HA240_EN_Col11_FV_A4.pdf

HA240 SAP HANA Authorizations, Scenarios & Security Requirements Collection: 11 Material number: 50133569

www.sap.com

SAP SE Copyrights and Trademarks © 2016 SAP SE. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. x Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. x IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. x Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. x Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. x Oracle is a registered trademark of Oracle Corporation x UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. x Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. x HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. x Java is a registered trademark of Sun Microsystems, Inc. x LabNetscape. x SAP, SAP Fiori, SAP SAPUI5, R/3, SAP Fiori, SAP NW Gateway, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. x Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. x Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Lesson: SAP HANA Introduction and Overview

CONTENTS ABOUT THIS HANDBOOK .................................................................................................................................... 4 UNIT 1: INTRODUCTION INTO THE AREA OF SECURITY AND AUTHORIZATION ........................................ 5 Lesson: SAP HANA Introduction and Overview ................................................................................................ 6 Exercise 1: HANA Security administration interfaces ..................................................................................... 34 UNIT 2: REPOSITORY ......................................................................................................................................... 43 Lesson: Repository ............................................................................................................................................. 44 Demonstration 1: Work with Repository from HANA Studio and Web IDE ................................................... 53 UNIT 3: AUTHORIZATION INSIDE SAP HANA .................................................................................................. 57 Lesson: General Authorization Concept ........................................................................................................... 58 Lesson: Roles ...................................................................................................................................................... 66 Lesson: From Privileges and Roles Assignment to User Management ........................................................ 81 Exercise 2: Maintaining Users and Roles ....................................................................................................... 103 Lesson: Object Ownership ............................................................................................................................... 110 Lesson: Privileges ............................................................................................................................................. 115 Exercise 3: Create Classical Analytic Privileges............................................................................................ 153 Exercise 4: Create Dynamic Analytic Privileges ............................................................................................ 161 Exercise 5: Create SQL Analytic Privileges .................................................................................................... 165 Lesson: Information about users and authorizations ................................................................................... 169 UNIT 4: GENERAL SECURITY REQUIREMENTS AND SOLUTIONS ............................................................. 175 Lesson: Authentication and Single Sign-On .................................................................................................. 176 Lesson: Multitenant Database containers ...................................................................................................... 202 Lesson: Encryption ........................................................................................................................................... 215 Lesson: SAP GRC Integration for Governance Risk and Compliance ........................................................ 230 Lesson: SAP Netweaver Identity Management integration ........................................................................... 248 Lesson: Extended Application Services (XS) security and Application Privileges.................................... 256 UNIT 5: AUTHORIZATION TRACE AND AUDITING ........................................................................................ 269 Lesson: Authorization trace ............................................................................................................................ 270 Exercise 6: Authorization trace ........................................................................................................................ 279 Lesson: Audit Logging ..................................................................................................................................... 287 Exercise 7: Auditing .......................................................................................................................................... 299 UNIT 6: INTEGRATIVE AUTHORIZATION SCENARIOS ............................................................................... 301 Lesson: Scenarios introduction....................................................................................................................... 302 Lesson: Scenario BW + SAP HANA................................................................................................................. 313 Exercise 8: BW authorizations reuse by SAPHANA ..................................................................................... 327 Lesson: Business Object BI Platform 4.X and HANA Integration ................................................................ 344 Lesson : Reuse of ERP Authorizations in HANA Live and Smart Business Analytics applications ........ 355 UNIT 7: (OPTIONAL) HANA CLOUD SOLUTIONS........................................................................................... 377 Lesson: HANA Cloud Platform (HCP) security............................................................................................... 378 Lesson: HANA Enterprise Cloud security ...................................................................................................... 389

© 2016 Copyright. All rights reserved

HA240

3

Unit 1: Introduction into the Area of Security and Authorization

About This Handbook This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. American English is the standard used in this handbook. The following typographic conventions are also used: Use

