Vous êtes sur la page 1sur 67

Best Practices to Administrate,

Operate, and Monitor an SAP


HANA System

Dr. Bjarne Berg


COMERIT
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. 2015 Wellesley Information Services. All rights reserved.
What Well Cover
Licensing and Update Maintenance
Hardware Options and Sizing
Performance Monitoring and Load Balancing
Managing Roles, Privileges, and Security
High Availability, Disaster Recovery and Backup Planning
Wrap up

2
Introduction Dr. Berg

3
Key Responsibilities for HANA Admin and Installs

4
Updating the SAP HANA Appliance
SAP hardware partners ship SAP HANA pre-configured and with the most recent support
package stack at the time when the SAP HANA appliance is shipped

The customer is responsible for the subsequent implementation of SAP HANA patches,
revisions, or support packages, and support package stacks

Systems that were installed with the SAP HANA Unified Installer can use the automated
update procedure

This requires a backup be completed, data replication to be suspended, and the business
made aware of the planned outage

It is recommended that you do this on a quarterly basis, or when other


systems are scheduled for maintenance at the same time (i.e., holidays)
5
Updating the SAP HANA Appliance and SUM
The Software Update Manager (SUM) for SAP HANA Support Package Stack (SPS) can
execute automatic updates of the Lifecycle Management perspective as part of self-update

Because it is not part of the base SAP HANA install, unless the hardware partner installed
SUM as part of the install, you have to first install it from the SAP Marketplace before you
can use it

During install, it is important to note that all archives, including SUMFORHANA, must be
located in the same directory as the stack.xml file

After the SUM is installed, you can choose to apply either SPSs that contain larger
upgrades, or individual support packages based on your needs or upgrade schedule

Additional details can be found in SAP note: 1545815


6
Updating SAP HANA Studio
You can choose to update the software automatically based on periodic
updates with SUM or execute the software update manually
The Lifecycle Management perspective of the SAP HANA Studio is updated
when you update SAP HANA Studio

To update the SAP HANA studio, choose Help > Check for Updates
7
Updating SAP HANA Studio
You can enter the settings for the automated
update of SAP HANA Studio under Windows>
Preferences> Install/Update
The site you add should be in the following
format:
file:////update_server/hdbstudio/repository/ or
http://<host_name>:<port_number>/tools/hdb.
studio.update
There are also numerous options regarding
Automatic Updates in HANA Studio

Make sure your SAP HANA Studio contains the Lifecycle


Management perspective
8
Licensing
The two types of license keys for SAP
HANA are:
Temporary keys (typically 90 days)
Permanent keys

To check your type of license keys and


expiration dates, right-click on a system in
the Navigator pane in Studio, select
Properties, and choose Licenses

More information on monitoring of license keys is found in SAP Note 1704499

9
Licensing
License Keys can be enforced or unenforced. This means that if you have enforced keys, the
SAP HANA system will shut down if you try to use the system for more memory than you are
licensed for (SAP grants a little extra memory consumption in before shutting down)

If the system is shut down due to a license key violation, you cannot access the system via
queries nor can the system be backed up. To see if your keys are enforced or not, take a look
inside the license file. If you see SWPRODUCTNAME=SAP-HANA, your keys are not
enforced. If you see SWPRODUCTNAME=SAP-HANA-ENF, your license keys are enforced.

Changes to license keys can only be made by administrator with the system privilege
LICENSE ADMIN in the security role.

10
License Audit by SAP

If you have installed permanent SAP HANA licensing keys, SAP may periodically request
a license audit

If requested, you simply open SAP HANA Studio, click on your database and select
PROPERTIES on the context menu.

From here you click on the EXPORT SYSTEM MEASUREMENTS button and save the XML
file. You will email this XML file to SAP as part of the license audit.

