SAP HA240 HANA SP09
HA240 Authorization, security and scenarios
www.sap.com
SAP SE Copyrights and Trademarks © 2014 SAP SE. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
© SAP SE HA240 2
Unit 1: Introduction into the area of Security and authorization Lesson: SAP HANA Introduction and overview
CONTENTS
ABOUT THIS HANDBOOK
UNIT 1: INTRODUCTION INTO THE AREA OF SECURITY AND AUTHORIZATION
  Lesson: SAP HANA Introduction and overview
UNIT 2 REPOSITORY
  Lesson: Repository
UNIT 3 AUTHORIZATION INSIDE SAP HANA
  Lesson: General authorization concept
  Lesson: Roles
  Lesson: Assignments from privileges to user
  Lesson: Object Ownership
  Exercise 1: Maintaining Users and Authorizations
UNIT 4: GENERAL SECURITY REQUIREMENTS AND SOLUTIONS
  Lesson: Introduction
  Lesson: SAP GRC Integration for Governance Risk and Compliance
  Lesson: SAP NetWeaver Identity Management integration
  Lesson: Authorization, Security and Scenarios
UNIT 5. AUTHORIZATION TRACE AND AUDITING
  Lesson: Authorization trace
  Exercise 3: Authorization trace
  Lesson: Auditing
  Exercise 4: Auditing
UNIT 6 INTEGRATIVE AUTHORIZATION SCENARIOS
  Lesson: Scenarios introduction
  Lesson: Scenario BW + SAP-HANA
  Exercise 5: BW authorizations reuse by SAP HANA
  Lesson: BI4 and HANA Integration
  Lesson: Reuse of ERP Authorization using SAP HANA Live
  Exercise 6: HANA Live Analytic Authorization assistant
UNIT 7: OPTIONAL: MULTITENANT DB AND HANA ENTERPRISE CLOUD
  Lesson: Multitenant
  Lesson: HANA Enterprise Cloud
About This Handbook
This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. American English is the standard used in this handbook. The following typographic conventions are also used:
Use: Example/Visualization
Demonstration by Instructor: A hint or advanced detail is shown or clarified by the instructor – please indicate reaching any of these points to the instructor
Warning or Caution: A word of caution, generally used to point out limitations or actions with potential negative impact that need to be considered consciously
Hint: A hint, tip or additional detail that helps increase performance of the solution or helps improve understanding of the solution
Additional information: An indicator for pointing to additional information or technique beyond the scope of the exercise but of potential interest to the participant
Discussion/Group Exercise: Used to indicate that collaboration is required to conclude a given exercise. Collaboration can be a discussion or a virtual collaboration.
User Interface Text: Find the Flavor Gallery button
Solution or SAP Specific term: E.g. Flavors are transaction-specific screen personalizations created and rendered using SAP Screen Personas.
Unit 1: Introduction into the area of Security and authorization
Lesson: SAP HANA Introduction and overview
Image 1: Learning Objective
Image 2: SAP HANA as the powerful center of any data flow
For on-premise deployment, SAP HANA either comes preinstalled on certified hardware provided by an SAP hardware partner (appliance), or it must be installed on certified hardware by a certified administrator.
The installation itself is part of the course HA200, and there is a special certificate, C_HANAINSTxxy, where:
xx = the last two digits of the year
y = the number of the half-year
Certification    SAP HANA SPS
141              SPS07
142              SPS08
151              SPS09
Image 3: SAP HANA as a platform of a system landscape
Image 4: SAP HANA as Part of the Customer Solution: Provide a holistic operations concept
SAP HANA is just one element of your IT solution
You will benefit from a holistic operations concept
Image 5: SAP HANA In-Memory Strategy
Image 6: Why is security necessary?
Image 7: Traditional security architecture
Image 8: SAP HANA scenarios – 3-tier application, data mart (analytics)
Image 9: SAP HANA scenarios – SAP HANA extended application services
Image 10: SAP HANA Security Architecture
Image 11: SAP HANA – authentication and single sign-on
Access to SAP HANA data and applications is enabled by authentication functions.
Password policies, e.g. password length and complexity, can be defined to enforce password quality.
Passwords for the user name/password authentication of database users are subject to certain rules, known as the password policy.
You can change the default password policy in line with your organization’s security requirements. You cannot deactivate the password policy.
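An added example (not part of the course material) of reviewing and changing the password policy with SQL. The thresholds are constructed values, and the `indexserver.ini` location assumes a single-container system; the executing user needs the system privilege INIFILE ADMIN.

```sql
-- Show every password policy setting currently in effect.
SELECT PROPERTY, VALUE
  FROM M_PASSWORD_POLICY
 ORDER BY PROPERTY;

-- Review query: list only the settings that fall short of an
-- organization-specific baseline (the thresholds are constructed
-- sample values, not SAP recommendations).
SELECT PROPERTY, VALUE
  FROM M_PASSWORD_POLICY
 WHERE (PROPERTY = 'minimal_password_length'
        AND TO_INTEGER(VALUE) < 12)
    OR (PROPERTY = 'maximum_invalid_connect_attempts'
        AND TO_INTEGER(VALUE) > 5)
    OR (PROPERTY = 'last_used_passwords'
        AND TO_INTEGER(VALUE) < 10)
    OR (PROPERTY = 'force_first_password_change'
        AND VALUE <> 'true');

-- Change the policy. The policy can be tightened or relaxed,
-- but there is no switch that turns it off.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('password policy', 'minimal_password_length')          = '12',
      ('password policy', 'password_layout')                  = 'A1a_',
      ('password policy', 'maximum_invalid_connect_attempts') = '5',
      ('password policy', 'last_used_passwords')              = '10',
      ('password policy', 'force_first_password_change')      = 'true'
  WITH RECONFIGURE;

-- Confirm the new values are active.
SELECT PROPERTY, VALUE
  FROM M_PASSWORD_POLICY
 WHERE PROPERTY IN ('minimal_password_length',
                    'password_layout',
                    'maximum_invalid_connect_attempts',
                    'last_used_passwords',
                    'force_first_password_change');
```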
Image 12: Password policy
Image 13: SAP HANA – user and role management
Client
Any possible client for the HANA Platform. This includes SAP HANA Studio and the BusinessObjects BI Platform, but also Web browsers, Analysis for Office, Office Excel, etc.
Application Server
In the common SAP architecture this is normally the role of NetWeaver Application Server ABAP and/or Java.
In this case the HANA Platform can also be the Application Server, because it can act not only as a database but also as a server for native functionalities and applications.
Database
HANA is a database at its core and can be used just like another relational database, e.g. in a classical 3-tier deployment like Suite on HANA.
Image 14: SAP HANA – authorization: Privilege types
Image 15: SAP HANA – communication and data encryption
Image 16: SAP HANA – audit logging
Image 17: SAP HANA – security administration
SQLDBC is an SAP HANA-specific interface that is also the basis for the SAP HANA ODBC interface.
Image 18: SAP HANA – security administration: SAP HANA studio
Image 19: Important info sources
Image 20: Security information map
Unit 2 Repository
Lesson: Repository
Image 21: Learning Objective
Image 22: Terminology: repository where design-time objects reside
The SAP HANA database repository is structured hierarchically, with packages assigned to other packages as sub-packages.
If you grant privileges to a user for a package, the user is automatically also authorized for all corresponding sub-packages.
In the SAP HANA repository, a distinction is made between native and imported packages. Native packages are packages that were created in the current system and should therefore be edited in the current system.
Imported packages from another system should not be edited, except by newly imported updates.
An imported package should only be manually edited in exceptional cases.
Image 23: _SYS_REPO Authorization in the Repository
_SYS_REPO must be explicitly authorized for objects that are not created in the repository but on which repository objects are modeled.
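An added example (not part of the course material) showing package privileges inherited by sub-packages, a review query for edit rights on imported objects, and the explicit grant to _SYS_REPO. The package `acme` with sub-package `acme.sales`, the user `DEV_ANNA` and the catalog schema `SALES_DATA` are hypothetical names assumed to exist.

```sql
-- Package privileges granted on the parent package "acme" ...
GRANT REPO.READ                    ON "acme" TO DEV_ANNA;
GRANT REPO.EDIT_NATIVE_OBJECTS     ON "acme" TO DEV_ANNA;
GRANT REPO.ACTIVATE_NATIVE_OBJECTS ON "acme" TO DEV_ANNA;
-- ... also apply to "acme.sales" and every deeper sub-package.
-- Grant on the narrowest package that covers the developer's work,
-- because there is no way to exclude a single sub-package afterwards.

-- Review: who holds package privileges, and on which package?
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME AS PACKAGE, PRIVILEGE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE LIKE 'REPO.%'
 ORDER BY OBJECT_NAME, GRANTEE;

-- Review: imported packages should only be changed by a new import,
-- so grantees with edit or activate rights on imported objects
-- deserve a second look.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME AS PACKAGE, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE IN ('REPO.EDIT_IMPORTED_OBJECTS',
                     'REPO.ACTIVATE_IMPORTED_OBJECTS')
 ORDER BY GRANTEE;

-- SALES_DATA was created with SQL, outside the repository.
-- Repository objects modeled on its tables are activated by _SYS_REPO,
-- which therefore needs its own privilege on the schema. The grant
-- option lets _SYS_REPO pass access on through activated objects.
GRANT SELECT ON SCHEMA SALES_DATA TO _SYS_REPO WITH GRANT OPTION;

-- Confirm what _SYS_REPO holds on the schema.
SELECT PRIVILEGE, IS_GRANTABLE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE GRANTEE     = '_SYS_REPO'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = 'SALES_DATA';
```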
Image 24: Proposed Repository Layout (see Developer Guide)
Image 25: Working in the repository: Studio perspectives and web IDE
Image 26: Managing Repository Objects: Deleting objects, Changing objects
Image 27: Transporting Repository Objects
Image 28: Procedures in definer mode: What’s the deal?
Image 29: Implications of using definer mode
Unit 3 Authorization inside SAP HANA
Lesson: General authorization concept
Image 30: Learning Objective
Image 31: Authorization administration
Image 32: Tools for authorization administration: SAP HANA studio
Image 33: Tools for authorization administration: Web based editor
You can call the Web-based editor directly or from SAP HANA cockpit.
This editor has the same functionality as SAP HANA Studio.
Technically, this editor is part of the SAP HANA Web-based Developer Workbench.
All the privileges necessary for using this workbench are bundled in the following role:
sap.hana.xs.ide.roles::EditorDeveloper
Image 34: Basic Authorization entities
Image 35: Relationships between Entities
Privileges can be assigned to users directly or indirectly using roles. Privileges are required to model access control. Roles can be used to structure the access control scheme and model reusable business roles.
It is recommended to manage authorization for users by using roles. Roles can be nested so that role hierarchies can be implemented. This makes them very flexible, allowing both fine-grained and coarse-grained authorization management for individual users.
All the privileges granted directly or indirectly to a user are combined. This means whenever a user tries to access an object, the system performs an authorization check using the user, the user's roles, and directly allocated privileges.
It is not possible to explicitly deny privileges. This means that the system does not need to check all the user roles. As soon as all requested privileges have been found, the system aborts the check and grants access.
Several predefined roles exist in the database. Some of them are templates that need to be customized; others can be used as they are.
User management is configured using SAP HANA Studio.
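An added example (not part of the course material) of nested catalog roles, the combination of direct and role-based privileges, and what the absence of an explicit deny means when access has to be withdrawn. The schema `SALES`, the roles `R_SALES_READ` and `R_SALES_ANALYST` and the user `DEMO_ANALYST` are hypothetical; the schema and user are assumed to exist, and the session user is assumed to hold ROLE ADMIN and grantable privileges on the schema.

```sql
-- Base role: read access to the schema.
CREATE ROLE R_SALES_READ;
GRANT SELECT ON SCHEMA SALES TO R_SALES_READ;

-- Business role: nests the base role and adds EXECUTE.
CREATE ROLE R_SALES_ANALYST;
GRANT R_SALES_READ TO R_SALES_ANALYST;
GRANT EXECUTE ON SCHEMA SALES TO R_SALES_ANALYST;

-- Indirect assignment: the user gets everything through one role.
GRANT R_SALES_ANALYST TO DEMO_ANALYST;

-- Direct assignment of a privilege the user already has via the role.
GRANT SELECT ON SCHEMA SALES TO DEMO_ANALYST;

-- All paths are combined. SELECT now shows up twice for the user:
-- once with GRANTEE = DEMO_ANALYST (direct) and once with
-- GRANTEE = R_SALES_READ (inherited through the role hierarchy).
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, IS_GRANTABLE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'DEMO_ANALYST'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = 'SALES'
 ORDER BY PRIVILEGE, GRANTEE;

-- There is no DENY. Revoking the direct grant removes one path only;
-- the user can still read SALES because R_SALES_READ still grants it.
REVOKE SELECT ON SCHEMA SALES FROM DEMO_ANALYST;

-- To take access away, every path that supplies the privilege has to
-- be removed. List the roles that reach the user, directly or nested:
SELECT ROLE_NAME, GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM EFFECTIVE_ROLES
 WHERE USER_NAME = 'DEMO_ANALYST'
 ORDER BY ROLE_NAME;

-- Removing the top-level role cuts off both SELECT and EXECUTE.
REVOKE R_SALES_ANALYST FROM DEMO_ANALYST;

-- The same query as before should now return no rows for SALES.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'DEMO_ANALYST'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = 'SALES';
```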
Image 36: Authorization Example
Image 37: Authorization design process
Image 38: Define and Create Roles
Lesson: Roles
After completing this lesson, you will be able to:
- Create and use Runtime Roles
- Grant and revoke Runtime Roles
- Explain difference between Catalog and Repository Roles
- Create and use Repository Roles
- Know common pre-delivered roles
Image 39: Creating Roles using SAP HANA Studio
The prerequisite for creating roles is the privilege ROLE ADMIN.
Image 40: Repository Roles vs. Catalog roles
Image 41: Terminology: repository where design-time objects reside
Image 42: Properties of Catalog Roles
Runtime Role management has several challenges, especially with regard to the revocation of privileges and roles.
Image 43: Properties of Repository Roles
Image 44: Creating Catalog Roles
Image 45: Difficulties with catalog roles Creation / Modification
Image 46: Less known properties of catalog roles revoking of roles
Image 47: Creating Repository Roles Create transportable roles with design time and run time representation
Image 48: How can you manage roles safely (and respecting typical compliance requirements)
Image 49: Transporting Repository Roles
Image 50: Template Roles
MODELING: Contains all privileges required for using the information modeler in the SAP HANA studio.
Contains the database authorization for a modeler to create all kinds of views and Analytic Privileges.
Allows access to all data in activated views without any filter (_SYS_BI_CP_ALL Analytic Privilege). However, this is restricted by missing SQL Privileges on those activated objects.
Note: Use caution when using the _SYS_BI_CP_ALL Analytic Privilege.
Use this predefined role as a template.
MONITORING: Contains privileges for full read-only access to all meta data, the current system status in system and monitoring views, and the data of the statistics server.
PUBLIC: Contains privileges for filtered read-only access to the system views.
Only objects for which the users have access rights are visible. By default, this role is assigned to each user.
CONTENT_ADMIN: Contains the same privileges as the MODELING role, but with the extension that users allocated this role are allowed to grant these privileges to other users.
In addition, it contains repository privileges for working with imported objects.
Use this role as a template for what content administrators might need as privileges.
SUPPORT: Contains privileges for full read-only access to all metadata, the current system status in system and monitoring views, and the data of the statistics server.
Additionally it contains the privileges to access the base information of the system and monitoring views (this information is otherwise only available to the SYSTEM user).
For security reasons, the following restrictions apply:
- It cannot be granted to user SYSTEM
- It cannot be granted to more than one user at a time
- It cannot be granted to another role
- No role can be granted to it
- Only system privileges can be granted to this role
Image 51: Summary
Unit 3 Authorization inside SAP HANA Lesson: Assignments from privileges to user
Lesson: Assignments from privileges to user
Image 52: Assign Privileges to Roles
Image 53: Assign Privileges to Roles
Image 54: Create Users
Image 55: Different User types: Database User
It is often necessary to specify different security policies for different types of database user.
In the SAP HANA database, we differentiate between database users that correspond to real people and technical database users.
Note!
Database users that correspond to real people are dropped when the person leaves the organization. This means that any database objects that they own are also automatically dropped, and any privileges that they granted are automatically revoked.
Compared to standard database users, restricted users are initially limited in the following ways:
- They cannot create objects in the database as they are not authorized to create objects in their own database schema.
- They cannot view any data in the database as they are not granted (and cannot be granted) the standard PUBLIC role.
- They are only able to connect to the database using HTTP.
Users connecting via ODBC or JDBC require the standard role RESTRICTED_USER_ODBC_ACCESS or RESTRICTED_USER_JDBC_ACCESS.
Image 56: Different User types: Technical Database Users
The SYSTEM database user is the bootstrapping user. You use it to perform the initial system setup and to create other database users, access system tables, and so on. Note, however, that the SYSTEM database user does not automatically have access to objects created in the SAP HANA repository.
SAP recommends deactivating this user for regular operation!
<sid>adm user (where <sid> is the ID of the SAP HANA system)
The <sid>adm user is an operating system user and is also referred to as the operating system administrator.
This operating system user has unlimited access to all local resources related to SAP systems.
This user is not a database user but a user at the operating system level.
Hint: The following users are internal users, which means it is not possible to log on to the database with them.
SYS - is a technical database user. It is the owner of database objects such as system tables and monitoring views.
_SYS_AFL - is a technical user that owns all objects for Application Function Libraries.
_SYS_EPM - is a technical database user used by the SAP Performance Management (SAP EPM) application.
_SYS_REPO - is a technical database user used by the SAP HANA repository. The repository consists of packages that contain design-time versions of various objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. _SYS_REPO is the owner of all objects in the repository, as well as their activated runtime versions.
_SYS_STATISTICS - is a technical database user used by the internal monitoring mechanism of the SAP HANA database. It collects information about status, performance, and resource usage from all components of the database and issues alerts if necessary.
HINT:
What to do in an emergency situation? You have to reset the SYSTEM password.
In this case, the following mechanism for resetting the SYSTEM user password is available:
- Prerequisite: Credentials of the operating system administrator <sid>adm, access to the master index server
- As <sid>adm, log on to the server on which the master index server is running
- On the command line, shut down the SAP HANA system, then start the name, compile and index servers
- Use the following command to reset the password:
  /exe/hdbindexserver -resetUserSystem
- Afterwards, the index server is automatically stopped
- End the name and compile server processes
- On the command line, start the SAP HANA system
You can also find this emergency procedure in the SAP HANA Administration Guide.
Note: In a system with multitenant database containers, you can reset the passwords of the SYSTEM users in the same way by starting the name server (for the system database) or index server (for tenant databases) in emergency mode.
Image 57: Creating named Users In SAP HANA Studio
Image 58: Creating named Users in SAP HANA Studio
Image 59: Creating named Users Using SQL
Image 60: Modifying users
Image 61: User Self Service Tools
By default, SAP HANA user self-service tools are disabled; the tools are neither visible in the user interface nor configured in SAP HANA.
To provide access to embedded tools that enable users to request the creation of a new user account in the SAP HANA database or set a new password, the SAP HANA administrator must activate and set up the user self-service feature.
Image 62: User Management
Image 63: Grant Role to User
Image 64: Grant Roles to User
Note:
System Privilege ROLE ADMIN supersedes this GRANT OPTION
Image 65: Revoke Roles from User
Note on Cascaded Dropping of Privileges
If the user had granted the role to other users, revoking the role (and the grant option) also revokes the role from those grantees.
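The cascade in the note above, together with the earlier note that dropping a personal database user revokes everything that user granted, can be assessed before a revoke or drop is carried out. This added example (not part of the course material) models role grants as a SQL-standard grant graph and reports who would lose a role. The users, roles, tuple layout and the rule that a ROLE ADMIN holder is a root authority are assumptions of this simplified model, not SAP HANA's implementation.

```python
from collections import namedtuple

# One record per role grant: who received it, which role, who granted it,
# and whether the grantee may grant it further. Constructed sample data.
Grant = namedtuple("Grant", "grantee role grantor grantable")

GRANTS = [
    Grant("ALICE", "SALES_REPORTING", "SECADMIN", True),
    Grant("BOB", "SALES_REPORTING", "ALICE", True),
    Grant("CAROL", "SALES_REPORTING", "BOB", False),
    Grant("DAVE", "SALES_REPORTING", "ALICE", False),
    Grant("DAVE", "SALES_REPORTING", "SECADMIN", False),  # second grant path
    Grant("ERIN", "MONITORING", "SECADMIN", False),
]
ROLE_ADMINS = {"SECADMIN"}  # users modelled as holding ROLE ADMIN


def surviving_grants(grants, role_admins):
    """Return the grants that still chain back to a grant authority.

    A grant survives if its grantor is in role_admins or holds the same role
    with the grant option through another surviving grant. The result is a
    least fixpoint, so two users who only granted the role to each other do
    not keep each other's grant alive.
    """
    alive = set()
    changed = True
    while changed:
        changed = False
        for g in grants:
            if g in alive:
                continue
            supported = g.grantor in role_admins or any(
                a.grantee == g.grantor and a.role == g.role and a.grantable
                for a in alive
            )
            if supported:
                alive.add(g)
                changed = True
    return alive


def holders(grants):
    """Collapse grant records to the set of (user, role) pairs they confer."""
    return {(g.grantee, g.role) for g in grants}


def revoke_impact(grants, role_admins, grantee, role):
    """List every (user, role) lost when `role` is revoked from `grantee`."""
    before = surviving_grants(grants, role_admins)
    remaining = [g for g in grants
                 if not (g.grantee == grantee and g.role == role)]
    after = surviving_grants(remaining, role_admins)
    return sorted(holders(before) - holders(after))


def drop_user_impact(grants, role_admins, user):
    """List every (user, role) that other users lose when `user` is dropped."""
    before = surviving_grants(grants, role_admins)
    remaining = [g for g in grants if user not in (g.grantee, g.grantor)]
    after = surviving_grants(remaining, role_admins - {user})
    lost = holders(before) - holders(after)
    return sorted(h for h in lost if h[0] != user)


if __name__ == "__main__":
    print("revoke SALES_REPORTING from ALICE:",
          revoke_impact(GRANTS, ROLE_ADMINS, "ALICE", "SALES_REPORTING"))
    print("drop BOB:", drop_user_impact(GRANTS, ROLE_ADMINS, "BOB"))
    print("drop SECADMIN:", drop_user_impact(GRANTS, ROLE_ADMINS, "SECADMIN"))
```

In the sample data DAVE keeps the role when it is revoked from ALICE because a second grant path exists, while dropping the personal administrator account SECADMIN removes every role it handed out.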
Unit 3 Authorization inside SAP HANA Lesson: Object Ownership
Lesson: Object Ownership
Image 66: Security: Owner vs. schema How HANA handles ownership of catalog objects
Note:
Restricted users cannot create objects in the database as they are not authorized to create objects in their own database schema.
Image 67: Security: Dropping of DB users Impact of dropping with “cascade”
Image 68: Security: Dropping DB accounts safely UI support in SAP HANA Studio
Image 69: Object ownership finding ownership information
Image 70: Privileges
After completing this section you will be able to:
• Explain what are the possible types of Privileges
• Explain the use of Object Privileges, System Privileges, Package Privileges, Analytic Privileges
• Describe privileges to be set for Information Consumers
• Describe ownership rationale for possible Privilege Types
• Explain the use of Dynamic Analytic Privileges
Image 71: Type of privileges
Object Privileges:
This is used to restrict access and modification of database objects, such as tables. Depending on the object type (for example, table, view), different actions (for example, CREATE ANY, ALTER, DROP) can be authorized.
For Object Privileges in the SAP HANA database, the SQL standard behavior is applied.
Analytic Privileges:
This is used to restrict the access for read operations to certain data in Analytic, Attribute, and Calculation Views. This is done by filtering the attribute values.
It is only applied at the processing time of the user query.
Analytic Privileges need to be defined and activated before they can be granted to users and roles.
Package Privileges:
This is used to restrict the access to and the use of packages in the repository of the SAP HANA database.
Packages contain design-time versions of various objects, such as Analytic, Attribute, and Calculation Views, as well as Analytic Privileges, and functions. To be able to work with packages, the respective Package Privileges must be granted.
Application Privileges:
Developers of SAP HANA XS applications can create application privileges to authorize user and client access to their application. They apply in addition to other privileges.
It is recommended to grant application privileges to roles created in the SAP HANA Repository at design time.
All kinds of Privileges are assigned to users and roles.
Image 72: System and Object privileges
More details on Object Privileges activities:
CREATE ANY
This privilege allows the creation of all kinds of objects, in particular, tables, views, sequences, synonyms, SQL script functions or database procedures in a schema. This privilege can only be granted on a schema.
ALL PRIVILEGES
This privilege is a collection of all Data Definition Language (DDL) and Data Manipulation Language (DML) privileges that the grantor currently possesses and is allowed to grant further. The privilege it grants is specific to the particular object being acted upon. ALL PRIVILEGES is not applicable to a schema, but only a table, view, or table type.
DROP and ALTER
These are DDL privileges and authorize the DROP and ALTER SQL commands. While the DROP privilege is valid for all kinds of objects, the ALTER privilege is not valid for sequences and synonyms as their definitions cannot be changed after creation.
SELECT, INSERT, UPDATE, and DELETE
These are DML privileges and authorize respective SQL commands. While SELECT is valid for all kinds of objects, except for functions and procedures, INSERT, UPDATE, and DELETE are only valid for schemas, tables, table types, and updatable views.
INDEX
This special DDL privilege authorizes the creation, alteration or revocation of indexes for an object using the CREATE INDEX, ALTER INDEX, and DROP INDEX commands. This privilege can only be applied to a schema, table, and table type.
EXECUTE
This special DML privilege authorizes the execution of an SQL script function or a database procedure using the CALLS or CALL command, respectively.
Image 73: System privileges
Some examples of these system privilege types:
Users and Roles:
ROLE ADMIN: Authorizes the creation and deletion of roles using the CREATE ROLE and DROP ROLE commands. This privilege also authorizes the granting and revocation of roles using the GRANT and REVOKE commands.
Catalog and Schema Management:
CATALOG READ: Authorizes unfiltered read-only access to all system views. Normally, the content of these views is filtered based on the privileges of the accessing user.
Analytics:
CREATE STRUCTURED PRIVILEGE: Authorizes the creation of structured privileges. Only the owner of an analytic privilege can further grant or revoke that privilege to other users or roles.
Auditing:
AUDIT ADMIN: Controls the execution of the auditing-related commands CREATE AUDIT POLICY, DROP AUDIT POLICY, and ALTER AUDIT POLICY, as well as changes to auditing configuration. It also authorizes access to the AUDIT_LOG system view.
System Management:
BACKUP ADMIN: Authorizes backup and recovery commands for defining and initiating backup and recovery procedures. It also authorizes changes to system configuration options with respect to backup and recovery.
Data Import and Export:
IMPORT: Authorizes import activity in the database using the IMPORT commands. Note that in addition to this privilege, the user requires the INSERT privilege on the target tables to be imported.
All system privileges are described in the SAP HANA Security Guide.
Image 74: Package privileges
Image 75: Sub-package privileges
Image 76: Native and imported package privileges
Developers should be granted the following privileges for native packages:
REPO.READ: This privilege authorizes read access to packages and design-time objects, including both native and imported objects.
REPO.EDIT_NATIVE_OBJECTS: This privilege authorizes all kinds of inactive changes to design-time objects in native packages.
REPO.ACTIVATE_NATIVE_OBJECTS: This privilege authorizes the user to activate or reactivate design-time objects in native packages.
REPO.MAINTAIN_NATIVE_PACKAGES: This privilege authorizes the user to update or delete native packages, or create subpackages of native packages.
Developers should only be granted the following privileges for imported packages in exceptional cases:
REPO.EDIT_IMPORTED_OBJECTS: This privilege authorizes all kinds of inactive changes to design-time objects in imported packages.
REPO.ACTIVATE_IMPORTED_OBJECTS: This privilege authorizes the user to activate or reactivate design-time objects in imported packages.
REPO.MAINTAIN_IMPORTED_PACKAGES: This privilege authorizes the user to update or delete imported packages, or create subpackages of imported packages.
In the SAP HANA studio, you can manage the repository system privileges together with the other system privileges on the System Privileges tab:
REPO.EXPORT: This privilege authorizes the user to export, for example, delivery units.
REPO.IMPORT: This privilege authorizes the user to import transport archives.
REPO.MAINTAIN_DELIVERY_UNITS: This privilege authorizes the user to maintain delivery units (DU, DU-vendor must equal system-vendor).
REPO.WORK_IN_FOREIGN_WORKSPACE: This privilege authorizes the user to work in a foreign inactive workspace.
Image 77: Analytic privileges
Analytic Privileges are used in the SAP HANA database to provide fine-grained control of what data particular users can see for Analytic use. They provide the ability for row-level authorization, based on the values in one or more columns.
All Attribute Views, Analytic Views, and Calculation Views, which have been designed in the modeler and have been activated from the modeler of the HANA studio, are automatically supported by the Analytic Privilege mechanism.
If you are already familiar with the authorization model of SAP NetWeaver Business Warehouse (SAP NetWeaver BW), you will see many similarities between the two models.
The overall idea behind Analytic Privileges is the reuse of Analytic Views by different users. However, the different users may not be allowed to see the same data. For example, different regional sales managers, who are only allowed to see sales data for their regions, could reuse the same Analytic View. They would get the Analytic Privilege to see only data for their region, and their queries on the same view would return the corresponding data. This is a major difference to the SAP NetWeaver BW model. While the concept itself is very similar, SAP NetWeaver BW would forward an error message if you executed a query that would return values you are not authorized to see. With the SAP HANA database, the query would be executed and, corresponding to your authorization, only values you are entitled to see returned.
An Analytic Privilege consists of several restrictions. Three of these restrictions are always present and have the following special meanings:
- One restriction (cube restriction) determines for which column views (Attribute, Analytic, or Calculation Views) the privilege is used. This may involve a single view, a list of views or, by means of a wildcard, all applicable views.
- One restriction (activity restriction) determines the affected activity, for example, READ. This means that the activity READ is restricted and not available for use.
- One restriction (validity restriction) determines at what times the privilege is valid.
In addition to these three restrictions, many additional dimension restrictions are used.
These are applied to the actual attributes of a view. Each dimension restriction is relevant for one dimension attribute, which can contain multiple value filters. Each value filter is a tuple of an operator and its operands, which is used to represent the logical filter condition. For example, a value filter (EQUAL 2014) can be defined for a dimension attribute YEAR in a dimension restriction to filter accessible data using the condition YEAR=2014 for potential users.
Only dimension attributes, and no measures or key figures, can be employed in dimension restrictions.
Image 78: Analytic Privilege - Start creation wizard
In general, the user has access to an individual, independent view (Attribute, Analytic, or Calculation View) if the following prerequisites are met:
- The user was granted the SELECT privilege on the view or the containing schema.
- The user was granted an Analytic Privilege that is applicable to the view. An Analytic Privilege is applicable to a view if it contains the view in the Cube restriction and contains at least one filter on one attribute of this view.
No SELECT privilege on the underlying base tables or views of this view is required.
Image 79: SAP HANA – authorization Runtime access control
Image 80: Analytic Privilege - Select Information Models
Analytic Privilege-Capable Views
The Analytic Privilege mechanism is automatically enforced for all three kinds of views that can be defined using the information modeler:
- Attribute Views
- Analytic Views
- Calculation Views
Image 81: Analytic Privilege - Editor Overview
Image 82: Analytic Privilege Select field for attribute restriction
When relevant Analytic Privileges are found for the current user and the query directed to the particular view, the evaluation process ensures that, according to the value filters specified in the Dimension restrictions, the appropriate view data is presented to the user.
In particular:
- Within one Dimension restriction, all value filters on the corresponding dimension attribute are combined with logical OR.
- Within one Analytic Privilege, all Dimension restrictions are combined with logical AND.
- Multiple Analytic Privileges are combined with logical OR.
For example, if there is only one Analytic Privilege found with two Dimension restrictions, YEAR=2008 and COUNTRY=US, the user is only allowed to see data fulfilling the condition YEAR=2008 AND COUNTRY=US.
However, if these two conditions were put in two different Analytic Privileges found for this user and this view, the user is allowed to see more data, namely the OR combination of the filters of the individual Analytic Privileges: YEAR=2008 OR COUNTRY=US.
Operators for defining value filters in the restrictions of analytic privileges:
- IN <list of scalar values>
- CONTAINSPATTERN <pattern with *>
- EQUAL (=), LESSEQUAL (<=), LESSTHAN (<), GREATERTHAN (>), GREATEREQUAL (>=) <scalar value>
- BETWEEN <scalar value as lower limit> <scalar value as upper limit>
- IS_NULL and NOT_NULL
  IS_NULL filters rows with null values in the corresponding attribute; NOT_NULL filters rows with non-null values in the attribute.
- All filter operators, except IS_NULL and NOT_NULL, accept empty strings (“ “) as filter operands. Examples:
  IN (“ “, “A”, “B”)
  As lower limit in comparison operators, e.g. BETWEEN (“ “, “XYZ”)
Image 83: Analytic Privilege - Activation
In an Analytic Privilege, in addition to static values filtering conditions, it is also possible to determine the filtering conditions via a stored procedure.
With this approach the filtering conditions that apply for a specific user are determined at run-time, when querying a specific table or view. This allows a more scalable approach where the same analytic privilege can be applied to multiple users, with different authorization requirements. An Analytic Privilege where a procedure is used to determine the authorized values is also called a Dynamic Analytic Privilege.
The procedure used in a Dynamic Analytic Privilege must have the following signature:
- No input parameters
- Only 1 output parameter as table type with one single column for the IN operator
- Only 1 output parameter of a scalar type for all unary operators, such as EQUAL
- Only 2 output parameters of a scalar type for the binary operator BETWEEN
Further restrictions apply as documented in the SAP HANA Developer Guide available on the SAP Help Portal.
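The combination rules for value filters and the operand shapes required of a Dynamic Analytic Privilege procedure, as an added Python model (not SAP code and not part of the course material). The view AN_SALES, the users, the mapping and the rows are constructed; the activity and validity restrictions are not modelled, and the NULL handling and CONTAINSPATTERN matching are assumptions.

```python
import operator
import re
from dataclasses import dataclass

COMPARE = {"EQUAL": operator.eq, "LESSEQUAL": operator.le, "LESSTHAN": operator.lt,
           "GREATERTHAN": operator.gt, "GREATEREQUAL": operator.ge}
# Operand count per operator; None means "a list of any length" (IN).
ARITY = {"IS_NULL": 0, "NOT_NULL": 0, "BETWEEN": 2, "IN": None,
         "CONTAINSPATTERN": 1, **{name: 1 for name in COMPARE}}
SESSION = {"user": None}  # stand-in for the database session user (assumption)

@dataclass
class ValueFilter:
    op: str
    operands: object = ()  # tuple = static filter; zero-argument callable = dynamic filter

    def resolve(self):
        """Return the operands, calling the 'procedure' of a dynamic filter at query time."""
        ops = tuple(self.operands() if callable(self.operands) else self.operands)
        want = ARITY[self.op]  # KeyError for an operator the page does not list
        if want is not None and len(ops) != want:
            raise ValueError(f"{self.op} expects {want} operand(s), got {len(ops)}")
        return ops

    def matches(self, value):
        ops = self.resolve()
        if self.op == "IS_NULL":
            return value is None
        if self.op == "NOT_NULL":
            return value is not None
        if value is None:  # assumption: NULL never satisfies a comparison
            return False
        if self.op == "IN":
            return value in ops
        if self.op == "BETWEEN":
            return ops[0] <= value <= ops[1]
        if self.op == "CONTAINSPATTERN":  # assumption: * is the only wildcard, whole value
            rx = ".*".join(re.escape(part) for part in str(ops[0]).split("*"))
            return re.fullmatch(rx, str(value)) is not None
        return COMPARE[self.op](value, ops[0])

@dataclass
class DimensionRestriction:
    attribute: str
    filters: list  # ValueFilter objects, combined with OR

@dataclass
class AnalyticPrivilege:
    name: str
    views: list       # cube restriction; "*" stands for all applicable views
    dimensions: list  # DimensionRestriction objects, combined with AND

def applicable(priv, view):
    """Cube restriction contains the view and at least one filter is defined."""
    in_cube = "*" in priv.views or view in priv.views
    return in_cube and any(d.filters for d in priv.dimensions)

def row_allowed(row, privileges):
    """OR over privileges, AND over dimension restrictions, OR over value filters."""
    return any(
        all(any(f.matches(row.get(d.attribute)) for f in d.filters) for d in p.dimensions)
        for p in privileges
    )

def visible_rows(view, rows, privileges, has_select=True):
    """Rows of `view` the user may read; a missing prerequisite is modelled as no rows."""
    if not has_select:
        return []
    relevant = [p for p in privileges if applicable(p, view)]
    return [r for r in rows if row_allowed(r, relevant)]

# --- constructed sample data: hypothetical view AN_SALES, users and mapping table ---
ROWS = [{"YEAR": y, "COUNTRY": c, "AMOUNT": a} for y, c, a in [
    (2008, "US", 10), (2008, "DE", 20), (2014, "US", 30),
    (2014, "DE", 40), (2014, None, 50)]]
AUTHORIZED = {"USER01": ["DE"], "USER02": ["US", "DE"]}

def countries_for_session_user():
    """Plays the role of the procedure: no input, returns the value list for IN."""
    return AUTHORIZED.get(SESSION["user"], [])

def eq(attribute, value):
    return DimensionRestriction(attribute, [ValueFilter("EQUAL", (value,))])

AP_BOTH = AnalyticPrivilege("AP_BOTH", ["AN_SALES"], [eq("YEAR", 2008), eq("COUNTRY", "US")])
AP_YEAR = AnalyticPrivilege("AP_YEAR", ["AN_SALES"], [eq("YEAR", 2008)])
AP_COUNTRY = AnalyticPrivilege("AP_COUNTRY", ["AN_SALES"], [eq("COUNTRY", "US")])
AP_DYNAMIC = AnalyticPrivilege("AP_DYNAMIC", ["*"], [
    DimensionRestriction("COUNTRY", [ValueFilter("IN", countries_for_session_user)])])

def amounts(privileges, user="USER01", has_select=True):
    SESSION["user"] = user
    return [r["AMOUNT"] for r in visible_rows("AN_SALES", ROWS, privileges, has_select)]

if __name__ == "__main__":
    print("one privilege, two restrictions:", amounts([AP_BOTH]))
    print("same filters in two privileges: ", amounts([AP_YEAR, AP_COUNTRY]))
    print("dynamic privilege, USER01:      ", amounts([AP_DYNAMIC], "USER01"))
```

Splitting the same two filters across two privileges widens the result from one row to three, which is the effect to look for when reviewing a role that collects several Analytic Privileges for the same view.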
Image 84: Dynamic analytic privileges
Image 85: Sample dynamic analytic privileges
Image 86: Analytic Privilege Check
Image 87: Analytic Privileges Caveats
Image 88: Ownership of Privileges
Image 89: System privileges Ownership, granting
Image 90: Object Privileges Ownership, granting
Image 91: Package privileges Ownership, granting
Image 92: Analytic Privileges / Structured Privileges Ownership, granting
Image 93: Information Consumers (I) Required privileges for reading from views
Image 94: Information Consumers (II) Required privileges for reading from views
Image 95: Information Consumers (III) Required privileges for reading from views
Image 96: Information Consumers (IV) Required privileges for reading from views
Image 97: Recursive revoking of privileges Take care when dropping users or revoking privileges
Exercise 1 : Maintaining Users and Authorizations
After completing this exercise, you will be able to:
• Create roles
• Assign privileges to a role
• Create a user
• Assign roles to a user
• Create an analytic privilege
Task 1:
Create a role “ROLE_ANALYTIC_##”, where ## is your group ID, and assign the following roles and privileges to your new role. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role. Add the Object Privilege REPOSITORY_REST with privilege EXECUTE. Add a Package Privilege to give access to repository package sap/hana/democontent/epm/models and assign authorization REPO.READ. Then deploy the role and confirm that the role has been created. Perform this task with SYSTEM user.
1. Create a role “ROLE_ANALYTIC_##” where ## is your group ID.
2. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role.
3. Add the Object privilege REPOSITORY_REST with privilege EXECUTE to your role.
4. Add a Package Privilege to give access to repository package sap.hana.democontent.epm.models and assign authorization REPO.READ.
5. Deploy the role and confirm that the role has been created.
Task 2:
Create a user named USER##, where ## is your group ID. Assign the role you
have just created to this user. Then confirm that your user has been created.
After you have created the user successfully, you can log on and add the user to
the Navigator View of the HANA studio. Then confirm that your user’s schema
has been created under Catalog.
1. Create a user named USER##, where ## is your group ID.
2. Assign the role ROLE_ANALYTIC_##, where ## is your group ID to this
user.
3. Confirm that your user has been created.
4. Add the user to the Navigator View of the HANA studio.
Task 3:
Check if the user USER## is authorized to access the Analytic View
AN_PURCHASE_OVERVIEW.
1. Check if the user USER## is authorized to access the Analytic View
AN_PURCHASE_OVERVIEW.
Task 4:
Create a new analytic privilege, AP_PURCHASE_OVERVIEW_DE, in the package sap.hana.democontent.epm.models.
This analytic privilege should give access to the Analytic View
sap.hana.democontent.epm.models.AN_PURCHASE_OVERVIEW with
restriction to the attribute SUPPLIER_COUNTRY = DE.
1. Navigate to the Modeler Perspective and create a new analytic
privilege AP_PURCHASE_OVERVIEW_DE, in the Package
sap.hana.democontent.epm.models
Task 5:
Add the new analytic privilege to your role ROLE_ANALYTIC_## using the user
USER##. Then test the authorizations of user USER## by selecting the Analytic
View AN_PURCHASE_OVERVIEW.
1. Add the new analytic privileges to your role ROLE_ANALYTIC_##.
2. Select the Analytic View AN_PURCHASE_OVERVIEW to test the
authorizations.
Task 6:
You need a user with authorizations for database administration. This database administrator should perform the following tasks:
- All actions that any DB administrator will expect they are allowed to do and that are not specific to data schemas or repository packages.
- All backup-related tasks.
- Create new database schemas and import and export catalog objects.
Create the roles which allow performing these administrative tasks.
1. Create a new role BASIC_ADMIN.
This role collects all actions that any DB administrator will expect they
are allowed to do and that are not specific to data schemas or repository
packages. Therefore the following privileges should be granted
| Privilege | What does it do? |
| --- | --- |
| System privilege CATALOG READ | Read access to all metadata of the database catalog. Among other things, required to enter into the administration editor of SAP HANA studio |
| System privilege SERVICE ADMIN | Start and stop individual services (processes) of the database |
| System privilege INIFILE ADMIN | Modify the database configuration |
| System privilege TRACE ADMIN | Start and stop database traces, change the trace levels of the kernel trace |
| System privilege SESSION ADMIN | Kill sessions |
| System privilege VERSION ADMIN | Trigger garbage collection of the database’s version history (part of MVCC implementation) |
| System privilege LICENSE ADMIN | Install or delete license key |
| SELECT on schema _SYS_STATISTICS | Read alerts of the statistics server process |
2. Create a new role BACKUP_ADMIN.
This role allows all backup-related tasks, such as creating a database backup or managing the backup catalog or deleting backups from disk. Therefore the following privileges should be granted:
| Privilege | What does it do? |
| --- | --- |
| System privilege CATALOG READ | Read access to all metadata of the database catalog |
| System privilege BACKUP ADMIN | Access to all backup functionalities except for restore (which requires OS user credentials) |
3. Create a new role DATA_ADMIN.
This role defines a user who can create new database schemas directly in the catalog and import and export catalog objects. Therefore the following privileges should be granted:
| Privilege | What does it do? |
| --- | --- |
| System privilege CREATE SCHEMA | Create new schemas directly in the database catalog |
| System privilege EXPORT | Export catalog objects to the DB server (csv/binary) or to the client machine |
| System privilege IMPORT | Import catalog objects from the DB server (csv/binary) or from the client machine |
Task 7:
Create a user named ADMIN##, where ## is your group ID. Assign the database administration roles you have just created to this user. Then confirm that your user has been created.
After you have created the user successfully, you can log on and add the user to the Navigator View of the HANA studio. Then confirm that your user’s schema has been created under Catalog.
1. Create a user named ADMIN##, where ## is your group ID.
2. Assign the roles BASIC_ADMIN, BACKUP_ADMIN, and DATA_ADMIN
to this user.
3. Confirm that your user has been created
4. Add the user to the Navigator View of the HANA studio.
Task 8:
Check the authorizations of the user ADMIN##.
1. Check if the user ADMIN## is authorized to export table
TRAIN00.PRODUCTS
2. Check if the user ADMIN## is authorized to perform a backup
3. Check if the user ADMIN## is authorized to change configuration Parameters
Solution of the Exercise 1
Task 1:
Create a role “ROLE_ANALYTIC_##”, where ## is your group ID and assign
the following roles and privileges to your new role.
Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role.
Add the Object Privilege REPOSITORY_REST with privilege EXECUTE.
Add a Package Privilege to give access to repository package
sap/hana/democontent/epm/models and assign authorization REPO.READ.
Then deploy the role and confirm that the role has been created.
Perform this task with SYSTEM user.
1. Create a role “ROLE_ANALYTIC_##” where ## is your group ID.
a) Log on to the SAP HANA studio with SYSTEM user.
b) Choose Administration Perspective: Window → Open Perspective → Other... → Administrative Console.
c) Expand the content of the SAP HANA system → Security → Roles.
d) Right-click Roles → New Role.
e) Give your role the following name: ROLE_ANALYTIC_##. Save (CTRL+S).
2. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT
to your role.
a) Select the Object Privileges tab and click +.
b) Search for Object Privilege _SYS_BI, highlight it, and click OK.
c) Select the object that has just been added.
d) Scroll to the right, and assign the privilege SELECT to object _SYS_BI.
e) Repeat the same steps for the Object Privilege _SYS_BIC.
Unit 4: General Security Requirements and Solutions
Lesson: Introduction
Image 98: Learning Objective
Image 99: Scenario
Image 100: SAP HANA Authentication Options
User Name/Password Authentication
Users accessing the SAP HANA database authenticate themselves by entering their database user name and password.
Kerberos
A Kerberos authentication provider can be used to authenticate users accessing SAP HANA in the following ways:
- Directly from ODBC and JDBC database clients within a network (for example, the SAP HANA studio)
- Indirectly from front-end applications such as SAP BusinessObjects applications using Kerberos delegation
- Via HTTP access by means of SAP HANA Extended Services (SAP HANA XS). In this case, Kerberos authentication is enabled with Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO).
Security Assertion Markup Language (SAML)
A SAML bearer assertion can be used to authenticate users accessing SAP HANA directly from ODBC/JDBC database clients. SAP HANA can act as service provider to authenticate users accessing via HTTP by means of SAP HANA XS.
SAP Logon and Assertion Tickets
Users can be authenticated by logon or assertion tickets issued to them when they log on to an SAP system that is configured to create tickets (for example, the SAP Web Application Server or Portal).
X.509 Client Certificates
For HTTP access to SAP HANA by means of SAP HANA XS, users can be authenticated by client certificates signed by a trusted Certification Authority (CA), which can be stored in the SAP HANA XS trust store.
Image 101: SAP HANA Authentication User configuration for authentication and SSO
Image 102: Single Sign-On Introduction
Kerberos
A user who connects to the database using an external authentication provider must also have a database user known to the database. SAP HANA maps the external identity to the identity of an internal database user.
Security Assertion Markup Language (SAML)
A user who connects to the database using an external authentication provider must also have a database user known to the database. SAP HANA maps the external identity to the identity of an internal database user.
SAP Logon and Assertion Tickets
To implement SAP logon/assertion tickets, the user specified in the logon/assertion ticket must already exist in SAP HANA; there is no support for user mapping.
X.509 Client Certificates
To implement X.509 client certificates, the user specified in the certificate must already exist in SAP HANA; there is no support for user mapping.
Image 103: Kerberos Introduction
Kerberos is a network authentication protocol that provides authentication for client-server applications across an insecure network connection using secret-key cryptography.
ODBC and JDBC database clients support the Kerberos protocol, for example, the SAP HANA studio. Access from front-end applications (for example, SAP BusinessObjects XI applications) can also be implemented using Kerberos delegation.
Note however that constrained delegation and protocol transition are not supported.
Kerberos is supported for HTTP access via SAP HANA XS with Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). It is up to the HTTP client whether it uses Kerberos directly or SPNEGO.
Image 104: Kerberos Prerequisites
Image 105: Kerberos Configuration: ODBC/JDBC
In distributed SAP HANA systems that use Kerberos delegation (SSO2DB), application disruptions resulting from expired authentication are avoided through the use of session cookies.
This mechanism is active by default but can be disabled in the indexserver.ini file with the session_cookie_for_kerberos parameter.
Figure: Mapping the new DB user to Windows Active Directory user (External ID).
Image 106: Kerberos Configuration: SPNEGO
Changing the Service User Password
Since the keys stored in the key tab are generated from the Service User password, you should change the Service User password periodically.
After the password has been changed, the key tab has to be either created again or extended to contain the new key(s), since a password change implies an increment of the Key Version Number (kvno).
Image 107: Kerberos Troubleshooting
Image 108: SAML Introduction
SAML provides the mechanism by which the identity of users accessing the SAP HANA database from client applications is authenticated by XML-based assertions issued by a trusted identity provider. The internal database user to which the external identity is mapped is used for authorization checks during the database session.
Image 109: SAML: What is SAML?
Image 110: SAML: How it works?
Image 111: SAML Assertion Specification
SAP HANA supports plain SAML 2.0 assertions as well as unsolicited SAML responses that include an unencrypted SAML assertion. SAML assertions and responses must be signed using XML signatures.
Image 112: SAML User Mapping
Image 113: SAML Prerequisites
Image 114: SAML Configuration in HANA Studio
Image 115: SAML Configuration for XS Engine APPs
Image 116: X.509 Certificates Introduction
Image 117: X.509 Certificates Prerequisites
Image 118: X.509 Certificates Configuration Overview
Image 119: X.509 Usage
Image 120: SAP Logon and Assertion Tickets SAP Logon Tickets
Image 121: SAP Logon and Assertion Tickets SAP Assertion Tickets
Image 122: SAP Logon and Assertion Tickets Prerequisites: Trust Store
Image 123: SAP Logon and Assertion Tickets Prerequisites: User Configuration
Image 124: SAP Logon and Assertion Tickets Configurations
Image 125: SAP Logon and Assertion Tickets Usage
Image 126: SAP HANA – encryption
Image 127: SAP HANA – Certified 3rd party backup tools
Image 128: SAP HANA – network security
Image 129: Summary
Exercise 2: Configure Encryption
Exercise Objectives
After completing this exercise, you will be able to:
• Configure Data Volume Encryption
Task:
Configure Data Volume Encryption using the Security editor in SAP HANA Studio.
1. Activate Data Volume Encryption
2. Monitor the progress of the data volume encryption.
Solution: Configure Encryption
Task:
Configure Data Volume Encryption using the Security editor in SAP HANA Studio.
1. Activate Data Volume Encryption
a) In the Systems view in SAP HANA studio, choose Security and open
the Data Volume Encryption tab.
b) Choose: Encrypt data volumes.
c) Choose the Deploy button.
2. Monitor the progress of the data volume encryption.
a) Choose the Refresh button to monitor the status of the data volume
encryption.
During encryption the status “Encryption running ...” is displayed. The
status “Encrypted” indicates that the data volumes are encrypted.
Lesson: SAP GRC Integration for Governance Risk and Compliance
Image 130: Learning Objective
Image 131: Scenario
Image 132: SAP HANA – data center integration
SAP HANA supports standard and documented interfaces to enable integration with customer security network and datacenter infrastructures.
Image 133: SAP solutions for GRC Integrated suite and endorsed partner solutions
Image 134: SAP Access Control Manage access risk and prevent fraud
SAP Access Control enables customers to manage access risk and prevent fraud.
Automation is the key here.
Note: This slide reads starting at the 1 o’clock slot with Analyze Risk.
Through this set of capabilities, SAP Access Control helps you to:
• Get clean (analyze risk)
• Stay clean (manage access and maintain roles)
• Stay in control (certify authorizations and monitor privileges)
Image 135: SAP Access Control 10.1 System Components and Plugins
Image 136: Usage Scenario Comprehensive, pre-defined rule set
• SAP Access Control is delivered with a comprehensive rule set based on business process and best practice experience.
• Technical rules are delivered for SAP ERP, Oracle, JD Edwards, and PeopleSoft.
• Business risks are identified across 10 business processes, and technical rules for additional systems can easily be mapped to these risks.
Terminology:
Business Process
The business area categories in which you would like to report Risk analysis results.
Risk
An opportunity for physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a specific condition.
Function
A Function is a grouping of one or more related Actions and/or Permissions for a specific business area.
Action
An activity that is performed in the system in order to fulfill a specific Function, for example, Create Purchase Order or Create Material Master Record.
Action = Transaction Code
Permission
An authorization that allows a user to perform a particular activity in a system.
Permission = Authorization Object
Rule
A Rule is a one-to-one transaction code conflict. One Risk can have many Rules.
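The terminology above can be turned into a small analysis routine. The following is an added example, not part of the course material or of SAP Access Control: it derives Rules from a Risk by pairing each Action of one Function with each Action of the conflicting Function, then checks a user's Actions against them. The function and risk IDs, the sample users, and the treatment of a critical action risk as a Risk with a single Function are assumptions made for illustration.

```javascript
// Constructed sample data. Function and risk IDs are hypothetical;
// the transaction codes stand in for the "Actions" of the terminology.
const FUNCTIONS = {
  FN_MAINTAIN_PO: { actions: ["ME21N", "ME22N"] }, // create / change purchase order
  FN_GOODS_RECEIPT: { actions: ["MIGO", "MB01"] }, // post goods receipt
  FN_USER_ADMIN: { actions: ["SU01"] },            // maintain users
};

const RISKS = [
  // Segregation-of-duties risk: two functions that one person should not combine.
  { id: "RISK_DEMO_SOD", functions: ["FN_MAINTAIN_PO", "FN_GOODS_RECEIPT"] },
  // Critical action risk (assumption): a single function whose actions are
  // sensitive on their own.
  { id: "RISK_DEMO_CRIT", functions: ["FN_USER_ADMIN"] },
];

// Expand one risk into its rules: every combination that takes exactly one
// action from each function of the risk. Two functions with two actions each
// therefore yield four one-to-one rules for a single risk.
function generateRules(risk, functions) {
  let combos = [[]];
  for (const fnId of risk.functions) {
    const fn = functions[fnId];
    if (!fn) {
      throw new Error(`risk ${risk.id} references unknown function ${fnId}`);
    }
    const next = [];
    for (const combo of combos) {
      for (const action of fn.actions) {
        next.push(combo.concat(action));
      }
    }
    combos = next;
  }
  return combos
    // An action listed in both functions does not conflict with itself.
    .filter((actions) => new Set(actions).size === actions.length)
    .map((actions) => ({ riskId: risk.id, actions }));
}

// Return every rule whose actions are all held by the user.
function analyzeUser(userActions, risks, functions) {
  const held = new Set(userActions);
  const hits = [];
  for (const risk of risks) {
    for (const rule of generateRules(risk, functions)) {
      if (rule.actions.every((a) => held.has(a))) {
        hits.push(rule);
      }
    }
  }
  return hits;
}

// Constructed users and their assigned actions.
const USERS = {
  BUYER1: ["ME21N", "ME22N"],        // one side of the conflict only
  CLERK2: ["ME21N", "MIGO", "MM01"], // holds both sides of one rule
  ADMIN3: ["SU01", "ME21N"],         // holds a critical action
};

for (const [user, actions] of Object.entries(USERS)) {
  const hits = analyzeUser(actions, RISKS, FUNCTIONS);
  const text = hits.map((h) => `${h.riskId}(${h.actions.join("+")})`).join(", ");
  console.log(`${user}: ${text || "no risk"}`);
}
```
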
Image 137: Access Risk Definition based on SAP HANA Security Model Function Actions
Image 138: Access Risk Definition based on SAP HANA Security Model Function Permissions
Image 139: Example 1 SoD Risk Analyse in SAP HANA
Image 140: Example 1 Analysis Criteria & Result Screen
Image 141: Example 2 Critical Action Risk Analyse in SAP HANA
Image 142: DEMO 2 Analysis Criteria & Result Screen
Image 143: Usage Scenario Self-service access request and approval process
Workflow driven by SAP Business Workflow technology helps to eliminate manual tasks and make it faster and easier for users to obtain the access that they need in a compliant manner.
Pull user details from HR, LDAP, or IdM systems to leverage a single authoritative source and make the process easier on the end user.
Image 144: User Provisioning in SAP HANA Supported and Unsupported Scenarios
Image 145: Access Request for a New User in SAP HANA Including assignment of HANA Role & Analytical Privilege (Runtime)
Image 146: Request Approval Can Include SoD-Risk Analysis and Mitigation Control Assignment
Image 147: Access Request for New User in SAP HANA Provisioned User in HANA Studio
Image 148: SAP Basis Risk from SAP GRC Standard Rule Set Risks that may be applicable to SAP HANA
Image 149: Requirements and Best Practices in Security Administration that are currently hard to implement in SAP HANA
Lesson: SAP Netweaver Identity Management integration
Image 150: Learning Objective
Image 151: Scenario
Image 152: SAP HANA – data center integration
SAP HANA supports standard and documented interfaces to enable integration with customer security network and datacenter infrastructures.
Image 153: SAP NetWeaver Identity Management Introduction
Ensure that people have the correct authorizations in the back-end systems!
Image 154: SAP NetWeaver Identity Management Holistic identity management approach
Holistic identity management Approach
With SAP NetWeaver identity management, SAP offers integrated identity management capabilities for heterogeneous system landscapes (SAP and non-SAP software), driven by business processes.
Central identity store: The central store consolidates identity data from different source systems (example: SAP HCM) and then distributes this information to the target systems.
Approval Workflows: Workflows distribute the responsibility for authorization assignments to the different business process owners and managers.
Identity Virtualization / Identity as a service: The data within SAP NetWeaver identity management can be accessed using services and standard protocols such as LDAP.
SAP Business Suite Integration: The integration of HCM as one of the possible source systems for identity information is a key functionality for enabling business-driven identity management.
Compliance Checks / GRC: The integration with SAP BusinessObjects Access Enforcer offers extensive functions for assuring compliance and segregation of duties in the role and authorization assignment process.
Definition and Rule-Based Assignment of Business Roles: You can define different rule sets for the assignment of roles to users. This means that the assignment can be performed automatically based on attributes of the identity.
Monitoring and Audit: Provides auditors with one central place to check employees’ authorizations in all systems. This information is also available for the past.
Password Management: Centralized password management reduces calls to the help desk for password resets, and enables password provisioning across heterogeneous landscapes.
Distribution of Users and Role Assignments: Handles user accounts and role assignments of SAP and non-SAP applications.
Image 155: SAP Identity Management 8.0 SP0 Product road map overview – key themes and capabilities
Image 156: SAP Identity Management Capabilities
Image 157: SAP NetWeaver Identity Management Use cases
Image 158: SAP NetWeaver Identity Management Example of integration with HR Processes
Image 159: Main changes in IdM 8.0 compared to IdM 7.2 (1 of 2)
Image 160: Main changes in IdM 8.0 compared to IdM 7.2 (2 of 2)
Image 161: HANA connector for SAP NetWeaver Identity Management Introduction
Image 162: HANA connector for SAP NetWeaver Identity Management Use cases
Lesson: Authorization, Security and Scenarios
Image 163: Learning Objective
Image 164: Scenario
Image 165: SAP HANA Extended Application Services (XS) Introduction
Image 166: Traditional 3-tier applications (Java, ABAP)
Image 167: User handling in XS Plain DB user
Plain DB User Scenario
Since the same user is used on all levels, the roles that are assigned to the user must contain all privileges that the user needs to execute the application.
• Homogeneous way of granting all privileges
• Working with personal DB users requires that the HANA user base is maintained properly; this can be a complex and expensive process (creation and deletion of users, and especially updates to the roles they should have)
Image 168: User handling in XS SQLCC scenario (best practice for stand-alone XS Apps)
SQLCC Scenario
The logon user maps to a personal DB user, but this user is used on XS level only; the DB activities run via sqlcc connections and thus use a technical user.
• The necessary SQL privileges are granted to the SQLCC user only; the logon user just needs the XS application privileges -> no security risk anymore
• Maintaining the personal DB users is still complex (see above)
Image 169: User handling in XS Anonymous section scenario
Anonymous Section Scenario
No logon is enforced; XS privilege checks will thus fail and must be avoided.
OData services and plain DB access from xsjs are only possible in packages with configured default connection.
User-specific Instance-filtering is for obvious reasons not possible.
Image 170: User handling in XS Technical user scenario
"Technical User Scenario" (maybe we need a better name for this)
The logon may be successful without mapping to a DB user; XS will continue working as long as no user is required: XS privilege checks will fail, plain DB access is not possible.
To support DB access, packages must be configured with a default connection. All SQL connections (xsjs and OData) are then opened for the configured sqlcc user, which is thus used for checking all SQL privileges.
+ the necessary SQL privileges are granted to the technical user(s) only -> no security hole
+ no personal DB users are used -> no User Maintenance nightmare
- in case that multiple technical users are used (not the case for HPAs), the User Maintenance nightmare is replaced with the still difficult task of defining a mapping of logon users to the few technical users
Since XS application privileges cannot be used, the application must use other means to protect their semantics in a fine-grained way. The HPAs use the HDB_AUTHORITY_CHECK. In order to support this, XS provides access to the name of the logged-on user. The ABAP client and the schema of the ABAP tables must be provided to the HPA e.g. via static configuration.
Image 171: Application Privileges Introduction
Image 172: Application Privileges Details
The application privileges referenced in the role definition (for example, Display and View) are actually defined in an application-specific .xsprivileges file which also contains entries for additional privileges.
The package where the .xsprivileges file resides defines the scope of the application privileges; the privileges specified in the .xsprivileges file can only be used in the package where the .xsprivileges file resides (or any sub-packages). This is checked during activation of the .xsaccess file and at runtime by the XS JavaScript API $.session.(has|assert)AppPrivilege().
The privileges are authorized for use with an application by inserting the authorization keyword into the corresponding .xsaccess file. Like the .xsprivileges file, the .xsaccess file must reside either in the root package of the application to which the privilege authorizations apply or the specific subpackage which requires the specified authorizations.
Note:
If a privilege is inserted into the .xsaccess file as an authorization requirement, a user must have this privilege to access the application package where the .xsaccess file resides. If there is more than one privilege, the user must have at least one of these privileges to access the content of the package.
Image 173: Server Side JavaScript Security Considerations
Note: If you want to create your own XS application, have a look at the SAP HANA Development guide. There you will find best practices for writing it from a security standpoint.
The following list illustrates the areas where special attention is required to avoid security-related problems when writing server-side JavaScript. Each of the problems highlighted in the list is described in detail in its own dedicated section:
SSL/HTTPS
Enable secure HTTP (HTTPS) for inbound communication required by an SAP HANA application.
Injection flaws
In the context of SAP HANA Extended Application Services (SAP HANA XS) injection flaws concern SQL injection that modifies the URL to expand the scope of the original request.
Cross-site scripting (XSS)
Web-based vulnerability that involves an attacker injecting JavaScript into a link with the intention of running the injected code on the target computer.
Broken authentication and session management
Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.
Insecure direct object references
An application lacks the proper authentication mechanism for target objects.
Cross-site request forgery (XSRF)
Exploits the trust boundaries that exist between different Web sites running in the same web browser session.
Incorrect security configuration
Attacks against the security configuration in place, for example, authentication mechanisms and authorization processes.
Insecure cryptographic storage
Sensitive information such as logon credentials is not securely stored, for example, with encryption tools.
Missing restrictions on URL Access
Sensitive information such as logon credentials is exposed.
Insufficient transport layer protection
Network traffic can be monitored, and attackers can steal sensitive information such as logon credentials or credit-card data.
Invalid redirects and forwards
Web applications redirect users to other pages or use internal forwards in a similar manner.
XML processing issues
Potential security issues related to processing XML as input or to generating XML as output
Unit 5. Authorization trace and Auditing Lesson: Authorization, Security and Scenarios
Unit 5. Authorization trace and Auditing
Unit 5. Authorization trace and Auditing Lesson: Authorization trace
Lesson: Authorization trace
Image 174: Learning Objective
Image 175: Scenario
Image 176: Authorization Trace Prerequisites
Image 177: Procedure: How to use authorization trace
For additional information see the following note
1809199 - SAP HANA DB: Debugging user authorization errors
Image 178: Procedure: How to use authorization trace Activate the trace
Image 179: Procedure: How to use authorization trace Reproduce the issue
Image 180: Procedure: How to use authorization trace Deactivate the trace
Image 181: Procedure: How to use authorization trace Analyze the trace
Image 182: Procedure: How to use authorization trace Object IDs
Image 183: Additional information
In the definition of the analytical privileges, pay attention to two restrictions with the restriction types CUBERESTRICTION and DIMENSIONRESTRICTION: access to a view is granted by this analytical privilege only if the view is included in one of the cube restrictions and at least one of its attributes is employed by one of the dimension restrictions. Without specific authorization, a user can only see privileges granted to himself in the system views EFFECTIVE_PRIVILEGES and STRUCTURED_PRIVILEGES. This is sufficient to find out one's own missing analytical privileges.
Image 184: Summary
Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace
Exercise 3 : Authorization trace
Exercise 8: Authorization Trace
1. Login to the HANA Database using your STUDENTXX user (where XX corresponds to your group ID)
2. Check the Attribute View “HA240_AT_CUSTOMERS” under the package “TRAINING”
3. Login to the HANA Database with USERXX user (where XX corresponds to your group ID)
4. Preview the content of “HA240_AT_CUSTOMERS” view under the package “TRAINING”
5. Using STUDENTXX activate the trace for user USERXX
6. Try again to preview the content as per step number 4
7. Deactivate the trace
8. Analyze the trace
9. Assign to user USERXX the relevant privileges using the Analytic Privilege HA240_AP_CUSTOMERS under package TRAINING
10. Try again to preview the content as per step number 4
11. Close the connections.
12. This completes the exercise.
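The trace cycle in steps 5 to 10, expressed as SQL; this is an added example, not part of the course material. It assumes the database-wide `authorization` trace component described in SAP Note 1809199 (the exercise itself uses a user-specific trace in SAP HANA studio), and it assumes the activated view is exposed as `"_SYS_BIC"."TRAINING/HA240_AT_CUSTOMERS"` and the analytic privilege as `TRAINING/HA240_AP_CUSTOMERS`.

```sql
-- Added example. Object names below are assumptions derived from the exercise text.

-- Step 5 (as STUDENTXX): raise the authorization trace level.
-- This setting is database-wide, unlike the user-specific trace used in the exercise.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('trace', 'authorization') = 'info'
  WITH RECONFIGURE;

-- Step 6 (as USERXX): reproduce the failing access so that it is written to the trace.
SELECT TOP 10 * FROM "_SYS_BIC"."TRAINING/HA240_AT_CUSTOMERS";

-- Step 7 (as STUDENTXX): remove the trace setting again so the trace file
-- does not keep growing with authorization checks of all users.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  UNSET ('trace', 'authorization')
  WITH RECONFIGURE;

-- Step 9 (as STUDENTXX): grant the activated analytic privilege to the user.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE"(
  '"TRAINING/HA240_AP_CUSTOMERS"', 'USERXX');

-- Step 10 (as USERXX): a user can always list the privileges granted to himself.
SELECT OBJECT_TYPE, OBJECT_NAME, PRIVILEGE, IS_VALID
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = CURRENT_USER;

-- The data preview from step 4 should now return rows.
SELECT TOP 10 * FROM "_SYS_BIC"."TRAINING/HA240_AT_CUSTOMERS";
```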
Image 185: Exercise 3 :Solution Task 1 - 2
Image 186: Exercise 3 :Solution Task 2 - 3
3. Login to the HANA Database with USERXX user (where XX corresponds to your group ID)
a. Click with the right button on the T64 system entry and select “Add System with different User Name…”
b. Fill the username and password with the following data.
Name         Property
User name    USERXX
Password     Training1
4. Preview the content of “HA240_AT_CUSTOMERS” view under the package “TRAINING”
a. Navigate to Content > TRAINING > Attribute Views > HA240_AT_CUSTOMERS
b. Right click on the name of the view and select Data Preview
Image 187: Exercise 3 :Solution Task 4
c. An error is shown
Image 188: Exercise 3 :Solution Task 5
Image 189: Exercise 3 :Solution Task 5; the end of the task.
Image 190: Exercise 3 :Solution Task 6 and 7
Image 191: Exercise 3 :Solution Task 8
Image 192: Exercise 3 :Solution Task 8 and the end of the task
Image 193: Exercise 3: Solution Task 9
Image 194: Exercise 3:Solution Task 10
Image 195: Exercise 3: The end of the exercise
11. Close the connections. This completes the exercise.
Unit 5. Authorization trace and Auditing Lesson: Auditing
Lesson: Auditing
Image 196: Learning Objective
Around 20 percent of respondents in North America and 31 percent in
EMEA say one or more of their co-workers have used administrative privileges to
reach confidential or sensitive information.
The auditing feature of the SAP HANA database allows you to track actions performed in the database: who did what (or tried to do what), and when.
SAP HANA provides audit actions for critical security events and for access to sensitive data. Both successful and unsuccessful events can be logged.
In the case of logging of successful and unsuccessful events, one has to specify for each audit policy if successful and/or unsuccessful events will be audited.
Audit logging is not enabled by default.
Image 197: Audit with audit activity
The first step for using audit activity is to enable this function,
as shown in the screenshot above.
For that you need the system privilege AUDIT ADMIN.
Currently, the configuration parameters for auditing are stored in the global.ini configuration file, in the auditing configuration section.
As for all configuration parameters, these parameters can be selected in view M_INIFILE_CONTENTS, assuming that the current user has the required privileges.
System Views
AUDIT_POLICIES: All audit policies and their states.
M_INIFILE_CONTENTS: Configuration parameter concerning auditing.
AUDIT_LOG: Audit log.
Only database users with system privilege CATALOG READ, DATA ADMIN or INIFILE ADMIN can view information in the M_INIFILE_CONTENTS view. For other database users this view will be empty.
Image 198: Audit action
Main topics of audit actions are:
• Backup Deletions
• Data Definitions
• Data Queries
• Encryption
• Granting and Revoking Authorizations
• License deletion and installation
• Procedure executions
• Repository content operations
• User and role management
Image 199: Enable Audit Policy in SAP HANA Studio
Only compatible audit actions can be combined in the same policy; compatible
audit actions have therefore been grouped together. When you select an action,
those actions that are not compatible with the selected action become
unavailable for selection.
If you need to audit two incompatible audit actions, you need to create two
separate audit policies.
In addition to the actions to be audited, an audit policy specifies additional
parameters that further narrow the number of events actually audited.
• Audited action status
On successful execution
On unsuccessful execution
On both successful and unsuccessful execution
• Target object
Tables
Views
Procedures
• Audited user
Individual users can be included in or excluded from an audit policy
• Audit level
EMERGENCY
ALERT
CRITICAL
WARNING
INFO
When an audit policy is triggered, that is, when an action in the policy occurs under
the conditions defined in the policy, an audit entry is created in the audit trail.
Firefighter logging logs all actions performed by a specific user.
This covers not only all actions that can be audited individually, but also actions that cannot
otherwise be audited. Such a policy is useful if you want to audit the actions of
a particularly privileged user.
Note: Some actions cannot be audited using database auditing even with a
policy that includes all actions, in particular, system restart and system
recovery.
Caution: Firefighter logging may generate a lot of audit entries, so only enable it if required
Audit entries written to the table are only accessible through the public system
view AUDIT_LOG. Only SELECT operations can be performed on this view by
users with the system privilege AUDIT OPERATOR or AUDIT ADMIN.
Image 200: Events that Can be Audited
Changes to user authorization
• Create/drop user, create/drop role
• Grant/revoke role
• Grant/revoke SQL privilege, system privilege, analytical privilege
• Create/drop analytical privilege
• Create/drop and alter structured privilege
Authentication of users
• Connection attempts of users to the database
Changes to system configuration
• Changes to system configuration, e.g. ini file
• Uninstall and install license key
• Set system license/unset system license all
Access to or changing of sensitive data
You can specify the following database objects to be audited:
• Tables
• Views
• Procedures
Both write and read access to data can be recorded:
• SELECT
• INSERT
• UPDATE
• DELETE
• EXECUTE
Changes to system configuration
As of SPS08 the previous values of parameters are written to the audit trail if audit
logging for configuration changes is enabled.
Hint: Only actions that take place inside the database engine can be
audited. If the database engine is not online when an action occurs, it
cannot be detected and therefore cannot be audited. These actions are,
for example, an upgrade of an SAP HANA database instance or direct
changes to system configuration files using operating system commands.
Activation of Audit Policies
Auditing is implemented through the creation and activation of audit policies. An
audit policy defines the actions to be audited, as well as the conditions under which
the action must be performed to be relevant for auditing. For example, actions in a
particular policy are audited only when they are performed by a particular user on
a particular object. When an action occurs, the audit policy is triggered and an
audit event is written to the audit trail.
The following slides give an overview how to configure and switch on audit
logging.
Image 201: Audit Logging – Infrastructure
When an audit policy is triggered, an audit entry is created in the audit trail. The
audit trail is written to Linux syslog or to an internal system table.
• Linux syslog
The logging system of the Linux operating system (syslog) is a
secure storage location for the audit trail because not even the database
administrator can access or change it. There are also numerous storage
possibilities for the syslog, including storing it on other systems. In
addition, the syslog is the default log daemon in UNIX systems. The
syslog therefore provides a high degree of flexibility and security,
as well as integration into a larger system landscape. For more
information about how to configure syslog, refer to the documentation
of your operating system.
• Database table
– Using an SAP HANA database table as the target for the audit trail
makes it possible to query and analyze auditing information quickly. It
also provides a secure and tamper-proof storage location.
– Internal column store table in the _SYS_AUDIT schema of the SAP
HANA database
– Audit entries are only accessible through the public system view
AUDIT_LOG. Only SELECT operations can be performed on this
view by users with system privilege AUDIT ADMIN or AUDIT
OPERATOR
– To avoid the audit table growing too large, it is possible to delete old
audit entries
Note: For test purposes in non-production systems, you can also use a
CSV text file as the audit trail. A separate CSV file is created for every
service that executes SQL.
Hint: As of SPS08 multiple audit trail targets can be configured.
• System-wide default: Audit entries are written to the audit trail
target(s) configured for the system if no other trail target has been
configured per audit level
• Audit level (optional): Audit entries from audit policies with the
audit level EMERGENCY, CRITICAL, or ALERT are written to the
specified audit trail target(s). If no audit trail target is configured,
entries are written to the audit trail target configured for the system.
Image 202: Viewing the audit trail
If the audit trail target is a database table, you can avoid the audit table growing
indefinitely by deleting audit entries created up until a certain time and date.
Caution: All information in the audit trail that is older will be
immediately deleted.
If auditing is active, certain actions are always audited and are therefore not
available for inclusion in user-defined audit policies. In the audit trail, these actions
are labeled with the internal audit policy MandatoryAuditPolicy.
Mandatory audit actions:
• Creation, modification, or deletion of audit policies
• Deletion of audit entries from the audit trail. This only applies if audit entries are written to column store database tables.
• Changes to auditing configuration, that is:
– Enabling or disabling auditing
– Changing the audit trail target
– Changing the location of the audit trail target if it is a CSV text file
AUDIT_POLICIES: All audit policies and their states.
M_INIFILE_CONTENTS: Configuration parameter concerning auditing.
AUDIT_LOG: Audit log.
Only database users with system privilege CATALOG READ, DATA ADMIN or INIFILE ADMIN can view information in the M_INIFILE_CONTENTS view. For other database users this view will be empty.
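The settings and policies described in this lesson, expressed as SQL rather than through the SAP HANA studio dialogs; this is an added example, not part of the course material. The schema `TRAINING_SCHEMA`, the user `FF_ADMIN`, the policy names and the cut-off timestamp are assumptions chosen for illustration.

```sql
-- Added example. TRAINING_SCHEMA, FF_ADMIN, the policy names and the
-- timestamp are assumptions. Run as a user with the system privilege AUDIT ADMIN.

-- 1. Enable auditing (it is off by default) and write the audit trail to the
--    internal database table. Both parameters live in global.ini, section
--    "auditing configuration".
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

-- Optional per-level target: send CRITICAL entries to syslog, which the
-- database administrator cannot change.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'critical_audit_trail_type') = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

-- 2. Policy on a target object: successful reads of one table, excluding the
--    technical user _SYS_REPO.
CREATE AUDIT POLICY "READ_ACCESS"
  AUDITING SUCCESSFUL SELECT ON "TRAINING_SCHEMA"."PRODUCTS"
  EXCEPT FOR _SYS_REPO
  LEVEL INFO;
ALTER AUDIT POLICY "READ_ACCESS" ENABLE;

-- 3. Policy on an action group: every configuration change, successful or not.
--    This action is not compatible with SELECT, hence a separate policy.
CREATE AUDIT POLICY "CONFIG_CHANGES"
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL WARNING;
ALTER AUDIT POLICY "CONFIG_CHANGES" ENABLE;

-- 4. Firefighter logging: all actions of one highly privileged user.
--    Expect a high volume of entries; enable only while required.
CREATE AUDIT POLICY "FIREFIGHTER_FF_ADMIN"
  AUDITING ALL ACTIONS FOR FF_ADMIN
  LEVEL CRITICAL;
ALTER AUDIT POLICY "FIREFIGHTER_FF_ADMIN" ENABLE;

-- 5. Verify what is configured and active.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE SECTION = 'auditing configuration';
SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE, EVENT_ACTION
  FROM AUDIT_POLICIES;

-- 6. Trigger the read policy, then inspect the trail (AUDIT ADMIN or
--    AUDIT OPERATOR required; only SELECT is possible on AUDIT_LOG).
SELECT COUNT(*) FROM "TRAINING_SCHEMA"."PRODUCTS";
SELECT "TIMESTAMP", USER_NAME, AUDIT_POLICY_NAME, EVENT_STATUS,
       EVENT_ACTION, STATEMENT_STRING
  FROM AUDIT_LOG
 WHERE AUDIT_POLICY_NAME IN ('READ_ACCESS', 'CONFIG_CHANGES', 'MandatoryAuditPolicy')
 ORDER BY "TIMESTAMP" DESC;

-- 7. Housekeeping for the table target: delete entries older than the given
--    timestamp. The deletion itself is recorded under MandatoryAuditPolicy.
ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2015-01-01 00:00:00';
```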
Image 203: System settings for auditing
Image 204: Audit Policy Example
Unit 5. Authorization trace and Auditing Exercise 4 : Auditing
Exercise 4 : Auditing
Exercise Objectives
After completing this exercise, you will be able to:
• Configure audit logging
• Enable an audit policy
Business Example
Task:
Enable audit logging and activate an audit policy which records read access on table PRODUCTS and an audit policy which records system configuration changes.
Use Database Table as audit trail target.
Then perform a select on table PRODUCTS and check the resulting entry in the audit trail.
1. Enable audit logging and use Database Table as audit trail target.
2. Activate an audit policy which records read access on table PRODUCTS.
3. Activate an audit policy which records system configuration changes.
4. Perform a select on table PRODUCTS and check the resulting entry in the audit trail.
Image 205: Exercise 4 :Solution Audit Exercise
Solution Auditing
Task:
Enable audit logging and activate an audit policy which records read access
on table PRODUCTS and an audit policy which records system configuration
changes. Use Database Table as audit trail target. Then perform a select on table
PRODUCTS and check the resulting entry in the audit trail.
1. Enable audit logging and use Database Table as audit trail target.
a) In the Systems view in SAP HANA studio, choose Security and open
the Auditing tab.
b) Choose Enabled for the auditing status and Database Table for the
audit trail target.
c) Choose the Deploy button.
2. Activate an audit policy which records read access on table PRODUCTS.
a) In the Systems view in SAP HANA studio, choose Security and open
the Auditing tab.
b) Select the Audit Policies tab and click +.
c) Enter a name for the audit Policy (for example: READ ACCESS).
d) Select the Audited Actions tab.
Choose the “...” button to open the Edit Actions ... dialog.
Choose Data Query and Manipulation → SELECT for audited actions.
e) Exclude user _SYS_REPO from the audit policy.
Select the Users tab.
Choose the “...” button to open the Select Users dialog.
f) Select user _SYS_REPO and choose Add.
Choose “Exclude selected users from policy” and choose OK.
g) Select table PRODUCTS (SYS_REPO) for auditing.
Select the Target Object tab.
h) Select table PRODUCTS (SYS_REPO) and choose Add.
Choose OK.
i) Choose the Deploy button.
3. Activate an audit policy which records system configuration changes.
a) In the Systems view in SAP HANA studio, choose Security and open
the Auditing tab.
b) Select the Audit Policies tab and click +.
c) Enter a name for the audit Policy (for example: CONFIG CHANGES).
d) Select the Audited Actions tab.
Choose the “...” button to open the Edit Actions ... dialog.
Choose Session Management and System Configuration → SYSTEM
CONFIGURATION CHANGE for audited actions.
e) Choose the Deploy button.
4. Perform a select on table PRODUCTS and check the resulting entry in the
audit trail.
a) Right-click the HANA system that uses the ‘SYSTEM’ user for
the connection and select SQL Console.
b) Enter the SQL command below and execute it by
clicking the white arrow in the green circle (F8 – Execute):
select * from "SYS_REPO"."PRODUCTS"
c) To check the resulting entry in the audit trail (database table), enter
the SQL command below:
select TIMESTAMP, USER_NAME, AUDIT_POLICY_NAME,
STATEMENT_STRING from "PUBLIC"."AUDIT_LOG"
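The studio steps of Exercise 4 expressed as SQL, as an added example that is not part of the original course material. The policy names and the "SYS_REPO"."PRODUCTS" object come from the exercise; the audited status ALL and the audit levels are assumptions, and the statement syntax should be checked against the SQL reference for your HANA revision.

```sql
-- Added example: SQL equivalent of the Exercise 4 studio steps.
-- Assumes a user holding INIFILE ADMIN (configuration) and AUDIT ADMIN (policies).

-- 1. Enable auditing and use the database table as audit trail target.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

-- Confirm the settings. The view is empty for users without
-- CATALOG READ, DATA ADMIN or INIFILE ADMIN.
SELECT FILE_NAME, LAYER_NAME, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE SECTION = 'auditing configuration';

-- 2. Record read access on PRODUCTS, excluding the repository user.
--    ALL (assumption) also records reads that fail the authorization check.
CREATE AUDIT POLICY "READ ACCESS"
  AUDITING ALL SELECT ON "SYS_REPO"."PRODUCTS"
  EXCEPT FOR _SYS_REPO
  LEVEL INFO;
ALTER AUDIT POLICY "READ ACCESS" ENABLE;

-- 3. Record system configuration changes (audit level is an assumption).
CREATE AUDIT POLICY "CONFIG CHANGES"
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL WARNING;
ALTER AUDIT POLICY "CONFIG CHANGES" ENABLE;

-- Confirm that both policies exist and are active.
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL,
       IS_AUDIT_POLICY_ACTIVE, EVENT_ACTION, OBJECT_SCHEMA, OBJECT_NAME
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME IN ('READ ACCESS', 'CONFIG CHANGES');

-- 4. Trigger the read policy, then review the audit trail.
SELECT * FROM "SYS_REPO"."PRODUCTS";

SELECT TIMESTAMP, USER_NAME, AUDIT_POLICY_NAME, EVENT_STATUS, STATEMENT_STRING
  FROM "PUBLIC"."AUDIT_LOG"
 WHERE AUDIT_POLICY_NAME IN ('READ ACCESS', 'CONFIG CHANGES')
 ORDER BY TIMESTAMP DESC;

-- Review query: configuration changes that touch the auditing section itself,
-- for example a change of the audit state or the audit trail target.
SELECT TIMESTAMP, USER_NAME, CLIENT_IP, STATEMENT_STRING
  FROM "PUBLIC"."AUDIT_LOG"
 WHERE AUDIT_POLICY_NAME = 'CONFIG CHANGES'
   AND LOWER(STATEMENT_STRING) LIKE '%auditing configuration%'
 ORDER BY TIMESTAMP DESC;
```

Reading "PUBLIC"."AUDIT_LOG" requires the AUDIT ADMIN or AUDIT OPERATOR system privilege.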
Unit 6 Integrative authorization Scenarios
Unit 6 Integrative authorization Scenarios Lesson : Scenarios introduction
Lesson : Scenarios introduction
Image 206: Learning Objective
Image 207: Scenario
Image 208: SAP HANA Scenario Overview of different scenario types
Traditional 3-tier application
Classical architecture with Client, Application Server and SAP HANA used as a database for the NetWeaver platform.
Data mart (3-tier or 2-tier)
HANA used as a data mart platform to load data from an external source and execute analyses and queries on that data using end-user clients or analytics applications (BusinessObjects BI Platform).
Native 2-tier application
In this architecture the XS Engine component is used and the HANA platform acts as both database and application server. In this case all the server pieces are provided by the HANA platform.
Image 209: Traditional 3-tier application Database migration to HANA
End-user authorizations
All the authorization and user management functionality previously used in NetWeaver is still valid and working after the migration. No change here.
Developers
All the ABAP development and customizing can still be done using the same authorizations as before. No change here.
Administrators
The basis administrators working on the application server can still work using the same authorizations. No change here.
All the administrators working on the database level can still use the DBA Cockpit transaction or create a specific user with specific authorizations on the database level.
Image 210: Integrated Scenario Reporting in ERP Data in SAP HANA
In this case HANA is used as the database where data is either replicated (side-car) or resides (NetWeaver on HANA). In addition to the standard access via the application server (see previous scenario), you also want to access the data in HANA directly, and this requires a user on the database level with specific authorizations.
Image 211: Integrated Scenario Reporting on BW Data in SAP HANA
- Starting with BW 740 SP5, BW can automatically generate views, including HANA privileges, based on BW privileges.
- These HANA privileges are always automatically assigned to a HANA role that is also automatically generated.
- This role is automatically granted to all database users in HANA if they fulfil the following requirements:
  - For each database user in HANA, a corresponding BW user exists (either configured in SU01, or via name matching BW user <-> HANA database user).
  - The BW user is authorized to execute queries on the respective InfoProvider.
- Recommendation: to regularly update the HANA authorizations from the BW authorizations, schedule a regular BW process chain for this.
Image 212: Integrated Scenario Users generation from ABAP
Image 213: Data Mart Customer-specific analytic reporting on SAP HANA
Image 214: HANA as Web Application Server Native applications built on SAP HANA XS
Image 215: Summary
Unit 6 Integrative authorization Scenarios Lesson : Scenario BW + SAP-HANA
Lesson : Scenario BW + SAP-HANA Desired consistency of authorization between BW and SAP-HANA
Image 216: Learning Objective
Image 217: Scenario
Image 218: SAP HANA Model Generation The Idea behind
Image 219: SAP HANA Model Generation Access data from BW and SAP HANA Studio
Image 220: SAP HANA Model Generation Prerequisites when Replicating BW Authorizations to SAP HANA
Image 221: SAP HANA Model Generation Characteristics
Image 222: SAP HANA Model Generation Representation of BW Authorizations in SAP HANA
Image 223: SAP HANA Model Generation Pre-requisites in BW (1/2)
Image 224: SAP HANA Model Generation Users generation from ABAP
Image 225: SAP HANA Model Generation Pre-requisites in BW (2/2)
Analysis authorizations must be created. The analysis authorizations must be defined for all characteristics flagged as authorization-relevant in the InfoProvider. They must also contain all technical characteristics for the InfoProvider, the key figures and the activity.
Image 226: SAP HANA Model Generation Generating the View and the Authorizations
Image 227: SAP HANA Model Generation Role content in SAP HANA
Image 228: SAP HANA Model Generation Filter String in BW
Image 229: SAP HANA Model Generation Pre-requisites in SAP HANA for reporting user
Image 230: Summary
Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA
Exercise 5: BW authorizations reuse by SAPHANA
Image 231: Exercise 5 :Business Background
Image 232: Exercise 5 :Initial situation
Image 233: Exercise 5 :The cube ZH240_00
Image 234: Exercise 5 :Task 1
Image 235: Exercise 5 :Task 2
Image 236: Exercise 5 :Task 3
Image 237: Exercise 5 :Task 4
Image 238: Exercise 5 :Task 5
Image 239: Exercise 5 :The result
Image 240: Exercise 5 : Solution Task 1
Image 241: Exercise 5 : Solution Task 2 and 3
Image 242: Exercise 5 : Deep technical look in the table
Image 243: Exercise 5 : Solution Task 4
Image 244: Exercise 5 : Solution Task 5
Image 245: Exercise 5 : Solution Task 5/2
Image 246: Exercise 5 : the goal that was to be reached
Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration
Lesson : BI4 and HANA Integration
Image 247: Learning Objective
Image 248: Reporting on HANA 1.0 with BI 4 Client and connectivity options
What does BI 4 mean?
BI 4 is short for SAP BusinessObjects Business Intelligence platform 4.0.
SAP BusinessObjects Business Intelligence (BI) platform provides flexible systems management for an enterprise BI standard that allows administrators to confidently deploy and standardize their BI implementations on a proven, scalable, and adaptive service-oriented architecture.
Image 249: Reporting on HANA 1.0 with BI 4 BI User Provisioning
Image 250: Reporting on HANA 1.0 with BI 4 SAP HANA + BI: What Are My Authentication Options?
Image 251: Reporting on HANA 1.0 with BI 4 SSO with credential mapping
Image 252: Reporting on HANA 1.0 with BI 4 SSO with Kerberos
Configuration steps
Step 1: Active Directory
- Create the keytab
- Set up the SPNs on the Domain Controller
Step 2: HANA
- Install the Kerberos client
- Copy the keytab from the AD server and set up the krb5.conf file
- Enable Kerberos for a HANA user and enter an External ID for the user
- Add the user to HANA Studio to test SSO
Step 3: BOE
- Copy the krb5.conf from the HANA server and create the bscLogin.conf
- Configure the web application server for Kerberos
- Configure the BI4 service account for Kerberos
- Configure Webi Rich Client, Information Design Tool (IDT), APS, Explorer for Kerberos
For more information, refer to SAP Note 1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory
Image 253: Reporting on HANA 1.0 with BI 4 SSO with SAML
Configuration Steps
1. Enter the HANA server details.
2. Generate a certificate on the BI side to import into the HANA server.
3. Once both systems are set up, the user can test the connection directly from the CMC to validate the setup.
Image 254: Reporting on HANA 1.0 with BI 4 Summary
Image 255: Reporting on HANA 1.0 with BI 4 What can be secure and where?
Image 256: Summary
Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live
Lesson : Reuse of ERP Authorization using SAP HANA Live
Image 257: Reuse of ERP Authorization using SAP HANA Live
Image 258: Learning Objective
Image 259: Scenario 1 Expose SAP HANA views in ERP
Image 260: Integrated Scenario Reporting in ERP Data in SAP HANA
In this case HANA is used as the database where data is either replicated (side-car) or resides (NetWeaver on HANA). In addition to the standard access via the application server (see previous scenario), you also want to access the data in HANA directly, and this requires a user on the database level with specific authorizations.
Image 261: Analytics Authorization Assistant Introduction
With the SAP HANA Live Authorization Assistant, you can give users the authorizations in the SAP HANA system that are required to access business data displayed by the virtual data model of SAP HANA Live. For this, the SAP HANA Live Authorization Assistant takes into account the permissions that the same users already have in the ABAP-based Business Suite application. See SAP Note 1796718 for details on this tool.
Image 262: Analytics Authorization Assistant Benefit
You can select multiple query views for multiple users and create analytic privileges for all the query views. You do not need to manually check for privileges in the SAP ABAP system and manually create privileges for each query view. Hence, the mass process available with this tool reduces the effort required to create analytic privileges for query views. The existing analytic privileges can be reused between different users.
Image 263: Analytics Authorization Assistant Installation Overview
Image 264: Analytics Authorization Assistant Installation pre-requisites
For more information, refer to the Administration guide on SAP Service Marketplace at http://service.sap.com/instguides > SAP In-memory Computing > SAP HANA Live for SAP Business Suite (Section 4.3.5 Download and Deploy Content Package). The _SYS_REPO user should have the SQL Execute privilege on REPOSITORY_REST with the "Grantable to others" option selected. You have replicated the tables USRBF2 and UST12 from the ABAP-based system where you want to create the authorizations.
Image 265: Analytics Authorization Assistant Installation steps
* The two available plug-ins are Analytic Authorization Assistant and Analytic Authorization Assistant — Metadata. If you do not want to enter new metadata and only generate analytic privileges with SAP-delivered metadata, you require only the Analytic Authorization Assistant plug-in. For more information, refer to the Administration guide on SAP Service Marketplace at http://service.sap.com/instguides > SAP In-memory Computing > SAP HANA Live for SAP Business Suite (Section 4.3.5 Download and Deploy Content Package).
Image 266: Analytics Authorization Assistant Key content after the installation
The developer role is needed to maintain additional metadata for custom views.
Image 267: Analytics Authorization Assistant Implementation
There are two main tools available with AAA that are downloaded from SMP:
• Generate Analytic Privileges (this also includes the Update Privileges function)
• Maintain Analytics Meta Data
Image 268: Analytics Authorization Assistant Steps to generate privileges
If you have selected views that use tables from multiple SAP HANA schemas, you can select in this step the schema from which the user authorizations will be taken. A role is automatically generated with the name ROLE_<abap user name>, and the generated privilege is automatically assigned to this role. If this role already exists (from a previous generation), the new privilege is added to the role. Note: Do not manually modify any analytic privileges or roles generated by the tool.
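One way to review what the tool generated for a user, as an added example that is not part of the course material. It assumes a constructed ABAP user name STUDENT01 and read access to the SAP HANA catalog views SYS.ROLES, SYS.GRANTED_PRIVILEGES, SYS.STRUCTURED_PRIVILEGES and SYS.GRANTED_ROLES; all statements are read-only.

```sql
-- Added review queries; 'STUDENT01' is a constructed ABAP user name,
-- so the generated role is expected to be ROLE_STUDENT01.

-- 1. Does the generated role exist, and who created it?
SELECT ROLE_NAME, CREATOR
  FROM SYS.ROLES
 WHERE ROLE_NAME = 'ROLE_STUDENT01';

-- 2. Analytic privileges assigned to the role.
--    Assumption: analytic privileges are listed with
--    OBJECT_TYPE = 'ANALYTICALPRIVILEGE'; confirm on your revision.
SELECT GRANTEE, OBJECT_NAME AS ANALYTIC_PRIVILEGE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'ROLE_STUDENT01'
   AND OBJECT_TYPE = 'ANALYTICALPRIVILEGE'
 ORDER BY OBJECT_NAME;

-- 3. The attribute restrictions inside those privileges, to compare
--    with the user's ABAP authorizations (replicated USRBF2 / UST12).
--    Assumption: OBJECT_NAME matches STRUCTURED_PRIVILEGE_NAME.
SELECT sp.STRUCTURED_PRIVILEGE_NAME,
       sp.RESTRICTION_TYPE,
       sp.DIMENSION_ATTRIBUTE,
       sp.OPERATOR,
       sp.OPERAND_VALUE
  FROM SYS.STRUCTURED_PRIVILEGES AS sp
  JOIN SYS.GRANTED_PRIVILEGES AS gp
    ON gp.OBJECT_NAME = sp.STRUCTURED_PRIVILEGE_NAME
 WHERE gp.GRANTEE = 'ROLE_STUDENT01'
   AND gp.OBJECT_TYPE = 'ANALYTICALPRIVILEGE'
 ORDER BY sp.STRUCTURED_PRIVILEGE_NAME, sp.DIMENSION_ATTRIBUTE;

-- 4. Who holds the role; compare against the intended database user.
SELECT GRANTEE, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME = 'ROLE_STUDENT01';

-- 5. Everything else granted to the role, for comparison with what
--    the tool is expected to have produced.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'ROLE_STUDENT01'
   AND (OBJECT_TYPE IS NULL OR OBJECT_TYPE <> 'ANALYTICALPRIVILEGE')
 ORDER BY OBJECT_TYPE, OBJECT_NAME;
```

Because the tool adds privileges to an existing role on each generation, rerunning queries 2 and 3 after a generation or update run shows what changed.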
Image 269: Analytics Authorization Assistant Steps to update privileges
With the SAP HANA Live Authorization Assistant, you can also update analytic privileges generated earlier using the SAP HANA Live Analytics Authorization Assistant. When you make changes in the ABAP authorizations, the changes are reflected in the SAP HANA authorization tables through replication. The update analytic privilege tool identifies the changes in the ABAP authorizations, and new restrictions are created when you run the tool. The valid analytic privileges are retained in the role and newly created analytic privileges are added. If an analytic privilege is not valid, it is removed from the role, and if an analytic privilege is not assigned to any role, it is deleted. The tool only checks if the analytic privilege is assigned to the role.
Image 270: Analytics Authorization Assistant Maintain additional meta-data
SAP delivers the required metadata for all the relevant query views of the virtual data model. For customer-created views, the metadata is defined with the view as specific properties. To view the SAP-delivered metadata, open the respective query view and navigate to Properties > Analytics Metadata > Maintain Metadata. In addition, you can use this tool to maintain metadata for views created using tables from the ERP system. You can add more rows by pressing the + button to map your own attributes to ABAP fields.
Image 271: Summary
Exercise 6 : HANA Live Analytic Authorization assistant Exercise 8: Authorization HANA Live Authorization Assistant.
In this exercise you will learn how to use HANA Live Authorization Assistant.
1. Login to the HANA Database using your STUDENTXX user.
2. Generate the Analytic Privilege
3. Check the generated role and analytic privilege.
4. Close the connections.
5. This completes the exercise.
Solution for Exercise regarding Authorization Assistant
Image 272: Exercise 6 : Solution Slide1
Image 273: Exercise 6 : Solution Slide2
Image 274: Exercise 6 : Solution Slide3
Image 275: Exercise 6 : Solution Slide4
3. Check the generated role and analytic privilege.
Image 276: Exercise 6 : Solution Slide5
4. Close the connection. This completes the exercise.
Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud
Lesson : Multitenant
Image 277: Learning Objective
Image 278: Multiple-Host Systems with Multitenant Database Containers
A multiple-container system has exactly one system database.
It is created during system installation or migration from a single-container system. It contains the data and users for system administration.
System administration tools, such as the SAP HANA studio, can connect to this database. The system database stores overall system landscape information, including knowledge of the tenant databases that exist in the system.
However, it doesn't own database-related topology information, that is, information about the location of tables and table partitions in databases.
Database-related topology information is stored in the relevant tenant database catalog.
Image 279: Overview
All the databases in the same multiple-container system share:
• The same installation of database system software.
• The same computing resources.
• The same system administration.
However, each database is self-contained and fully isolated with its own:
• Set of database users
• Database catalog
• Repository
• Persistence
• Backups
• Traces and logs
Although database objects such as schemas, tables, views, procedures, and so on are local to the database, cross-database SELECT queries are possible!
This supports in particular cross-application reporting in MCOS (multiple components in one system) scenarios.
Image 280: Multiple-Host System with Multitenant Database Containers
Image 281: MDC and its Users
SYSTEM is the database super user. It has irrevocable system privileges, such as the ability to create other database users, access system tables, and so on.
In a system with multitenant database containers, the SYSTEM user of the system database has additional privileges for managing tenant databases, for example, creating and dropping databases, changing configuration (*.ini) files of databases, and performing database-specific data backups.
Lesson: HANA Enterprise Cloud
Image 282: Learning Objective
Image 283: HANA Enterprise Cloud (HEC)
Image 284: HANA Enterprise Cloud (HEC)
The fundamental security architecture of the HEC infrastructure is the principle of a private cloud.
This means each customer receives an isolated, logical grouping of several virtual machines and physical systems. All customer networks are completely isolated from each other.
HEC administrative tasks are done using management networks.
Image 285: Details for Customer Landscapes
Image 286: Details for Network Integration
Image 287: Security & Data Protection Requirements – Data Center (Building / Facilities)
Cloud-hosted customer environments must be operated in an SAP Tier Level III, III+ or IV classified data center to meet the physical security and operational compliance requirements of the customer.
For co-location data centers (non-SAP DC), access to SAP HEC infrastructure needs to be physically separated from other DC customers, e.g. using cages.
Image 288: Benefits HANA Enterprise Cloud Multi Layers of Defense
Image 289: Holistic Security & Compliance Approach
Image 290: Security, Compliance & Data Protection Processes: Internal Control System – Certifications as of today