Example/Visualization

Demonstration by Instructor A hint or advanced detail is shown or clarified by the instructor – please indicate reaching any of these points to the instructor Warning or Caution A word of caution – generally used to point out limitations or actions with potential negative impact that need to be considered consciously Hint A hint, tip or additional detail that helps increate performance of the solution or help improve understanding of the solution Additional information An indicator for pointing to additional information or technique beyond the scope of the exercise but of potential interest to the participant Discussion/Group Exercise Used to indicate that collaboration is required to conclude a given exercise. Collaboration can be a discussion or a virtual collaboration. User Interface Text Solution or SAP Specific term


Find the Flavor Gallery button E.g. Flavors are transaction specific screen personaslization created and rendered using SAP Screen Personas.

HA240

4



.


HA240

5



Figure 1: Learning Objective

The course material contains the security features available in SAP HANA SPS10 and also updates from HANA SPS11.


HA240

6


Figure 2: SAP HANA as the powerful center of any data flow

For on premise deployment, SAP HANA comes either preinstalled on certified hardware provided by an SAP hardware partner (appliance) or you can realize the installation self-reliant. But the prerequisite for that is SAP HANA must be installed on certified hardware by a certified administrator. The installation itself is part of the course HA200 and there is a special certificate E_HANAINSxxy.


HA240

7


Figure 3: SAP HANA In-Memory Strategy


HA240

8


Figure 4: Security - What is the goal?


HA240

9


Figure 5: Traditional security architecture

This is the standard security architecture available with products like SAP ECC, SAP BW or SAP CRM. The following layers are part of the architecture: Client Any possible client for the HANA Platform, this includes: SAP HANA Studio, Business Object BI Platform but also Web Browser, Analysis for Office, Office Excel, etc. Application Server In the common SAP Architecture this is normally the role of NetWeaver Application Server ABAP and/or Java. In this case the HANA Platform can also be the Application Server because it can act only as a database but also as a server for native functionalities and applications. Database HANA is a database at its core and can be used just like another relational database e.g. in a classical 3-tier deployment like Suite on HANA.


HA240

10


Figure 6: Where are the end users in typical SAP HANA scenarios?


HA240

11


Figure 7: SAP HANA Security Architecture


HA240

12


Figure 8: SAP HANA – Authentication and Single Sign-On

Access to SAP HANA data and applications is enabled by authentication functions Password policies, e.g. password length and complexity, can be defined to enforce password quality.


HA240

13


Figure 9: Logon to HANA


HA240

14


Figure 10: Password policy

Passwords for the user name/password authentication of database users are subject to certain rules or password policy. You can change the default password policy in line with your organization’s security requirements. You cannot deactivate the password policy.


HA240

15


Figure 11: SAP HANA – Access channels


HA240

16


Figure 12: SAP HANA – User management


HA240

17


Figure 13: SAP HANA – Role management


HA240

18


Figure 14: SAP HANA - Authorization - Privilege types


HA240

19


Figure 15: Authorization concept: Roles and Privileges


HA240

20


Figure 16: SAP HANA – Access privileges in details


HA240

21


Figure 17: SAP HANA – Secure communication

There are 3 main connection types that can be encrypted: 1. Client to server connections 2. Internal connection between HANA components (e.g. different HANA nodes in a scale-out system) 3. Connections between Data Center (e.g. for Disaster Recovery using HANA System Replication)


HA240

22


Figure 18: Securing communication channels using TLS/SSL


HA240

23


Figure 19: SAP HANA – Data encryption


HA240

24


Figure 20: Data encryption


HA240

25


Figure 21: SAP HANA – Audit logging


HA240

26


Figure 22: Audit logging


HA240

27


Figure 23: SAP HANA – security administration

1. SAP HANA studio is the central development environment and main administration tool for SAP HANA 2. New web-based administration and monitoring tools SAP DB control center and SAP HANA cockpit 3. Web-based SAP HANA Web Development Workbench (WebIDE) for development 4. SAP HANA is fully integrated into SAP Solution Manager (not directly relevant for Security administration) Prerequisites for using the web-based tools: x x

