SAP HANA Database connector
Before you start
These connector instructions require a SAP HANA Database account with elevated privileges to add roles, system, and application privileges. The following information is required to configure the connector:
- Username
-
Your SAP HANA Database username.
- Password
-
Your SAP HANA Database password.
- JDBC Connection URL
-
The URL to establish the connection between the connector and the SAP HANA Database.
- Driver class name
-
The class name driver path.
For more information, refer to the Connect to SAP HANA via JDBC documentation.
Install the SAP HANA Database connector
If you are looking for the Advanced Identity Cloud application for this connector, refer to: |
You can download any connector from Backstage, but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration.
Connector | IDM | RCS |
---|---|---|
No |
Yes |
Download the connector .jar file from Backstage.
-
If you are running the connector locally, place it in the
/path/to/openidm/connectors
directory, for example:mv ~/Downloads/saphanadb-connector-1.5.20.26.jar /path/to/openidm/connectors/
-
If you are using a remote connector server (RCS), place it in the
/path/to/openicf/connectors
directory on the RCS.
Download the Sap Hana JDBC driver.
The minimum required JDBC version is 2.16.14. |
-
If you are running the connector locally, place the library in the
/path/to/openidm/lib/
directory:mv ~/Downloads/ngdbc-version.jar /path/to/openidm/lib/
-
If you are using a remote connector server (RCS), place it in the
/path/to/openicf/connectors
directory on the RCS.
Configure the SAP HANA Database connector
Create a connector configuration using the IDM admin UI:
-
From the navigation bar, click Configure > Connectors.
-
On the Connectors page, click New Connector.
-
On the New Connector page, type a Connector Name.
-
From the Connector Type drop-down list, select SAP HANA Database Connector - 1.5.20.26.
-
Complete the Base Connector Details.
For a list of all configuration properties, refer to SAP HANA Database Connector Configuration -
Click Save.
When your connector is configured correctly, the connector displays as Active in the admin UI.
Refer to this procedure to create a connector configuration over REST.
Base connector details
username
|
The username for logging in to the database. |
password
|
The user password for logging in to the database. |
url
|
The database connection string in the form of |
driverClassName
|
The file directory location of DBC driver files. |
pageSize
|
Defines the page size to be displayed to users. |
ignoreUsers
|
Database users to ignore. Typically, these are internal database users to avoid for security reasons. |
Object types
You can add or edit the object type to obtain any of the following objects and their properties:
__ACCOUNT__
PROPERTY NAME | TYPE | NATIVE TYPE | REQUIRED |
---|---|---|---|
|
String |
String |
NO |
|
String |
String |
NO |
|
GuardedString |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
Boolean |
Boolean |
NO |
|
Boolean |
Boolean |
NO |
|
Boolean |
Boolean |
NO |
|
Boolean |
Boolean |
NO |
|
Boolean |
Boolean |
NO |
|
Boolean |
Boolean |
NO |
|
Boolean |
Boolean |
NO |
|
Array |
Object |
NO |
|
Array |
String |
NO |
|
Array |
String |
NO |
|
Array |
String |
NO |
|
Array |
String |
NO |
ROLES
PROPERTY NAME | TYPE | NATIVE TYPE | REQUIRED |
---|---|---|---|
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
APPLICATION_PRIVILEGES
PROPERTY NAME |
TYPE |
NATIVE TYPE |
REQUIRED |
|
String |
String |
NO |
SYSTEM_PRIVILEGES
PROPERTY NAME |
TYPE |
NATIVE TYPE |
REQUIRED |
|
String |
String |
NO |
To configure the connector over REST or using the filesystem, specify the connection details to the SAP HANA Database resource provider in the configurationProperties
for the connector. The minimum required properties are username
, password
, url
and driverClassName
.
