SAP HANA Security - Best Practice for Access to Schemas??

Similar Messages

• HANA Security - Best Practices for Schema??

  Hi,
  Currently we don'y have a defined Security model in HANA Studio.Neither there is no defined duties of a BASIS / Security / Developers.
  I want to understand what best practices are followed at other customers for defining security for Schema.
  1. Who should be creating the schema for Developers / Modelers?
  2. Should we use our own ID's to create/maintain these Schema or a Generic ID?
  Right now, when developers log in to Studio, by default they are assigned to their own schema (User ID) and they create objects under that.
  We(Security team), face issues when other developers need access to schema of another user as they want to develop objects under schema of different user
  Also, who should be owning the "SYSTEM" user ID and what steps needs to be done whenever a new schema is created.
  Thanks for the help in advance.

  >So, if we follow this approach, who should be creating the schema as design time?
  Not sure what you mean by that.  We call this design time because you are creating an artifact in the repository and the catalog object doesn't get created until you activate that design time object.
  > Security Administrator or Developer/Modeler?
  Doesn't really matter. Depends upon your process. However I would say most of the time the developer creates the schema.  The developer doesn't immediately get access to the new schema.  He/She must create a role and that role has to be granted to them before they can see the objects in the new schema.
  >Also, for our current scenario, where developers are doing changes in their own schema, what should be done as a Security Administrator to assign access to a user schema to other developers?
  They shouldn't be creating objects in their user schema.  That user schema is for internal usage - like the creation of temporary objects. It shouldn't be used for any development.

• Best Practices for Accessing the Configuration data Modelled as XML File in

  Hi,
  I refer the couple of blof posts/Forum threads on How to model and access the Configuration data as XML inside OSB.
  One of the easiest and way is to
  Re: OSB: What is best practice for reading configuration information
  Another could be
  Uploading XML data as .xq file (Creating .xq file copy paste all the Configuration as XML )
  I need expert answers for following.
  1] I have .xsd file which is representing the Configuration data. Structure of XSD is
  <FrameworkConfig>
  <Config type="common" key="someKey">proprtyvalue</Config>
  <FrameworkConfig>
  2] As my project will move from one env to another the property-value will change according to the Environment...
  For Dev:
  <FrameworkConfig>
  <Config type="common" key="someKey">proprtyvalue_Dev</Config>
  <FrameworkConfig>
  For Stage :
  <FrameworkConfig>
  <Config type="common" key="someKey">proprtyvalue_Stage</Config>
  <FrameworkConfig>
  3] Let say I create the following Folder structure to store the Configuration file specific for dev/stage/prod instance
  OSB Project Folder
  |
  |---Dev
  |
  |--Dev_Config_file.xml
  |
  |---Stage
  |
  |--Stahe_Config_file.xml
  |
  |---Prod
  |
  |-Prod_Config_file.xml
  4] I need a way to load these property file as xml element/variable inside OSb message flow.?? I can't use XPath function fn:doc("URL") coz I don't know exact path of XMl on deployed server.
  5] Also I need to lookup/model the value which will specify the current server type(Dev/Stage/prod) on which OSB MF is running. Let say any construct which will act as a Global configuration and can be acccessible inside the OSb message flow. If I get the vaalue for the Global variable as Dev means I will load the xml config file under the Dev Directory @runtime containing key value pair for Dev environment.
  6] This Re: OSB: What is best practice for reading configuration information
  suggest the designing of the web application which will serve the xml file over the http protocol and getting the contents into variable (which in turn can be used in OSB message flow). Can we address this problem without creating the extra Project and adding the Dependencies? I read configuration file approach too..but the sample configuration file doesn't show entry of .xml file as resources
  Hope I am clear...I really appreciate your comments and suggestion..
  Sushil
  Edited by: Sushil Deshpande on Jan 24, 2011 10:56 AM

  If you can enforce some sort of naming convention for the transport endpoint for this proxy service across the environments, where the environment name is part of the endpoint you may able to retrieve it from $inbound in the message pipeline.
  eg. http://osb_host/service/prod/service1 ==> Prod and http://osb_host/service/prod/service2 ==> stage , then i think $inbound/ctx:transport/ctx:uri can give you /service/prod/service1 or /service/stage/service1 and applying appropriate xpath functions you will be able to extract the environment name.
  Chk this link for details on $inbound/ctx:transport : http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/userguide/context.html#wp1080822