SAP Note 1716423 - SAPUI5 Browser Support PAM for SAPUI5


HA240

28


Figure 24: Monitoring and managing SAP HANA security


HA240

29


Figure 25: SAP HANA – security administration SAP HANA studio


HA240

30


Figure 26: SAP HANA – security administration SAP HANA Cockpit


HA240

31


Figure 27: Monitoring security KPIs in the new security dashboard


HA240

32


Figure 28: Important info sources


HA240

33


Exercise 1: HANA Security administration interfaces

Before starting All the exercises will be executed using a Virtual Desktop environment. The instructor will give you the details about server name for the connection. This VIrtual Desktop contains all the tools you need to perform the exercises. After the connection to the server when asked use the following login details for the connection to the server. 1. User: train-## (where ## are the the 2 digitis of your group number) 2. Password: initial When connected to the Virtual Desktop server use the following steps to open HANA Studio. 1. Click on the start button in the taskbar

2. Click on the arrow to scroll page

3. Locate "SAP HANA Studio" under S letter in the list and click on the icon to open the application 4. Confirm the Workspace Launcher screen with "OK" leaving the default folder


HA240

34


5. Click on Open Administration Console in order to start the exercise 1

6. Click on the blank area to add a new system and select "Add System..." 7. Provide the following data: x Hostname: wdflbmt7211 x Instance number: 01 8. Press next and provide the following data: x Username: STUDENT## (where ## is your group/student number) x Password: Training1 9. Provide a new password for your student user and confirm


HA240

35


Exercise Objectives After completing this exercise, you will be able to: x x

Open and navigate to the security administration view in SAP HANA Studio Open and navigate to the security web interface

Task 1: From the SAP HANA Studio client execute the following steps. 1. 2. 3. 4. 5.

Login with your STUDENT## user (where ## is your group ID) Navigate to the security folder Open the security console and navigate through the different available tabs Search and open your user under the Users section on the left navigation panel Double click on the role "TRAINING.HA240.Roles::STUDENT" to check which autorizations are assigned to your user

Task 2: Open the Security console on HANA Web-based Development Workbench and execute the following steps. 1. Open the Security Web Interface using the following link: http://wdflbmt7211:8001/sap/hana/ide/security/ ...alternatively in HANA Studio right click on your system (HDB) and open the SAP HANA Cockpit from Configuration and Monitoring menu item. Then when you are logged in with your STUDENT## user click on Manage Roles and Users 2. Login using your STUDENT## user and password 3. Open the security console and navigate through the different available tabs 4. Search and open your user under the Users section on the left navigation panel 5. Search and open the role TRAINING.HA240.Roles::STUDENT under the Users section on the left navigation panel to check which autorizations are assigned to your user 6. Switch to Editor interface using the Navigation button


HA240

36


Task 3: Execute the following steps from HANA Cockpit to prepare the list of applications you will use during the course. 1. In HANA Studio right click on your system (HDB) and open the SAP HANA Cockpit from Configuration and Monitoring menu item. 2. In the web page login with your STUDENT## (where ## is your group number) and the password you set previously in Task 1 3. Browse the SAP HANA Security Overview tiles 4. In the home page press on the change button in the bottom right part of the screen

5. Add the following Applications to "My Home" group x Manage Roles and Users x Assign Roles to Users 6. Click again the change button to exit from editing mode

7. Check the resulting home page screen 8. Open the "Assign Roles to Users" application


HA240

37


Solution of the Exercise 1

Task 1: 1. On the HANA Studio Welcome page click on Administration Console 2. On the left panel called Systems right click on the white area and select Add System 3. Specify the following information x Host Name: wdflbmt7211 x Instance Number: 01 4. Click on Next and specify the following information x User Name: STUDENT## (where ## is your group ID) x Password: Training1 5. Click on Finish 6. Expand the Security folder in the left panel 7. Double click on the Security entry to open the Security Console 8. Navigate through the different available tabs, without making any change, to check: x Auditing policies x Password policies x SAML Identity Providers configurations x Data Volume Encryption configuration 9. On the left panel right click on Users and select Find User 10. Type your user name (STUDENT##) , select the result and click on OK to open the user definition 11. Check the roles assigned to your user 12. On the left panel right click on Roles and select Find Role 13. Type just part of the following role name "TRAINING.HA240.Roles::STUDENT", select the result and click on Ok to open the role definition 14. Check the roles assigned to your user 15. Check which autorizations are assigned to your user within this role 16. Close all the opened tabs


