Application Development Blog Posts
Learn and share on deeper, cross technology development topics such as integration and connectivity, automation, cloud extensibility, developing at scale, and security.
cancel
Showing results for 
Search instead for 
Did you mean: 
ShivajiPatnaik
Advisor
Advisor

INFORMATION SECURITY:

Information Security is a key aspect of any organization. It prevents unauthorized use of the information in an enterprise. It is important to protect data and at the same time it follows all the security compliance in SAP – HANA. Security in HANA can be categorized into following two categories.

Authentication

Authentication is the process used to verify the identity of a User who tries to access the system. This is usually done by DBAs or Delegated administrators or BASIS teams and this is off the topic for this blog.

Authorization

Authorization is the process used to verify that a User has been granted sufficient privileges to perform the requested action on the specified object (on Packages/Models or Views). Information Modelers will be implementing authorization by creating Analytical Privileges or Dynamic Analytical privileges, defined on top of  SAP HANA package content i.e. Attribute Views ,Analytical Views and Calc views .

SAP HANA SECURITY

The perception that HANA Security is complex is not correct.SAP HANA has basic building block to design and implement security. Following are basic security concepts that simplify understanding and implementation of HANA Security.

Ø  HANA security model is unique to HANA.

Ø  A single "POWER USER" who has access to everything does not exist.

Ø  Database schema OWNER is the only user who can grant access to other users, including SYSTEM user. The Architect/SYSTEM/Administrators has to login as each schema owner and grant permissions to target users/roles.

Ø  The HANA Repository is owned by user _SYS_REPO.

HANA LIVE

I have written a blog providing HANA Live overview which is available here HANA LIVE Blog.

Hana Live security model follows a top-down security approach .The data restrictions are applied at the top level models or views also known as Query Views. The Query Views are the only views exposed to users for reporting and analytic purposes. These Query Views are built on underlying views known as Non-Query views or direct tables. The underline Non-Query views do not have any security restrictions.

HANA LIVE SECURITY

In SAP ECC, security is very tightly defined at the application layer. The SAP ECC does not define security at the database table level; therefore there are no restrictions when querying these core tables directly. The HANA LIVES views consume core SAP ECC tables, and therefore doesn’t inherit SAP ECC security. To mitigate this issue, Analytical Authorization Assistant (AAA) tool is provided to implement SAP ECC security on the HANA Live views.

There are two aspects to implementing security using Analytical Authorization Assistant tool.

  A.) Installation of AAA tool

  B.) Usage of AAA tool

A.)  Installtion Of AAA Tool

HANA Live content is build on direct transactional database tables (in Integrated approach or in Side Car approach) .It contains more than 1000 prebuilt models/views and building security around them is a bit challenge. HANA LIVE comes with Security Add On tool call “Analytics Authorization Assistant Tool” (AAA tool or Authorization tool).This tool is very handy to define security on HANA Live Content. The Authorization tool generates analytic privileges and corresponding roles of the selected ABAP user. To use this tool you have to download it from following directory from Market Place.

Access the zipped files for installation from SAP Service Marketplace at http://service.sap.com/swdc

   --> SAP softwares Download center ->

    Support Packages and Patches ->

    Browse our Download Catalog ->

    SAP In-Memory (SAP HANA) ->

    SAP HANA Add-ons ->

    SAP HANA CONTENT TOOLS ->

    SAP HANA CONTENT TOOLS 1.0 ->

    Comprised Software Component Versions ->

    SAP HANA ANALYT. AUTHASST. 100 ->

          # OS independent -> SAP HANA database

Use the patch HCOHBAAAA00P_1-10013120.SAR file and extract the .sar file (DOWNLOAD LATEST FILE)

See the picture below.

Once you download the latest Package file and install in your local directory, unzip the file. You might need sapcar to unzip file. I am assuming you have sapcar so once you double click it will unzip in your User Folder (not where you have download the file). In my case I have downloaded the temp directory when I double clicked it opened in my user folder as shown below.

