ℹ️Introduction

This guide explains how to connect your SAP HANA database to Neomir DQ using a secure and lightweight proxy called the Neomir HANA Gateway. As direct database access from a browser is not possible, the gateway acts as a secure bridge between your infrastructure and the Neomir platform. You'll learn how to create a dedicated read-only user, install the gateway, and configure the necessary permissions. Whether deployed on-premise or in the cloud, this setup ensures that Neomir DQ can read metadata and table contents in a controlled and compliant manner.

About Neomir HANA Gateway

Neomir HANA Gateway is essentially a Node.js server that uses Express.js as middleware and includes a connector to the HANA DB. Put simply, its main task is to act as a middleman between your HANA DB and your users while they use the Neomir DQ platform.

We decided to open-source Neomir HANA Gateway to enhance transparency, foster trust, and leverage collective intelligence in IT Security & Compliance. You can find the source code in our GitHub organization:

https://github.com/neomir-pe/neomir-hana-gateway

🔬Details & Information Security

The integration of Neomir DQ with your SAP S/4HANA system follows our core principle that Neomir’s infrastructure never sees, processes or saves your source system’s raw data. The following diagram shows how the integration works once it is set up:

[Diagram: SAP S4HANA Connector UML Diagram]

🧭Step-by-step Guide

1. Creating a new SAP HANA DB User

This guide explains how to create a read-only service account for Neomir DQ on SAP HANA.

<aside> 💡

Prerequisite

To create an SAP HANA DB user, you will need to have USER ADMIN privileges.

Your Neomir implementation contact will help you identify the tables which the HANA DB user needs access to - specifically for your use cases.

</aside>

Please run the SQL snippets below on your SAP HANA tenant database to create a read-only database user for Neomir DQ.

-- Creates a restricted user. Turns off requirement that this user changes their password.
CREATE RESTRICTED USER <username> PASSWORD <password> NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER <username> DISABLE PASSWORD LIFETIME;

-- Allows user to connect to the database through a client.
ALTER USER <username> ENABLE CLIENT CONNECT;

-- Grants user SELECT access on system views needed for metadata collection.
GRANT CATALOG READ TO <username>;
GRANT SELECT ON SYS.M_DATABASE TO <username>;
GRANT SELECT ON SYS.SCHEMAS TO <username>;
GRANT SELECT ON SYS.M_TABLES TO <username>;
GRANT SELECT ON SYS.M_TABLE_STATISTICS TO <username>;
GRANT SELECT ON SYS.VIEWS TO <username>;

-- User needs SELECT access on the individual tables.
-- To give the user SELECT privileges on every table in a schema, run:
GRANT SELECT ON SCHEMA <schema_name> TO <username>;

-- To give the user SELECT privileges on a specific table only, run:
GRANT SELECT ON <schema_name>.<table_name> TO <username>;
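
To confirm that the account really ended up read-only, the administrator can run the following queries against SAP HANA's system views after the grants above. This is an added example, not part of the Neomir documentation or the gateway's code; `<USERNAME>` is the same placeholder as above, written in upper case because HANA stores unquoted identifiers in upper case.

```sql
-- Added verification example (not from the Neomir documentation).
-- Replace <USERNAME> with the account created above, in upper case.

-- 1. Account flags: expect a restricted user with client connect enabled
--    and the password lifetime check switched off by the ALTER USER above.
SELECT USER_NAME,
       IS_RESTRICTED,
       IS_CLIENT_CONNECT_ENABLED,
       IS_PASSWORD_LIFETIME_CHECK_ENABLED
  FROM SYS.USERS
 WHERE USER_NAME = '<USERNAME>';

-- 2. Roles held by the account. The statements above grant no role,
--    so review every row returned here: privileges inherited through a
--    role do not show up as direct grants in query 3.
SELECT ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = '<USERNAME>';

-- 3. Direct grants that go beyond reading: any privilege other than
--    SELECT or CATALOG READ, or any privilege the account could pass on.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = '<USERNAME>'
   AND (PRIVILEGE NOT IN ('SELECT', 'CATALOG READ')
        OR IS_GRANTABLE = 'TRUE');

-- 4. Read scope: every object the account can SELECT from. Rows with
--    OBJECT_TYPE = 'SCHEMA' are schema-wide grants; compare the list with
--    the tables agreed for your use cases.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = '<USERNAME>'
   AND PRIVILEGE = 'SELECT'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME;
```
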

2. Installing Neomir HANA Gateway

<aside> 💡

Prerequisite

Hardware Recommendations

| | Minimum Requirements | Medium-Scale Deployments | Large-Scale Deployments |
| --- | --- | --- | --- |
| CPU | 2 vCPUs | 4 vCPUs | 8 vCPUs |
| RAM | 2 GB | 8 GB | 16-32 GB |
| Storage | 10 GB SSD | 50 GB SSD | 100 GB NVMe SSD |
| Network | 1 Gbps | 1 Gbps with low-latency access to SAP HANA | 10 Gbps |
| OS | Linux (Ubuntu 20.04+), Windows Server | Linux (Ubuntu 22.04 LTS, RHEL 8+), Windows Server 2022 | Linux (Ubuntu 22.04 LTS, RHEL 9, SUSE Enterprise Linux), Windows Server 2022 |