HA240

38


Task 2: Open the broswer (internet Explorer or Chrome) and paste the following link: http://wdflbmt7211:8001/sap/hana/ide/security/ ...alternatively in HANA Studio right click on your system (HDB) and open the SAP HANA Cockpit from Configuration and Monitoring menu item. Then when you are logged in with your STUDENT## user click on Manage Roles and Users 1. Login using your STUDENT## user and password 2. Right click on the Security object from the left panel and click on Open Security console

3. Navigate through the different available tabs and check the similarity with the same interface in SAP HANA Studio 4. On the left panel right click on Users and select Search (Ctrl+Shift+F) 5. Type your user name (STUDENT##) , select the result and click on Ok to open the user definition 6. Check the roles assigned to your user 7. On the left panel right click on Roles and select Search (Ctrl+Shift+F) 8. Type the following role name "TRAINING.HA240.Roles::STUDENT", select the result and click on Ok to open the role definition 9. Check the roles assigned to your user 10. Check which autorizations are assigned to your user within this role 11. Switch to Editor interface using the Navigation button

12. Check the content of the editor view and check the address generate for this interface (in the following exercises this interface will be used for role creation)


HA240

39


Task 3: 1. In HANA Studio right click on your system (HDB) and open the SAP HANA Cockpit from Configuration and Monitoring menu item or use the following link: http://wdflbmt7211:8001/sap/hana/admin/cockpit/ 2. In the web page login with your STUDENT## (where ## is your group number) and the password you set previously in Task 1 3. Browse the SAP HANA Security Overview tiles 4. In the home page press on the change button in the bottom right part of the screen

5. Scroll the screen up and click on button + on the Group name "My Home" 6. Search the application "Manage Roles and Users" in the list 7. Click on the check button below the Icon

8. Select "My Home" group and press OK


HA240

40


9. Execute steps from 4 to 6 also for the following application: x Assign Roles to Users 10. Click again the change button to exit from editing mode

11. Check the resulting home page screen 12. Click on "Assign Roles to Users" application


HA240

41



HA240

42


Unit 2: Repository


HA240

43

Unit 2: Repository

Lesson: Repository



HA240

44

Lesson: Repository

Figure 30: Terminology: repository - Where design-time objects reside

The SAP HANA database repository is structured hierarchically with packages assigned to other packages as sub-packages. In the SAP HANA repository, a distinction is made between native and imported packages. Native packages are packages that were created in the current system and should therefore be edited in the current system. Imported packages from another system should not be edited, except by newly imported updates. An imported package should only be manually edited in exceptional cases. If you grant privileges to a user for a package, the user is automatically also authorized for all corresponding sub packages.


HA240

45

Unit 2: Repository

Figure 31: _SYS_REPO Authorization in the Repository

_SYS_REPO must be explicitly authorized for objects that are not created in the repository but on which repository objects are modeled.


HA240

46

Lesson: Repository

Figure 32: Proposed Repository Layout


HA240

47

Unit 2: Repository

Figure 33: Proposed Repository Layout - Naming convention


HA240

48

Lesson: Repository

Figure 34: Managing Repository Objects Deleting objects, Changing objects


HA240

49

Unit 2: Repository

Figure 35: Transporting Repository Objects

Prerequisite for the classical ABAP transports with " HANA Transport Container" is NetWeaver 7.4.


HA240

50

Lesson: Repository

Figure 36: Procedures in definer mode: What’s the deal?