You need to have the system privilege LICENSE


ADMIN assigned to have access to this function
11
What Well Cover
Licensing and Update Maintenance
Hardware Options and Sizing
Performance Monitoring and Load Balancing
Managing Roles, Privileges, and Security
High Availability, Disaster Recovery and Backup Planning
Wrap up

12
HANA Editions and Components
While HANA is sold as an appliance, there
are many internal components and the
edition you buy may contain different
licenses to these components

13
HANA Release Strategy and Names
As of 2015, SAP introduced the idea of production verified revisions to provide
in-depth testing of all services packs for SAP HANA
Based on the planned releases over the next 12 months, customers should
adjust their plans for service packs accordingly

14
Sizing a BW system for HANA
Using the BW Automated Sizing tool in the Migration Cockpit

15
SAP BW on HANA Sizing Tool for Existing
BW Implementations
To increase speed,
SAP has released an updated tool that you can suppress
analysis tables with
generates a report for sizing SAP BW. less than 1 MB size

This program takes into consideration existing


database, table types, and includes the effects
of non-active data on the HANA system The higher
precision you
run the
estimate at,
the longer the
program is
going to run

This program is also referenced in SAP Notes


1909597 and 1736976 on the Service Marketplace

16
The Sizing Result

Since timeouts are common when running the sizing


program, you can temporarily change the parameter in
rdisp/max_wprun_time to 0 in BW transaction RZ11.
Finally, you estimate the growth for the system as a
percentage or as absolute growth.

The output is stored in the file you specified and the file
can now be emailed to hardware vendors for sizing input
and hardware selection

17
Sizing for BusinessSuite on HANA
SAP also have programs to size the
system for BusinessSuite on HANA

Inthis example from July 2015, we


see that a system of 1.992 GB is
required to migrate the ECC 6 box
to HANA

18
Main Hardware Options
It
is worth noting that IBM is
also working on certification by
SAP for their Power severs
(POWER 8 and E870) and have
posted some great performance
benchmarks on SCN together
with SAP.

IBMmay therefore, depending


on project timing, also be a
viable candidate for hardware.

19
What Well Cover
Licensing and Update Maintenance
Hardware Options and Sizing
Performance Monitoring and Load Balancing
Managing Roles, Privileges, and Security
High Availability, Disaster Recovery and Backup Planning
Wrap up

20
Key Resources for Monitoring HANA System

21
Monitoring with Admin Console in HANA Studio

22
System Landscape
The Landscape tab verifies that the system is running and displays the status of the
relevant services:

For each server within the HANA system, the following services should be running:
nameserver statisticsserver
indexserver sapstartsrv
preprocessor xsengine

If a distributed system is being used, this can be configured under the Configuration subtab
23
Monitoring with HANA Cockpit in Fiori

24
Monitoring with The DBA Cockpit

25
Monitoring with SAP Landscape and Virtualization Manager (LVM)

26
Monitoring with Alerts
The statistics server is the tool used for monitoring in SAP HANA and offers real-time
system resource alerts on vital information. There are 74 Alerts available.
Server crashes
or stoppages
Hard disk
reaching
critical capacity
CPU at risk of
experiencing
bottlenecks or
high stress

27
Configuring Alerts
Customer Alerts can be created to assist in monitoring system performance in the
Administrator Editor under the Alerts tab

Creating an administrative e-mail account is recommended in order to isolate system


monitoring information

The recipients of alerts can be optionally modified to inform those who should receive alert
notifications instead of targeting different alerts to specific email addresses

Each alert has three specific thresholds for when the alert can be executed: High, Medium, Low

The values for these thresholds can be defined as percentages. The scheduled times for when
the alerts should be triggered can also be set, the default is every six hours once a day.
28
Monitoring Availability with Alerts