C:\Temp\ folder.  The file you should be looking is HCOHBAAAA.tgz

A1.) User Requirements to Install Downloaded Package

User should have

·   Import/Export System privileges 

·   And two Granted Roles

Ø  AnalyticalAuthorizationAdministrator

Ø  AnalyticalAuthorizationDeveloper 

NOTE : Need to grant these privileges even if User is SYSTEM user.

A2.) Installing Downloaded Package

Import Package into Hana Live

The package will contain following content and importing this package into Hana Live system will deploy following content into your HL System.

I.)         Plugin Jar file for HANA Studio: This jar file will install Analytical Authorization tool in Studio.

II.)        HANA Procedures / Hana Tables:  This contains some Hana Prebuild SPs and tables.

III.)       HANA ROLES  Comes with some ECC roles inside Hana.

Now Go to HANA Studio and go to following Hana Live server Node.

Go to Quick Launch 

And Click on IMPORT

Click on Delivery Unit

Select Client

CLICK ON BROWSE  to the downloaded file as shown below.

Click Finish.

A3.) INSTALL JAVA PLUGIN for AAA TOOL

To install JAVA Plugin Jar for HANA Studio

Goto Help /Install New Software 

Enter following link in Work with URL :

http://<servernameWithFullyQualifiedDomainName> : 8000 <or Port Address>/sap/hba/tools/auth

Ex: http://servername.sap.com: 8000/sap/hba/tools/auth

Click Finish

Once installation is done close Studio and re-open Studio. you should see Authorization Assistant tool in the studio.

B.  Usage of AAA Tool

B1.) Creating Analytical Privileges:

Following are two options you get when you click on Analytical Authorization Tool

  • Generate Analytical Privilege
  • Update Analytical Privilege

Analytical privileges on Query views can be done in two ways.

     a)    If you are using ABAP user security

     b)    If you are using None ABAP users: regular users who will be consuming these views from reporting tools and don’t have a ABAP user ids.

You will follow similar process to create APs on Query views as in Non-Query views.

a.)           a.) With ABAP User Security: The two tables UST12 and USRBF2 should be replicated into the HANA system.  You need to make sure that

                   any client and user information entered has matching data in those tables.

          

             Go to Analytical Authorization tool and select ‘Generate Analytical Privileges’

b.)          b.) Create APs for None ABAP Users: Create Analytical Privileges in a regular way. This will give you flexibility of the naming of APs and create

                 a custom restriction. When Granting Access on QueryViews  to Non-ABAP Users Grant on Individual QueryViews Only.

          NOTE: PLEASE DO NOT  Grant “SELECT ON SCHEMA _SYS_BIC " ACCESS TO NON_ABAP_USER.

Once you create all you APs in either above cases you will have to create Roles and assign APS to role and assign roles to users. Finally you will have to link HANA Users linking them to BI4.0 users or any front end users .Once the linking is done you will be ableto see the restrictions applied on reports.

 

B2.) Generate Analytical Privileges

To Generate AP you have to select a Query View first. For Ex I have selected BillingDocumentQuery

Click Schema , SAP client and ABAP User

Select a User ,For ex I have selected XXXX1309A

Click Finish .It will create a Analytical Privilege and A ROLE .

Click finish

ROLES: Once you generate Analytical Privilege it automatically creates the role with Role_USER  (as in Above picture) .The Role Details as shown in below  picture.

Analytical Privilege

Following Screen shot shows the Generated Analytical Privilege (AP) .

Details of Analytical Privilege

Analytical Privilege restriction details .

B3.) Updating Analytical Privileges

Use Update Analytical Privilege option when any changes happen in ECC and you want to reflect in HANA.

CONCLUSION

Good luck with your HANA Live security setup/ implementation. This tool is changing alot .If you see some thing new  please let me know  I will edit accordingly. Thanks for reading this blog and please let me know your feedback on this topic.

25 Comments