INFORMATION SECURITY:

Information security is a key aspect of any organization: it prevents unauthorized use of the information in an enterprise. It is important to protect the data while still meeting all the security compliance requirements of SAP HANA. Security in HANA can be categorized into the following two categories.

Authentication

Authentication is the process used to verify the identity of a user who tries to access the system. This is usually handled by DBAs, delegated administrators or BASIS teams and is outside the scope of this blog.

Authorization

Authorization is the process used to verify that a user has been granted sufficient privileges to perform the requested action on the specified object (packages, models or views). Information modelers implement authorization by creating Analytical Privileges or Dynamic Analytical Privileges defined on top of SAP HANA package content, i.e. Attribute Views, Analytical Views and Calculation Views.

SAP HANA SECURITY

The perception that HANA security is complex is not correct. SAP HANA has basic building blocks to design and implement security. The following basic security concepts simplify understanding and implementing HANA security.

• The HANA security model is unique to HANA.

• A single “POWER USER” who has access to everything does not exist.

• The database schema OWNER is the only user who can grant access on that schema to other users, including the SYSTEM user. The architect/SYSTEM/administrators have to log in as each schema owner and grant permissions to the target users/roles.

• The HANA Repository is owned by the user _SYS_REPO.

HANA LIVE

I have written a blog providing a HANA Live overview, which is available here: HANA LIVE Blog.

The HANA Live security model follows a top-down security approach. The data restrictions are applied at the top-level models or views, also known as Query Views. The Query Views are the only views exposed to users for reporting and analytic purposes. These Query Views are built on underlying views, known as Non-Query Views, or directly on tables. The underlying Non-Query Views do not have any security restrictions.

HANA LIVE SECURITY

In SAP ECC, security is very tightly defined at the application layer. SAP ECC does not define security at the database table level; therefore there are no restrictions when querying these core tables directly. The HANA Live views consume core SAP ECC tables and therefore do not inherit SAP ECC security. To mitigate this issue, the Analytical Authorization Assistant (AAA) tool is provided to implement SAP ECC security on the HANA Live views.

There are two aspects to implementing security using the Analytical Authorization Assistant tool.

  A.) Installation of AAA tool

  B.) Usage of AAA tool

A.)  Installation of the AAA Tool

HANA Live content is built on direct transactional database tables (in the integrated approach or in the side-car approach). It contains more than 1000 prebuilt models/views, and building security around them is a bit of a challenge. HANA Live comes with a security add-on tool called the “Analytics Authorization Assistant Tool” (AAA tool or Authorization tool). This tool is very handy for defining security on HANA Live content. The Authorization tool generates analytic privileges and corresponding roles for the selected ABAP user. To use this tool you have to download it from the following directory on the Service Marketplace.

Access the zipped files for installation from SAP Service Marketplace at http://service.sap.com/swdc

    SAP Software Download Center ->
    Support Packages and Patches ->
    Browse our Download Catalog ->
    SAP In-Memory (SAP HANA) ->
    SAP HANA Add-ons ->
    SAP HANA CONTENT TOOLS ->
    SAP HANA CONTENT TOOLS 1.0 ->
    Comprised Software Component Versions ->
    SAP HANA ANALYT. AUTHASST. 100 ->
    # OS independent -> SAP HANA database

Use the patch file HCOHBAAAA00P_1-10013120.SAR and extract the .sar file (download the latest file).

See the pictures below.

HLpicture1.png

HLpicture2.png

Once you have downloaded the latest package file and saved it in a local directory, unzip it. You might need SAPCAR to unzip the file. I am assuming you have SAPCAR, so once you double-click the file it will be extracted into your user folder (not the folder where you downloaded the file). In my case I downloaded it to the temp directory, and when I double-clicked it, it was extracted into my user folder as shown below.

C:\Temp\ folder. The file you should be looking for is HCOHBAAAA.tgz

HLpicture3.png

A1.) User Requirements to Install the Downloaded Package

The user should have:

·   Import/Export system privileges

·   and two granted roles:

    • AnalyticalAuthorizationAdministrator

    • AnalyticalAuthorizationDeveloper

HLpicture4.png

NOTE: These privileges need to be granted even if the user is the SYSTEM user.

A2.) Installing the Downloaded Package

Import the package into HANA Live

The package contains the following content, and importing it into the HANA Live system deploys this content into your HL system.

I.)   Plugin JAR file for HANA Studio: this JAR file installs the Analytical Authorization tool in Studio.

II.)  HANA procedures / HANA tables: some prebuilt HANA stored procedures and tables.

III.) HANA roles: comes with some ECC roles inside HANA.

Now go to HANA Studio and select the HANA Live server node.

Go to Quick Launch

and click on IMPORT

HLPicture5.png

Click on Delivery Unit

HLpicture6.png

Select Client

HLpicture7.png

Click on BROWSE and navigate to the downloaded file as shown below.

HLPicture8.png

Click Finish.

HLpicture9.png

A3.) Install the Java Plugin for the AAA Tool

To install the Java plugin JAR for HANA Studio:

Go to Help / Install New Software

Enter the following link in the “Work with” URL field:

http://<servernameWithFullyQualifiedDomainName>:<port, e.g. 8000>/sap/hba/tools/auth

Ex: http://servername.sap.com:8000/sap/hba/tools/auth

HLPicture10.png

Click Finish

HLPicture11.png

Once the installation is done, close Studio and re-open it. You should see the Authorization Assistant tool in Studio.

B.)  Usage of the AAA Tool

B1.) Creating Analytical Privileges:

The following are the two options you get when you click on the Analytical Authorization tool:

  • Generate Analytical Privilege
  • Update Analytical Privilege

HLpicture12.png

Analytical privileges on Query Views can be created in two ways:

     a)    if you are using ABAP user security;

     b)    if you are using non-ABAP users: regular users who will consume these views from reporting tools and do not have ABAP user IDs.

You follow a similar process to create APs on Query Views as on Non-Query Views.

a.) With ABAP user security: the two tables UST12 and USRBF2 should be replicated into the HANA system. You need to make sure that any client and user information entered has matching data in those tables.

    Go to the Analytical Authorization tool and select ‘Generate Analytical Privileges’.

b.) Create APs for non-ABAP users: create Analytical Privileges in the regular way. This gives you flexibility in the naming of APs and lets you create custom restrictions. When granting access on Query Views to non-ABAP users, grant on individual Query Views only.

    NOTE: PLEASE DO NOT grant “SELECT ON SCHEMA _SYS_BIC” access to non-ABAP users.

Once you have created all your APs in either of the above cases, you have to create roles, assign the APs to the roles and assign the roles to users. Finally you have to link the HANA users to the BI 4.0 users or any other front-end users. Once the linking is done you will be able to see the restrictions applied on reports.
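As an added example (SQL for the HANA Studio SQL console, not part of the original post), the checks and grants behind cases a) and b) above. Assumed values: client 120, ABAP user XXXX1309A, the replicated ECC tables living in a schema named SAPECC, a reporting user REPORT_USER, and the activated view name "sap.hba.ecc/BillingDocumentQuery" under _SYS_BIC.

```sql
-- Added example, not from the original post. Assumptions: client '120',
-- ABAP user 'XXXX1309A', replicated ECC tables in schema "SAPECC",
-- reporting user REPORT_USER, activated view "sap.hba.ecc/BillingDocumentQuery".

-- Case a) ABAP user security: the AAA wizard maps ECC authorizations from the
-- replicated UST12/USRBF2 tables, so the client/user you enter must exist there.
-- Zero rows from either query means the wizard has nothing to map for that user.
SELECT COUNT(*) AS user_auth_profiles
  FROM "SAPECC"."USRBF2"
 WHERE MANDT = '120' AND BNAME = 'XXXX1309A';

-- Authorization object / field / value ranges the user actually holds in ECC
SELECT u.OBJCT, u.FIELD, u.VON, u.BIS
  FROM "SAPECC"."UST12" u
  JOIN "SAPECC"."USRBF2" b
    ON b.MANDT = u.MANDT AND b.OBJCT = u.OBJCT AND b.AUTH = u.AUTH
 WHERE u.MANDT = '120' AND u.AKTPS = 'A' AND b.BNAME = 'XXXX1309A'
 ORDER BY u.OBJCT, u.FIELD;

-- Case b) non-ABAP users: grant SELECT on each individual Query View only.
GRANT SELECT ON "_SYS_BIC"."sap.hba.ecc/BillingDocumentQuery" TO REPORT_USER;

-- The schema-wide form exposes every activated view in _SYS_BIC, including the
-- Non-Query Views that carry no restriction at all. Shown only as what NOT to run:
-- GRANT SELECT ON SCHEMA "_SYS_BIC" TO REPORT_USER;

-- Audit: any direct or role-based SELECT grant on the whole _SYS_BIC schema.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND PRIVILEGE   = 'SELECT';

-- Audit: what one reporting user effectively holds on _SYS_BIC through any
-- role chain (EFFECTIVE_PRIVILEGES must be filtered by USER_NAME).
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, OBJECT_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'REPORT_USER'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND PRIVILEGE   = 'SELECT';
```

A row with OBJECT_TYPE = 'SCHEMA' in the last two result sets is exactly the condition the NOTE above warns against and should be revoked in favour of per-view grants.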

 

B2.) Generate Analytical Privileges

To generate an AP you have to select a Query View first. For example, I have selected BillingDocumentQuery.

HLpicture13.png

Select the schema, SAP client and ABAP user.

HLpicture14.png

Select a user. For example, I have selected XXXX1309A.

HLpicture15.png

Click Finish. It will create an Analytical Privilege and a ROLE.

HLPicture16.png

Click Finish.

ROLES: Once you generate the Analytical Privilege it automatically creates the role Role_USER (as in the above picture). The role details are shown in the picture below.

HLpicture17.png

Analytical Privilege

The following screenshot shows the generated Analytical Privilege (AP).

HLpicture18.png

Details of Analytical Privilege

HLpicture19.png

Analytical Privilege restriction details.

HLPicture20.png

B3.) Updating Analytical Privileges

Use the Update Analytical Privilege option when changes happen in ECC that you want reflected in HANA.

HLpicture21.png

CONCLUSION

Good luck with your HANA Live security setup/implementation. This tool is changing a lot; if you see something new, please let me know and I will edit accordingly. Thanks for reading this blog, and please let me know your feedback on this topic.


24 Comments


  1. Vivek Singh Bhoj

    Hi Shivaji,

    Thanks for sharing the info regarding HANA Live Authorization Assistant

    For HANA Live ERP Virtual Data Models, which file needs to be imported? – HCOHBAECC file?

    Regards,

    Vivek

    (0) 
      1. Vivek Singh Bhoj

        Thanks a lot Jason,

        I have a question –

        I guess there are few HTML5 based reports available for HANA Live Models – like CRM Interactive reporting – my question is from where can I download these reports?

        Regards,

        Vivek

        (0) 
  2. Christian Willig

    Hi All,

    I’m deploying this component on top of my HANA Live views for security but we have defined a different package structure where the users will consume the views from, as we are doing enhancements to them. Do you know how AAA can read this views from that particular package folders? By default it seems to read the sap.hba folder.

    Thanks for your comments!

    Cheers.

    (0) 
  3. Michael Smahol

    Hello,

    Will the AAA tool only work with predefined HANA Live Views?  I am at a customer site currently attempting to build out their own custom version of HANA Live, basically creating a layered architecture with similar foundational components that feed “query views” that will be consumed by end users. 

    My question is, is there a way to use this Top Down AAA tool to work with non HANA Live Views?

    Thanks,

    Mike

    (0) 
    1. Christian Willig

      Hi Michael Smahol,

      Yes, you can make AAA tool work with non HANA Live views, sitting on a different package. You need to define the metadata of the view, meaning define the authorisation objects you want to restrict (actions and column).

      From what I could experience when I worked with this tools, the metadata tab (sits in properties below general tab.) gets available when you install the AAA tool in your HANA Studio, otherwise you won’t see it.

      After that, you have to define for that view the authorisation object you want to map and the action allowed. Those auth objects will be mapped with the roles that a user has in ECC and will be transformed into Analytic Privileges in HANA.

      Hope this helps Michael.

      Cheers.

      Christian.

      (0) 
  4. Mahendra Bhandari

    Thanks for putting it up! 🙂

    I do have a problem for this, not sure whether this thread is right to post or not but giving a shot 🙂

    I have a Demo Landscape where I’m using HANA as Common dB with 2 separate Schema for 2 separate SAP Business Suite. (say, A4R is the HDB and SAPCRM + SAPSCM are the 2 different dB schema for CRM and SCM backend respectively).

    Now, the problem is I want to provide Analytics Authorization for SAPCRM Schema (or the package/ Components of SAPCRM but I can only see/ view SAPSCM…… This is a big hurdle for me to move further.

    UST12 and USRBF2 is all set for SAPCRM (Initially, it was meant for SAPSCM…… but deleted all the entries from both tables and re-ran the SQL Queries)

    So the ques. is, How to change the dB schema in Analytics Authorization?

    Any help is much appreciated.

    Thanking you,

    ~ Mahendra

    (0) 
  5. Sascha Jaekel

    Hi experts,

    I’ll try to find any documentation about the necessary user rights to use the HANA Live View browser. I know that there are 2 given roles for the view browser, which may come default with the installation. Will that be it to assign those 2 roles? I mean, if I have to create a “HANA Live View Browser” user from scratch, which rights to assign furthermore?

    thanks and cheers!

    (0) 
  6. ADNAN ABID

    Hi Shivaji,

    Thank you for the nice document. Reading through it you mentioned under the HANA LIVE heading, last line ‘The Underline Non-Query views do not have any security restrictions’.

    With no security restrictions, does that mean anyone can see them? reason i asked is because I do see in HANA live views that Query views have Analytic Privileges selected whereas other views have that as blank. So when i assign a user an analytic privilege all those HANA live views with ‘Apply Privilege’ as blank show up and I don’t want them to show up.

    Appreciate your time.

    (0) 
    1. Shivaji Patnaik Post author

      Adnan,

      By default you will see all Query Views ( or other views )  in AAA tool. To make some views visible or not visible that you need to handle separately by Design time Roles. While defining DT  roles you can mention as follows .

      // SELECT, DROP for all objects in list

        sql object "_SYS_BIC"."pkg/VIEWNAME": SELECT;

      — Only selected views will be visible for that role.

      — And you need to assign that role to users so that users can see only those views defined in the role.

      Hope this helps.

      Thanks

      Shivaji

      (0) 
  7. Carlos Luque Gamez

    Hi.

    We have installed SAP HANA Live Analytics Authorization tool on the latest SAP HANA STUDIO version.

    When we try to generate Analytic Privileges we get the following error:

    An internal error occurred during: “Analytic Privilege Generation”.

    com.sap.ndb.studio.bi.sdk.SDK.getResourceManager()Lcom/sap/ndb/studio/sdk/resource/base/core/IResourceManager;

    Any idea to solve this error?.

    Best regards.

    (0) 
  8. William Chen

    Hi Shivaji

    Thank you for your sharing!!

    I faced a little problem when coming to step A1).

    Could you please tell me more details about how to grant the following 2 roles to SYSTEM user?

    Ø  AnalyticalAuthorizationAdministrator

    Ø  AnalyticalAuthorizationDeveloper

    I have searched for them but I couldn’t find them. I wonder whether some other steps are needed to add the 2 roles to the system.

    ć‚­ćƒ£ćƒ—ćƒćƒ£.PNG

    I would really appreciate it if you can offer any help.

    Best regards

    William

    (0) 
    1. Yella Ramakrishna

      Hi William,

      Download the HCOHBAAAA package from the Service Marketplace; when you download and import the package you will get the roles AnalyticalAuthorizationAdministrator and AnalyticalAuthorizationDeveloper.

      In service market place search for HCOHBAAAA and you will find the package.

      Regards,

      Ramakrishna Yella.

      (0) 
  9. Jayesh Kharva BASIS

    Hi,

    I am getting the below error in some of the standard views:

    An internal error occurred during: “Analytic Privilege Generation”.

    com/sap/ndb/studio/bi/sdk/resource/SDKResourceType

    Any idea what is the reason and how it can be resolved?

    Jayesh

    (0) 
  10. David Lawrence

    Dear,

    I am not able to locate HANA Live server node in my HANA Studio from where I can import the .tgz file for AA tool. Can anyone guide me please.

    Thank you.

    (0) 
  11. Anibal Granados

    Hello Shivaji,

    I have been working with the AAA in my project and have a question regarding the transportation of the roles, hope you can help me:


    We are creating security over some SAP HANA customized views. This is what we did:

    – Installed HANA Live Authorization assistant

    – Filled Analytics Metadata for relevant authorization objects in each query view

    – Generated transportable roles and corresponding analytic privileges in DEV system for each HANA View.

    Yesterday we executed transport from DEV to QAS and everything deployed just fine in QA environment, but the problem is that for all analytic privileges the SAP Client value is still the one used in DEV (120) and we use a different one in QAS (210), therefore we cannot query any data from BO. In fact, I have realized that I never included SAP Client as relevant authorization object in any of my views, neither is used in the ERP system, but it is still included in all my APs as a restriction.

    Is there any configuration that allows me to map source and destination clients as there is for logical systems in SAP? Is my procedure wrong and I am not supposed to transport roles but create them in every system instead?

    Thank you very much in advance.

    (0) 

Leave a Reply