Sample configuration
{
"configurationProperties" : {
"connectionProperties" : null,
"propagateInterruptState" : false,
"useDisposableConnectionFacade" : true,
"defaultCatalog" : null,
"validationInterval" : 3000,
"ignoreExceptionOnPreLoad" : false,
"jmxEnabled" : true,
"commitOnReturn" : false,
"logAbandoned" : false,
"maxIdle" : 100,
"testWhileIdle" : false,
"removeAbandoned" : false,
"abandonWhenPercentageFull" : 0,
"minIdle" : 10,
"defaultReadOnly" : null,
"maxWait" : 30000,
"logValidationErrors" : false,
"name" : "Tomcat Connection Pool[1-20280544]",
"useStatementFacade" : true,
"initSQL" : null,
"validationQueryTimeout" : -1,
"validationQuery" : null,
"rollbackOnReturn" : false,
"alternateUsernameAllowed" : false,
"dataSourceJNDI" : null,
"validatorClassName" : null,
"suspectTimeout" : 0,
"useEquals" : true,
"removeAbandonedTimeout" : 60,
"defaultAutoCommit" : null,
"testOnConnect" : false,
"jdbcInterceptors" : null,
"initialSize" : 10,
"defaultTransactionIsolation" : -1,
"numTestsPerEvictionRun" : 0,
"url" : "jdbc:sap://HOST:PORT",
"testOnBorrow" : false,
"fairQueue" : true,
"accessToUnderlyingConnectionAllowed" : true,
"maxAge" : 0,
"minEvictableIdleTimeMillis" : 60000,
"timeBetweenEvictionRunsMillis" : 5000,
"testOnReturn" : false,
"useLock" : false,
"maxActive" : 100,
"username" : "USERNAME",
"password" : "PASSWORD",
"pageSize" : "50",
"driverClassName" : "com.sap.db.jdbc.Driver",
"ignoreUsers" : [
"SYS",
"SYSTEM"
]
}
}
Mapping
From SAP HANA Database users to IDM or Advanced Identity Cloud users
SOURCE | TARGET | TRANSFORMATION SCRIPT |
---|---|---|
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
Association>Association Rules>Correlation Queries
-
Link Qualifier: default
-
Any of the following fields:
USER_NAME
From IDM or Advanced Identity Cloud users to SAP HANA Database users
SOURCE | TARGET | TRANSFORMATION SCRIPT |
---|---|---|
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
Association>Association Rules>Correlation Queries
-
Link Qualifier: default
-
Any of the following fields:
USER_NAME
Test the SAP HANA Database connector
Test the connector configuration:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Accept-API-Version: resource=1.0' \ --request POST \ 'http://localhost:8080/openidm/system/saphanadb?_action=test' { "name": "saphanadb", "enabled": true, "config": "config/provisioner.openicf/saphanadb", "connectorRef": { "bundleVersion": [1.5.0.0,1.6.0.0), "bundleName": "org.forgerock.openicf.connectors.saphanadb-connector", "connectorName": "org.forgerock.openicf.connectors.saphanadb.SapHanaDBConnector" }, "displayName": "SAP HANA Database Connector", "objectTypes": [ "APPLICATION_PRIVILEGES", "__ACCOUNT__", "SYSTEM_PRIVILEGES", "ROLES", "__ALL__" ], "ok": true }
Use the SAP HANA Database connector
Database user
Create a user
To create a new user, you must include at least the USER_NAME
and PASSWORD
fields.
The default configuration requires passwords to have:
-
a minimum of 8 characters.
-
at least one number.
-
at least one uppercase letter.
-
at least one lowercase letter.
Special characters are optional, but the default password setting (Aa1 ) only accepts underscores (_ ). For more information, refer to Password Policy Configuration Options.
|
If the IS_RESTRICTED
field is true, a restricted user is created. A restricted user has no default roles and an unrestricted user has the default PUBLIC role.
The possible date format for the fields VALID_FROM
and VALID_UNTIL
is: yyyy-MM-dd HH:mm AM/PM
.
When assigning SAML Providers to a User, only those providers that already exist within the database can be assigned during a create operation.
To grant and revoke roles, application or system privileges, some requirements are necessary, as detailed here.