• SAP HCM Implementation: Best Practice for configuring

  Hi,
  This is my first independent project of HCM implementation. I have just started the system configuration. Done with setting up the PA, PSA, EG and ESG. Assigned to CC.  At this stage, I have a very basic question which is, what is the best practice for the next steps of configuration. What do I go to next, step up the OM in the SAP EasyAccess Menu? How should I go from here?
  Would really appreciate some explanatory assistance.
  Thanks in advance.
  Papri
  Edited by: papri_rc on Jul 8, 2011 6:40 AM

  Its all depends on business requirement
  at starting as i advised you review your BBP , make sure you configure everything
  for your reference iam giving the following data for OM and PA config..
  as part of OM
  1.     depict client org structure using simple maintenance , with this you can create large structures in less time(while doing org structure be careful and refer BBP)
  2.     maintain integration switches
  3.     maintain plan version
  4.     maintain number ranges
  Configuration for PA
  HR Enterprise /PersonnelStructure     
  u2022     Personnel Areas     
  u2022     Personnel Sub Areas     
  u2022     Employee Group     
  u2022     Employee Sub Group     
  u2022     Assignment of Personnel Area to Company Code     
  u2022     Assignment of Employee Sub Group to Employee Group     
  Basic Settings
  1.     Maintain Number Range Intervals for Personnel Numbers     
  2.     Determine defaults for number ranges     
  Personal Data     
  1.     Create Forms of Address     
  2.     Create Marital Status     
  Family     
  1.     Defined Possible Family Members     
  Addresses
  1.     Create Address Type     
  Communication     
  1.     Create Communication Types     
  Contractual and Corporate Agreements
  1.     Define Contract Types     
  2.     Determine periods of notice     
  Employee Qualifications
  1.     Create education establishment types     
  2.     Define Education Training     
  3.     Create educational Certificates     
  4.     Create branches of study     
  5.     Determine permissible certificates for education type     
  Infotype Menus     
  1.     User Group Dependency on Menus and Info groups     
  2.     Infotype Menu     
  3.     Determine choice of Infotype menus     
  4.     Infotype Menus     
  Actions     
  1.     User Group Dependency on Menus and Infogroups     
  2.     Info Group     
  3.     Personnel Action Types     
  4.     Create reasons for personnel actions     
  5.     Change Action Menu     
  *Developments(ABAPconsultant will do)     *Field Enhancements     (any field enhancements in infotypes)
  Customer Infotypes     -Develop any customer infotypes if required for the business from 9000 series
  Edited by: Piscian . on Jul 8, 2011 9:08 AM

