Content
1 Installing and Administering SAP Enterprise Architecture Designer, Edition for SAP HANA
7.2 Creating New Types of Dependencies
7.3 Modifying Lists of Values
8 SAP Enterprise Architecture Designer, Edition for SAP HANA Security Guide
8.1 Auditing and Logging
8.2 Data Protection and Privacy
Personal Data
Deletion of Personal Data
Change Logging for Personal Data
8.3 Identity and Access Management
8.4 Network and Communication Security
8.5 Cookies
1 Installing and Administering SAP Enterprise Architecture Designer, Edition for SAP HANA
One or more administrators must install and configure SAP Enterprise Architecture Designer, Edition for SAP
HANA and manage repository users and groups. Administrators can also monitor repository logs and define
extensions to make custom properties available for objects.
2 Installing SAP EA Designer
SAP EA Designer can be installed in your SAP HANA 2.0 system using the SAP HANA XS Advanced Cockpit.
Prerequisites
To install SAP EA Designer, you must have an XSA user with the following role collections:
● XS_CONTROLLER_ADMIN (or XS_CONTROLLER_USER with the SpaceDeveloper role for the space in
which to perform the installation).
● XS_AUTHORIZATION_ADMIN
● XS_USER_ADMIN
Note
For information about installing SAP EA Designer in HANA Express, see your HANA Express Getting Started
guide.
Note
For information about upgrading an existing SAP EA Designer installation, see Upgrading SAP EA Designer
[page 7].
Procedure
1. Download the latest version of SAP EA Designer from the SAP Support Portal.
a. Go to https://launchpad.support.sap.com/#/softwarecenter and search for EA Designer.
b. Select SAP EA DESIGNER FOR SAP HANA Maintenance Product SAP EA DESIGN FOR SAP HANA
1.0 COMPRISED SOFTWARE COMPONENT VERSIONS SAP EA DESIGN FOR SAP HANA 1.0 .
c. Select the XSACHANAEAD<version>.zip item with the most recent release date and download it.
2. Log into SAP HANA XS Advanced Cockpit on your HANA 2.0 server, which is by default available at:
https://<HOST>:51023
The installation may take several minutes and is complete when Validation, Deployment, and
Registration show green check marks.
d. When the installation is complete, return to the SAP HANA XS Advanced Cockpit homepage.
4. Obtain the address to access SAP EA Designer.
a. From the SAP HANA XS Advanced Cockpit homepage, select Application Monitor, find eadesigner in
the list, and click the URL link to go to the SAP EA Designer homepage.
b. Note the URL to communicate to users, and return to the SAP HANA XS Advanced Cockpit homepage.
5. Create a role collection to contain the EADesigner_Administrator application role.
a. From the SAP HANA XS Advanced Cockpit homepage, select Application Role Builder, and navigate to
the Role Collection page.
b. Click the New Role Collection tool at the bottom of the list, enter the following values, and click Create:
○ Name: EA_DESIGNER_ADMIN
○ Description: Perform administration tasks in EA Designer.
c. Click the Roles tab, click Add Application Role, enter the following values, and then click OK to add the
EADesigner_Administrator to the EA_DESIGNER_ADMIN role collection:
3 Upgrading SAP EA Designer
You can upgrade your SAP EA Designer installation in your SAP HANA 2.0 system using the SAP HANA XS
Advanced Cockpit.
Prerequisites
To upgrade SAP EA Designer you must have an XSA user with the following role collections:
● XS_CONTROLLER_ADMIN (or XS_CONTROLLER_USER with the SpaceDeveloper role for the space in
which to perform the upgrade).
Procedure
1. Download the latest version of SAP EA Designer from the SAP Support Portal.
a. Go to https://launchpad.support.sap.com/#/softwarecenter and search for EA Designer.
b. Select SAP EA DESIGNER FOR SAP HANA Maintenance Product SAP EA DESIGN FOR SAP HANA
1.0 COMPRISED SOFTWARE COMPONENT VERSIONS SAP EA DESIGN FOR SAP HANA 1.0 .
c. Select the XSACHANAEAD<version>.zip item with the most recent release date and download it.
2. Log into SAP HANA XS Advanced Cockpit on your HANA 2.0 server, which is by default available at:
https://<HOST>:51023
The upgrade may take several minutes and is complete when Validation, Deployment, and Registration
show green check marks.
4 Controlling Repository Access
The repository administrator is responsible for controlling access to the documents stored in the repository by
creating users and groups and assigning them rights, permissions, and profiles.
Context
Repository rights give users access to general repository features, while permissions give them access to
particular locations in the repository. The following rights and permissions are available:
Rights:
● Connect - Connect to the repository and view diagrams in SAP EA Designer.
● Edit on Web - Create and edit diagrams in SAP EA Designer.
● Edit Extensions on Web - Create and edit custom properties in SAP EA Designer. Gives access to the
Administration/Extensions tile.
● Manage All Documents - Perform any action on any document version. Implicitly includes Full
permission on all repository documents. Gives access to the Administration/Activities/Log tile.
● Manage Users & Permissions - Create, modify, and delete repository users and groups, grant them
rights, and add them to groups. Users with this right can list all repository documents and set permissions on
them without needing explicit Full permission. Gives access to the Administration/Users, Administration/
Groups, and Administration/Activities/Security Log tiles.
● Manage Repository - Create, upgrade, and delete the repository database. Gives access to the
Administration/Settings tile.
Permissions:
● List - View the document or folder in the repository browser and in search results. Without this permission,
the folder or document is hidden from the user.
● Read - Also open and compare documents.
● Submit - Also propose changes to the document for review by a user with Write permission.
● Write - Also review changes by other users and publish changes directly.
● Full - Also move and delete documents, and manage permissions granted to users and groups.
Note
Administrators, who have implicit Full permission on all repository objects, will only receive diagrams
for review if they have been granted explicit Write permission on them.
Procedure
1. [recommended] Connect the repository to an SMTP server to enable the automatic sending of emails for
passwords, changelist submissions, and other notifications (see Connecting to an SMTP Server for
Notifications [page 29]).
2. Determine how you will manage user authentication. You can choose one or more of:
○ SAP HANA XS Advanced authentication - Users with SAP HANA accounts can log in using their XS
Advanced user and password.
○ Repository-managed authentication - Specify an appropriate password policy (see Defining a
Password Policy [page 30]).
○ LDAP authentication - Connect the repository to an LDAP server to allow users to connect with their
corporate credentials (see Connecting to an LDAP Server for User Authentication [page 26]).
Note
LDAP and XS Advanced are only used for authentication. Rights and permissions on repository folders
and documents are controlled in the repository.
3. [optional] Create high-level functional groups (see Creating Repository Groups [page 14]) to organize
users by type and assign appropriate rights to them to govern general actions that they can perform in the
repository (see Granting Rights to Users and Groups [page 16]).
For example:
Groups Rights
Administrators Connect, Manage All Documents, Manage Users & Permissions, Manage Repository
Note
There is no requirement to create groups - you can assign rights and permissions to individual users -
but we recommend that in all but the smallest deployments, you do create groups to simplify the
process.
4. Create an appropriate folder structure in the repository to enable you to group documents by project or in
any other appropriate way, and to simplify the granting of permissions.
In this example, we imagine the following simple folder structure:
○ Library
○ EA
○ Process Map
○ Process Diagrams
○ HR
○ Sales
○ Data
5. Determine your review policy either at a global or project by project level. SAP EA Designer supports the
following kinds of policy:
○ Simple review - Change lists submitted by users with the Submit permission are reviewed by users
with the Write or Full permission.
○ Peer review - Users with the Write or Full permission voluntarily submit change lists for review.
○ Direct check in - The Submit permission and change lists are not used, and users all check in changes
without review.
6. Create development groups and implement your review policies by assigning appropriate permissions to
control what actions users and groups can perform on particular repository documents and folders.
In this example, we propose a simple group structure with permissions based on role and line of business:
○ Enterprise Architects - Have full control over all documents.
○ Process Analysts - Maintain the process map and review business process diagrams for publication in
the repository.
○ Process Owners - May submit business process diagrams for their domain.
○ Data Modelers - Maintain data models.
○ Stakeholders - Have read access to all documents by default.
7. Create as many users as necessary either manually (see Creating Repository Users [page 10]) or via
LDAP (see Managing Externally-Authenticated Repository Users [page 12]) and assign them to
appropriate groups (see Adding Users and Groups to a Group [page 15]) according to their roles and
project responsibilities.
There is no limit to the number of groups to which a user or group can be assigned, and users benefit from
the cumulative total of all the rights and permissions they receive.
The repository administrator is responsible for creating user accounts to enable users to connect to the
repository and access the content that they need.
Context
No users are created by default in the SAP EA Designer repository. You must designate an XSA user as the first
SAP EA Designer administrator (see Installing SAP EA Designer [page 5]).
Note
This procedure is for creating users authenticated by the repository. SAP EA Designer also supports
delegating authentication of users to an LDAP server (see Connecting to an LDAP Server for User
Authentication [page 26]) and to XSA.
Procedure
1. From the homepage, click Administration Tasks Manage Users , and then click the + button to create
a user and open its property sheet.
2. Enter the following properties as appropriate:
Property Description
Managed by By default, users must enter a password managed by SAP EA Designer to connect to the
repository. To allow them to enter their standard corporate password, select External (LDAP) (see
Managing Externally-Authenticated Repository Users [page 12]).
Login Name Specifies the account name used to connect to the repository.
Note
Account names and passwords managed by SAP EA Designer are case-sensitive and must
only contain standard ASCII characters.
Email Specifies the email address of the user. If you have specified an SMTP server (see Connecting to
an SMTP Server for Notifications [page 29]) this address will be used to send the password.
Rights Select the checkboxes corresponding to the rights you want to assign. The following rights are
available:
○ Connect - Connect to the repository and view diagrams in SAP EA Designer.
○ Edit on Web - Create and edit diagrams in SAP EA Designer.
○ Edit Extensions on Web - Create and edit custom properties in SAP EA Designer.
Gives access to the Administration/Extensions tile.
○ Manage All Documents - Perform any action on any document version. Implicitly
includes Full permission on all repository documents. Gives access to the Administration/
Activities/Log tile.
○ Manage Users & Permissions - Create, modify, and delete repository users and
groups, grant them rights, and add them to groups. Users with this right can list all
repository documents and set permissions on them without needing explicit Full permission.
Gives access to the Administration/Users, Administration/Groups, and Administration/
Activities/Security Log tiles.
○ Manage Repository - Create, upgrade, and delete the repository database. Gives
access to the Administration/Settings tile.
3. If you have not enabled delivery of passwords by email (see Connecting to an SMTP Server for
Notifications [page 29]), click the Change Password button, enter a temporary password identically in the
two fields and then click Change Password. Note the temporary password for transmission to the user.
4. Click the Groups tab and add the user to any appropriate groups (see Adding Users and Groups to a Group
[page 15]).
All users are added to the Public group, from which, by default, they inherit the Read permission on all
the contents of the repository (see Granting Access Permissions on Repository Items [page 17]).
5. Select Menu Push Diagrams to User or Menu Push Folder to User to make appropriate
diagrams and folders available in their homepage (see Pushing Diagrams and Folders to Users' Homepages
[page 18]).
6. Click Save to complete the creation of the user. If an SMTP server is configured, the password will be sent
to the user at the recorded email address.
Users must log in with their temporary password before the delay specified in the password policy (see
Defining a Password Policy [page 30]). When they first log in they will be required to change the temporary
password.
SAP HANA XS Advanced users can connect to and browse the SAP EA Designer repository. If you have
connected the repository to an LDAP server, any users with valid accounts in your organization can also browse
the repository. You can modify the default rights and permissions for such users by changing the rights and
permissions granted to the External users group, or provide specific rights and permissions for individual
external users by pre-creating repository user accounts for them.
Context
For example, if you want to allow any user connecting to the repository to create and edit diagrams in the
Processes folder and submit them for approval, you would:
● Grant the External users group the Edit on Web right (see Granting Rights to Users and Groups
[page 16]).
● Grant the External users group Submit permission on the Processes folder (see Granting Access
Permissions on Repository Items [page 17]).
In many environments, you will want to grant different rights to different groups of users, or provide them with
different permissions. For example you may want to allow users to submit changes only for processes in their
particular line of business based on sub-folders beneath the Processes folder. In this or other more
complicated cases (or if you want to restrict which users can connect to the repository and have not selected
the Auto-create user accounts in repository option), you should create accounts for your anticipated users
before inviting them to connect.
Procedure
1. From the homepage, click Administration Tasks Manage Users , click the Edit tool and then click the +
button to open the new user's property sheet.
2. Enter the user's corporate account name in the Login name field, select External (LDAP), and click the
Check Name button to verify the login name and auto-fill the remaining fields, which are set, with the
exception of Comment, to read-only.
Note
You may need to enter your own corporate account name and password to connect to the LDAP server,
even if your connection is configured for anonymous binding.
3. In the Rights panel, select the check boxes corresponding to the rights you want to assign. The following
rights are available:
○ Connect - Connect to the repository and view diagrams in SAP EA Designer.
○ Edit on Web - Create and edit diagrams in SAP EA Designer.
○ Edit Extensions on Web - Create and edit custom properties in SAP EA Designer. Gives access to
the Administration/Extensions tile.
○ Manage All Documents - Perform any action on any document version. Implicitly includes Full
permission on all repository documents. Gives access to the Administration/Activities/Log tile.
○ Manage Users & Permissions - Create, modify, and delete repository users and groups, grant
them rights, and add them to groups. Users with this right can list all repository documents and set
permissions on them without needing explicit Full permission. Gives access to the Administration/
Users, Administration/Groups, and Administration/Activities/Security Log tiles.
○ Manage Repository - Create, upgrade, and delete the repository database. Gives access to the
Administration/Settings tile.
4. Click the Groups tab and add the user to any appropriate groups (see Adding Users and Groups to a Group
[page 15]).
All externally-authenticated users are added to:
○ All users (PUBLIC) - from which they inherit, by default, Read permission on all the
contents of the repository.
○ External users (EXTERNAL) - from which they inherit, by default, the Connect right.
5. Select Menu Push Diagrams to User or Menu Push Folder to User to make appropriate
diagrams and folders available in their homepage (see Pushing Diagrams and Folders to Users' Homepages
[page 18]).
6. Click Save to complete the creation of the user.
The repository administrator is responsible for creating groups of users in the repository. Users are added to
groups in order to simplify the granting of rights and permissions. You can create hierarchies of groups. For
example, you could insert the Designers, Quality Assurance, and Documentation groups into the R&D
group, to which you assign permissions to documents that all these groups must use.
Context
The following standard groups are automatically created in the SAP EA Designer repository:
● Administrators [ADMN] - Has, by default, all available rights and implicit Full permission on all repository
folders.
● All users [PUBLIC] - Has, by default, Read permission on the repository root. All users belong to this group
and can thus, by default, browse any diagram.
● External users [EXTERNAL] - Has, by default, no rights or permissions. Users authenticated via LDAP (see
Connecting to an LDAP Server for User Authentication [page 26]) are automatically added to this group
when they connect for the first time.
Procedure
1. From the homepage, click Administration Tasks Manage Groups , and then click the + button to
create a group and open its property sheet.
2. Enter the following properties as appropriate:
Property Description
Name Specifies the name of the group as it will appear in the interface.
Code Specifies the internal name of the group, which can be used in scripting.
Rights Select the checkboxes corresponding to the rights you want to assign. The following rights are
available:
○ Connect - Connect to the repository and view diagrams in SAP EA Designer.
○ Edit on Web - Create and edit diagrams in SAP EA Designer.
○ Edit Extensions on Web - Create and edit custom properties in SAP EA Designer.
Gives access to the Administration/Extensions tile.
○ Manage All Documents - Perform any action on any document version. Implicitly
includes Full permission on all repository documents. Gives access to the Administration/
Activities/Log tile.
○ Manage Users & Permissions - Create, modify, and delete repository users and
groups, grant them rights, and add them to groups. Users with this right can list all repository
documents and set permissions on them without needing explicit Full permission. Gives
access to the Administration/Users, Administration/Groups, and Administration/Activities/
Security Log tiles.
○ Manage Repository - Create, upgrade, and delete the repository database. Gives access
to the Administration/Settings tile.
By default, groups do not have any rights.
3. Click the Members tab and add any appropriate users and groups to the group (see Adding Users and
Groups to a Group [page 15]).
4. Click the Parents tab and add the group to any appropriate groups (see Adding Users and Groups to a
Group [page 15]).
5. Select Menu Push Diagrams to Group or Menu Push Folder to Group to make appropriate
diagrams and folders available in group members' homepages (see Pushing Diagrams and Folders to
Users' Homepages [page 18]).
6. Click Save to complete the creation of the group.
You can add users and groups as members of a group from either the user or the group property sheet.
Context
● To add a user to a group from the user's property sheet, click the Groups tab, which lists the groups to
which the user belongs. Click the + tool to open a list of groups, select one or more, and then click OK to
add the user to them.
● To add a group to a parent group from the child group's property sheet, click the Parents tab, which lists the
groups to which the group belongs. Click the + tool to open a list of groups, select one or more, and then
click OK to add the group to them.
● To add a user or group to a group from the parent group's property sheet, click the Members tab, which
lists the users and groups which are members of the group. Click the Add tool to open a list of users and
groups, select one or more, and then click OK to add them to the group.
4.3.2 Deleting a Group
When you delete a group from the repository you do not delete the members (either users or groups) of the
group.
Procedure
A new user has only the Connect right assigned by default and belongs only to the PUBLIC group. The
repository administrator can grant additional rights to the user either directly or by adding her to other groups.
Context
User rights are associated with document permissions (see Granting Access Permissions on Repository Items
[page 17]) to define the actions a user can effectively perform on a document.
Procedure
1. From the homepage, click Administration Tasks Manage Users (or Administration Tasks Manage
Groups), and click the appropriate user or group in the list to open its property sheet.
2. Select the check boxes corresponding to the rights you want to assign. The following rights are available:
○ Connect - Connect to the repository and view diagrams in SAP EA Designer.
○ Edit on Web - Create and edit diagrams in SAP EA Designer.
○ Edit Extensions on Web - Create and edit custom properties in SAP EA Designer. Gives access to
the Administration/Extensions tile.
○ Manage All Documents - Perform any action on any document version. Implicitly includes Full
permission on all repository documents. Gives access to the Administration/Activities/Log tile.
○ Manage Users & Permissions - Create, modify, and delete repository users and groups, grant
them rights, and add them to groups. Users with this right can list all repository documents and set
permissions on them without needing explicit Full permission. Gives access to the Administration/
Users, Administration/Groups, and Administration/Activities/Security Log tiles.
○ Manage Repository - Create, upgrade, and delete the repository database. Gives access to the
Administration/Settings tile.
3. Click Save to save your changes.
The repository administrator or a user with Full permission on a document or folder can grant permissions on
it. Permissions can be granted on the repository root, folders, and models, but not on individual diagrams or
objects.
Context
A user wanting to browse and edit documents in the repository must have at least the following permissions:
● Browsing - Read permission. When you create a user, she is inserted into the Public group, which by
default is granted Read permission on the repository root.
● Creating or editing a diagram - Submit on the target folder to propose a new diagram or edits to an
existing diagram, or Write to publish them directly.
Note
Object permissions should be viewed in conjunction with the rights granted to users or groups (see
Granting Rights to Users and Groups [page 16]).
Procedure
1. From the homepage, click Browse Repository, navigate to the item, and click its Permissions tab.
2. Click the + button to open a list of available users and groups, select one or more, and click OK to add them
to the list.
3. For each user or group, select the permission you want to grant in the Granted Permission column. The
following permissions are available:
○ List - View the document or folder in the repository browser and in search results. Without this
permission, the folder or document is hidden from the user.
○ Read - Also open and compare documents.
○ Submit - Also propose changes to the document for review by a user with Write permission.
○ Write - Also review changes by other users and publish changes directly.
○ Full - Also move and delete documents, and manage permissions granted to users and groups.
Note
Administrators, who have implicit Full permission on all repository objects, will only receive
diagrams for review if they have been granted explicit Write permission on them.
The Effective Permissions column shows the highest level of permission that each user or group has on the
item either directly or via a group.
4. [optional] Click the Copy Permissions to All Children tool to propagate changes to the item's children.
When you create a folder or diagram, the permissions defined on its parent folder are propagated to it.
However, subsequent changes made to the permissions for the parent are not applied to its children unless
you click this tool. For example, if you grant Write permission on the Major Project folder, to the
Development Team 2 group, then they will not automatically be granted Write access on its existing
contents.
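The rules above (cumulative rights through nested groups, the Effective Permissions value, the reviewer caveat for administrators, and permissions copied to children only at creation) can be checked against a planned group structure with a small model. This is an added example, not SAP code: the Repo class, its method names, the users alice, bob and carol, and the choice to overwrite children's permission lists are assumptions made for illustration.

```python
from enum import IntEnum


class Perm(IntEnum):
    """Permission levels in the guide's order; each includes those below."""
    NONE = 0
    LIST = 1
    READ = 2
    SUBMIT = 3
    WRITE = 4
    FULL = 5


class Repo:
    """Toy model of principals and per-item permission lists (assumption)."""

    def __init__(self):
        self.parents = {}  # user or group -> groups it is a member of
        self.rights = {}   # user or group -> set of right names
        self.grants = {}   # item path -> {user or group: Perm}

    def add_member(self, member, group):
        self.parents.setdefault(member, set()).add(group)

    def grant_right(self, principal, right):
        self.rights.setdefault(principal, set()).add(right)

    def grant_perm(self, path, principal, perm):
        self.grants.setdefault(path, {})[principal] = perm

    def create_item(self, parent, name):
        """A new folder or diagram starts with a copy of its parent's list."""
        path = f"{parent}/{name}"
        self.grants[path] = dict(self.grants.get(parent, {}))
        return path

    def copy_to_children(self, parent):
        """'Copy Permissions to All Children'; overwriting is an assumption."""
        for path in list(self.grants):
            if path.startswith(parent + "/"):
                self.grants[path] = dict(self.grants.get(parent, {}))

    def principals_of(self, user):
        """The user plus every group reached through nested membership."""
        seen, stack = set(), [user]
        while stack:
            p = stack.pop()
            if p not in seen:  # also stops on cyclic group nesting
                seen.add(p)
                stack.extend(self.parents.get(p, ()))
        return seen

    def effective_rights(self, user):
        """Cumulative rights of the user and all of its groups."""
        rights = set()
        for p in self.principals_of(user):
            rights |= self.rights.get(p, set())
        return rights

    def explicit_perm(self, user, path):
        """Highest permission granted on the item directly or via a group."""
        acl = self.grants.get(path, {})
        return max(acl.get(p, Perm.NONE) for p in self.principals_of(user))

    def effective_perm(self, user, path):
        # Manage All Documents implicitly includes Full on every document.
        if "Manage All Documents" in self.effective_rights(user):
            return Perm.FULL
        return self.explicit_perm(user, path)

    def receives_reviews(self, user, path):
        # Implicit Full does not count: only an explicit Write grant (or
        # higher, an assumption of this model) routes reviews to the user.
        return self.explicit_perm(user, path) >= Perm.WRITE


def build_example():
    """Constructed sample: group names follow the guide, users are invented."""
    repo = Repo()
    hr = "Library/EA/Process Diagrams/HR"
    repo.grant_right("Administrators", "Manage All Documents")
    repo.add_member("HR Process Owners", "Process Owners")  # nested group
    for user, group in [("alice", "HR Process Owners"),
                        ("bob", "Process Analysts"),
                        ("carol", "Administrators")]:
        repo.add_member(user, "PUBLIC")
        repo.add_member(user, group)
    repo.grant_perm(hr, "PUBLIC", Perm.READ)
    repo.grant_perm(hr, "Process Owners", Perm.SUBMIT)
    repo.grant_perm(hr, "Process Analysts", Perm.WRITE)
    return repo, hr


if __name__ == "__main__":
    repo, hr = build_example()
    for user in ("alice", "bob", "carol"):
        print(user, repo.effective_perm(user, hr).name,
              "reviewer" if repo.receives_reviews(user, hr) else "not a reviewer")
    child = repo.create_item(hr, "Onboarding")          # copies HR's list
    repo.grant_perm(hr, "Process Owners", Perm.WRITE)   # later change on parent
    print("child before copy:", repo.effective_perm("alice", child).name)
    repo.copy_to_children(hr)
    print("child after copy:", repo.effective_perm("alice", child).name)
```

Running the model over an intended group layout before creating it in the repository shows which users end up with more access than planned through nested groups, and which existing children still carry stale permissions after a change on the parent.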
The repository administrator can push diagrams and folders to users' homepages to give them personalized
entry points to the repository. Diagrams appear as cards in the user's homepage, and folders as entries in the
Quick Links card. You can push diagrams and folders to individual users or to groups.
Context
Note
Diagrams and folders pushed to groups are received by all the members of the group at the time of the
action. Users that are subsequently added to the group will not receive the diagram or folder unless you
push it again. If you push a diagram or folder that is already present in a user's homepage, it will not be
duplicated.
Procedure
1. From the homepage, click Administration Tasks Manage Users (or Administration Tasks Manage
Groups ), and click the appropriate user or group in the list to open its property sheet.
2. To push diagrams to the user or group:
a. Select Menu Push Diagrams to User/Group to open the Select Diagrams dialog.
b. Navigate to or search for the diagrams you want to push, and select them.
c. When your selection is complete, click Push to push them to the user or group.
3. To push a folder to the user or group:
a. Select Menu Push Folder to User/Group to open the Select Folder dialog.
b. Navigate to the folder you want to push, and click Push to push it to the user or group.
The repository administrator or a user with the Manage Users & Permissions right can unblock users
blocked for password policy violations.
Procedure
1. From the homepage, click Administration Tasks Manage Users and click the appropriate user in the
list to open its property sheet.
2. Click the Change Password button. If an SMTP server is configured, the password will be sent to the user at
the recorded email address. Otherwise, enter a temporary password identically in the two fields and note it
for transmission to the user.
Users must log in with their temporary password before the delay specified in the password policy (see
Defining a Password Policy [page 30]). When they first log in they will be required to change the temporary
password.
The repository administrator or a user with the Manage Users & Permissions right can deactivate users.
Inactive users cannot connect to the repository and the information held about them is deleted except for the
log of their checkins and other repository actions, which remain available to other users for auditing purposes.
Context
Caution
A user cannot deactivate himself, even if he has the Manage Users & Permissions right.
Procedure
1. From the homepage, click Administration Tasks Manage Users , and click the Edit tool.
2. Locate the user in the list and then select its checkbox in the Deactivated User column.
SAP EA Designer provides limited compatibility with the SAP PowerDesigner enterprise architecture tool. You
can connect to the SAP EA Designer repository with the PowerDesigner desktop client to upload
PowerDesigner models for viewing with SAP EA Designer.
Procedure
1. Obtain a user account in the SAP EA Designer repository with appropriate rights and permissions.
2. Obtain connection information for the SAP EA Designer repository database (see Obtaining Connection
Information for the Repository [page 21]).
3. Install a version of the PowerDesigner desktop client that is compatible with the repository.
Property | Description
Login name | Enter your user name for the SAP EA Designer repository.
7. Check models into the SAP EA Designer repository to make them available for viewing in SAP EA Designer.
Note
Though it may be possible to check models out of the SAP EA Designer repository, support for editing
them in the PowerDesigner desktop client is not guaranteed.
4.9.1 Obtaining Connection Information for the Repository
Before you can create a PowerDesigner repository definition for a SAP EA Designer repository, you must obtain
connection information for the SAP EA Designer database.
Procedure
1. Log in to the XSA environment with the following command and enter your credentials when prompted:
xs login -a https://<HOST>:30030
You must log in with an XS Controller-enabled SAP HANA user (the XS_CONTROLLER_ADMIN scope is
assigned) with the required SAP HANA roles and the SpaceManager XS Controller role assigned to it.
2. Enter the following command to obtain the connection parameters for the SAP EA Designer repository:
xs env eadesigner-backend
3. In the output, note the values for the following parameters inside VCAP_SERVICES:
○ user
○ password
○ url
Once you have obtained the connection information for your SAP EA Designer database, you can create a
PowerDesigner repository definition for it.
Procedure
1. Open the PowerDesigner desktop client and select Repository > Repository Definitions.
2. Click the Add a Row tool to create a new repository definition, enter an appropriate name, click the
Properties tool to open its property sheet, and then click the Select Data Source tool.
3. In the Select a Data Source dialog, select Connection profile and then click the Configure tool.
4. In the Configure Data Connections dialog, click the Add Data Source tool and enter the following
parameters:
Property Description
5. Click the Test Connection button, enter the password value from xs and click OK.
6. Click OK to close the Connection Profile Definition dialog and click OK again to close the Configure Data
Connections dialog.
7. In the Select a Data Source dialog, select the connection profile you just created and click OK to close it and
return to the Direct Repository Definition property sheet.
8. Enter the user and password values from xs in the Database group box, click the Test button to confirm
that the repository connection is correctly configured, and then click OK.
5 Configuring the SAP EA Designer Server
The repository administrator is responsible for configuring the SAP EA Designer server.
The following parameters can be set from the homepage by clicking Administration > Settings > Core Settings:
Parameter | Description
Session timeout | Specifies the amount of time that the browser session is permitted to be idle before it is automatically logged out. Default 15 minutes.
Refresh interval | Specifies the amount of time between the browser checking for changes in the repository database. Default 5 minutes.
Maximum users | Specifies the maximum number of users that may connect to SAP EA Designer at any one time. Default 10 users.
While accessing and viewing diagrams in SAP EA Designer does not require a license, users who create or edit
diagrams must obtain a license. Some SAP EA Designer packages include license entitlements. If yours does
not, or if you require additional licenses, you must purchase them and serve them from a SySAM license server.
Procedure
1. Obtain your licenses (Obtaining Licenses [page 25]) and install the SySAM license server (Installing a
License Server [page 24]).
Parameter Description
If your SAP EA Designer package does not include license entitlements for editing diagrams, or if you require
additional licenses, you must purchase them and serve them from a SySAM license server.
Context
You must already have obtained a license file before you can install the license server.
Procedure
1. Select the machine on which you want to install the SySAM license server.
The SySAM license server can be installed on the repository server or on another server. It must not be
installed on any client workstation used to connect to the repository.
The copy starts. A progress box is displayed and Setup copies files to the destination directory. When
installation is complete, you can choose to start the license server as a service.
7. Click Finish to exit the wizard.
Note
If a firewall is activated on the computer where the license server is installed, then ports 27000 and
27010 must be opened in the firewall. For a Windows Firewall, you may need to add port 27000 and
the SySAM executable (for example, C:\Sybase\SYSAM-<x-x>\Bin\SYBASE.exe) to the list of
exceptions.
Additionally, on Windows and UNIX platforms, edit the license server license files to add the port
number 27000 to the line beginning SERVER and add a new line VENDOR SYBASE PORT=27010
directly after it. When you have finished, these lines should read as follows:
If your SAP EA Designer package does not include license entitlements for editing diagrams, or if you require
additional licenses, you must purchase licenses from SAP Service Marketplace (SMP).
Procedure
1. Obtain the host ID and name of the machine on which your SySAM license server is installed.
Obtain the machine's ethernet address, which is a 12-character hex value consisting of digits 0 through 9
and characters A through F in any of the following formats:
○ 12AB34CD56EF
○ 12-AB-34-CD-56-EF
○ 12:AB:34:CD:56:EF
Your host ID is obtained by entering the first 8 characters of the ethernet address in one of the following
formats:
○ 12AB34CD
○ 12AB-34CD
Note
For some platforms, host IDs can also be entered in decimal formats, with a # prefix. Example:
#1039716963.
For Windows platforms, if your machine does not have a network adapter, you can use the disk serial
number as an alternate host ID. Use the lmutil lmhostid -vsn command or execute DIR C: to obtain
the serial number, remove the hyphen and enter it with a DISK_SERIAL_NUM= prefix. For example:
DISK_SERIAL_NUM=3e2e17fd.
2. Go to SAP Service Marketplace (SMP) and generate your SAP EA Designer license keys.
3. Copy the generated files to the <install_dir>\SYSAM-<x-x>\licenses directory.
4. Open a command prompt and run the following command to instruct SySAM to re-read the licenses
directory contents:
sysam reread
5.1.3 Troubleshooting with lmutil
lmutil.exe, which is available in the SYSAM-<x_x>\Bin folder, provides various diagnostic possibilities.
For example, the following command can be used to find the user(s) who have currently borrowed the
license(s):
For detailed information about lmutil, see the SySAM Users Guide.
A repository administrator can delegate the authentication of repository users to an LDAP server. SAP EA
Designer supports authentication via Active Directory and a number of other LDAP implementations. You can
optionally allow automatic creation of repository accounts when an LDAP user connects to the repository for
the first time.
Context
Note
LDAP integration provides only authentication. Authorization is always managed via the rights and
permissions granted within the repository environment.
Procedure
Parameter | Description
Server type | Specifies the type of the LDAP server and sets default values for the server. The following types are available:
○ Active Directory - if your environment supports anonymous binding, you may be able to connect without further configuration. Click the Test Connection button and follow the instructions on the dialog.
○ Netscape Directory Server
○ OpenLDAP
○ Oracle Directory Server
○ Other
If you edit any parameters and want to revert to the defaults, click the Default Settings button.
Provider URL | Specifies the URL for the LDAP provider. By default, for Active Directory, the nearest LDAP server is automatically detected and used for authentication, initializing this field to:
LDAP://_ldap.<domain>:389
LDAP://ldap.<domain>:389
and you should replace ldap with the name or IP address of your LDAP server.
Use Secure Socket Layer (SSL) | Specifies to connect to the LDAP server using SSL, changing the LDAP provider port to the standard secure 636. You must obtain and register your certificate authority root certificate using the xs trust-certificate command and restart and restage the Web application after selecting this option (see Registering the Certificate Authority Root Certificate [page 31]).
Default search base | Specifies the level at which the query begins its search for users in the LDAP tree. By default this is initialized to the domain components (DCs) of the LDAP server. For example:
dc=acme, dc=com
You could include the location of the User directory such as OU=Users, dc=devpd, dc=local. If the location of the User directory is not specified here, then you must include it in the Authentication Search Base.
Anonymous bind | [default] Specifies that the LDAP server supports anonymous access. If you deselect this parameter, you must specify a bind user distinguished name (DN) and password for an account that has permissions to query the LDAP server.
Note
If the Bind user DN is in the same DN as the Authentication search base then you can simply enter the user id for the search. Otherwise, you must enter the full DN for that account. For example, if the Default search base is ou=people,dc=Onebridge,dc=qa, and you have a user cn=csitest,cn=users,dc=Onebridge,dc=qa, then the Bind DN must be cn=csitest,cn=users,dc=Onebridge,dc=qa.
Auto-create user accounts in repository | Specifies that any users corresponding to the LDAP authentication search filter can connect to the repository, and will have an account created for them in the repository when they do so. If you do not select this option, then an administrator must create an account for each user before they can connect.
Parameter | Description
Search filter | Specifies the LDAP query that selects users for authentication. By default this is initialized to (for Active Directory):
(&(objectClass=person)(userPrincipalName={uid}))
(&(objectClass=person)(cn={uid}))
To determine an alternative filter, you must know the properties of the users defined in the Active Directory, and which property (for example, name or samAccountName) is being used as the login name.
Search base | Specifies the location of the User list in your LDAP server. By default this is initialized to the same value as the Default search base. If the default search base does not include your users you must specify an appropriate search base here. Users may be in a common node such as cn=Users or an organization unit such as OU=Users. To determine the correct search base, you should use an LDAP browser to look at the full distinguished name of a user. Note that your Bind DN may be a user in a different node in the tree than general users so it is very important that you have the correct information for each.
Search scope | Specifies the scope of the authentication search. You can choose between:
○ subtree - [default] the search begins at the level of the Search base and also searches any subnodes.
○ onelevel - only the level specified in the Search base is searched
Authentication method | Specifies the method to use for authentication requests. You can choose between:
○ simple - [default] clear text authentication. If SSL is enabled, then the password will be encrypted.
○ DIGEST-MD5 - hashed password authentication. If you select this option, you must specify a digest format.
5. Click the Test Connection button and follow the instructions on the dialog to verify your connection.
6. Click Save to save your changes.
Note
If you have not selected the Auto-create user accounts in repository option, you must create repository
accounts for each user that you want to be able to connect. Even if you select this option, we
recommend that you create appropriate user accounts in advance in order to grant appropriate rights
and permissions on your various repository folders and documents. LDAP users connecting to the
repository are automatically added to the External users and All users groups, and are limited,
by default, to read access on the repository.
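The Search filter, Search base, Search scope and Bind user DN settings described above can be checked offline before they are entered in the dialog. The following Python sketch is an added example, not SAP code: the function names are hypothetical, the RFC 4515 escaping shows how a login name must be treated to be matched literally (the page does not document how the product substitutes {uid}), and "in the same DN as the search base" is interpreted here as "directly below the search base".

```python
from __future__ import annotations

# RFC 4515 escapes for characters that have a meaning inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so the LDAP server matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, uid: str) -> str:
    """Resolve the {uid} placeholder of a Search filter template."""
    return template.replace("{uid}", escape_filter_value(uid))


def _normalize_rdn(rdn: str) -> str:
    # Simplification: cn, ou and dc values are compared case-insensitively.
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs (leaf first), keeping backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [_normalize_rdn(r) for r in rdns if r.strip()]


def in_scope(entry_dn: str, search_base: str, scope: str = "subtree") -> bool:
    """Would a search from search_base with this scope reach entry_dn?"""
    entry, base = split_dn(entry_dn), split_dn(search_base)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # the entry lives in a different branch of the tree
    if scope == "subtree":
        return True
    if scope == "onelevel":
        return len(entry) - len(base) == 1
    raise ValueError(f"unknown scope: {scope}")


def bind_user_needs_full_dn(bind_dn: str, search_base: str) -> bool:
    """Assumption: a short user id is enough only directly below the base."""
    return not in_scope(bind_dn, search_base, "onelevel")


if __name__ == "__main__":
    # Values taken from the parameter descriptions above.
    print(expand_filter("(&(objectClass=person)(cn={uid}))", "j.doe*(ext)"))
    print(bind_user_needs_full_dn("cn=csitest,cn=users,dc=Onebridge,dc=qa",
                                  "ou=people,dc=Onebridge,dc=qa"))
```

With the page's own values, the bind user cn=csitest,cn=users,dc=Onebridge,dc=qa falls outside ou=people,dc=Onebridge,dc=qa for both scopes, which is why the full DN is required.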
A repository administrator can automate the sending of emails for passwords, changelist submissions, and
other notifications to users by specifying an SMTP server. If an SMTP server is not specified, the administrator
must distribute passwords manually and notifications related to the creation of comments and the submission
and approval of change lists cannot be sent.
Procedure
Parameter | Description
SMTP host | Specifies the host name of the SMTP server used to send mail.
SMTP port | Specifies the port number of the SMTP server used to send mail.
Sender's email address | Specifies the email address from which to send mails.
Use Secure Socket Layer (SSL) | Specifies to connect to the SMTP mail server through SSL.
Server requires authentication | Specifies that the SMTP server requires authentication. If you select this option, then you must specify an SMTP account and password, and can select to use Secure Password Authentication (SPA).
5.4 Defining a Password Policy
In environments where SAP EA Designer manages user passwords, the repository administrator is responsible
for defining a password policy to ensure that passwords are sufficiently secure and are changed at appropriate
intervals.
Context
Note
The password policy governs only users who are not managed by LDAP (see Managing Externally-
Authenticated Repository Users [page 12]).
Procedure
Parameter | Description
Password length | Specifies the minimum and maximum permitted length of passwords. This option cannot be disabled. The minimum length for a password is 6 characters.
Password must contain | Specifies that passwords must contain at least one of each of the character types selected.
Disallow reuse of previous <x> passwords | Prevents users from reusing the specified number of old passwords.
Enforce changing of passwords after <x> days | Requires that users change their passwords after the specified number of days.
Block inactive users after <x> days without connection | Blocks users if they try to log in after the specified number of days of inactivity.
Temporarily block users for <x> minutes after <y> failures to log in | Blocks users for the specified number of minutes if they submit an invalid combination of username and password the specified number of times.
Temporary passwords issued by an administrator are valid for <x> days | Specifies the period for which temporary passwords (which are issued when a user is created or unblocked) are valid. Users attempting to use a temporary password after this time will be blocked.
5.5 Registering the Certificate Authority Root Certificate
You must register your certificate authority root certificate in the XSA store in order to connect to other servers
using SSL.
Procedure
xs login -a https://<HOST>:30030
3. Add the certificate to the XSA store with the following command:
For information about working with certificates in XSA, see XS CLI: Certificates.
4. Run the following command to restage the application backend:
xs restage eadesigner-backend
Once the application is restaged, run the following command to restart it:
xs restart eadesigner-backend
Repository administrators can review the status of the full-text index and change the interval at which it is
rebuilt.
Procedure
1. From the homepage, click Administration > Tasks > Configure Full Text Index.
2. Review the status of the index and the next scheduled rebuild in the Index Information section.
3. Enter appropriate values for each of the following settings:
Parameter | Description
Index rebuild interval | Specifies the interval between rebuilds of the search index in minutes. By default, the index is rebuilt every 120 minutes. Click the Menu > Rebuild Index button on the homepage to perform an immediate rebuild.
Index rebuild hours | Specifies the hours of the day when the index rebuild is allowed to start (in the time zone where the SAP EA Designer server is installed). By default it can start any time. In the following example, the rebuild is restricted from starting between 5am and 7pm:
0-5,19-23
xs login -a https://<HOST>:30030
xs restage eadesigner-backend
Once the application is restaged, run the following command to restart it:
xs restart eadesigner-backend
Procedure
Note
This list is limited to the database versions supported by SAP EA Designer. You cannot add drivers for
other, unsupported database versions.
2. Click the name of the database for which you want to add a JDBC driver.
Note
As when dealing with any executable code, you should perform all appropriate security scanning on the
file before uploading it to the server.
3. Click the Upload button to the right of the Driver Jar File field, navigate to and select the JDBC driver jar,
and click OK to upload it.
Note
If necessary, you can upload multiple versions of the jar, and they will be available in the drop-down list
in the Driver Jar File field. Select the appropriate jar file in the list to enable it.
4. [DB2] Click the Upload button to the right of the License Jar File field, navigate to and select the license jar,
and click OK to upload it.
5. Review the default driver class and connection URL and modify them if appropriate.
6. Click Save to complete the definition of the JDBC driver.
6 Monitoring Repository Activities
Users with the appropriate rights can review lists of repository activities, change lists, and file locks.
To access these lists, click Administration > Tasks > View Repository Activities and then click the appropriate
tile:
● Log - [requires the Manage All Documents right] View events concerning repository documents:
○ Check In - User publishes a new document or a new version of a document. This event is also
triggered each time a user saves a draft diagram.
○ Change List Submission - User submits a diagram for review.
○ Change List Approval / Rejection / Return for Revision - A reviewer approves (publishes),
rejects, or returns a diagram to the user for revision.
○ Lock / Unlock - A document is locked for editing or the lock is released manually or by a check in.
○ Document Move - User moves a document from one repository folder to another.
○ Version Deletion / Document Deletion - User deletes a version of a document or a document.
○ Repository Upgrade - Administrator upgrades the repository to a new software version.
● Security Log - [requires the Manage Users & Permissions right] View events concerning user
accounts:
○ User Created - User's account is created.
○ Login - User enters correct user name and password combination.
○ Failed Login - User enters incorrect user name and password combination.
○ Logout - User logs out.
○ Password Changed - User changes password.
○ Password Reset - User's password is changed by an administrator.
○ User Blocked for Failed Logins - User is blocked for having entered too many incorrect user
name and password combinations (see Defining a Password Policy [page 30]).
○ User Blocked for Inactivity - User is blocked for having tried to log in after too long a period of
inactivity (see Defining a Password Policy [page 30]).
○ User Unblocked - User is unblocked by an administrator (see Unblocking Blocked Users [page 19]).
○ User Deactivated - User is deactivated by an administrator (see Deactivating Users [page 19]).
○ User Activated - User is reactivated by an administrator.
○ User Accessed - User's account information is accessed by an administrator.
○ User Updated - User's account information is updated by an administrator.
○ User Deleted - User's account is deleted by an administrator.
● Change Lists - [requires the Manage All Documents or Manage Users & Permissions right] Lists all
change lists that have been created in the repository, including those that have a status of Draft,
Submitted, Approved, and Rejected.
If the creator of a draft change list is unavailable, you can re-assign the draft changes to another user by
selecting it and clicking the Re-Assign tool. The list of users to whom you can re-assign the change list is
limited to those who have at least Submit permission on the diagram.
● Locks - [requires the Manage All Documents or Manage Users & Permissions right] Lists the
repository documents that are currently locked in the repository.
You can remove a lock from a document by selecting it and clicking the Remove Lock tool.
To reorder any of these lists by values in a column, click in the column header. Some columns also support
filtering on their values. To filter the list by values in any of its text fields, enter two or more characters in the
search box above it.
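Detection logic over the Security Log events listed above, as an added example that is not SAP code. The page does not describe an export format, so the (timestamp, user, event) rows are constructed and assume the entries have been transcribed from the Security Log view; the threshold and window are illustrative and are best aligned with the failure count set in the password policy.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows: (timestamp, user, event). The event names are the
# Security Log events listed on this page; users and times are invented.
SAMPLE_ROWS = [
    ("2024-03-04T08:00:05", "asmith", "Login"),
    ("2024-03-04T08:10:00", "bjones", "Failed Login"),
    ("2024-03-04T08:10:20", "bjones", "Failed Login"),
    ("2024-03-04T08:10:41", "bjones", "Failed Login"),
    ("2024-03-04T08:11:02", "bjones", "Login"),
    ("2024-03-04T09:00:00", "cwu", "Failed Login"),
    ("2024-03-04T09:30:00", "cwu", "Failed Login"),
    ("2024-03-04T10:00:00", "cwu", "Failed Login"),
    ("2024-03-04T11:00:00", "dlee", "Password Reset"),
    ("2024-03-04T11:05:00", "dlee", "Login"),
    ("2024-03-04T11:06:00", "dlee", "Password Changed"),
    ("2024-03-04T12:00:00", "efox", "Password Reset"),
    ("2024-03-04T12:02:00", "efox", "Login"),
    ("2024-03-04T12:40:00", "efox", "Logout"),
]

BURST = "failed-login burst"
LOGIN_AFTER_BURST = "successful login right after failed-login burst"
NO_CHANGE_AFTER_RESET = "login after Password Reset with no Password Changed event"


def analyze(rows, threshold=3, window_minutes=5):
    """Return (user, finding) pairs in the order they are detected."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)  # user -> recent Failed Login timestamps
    burst_at = {}                  # user -> time the last burst was flagged
    reset_state = {}               # user -> "reset" or "logged-in"
    findings = []

    # ISO timestamps in one format sort chronologically as strings.
    for stamp, user, event in sorted(rows):
        ts = datetime.fromisoformat(stamp)
        if event == "Failed Login":
            recent = failures[user]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold:
                findings.append((user, BURST))
                burst_at[user] = ts
                recent.clear()              # one finding per burst
        elif event == "Login":
            if user in burst_at and ts - burst_at.pop(user) <= window:
                findings.append((user, LOGIN_AFTER_BURST))
            failures[user].clear()
            if reset_state.get(user) == "reset":
                reset_state[user] = "logged-in"
        elif event == "Password Reset":
            reset_state[user] = "reset"
        elif event == "Password Changed":
            reset_state.pop(user, None)

    # A temporary password must be changed at first login, so a login after a
    # reset that is never followed by Password Changed deserves a second look.
    for user, state in sorted(reset_state.items()):
        if state == "logged-in":
            findings.append((user, NO_CHANGE_AFTER_RESET))
    return findings


if __name__ == "__main__":
    for user, finding in analyze(SAMPLE_ROWS):
        print(f"{user}: {finding}")
```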
You configure logging for SAP EA Designer using the xs command line interface.
To list the components in eadesigner-backend and the logging levels currently in place for each of them, use
the following command:
xs list-logging-levels eadesigner-backend
xs logs eadesigner-backend
For detailed information about logging in XSA, see Configure a Java Application for Logs and Traces in the SAP
HANA Developer Guide for XS Advanced Model.
7 Customizing Object Properties
Users with the Edit Extensions on Web right can define new properties and dependencies for modeling
objects, and modify the lists of values available for some objects.
Users with the Edit Extensions on Web right can define new custom properties for modeling objects.
When you define a new property it becomes immediately available to all objects of the specified type on their
Info tab, in a section entitled Custom Properties.
Procedure
1. From the homepage, click Administration > Tasks > Manage Extensions to view the list of extensions.
Note
Properties created in the BPMN2 extension will appear in both BPMN 2.0 Descriptive and Executable
process diagram objects.
2. Click the name of the extension you want to edit to open it and list the standard types of objects in this type
of model.
3. Click the object type for which you want to define a new property to open it in the editor.
Note
If your object type is not present, click the + button, and then click the object type to add it to the list
and open it.
4. In the Properties section, click the + button to create a property, and enter:
Property | Description
Name | Specifies the name of the property as it will appear in the interface.
Code | Specifies the internal name of the property, which must not contain spaces or the dot character and must be unique for this class of objects.
Caution
If you change the code after the property is in use, then any values set in models will be lost.
Default value | Specifies the value of the property that will be set in the interface by default.
Object type | [object] Specifies the type of object that can be selected for the property. Click the tool to select the object type from a list.
In this example, a new boolean property is created for the Data Store class:
7.2 Creating New Types of Dependencies
Users with the Edit Extensions on Web right can define new types of dependencies for modeling objects.
When you define a new dependency it becomes immediately available to all objects of the specified type as a
new list on their Dependencies tab.
Procedure
1. From the homepage, click Administration > Tasks > Manage Extensions to view the list of extensions.
Note
Dependencies created in the BPMN2 extension will appear in both BPMN 2.0 Descriptive and Executable
process diagram objects.
2. Click the name of the extension you want to edit to open it and list the standard types of objects in this type
of model.
3. Click the object type for which you want to define a new dependency to open it in the editor.
Note
If your object type is not present, click the + button, and then click the object type to add it to the list
and open it.
4. In the Dependencies section, click the + button to create a dependency, and enter:
Property | Description
Name | Specifies the name of the dependency list as it will appear in the interface on the Dependencies tab.
Code | Specifies the internal name of the dependency, which must not contain spaces or the dot character and must be unique for this class of objects.
Caution
If you change the code after the dependency is in use, then any values set in models will be lost.
Object type | Click the Select tool to select the type of object that can be added to the new dependency list.
In this example, a new dependency list is created for the Business Capability class:
7.3 Modifying Lists of Values
Some standard object properties, such as requirement Type, Status, and Priority, provide drop-down lists of
values for users to select. Users with the Edit Extensions on Web right can modify the values in these lists.
Procedure
1. From the homepage, click Administration > Tasks > Manage Extensions to view the list of extensions.
2. Click the name of the extension you want to edit to open it and list the classes.
3. Click the object type whose property you want to edit to display its list of properties.
All the properties with lists of values that can be edited are listed.
4. Click the property you want to edit to display its property sheet, and then click the Edit tool to the right of
the List of Values field.
5. The Values dialog lists all the available values for the property as a:
○ Value - specifies the internal value, which must respect the datatype of the property.
○ Label - specifies how the value is displayed in the UI.
Note
Some values depend on another property, such as the type of parent of the object. In this case, the
type of dependency is specified above the list and as an additional column in the list.
Note
The order in which labels are displayed in the list in the UI is controlled by the Value.
○ Delete or add value-label pairs using the tools above the list
7. Click OK to save your changes.
The updated list of values is immediately available to all objects of the specified type.
8 SAP Enterprise Architecture Designer, Edition for SAP HANA Security Guide
This guide provides an overview of the security concepts used and recommended in administering an SAP
Enterprise Architecture Designer, Edition for SAP HANA environment. It is aimed at technology consultants,
security consultants, and system administrators.
Note
This guide should be read in the context of and as a supplement to the SAP HANA Security Guide.
As it becomes more and more important for organizations to protect their critical data from unauthorized
access and to ensure compliance with a growing number of rules and regulations, the demands on security are
also on the rise. As a repository for your enterprise metadata, SAP EA Designer can contain sensitive
information about your organization and its systems. It is therefore essential that you integrate SAP EA
Designer into your infrastructures securely and that you protect your data in SAP EA Designer.
This guide provides an overview of the security-relevant information that applies to SAP Enterprise
Architecture Designer, Edition for SAP HANA:
Auditing provides you with visibility on who did what in the SAP EA Designer repository (or tried to do what)
and when.
Auditing allows you to monitor and record selected actions performed in the SAP EA Designer repository.
Although auditing does not directly increase your system's security, if wisely designed, it can help you achieve
greater security in the following ways:
● Uncover security holes if too many privileges were granted to some user
● Show attempts to breach security
● Protect the system owner against accusations of security violations and data misuse
● Allow the system owner to meet security standards
For information about viewing lists of events concerning repository documents and user accounts, see
Monitoring Repository Activities [page 34].
8.2 Data Protection and Privacy
Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with general data privacy acts, it is necessary to consider compliance with industry-specific
legislation in different countries.
Note
In the majority of cases, compliance with data privacy laws is not a product feature. SAP software supports
data privacy by providing security features and specific functions relevant to data protection, such as
functions for the deletion of personal data. SAP does not provide legal advice in any form. The definitions
and other terms used in this guide are not taken from any given legal source.
The logins, names, and email addresses of users are stored in their SAP EA Designer repository user accounts,
and may be created manually by an administrator or copied from an external identity provider. No consent is
requested for storing this information, as consent is considered to be implied through the user's employment
contract. If your organization requires that consent must be explicitly obtained, administrators must put in
place their own processes for obtaining such consent.
Note
This product contains open or freely configurable entry fields, which are not intended for storing personal
data without additional technical and organizational measures to safeguard data protection and privacy.
Users can view and download the information stored about them at any time by clicking their user name and
selecting User Account.
8.2.2 Deletion of Personal Data
If a user is removed from an external identity provider, any information that was copied to SAP EA Designer
must be removed manually by deactivating their repository user account.
When a user is deactivated, any information held about them is deleted except for the log of their checkins and
other repository actions, which remain available to other users for auditing purposes (see Deactivating Users
[page 19]).
8.2.3 Change Logging for Personal Data
Any time that the information stored in a user's repository account is accessed or modified by an
administrator, the event is recorded in the security log.
The security log can only be accessed by an administrator with the Manage Users & Permissions right
(see Monitoring Repository Activities [page 34]).
8.3 Identity and Access Management
Repository rights give users access to general repository features, while permissions give them access to
particular locations in the repository. The following rights and permissions are available:
Rights:
● Connect - Connect to the repository and view diagrams in SAP EA Designer.
● Edit on Web - Create and edit diagrams in SAP EA Designer.
● Edit Extensions on Web - Create and edit custom properties in SAP EA Designer. Gives access to the
Administration/Extensions tile.
● Manage All Documents - Perform any action on any document version. Implicitly includes Full permission
on all repository documents. Gives access to the Administration/Activities/Log tile.
● Manage Users & Permissions - Create, modify, and delete repository users and groups, grant them rights,
and add them to groups. Users with this right can list all repository documents and set permissions on
them without needing explicit Full permission. Gives access to the Administration/Users,
Administration/Groups, and Administration/Activities/Security Log tiles.
● Manage Repository - Create, upgrade, and delete the repository database. Gives access to the
Administration/Settings tile.
Permissions:
● List - View the document or folder in the repository browser and in search results. Without this
permission, the folder or document is hidden from the user.
● Read - Also open and compare documents.
● Submit - Also propose changes to the document for review by a user with Write permission.
● Write - Also review changes by other users and publish changes directly.
● Full - Also move and delete documents, and manage permissions granted to users and groups.
Note
Administrators, who have implicit Full permission on all repository objects, will only receive diagrams
for review if they have been granted explicit Write permission on them.
Rights and permissions can be granted to repository users either directly, or indirectly through groups.
In order to manage repository users and groups, you must have the Manage Users right. In order to grant
permission on a repository folder or document, you must have Full permission on the folder or document.
See Controlling Repository Access [page 8].
No users are created by default in the SAP EA Designer repository. You must designate an XSA user as the first
SAP EA Designer administrator (see Installing SAP EA Designer [page 5]).
The following standard groups are automatically created in the SAP EA Designer repository:
● Administrators [ADMN] - Has, by default, all available rights and implicit Full permission on all repository
folders.
● All users [PUBLIC] - Has, by default, Read permission on the repository root. All users belong to this group
and can thus, by default, browse any diagram.
● External users [EXTERNAL] - Has, by default, no rights or permissions. Users authenticated via LDAP (see
Connecting to an LDAP Server for User Authentication [page 26]) are automatically added to this group
when they connect for the first time.
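The following added example (not part of the SAP guide and not SAP code) models the rights, cumulative permissions, and standard group defaults described above, so that an administrator can reason about what a given account can actually do. The Repo class, its method names, the user names, and the paths are hypothetical; it assumes that a grant on a folder covers everything beneath it and that the highest applicable grant wins.

```python
LEVELS = ["List", "Read", "Submit", "Write", "Full"]  # cumulative, low to high
ALL_RIGHTS = {"Connect", "Edit on Web", "Edit Extensions on Web",
              "Manage All Documents", "Manage Users & Permissions",
              "Manage Repository"}

def covers(grant_path, doc_path):
    # Assumption: a grant on a folder applies to everything beneath it.
    return doc_path == grant_path or doc_path.startswith(grant_path.rstrip("/") + "/")

class Repo:
    def __init__(self):
        self.groups = {"ADMN": set(), "PUBLIC": set(), "EXTERNAL": set()}  # standard
        self.rights = {"ADMN": set(ALL_RIGHTS)}   # principal -> rights
        self.grants = [("PUBLIC", "/", "Read")]   # (principal, path, level)

    def principals(self, user):
        # Every user belongs to PUBLIC; other groups go by membership.
        return {user, "PUBLIC"} | {g for g, m in self.groups.items() if user in m}

    def has_right(self, user, right):
        return any(right in self.rights.get(p, ()) for p in self.principals(user))

    def explicit(self, user, path):
        # Assumption: the highest applicable direct or group grant wins.
        who = self.principals(user)
        return max((LEVELS.index(lv) + 1 for p, gp, lv in self.grants
                    if p in who and covers(gp, path)), default=0)

    def effective(self, user, path):
        if self.has_right(user, "Manage All Documents"):
            return "Full"                          # implicit Full
        r = self.explicit(user, path)
        return LEVELS[r - 1] if r else None

    def receives_reviews(self, user, path):
        # Implicit Full is not enough: explicit Write (or higher) is needed.
        return self.explicit(user, path) >= LEVELS.index("Write") + 1

    def can_set_permissions(self, user, path):
        return (self.effective(user, path) == "Full"
                or self.has_right(user, "Manage Users & Permissions"))

def build_sample():
    # Constructed sample data; user names and paths are hypothetical.
    repo = Repo()
    repo.groups["ADMN"].add("alice")
    repo.groups["EXTERNAL"].add("dave")
    repo.grants.append(("bob", "/Finance", "Write"))
    repo.rights["carol"] = {"Connect", "Manage Users & Permissions"}
    return repo
```

In this model, a member of Administrators has Full permission everywhere but receives no reviews, an LDAP user in External users still gets Read through All users, and a user holding only Manage Users & Permissions can set permissions on documents on which they have just Read.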
Password Policy
Passwords for the user name/password authentication of repository users are subject to a password policy.
You can change the default password policy in line with your organization’s security requirements. You cannot
deactivate the password policy.
LDAP
SAP EA Designer supports the enforcement of reviewing proposed changes to repository documents through
the use of the Submit permission, which requires users to pass through a review process before publication.
8.4 Network and Communication Security
SAP EA Designer runs in the XS Advanced Application Server to which users connect via SSL by default.
Certain features require connection to servers outside XS Advanced, and we recommend that you apply
appropriate additional security measures, such as encryption, where necessary.
SAP EA Designer supports reverse engineering from and generating to other databases via JDBC connections.
These connections are not encrypted by default, but we recommend that you specify encryption options in the
Options field that is provided whenever you connect to a database. For detailed information about encryption
and other parameters for your database, see your DBMS documentation.
SAP EA Designer supports reverse engineering from and generating to SAP Solution Manager v7.2 servers via
HTTP connections. We recommend that you encrypt your connections, if possible, by selecting the Use https
connection option.
8.5 Cookies
Session cookies are required for each SAP EA Designer client session and are deleted when the session is
closed. Additional persistent cookies are used to store the most recent choices for content language and user
interface language.
Important Disclaimers and Legal Information
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.