Hi Experts,
I try to disable the client connection (ODBC/JDBC access) of our business users as described by Denys van Kempen in this blog:
https://blogs.sap.com/2015/06/25/sap-hana-sps-10-whats-new-security-by-the-sap-hana-academy/
In my mind, should the business user still be able to access an app (via http) after disabling the client connection (ODBC/JDBC access). But it doesn't work as expected.
I tried to change the client connection more times and came always to the same behaviour:
ALTER USER **** DISABLE CLIENT CONNECT --> user cannot access the app anymore
ALTER USER **** ENABLE CLIENT CONNECT --> user is able to access the app
BR, Dirk
1 Answer
-
Best AnswerNov 28, 2018 at 09:50 PM
That's not quite what the setting does.
As the documentation puts it:
"<client_connect_option>
Enables or disables the client from connecting at all. In case of disabled client connect, only connecting via an XS application is allowed."XS and XSA applications connect very differently to the HANA database. XS classic uses a proprietary HANA internal connect mechanism while XSA apps simply use the HANA JDBC driver.
That means, by disabling a user client connection, you disable the connection for XSA apps as well.
The main reason for using this setting with XSc is that the user management for the application uses the same pool of users as the database users. For every XSc application user there needs to be a database user, even if the application itself just uses a technical user to connect to the database.
Now, with XSA the user management is decoupled from the database that contains the application data. All XSA application user information is stored with the user authorisation service (usually saves data in the SystemDB but as of SP03 this can also be put into a tenant DB).
If your application connects via a technical user, you can still implement a model similar to XSc, where application users cannot logon to the application database, but still use the application.
Add comment
Add comment