29
Monitoring Backups with Alerts
Check
ID Time Description SAP Recommended Admin Action
Type
Most recent savepoint operation- How long ago the
Investigate why there was a delay defining the last savepoint and
last savepoint was defined, that is, how long ago a
28 Periodic consider triggering the operation manually by executing the SQL
complete, consistent image of the DB was persisted
statement ALTER SYSTEM SAVEPOINT.
to disk.
If you need point-in-time recovery, reconfigure the log mode of your
Log mode LEGACY- If the DB is running in log mode system to "normal". In the "persistence" section of the global.ini
Back- "legacy". Log mode "legacy" does not support point- configuration file, set the parameter "log_mode" to "normal" for the
32 Periodic
up in-recovery and is not recommended for productive System layer. When you change the log mode, you must restart the DB
systems. system to activate the changes. It is also recommended that you
perform a full data backup.
Log mode OVERWRITE- If the DB is running in log
mode "overwrite". Log mode "overwrite" does not Investigate why the service had to restart or be restarted, for example,
33 Periodic
support point-in-recovery (only recovery to data by checking service's trace files.
backup) and is not recommended for prod systems.
35 Daily Existence of data backup Perform a data backup as soon as possible.
36 Daily Status of most recent data backup Investigate why failed, resolve the problem, and perform a new data
37 Daily Age of most recent successful data backup
Status of most recent log backups- If the most recent backup as soon as possible.
Perform a data backup as soon as possible.
38 Daily log backups for services and volumes were
successful. Investigate why the log backup failed and resolve the problem.
Savepoint duration- Identifies long-running savepoint
54 Periodic Check disk I/O performance.
operations.
Runtime of the log backups currently running- If the
65 As needed Investigate why the log backup runs for too long, and resolve the issue.
most recent log backup terminates in the given time.
Storage snapshot is prepared- if the period, during
Investigate why the storage snapshot was not confirmed or
66 As needed the DB is prepared for a storage snapshot, exceeds
abandoned, and resolve the issue.
threshold.
Enablement of automatic log backup- if automatic log Enable automatic log backup. For more details please see SAP HANA
69 Periodic
backup is enabled. Administration Guide.
Number of log segments- segments in the log volume
Check whether the system has been frequently and unusually
of each service Check for number of log segments.
72 Daily
Make sure that log backups are being auto created
restarting services. If it has, then resolve the root cause of this issue 30
and create log backups as soon as possible.
Monitoring Configuration and CPU with Alerts

Check
ID Time Description SAP Recommended Admin Action
Type
As Discrepancy between host server times- discrepancies in a
3 Check operating system time settings.
needed scale-out system.
mergedog is the system process that periodically checks
column tables to determine if a delta merge operation
needs to be executed. Change in SYSTEM layer the
Delta merge (mergdog) configuration- If the 'active' parameter
10 Periodic parameter active in section(s) mergedog to yes
in the 'mergedog' section of system configuration file(s) is 'yes'.
Config In the 'transaction' section of the indexserver.ini file, set
uration the 'lock_wait_timeout' parameter to a value between
100,000 and 7,200,000 for the System layer.
Lock wait timeout configuration- if 'lock_waittimeout' parameter
Investigate why the service had to restart or be restarted,
16 Periodic in 'transaction' section of indexserver.ini file is between
for example, by checking service's trace files.
100,000 and 7,200,000.
Investigate why the volume is not assigned a service. I.e..,
Unassigned volumes- Identifies volumes that are not assigned a
26 Periodic assigned service is not active, the removal of a host failed,
service.
or the service removal was performed incorrectly.
34 Daily If all volumes are available. Investigate why the volume is not available.
Configuration consistency of systems in system replication The identified configuration parameter(s) should have the
79 Periodic setup- Identifies configuration parameters that do not have the same value in both systems, adjust the configuration. If
same value on the primary system and a secondary system. different values are acceptable, add the parameter(s) as
Host CPU Usage- Determines the % CPU idle time on the host an exception in global.ini/[inifile_checker].
CPU 5 Intra-day
and therefore if CPU resources are running low. Investigate CPU usage