HA240

51

Unit 2: Repository

Figure 37: Implications of using definer mode


HA240

52

Demonstration 1: Work with Repository from HANA Studio and Web IDE


Demonstration Objectives x x

Show how is possible to work with the repository from HANA Studio and what are the required steps Show how the same work can be done using Web IDE and what are the steps in this case

Task 1: From the SAP HANA Studio client the instructor will execute the following steps. 1. Open the "SAP HANA Development" perspective x Click on Window >> Perspective >> Open Perspective x Select SAP HANA Development (if not available select Other... and search for SAP HANA Development) 2. Click on Repository tab in the left panel and import remote workspace for system HDB x Expand the system HDB on tab Repository x Right click on (Default) and click "Import Remote Workspace..." x Click "Continue" to confirm the import 3. Go to tab Project Explorer and create a new project x On tab Project Explorer right click on the blank area and select New >> Project x Select General >> Project and click on Next x Call project "Playground1" and choose Next x Click on Finish


HA240

53

Unit 2: Repository

4. Share the project with the Repository x Right click on the new project and select Team >> Share Project... x Select the workspace just created on step 2 x Click on Broswe to select the Repository target package x Navigate to package TRAINING.HA240.Playground and confirm the selction screen 1. If package Playgroung does not exist create the package before sharing the project x Unselect option "Add Project Folder as Subpackage" x Click finish to confirm 5. Create a new repository object of type schema and show the resulting catalog object x On the Project Explorer tab right click on the new project and select New >> Other... x Type "Schema" on the selection screen x Select object Schema under SAP HANA > Database Development and click on Next x Type DEMO_SCHEMA as file name and select teamplate "Basic" x Select "Finish" 6. Activate the new object x Right click on the object just created (DEMO_SCHEMA.hdbschema) and click on Team >> Activate x Wait the operation to be completed and check the result on the Job Log view 7. Show the results on Repository tab x Switch to Repository tab and open the object "DEMO_SCHEMA.hdbschema" under TRAINING >> HA240 >> Playground 8. Show the object in the catalog x Switch to "Systems" tab x The new schema is not visible under "Catalog" folder because not yet authorized for any user x To check the new schema execute the following statement from the SQL console: SELECT * FROM SCHEMAS WHERE SCHEMA_NAME = 'DEMO_SCHEMA'


HA240

54


Task 2: From the Web IDE tool the instructor will execute the following steps. 1. Open Web IDE Editor using the following URL: http://wdflbmt7211:8001/sap/hana/ide/editor/ 2. Authenticate using STUDENT00 user (password: Training1) 3. Create a new schema under the same package used on Task1 x Broswe the catalog: TRAINING >> HA240 >> Playground x Right click on New >> File x Create a file named "DEMO_SCHEMA_2.hdbschema" x Insert the following line in the file: schema_name = "DEMO_SCHEMA_2"; 4. Activate the new object x Right click on the object name in the left panel and click on "Activate" x Check the gray panel on the buttom for the result 5. Show the results on Repository tab in HANA Studio and on the catalog x Go back to HANA Studio and open the SAP HANA Development prospective x Switch to Repository tab and open the object "DEMO_SCHEMA_2.hdbschema" under TRAINING >> HA240 >> Playground (refresh if not visible) x Switch to "Systems" tab x The new schema is not visible under "Catalog" folder because not yet authorized for any user x To check the new schema execute the following statement from the SQL console: SELECT * FROM SCHEMAS WHERE SCHEMA_NAME = 'DEMO_SCHEMA_2' NOTE: From WebIDE we were able to develop objects without creating a project and without configuring the workspace.


