sap ha240 en col09 hana sp09

HA240 Authorization, security and scenarios
For Any SAP / IBM / Oracle - Materials Purchase Visit : www.erpexams.com OR Contact Via Email Directly At : [email protected]

Upload: narendra

Post on 03-Feb-2016


DESCRIPTION

SAP HA240 HANA SP09

TRANSCRIPT

Page 1: Sap Ha240 en Col09 Hana Sp09

HA240 Authorization, security and scenarios


www.sap.com

SAP SE Copyrights and Trademarks © 2014 SAP SE. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

• Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

• IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

• Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

• Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

• Oracle is a registered trademark of Oracle Corporation.

• UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

• Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

• HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

• Java is a registered trademark of Sun Microsystems, Inc.

• LabNetscape.

• SAP, SAP Fiori, SAP SAPUI5, R/3, SAP Fiori, SAP NW Gateway, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.

• Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

• Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

© SAP SE HA240 2


Unit 1: Introduction into the area of Security and authorization Lesson: SAP HANA Introduction and overview

CONTENTS

ABOUT THIS HANDBOOK
UNIT 1: INTRODUCTION INTO THE AREA OF SECURITY AND AUTHORIZATION
    Lesson: SAP HANA Introduction and overview
UNIT 2: REPOSITORY
    Lesson: Repository
UNIT 3: AUTHORIZATION INSIDE SAP HANA
    Lesson: General authorization concept
    Lesson: Roles
    Lesson: Assignments from privileges to user
    Lesson: Object Ownership
    Exercise 1: Maintaining Users and Authorizations
UNIT 4: GENERAL SECURITY REQUIREMENTS AND SOLUTIONS
    Lesson: Introduction
    Lesson: SAP GRC Integration for Governance Risk and Compliance
    Lesson: SAP Netweaver Identity Management integration
    Lesson: Authorization, Security and Scenarios
UNIT 5: AUTHORIZATION TRACE AND AUDITING
    Lesson: Authorization trace
    Exercise 3: Authorization trace
    Lesson: Auditing
    Exercise 4: Auditing
UNIT 6: INTEGRATIVE AUTHORIZATION SCENARIOS
    Lesson: Scenarios introduction
    Lesson: Scenario BW + SAP-HANA
    Exercise 5: BW authorizations reuse by SAP HANA
    Lesson: BI4 and HANA Integration
    Lesson: Reuse of ERP Authorization using SAP HANA Live
    Exercise 6: HANA Live Analytic Authorization assistant
UNIT 7: OPTIONAL: MULTITENANT DB AND HANA ENTERPRISE CLOUD
    Lesson: Multitenant
    Lesson: HANA Enterprise Cloud


About This Handbook

This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. American English is the standard used in this handbook. The following typographic conventions are also used:

Use: Example/Visualization

Demonstration by Instructor: A hint or advanced detail is shown or clarified by the instructor – please indicate reaching any of these points to the instructor.

Warning or Caution: A word of caution – generally used to point out limitations or actions with potential negative impact that need to be considered consciously.

Hint: A hint, tip or additional detail that helps increase performance of the solution or helps improve understanding of the solution.

Additional information: An indicator for pointing to additional information or technique beyond the scope of the exercise but of potential interest to the participant.

Discussion/Group Exercise: Used to indicate that collaboration is required to conclude a given exercise. Collaboration can be a discussion or a virtual collaboration.

User Interface Text: Find the Flavor Gallery button

Solution or SAP Specific term: E.g. Flavors are transaction-specific screen personalization created and rendered using SAP Screen Personas.


Unit 1: Introduction into the area of Security and authorization


Lesson: SAP HANA Introduction and overview

Image 1: Learning Objective


Image 2: SAP HANA as the powerful center of any data flow

For on-premise deployment, SAP HANA either comes preinstalled on certified hardware provided by an SAP hardware partner (appliance), or it must be installed on certified hardware by a certified administrator.

The installation itself is part of the course HA200, and there is a special certificate, C_HANAINSTxxy, where:

xx = the last two digits of the year

y = the number of the half-year.


Certification    SAP HANA SPS
141              SPS07
142              SPS08
151              SPS09

Image 3: SAP HANA as a platform of a system landscape


Image 4: SAP HANA as Part of the Customer Solution Provide a holistic operations concept

SAP HANA is just one element of your IT solution

You will benefit from a holistic operations concept


Image 5: SAP HANA In-Memory Strategy


Image 6: Why is security necessary?


Image 7: Traditional security architecture


Image 8: SAP HANA scenarios – 3-tier application, data mart (analytics)


Image 9: SAP HANA scenarios – SAP HANA extended application services


Image 10: SAP HANA Security Architecture


Image 11: SAP HANA – authentication and single sign-on

Access to SAP HANA data and applications is enabled by authentication functions.

Password policies, e.g. password length and complexity, can be defined to enforce password quality.

Passwords for the user name/password authentication of database users are subject to certain rules or password policy.

You can change the default password policy in line with your organization’s security requirements. You cannot deactivate the password policy.
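The password policy described above can be inspected and tightened with SQL. The following is an added example, not part of the handbook; the parameter values and the use of indexserver.ini in a single-container system are assumptions to adapt to your own security requirements.

```sql
-- Added example (not from the handbook). All values are illustrative assumptions.

-- 1. Show the password policy currently in effect, one row per parameter.
SELECT PROPERTY, VALUE
  FROM M_PASSWORD_POLICY
 ORDER BY PROPERTY;

-- 2. Tighten the defaults. The policy can be changed but not deactivated,
--    so each parameter always has some value in force.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('password policy', 'minimal_password_length')          = '12',   -- characters
      ('password policy', 'password_layout')                  = 'A1a_', -- upper, digit, lower, special
      ('password policy', 'last_used_passwords')              = '10',   -- history depth
      ('password policy', 'maximum_invalid_connect_attempts') = '5',    -- before the user is locked
      ('password policy', 'password_lock_time')               = '1440', -- minutes
      ('password policy', 'maximum_password_lifetime')        = '90'    -- days
  WITH RECONFIGURE;

-- 3. Re-read the view to confirm that the new values are active.
SELECT PROPERTY, VALUE
  FROM M_PASSWORD_POLICY
 WHERE PROPERTY IN ('minimal_password_length', 'password_layout',
                    'maximum_invalid_connect_attempts', 'maximum_password_lifetime');

-- 4. List active users for whom the password lifetime check was switched off
--    individually. Their passwords never expire, whatever the policy says,
--    so each entry should have a documented reason (e.g. a technical user).
SELECT USER_NAME, LAST_SUCCESSFUL_CONNECT, INVALID_CONNECT_ATTEMPTS
  FROM USERS
 WHERE IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
   AND USER_DEACTIVATED = 'FALSE'
 ORDER BY USER_NAME;
```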


Image 12: Password policy


Image 13: SAP HANA – user and role management

Client

Any possible client for the HANA Platform. This includes SAP HANA Studio and the Business Object BI Platform, but also Web Browser, Analysis for Office, Office Excel, etc.

Application Server

In the common SAP Architecture this is normally the role of NetWeaver Application Server ABAP and/or Java.

In this case the HANA Platform can also be the Application Server, because it can act not only as a database but also as a server for native functionalities and applications.

Database

HANA is a database at its core and can be used just like any other relational database, e.g. in a classical 3-tier deployment like Suite on HANA.


Image 14: SAP HANA – authorization Privilege types


Image 15: SAP HANA – communication and data encryption


Image 16: SAP HANA – audit logging


Image 17: SAP HANA – security administration

SQLDBC is an SAP HANA-specific interface that is also the basis for the SAP HANA ODBC interface.


Image 18: SAP HANA – security administration SAP HANA studio


Image 19: Important info sources


Image 20: Security information map


Unit 2 Repository


Lesson: Repository

Image 21: Learning Objective


Image 22: Terminology: repository where design-time objects reside

The SAP HANA database repository is structured hierarchically with packages assigned to other packages as sub-packages.

If you grant privileges to a user for a package, the user is automatically also authorized for all corresponding sub-packages.

In the SAP HANA repository, a distinction is made between native and imported packages. Native packages are packages that were created in the current system and should therefore be edited in the current system.

Imported packages from another system should not be edited, except by newly imported updates.

An imported package should only be manually edited in exceptional cases.


Image 23: _SYS_REPO Authorization in the Repository

_SYS_REPO must be explicitly authorized for objects that are not created in the repository but on which repository objects are modeled.
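The package privilege inheritance, the caution about imported packages and the _SYS_REPO authorization described in this lesson translate into the following grants and review queries. This is an added example, not part of the handbook; the package "acme.sales", the user MODELER1 and the schema ERP_DATA are assumed names.

```sql
-- Added example (not from the handbook). Package "acme.sales", user MODELER1
-- and schema ERP_DATA are assumed names that already exist.

-- 1. Package privileges reach every sub-package of the package they are
--    granted on, so grant on the lowest package that covers the work
--    instead of on a top-level package.
GRANT REPO.READ                    ON "acme.sales" TO MODELER1;
GRANT REPO.EDIT_NATIVE_OBJECTS     ON "acme.sales" TO MODELER1;
GRANT REPO.ACTIVATE_NATIVE_OBJECTS ON "acme.sales" TO MODELER1;

-- 2. Review who holds package privileges on the root package: because of the
--    inheritance rule, each row here applies to the whole repository.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE LIKE 'REPO.%'
   AND OBJECT_NAME = '.REPO_PACKAGE_ROOT'
 ORDER BY GRANTEE, PRIVILEGE;

-- 3. Review who is able to change imported packages. Imported content should
--    only change through a new import, so this list should be short.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME AS PACKAGE_NAME, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE IN ('REPO.EDIT_IMPORTED_OBJECTS',
                     'REPO.ACTIVATE_IMPORTED_OBJECTS',
                     'REPO.MAINTAIN_IMPORTED_PACKAGES')
 ORDER BY PACKAGE_NAME, GRANTEE;

-- 4. ERP_DATA was created outside the repository, but repository objects
--    (for example views) are modeled on its tables. _SYS_REPO owns the
--    activated objects, so it needs SELECT on the schema, and the grant
--    option so that access can be passed on to the consumers of those objects.
GRANT SELECT ON SCHEMA ERP_DATA TO _SYS_REPO WITH GRANT OPTION;

-- 5. Confirm what _SYS_REPO holds on that schema.
SELECT GRANTEE, SCHEMA_NAME, PRIVILEGE, IS_GRANTABLE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE GRANTEE = '_SYS_REPO'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = 'ERP_DATA';
```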


Image 24: Proposed Repository Layout See Developer Guide


Image 25: Working in the repository Studio perspectives and web IDE


Image 26: Managing Repository Objects Deleting objects, Changing objects


Image 27: Transporting Repository Objects


Image 28: Procedures in definer mode: What’s the deal?


Image 29: Implications of using definer mode


Unit 3 Authorization inside SAP HANA


Lesson: General authorization concept

Image 30: Learning Objective


Image 31: Authorization administration


Image 32: Tools for authorization administration SAP HANA studio


Image 33: Tools for authorization administration Web based editor

You can call the Web based editor directly or from SAP HANA cockpit.

This editor has the same functionality as SAP HANA Studio.

Technically, this editor is part of the SAP HANA Web-based Developer Workbench.

All the privileges needed to use this workbench are bundled in the following role:

sap.hana.xs.ide.roles::EditorDeveloper


Image 34: Basic Authorization entities


Image 35: Relationships between Entities

Privileges can be assigned to users directly or indirectly using roles. Privileges are required to model access control. Roles can be used to structure the access control scheme and model reusable business roles.

It is recommended to manage authorization for users by using roles. Roles can be nested so that role hierarchies can be implemented. This makes them very flexible, allowing both fine-grained and coarse-grained authorization management for individual users.

All the privileges granted directly or indirectly to a user are combined. This means whenever a user tries to access an object, the system performs an authorization check using the user, the user's roles, and directly allocated privileges.

It is not possible to explicitly deny privileges. This means that the system does not need to check all the user roles. As soon as all requested privileges have been found, the system aborts the check and grants access.

Several predefined roles exist in the database. Some of them are templates that need to be customized; others can be used as they are.

User management is configured using SAP HANA Studio.
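The authorization check described above, modelled as an added Python sketch (not SAP code and not part of the course material); all role, user and object names are constructed. It shows the early exit once every requested privilege is found and, because nothing can be denied, lists every role path that confers a given privilege.

```python
from collections import deque

# Constructed sample data; all role, user and object names are hypothetical.
# role -> (privileges granted to the role, roles nested inside it)
ROLES = {
    "SALES_READ": ({("SELECT", "SALES.ORDERS")}, set()),
    "SALES_WRITE": ({("INSERT", "SALES.ORDERS"), ("UPDATE", "SALES.ORDERS")}, {"SALES_READ"}),
    "REPORTING": ({("SELECT", "REPORTS.KPI")}, {"SALES_READ"}),
    "REGION_LEAD": (set(), {"REPORTING", "SALES_WRITE"}),
}
USERS = {
    "ANNA": {"privileges": {("SELECT", "HR.STAFF")}, "roles": {"REGION_LEAD"}},
    "BEN": {"privileges": set(), "roles": {"SALES_READ"}},
}


def check_access(user, requested):
    """Return (granted, roles_inspected) for a set of requested privileges.

    Direct privileges and role privileges are simply added up. The walk stops
    as soon as nothing is missing, so later roles are never looked at.
    """
    entry = USERS[user]
    missing = set(requested) - entry["privileges"]
    inspected, seen = [], set()
    queue = deque(sorted(entry["roles"]))
    while missing and queue:
        role = queue.popleft()
        if role in seen:  # a role reachable over two paths is inspected once
            continue
        seen.add(role)
        inspected.append(role)
        privileges, nested = ROLES[role]
        missing -= privileges
        queue.extend(sorted(nested))
    return (not missing, inspected)


def granting_paths(user, privilege):
    """List every path (direct grant or chain of nested roles) that confers
    `privilege`. With no explicit deny, access is only gone once all of these
    paths have been cut."""
    entry = USERS[user]
    paths = [("<direct>",)] if privilege in entry["privileges"] else []

    def walk(role, trail):
        if role in trail:  # guard against a cyclic definition in the input
            return
        trail = trail + (role,)
        privileges, nested = ROLES[role]
        if privilege in privileges:
            paths.append(trail)
        for child in sorted(nested):
            walk(child, trail)

    for role in sorted(entry["roles"]):
        walk(role, ())
    return paths


if __name__ == "__main__":
    print(check_access("ANNA", {("INSERT", "SALES.ORDERS")}))
    print(check_access("BEN", {("SELECT", "SALES.ORDERS"), ("DELETE", "SALES.ORDERS")}))
    for path in granting_paths("ANNA", ("SELECT", "SALES.ORDERS")):
        print(" -> ".join(path))
```

Revoking only SALES_WRITE from REGION_LEAD in this sample would still leave ANNA with SELECT on SALES.ORDERS through REPORTING.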

Image 36: Authorization Example

Image 37: Authorization design process

Image 38: Define and Create Roles

Lesson: Roles

After completing this lesson, you will be able to:

- Create and use Runtime Roles

- Grant and revoke Runtime Roles

- Explain the difference between Catalog and Repository Roles

- Create and use Repository Roles

- Know common pre-delivered roles

Image 39: Creating Roles using SAP HANA Studio

The prerequisite for creating roles is the privilege ROLE ADMIN.

Image 40: Repository Roles vs. Catalog roles

Image 41: Terminology: repository where design-time objects reside

Image 42: Properties of Catalog Roles

Runtime Role management has several challenges, especially with regard to the revocation of privileges and roles.

Image 43: Properties of Repository Roles

Image 44: Creating Catalog Roles

Image 45: Difficulties with catalog roles Creation / Modification

Image 46: Less known properties of catalog roles revoking of roles

Image 47: Creating Repository Roles Create transportable roles with design time and run time representation

Image 48: How can you manage roles safely (and respecting typical compliance requirements)

Image 49: Transporting Repository Roles

Image 50: Template Roles

MODELING: Contains all privileges required for using the information modeler in the SAP HANA studio.

Contains the database authorization for a modeler to create all kinds of views and Analytic Privileges.

Allows access to all data in activated views without any filter (_SYS_BI_CP_ALL Analytic Privilege). However, this is restricted by missing SQL Privileges on those activated objects.

Note: Use caution when using the _SYS_BI_CP_ALL Analytic Privilege.

Use this predefined role as a template.

MONITORING: Contains privileges for full read-only access to all meta data, the current system status in system and monitoring views, and the data of the statistics server.

PUBLIC: Contains privileges for filtered read-only access to the system views.

Only objects for which the users have access rights are visible. By default, this role is assigned to each user.

CONTENT_ADMIN: Contains the same privileges as the MODELING role, but with the extension that users allocated this role are allowed to grant these privileges to other users.

In addition, it contains repository privileges for working with imported objects.

Use this role as a template for what content administrators might need as privileges.

SUPPORT: Contains privileges for full read-only access to all metadata, the current system status in system and monitoring views, and the data of the statistics server.

Additionally it contains the privileges to access the base information of the system and monitoring views (this information is otherwise only available to the SYSTEM user).

For security reasons, the following restrictions apply:

- It cannot be granted to user SYSTEM

- It cannot be granted to more than one user at a time

- It cannot be granted to another role

- No role can be granted to it

- Only system privileges can be granted to this role

Image 51: Summary

Lesson: Assignment of privileges to users

Image 52: Assign Privileges to Roles

Image 53: Assign Privileges to Roles

Image 54: Create Users

Image 55: Different User types: Database User

It is often necessary to specify different security policies for different types of database user.

In the SAP HANA database, we differentiate between database users that correspond to real people and technical database users.

Note!

Database users that correspond to real people are dropped when the person leaves the organization. This means that any database objects that they own are also automatically dropped, and any privileges that they granted are automatically revoked.

Compared to standard database users, restricted users are initially limited in the following ways:

- They cannot create objects in the database as they are not authorized to create objects in their own database schema.

- They cannot view any data in the database as they are not granted (and cannot be granted) the standard PUBLIC role.

- They are only able to connect to the database using HTTP.

Users connecting via ODBC or JDBC require the standard role RESTRICTED_USER_ODBC_ACCESS or RESTRICTED_USER_JDBC_ACCESS.

Image 56: Different User types: Technical Database Users

The SYSTEM database user is the bootstrapping user. It is used to perform the initial system setup and to create other database users, access system tables, and so on. Note, however, that the SYSTEM database user does not automatically have access to objects created in the SAP HANA repository.

SAP recommends deactivating this user once the system goes into operation.

<sid>adm user (where <sid> is the ID of the SAP HANA system)

The <sid>adm user is an operating system user and is also referred to as the operating system administrator.

This operating system user has unlimited access to all local resources related to SAP systems.

This user is not a database user but a user at the operating system level.

Hint: The following users are internal users, which means it is not possible to log on to the database with them.

SYS - is a technical database user. It is the owner of database objects such as system tables and monitoring views.

_SYS_AFL - is a technical user that owns all objects for Application Function Libraries.

_SYS_EPM - is a technical database user used by the SAP Performance Management (SAP EPM) application.

_SYS_REPO - is a technical database user used by the SAP HANA repository. The repository consists of packages that contain design-time versions of various objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. _SYS_REPO is the owner of all objects in the repository, as well as their activated runtime versions.

_SYS_STATISTICS - is a technical database user used by the internal monitoring mechanism of the SAP HANA database. It collects information about status, performance, and resource usage from all components of the database and issues alerts if necessary.

HINT:

What to do in an emergency situation? You have to reset the SYSTEM password.

In this case, the following mechanism for resetting the SYSTEM user password is available:

- Prerequisite: Credentials of the operating system administrator <sid>adm, access to the master index server

- As <sid>adm, log on to the server on which the master index server is running

- On the command line, shut down the SAP HANA system, then start the name, compile and index servers

- Use the following command to reset the password: /exe/hdbindexserver -resetUserSystem

- Afterwards, the index server is automatically stopped

- End the name and compile server processes

- On the command line, start the SAP HANA system

This emergency procedure is also described in the SAP HANA Administration Guide.

Note: In a system with multitenant database containers, you can reset the passwords of the SYSTEM users in the same way by starting the name server (for the system database) or index server (for tenant databases) in emergency mode.

Image 57: Creating named Users In SAP HANA Studio

Image 58: Creating named Users in SAP HANA Studio

Image 59: Creating named Users Using SQL

Image 60: Modifying users

Image 61: User Self Service Tools

By default, SAP HANA user self-service tools are disabled; the tools are neither visible in the user interface nor configured in SAP HANA.

To provide access to embedded tools that enable users to request the creation of a new user account in the SAP HANA database or set a new password, the SAP HANA administrator must activate and set up the user self-service feature.

Image 62: User Management

Image 63: Grant Role to User

Image 64: Grant Roles to User

Note: The system privilege ROLE ADMIN supersedes this GRANT OPTION.

Image 65: Revoke Roles from User

Note on Cascaded Dropping of Privileges

If the user had granted the role to other users, revoking the role (and the grant option) also revokes the role from those grantees.
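The cascade rule above, together with the earlier note that dropping a personal user drops the objects they own and revokes what they granted, as an added Python sketch (not SAP code and not part of the course material). The rows are constructed; their tuple layout is modelled on the GRANTED_ROLES and OWNERSHIP system views as an assumption, and the sketch applies the page's rule transitively without considering a second grantor for the same role.

```python
# Constructed rows. The tuple layout is an assumption modelled on the
# GRANTED_ROLES and OWNERSHIP system views; all names are hypothetical.
GRANTED_ROLES = [
    # (grantee, role_name, grantor)
    ("ALICE", "SALES_ADMIN", "SYSTEM"),
    ("BOB", "SALES_ADMIN", "ALICE"),
    ("CAROL", "SALES_ADMIN", "BOB"),
    ("DAVE", "SALES_READ", "ALICE"),
    ("ERIN", "SALES_READ", "ROLE_MGR"),  # granted by a technical user
]
OWNERSHIP = [
    # (owner_name, schema_name, object_name)
    ("ALICE", "ALICE", "TMP_EXPORT"),
    ("ALICE", "SALES", "ORDERS_2014"),
    ("ETL_TECH", "SALES", "ORDERS"),
]


def downstream_grants(grants, user, role):
    """Grants of `role` that disappear once `user` loses it.

    Rule from the text: a revoked role is also revoked from everyone the user
    granted it to. Applying that rule again to each grantee gives the chain.
    """
    lost, stack, seen = [], [user], {user}
    while stack:
        grantor = stack.pop()
        for grantee, role_name, granted_by in grants:
            if role_name == role and granted_by == grantor:
                lost.append((grantee, role_name, granted_by))
                if grantee not in seen:
                    seen.add(grantee)
                    stack.append(grantee)
    return lost


def drop_user_impact(user, grants=GRANTED_ROLES, ownership=OWNERSHIP):
    """Impact report to review before a personal user is dropped."""
    objects = [(schema, obj) for owner, schema, obj in ownership if owner == user]
    roles_granted = sorted({role for _, role, grantor in grants if grantor == user})
    revoked = []
    for role in roles_granted:
        revoked.extend(downstream_grants(grants, user, role))
    return {"objects_dropped": objects, "grants_revoked": revoked}


def affected_users(impact):
    """Users who lose a role as a side effect of the drop."""
    return sorted({grantee for grantee, _, _ in impact["grants_revoked"]})


if __name__ == "__main__":
    report = drop_user_impact("ALICE")
    print("objects dropped:", report["objects_dropped"])
    print("grants revoked :", report["grants_revoked"])
    print("users affected :", affected_users(report))
```

ERIN keeps SALES_READ in this sample because the grantor is a technical user that is not dropped when a person leaves.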

Lesson: Object Ownership

Image 66: Security: Owner vs. schema How HANA handles ownership of catalog objects

Note:

Restricted users cannot create objects in the database as they are not authorized to create objects in their own database schema.

Image 67: Security: Dropping of DB users Impact of dropping with “cascade”

Image 68: Security: Dropping DB accounts safely UI support in SAP HANA Studio

Image 69: Object ownership finding ownership information

Image 70: Privileges

After completing this section, you will be able to:

• Explain the possible types of Privileges

• Explain the use of Object Privileges, System Privileges, Package Privileges, Analytic Privileges

• Describe privileges to be set for Information Consumers

• Describe ownership rationale for possible Privilege Types

• Explain the use of Dynamic Analytic Privileges

Image 71: Type of privileges

Object Privileges:

This is used to restrict access and modification of database objects, such as tables. Depending on the object type (for example, table, view), different actions (for example, CREATE ANY, ALTER, DROP) can be authorized.

For Object Privileges in the SAP HANA database, the SQL standard behavior is applied.

Analytic Privileges:

This is used to restrict the access for read operations to certain data in Analytic, Attribute, and Calculation Views. This is done by filtering the attribute values.

It is only applied at the processing time of the user query.

Analytic Privileges need to be defined and activated before they can be granted to users and roles.

Package Privileges:

This is used to restrict the access to and the use of packages in the repository of the SAP HANA database.

Packages contain design-time versions of various objects, such as Analytic, Attribute, and Calculation Views, as well as Analytic Privileges, and functions. To be able to work with packages, the respective Package Privileges must be granted.

Application Privileges:

Developers of SAP HANA XS applications can create application privileges to authorize user and client access to their application. They apply in addition to other privileges.

It is recommended to grant application privileges to roles created in the SAP HANA Repository at design time.

All kinds of Privileges are assigned to users and roles.

Image 72: System and Object privileges

More details on Object Privileges activities:

CREATE ANY

This privilege allows the creation of all kinds of objects, in particular, tables, views, sequences, synonyms, SQL script functions or database procedures in a schema. This privilege can only be granted on a schema.

ALL PRIVILEGES

This privilege is a collection of all Data Definition Language (DDL) and Data Manipulation Language (DML) privileges that the grantor currently possesses and is allowed to grant further. The privilege it grants is specific to the particular object being acted upon. ALL PRIVILEGES is not applicable to a schema, but only a table, view, or table type.

DROP and ALTER

These are DDL privileges and authorize the DROP and ALTER SQL commands. While the DROP privilege is valid for all kinds of objects, the ALTER privilege is not valid for sequences and synonyms as their definitions cannot be changed after creation.

SELECT, INSERT, UPDATE, and DELETE

These are DML privileges and authorize respective SQL commands. While SELECT is valid for all kinds of objects, except for functions and procedures, INSERT, UPDATE, and DELETE are only valid for schemas, tables, table types, and updatable views.

INDEX

This special DDL privilege authorizes the creation, alteration or revocation of indexes for an object using the CREATE INDEX, ALTER INDEX, and DROP INDEX commands. This privilege can only be applied to a schema, table, and table type.

EXECUTE

This special DML privilege authorizes the execution of an SQL script function or a database procedure using the CALLS or CALL command, respectively.

Image 73: System privileges

Some examples of these system privilege types:

Users and Roles:

ROLE ADMIN: Authorizes the creation and deletion of roles using the CREATE ROLE and DROP ROLE commands. This privilege also authorizes the granting and revocation of roles using the GRANT and REVOKE commands.

Catalog and Schema Management:

CATALOG READ: Authorizes unfiltered read-only access to all system views. Normally, the content of these views is filtered based on the privileges of the accessing user.

Analytics:

CREATE STRUCTURED PRIVILEGE: Authorizes the creation of structured privileges. Only the owner of an analytic privilege can further grant or revoke that privilege to other users or roles.

Auditing:

AUDIT ADMIN: Controls the execution of the auditing-related commands CREATE AUDIT POLICY, DROP AUDIT POLICY, and ALTER AUDIT POLICY, as well as changes to auditing configuration. It also authorizes access to the AUDIT_LOG system view.

System Management:

BACKUP ADMIN: Authorizes backup and recovery commands for defining and initiating backup and recovery procedures. It also authorizes changes to system configuration options with respect to backup and recovery.

Data Import and Export:

IMPORT: Authorizes import activity in the database using the IMPORT commands. Note that in addition to this privilege the user requires the INSERT privilege on the target tables to be imported.

All the system privileges are described in the SAP HANA Security Guide.

Image 74: Package privileges

Image 75: Sub-package privileges

Image 76: Native and imported package privileges

Developers should be granted the following privileges for native packages:

REPO.READ: This privilege authorizes read access to packages and design-time objects, including both native and imported objects.

REPO.EDIT_NATIVE_OBJECTS: This privilege authorizes all kinds of inactive changes to design-time objects in native packages.

REPO.ACTIVATE_NATIVE_OBJECTS: This privilege authorizes the user to activate or reactivate design-time objects in native packages.

REPO.MAINTAIN_NATIVE_PACKAGES: This privilege authorizes the user to update or delete native packages, or create subpackages of native packages.

Developers should only be granted the following privileges for imported packages in exceptional cases:

REPO.EDIT_IMPORTED_OBJECTS: This privilege authorizes all kinds of inactive changes to design-time objects in imported packages.

REPO.ACTIVATE_IMPORTED_OBJECTS: This privilege authorizes the user to activate or reactivate design-time objects in imported packages.

REPO.MAINTAIN_IMPORTED_PACKAGES: This privilege authorizes the user to update or delete imported packages, or create subpackages of imported packages.

In the SAP HANA studio, you can manage the repository system privileges together with the other system privileges on the System Privileges tab:

REPO.EXPORT: This privilege authorizes the user to export, for example, delivery units.

REPO.IMPORT: This privilege authorizes the user to import transport archives.

REPO.MAINTAIN_DELIVERY_UNITS: This privilege authorizes the user to maintain delivery units (DU, DU-vendor must equal system-vendor).

REPO.WORK_IN_FOREIGN_WORKSPACE: This privilege authorizes the user to work in a foreign inactive workspace.

Image 77: Analytic privileges

Analytic Privileges are used in the SAP HANA database to provide fine-grained control of what data particular users can see for Analytic use. They provide the ability for row-level authorization, based on the values in one or more columns.

All Attribute Views, Analytic Views, and Calculation Views, which have been designed in the modeler and have been activated from the modeler of the HANA studio, are automatically supported by the Analytic Privilege mechanism.


If you are already familiar with the authorization model of SAP NetWeaver Business Warehouse (SAP NetWeaver BW), you will see many similarities between the two models.

The overall idea behind Analytic Privileges is the reuse of Analytic Views by different users. However, the different users may not be allowed to see the same data. For example, different regional sales managers, who are only allowed to see sales data for their regions, could reuse the same Analytic View. They would get the Analytic Privilege to see only data for their region, and their queries on the same view would return the corresponding data. This is a major difference from the SAP NetWeaver BW model. While the concept itself is very similar, SAP NetWeaver BW would forward an error message if you executed a query that would return values you are not authorized to see. With the SAP HANA database, the query would be executed and, corresponding to your authorization, only the values you are entitled to see would be returned.

An Analytic Privilege consists of several restrictions. Three of these restrictions are always present and have the following special meanings:

- One restriction (cube restriction) determines for which column views (Attribute, Analytic, or Calculation Views) the privilege is used. This may involve a single view, a list of views or, by means of a wildcard, all applicable views.

- One restriction (activity restriction) determines the affected activity, for example, READ. This means that the activity READ is restricted and not available for use.

- One restriction (validity restriction) determines at what times the privilege is valid.

In addition to these three restrictions, many additional dimension restrictions are used. These are applied to the actual attributes of a view. Each dimension restriction is relevant for one dimension attribute, which can contain multiple value filters. Each value filter is a tuple of an operator and its operands, which is used to represent the logical filter condition. For example, a value filter (EQUAL 2014) can be defined for a dimension attribute YEAR in a dimension restriction to filter accessible data using the condition YEAR=2014 for potential users.

Only dimension attributes, and no measures or key figures, can be employed in dimension restrictions.


Image 78: Analytic Privilege - Start creation wizard

In general, the user has access to an individual, independent view (Attribute, Analytic, or Calculation View) if the following prerequisites are met:

- The user was granted the SELECT privilege on the view or the containing schema.

- The user was granted an Analytic Privilege that is applicable to the view. An Analytic Privilege is applicable to a view if it contains the view in the Cube restriction and contains at least one filter on one attribute of this view.

No SELECT privilege on the underlying base tables or views of this view is required.


Image 79: SAP HANA – authorization Runtime access control


Image 80: Analytic Privilege - Select Information Models

Analytic Privilege-Capable Views

The Analytic Privilege mechanism is automatically enforced for all three kinds of views that can be defined using the information modeler:

- Attribute Views

- Analytic Views

- Calculation Views


Image 81: Analytic Privilege - Editor Overview


Image 82: Analytic Privilege Select field for attribute restriction

When relevant Analytic Privileges are found for the current user and the query directed to the particular view, the evaluation process ensures that, according to the value filters specified in the Dimension restrictions, the appropriate view data is presented to the user.

In particular:

- Within one Dimension restriction, all value filters on the corresponding dimension attribute are combined with logical OR.

- Within one Analytic Privilege, all Dimension restrictions are combined with logical AND.

- Multiple Analytic Privileges are combined with logical OR.

For example, if there is only one Analytic Privilege found with two Dimension restrictions, YEAR=2008 and COUNTRY=US, the user is only allowed to see data fulfilling the condition YEAR=2008 AND COUNTRY=US.

However, if these two conditions were put in two different Analytic Privileges found for this user and this view, the user is allowed to see more data, namely the OR combination of the filters of the individual Analytic Privileges: YEAR=2008 OR COUNTRY=US.

Operators for defining value filters in the restrictions of analytic privileges:

- IN <list of scalar values>

- CONTAINSPATTERN <pattern with *>

- EQUAL (=), LESSEQUAL (<=), LESSTHAN (<), GREATERTHAN (>), GREATEREQUAL (>=) <scalar value>

- BETWEEN <scalar value as lower limit> <scalar value as upper limit>

- IS_NULL and NOT_NULL: IS_NULL filters rows with null values in the corresponding attribute, NOT_NULL filters rows with non-null values in the attribute.

- All filter operators, except IS_NULL and NOT_NULL, accept empty strings (“ “) as filter operands. Examples: IN (“ “, “A”, “B”); as lower limit in comparison operators, e.g. BETWEEN (“ “, “XYZ”)

Image 83: Analytic Privilege - Activation

In an Analytic Privilege, in addition to static value filters, the filtering conditions can also be determined by a stored procedure.


With this approach the filtering conditions that apply for a specific user are determined at run-time, when querying a specific table or view. This allows a more scalable approach where the same analytic privilege can be applied to multiple users, with different authorization requirements. An Analytic Privilege where a procedure is used to determine the authorized values is also called a Dynamic Analytic Privilege.

The procedure used in a Dynamic Analytic Privilege must have the following signature:

- No input parameters

- Only 1 output parameter as table type with one single column for the IN operator

- Only 1 output parameter of a scalar type for all unary operators, such as EQUAL

- Only 2 output parameters of a scalar type for the binary operator BETWEEN

Further restrictions apply as documented in the SAP HANA Developer Guide available on the SAP Help Portal.
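The combination rules, the value-filter operators and the run-time resolution used by Dynamic Analytic Privileges can be modeled in a few lines of Python. This is an added example, not SAP code and not part of the course material; the class and function names, the SALES view, the sample rows and the user-to-country mapping are constructed. The validity restriction is left out, and CONTAINSPATTERN is assumed to match the whole value.

```python
"""Model of analytic-privilege evaluation (added example, not SAP code)."""
import operator
import re
from dataclasses import dataclass

_CMP = {"EQUAL": operator.eq, "LESSEQUAL": operator.le, "LESSTHAN": operator.lt,
        "GREATERTHAN": operator.gt, "GREATEREQUAL": operator.ge}
# Operand counts that differ from the default of 1; IN takes any number.
_OPERAND_COUNT = {"BETWEEN": 2, "IS_NULL": 0, "NOT_NULL": 0}


@dataclass
class ValueFilter:
    op: str
    operands: object = ()  # static tuple, or a zero-argument callable (dynamic)

    def resolve(self):
        """Return the operands; a dynamic filter calls its procedure at query time."""
        vals = tuple(self.operands() if callable(self.operands) else self.operands)
        if self.op != "IN" and len(vals) != _OPERAND_COUNT.get(self.op, 1):
            raise ValueError(f"{self.op}: wrong number of operands: {vals!r}")
        return vals

    def matches(self, value):
        vals = self.resolve()
        if self.op == "IS_NULL":
            return value is None
        if self.op == "NOT_NULL":
            return value is not None
        if value is None:          # every other operator rejects null values
            return False
        if self.op == "IN":
            return value in vals
        if self.op == "BETWEEN":   # both limits inclusive, as in SQL BETWEEN
            return vals[0] <= value <= vals[1]
        if self.op == "CONTAINSPATTERN":
            pattern = re.escape(vals[0]).replace(r"\*", ".*")
            return re.fullmatch(pattern, str(value)) is not None
        return _CMP[self.op](value, vals[0])


@dataclass
class AnalyticPrivilege:
    views: set        # cube restriction; "*" stands for all applicable views
    dimensions: dict  # dimension attribute -> list of ValueFilter

    def applicable_to(self, view):
        """Applicable if the view is in the cube restriction and a filter exists."""
        in_cube = "*" in self.views or view in self.views
        return in_cube and any(self.dimensions.values())

    def allows(self, row):
        # OR within one dimension restriction, AND across dimension restrictions.
        return all(any(f.matches(row.get(attr)) for f in filters)
                   for attr, filters in self.dimensions.items())


def query(view, rows, has_select, privileges):
    """Return only the rows the user may see; deny if a prerequisite is missing."""
    if not has_select:
        raise PermissionError("no SELECT privilege on the view or its schema")
    found = [p for p in privileges if p.applicable_to(view)]
    if not found:
        raise PermissionError("no applicable analytic privilege")
    # Multiple analytic privileges are combined with OR.
    return [r for r in rows if any(p.allows(r) for p in found)]


# Constructed sample data for a hypothetical view named SALES.
ROWS = [
    {"YEAR": 2008, "COUNTRY": "US", "AMOUNT": 10},
    {"YEAR": 2008, "COUNTRY": "DE", "AMOUNT": 20},
    {"YEAR": 2009, "COUNTRY": "US", "AMOUNT": 30},
    {"YEAR": 2009, "COUNTRY": "DE", "AMOUNT": 40},
    {"YEAR": 2009, "COUNTRY": None, "AMOUNT": 50},
]

# Stand-in for the procedure of a dynamic privilege: no input parameters,
# one single-column result for the IN operator, looked up per session user.
SESSION_USER = "MANAGER_DE"
USER_COUNTRY = {"MANAGER_DE": ["DE"], "MANAGER_US": ["US"]}


def countries_for_session_user():
    return USER_COUNTRY.get(SESSION_USER, [])


def amounts(rows):
    return [r["AMOUNT"] for r in rows]


if __name__ == "__main__":
    year = AnalyticPrivilege({"SALES"}, {"YEAR": [ValueFilter("EQUAL", (2008,))]})
    country = AnalyticPrivilege({"SALES"}, {"COUNTRY": [ValueFilter("EQUAL", ("US",))]})
    both = AnalyticPrivilege({"SALES"}, {**year.dimensions, **country.dimensions})
    print("one privilege, two restrictions:", amounts(query("SALES", ROWS, True, [both])))
    print("two privileges:", amounts(query("SALES", ROWS, True, [year, country])))
```

Splitting the two restrictions across two privileges widens access from one row to three, which is the effect to check for when a user holds several roles that each carry an analytic privilege on the same view.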

Image 84: Dynamic analytic privileges


Image 85: Sample dynamic analytic privileges


Image 86: Analytic Privilege Check


Image 87: Analytic Privileges Caveats


Image 88: Ownership of Privileges


Image 89: System privileges Ownership, granting


Image 90: Object Privileges Ownership, granting


Image 91: Package privileges Ownership, granting


Image 92: Analytic Privileges / Structured Privileges Ownership, granting


Image 93: Information Consumers (I) Required privileges for reading from views


Image 94: Information Consumers (II) Required privileges for reading from views


Image 95: Information Consumers (III) Required privileges for reading from views


Image 96: Information Consumers (IV) Required privileges for reading from views


Image 97: Recursive revoking of privileges Take care when dropping users or revoking privileges


Exercise 1 : Maintaining Users and Authorizations

After completing this exercise, you will be able to:

• Create roles

• Assign privileges to a role

• Create a user

• Assign roles to a user

• Create an analytic privilege

Task 1: Create a role “ROLE_ANALYTIC_##”, where ## is your group ID and assign the following roles and privileges to your new role. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role. Add the Object Privilege REPOSITORY_REST with privilege EXECUTE. Add a Package Privilege to give access to repository package sap/hana/democontent/epm/models and assign authorization REPO.READ. Then deploy the role and confirm that the role has been created. Perform this task with SYSTEM user.

1. Create a role “ROLE_ANALYTIC_##” where ## is your group ID.

2. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role.

3. Add the Object privilege REPOSITORY_REST with privilege EXECUTE to your role.

4. Add a Package Privilege to give access to repository package sap.hana.democontent.epm.models and assign authorization REPO.READ.

5. Deploy the role and confirm that the role has been created.

Task 2:

Create a user named USER##, where ## is your group ID. Assign the role you have just created to this user. Then confirm that your user has been created.

After you have created the user successfully, you can log on and add the user to the Navigator View of the HANA studio. Then confirm that your user’s schema has been created under Catalog.

1. Create a user named USER##, where ## is your group ID.

2. Assign the role ROLE_ANALYTIC_##, where ## is your group ID, to this user.

3. Confirm that your user has been created.

4. Add the user to the Navigator View of the HANA studio.

Task 3:

Check if the user USER## is authorized to access the Analytic View AN_PURCHASE_OVERVIEW.

1. Check if the user USER## is authorized to access the Analytic View AN_PURCHASE_OVERVIEW.

Task 4:

Create a new analytic privilege, AP_PURCHASE_OVERVIEW_DE, in the package sap.hana.democontent.epm.models.

This analytic privilege should give access to the Analytic View sap.hana.democontent.epm.models.AN_PURCHASE_OVERVIEW with restriction to the attribute SUPPLIER_COUNTRY = DE.

1. Navigate to the Modeler Perspective and create a new analytic privilege AP_PURCHASE_OVERVIEW_DE, in the Package sap.hana.democontent.epm.models.

Task 5:

Add the new analytic privilege to your role ROLE_ANALYTIC_## using the user USER##. Then test the authorizations of user USER## by selecting the Analytic View AN_PURCHASE_OVERVIEW.

1. Add the new analytic privileges to your role ROLE_ANALYTIC_##.

2. Select the Analytic View AN_PURCHASE_OVERVIEW to test the authorizations.

Task 6:


You need a user with authorizations for database administration. This database administrator should perform the following tasks:

- All actions that any DB administrator will expect they are allowed to do and that are not specific to data schemas or repository packages.

- All backup-related tasks.

- Create new database schemas and import and export catalog objects.

Create the roles which allow performing these administrative tasks.

1. Create a new role BASIC_ADMIN.

This role collects all actions that any DB administrator will expect they are allowed to do and that are not specific to data schemas or repository packages. Therefore the following privileges should be granted:

| Privilege | What does it do? |
| --- | --- |
| System privilege CATALOG READ | Read access to all metadata of the database catalog. Among other things, required to enter into the administration editor of SAP HANA studio |
| System privilege SERVICE ADMIN | Start and stop individual services (processes) of the database |
| System privilege INIFILE ADMIN | Modify the database configuration |
| System privilege TRACE ADMIN | Start and stop database traces, change the trace levels of the kernel trace |
| System privilege SESSION ADMIN | Kill sessions |
| System privilege VERSION ADMIN | Trigger garbage collection of the database’s version history (part of MVCC implementation) |
| System privilege LICENSE ADMIN | Install or delete license key |
| SELECT on schema _SYS_STATISTICS | Read alerts of the statistics server process |

2. Create a new role BACKUP_ADMIN.

This role allows all backup-related tasks, such as creating a database backup or managing the backup catalog or deleting backups from disk. Therefore the following privileges should be granted:

| Privilege | What does it do? |
| --- | --- |
| System privilege CATALOG READ | Read access to all metadata of the database catalog |
| System privilege BACKUP ADMIN | Access to all backup functionalities except for restore (which requires OS user credentials) |

3. Create a new role DATA_ADMIN.

This role defines a user who can create new database schemas directly in the catalog and import and export catalog objects. Therefore the following privileges should be granted:

| Privilege | What does it do? |
| --- | --- |
| System privilege CREATE SCHEMA | Create new schemas directly in the database catalog |
| System privilege EXPORT | Export catalog objects to the DB server (csv/binary) or to the client machine |
| System privilege IMPORT | Import catalog objects from the DB server (csv/binary) or from the client machine |

Task 7:

Create a user named ADMIN##, where ## is your group ID. Assign the database administration roles you have just created to this user. Then confirm that your user has been created.

After you have created the user successfully, you can log on and add the user to the Navigator View of the HANA studio. Then confirm that your user’s schema has been created under Catalog.

1. Create a user named ADMIN##, where ## is your group ID.

2. Assign the roles BASIC_ADMIN, BACKUP_ADMIN, and DATA_ADMIN to this user.

3. Confirm that your user has been created.

4. Add the user to the Navigator View of the HANA studio.

Task 8:

Check the authorizations of the user ADMIN##.

1. Check if the user ADMIN## is authorized to export table TRAIN00.PRODUCTS.

2. Check if the user ADMIN## is authorized to perform a backup.

3. Check if the user ADMIN## is authorized to change configuration parameters.

Solution of the Exercise 1

Task 1:

Create a role “ROLE_ANALYTIC_##”, where ## is your group ID and assign the following roles and privileges to your new role. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role. Add the Object Privilege REPOSITORY_REST with privilege EXECUTE. Add a Package Privilege to give access to repository package sap/hana/democontent/epm/models and assign authorization REPO.READ. Then deploy the role and confirm that the role has been created. Perform this task with SYSTEM user.

1. Create a role “ROLE_ANALYTIC_##” where ## is your group ID.

a) Log on to the SAP HANA studio with SYSTEM user.

b) Choose Administration Perspective: Window → Open Perspective → Other... → Administrative Console.

c) Expand the content of the SAP HANA system → Security → Roles.

d) Right-click Roles → New Role.

e) Give your role the following name: ROLE_ANALYTIC_##. Save (CTRL+S).

2. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role.

a) Select the Object Privileges tab and click +.

b) Search for Object Privilege _SYS_BI, highlight it, and click OK.

c) Select the object that has just been added.

d) Scroll to the right, and assign the privilege SELECT to object _SYS_BI.

e) Repeat the same steps for the Object Privilege _SYS_BIC.


Unit 4: General Security Requirements and Solutions


Lesson: Introduction

Image 98: Learning Objective


Image 99: Scenario


Image 100: SAP HANA Authentication Options

User Name/Password Authentication

Users accessing the SAP HANA database authenticate themselves by entering their database user name and password.

Kerberos

A Kerberos authentication provider can be used to authenticate users accessing SAP HANA in the following ways:

- Directly from ODBC and JDBC database clients within a network (for example, the SAP HANA studio)

- Indirectly from front-end applications such as SAP BusinessObjects applications using Kerberos delegation

- Via HTTP access by means of SAP HANA Extended Services (SAP HANA XS). In this case, Kerberos authentication is enabled with Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO).

Security Assertion Markup Language (SAML)

A SAML bearer assertion can be used to authenticate users accessing SAP HANA directly from ODBC/JDBC database clients. SAP HANA can act as service provider to authenticate users accessing via HTTP by means of SAP HANA XS.

SAP Logon and Assertion Tickets


Users can be authenticated by logon or assertion tickets issued to them when they log on to an SAP system that is configured to create tickets (for example, the SAP Web Application Server or Portal).

X.509 Client Certificates

For HTTP access to SAP HANA by means of SAP HANA XS, users can be authenticated by client certificates signed by a trusted Certification Authority (CA), which can be stored in the SAP HANA XS trust store.

Image 101: SAP HANA Authentication User configuration for authentication and SSO


Image 102: Single Sign-On Introduction

Kerberos

A user who connects to the database using an external authentication provider must also have a database user known to the database. SAP HANA maps the external identity to the identity of an internal database user.

Security Assertion Markup Language (SAML)

A user who connects to the database using an external authentication provider must also have a database user known to the database. SAP HANA maps the external identity to the identity of an internal database user.

SAP Logon and Assertion Tickets

To implement SAP logon/assertion tickets, the user specified in the logon/assertion ticket must already exist in SAP HANA; there is no support for user mapping.

X.509 Client Certificates

To implement X.509 client certificates, the user specified in the certificate must already exist in SAP HANA; there is no support for user mapping.


Image 103: Kerberos Introduction

Kerberos is a network authentication protocol that provides authentication for client-server applications across an insecure network connection using secret-key cryptography.

ODBC and JDBC database clients support the Kerberos protocol, for example, the SAP HANA studio. Access from front-end applications (for example, SAP BusinessObjects XI applications) can also be implemented using Kerberos delegation.

Note however that constrained delegation and protocol transition are not supported.

Kerberos is supported for HTTP access via SAP HANA XS with Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). It is up to the HTTP client whether it uses Kerberos directly or SPNEGO.


Image 104: Kerberos Prerequisites

Image 105: Kerberos Configuration: ODBC/JDBC

In distributed SAP HANA systems that use Kerberos delegation (SSO2DB), application disruptions resulting from expired authentication are avoided through the use of session cookies.

This mechanism is active by default but can be disabled in the indexserver.ini file with the session_cookie_for_kerberos parameter.

Figure: Mapping the new DB user to Windows Active Directory user (External ID).

Image 106: Kerberos Configuration: SPNEGO

Changing the Service User Password

Since the keys stored in the key tab are generated from the Service User password, you should change the Service User password periodically.

After the password has been changed, the key tab has to be either created again or extended to contain the new key(s), since a password change implies an increment of the Key Version Number (kvno).
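
The kvno mismatch described above can be checked directly against the keytab file. The following added example (not part of the SAP course material) parses the MIT keytab file format and reports whether the key version the KDC now issues is present; the principal, realm and kvno values are constructed sample data.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"  # keytab file format version 0x502


def read_counted(data, pos):
    """Read a 16-bit length-prefixed string; return (text, new position)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Return a list of (principal, kvno, enctype); key bytes are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = read_counted(data, p)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, keylen = struct.unpack_from(">HH", data, p + 9)
        p += 9 + 4 + keylen
        kvno = vno8
        if end - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries


def kvno_coverage(entries, principal, kdc_kvno):
    """Return (kvnos present for principal, whether kdc_kvno is among them)."""
    present = sorted({k for name, k, _ in entries if name == principal})
    return present, kdc_kvno in present


def make_entry(principal, realm, kvno, enctype=18, key=b"\x00" * 32):
    """Serialize one entry with a dummy all-zero key (constructed sample data)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for text in [realm] + comps:
        raw = text.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                  # 32-bit kvno
    return struct.pack(">i", len(body)) + body


# Constructed scenario: the keytab was written at kvno 3, then the Service User
# password changed, so the KDC now issues tickets for kvno 4.
SPN = "HTTP/hana01.example.com@EXAMPLE.COM"          # hypothetical principal
OLD_KEYTAB = KEYTAB_MAGIC + make_entry("HTTP/hana01.example.com", "EXAMPLE.COM", 3)
EXTENDED_KEYTAB = OLD_KEYTAB + make_entry("HTTP/hana01.example.com", "EXAMPLE.COM", 4)

if __name__ == "__main__":
    for label, blob in (("before", OLD_KEYTAB), ("extended", EXTENDED_KEYTAB)):
        present, ok = kvno_coverage(parse_keytab(blob), SPN, kdc_kvno=4)
        print(label, "kvnos:", present, "covers KDC kvno 4:", ok)
```
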

Image 107: Kerberos Troubleshooting

Image 108: SAML Introduction

SAML provides the mechanism by which the identity of users accessing the SAP HANA database from client applications is authenticated by XML-based assertions issued by a trusted identity provider. The internal database user to which the external identity is mapped is used for authorization checks during the database session.

Image 109: SAML: What is SAML?

Image 110: SAML: How it works?

Image 111: SAML Assertion Specification

SAP HANA supports plain SAML 2.0 assertions as well as unsolicited SAML responses that include an unencrypted SAML assertion. SAML assertions and responses must be signed using XML signatures.

Image 112: SAML User Mapping

Image 113: SAML Prerequisites

Image 114: SAML Configuration in HANA Studio

Image 115: SAML Configuration for XS Engine APPs

Image 116: X.509 Certificates Introduction

Image 117: X.509 Certificates Prerequisites

Image 118: X.509 Certificates Configuration Overview

Image 119: X.509 Usage

Image 120: SAP Logon and Assertion Tickets SAP Logon Tickets

Image 121: SAP Logon and Assertion Tickets SAP Assertion Tickets

Image 122: SAP Logon and Assertion Tickets Prerequisites: Trust Store

Image 123: SAP Logon and Assertion Tickets Prerequisites: User Configuration

Image 124: SAP Logon and Assertion Tickets Configurations

Image 125: SAP Logon and Assertion Tickets Usage

Image 126: SAP HANA – encryption

Image 127: SAP HANA – Certified 3rd party backup tools

Image 128: SAP HANA – network security

Image 129: Summary

Exercise 2: Configure Encryption

Exercise Objectives

After completing this exercise, you will be able to:

• Configure Data Volume Encryption

Task:

Configure Data Volume Encryption using the Security editor in SAP HANA Studio.

1. Activate Data Volume Encryption

2. Monitor the progress of the data volume encryption.

Solution: Configure Encryption

Task:

Configure Data Volume Encryption using the Security editor in SAP HANA Studio.

1. Activate Data Volume Encryption

a) In the Systems view in SAP HANA studio, choose Security and open the Data Volume Encryption tab.

b) Choose: Encrypt data volumes.

c) Choose the Deploy button.

2. Monitor the progress of the data volume encryption.

a) Choose the Refresh button to monitor the status of the data volume encryption.

During encryption the status “Encryption running ...” is displayed. The status “Encrypted” indicates that the data volumes are encrypted.

Lesson: SAP GRC Integration for Governance Risk and Compliance

Image 130: Learning Objective

Image 131: Scenario

Image 132: SAP HANA – data center integration

SAP HANA supports standard and documented interfaces to enable integration with customer security network and datacenter infrastructures.

Image 133: SAP solutions for GRC Integrated suite and endorsed partner solutions

Image 134: SAP Access Control Manage access risk and prevent fraud

SAP Access Control enables customers to manage access risk and prevent fraud.

Automation is the key here.

Note: This slide reads starting at the 1 o’clock slot with Analyze Risk.

Through this set of capabilities, SAP Access Control helps you to:

• Get clean (analyze risk)

• Stay clean (manage access and maintain roles)

• Stay in control (certify authorizations and monitor privileges)

Image 135: SAP Access Control 10.1 System Components and Plugins

Image 136: Usage Scenario Comprehensive, pre-defined rule set

• SAP Access Control is delivered with a comprehensive rule set based on business process and best practice experience.

• Technical rules are delivered for SAP ERP, Oracle, JD Edwards, and PeopleSoft.

• Business risks are identified across 10 business processes, and technical rules for additional systems can easily be mapped to these risks.

Terminology:

Business Process

The business area categories in which you would like to report Risk analysis results.

Risk

An opportunity for physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a specific condition.

Function

A Function is a grouping of one or more related Actions and/or Permissions for a specific business area.

Action

An activity that is performed in the system in order to fulfill a specific Function, for example, Create Purchase Order or Create Material Master Record.

Action = Transaction Code

Permission

An authorization that allows a user to perform a particular activity in a system.

Permission = Authorization Object

Rule

A Rule is a one-to-one transaction code conflict. One Risk can have many Rules.
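
How these terms fit together in a segregation-of-duties check, as an added example that is not part of the SAP course material or the delivered rule set. It assumes a Risk is modeled as a pair of conflicting Functions (an assumption; the text above defines only the terms); the function, risk and role names and their transaction-code assignments are constructed sample data.

```python
from itertools import product

# Constructed sample data, not taken from the SAP Access Control rule set.
FUNCTIONS = {                        # Function -> Actions (transaction codes)
    "F_CREATE_PO": {"ME21N", "ME22N"},
    "F_GOODS_RECEIPT": {"MIGO"},
}
RISKS = {                            # Risk -> pair of conflicting Functions (assumed model)
    "R_PO_GR": ("F_CREATE_PO", "F_GOODS_RECEIPT"),
}
ROLES = {                            # Role -> Actions the role grants
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_DISPLAY": {"ME23N"},
}


def generate_rules(risks, functions):
    """Expand each Risk into one Rule per conflicting pair of Actions."""
    rules = []
    for risk_id, (left, right) in sorted(risks.items()):
        for a, b in product(sorted(functions[left]), sorted(functions[right])):
            rules.append((risk_id, a, b))
    return rules


def analyze_user(user_roles, roles, rules):
    """Return each violated Rule with the roles that supply either side of it."""
    granted = {}                     # action -> set of roles granting it
    for role in user_roles:
        for action in roles[role]:
            granted.setdefault(action, set()).add(role)
    findings = []
    for risk_id, a, b in rules:
        if a in granted and b in granted:
            findings.append((risk_id, a, b, sorted(granted[a]), sorted(granted[b])))
    return findings


if __name__ == "__main__":
    rules = generate_rules(RISKS, FUNCTIONS)
    print(len(rules), "rules generated for", len(RISKS), "risk")
    for finding in analyze_user(["Z_BUYER", "Z_WAREHOUSE"], ROLES, rules):
        print("violation:", finding)
```

The role attribution in each finding shows which assignment to remove or mitigate to clear the conflict.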

Image 137: Access Risk Definition based on SAP HANA Security Model Function Actions

Image 138: Access Risk Definition based on SAP HANA Security Model Function Permissions

Image 139: Example 1 SoD Risk Analyse in SAP HANA

Image 140: Example 1 Analysis Criteria & Result Screen

Image 141: Example 2 Critical Action Risk Analyse in SAP HANA

Image 142: DEMO 2 Analysis Criteria & Result Screen

Image 143: Usage Scenario Self-service access request and approval process

Workflow driven by SAP Business Workflow technology helps to eliminate manual tasks and make it faster and easier for users to obtain the access that they need in a compliant manner.

Pull user details from HR, LDAP, or IdM systems to leverage a single authoritative source and make the process easier on the end user.

Image 144: User Provisioning in SAP HANA Supported and Unsupported Scenarios

Image 145: Access Request for a New User in SAP HANA Including assignment of HANA Role & Analytical Privilege (Runtime)

Image 146: Request Approval Can Include SoD-Risk Analysis and Mitigation Control Assignment

Image 147: Access Request for New User in SAP HANA Provisioned User in HANA Studio

Image 148: SAP Basis Risk from SAP GRC Standard Rule Set Risks that may be applicable to SAP HANA

Image 149: Requirements and Best Practices in Security Administration that are currently hard to implement in SAP HANA

Lesson: SAP Netweaver Identity Management integration

Image 150: Learning Objective

Image 151: Scenario

Image 152: SAP HANA – data center integration

SAP HANA supports standard and documented interfaces to enable integration with customer security network and datacenter infrastructures.

Image 153: SAP NetWeaver Identity Management Introduction

Ensure that people have the correct authorizations in the back-end systems!

Image 154: SAP NetWeaver Identity Management Holistic identity management approach

Holistic identity management Approach

With SAP NetWeaver identity management, SAP offers integrated identity management capabilities for heterogeneous system landscapes (SAP and non-SAP software), driven by business processes.

Central identity store: The central store consolidates identity data from different source systems (example: SAP HCM) and then distributes this information to the target systems.

Approval Workflows: Workflows distribute the responsibility for authorization assignments to the different business process owners and managers.

Identity Virtualization / Identity as a service: The data within SAP NetWeaver identity management can be accessed using services and standard protocols such as LDAP.

SAP Business Suite Integration: The integration of HCM as one of the possible source systems for identity information is a key functionality for enabling business-driven identity management.

Compliance Checks / GRC: The integration with SAP BusinessObjects Access Enforcer offers extensive functions for assuring compliance and segregation of duties in the role and authorization assignment process.

Definition and Rule-Based Assignment of Business Roles: You can define different rule sets for the assignment of roles to users. This means that the assignment can be performed automatically based on attributes of the identity.

Monitoring and Audit: Provides auditors with one central place to check employees’ authorizations in all systems. This information is also available for the past.

Password Management: Centralized password management reduces calls to the help desk for password resets, and enables password provisioning across heterogeneous landscapes.

Distribution of Users and Role Assignments: Handles user accounts and role assignments of SAP and non-SAP applications.

Image 155: SAP Identity Management 8.0 SP0 Product road map overview – key themes and capabilities

Image 156: SAP Identity Management Capabilities

Image 157: SAP NetWeaver Identity Management Use cases


Page 179: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: SAP Netweaver Identity Management integration

Image 158: SAP NetWeaver Identity Management Example of integration with HR Processes


Page 180: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: SAP Netweaver Identity Management integration

Image 159: Main changes in IdM 8.0 compared to IdM 7.2 (1 of 2)


Page 181: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: SAP Netweaver Identity Management integration

Image 160: Main changes in IdM 8.0 compared to IdM 7.2 (2 of 2)


Page 182: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: SAP Netweaver Identity Management integration

Image 161: HANA connector for SAP NetWeaver Identity Management Introduction


Page 183: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: SAP Netweaver Identity Management integration

Image 162: HANA connector for SAP NetWeaver Identity Management Use cases


Page 184: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Lesson: Authorization, Security and Scenarios

Image 163: Learning Objective


Page 185: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 164: Scenario


Page 186: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 165: SAP HANA Extended Application Services (XS) Introduction


Page 187: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 166: Traditional 3-tier applications (Java, ABAP)


Page 188: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 167: User handling in XS Plain DB user

Plain DB User Scenario

Since the same user is used on all levels, the roles that are assigned to the user must contain all privileges that the user needs to execute the application.

• homogeneous way of granting all privileges

• working with personal DB users requires that the HANA user base is maintained properly; this can be a complex and expensive process (creation and deletion of users, and especially updates to the roles they should have)


Page 189: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 168: User handling in XS SQLCC scenario (best practice for stand-alone XS Apps)

SQLCC Scenario

The logon user maps to a personal DB user, but this user is used on the XS level only; the DB activities run via sqlcc connections and thus use a technical user.

• the necessary SQL privileges are granted to the SQLCC user only; the logon user just needs the XS application privileges -> no security risk anymore

• maintaining the personal DB users is still complex (see above)


Page 190: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 169: User handling in XS Anonymous section scenario

Anonymous Section Scenario

No logon is enforced; XS privilege checks will thus fail and must be avoided.

OData services and plain DB access from xsjs are only possible in packages with a configured default connection.

User-specific instance filtering is, for obvious reasons, not possible.


Page 191: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 170: User handling in XS Technical user scenario

"Technical User Scenario" (maybe we need a better name for this)

The logon may be successful without mapping to a DB user; XS will continue working as long as no user is required: XS privilege checks will fail, plain DB access is not possible.

To support DB access, packages must be configured with a default connection. All SQL connections (xsjs and OData) are then opened for the configured sqlcc user, which is thus used for checking all SQL privileges.

+ the necessary SQL privileges are granted to the technical user(s) only -> no security hole

+ no personal DB users are used -> no User Maintenance nightmare

- if multiple technical users are used (not the case for HPAs), the User Maintenance nightmare is replaced with the still difficult task of defining a mapping of logon users to the few technical users

Since XS application privileges cannot be used, the application must use other means to protect its semantics in a fine-grained way. The HPAs use the HDB_AUTHORITY_CHECK. To support this, XS provides access to the name of the logged-on user. The ABAP client and the schema of the ABAP tables must be provided to the HPA, for example via static configuration.


Page 192: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 171: Application Privileges Introduction


Page 193: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 172: Application Privileges Details

The application privileges referenced in the role definition (for example, Display and View) are actually defined in an application-specific .xsprivileges file which also contains entries for additional privileges.

The package where the .xsprivileges file resides defines the scope of the application privileges; the privileges specified in the .xsprivileges file can only be used in the package where the file resides (or any sub-packages). This is checked during activation of the .xsaccess file and at runtime by the XS JavaScript API $.session.(has|assert)AppPrivilege().

The privileges are authorized for use with an application by inserting the authorization keyword into the corresponding .xsaccess file. Like the .xsprivileges file, the .xsaccess file must reside either in the root package of the application to which the privilege authorizations apply or the specific subpackage which requires the specified authorizations.

Note:

If a privilege is inserted into the .xsaccess file as an authorization requirement, a user must have this privilege to access the application package where the .xsaccess file resides. If there is more than one privilege, the user must have at least one of these privileges to access the content of the package.
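The two rules above (package scope of a privilege, and "at least one" of several listed privileges) can be checked offline before activation. The following review helper is an added illustration, not SAP code or course material; it models the rules as stated here, and all package names, privilege names and file contents in it are constructed.

```javascript
// Added illustration, not SAP code: offline review of XS application-privilege
// settings. All package names, privileges and file contents are constructed.

// Parsed .xsprivileges content, keyed by the package the file resides in.
var XSPRIVILEGES = {
  "acme.sales": { privileges: [
    { name: "Display", description: "Read sales data" },
    { name: "Edit", description: "Change sales data" }
  ] },
  "acme.hr": { privileges: [{ name: "Display", description: "Read HR data" }] }
};

// Parsed .xsaccess content, keyed by the package the file resides in.
var XSACCESS = {
  "acme.sales": { exposed: true, authorization: ["acme.sales::Display", "acme.sales::Edit"] },
  "acme.sales.admin": { exposed: true, authorization: ["acme.sales::Edit"] },
  "acme.sales.export": { exposed: true, authorization: ["acme.hr::Display"] },
  "acme.sales.typo": { exposed: true, authorization: ["acme.sales::Dispaly"] }
};

// Split "package::Name" into its parts; null when the entry is malformed.
function parsePrivilege(qualified) {
  var parts = String(qualified).split("::");
  if (parts.length !== 2 || !parts[0] || !parts[1]) { return null; }
  return { pkg: parts[0], name: parts[1] };
}

// A privilege is usable in its defining package and in any sub-package.
// The trailing dot keeps "acme.salesforce" from matching "acme.sales".
function inScope(definingPkg, usingPkg) {
  return usingPkg === definingPkg || usingPkg.indexOf(definingPkg + ".") === 0;
}

// True when the privilege is listed in the .xsprivileges file of its package.
function isDefined(priv) {
  var file = XSPRIVILEGES[priv.pkg];
  return !!file && file.privileges.some(function (p) { return p.name === priv.name; });
}

// Findings for the .xsaccess file of one package.
function reviewPackage(pkg) {
  var findings = [];
  var entries = (XSACCESS[pkg] || {}).authorization || [];
  entries.forEach(function (entry) {
    var priv = parsePrivilege(entry);
    if (!priv) {
      findings.push({ entry: entry, kind: "malformed" });
    } else if (!isDefined(priv)) {
      findings.push({ entry: entry, kind: "undefined" });
    } else if (!inScope(priv.pkg, pkg)) {
      findings.push({ entry: entry, kind: "out-of-scope" });
    }
  });
  return findings;
}

// Access decision for one .xsaccess file: with several privileges listed,
// holding any one of them is enough.
function canAccess(pkg, userPrivileges) {
  var required = (XSACCESS[pkg] || {}).authorization || [];
  // Choice made by this helper: a file that lists no privilege requires none.
  if (required.length === 0) { return true; }
  return required.some(function (entry) { return userPrivileges.indexOf(entry) !== -1; });
}

// Review every package and return only those with findings.
function reviewAll() {
  var report = {};
  Object.keys(XSACCESS).forEach(function (pkg) {
    var findings = reviewPackage(pkg);
    if (findings.length > 0) { report[pkg] = findings; }
  });
  return report;
}

console.log(JSON.stringify(reviewAll(), null, 2));
```

Inside an XSJS service, the run-time counterpart of `canAccess` is the `$.session.hasAppPrivilege()` / `$.session.assertAppPrivilege()` API named above.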


Page 194: Sap Ha240 en Col09 Hana Sp09

Unit 4: General Security Requirements and Solutions Lesson: Authorization, Security and Scenarios

Image 173: Server Side JavaScript Security Considerations

Note: If you want to create your own XS application, consult the SAP HANA Development Guide. It describes best practices for writing the application from a security standpoint.

The following list illustrates the areas where special attention is required to avoid security-related problems when writing server-side JavaScript. Each of the problems highlighted in the list is described in detail in its own dedicated section:

SSL/HTTPS

Enable secure HTTP (HTTPS) for inbound communication required by an SAP HANA application.

Injection flaws

In the context of SAP HANA Extended Application Services (SAP HANA XS) injection flaws concern SQL injection that modifies the URL to expand the scope of the original request.

Cross-site scripting (XSS)


Web-based vulnerability that involves an attacker injecting JavaScript into a link with the intention of running the injected code on the target computer.

Broken authentication and session management

Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.

Insecure direct object references

An application lacks the proper authentication mechanism for target objects.

Cross-site request forgery (XSRF)

Exploits the trust boundaries that exist between different Web sites running in the same web browser session.

Incorrect security configuration

Attacks against the security configuration in place, for example, authentication mechanisms and authorization processes.

Insecure cryptographic storage

Sensitive information such as logon credentials is not securely stored, for example, with encryption tools.

Missing restrictions on URL Access

Sensitive information such as logon credentials is exposed.

Insufficient transport layer protection

Network traffic can be monitored, and attackers can steal sensitive information such as logon credentials or credit-card data.

Invalid redirects and forwards

Web applications redirect users to other pages or use internal forwards in a similar manner.

XML processing issues

Potential security issues related to processing XML as input or to generating XML as output
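For the injection item in the list above, the following added example (not SAP code and not from the course material) contrasts a statement built by string concatenation with one that binds the request value, using the XSJS `$.db` calls `prepareStatement`, `setString` and `executeQuery`. The table, column and function names are constructed, and the connection is passed in as a parameter so that the code also runs offline against the recording stub included in the block.

```javascript
// Added example, not SAP code: two XSJS-style lookups written against the
// $.db connection calls prepareStatement / setString / executeQuery.
// Table, column and function names are constructed.

// Weak: the request value becomes part of the statement text.
function findOrdersConcatenated(conn, customerId) {
  var sql = "SELECT ORDER_ID, AMOUNT FROM ORDERS WHERE CUSTOMER_ID = '" + customerId + "'";
  var pstmt = conn.prepareStatement(sql);
  return pstmt.executeQuery();
}

// Hardened: constant statement text, request value bound as data.
var ORDERS_BY_CUSTOMER = "SELECT ORDER_ID, AMOUNT FROM ORDERS WHERE CUSTOMER_ID = ?";

function findOrdersBound(conn, customerId) {
  var pstmt = conn.prepareStatement(ORDERS_BY_CUSTOMER);
  pstmt.setString(1, String(customerId));
  return pstmt.executeQuery();
}

// Offline stand-in for a $.db connection (constructed). Instead of running
// SQL it returns what the database would have received: the statement text
// and the bound parameters.
function recordingConnection() {
  return {
    prepareStatement: function (sql) {
      var params = {};
      return {
        setString: function (index, value) { params[index] = value; },
        executeQuery: function () { return { sql: sql, params: params }; }
      };
    }
  };
}

// Run both variants for one request value and return what each one sends.
function compare(customerId) {
  var conn = recordingConnection();
  return {
    concatenated: findOrdersConcatenated(conn, customerId),
    bound: findOrdersBound(conn, customerId)
  };
}

// Constructed request value that tries to widen the WHERE clause.
var SAMPLE_INPUT = "C100' OR '1'='1";

console.log(JSON.stringify(compare(SAMPLE_INPUT), null, 2));
```

In the concatenated variant the statement text itself changes with the request value; in the bound variant the text stays constant and the value travels only as parameter 1.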


Page 197: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization, Security and Scenarios

Unit 5. Authorization trace and Auditing


Page 198: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Lesson: Authorization trace

Image 174: Learning Objective


Page 199: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 175: Scenario


Page 200: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 176: Authorization Trace Prerequisites


Page 201: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 177: Procedure: How to use authorization trace

For additional information, see the following SAP Note:

1809199 - SAP HANA DB: Debugging user authorization errors


Page 202: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 178: Procedure: How to use authorization trace Activate the trace


Page 203: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 179: Procedure: How to use authorization trace Reproduce the issue


Page 204: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 180: Procedure: How to use authorization trace Deactivate the trace


Page 205: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 181: Procedure: How to use authorization trace Analyze the trace


Page 206: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 182: Procedure: How to use authorization trace Object IDs


Page 207: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 183: Additional information

In the definition of the analytical privileges, pay attention to two restrictions with the restriction types CUBERESTRICTION and DIMENSIONRESTRICTION: this analytical privilege grants access to a view only if the view is included in one of the cube restrictions and at least one of its attributes is used by one of the dimension restrictions.

Without specific authorization, a user can only see privileges granted to himself in the system views EFFECTIVE_PRIVILEGES and STRUCTURED_PRIVILEGES. This is sufficient for users to find out which analytical privileges they are missing.


Page 208: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Authorization trace

Image 184: Summary


Page 209: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Exercise 3 : Authorization trace

Exercise 8: Authorization Trace

1. Log in to the HANA Database using your STUDENTXX user (where XX corresponds to your group ID)

2. Check the Attribute View “HA240_AT_CUSTOMERS” under the package “TRAINING”

3. Log in to the HANA Database with the USERXX user (where XX corresponds to your group ID)

4. Preview the content of “HA240_AT_CUSTOMERS” view under the package “TRAINING”

5. Using STUDENTXX activate the trace for user USERXX

6. Try again to preview the content as per step number 4

7. Deactivate the trace

8. Analyze the trace

9. Assign to user USERXX the relevant privileges using the Analytic Privilege HA240_AP_CUSTOMERS under package TRAINING

10. Try again to preview the content as per step number 4

11. Close the connections.

12. This completes the exercise.


Page 210: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 185: Exercise 3 :Solution Task 1 - 2


Page 211: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 186: Exercise 3 :Solution Task 2 - 3

3. Log in to the HANA Database with the USERXX user (where XX corresponds to your group ID)

a. Right-click the T64 system entry and select “Add System with different User Name…”

b. Fill in the user name and password with the following data.

Name        Property
----------------------
User name   USERXX
Password    Training1

4. Preview the content of “HA240_AT_CUSTOMERS” view under the package “TRAINING”

a. Navigate to Content > TRAINING > Attribute Views > HA240_AT_CUSTOMERS

b. Right-click the name of the view and select Data Preview


Page 212: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 187: Exercise 3 :Solution Task 4

c. An error is shown


Page 213: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 188: Exercise 3 :Solution Task 5


Page 214: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 189: Exercise 3 :Solution Task 5; the end of the task.


Page 215: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 190: Exercise 3 :Solution Task 6 and 7


Page 216: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 191: Exercise 3 :Solution Task 8


Page 217: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 192: Exercise 3 :Solution Task 8 and the end of the task


Page 218: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 193: Exercise 3: Solution Task 9


Page 219: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 194: Exercise 3:Solution Task 10


Page 220: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Exercise 3 : Authorization trace

Image 195: Exercise 3: The end of the exercise

11. Close the connections. This completes the exercise.


Page 221: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Auditing

Lesson: Auditing

Image 196: Learning Objective

Around 20 percent of respondents in North America and 31 percent in EMEA say one or more of their co-workers have used administrative privileges to reach confidential or sensitive information.

The auditing feature of the SAP HANA database allows you to track actions performed in the database: who did what (or tried to do what), and when.

SAP HANA provides audit actions for critical security events and for access to sensitive data. Both successful and unsuccessful events can be logged.

For each audit policy, you must specify whether successful events, unsuccessful events, or both are audited.

Audit logging is not enabled by default.


Page 222: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Auditing

Image 197: Audit with audit activity

The first step in using the audit activity is to enable this function, as shown in the screenshot above.

To do this, you need the system privilege AUDIT ADMIN.

Currently, the configuration parameters for auditing are stored in the global.ini configuration file, in the auditing configuration section.

As for all configuration parameters, these parameters can be selected in view M_INIFILE_CONTENTS, assuming that the current user has the required privileges.

System Views

AUDIT_POLICIES: All audit policies and their states.

M_INIFILE_CONTENTS: Configuration parameters concerning auditing.

AUDIT_LOG: Audit log.

Only database users with system privilege CATALOG READ, DATA ADMIN or INIFILE ADMIN can view information in the M_INIFILE_CONTENTS view. For other database users this view will be empty.


Page 223: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Auditing

Image 198: Audit action

Main topics of audit actions are:

• Backup deletions

• Data definitions

• Data queries

• Encryption

• Granting and revoking authorizations

• License deletion and installation

• Procedure executions

• Repository content operations

• User and role management


Page 224: Sap Ha240 en Col09 Hana Sp09

Unit 5. Authorization trace and Auditing Lesson: Auditing

Image 199: Enable Audit Policy in SAP HANA Studio

Only compatible audit actions can be combined in the same policy, so compatible audit actions have been grouped together. When you select an action, those actions that are not compatible with the selected action become unavailable for selection.

If you need to audit two incompatible audit actions, you need to create two separate audit policies.

In addition to the actions to be audited, an audit policy specifies additional parameters that further narrow the number of events actually audited.

• Audited action status
  – On successful execution
  – On unsuccessful execution
  – On both successful and unsuccessful execution


• Target object
  – Tables
  – Views
  – Procedures

• Audited user
  – Individual users can be included or excluded

• Audit level
  – EMERGENCY
  – ALERT
  – CRITICAL
  – WARNING
  – INFO

When an audit policy is triggered, that is, when an action in the policy occurs under the conditions defined in the policy, an audit entry is created in the audit trail.

Firefighter logging logs all actions performed by a specific user. This covers not only all actions that can be audited individually, but also actions that cannot otherwise be audited. Such a policy is useful if you want to audit the actions of a particularly privileged user.

Note: Some actions cannot be audited using database auditing even with a policy that includes all actions, in particular, system restart and system recovery.

Caution: Firefighter logging may generate a lot of audit entries, so only enable it if required.

Audit entries written to the table are only accessible through the public system view AUDIT_LOG. Only SELECT operations can be performed on this view by users with the system privilege AUDIT OPERATOR or AUDIT ADMIN.


Image 200: Events that Can be Audited

Changes to user authorization

• Create/drop user, create/drop role

• Grant/revoke role

• Grant/revoke SQL privilege, system privilege, analytical privilege

• Create/drop analytical privilege

• Create/drop and alter structured privilege

Authentication of users

• Connection attempts of users to the database

Changes to system configuration

• Changes to system configuration, e.g. ini file

• Uninstall and install license key

• Set system license/unset system license all


Access to or changing of sensitive data

You can specify the following database objects to be audited:

• Tables

• Views

• Procedures

Both write and read access to data can be recorded:

• SELECT

• INSERT

• UPDATE

• DELETE

• EXECUTE


Changes to system configuration

As of SPS08, the previous values of parameters are written to the audit trail if audit logging for configuration changes is enabled.

Hint: Only actions that take place inside the database engine can be audited. If the database engine is not online when an action occurs, it cannot be detected and therefore cannot be audited. These actions are, for example, an upgrade of an SAP HANA database instance or direct changes to system configuration files using operating system commands.

Activation of Audit Policies

Auditing is implemented through the creation and activation of audit policies. An audit policy defines the actions to be audited, as well as the conditions under which the action must be performed to be relevant for auditing. For example, actions in a particular policy are audited only when they are performed by a particular user on a particular object. When an action occurs, the audit policy is triggered and an audit event is written to the audit trail.

The following slides give an overview of how to configure and switch on audit logging.


Image 201: Audit Logging – Infrastructure

When an audit policy is triggered, an audit entry is created in the audit trail. The audit trail is written to Linux syslog or to an internal system table.

• Linux syslog

The logging system of the Linux operating system (syslog) is a secure storage location for the audit trail because not even the database administrator can access or change it. There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, the syslog is the default log daemon in UNIX systems. The syslog therefore provides a high degree of flexibility and security, as well as integration into a larger system landscape. For more information about how to configure syslog, refer to the documentation of your operating system.


• Database table

– Using an SAP HANA database table as the target for the audit trail makes it possible to query and analyze auditing information quickly. It also provides a secure and tamper-proof storage location.
– The audit trail is stored in an internal column store table in the _SYS_AUDIT schema of the SAP HANA database.
– Audit entries are only accessible through the public system view AUDIT_LOG. Only SELECT operations can be performed on this view by users with system privilege AUDIT ADMIN or AUDIT OPERATOR.
– To avoid the audit table growing too large, it is possible to delete old audit entries.

Note: For test purposes in non-production systems, you can also use a CSV text file as the audit trail. A separate CSV file is created for every service that executes SQL.

Hint: As of SPS08, multiple audit trail targets can be configured.

• System-wide default: Audit entries are written to the audit trail target(s) configured for the system if no other trail target has been configured per audit level.

• Audit level (optional): Audit entries from audit policies with the audit level EMERGENCY, CRITICAL, or ALERT are written to the specified audit trail target(s). If no audit trail target is configured, entries are written to the audit trail target configured for the system.


Image 202: Viewing the audit trail

If the audit trail target is a database table, you can avoid the audit table growing indefinitely by deleting audit entries created up until a certain time and date.

Caution: All information in the audit trail that is older than the specified time and date is deleted immediately.

If auditing is active, certain actions are always audited and are therefore not available for inclusion in user-defined audit policies. In the audit trail, these actions are labeled with the internal audit policy MandatoryAuditPolicy.

Mandatory audit actions:

• Creation, modification, or deletion of audit policies

• Deletion of audit entries from the audit trail. This only applies if audit entries are written to column store database tables.

• Changes to auditing configuration, that is:


– Enabling or disabling auditing

– Changing the audit trail target

– Changing the location of the audit trail target if it is a CSV text file


Image 203: System settings for auditing


Image 204: Audit Policy Example


Exercise 4 : Auditing

Exercise Objectives

After completing this exercise, you will be able to:

• Configure audit logging

• Enable an audit policy

Business Example

Task:

Enable audit logging and activate an audit policy which records read access on table PRODUCTS and an audit policy which records system configuration changes.

Use Database Table as audit trail target.

Then perform a select on table PRODUCTS and check the resulting entry in the audit trail.

1. Enable audit logging and use Database Table as audit trail target.

2. Activate an audit policy which records read access on table PRODUCTS.

3. Activate an audit policy which records system configuration changes.

4. Perform a select on table PRODUCTS and check the resulting entry in the audit trail.


Image 205: Exercise 4 :Solution Audit Exercise

Solution Auditing

Task:

Enable audit logging and activate an audit policy which records read access on table PRODUCTS and an audit policy which records system configuration changes. Use Database Table as audit trail target. Then perform a select on table PRODUCTS and check the resulting entry in the audit trail.

1. Enable audit logging and use Database Table as audit trail target.

a) In the Systems view in SAP HANA studio, choose Security and open the Auditing tab.


b) Choose Enabled for the auditing status and Database Table for the audit trail target.

c) Choose the Deploy button.

2. Activate an audit policy which records read access on table PRODUCTS.

a) In the Systems view in SAP HANA studio, choose Security and open the Auditing tab.

b) Select the Audit Policies tab and click +.

c) Enter a name for the audit policy (for example: READ ACCESS).

d) Select the Audited Actions tab.
Choose the “....” button to open the Edit Actions ... dialog.
Choose Data Query and Manipulation → SELECT for audited actions.

e) Exclude user _SYS_REPO from the audit policy.
Select the Users tab.
Choose the “....” button to open the Select Users dialog.

f) Select user _SYS_REPO and choose Add.
Choose “Exclude selected users from policy” and choose OK.

g) Select table PRODUCTS (SYS_REPO) for auditing.
Select the Target Object tab.

h) Select table PRODUCTS (SYS_REPO) and choose Add.
Choose OK.

i) Choose the Deploy button.

3. Activate an audit policy which records system configuration changes.


a) In the Systems view in SAP HANA studio, choose Security and open the Auditing tab.

b) Select the Audit Policies tab and click +.

c) Enter a name for the audit policy (for example: CONFIG CHANGES).

d) Select the Audited Actions tab.
Choose the “....” button to open the Edit Actions ... dialog.
Choose Session Management and System Configuration → SYSTEM CONFIGURATION CHANGE for audited actions.

e) Choose the Deploy button.

4. Perform a select on table PRODUCTS and check the resulting entry in the audit trail.

a) Right-click the HANA system that uses the ‘SYSTEM’ user for the connection and select SQL Console.

b) Enter the SQL command below to select from table PRODUCTS and execute it by clicking the little white arrow in a green circle (F8 – Execute):

select * from "SYS_REPO"."PRODUCTS"

c) To check the resulting entry in the audit trail (database table), enter the SQL command below:

select TIMESTAMP, USER_NAME, AUDIT_POLICY_NAME, STATEMENT_STRING from "PUBLIC"."AUDIT_LOG"
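The exercise above, together with the firefighter logging and audit-trail housekeeping described in the lesson, expressed as SQL console statements. This is an added example and not part of the original course material. Assumptions not taken from the course text: the global.ini key names and the CSTABLE value, the EXCEPT FOR clause, the audited action status and audit level chosen for each policy, the hypothetical user FIREFIGHTER_01 and policy name "FIREFIGHTER LOG", and the constructed timestamp.

```sql
-- Added example: SQL equivalent of the SAP HANA studio steps in Exercise 4.
-- Policy names READ ACCESS and CONFIG CHANGES and the table
-- "SYS_REPO"."PRODUCTS" are the ones used in the exercise.

-- 1. Enable auditing and use the database table as audit trail target.
--    Assumed key names in the "auditing configuration" section of global.ini.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

-- Confirm the settings. The view is empty unless the user holds
-- CATALOG READ, DATA ADMIN or INIFILE ADMIN.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM "PUBLIC"."M_INIFILE_CONTENTS"
 WHERE SECTION = 'auditing configuration';

-- 2. Record read access on table PRODUCTS, excluding user _SYS_REPO.
--    Assumptions: status SUCCESSFUL, level INFO, and that the EXCEPT FOR
--    clause is available on the revision in use.
CREATE AUDIT POLICY "READ ACCESS"
  AUDITING SUCCESSFUL SELECT ON "SYS_REPO"."PRODUCTS"
  EXCEPT FOR _SYS_REPO
  LEVEL INFO;
ALTER AUDIT POLICY "READ ACCESS" ENABLE;

-- 3. Record system configuration changes, successful or not.
--    Assumptions: status ALL, level INFO.
CREATE AUDIT POLICY "CONFIG CHANGES"
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL INFO;
ALTER AUDIT POLICY "CONFIG CHANGES" ENABLE;

-- Firefighter logging from the lesson: audit every action of one user.
-- FIREFIGHTER_01 is a hypothetical user; expect a high volume of entries.
CREATE AUDIT POLICY "FIREFIGHTER LOG"
  AUDITING ALL ACTIONS FOR FIREFIGHTER_01
  LEVEL CRITICAL;
ALTER AUDIT POLICY "FIREFIGHTER LOG" ENABLE;

-- All audit policies and their states.
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL,
       IS_AUDIT_POLICY_ACTIVE, EVENT_ACTION
  FROM "PUBLIC"."AUDIT_POLICIES";

-- 4. Trigger the read policy, then inspect the audit trail.
--    Reading AUDIT_LOG requires AUDIT OPERATOR or AUDIT ADMIN.
SELECT * FROM "SYS_REPO"."PRODUCTS";

-- The policy creations above also appear here, under MandatoryAuditPolicy,
-- because changes to audit policies are always audited.
SELECT TIMESTAMP, USER_NAME, AUDIT_POLICY_NAME, STATEMENT_STRING
  FROM "PUBLIC"."AUDIT_LOG"
 WHERE AUDIT_POLICY_NAME IN ('READ ACCESS', 'CONFIG CHANGES',
                             'MandatoryAuditPolicy')
 ORDER BY TIMESTAMP DESC;

-- Housekeeping for the table target: delete entries up to a point in time.
-- Everything older is removed immediately, and the deletion itself is
-- recorded under MandatoryAuditPolicy. Constructed timestamp; left
-- commented out so the script does not delete anything by default.
-- ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2015-01-01 00:00:00';
```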


Unit 6 Integrative authorization Scenarios


Lesson : Scenarios introduction

Image 206: Learning Objective


Image 207: Scenario


Image 208: SAP HANA Scenario Overview of different scenario types

Traditional 3-tier application
Classical architecture with client, application server, and SAP HANA used as a database for the NetWeaver platform.

Data mart (3-tier or 2-tier)
HANA is used as a data mart platform to load data from external sources and to execute analyses and queries on that data using end-user clients or analytics applications (Business Object BI Platform).

Native 2-tier application
In this architecture the XS Engine component is used and the HANA platform acts as both database and application server. In this case all the server components are provided by the HANA platform.


Image 209: Traditional 3-tier application Database migration to HANA

End-user authorizations

All the authorization and user management functionality previously used in NetWeaver is still valid and working after the migration. No change here.

Developers

All the ABAP development and customizing can still be done using the same authorizations as before. No change here.

Administrators

The basis administrators working on the application server can still work using the same authorizations. No change here.

All the administrators working at the database level can still use the DBA Cockpit transaction or create a specific user with specific authorizations at the database level.


Image 210: Integrated Scenario Reporting in ERP Data in SAP HANA

In this case HANA is used as the database to which data is replicated (side-car) or in which it resides (NetWeaver on HANA). In addition to the standard access via the application server (see the previous scenario), you also want to access the data in HANA directly, and this requires a user at the database level with specific authorizations.


Image 211: Integrated Scenario Reporting on BW Data in SAP HANA

- Starting with BW 740 SP5, BW can automatically generate views, including HANA privileges, based on BW privileges.
- These HANA privileges are always automatically assigned to a HANA role that is also automatically generated.
- This role is automatically granted to all database users in HANA if they fulfil the following requirements:
  - For each database user in HANA, a corresponding BW user exists (either configured in SU01, or via name matching BW user <-> HANA database user).
  - The BW user is authorized to execute queries on the respective InfoProvider.
- Recommendation: To regularly update the HANA authorizations from the BW authorizations, schedule a regular process chain in BW for this.


Image 212: Integrated Scenario Users generation from ABAP


Image 213: Data Mart Customer-specific analytic reporting on SAP HANA


Image 214: HANA as Web Application Server Native applications built on SAP HANA XS


Image 215: Summary


Lesson : Scenario BW + SAP-HANA Desired consistency of authorization between BW and SAP-HANA

Image 216: Learning Objective


Image 217: Scenario


Image 218: SAP HANA Model Generation The Idea behind


Image 219: SAP HANA Model Generation Access data from BW and SAP HANA Studio


Image 220: SAP HANA Model Generation Prerequisites when Replicating BW Authorizations to SAP HANA


Image 221: SAP HANA Model Generation Characteristics


Image 222: SAP HANA Model Generation Representation of BW Authorizations in SAP HANA


Image 223: SAP HANA Model Generation Pre-requisites in BW (1/2)


Image 224: SAP HANA Model Generation Users generation from ABAP


Image 225: SAP HANA Model Generation Pre-requisites in BW (2/2)

Analysis authorizations must be created. The analysis authorizations must be defined for all characteristics flagged as authorization-relevant in the InfoProvider. They must also contain all technical characteristics for the InfoProvider, the key figures and the activity.


Image 226: SAP HANA Model Generation Generating the View and the Authorizations


Image 227: SAP HANA Model Generation Role content in SAP HANA


Image 228: SAP HANA Model Generation Filter String in BW


Image 229: SAP HANA Model Generation Pre-requisites in SAP HANA for reporting user


Image 230: Summary


Exercise 5: BW authorizations reuse by SAPHANA

Image 231: Exercise 5 :Business Background


Image 232: Exercise 5 :Initial situation


Image 233: Exercise 5 :The cube ZH240_00


Image 234: Exercise 5 :Task 1


Image 235: Exercise 5 :Task 2


Image 236: Exercise 5 :Task 3


Page 269: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 237: Exercise 5 :Task 4


Page 270: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 238: Exercise 5 :Task 5


Page 271: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 239: Exercise 5 :The result


Page 272: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 240: Exercise 5 : Solution Task 1


Page 273: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 241: Exercise 5 : Solution Task 2 and 3


Page 274: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 242: Exercise 5 : Deep technical look in the table


Page 275: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 243: Exercise 5 : Solution Task 4


Page 276: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 244: Exercise 5 : Solution Task 5


Page 277: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 245: Exercise 5 : Solution Task 5/2


Page 278: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 5: BW authorizations reuse by SAPHANA

Image 246: Exercise 5 : the goal that was to be reached


Page 279: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Lesson : BI4 and HANA Integration

Image 247: Learning Objective


Page 280: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Image 248: Reporting on HANA 1.0 with BI 4 Client and connectivity options

What does BI 4 mean?

BI 4 is short for SAP BusinessObjects Business Intelligence platform 4.0.

SAP BusinessObjects Business Intelligence (BI) platform provides flexible systems management for an enterprise BI standard that allows administrators to confidently deploy and standardize their BI implementations on a proven, scalable, and adaptive service-oriented architecture.


Page 281: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Image 249: Reporting on HANA 1.0 with BI 4 BI User Provisioning


Page 282: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Image 250: Reporting on HANA 1.0 with BI 4 SAP HANA + BI: What Are My Authentication Options?


Page 283: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Image 251: Reporting on HANA 1.0 with BI 4 SSO with credential mapping


Page 284: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Image 252: Reporting on HANA 1.0 with BI 4 SSO with Kerberos

Configuration steps

Step 1: Active Directory
• Create the keytab
• Set up the SPNs on the Domain Controller

Step 2: HANA
• Install the Kerberos client
• Copy the keytab from the AD server and set up the krb5.conf file
• Enable Kerberos for a HANA user and enter an External ID for the user
• Add the user to HANA Studio to test SSO

Step 3: BOE
• Copy the krb5.conf from the HANA server and create the bscLogin.conf
• Configure the web application server for Kerberos
• Configure the BI4 service account for Kerberos
• Configure Webi Rich Client, Information Design Tool (IDT), APS, Explorer for Kerberos

Refer to this for more information: SAP Note 1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory


Page 285: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Image 253: Reporting on HANA 1.0 with BI 4 SSO with SAML

Configuration Steps

1. Enter HANA server details

2. Generate a certificate on the BI side to import into the HANA server

3. Once both systems are set up, the user can test the connection from the CMC directly to validate the setup


Page 286: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Image 254: Reporting on HANA 1.0 with BI 4 Summary


Page 287: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Image 255: Reporting on HANA 1.0 with BI 4 What can be secure and where?


Page 288: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : BI4 and HANA Integration

Image 256: Summary


Page 289: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 257: Reuse of ERP Authorization using SAP HANA Live


Page 290: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 258: Learning Objective


Page 291: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 259: Scenario 1 Expose SAP HANA views in ERP


Page 292: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 260: Integrated Scenario Reporting in ERP Data in SAP HANA

In this case HANA is used as the database to which data is replicated (side-car) or in which it resides (NetWeaver on HANA). In addition to the standard access via the application server (see previous scenario), you would also like to access the data in HANA directly; this requires a user at the database level with specific authorizations.


Page 293: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 261: Analytics Authorization Assistant Introduction

With the SAP HANA Live Authorization Assistant, you can give users the authorizations in the SAP HANA system that are required to access business data displayed by the virtual data model of SAP HANA Live. For this, the SAP HANA Live Authorization Assistant takes into account the permissions that the same users already have in the ABAP-based Business Suite application. See SAP Note 1796718 for details on this tool.


Page 294: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 262: Analytics Authorization Assistant Benefit

You can select multiple query views for multiple users and create analytic privileges for all the query views. You do not need to manually check for privileges in the SAP ABAP system and manually create privileges for each query view. Hence, the mass process available with this tool reduces the effort required to create analytic privileges for query views. The existing analytic privileges can be reused between different users.


Page 295: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 263: Analytics Authorization Assistant Installation Overview


Page 296: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 264: Analytics Authorization Assistant Installation pre-requisites

For more information, refer to the Administration guide on SAP Service Marketplace at http://service.sap.com/instguides SAP In-memory Computing SAP HANA Live for SAP Business Suite (Section 4.3.5 Download and Deploy Content Package).

The _SYS_REPO user should have the SQL Execute privilege on REPOSITORY_REST with the Grantable to others option selected.

You have replicated the tables USRBF2 and UST12 from the ABAP-based system where you want to create the authorizations.


Page 297: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 265: Analytics Authorization Assistant Installation steps

* The two available plug-ins are Analytic Authorization Assistant and Analytic Authorization Assistant — Metadata. If the user does not want to enter new metadata and only generates analytic privileges with SAP delivered metadata, then you require only Analytic Authorization Assistant plug-in. For more information, refer to the Administration guide on SAP Service Marketplace at http://service.sap.com/instguides SAP In-memory Computing SAP HANA Live for SAP Business Suite (Section 4.3.5 Download and Deploy Content Package).


Page 298: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 266: Analytics Authorization Assistant Key content after the installation

The developer role is needed to maintain additional metadata for custom views.


Page 299: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 267: Analytics Authorization Assistant Implementation

There are two main tools available with AAA that are downloaded from SMP:

• Generate Analytic Privileges (this also includes the Update Privileges function)
• Maintain Analytics Meta Data


Page 300: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 268: Analytics Authorization Assistant Steps to generate privileges

If you have selected views that use tables from multiple SAP HANA schemas, you can then select a schema in this step from where the user authorizations will be taken.

A role is automatically generated with the name ROLE_<abap user name> and the generated privilege is automatically assigned to this role. If this role already exists (from a previous generation), the new privilege will be added to the role.

Note: Do not manually modify any analytic privilege or roles generated by the tool.


Page 301: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 269: Analytics Authorization Assistant Steps to update privileges

With the SAP HANA Live Authorization Assistant, you can also update analytic privileges generated earlier using SAP HANA Live Analytics Authorization Assistant. When you make changes in the ABAP authorizations, the changes are reflected in the SAP HANA authorization tables through replication. The update analytic privilege tool identifies the changes in the ABAP authorizations and new restrictions are created when you run the tool. The valid analytic privileges are retained in the role and newly created analytic privileges are added. If the analytic privilege is not valid, it is removed from the role and if analytic privilege is not assigned to any role, it is deleted. The tool only checks if the analytic privilege is assigned to the role.
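The update rules described above can be modeled as a small reconciliation over role assignments. The following Python sketch is an added illustration, not SAP code: the view names, restriction values and role contents are constructed, and it assumes that "valid" means the privilege's restriction still matches what the replicated ABAP authorizations yield.

```python
"""Model of the update rules the text gives for generated analytic privileges.

Added illustration, not SAP code. The view names, role contents and
restriction values are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AnalyticPrivilege:
    view: str               # query view the privilege applies to (hypothetical names)
    restriction: frozenset  # attribute values the user may see


def update_role(role, roles, abap_restrictions):
    """Re-derive the privileges of one generated role.

    roles             -- {role name: set of AnalyticPrivilege}, all generated roles
    abap_restrictions -- {view: set of values} derived from the replicated
                         ABAP authorizations of the role's user
    Returns (roles after the update, report of what happened).
    """
    current = roles.get(role, set())
    wanted = {AnalyticPrivilege(v, frozenset(r)) for v, r in abap_restrictions.items()}

    retained = current & wanted   # still valid: kept in the role
    added = wanted - current      # new restriction: privilege added to the role
    removed = current - wanted    # no longer valid: taken out of the role

    after = {name: set(privs) for name, privs in roles.items()}
    after[role] = retained | added

    # Only role assignment is checked: a removed privilege is deleted
    # when no role holds it any more.
    assigned = set().union(*after.values())
    deleted = removed - assigned

    return after, {"retained": retained, "added": added,
                   "removed": removed, "deleted": deleted}


def demo():
    wide = AnalyticPrivilege("SalesOrderQuery", frozenset({"1000", "2000"}))
    cost = AnalyticPrivilege("CostCenterQuery", frozenset({"CC10"}))
    # Two users share the same generated privilege through their roles.
    roles = {"ROLE_ALICE": {wide, cost}, "ROLE_BOB": {wide}}

    # Alice loses value 2000 in the ABAP system; her cost center access is unchanged.
    roles, first = update_role(
        "ROLE_ALICE", roles,
        {"SalesOrderQuery": {"1000"}, "CostCenterQuery": {"CC10"}})
    # Bob's ABAP authorization is narrowed the same way afterwards.
    roles, second = update_role("ROLE_BOB", roles, {"SalesOrderQuery": {"1000"}})
    return roles, first, second


if __name__ == "__main__":
    final_roles, first, second = demo()
    for label, report in (("ROLE_ALICE", first), ("ROLE_BOB", second)):
        print(label, {k: sorted(p.view for p in v) for k, v in report.items()})
```

In the first run the outdated privilege leaves ROLE_ALICE but survives because ROLE_BOB still holds it; it is deleted only once the second run removes the last role assignment.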


Page 302: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 270: Analytics Authorization Assistant Maintain additional meta-data

SAP delivers the required metadata for all the relevant query views of the virtual data model. For customer created views, the metadata is defined with the view as specific properties. To view the SAP delivered metadata, open the respective query view and navigate to Properties Analytics Metadata Maintain Metadata. In addition, you can use this tool to maintain metadata for views created using tables from the ERP system. You can add more rows by pressing the + button to map your own attributes to ABAP fields


Page 303: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 271: Summary


Page 304: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 6 : HANA Live Analytic Authorization assistant

Exercise 6 : HANA Live Analytic Authorization assistant Exercise 8: Authorization HANA Live Authorization Assistant.

In this exercise you will learn how to use HANA Live Authorization Assistant.

1. Login to the HANA Database using your STUDENTXX user.

2. Generate the Analytic Privilege

3. Check the generated role and analytic privilege.

4. Close the connections.

5. This completes the exercise.

Solution for the exercise on the Authorization Assistant

Image 272: Exercise 6 : Solution Slide1


Page 305: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 6 : HANA Live Analytic Authorization assistant

Image 273: Exercise 6 : Solution Slide2


Page 306: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 6 : HANA Live Analytic Authorization assistant

Image 274: Exercise 6 : Solution Slide3


Page 307: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 6 : HANA Live Analytic Authorization assistant

Image 275: Exercise 6 : Solution Slide4

3. Check the generated role and analytic privilege.


Page 308: Sap Ha240 en Col09 Hana Sp09

Unit 6 Integrative authorization Scenarios Exercise 6 : HANA Live Analytic Authorization assistant

Image 276: Exercise 6 :Solution Slide5

4. Close the connection. This completes the exercise.


Page 309: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Exercise 6 : HANA Live Analytic Authorization assistant

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud


Page 310: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson : Multitenant

Lesson : Multitenant

Image 277: Learning Objective


Page 311: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson : Multitenant

Image 278: Multiple-Host Systems with Multitenant Database Containers

A multiple-container system has exactly one system database.

It is created during system installation or migration from a single-container system. It contains the data and users for system administration.

System administration tools, such as the SAP HANA studio, can connect to this database. The system database stores overall system landscape information, including knowledge of the tenant databases that exist in the system.

However, it doesn't own database-related topology information, that is, information about the location of tables and table partitions in databases.

Database-related topology information is stored in the relevant tenant database catalog


Page 312: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson : Multitenant

Image 279: Overview

All the databases in the same multiple-container system share:

• The same installation of database system software.
• The same computing resources.
• The same system administration.

However, each database is self-contained and fully isolated with its own:

• Set of database users
• Database catalog
• Repository
• Persistence
• Backups
• Traces and logs

Although database objects such as schemas, tables, views, procedures, and so on are local to the database, cross-database SELECT queries are possible!

This supports in particular cross-application reporting in MCOS (multiple components in one system) scenarios.


Page 313: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson : Multitenant

Image 280: Multiple-Host System with Multitenant Database Containers


Page 314: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson : Multitenant

Image 281: MDC and its Users

SYSTEM is the database super user. It has irrevocable system privileges, such as the ability to create other database users, access system tables, and so on.

In a system with multitenant database containers, the SYSTEM user of the system database has additional privileges for managing tenant databases, for example, creating and dropping databases, changing configuration (*.ini) files of databases, and performing database-specific data backups.


Page 315: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson: HANA Enterprise Cloud

Lesson: HANA Enterprise Cloud

Image 282: Learning Objective


Page 316: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson: HANA Enterprise Cloud

Image 283: HANA Enterprise Cloud (HEC)


Page 317: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson: HANA Enterprise Cloud

Image 284: HANA Enterprise Cloud (HEC)

The fundamental security architecture of the HEC infrastructure is the principle of a private cloud.

This means each customer will receive an isolated, logical grouping of several virtual machines and physical systems. All customer networks are completely isolated from each other.

HEC administrative tasks will be done using management networks.


Page 318: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson: HANA Enterprise Cloud

Image 285: Details for Customer Landscapes


Page 319: Sap Ha240 en Col09 Hana Sp09

Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud Lesson: HANA Enterprise Cloud

Image 286: Details for Network Integration


Page 320: Sap Ha240 en Col09 Hana Sp09

Image 287: Security & Data Protection Requirements – Data Center (Building / Facilities)

Cloud-hosted customer environments must be operated in an SAP Tier Level III, III+ or IV classified data center to meet the physical security and operational compliance requirements of the customer.

For co-location data centers (non-SAP DC), access to SAP HEC infrastructure needs to be physically separated from other DC customers, e.g. using cages.


Page 321: Sap Ha240 en Col09 Hana Sp09

Image 288: Benefits HANA Enterprise Cloud Multi Layers of Defense


Page 322: Sap Ha240 en Col09 Hana Sp09

Image 289: Holistic Security & Compliance Approach


Page 323: Sap Ha240 en Col09 Hana Sp09

Image 290: Security, Compliance & Data Protection Processes: Internal Control System – Certifications as of today