31
Monitoring Files and Disk Usage with Alerts
Check
ID Time Description SAP Recommended Admin Action
Type
These files These contain information about, for example, build,
As RTEdump files- Identifies new runtime dump files (*rtedump*)
46 loaded modules, running threads, CPU, etc..Check contents of the
needed have been generated in the trace directory.
Diag- dump files.
nosis A large number of files can indicate a problem with the DB (i.e.,
Number of diagnosis files- written by the system (excluding
50 Periodic problem with trace file rotation or a high number of crashes).
zip-files).
Files Investigate the diagnosis files.
Size of diagnosis files- very large file sizes can indicate a
51 Daily Check the diagnosis files in the SAP HANA studio for details.
problem with DB.
Crashdump files- new files that have been generated in the
52 Daily
trace directory
Check the contents of the dump files.
Pagedump files- new files that have been generated in the
53 Daily
trace directory
Python trace activity- If trace is active and for how long. Trace If no longer required, deactivate the python trace in the relevant
56 Periodic
affects performance. configuration file.
Disk Usage- Determines what % of each disk containing data, Investigate disk usage of processes. Increase disk space, for
2 Intra-day log, and trace files is used. This includes space used by non- example by shrinking volumes, deleting diagnosis files, or adding
SAP HANA files. additional storage.
Resolve the disk-full event: In the Admin Editor on the Overview
Check internal disk full event- If the disks to which data and log tab, choose the \"Disk Full Events\" link and mark the event as
Disk
30 Intra-day files are written are full. A disk-full event causes your DB to handled. Alternatively, execute the SQL statements ALTER SYSTEM
stop and must be resolved. SET EVENT ACKNOWLEDGED '<host>:<port>' <id> and ALTER
SYSTEM SET EVENT HANDLED '<host>:<port>'<id>.
Sync/Async read ratio- Identifies a bad trigger asynchronous
60 Periodic This means that asynchronous reads are blocking and behave
read ratio.
almost like synchronous reads. This might have negative impact on
Sync/Async write ratio- Identifies a bad trigger asynchronous
61 Periodic SAP HANA I/O performance in certain scenarios. Note 1930979.
write ratio.
DB disk usage- The total used disk space of the DB. All data, Investigate the disk usage of the DB. See system view
77 Intra-day
logs, traces and backups are considered. M_DISK_USAGE for more details.

32
Monitoring Memory Usage
Memory in SAP HANA is consumed for a variety of purposes:
The operating systems and support files
Proprietary code and stack of program files
Column and row stores where data is stored
Working space where computations occur, temporary results are stored, and shared user
memory consumption occurs

SAP HANA tracks memory from the perspective of the host. The most important
aspects are the following:
Physical memory The max amount of physical (system) memory available on the host
Allocated memory The memory pool reserved by HANA from the operating system

Used memory The amount of memory from th4 pool that is actually used by HANA DB

33
Monitoring Memory Usage
The physical memory on most SAP HANA hosts is from 256 GB - 2 TB
This is used to run the Linux OS, SAP HANA, and any additional
programs that run on the host
SQL statements can be used to obtain or edit memory information.
There is a set of predefined SQL statements provided by SAP that are
available for use
Used memory serves the following purposes:
Program code and stack
Working space and data tables (heap and shared memory)
The program code area houses the SAP HANA database while it is
active. Various parts of SAP HANA can share a common program
code. The stack is required to complete actual computations

34
Monitoring Memory with Alerts
Check Type ID Time Description SAP Recommended Admin Action
Host physical memory usage- The % of total physical memory All processes consuming memory are considered, including non-SAP HANA processes. Investigate
1 Intra-day
available on the host memory usage of processes.
3 Periodic Row store fragmentation Implement SAP Note 1813245.
Memory usage of name server- Determines what % of allocated Increase the shared memory size of the name server. In the 'topology' section of the
12 Intra-day
shared memory is being used by the name server on a host. nameserver.ini file, increase the value of the 'size' parameter.
Record count of non-partitioned column-store tables- Current Partitioning need only be considered if tables are expected to grow rapidly. A non-partitioned
17 Periodic
Mem- table size is not critical. table cannot contain more than 2,000,000,000 (2 billion) rows). Consider partitioning the table
ory 20 Periodic Table growth rate of non-partitioned column-store table only if you expect it to grow rapidly.
27 Periodic Record count of column-store table partitions
Investigate the delta merge history in the monitoring view M_DELTA_MERGE_STATISTICS. Consider
29 Periodic Size of delta storage of column-store tables
merging the table delta manually.
Total memory usage of column-store tables- The % of the
This is the cumulative size of all of a table's columns and internal structures. Consider
40 Daily effective alloc limit being consumed by individual column-store
partitioning or repartitioning the table.
tables as a whole
Memory usage of services- % of effective alloc limit a service is
43 Daily Check for services that consume a lot of memory.
using.
Increase licensed amount of main memory. See the peak memory allocation since installation in
44 Periodic Licensed memory usage- % used.
the system view M_LICENSE, column PRODUCT_USAGE
Memory usage of main storage of column-store tables- % of
45 Periodic Consider partitioning or repartitioning the table.
effective alloc limit consumed by column-store tables.
Columnstore unloads- # of columns that have been unloaded
55 Periodic Can indicate performance issues. Check sizing with respect to data distribution.
from memory.
Increase the size of the plan cache. In the 'sql' section of the indexserver.ini file, increase the
58 As needed Plan cache size- if the plan cache is too small.
value of the 'plan_cache_size' parameter.
67 Periodic Table growth of rowstore tables Reduce the size by removing unused data
68 Periodic Total memory usage of row store used by a service Investigate memory usage by row store tables and consider cleanup of unused data
73 Periodic Overflow ratio of rowstore version space. Identify the connection or transaction that is blocking version garbage collection. You can do this
74 Periodic Overflow ratio of metadata version space. in the SAP HANA studio by executing the "MVCC Blocker Connection" and "MVCC Blocker
Rowstore version space skew- if rowstore version chain is too Transaction" statements available on the System Information tab of the Administration editor. If
75 Periodic
long. possible, kill the blocking connection or transaction.
Cached view size- how much memory is occupied by cached Increase size of the cached view. In the "view_cache" section of the indexserver.ini file, increase
81 Periodic
view the value of the "total_size" parameter.

