SAP HANA Security and Integration with SAP BI 4.1 Vishal Dhir, SAP Customer Solution Adoption (CSA) August 2013


© 2013 SAP AG. All rights reserved. 2 Public

Legal Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP's willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.


Agenda

Overview

User Provisioning

Users and Roles

Privileges

Authentication

Encryption

Auditing

BI 4.1 Integration

More Information

Key Learning Points

Overview


HANA Architecture

(Architecture diagram. Components shown: HANA with its DB layer (_SYS_BIC, DB schemas, cubes/views, DS repos, small DBs, CMS DB, audit DB); sources BW and ECC tables loaded in real time via SLT, ETL via DS 4.0, and 3rd-party DBs; HANA Studio; the BI 4.1 Server with the BOE web layer (Explorer, Universe, Webi) and presentation layer (Dashboards); and the users consuming it.)


HANA – BI Security Architecture


Generic Schema Architecture

(Diagram. Modelers/developers work in HANA Studio on the modeling repository and activate views; activated cubes/views are placed in _SYS_BIC; the source data lives in the SFLIGHT schema owned by SFLIGHT_USER; end users and other apps consume the activated views in HANA.)

User Provisioning


User Provisioning

There are three ways in HANA to provision users:

Manual creation of roles and users from HANA Studio

Programmatic creation of roles and users with SQL statements:

CREATE ROLE <role_name>;
GRANT SELECT ON SCHEMA _SYS_BIC TO <role_name>;
GRANT SELECT ON <schema>.<table_1> TO <role_name> WITH GRANT OPTION;
CREATE USER <user_name> PASSWORD <password>;
GRANT <role_name> TO <user_name>;


User Provisioning

SAP NetWeaver Identity Management

The SAP IDM <-> SAP HANA connector uses the SQL interface in HANA to:

Create / delete users

Create / delete roles

Grant / revoke roles

Change passwords

(Diagram: HANA, BOE, IDM and AD/LDAP. The corporate directory (AD, LDAP) is imported into the BOE server; SAP IDM pushes to / pulls from the directory and BOE server and pushes users and roles to SAP HANA.)

Users and Roles


User Management in HANA

1. Create Users: set initial password, authentication, user-specific parameters. DB user passwords are hashed with the SHA-256 algorithm.

2. Assign Security: object-level and row-level security.

3. Manage Users: lock users, password policy, manage user privileges, integration with BI.


Predefined Roles in HANA

MODELING

Contains all the privileges required for using the information modeler in the SAP HANA studio

Contains the _SYS_BI_CP_ALL Analytic Privilege, which allows access to ALL data in ALL views

Role should be used as a template

MONITORING

Allows full read-only access to all metadata and data collected by the statistics server

PUBLIC

This role contains privileges for filtered read-only access to the system views

Every user automatically has this role; it cannot be revoked

CONTENT_ADMIN

Role contains the same privileges as the MODELING role but with additional authorization to grant these privileges to other users

Use role as a template


Predefined Roles in HANA

SAP_INTERNAL_HANA_SUPPORT (renamed from the SUPPORT role in HANA SPS 6)

Contains system privileges (for example, CATALOG READ) and object privileges (for example, SELECT on the SYS schema) that allow access to certain low-level internal system views needed by SAP HANA development support in a support situation

All access is read-only. This role does not allow access to any customer data

The following restrictions apply:

It cannot be granted to user SYSTEM

It cannot be granted to more than one user at a time

It cannot be granted to another role

No role can be granted to it

Only system privileges can be granted to this role


Predefined Users in HANA

SYS, _SYS_STATISTICS, _SYS_AFL, SYSTEM

_SYS_REPO

The SAP HANA database comes with a built-in repository; _SYS_REPO is the owner of this repository

The repository stores:

Runtime data, such as calculation scenarios

Design time data, such as models (Attribute, Analytic, Calculation Views) and Analytic Privileges

Design time objects need to be activated to become runtime objects

The _SYS_REPO user needs SELECT privileges on the schema where the source tables are located, therefore you may need to run the following command to grant access:

GRANT SELECT ON SCHEMA <schema name> TO _SYS_REPO WITH GRANT OPTION;


HANA User and Schema Structure

Each user can own one or more schemas

Views are activated by the _SYS_REPO user

To list which user owns which schema:

SELECT DISTINCT OWNER_NAME, SCHEMA_NAME
FROM SYS.OWNERSHIP
WHERE SCHEMA_NAME IS NOT NULL
ORDER BY 2;


HANA User and Schema Structure

(Diagram of users and schemas.)

Inbuilt system schemas: SYSTEM, SYS, _SYS_BI, _SYS_RT, _SYS_BIC, _SYS_XS, _SYS_REPO, _SYS_STATISTICS

Custom schemas: SLTECC, SFLIGHT

Technical users: SYSTEM, SYS, _SYS_REPO, _SYS_STATISTICS

Schema/users: SLTECC, HANAUSER

End users, modeling users (working in the repository) and other admin users

The _SYS_REPO user needs SELECT permission on the data schemas


General HANA Authorization Steps

Avoid having SQL Privileges and Analytic Privileges in the same roles

Restrict access to a view via SQL Privileges and to specific values via Analytic Privileges

Recommended to have different roles, for example:

SYSTEM Roles – DB specific functions, ex: create users

SQL Roles – SQL specific functionality, ex: select, update table

Analytic Roles – Restrict access to certain data in a view

Process: Define and Create Roles -> Create Privileges -> Assign Privileges to Roles -> Assign Roles to Other Roles -> Create Users -> Assign Roles to Users
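The provisioning statements from the "User Provisioning" slide and the role split recommended above can be turned into a small generator that refuses to build a role mixing SQL and analytic privileges and only ever grants roles, not privileges, to users. This is an added example written for this page, not code from the presentation or from SAP: the RoleSpec structure, the identifier checks and the function names are its own assumptions, while the emitted statement forms are those on the slides plus GRANT STRUCTURED PRIVILEGE, the SQL form of an analytic privilege grant.

```python
"""Build SAP HANA provisioning SQL from a role specification (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Identifiers we are willing to emit unquoted. Deliberately stricter than HANA
# itself, so that a name copied from a ticket or CSV cannot carry extra SQL.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Activated analytic privileges look like _SYS_BI_CP_ALL or pkg.sub::AP_NAME
ANALYTIC_RE = re.compile(r"^[A-Za-z0-9_.:]+$")
SYSTEM_PRIV_RE = re.compile(r"^[A-Z]+( [A-Z]+)*$")   # e.g. USER ADMIN, CATALOG READ
OBJECT_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE", "EXECUTE"}


def check(pattern, value: str, what: str) -> str:
    """Raise instead of emitting anything that does not match the allowed shape."""
    if not pattern.match(value):
        raise ValueError(f"unsafe {what}: {value!r}")
    return value


@dataclass
class RoleSpec:
    name: str
    kind: str                                   # "SYSTEM", "SQL" or "ANALYTIC"
    system_privs: List[str] = field(default_factory=list)
    # (privilege, schema, object) with object=None meaning the whole schema
    object_grants: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)
    analytic_privs: List[str] = field(default_factory=list)
    with_grant_option: bool = False             # only applied to object grants


def role_ddl(spec: RoleSpec) -> List[str]:
    """Statements creating one single-purpose role; mixed-purpose roles are rejected."""
    check(IDENT_RE, spec.name, "role name")
    present = {"SYSTEM": bool(spec.system_privs),
               "SQL": bool(spec.object_grants),
               "ANALYTIC": bool(spec.analytic_privs)}
    if spec.kind not in present:
        raise ValueError(f"unknown role kind {spec.kind!r}")
    foreign = [k for k, has in present.items() if has and k != spec.kind]
    if foreign:
        raise ValueError(f"{spec.name} is a {spec.kind} role but also carries {foreign} privileges")
    stmts = [f"CREATE ROLE {spec.name};"]
    opt = " WITH GRANT OPTION" if spec.with_grant_option else ""
    for priv in spec.system_privs:
        check(SYSTEM_PRIV_RE, priv, "system privilege")
        stmts.append(f"GRANT {priv} TO {spec.name};")
    for priv, schema, obj in spec.object_grants:
        if priv.upper() not in OBJECT_PRIVS:
            raise ValueError(f"unsupported object privilege {priv!r}")
        check(IDENT_RE, schema, "schema")
        if obj is None:
            target = f"SCHEMA {schema}"
        else:
            check(IDENT_RE, obj, "object")
            target = f"{schema}.{obj}"
        stmts.append(f"GRANT {priv.upper()} ON {target} TO {spec.name}{opt};")
    for ap in spec.analytic_privs:
        check(ANALYTIC_RE, ap, "analytic privilege")
        stmts.append(f'GRANT STRUCTURED PRIVILEGE "{ap}" TO {spec.name};')
    return stmts


def user_ddl(user: str, initial_password: str, roles: List[str]) -> List[str]:
    """Create a user with an initial password and grant it roles only, never privileges."""
    check(IDENT_RE, user, "user name")
    if len(initial_password) < 8 or '"' in initial_password:
        raise ValueError("initial password must have 8+ characters and no double quote")
    stmts = [f'CREATE USER {user} PASSWORD "{initial_password}";']
    for role in roles:
        check(IDENT_RE, role, "role name")
        stmts.append(f"GRANT {role} TO {user};")
    return stmts


def provision(roles: List[RoleSpec], users: List[Tuple[str, str, List[str]]]) -> List[str]:
    """Whole script in slide order: roles first so every user grant resolves, then users."""
    known = set()
    out: List[str] = []
    for spec in roles:
        out += role_ddl(spec)
        known.add(spec.name)
    for user, pwd, role_names in users:
        missing = [r for r in role_names if r not in known]
        if missing:
            raise ValueError(f"{user} references undefined roles {missing}")
        out += user_ddl(user, pwd, role_names)
    return out


if __name__ == "__main__":
    # Constructed SFLIGHT scenario; the analytic privilege name is made up for the demo.
    roles = [
        RoleSpec("SFLIGHT_ADMIN", "SYSTEM", system_privs=["USER ADMIN"]),
        RoleSpec("SFLIGHT_SQL", "SQL", object_grants=[("SELECT", "_SYS_BIC", None)]),
        RoleSpec("SFLIGHT_AP", "ANALYTIC", analytic_privs=["sflight::AP_COSTCENTER_1000"]),
    ]
    for line in provision(roles, [("HANAUSER", "Init1234!x", ["SFLIGHT_SQL", "SFLIGHT_AP"])]):
        print(line)
```

The generator validates every name before it is interpolated, so a role name such as `X; DROP USER Y` is rejected rather than emitted; the kind check is what enforces the slide's rule of keeping SQL and analytic privileges in separate roles.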


What’s New in SAP HANA SPS 6

Core User Properties

Additional core user properties are now available for applications based on SAP HANA:

Default e-mail address

Locale

Time zone

Validity period

Prerequisites: users can change their own properties (exception: validity period); to change the properties of other users, the system privilege USER ADMIN is required

To add and remove these properties use the following SQL:

CREATE/ALTER USER <user_name> ... [VALID FROM <timestamp> [UNTIL <timestamp>] | VALID UNTIL <timestamp>] [SET PARAMETER LOCALE/TIME ZONE/EMAIL ADDRESS = …]


Roles in HANA

Concept of roles in SAP HANA

Roles are named bundles of privileges

Roles and privileges can be bundled to form further roles, building a hierarchy of roles

The role concept provides reusable building blocks for granular access control, based on administrating certain aspects of a database, for example:

Business end users – consume reports using client tools

Modellers – create models and reports

Database administrators – operate and maintain the database

(Diagram: a user is authorized by its granted roles (Role A, Role B, Role C), each bundling system privileges, object privileges and analytic privileges.)


Roles in HANA

Creating roles

Grouping individual privileges into roles

Create hierarchies of roles

Granting roles

Direct granting via SQL / SAP HANA Studio

Via SAP NetWeaver Identity Management (requires separate license)

(Diagram: the user is granted Role "edit + activate", which bundles Role "edit model" (Package: create / edit models; SQL: select) and Role "activate model" (Package: activate; SQL: write runtime object).)


What’s New in SAP HANA SPS 6

EFFECTIVE_ROLES system view

The new system view EFFECTIVE_ROLES shows what roles the currently logged-on user has. It shows both roles that were granted directly to the user and roles that were inherited from other roles.

Column name – Description

USER_NAME – Name of the user for whom the effective roles are shown

GRANTEE – Shows to which user or role the role was granted

GRANTEE_TYPE – Shows whether the role was granted directly ('USER') or is inherited from another role ('ROLE')

GRANTOR – User that granted the role

ROLE_NAME – Role that was granted

IS_GRANTABLE – Shows whether the role was granted 'WITH ADMIN OPTION': 'TRUE' or 'FALSE'
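To make the GRANTEE / GRANTEE_TYPE semantics concrete, the following added example (written for this page, not code from the presentation or from SAP) derives the rows EFFECTIVE_ROLES would report for one user from a list of raw role grants by walking the role hierarchy. The column names are the ones listed above; the Grant record, the traversal and the assumption that a role reachable over several paths is listed once are this example's own.

```python
"""Compute a user's effective roles from raw role grants (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Grant:
    grantee: str        # user or role that received the role
    grantee_type: str   # "USER" when granted to a user, "ROLE" when granted to a role
    grantor: str        # who issued the grant
    role_name: str      # the role that was granted
    is_grantable: bool  # granted WITH ADMIN OPTION


def effective_roles(user: str, grants: List[Grant]) -> List[Dict[str, str]]:
    """Breadth-first walk: direct grants to the user first, then roles reached
    through those roles. Each role is reported once; the 'seen' set also
    stops the walk if the grant data accidentally contains a cycle."""
    rows: List[Dict[str, str]] = []
    seen = set()
    queue = deque(g for g in grants if g.grantee_type == "USER" and g.grantee == user)
    while queue:
        g = queue.popleft()
        if g.role_name in seen:
            continue
        seen.add(g.role_name)
        rows.append({
            "USER_NAME": user,
            "GRANTEE": g.grantee,
            "GRANTEE_TYPE": g.grantee_type,
            "GRANTOR": g.grantor,
            "ROLE_NAME": g.role_name,
            "IS_GRANTABLE": "TRUE" if g.is_grantable else "FALSE",
        })
        # roles granted to the role we just reached are inherited by the user
        queue.extend(x for x in grants if x.grantee_type == "ROLE" and x.grantee == g.role_name)
    return rows


def inherited_only(user: str, grants: List[Grant]) -> List[str]:
    """Roles the user holds only through other roles; a review of the user's
    direct grants alone would miss these."""
    return [r["ROLE_NAME"] for r in effective_roles(user, grants) if r["GRANTEE_TYPE"] == "ROLE"]


def admin_option_roles(user: str, grants: List[Grant]) -> List[str]:
    """Roles the user can pass on to others (granted WITH ADMIN OPTION)."""
    return [r["ROLE_NAME"] for r in effective_roles(user, grants) if r["IS_GRANTABLE"] == "TRUE"]


# Constructed sample grants: HANAUSER holds a reporting role that bundles a SQL
# role and an analytic role, plus MONITORING with admin option.
GRANTS = [
    Grant("HANAUSER", "USER", "SYSTEM", "SFLIGHT_REPORTING", False),
    Grant("HANAUSER", "USER", "SYSTEM", "MONITORING", True),
    Grant("SFLIGHT_REPORTING", "ROLE", "SYSTEM", "SFLIGHT_SQL", False),
    Grant("SFLIGHT_REPORTING", "ROLE", "SYSTEM", "SFLIGHT_ANALYTIC", False),
    Grant("OTHERUSER", "USER", "SYSTEM", "CONTENT_ADMIN", False),
]

if __name__ == "__main__":
    for row in effective_roles("HANAUSER", GRANTS):
        print(row)
    print("inherited:", inherited_only("HANAUSER", GRANTS))
    print("admin option:", admin_option_roles("HANAUSER", GRANTS))
```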

Privileges


What’s an Analytic Privilege?

Controls what users can see

Row-level security for data models; example: see only data for cost center 1000

Only applied at processing time of the user query

Can only be used for attribute views, analytic views, and calculation views; cannot be used for tables or row store views

Can be combined; example: AP1 + AP2 will allow a user to see data specified by AP1 or by AP2 or both

Filter for the restriction can be static or dynamic (values returned by a procedure)

_SYS_BI_CP_ALL privilege: allows a user to see ALL data in ALL views


Types of Privileges

For more information have a look at the SAP HANA Security Guide

http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf

Privilege type – Description

System privilege – System privileges are SQL privileges that control general system activities. Ex: Can I create users?

Object privilege – Object privileges are used to restrict access to and modification of database objects, such as tables and views

Analytic privilege – Analytic privileges are used to restrict read access to data in SAP HANA information models. Analytic privileges are evaluated during query processing. Ex: What data can I see?

Package privileges – Package privileges are used to restrict access to and the ability to work in packages in the repository of the SAP HANA database

SQL privileges – Define coarse-grained restrictions at object level only. Ex: Which tables can I read or write to?

Application privileges – Authorize user and client access to XS applications


What’s New in SAP HANA SPS 6

Application Privileges in HANA

Application privileges can now be granted/revoked in SAP HANA studio

Developers of applications based on SAP HANA Extended Application Services (SAP HANA XS) can create application privileges. These privileges authorize user and client access to the application, for example to start the application or to perform administrative actions in the application.

To grant an application privilege to a user:

Expand the Security folder in the SAP HANA studio navigator, then Users, and double-click on the user

On the Application Privileges tab, assign the privilege


Analytic Privileges

Analytic Privileges are repository objects

Create and manage via SAP HANA Studio

Create in any package

Does not need to be the same package as views

Can be created with no restrictions to display all data a user is allowed to see


Analytic Privileges

(Screenshot of the analytic privilege editor: the views that the privilege grants access to; the list of fields for attribute restrictions; the list of restrictions implemented for the field selected in that list; the resulting restriction.)


Displaying Privileges Granted to a User

To display which privileges a specific user has been granted, either directly or indirectly (via a role), use the system view EFFECTIVE_PRIVILEGES:

SELECT * FROM "SYS"."EFFECTIVE_PRIVILEGES" WHERE USER_NAME = <user name>;


What’s New in SAP HANA SPS 6

Dynamic Analytic Privileges in HANA

You can now create dynamic analytic privileges in SAP HANA studio; repository/catalog procedures can now be added to the filter list of analytic privileges.

Dynamic analytic privileges provide a flexible approach for specifying user-specific filter conditions. The filter conditions are obtained by SAP HANA at runtime from a database procedure, which can contain complex logic. This makes it possible to:

Reuse the same analytic privilege for many users

Change the filter condition in the underlying tables and views without having to change the analytic privilege itself

Authentication


What’s New in SAP HANA SPS 6

Authentication: SAML and X.509 support for SAP HANA XS

Overview of authentication methods for SQL and HTTP access

User Name/Password Authentication – credentials are stored in the HANA database

Kerberos Authentication – the user ID is stored in HANA and mapped to an External User ID stored in a central directory (Windows Active Directory or LDAP). The External User ID is used by HANA to enforce privileges

Authentication method – SQL access – HTTP access (SAP HANA XS)

User Name/Password – Y – Y

Kerberos – Y – -

SAML (version 2) – Y – Y

SAP logon ticket – - – Y

X.509 – - – Y


What’s New in SAP HANA SPS 6

Password Policy

The password policy can now be configured in SAP HANA studio

Passwords for user name/password authentication are subject to certain rules (password policy)

You can change the settings in line with your organization's security requirements, e.g.:

Password quality (length, complexity)

Blacklist of forbidden words that are not allowed as passwords or parts of passwords

Configured by double-clicking Security in HANA Studio


SAML Authentication

Security Assertion Markup Language (SAML)

SAML is an XML standard that allows parties to exchange authentication and authorization data

Requires a trusted 3rd party (identity provider) that can issue SAML assertions for clients (e.g. browser)

The SAP HANA database can only act as a SAML service provider

Prior to using SAML, SSL needs to be configured on the HANA server


SAML Authentication

The certificate can be imported directly in HANA Studio, and SAML providers can be configured via HANA Studio


SAML Authentication

Each user in HANA can have an external identity for the SAML assertion

For example a Business Objects User

Encryption


SSL Encryption

SSL encryption is available for connections between the SAP HANA database and the SAP HANA interfaces

Supported interfaces: SQLDBC, ODBC, JDBC

Supported crypto providers: OpenSSL, sapcrypto


SSL Encryption

Server-side configuration

SSL libraries need to be installed – for example OpenSSL

A valid SSL certificate is required and needs to be installed on the HANA server, and root certificates installed on the client

Steps: generate a CSR on the HANA server, have it signed by a Certificate Authority (CA), install the root certificate and intermediate certificates (if required)

HANA requires the certificate to be in the PEM format – key.pem, trust.pem

SSL parameters need to be configured in the indexserver.ini > Communication section

Example: see the blog for more information, http://bit.ly/17U3p68


SSL Encryption

SSL configuration for SAP HANA studio

1. In SAP HANA studio, click Add System

2. Enter your user credentials and select Connect with SSL

3. Select whether you want to validate the certificate and whether you want to also check the host name in the certificate

4. All connections from SAP HANA Studio to the database will now be encrypted – you will see the lock on the SSL connection

SSL on the ODBC connection

The HANA ODBC client also allows for SSL. To enable it, select Connect using SSL. The necessary certificates will need to be installed for this to work properly

Auditing


What is Auditing?

Many regulatory requirements require audit logging

Audit logging provides traceability for security-relevant events. It records security breaches and privilege abuse, and can be used for data forensics in the case of suspected abuse or criminal investigations. It also helps protect companies against unsubstantiated charges.

Audit logging records critical actions performed in the database, answering:

Who did what?

What did they do?

When did they do it?

Threats

Internal – the majority of all attacks and security breaches come from inside the intranet!

External – hackers


HANA Audit Logging

Audit trails are stored in the Linux syslog, the secure operating system log

Audit policies are stored in the database catalog

Logging of successful and unsuccessful events

Audit logging of critical events:

Create/drop user/role

Create/drop analytic privilege

Grant/revoke SQL/system/analytic privilege

Grant/revoke role

Enable/disable audit policy

Database objects (tables/views/procedures): write and read access to data (SELECT/INSERT/UPDATE/DELETE/EXECUTE)

User connects to the database

Configuration changes (via ini files)

License key installation


What’s New in SAP HANA SPS 6

Audit Logging

New audit events

Disconnect/cancel session

Drop table

Activate, import, export repository content

Backup lifecycle management (truncate backup catalog/delete backups)

New fields have been added to the audit trail

Client IP address

Client process ID

Client port number


Configuring Audit Logging

Auditing can be enabled and disabled for the entire system only:

alter system alter configuration ('global.ini','SYSTEM') set ('auditing configuration','global_auditing_state') = 'true' with reconfigure;

Show audit policies:

select * from "PUBLIC"."AUDIT_POLICIES";

More Information – SAP HANA Reference: http://help.sap.com/hana/html/sql_create_audit_policy.html


Audit Logging Example

Create audit policy:

CREATE AUDIT POLICY KHNC_DEMO_POLICY AUDITING ALL CREATE USER, DROP USER LEVEL CRITICAL;

Activate audit policy:

ALTER AUDIT POLICY KHNC_DEMO_POLICY ENABLE;

Syslog output in /var/log/messages. CSV output can be enabled (column names need to be added manually for now):

Aug 15 17:18:01 myhanaserver HDB[61990]: 2013-08-15 17:18:01;indexserver;myhanaserver;HDB;00;30003;10.10.10.10;myclient.sap.corp;13076;52495;KHNC_DEMO_POLICY;CRITICAL;CREATE USER;SYSTEM;;;;;;KHNC_DEMO;SUCCESSFUL;;;;;;;;CREATE USER KHNC_DEMO PASSWORD XXXXXXXXXXXXX;243491;
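The syslog record above is what a SOC would actually consume, so the following added example (written for this page, not code from the presentation or from SAP) parses that ';'-separated layout and applies a few review rules: failed actions, successful CRITICAL actions, clients outside an allow-list, and statements in which a password was not masked. The syslog prefix and the 30-field layout are taken from the sample record; the positional field names are this example's assumption (the slide says column names have to be added manually), with unused_N for the fields the sample leaves empty, and the second and third log lines are constructed.

```python
"""Parse SAP HANA audit records from syslog and triage them (added example)."""
import re
from typing import Dict, List, Optional, Set

# Prefix syslog puts in front of the CSV record, as in the slide's sample line
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ HDB\[\d+\]: ")

# Assumed positional names for the 30 ';'-separated fields of the sample record.
COLUMNS = (
    ["timestamp", "service", "host", "sid", "instance", "port",
     "client_ip", "client_host", "client_pid", "client_port",   # client fields new in SPS 6
     "policy", "level", "action", "active_user"]
    + [f"unused_{i}" for i in range(15, 20)]
    + ["target_user", "status"]
    + [f"unused_{i}" for i in range(22, 29)]
    + ["statement", "statement_id"]
)

# A PASSWORD clause whose value is anything but a run of X's: the trail would
# be storing a credential instead of the masked form shown on the slide.
UNMASKED_PASSWORD = re.compile(r"(?i:\bpassword)\s+(?!X+\b)\S+")


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the record as a dict, or None for lines that are not HANA audit records."""
    line = line.rstrip("\n")
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    fields = line[m.end():].split(";")
    if fields and fields[-1] == "":       # every record ends with a ';'
        fields.pop()
    if len(fields) != len(COLUMNS):
        return None                         # unknown layout: do not guess at field positions
    return dict(zip(COLUMNS, fields))


def triage(records: List[Dict[str, str]], trusted_clients: Set[str]) -> List[str]:
    """Alerts a reviewer would want to see for the given records."""
    alerts: List[str] = []
    for r in records:
        who = f"{r['active_user']}@{r['client_ip']}"
        if r["status"] != "SUCCESSFUL":
            alerts.append(f"{r['status']}: {r['action']} by {who}")
        elif r["level"] == "CRITICAL":
            alerts.append(f"CRITICAL: {r['action']} on {r['target_user'] or '-'} by {who}")
        if r["client_ip"] not in trusted_clients:
            alerts.append(f"UNTRUSTED CLIENT: {who} ({r['client_host']}) ran {r['action']}")
        if UNMASKED_PASSWORD.search(r["statement"]):
            alerts.append(f"UNMASKED PASSWORD in audit statement of {r['action']} by {who}")
    return alerts


# Constructed sample: the slide's record, a failed DROP USER from an unknown
# client, and an unrelated sshd line that the parser must skip.
SAMPLE_LINES = [
    "Aug 15 17:18:01 myhanaserver HDB[61990]: 2013-08-15 17:18:01;indexserver;myhanaserver;HDB;00;30003;"
    "10.10.10.10;myclient.sap.corp;13076;52495;KHNC_DEMO_POLICY;CRITICAL;CREATE USER;SYSTEM;;;;;;"
    "KHNC_DEMO;SUCCESSFUL;;;;;;;;CREATE USER KHNC_DEMO PASSWORD XXXXXXXXXXXXX;243491;",
    "Aug 15 17:20:44 myhanaserver HDB[61990]: 2013-08-15 17:20:44;indexserver;myhanaserver;HDB;00;30003;"
    "10.10.10.99;unknown-laptop;4410;50122;KHNC_DEMO_POLICY;CRITICAL;DROP USER;HANAUSER;;;;;;"
    "KHNC_DEMO;UNSUCCESSFUL;;;;;;;;DROP USER KHNC_DEMO;243502;",
    "Aug 15 17:21:00 myhanaserver sshd[2201]: Accepted publickey for hdbadm from 10.10.10.10",
]
TRUSTED_CLIENTS = {"10.10.10.10"}


def run_sample() -> List[str]:
    """Parse the sample lines and return the resulting alerts."""
    records = [r for r in map(parse_audit_line, SAMPLE_LINES) if r is not None]
    return triage(records, TRUSTED_CLIENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Lines whose field count does not match are returned as None rather than mapped by guesswork, so a changed CSV layout surfaces as unparsed lines instead of silently mislabelled fields.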

SAP BI 4.1 Integration


Reporting on HANA 1.0 with BI 4.1

Client and connectivity options

(Diagram. Discovery and Analysis: Explorer, Analysis Office*, Analysis OLAP, Lumira. Dashboards and Apps: Dashboards, Design Studio*. Reporting: Web Intelligence, Crystal Reports (2008*, 2011*, Enterprise). The reporting and dashboard clients go through the Semantic Layer (relational universe UNX) over JDBC/ODBC, with access to views, tables and stored procedures; the analysis clients connect over JDBC, ODBC or BICS with direct access to views. * SBO BI Platform is optional.)


BI User Provisioning

(Diagram: SAP BOBJ BI, SAP HANA, SAP IDM and the corporate directory.)

1. Users and groups import: corporate users and groups are leveraged by BI 4

2. Users and roles creation / delete: SAP IDM leverages the same users and groups to create users and roles in HANA


BI User Provisioning

All existing user and group provisioning methods with BOE / BI 4 remain valid

Example: you can provision users and groups from Windows AD with the traditional WinAD configuration options from the CMC

Database credentials mapping in BI 4 can be done from the CMC or programmatically (*).

(*) Use these methods of the BOE SDK:

IUser.setProfileString("DBUSER", HANA_user_ID);
IUser.addSecondaryCredential("DBPASS", HANA_user_pwd);

Important! If BI 4 is configured with WinAD, make sure the option "Synchronization of Credentials" is unchecked to avoid the credentials mapping being overwritten


SAP HANA + BI: What Are My Options?

Three options for HANA and BI SSO – Credential Mapping, Kerberos, SAML

If you are running BI on Windows

Set up Windows SSO to the BI Portal, or manually log on using AD credentials

SSO at view time using Exploration view, Semantic Layer (Web Intelligence, Crystal Reports), OLAP Analysis

Still no scheduling SSO using Kerberos

If you are running on Linux

Configure LDAP connectivity for MS AD

Enable Kerberos authentication from your LDAP authentication plug-in

Manually log on, then SSO to database possible

Any platform, all clients

Set up user database credentials for Direct DB authentication, exposed through CMC

Can be scripted


SAP HANA + BI: What Are My Options?

SAP BusinessObjects and SAP HANA support identity forwarding for scenarios where authorization enforcement in SAP HANA is required

Steps

1. User authenticates against the BOE server with one of the mechanisms supported by BOE

2. BOE securely forwards the user identity to SAP HANA with one of the following methods:

– User name/password

o SAP HANA database user name/password stored in the BOE server

o Manual synchronization

– Kerberos (as of SP4)

o Users must log on to the BOE server using Active Directory authentication

o BOE server must run on Linux or Microsoft Windows

– SAML via JDBC (new with 4.1) – the BOE server acts as identity provider

o The BOE server generates a SAML ticket for the user and sends it to the SAP HANA database to validate; if valid, a session will be established for the user

o Using SSL between BOE and HANA is highly recommended

o User IDs must match between systems


SAP HANA + BI: What Are My Options?

Authentication

Credentials are defined in the Connection object from the Information Design Tool:

"Use Specified User Name and Password" if all users share the same data access restrictions

"Use BusinessObjects Credential Mapping" if you need user-specific restrictions and direct authentication

"Use Single Sign On when refreshing reports at view time" if you need user-specific restrictions and Kerberos delegated authentication


SSO with Credential Mapping

BusinessObjects Credentials Mapping

Each individual BI 4 user is assigned HANA credentials

This can be done from the CMC or programmatically with the BOE SDK (CMC -> Users and Groups -> UserID -> Properties)


Authentication BOE <-> HANA

Name / Password Authentication

Either a single-user connection – if authorization is defined in the BI server

Or named accounts in HANA – using "Credential Mapping"; duplicate maintenance of user accounts; authorizations defined in HANA

SSO with Credential Mapping

(Diagram: the corporate directory (AD, LDAP) is imported into the BOE server; SAP IDM pushes to / pulls from the directory and pushes to SAP HANA; DB credentials are defined in BOE and used for name/password logon to HANA.)


Reporting on HANA: Client and Connectivity Options Using Kerberos SSO

(Diagram. Web Intelligence, Dashboards and Crystal Reports for Enterprise connect through the Semantic Layer (relational universe UNX); Explorer and Crystal Reports 2011 connect directly; all reach the SAP HANA database over JDBC or ODBC.)


SSO with Kerberos

(Diagram: SAP BOBJ BI, SAP HANA, SAP IDM and the corporate directory with Kerberos.)

1. Authentication to BI 4 against the corporate directory via Kerberos

2. Authorization checks in BI 4 (reports, dashboards, data(*))

3. Authentication to HANA

4. Authorization checks in HANA (views, tables, data)

Authentication BOE <-> HANA

Kerberos authentication (since FP 3)

Maintain named accounts in HANA, with a Kerberos ID instead of a password

BI 4 secures reports, dashboards and optionally data; HANA secures views, tables and data

Kerberos allows SSO


Kerberos Configuration Steps

Step 1: Active Directory

Create the keytab

Set up the SPNs on the Domain Controller

Step 2: HANA

Install the Kerberos client

Copy the keytab from the AD server and set up the krb5.conf file

Enable Kerberos for a HANA user and enter an External ID for the user

Add the user to HANA Studio to test SSO

Step 3: BOE

Copy the krb5.conf from the HANA server and create the bscLogin.conf

Configure the web application server for Kerberos

Configure the BI4 service account for Kerberos

Configure Webi Rich Client, Information Design Tool (IDT), APS, Explorer for Kerberos

Refer to these for more information:

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0 – http://bit.ly/125UHfD

SAP Note 1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory – https://service.sap.com/sap/support/notes/1837331


SSO with SAML

Based on trust configured between BI and HANA

Less work to set up than Kerberos

User IDs must match between the HANA and BI systems

Works with any type of authentication to BOE (Enterprise, AD, LDAP, SAP) and supports all platforms


SSO with SAML

Enter the HANA server details

Generate a certificate on the BI side to import into the HANA server

Once both systems are set up, the user can test the connection from the CMC directly to validate the setup


SAML SSO Process Flow

SP – Service Provider – HANA

IdP – Identity Provider – BI 4.1

HANA manages the SAML providers and the mapping between HANA users and external users

BI generates the SAML assertion and passes it to HANA

Authentication is based on system trust: HANA trusts BI to do the authentication. Once a user is authenticated to BI, BI will generate a SAML assertion for the user and pass it to HANA for SSO


Authentication from Analysis

Analysis OLAP and Office leverage OLAP connections defined from the CMC

OLAP connections point to a HANA system or a specific HANA view:

Use "Pre-defined" user and password if all users share the same data access restrictions

Use "Prompted" if you need user-specific restrictions and direct authentication

Use "SSO" if you require single sign-on


Summary of Security BI to HANA

Client                              Direct authentication (user/password)   Kerberos           SAML   Secured connection (SSL)
Crystal Reports                     Yes                                     Yes (1) / No (2)   Yes    Yes
Web Intelligence                    Yes                                     Yes (3)            Yes    Yes
SBOP Dashboards                     Yes                                     Yes (3)            Yes    Yes
Design Studio                       Yes                                     No                 Yes    No
Analysis, edition for Microsoft Office   Yes                                Yes                Yes    Yes
Analysis, edition for OLAP          Yes                                     No                 Yes    No
SBOP Explorer                       Yes                                     Yes (3)            Yes    Yes
Lumira                              Yes                                     No                 Yes    No

(1) Crystal Reports for Enterprise via a Universe (UNX)

(2) Crystal Reports 2011

(3) Support on Linux and Windows platforms only


Security Authorizations: What can you secure where?

Item to secure – In HANA – In the Universe (Semantic Layer) – In BI 4.x

Database schema - -

Table - -

Database (SQL) view - -

Attribute view - -

Analytic view - -

Calculation view - -

Data in a table (column values) - -

Data in an attribute view (dimension values) -

Connection to HANA - -

Universe, Report, Dashboard, Explorer Information Space, etc. - -

Excel worksheet with Analysis Office - -

Excel worksheet with PivotTable - - -


BI 4.x SSL Support

SSL encryption is available for connections between the SAP HANA database and the SAP HANA interfaces

Supported interfaces: ODBC, JDBC

Authentication is handled via certificates

(Screenshots: enabling SSL in IDT 4.0 and enabling SSL in IDT 4.1)


More Information

HANA Security Guide

http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf

SSL with HANA and BI4 Feature Pack 3

http://bit.ly/17U3p68

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

http://bit.ly/125UHfD

SAP Note 1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory

https://service.sap.com/sap/support/notes/1837331

SAP Note 1813724 - HANA SSO/Kerberos: create keytab and validate conf

https://service.sap.com/sap/support/notes/1813724

Configuring SAML with SAP HANA and SAP BusinessObjects 4.1 - Part 1

http://bit.ly/1aZ2ROm


Key Learning Points

How to provision users to HANA

What are the pre-defined users and roles

The authentication types supported by HANA

What are analytic privileges

What auditing in HANA is

How to integrate HANA and BI 4.1 and the SSO options available

Contact information:

Vishal Dhir

Customer Solution Adoption (CSA)

[email protected]

We value your opinion. Let us know how you like this CSA presentation and how we can make adopting SAP innovations a more beautiful experience. Please send questions and comments to [email protected].


© 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.