizations (host, DB name, DB user, activity) = (pwdf1234; ABC; USER1; 03) and (pwdf1234; ABC; USER2; 03+23), that user can only execute display applications in the DBA Cockpit entry with DB user = USER1. With the DBA Cockpit entry with DB user = USER2, the user can additionally run the DBA Cockpit maintenance applications, but nothing else. The IMPORT function cannot be used with either entry without ACTVT 36 (Extended Maintenance).

SAP Roles
SAP Role | Description

SAP_BC_S_DBCON_USER | Contains the authorizations for the display functions of DBA Cockpit (see SAP Authorization, S_DBCON, ACTVT 03). Use this role for display-only access.

SAP_BC_S_DBCON_ADMIN | Contains the authorizations for executing all transactions in DBA Cockpit (see SAP Authorization, S_DBCON).

With this role, all nodes in DBA Cockpit are active and all buttons in all applications are enabled, with the following exceptions:

  • IMPORT TABLE function
  • UPDATE/DELETE/INSERT commands in the SQL Editor

To use these features, you need to manually create a role that contains the authorization ACTVT=36 of S_DBCON.

Note To display the individual authorization objects in the roles SAP_BC_S_DBCON_ADMIN and SAP_BC_S_DBCON_USER, use transaction code PFCG.
SAP HANA Privileges
Table 1: System Privileges

Privilege | Description
BACKUP ADMIN | Schedule backups with the DBA Planning Calendar
CATALOG READ | Display system and monitoring views
INIFILE ADMIN | Display and change configuration files (.ini files) and statistics server alert thresholds
SERVICE ADMIN | Display, stop, cancel, and configure services
TRACE ADMIN | Display, delete, and clear traces

Table 2: SQL Privileges

Privilege | Description
SELECT, UPDATE, and DELETE on all tables/views of schema _SYS_STATISTICS | Display current alerts and alert check information
SELECT on table SAP<SID>.SVERS | Read the SAP release
SELECT on table SAP<SID>.CVERS | Read the SAP components
EXECUTE on procedure MANAGEMENT_CONSOLE_PROC | Activate the kernel profiler
SELECT on table SAP<SID>.LCAALERTS | Read liveCache-specific alerts
Database Roles

The database roles described in the following contain the privileges described in the previous section.

Database Role | Description

DBA_COCKPIT | Contains all the database privileges described in the section SAP HANA Privileges. This role is only needed for an SAP system running on an SAP HANA database; it is installed when that SAP system is installed.

MONITORING | Part of the DBA_COCKPIT role. Contains privileges for full read-only access to all metadata, to the current system status in the system and monitoring views, and to the data collected by the statistics server.

Database Users

Which database user to use depends mainly on whether you want to monitor a local database or a database that can only be reached through a remote connection. We recommend that you create separate database users for the two scenarios.

  • For monitoring local databases, use the user of the primary database connection. This user already has sufficient database privileges to perform monitoring tasks.
  • For monitoring systems via a remote database connection (secondary database connection), use a user specified for that database connection. This user should be assigned the minimum privileges required for the tasks to be performed.
Note

For security reasons, we do not recommend using the SAP<SID> user to monitor remote systems, because this user can also access the business data of the monitored SAP HANA database. If you nevertheless want to do this, you can still use the SAP<SID> database user; in that case, restrict access to DBA Cockpit with the SAP authorization concept (in particular S_DBCON).

For the same reason, do not grant the SAP authorization for calling the SQL Editor of DBA Cockpit to users who only monitor systems, especially not for system entries whose database user can read business data.
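The following audit queries are an added example and are not part of SAP's documentation. They show how to check, on the SAP HANA side, whether the database user behind a DBA Cockpit system entry can reach business data or holds system privileges beyond the five listed under SAP HANA Privileges. The SID ABC (ABAP schema SAPABC) and the user name DBACOCKPIT_REMOTE are assumptions. The queries read the SAP HANA system view SYS.EFFECTIVE_PRIVILEGES, which resolves privileges granted directly and through roles and requires a filter on USER_NAME.

```sql
-- Added audit example, not taken from SAP's documentation. Assumptions:
-- SID ABC (ABAP schema SAPABC) and a DBA Cockpit connection user named
-- DBACOCKPIT_REMOTE. SYS.EFFECTIVE_PRIVILEGES resolves privileges granted
-- directly and through roles; it must be filtered on USER_NAME.

-- 1. Privileges that reach into the business-data schema SAPABC. DBA Cockpit
--    itself needs only SVERS, CVERS and LCAALERTS there; any other row, in
--    particular a SCHEMA-level SELECT, lets the SQL Editor read business data.
--    GRANTEE shows the role (or the user) through which the privilege arrives.
SELECT grantee, grantee_type, object_type, schema_name, object_name, privilege
  FROM sys.effective_privileges
 WHERE user_name   = 'DBACOCKPIT_REMOTE'
   AND schema_name = 'SAPABC'
   AND NOT (object_type IN ('TABLE', 'VIEW')
            AND object_name IN ('SVERS', 'CVERS', 'LCAALERTS'))
 ORDER BY object_type, object_name, privilege;

-- 2. System privileges beyond the five listed under SAP HANA Privileges.
--    Anything returned here (for example DATA ADMIN or USER ADMIN) is not
--    needed by DBA Cockpit and should be revoked from a monitoring user.
SELECT privilege, grantee, grantee_type
  FROM sys.effective_privileges
 WHERE user_name   = 'DBACOCKPIT_REMOTE'
   AND object_type = 'SYSTEMPRIVILEGE'
   AND privilege NOT IN ('BACKUP ADMIN', 'CATALOG READ', 'INIFILE ADMIN',
                         'SERVICE ADMIN', 'TRACE ADMIN')
 ORDER BY privilege;
```

Run both queries for every database user that appears in a DBA Cockpit system entry; an empty result for both means the user is limited to what DBA Cockpit needs. Running query 1 with the SAP<SID> user in place of DBACOCKPIT_REMOTE illustrates the note above: that user holds privileges on the whole business-data schema.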

Table 3: Database Users

Database User | Content

SAP<SID> | Recommended for use with a local SAP HANA database, as it is the database user that every application uses.

DBACOCKPIT | Recommended for use with a remote SAP HANA database, as it cannot access sensitive business data. The DBACOCKPIT user is created during the installation of the SAP system and has the privileges required for DBA Cockpit. Note: In earlier SAP releases, the DBACOCKPIT user was called DBACOCKPIT<SID>.

Customer-specific user | You can create customer-specific database users with reduced or enhanced privileges.

To be able to use all the functions of DBA Cockpit, these users need at least the following privileges:

  • BACKUP ADMIN
  • CATALOG READ
  • INIFILE ADMIN
  • SERVICE ADMIN
  • TRACE ADMIN
  • SQL Privileges: SELECT on all tables/views of schema _SYS_STATISTICS
  • SQL Privileges: SELECT on table SAP<SID>.SVERS
  • SQL Privileges: SELECT on table SAP<SID>.CVERS

More information: Section SAP HANA Privileges

Note To use DBA Cockpit for display only, you can choose one of the following. Your decision should be based on user-specific or database-specific security considerations.
  • Use the SAP role SAP_BC_S_DBCON_USER
  • Use a database user with fewer privileges than the DBACOCKPIT user

    For example, a database user that has only the database role MONITORING.
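The following SAP HANA SQL script is an added example and is not part of SAP's documentation. It creates the two kinds of customer-specific user described above: one with exactly the minimum privileges listed for full DBA Cockpit functionality, and one display-only user holding just the MONITORING role. It then verifies the first user against the required list. The SID ABC (ABAP schema SAPABC), the user names DBACOCKPIT_ABC and DBACOCKPIT_RO, and the passwords are assumptions; run it as a database user that may create users and grant these privileges and roles.

```sql
-- Added example, not taken from SAP's documentation. Assumptions: the SAP
-- system has SID ABC (ABAP schema SAPABC); the user names DBACOCKPIT_ABC and
-- DBACOCKPIT_RO and the initial passwords are placeholders. Run as a database
-- user that may create users and grant these privileges and roles.

-- A) Customer-specific user with the minimum privileges for all DBA Cockpit
--    functions, as listed in the section above.
CREATE USER DBACOCKPIT_ABC PASSWORD "Replace-This-Initial-Pwd1"
    NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER DBACOCKPIT_ABC DISABLE PASSWORD LIFETIME;  -- technical user, no expiry

GRANT BACKUP ADMIN, CATALOG READ, INIFILE ADMIN, SERVICE ADMIN, TRACE ADMIN
    TO DBACOCKPIT_ABC;
GRANT SELECT ON SCHEMA _SYS_STATISTICS TO DBACOCKPIT_ABC;
GRANT SELECT ON SAPABC.SVERS TO DBACOCKPIT_ABC;
GRANT SELECT ON SAPABC.CVERS TO DBACOCKPIT_ABC;

-- B) Display-only user for remote monitoring: the MONITORING role and nothing
--    else, so the SQL Editor cannot reach SAPABC business data even if the
--    SAP-side authorization for it were granted by mistake.
CREATE USER DBACOCKPIT_RO PASSWORD "Replace-This-Initial-Pwd2"
    NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER DBACOCKPIT_RO DISABLE PASSWORD LIFETIME;
GRANT MONITORING TO DBACOCKPIT_RO;

-- C) Verification: list every required privilege that DBACOCKPIT_ABC does not
--    hold, directly or through a role. An empty result means the user is
--    complete; each returned row is a missing GRANT.
SELECT req.privilege, req.object_type, req.schema_name, req.object_name
  FROM (
        SELECT 'BACKUP ADMIN' AS privilege, 'SYSTEMPRIVILEGE' AS object_type,
               CAST(NULL AS NVARCHAR(256)) AS schema_name,
               CAST(NULL AS NVARCHAR(256)) AS object_name FROM dummy
        UNION ALL SELECT 'CATALOG READ',  'SYSTEMPRIVILEGE', NULL, NULL FROM dummy
        UNION ALL SELECT 'INIFILE ADMIN', 'SYSTEMPRIVILEGE', NULL, NULL FROM dummy
        UNION ALL SELECT 'SERVICE ADMIN', 'SYSTEMPRIVILEGE', NULL, NULL FROM dummy
        UNION ALL SELECT 'TRACE ADMIN',   'SYSTEMPRIVILEGE', NULL, NULL FROM dummy
        UNION ALL SELECT 'SELECT', 'SCHEMA', '_SYS_STATISTICS', NULL FROM dummy
        UNION ALL SELECT 'SELECT', 'TABLE',  'SAPABC', 'SVERS'  FROM dummy
        UNION ALL SELECT 'SELECT', 'TABLE',  'SAPABC', 'CVERS'  FROM dummy
       ) req
  LEFT JOIN (
        SELECT privilege, object_type, schema_name, object_name
          FROM sys.effective_privileges
         WHERE user_name = 'DBACOCKPIT_ABC'   -- mandatory filter for this view
       ) ep
    ON  ep.privilege   = req.privilege
    AND ep.object_type = req.object_type
    AND (req.schema_name IS NULL OR ep.schema_name = req.schema_name)
    AND (req.object_name IS NULL OR ep.object_name = req.object_name)
 WHERE ep.privilege IS NULL;
```

Part A deliberately grants SELECT only on _SYS_STATISTICS, matching the customer-specific list above rather than the broader SELECT/UPDATE/DELETE that the DBA_COCKPIT role carries; add EXECUTE on MANAGEMENT_CONSOLE_PROC and SELECT on SAPABC.LCAALERTS only if the kernel profiler or liveCache alerts are actually used. After creating the users, enter them in DBA Cockpit as described under Add or Change Database Users.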

More information: SAP Note 1640741 (FAQ: "DB users for the DBA Cockpit for SAP HANA"). Refer to this SAP Note for the latest information about authorizations for DBA Cockpit.

Add or Change Database Users

To add several database users with different authorizations for a system administered in DBA Cockpit, proceed as described in Add a Database Connection.

To change from one database user to another for a system entry, follow the steps described in Update a Database Connection.