35
Monitoring Security, Sessions and Transactions with Alerts
Check
ID Time Description SAP Recommended Admin Action
Type
Secure store file system (SSFS) consistency regarding the Check and make sure that the secure storage file system (SSFS) is
57 Daily
DB accessible and consistent regarding the DB.
User passwords- Identifies DB users whose password is Change password of the DB user. It is recommended that you disable
62 Daily due to expire with the PW policy. If it expires, the user will the password lifetime check of technical users so that their password
Securit be locked. This may impact application availability. never expires (ALTER USER <username> DISABLE PASSWORD LIFETIME).
y Granting of SAP_INTERNAL_HANA_SUPPORT role- if the Check if the corresponding users still need the role. If not, revoke the
63 Daily
internal support role is currently granted to any DB users. role from them.
Total memory usage of table-based audit log- % of the
Consider exporting the content of the table and then truncating the
64 Periodic effective allocation limit is being consumed by the DB
table.
table used for table-based audit logging.
The max number of permitted connections is configured in the
Session Open connections- % of the max number of permitted
25 Daily "session" section of the indexserver.ini file.Investigate why max
s SQL connections open.
number is being approached.
Investigate the statement. For more info, see table
39 Daily Long-running SQL statements
_SYS_STATISTICS.HOST_LONG_RUNNING_STATEMENTS.
Session
As
& 42 Long-idling cursors
needed Close cursor, uncommitted transaction, or the serializable transaction
Transa-
in the application, kill connection, or by executing the SQL statement
ctions
47 Periodic Long-running serializable transactions ALTER SYSTEM DISCONNECT SESSION <LOGICAL_CONNECTION_ID>. For
more information, see the tables HOST_LONG_IDLE_CURSOR,
HOST_LONG_SERIALIZABLE_TRANSACTION and
48 Periodic Long-running uncommitted write transactions HOST_UNCOMMITTED_WRITE_TRANSACTION (_SYS_STATISTICS).

49 Periodic Long-running blocking situations Investigate the blocking and blocked transactions and if appropriate
59 Daily Percentage of blocked transactions cancel one of them.
Table consistency- the number of table consistency errors
System 83 Daily Contact SAP support
and affected tables
36
More System Information in HANA Studio

37
Server Performance Information
It is possible to monitor more detailed aspects of system performance on the
Performance tab in order to detect and fix performance issues.

In the Thread view you can end the operation of a specific thread

Since multiple threads run together in one session and in one transaction, the operations
of all subsequent threads belonging to that session/transaction will also be terminated.
38
Managing Large Tables with Partitioning
When column tables grow containing high data volumes, it would be advantageous to
split them horizontally into smaller partitions
SAP HANA automatically manages the partitions in the background which simplifies the
access and frontend development and gives the administrator a key tool to manage disks,
memory, and large column stores
In a distributed (scale-out) SAP HANA system, it is possible to place the partitions on
different nodes and thereby increase performance exponentially due to more processors
being available for the users
In a partitioned schema, it is possible to have 2 billion rows per partition with
virtually no limit on how many partitions can be added
As a result, this becomes a matter of hardware and landscape architecture as opposed to
a question of database limitation
39
Managing Large Tables with Partitioning
There are three different ways of creating partitions from an administration standpoint in
SAP HANA:
By ranges
By hash
By round-robin
While more complex schemas are possible with multilevel partitioning, these three
options cover the basics used in the higher level options.

