How to Define Authorization Concepts?
- Security
SAP HANA is an in-memory high-speed data access concept. It allows the analysis of large, often unaggregated, amounts of data, in a much faster way than in other databases. Data handling in SAP HANA is very different from what we know from SAP NetWeaver. It has its own system for managing users and authorizations.
SAP HANA security architecture
The authorization concept implemented in SAP HANA databases is based on privileges granted to users, directly or through roles.
SSL/TLS encryption should be configured for each of the three connection types:
- connections between clients and the SAP HANA database
- internal connections between SAP HANA components
- connections to another data center (for example, backup using SAP HANA System Replication)
SAP HANA also allows logging of critical events, such as changes to users, roles and permissions, configuration changes, and invalid logins. In addition, data reads and writes (for example, on tables) and executions (for example, of procedures) can be logged. Some form of emergency (firefighter) logging is also available.
SAP HANA - Authorization and user management
The SAP HANA database distinguishes between three types of users:
- named (standard) users
- the SYSTEM user
- internal technical users
SAP HANA operations performed by these users require appropriate permissions. You can assign permissions directly to users or group them into roles.
SAP HANA - Entitlements
The basic principle: access is allowed only if the appropriate permissions have been granted to the user. This is the so-called positive authorization.
There are no negative authorizations in SAP HANA, that is, there is no way to explicitly block a user's access. Exactly as in SAP NetWeaver, authorizations are only additive.
There are three types of privileges:
- object privileges
- system privileges
- analytic privileges
SAP HANA roles
In SAP HANA, roles are a set of permissions (or in some cases a set of roles). Roles can be inherited (nested). This allows you to accurately map business roles into the authorization concept.
To manage roles, you should always work in the HANA Repository and create roles as design-time objects (repository roles), which you will later transport. Once transported, the role is activated automatically. Only the resulting runtime roles (catalog roles) can be assigned to users.
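An added example (not from the original article) showing the additive privilege model, role nesting and audit logging described above in SAP HANA SQL. It uses catalog roles for illustration; the same privileges would be placed in a repository role for transport. The SALES schema, the analytic privilege name, the role names and the user are assumptions.

```sql
-- Constructed example: positive, additive authorization on SAP HANA.
-- Schema SALES, the analytic privilege, role and user names are assumed.

-- 1. Object privilege: read access to one schema, packaged in a role.
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA SALES TO sales_reader;

-- 2. Nested role: the analyst inherits the reader role and adds a
--    system privilege and an analytic (structured) privilege on top.
CREATE ROLE sales_analyst;
GRANT sales_reader TO sales_analyst;            -- role nesting
GRANT CATALOG READ TO sales_analyst;            -- system privilege
GRANT STRUCTURED PRIVILEGE "_SYS_BIC"."sales.ap::AP_EUROPE"
  TO sales_analyst;                             -- analytic privilege (assumed name)

-- 3. A named user receives the nested role. There is no DENY in HANA:
--    access is only ever added; to take it away you REVOKE what was granted,
--    e.g. REVOKE sales_reader FROM sales_analyst;
CREATE USER analyst1 PASSWORD "Initial-Pw-1";
GRANT sales_analyst TO analyst1;

-- The effective set is the union of everything granted directly or through
-- nested roles; review it before signing the assignment off.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'ANALYST1';

-- 4. Audit the critical events the article lists (user/role changes and
--    failed logins) and send the trail to the Linux syslog.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true',
      ('auditing configuration', 'default_audit_trail_type') = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

CREATE AUDIT POLICY user_and_role_changes
  AUDITING ALL CREATE USER, DROP USER, ALTER USER,
               CREATE ROLE, DROP ROLE, GRANT ROLE, REVOKE ROLE,
               GRANT PRIVILEGE, REVOKE PRIVILEGE
  LEVEL CRITICAL;
ALTER AUDIT POLICY user_and_role_changes ENABLE;

CREATE AUDIT POLICY failed_logins
  AUDITING UNSUCCESSFUL CONNECT
  LEVEL ALERT;
ALTER AUDIT POLICY failed_logins ENABLE;
```

Running the statements requires a user holding ROLE ADMIN, USER ADMIN, AUDIT ADMIN and INIFILE ADMIN, which is exactly the separation of duties the framework concept below should define.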
The concept of authorization - Framework and fundamentals
Granting access to SAP HANA objects is done, as standard, by assigning privileges. A framework concept defines the rules for assigning privileges and roles. Such a concept is a guarantee of security, provided there are adequate mechanisms to verify compliance with it.
The framework concept helps raise the level of IT security by implementing appropriate access policies. Therefore, the authorization framework should answer the following questions:
- Who is authorized to create and change users?
- Who is authorized to create roles?
- Who has the authority to assign/change roles?
- Who is responsible for administering the database?
- How will emergency users (emergency user/firefighters) be managed and by whom?
- Who will monitor which users?
- Who is authorized to create XSA roles?
- Who is authorized to transport roles?
- What constraints must the roles have?
- Who is authorized to create analytical views?
The framework concept must contain the following information:
- a description of the division of duties between IT administration and business departments
- a description of user types (standard and restricted)
- handling of the SYSTEM user
- use of users such as Administrator, Technical User, Cockpit User, XSA Developer
- a description of roles for specific user groups
- role descriptions with recommendations and requirements, e.g. for DATA ADMIN, ROLE ADMIN, CATALOG READ
- use of the HDI repository and its roles
- use of privilege types: object, analytic, standard
- settings for SAP HANA database auditing: audit log review, Linux syslog, assignment of audit privileges to users
- a description of access methods
- description of access methods
In addition (optionally), you can describe the use of fallback users and LDAP access (if any). Any applicable legal requirements (such as RODO, the Polish name for GDPR) should also be included.
If you want to learn more about SAP HANA and authorization management, you are welcome to contact us.
Tomasz Jurgielewicz
Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of:
- identification of authorization conflicts and authorization reorganization
- identification of SAP vulnerabilities
- integration of SIEM solutions with SAP
- optimization of SAP licenses