Skip to Content

XSA Users: Only from SYSTEM TENANT DB ?

Hi there,

While i was configuring a new Tenant Database on SAP HANA Express 2.0 SPS 2, i figured that you could only load Users from the SYSTEM TENANT DB into XSA (like SAP Web IDE for Instance), that the other Users created on my new Tenants could not be found to be configured for XSA ?

Is this real ?
Can only the SYSTEM TENANT DB hold Users for XSA ?

Thank you.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    Dec 13, 2017 at 01:05 AM

    Yes this is correct. The XSA user store and role information can only be used with a single tenant. You only have one UAA and its connected to a single tenant even in an MDC scenario.

    Add comment
    10|10000 characters needed characters exceeded

    • Thomas Jung Andrii Ivanyshyn

      >as functionality let existing user to use XSA is a little bit useless as in system db supposed only admins to work and XSA would be more used by developers or functional teams.


      You misunderstand how XSA is using the SYSTEMDB. Although it uses the SYSTEMDB for persistence, this doesn't mean that the users have to be setup with access to the SYSTEMDB. Even when you use the HDB User Store instead of an External Identity Provider, those users can be setup with no DB access. XSA is just using the User Information to authenticate them at the application level. For DB access you are connecting with a different technical user anyway (and often to a different tenant).

  • 5 days ago
    -1

    I am a little confused as well.

    I get that the db objects are run by the HDI tech user but how does this work for application access

    Example

    • 1000+ users on a Tenant system today that consume XSC applications.
    • These users also consume A4O and need to have a db account on the Tenant to support our A4O security setup
    • When we convert our XSC applications to XSA it is our intent to continue using the HANA database user store from the Tenent.
    • Does this work or will each of these users also need to now have an account created on the system database as well.
    Add comment
    10|10000 characters needed characters exceeded

    • Right now each of these users would have to be setup twice - once in the tenant for the A4O access (direct DB security) and in the SYSTEMDB for the XSA application account. We plan in the near future (XSA Runtime revision at the end of October 2018) to introduce the installation option to install XSA into a single tenant instead of the SYSTEMDB. This is functionality only for new installations, however. Then further down the road (probably SPS 04 next year), we plan to give you the further option to install multiple XSA instances - one per tenant each with their own user persistence in the local tenant.