In addition to these options, you application layer may offer additional software
options depending on the application you are running on top of HANA
40
Partitioning Column Tables by Range
If data familiarity is acute, data can be partitioned by any range in a table
The most common partition is by date, though it is possible to use material
numbers, postal codes, customer numbers, or anything else
Partitioning by date increases query speed and limits data to a single node
The maintenance of range partitions is somewhat higher than the other options
since new partitions must be constantly added as data outside the existing
partitions emerge, as is the case with time sensitive data
Example of partitioning by SQL:
CREATE COLUMN TABLE SALES (sales_order INT, customer_number INT, quantity INT, PRIMARY
KEY (sales_order))
PARTITION BY RANGE (sales_order)
(PARTITION 1 <=values < 100000000,
PARTITION 100000000 <== values <200000000,
PARTITION OTHERS)

41
Partitioning Column Tables by Hash
Partitioning column stores by the hash does not require an in-depth knowledge of the data
Instead, partitions are created by an internal algorithm applied to one or more fields in the
database by the system itself. This is known as a hash
The records are then assigned to the required partitions based on this internal hash number
The partitions can be created in SQL with defined rules such as the following:
If the table has a primary key, it must be included in the hash
If more than one column is added, and the table has a primary key, all fields used to partition on must be
part of the primary key
If the number of partitions is not defined, the system will determine the optimal number of partitions based
on the configuration. As a result, this is the recommended setting for most hash partitions
Example of partitioning by SQL:
CREATE COLUMN TABLE SALES (sales_order INT, customer_number INT, quantity INT, PRIMARY KEY (sales_order,
customer_number))
PARTITION BY HASH(sales_order, customer_number)
PARTITIONS 6
42
Partitioning Column Tables by Round-Robin
In a round-robin partition, the system assigns records to the partitions on a rotating basis
While it makes for efficient assignments and requires no data familiarity, it also means that
removing partitions in the future will be more challenging as both new and old data will be
present in the same partitions

The following syntax can be used in SQL to create the partitions:


CREATE COLUMN TABLE SALES (sales order INT, customer number INT, quantity INT)
PARTITION BY ROUNDROBIN
PARTITIONS 6

In this example, six partitions are being created and records are assigned on a
rotating basis. If the last statement is changed to PARTITIONS GET_NUM_SERVERS(),
the system will assign the optimal number of partitions based on the system
landscape. The only requirement is that the table does not contain a primary key.

43
Moving Files and Partitions for Load Balancing
Periodically moving files and file partitions allow column tables to achieve better load
balancing across hosts and are useful for adding or removing a node from the system,
creating new partitions, and load balancing existing ones that have grown very large
Before initiating this process, save the current distributions using the RESOURCE ADMIN
system privilege for recovery later in the event of an error
From the Table Distribution Editor the catalog, schemas, and tables can be viewed
A table can be moved to another location by right-clicking it and selecting Move Table. A
similar process can be used for moving partitions to consolidating partitions to single hosts
If a disk full event is triggered it will be display on alerts and will suspend the use of the
database. You can find information in Volumes tab, and if it is full due to other temporary
files being stores, they may be deleted. The event is then marked as handled in the
Overview tab ceasing the suspension of the database

44
What Well Cover
Licensing and Update Maintenance
Hardware Options and Sizing
Performance Monitoring and Load Balancing
Managing Roles, Privileges, and Security
High Availability, Disaster Recovery and Backup Planning
Wrap up

45
Security Authentication
SAP HANA has two forms for authentication security
Internal Authentication

Users are created in SAP HANA database only

Authentication is handled by SAP HANA


database via username/password
External User Repositories

Kerberos or Security Assertion Markup


Language (SAML)
Once authenticated, users are then check for authorization privileges
Database users can have the following types of privilege:
Direct Privileges

