SAP HANA - overview of security functions
* JDBC/ODBC access
* HTTP access (SAP HANA XS)
* Authentication: user name and password (incl. password policy), form-based login (incl. password), SAML, SPNEGO, SAP logon and assertion tickets, SSL / X.509

SAP HANA - user and role management
* For logon, users must exist in the identity store of the SAP HANA database
* Roles (and privileges) can be assigned to users
* Roles are used to bundle and structure privileges
  - Create roles for specific groups of users; role hierarchies are supported
* Role lifecycle: design-time roles > export to production system + activate > runtime

SAP HANA - authorization
Privilege types
* System privileges: authorize execution of administrative actions for the entire SAP HANA database
* SQL privileges: authorize access to data and operations on database objects
* Analytic privileges: allow read access by using analytic views at run-time; provide row-level access control based on dimensions of the respective view
* Application privileges: authorize access to SAP HANA XS application functions
* Package privileges: authorize access in the repository (modeling environment) at design time

SAP HANA - communication and data encryption
* Communication encryption
  - SSL (can be enforced for client connections)
* Data encryption
  - Data volumes on disk
* Secure internal credential store for applications
  - For scenarios where applications on SAP HANA need to store additional user credentials

SAP HANA - audit logging
* Logging of critical events for security and compliance, e.g.
  - User, role and privilege changes, configuration changes
* Data access logging
  - Read and write access (tables, views), execution of procedures
* User-defined audit policies
* Audit trail written to Linux syslog or a database table within SAP HANA

SAP HANA - security administration
* SAP HANA Studio and SAP HANA Cockpit (web-based)
* Command line (hdbsql)
* XS administration tool (web-based)

Terminology: repository
Where design-time objects reside
* Repository is a store for design-time artefacts
* Hierarchy of packages
  - Privileges on package level (read, edit, activate): "package privileges"
  - Each package can be assigned to one delivery unit (for transporting)
Types of objects in the repository
* Data models (Attribute, Analytic, Calculation Views)
* Analytic Privileges (privileges on data models)
* New: repository roles; development objects
Activation
* Activation generates run-time objects, controlled by package and system privileges
* Run-time objects are owned by the technical user _SYS_REPO
* Run-time objects are "catalog objects" (like DB tables, schemas, views, procedures, ...)
Physical representation of the repository
* Repository objects are serialized into tables in schema _SYS_REPO

_SYS_REPO - authorization in the repository
The technical user _SYS_REPO is the owner of all objects in the repository, as well as of their activated runtime versions. Inside the repository, only the technical user _SYS_REPO is used. Therefore, this user is the owner of the objects created in the repository and initially is the only user with privileges on these objects. This includes the following objects:
* All tables in the repository schema (_SYS_REPO)
* All activated objects such as procedures, views, analytic privileges, and roles

Proposed repository layout (see Developer Guide)
Two pre-delivered packages in the repository
Package system-local
* Package for free-style developer testing (sandbox package)
* Cannot be assigned to a delivery unit
* Thus also not transportable
Package "sap"
* Any official SAP-delivered content
* Built-in applications delivered with SAP HANA
  - SAP HANA Live
  - EPM demo content
Where to put 3rd-party content?
* Any vendor is supposed to create their own package
* Directly in the repository root
* No best practice for the sub-structure of the packages

Working in the repository - Studio perspectives and web IDE
Three places to work in the repository:
Studio: Modeler perspective
* Allows creation of objects directly in the "content" tree
* But only "Modeler" objects: packages, data models, analytic privileges
Studio: developer perspective
* Two-step development:
  - create objects locally (client PC) in some editor (e.g. Studio)
  - then check into the repository and activate
* Complicated project-based approach
* Mostly text-file based editing; only classical modeler objects have graphical editors
Web IDE
* Application: sap.hana.xs.ide
* Purely text-based editing; object type determined through the file name; seems rudimentary
* Stored procedures, decision tables

Managing repository objects - deleting objects, changing objects
Deleting repository objects is not trivial: dependencies must be resolved manually
* Can only delete objects that are not "used" elsewhere (views included in other views, ...)
* Can practically only delete one object at a time
* Cannot delete packages that contain objects
* Can be confusing when mixing "developer workbench" objects (hdbroles, XS apps) and modeler objects (the modeling perspective will only show modeler objects)
* When deleting via the developer workbench, delete from the project, then activate the parent node (folder, project)
Changing existing objects
* If modeler objects: simply go into the Modeler and modify the objects
* If XS development objects (or repository roles):
  - create a repository workspace and import objects and projects
  - then work project-based as always in the developer workbench
* Alternatively: use the web IDE
  - allows access to all objects without project overhead

Transporting repository objects
Any repository content can be transported, as long as it is assigned to a delivery unit
* Which means package system-local cannot be transported
Three transport applications (http://scn.sap.com/docs/DOC-4932):
* CTS+
* Classical ABAP transports, with "HANA Transport Container" integrated
* Native HANA transports, using XS application sap.hana.xs.lm

Procedures in definer mode - what's the deal?
Whose privileges matter when running a stored procedure?
Standard behavior
* Always the privileges of the user executing the procedure (invoker)
* This might require far-reaching privileges for end users
Definer mode behavior
* The privileges of the user who "created" the procedure are used (definer)
* That is the user who executes the "CREATE PROCEDURE" statement
* When creating via the repository and activating: creator = _SYS_REPO

    -- Table type for the procedure's output parameter
    create type "HA240"."T_USER" as table (
      user_name nvarchar(128)
    );

    -- Definer-mode procedure: runs with the privileges of its creator,
    -- so CURRENT_USER inside it reports the definer, not the caller
    create procedure test_proc_definer (out var_out "HA240"."T_USER")
      sql security definer
      reads sql data
    as
    begin
      var_out = select current_user as user_name from dummy;
    end;
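The following added example (not from the slides) puts the definer-mode slide and the audit logging slide together: a definer-mode procedure gives an end user row-level access to a table they hold no SELECT on, and an audit policy records every execution of that procedure in the database audit table. The schema name HA240 comes from the slide; the users HR_OWNER and ALICE, the table SALARIES and the policy name are constructed for this example, and all statements up to the GRANT are assumed to run as HR_OWNER, the owner of schema HA240.

```sql
-- Added example, not from the slides. Assumed to run as HR_OWNER,
-- owner of schema HA240; ALICE is a constructed end user.

-- 1. Sensitive table; end users are never granted SELECT on it.
CREATE COLUMN TABLE "HA240"."SALARIES" (
  emp_user NVARCHAR(128),
  salary   DECIMAL(10, 2)
);
INSERT INTO "HA240"."SALARIES" VALUES ('ALICE', 5200.00);  -- constructed rows
INSERT INTO "HA240"."SALARIES" VALUES ('BOB',   6100.00);

-- 2. Definer-mode procedure: executes with HR_OWNER's privileges, so the
--    caller needs no privilege on SALARIES. Inside a definer-mode procedure
--    CURRENT_USER is the definer (HR_OWNER); SESSION_USER is still the
--    logon user, which is what the row-level filter must use.
CREATE TYPE "HA240"."T_MY_SALARY" AS TABLE (
  emp_user NVARCHAR(128),
  salary   DECIMAL(10, 2)
);
CREATE PROCEDURE "HA240"."GET_MY_SALARY" (OUT var_out "HA240"."T_MY_SALARY")
  LANGUAGE SQLSCRIPT
  SQL SECURITY DEFINER
  READS SQL DATA
AS
BEGIN
  var_out = SELECT emp_user, salary
            FROM "HA240"."SALARIES"
            WHERE emp_user = SESSION_USER;   -- invoker, not definer
END;

-- 3. Least privilege: ALICE may only call the procedure.
GRANT EXECUTE ON "HA240"."GET_MY_SALARY" TO ALICE;

-- 4. Audit trail into the database table (the slide's second target option),
--    then a policy that logs every execution of the procedure.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state')   = 'true',
      ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;
CREATE AUDIT POLICY "AUDIT_SALARY_PROC"
  AUDITING ALL EXECUTE ON "HA240"."GET_MY_SALARY"
  LEVEL INFO;
ALTER AUDIT POLICY "AUDIT_SALARY_PROC" ENABLE;

-- 5. As ALICE: CALL "HA240"."GET_MY_SALARY"(?);  -- returns only ALICE's row
--    A direct SELECT on "HA240"."SALARIES" by ALICE fails with insufficient
--    privilege, and each CALL appears in the audit trail.
```

If the procedure were activated from the repository instead, the definer would be _SYS_REPO, so the filter on SESSION_USER is what keeps the access row-level regardless of which technical user owns the run-time object.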
