SAP HANA is a concept of quick access to in-memory data. It allows for the analysis of large, often unaggregated, amounts of data much faster than in other databases. Data handling in SAP HANA differs significantly from what we know from SAP NetWeaver. It has its own system for managing users and authorizations.
The authorization concept implemented in SAP HANA databases is based on authorizations.
SSL encryption should be configured on each of the three connection types:
SAP HANA also allows you to log critical events, such as changes to users, roles, permissions as well as configuration changes and incorrect logins. In addition, data reading and writing (e.g. via tables) and launches are logged. There is also some kind of emergency login available.
The SAP HANA database distinguishes between 3 types of users:
SAP HANA operations for these users require appropriate permissions. You can assign permissions directly to users or group them together into roles.
The basic rule: access is allowed only when the appropriate permissions have been granted to the user (so-called positive authorization).
There are no negative authorizations in SAP HANA, i.e. there is no way to explicitly BLOCK a user's access. Exactly as in SAP NetWeaver, authorizations are only additive.
There are three types of authorizations:
In SAP HANA, roles are a set of authorizations (or in some cases a set of roles). Roles can be inherited (nested). This allows you to accurately map business roles in the authorization concept.
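An added example (not from the original article or from SAP): a small Python model of the additive, nested grants described above. It lists every path through which a user holds a privilege, because with no negative authorizations each path has to be revoked separately. All user, role and privilege names are constructed sample data, not read from a HANA system.

```python
"""Model of additive, nested role grants (constructed data, hypothetical names)."""

# Constructed sample: role -> privileges granted directly to that role.
ROLE_PRIVILEGES = {
    "REPORTING_BASE": {"SELECT on SALES"},
    "REPORTING_FINANCE": {"SELECT on FINANCE"},
    "DATA_STEWARD": {"SELECT on SALES", "UPDATE on SALES"},
}
# Constructed sample: role -> roles nested inside it (inherited).
ROLE_MEMBERS = {"REPORTING_FINANCE": {"REPORTING_BASE"}}
# Constructed sample: user -> directly assigned roles and privileges.
USER_ROLES = {"ANNA": {"REPORTING_FINANCE", "DATA_STEWARD"}}
USER_PRIVILEGES = {"ANNA": {"SELECT on HR"}}


def grant_paths(user, privilege):
    """Return every path (tuple of names) through which `user` holds `privilege`."""
    paths = []
    if privilege in USER_PRIVILEGES.get(user, set()):
        paths.append((user,))  # granted directly, not through a role
    stack = [(user, role) for role in sorted(USER_ROLES.get(user, set()))]
    while stack:
        path = stack.pop()
        role = path[-1]
        if privilege in ROLE_PRIVILEGES.get(role, set()):
            paths.append(path)
        for nested in sorted(ROLE_MEMBERS.get(role, set())):
            if nested not in path:  # guard against cyclic nesting in bad input
                stack.append(path + (nested,))
    return sorted(paths)


def effective_privileges(user):
    """Union of all grants: nothing in the model can subtract a privilege."""
    result = set(USER_PRIVILEGES.get(user, set()))
    seen, todo = set(), list(USER_ROLES.get(user, set()))
    while todo:
        role = todo.pop()
        if role in seen:
            continue
        seen.add(role)
        result |= ROLE_PRIVILEGES.get(role, set())
        todo.extend(ROLE_MEMBERS.get(role, set()))
    return result


if __name__ == "__main__":
    for p in grant_paths("ANNA", "SELECT on SALES"):
        print(" -> ".join(p))
```

In this sample, removing `DATA_STEWARD` from the user does not remove `SELECT on SALES`, because the nested `REPORTING_BASE` role still grants it.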
To manage the roles, you should always work in the HANA Repository and create the roles as design-time objects (Repository Roles) which you will transport later. Once transported, the role is automatically activated. Only these runtime roles (directory roles) can be assigned.
Access to SAP HANA objects is granted as standard by assigning authorizations. The framework concept defines the rules for assigning permissions and roles. Such a concept is a guarantee of security (provided that there are appropriate mechanisms to verify its compliance).
The framework concept helps to improve the level of IT security by implementing appropriate access policies. Therefore, an authorization framework should answer the following questions:
The framework concept must contain the following information:
5. description of roles for specific user groups
6. role description with recommendations and requirements:
7. use of repository and HDI roles
8. use of Authorization:
9. settings for verifying the SAP HANA database:
10. description of access methods
Additionally (optionally) you can describe the use of fallback users and LDAP access (if any). Possible legal requirements (such as GDPR) should also be taken into account.
Author: Tomasz Jurgielewicz
contact: tomasz.jurgielewicz@lukardi.com/pl