
Newell Rubbermaid: SAP BI Native HANA Security

Design Best Practices


Speakers: Anthony Thiongo & Gautam Patel

Newell Rubbermaid Inc.


Session ID# 5434

ABOUT NEWELL RUBBERMAID


We are a global marketer of consumer and commercial
products that touch the lives of people where they work,
live and play
Segments: Home Solutions, Writing, Tools, Commercial
Products, Baby & Parenting
Headquartered in Atlanta, GA
Approximately 18,300 employees worldwide
NYSE: NWL

More than 90 percent of U.S. households have at least one Newell Rubbermaid product.

NEWELL RUBBERMAID BRANDS

NEWELL SAP BI HANA LANDSCAPE


Landscape diagram (components shown): Active Directory, SAP BusinessObjects, SAP Enterprise Portal, BEx Analyzer, SAP BI Business Suite, SAP HANA, Tableau. Active Directory feeds authentication on both the BI and the Native HANA side.

SAP NATIVE HANA OVERVIEW


HANA Perspectives (SAP HANA Studio):
SAP HANA Administration Console
SAP HANA Development
SAP HANA Modeler
Debug Perspective

Systems, Repository Workspace and Project Explorer


System View (Runtime): central point for performing system-specific administration and monitoring activities
Repository Workspace: displays the repository contents for a specific SAP HANA system. Creating a local workspace is required before you can check out and import development artifacts
Project Explorer: hierarchical view of the artifacts in SAP HANA. Design-time objects are created through Project Explorer; roles should be created from Project Explorer

SAP HANA MODELING OVERVIEW

Schema
Container that holds database objects such as tables,
views and stored procedures
Schema Types - User Defined, SLT Derived & System
_SYS_BIC, _SYS_BI & _SYS_REPO_ schemas in HANA
Create separate schemas per function area or project
Avoid creating system specific schemas

Package
Container for repository objects which can be
transported between Native HANA systems
Package types - Structured & Unstructured
Root package should be structured
Avoid creating unnecessary packages as this creates
additional administration work
Security can be restricted at the root package or
sub package level

SAP HANA MODELING OVERVIEW (CONTD.)


Delivery Units (DU)
A collection of packages for transporting between Native HANA systems. DUs are managed through the HANA Lifecycle Management web application
Transport mechanisms in HANA:
CTS Transport
Native HANA transport

HANA Stored Procedures


A set of SQL statements used to perform specific tasks in Native HANA. For instance, you can use stored procedures to automate security administration
Custom Newell Security Procedures:
User provisioning procedure
Dynamic analytic privilege procedure

HANA MODELING NAMING CONVENTION

It is important to follow proper naming standards during HANA modeling


Naming convention should be discussed and signed off by HANA technical teams and the
business leads

Newell Modeling Naming Standards

CV_XXXXX (For Calculation View)


AV_XXXXX (For Analytic View)
AT_XXXXX (For Attribute View)
AP_XXXXX (For Analytic Privilege)
IP_XXXXX (For Input Parameter)
VA_XXXXX (For Variable)
ZSP_XXXXX (For Stored Procedure)
ZT_XXXXX (For Custom Tables)
ZH_XXXXX (For Security Roles)

DESIGN-TIME VS RUNTIME ARTIFACTS

HANA development artifacts such as schemas, packages, roles etc. can exist as runtime or design-time objects
HANA development/modeling should be done in design-time

Runtime Objects (Catalog roles) | Design-time Objects (Repository roles)
Created with SQL statements or the SAP HANA Studio GUI | Created in a domain-specific language (DSL)
Objects cannot be transported between systems | Objects can be transported between systems
Associated with a database user and granted through the standard SQL mechanism using GRANT and REVOKE | Associated with the technical user _SYS_REPO and granted through execution of stored procedures
Granted directly by a database user and can only be revoked by the same user | Any user with access to these procedures can grant and revoke a role
If the database user is deleted, all roles granted by that user are revoked | Design-time objects are owned by _SYS_REPO (system user)
No version management | Version management is possible
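The two granting paths contrasted above, as an added example (not code from the presentation or from Newell): a catalog role granted with plain SQL next to a repository role granted through the _SYS_REPO procedures. The role name ZH_FIN_REPORTER, the schema FINANCE_SLT, the package path newell.security.roles, the user BWUSER01 and the provisioning account ZSP_PROVISIONING_SVC are placeholders.

```sql
-- 1. Runtime (catalog) role: created and granted by a database user. The grant
--    is tied to that grantor; only the grantor can revoke it, and dropping the
--    grantor removes it.
CREATE ROLE ZH_FIN_REPORTER;
GRANT SELECT ON SCHEMA "_SYS_BIC" TO ZH_FIN_REPORTER;      -- activated views live here
GRANT SELECT ON SCHEMA "FINANCE_SLT" TO ZH_FIN_REPORTER;   -- SLT-derived source schema (assumed name)
GRANT ZH_FIN_REPORTER TO BWUSER01;
REVOKE ZH_FIN_REPORTER FROM BWUSER01;                      -- must be run by the original grantor

-- 2. Design-time (repository) role: the .hdbrole artifact is activated and
--    owned by _SYS_REPO. Grants go through its procedures, so any user with
--    EXECUTE on them can grant or revoke, independent of who granted first.
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('newell.security.roles::ZH_FIN_REPORTER', 'BWUSER01');
CALL _SYS_REPO.REVOKE_ACTIVATED_ROLE('newell.security.roles::ZH_FIN_REPORTER', 'BWUSER01');

-- Least privilege for an automated provisioning account: EXECUTE on exactly
-- these two procedures, not the ROLE ADMIN or USER ADMIN system privileges.
GRANT EXECUTE ON _SYS_REPO.GRANT_ACTIVATED_ROLE  TO ZSP_PROVISIONING_SVC;
GRANT EXECUTE ON _SYS_REPO.REVOKE_ACTIVATED_ROLE TO ZSP_PROVISIONING_SVC;

-- Verification: catalog grants show the granting user as GRANTOR, repository
-- grants show _SYS_REPO and the package-qualified role name.
SELECT ROLE_NAME, GRANTOR, GRANTEE
FROM SYS.GRANTED_ROLES
WHERE GRANTEE = 'BWUSER01';
```

The last query is the quickest way to see which of the two models a given grant came from, which matters when a catalog-role grantor is about to be deleted.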

SAP HANA PRIVILEGES


System Privileges Authorize execution of administrative actions
Object/SQL Privileges Authorize access to and modification of database
objects
Analytic Privileges Authorize read access to data in information models
(i.e. analytic views, attribute views and calculation views)
Package Privileges Authorize access in the repository (modeling
environment) at design time
Application Privileges Authorize access to SAP HANA XS application
functions

ROLE DEVELOPMENT - RUNTIME


Create Role SAP HANA Studio

Create Role SQL Statement

ROLE DEVELOPMENT DESIGN-TIME


Role created using Domain Specific Language (DSL)

ROLE DEVELOPMENT WEB IDE


Create Runtime role through Web IDE

Create Design-time role through Web IDE

USER PROVISIONING PROCEDURE


Users in SAP HANA should be synchronized with users in BW, including all the key security attributes:
User validity dates
User e-mail address
User enablement/disablement
User gets created with SAML and Kerberos entries
Mapping of BW roles to equivalent HANA roles
Invoke the procedure manually or through an ABAP program

Users can still be provisioned manually outside this process, and those users will not be interfered with or altered by this process

BW TABLES DRIVING SYNCHRONIZATION

PROCEDURES
Procedures: a set of SQL statements and the logic used to perform a specific task
Provision users: ZSP_PROVISION_USERS
Create/update BW user: ZSP_CREATE_UPDATE_BW_USER
Add log: ZSP_ADD_LOG
Purge user provisioning log: ZSP_PURGE_USER_PROVISIONING_LOG

CUSTOM TABLES
BW to HANA role mapping
User Provisioning Log (ZT_USER_PROVISIONING_LOG)
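An added example of what a create/update procedure in this synchronization can look like (this is not Newell's ZSP_CREATE_UPDATE_BW_USER, only a sketch with the same responsibilities): it applies the BW attributes listed above to a HANA user and writes a log row. The SAML provider name NWL_IDP, the Kerberos realm parameter and the columns of ZT_USER_PROVISIONING_LOG are assumptions; the table itself is named on the slide.

```sql
CREATE PROCEDURE ZSP_CREATE_UPDATE_BW_USER (
    IN iv_user       NVARCHAR(12),   -- BW user id
    IN iv_email      NVARCHAR(241),
    IN iv_valid_from DATE,
    IN iv_valid_to   DATE,
    IN iv_locked     NVARCHAR(1),    -- 'X' when the user is locked in BW
    IN iv_krb_realm  NVARCHAR(64)    -- e.g. 'CORP.EXAMPLE.COM' (assumed)
)
LANGUAGE SQLSCRIPT SQL SECURITY DEFINER AS
BEGIN
    DECLARE lv_cnt    INTEGER;
    DECLARE lv_name   NVARCHAR(12);
    DECLARE lv_action NVARCHAR(6);
    DECLARE lv_from   NVARCHAR(10);
    DECLARE lv_to     NVARCHAR(10);

    -- The user id is spliced into dynamic SQL, so whitelist it first:
    -- a BW user id is uppercase alphanumerics and underscore only.
    IF :iv_user NOT LIKE_REGEXPR '^[A-Z0-9_]{1,12}$' THEN
        SIGNAL SQL_ERROR_CODE 10001 SET MESSAGE_TEXT = 'Invalid BW user id';
    END IF;
    lv_name := ESCAPE_DOUBLE_QUOTES(:iv_user);
    lv_from := TO_VARCHAR(:iv_valid_from, 'YYYY-MM-DD');
    lv_to   := TO_VARCHAR(:iv_valid_to,   'YYYY-MM-DD');

    SELECT COUNT(*) INTO lv_cnt FROM SYS.USERS WHERE USER_NAME = :iv_user;

    IF :lv_cnt = 0 THEN
        lv_action := 'CREATE';
        -- SSO-only account: no password, SAML identity at creation, Kerberos added next.
        EXEC 'CREATE USER "' || :lv_name || '" WITH IDENTITY '''
          || ESCAPE_SINGLE_QUOTES(:iv_user) || ''' FOR SAML PROVIDER NWL_IDP'
          || ' VALID FROM ''' || :lv_from || ''' UNTIL ''' || :lv_to || '''';
        EXEC 'ALTER USER "' || :lv_name || '" ADD IDENTITY '''
          || ESCAPE_SINGLE_QUOTES(:iv_user || '@' || :iv_krb_realm) || ''' FOR KERBEROS';
    ELSE
        lv_action := 'UPDATE';
        EXEC 'ALTER USER "' || :lv_name || '" VALID FROM ''' || :lv_from
          || ''' UNTIL ''' || :lv_to || '''';
    END IF;

    EXEC 'ALTER USER "' || :lv_name || '" SET PARAMETER EMAIL ADDRESS = '''
      || ESCAPE_SINGLE_QUOTES(:iv_email) || '''';

    -- Mirror the BW lock flag: deactivation blocks logon but keeps the grants.
    IF :iv_locked = 'X' THEN
        EXEC 'ALTER USER "' || :lv_name || '" DEACTIVATE USER NOW';
    ELSE
        EXEC 'ALTER USER "' || :lv_name || '" ACTIVATE USER NOW';
    END IF;

    -- Log row for the run (column names assumed).
    INSERT INTO ZT_USER_PROVISIONING_LOG (RUN_TS, USER_NAME, ACTION, EXECUTED_BY)
        VALUES (CURRENT_TIMESTAMP, :iv_user, :lv_action, SESSION_USER);
END;
```

The driver procedure would call this once per user in the BW-to-HANA mapping table, which is what keeps manually created HANA users out of scope: they are simply never passed in. Role assignment is left to a separate step using the _SYS_REPO grant procedures.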

SU01 PROVISIONING TO HANA


SAP BW 740
Connection using DBCO (personalized user or technical user); test with ADBC_TEST_CONNECTION
USR_DBMS_SYSTEM table
RSUSR_DBMS_USERS program
RSUSR_DBMS_USERS_CHECK program

DYNAMIC ANALYTIC PRIVILEGE


Business Scenario: You have implemented SAP BW on HANA and BW Analysis Authorization for row-level security. You also want to apply the same row-level security to SAP HANA views (Analytic/Calculation).

Figure: SAP BW Analysis Authorizations mapped one-to-one to SAP HANA Analytic Privileges. Analysis Authorization side: 20 Company Code, 15 Profit Center, 5 Sales Org. Analytic Privilege side: 20 Company Code, 15 Profit Center, 5 Sales Org.

Challenges: You have to create an Analytic Privilege (AP) for each relevant BW Analysis Authorization, and you have to create these APs for each HANA view you want to restrict

DYNAMIC ANALYTIC PRIVILEGE (CONTD.)


Solution: Use a Dynamic Analytic Privilege in which the authorized values are derived at runtime from the SAP BW Analysis Authorization tables for the logged-in user, using a custom SAP HANA repository procedure

PROCEDURES AND TABLES


Procedures (one per restricted characteristic): Company Code, Plant, Sales Org., Profit Center
Tables read: AGR_USERS, AGR_1251, RSECVAL, RSECHIE, /BIC/HZPRFT_CTR
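The shape of the Company Code procedure behind the dynamic analytic privilege described in the two slides above, as an added example (not Newell's own procedure). HANA's contract for such a procedure is a read-only procedure with no input parameters and a single table-typed OUT parameter, which the AP evaluates for the logged-in user. The schema BW_SLT holding the replicated BW tables, the client '100', the table type name and the company-code master T001 are assumptions; the column names follow the standard BW/Basis tables and should be checked against the replicated copy.

```sql
CREATE TYPE TT_COMP_CODE AS TABLE (COMP_CODE NVARCHAR(4));

CREATE PROCEDURE ZSP_AP_COMP_CODE (OUT ot_values TT_COMP_CODE)
LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
    -- Step 1: roles of the session user (AGR_USERS), step 2: analysis
    -- authorizations carried by those roles (AGR_1251, object S_RS_AUTH, field
    -- BIAUTH). SESSION_USER is the connected user even under DEFINER security,
    -- which is what makes the privilege dynamic per user. SLT replicates DATS
    -- columns as NVARCHAR(8), hence the string date comparison.
    lt_auth = SELECT DISTINCT a.LOW AS AUTH
              FROM "BW_SLT"."AGR_USERS" u
              JOIN "BW_SLT"."AGR_1251" a
                ON a.MANDT = u.MANDT AND a.AGR_NAME = u.AGR_NAME
              WHERE u.MANDT = '100'
                AND u.UNAME = SESSION_USER
                AND TO_VARCHAR(CURRENT_DATE, 'YYYYMMDD') BETWEEN u.FROM_DAT AND u.TO_DAT
                AND a.OBJECT = 'S_RS_AUTH' AND a.FIELD = 'BIAUTH'
                AND a.DELETED <> 'X';

    -- Step 3: value restrictions for 0COMP_CODE in those authorizations (RSECVAL).
    -- Only inclusions (SIGN = 'I') are honoured here; exclusions and hierarchy
    -- authorizations (RSECHIE) would need extra handling.
    lt_val = SELECT v.SIGN, v.OPT, v.LOW, v.HIGH
             FROM "BW_SLT"."RSECVAL" v
             JOIN :lt_auth l ON l.AUTH = v.AUTH
             WHERE v.IOBJNM = '0COMP_CODE' AND v.OBJVERS = 'A';

    -- Resolve single values, BT ranges and the '*' (all) pattern against the
    -- company code master so the AP receives a concrete list of values.
    ot_values = SELECT DISTINCT t.BUKRS AS COMP_CODE
                FROM "BW_SLT"."T001" t
                JOIN :lt_val v
                  ON v.SIGN = 'I'
                 AND (   (v.OPT = 'EQ' AND t.BUKRS = v.LOW)
                      OR (v.OPT = 'BT' AND t.BUKRS BETWEEN v.LOW AND v.HIGH)
                      OR (v.OPT = 'CP' AND v.LOW = '*'))
                WHERE t.MANDT = '100';
END;
```

A user without any matching authorization gets an empty table and therefore no rows, which is the fail-closed behaviour you want. The Plant, Sales Org. and Profit Center procedures differ only in the IOBJNM filter and the master table used to expand ranges and wildcards.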

ANALYTIC PRIVILEGE - STATIC

ANALYTIC PRIVILEGE - DYNAMIC

HANA AUTHENTICATION MECHANISM

SSO authentication mechanisms supported by SAP HANA:
Kerberos
X.509
SAP Assertion Ticket
SAP Logon Ticket
SAML
Kerberos authentication has been enabled for HANA Studio and Tableau Desktop access
SAML authentication has been set up for HANA Web XS applications, Solman CTS+, BOBJ and Tableau Server integration with Native HANA

HANA USER SELF SERVICE

SAP HANA provides a web-based user self-service platform for end users to request new HANA accounts and reset passwords. This feature is available as of HANA SP09 and above.
The content is deactivated by default and is part of the HANA_XS_BASE Delivery Unit

HANA AUDIT CONFIGURATION

SAP HANA allows administrators to configure audit activities

Auditable activities include:
User activities such as user creation, deletion, and role changes
Changes to database objects such as tables, schemas, procedures
Changes to the system configuration
You can set up an audit trail for a set of users or database objects (i.e. tables)
Firefighter is not available for Native HANA. However, you can configure an audit trail for firefighter IDs created in HANA
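Audit policies covering the activity classes listed above plus a per-user trail for a firefighter ID, as an added example (not from the presentation). The policy names, the firefighter user FF_HANA01 and the schema NWL_FIN are placeholders; ZT_USER_PROVISIONING_LOG is the log table named earlier in the deck.

```sql
-- Auditing must be switched on globally before any policy produces entries.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('auditing configuration', 'global_auditing_state') = 'true' WITH RECONFIGURE;

-- User and role administration: AUDITING ALL records failed attempts too,
-- which is the interesting signal for privilege misuse.
CREATE AUDIT POLICY ZAUD_USER_ADMIN AUDITING ALL
    CREATE USER, DROP USER, ALTER USER,
    CREATE ROLE, DROP ROLE, GRANT ROLE, REVOKE ROLE,
    GRANT PRIVILEGE, REVOKE PRIVILEGE
    LEVEL CRITICAL;
ALTER AUDIT POLICY ZAUD_USER_ADMIN ENABLE;

-- Changes to database objects.
CREATE AUDIT POLICY ZAUD_DDL AUDITING SUCCESSFUL
    CREATE SCHEMA, DROP SCHEMA,
    CREATE TABLE, ALTER TABLE, DROP TABLE
    LEVEL WARNING;
ALTER AUDIT POLICY ZAUD_DDL ENABLE;

-- Changes to the system configuration (this also catches later edits to the
-- auditing parameters themselves).
CREATE AUDIT POLICY ZAUD_CONFIG AUDITING ALL
    SYSTEM CONFIGURATION CHANGE
    LEVEL CRITICAL;
ALTER AUDIT POLICY ZAUD_CONFIG ENABLE;

-- Data access restricted to one sensitive object.
CREATE AUDIT POLICY ZAUD_PROV_LOG AUDITING SUCCESSFUL
    SELECT, INSERT, UPDATE, DELETE
    ON "NWL_FIN"."ZT_USER_PROVISIONING_LOG"
    LEVEL INFO;
ALTER AUDIT POLICY ZAUD_PROV_LOG ENABLE;

-- Firefighter substitute: the ALL action is only permitted together with a FOR
-- user list, which gives exactly the per-ID trail described on the slide.
CREATE AUDIT POLICY ZAUD_FF_HANA01 AUDITING ALL
    ALL
    FOR FF_HANA01
    LEVEL CRITICAL;
ALTER AUDIT POLICY ZAUD_FF_HANA01 ENABLE;

-- Review the trail (requires the audit trail target to be the database table).
SELECT TIMESTAMP, USER_NAME, EVENT_ACTION, EVENT_STATUS, STATEMENT_STRING, AUDIT_POLICY_NAME
FROM SYS.AUDIT_LOG
WHERE AUDIT_POLICY_NAME LIKE 'ZAUD_%'
ORDER BY TIMESTAMP DESC;
```

Keep the policy that audits configuration changes enabled at all times: disabling it would be the first step of anyone trying to switch auditing off unnoticed, and with it enabled that attempt is itself recorded.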

TROUBLESHOOTING HANA REPORTS

SAP HANA introduces a new challenge for security administrators whenever there are authorization issues: there is no SU53, SUIM, ST01 or STAUTHTRACE transaction available.
Here are some steps to follow when troubleshooting HANA reports:
Isolate the problem. Is it a Portal, BI ABAP, BOBJ, Tableau, or Native HANA issue? You need a security resource with knowledge in all of the above areas.
If the issue is in Native HANA:
Check whether the user is locked, has the correct access, and has SSO enabled
Find out which views (Analytic, Calculation etc.) the end user is executing
Perform a Data Preview within Native HANA to verify that the error is security related; a Not Authorized error should appear
Perform a Native HANA trace through the trace configuration

TRACING IN NATIVE HANA


Activating the User Trace in HANA

Go to the Admin Console and click on Trace Configuration
In User-Specific Trace, enter the database user and select Authorization in ALL Services
Activate the trace and ask the user to execute the report
To view the trace results, go to the Diagnosis Files tab in the Admin Console

TRACING IN NATIVE HANA


Sample trace results log file

Use the SQL statement below to find out the missing object:
/* SQL to look up object names by the OID reported in the trace */
SELECT * FROM OWNERSHIP WHERE OBJECT_OID IN (131073);
You should see the failing object, i.e. the schema name or analytic privilege name
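The checks behind the troubleshooting and tracing steps above, as SQL an administrator can run from HANA Studio; this is an added example, not from the presentation. BWUSER01 is a placeholder user and 131073 is the OID from the sample trace. The trace statements set the system-wide authorization trace rather than the user-specific trace configured in the Studio dialog.

```sql
-- Is the user deactivated, expired, or failing logon, and does it carry the
-- SSO identities the provisioning process is supposed to create?
SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME, VALID_FROM, VALID_UNTIL,
       LAST_SUCCESSFUL_CONNECT, LAST_INVALID_CONNECT_ATTEMPT, INVALID_CONNECT_ATTEMPTS
FROM SYS.USERS
WHERE USER_NAME = 'BWUSER01';
SELECT USER_NAME, SAML_PROVIDER_NAME, EXTERNAL_IDENTITY
FROM SYS.SAML_USER_MAPPINGS WHERE USER_NAME = 'BWUSER01';
SELECT USER_NAME, EXTERNAL_IDENTITY
FROM SYS.KERBEROS_USER_MAPPINGS WHERE USER_NAME = 'BWUSER01';

-- Which roles and privileges does the user effectively hold (directly or via
-- roles), and are any grants invalid, e.g. because the grantor lost the privilege?
SELECT ROLE_NAME, GRANTOR
FROM SYS.EFFECTIVE_ROLES WHERE USER_NAME = 'BWUSER01';
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR, IS_VALID
FROM SYS.EFFECTIVE_PRIVILEGES
WHERE USER_NAME = 'BWUSER01' AND IS_VALID = 'FALSE';

-- Analytic privileges the user can apply to activated views in _SYS_BIC.
SELECT PRIVILEGE, GRANTOR
FROM SYS.EFFECTIVE_PRIVILEGES
WHERE USER_NAME = 'BWUSER01' AND OBJECT_TYPE = 'ANALYTICALPRIVILEGE';

-- Turn the authorization trace up for the investigation ...
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    SET ('trace', 'authorization') = 'debug' WITH RECONFIGURE;
-- ... let the user reproduce the report, read the indexserver trace under
-- Diagnosis Files, then reset the level so the trace does not fill the disk.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    UNSET ('trace', 'authorization') WITH RECONFIGURE;

-- Resolve the OID the trace names to the failing object and its owner.
SELECT SCHEMA_NAME, OBJECT_NAME, OBJECT_TYPE, OWNER_NAME
FROM SYS.OWNERSHIP
WHERE OBJECT_OID IN (131073);
```

Reading the EFFECTIVE_* views first often makes the trace unnecessary: a missing SELECT on the source schema or an analytic privilege that never reached the user are visible there directly, and the trace is then only needed to confirm which object the view's execution actually stumbled on.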

SUMMARY
Newell BI HANA Landscape
Overview of HANA system, repository and project explorer
Schema, packages, delivery Units, transport and stored procedures in
Native HANA
Design-time vs Runtime HANA artifacts
Native HANA security privileges
Newell roles design in Native HANA
Newell user provisioning procedure Vs SAP SU01 provisioning
Dynamic analytic privilege procedure Vs static privileges in Native HANA
SSO authentication mechanism in Native HANA
HANA user self service application
Security audit and trace configuration in Native HANA

QUESTIONS

FOLLOW US

Thank you for your time

Follow us at @ASUG365
