- Kyma ✅
- Cloud Foundry ✅
In this part of the Expert Features, you will learn how to access and manage tenant database containers. In this sample scenario, you will access a tenant database container with a user that holds administrative permissions on the underlying database schema, such as the CREATE ANY, SELECT, EXECUTE, or DROP SQL permissions.
Please also check out the blog post by Andrew Lunde, which is linked in the Further Information section. It provides even more details and different approaches on how to interact with containers managed by the so-called SAP Service Manager.
The demonstrated approach explains how to access a tenant database container with a so-called technical Runtime user. This user has extensive permissions to interact with the underlying database schema and the presented access should only be used in very exceptional scenarios! This technical user is able to modify any data in a tenant container and to create and drop schema objects using plain SQL commands.
Hint - If you want to adapt the permissions of the default access role assigned to Runtime users, please read the corresponding SAP Help documentation. Please keep in mind that this will also restrict the permissions of the Runtime user used by the Service Manager when accessing the tenant database containers.
No developer in a productive environment should ever have access to the credentials used in this step-by-step guide. This can be achieved by not assigning any Cloud Foundry roles like Space Developer/Supporter/Manager to developers in a productive subaccount. Instead, a very limited number of named database users should be used in combination with dedicated support roles provided by the database schema.
Please use this approach for learning purposes only, e.g., when working in a development environment, or in very exceptional circumstances by a dedicated administrator who has access to the Service Binding details of the Service Manager instance!
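One way to check the role restriction described above, as an added example that is not part of the original guide: it flags users who hold a Space Developer, Supporter or Manager role in a productive space without being on an allowlist of named administrators. It assumes the response shape of the Cloud Foundry v3 roles API (for example from `cf curl "/v3/roles?include=user"`); the space GUIDs, user GUIDs and usernames are constructed sample values.

```python
# Space roles the guide says developers must not hold in a productive subaccount.
SENSITIVE_ROLES = {"space_developer", "space_supporter", "space_manager"}

def _role(kind, user, space):
    # Build one constructed role record in the CF v3 shape (org roles have no space).
    return {"type": kind, "relationships": {
        "user": {"data": {"guid": user}},
        "space": {"data": {"guid": space} if space else None}}}

# Constructed sample standing in for a `GET /v3/roles?include=user` response.
SAMPLE_ROLES = {
    "resources": [
        _role("space_developer", "u-1", "space-prod"),
        _role("space_developer", "u-2", "space-prod"),
        _role("space_developer", "u-1", "space-dev"),
        _role("space_auditor", "u-3", "space-prod"),
        _role("space_supporter", "u-4", "space-prod"),
        _role("organization_user", "u-1", None),
    ],
    "included": {"users": [
        {"guid": "u-1", "username": "dev.one@example.com"},
        {"guid": "u-2", "username": "ops.admin@example.com"},
        {"guid": "u-3", "username": "auditor@example.com"},
    ]},
}

def audit_space_roles(payload, space_guid, allowed_users):
    """Return sorted (user, role) pairs holding a sensitive role in the given
    space without being on the allowlist of named administrators."""
    names = {u["guid"]: u.get("username") or u["guid"]
             for u in payload.get("included", {}).get("users", [])}
    findings = set()
    for role in payload.get("resources", []):
        rel = role.get("relationships", {})
        space = (rel.get("space", {}).get("data") or {}).get("guid")
        if role.get("type") not in SENSITIVE_ROLES or space != space_guid:
            continue
        guid = rel["user"]["data"]["guid"]
        user = names.get(guid, guid)  # fall back to the GUID if the user is not included
        if user not in allowed_users:
            findings.add((user, role["type"]))
    return sorted(findings)

if __name__ == "__main__":
    allow = {"ops.admin@example.com"}
    for user, role in audit_space_roles(SAMPLE_ROLES, "space-prod", allow):
        print(f"unexpected {role} in productive space: {user}")
```
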
- You need to have a Developer role in the Cloud Foundry Space in which your SaaS application is deployed.
- You need to have access to the Subscription Management Dashboard which simplifies the identification of tenant IDs.
3.1. Identify the tenant ID of the respective consumer tenant (in this case thebestrun) using the SaaS Registry service which is bound to your multitenant application.
Hint - Make sure your SAP BTP subaccount user has the required roles to access the Subscription Management Dashboard of SaaS Registry. If necessary, create and assign a new role collection containing the required roles. You can find the relevant roles in the official documentation.
3.2. Identify the related tenant database container instance within your SaaS Service Manager by checking the labels and comparing them to the tenant ID you identified in the Subscription Management Dashboard.
3.3. Open the existing Service Binding to read the credentials of the tenant database container you want to access. Please note the host, port, user and password properties.
Hint - You can see that the user property ends with RT, which stands for RunTime user. The hdi_user property ending with DT is the so-called DesignTime user.
3.4. Switch to the SAP HANA Database Explorer to add the tenant database container connection. You can open the SAP HANA Database Explorer from the SAP HANA Cloud Tools.
Hint - You might be asked to log in when opening the Database Explorer. Please use the DBADMIN or any other non-technical database user for this purpose.
4.1. Click the + icon to add a new database connection. Select the Instance Type SAP HANA Database.
4.2. Enter the service binding credentials from step 3.3 into the corresponding fields. Enable the SSL-based communication as shown in the screenshot. Click OK to add the tenant container/schema to your SAP HANA Database Explorer.
4.3. Once the container appears in your list of available connections, please switch to the Tables section. To see the tables of your tenant database container/schema, please click on the value help icon.
Hint - Currently you only see tables of the Runtime user's (_RT user) own schema, which is empty. Keep in mind that a database container is nothing other than a collection of database schemas.
4.4. Select the two available schemas with randomly generated names, which are the shared database container schema and the tenant database container schema. Click on Select to close the value help.
Hint - You can uncheck the RT (Runtime) user's own schema.
4.5. You should now have access to all tables in the shared database container/schema and the tenant database container/schema of the bestrun tenant. You can use SQL commands or available user interface options to view table content, insert/delete/modify records or create and drop schema objects.
Please use the following links to find further information on the topics above: