How do I Define Authorization Concepts?

Reading time: 3 min.
Tomasz Jurgielewicz

How do I Define Authorization Concepts?

SAP HANA is a concept of quick access to in-memory data. It allows for the analysis of large, often unaggregated, amounts of data much faster than in other databases. Data handling in SAP HANA differs significantly from the one we know from SAP NetWeaver. It has its own system for managing users and authorizations.

SAP HANA Security Architecture

The authorization concept implemented in SAP HANA databases is based on authorizations.
SSL encryption should be configured on each of the three connection types:

  1. connection of the client and the SAP HANA database
  2. internal connections between SAP HANA components
  3. connection to the data center (for example, backup using SAP HANA System Replication)

SAP HANA also allows you to log critical events, such as changes to users, roles, permissions as well as configuration changes and incorrect logins. In addition, data reading and writing (e.g. via tables) and launches are logged. There is also some kind of emergency login available.

SAP HANA - Management of Authorizations and Users

The SAP HANA database distinguishes between 3 types of users:

  • user
  • user SYSTEM
  • internal technical user

SAP HANA operations for these users require appropriate permissions. You can assign permissions directly to users or group them together into roles.

SAP HANA - Authorizations

Basic rule - access is allowed only when appropriate permissions have been granted to the user. So-called positive authorization.

However, no authorizations in SAP HANA are negative, i.e. there is no way for which we BLOCK any access to a user. Exactly as in SAP NetWeaver - authorizations are only additive.

There are three types of authorizations:

  • to objects
  • systemic
  • analytical

SAP HANA roles

In SAP HANA, roles are a set of authorizations (or in some cases a set of roles). Roles can be inherited (nested). This allows you to accurately map business roles in the authorization concept.

To manage the roles, you should always work in the HANA Repository and create the roles as design-time objects (Repository Roles) which you will transport later. Once transported, the role is automatically activated. Only these runtime roles (directory roles) can be assigned.

The Concept of Authorization - Frameworks and Basics

Access to SAP HANA objects is granted as standard by assigning authorization. The framework concept defines the rules for assigning permissions and roles. Such a concept is a guarantee of security (provided that there are appropriate mechanisms to verify its compliance).

The framework concept helps to improve the level of IT security by implementing appropriate access policies. Therefore, an authorization framework should answer the following questions:

  • who is authorized to create and change users?
  • Who is Authorized to Create Roles?
  • who is authorized to assign/change roles?
  • who is responsible for administering the database?
  • how will emergency users (emergency user/firefighter) be managed and by whom?
  • who will control which users?
  • who is authorized to create XSA roles?
  • who is entitled to transport roles?
  • what restrictions must the roles have?
  • who is authorized to create analytic views?

The framework concept must contain the following information:

  1. description of the separation of functions between the IT administration and business departments
  2. escription of user types (standard and restricted)
  3. SYSTEM user support
  4. using users like:
  • Administrator
  • Technical user
  • Cockpit user
  • XSA Deweloper

5. description of roles for specific user groups

6. role description with recommendations and requirements:


7. use of repository and HDI roles

8. use of Authorization:

  • Objects
  • Analytics
  • Standard

9. settings for verifying the SAP HANA database:

  • Verification of audit logs
  • Linux syslog
  • Assigning users with audit rights

10. description of access methods

Additionally (optionally) you can describe the use of fallback users and LDAP access (if any). Possible legal requirements (such as GDPR) should also be taken into account.

If you want to learn more about SAP HANA and authorization management - we invite you.

Tomasz Jurgielewicz



Zapoznaj się z naszym e-bookiem dotyczącym migracji z SAP ERP na SAP S/4 HANA
Pobierz darmowego e-booka

If you find this article valuable, please share it.
This will allow us to reach new people. Thank you in advance!

We will take care of the digital transformation of your business

Do you want to protect your business against cyber attacks? Or maybe you are planning a digital transformation or looking for IT specialists for a project? We are happy to help. We are here for you. Let's talk about professional IT services for your company.
Contact Us
Darmowy e-book

Wszystko, co musisz wiedzieć
o migracji z SAP ERP na SAP S/4HANA

Nasz zespół ekspertów przygotował dla Ciebie
e-poradnik, dzięki któremu zrobisz to łatwo, bezboleśnie i bez szkody dla bezpieczeństwa
Twojej firmy.

To praktyczna wiedza podana w przystępnym
języku - zupełnie za darmo.
Pobierz darmowego e-booka
+ 48 508 400 203
Address Information
ul. Tęczowa 3 , 60-275 Poznań
NIP: 5213683072
REGON: 360098885
Visit our Social Media:
Address Information
ul. Tęczowa 3 , 60-275 Poznań
NIP: 5213683072
REGON: 360098885
Visit our Social Media:
Lukardi 2022. All Rights Reserved. 
Made with