
SAP Hana security & authorization

April 26th, 2016


What we will cover

1. SAP HANA, Powered by HANA & S/4 HANA

2. Security Architecture & Authorization Scenarios

3. SAP HANA Security Functions (overview)

4. Authorization Concept

5. Security Administration

6. Tools to replicate authorizations

7. Tips & Tricks

SAP HANA, Business Suite or BW powered by HANA & S/4 HANA
Traditional Security Architecture

[Diagram: Client → Application Server → DB. The Application Server hosts the Application and the security functions: Authentication, Identity Store, Encryption, Authorization, Audit Logging.]

Hana Security Architecture

[Diagram: Traditional vs HANA. Traditional: Client → Application Server (Application; Authentication, Identity Store, Encryption, Authorization, Audit Logging) → DB. HANA: clients (SAP HANA Client, SAP HANA Studio for admin & dev, Application Server) connect to SAP HANA, which hosts Applications in the XS Engine and provides its own Authentication, Identity Store, Encryption, Authorization and Audit Logging.]
Integrative Authorization Scenarios

[Diagram: three landscapes. Traditional: Client → Application Server (e.g. ECC or BW) → SAP HANA. Data mart: Client → Application Server (e.g. ECC or BW) → Source, replication into SAP HANA, plus a Client connected directly to SAP HANA. Native 2-tier application: Client → SAP HANA.]

Traditional
• DB migration to HANA
→ No changes to security model

Data mart (3-tier or 2-tier)
• Reporting ERP or BW data in HANA
• Direct user access to HANA
→ Modified security model

Native 2-tier application
• HANA acts as DB & Application Server
• Direct user access to HANA
→ Integrated security model
SAP HANA Security Functions (overview)

[Diagram: SAP HANA, with Applications in the XS Engine, provides Authentication, Identity Store, Encryption, Authorization and Audit Logging.]
Authorization Entities

Goal
• Create user
• Manage users
• Assign security

Entities
• User: person accessing the system
• Role: collection of privileges; granted to user or another role
• Privilege: restrict operations on objects
• Object: e.g. a table, a view, …
• Particular object: stored procedure
Authorization Entities

Stored procedure
• SQL statement
• Standard behaviour:
→ invoker authorizations checked
• Definer behaviour:
→ creator authorizations checked
• Best practice: control who can create stored procedure in definer behaviour
Entities relations

[Diagram labels: owns, Object, Privilege, granted to, Role, Role. Legend: Best practice: Role, Privilege.]

Attention
• Action “grant” is also considered as an object!
→ “grant” is owned by his creator

Repository vs Catalog (2 ways of working)

Repository: object definition (e.g. table def.)
• Store for design-time
• Owner: _SYS_REPO
• When activated, owner of run-time object = _SYS_REPO

Catalog: object (e.g. table)
• Run-time
Repository vs Catalog (2 ways of working)

Repository: object definition (e.g. table def.)
• +/- DB definition
• Design time
• Packages & subpackages
• Package privilege
• Rep. object type:
→ data models (views)
→ analytical privileges
→ repository roles
• Transportable (DEV, QA, PRD)
• Owner = technical user _SYS_REPO
• When activated, owner of run-time object = _SYS_REPO

Catalog: object (e.g. table)
• +/- DB content
• Run-time object
• Not transportable
• Creator = user
• Creator deleted -> all linked objects deleted

Authorization Entities: user
User type
• DB users
→ real user
→ deletable
→ all “owned” objects deleted
→ all privileges “they granted” deleted
• Internal DB users
→ not real user
→ not deleted
→ for most: no logon possible
→ for admin tasks
→ E.g. technical user _SYS_REPO

Authorization Entities: user
Single user maintenance
• Create 1 user directly in HANA
→ attention: no first name, last name, department, function, … !
→ only user id & email address

Authorization Entities: user
Single user maintenance
• Replication from ABAP user to HANA user
• Maintenance of DBMS (database management system) users in SU01
→ create / delete a DBMS user
→ delete the assigned DBMS user when ABAP user is deleted

Authorization Entities: user
Single user maintenance
Result in HANA:

Authorization Entities: user
User mass maintenance
• Via: ABAP program RSUSR_DBMS_USERS
→ mass mapping of ABAP users to DBMS users.
→ if DBMS user does not exist -> will be created in the DB system.
→ assign or unassign DBMS Roles to/from DBMS users.

Authorization Entities: user
User mass maintenance
• Other solutions:
→ via tools (IDM, …)
→ via own automation (SQL script)
Authorization Entities: role

Repository roles (Best practice)
• Transportable (DEV, QA, PRD)
• No need to have privilege to grant it to the role
• Grantor can grant/revoke all roles if he can execute the “Grant role Activated Role” stored procedure
→ Use “with grant option” for _SYS_REPO
→ SOD possible btw creation, ownership & granting

Catalog roles (Not recommended)
• Not transportable
• Need to have privilege to grant it to the role
• Only grantor can revoke
→ Privileges are transitive (removed from grantor -> removed from role)
→ If grantor is deleted -> privileges are revoked
Authorization Entities: role (assignment)

[Diagram: Repository vs Catalog. A role of origin “catalog” is assigned to the user. Legend: Best practice / Not recommended.]

Authorization Entities: role (assignment)

[Diagram: Repository vs Catalog. A role of origin “activate repository” has owner = _SYS_REPO; _SYS_REPO owns the stored procedure used for the assignment (via “Granted Roles”). Legend: Best practice / Not recommended.]

Authorization Entities: role (assignment)

[Diagram: stored procedure execution.]
Authorization Entities: privilege (overview)

[Diagram: privilege types by layer. Client / Application in the XS Engine: Application privilege. Package: Package privilege. Table: Object privilege. View: Analytic privilege. SAP HANA: System privilege.]

Authorization Entities: privilege (overview)

• System Privilege: admin tasks
• Application Privilege: HANA applications (XS engine)
• Package Privilege: access & use of packages in repositories
• Object Privilege: SQL statements on DB objects
• Analytic Privilege: provide row-level authorizations
Authorization Entities: privilege (system priv.)

System Privilege
• System-wide privilege
• Cannot be created or changed
• Authorize user for admin tasks:
→ Users & roles mngt
→ Catalog & repository mngt
→ Auditing
→ System mngt
→ Data import/export

Authorization Entities: privilege (system priv.)

System Privilege
Authorization Entities: privilege (application priv.)

Application Privilege
• Grant access to HANA based applications
→ e.g. to access the Web IDE interface application (sap.hana.xs.ide)
• Used by HANA application developers

Authorization Entities: privilege (application priv.)

Application Privilege
Authorization Entities: privilege (package priv.)

Package Privilege
• Only for developers & modelers
• Access & use of packages in the repository
• Hierarchical access to packages & corresponding sub-packages
• Packages contain objects such as:
→ object privileges
→ Hana views
→ …

Authorization Entities: privilege (package priv.)

Package Privilege
Authorization Entities: privilege (object priv.)

Object Privilege
• Are linked to an object
• Restrict access on DB objects (e.g. table, view)
• Actions:
→ select
→ update / create
→ delete
→ …

Authorization Entities: privilege (object priv.)

Object Privilege
Authorization Entities: privilege (analytic priv.)

Analytic Privilege
• Control access to data with row-level authorization
• Dynamic analytic privilege can be created
Authorization Entities: privilege (analytic priv.)

Dynamic analytic privilege

Table “User_Region”:

User_Name   Region    Position
User1       America   Manager
User2       Asia      Employee
User3       Europe    Manager

SQL dynamic analytic privilege:

Authorization Entities: privilege (analytic priv.)

Dynamic analytic privilege
Assign the dynamic procedure to the analytic privilege:
Authorization Entities: privilege (analytic priv.)

• Dynamic analytic privilege
→ ease of maintenance
→ filter obtained from a stored procedure with a complex logic
→ e.g. check user’s region from a table

[Diagram: one dynamic analytic privilege on a view resolves to “user 1 restrictions”, “user 2 restrictions” and “user 3 restrictions” for user 1, user 2 and user 3.]
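
The dynamic analytic privilege described on these slides, as an added example in SAP HANA SQL (not the SQL from the original slides, which did not survive extraction). It assumes SQL-based analytic privileges; the schemas "SEC" and "SALES", the table "SALES"."ORDERS", the view, procedure, privilege and role names are all hypothetical.

```sql
-- Added example. Schema, view, procedure, privilege and role names are hypothetical.
-- Mapping table from the slide (rows constructed; user names upper-cased as HANA stores them).
CREATE COLUMN TABLE "SEC"."USER_REGION" (
    "USER_NAME" NVARCHAR(256) PRIMARY KEY,
    "REGION"    NVARCHAR(20) NOT NULL,
    "POSITION"  NVARCHAR(20)
);
INSERT INTO "SEC"."USER_REGION" VALUES ('USER1', 'America', 'Manager');
INSERT INTO "SEC"."USER_REGION" VALUES ('USER2', 'Asia',    'Employee');
INSERT INTO "SEC"."USER_REGION" VALUES ('USER3', 'Europe',  'Manager');

-- Secured view over an assumed table "SALES"."ORDERS" that has a REGION column.
CREATE VIEW "SALES"."V_ORDERS" AS
    SELECT * FROM "SALES"."ORDERS"
    WITH STRUCTURED PRIVILEGE CHECK;

-- Filter provider: definer mode, read-only, no input, one string output.
CREATE PROCEDURE "SEC"."GET_REGION_FILTER" (OUT OUT_FILTER NVARCHAR(256))
    LANGUAGE SQLSCRIPT
    SQL SECURITY DEFINER
    READS SQL DATA
AS
BEGIN
    DECLARE v_count  INTEGER;
    DECLARE v_region NVARCHAR(20);
    -- SESSION_USER is the logged-on user; CURRENT_USER would be the
    -- procedure owner inside a definer-mode procedure.
    SELECT COUNT(*) INTO v_count
      FROM "SEC"."USER_REGION" WHERE "USER_NAME" = SESSION_USER;
    IF :v_count = 0 THEN
        OUT_FILTER := '1 = 0';           -- unmapped user: fail closed, no rows
    ELSE
        SELECT "REGION" INTO v_region
          FROM "SEC"."USER_REGION" WHERE "USER_NAME" = SESSION_USER;
        -- Double any quote so a table value cannot break out of the literal.
        OUT_FILTER := '"REGION" = ''' || REPLACE(:v_region, '''', '''''') || '''';
    END IF;
END;

-- Assign the procedure to the analytic privilege, then grant through a role.
CREATE STRUCTURED PRIVILEGE "AP_ORDERS_BY_REGION"
    FOR SELECT ON "SALES"."V_ORDERS"
    CONDITION PROVIDER "SEC"."GET_REGION_FILTER";
GRANT STRUCTURED PRIVILEGE "AP_ORDERS_BY_REGION" TO "SALES_REPORTING";
GRANT SELECT ON "SALES"."V_ORDERS" TO "SALES_REPORTING";  -- object privilege is still required
```

Write access to "SEC"."USER_REGION" now decides which rows each user sees, so changes to that table need the same control and auditing as a privilege grant.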
Authorization Entities: privilege (summary)

• Access a table/view via object privilege
• Access a specific column via a created view
• Access a row via analytic privilege

→ 1 displayed view = object priv (access to the table/view) + analytic priv (filters for that table)
Security Administration

2 possibilities:
• SAP HANA Studio
• XS Web Interface

[Diagram: an Admin works either through the SAP HANA Studio client or through the XS Web Interface application in the XS Engine; both administer SAP HANA.]
Security Administration (role: repository vs catalog)

Role creation: Repository (Design-time) vs Catalog (Run-time)

[Screenshots: SAP HANA Security Administration in the XS Web Interface and in SAP HANA Studio. Legend: Best practice / Not recommended.]

Security Administration (user: repository vs catalog)

User creation: Repository (Design-time) vs Catalog (Run-time)

[Screenshots: SAP HANA Security Administration in the XS Web Interface and in SAP HANA Studio. Legend: Best practice / Not recommended.]

Security Administration (role assignment: repository vs catalog)

Role assignment: Repository (Design-time) vs Catalog (Run-time)

[Screenshots: SAP HANA Security Administration in the XS Web Interface and in SAP HANA Studio. Legend: Best practice / Not recommended.]
Tools to replicate authorizations

When is it needed?
• When there is a direct connection to SAP HANA

For BW authorizations:
• SAP HANA Model Generation
→ part of BW
→ replicate ABAP authorizations (BW Analysis Authorizations) in HANA Analytic Privileges
  o generate analytic priv.
  o update analytic priv.
Tools to replicate authorizations

For ECC authorizations:
• SAP HANA Live Authorization Assistant
→ SAP HANA Studio add-on
→ Replicate ABAP PFCG authorizations in HANA Privileges
  o generate analytic priv.
  o update analytic priv.

Attention!
→ SAP HANA privileges are less granular than authorizations in the application layer
→ therefore: not all BW/ECC authorizations are supported in HANA
Tools to replicate authorizations

Impact to GRC
• In GRC user provisioning flow
→ if no replication, use Business Roles in GRC

[Diagram: Replication scenario: in GRC a Composite Role (→ Single roles) is assigned in BW, and the corresponding HANA roles are assigned in HANA. No replication scenario: in GRC a Business Role (→ BW Composite roles, → HANA roles) is assigned in both HANA and BW.]

• HANA rule set in GRC
→ limited to IT maintenance & development*
Tips & tricks

• Create roles in Design-time (repository roles).
• Ensure you are in the repository when working with the HANA Studio or the XS Web Interface for role creation.
• Transfer ownership of everything you have created in the repository to _SYS_REPO to avoid issues if your user is deleted.
• Transport roles from DEV to QA & PRD & activate them on each system to have _SYS_REPO as the owner of the run-time roles.
• Assign roles via “Granted Roles” (executing stored procedure (via user _SYS_REPO)).
• Control who can create stored procedures in definer behaviour to mitigate the risk of abuse.

• Create a similar design to the 2 layer model to keep it clear.

• Even if there is no limit on the number of privileges assigned (unlike ECC, with its maximum of 312 profiles), be logical in grouping the views.
• SAP template roles are too wide. Create custom roles instead.
• Restrict access to only the needed packages for modellers.
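
Review queries for the tips above, as an added example in SAP HANA SQL (not part of the original slides). They read the SYS catalog views GRANTED_ROLES, ROLES, PROCEDURES and GRANTED_PRIVILEGES; the role name and user in the final CALL are hypothetical.

```sql
-- Added example; the role and user names in the CALL are hypothetical.

-- 1. Role grants made by a named user rather than _SYS_REPO.
--    These disappear if that grantor is deleted.
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTOR NOT IN ('_SYS_REPO', 'SYS')
 ORDER BY GRANTOR, GRANTEE;

-- 2. Catalog (run-time) roles created by a named user instead of
--    being activated from the repository.
SELECT ROLE_NAME, CREATOR
  FROM "SYS"."ROLES"
 WHERE CREATOR NOT IN ('_SYS_REPO', 'SYS')
 ORDER BY CREATOR, ROLE_NAME;

-- 3. Definer-mode procedures outside the system schemas: each one runs
--    with its creator's authorizations, so each needs a known owner and purpose.
SELECT SCHEMA_NAME, PROCEDURE_NAME, READ_ONLY
  FROM "SYS"."PROCEDURES"
 WHERE SQL_SECURITY = 'DEFINER'
   AND SCHEMA_NAME <> 'SYS'
   AND SCHEMA_NAME NOT LIKE '\_SYS%' ESCAPE '\'
 ORDER BY SCHEMA_NAME, PROCEDURE_NAME;

-- 4. Who can create objects, procedures included, in each schema.
SELECT GRANTEE, GRANTEE_TYPE, SCHEMA_NAME, PRIVILEGE, GRANTOR
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND PRIVILEGE = 'CREATE ANY'
 ORDER BY SCHEMA_NAME, GRANTEE;

-- 5. Assigning an activated repository role: the grant is executed by
--    _SYS_REPO, so it does not depend on the calling administrator's user.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('demo.security.roles::SalesReporting', 'USER1');
```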
Tips & tricks

• System privileges cannot be created/changed. Use stored procedures for a more granular approach.
• Ensure the new custom XS HANA applications created by developers are secured to avoid exposing the DB.

• If the user does not have full access to a view, the user will see partial data (only authorized data), unlike BI, where the user gets no results in that case.
• If a filter is applied to 1 view in an analytical privilege, it will apply to all views in the analytical privilege.
• Dynamic analytic privileges can be used for ease of maintenance, but be aware that they reduce transparency in authorizations!

• Use a tool to replicate BW & ECC authorizations to HANA authorizations.

• Note that the HANA rule set in GRC is limited to IT maintenance & development.
Tips & tricks

Don’t forget the important Security Notes:


• 2197397: SAP HANA Extended Application Services (XS) has a Buffer Overflow vulnerability.
• 2197428: Potential remote code execution in HANA.
• 2197459: Potential log injection vulnerability in SAP HANA audit log.
• …
Thanks for listening! Any questions?

Christophe Decamps
Consultant
Governance, Risk & Compliance

+32 473 720 125


christophe.decamps@expertum.net

www.expertum.net
Inspire by Experience.