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--header 'Content-Type: application/json' \
--request POST \
--data '{
"USER_NAME" : "SAPHANADB_NEWUSER",
"PASSWORD" : "Password123",
"EMAIL_ADDRESS" : "SAPHANADB_NEWUSER@example.com",
"CLIENT" : "001",
"TIME_ZONE" : "GMT",
"VALID_FROM" : "2024-12-12 12:30",
"VALID_UNTIL" : "2025-12-12 15:00",
"IS_SAML_ENABLED" : true,
"IS_KERBEROS_ENABLED" : true,
"IS_PASSWORD_ENABLED" : true,
"IS_CLIENT_CONNECT_ENABLED": true,
"ROLES" : [
"MODELING"
],
"APPLICATION_PRIVILEGES" : [
"sap.hana.backup::Admin"
],
"SYSTEM_PRIVILEGES" : [
"REPO.EXPORT",
"REPO.IMPORT",
"REPO.MAINTAIN_DELIVERY_UNITS"
]
}' \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__'
{
"USER_NAME" : "SAPHANADB_NEWUSER",
"EMAIL_ADDRESS" : "SAPHANADB_NEWUSER@example.com",
"IS_RESTRICTED" : false,
"CLIENT" : "001",
"TIME_ZONE" : "GMT",
"USER_MODE" : "LOCAL"
"VALID_FROM": "2024-12-12 12:30",
"VALID_UNTIL": "2025-12-12 15:00",
"IS_SAML_ENABLED" : true,
"IS_KERBEROS_ENABLED" : true,
"IS_PASSWORD_ENABLED" : true,
"PASSWORD_CHANGE_NEEDED" : false,
"IS_CLIENT_CONNECT_ENABLED": true,
"HAS_REMOTE_USERS" : false,
"EXTERNAL_IDENTITY" : false,
"CREATOR" : "USER_CREATOR",
"ROLES" : [
"PUBLIC",
"MODELING"
],
"APPLICATION_PRIVILEGES" : [
"sap.hana.backup::Admin"
],
"SYSTEM_PRIVILEGES" : [
"REPO.EXPORT",
"REPO.IMPORT",
"REPO.MAINTAIN_DELIVERY_UNITS"
]
}
Get users
Retrieve a list of database user ids from SAP HANA Database:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request GET \ 'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__?_queryId=query-all-ids' { "result": [ { "_id" : "001" }, { "_id" : "002" }, { "_id" : "003" }, ... ] }
Get a user
Retrieve a user from SAP HANA Database. You must specify the id in the URI path:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__/USER_ID'
{
"USER_NAME" : "NEW_USER",
"EMAIL_ADDRESS" : "NEW_USER@example.com",
"IS_RESTRICTED" : false,
"CLIENT" : "000",
"TIME_ZONE" : "GMT",
"USER_MODE" : "LOCAL",
"VALID_FROM": "2023-09-06",
"VALID_UNTIL": "2023-12-31",
"IS_SAML_ENABLED" : fale,
"IS_KERBEROS_ENABLED" : false,
"IS_PASSWORD_ENABLED" : true,
"PASSWORD_CHANGE_NEEDED" : false,
"HAS_REMOTE_USERS" : false,
"IS_CLIENT_CONNECT_ENABLED": true,
"EXTERNAL_IDENTITY" : "999",
"CREATOR" : "USER_CREATOR",
"ROLES": [
"PUBLIC",
"MODELING"
],
"APPLICATION_PRIVILEGES" : [
"sap.hana.backup::Admin"
],
"SYSTEM_PRIVILEGES" : [
"REPO.EXPORT",
],
"SAML_PROVIDERS" : [
{
"SAML_PROVIDER_NAME" : "PROVIDER_NAME",
"EXTERNAL_IDENTITY" : null
}
]
}
Update a user
Update a user from the database. You must specify the id in the URI path.
The roles field combines the catalog and repository roles. To grant and revoke roles, application or system privileges, some requirements are necessary, as detailed here.
