Prevent Changes to System Properties in Tenant Databases

To ensure the stability and performance of the overall system or for security reasons, you can prevent certain system properties from being changed by tenant database administrators, for example, properties related to resource management. A configuration change blacklist is available for this purpose. You configure the blacklist in the SAP HANA cockpit.

Prerequisites

  • The system database is registered in the SAP HANA cockpit.
  • You have the system privilege INIFILE ADMIN.

Context

System configuration (*.ini) files have a database layer to facilitate the configuration of system properties for individual tenant databases. However, it may be desirable to prevent certain properties from being changed directly in tenant databases because such changes could affect the performance of the system as a whole (for example, CPU and memory management properties).

For this reason, a dedicated configuration change blacklist, multidb.ini, is available. This blacklist contains several critical properties by default. You can customize the default configuration, and add further properties, by editing the file in the SAP HANA studio.

Procedure

  1. On the Overview page of the system database in the SAP HANA cockpit, open Configuration of System Properties by clicking the corresponding administration link.
  2. Select the configuration file multidb.ini and the section readonly_parameters.
  3. Add a new parameter to the blacklist:
    1. Specify on which layer you want to blacklist the properties.

      You can choose from the following layers:

      Layer     Result
      System    Configuration not possible in any tenant database.
      Database  Configuration not possible in the specified tenant database(s).
    2. In the Key field, enter the ini file section that contains the properties you want to blacklist.
      If the section exists in more than one configuration file, you can specify the exact configuration file by entering <file>/<section>. If you do not specify a configuration file, the properties will be blacklisted in all files that contain the section.
      For example, to specify the communication section in all configuration files, enter communication. But to specify the communication section in the xsengine.ini file only, enter xsengine.ini/communication.
    3. In the Value field, enter the properties that you want to blacklist.
      If you want to add all the properties in the section, enter *. If you want to add all the properties in all sections of a specific file, enter <filename>/* (for example, xsengine.ini/*).
    4. Choose OK.
    5. Add further parameters as required.

Results

Tenant database administrators cannot change the properties in the configuration change blacklist. If they try, they will get the error message: Change not allowed for tenant database. System administrators can still change the properties in the system database in all layers.

Example:

Layered Configuration
The property [sql] sql_executors is blacklisted for all tenant databases in all configuration files by default. You could create a layered configuration, for example, as follows:
  • You change the sql entry at the system layer and enter plan_cache_size as the value. This overrides the default configuration so that [sql] plan_cache_size is blacklisted instead of [sql] sql_executors.
  • You change the sql entry at the system layer and enter sql_executors and plan_cache_size as the value. This overrides the default configuration so that both [sql] plan_cache_size and [sql] sql_executors are blacklisted.
  • You add a new entry indexserver.ini/sql at the system layer with plan_cache_size as the value. This adds a specific configuration for the indexserver.ini file. Here, only [sql] plan_cache_size is now blacklisted.
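
The three scenarios above, resolved in code as an added example (not SAP code), to show which properties a tenant administrator can still change after each edit. Assumptions: only the default and system layers are modelled, several properties in one value are comma-separated, a <file>/<section> key decides alone for that file, the <filename>/* value form is not modelled, and REQUIRED is a constructed audit baseline.

```python
# Added example: resolves [readonly_parameters] entries of multidb.ini into
# per-property decisions. Only the default and system layers are modelled.

DEFAULT_LAYER = {"sql": "sql_executors"}  # the default entry named on the page

def effective_entries(default, system):
    """A system-layer entry replaces the default entry that has the same key."""
    merged = dict(default)
    merged.update(system)
    return merged

def parse_value(value):
    # Assumption: several properties in one value are comma-separated.
    return {p.strip() for p in value.split(",") if p.strip()}

def is_blacklisted(entries, ini_file, section, prop):
    """True if a tenant change to [section] prop in ini_file is rejected."""
    # Interpretation of the page's third scenario: a <file>/<section> key is
    # more specific than a bare <section> key and decides alone for that file.
    for key in (f"{ini_file}/{section}", section):
        if key in entries:
            props = parse_value(entries[key])
            return "*" in props or prop in props
    return False

def unprotected(entries, required):
    """Return the (file, section, property) triples tenants can still change."""
    return [r for r in required if not is_blacklisted(entries, *r)]

# Constructed audit baseline (assumes xsengine.ini also has a [sql] section).
REQUIRED = [
    ("indexserver.ini", "sql", "sql_executors"),
    ("indexserver.ini", "sql", "plan_cache_size"),
    ("xsengine.ini", "sql", "sql_executors"),
]

# The three system-layer changes from the example above.
SCENARIOS = {
    "replace": {"sql": "plan_cache_size"},
    "extend": {"sql": "sql_executors,plan_cache_size"},
    "file_specific": {"indexserver.ini/sql": "plan_cache_size"},
}

if __name__ == "__main__":
    for name, system_layer in SCENARIOS.items():
        gaps = unprotected(effective_entries(DEFAULT_LAYER, system_layer), REQUIRED)
        print(f"{name}: {len(gaps)} gap(s) {gaps}")
```

Under these assumptions, the first and third scenarios leave [sql] sql_executors changeable where it was previously locked, which is worth checking before saving an override.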

Source: https://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/2.0.01/en-US/cd34680fe57242ef8a5e7199739e972c.html