INFORMATION SECURITY:
Information security is a key aspect of any organization: it prevents unauthorized use of the enterprise's information. Data has to be protected while still meeting the security and compliance requirements that apply to SAP HANA. Security in HANA can be split into the following two categories.
Authentication
Authentication is the process used to verify the identity of a user who tries to access the system. This is usually handled by DBAs, delegated administrators or BASIS teams and is out of scope for this blog.
Authorization
Authorization is the process used to verify that a user has been granted sufficient privileges to perform the requested action on the specified object (packages, models or views). Information modelers implement authorization by creating analytic privileges or dynamic analytic privileges, defined on top of SAP HANA package content, i.e. attribute views, analytic views and calculation views.
SAP HANA SECURITY
The perception that HANA security is complex is not correct. SAP HANA has basic building blocks for designing and implementing security. The following basic concepts simplify understanding and implementing HANA security.
Ø The HANA security model is HANA's own; HANA Live views do not inherit the ECC application-layer authorizations (see HANA LIVE SECURITY below).
Ø A single "power user" who has access to everything does not exist.
Ø Only the owner of a database schema can grant access to the objects in that schema, and this applies even to the SYSTEM user (unless the owner has granted the privilege WITH GRANT OPTION). The architect/SYSTEM/administrators therefore have to log in as each schema owner and grant permissions to the target users/roles.
Ø The HANA repository, and with it all activated content in the _SYS_BIC schema, is owned by the user _SYS_REPO. Nobody can log in as _SYS_REPO, so privileges on activated views, roles and analytic privileges are granted through the procedures in the _SYS_REPO schema (for example GRANT_ACTIVATED_ROLE and GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT).
HANA LIVE
I have written a blog providing HANA Live overview which is available here HANA LIVE Blog.
The HANA Live security model follows a top-down approach. Data restrictions are applied at the top-level models, the views known as query views. Query views are the only views exposed to users for reporting and analytics. They are built on underlying views, known as non-query views (reuse and private views), or directly on tables. The underlying non-query views carry no security restrictions of their own, which is why a user must only ever be granted access to individual query views, never to the whole schema that contains them.
HANA LIVE SECURITY
In SAP ECC, security is defined very tightly, but at the application layer: SAP ECC defines no security at the database table level, so nothing restricts a query that reads those core tables directly. HANA Live views consume the core SAP ECC tables and therefore do not inherit SAP ECC security. To close this gap, the Analytics Authorization Assistant (AAA) tool is provided to apply the SAP ECC authorizations to the HANA Live views.
There are two aspects to implementing security using Analytical Authorization Assistant tool.
A.) Installation of AAA tool
B.) Usage of AAA tool
A.) Installation of AAA Tool
HANA Live content is built directly on the transactional database tables (in either the integrated or the side-car approach). It contains more than 1000 prebuilt models/views, and building security around them by hand is a challenge. HANA Live comes with a security add-on called the "Analytics Authorization Assistant" (AAA tool or authorization tool), which is very handy for defining security on HANA Live content. The authorization tool generates analytic privileges, and the corresponding roles, for a selected ABAP user. To use this tool you have to download it from the following path on the SAP Service Marketplace.
Access the zipped files for installation from SAP Service Marketplace at http://service.sap.com/swdc
–> SAP Software Download Center ->
Support Packages and Patches ->
Browse our Download Catalog ->
SAP In-Memory (SAP HANA) ->
SAP HANA Add-ons ->
SAP HANA CONTENT TOOLS ->
SAP HANA CONTENT TOOLS 1.0 ->
Comprised Software Component Versions ->
SAP HANA ANALYT. AUTHASST. 100 ->
# OS independent -> SAP HANA database
Use the patch file HCOHBAAAA00P_1-10013120.SAR and extract it (download the latest file available).
See the picture below.
Once you have downloaded the latest package file to a local directory, unpack it. You need SAPCAR to unpack a .SAR file. If SAPCAR is registered as the handler, double-clicking the archive unpacks it into your user folder (not into the folder you downloaded the file to). In my case I downloaded it to the C:\Temp\ folder and, when I double-clicked it, the content was unpacked into my user folder as shown below. The file you should be looking for is HCOHBAAAA.tgz.
A1.) User Requirements to Install Downloaded Package
User should have
· Import/Export System privileges
· And two Granted Roles
Ø AnalyticalAuthorizationAdministrator
Ø AnalyticalAuthorizationDeveloper
NOTE: these privileges and roles need to be granted even if the user is the SYSTEM user.
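To make the requirement above checkable, here is an added SQL snippet (not from the original blog) that grants the two system privileges and the two roles and then verifies them before the import is started. The administrator name HL_ADMIN is an assumption, and the commented repository-role path is a placeholder, not the real package of the tool.

```sql
-- Added example: prerequisites for the user importing the AAA delivery unit.
-- HL_ADMIN is an assumed user name; replace it (SYSTEM needs the same grants).

-- System privileges needed for the delivery-unit import (and later exports).
GRANT IMPORT TO HL_ADMIN;
GRANT EXPORT TO HL_ADMIN;

-- The two roles, by the names the blog lists. Mixed-case role names must be
-- quoted, otherwise HANA upper-cases the identifier and reports "role not found".
GRANT "AnalyticalAuthorizationAdministrator" TO HL_ADMIN;
GRANT "AnalyticalAuthorizationDeveloper"     TO HL_ADMIN;

-- If the roles exist as repository (design-time) roles rather than catalog roles,
-- they are owned by _SYS_REPO and have to be granted through its procedure.
-- The package path below is a placeholder; take the real one from the activated
-- role in HANA Studio.
-- CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('<package>::AnalyticalAuthorizationAdministrator', 'HL_ADMIN');
-- CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('<package>::AnalyticalAuthorizationDeveloper',     'HL_ADMIN');

-- Verification: each query should return two rows before you start the import.
SELECT PRIVILEGE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE GRANTEE = 'HL_ADMIN'
   AND PRIVILEGE IN ('IMPORT', 'EXPORT');

SELECT ROLE_NAME, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'HL_ADMIN'
   AND ROLE_NAME LIKE '%AnalyticalAuthorization%';
```

If the second query comes back empty after the grant appeared to succeed, the role was most likely granted under an upper-cased name; repeat the grant with the quoted identifier.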
A2.) Installing Downloaded Package
Import Package into Hana Live
The package contains the following content; importing it into the HANA Live system deploys it into your HL system:
I.) Plugin JAR file for HANA Studio: this JAR installs the Analytics Authorization tool in Studio.
II.) HANA procedures and tables: prebuilt stored procedures and tables used by the tool.
III.) HANA roles: some ECC-related roles inside HANA.
Now go to HANA Studio and select the HANA Live server node.
Go to Quick Launch
and click on Import.
Click on Delivery Unit.
Select Client.
Click on Browse and select the downloaded file as shown below.
Click Finish.
A3.) INSTALL JAVA PLUGIN for AAA TOOL
To install the Java plugin JAR for HANA Studio:
Go to Help / Install New Software.
Enter the following link in "Work with":
http://<servernameWithFullyQualifiedDomainName>:<port>/sap/hba/tools/auth
The port is the XS engine HTTP port, 80<instance number> (so 8000 for instance 00). If HTTPS is configured for the XS engine, use https://...:43<instance number>/sap/hba/tools/auth instead, so the plugin is not fetched over plain HTTP.
Example: http://servername.sap.com:8000/sap/hba/tools/auth
Click Finish.
Once the installation is done, close and re-open Studio. You should then see the Authorization Assistant tool in Studio.
B. Usage of AAA Tool
B1.) Creating Analytical Privileges:
Following are two options you get when you click on Analytical Authorization Tool
- Generate Analytical Privilege
- Update Analytical Privilege
Analytic privileges on query views can be created in two ways:
a) using ABAP user security, or
b) for non-ABAP users: regular users who consume these views from reporting tools and do not have an ABAP user ID.
The process for creating APs on query views is the same as for non-query views.
a.) With ABAP user security: the two tables UST12 and USRBF2 must be replicated into the HANA system. Make sure that any client and user you enter in the tool has matching data in those tables; the tool derives the restrictions from them.
Go to Analytical Authorization tool and select ‘Generate Analytical Privileges’
b.) Creating APs for non-ABAP users: create analytic privileges in the regular way. This gives you flexibility in naming the APs and lets you define custom restrictions. When granting access on query views to non-ABAP users, grant on the individual query views only.
NOTE: Do NOT grant SELECT ON SCHEMA _SYS_BIC to a non-ABAP user. A schema-wide grant exposes every activated view, including the unrestricted non-query views, which defeats the top-down model.
Once you have created all your APs (in either case), create roles, assign the APs to the roles and assign the roles to users. Finally, link the HANA users to the BI 4.0 users (or whatever front-end users you have). Once the linking is done, you will see the restrictions applied on reports.
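As an added example (not part of the original blog, and not what the AAA tool runs internally), here is the SQL that ties together two points made earlier: that activated content is owned by _SYS_REPO and only schema owners can grant on their schemas, and that a non-ABAP user must be granted the individual query view rather than the whole _SYS_BIC schema. The replication schema SAPECC, the user REPORT_USER, the catalog role HL_BILLING_READ and the analytic privilege sap.hba.ecc::AP_BILLING are assumptions; sap.hba.ecc/BillingDocumentQuery is the query view used in section B2 below. For an ABAP user the AAA tool generates the AP and role itself; this is the manual path for the non-ABAP case.

```sql
-- Added example: granting HANA Live query-view access to a non-ABAP user.
-- Assumed names: schema SAPECC, user REPORT_USER, role HL_BILLING_READ,
-- analytic privilege sap.hba.ecc::AP_BILLING.

-- (1) Schema-owned tables: only the schema owner can grant on them, so this
--     statement runs as the owner of SAPECC. _SYS_REPO needs it (with grant
--     option) so the activated views in _SYS_BIC can read the replicated tables.
GRANT SELECT ON SCHEMA SAPECC TO _SYS_REPO WITH GRANT OPTION;

-- (2) WRONG: a schema-wide grant exposes every activated view, including the
--     unrestricted non-query views, so the top-down restrictions can be bypassed.
--     Shown only as the setting to avoid:
-- GRANT SELECT ON SCHEMA _SYS_BIC TO REPORT_USER;

-- (3) Activated views are owned by _SYS_REPO, a user nobody can log in as, so a
--     plain GRANT issued by SYSTEM fails; the grant goes through _SYS_REPO's
--     procedures. First a catalog role that will carry the access:
CREATE ROLE HL_BILLING_READ;

-- Object privilege on this one query view only, no schema-level grant.
CALL _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT(
    'SELECT',
    '"_SYS_BIC"."sap.hba.ecc/BillingDocumentQuery"',
    'HL_BILLING_READ');

-- The analytic privilege carries the row filter. The name must match the
-- activated AP as the catalog shows it (package::name); assumed here.
CALL _SYS_REPO.GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE(
    'sap.hba.ecc::AP_BILLING',
    'HL_BILLING_READ');

-- (4) Assign the role; the BI front-end user is then linked to REPORT_USER.
GRANT HL_BILLING_READ TO REPORT_USER;

-- (5) Check: the user should reach exactly one object in _SYS_BIC and hold no
--     schema-level privilege there. A row with OBJECT_TYPE = 'SCHEMA' means the
--     NOTE above was violated.
SELECT OBJECT_TYPE, OBJECT_NAME, PRIVILEGE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'REPORT_USER'
   AND SCHEMA_NAME = '_SYS_BIC';
```

Step (1) belongs to the schema owner and step (3) to an administrator; keeping them on separate logins is exactly the "no single power user" point from the concepts list. Run the check in (5) again after every role change, because a later GRANT ... ON SCHEMA _SYS_BIC to any role the user holds silently reopens the non-query views.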
B2.) Generate Analytical Privileges
To generate an AP you have to select a query view first. For example, I selected BillingDocumentQuery.
Choose the schema, SAP client and ABAP user.
Select a user; for example, I selected XXXX1309A.
Click Finish. This creates an analytic privilege and a role.
ROLES: once you generate the analytic privilege, the tool automatically creates the role Role_USER (as in the picture above). The role details are shown in the picture below.
Analytical Privilege
The following screenshot shows the generated analytic privilege (AP).
Details of the analytic privilege
Analytic privilege restriction details
B3.) Updating Analytical Privileges
Use the Update Analytical Privilege option when authorizations change in ECC and you want to reflect the change in HANA. The update reads the same replicated UST12 and USRBF2 tables as the generation step, so it only picks up changes that have already been replicated.
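Both the Generate step in B1 (which needs UST12 and USRBF2 replicated for the client and user you enter) and the Update step above (which only sees changes that have already arrived in those tables) can be checked with plain SQL against the replicated tables. The following is an added example, not part of the blog or of the AAA tool. The schema name SAPECC, client 100, user XXXX1309A and the two billing authorization objects are assumptions chosen to match the BillingDocumentQuery example above; the column names are the standard ones of the two ABAP tables.

```sql
-- Added example: inspect the replicated ABAP authorization data from which the
-- AAA tool derives analytic privileges. Assumed: schema SAPECC, client '100',
-- user 'XXXX1309A'. Standard ABAP columns:
--   USRBF2 (user buffer):  MANDT, BNAME, OBJCT, AUTH
--   UST12  (auth values):  MANDT, OBJCT, AUTH, AKTPS, FIELD, VON, BIS

-- (1) Is the user/client combination present at all? Zero rows here means the
--     tool has nothing to derive a restriction from for this user.
SELECT COUNT(*) AS USER_BUFFER_ROWS
  FROM "SAPECC"."USRBF2"
 WHERE MANDT = '100'
   AND BNAME = 'XXXX1309A';

-- (2) The field/value ranges the generated AP turns into filters. V_VBRK_VKO
--     (sales organisation) and V_VBRK_FKA (billing type) are assumed to be the
--     objects mapped in the query view's analytics metadata; '*' in VON means
--     "all values" and should show up as an unrestricted column in the AP.
SELECT b.OBJCT, b.AUTH, u.FIELD, u.VON, u.BIS
  FROM "SAPECC"."USRBF2" AS b
  JOIN "SAPECC"."UST12"  AS u
    ON u.MANDT = b.MANDT
   AND u.OBJCT = b.OBJCT
   AND u.AUTH  = b.AUTH
 WHERE b.MANDT = '100'
   AND b.BNAME = 'XXXX1309A'
   AND u.AKTPS = 'A'                          -- active version only
   AND b.OBJCT IN ('V_VBRK_VKO', 'V_VBRK_FKA')
 ORDER BY b.OBJCT, u.FIELD, u.VON;

-- (3) Buffer entries without an active value row: the tool cannot derive a
--     filter from these, typically because replication of one table lags the
--     other. Run "Update Analytical Privilege" only once this returns no rows.
SELECT b.OBJCT, b.AUTH
  FROM "SAPECC"."USRBF2" AS b
  LEFT OUTER JOIN "SAPECC"."UST12" AS u
    ON u.MANDT = b.MANDT
   AND u.OBJCT = b.OBJCT
   AND u.AUTH  = b.AUTH
   AND u.AKTPS = 'A'
 WHERE b.MANDT = '100'
   AND b.BNAME = 'XXXX1309A'
   AND u.AUTH IS NULL;
```

Compare the VON/BIS ranges from query (2) with the restriction shown in the generated AP's details: if they differ, the replicated tables were stale when the AP was generated, and the Update step has to be re-run after replication has caught up.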
CONCLUSION
Good luck with your HANA Live security setup and implementation. This tool is changing a lot; if you see something new, please let me know and I will edit accordingly. Thanks for reading this blog, and please let me know your feedback on this topic.
Hi Shivaji,
Thanks for sharing the info regarding the HANA Live Authorization Assistant.
For the HANA Live ERP Virtual Data Models, which file needs to be imported – the HCOHBAECC file?
Regards,
Vivek
Yes you will need to import the HCOHBAECC file.
If you require translated texts for HANA content, you can import LANG_HCOHBAECC.tgz as well; see Note 1805967 – Deployment of Translated Texts for Delivery Units.
Thanks a lot Jason,
I have a question –
I guess there are a few HTML5-based reports available for the HANA Live models, like CRM Interactive Reporting. My question is: where can I download these reports from?
Regards,
Vivek
Service Marketplace.
I already downloaded it; forgot to mention it here.
Hi Shivaji Patnaik, thank you very much for the very effective writing.
Can we add your blog to The SAP HANA Reference for SAP Basis Administrators (Best information at one place)?
Hi All,
I’m deploying this component on top of my HANA Live views for security, but we have defined a different package structure from which the users will consume the views, as we are doing enhancements to them. Do you know how AAA can read these views from those particular package folders? By default it seems to read the sap.hba folder.
Thanks for your comments!
Cheers.
Hello,
Will the AAA tool only work with the predefined HANA Live views? I am at a customer site currently attempting to build out their own custom version of HANA Live, basically creating a layered architecture with similar foundational components that feed “query views” which will be consumed by end users.
My question is: is there a way to use this top-down AAA tool with non-HANA Live views?
Thanks,
Mike
Hi Michael Smahol,
Yes, you can make the AAA tool work with non-HANA Live views sitting in a different package. You need to define the metadata of the view, meaning define the authorization objects you want to restrict on (actions and columns).
From what I experienced when I worked with this tool, the metadata tab (it sits in Properties, below the General tab) becomes available when you install the AAA tool in your HANA Studio; otherwise you won’t see it.
After that, you have to define for that view the authorization object you want to map and the action allowed. Those auth objects will be mapped to the roles that a user has in ECC and will be transformed into analytic privileges in HANA.
Hope this helps Michael.
Cheers.
Christian.
Thanks for putting it up! 🙂
I do have a problem with this; not sure whether this thread is the right place to post it, but I’m giving it a shot 🙂
I have a demo landscape where I’m using HANA as a common DB with 2 separate schemas for 2 separate SAP Business Suite systems (say A4R is the HDB and SAPCRM and SAPSCM are the 2 different DB schemas for the CRM and SCM backends respectively).
Now, the problem is that I want to provide Analytics Authorization for the SAPCRM schema (or the packages/components of SAPCRM), but I can only see/view SAPSCM. This is a big hurdle for me to move further.
UST12 and USRBF2 are all set for SAPCRM (initially they were meant for SAPSCM, but I deleted all the entries from both tables and re-ran the SQL queries).
So the question is: how do I change the DB schema in Analytics Authorization?
Any help is much appreciated.
Thanking you,
~ Mahendra
Hi experts,
I’m trying to find documentation about the user rights needed to use the HANA Live View Browser. I know that there are 2 given roles for the View Browser, which may come by default with the installation. Will it be enough to assign those 2 roles? I mean, if I have to create a “HANA Live View Browser” user from scratch, which rights do I have to assign furthermore?
thanks and cheers!
Hi Shivaji,
Thank you for the nice document. Reading through it, you mentioned under the HANA LIVE heading, last line: ‘The underlying non-query views do not have any security restrictions’.
With no security restrictions, does that mean anyone can see them? The reason I ask is that I do see in the HANA Live views that query views have Analytic Privileges selected whereas other views have that blank. So when I assign a user an analytic privilege, all those HANA Live views with ‘Apply Privileges’ blank show up, and I don’t want them to show up.
Appreciate your time.
Adnan,
By default you will see all query views (or other views) in the AAA tool. To make some views visible or not visible, you need to handle that separately with design-time roles. While defining DT roles you can specify the following:
    role acme.roles::HL_QUERY_VIEWS {        // placeholder role name
        // SELECT on the listed activated views only
        sql object "_SYS_BIC"."pkg/VIEWNAME": SELECT;
    }
— Only the selected views will be visible for that role.
— And that role you need to assign to users so users can see only those views defined in the role.
Hope this helps.
Thanks
Shivaji
Hi.
We have installed SAP HANA Live Analytics Authorization tool on the latest SAP HANA STUDIO version.
When we try to generate Analytic Privileges we get the following error:
An internal error occurred during: “Analytic Privilege Generation”.
com.sap.ndb.studio.bi.sdk.SDK.getResourceManager()Lcom/sap/ndb/studio/sdk/resource/base/core/IResourceManager;
Any idea how to solve this error?
Best regards.
Hi Shivaji
Thank you for your sharing!!
I faced a little problem when coming to step A1).
Could you please tell me more about how to grant the following 2 roles to the SYSTEM user?
Ø AnalyticalAuthorizationAdministrator
Ø AnalyticalAuthorizationDeveloper
I have searched for them but I couldn’t find them. I wonder whether some other steps are needed to add the 2 roles to the system.
I’d really appreciate it if you could offer any help.
Best regards
William
Hi William,
Download the HCOHBAAAA package from the Service Marketplace.
When you download and import the package you will get the roles AnalyticalAuthorizationAdministrator and AnalyticalAuthorizationDeveloper.
In the Service Marketplace, search for HCOHBAAAA and you will find the package.
Regards,
Ramakrishna Yella.
Hi,
I am getting the error below in some of the standard views:
An internal error occurred during: “Analytic Privilege Generation”.
com/sap/ndb/studio/bi/sdk/resource/SDKResourceType
Any idea what is the reason and how it can be resolved?
Jayesh
Hi Jayesh,
We are facing exactly the same problem. Did you already resolve it?
Scott
What version of SAP HANA are you using?
We are using SPS 12. But I think the error comes from HANA Studio. We figured out that it’s probably a missing plug-in.
See also:
Problems creating an Analytic Privilege with Analytics Authorization Tool
Hi Scott,
Did you fix that ?
I’m facing the same issue ….
Regards,
Rodrigo Silveira
Hi Jayesh,
Did you fix that ?
I’m facing the same issue ….
Regards,
Rodrigo Silveira
Dear,
I am not able to locate the HANA Live server node in my HANA Studio from which I can import the .tgz file for the AA tool. Can anyone guide me, please?
Thank you.
Hello Shivaji,
I have been working with the AAA in my project and have a question regarding the transport of the roles; I hope you can help me:
We are creating security over some SAP HANA customized views. This is what we did:
– Installed HANA Live Authorization assistant
– Filled Analytics Metadata for relevant authorization objects in each query view
– Generated transportable roles and corresponding analytic privileges in DEV system for each HANA View.
Yesterday we executed the transport from DEV to QAS and everything deployed just fine in the QA environment, but the problem is that for all analytic privileges the SAP client value is still the one used in DEV (120), while we use a different one in QAS (210); therefore we cannot query any data from BO. In fact, I have realized that I never included SAP Client as a relevant authorization object in any of my views, nor is it used in the ERP system, but it is still included in all my APs as a restriction.
Is there any configuration that allows me to map source and destination clients, as there is for logical systems in SAP? Or is my procedure wrong, and am I not supposed to transport roles but create them in every system instead?
Thank you very much in advance.
Hi
Please, we imported SAP_HANA_ANALYTICS_FOR_ERP_1.0 (HCOHBAECC.tgz) into our development HANA system just to have a sample for the calculation views.
We cannot use it productively, and we do not want to import the AAA tool.
The schema mapping has been done (SAP_ECC –> OURSCHEMA), and the package has been imported by the SYSTEM user.
But we have problems allowing other users to access the imported package sap.hba.ecc.
The user SYSTEM is able to see all 1027 calculation views of the sap.hba.ecc package, while other users are not able to see the package at all.
This despite having granted the other users the sap.hba.ecc package with all the grants, and all the grants on the OURSCHEMA used for the mapping.
What’s wrong?
Best regards