SAP HANA - Security Overview


  • 8/17/2019 SAP HANA - Security Overview

    1/47

    SAP HANA - Security Overview

User Types

User types vary according to security policies and the different privileges assigned on the user profile. A user type can be a technical database user or an end user who needs access on the HANA system for reporting purposes or for data manipulation.

1. Standard Users
2. Restricted Users

Standard Users:-

Standard users are users who can create objects in their own Schemas and have read access in system Information models. Read access is provided by the PUBLIC role, which is assigned to every standard user.

SAP HANA User Administration Activities

User Administration & Role Management

Depending on business needs and the configuration of the HANA system, there are different user activities that can be performed using a user administration tool like HANA studio.

Most common activities include:-

• Create Users
• Grant roles to users
• Define and Create Roles
• Deleting Users
• Resetting user passwords
• Reactivating users after too many failed logon attempts
• Deactivating users when it is required

How to create Users in HANA Studio?

To create users and roles in HANA studio, go to HANA Administrator Console.

• When you expand the Security tab, it gives the options User and Roles. To create a new user, right click on User and go to New User. A new window will open where you define the User and User parameters.

• Only database users with the system privilege ROLE ADMIN are allowed to create users and roles in HANA studio.

• Enter User name (mandatory) and in the Authentication field enter a password. The password policy is applied while saving the password for a new user.

Different Authentication methods can be configured like SAML, X509 certificates, SAP ticket, etc. Users in the database can be authenticated by varying mechanisms:-

• Internal authentication mechanism using a password.

• External mechanisms such as Kerberos, SAML, SAP Logon Ticket, SAP Assertion Ticket or X.509.

• A user can be authenticated by more than one mechanism at a time. However, one password and one principal name for Kerberos can be valid at any one time. One authentication mechanism has to be specified to allow the user to connect and work with the database instance.

• It also gives an option to define the validity of a user; you can mention the validity interval by selecting the dates. Validity specification is an optional user parameter.

• Some users that are, by default, delivered with the SAP HANA database are
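The user administration activities above, expressed as SAP HANA SQL instead of the HANA studio dialogs. This is an added example, not part of the original slides; the user names, the role name and the Kerberos principal are constructed.

```sql
-- Added example: user administration activities from the slides as HANA SQL.
-- REPORT_USER, TECH_USER, SALES_READER and the Kerberos principal are constructed.
-- CREATE USER requires the USER ADMIN system privilege; granting roles requires ROLE ADMIN.

-- Standard user with a password and an optional validity interval.
-- By default the user must change the initial password at first logon.
CREATE USER report_user PASSWORD "Initial_Pw_2019!"
    VALID FROM '2019-08-17 00:00:00' UNTIL '2020-08-17 00:00:00';

-- Restricted user: no PUBLIC role and no own schema,
-- so it can only do what is explicitly granted.
CREATE RESTRICTED USER tech_user PASSWORD "Initial_Pw_2019!";

-- Map one external Kerberos principal to the database user and enable that
-- mechanism; password authentication stays enabled alongside it.
ALTER USER report_user ADD IDENTITY 'report_user@EXAMPLE.ORG' FOR KERBEROS;
ALTER USER report_user ENABLE KERBEROS;

-- Grant an existing role (PUBLIC is implicit for standard users).
GRANT sales_reader TO report_user;

-- Reactivate a user locked after too many failed logon attempts,
-- and reset its password.
ALTER USER report_user RESET CONNECT ATTEMPTS;
ALTER USER report_user PASSWORD "Reset_Pw_2019!";

-- Deactivate / reactivate a user when required, or delete it.
ALTER USER report_user DEACTIVATE USER NOW;
ALTER USER report_user ACTIVATE USER NOW;
DROP USER tech_user;

-- Verify the result: validity, deactivation state and failed-logon counter.
SELECT user_name, valid_from, valid_until, user_deactivated,
       invalid_connect_attempts
  FROM sys.users
 WHERE user_name IN ('REPORT_USER', 'TECH_USER');
```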

Granted Roles to a User

This is used to add inbuilt SAP HANA roles to a user profile or to add custom roles created under the Roles tab.

Custom roles allow you to define roles as per access requirement, and you can add these roles directly to a user profile. This removes the need to remember and add objects to a user profile every time for different access types.

PUBLIC:-

This is a generic role and is assigned to all database users by default. It contains read-only access to system views and execute privileges for some procedures. This role cannot be revoked.

System Privileges

There are different types of System privileges that can be added to a user profile. To add a system privilege to a user profile, click on the + sign.

System privileges are used for Backup/Restore, User Administration, Instance start and stop, etc.

Modelling

It contains all privileges required for using the information modeller in the SAP HANA studio.

Content Admin

• It contains similar privileges to those in the MODELING role, but with the addition that this role is allowed to grant these privileges to other users. It also contains the repository privileges to work with imported objects.

Data Admin

This is a type of privilege required for adding Data from objects to a user profile.

Given below are common supported System Privileges:-

Attach Debugger

• It authorizes the debugging of a procedure call, called by a different user. Additionally, the DEBUG privilege for the corresponding procedure is needed.

Audit Admin

• Controls the execution of the following auditing-related commands: CREATE AUDIT POLICY

Backup Operator

• It authorizes the BACKUP command to initiate a backup process.

Catalog Read

• It authorizes users to have unfiltered read-only access to all system views. Normally, the content of these views is filtered based on the privileges of the accessing user.

Create Schema

• It authorizes the creation of database schemas using the CREATE SCHEMA command. By default, each user owns one schema; with this privilege the user is allowed to create additional schemas.

CREATE STRUCTURED PRIVILEGE

• It authorizes the creation of Structured Privileges (Analytical Privileges). Only the owner of an Analytical Privilege can further grant or revoke that privilege to other users or roles.

Credential Admin

• It authorizes the credential commands: CREATE/ALTER/DROP CREDENTIAL

Database Admin

• It authorizes all commands related to databases in a multi-database system, such as CREATE, DROP, ALTER, RENAME, BACKUP, RECOVER

Inifile Admin

• It authorizes changing of system settings.

License Admin

• It authorizes the SET SYSTEM LICENSE command.

Resource Admin

This privilege authorizes commands concerning system resources. For example ALTER SYSTEM

Object/SQL Privileges

Object privileges are also known as SQL privileges. These privileges are used to allow access on objects like Select, Insert, Update and Delete of tables, Views or Schemas.

Given below are possible types of Object Privileges:-

• Object privilege on database objects that exist only in runtime

• Object privilege on activated objects created in the repository, like calculation views

• Object privilege on a schema containing activated objects created in the repository

• Object/SQL Privileges are a collection of all DDL and DML privileges on objects.

Given below are common supported Object Privileges:-

• There are multiple database objects in the HANA database, so not all the privileges are applicable to all kinds of database objects.

Object Privileges and their applicability on database objects:-

Analytic Privileges

Analytic privileges are used to limit the access on HANA Information Views at object level. We can apply row and column level security in Analytic Privileges.

Sometimes, it is required that data in the same view should not be accessible to other users who do not have any relevant requirement for that data.

Analytic Privileges are used for:-

• Allocation of row and column level security for a specific value range.

• Allocation of row and column level security for modelling views.

Package Privileges

• In the SAP HANA repository, you can set package authorizations for a specific user or for a role. Package privileges are used to allow access to data models (Analytic or Calculation views) or to Repository objects.

• All privileges that are assigned to a repository package are assigned to all sub packages too.

• Select one or more repository packages that you want to authorize access to; the selected packages appear in the Package Privileges tab.

Given below are grant privileges, which are used on repository packages to authorize a user to modify the objects:-

REPO.READ: Read access to the selected package and design-time objects (both native and imported).

REPO.EDIT_NATIVE_OBJECTS: Authorization to modify objects in packages.

Grantable to Others: If you choose

Application Privileges

• Application privileges in a user profile are used to define authorization for access to a HANA XS application.

• This can be assigned to an individual user or to a group of users.

Application privileges can also be used to provide different levels of access to the same application, like providing advanced functions for database Administrators and read-only access to normal users.

To define Application specific privileges in a user profile or to add a group of users, the below privileges should be used:-

Application-privileges file (.xsprivileges)

Application-access file (.xsaccess)

Role-definition file (RoleName.hdbrole)

SAP HANA - Authentications

All SAP HANA users that have access on the HANA database are verified with different Authentication methods. The SAP HANA system supports various types of authentication method, and all these login methods are configured at the time of profile creation.

Below is the list of authentication methods supported by SAP HANA:-

• Username/Password

• Kerberos

• SAML 2.0

• SAP Logon tickets

• X.509

UserName/Password

• This method requires a HANA user to enter user name and password to login to the database. This user profile is created under User management in HANA Studio > Security Tab.

• Password should be as per password policy i.e. Password length, complexity, lower/upper case letters, etc.

Kerberos

• All users who connect to the HANA database system using an external authentication method should also have a database user. It is required to map the external login to the internal database user.

• This method enables users to authenticate to the HANA system directly using JDBC/ODBC drivers through the network or by using front end applications in SAP Business Objects.

• It also allows HTTP access in HANA Extended Service using the HANA XS engine. It uses the SPNEGO mechanism for Kerberos authentication.

SAML

• SAML stands for Security Assertion Markup Language and can be used to authenticate users accessing the HANA system directly from ODBC/JDBC clients.

• It can also be used to authenticate users in the HANA system coming via HTTP through the HANA XS engine.

• SAML is used only for authentication purposes and not for authorization.

SAP Logon and Assertion Tickets

• SAP Logon/assertion tickets can be used to authenticate users in the HANA system.

• These tickets are issued to users when they login into an SAP system which is configured to issue such tickets, like SAP Portal, etc.

• The user specified in SAP logon tickets should be created in the HANA system, as it does not provide support for mapping users.

X.509

Single Sign On in HANA system

• Single sign on can be configured in the HANA system, which allows users to login to the HANA system from an initial authentication on the client.

• The user logs in at client applications using different authentication methods, and SSO allows the user to access the HANA system directly.

SSO can be configured on the below configuration methods:-

• SAML

• Kerberos

• X.509 client certificates for HTTP access from the HANA XS engine

• SAP Logon/Assertion tickets

SAP HANA - Authorization Methods

• Authorization is checked when a user tries to connect to the HANA database and perform some database operations.

• When a user connects to the HANA database using client tools via ODBC/JDBC or via HTTP to perform some operations on database objects, the corresponding action is determined by the access that is granted to the user.

• Privileges granted to a user are determined by the Object privileges assigned on the user profile or a role that has been granted to the user.

• Authorization is a combination of both accesses.

• When a user tries to perform some operation on the HANA database, the system performs an authorization check.

• When all required privileges are found, the system stops this check and grants the requested access.

There are different types of privileges which are used in SAP HANA, as mentioned under role and Management:-

System Privileges

• They are applicable to system and database authorization for users and control system

• They are used for administrative tasks such as creating Schemas, data backups, creating users and roles and so on.

• System privileges are also used to perform Repository operations.

Object Privileges

• They are applicable to database operations and apply to database objects like tables, Schemas, etc.

• They are used to manage database objects such as tables and views.

• Different actions like Select, Execute, Alter, Drop, Delete can be defined based on database objects.

• They are also used to control remote data objects, which are connected through SMART data access to SAP HANA.

Analytic Privileges

• They are applicable to data inside all the packages that are created in the HANA repository.

• They are used to control modelling views that are created inside packages like Attribute View, Analytic View, and Calculation View.

• They apply row and column level security to attributes that are defined in modelling views in HANA packages.

Package Privileges

• They are applicable to allow access to and the ability to use packages that are created in the repository of the HANA database.

• A Package contains different Modelling views like Attribute, Analytic and Calculation views, and also Analytic Privileges defined in the HANA repository database.

Application Privileges

• They are applicable to HANA XS applications that access the HANA database via HTTP requests.

• They are used to control access on applications created with the HANA XS engine.

• Application Privileges can be applied to users/roles directly using HANA studio, but it is preferred that they should be applied to roles created in the repository at design time.

Repository Authorization in SAP HANA Database
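The privilege types summarised above (system, object, grantable-to-others), granted through custom roles in SAP HANA SQL and then verified from the system views. This is an added example, not from the slides; the schema SALES and its objects, the role names and the user REPORT_USER are constructed.

```sql
-- Added example: privilege types from the slides, granted via roles rather
-- than directly to a user. SALES, SALES.ORDERS, SALES.MONTHLY_REPORT,
-- SALES_READER, SALES_EDITOR and REPORT_USER are constructed names.

-- Custom role: grant privileges once here, then grant the role to users.
CREATE ROLE sales_reader;

-- System privilege: unfiltered read access to all system views.
GRANT CATALOG READ TO sales_reader;

-- Object (SQL) privileges: DML on a schema, EXECUTE on one procedure.
GRANT SELECT ON SCHEMA sales TO sales_reader;
GRANT EXECUTE ON sales.monthly_report TO sales_reader;

-- A second role whose holders may pass the privilege on ("grantable to others").
CREATE ROLE sales_editor;
GRANT INSERT, UPDATE, DELETE ON sales.orders TO sales_editor WITH GRANT OPTION;

-- Roles are granted like privileges and can be nested.
GRANT sales_reader TO sales_editor;
GRANT sales_editor TO report_user;

-- Least-privilege check: what the user effectively holds, and from which grantor.
SELECT privilege, object_type, schema_name, object_name, grantor, grantee,
       is_grantable
  FROM sys.effective_privileges
 WHERE user_name = 'REPORT_USER'
 ORDER BY schema_name, object_name, privilege;

-- The role chain that produced those privileges.
SELECT grantee, role_name, grantor
  FROM sys.granted_roles
 WHERE grantee IN ('REPORT_USER', 'SALES_EDITOR');

-- Revoke the role when it is no longer required.
REVOKE sales_editor FROM report_user;
```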

License Management

SAP HANA License management and keys are required to use the HANA database.

• Temporary License keys are automatically installed when you install the HANA database.

• These keys are valid only for 90 days, and you should request a permanent license key from SAP market place before the expiry of this 90 days period after installation.

There are two types of permanent License keys for the HANA system:-

1. Unenforced

• If an unenforced license key is installed and the consumption of the HANA system exceeds the licensed amount of memory, the operation of SAP HANA is not affected in this case.

2. Enforced

• If an Enforced license key is installed and the consumption of the HANA system exceeds the licensed amount of memory, the HANA system gets locked. If this situation occurs, the HANA system has to be restarted or a new license key should be requested and installed.

There are different License scenarios that can be used in the HANA system depending on the landscape of the system (Standalone, HANA Cloud, BW on HANA, etc.), and not all of these models are based on the memory of the HANA system installation.

How to Check License Properties of HANA

Right Click on HANA system > Properties > License

• It tells about License type, Start Date and Expiration Date, Memory Allocation and the information (Hardware Key, System Id) that is required to request a new license through SAP Market Place.

• Install License key > Browse > Enter Path is used to install a new License key, and the delete option is used to delete any old expired key.

• The All Licenses tab under License tells about Product name, description, Hardware key, First installation time, etc.

SAP HANA - Auditing

Audit Policy defines what activities have been performed in the HANA system and who performed those activities at what time.

• The SAP HANA audit policy tells the actions to be audited and also the condition under which an action must be performed to be relevant for auditing.

• The SAP HANA database auditing feature allows monitoring of actions performed in the HANA system.

• The SAP HANA audit policy must be activated on the HANA system to use it. When an action is performed, the policy triggers an audit event to write to the audit trail.

To define an Audit policy in the HANA system, you should have the system privilege Audit Admin.

Go to Security option in HANA system > Auditing

Under Global Settings > set Auditing status as enabled.

Syslog (default)

• Logging system of the Linux Operating System.

Database Table

• Internal database table; only a user who has the Audit Admin or Audit Operator system privilege can run select operations on this table.

CSV text

• This type of audit trail is only used for test purposes in a non-production environment.
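The auditing setup described on the last slides (enable auditing, choose a trail target, define policies, review the trail), done in SAP HANA SQL rather than the HANA studio Security > Auditing screen. This is an added example, not from the slides; the policy names and the timestamp are constructed.

```sql
-- Added example: audit configuration from the slides as HANA SQL.
-- AUDIT_USER_ADMIN / AUDIT_FAILED_CONNECT and the timestamp are constructed.
-- Needs AUDIT ADMIN (and INIFILE ADMIN for the configuration change).

-- 1. Enable auditing globally and choose the trail target:
--    SYSLOGPROTOCOL (default), CSTABLE (database table) or
--    CSVTEXTFILE (test systems only, as the slides note).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('auditing configuration', 'global_auditing_state') = 'true',
        ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
    WITH RECONFIGURE;

-- 2. Policies: which actions, whether successful/unsuccessful/all executions,
--    and the severity level written with each audit event.
CREATE AUDIT POLICY audit_user_admin
    AUDITING ALL CREATE USER, DROP USER, ALTER USER,
                 GRANT ROLE, REVOKE ROLE, GRANT PRIVILEGE, REVOKE PRIVILEGE
    LEVEL CRITICAL;

-- Failed logons only: high signal, low volume.
CREATE AUDIT POLICY audit_failed_connect
    AUDITING UNSUCCESSFUL CONNECT
    LEVEL WARNING;

-- Policies are created disabled; enable them explicitly.
ALTER AUDIT POLICY audit_user_admin ENABLE;
ALTER AUDIT POLICY audit_failed_connect ENABLE;

-- 3. Review the table trail (requires AUDIT ADMIN or AUDIT OPERATOR).
SELECT timestamp, user_name, client_ip, event_action, event_status,
       audit_policy_name, statement_string
  FROM sys.audit_log
 WHERE audit_policy_name IN ('AUDIT_USER_ADMIN', 'AUDIT_FAILED_CONNECT')
 ORDER BY timestamp DESC;

-- Housekeeping of the table trail (AUDIT OPERATOR): purge old entries.
ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2019-01-01 00:00:00';
```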