Inherited Privileges

When Kerberos is used, the users in the key distribution center should be mapped to the
database users in SAP HANA by making users principal name the external ID.
46
Overview of Privilege Types
Package privilege
Package privileges allow access to and the ability to work in packages in the repository of the SAP HANA DB
Packages contain design time versions of various objects, such as analytic views, attribute views,
calculation views, and analytic privileges

Application privilege
Developers of SAP HANA XS applications can create application privileges to authorize user and client
access to their application.
Application privileges are granted and revoked through the procedures GRANT_APPLICATION_PRIVILEGE
and REVOKE_APPLICATION_PRIVILEGE procedure in the _SYS_REPO schema
Application privileges can be granted directly to users or roles in run time in the SAP HANA studio. It is
recommended that you grant application privileges to roles created in the repository in design time

47
Privileges on users
Privileges on users are SQL privileges
that users can grant on their user.
ATTACH DEBUGGER is the only privilege
that can be granted on a user

For example, User A can grant User B the


privilege ATTTACH DEBUGGER to allow
User B debug SQLScript code in User A's
session. User A is only user who can
grant this privilege

48
Roles Management
Adding Roles
Go to the NAVIGATOR pane in Studio, and select the
system you want to grant access to
Select the CATALOG folder, and then the
AUTHORIZATION folder
Right-click on the ROLES folder, and select NEW ROLE

Deleting Roles
Go to the NAVIGATOR pane in Studio, and select the
system you want to grant access to
Select the CATALOG folder, and then the
AUTHORIZATION folder
Expand the Roles folder and right-click on the ROLE
and select DELETE
49
Standard Roles
CONTENT_ADMIN
This role contains all the privileges required for using the information modeler in the SAP HANA
studio, as well the additional authorization to grant these privileges to other users. It also contains
system privileges for working with imported objects in the SAP HANA repository

MODELING
This role contains all the privileges required for the information modeler in SAP HANA studio

It therefore provides a modeler with the database authorization required to create all kinds of
views and analytic privileges
The MODELING role contains the standard analytic privilege _SYS_BI_CP_ALL. This analytic
privilege potentially allows a user to access all the data in all activated views, regardless of any
other analytic privileges that apply.
The CONTENT_ADMIN role is very privileged and should not be granted to users, particularly
in production systems. The CONTENT_ADMIN role should only be used as a template.
50
Standard Roles
MONITORING
This role contains privileges for full read-only access to all metadata, the current system
status in system and monitoring views, and the data collected by the statistics server

RESTRICTED_USER_ODBC_ACCESS
This role contains the privileges required by restricted database users to connect to SAP
HANA through the ODBC client interface
This role is intended to be used in conjunction with application-specific roles

It is recommended that the privileges required to use an


application are encapsulated within an application-specific
role, which is then granted to restricted database users.
51
Standard Roles
PUBLIC
This role contains privileges for filtered read-only access to the system
views. Only objects for which the users have access rights are visible.
By default, this role is granted to every user, except restricted users

SAP_INTERNAL_HANA_SUPPORT
This role contains system privileges and object privileges that allow
access to certain low-level internal system views needed by SAP HANA
development support in support situations. All access is read only

This role does not allow access to any customer data.


52
Users Management
Adding Users
To add users, go to the NAVIGATOR pane in Studio, and select the
system you want to grant access to
Select the CATALOG folder, and the AUTHORIZATION folder

Right-click on the USERS folder, and select NEW USER

Deleting Users
To delete users, go to the NAVIGATOR pane in Studio, and select
the system impacted
Select the CATALOG folder, and select AUTHORIZATION folder
Choose the USERS folder, and select the user to be deleted

53
Users Management
Deactivating Users
To deactivate users, go to the NAVIGATOR pane in Studio, and select the system impacted

Select the CATALOG folder, and then select the AUTHORIZATION folder

Choose the USERS folder, and select the user to be deactivated

Activating Users
To activate users, go to the
NAVIGATOR pane in Studio, and
select the system impacted
Select the CATALOG folder, and
then select the AUTHORIZATION
folder
Choose the USERS folder, and
select the user to be activated
54
Users Management
Emergency User
IF the SYSTEM user is deactivated and can no longer connect to the SAP HANA database

You can verify that this is the case in the USERS system view. For user SYSTEM, check
the values in the columns USER_DEACTIVATED, DEACTIVATION_TIME, and
LAST_SUCCESSFUL_CONNECT

You can still use the SYSTEM user as an emergency user even if it has been deactivated. Any
user with the system privilege USER ADMIN can reactivate SYSTEM with the statement ALTER
USER SYSTEM ACTIVATE USER NOW. To ensure that an administrator does not do this
casualy, we recommended that you create an audit policy monitoring ALTER USER statements.