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request PUT \
--data '{
"EMAIL_ADDRESS": "NEW_MAIL@EMAIL.COM",
"CLIENT" : "002",
"TIME_ZONE" : "PST",
"VALID_FROM" : "2023-09-06",
"VALID_UNTIL" : "2023-12-31",
"IS_KERBEROS_ENABLED" : true,
"IS_SAML_ENABLED" : true,
"IS_PASSWORD_ENABLED" : true,
"PASSWORD_CHANGE_NEEDED": true,
"IS_CLIENT_CONNECT_ENABLED": true,
"EXTERNAL_IDENTITY": "999",
"ROLES": [
"PUBLIC",
"RESTRICTED_USER_JDBC_ACCESS"
]
}' \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__/USER_ID'
{
"USER_NAME": "USERNAME",
"EMAIL_ADDRESS": "NEW_MAIL@EMAIL.COM",
"IS_RESTRICTED": false,
"CLIENT": "002",
"TIME_ZONE": "PST",
"USER_MODE": "LOCAL",
"VALID_FROM": "2023-09-06",
"VALID_UNTIL": "2023-12-31",
"IS_KERBEROS_ENABLED": true,
"IS_SAML_ENABLED": true,
"IS_PASSWORD_ENABLED": true,
"PASSWORD_CHANGE_NEEDED": true,
"IS_CLIENT_CONNECT_ENABLED": true,
"EXTERNAL_IDENTITY": "999",
"HAS_REMOTE_USERS": false,
"CREATOR": "USER_CREATOR",
"ROLES": [
"PUBLIC",
"RESTRICTED_USER_JDBC_ACCESS",
],
"APPLICATION_PRIVILEGES": [],
"SYSTEM_PRIVILEGES": [],
"SAML_PROVIDERS" : []
}
Delete a user
Delete a user from a database. You must specify the id in the URI path:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request DELETE \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__/USER_ID'
{
"USER_NAME" : "NEW_USER",
"EMAIL_ADDRESS" : "NEW_USER@EMAIL.COM",
"IS_RESTRICTED" : false,
"CLIENT" : "001",
"TIME_ZONE" : "GMT",
"USER_MODE" : "LOCAL"
"VALID_FROM": "2024-12-12",
"VALID_UNTIL": "2025-12-12",
"IS_SAML_ENABLED" : false,
"IS_KERBEROS_ENABLED" : false,
"IS_PASSWORD_ENABLED" : true,
"PASSWORD_CHANGE_NEEDED" : false,
"IS_CLIENT_CONNECT_ENABLED": true,
"HAS_REMOTE_USERS" : false,
"EXTERNAL_IDENTITY" : "999",
"CREATOR" : "USER_CREATOR",
"ROLES": [
"PUBLIC"
],
"APPLICATION_PRIVILEGES" : [],
"SYSTEM_PRIVILEGES" : [],
"SAML_PROVIDERS" : []
}
Get roles
Retrieve roles from a SAP HANA Database:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Accept-API-Version: resource=1.0' \ --request GET \ 'http://localhost:8080/openidm/system/saphanadb/ROLES?_queryFilter=true' { "result": [ { "_id": "2361418", "ROLE_NAME": "ABAP_READ", "ROLE_ID": "2361418", "ROLE_MODE": "LOCAL", "__NAME__": "ABAP_READ", "ROLE_SCHEMA_NAME": null, "GLOBAL_IDENTITY": null }, ... }
Get system privileges
Retrieve system privileges from a SAP HANA Database:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Accept-API-Version: resource=1.0' \ --request GET \ 'http://localhost:8080/openidm/system/saphanadb/SYSTEM_PRIVILEGES?_queryFilter=true' { "result": [ { "_id": "ADAPTER ADMIN", "__NAME__": "ADAPTER ADMIN", }, ... }
Get application privileges
Retrieve application privileges from a SAP HANA Database:
curl --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Accept-API-Version: resource=1.0' \ --request GET 'http://localhost:8080/openidm/system/saphanadb/APPLICATION_PRIVILEGES/_queryFilter=true' { "result": [ { "_id": "sap.hana.ide::Catalog", "__NAME__": "sap.hana.ide::Catalog" }, ... }
OpenICF Interfaces Implemented by the SAP HANA Database Connector
The SAP HANA Database Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:
- Create
-
Creates an object and its
uid
. - Delete
-
Deletes an object, referenced by its
uid
. - Schema
-
Describes the object types, operations, and options that the connector supports.
- Script on Connector
-
Enables an application to run a script in the context of the connector.
Any script that runs on the connector has the following characteristics:
-
The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
-
The script has access to a
connector
variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. -
The script has access to any script arguments passed in by the application.
-
- Search
-
Searches the target resource for all objects that match the specified object class and filter.
- Test
-
Tests the connector configuration.
Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.
This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).
You can invoke the test operation before a connector configuration has been validated.
- Update
-
Updates (modifies or replaces) objects on a target resource.
SAP HANA Database Connector Configuration
The SAP HANA Database Connector has the following configurable properties:
Configuration properties
Property | Type | Default | Encrypted(1) | Required(2) |
---|---|---|---|---|
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
Description is not available |
||||
|
|
|
|
No |
The connection username to be passed to our JDBC driver to establish a connection |
||||
|
|
|
Yes |
Yes |
SAP HANA Database login password to authenticate the user |
||||
|
|
|
|
No |
Page size of search |
||||
|
|
|
|
No |
List of database users to be ignored by the connector |
(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.
(2) A list of operations in this column indicates that the property is required for those operations.