For Any SAP / IBM / Oracle - Materials Purchase Visit : www.erpexams.com OR Contact Via Email Directly At :
[email protected]
Authorization, Security and Scenarios
PARTICIPANT HANDBOOK
INSTRUCTOR-LED TRAINING
Course Version: 13
Course Duration: 2 Day(s)
Material Number: 50139950
SAP Copyrights and Trademarks
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions are also used.
● This information is displayed in the instructor's presentation
● Demonstration
● Procedure
● Warning or Caution
● Hint
● Related or Additional Information
● Facilitated Discussion
● User interface control: Example text
● Window title: Example text
Contents
Course Overview ........ vii
Unit 1: Security and Authorizations Introduction ........ 1
    Lesson: Introducing SAP HANA ........ 2
    Exercise 1: Navigate SAP HANA Security Administration Interfaces ........ 21
Unit 2: SAP HANA Repository ........ 35
    Lesson: Introducing SAP HANA Repository ........ 36
Unit 3: SAP HANA Authorizations ........ 43
    Lesson: Explaining Authorization in SAP HANA ........ 45
    Lesson: Describing Roles ........ 49
    Lesson: Assigning Privileges and Roles to Users ........ 58
    Exercise 2: Maintain Users and Roles ........ 71
    Lesson: Understanding Object Ownership ........ 85
    Lesson: Understanding Privileges ........ 88
    Exercise 3: Create Classical Analytic Privileges ........ 107
    Exercise 4: Create Dynamic Analytic Privileges ........ 115
    Exercise 5: Create SQL Analytic Privileges ........ 119
    Lesson: Viewing Information about Users and Authorizations ........ 123
Unit 4: Security Requirements and Solutions ........ 129
    Lesson: Understanding Authentication and Single Sign-On ........ 131
    Lesson: Understanding Multitenant Database Containers ........ 147
    Lesson: Describing Encryption ........ 154
    Lesson: Outlining SAP GRC Integration for Governance Risk and Compliance ........ 169
    Lesson: Understanding SAP NetWeaver Identity Management Integration ........ 181
    Lesson: Describing SAP HANA Extended Application Services Security and Application Privileges ........ 185
    Lesson: Describing SAP HANA Extended Application Services, Advanced Model Security ........ 193
Unit 5: Authorization Trace and Auditing ........ 201
    Lesson: Setting up and Analyzing an Authorization Trace ........ 202
    Exercise 6: Use an Authorization Trace to Find Authorization Issues ........ 207
    Lesson: Using Audit Logging ........ 214
    Exercise 7: Configure Audit Logging ........ 225
Unit 6: Integrative Authorization Scenarios ........ 235
    Lesson: Outlining Security Scenarios ........ 236
    Lesson: Understanding SAP BW Models in SAP HANA ........ 244
    Exercise 8: Replicate Business Warehouse Authorizations from SAP BW in SAP HANA to Plain SAP HANA ........ 253
    Lesson: Understanding Authentication Options and User Management Implications for the Integration of SAP Business Object BI 4.X and SAP HANA ........ 267
    Lesson: Describing SAP HANA with ERP or S/4HANA and the Analytics Authorization Assistant ........ 274
Unit 7: SAP HANA Cloud Solutions (Optional) ........ 291
    Lesson: Understanding the Security Architecture of SAP HANA Cloud Platform ........ 292
    Lesson: Explaining the Security Aspects of SAP HANA Enterprise Cloud ........ 299
Course Overview
TARGET AUDIENCE
This course is intended for the following audiences:
● Systems Architect
● Application Consultant
● Development Consultant
● Technology Consultant
● Support Consultant
● Data Consultant
● Database Administrator
UNIT 1
Security and Authorizations Introduction
Lesson 1: Introducing SAP HANA ........ 2
Exercise 1: Navigate SAP HANA Security Administration Interfaces ........ 21
UNIT OBJECTIVES
● Define SAP HANA
● Outline the security functions in SAP HANA
● Describe the security administration tools
Unit 1 Lesson 1
Introducing SAP HANA
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Define SAP HANA
● Outline the security functions in SAP HANA
● Describe the security administration tools
SAP HANA
Figure 1: What is SAP HANA?
SAP HANA is an in-memory data platform that is deployable as either an on-premise appliance, or in the cloud. It is a revolutionary platform that is best suited for performing real-time analytics, and developing and deploying real-time applications. At the core of this real-time data platform is the SAP HANA database, which is fundamentally different from any other database engine in the market today.
Lesson: Introducing SAP HANA
Figure 2: SAP HANA In-Memory Strategy
Figure 3: SAP HANA Security: What is the Goal?
The goal of SAP HANA security is to protect against threats from outside the system by employing additional protection mechanisms, such as encryption.
Figure 4: Manage Secure Data Access and Keep Your Systems Protected
Unit 1: Security and Authorizations Introduction
Figure 5: SAP Traditional Security Architecture
SAP traditional security architecture is the standard security architecture that is available with products like SAP ECC, SAP BW, or SAP CRM. The figure, SAP Traditional Security Architecture, details the security architecture in a typical system as follows:
● Client: Any possible client for the SAP HANA platform. This includes SAP HANA Studio and Business Object BI Platform, but also includes a web browser, Analysis for Office, Office Excel, and so on.
● Application Server: In the common SAP architecture, this is normally the role of SAP NetWeaver Application Server ABAP or Java. In this case, the SAP HANA Platform can also be the application server, because it can be a database, and also a server for native functionalities and applications.
● Database: SAP HANA is a database at its core, and can be used like any other relational database, for example, in a classical three-tier deployment like SAP Business Suite powered by SAP HANA.
Figure 6: Where are the End Users in Typical SAP HANA Scenarios?
Additional details related to the scenarios will be covered in the unit about "Integrative authorization scenarios".
The scenarios listed in the figure, Where are the End Users in Typical SAP HANA Scenarios?, are the most representative scenarios, because they are heterogeneous in terms of the user and the authorization requirements in the different architectural layers.
Security Functions Overview
Figure 7: Security Functions Overview
Figure 8: Authentication and Single Sign-On
Access to SAP HANA data and applications is enabled by authentication functions. You can define password policies (for example, password length and complexity) to enforce password quality.
Figure 9: Logon to SAP HANA: Users and Authentication
Figure 10: Password Policy
Passwords for the basic authentication of database users are subject to certain rules. These rules are defined in the password policy. You can change the default password policy in line with your organization's security requirements. The password policy is defined by parameters in the password policy section of the indexserver.ini system properties file. Although you can configure your password policy directly in the indexserver.ini file, it is recommended that you use either the Password Policy and Blacklist app of the SAP HANA cockpit (available since SPS12) or the Security Editor of the SAP HANA studio.
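As an added example (not part of the handbook), the following SAP HANA SQL changes a few parameters of the password policy section of indexserver.ini through ALTER SYSTEM ALTER CONFIGURATION, which writes the same setting the Security Editor or the cockpit app writes, and then reads the effective policy back from the M_PASSWORD_POLICY monitoring view. The parameter values are illustrative choices, not defaults or recommendations from the handbook; the user name in the last query is a placeholder.

```sql
-- Added example: tighten the password policy from SQL instead of editing
-- indexserver.ini by hand. Requires the INIFILE ADMIN system privilege.
-- Layer 'SYSTEM' sets the system-wide value; WITH RECONFIGURE applies it
-- without a restart. The values below are illustrative, not handbook defaults.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('password policy', 'minimal_password_length')          = '12',
      ('password policy', 'password_layout')                  = 'A1a',  -- upper case, digit, lower case
      ('password policy', 'maximum_invalid_connect_attempts') = '5',
      ('password policy', 'password_lock_time')               = '30',   -- minutes
      ('password policy', 'maximum_password_lifetime')        = '90',   -- days
      ('password policy', 'last_used_passwords')              = '10',   -- history depth
      ('password policy', 'force_first_password_change')      = 'true'
  WITH RECONFIGURE;

-- Read back the effective policy as PROPERTY / VALUE pairs.
SELECT PROPERTY, VALUE
  FROM SYS.M_PASSWORD_POLICY
 ORDER BY PROPERTY;

-- Check how one user stands under the policy: deactivation, failed logon
-- counter, last failed attempt and whether a password change is pending.
-- '<USER>' is a placeholder for the database user you are reviewing.
SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME,
       INVALID_CONNECT_ATTEMPTS, LAST_INVALID_CONNECT_ATTEMPT,
       PASSWORD_CHANGE_NEEDED, PASSWORD_CHANGE_TIME
  FROM SYS.USERS
 WHERE USER_NAME = '<USER>';
```

Setting the parameters with a single ALTER SYSTEM statement keeps the change atomic and auditable as one event; the read-back from M_PASSWORD_POLICY is the check that the layer you wrote to (SYSTEM rather than HOST) is the one that took effect.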
Figure 11: Access Channels
SAP HANA provides standard database interfaces, such as Java Database Connectivity (JDBC) and Open Database Connectivity (ODBC), and supports standard SQL with SAP HANA-specific extensions. In addition to this channel, the embedded application server available on SAP HANA allows HTTP(S) access to the database. For JDBC and ODBC client connections, user passwords are always transmitted in encrypted hashed form during the user authentication process. The passwords are never transmitted in plain text. For HTTP connections, HTTPS must be configured. In SSO environments, we recommend using encrypted communication channels for all client connections.
Figure 12: User Management
Every user who wants to work directly with the SAP HANA database must have a database user with the necessary privileges. Depending on the situation, the user accessing SAP HANA may be a technical system user or a user corresponding to a real person.
Figure 13: Role Management
A role is a collection of privileges that can be granted to either a database user or another role at runtime. A role typically contains the privileges required for a particular function or task. Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard mechanism of granting privileges, as they allow you to implement complex, reusable authorization concepts that can be modeled on business roles.
Figure 14: Authorization Concept: Roles and Privileges
The following videos provide more information on roles:
● SAP HANA Roles Explained - Understanding the Concepts: https://www.youtube.com/watch?v=ah7AspicX8o
● SAP HANA Roles Explained - Creating Roles Using the SAP HANA Web Workbench: https://www.youtube.com/watch?v=_D27iPdVrvo
● Repository Role Editor: https://www.youtube.com/watch?v=Wv6YH3ft9XM&list=PLkzo92owKnVwADqaEp2YhXFRKDVoUQNL&index=2
● Support Role: https://www.youtube.com/watch?v=yQqTGkQFp7M&list=PLkzo92owKnVwADqaEp2YhXFRKDVoUQNL&index=3
Figure 15: Authorization Privilege Types
Several privilege types are used in SAP HANA (system, object, analytic, package, and application).
Figure 16: Access Privileges in Detail
The following list outlines access privileges:
● System privileges control general system activities.
● Object privileges are SQL privileges that are used to allow access to and modification of database objects.
● Analytic privileges grant different users access to different portions of data in the same view based on their business role. Within the definition of an analytic privilege, the conditions that control which data users see are either contained in an XML document, or defined using SQL.
● Package privileges authorize actions on individual packages in the classic SAP HANA repository.
● Application privileges in SAP HANA XS classic define the authorization level required for access to an SAP HANA XS classic application (for example, to start the application, or view particular functions and screens).
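The role concept described under Figure 13 and the privilege types listed above come together in the following SAP HANA SQL, added here as an example that is not part of the handbook. It builds one reusable role that carries a system, an object, a package and a SQL-defined analytic privilege, grants the role (never the individual privileges) to a user, and then reads back what the user effectively holds. The schema SALES, the package sales.models, the calculation view CV_SALES, the column REGION, the role and user names and the initial password are all placeholders; the analytic privilege only takes effect on a view that was activated for SQL analytic privilege checking, which is assumed here.

```sql
-- Added example: one role, four privilege types, one user. All names are placeholders.

-- 1. The role is the unit of assignment: privileges go to the role, not the user.
CREATE ROLE "SALES_REPORTING";

-- Object privilege: read all tables and views in one schema, no write privileges.
GRANT SELECT ON SCHEMA "SALES" TO "SALES_REPORTING";

-- System privilege: browse catalog metadata only. Deliberately not a wide
-- administrative privilege such as USER ADMIN or DATA ADMIN.
GRANT CATALOG READ TO "SALES_REPORTING";

-- Package privilege: read (not edit or activate) content of a classic repository package.
GRANT REPO.READ ON "sales.models" TO "SALES_REPORTING";

-- Analytic privilege defined in SQL: members of the role see only EMEA rows
-- of the calculation view. Assumes the view is activated for SQL analytic
-- privilege checking; reading the activated view also needs SELECT on it.
CREATE STRUCTURED PRIVILEGE "SALES_EMEA_ONLY"
  FOR SELECT ON "_SYS_BIC"."sales.models/CV_SALES"
  WHERE "REGION" = 'EMEA';
GRANT STRUCTURED PRIVILEGE "SALES_EMEA_ONLY" TO "SALES_REPORTING";
GRANT SELECT ON "_SYS_BIC"."sales.models/CV_SALES" TO "SALES_REPORTING";

-- 2. A named user receives the role. Without NO FORCE_FIRST_PASSWORD_CHANGE the
--    user must replace the initial password at first logon (policy default).
CREATE USER "ALICE" PASSWORD "<Initial-Password>";
GRANT "SALES_REPORTING" TO "ALICE";

-- 3. What the user actually holds, including everything inherited through roles.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'ALICE'
 ORDER BY OBJECT_TYPE, PRIVILEGE;

-- 4. Two review queries for the "too many privileges" case:
--    privileges granted directly to users instead of through roles ...
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE_TYPE = 'USER'
   AND GRANTEE NOT IN ('SYSTEM', '_SYS_REPO')
 ORDER BY GRANTEE, OBJECT_TYPE;
--    ... and who holds _SYS_BI_CP_ALL, the analytic privilege that exposes
--    all rows of every activated view and should not reach end users.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_NAME = '_SYS_BI_CP_ALL';
```

EFFECTIVE_PRIVILEGES is the view to check after a grant, because GRANTED_PRIVILEGES alone shows only the direct edges: a user with nothing granted directly can still hold wide access through a chain of nested roles.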
Figure 17: Secure Communication
The following list outlines the three main connection types that can be encrypted:
● Client to server connections
● Internal connections between SAP HANA components (for example, different SAP HANA nodes in a scale-out system)
● Connections between data centers (for example, for disaster recovery using SAP HANA System Replication)
Figure 18: Securing Communication Channels using TLS/SSL
Note: Certified SAP HANA hosts use a separate network adapter with a separate IP address for each of the different networks.
Figure 19: Data Encryption
To protect data saved to disk from unauthorized access at operating system level, the SAP HANA database supports data encryption in the persistence layer. This is referred to as data volume encryption. Application developers can use the SAP HANA XS $.security.Store API to define secure stores that store application data in name-value form. These secure stores use the internal data encryption service.
SAP HANA uses the instance SSFS to store all internal SAP HANA encryption keys (that is, the root keys used for data volume encryption and the internal data encryption service).
Figure 20: Data Encryption
SAP HANA uses the system PKI SSFS to protect the X.509 certificate infrastructure. The X.509 certificate infrastructure is used to secure internal SSL/TLS-based communication between hosts in a multiple-host system, or between processes of individual databases in a multiple-container system. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are supported and recommended for network communication, where possible.
Figure 21: Audit Logging
Auditing provides you with visibility on who did what (or tried to do what) in the SAP HANA database, and when they did so. Auditing allows you to monitor and record selected actions performed in the SAP HANA database. Although auditing does not directly increase your system's security, it can, if wisely designed, help you achieve greater security in the following ways:
● Uncover security holes if too many privileges were granted to some user
● Show attempts to breach security
● Protect the system owner against accusations of security violations and data misuse
● Allow the system owner to meet security standards
Figure 22: Audit Logging
Only actions that take place inside the database engine can be audited. If the database engine is not online when an action occurs, it cannot be detected and therefore cannot be audited. Audit logging administration and maintenance is possible from SAP HANA Studio in the security console, or in the SAP HANA Cockpit using a specific application (available since SPS12).
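The same audit configuration that the Studio security console or the cockpit application writes can be expressed in SAP HANA SQL. The following block is an added example, not part of the handbook: it switches auditing on, defines one policy for the first bullet above (user and role administration, which is where over-granting shows up) and one for the second (failed reads of a sensitive table), and then queries the policies and the audit trail. The table HR.SALARIES and the policy names are placeholders; the audit trail target CSTABLE is chosen so that the entries are readable from the AUDIT_LOG view.

```sql
-- Added example: enable auditing and define two policies. Requires the
-- AUDIT ADMIN system privilege. Policy names and HR.SALARIES are placeholders.

-- 1. Switch auditing on system-wide and keep the trail in the internal
--    column-store table (CSTABLE), which is what SYS.AUDIT_LOG reads.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state')    = 'true',
      ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

-- 2. Over-granting is visible only if every grant is recorded: audit all
--    successful and failed user and role administration at CRITICAL level.
CREATE AUDIT POLICY "AUDIT_USER_ROLE_ADMIN"
  AUDITING ALL CREATE USER, DROP USER, ALTER USER,
               CREATE ROLE, DROP ROLE, GRANT ROLE, REVOKE ROLE,
               GRANT PRIVILEGE, REVOKE PRIVILEGE
  LEVEL CRITICAL;
ALTER AUDIT POLICY "AUDIT_USER_ROLE_ADMIN" ENABLE;

-- 3. Attempts to breach security: record only the denied reads of one
--    sensitive table, so the trail stays small and every entry is a signal.
CREATE AUDIT POLICY "AUDIT_SALARY_DENIED"
  AUDITING UNSUCCESSFUL SELECT ON "HR"."SALARIES"
  LEVEL WARNING;
ALTER AUDIT POLICY "AUDIT_SALARY_DENIED" ENABLE;

-- 4. Review the active policies ...
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL, IS_AUDIT_POLICY_ACTIVE
  FROM SYS.AUDIT_POLICIES;

--    ... and the last 24 hours of the trail, newest first.
SELECT TIMESTAMP, USER_NAME, CLIENT_IP, EVENT_ACTION, EVENT_STATUS,
       AUDIT_POLICY_NAME, STATEMENT_STRING
  FROM SYS.AUDIT_LOG
 WHERE TIMESTAMP > ADD_DAYS(CURRENT_TIMESTAMP, -1)
 ORDER BY TIMESTAMP DESC;
```

The second policy uses UNSUCCESSFUL rather than ALL on purpose: auditing every successful read of a busy table produces a trail nobody reviews, whereas a denied SELECT on a table the user has no role for is exactly the "attempt to breach security" the lesson lists. Remember the caveat in the paragraph above: none of this records anything that happens while the database engine is offline, so file-system level access to the data volumes is covered by data volume encryption, not by auditing.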
Security Administration Tools
Figure 23: Security Administration - When to Use What
SAP HANA Cockpit and SAP HANA Studio are the native tools for SAP HANA database administration.
SAP HANA Cockpit is a web-based tool that is built on SAP HANA XS Advanced to leverage the latest SAP technology to allow faster delivery and new innovations. It is a single web console that simplifies the administration of landscapes, groups, and individual SAP HANA databases. SAP HANA cockpit provides an overview of important security KPIs and allows easy access to the security configuration.
SAP HANA Studio can be used for administration and monitoring of SAP HANA databases, including system configuration, user management, and performance monitoring capabilities. It can also be used for SAP HANA development of content, including modeled views and stored procedures. SAP HANA Studio is still required to perform certain administration tasks, but future versions of SAP HANA cockpit will encompass all SAP HANA Studio functionality for administrators.