Former Member

[PE4AD] Java and XSJS apps using dedicated DB schema per each user

Hi Experts,

Description of our case:

There is a single, productive HCP instance with one HANA XS database, one Java and one XSJS application. To run the applications, some data from multiple on-premise SAP systems must be obtained using multiple HANA Cloud Connectors. For this reason, multiple accounts within this instance have been created. It is possible to use the database as well as the Java and XS apps only from the main account, so all new accounts have been subscribed to the Java app and users are now able to run the Java app hosted on the main account using a dedicated URL (each account receives a dedicated URL). The Java app hosted on the main account is then able to obtain data from multiple Cloud Connectors and to recognize by which account it has been executed.

The issue:

Data obtained from each Cloud Connector must be separated, so there are dedicated schemas created within the main database. Each user and account should have access only to the dedicated schema, and the Java app as well as the XS app should automatically use only data from the schema which is 'mapped' to the user. How can such an account mapping be implemented, and access to any schema which should not be used by the particular account be disallowed? Is there any mechanism in HCP which would allow implementing such a process in a secure way? There is no multi-tenant database available on productive HCP instances, so unfortunately tenants cannot be used in this case.

Do you have any idea about possible implementation for the above case?


1 Answer

  • Best Answer
    Posted on Jul 20, 2016 at 07:50 AM

    Hi Olga,

    Sounds like a pretty weird scenario. :-)

    The separation based on the accessing account is described in the persistence service section of Multitenant Applications - depending if you use JPA or SQL. It should then be quite easy to adapt this also to the additional info regarding the user.

    To your main question:

    In Java, you can separate the data on two different levels: column-based and schema-based (as MDC is not available yet on HANA on HCP).

    From a security perspective, I would prefer using a dedicated schema per user/tenant.

    Creating a schema in the HANA DB is described in Creating Schemas. You create a new datasource per schema and do a lookup of the schema via your discriminators, as described in Using Dynamic Data Source Lookup.

    In XS, the situation is different.

    By the way:

    You are not right that you cannot use the HANA DB of the main account in your sub-accounts.

    You can provide access to a schema of the HANA DB to applications in a sub-account as well, as described here.

    But in your scenario, the approach with using a central application and subscribing to that from sub-accounts makes even more sense.

    Best regards,

    Timo


    • Hi Olga,

      You are right, in XS it works differently.

      Just some thoughts how you could do it either:

      Assuming that you manually create the schema by creating a new DB user.

      Then the created user has access to the schema by default. When you now use an XS application, you can connect to exactly that schema that the user is assigned to.

      The remaining challenge is to detect the logged-in user and use that as a variable to define the schema name you want to access.

      Did you already try this?

      Best regards,

      Timo
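
The comment above leaves open how to turn the logged-in user into a schema name. As an added example that is not part of the original thread or of SAP's code: a fail-closed lookup that maps the authenticated user to its dedicated schema through a server-side allowlist rather than building the name from input. The user, schema and table names are constructed, and the user name is assumed to come from the authenticated session (in XSJS, `$.session.getUsername()`).

```javascript
// Added example: fail-closed mapping from authenticated user to schema.
// SCHEMA_BY_USER and every name in it are constructed sample values.

// Server-side allowlist: authenticated user name -> dedicated schema.
// It lives in code or configuration the caller cannot influence.
const SCHEMA_BY_USER = new Map([
  ['ACCOUNT_A_USER', 'ACCOUNT_A_DATA'],
  ['ACCOUNT_B_USER', 'ACCOUNT_B_DATA'],
]);

// Plain identifier: a letter first, then letters, digits or underscore.
const IDENTIFIER = /^[A-Z][A-Z0-9_]{0,126}$/;

function resolveSchema(userName, mapping = SCHEMA_BY_USER) {
  if (typeof userName !== 'string' || userName.length === 0) {
    throw new Error('no authenticated user');
  }
  // Exact match only: no prefix match and no default schema as a fallback.
  const schema = mapping.get(userName);
  if (schema === undefined) {
    throw new Error('no schema mapped for user');
  }
  // Defence in depth: reject a mapping entry that is not a plain identifier.
  if (!IDENTIFIER.test(schema)) {
    throw new Error('invalid schema name in mapping');
  }
  return schema;
}

// Schema and table names cannot be bound as SQL parameters, so both are
// validated and quoted as identifiers before entering the statement text.
function qualifiedTable(userName, table, mapping = SCHEMA_BY_USER) {
  if (!IDENTIFIER.test(table)) {
    throw new Error('invalid table name');
  }
  return `"${resolveSchema(userName, mapping)}"."${table}"`;
}

// Statement text for one user's table; row values would still be bound
// as parameters by the caller.
function selectAllFor(userName, table) {
  return `SELECT * FROM ${qualifiedTable(userName, table)}`;
}
```

This lookup complements the per-schema database users described in the thread; it does not replace them.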