55
Security Password Policy
You can also set your own password policy for SAP HANA which includes the
different password rules:

minimum password length


use of characters
max number of log-on attempts
blacklisted passwords
password expiration
notifications

56
Changing Password Policy
To change a password policy, right-click on
the SAP HANA system in the NAVIGATOR
pane and select OPEN SECURITY

Under the PASSWORD POLICY tab you can


change all the settings to conform to your
companys password rules

57
What Well Cover
Licensing and Update Maintenance
Hardware Options and Sizing
Performance Monitoring and Load Balancing
Managing Roles, Privileges, and Security
High Availability, Disaster Recovery and Backup Planning
Wrap up

58
Backup and Standby
Supports synchronous backup between production system and backup storage
Alerts can be setup to monitor backups and two primary backup methods exists:
Traditional File
BACKINT API for third party vendors

There are 4 basepath options for traditional file backups in HANA Studio:
Basepath data backup Standard backups to external mount point
Basepath data volumes Permanent location for data volumes
Basepath log backup External mount point for logs segment to be copied every 15 minutes
Basepath log volumes Permanent location for log volumes

IBM offers a backup management solution called Tivoli Storage Manager and SAP provides a
script in SAP Note 1651055 to help clean up log files

If log files become too large, longer backup times may result
59
SAP HANA designed with High Availability

Supports recovery measures ranging from faults and software errors to


disasters that decommission an entire data center
Provides the ability to rapidly resume operations after a system outage
with minimal business loss (fault resilience)
Offers a service auto-restart functionality which automatically detects the
failure and restarts the stopped service process
Allows the assignment of up to 3 master servers as the name server in
case the active master name server fails, the system can restore itself to
the available standby master

The number of standby servers defined during installation cannot subsequently be


reduced without major work. However, standby servers can be added after installation.
60
High Availability and Fault Tolerance
High Availability configuration
N active servers in one cluster

M standby server(s) in one cluster

Shared file system for all servers

Failover
Server X fails

Server N+1 reads indexes from


shared storage and connects to
logical connection of server X

61
Scale out Standby Server Configuration

SAP HANA cold standby host


Standby host is kept ready for the event that a failover situation
occurs during production operation
Standby host is not used for database processing

All the database processes run on the


standby host, but they are idle and do
not allow SQL connections

62
What Well Cover
Licensing and Update Maintenance
Hardware Options and Sizing
Performance Monitoring and Load Balancing
Managing Roles, Privileges, and Security
High Availability, Disaster Recovery and Backup Planning
Wrap up

63
Where to Find More Information
www.sap-press.com/sap-hana_3687/
Bjarne Berg and Penny Silvia, SAP HANA: An introduction (SAP PRESS, 3rd Edition).
www.amazon.com/SAP-BW-HANA-Migration-Handbook/dp/150852761X/
Bjarne Berg, Rob Frye and Joe Darlak: BW to HANA migration handbook
www.saphana.com/welcome
SAPs main page for all SAP HANA-related information
www.saphana.com/community/try
SAP HANA Marketplace
http://scn.sap.com/community/bw-hana
SAP BW powered by SAP HANA on SCN

64
7 Key Points to Take Home
The Software Update Manager (SUM) for SAP HANA Support Package Stack (SPS) can
execute automatic updates of the Lifecycle management perspective as part of self-update
Make sure that you know the type of key the system is using to insure that the SAP HANA
system will not shut down
There is a System Monitoring option within HANA that provides useful overview information
to help prevent potential problems
Managing user roles within HANA system can be done through a simple process
SAP HANA supports synchronous backup between production system and backup storage
An system admin can set up password policy within HANA
SAP HANA is designed with Support for High Availability
65
Your Turn!

How to contact me:


Dr. Berg
bberg@comerit.com

66
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or
an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective
companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

67