• SAP PI conceptual best practice for synchronous scenarios

  Hi,
  <br /><br />Apologies for the length of this post but I'm sure this is an area most of you have thought about in your journey with SAP PI.
  <br /><br />We have recently upgraded our SAP PI system from 7.0 to 7.1 and I'd like to document  best practice guidelines for our internal development team to follow.
  I'd be grateful for any feedback related to my thoughts below which may help to consolidate my knowledge to date.
  <br /><br />Prior to the upgrade we have implemented a number of synchronous and asynchronous scenarios using SAP PI as the hub at runtime using the Integration Directory configuration.
  No interfaces to date are exposes directly from our backend systems using transaction SOAMANAGER.
  <br /><br />Our asynchronous scenarios operate through the SAP PI hub at runtime which builds in resilience and harnesses the benefits of the queue-based approach.
  <br /><br />My queries relate to the implementation of synchronous scenarios where there is no mapping or routing requirement.  Perhaps it's best that I outline my experience/thoughts on the 3 options and summarise my queries/concerns that people may be able to advise upon afterwards.
  <br /><br />1) Use SAP PI Integration Directory.  I appreciate going through SAP PI at runtime is not necessary and adds latency to the process but the monitoring capability in transaction SXMB_MONI provide full access for audit purposes and we have implemented alerting running hourly so all process errors are raised and we handle accordingly.  In our SAP PI Production system we have a full record of sync messages recorded while these don't show in the backend system as we don't have propogation turned on.  When we first looked at this, the reduction in speed seemed to be outweighed by the quality of the monitoring/alerting given none of the processes are particularly intensive and don't require instant responses.  We have some inbound interfaces called by two sender systems so we have the overhead of maintaing the Integration Repository/Directory design/configuration twice for these systems but the nice thing is SXMB_MONI shows which system sent the message.  Extra work but seemingly for improved visibility of the process.  I'm not suggesting this is the correct long term approach but states where we are currently.
  <br /><br />2) Use the Advanced Adapter Engine.  I've heard mixed reviews about this functionaslity, there areh obvious improvements in speed by avoiding the ABAP stack on the SAP PI server at runtime, but some people have complained about the lack of SXMB_MONI support.  I don't know if this is still the case as we're at SAP PI 7.1 EHP1 but I plan to test and evaluate once Basis have set up the pre-requisite RFC etc. 
  <br /><br />3) Use the backend system's SOAP runtime and SOAMANAGER.  Using this option I can still model inbound interfaces in SAP PI but expose these using transaction SOAMANAGER in the backend ABAP system.  [I would have tested out the direct P2P connection option but our backend systems are still at Netweaver 7.0 and this option is not supported until 7.1 so that's out for now.]  The clear benefits of exposing the service directly from the backend system is obviously performance which in some of our planned processes would be desirable.  My understanding is that the logging/tracing options in SOAMANAGER have to be switched on while you investigate so there is no automatic recording of interface detail for retrospective review. 
  <br /><br />Queries:
  <br /><br />I have the feeling that there is no clear cut answer to which of the options you select from above but the decision should be based upon the requirements.
  <br /><br />I'm curious to understand SAPs intention with these options  -
  <br /><br />- For synchronous scenarios is it assumed that the client should always handle errors therefore the lack of monitoring should be less of a concern and option 3 desirable when no mapping/routing is required? 
  <br /><br />- Not only does option 3 offer the best performance, but the generated WSDL is ready once built for any further system to implement thereby offering the maximum benefit of SOA, therefore should we always use option 3 whenever possible?
  <br /><br />- Is it intended that the AAE runtime should be used when available but only for asynchronous scenarios or those requiring SAP PI functionality like mapping/routing otherwise customers should use option 3?  I accept there are some areas of functionality not yet supported with the AAE so that would be another factor.
  <br /><br />Thanks for any advice, it is much appreciated.
  <br /><br />Alan
  Edited by: Alan Cecchini on Aug 19, 2010 11:48 AM
  Edited by: Alan Cecchini on Aug 19, 2010 11:50 AM
  Edited by: Alan Cecchini on Aug 20, 2010 12:11 PM

  Hi Aaron,
  I was hoping for a better more concrete answer to my questions.
  I've had discussion with a number of experienced SAP developers and read many articles.
  There is no definitive paper that sets out the best approach here but I have gleaned the following key points:
  - Make interfaces asynchronous whenever possible to reduce system dependencies and improve the user experience (e.g. by eliminating wait times when they are not essential, such as by sending them an email with confirmation details rather than waiting for the server to respond)
  - It is the responsibility of the client to handle errors in synchronous scenarios hence monitoring lost through P-P services compared to the details information in transaction SXMB_MONI for PI services is not such a big issue.  You can always turn on monitoring in SOAMANAGER to trace errors if need be.
  - Choice of integration technique varies considerably by release level (for PI and Netweaver) so system landscape will be a significant factor.  For example, we have some systems on Netweaver 7.0 and other on 7.1.  As you need 7.1 for direction connection PI services we'd rather wait until all systems are at the higher level than have mixed usage in our landscape - it is already complex enough.
  - We've not tried the AAE option in a Production scenarios yet but this is only really important for high volume interfaces, something that is not a concern at the moment.  Obviously cumulative performance may be an issue in time so we plan to start looking at AAE soon.
  Hope these comments may be useful.
  Alan

