SAP HANA security & authorization

April 26th, 2016


What we will cover

1. SAP HANA, Powered by HANA & S/4 HANA

2. Security Architecture & Authorization Scenarios

3. SAP HANA Security Functions (overview)

4. Authorization Concept

5. Security Administration

6. Tools to replicate authorizations

7. Tips & Tricks

SAP HANA, Business Suite or BW powered by HANA & S/4 HANA

Traditional Security Architecture

[Diagram: Client -> Application Server -> DB. The Application Server hosts the Application and the security functions: Authentication, Identity Store, Encryption, Authorization, Audit Logging.]

HANA Security Architecture

[Diagram: traditional vs. HANA. Traditional: as above, with the security functions in the Application Server. HANA: Client, SAP HANA Client, Studio (admin & dev) and Application Server in front of SAP HANA, which hosts the XS Engine (Application) and its own Authentication, Identity Store, Encryption, Authorization and Audit Logging.]

Integrative Authorization Scenarios

[Diagram: clients, application servers (e.g. ECC or BW), a source system with replication, and SAP HANA, shown for the three scenarios below.]

Traditional
- DB migration to HANA
- No changes to security model

Data mart (3-tier or 2-tier)
- Reporting ERP or BW data in HANA
- Direct user access to HANA
- Modified security model

Native 2-tier application
- HANA acts as DB & Application Server
- Direct user access to HANA
- Integrated security model

SAP HANA Security Functions (overview)

[Diagram: SAP HANA hosting the XS Engine (Application) and the security functions below.]
- Authentication
- Identity Store
- Encryption
- Authorization
- Audit Logging

Authorization Entities

Goal: create user, manage users, assign security.

- User: person accessing the system
- Role: collection of privileges; granted to user or another role
- Privilege: restrict operations on objects
- Object: e.g. a table, a view
- Particular object: stored procedure

Stored procedure (SQL statement)
- Standard behaviour: invoker authorizations checked
- Definer behaviour: creator authorizations checked

Best practice: control who can create stored procedures in definer behaviour.

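A catalog check for the best practice above, as an added example that is not from the original slides: it shows the security mode being set explicitly, lists definer-mode procedures with their owners, and lists who holds CREATE ANY on a schema. Schema, table and procedure names are hypothetical; the system views SYS.PROCEDURES, SYS.OWNERSHIP and SYS.GRANTED_PRIVILEGES are assumed to be readable by the auditing user.

```sql
-- Added example (not from the slides). Run the checks as an auditing user
-- that holds the CATALOG READ system privilege so the views are unfiltered.

-- 1. Setting the mode explicitly at creation time (hypothetical names).
--    With INVOKER, the caller needs SELECT on ORDERS; with DEFINER, the
--    owner's authorizations would be checked instead.
CREATE PROCEDURE "EXAMPLE_SCHEMA"."COUNT_ORDERS" (OUT n INTEGER)
  LANGUAGE SQLSCRIPT SQL SECURITY INVOKER READS SQL DATA AS
BEGIN
  SELECT COUNT(*) INTO n FROM "EXAMPLE_SCHEMA"."ORDERS";
END;

-- 2. Procedures that run with their owner's authorizations (definer
--    behaviour), and who that owner is. Built-in SYS procedures are skipped.
SELECT p.SCHEMA_NAME,
       p.PROCEDURE_NAME,
       o.OWNER_NAME
  FROM SYS.PROCEDURES AS p
  JOIN SYS.OWNERSHIP  AS o
    ON o.SCHEMA_NAME = p.SCHEMA_NAME
   AND o.OBJECT_NAME = p.PROCEDURE_NAME
   AND o.OBJECT_TYPE = 'PROCEDURE'
 WHERE p.SQL_SECURITY = 'DEFINER'
   AND o.OWNER_NAME <> 'SYS'
 ORDER BY o.OWNER_NAME, p.SCHEMA_NAME, p.PROCEDURE_NAME;

-- 3. Who can create new procedures in each schema: holders of CREATE ANY
--    (the schema owner can always create objects in the schema).
SELECT gp.SCHEMA_NAME,
       gp.GRANTEE,
       gp.GRANTEE_TYPE,
       gp.GRANTOR,
       gp.IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES AS gp
 WHERE gp.OBJECT_TYPE = 'SCHEMA'
   AND gp.PRIVILEGE   = 'CREATE ANY'
 ORDER BY gp.SCHEMA_NAME, gp.GRANTEE;
```
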
Entities relations

[Diagram: relations between User, Role, Privilege and Object, with the labels "owns" and "granted to" and a "Best practice" marker.]

Attention: the action "grant" is also considered as an object! A grant is owned by its creator.

Repository vs Catalog (2 ways of working)

Repository
- Object definition (e.g. table def.)
- +/- DB definition
- Design time (store for design-time)
- Packages & subpackages
- Package privilege
- Rep. object type: data models (views), analytical privileges, repository roles
- Transportable (DEV, QA, PRD)
- Owner = technical user _SYS_REPO

Catalog
- Object (e.g. table)
- +/- DB content
- Run-time object
- Not transportable
- Creator = user
- Creator deleted -> all linked objects deleted

When activated, owner of run-time object = _SYS_REPO

Authorization Entities: user

User type

DB users
- real user
- deletable
- all owned objects deleted
- all privileges they granted deleted

Internal DB users
- not real user
- not deleted
- for most: no logon possible
- for admin tasks
- e.g. technical user _SYS_REPO

Single user maintenance

Create 1 user directly in HANA
- attention: no first name, last name, department, function, ...!
- only user id & email address

Replication from ABAP user to HANA user
- Maintenance of DBMS (database management system) users in SU01
- create / delete a DBMS user
- delete the assigned DBMS user when ABAP user is deleted

Result in HANA: [screenshot not preserved]

User mass maintenance

Via: ABAP program RSUSR_DBMS_USERS
- mass mapping of ABAP users to DBMS users
- if DBMS user does not exist -> will be created in the DB system
- assign or unassign DBMS Roles to/from DBMS users

Other solutions:
- via tools (IDM, ...)
- via own automation (SQL script)

Authorization Entities: role

Repository roles (best practice)
- Transportable (DEV, QA, PRD)
- No need to have privilege to grant it to the role
- Grantor can grant/revoke all roles if he can execute the Grant Activated Role stored procedure
- Use with grant option for _SYS_REPO
- SOD possible btw creation, ownership & granting

Catalog roles (not recommended)
- Not transportable
- Need to have privilege to grant it to the role
- Only grantor can revoke role
- Privileges are transitive (removed from grantor -> removed from role)
- If grantor is deleted -> privileges are revoked

Authorization Entities: role (assignment)

[Diagrams: role assignment in the repository vs. the catalog, with a legend "Best practice" / "Not recommended". Catalog: the role (origin: catalog) is assigned to the user. Repository: the role (origin: activated in the repository, owner = _SYS_REPO) is assigned via Granted Roles, that is, by execution of a stored procedure owned by _SYS_REPO.]

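The two assignment paths described above, followed by two catalog checks for roles and grants that depend on a named user, as an added example that is not from the original slides. Role, package and user names are hypothetical; the system views SYS.ROLES and SYS.GRANTED_ROLES are assumed to be readable by the auditing user.

```sql
-- Added example (not from the slides); role, package and user names are
-- hypothetical.

-- Repository role: assigned by executing the _SYS_REPO procedure, so the
-- recorded grantor is _SYS_REPO and not the administrator's own user.
-- The administrator only needs EXECUTE on this procedure.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"(
  'example.security::ReportingUser', 'EXAMPLE_USER');

-- Catalog role: granted directly, so the grantor is the connected user and
-- the grant is revoked if that user is deleted.
GRANT EXAMPLE_CATALOG_ROLE TO EXAMPLE_USER;

-- Check 1: run-time roles created in the catalog (creator is a named user
-- rather than _SYS_REPO). Built-in roles created by SYS are skipped.
SELECT ROLE_NAME,
       CREATOR
  FROM SYS.ROLES
 WHERE CREATOR NOT IN ('SYS', '_SYS_REPO')
 ORDER BY CREATOR, ROLE_NAME;

-- Check 2: role assignments whose grantor is a named user. Each row is a
-- grant that disappears when that grantor is deleted.
SELECT GRANTEE,
       GRANTEE_TYPE,
       ROLE_NAME,
       GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTOR NOT IN ('SYS', '_SYS_REPO')
 ORDER BY GRANTOR, GRANTEE, ROLE_NAME;
```
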
Authorization Entities: privilege (overview)

[Diagram: Client -> Application on the XS Engine (application privilege); package (package privilege); table (object privilege); view (analytic privilege); SAP HANA (system privilege).]

- System Privilege: admin tasks
- Application Privilege: HANA applications (XS engine)
- Package Privilege: access & use of packages in repositories
- Object Privilege: SQL statements on DB objects
- Analytic Privilege: provide row-level authorizations

Authorization Entities: privilege (system priv.)

System Privilege
- System-wide privilege
- Cannot be created or changed
- Authorize user for admin tasks:
  o Users & roles mngt
  o Catalog & repository mngt
  o Auditing
  o System mngt
  o Data import/export

Authorization Entities: privilege (application priv.)

Application Privilege
- Grant access to HANA based applications
- e.g. to access the Web IDE interface application: Application Privilege (sap.hana.xs.ide)
- Used by HANA application developers

Authorization Entities: privilege (package priv.)

Package Privilege
- Only for developers & modelers
- Access & use of packages in the repository
- Hierarchical access to packages & corresponding sub-packages
- Packages contain objects such as:
  o object privileges
  o HANA views

Authorization Entities: privilege (object priv.)

Object Privilege
- Are linked to an object
- Restrict access on DB objects (e.g. table, view)
- Actions:
  o select
  o update / create
  o delete

Authorization Entities: privilege (analytic priv.)

Analytic Privilege
- Control access to data with row-level authorization
- Dynamic analytic privilege can be created

Dynamic analytic privilege

Table User_Region:

User_Name   Region    Position
User1       America   Manager
User2       Asia      Employee
User3       Europe    Manager

SQL dynamic analytic privilege:

Assign the dynamic procedure to the analytic privilege:

- ease of maintenance
- filter obtained from a stored procedure with a complex logic, e.g. check user's region from a table

[Diagram: user 1, user 2 and user 3 access a view through one dynamic analytic privilege; each user gets that user's own restrictions.]

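One way to build the dynamic analytic privilege described above from the User_Region table, as an added example that is not the code from the original slides. It is written as catalog SQL for brevity; the schema SEC_DEMO, the view, the privilege name and the role are hypothetical, and the view is assumed to be enabled for SQL analytic privileges.

```sql
-- Added example (not from the slides). Schema, view, privilege and role
-- names are hypothetical; user names are stored in upper case so that they
-- match SESSION_USER.
CREATE COLUMN TABLE "SEC_DEMO"."USER_REGION" (
  "USER_NAME" NVARCHAR(256) PRIMARY KEY,
  "REGION"    NVARCHAR(40)  NOT NULL,
  "POSITION"  NVARCHAR(40)
);
INSERT INTO "SEC_DEMO"."USER_REGION" VALUES ('USER1', 'America', 'Manager');
INSERT INTO "SEC_DEMO"."USER_REGION" VALUES ('USER2', 'Asia',    'Employee');
INSERT INTO "SEC_DEMO"."USER_REGION" VALUES ('USER3', 'Europe',  'Manager');

-- Filter procedure: read-only, definer mode, one output parameter that
-- carries the filter condition for the connected user.
CREATE PROCEDURE "SEC_DEMO"."GET_REGION_FILTER" (OUT OUT_FILTER NVARCHAR(256))
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
  DECLARE v_region NVARCHAR(40);
  -- A user with no row makes SELECT ... INTO raise "no data found", so the
  -- procedure fails instead of returning a permissive filter.
  SELECT "REGION" INTO v_region
    FROM "SEC_DEMO"."USER_REGION"
   WHERE "USER_NAME" = SESSION_USER;
  -- Double any embedded quote so table content cannot rewrite the filter.
  OUT_FILTER := '"REGION" = ''' || REPLACE(:v_region, '''', '''''') || '''';
END;

-- Assign the procedure to the analytic privilege, then grant the analytic
-- privilege plus the object privilege on the view to a role.
CREATE STRUCTURED PRIVILEGE "AP_SALES_BY_REGION"
  FOR SELECT ON "_SYS_BIC"."example.sales/SALES_BY_REGION"
  CONDITION PROVIDER "SEC_DEMO"."GET_REGION_FILTER";
GRANT STRUCTURED PRIVILEGE "AP_SALES_BY_REGION" TO EXAMPLE_REPORTING_ROLE;
GRANT SELECT ON "_SYS_BIC"."example.sales/SALES_BY_REGION" TO EXAMPLE_REPORTING_ROLE;

-- Review: anyone who can write USER_REGION controls the row filter.
-- (Table-level grants only; schema-level grants have OBJECT_TYPE = 'SCHEMA'.)
SELECT GRANTEE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE SCHEMA_NAME = 'SEC_DEMO' AND OBJECT_NAME = 'USER_REGION'
   AND PRIVILEGE IN ('INSERT', 'UPDATE', 'DELETE');
```
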
Authorization Entities: privilege (summary)

- Access a table / view: via object privilege
- Access a specific column: via a created view
- Access a row: via analytic privilege

1 displayed view = object priv (access to the table/view) + analytic priv (filters for that table)

Security Administration

2 possibilities:
- SAP HANA Studio
- XS Web Interface

[Diagram: an admin using the SAP HANA Studio client, and an admin using the XS Web Interface application on the XS Engine, both in front of SAP HANA.]

Security Administration (role: repository vs catalog)
Role creation: Repository (design-time) vs Catalog (run-time).

Security Administration (user: repository vs catalog)
User creation: Repository (design-time) vs Catalog (run-time).

Security Administration (role assignment: repository vs catalog)
Role assignment: Repository (design-time) vs Catalog (run-time).

[Screenshots of SAP HANA Security Administration in the XS Web Interface and SAP HANA Studio not preserved; the options were marked "Best practice" or "Not recommended".]

Tools to replicate authorizations

When is it needed?
- When there is a direct connection to SAP HANA

For BW authorizations: SAP HANA Model Generation
- part of BW
- replicate ABAP authorizations (BW Analysis Authorizations) in HANA Analytic Privileges
  o generate analytic priv.
  o update analytic priv.

For ECC authorizations: SAP HANA Live Authorization Assistant
- SAP HANA Studio add-on
- replicate ABAP PFCG authorizations in HANA Privileges
  o generate analytic priv.
  o update analytic priv.

Attention! SAP HANA privileges are less granular than authorizations in the application layer; therefore not all BW/ECC authorizations are supported in HANA.

Impact to GRC
- In GRC user provisioning flow: if no replication, use Business Roles in GRC
- HANA rule set in GRC: limited to IT maintenance & development*

[Diagram with two panels. Replication scenario: GRC, Composite Role, BW single roles, corresponding HANA roles, assigned to BW and HANA. No replication scenario: GRC, Business Role, BW composite roles, HANA roles, assigned to BW and HANA.]

Tips & tricks

- Create roles in Design-time (repository roles).
- Ensure you are in the repository when working with the HANA Studio or the XS Web Interface for role creation.
- Transfer ownership of everything you have created in the repository to _SYS_REPO to avoid issues if your user is deleted.
- Transport roles from DEV to QA & PRD & activate them on each system to have _SYS_REPO as the owner of the run-time roles.
- Assign roles via Granted Roles (executing stored procedure (via user _SYS_REPO)).
- Control who can create stored procedures in definer behaviour to mitigate the risk of abuse.
- Create a similar design to the 2 layer model to keep it clear.
- Even if there is no limit on the number of privileges assigned (unlike ECC, with its maximum of 312 profiles), be logical in grouping the views.
- SAP template roles are too wide. Create custom roles instead.
- Restrict access to only the needed packages for modellers.
- System privileges cannot be created/changed. Use stored procedures for a more granular approach.
- Ensure the new custom XS HANA applications created by developers are secured to avoid exposing the DB.
- If the user does not have full access to a view, the user will see partial data (only authorized data), in contrast with BI, where the user gets no results in that case.
- If a filter is applied to 1 view in an analytical privilege, it will apply to all views in the analytical privilege.
- Dynamic analytic privileges can be used for ease of maintenance, but be aware that they reduce transparency in authorizations!
- Use a tool to replicate BW & ECC authorizations to HANA authorizations.
- Note that the HANA rule set in GRC is limited to IT maintenance & development.

Don't forget the important Security Notes:

- 2197397: SAP HANA Extended Application Services (XS) has a Buffer Overflow vulnerability.
- 2197428: Potential remote code execution in HANA.
- 2197459: Potential log injection vulnerability in SAP HANA audit log.
Thanks for listening! Any questions?

Christophe Decamps
Consultant
Governance, Risk & Compliance

+32 473 720 125


christophe.decamps@expertum.net

www.expertum.net
Inspire by Experience.
