A few months ago I was given the task of implementing content security in SAP HANA. The main purpose was to give business users access to the information models created in SAP HANA: for example, a Finance user should only see the Finance package and should access the information models in that package via BI tools such as Analysis for Excel.
After some research and a few discussions with various people, I came up with the following security model.
Let's assume that the content is maintained in the following structure:
Based on each type of privilege, I created the roles shown below:
System Privilege Roles
These roles are mainly needed for system admin tasks (technical roles).
X_HNS: S stands for System Privilege role
Role Name | Description | Privilege Type | Assigned Privileges
---|---|---|---
X_HNS_USERADMIN | Creates users, changes their passwords and deletes users | System Privilege | USER ADMIN
X_HNS_ROLEADMIN | Creates, alters and drops roles with SQL commands | System Privilege | ROLE ADMIN
X_HNS_SYSADMIN | Administers the HANA system, alters system parameters and executes ALTER commands to change the system | System Privilege | INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, SERVICE ADMIN, SESSION ADMIN, TRACE ADMIN, AUDIT ADMIN
X_HNS_SYSMON | Changes alerts, enables logging and views logs to monitor the system | System Privilege | CATALOG READ, MONITOR ADMIN
X_HNS_CONTENTADMIN | Creates, alters, imports, exports and drops content | System Privilege | CREATE SCENARIO, CREATE STRUCTURED PRIVILEGE, STRUCTUREDPRIVILEGE ADMIN
X_HNS_DATAADMIN | Creates schemas, imports and exports tables and drops tables | System Privilege | CATALOG READ, CREATE REMOTE SOURCE, CREATE SCHEMA, IMPORT, EXPORT
Object Privilege Roles
X_HNO: O stands for Object Privilege role
Role Name | Description | Privilege Type | Assigned Privileges
---|---|---|---
X_HNO_CONTENT_READ | Gives read access to activated views | Object Privilege | _SYS_BI (SELECT, EXECUTE). _SYS_BIC (SELECT, EXECUTE) is only needed if HANA Studio is used to access the views; leaving it out for BI tools is more secure with respect to which activated views are displayed, because access to _SYS_BIC grants access to all activated views and would invalidate this model. A separate role can be created for that privilege.
X_HNO_CONTENT_WRITE | Gives write access to activated views and read access to the schema | Object Privilege | _SYS_BI (EXECUTE, SELECT, INSERT, UPDATE, DELETE), _SYS_BIC (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX)
X_HNO_CONTENT_LIST | | Object Privilege | REPOSITORY_REST (EXECUTE)
X_HNO_SCHEMA_READ | SCHEMA is replaced with the required schema name | Object Privilege | SCHEMA (SELECT)
X_HNO_SCHEMA_WRITE | SCHEMA is replaced with the required schema name | Object Privilege | SCHEMA (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX)
X_HNO_FI_CONTENT | | Object Privilege | _SYS_BIC.FI column views
X_HNO_CO_CONTENT | | Object Privilege | _SYS_BIC.CO column views
X_HNO_IM_CONTENT | | Object Privilege | _SYS_BIC.IM column views
X_HNO_LE_CONTENT | | Object Privilege | _SYS_BIC.LE column views
X_HNO_MM_CONTENT | | Object Privilege | _SYS_BIC.MM column views
X_HNO_PA_CONTENT | | Object Privilege | _SYS_BIC.PA column views
X_HNO_PU_CONTENT | | Object Privilege | _SYS_BIC.PU column views
X_HNO_SD_CONTENT | | Object Privilege | _SYS_BIC.SD column views
X_HNO_SP_CONTENT | | Object Privilege | _SYS_BIC.SP column views
Package Privilege Roles
Role Name | Description | Privilege Type | Assigned Privileges
---|---|---|---
X_HNP_FI_READ | Gives read access to package FI | Package Privilege | 
X_HNP_IM_READ | Gives read access to package IM | Package Privilege | 
X_HNP_LE_READ | Gives read access to package LE | Package Privilege | 
X_HNP_MM_READ | Gives read access to package MM | Package Privilege | 
X_HNP_PP_READ | Gives read access to package PP | Package Privilege | 
X_HNP_PU_READ | Gives read access to package PU | Package Privilege | 
X_HNP_SD_READ | Gives read access to package SD | Package Privilege | 
X_HNP_SP_READ | Gives read access to package SP | Package Privilege | 
X_HNP_CO_READ | Gives read access to package CO | Package Privilege | 
X_HNP_PA_READ | Gives read access to package PA | Package Privilege | 
X_HNP_ROOT_WRITE | Gives edit access to ALL packages | Package Privilege | on ROOT
Analytic Privilege Roles
Many analytic privileges can be assigned to one role. For example, I first create a single analytic privilege and then create a role for the department with that analytic privilege; more analytic privileges can be added to it later. In our case we are not using restrictive analytic privileges, which means there are no attribute restrictions.
X_HND: D stands for Data level restriction
Analytic Privilege | Package | Content | Attribute Restrictions
---|---|---|---
X_HND_CO_AP1 | CO | Column views under _SYS_BIC.CO/ | NA
X_HND_FI_AP1 | FI | All column views under _SYS_BIC.FI/ | NA
X_HND_IM_AP1 | IM | Column views under _SYS_BIC.IM/ | NA
X_HND_LE_AP1 | LE | Column views under _SYS_BIC.LE/ | NA
X_HND_MM_AP1 | MM | Column views under _SYS_BIC.MM/ | NA
X_HND_PP_AP1 | PP | Column views under _SYS_BIC.PP/ | NA
X_HND_PA_AP1 | PA | Column views under _SYS_BIC.PA/ | NA
X_HND_PU_AP1 | PU | Column views under _SYS_BIC.PU/ | NA
X_HND_SD_AP1 | SD | Column views under _SYS_BIC.SD/ | NA
_SYS_BI_CP_ALL | ROOT | All column views under _SYS_BIC | No restrictions. Currently in use
Now the analytic roles:
X_HNA: A stands for Analytic Privilege role
Role Name | Analytic Privilege
---|---
X_HNA_FI | X_HND_FI_AP1
X_HNA_IM | X_HND_IM_AP1
X_HNA_LE | X_HND_LE_AP1
X_HNA_CO | X_HND_CO_AP1
X_HNA_MM | X_HND_MM_AP1
X_HNA_PU | X_HND_PU_AP1
X_HNA_PP | X_HND_PP_AP1
X_HNA_PA | X_HND_PA_AP1
X_HNA_SD | X_HND_SD_AP1
X_HNA_ALL | _SYS_BI_CP_ALL (currently the only one in use)
Let's take a look at how the system privilege roles are combined into technical roles:
Technical Roles
Role Name | Description | Granted Roles
---|---|---
Y_HNT_SECURTY | Add/delete/edit users and assign other roles | X_HNS_USERADMIN, X_HNS_ROLEADMIN
Y_HNT_ADMINS | Perform admin and security tasks | X_HNS_USERADMIN, X_HNS_ROLEADMIN, X_HNS_SYSADMIN, X_HNS_SYSMON, X_HNS_CONTENTADMIN, X_HNS_DATAADMIN
Y_HNT_CONTENT_DEVS | Create and activate information models in packages | X_HNS_CONTENTADMIN, X_HNO_SCHEMA_READ, X_HNO_CONTENT_WRITE, X_HNO_CONTENT_LIST, X_HNP_ROOT_WRITE, X_HNA_ALL
Now let's look at a functional role example. Here Finance user A needs access to the FI package and its information views, so we create a functional role for the Finance department and add user A to it.
Role Name | Granted Roles
---|---
Y_HNF_FI | X_HNO_CONTENT_READ, X_HNO_FI_CONTENT, X_HNP_FI_READ, X_HNA_ALL
In the same way we can create other functional roles depending on our requirements and then assign them to users. It is not mandatory to set up roles this way, but it can serve as a reference.
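As an added example (not code from the original post), here is how the building blocks above are created in SAP HANA SQL: one system privilege role, the two object privilege roles used by Finance, the FI package privilege role, the analytic privilege role and the Y_HNF_FI functional role, followed by two checks. The column view name "FI/AN_FI_EXAMPLE" and the user USER_A are placeholders, and the FI package is assumed to sit directly under the repository root.

```sql
-- Added example: the post's role model expressed as SAP HANA SQL.
-- Role, privilege and package names come from the post; "FI/AN_FI_EXAMPLE"
-- and USER_A are constructed placeholders.

-- 1. System privilege role (technical building block)
CREATE ROLE X_HNS_USERADMIN;
GRANT USER ADMIN TO X_HNS_USERADMIN;

-- 2. Object privilege roles. _SYS_BIC is deliberately NOT granted to
--    X_HNO_CONTENT_READ: SELECT on the whole _SYS_BIC schema would expose
--    every activated view and defeat the per-package split.
CREATE ROLE X_HNO_CONTENT_READ;
GRANT SELECT, EXECUTE ON SCHEMA _SYS_BI TO X_HNO_CONTENT_READ;

CREATE ROLE X_HNO_FI_CONTENT;
-- one grant per activated FI column view (placeholder view name)
GRANT SELECT ON "_SYS_BIC"."FI/AN_FI_EXAMPLE" TO X_HNO_FI_CONTENT;

-- 3. Package privilege role: read access to the FI repository package
CREATE ROLE X_HNP_FI_READ;
GRANT REPO.READ ON "FI" TO X_HNP_FI_READ;

-- 4. Analytic privilege role: the unrestricted built-in privilege the post uses
CREATE ROLE X_HNA_ALL;
GRANT STRUCTURED PRIVILEGE _SYS_BI_CP_ALL TO X_HNA_ALL;

-- 5. Functional role for Finance, composed only of building-block roles,
--    then assigned to the business user
CREATE ROLE Y_HNF_FI;
GRANT X_HNO_CONTENT_READ, X_HNO_FI_CONTENT, X_HNP_FI_READ, X_HNA_ALL TO Y_HNF_FI;
GRANT Y_HNF_FI TO USER_A;

-- 6. Checks: which roles USER_A effectively holds, and that no functional
--    role received a schema-wide privilege on _SYS_BIC (which would break
--    the model described in the X_HNO_CONTENT_READ row)
SELECT ROLE_NAME
  FROM EFFECTIVE_ROLES
 WHERE USER_NAME = 'USER_A';

SELECT GRANTEE, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND GRANTEE LIKE 'Y_HNF_%';   -- expected: no rows
```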