• Using WebI with SAP BW Data - Best practice for introducing BW Accelerator

  Hi,
  We have a significant investment in using BOE XI 3.1 SP2 integrated to SAP BW 7.0 EHP 1 SPS05.
  Now we intend to introduce BW Accelerator to improve the data fetch performance for the Adhoc (WebI) Analysis and the formatted reports built using WebI (Infoview).
  Data handling in question is approx. 2 Million+ records for each WebI report / adhoc analysis (20 to 30 columns).
  The solution could be BW Cubes --> BW Accelerator --> BW Queries --> BO Universe --> WebI using Infoview
  Does it really help in introducing the BW Accelerator like the case described above ?
  Understand that the BW Accelerator could improve the performance of the underlying data and hence the BW Queries do work faster; but does it really improve (9x to 10x) performance for the MDX Queries generated by the BO Universe ( BOE XI 3.1 SP2 ) & WebI.
  What is the roadmap for the future wrt BW Accelerator and SAP BI BO Integration; if we intend to use WebI ?
  Or should be migrate to BO Explorer as the front end for Adhoc Analysis ?
  Is BO Explorer able to present 1 Million + records with 20-30 columns ?
  What is the best practice / better on performance; as an integrated product / solution ?
  1) BW Cubes --> BW Accelerator --> BW Queries --> SAP Integ Kit --> BO Universe --> WebI
  2) BW Cubes --> BW Accelerator --> ??? --> BO Explorer --> ??? --> WebI ???
  3) BW Cubes --> BW Accelerator --> ??? --> BO Pioneer --> ??? --> WebI ???
  4) BW Cubes --> BW Accelerator --> ??? --> BO Explorer
  5) BW Cubes --> BW Accelerator --> ??? --> BO Pioneer
  6) BW Cubes --> BW Accelerator --> BW Queries --> SAP Integ Kit --> Crystal Reports (to handle above data volume)
  7) BW Multiproviders --> BW Accelerator --> BW Queries --> SAP Web Analyzer (to handle above data volume)
  regards,
  Rajesh K Sarin
  Edited by: Rajesh Sarin on Jan 25, 2010 4:05 PM

  Hi,
  We have a mix of Adhoc Analysis (60 %) and Formatted Reports (40%). We selected WebI as the tool for the purpose & used it for requirements which process approx. 2M records. We faced bottleneck issues on performance (we are on BO XI 3.1 SP2 & SAP BW 7.0 EHP1, SP05).
  We are further analyzing possibility to introduce BWA; if this can handle similar record processing & still preserve our investment on OLAP Universes, WebI, SAP Integration Kit & training users on WebI frontend.
  I see a lot of documentation suggesting "BO Explorer and BWA" - understand that BWA would improve the DB time and BO Explorer would help on the Front-end / OLAP time.
  Request your guidance on the road map & continuation of investment using BWA + WebI.
  regards,
  Rajesh K Sarin

• What are Printing Security Best Practices for Advanced Features

  In the Networking > Advanced "Enabled Features" what are the best practices settings for security. Trying to find out what all of these are.  Can't find them in the documentation. Particularly eCCL & eFCL?
  Enabled Features
  IPv4 IPv6 DHCP DHCPv6 BOOTP AUTOIP LPD Printing 9100 Printing LPD Banner Page Printing Bonjour AirPrint LLMNR IPP Printing IPPS Printing FTP Printing WS-Discovery WS-Print SLP Telnet configuration TFTP Configuration File ARP-Ping eCCL eFCLEnable DHCPv4 FQDN compliance with RFC 4702
  Thanks,
  John

  I do work with the LAST archived project file, which contains ALL necessary resources to edit the video.  But then if I add video clips to the project, these newly added clips are NOT in the archived project, so I archive it again.
  The more I think about it, the more I like this workflow.  One disadvantage as you said is duplicate videos and resource files.  But a couple of advantages I like are:
  1. You can revert to a previous version if there are any issues with a newer version, e.g., project corruption.
  2. You can open the archived project ANYWHERE, and all video and resource files are available.
  In terms of a larger project containing dozens of individual clips like my upcoming 2013 video highlights video of my 4  year old, I'll delete older archived projects as I go, and save maybe a couple of previous archived projects, in case I want to revert to these projects.
  If you are familiar with the lack of project management iMovie, then you will know why I am elated to be using Premiere Elements 12, and being able to manage projects at all!
  Thanks again for your help, I'm looking forward to starting my next video project.

• Best practices for creating application schema

  All,
  Can anyone recommend best practices (or pointer to a url) for creating application schema. A novice installer created a schema and the tablespace ran out of disk space in 2 days and the system came to a halt at a production site. The tablespace was created with one datafile and with MAXSIZE specified. I am looking for Do's and Dont's on production system.
  Thanks for any help,
  Vissu

  I'm not sure that you can boil this down to a "Do's and Don'ts" list unless you want to get overly general...
  For example, do make sure that you provision space appropriately. "Appropriately" however, is going to be radically different in different environments. Some shops set all their data files to autoextend in production and monitor utilization at the OS level. Other shops specify exact file sizes and monitor utilization at the Oracle level. Each approach has its own advantages and disadvantages, you just need to make sure that your application uses the same approach that every other application in the organization uses.
  Do have an idea about the space utilization of the application, but don't go overboard. Running out of space in 2 days means someone failed to do a basic analysis. On the other hand, I've seen people spend way more time than they should making 5 year projections based on some relatively soft assumptions and getting worried about internal overheads that were much smaller than the error bars in their baseline estimates. Of course, the precision necessary also depends on the implications-- a 20% error in a multi-TB data warehouse is going to have a lot more impact than a 20% error in a 20 GB OLTP application.
  Justin

• "Best practice" for accessing a class from a custom component?

