Information security is a key aspect of any organization: it prevents unauthorized use of the information in an enterprise. Data has to be protected while still meeting all of the security compliance requirements in SAP HANA. Security in HANA falls into the following two categories.
Authentication is the process used to verify the identity of a user who tries to access the system. This is usually handled by DBAs, delegated administrators or BASIS teams, and it is out of scope for this blog.
Authorization is the process used to verify that a user has been granted sufficient privileges to perform the requested action on the specified object (packages, models or views). Information modelers implement authorization by creating Analytical Privileges or Dynamic Analytical Privileges, defined on top of SAP HANA package content, i.e. Attribute Views, Analytical Views and Calculation Views.
SAP HANA SECURITY
The perception that HANA security is complex is not correct. SAP HANA has basic building blocks for designing and implementing security. The following basic concepts simplify understanding and implementing HANA security.
- The HANA security model is unique to HANA.
- A single "power user" who has access to everything does not exist.
- The database schema owner is the only user who can grant access on that schema to other users, including the SYSTEM user. The architect, SYSTEM user or administrators have to log in as each schema owner and grant permissions to the target users or roles.
- The HANA Repository is owned by the user _SYS_REPO.
I have written a blog providing a HANA Live overview, which is available here: HANA LIVE Blog.
The HANA Live security model follows a top-down approach. Data restrictions are applied at the top-level models or views, also known as Query Views. The Query Views are the only views exposed to users for reporting and analytic purposes. These Query Views are built on underlying views known as Non-Query Views, or directly on tables. The underlying Non-Query Views do not carry any security restrictions of their own.
HANA LIVE SECURITY
In SAP ECC, security is very tightly defined at the application layer. SAP ECC does not define security at the database table level; therefore there are no restrictions when querying these core tables directly. The HANA Live views consume core SAP ECC tables and therefore do not inherit SAP ECC security. To mitigate this, the Analytical Authorization Assistant (AAA) tool is provided to apply SAP ECC security to the HANA Live views.
There are two aspects to implementing security using the Analytical Authorization Assistant tool:
A.) Installation of AAA tool
B.) Usage of AAA tool
A.) Installation of AAA Tool
HANA Live content is built directly on transactional database tables (in the integrated approach or in the side-car approach). It contains more than 1000 prebuilt models/views, and building security around them is a bit of a challenge. HANA Live comes with a security add-on called the "Analytics Authorization Assistant Tool" (AAA tool or Authorization tool). This tool is very handy for defining security on HANA Live content: it generates analytic privileges and corresponding roles for a selected ABAP user. To use this tool you have to download it from the following location on the Service Marketplace.
Access the zipped files for installation from SAP Service Marketplace at http://service.sap.com/swdc, following this path:
SAP Software Download Center ->
Support Packages and Patches ->
Browse our Download Catalog ->
SAP In-Memory (SAP HANA) ->
SAP HANA Add-ons ->
SAP HANA CONTENT TOOLS ->
SAP HANA CONTENT TOOLS 1.0 ->
Comprised Software Component Versions ->
SAP HANA ANALYT. AUTHASST. 100 ->
# OS independent -> SAP HANA database
Use the patch file HCOHBAAAA00P_1-10013120.SAR (download the latest available file) and extract the .SAR archive.
See the picture below.
Once you have downloaded the latest package file to a local directory, unpack it. You might need SAPCAR to unpack the file. I am assuming you have SAPCAR, so once you double-click the file it will unpack into your user folder (not the folder where you downloaded it). In my case I downloaded it to the temp directory (C:\Temp\), and when I double-clicked it, it opened in my user folder as shown below. The file you should be looking for is HCOHBAAAA.tgz.
A1.) User Requirements to Install Downloaded Package
The importing user should have:
- the IMPORT and EXPORT system privileges
- two granted roles
NOTE: These privileges need to be granted even if the importing user is the SYSTEM user.
A2.) Installing Downloaded Package
Import the package into HANA Live. The package contains the following content, and importing it into the HANA Live system deploys this content into your HL system:
I.) Plugin JAR file for HANA Studio: this JAR file installs the Analytical Authorization tool in Studio.
II.) HANA procedures / HANA tables: prebuilt stored procedures and tables used by the tool.
III.) HANA roles: a set of ECC-equivalent roles delivered inside HANA.
Now open HANA Studio and go to the HANA Live server node:
- Go to Quick Launch
- Click on Import
- Click on Delivery Unit
- Click on Browse and select the downloaded file as shown below.
A3.) INSTALL JAVA PLUGIN for AAA TOOL
To install the Java plugin JAR for HANA Studio:
- Go to Help / Install New Software
- Enter the following link in the "Work with" URL field:
http://<fully.qualified.server.name>:<port, e.g. 8000>/sap/hba/tools/auth
Ex: http://servername.sap.com:8000/sap/hba/tools/auth
Once installation is done, close Studio and re-open it. You should now see the Authorization Assistant tool in Studio.
B.) Usage of AAA Tool
B1.) Creating Analytical Privileges:
The following two options are offered when you click on the Analytical Authorization tool:
- Generate Analytical Privilege
- Update Analytical Privilege
Analytical privileges on Query Views can be set up in two ways:
a) if you are using ABAP user security;
b) if you are using non-ABAP users: regular users who consume these views from reporting tools and do not have ABAP user IDs.
You follow the same process to create APs on Query Views as on Non-Query Views.
a.) With ABAP user security: the two tables UST12 and USRBF2 must be replicated into the HANA system. You need to make sure that any client and user information entered has matching data in those tables. Go to the Analytical Authorization tool and select "Generate Analytical Privileges".
b.) Create APs for non-ABAP users: create Analytical Privileges the regular way. This gives you flexibility in naming the APs and in creating custom restrictions. When granting access on Query Views to non-ABAP users, grant on individual Query Views only.
NOTE: Do NOT grant "SELECT ON SCHEMA _SYS_BIC" to non-ABAP users; that opens every underlying Non-Query View, which carries no restrictions.
Once you have created all your APs in either of the above cases, you create roles, assign the APs to the roles and assign the roles to users. Finally, you link the HANA users to the BI 4.0 users (or any other front-end users). Once the linking is done you will see the restrictions applied on reports.
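As an added example (not from the original post, and not what the AAA tool generates), the manual path for a non-ABAP reporting user in HANA SQL: a role, SELECT on one individual Query View rather than on the whole _SYS_BIC schema, the activated analytic privilege granted through the _SYS_REPO procedures (since _SYS_REPO owns the repository content), and two checks against EFFECTIVE_PRIVILEGES. The role name, user name, analytic privilege name and the package path sap.hba.ecc for BillingDocumentQuery are assumptions.

```sql
-- Added example: manual authorization for a non-ABAP reporting user.
-- Assumed names: role ZBI_BILLING_READER, user REPORT_USER1, repository
-- analytic privilege sap.hba.ecc::ZAP_BILLING_RESTRICT (created in the modeler
-- with its value restriction) and the Query View
-- "_SYS_BIC"."sap.hba.ecc/BillingDocumentQuery".

-- 1. A role carries the privileges; users get the role, not direct grants.
CREATE ROLE ZBI_BILLING_READER;

-- 2. SELECT on the single Query View only. Activated content is owned by
--    _SYS_REPO, so the grant goes through its procedure, not a plain GRANT.
CALL _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT(
  'SELECT',
  '"_SYS_BIC"."sap.hba.ecc/BillingDocumentQuery"',
  'ZBI_BILLING_READER');

-- 3. The analytic privilege that applies the row-level restriction on that view.
CALL _SYS_REPO.GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE(
  '"sap.hba.ecc::ZAP_BILLING_RESTRICT"',
  'ZBI_BILLING_READER');

-- 4. Assign the role to the front-end user.
GRANT ZBI_BILLING_READER TO REPORT_USER1;

-- What NOT to do: a schema-wide grant exposes every Non-Query View and the
-- replicated tables, none of which carry a restriction.
-- GRANT SELECT ON SCHEMA _SYS_BIC TO REPORT_USER1;   -- never for non-ABAP users

-- 5. Check: must return zero rows. A row with OBJECT_TYPE = 'SCHEMA' means the
--    user can read everything in _SYS_BIC regardless of analytic privileges.
SELECT user_name, grantee, object_type, schema_name, privilege
  FROM EFFECTIVE_PRIVILEGES
 WHERE user_name   = 'REPORT_USER1'
   AND schema_name = '_SYS_BIC'
   AND object_type = 'SCHEMA'
   AND privilege   = 'SELECT';

-- 6. Check: the only object-level SELECTs in _SYS_BIC should be the Query
--    View(s) granted in step 2, reached through the role.
SELECT object_name, grantee, privilege
  FROM EFFECTIVE_PRIVILEGES
 WHERE user_name   = 'REPORT_USER1'
   AND schema_name = '_SYS_BIC'
   AND object_type = 'VIEW';
```

Reading EFFECTIVE_PRIVILEGES for another user requires the appropriate catalog or user-admin privileges on the checking account.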
B2.) Generate Analytical Privileges
To generate an AP you have to select a Query View first. For example, I have selected BillingDocumentQuery.
Select the schema, the SAP client and the ABAP user.
Select a user; for example, I have selected XXXX1309A.
Click Finish. It creates an Analytical Privilege and a role.
The following screenshot shows the generated Analytical Privilege (AP).
Details of the Analytical Privilege.
Analytical Privilege restriction details.
B3.) Updating Analytical Privileges
Use the "Update Analytical Privilege" option when authorizations change in ECC and you want the change reflected in HANA.
Good luck with your HANA Live security setup and implementation. This tool is changing a lot; if you see something new, please let me know and I will edit accordingly. Thanks for reading this blog, and please let me know your feedback on this topic.