HA240

55

Unit 2: Repository


HA240

56


Unit 3: Authorization Inside SAP HANA


HA240

57


Lesson: General Authorization Concept



HA240

58


Figure 39: Authorization administration


HA240

59


Figure 40: Tools for authorization administration SAP HANA studio


HA240

60


Figure 41: Tools for authorization administration Web based editor

You can call the Web based editor directly or from SAP HANA cockpit. This editor allows the creation of Repository Roles without any Development prospective and projct setup (required in HANA Studio). From the technical side this editor is part of: SAP HANA Web-based Developer Workbench. For using this workbench all the necessary privileges are bundled in the following role: sap.hana.xs.ide.roles::EditorDeveloper sap.hana.xs.ide.roles::SecurityAdmin sap.hana.security.cockpit.roles::EditAssignedRoles


HA240

61


Figure 42: Basic Authorization entities


HA240

62


Figure 43: Relationships between Entities

Privileges can be assigned to users directly or indirectly using roles. Privileges are required to model access control. Roles can be used to structure the access control scheme and model reusable business roles. It is recommended to manage authorization for users by using roles. Roles can be nested so that role hierarchies can be implemented. This makes them very flexible, allowing very fine- and coarse grained authorization management for individual users. All the privileges granted directly or indirectly to a user are combined. This means whenever a user tries to access an object, the system performs an authorization check using the user, the user's roles, and directly allocated privileges.


HA240

63


It is not possible to explicitly deny privileges. This means that the system does not need to check all the user roles. As soon as all requested privileges have been found, the system aborts the check and grants access. Several predefined roles exist in the database. Some of them are templates that need to be customized; others can be used as they are. User management is configured using SAP HANA Studio and Web based editor.

Figure 44: Authorization Example


HA240

64


Figure 45: Authorization design process


HA240

65


Lesson: Roles

After completing this lesson, you will be able to: x x x x x

Create and use Runtime Roles Grant and revoke Runtime Roles Explain difference between Catalog and Repository Roles Create and use Repository Roles Know common pre-delivered roles

Figure 46: Define and Create Roles


HA240

66

Lesson: Roles

In HANA there are 2 different type of roles and this lesson contains the details about the differences. But first of all is important to understand the naming and the synonyms associated to that. x

Repository Roles x Also called: Design-time roles

x

Catalog Roles x Also called: Runtime Roles

Figure 47: Properties of Catalog Roles

Runtime Role management has several challenges, especially with regards to revocation of privileges and roles.


HA240

67


Figure 48: Creating Catalog Roles


HA240

68

Lesson: Roles

Figure 49: Difficulties with catalog roles Creation / Modification


HA240

69


Figure 50: Less known properties of catalog roles revoking of roles


HA240

70

Lesson: Roles

Figure 51: Properties of Repository Roles


HA240

71


Figure 52: Creating Repository Roles Create transportable roles with design time and run time representation


HA240

72

Lesson: Roles

Figure 53: Repository role editor (I)

A graphical editor for repository roles is available since SPS10 as part of the SAP HANA Web-based Development Workbench (Web IDE) yIn earlier versions, only a text editor in SAP HANA studio was available. yThere are two types of roles in SAP HANA: catalog roles and repository roles. For most use cases it is recommended to use repository roles. Compared to catalog roles, they offer several advantages, e.g. - Versioning - Integration with standard transport mechanisms - Decoupling of role creation from role granting/revoking Î Support for standard DEV Æ QA Æ PROD landscapes Î Separation of duties Role lifecycle 1. A developer/role designer creates the role in the repository of the development system and tests it 2. The role is transported to the production system, e.g. using HALM or CTS+ 3. In the production system, a user administrator grants the role to end users


HA240

73


Figure 54: Repository role editor (II)

Web-based administration and development tools As part of the general SAP UI strategy, administration and development functions are being made available in web-based tools such as SAP HANA Cockpit and SAP HANA Web-based Development Workbench (Web IDE). One of the prerequisites for using these functions is a web browser with SAPUI5 support. Information on web browsers with SAPUI5 support SAP Note 1716423 - SAPUI5 Browser Support PAM for SAPUI5: https://websmp130.sapag.de/sap(bD1lbiZjPTAwMQ==)/support/pam/pam.html?smpsrv=https%3A%2F%2Fwebsmp105.sapag.de#pvnr=01200314690900004969&pt=t%7CWBRPFM&ainstnr=01200314694900015214&ts=0


