14.2    Creating Delivery Units for Security-Related Packages

Delivery units play a role in the lifecycle management of packages. Before you can export content to a file or transport development content from one SAP HANA system to another, you must first assign a package or package hierarchy to a delivery unit. A delivery unit should contain packages and development artifacts that are associated with each other. For example, a web-based application developed in the XS engine and its associated package hierarchy can be assigned to a single delivery unit. Using a delivery unit allows the content to be transported in an organized and consistent manner.

Once content is organized into a delivery unit, you can export it to a compressed file. This file can subsequently be imported into another SAP HANA system for the purposes of transporting the code. Using SAP HANA application lifecycle management, you can also transport delivery units between systems. Delivery units can also serve as external backups of code and subsequently be imported back into the originating SAP HANA system if content needs to be restored.

Note that the administrator must define the vendor ID or the content vendor within the system configuration before content can be assigned to a delivery unit. This definition is configured in the indexserver.ini file under the Repository option and content_vendor key. Specify a value that will identify your organization. For example, you can enter a domain name such as “e-corp.com.”

The user creating the delivery unit must have privileges similar to those assigned to the sap.hana.xs.lm.roles::Administrator default role. Note that the INIFILE ADMIN system privilege, found in this default role, is only necessary to define the content vendor. A custom role should be created for developers that create delivery units to avoid granting them access to make configuration changes to the SAP HANA system.

You can use two main graphical user interfaces (GUIs) for creating and managing delivery units: SAP HANA Studio (Section 14.2.1) and the web-based SAP HANA application lifecycle management application (Section 14.2.2). Again, this functionality is not available with the SAP HANA cockpit but is still critical to the support of an SAP HANA security model even in SAP HANA 2.0 SPS 04. Therefore, we’ll take time to explain the process from the perspective of SAP HANA Studio.

14.2.1    Creating a Delivery Unit with SAP HANA Studio

SAP HANA Studio provides an interface to manage delivery units. To access this interface, open the default modeler perspective. Then, go to the Quick View area on the right. The Quick View area provides several buttons that act as shortcuts to interfaces for managing development artifacts. The first item in the list of shortcuts is the Delivery Units shortcut. Click this shortcut to manage delivery units within the system. When you first click the shortcut, the Select System window will appear. From the list of systems configured within SAP HANA Studio, select the system related to the delivery units you need to manage. Click Next to open the Delivery Units management window, as shown in Figure 14.2.

Minimum Privileges to Manage Delivery Units in SAP HANA Studio

A grantee will need at least a few privileges to manage a delivery unit for a given package. The following examples use SQL statements for demonstration purposes only. We recommend that you apply the same privileges within a repository-based role when developing a security model.

The grantee must be able to execute the REPOSITORY_REST stored procedure. The following SQL example demonstrates how this catalog object privilege can be granted:

GRANT EXECUTE ON "_SYS_REPO"."REPOSITORY_REST" TO <GRANTEE>;

The grantee must have a system privilege to maintain delivery units. The following SQL example demonstrates how this system privilege can be granted:

GRANT REPO.MAINTAIN_DELIVERY_UNITS TO <GRANTEE>;

The grantee must have privileges to read and maintain imported packages on the packages referenced by the delivery unit. The following SQL example demonstrates how these package privileges can be granted:

GRANT REPO.READ, REPO.MAINTAIN_IMPORTED_PACKAGES on "<Package>" TO <GRANTEE>;
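
The following SQL is an added example, not taken from the original text. It sets the content vendor described earlier in this section and then checks that a developer who maintains delivery units has not also received INIFILE ADMIN. The user name ECORP_DU_DEV is a hypothetical placeholder, and the queries assume the session can read the SYS monitoring views for other users.

```sql
-- Added example. ECORP_DU_DEV is a hypothetical developer user.

-- 1. Administrator step (needs INIFILE ADMIN): define the content vendor
--    in indexserver.ini, section "repository", key "content_vendor".
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    SET ('repository', 'content_vendor') = 'e-corp.com'
    WITH RECONFIGURE;

-- 2. Confirm the stored value and the layer it was written to.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM "SYS"."M_INIFILE_CONTENTS"
 WHERE FILE_NAME = 'indexserver.ini'
   AND SECTION   = 'repository'
   AND KEY       = 'content_vendor';

-- 3. Users and roles that hold INIFILE ADMIN by direct grant.
--    Developers who only create delivery units should not appear here.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE PRIVILEGE = 'INIFILE ADMIN'
 ORDER BY GRANTEE_TYPE, GRANTEE;

-- 4. Users and roles that received the default role, which carries
--    INIFILE ADMIN along with the delivery unit privileges.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE ROLE_NAME = 'sap.hana.xs.lm.roles::Administrator'
 ORDER BY GRANTEE_TYPE, GRANTEE;

-- 5. Effective privileges of one developer, resolved through all
--    nested roles. EFFECTIVE_PRIVILEGES requires an equality filter
--    on USER_NAME. Expected: the two delivery unit rows and no
--    INIFILE ADMIN row.
SELECT PRIVILEGE, SCHEMA_NAME, OBJECT_NAME, GRANTEE, GRANTEE_TYPE
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME = 'ECORP_DU_DEV'
   AND (   PRIVILEGE IN ('INIFILE ADMIN', 'REPO.MAINTAIN_DELIVERY_UNITS')
        OR (PRIVILEGE = 'EXECUTE' AND OBJECT_NAME = 'REPOSITORY_REST'));
```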

Figure 14.2    Delivery Units Management Window in SAP HANA Studio

The delivery unit management window is divided into two main sections. The top half of the window is titled Delivery Units. In this section, you can create and delete delivery units within the system. To create a delivery unit, click the Create button located to the right of the section. The New Delivery Unit window will appear, as shown in Figure 14.3.

In this window, enter the Name of the delivery unit. The Vendor field should already be populated with the content vendor ID configured in the indexserver.ini configuration file. All other configuration fields are optional. The Version, Support Package Version, Patch Version, Caption, and other fields are typically used by SAP or other vendors that provide plug-ins for the XS engine. Click OK to create the delivery unit. To delete a delivery unit, remove all assigned packages, highlight the delivery unit in the Delivery Unit list, then click the Delete button.

Figure 14.3    New Delivery Unit Window in SAP HANA Studio

At the bottom of Figure 14.2, you’ll see the Assigned Packages section. You’ll use this section to add or remove packages from the delivery unit. To add a package to the selected delivery unit, click the Add button. The Assign Packages window will appear, as shown in Figure 14.4.

Repository Role Dependencies

In our example, we’ve packaged all the security-related development artifacts into a single delivery unit. We included dependent subpackage items, such as schemas and analytic privileges. Although this methodology will capture most of the dependent items, the delivery unit likely won’t contain all of them. All dependent items must be packaged into their own delivery units and transported into target systems before security-specific delivery units are imported.

Figure 14.4    Assign Packages Window in SAP HANA Studio

To select a package, click the top-level package node within the package hierarchy using the Select Package(s) section of the window. To include all subpackages with the top-level package node, select the Selects all sub-packages under the selected nodes checkbox. Click Finish to add the packages to the delivery unit. To remove a package or subpackage from the Assigned Packages section, select it in the list and click the Remove button. A confirmation popup window will appear. Click OK to confirm that you want to remove the selected package from the delivery unit.

14.2.2    Creating a Delivery Unit with SAP HANA Application Lifecycle Management

In Section 14.3 and Section 14.4, we’ll discuss SAP HANA application lifecycle management in more detail. In this section, we’ll look specifically at delivery unit management in SAP HANA application lifecycle management. To access SAP HANA application lifecycle management, you must use a web browser. Customize the following URLs for your system.

For Secure Sockets Layer (SSL) access to SAP HANA application lifecycle management, use the following URL:

For example, the URL could look like the following:

If SSL isn’t configured, use the following URL:

For example, the URL could look like the following:

In these examples, replace the <host_name> variable with the host name of your SAP HANA instance and the <instance number> variable with the two-digit instance number of your SAP HANA instance.

To access SAP HANA application lifecycle management and manage delivery units, you must have the sap.hana.xs.lm.roles::Administrator role. During our testing, we found that this role is required even if the grantee has the privileges necessary to perform the same actions using SAP HANA Studio. Once you have access to SAP HANA application lifecycle management and log on using the configured method for your environment, the homepage shown in Figure 14.5 will appear.

Figure 14.5    SAP HANA Application Lifecycle Management Homepage

On the Home page, click the tile labeled Delivery Units. A new window will appear and the navigation path Products > Delivery Units will be preselected. Within this Delivery Units window, you’ll see a list of delivery units on the left. On the right, you’ll find configuration options for the selected delivery unit. Figure 14.6 shows an example of the delivery unit management window in SAP HANA application lifecycle management.

Figure 14.6    Delivery Unit Management Window in SAP HANA Application Lifecycle Management

To create a new delivery unit, click the + Create button at the top left. The New Delivery Unit window will appear, as shown in Figure 14.7.

The Name field is mandatory and must be maintained. The Vendor field will contain the name of the content vendor configured within your environment. All remaining fields are optional. Click Create once you’ve entered the required information.

Figure 14.7    New Delivery Unit Window in SAP HANA Application Lifecycle Management

To assign packages to the delivery unit, select the delivery unit on the left, then, on the right side of the window, scroll down until the Assigned Packages section is visible. In this section, click the Assign button to add packages to the delivery unit. The Assign Packages window will appear, as shown in Figure 14.8.

Figure 14.8    Assign Packages Window in SAP HANA Application Lifecycle Management

Click the package node level that you want to assign to the delivery unit. Choose the Select Sub Packages option to include all subpackages within the delivery unit. Click the Assign button to assign the packages.

To remove packages from the delivery unit, select the delivery unit on the left, then, on the right, scroll down to the Assigned Packages section. Select the package to remove and click Unassign. To save changes made to the delivery unit, click the Save button just to the right of the + Create button.

Additional Information

For additional information pertaining to SAP HANA application lifecycle management, refer to the SAP HANA Application Lifecycle Management Guide, available at http://s-prs.co/v498218.

In this guide, you’ll find information on the following topics discussed briefly in this chapter:

In the next section, we’ll explore the options necessary for transporting or promoting content between SAP HANA systems. We’ll also review the processes necessary to export a delivery unit to a file.

14.2.3    Importing and Exporting Delivery Units with SAP HANA Application Lifecycle Management

Based on the information provided in Section 14.2.2 and as shown in Figure 14.6, you’ll notice two additional buttons in the icon bar: Import and Export. Select a delivery unit in the list and then click the Export button to export a delivery unit to your local file system.

To import a delivery unit, select the Import button. The Import Delivery Unit window will appear. Click the Browse button to locate a delivery unit on your file system. Click Import to start the import process. The Confirm Import of Delivery Unit window will appear. Review the Objects Test Import Results list for any possible errors. If the results seem successful, click the Import button again to start the import process.