HA 240 Authorization

The document discusses authorization and security in SAP HANA. It covers authentication of users, authorization of what users can access, auditing, roles and privileges, encryption, and security administration. Authentication verifies users, authorization controls what users can access and do, and auditing logs security events. The document also discusses role-based access control, encryption of data, and tools for security administration and monitoring in SAP HANA.

Uploaded by Adam Ong
HA 240 Authorization, Security and Authorizations

Unit 1 Lesson 1

Authentication – verifies the identity of users who need to carry out tasks

Authorization – users in the system should only be able to see and do what they need to fulfil their tasks

Audit Logging

Indexserver.ini

- Password policy parameters are entered in the password policy section

Password Policy and Blacklist App

- Password policies are maintained in the HANA Cockpit or the Security Editor of SAP HANA Studio
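As an added example (not part of the HA 240 notes), the same password policy and audit logging settings maintained through SQL rather than the Cockpit or Studio editors. The parameter, view and audit action names are the standard SAP HANA ones; the values and the policy name are assumptions chosen for the example:

```sql
-- Added example, not from the HA 240 notes. Parameter and audit action names are
-- the standard SAP HANA ones; the values and the policy name are assumptions.

-- Password policy: the parameters sit in the [password policy] section of
-- indexserver.ini and are written with ALTER SYSTEM ALTER CONFIGURATION.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    SET ('password policy', 'minimal_password_length')          = '12',
        ('password policy', 'maximum_invalid_connect_attempts') = '5',
        ('password policy', 'maximum_password_lifetime')        = '90',
        ('password policy', 'force_first_password_change')      = 'true'
    WITH RECONFIGURE;

-- Check what is now in effect (one row per parameter).
SELECT * FROM SYS.M_PASSWORD_POLICY;

-- Audit logging: switch auditing on globally (global.ini), then define a policy
-- that records every role grant/revoke and user change, successful or not.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('auditing configuration', 'global_auditing_state') = 'true'
    WITH RECONFIGURE;

CREATE AUDIT POLICY user_and_role_changes
    AUDITING ALL GRANT ROLE, REVOKE ROLE, CREATE USER, DROP USER, ALTER USER
    LEVEL CRITICAL;

-- A policy is inactive until it is enabled.
ALTER AUDIT POLICY user_and_role_changes ENABLE;
```

Both statements need the INIFILE ADMIN system privilege (and AUDIT ADMIN for the policy); the SYSTEM layer applies to every host, which is what a password policy needs.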

2 Access Channels for SAP HANA

- JDBC/ODBC
- HTTP for XS Applications
- Connections support standard SQL with SAP HANA-specific extensions

Role – bundle of privileges for a specific group of users

Privileges – control what a user can see and do

- End User Privileges – access DB content, execute apps
- Administrator Privileges – backups, user management
- Developer Privileges – repository access privileges

In Detail

- SQL Privileges – access to data and operations on database objects (tables, views)
- Analytic Privileges – row-level access to analytic views
- Application Privileges – start and execute XS applications
- System Privileges – administrative actions, backup, user management

Connection Types

- Client to Server
- Internal connections (within HANA components, e.g. nodes of a scale-out system)
- Connections between data centers (DR, system replication)

DB Encryption

- Protects data from unauthorized access at operating system level
- Can use the HANA XS $Security.Store API to define secure stores

Security Administration

- HANA Studio – central development and main admin tool for HANA
- SAP Solution Manager – management of the SAP landscape
- HANA Web IDE – development environment for HANA
- HANA Cockpit – monitoring of individual HANA systems
- DB Control Center – landscape monitoring for SAP databases

Security Monitoring, Config and Admin

- HANA Cockpit DETAILED
o Security monitoring, alerting, configuration and administration
o Role-based access to tiles
o Has an important KPI overview of the system
- Solution Manager OVERVIEW
o Security monitoring, alerting, configuration and administration

SAP HANA Security Checklist and Recommendations

- HANA Security Guide
- Best practices for security, baseline template

Documentation: SAP HELP Portal

WhitePaper: HANA Security Whitepaper

Best Practices: How to Define Standard Roles

Unit 2 Lesson 1: SAP HANA Repository

Repository – design-time artefacts

Hierarchy of Packages

- Privileges on package level = package privileges
- A package can be assigned to one Delivery Unit for transport

Types of Objects

- Data models (calculation views)
- Analytic privileges
- Repository roles and development objects

Activation

- Design-time object → runtime object
o Controlled by package and system privileges
- RTO: owned by _SYS_REPO
o Called CATALOG OBJECTS (DB tables, schemas, views, procedures)

DEFINER MODE

- Authorization check is run against the privileges of the user who created the object, not the user accessing the object

INVOKER MODE

- Authorization check is run against the privileges of the accessing user
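As an added example (not part of the HA 240 notes), the same procedure created once in DEFINER and once in INVOKER mode, so the difference in whose privileges are checked becomes visible. The schema, table, procedure and user names are assumptions; it is meant to be run as a developer user who owns the HR schema:

```sql
-- Added example, not from the HA 240 notes. Schema, table, procedure and user
-- names are assumptions; run as the developer user that owns schema HR.
CREATE SCHEMA HR;
CREATE COLUMN TABLE HR.SALARIES (EMP_ID INT PRIMARY KEY, SALARY DECIMAL(10,2));
INSERT INTO HR.SALARIES VALUES (1, 4200.00);   -- constructed sample row

-- DEFINER: the authorization check uses the privileges of the creating user
-- (the owner), so a caller only needs EXECUTE on the procedure itself.
CREATE PROCEDURE HR.GET_SALARY_DEFINER (IN emp INT, OUT sal DECIMAL(10,2))
    LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
    SELECT SALARY INTO sal FROM HR.SALARIES WHERE EMP_ID = :emp;
END;

-- INVOKER: the authorization check uses the privileges of the accessing user,
-- who must additionally hold SELECT on HR.SALARIES.
CREATE PROCEDURE HR.GET_SALARY_INVOKER (IN emp INT, OUT sal DECIMAL(10,2))
    LANGUAGE SQLSCRIPT SQL SECURITY INVOKER READS SQL DATA AS
BEGIN
    SELECT SALARY INTO sal FROM HR.SALARIES WHERE EMP_ID = :emp;
END;

-- A user who holds EXECUTE on both procedures but nothing on the table:
CREATE USER analyst PASSWORD "Initial-Pw-2024";
GRANT EXECUTE ON HR.GET_SALARY_DEFINER TO analyst;
GRANT EXECUTE ON HR.GET_SALARY_INVOKER TO analyst;

-- Connected as ANALYST:
--   CALL HR.GET_SALARY_DEFINER(1, ?);   -- succeeds: the owner's privileges apply
--   CALL HR.GET_SALARY_INVOKER(1, ?);   -- raises an insufficient-privilege error
-- The INVOKER variant only works after: GRANT SELECT ON HR.SALARIES TO analyst;
```

The DEFINER procedure is the pattern to watch in reviews: everything it does runs with the owner's rights (for activated repository objects that owner is _SYS_REPO), so the procedure body, not the caller's privileges, is what limits access to HR.SALARIES.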

Unit 3 Lesson 1: Explaining Authorization in SAP HANA

Unit 3 Lesson 2: Describing Roles

Steps:

1. Define and create roles
2. Assign privileges to roles
3. Create users
4. Grant roles to users
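As an added example (not part of the HA 240 notes), the four steps carried out as catalog (runtime) SQL, followed by the revoke that the notes say only the grantor may perform. Role, user, schema and password values are assumptions; the executing user needs ROLE ADMIN and USER ADMIN plus the privileges it hands out:

```sql
-- Added example, not from the HA 240 notes: the four steps as catalog (runtime)
-- SQL. Role, user, schema and password values are assumptions. The executing
-- user needs ROLE ADMIN, USER ADMIN and the privileges being granted.

-- 1. Define and create roles
CREATE ROLE SALES_READER;
CREATE ROLE BACKUP_OPERATOR;

-- 2. Assign privileges to the roles, not to individual users
GRANT SELECT ON SCHEMA SALES TO SALES_READER;   -- object privilege (end-user role)
GRANT BACKUP ADMIN TO BACKUP_OPERATOR;          -- system privilege (administrator role)

-- 3. Create users
CREATE USER jdoe   PASSWORD "Initial-Pw-2024";
CREATE USER bkp_op PASSWORD "Initial-Pw-2024";

-- 4. Grant the roles to the users
GRANT SALES_READER    TO jdoe;
GRANT BACKUP_OPERATOR TO bkp_op;

-- Catalog-role semantics from the notes: only the grantor can revoke a role,
-- and dropping the grantor drops the grants. This must be run as the user
-- that issued the GRANT above:
REVOKE SALES_READER FROM jdoe;
```

Unquoted identifiers are stored in upper case (JDOE, SALES_READER), which matters when these names are later used as string values in catalog queries.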

Runtime Roles / Catalog Roles

- Aka. catalog roles
- Studio: role editor for creating, editing, granting and revoking roles
- Not transportable
- Only the grantor can revoke the role
- Grantor dropped = privileges dropped
- Privilege for role creation: ROLE ADMIN (system privilege)
- Privilege to add roles: GRANT action
o Only the grantor can revoke the role

Repository Roles

- Advantages: the grantor doesn't need the privilege to grant, TRANSPORTABLE, can de-couple creation of a role from its ownership and granting
- Can be created using runtime objects that follow SQL principles
- Compared to catalog roles, the advantages are
o Versioning
o Integration
o Standard transport mechanisms
o Decoupling of role creation from role granting or revoking
o Support for the transport cycle DEV → QA → PROD

Role Management

- Transportable as long as assigned to a DU (system-local packages can't be transported)
- 3 transport applications
o CTS+
o ABAP transport with HANA Transport Container
o Native HANA – HANA transport using an XS application

FIG 66: Manage Roles: Repository vs. Catalog Roles

There is a set of standard catalog roles delivered by HANA

Unit 3 Lesson 3: Assigning Privileges and Roles to User

JDBC/ODBC Access

- Enabled for normal users
- Disabled for restricted users
- Use HANA Studio or SQL commands

Restricted Users

- By default only HTTP access to HANA is enabled

Internal DB Users

- Not real people; used for admin tasks such as creating objects and granting privileges
- SYS and _SYS_REPO technical users

Database Users

- SYSTEM – used for creating other database users and accessing system tables; recommended to be used before starting operation
- <sid>adm – OS administrator, unlimited access to all local resources, user at operating system level
- SYS – internal DB user, owner of database objects such as system tables and monitoring views
- _SYS_REPO – used by the HANA repository; consists of packages that contain the design-time version of various objects (calculation views, procedures, analytic privileges)
- _SYS_STATISTICS – internal monitoring of the HANA DB

Modifications can be done using SQL Commands

- ALTER USER command for user modification

HANA Cockpit

- Can be used to assign roles to a user
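As an added example (not part of the HA 240 notes), the normal versus restricted user distinction and the common ALTER USER modifications from this lesson as SQL. User names and passwords are assumptions:

```sql
-- Added example, not from the HA 240 notes: normal vs. restricted users and the
-- ALTER USER modifications. User names and passwords are assumptions.

-- Normal user: JDBC/ODBC (client connect) is enabled by default.
CREATE USER analyst1 PASSWORD "Initial-Pw-2024";

-- Restricted user: only HTTP (XS) access by default; JDBC/ODBC stays
-- disabled until an administrator explicitly enables it.
CREATE RESTRICTED USER xs_user PASSWORD "Initial-Pw-2024";
ALTER USER xs_user ENABLE CLIENT CONNECT;    -- opt in to JDBC/ODBC
ALTER USER xs_user DISABLE CLIENT CONNECT;   -- back to HTTP only

-- Typical ALTER USER modifications
ALTER USER analyst1 PASSWORD "New-Pw-2024";            -- administrator resets the password
ALTER USER analyst1 FORCE PASSWORD CHANGE;             -- must be changed at next logon
ALTER USER analyst1 DEACTIVATE USER NOW;               -- lock the account without dropping it
ALTER USER analyst1 ACTIVATE USER NOW;                 -- unlock it again
ALTER USER analyst1 RESET CONNECT ATTEMPTS;            -- clear a lockout caused by failed logons
ALTER USER analyst1 VALID UNTIL '2025-12-31 23:59:59'; -- time-limited account
```

Deactivating rather than dropping a user keeps the audit trail and the user's object ownership intact, which is why it is the usual first response when an account looks compromised.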

Unit 3 Lesson 4: Understanding Object Ownership

Schema – location of catalog objects; not all schemas have a DB account, and a schema can be owned by any account

Owner – the DB user that created the object; can create new schemas

Finding Ownership Information

- Catalog objects: "View Ownership" for tables, views, procedures
- Schema: View Schemas
- Roles: no ownership, but the creator is recorded; View ROLES

Unit 3 Lesson 5: Understanding Privileges

4 Types, used via the client interfaces ODBC, JDBC, MDX

- Object Privileges (SELECT, UPDATE, CALL) on DB objects
- Package Privileges (restrict access to and use of packages in the repository) for packages holding design-time objects such as calculation views and analytic privileges
- System Privileges (used for administrative tasks, assigned to users and roles)
- Analytic Privileges (for row-level authorizations), e.g. on calculation views; activated and defined before being granted to users and roles
- Application Privileges: the developer of a HANA XS application can create application privileges to access the application

Unit 3 Lesson 6: Viewing Information about Users and Authorizations
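As an added example (not part of the HA 240 notes) covering Lesson 4 (object ownership) and Lesson 6 (viewing information about users and authorizations), the catalog views behind the "View Ownership", "View Schemas" and "View Roles" screens, plus the views that answer what a given user can actually do. The view and column names are the documented SYS views (check them against the installed release); the schema, user and role names are assumptions:

```sql
-- Added example, not from the HA 240 notes. SYS view and column names are the
-- documented ones; schema, user and role names are assumptions.

-- Ownership of catalog objects in one schema (tables, views, procedures ...)
SELECT SCHEMA_NAME, OBJECT_NAME, OBJECT_TYPE, OWNER_NAME
  FROM SYS.OWNERSHIP
 WHERE SCHEMA_NAME = 'SALES';

-- Schemas and the DB account that owns each of them
SELECT SCHEMA_NAME, SCHEMA_OWNER
  FROM SYS.SCHEMAS
 ORDER BY SCHEMA_NAME;

-- Roles have no owner, only a creator; repository roles show _SYS_REPO here
SELECT ROLE_NAME, CREATOR, CREATE_TIME
  FROM SYS.ROLES
 ORDER BY CREATOR, ROLE_NAME;

-- Roles granted to a user, with the grantor that alone can revoke them again
-- (catalog role: the granting user; repository role: _SYS_REPO)
SELECT GRANTEE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'JDOE';

-- Everything the user can effectively do, including privileges inherited via roles
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTEE, GRANTOR
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'JDOE'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME;

-- Account state of the human users: who created them, locked or not, last logon
SELECT USER_NAME, CREATOR, USER_DEACTIVATED, LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS
 WHERE USER_NAME NOT LIKE '\_SYS%' ESCAPE '\';
```

Reading these views requires the CATALOG READ system privilege (or ownership of the objects in question); the EFFECTIVE_PRIVILEGES query is the one to run when a user reports an authorization error, because it resolves the whole role hierarchy rather than only the direct grants.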

Unit 4 Lesson 1: Authentication and SSO

Password Policies – rules for a password policy; can be changed in HANA Studio or Security WebIDE

Password Blacklist – list of words not allowed to be used as passwords or past passwords

Unit 4 Lesson 2: MDC

SYSTEM – database superuser

Unit 4 Lesson 3: Encryption

Unit 4 Lesson 4: GRC Access Control

Unit 4 Lesson 5: NW Identity Management

- To integrate with other modules of SAP
o HCM
o NW Portal

Unit 4 Lesson 6: HANA Extended Application Service and Application Services

- All computation and processing is done in the HANA server, and the results are returned to the application services
- Application logic processing is done on the database; no traditional application server is needed = reduced cost of ownership
- Single development landscape, less risk of inconsistencies
- Fast development speed with web-based data access

SQLCC Scenario

- Package w/o a configured default connection:
o OData and plain DB access from XSJS are not recommended
- Package with a configured default connection:
o All SQL connections (XSJS and OData) are opened with the configured default connection

Unit 4 Lesson 7: HANA Extended Application Services, Advanced Model Security

Vision of XS Advanced

- Run and scale applications on-premise and in the cloud
- Support polyglot runtime containers for HANA app development
- HANA Deployment Infrastructure (HDI) enables deployment of isolated native HANA content multiple times
- Support standard development tools and processes (Git and Eclipse)
- Unified web-based development to code end-to-end native applications

Unit 5 Lesson 1: Setting up and Analyzing an Authorization Trace

Unit 6 Lesson 1: Outlining Security Scenarios

Unit 6 Lesson 2: BW Models in HANA

- Create an interface to BW data using HANA views (calculation views) and dynamic analytic privileges, used by native HANA clients and applications
- Authorizations in HANA are required for users to be able to access the generated views

Unit 6 Lesson 3: Authorization Options and User Management for Integration of BOBJ BI and HANA