HA240

74

Lesson: Roles

Figure 55: Accessing the web-based user and catalog role editors in Web IDE


HA240

75


Figure 56: Transporting Repository Roles


HA240

76

Lesson: Roles

Figure 57: Repository roles vs. Catalog roles


HA240

77


Figure 58: How can you manage roles safely (and respecting typical compliance requirements)


HA240

78

Lesson: Roles

Figure 59: Standard Catalog Roles

Several catalog roles are delivered with the SAP HANA database. You should not use these roles directly, but instead use them as templates for creating your own roles. MODELING: Contains all privileges required for using the information modeler in the SAP HANA studio. Contains the database authorization for a modeler to create all kinds of views and Analytic Privileges. Allows access to all data in activated views without any filter (_SYS_BI_CP_ALL Analytic Privilege). However, this is restricted by missing SQL Privileges on those activated objects. Note: Use caution when using the _SYS_BI_CP_ALL Analytic Privilege. Use this predefined role as a template. MONITORING: Contains privileges for full read-only access to all meta data, the current system status in system and monitoring views, and the data of the statistics server.


HA240

79


PUBLIC: Contains privileges for filtered read-only access to the system views. Only objects for which the users have access rights are visible. By default, this role is assigned to each user except for "Restricted Users" CONTENT_ADMIN: Contains the same privileges as the MODELING role, but with the extension that users allocated this role are allowed to grant these privileges to other users. In addition, it contains repository privileges for working with imported objects. Use this role as a template for what content administrators might need as privileges. SAP_INTERNAL_HANA_SUPPORT: Contains privileges for full read-only access to all metadata, the current system status in system and monitoring views, and the data of the statistics server. Additionally it contains the privileges to access the base information of the system and monitoring views (this information is otherwise only available to the SYSTEM user). For security reasons, the following restrictions apply: - It cannot be granted to user SYSTEM - It cannot be granted to more than one user at a time - It cannot be granted to another role - No role can be granted to it - Only system privileges can be granted to this role

Figure 60: Summary


HA240

80

Lesson: From Privileges and Roles Assignment to User Management


Figure 61: Assign Privileges to Roles


HA240

81


Figure 62: Assign Privileges to Catalog Roles

Remember: ROLE ADMIN is required and all the privileges assigned to the roles have to be already assigned to the role creator with GRANT OPTION. Caution: Errors during save Typically: missing privilege for editing user (USER ADMIN) Or missing grant option: For Object/Privilege combinations: on object For direct privilege assignment: on privilege


HA240

82


Figure 63: Assign Privileges to Repository Roles

Remember: In this case ROLE ADMIN is not required and privileges are checked against _SYS_REPO user during activation (not checked on the role creator).


HA240

83


Figure 64: Create Users

There is also the possibility to create HANA users and assign roles via NetWeaver ABAP transaction SU01. Details about this options will follow in Unit 6.


HA240

84


Figure 65: Different User types: Database Users

It is often necessary to specify different security policies for different types of database user. In the SAP HANA database, we differentiate between database users that correspond to real people and internal database users. Note! Database users that correspond to real people are dropped when the person leaves the organization. This means that any database objects that they own are also automatically dropped, and any privileges that they granted are automatically revoked. Compared to standard database users, restricted users are initially limited in the following ways: x x x

They cannot create objects in the database as they are not authorized to create objects in their own database schema. They cannot view any data in the database as they are not granted (and cannot be granted) the standard PUBLIC role. They are only able to connect to the database using HTTP.

For restricted users to connect via ODBC or JDBC, access for client connections must be enabled as follows: ALTER USER ENABLE CLIENT CONNECT. For full access to ODBC or JDBC functionality users also require the standard role RESTRICTED_USER_ODBC_ACCESS or


HA240

85


RESTRICTED_USER_JDBC_ACCESS.

Figure 66: Control allowed access channels for users

Restricted users By default all restricted users are enabled only for HTTP(S) access channel to HANA. You can change this behavior after the creation enabling JDBC/ODBC access.


