SAP HANA, Business Suite or BW powered by HANA & S/4 HANA
What we will cover
4. Authorization Concept
5. Security Administration
Traditional Security Architecture
(diagram: Client -> Application -> DB)
HANA Security Architecture
(diagram: Traditional architecture side by side with the HANA architecture)
Integrative Authorization Scenarios
SAP HANA Security Functions (overview)
(diagram: Application -> XS Engine -> SAP HANA)
Authorization Entities
Goal:
• Create users
• Manage users
• Assign security roles
Entities (diagram: Privilege granted to Role; Role granted to User or to another Role; User owns Object):
• User: person accessing the system
• Role: collection of privileges, granted to a user or to another role
• Stored procedure: SQL statement
  o Standard behaviour: invoker authorizations are checked
  o Definer behaviour: creator authorizations are checked
Attention:
• The action “grant” is also considered as an object!
Repository vs Catalog (2 ways of working)
(diagram: Repository side, owned by _SYS_REPO, vs Catalog side; the same entities User, Role, Privilege and Object apply to both)
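The invoker/definer distinction for stored procedures is easiest to see with both variants side by side. This is an added example, not code from the slides: the schema SALES, table SALES.ORDERS, users APP_OWNER and REPORT_USER are constructed names, and the last query assumes the SQL_SECURITY column of SYS.PROCEDURES and the SYS.GRANTED_PRIVILEGES view.

```sql
-- Added example (not from the original slides). SALES, SALES.ORDERS,
-- APP_OWNER (the creator) and REPORT_USER are constructed names.

-- Invoker mode: the privileges of the CALLING user are checked against
-- SALES.ORDERS at run time, so REPORT_USER needs SELECT on the table.
CREATE PROCEDURE SALES.ORDER_COUNT_INVOKER (OUT n INTEGER)
  LANGUAGE SQLSCRIPT
  SQL SECURITY INVOKER
  READS SQL DATA AS
BEGIN
  SELECT COUNT(*) INTO n FROM SALES.ORDERS;
END;

-- Definer mode: the privileges of the procedure CREATOR (APP_OWNER) apply.
-- Anyone holding EXECUTE reads SALES.ORDERS through the procedure without
-- SELECT on the table, so EXECUTE on a definer procedure must be granted as
-- carefully as the underlying object privilege itself.
CREATE PROCEDURE SALES.ORDER_COUNT_DEFINER (OUT n INTEGER)
  LANGUAGE SQLSCRIPT
  SQL SECURITY DEFINER
  READS SQL DATA AS
BEGIN
  SELECT COUNT(*) INTO n FROM SALES.ORDERS;
END;

GRANT EXECUTE ON SALES.ORDER_COUNT_INVOKER TO REPORT_USER;
GRANT EXECUTE ON SALES.ORDER_COUNT_DEFINER TO REPORT_USER;

-- Run as REPORT_USER, who has no SELECT on SALES.ORDERS:
CALL SALES.ORDER_COUNT_INVOKER(?);   -- rejected: insufficient privilege
CALL SALES.ORDER_COUNT_DEFINER(?);   -- succeeds with APP_OWNER's rights

-- Periodic control: list definer procedures and who may execute them.
SELECT p.SCHEMA_NAME, p.PROCEDURE_NAME, g.GRANTEE
  FROM SYS.PROCEDURES p
  LEFT JOIN SYS.GRANTED_PRIVILEGES g
    ON g.SCHEMA_NAME = p.SCHEMA_NAME
   AND g.OBJECT_NAME = p.PROCEDURE_NAME
   AND g.PRIVILEGE   = 'EXECUTE'
 WHERE p.SQL_SECURITY = 'DEFINER';
```

The control query at the end is the part worth scheduling: a definer procedure with EXECUTE granted to PUBLIC or to a broad role quietly widens access to every object the creator can reach.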
Authorization Entities: user
Single user maintenance
• Replication from ABAP user to HANA user
• Maintenance of DBMS (database management system) users in SU01:
  o create / delete a DBMS user
  o delete the assigned DBMS user when the ABAP user is deleted
(Result in HANA: screenshot of the created DBMS user)
User mass maintenance
• Via ABAP program RSUSR_DBMS_USERS:
  o mass mapping of ABAP users to DBMS users
  o if the DBMS user does not exist, it will be created in the DB system
  o assign or unassign DBMS roles to/from DBMS users
• Other solutions:
  o via tools (IDM, …)
  o via own automation (SQL script)
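The "own automation (SQL script)" option above is what a provisioning script for a single HANA user looks like end to end. This is an added example, not from the slides or from any SAP program: the user J_DOE, the initial password, the validity date and the repository role name com.example.sec.roles::Reporting are constructed.

```sql
-- Added example (not from the original slides). J_DOE, the initial
-- password, the validity date and the role name are constructed.

-- Create the DBMS user. The default forces a password change at first
-- logon (NO FORCE_FIRST_PASSWORD_CHANGE is deliberately not used), and
-- VALID UNTIL limits how long an unused account can linger.
CREATE USER J_DOE PASSWORD "Initial-Pw-2024!"
  VALID FROM NOW UNTIL '2024-12-31 23:59:59';

-- Typical user parameters set at provisioning time.
ALTER USER J_DOE SET PARAMETER CLIENT = '100';

-- Assign an activated repository role through _SYS_REPO (the best practice
-- on the role slides), instead of granting privileges to the user directly.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('com.example.sec.roles::Reporting', 'J_DOE');

-- Offboarding: lock first, drop later. RESTRICT (the default) refuses the
-- drop while J_DOE still owns objects, which avoids silently losing them.
ALTER USER J_DOE DEACTIVATE USER NOW;
DROP USER J_DOE RESTRICT;

-- Control check for the whole system: users whose validity has expired, who
-- never logged on, or who still carry an administrator-given password.
SELECT USER_NAME, VALID_UNTIL, USER_DEACTIVATED,
       LAST_SUCCESSFUL_CONNECT, PASSWORD_CHANGE_NEEDED
  FROM SYS.USERS
 WHERE (VALID_UNTIL IS NOT NULL AND VALID_UNTIL < CURRENT_TIMESTAMP)
    OR LAST_SUCCESSFUL_CONNECT IS NULL
    OR PASSWORD_CHANGE_NEEDED = 'TRUE';
```

Whether the script is run by IDM, by RSUSR_DBMS_USERS or by hand, the same three things matter: no long-lived initial passwords, a validity end date, and roles rather than direct privileges on the user.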
Authorization Entities: role
Repository roles (best practice):
• Transportable (DEV, QA, PRD)
Catalog roles (not recommended):
• Not transportable
Authorization Entities: role (assignment)
Repository (best practice):
• Role origin: activation in the repository; role owner = _SYS_REPO
• Assignment by executing the _SYS_REPO stored procedure (in SAP HANA Studio via “Granted Roles”)
Catalog (not recommended):
• Role created and assigned directly at run time
Authorization Entities: privilege (overview)
(diagram: Client -> SAP HANA; legend: Syst. Priv., Obj. Priv., Appl. Priv., Pack. Priv., Analyt. Priv.)
• System privilege
• Object privilege: SQL statements on DB objects
• Application privilege
• Package privilege
• Analytic privilege
Authorization Entities: privilege (system priv.)
(diagram only)
Authorization Entities: privilege (application priv.)
• Grant access to HANA based applications, e.g. to access the Web IDE interface application (sap.hana.xs.ide)
Authorization Entities: privilege (package priv.)
• Only for developers & modelers
Authorization Entities: privilege (object priv.)
• Are linked to an object
• Actions: select, update / create, delete, …
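To make the privilege types concrete, and to show the run-time (catalog) path the role slides mark "not recommended" next to the repository path they recommend, here is one catalog role carrying a system, an object, a package and an application privilege, followed by the checks an administrator runs afterwards. This is an added example, not from the slides: the schema SALES, procedure SALES.ORDER_STATUS, package com.example.sales, application privilege com.example.sales::Execute, repository role com.example.sec.roles::SalesSupport and user J_DOE are constructed, and the verification queries assume the SYS.EFFECTIVE_ROLES and SYS.EFFECTIVE_PRIVILEGES views.

```sql
-- Added example (not from the original slides). All schema, package,
-- privilege, role and user names below are constructed.

CREATE ROLE SALES_SUPPORT_CATALOG;

-- System privilege: an action on the system as a whole. CATALOG READ
-- allows troubleshooting in the catalog without any data access.
GRANT CATALOG READ TO SALES_SUPPORT_CATALOG;

-- Object privileges: SQL statements on specific DB objects.
GRANT SELECT ON SCHEMA SALES TO SALES_SUPPORT_CATALOG;
GRANT EXECUTE ON SALES.ORDER_STATUS TO SALES_SUPPORT_CATALOG;

-- Package privilege: design-time content, only for developers & modelers.
-- REPO.READ lets support staff inspect but not change the package.
GRANT REPO.READ ON "com.example.sales" TO SALES_SUPPORT_CATALOG;

-- Application privilege: access to an XS application. These are granted
-- through _SYS_REPO rather than with a plain GRANT statement.
CALL "_SYS_REPO"."GRANT_APPLICATION_PRIVILEGE"('com.example.sales::Execute', 'SALES_SUPPORT_CATALOG');

-- Catalog path (run time, not recommended): direct grant of the role.
GRANT SALES_SUPPORT_CATALOG TO J_DOE;

-- Repository path (best practice): activated role, owner _SYS_REPO,
-- assigned and revoked through the _SYS_REPO procedures.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('com.example.sec.roles::SalesSupport', 'J_DOE');
CALL "_SYS_REPO"."REVOKE_ACTIVATED_ROLE"('com.example.sec.roles::SalesSupport', 'J_DOE');

-- Verification: what the user effectively holds, whichever path granted it.
SELECT ROLE_NAME, GRANTEE, GRANTOR
  FROM SYS.EFFECTIVE_ROLES
 WHERE USER_NAME = 'J_DOE';

SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'J_DOE'
   AND IS_VALID = 'TRUE';
```

The two verification queries are the part to keep in a review script: EFFECTIVE_ROLES resolves role nesting, and EFFECTIVE_PRIVILEGES flattens every privilege type into one list, so a user's real reach can be compared against what the role design intended.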
Authorization Entities: privilege (analytic priv.)
• Control access to data with row-level authorization
• Dynamic analytic privilege: assign the dynamic procedure to the analytic privilege
Three levels of access:
• Access a table / view via an object privilege
• Access a specific column via a created view
• Access a row via an analytic privilege
1 displayed view = object priv (access to the table/view) + analytic priv (filters for that table)
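The three levels of access and the "object priv + analytic priv" rule, carried through in SQL with both a static and a dynamic (procedure-based) analytic privilege. This is an added example, not from the slides: the schema SALES, the ORDERS and USER_COUNTRY tables, the view, the procedure, the role and the user J_DOE are all constructed, and the SQL-based analytic privilege syntax (CREATE STRUCTURED PRIVILEGE with CONDITION PROVIDER) is assumed to be available on the release in use.

```sql
-- Added example (not from the original slides). Schema, tables, view,
-- procedure, role and user names are constructed sample data.

CREATE SCHEMA SALES;
CREATE COLUMN TABLE SALES.ORDERS (
  ORDER_ID INTEGER PRIMARY KEY, COUNTRY NVARCHAR(2), AMOUNT DECIMAL(12,2));
INSERT INTO SALES.ORDERS VALUES (1, 'BE', 100.00);
INSERT INTO SALES.ORDERS VALUES (2, 'NL', 250.00);
INSERT INTO SALES.ORDERS VALUES (3, 'DE',  75.00);

-- Column level: expose only the columns reporting needs, and opt the view
-- into analytic privilege checks (without this clause no row filter applies).
CREATE VIEW SALES.ORDERS_REPORT AS
  SELECT ORDER_ID, COUNTRY, AMOUNT FROM SALES.ORDERS
  WITH STRUCTURED PRIVILEGE CHECK;

-- Row level, static: a fixed filter baked into the analytic privilege.
CREATE STRUCTURED PRIVILEGE SALES.AP_BENELUX
  FOR SELECT ON SALES.ORDERS_REPORT
  WHERE COUNTRY IN ('BE', 'NL');

-- Row level, dynamic: the filter text is produced per session by a
-- procedure (DEFINER mode, read-only, one VARCHAR output parameter).
CREATE TABLE SALES.USER_COUNTRY (USER_NAME NVARCHAR(256), COUNTRY NVARCHAR(2));
INSERT INTO SALES.USER_COUNTRY VALUES ('J_DOE', 'DE');

CREATE PROCEDURE SALES.COUNTRY_FILTER (OUT OUT_FILTER VARCHAR(2000))
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
  DECLARE V_LIST VARCHAR(2000);
  -- SESSION_USER is the calling user even in DEFINER mode; CURRENT_USER
  -- would be the creator and would make every caller share one filter.
  SELECT STRING_AGG('''' || COUNTRY || '''', ',') INTO V_LIST
    FROM SALES.USER_COUNTRY
   WHERE USER_NAME = SESSION_USER;
  -- Edge case: a user with no mapping must see nothing, not everything.
  -- An empty IN list is invalid SQL, so return a condition matching no row.
  IF :V_LIST IS NULL THEN
    OUT_FILTER := 'COUNTRY = ''__NONE__''';
  ELSE
    OUT_FILTER := 'COUNTRY IN (' || :V_LIST || ')';
  END IF;
END;

CREATE STRUCTURED PRIVILEGE SALES.AP_BY_USER
  FOR SELECT ON SALES.ORDERS_REPORT
  CONDITION PROVIDER SALES.COUNTRY_FILTER;

-- Both halves of the rule: the object privilege on the view (table/view
-- access) plus the analytic privilege carrying the row filter.
CREATE ROLE SALES_REPORTING;
GRANT SELECT ON SALES.ORDERS_REPORT TO SALES_REPORTING;
GRANT STRUCTURED PRIVILEGE SALES.AP_BY_USER TO SALES_REPORTING;
GRANT SALES_REPORTING TO J_DOE;

-- Run as J_DOE: only the DE row is returned (partial data, as on the
-- tips slide). With SELECT on the view but no analytic privilege at all,
-- the view cannot be read, because it requires a structured privilege check.
SELECT * FROM SALES.ORDERS_REPORT;
```

The dynamic variant is exactly the trade-off the tips slide warns about: maintenance moves into the USER_COUNTRY mapping table, which is convenient, but the effective filter for a user is no longer visible in the privilege definition itself, so the mapping table needs the same change control and review as the privileges would.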
Security Administration
2 possibilities (diagram: Client with SAP HANA Studio Admin -> SAP HANA; Application Admin -> XS Engine -> SAP HANA):
• SAP HANA Studio
• XS Web Interface
Security Administration (role: repository vs catalog)
Role creation:
• Repository: design-time, via the XS Web Interface (best practice)
• Catalog: run-time, via SAP HANA Studio (not recommended)
Security Administration (user: repository vs catalog)
User creation:
• Repository: design-time, via the XS Web Interface (best practice)
• Catalog: run-time, via SAP HANA Studio (not recommended)
Security Administration (role assignment: repository vs catalog)
Role assignment:
• Repository: design-time, via the XS Web Interface (best practice)
• Catalog: run-time, via SAP HANA Studio (not recommended)
Tools to replicate authorizations
When is it needed?
• When there is a direct connection to SAP HANA
For BW authorizations:
• SAP HANA Model Generation
  o part of BW
  o replicates ABAP authorizations (BW Analysis Authorizations) as HANA Analytic Privileges
  o generates analytic priv.
  o updates analytic priv.
Attention!
SAP HANA privileges are less granular than authorizations in the application layer; therefore not all BW/ECC authorizations are supported in HANA.
Impact to GRC
• In the GRC user provisioning flow: if there is no replication, use Business Roles in GRC
• Replication scenario: GRC Composite Role assigned to the user -> BW single roles -> corresponding HANA roles assigned in HANA
• No replication scenario: GRC Business Role -> BW composite roles assigned in BW, and HANA roles assigned in HANA
• HANA rule set in GRC is limited to IT maintenance & development*
Tips & tricks
• If the user does not have full access to a view, the user will see partial data (only the authorized data), unlike BI, where the user gets no results in that case.
• If a filter is applied to 1 view in an analytical privilege, it will apply to all views in that analytical privilege.
• Dynamic analytic privileges can be used for ease of maintenance, but be aware that they reduce transparency in authorizations!
• Note that the HANA rule set in GRC is limited to IT maintenance & development.
Christophe Decamps
Consultant
Governance, Risk & Compliance
www.expertum.net
Inspire by Experience.