Sridhar Gajulapalli sridhar.gajulapalli@gmail.com

HANA Security sapsecurityacademy.com

User Administration:
BASIS - System Admin - Installation

Security - User Admin, Role Admin

Database - Developer - DB Admin

BW - Modeling

End Users - Reports Access

User types:

1. Standard User Accounts – Non End User

Technical User Accounts

2. Restricted User Accounts – End Users

Standard User Accounts:

 Whoever needs to log in to the HANA DB

 Is assigned the PUBLIC role (without the PUBLIC role, the user can't log in to HANA Studio)

 A schema is created under the user's name - a dedicated space where he can create his own data

Purpose:

1) Individual Accounts - Dialog IDs

2) Service Accounts - Service IDs, RFC User

3) Application Accounts - Used in web-based applications to interact with the HANA database

Technical User Accounts:

Scenario1:

Every User has 2 accounts - Normal and Tech Account

Example:

ABCD - To display the data

TECH_ABCD - to create the data - All the development

Disadvantage: TECH Ids will be piled up as we don’t delete these IDs.

Scenario2:

Every User has only one account with DISPLAY Access.

But to create/edit data, they need to use a common TECH account that anyone can use.

Example: We create one TECH account per team, and it is used whenever they want to create/edit data. The entire team knows the password.

Disadvantage: No track of who edited/created data. Not auditable.

Solution:

Every user has only one account with FULL access. But when they are maintaining data, it has to be treated/created as REPOSITORY DATA.

Whenever the data is created, create that as Repository Data


Owner of the Repository Data is standard user id ----> _SYS_REPO/SYSTEM/SYS

Ownership of Data:

User1 is creating Role1, Role2. User1 is the owner of Role1 and Role2.

If User1 is deleted from the system, Role1 and Role2 also get deleted.

User2 is copying from Role 1 to Role 3

Grantable to Others:

YES - The User can assign the same access what he has to other users.

NO - The User cannot assign the same access what he has to other users.

Restricted User Accounts:

The PUBLIC role, which is responsible for login to the HANA DB, is not assigned

Users trying to access data in the HANA DB through web-based applications – BPC/BO/Power BI/FIORI


 Can we convert a Restricted User Account into a Standard User Account and vice versa?

 In HANA 1.0, we cannot

 In HANA 2.0, we can

User Account Naming Convention:

 A to Z

 0-9

 Underscore ‘_’

User Creation ----- > 3 different ways

 SQL statements, e.g. CREATE USER

 HANA Studio

 Web Based XS Development Infrastructure - IDE


Creating user through HANA Studio:


Grantable to other users and role:

Only when this is selected can a user who is assigned this role assign it to some other user, even without having ROLE ADMIN access in HANA.

TL - SCHEMA1

DEVELOPER1

DEVELOPER2

DEVELOPER3

TL wants all 3 developers to create data under SCHEMA1

Solution1:

Ask Security team to give Create Table under SCHEMA1 to all 3 developers

TL

Object Privilege

SCHEMA1 ----- > Create Any ----> Grantable to Others (YES)

SCHEMA1 ----- > Create Any ----> Grantable to Others (NO)

DEVELOPER1

Object Privilege

SCHEMA1 ----- > Create Any
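
The TL/developer scenario above written as SQL, followed by the review queries a security team would run to see where delegation exists. This is an added example, not part of the original notes. It assumes users TL and DEVELOPER1 to DEVELOPER3 and schema SCHEMA1 exist as in the notes, that the first statements are run by an administrator who holds the privileges with grant option, and that SCHEMA1_DEV_ROLE is a hypothetical, already existing role.

```sql
-- "Grantable to others = YES": TL may pass CREATE ANY on SCHEMA1 to other users.
GRANT CREATE ANY ON SCHEMA SCHEMA1 TO TL WITH GRANT OPTION;

-- Role equivalent: WITH ADMIN OPTION lets TL assign the role onward
-- without holding ROLE ADMIN. SCHEMA1_DEV_ROLE is a hypothetical role name.
GRANT SCHEMA1_DEV_ROLE TO TL WITH ADMIN OPTION;

-- Run as TL: "Grantable to others = NO" for the developers,
-- so they can create objects but cannot delegate further.
GRANT CREATE ANY ON SCHEMA SCHEMA1 TO DEVELOPER1;
GRANT CREATE ANY ON SCHEMA SCHEMA1 TO DEVELOPER2;
GRANT CREATE ANY ON SCHEMA SCHEMA1 TO DEVELOPER3;

-- Review 1: who holds which privilege on SCHEMA1, who granted it,
-- and whether the holder can pass it on.
SELECT GRANTEE, GRANTOR, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = 'SCHEMA1'
 ORDER BY GRANTEE, PRIVILEGE;

-- Review 2: every grantable privilege held outside the built-in accounts.
-- Each row is a path by which access can spread without the security team.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE IS_GRANTABLE = 'TRUE'
   AND GRANTEE NOT IN ('SYSTEM', 'SYS', '_SYS_REPO')
 ORDER BY GRANTEE;

-- Review 3: the same check for roles granted WITH ADMIN OPTION.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE IS_GRANTABLE = 'TRUE'
   AND GRANTEE NOT IN ('SYSTEM', 'SYS', '_SYS_REPO')
 ORDER BY GRANTEE;
```

The GRANTOR column shows that the developers' access came from TL rather than from the security team, which is the audit trail for delegated grants.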

User Deletion:


What is difference between RESTRICT and CASCADE in user deletion?

The RESTRICT option deletes the user only when all the objects/data under his schema are owned by the user himself.

The CASCADE option deletes the user, removes all objects owned by the user and revokes all privileges granted by the user. (It does not check for dependent objects/data.)

Examples:

Scenario 1:

SCHEMA1:USER1

 DATA1 - USER1
 DATA2 - USER1
 DATA3 - USER1

Scenario 2:

SCHEMA1:USER1

 DATA1 – USER1
 DATA2 - USER2
 DATA3 - USER3
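
A pre-deletion check for the two scenarios above and for the "Ownership of Data" case (roles deleted along with their creator), using the SYS views. This is an added example, not part of the original notes. USER1 and SCHEMA1 are the names used in the notes, and the session is assumed to have CATALOG READ and USER ADMIN.

```sql
-- 1. Objects stored in SCHEMA1 that USER1 does not own.
--    No rows = Scenario 1. Rows = Scenario 2, where RESTRICT will not delete the user.
SELECT OBJECT_NAME, OBJECT_TYPE, OWNER_NAME
  FROM SYS.OWNERSHIP
 WHERE SCHEMA_NAME = 'SCHEMA1'
   AND OWNER_NAME <> 'USER1';

-- 2. Everything USER1 owns, in any schema. CASCADE removes all of it.
SELECT SCHEMA_NAME, OBJECT_NAME, OBJECT_TYPE
  FROM SYS.OWNERSHIP
 WHERE OWNER_NAME = 'USER1'
 ORDER BY SCHEMA_NAME, OBJECT_NAME;

-- 3. Roles created by USER1. These go away with their creator,
--    so list who would lose them.
SELECT R.ROLE_NAME, G.GRANTEE
  FROM SYS.ROLES R
  LEFT JOIN SYS.GRANTED_ROLES G ON G.ROLE_NAME = R.ROLE_NAME
 WHERE R.CREATOR = 'USER1'
 ORDER BY R.ROLE_NAME, G.GRANTEE;

-- 4. Privileges USER1 granted to others. These are revoked with the user.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTOR = 'USER1'
 ORDER BY GRANTEE;

-- 5. Lock the account first so the findings can be reviewed
--    while USER1 can no longer log in.
ALTER USER USER1 DEACTIVATE USER NOW;

-- 6. Drop the user. RESTRICT is the safe choice: it fails instead of
--    silently removing other people's data.
DROP USER USER1 RESTRICT;

-- Only after the results of queries 1 to 4 have been accepted:
-- DROP USER USER1 CASCADE;
```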

User Account System Views:

Schema: SYS ---- > VIEWS ---- > Apply filter for “USER” word

Right Click on USERS ----- >Open Data Preview/ Open Content


Two views are important here:

USERS

USER_PARAMETERS

Standard user Accounts in SAP HANA database:

 _SYS_REPO

 SYSTEM

 SYS

2. HANA Web Based Development Workbench:

http://<sap_hana_hostname>:80<Instance_number>/sap/hana/ide/security


http://hanabox:8004/sap/hana/ide/security

Or

https://<sap_hana_hostname>:43<Instance_number>/sap/hana/ide/security

http://sec.st.com:8000/sap/hana/ide/security

Security Admin Role:

sap.hana.ide.roles::SecurityAdmin

3. SQL Statements

To create a user:

CREATE USER <user_name> PASSWORD "<password>";
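
The two user types from the start of these notes created with SQL and then checked in the USERS and USER_PARAMETERS views. This is an added example, not part of the original notes. DEV_USER01 and RPT_USER01 are hypothetical user names that follow the naming convention above, the password is a constructed placeholder, and the session is assumed to have USER ADMIN and CATALOG READ.

```sql
-- Standard user: per the notes, gets the PUBLIC role and a schema of its own.
-- The password is a constructed placeholder for the initial logon.
CREATE USER DEV_USER01 PASSWORD "Init1234Abcd";

-- Restricted user: for end users who reach HANA through a web-based application.
CREATE RESTRICTED USER RPT_USER01 PASSWORD "Init1234Abcd";

-- Check 1: account type and state as recorded in SYS.USERS.
SELECT USER_NAME, IS_RESTRICTED, USER_DEACTIVATED, CREATOR, CREATE_TIME
  FROM SYS.USERS
 WHERE USER_NAME IN ('DEV_USER01', 'RPT_USER01');

-- Check 2: PUBLIC is expected for the standard user only.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE IN ('DEV_USER01', 'RPT_USER01')
 ORDER BY GRANTEE, ROLE_NAME;

-- Check 3: the schema created under the user's name.
SELECT SCHEMA_NAME, SCHEMA_OWNER
  FROM SYS.SCHEMAS
 WHERE SCHEMA_OWNER IN ('DEV_USER01', 'RPT_USER01');

-- Check 4: per-user parameters, if any were set.
SELECT USER_NAME, PARAMETER, VALUE
  FROM SYS.USER_PARAMETERS
 WHERE USER_NAME IN ('DEV_USER01', 'RPT_USER01');

-- Housekeeping for the "TECH IDs pile up" problem: active accounts that
-- have never logged in, oldest first, with the user who created them.
SELECT USER_NAME, CREATOR, CREATE_TIME
  FROM SYS.USERS
 WHERE LAST_SUCCESSFUL_CONNECT IS NULL
   AND USER_DEACTIVATED = 'FALSE'
   AND USER_NAME NOT IN ('SYSTEM', 'SYS', '_SYS_REPO')
 ORDER BY CREATE_TIME;
```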