HA240

86


Figure 67: Different User types: Internal Database Users

The SYSTEM database user is the Bootstrapping-User. With it you can realize the inital system set and to create other database users, access system tables, and so on. Note however that SYSTEM database user does not automatically have access to objects created in the SAP HANA repository. The recommendation from SAP is to inactivate thus user for commence operation! adm user ( where is the ID of the SAP HANA system) The adm user is an operating system user and is also referred to as the operating system administrator. This operating system user has unlimited access to all local resources related to SAP systems. This user is not a database user but a user at the operating system level.


HA240

87


HINT: The following users are internal users, means that is impossible to log on in the database with them. x x x x

x

SYS - is an internal database user. It is the owner of database objects such as system tables and monitoring views. _SYS_AFL - is an internal user that owns all objects for Application Function Libraries _SYS_EPM - is an internal database used by the SAP Performance Management (SAP EPM) application _SYS_REPO - is an internal database user used by the SAP HANA repository. The repository consists of packages that contain design time versions of various objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. _SYS_REPO is the owner of all objects in the repository, as well as their activated runtime versions. _SYS_STATISTICS - is an internal database user used by the internal monitoring mechanism of the SAP HANA database. It collects information about status, performance, and resource usage from all components of the database and issues alerts if necessary.

HINT: What to do in an emergency situation? You have to reset the SYSTEM password In this case the following mechanism for resetting the SYSTEM user password is available x x x x x x x x

Prerequisite: Credentials of the operating system administrator adm, access to the master index server As adm, log on to the server on which the master index server is running On the command line, shut down the SAP HANA system, then start the name, compile and index servers Use the following command to reset the password /exe/hdbindexserver -resetUserSystem Afterwards, the index server is automatically stopped End the name and compile server processes On the command line, start the SAP HANA system

You can find this emergency procedure in SAP HANA Administration guide too. Note! In a system with multitenant database containers, you can reset the passwords of the SYSTEM users in the same way by starting the name server (for the system database) or index server (for tenant databases) in emergency mode.


HA240

88


Figure 68: Creating named Users in SAP HANA Studio

Figure 69: Creating named Users Using SQL


HA240

89


Figure 70: Modifying users


HA240

90


Figure 71: User Self Service Tools

By default, SAP HANA user self-service tools are disabled; the tools are neither visible in the user interface nor configured in SAP HANA. To provide access to embedded tools that enable users to request the creation of a new user account in the SAP HANA database or set a new password, the SAP HANA administrator must activate and set up the user self-service feature. For more information you can check SAP HANA Administration guide.


HA240

91


Figure 72: User Self Services - Web-based user self-services


HA240

92


Figure 73: User Self Services - Configuration


HA240

93


Figure 74: User Self Services - Reset password


HA240

94


Figure 75: User Self Services - Request new user


HA240

95


Figure 76: User Self Services - Approval for new users


HA240

96


Figure 77: User Management - What are the options?


HA240

97


Figure 78: Grant Roles to User


HA240

98


Figure 79: Grant Catalog Roles to User

Note: System Privilege ROLE ADMIN supersedes this GRANT OPTION Caution: Errors during save Typically: missing privilege for editing role: Or missing grant option: E.g.: System privilege ROLE ADMIN missing Or (without ROLE ADMIN): GRANT OPTION for the role missing


HA240

99


Figure 80: Revoke Catalog Roles from User

Note on Cascaded Dropping of Privileges If the user had granted the role to other users, revoking the role (and the grant option) also revokes the role from these grantee Remember: Only grantor can revoke a catalog role from a user


HA240

100


Figure 81: Repository Roles - Granting and Revoking Privileges on Activated Repository Objects

It is not possible to use the standard GRANT and REVOKE because objects belong to _SYS_REPO user This is covered automatically in all the graphical tools (HANA Studio and Web-based) so the stored procedure are not required in that case.


HA240

101


Syntax: CALL GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT ('','

HA240_EN_Col11_FV_A4.pdf

Recommend Documents