
DBA Cockpit for SAP HANA: Authorizations

Use

In addition to the authorization objects S_TCODE and S_RZL_ADM, you also require authorizations for the specific functions you want to use.

The sections that follow provide an overview of the SAP authorizations and database privileges required to work with DBA Cockpit for SAP HANA.

Note

An authorization check is performed when you start DBA Cockpit or change to another system in DBA Cockpit.

SAP Authorizations

Authorization Object

Description

S_DBCON

This authorization object has the following fields:

  • DBA_DBHOST: host name of the database

  • DBA_DBSID: database name

  • DBA_DBUSER: database user or database login

  • ACTVT: permitted activity

    • 03 Display

      Display data with little or no security relevance. For example, the database cache hit ratio, the size of individual data files, or the CPU consumption of the database system.

    • 71 Analyze

      This activity is not used for SAP HANA.

    • 23 Maintain

      Permission to change database parameters and database settings on the remotely connected database. For example, changing INI parameters or stopping a service.

    • 36 Extended Maintenance

      Authorization to execute all kinds of SQL statements on the database. This authorization is extremely powerful and should not be granted on a routine basis.

S_DBCON allows you to create additional DBA Cockpit entries for the same database using different DB users, and to assign different SAP authorizations for the different DBA Cockpit entries.

Example

If an SAP user has the S_DBCON authorizations (host, DB name, DB user, activity) = (pwdf1234; ABC; USER1; 03) and (pwdf1234; ABC; USER2; 03+23), that user can only execute display applications in the DBA Cockpit entry that has DB user = USER1. In the DBA Cockpit entry that has DB user = USER2, the user can additionally run the maintenance applications, but nothing more. The IMPORT function cannot be used with either of the two DBA Cockpit entries, because it requires activity 36 (Extended Maintenance).

SAP Roles
Table 1: SAP Roles
SAP Role Description

SAP_BC_S_DBCON_USER

This SAP role contains display authorizations for DBA Cockpit (S_DBCON).

SAP_BC_S_DBCON_ADMIN

This SAP role contains maintenance authorizations for DBA Cockpit (S_DBCON).

With this role, all nodes in DBA Cockpit are active and all buttons in all applications are enabled, with the following exceptions:

  • IMPORT TABLE function

  • UPDATE/DELETE/INSERT commands in the SQL Editor

To use these features, you need to manually create a role that contains the authorization ACTVT=36 of S_DBCON.

Note

To display the individual authorization objects in the roles SAP_BC_S_DBCON_ADMIN and SAP_BC_S_DBCON_USER, use transaction code PFCG.

SAP HANA Privileges

To be able to access the database, the user used for remote monitoring must be assigned sufficient privileges. The following users can be used:

  • For monitoring tasks, local systems use the user for the primary database connection.

    This user already has sufficient database privileges to perform monitoring tasks.

  • Systems monitored through remote database connections use the user specified for the database connections.

    This user must be assigned sufficient privileges for the tasks to be performed.

Below is an overview of the privileges needed to use all the features in DBA Cockpit for SAP HANA:

Table 2: SAP HANA Privileges

Privilege

Use

BACKUP ADMIN

This system privilege allows you to schedule backups with DBA Planning Calendar.

CATALOG READ

This system privilege allows you to display system and monitoring views.

INIFILE ADMIN

This system privilege allows you to display and change configuration files (.ini files) and statistics server alert thresholds.

SERVICE ADMIN

This privilege allows you to display, stop, cancel, and configure services.

TRACE ADMIN

This system privilege allows you to display, delete and clear traces.

Note

TRACE ADMIN is not used with SAP HANA.

DATA ADMIN

This system privilege allows you to read all data in the system and monitoring views.

It also allows execution of Data Definition Language (DDL) commands in the SAP HANA database.

Users with this system privilege cannot select or change data stored in tables for which they do not have access privileges, but they can delete those tables and change their table definitions.

SQL privilege: SELECT on all tables/views of schema _SYS_STATISTICS

Display current alerts and alert checks information.

SQL privilege: SELECT on table SAP<SID>.SVERS

Read the SAP release.

SQL privilege: SELECT on table SAP<SID>.CVERS

Read the SAP components.

SQL privilege: EXECUTE ON SYS.MANAGEMENT_CONSOLE_PROC

Database Roles

The database roles contain the privileges described in the previous section.

Table 3: Database Roles
Database Role Description

DBA_COCKPIT

This role has all the database privileges described in the section System Privileges and Object Privileges.

This role is installed with an SAP system. It is only needed for an SAP system used with the SAP HANA database.

MONITORING

This role is a part of the DBA_COCKPIT role.

This role contains privileges for full read-only access to all metadata, the current system status in system and monitoring views, and the data collected by the statistics server.

Database Users

You can use DBA Cockpit to monitor the local database, that is, the SAP HANA database on which this SAP system is installed, or a remote SAP HANA database. For example, in a Solution Manager system you can use DBA Cockpit to monitor the SAP HANA database of your BW system. A different database user is recommended for each scenario.

Table 4: Database Users
Database User Content

SAP<SID>

This database user is recommended for use with a local SAP HANA database, as it can access sensitive business data.

DBACOCKPIT

The DBACOCKPIT user is recommended for use with a remote SAP HANA database, as it cannot access sensitive business data.

DBACOCKPIT is created during the installation of the SAP system and has the authorizations required for DBA Cockpit.

Note

For security reasons, we do not recommend using the DB user SAP<SID> to monitor remote systems.

This is because there is a risk that a user in the monitoring system could access the business data of the monitored SAP HANA database. If you nevertheless want to do this, you can still use the DB user SAP<SID>. In this case, however, you should secure access to DBA Cockpit with the SAP authorization concept by not granting any SAP user in the monitoring system the SAP authorization to call the SQL Editor of DBA Cockpit.

Note

In earlier SAP releases, the DBACOCKPIT user was called DBACOCKPIT<SID>.

Customer-specific user

You can create your own database user with reduced or enhanced privileges.

The user should have at least the following authorizations to be able to use all the functionality of DBA Cockpit:

  • BACKUP ADMIN

  • CATALOG READ

  • INIFILE ADMIN

  • SERVICE ADMIN

  • TRACE ADMIN

  • SQL Privileges: SELECT on all tables/views of schema _SYS_STATISTICS

  • SQL Privileges: SELECT on table SAP<SID>.SVERS

  • SQL Privileges: SELECT on table SAP<SID>.CVERS

More information: Section SAP HANA Privileges

Note

To use DBACOCKPIT for display only, you can:

  • Use the SAP authorization role SAP_BC_S_DBCON_USER.

  • Use a database user with fewer privileges. For example, a database user that has only the database role MONITORING.
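The customer-specific user described above and the display-only variant from the note can be set up with the SQL shown below. This is an added example, not SQL from the SAP documentation: the user names DBACOCKPIT_MON and DBACOCKPIT_FULL and the passwords are placeholders, and the monitored system's SID is assumed to be ABC (so its ABAP schema is SAPABC, following the SAP<SID> pattern on this page). The privilege names are exactly those listed in the SAP HANA Privileges section; the final queries read the SYS.GRANTED_PRIVILEGES and SYS.EFFECTIVE_PRIVILEGES catalog views to verify the result.

```sql
-- Added example (not from the SAP documentation). Run in the monitored SAP HANA
-- database as a user that may create users and grant the privileges below.
-- Assumptions: SID = ABC (ABAP schema SAPABC); user names and passwords are placeholders.

-- 1. Display-only monitoring user: the MONITORING database role alone gives
--    read-only access to metadata, system/monitoring views and statistics data.
CREATE USER DBACOCKPIT_MON PASSWORD "<placeholder-password>";
GRANT MONITORING TO DBACOCKPIT_MON;

-- 2. Full-function monitoring user: the privilege set from the page, granted
--    individually instead of reusing SAP<SID>, so no business tables are readable.
CREATE USER DBACOCKPIT_FULL PASSWORD "<placeholder-password>";
GRANT BACKUP ADMIN  TO DBACOCKPIT_FULL;   -- schedule backups (DBA Planning Calendar)
GRANT CATALOG READ  TO DBACOCKPIT_FULL;   -- display system and monitoring views
GRANT INIFILE ADMIN TO DBACOCKPIT_FULL;   -- display/change .ini files, alert thresholds
GRANT SERVICE ADMIN TO DBACOCKPIT_FULL;   -- display, stop, cancel, configure services
GRANT TRACE ADMIN   TO DBACOCKPIT_FULL;   -- listed in the required set on this page
GRANT SELECT ON SCHEMA _SYS_STATISTICS TO DBACOCKPIT_FULL;   -- alerts and alert checks
GRANT SELECT ON SAPABC.SVERS TO DBACOCKPIT_FULL;              -- read the SAP release
GRANT SELECT ON SAPABC.CVERS TO DBACOCKPIT_FULL;              -- read the SAP components
GRANT EXECUTE ON SYS.MANAGEMENT_CONSOLE_PROC TO DBACOCKPIT_FULL;

-- 3. Verify the directly granted privileges of the full-function user.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'DBACOCKPIT_FULL'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;

-- 4. The display-only user receives its privileges through the role, so check the
--    effective (role-derived) privileges rather than the direct grants.
SELECT USER_NAME, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'DBACOCKPIT_MON'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;

-- 5. Confirm that DATA ADMIN (which permits DDL such as dropping tables the user
--    cannot read) did not reach either user. Expected: no rows.
SELECT USER_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME IN ('DBACOCKPIT_MON', 'DBACOCKPIT_FULL')
   AND PRIVILEGE = 'DATA ADMIN';
```

The two users map to the two SAP-side roles: pair DBACOCKPIT_MON with SAP_BC_S_DBCON_USER for display-only entries, and DBACOCKPIT_FULL with SAP_BC_S_DBCON_ADMIN. Neither user needs ACTVT 36 on the SAP side unless the IMPORT TABLE function or write access in the SQL Editor is really required.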

More information: SAP Note 1640741 (FAQ: "DB users for the DBA Cockpit for SAP HANA"). Refer to this SAP Note for the latest information about authorizations for DBA Cockpit.

Switching Database Users

To switch from one database user to another, follow the steps described in the section Changing a Database Connection.