  My app utilizes a simple class to hold global properties such as username, session data, and similar data. The class is initialized at app startup via code similar to: appGlobals:myGlobals=new myGlobals.
  Many of the custom MXML components and AS classes need to access that data. I have been able to work with it using Application.application.appGlobals.propertyname.
  Is this method the best way to communicate from components and classes to a class initiated at the application level, or should I learn something new before I build a lot of code on this method?
  Thanks.
  Paul

  The WizardModel class is interesting, it is a "singleton" where it is designed to only have one instance, and the class actually has a static variable of its own class. Because that variable is static, an instance is created the first time the class is accessed.
  As to where the WizardModel is "first accessed" and thus its own variable of type WizardModel instantiated, is hard to say, as you really need to understand the application and component startup lifecycle indepth. I have a certain depth of knowledge of that but not enough depth to say definitively when WizardModel  is first accessed, but here are some possibilities:
  WizardModel.wizardTitle = WizardModel.wizardTitleBase;      In the WizardController "wizardTitleChangeHandler" event handler
  creationComplete="WizardModel.app = this;"      In the Wizard.mxml main app creationComplete handler
  <mx:Panel title="{WizardModel.wizardTitle}" width="100%" height="100%">    Opening tag of Panel in Wizard.mxml
  I know its confusing, but just try to absorb what you can for now, and over time it will become gradually more clear.

• Best practices for accessing data in subviews

  I've got two iPhone projects which share most of their code base. I'm trying to figure out the best way to load data from some plist files and store them in a common container UIView and provide access to the data for subviews and subviews of the subviews, etc. Right now I've got the data being passed from the container view to the subviews it creates and then the subview themselves pass it further, basically a bucket brigade to get the data to where it needs to go which could be 3 or 4 views down in the hierarchy.
  Is there a better approach? I've looked at delegates & protocols but I'm having a hard time understanding how they work and whether they are appropriate in this situation. Originally I had the app delegate holding the data and any class anywhere could invoke the app delegate and get the data. However this approach fails with 2 projects because the app delegates have different names and the classes that need to access it are common to both projects. Can the app delegate be renamed without significant impact? Or is there a way a UIView can be set up as a delegate in much the same way?
  Thanks for any advice!
  Greg

  Hi Greg - You can rename the app delegate class to whatever you want, just remember to change it in IB, and make sure you catch any place it already appears in your code. I guess there's no need to change the app delegate class file names unless you want to.
  However there are lots of other solutions to your problem. A case could be made for declaring a global pointer to this data, for example. Or, you could encapsulate the data wherever you want and make an extern (globally visible) C function to access it.
  Another solution would be to put the data in a shared object which would be accessed just like the shared app object, e.g.
  #include "MyObject.h"
  NSDictionary *myPlistData = [MyObject sharedObject].plistData;
  I just got done looking at "how to make a shared object" in the Cocoa docs and can't seem to find it atm. Anyway it's in there somewhere, either in an Obj-C doc or one of the top level guides. The job just wants a class method that returns the pointer stored in a static C var; if the var is nil, the object is first created and its addy is stored in the var.
  Hope that helps!
  - Ray

• Best practices for accessing remote management

  So, I've been looking into consolidating and moving our servers and such to a colocation datacenter. A problem for me that arises from moving is, what do we do about our remote access?In a private office enviornment, I haven't ever opened up VMWare vCenter to the open internet, nor have I ever opened up DRAC/iLO past our firewall to the net. I've always just had all that management stuff hanging out on its own subnet/VLAN and I haven't ever bothered with giving remote access to anyone, really. (Well, I did once set up a windows box to allow me to RDP in and opened up the firewall for that RDP so I could then access that management VLAN from that PC)Moving to a colocation facility makes me wonder, what does everyone else do for this? Would one have a VPN configured on a router in their colo space and remote in that way, and if the...
  This topic first appeared in the Spiceworks Community

