SAP HANA, Business Suite or BW powered by HANA & S/4 HANA
What we will cover
4. Authorization Concept
5. Security Administration
Traditional Security Architecture (diagram: Client / Application / DB)
HANA Security Architecture (diagram comparing Traditional vs HANA)
Integrative Authorization Scenarios
SAP HANA Security Functions (overview) (diagram: Application / XS Engine / SAP HANA)
Authorization Entities
Goals: create user, manage users, assign security
User: person accessing the system
Role: collection of privileges; granted to a user or to another role
Privilege: granted to a role
Object: owned by a user; privileges on it are granted to roles
Stored procedure / SQL statement:
o Standard behaviour: invoker authorizations checked
o Definer behaviour: creator authorizations checked
Attention: the action grant is also considered as an object!
_SYS_REPO: owner of activated repository objects
Repository vs Catalog (2 ways of working) (diagram: the same User / Role / Privilege / Object model shown for the Repository and for the Catalog)
Authorization Entities: user
Single user maintenance: replication from ABAP user to HANA user
Maintenance of DBMS (database management system) users in SU01:
o create / delete a DBMS user
o delete the assigned DBMS user when the ABAP user is deleted
Authorization Entities: user
Single user maintenance, result in HANA (screenshot)
Authorization Entities: user
User mass maintenance via ABAP program RSUSR_DBMS_USERS:
o mass mapping of ABAP users to DBMS users
o if the DBMS user does not exist -> it will be created in the DB system
o assign or unassign DBMS roles to/from DBMS users
Authorization Entities: user
User mass maintenance, other solutions:
o via tools (IDM, ...)
o via own automation (SQL script)
Authorization Entities: role
Repository roles: transportable (DEV, QA, PRD). Best practice.
Catalog roles: not transportable. Not recommended.
Authorization Entities: role (assignment)
Repository: role origin = activated repository role; role owner = _SYS_REPO; assignment via the stored procedure (via Granted Roles). Best practice.
Catalog: not recommended.
Authorization Entities: role (assignment), continued (diagram: User / Role / Privilege / Object; stored procedure execution)
Authorization Entities: privilege (overview) (diagram: User / Client / SAP HANA / Object)
o System privilege
o Object privilege: SQL statements on DB objects
o Analytic privilege
Authorization Entities: privilege (system priv.) (diagram: Role / Privilege / Object)
Authorization Entities: privilege (application priv.)
Application privilege: grants access to HANA-based applications, e.g. to access the Web IDE interface application (sap.hana.xs.ide)
Authorization Entities: privilege (package priv.)
Package privilege: only for developers & modelers
Authorization Entities: privilege (object priv.)
Object privilege: linked to an object. Actions:
o select
o update / create
o delete
Authorization Entities: privilege (analytic priv.)
Analytic privilege: controls access to data with row-level authorization
Dynamic analytic privilege: assign the dynamic procedure to the analytic privilege
Access levels:
o access a table / view via an object privilege
o access a specific column via a created view
o access a row via an analytic privilege
1 displayed view = object priv (access to the table/view) + analytic priv (filters for that table)
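As an added example (not from the slides), the layering above written out in HANA SQL: an object privilege on a view, a SQL-based analytic privilege as the row filter on that same view, the role that carries both, and a procedure whose SQL SECURITY clause makes the invoker/definer choice explicit, followed by the system-view queries used to verify what the user actually received. Schema, table, role, user and procedure names are assumed, and the syntax assumes SAP HANA 2.0 SQL-based (structured) analytic privileges.

```sql
-- Added example, not from the original slides. Names (schema SALES, table ORDERS,
-- role SALES_BE_READ, user ANALYST_BE, procedure P_ORDER_TOTAL) are assumed;
-- syntax assumes SAP HANA 2.0 SQL-based analytic (structured) privileges.

-- Role: the collection of privileges that will be granted to the user.
CREATE ROLE SALES_BE_READ;

-- Column restriction: expose only the needed columns through a view.
-- WITH STRUCTURED PRIVILEGE CHECK makes the view enforce analytic privileges,
-- so an object privilege alone returns no rows.
CREATE VIEW SALES.V_ORDERS AS
  SELECT ORDER_ID, COUNTRY, AMOUNT FROM SALES.ORDERS
  WITH STRUCTURED PRIVILEGE CHECK;

-- Object privilege: SELECT on the view, not on the underlying table.
GRANT SELECT ON SALES.V_ORDERS TO SALES_BE_READ;

-- Analytic privilege: row-level filter on the same view.
CREATE STRUCTURED PRIVILEGE AP_ORDERS_BE
  FOR SELECT ON SALES.V_ORDERS WHERE COUNTRY = 'BE';
GRANT STRUCTURED PRIVILEGE AP_ORDERS_BE TO SALES_BE_READ;

-- Role assignment: the user receives the role, never the privileges directly.
GRANT SALES_BE_READ TO ANALYST_BE;

-- Stored procedure: SQL SECURITY states explicitly whose authorizations are
-- checked at runtime. INVOKER = the caller's privileges (including the row
-- filter above); DEFINER would run with the creator's privileges, so the
-- caller's row filter would not apply inside the procedure.
CREATE PROCEDURE SALES.P_ORDER_TOTAL (OUT total DECIMAL(15, 2))
  LANGUAGE SQLSCRIPT SQL SECURITY INVOKER AS
BEGIN
  SELECT SUM(AMOUNT) INTO total FROM SALES.V_ORDERS;
END;

-- Check: which privileges does the user end up with, and through which role?
SELECT PRIVILEGE, OBJECT_TYPE, OBJECT_NAME, GRANTOR, IS_GRANTABLE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'ANALYST_BE';
SELECT ROLE_NAME, GRANTOR FROM GRANTED_ROLES WHERE GRANTEE = 'ANALYST_BE';
```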
Security Administration
2 possibilities (diagram): SAP HANA Studio admin; application admin via the XS Engine
Security Administration (role: repository vs catalog)
Role creation: Repository = design-time, via the XS Web Interface (best practice); Catalog = run-time, via SAP HANA Studio (not recommended)
Security Administration (user: repository vs catalog)
User creation: Repository = design-time, via the XS Web Interface (best practice); Catalog = run-time, via SAP HANA Studio (not recommended)
Security Administration (role assignment: repository vs catalog)
Role assignment: Repository = design-time, via the XS Web Interface (best practice); Catalog = run-time, via SAP HANA Studio (not recommended)
Tools to replicate authorizations
When is it needed? When there is a direct connection to SAP HANA.
For BW authorizations: SAP HANA Model Generation (part of BW) replicates ABAP authorizations (BW Analysis Authorizations) into HANA Analytic Privileges:
o generate analytic priv.
o update analytic priv.
Tools to replicate authorizations
Attention! SAP HANA privileges are less granular than authorizations in the application layer; therefore not all BW/ECC authorizations are supported in HANA.
Tools to replicate authorizations: impact to GRC
In the GRC user provisioning flow: if there is no replication, use Business Roles in GRC.
Replication scenario (diagram): GRC composite role assigned; BW single roles with their corresponding HANA roles assigned to HANA.
No replication scenario (diagram): GRC Business Role assigned; BW composite roles and HANA roles assigned separately to BW and HANA.
HANA rule set in GRC: limited to IT maintenance & development*
Tips & tricks
If the user does not have full access to a view, the user will see partial data (only the authorized data), in contrast with BI, where the user gets no results in that case.
If a filter is applied to 1 view in an analytic privilege, it will apply to all views in that analytic privilege.
Dynamic analytic privileges can be used for ease of maintenance, but be aware that they reduce transparency in authorizations!
Note that the HANA rule set in GRC is limited to IT maintenance & development.
Christophe Decamps
Consultant
Governance, Risk & Compliance
www.expertum.net
Inspire by Experience.