How do I Define Authorization Concepts?

Tomasz Jurgielewicz

SAP HANA is built around fast access to in-memory data. It allows large, often unaggregated, amounts of data to be analyzed much faster than in other databases. Data handling in SAP HANA differs significantly from what we know from SAP NetWeaver. It has its own system for managing users and authorizations.

SAP HANA Security Architecture

The authorization concept implemented in SAP HANA databases is based on authorizations.
SSL encryption should be configured on each of the three connection types:

  1. connection of the client and the SAP HANA database
  2. internal connections between SAP HANA components
  3. connection to the data center (for example, backup using SAP HANA System Replication)

SAP HANA also allows you to log critical events, such as changes to users, roles and permissions, as well as configuration changes and incorrect logins. In addition, data reading and writing (e.g. via tables) and launches are logged. There is also some kind of emergency login available.

SAP HANA - Management of Authorizations and Users

The SAP HANA database distinguishes between 3 types of users:

  • user
  • SYSTEM user
  • internal technical user

SAP HANA operations for these users require appropriate permissions. You can assign permissions directly to users or group them together into roles.


SAP HANA - Authorizations

The basic rule: access is allowed only when the appropriate permissions have been granted to the user. This is so-called positive authorization.

No authorizations in SAP HANA are negative, i.e. there is no way to explicitly BLOCK a user's access. Exactly as in SAP NetWeaver, authorizations are only additive.

There are three types of authorizations:

  • object authorizations
  • system authorizations
  • analytic authorizations


SAP HANA roles

In SAP HANA, a role is a set of authorizations (or in some cases a set of roles). Roles can be inherited (nested). This allows you to accurately map business roles in the authorization concept.

To manage roles, always work in the HANA Repository and create the roles as design-time objects (Repository Roles), which you transport later. Once transported, the role is automatically activated. Only these runtime roles (directory roles) can be assigned.
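
The additive, nested behaviour described above, modelled in Python as an added example (it is not code from the original article or from SAP). The role names, user names and the policy are hypothetical, and the grants are held in dictionaries rather than read from a database; the example resolves what each user effectively holds through nested roles and reports who holds a privilege the authorization concept does not allow them.

```python
from collections import deque

# Constructed sample data; role and user names are hypothetical.
# ROLE ADMIN, DATA ADMIN and CATALOG READ are the privileges named on this page.
ROLE_PRIVS = {
    "BASE_READER": {"CATALOG READ"},
    "ROLE_MGMT": {"ROLE ADMIN"},
    "DB_OPERATOR": {"DATA ADMIN"},
}
# Nested roles: a role inherits everything its child roles carry.
ROLE_NESTING = {
    "SECURITY_LEAD": {"ROLE_MGMT", "BASE_READER"},
    "HELPDESK": {"BASE_READER", "SECURITY_LEAD"},  # the nesting a review should catch
}
USER_ROLES = {
    "SEC_ADMIN": {"SECURITY_LEAD"},
    "OPS_USER": {"DB_OPERATOR"},
    "SUPPORT_USER": {"HELPDESK"},
}

def effective_privileges(user):
    """Return {privilege: role path granting it} for one user.
    Grants are only ever added together: the model has no deny entry,
    so a privilege reachable through any nested role is held."""
    found, seen = {}, set()
    queue = deque((r, (r,)) for r in sorted(USER_ROLES.get(user, ())))
    while queue:
        role, path = queue.popleft()
        if role in seen:  # already expanded; also stops malformed cyclic input
            continue
        seen.add(role)
        for priv in sorted(ROLE_PRIVS.get(role, ())):
            found.setdefault(priv, path)
        queue.extend((c, path + (c,)) for c in sorted(ROLE_NESTING.get(role, ())))
    return found

def violations(policy):
    """List (user, privilege, path) where the holder is not allowed by policy."""
    out = []
    for user in sorted(USER_ROLES):
        held = effective_privileges(user)
        out += [(user, p, held[p]) for p in sorted(policy)
                if p in held and user not in policy[p]]
    return out

if __name__ == "__main__":
    # Hypothetical policy: which users the concept allows to hold each privilege.
    policy = {"ROLE ADMIN": {"SEC_ADMIN"}, "DATA ADMIN": {"OPS_USER"}}
    for user, priv, path in violations(policy):
        print(f"{user} holds {priv} via {' -> '.join(path)}")
```

Because nothing can be subtracted, the only fix for the reported finding is to change the nesting or the assignment itself.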


The Concept of Authorization - Frameworks and Basics

Access to SAP HANA objects is granted as standard by assigning authorizations. The framework concept defines the rules for assigning permissions and roles. Such a concept is a guarantee of security (provided that there are appropriate mechanisms to verify its compliance).

The framework concept helps to improve the level of IT security by implementing appropriate access policies. Therefore, an authorization framework should answer the following questions:

  • who is authorized to create and change users?
  • who is authorized to create roles?
  • who is authorized to assign/change roles?
  • who is responsible for administering the database?
  • how will emergency users (emergency user/firefighter) be managed and by whom?
  • who will control which users?
  • who is authorized to create XSA roles?
  • who is entitled to transport roles?
  • what restrictions must the roles have?
  • who is authorized to create analytic views?

The framework concept must contain the following information:

  1. description of the separation of functions between the IT administration and business departments
  2. description of user types (standard and restricted)
  3. SYSTEM user support
  4. using users like:
       • Administrator
       • Technical user
       • Cockpit user
       • XSA Developer
  5. description of roles for specific user groups
  6. role description with recommendations and requirements:
       • DATA ADMIN
       • ROLE ADMIN
       • CATALOG READ
  7. use of repository and HDI roles
  8. use of Authorization:
       • Objects
       • Analytics
       • Standard
  9. settings for verifying the SAP HANA database:
       • Verification of audit logs
       • Linux syslog
       • Assigning users with audit rights
  10. description of access methods

Additionally (optionally) you can describe the use of fallback users and LDAP access (if any). Possible legal requirements (such as GDPR) should also be taken into account.

If you want to learn more about SAP HANA and authorization management - we invite you.


Author:
Tomasz Jurgielewicz
contact: tomasz.jurgielewicz@lukardi.com/pl