  Harvard University recently announced that on June 19, 2015, it discovered an intrusion into the IT networks of the Faculty of Arts and Sciences and Central Administration."Since discovering this intrusion, Harvard has been working with external information security experts and federal law enforcement to investigate the incident, protect the information stored on our systems, and strengthen IT environments across the University," university provost Alan Garber and executive vice president Katie Lapp said in a statement."At this time, we have no indication that personal data, research data, or PIN System credentials have been exposed," Garber and Lapp added. "It is possible that Harvard login credentials (username and password) used to access individual computers and University email accounts have been exposed."...Read More
  Read More

• What are the best practices for using the enhancement framework?

  Hello enhancement framework experts,
  Recently, my company upgraded to SAP NW 7.1 EhP6.  This presents us with the capability to use the enhancement framework.
  A couple of senior programmers were asked to deliver a guideline for use of the framework.  They published the following statement:
  "SAP does not guarantee the validity of the enhancement points in future releases/versions. As a result, any implemented enhancement points may require significant work during upgrades. So, enhancement points should essentially be used as an alternative to core modifications, which is a rare scenario.".
  I am looking for confirmation or contradiction to the statement  "SAP does not guarantee the validity of enhancement points in future releases/versions..." .  Is this a true statement for both implicit and explicit enhancement points?
  Is the impact of activated explicit and implicit enhancements much greater to an SAP upgrade than BAdi's and user exits?
  Is there any SAP published guidelines/best practices for use of the enhancement framework?
  Thank you,
  Kimberly
  Edited by: Kimberly Carmack on Aug 11, 2011 5:31 PM

  Found an article that answers this question quite well:
  [How to Get the Most From the Enhancement and Switch Framework as a Customer or Partner - Tips from the Experts|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/c0f0373e-a915-2e10-6e88-d4de0c725ab3]
  Thank you Thomas Weiss!

• What is best practice for remotely managing bank of switches over POTS

  I need to be able to have a back door into several catalyst switches and ASA.
  What is the best practice for accessing them remotely. ?

  Just place a modem into any console port. Ideally you use a terminal server, but is not always really needed.

• Can we install Best Practice for Fabricated Metals V1.604 on ECC 6.0 EHP5

  Hi Expert Team,
  We are planning to implement Best Practice for Fabricated Metals V1.604 on ECC 6.0 environment.
  We are on ECC 6.0 EHP5, but the SAP installation document mentions to install Fabricated Metals V1.604 on ECC 6.0 with EHP4.
  Also I dont think SAP has released Best Practice for Fabricated Metals for EHP5.
  I would request your confirmation if we can still install Best Practice for Fabricated Metals V1.604 on ECC 6.0 EHP5, does EHP5 supports BP V1.604, Let us know if there will be any impact on Fabricated Metals V1.604 if we install on  EHP5.
  I didnt find any SAP note or document to answer my question. Please provide some reference for the same.
  Looking forward for your response.
  Thank you!
  Guru
  Edited by: Gururaj Srinivasa on Jan 31, 2012 12:41 PM

  Dear Srinivasa,
  Did u find a solution for this issue, if you did please mention it since i have the same problem.
  Thanks in advance.

• Best practice for external but secure access to internal data?

  We need external customers/vendors/partners to access some of our company data (view/add/edit).  It’s not so easy as to segment out those databases/tables/records from other existing (and put separate database(s) in the DMZ where our server is).  Our
  current solution is to have a 1433 hole from web server into our database server.  The user credentials are not in any sort of web.config but rather compiled in our DLLs, and that SQL login has read/write access to a very limited number of databases.
  Our security group says this is still not secure, but how else are we to do it?  Even if a web service, there still has to be a hole in somewhere.  Any standard best practice for this?
  Thanks.

  Security is mainly about mitigation rather than 100% secure, "We have unknown unknowns". The component needs to talk to SQL Server. You could continue to use http to talk to SQL Server, perhaps even get SOAP Transactions working but personally
  I'd have more worries about using such a 'less trodden' path since that is exactly the areas where more security problems are discovered. I don't know about your specific design issues so there might be even more ways to mitigate the risk but in general you're
  using a DMZ as a decent way to mitigate risk. I would recommend asking your security team what they'd deem acceptable.
  http://pauliom.wordpress.com