Skip to Content
Author's profile photo Former Member



Information Security is a key aspect of any organization. It prevents unauthorized use of the information in an enterprise. It is important to protect data and at the same time it follows all the security compliance in SAP – HANA. Security in HANA can be categorized into following two categories.


Authentication is the process used to verify the identity of a User who tries to access the system. This is usually done by DBAs or Delegated administrators or BASIS teams and this is off the topic for this blog.


Authorization is the process used to verify that a User has been granted sufficient privileges to perform the requested action on the specified object (on Packages/Models or Views). Information Modelers will be implementing authorization by creating Analytical Privileges or Dynamic Analytical privileges, defined on top of  SAP HANA package content i.e. Attribute Views ,Analytical Views and Calc views .


The perception that HANA Security is complex is not correct.SAP HANA has basic building block to design and implement security. Following are basic security concepts that simplify understanding and implementation of HANA Security.

Ø  HANA security model is unique to HANA.

Ø  A single “POWER USER” who has access to everything does not exist.

Ø  Database schema OWNER is the only user who can grant access to other users, including SYSTEM user. The Architect/SYSTEM/Administrators has to login as each schema owner and grant permissions to target users/roles.

Ø  The HANA Repository is owned by user _SYS_REPO.


I have written a blog providing HANA Live overview which is available here HANA LIVE Blog.

Hana Live security model follows a top-down security approach .The data restrictions are applied at the top level models or views also known as Query Views. The Query Views are the only views exposed to users for reporting and analytic purposes. These Query Views are built on underlying views known as Non-Query views or direct tables. The underline Non-Query views do not have any security restrictions.


In SAP ECC, security is very tightly defined at the application layer. The SAP ECC does not define security at the database table level; therefore there are no restrictions when querying these core tables directly. The HANA LIVES views consume core SAP ECC tables, and therefore doesn’t inherit SAP ECC security. To mitigate this issue, Analytical Authorization Assistant (AAA) tool is provided to implement SAP ECC security on the HANA Live views.

There are two aspects to implementing security using Analytical Authorization Assistant tool.

  A.) Installation of AAA tool

  B.) Usage of AAA tool

A.)  Installtion Of AAA Tool

HANA Live content is build on direct transactional database tables (in Integrated approach or in Side Car approach) .It contains more than 1000 prebuilt models/views and building security around them is a bit challenge. HANA LIVE comes with Security Add On tool call “Analytics Authorization Assistant Tool” (AAA tool or Authorization tool).This tool is very handy to define security on HANA Live Content. The Authorization tool generates analytic privileges and corresponding roles of the selected ABAP user. To use this tool you have to download it from following directory from Market Place.

Access the zipped files for installation from SAP Service Marketplace at

   –> SAP softwares Download center ->

    Support Packages and Patches ->

    Browse our Download Catalog ->

    SAP In-Memory (SAP HANA) ->

    SAP HANA Add-ons ->



    Comprised Software Component Versions ->


          # OS independent -> SAP HANA database

Use the patch HCOHBAAAA00P_1-10013120.SAR file and extract the .sar file (DOWNLOAD LATEST FILE)

See the picture below.



Once you download the latest Package file and install in your local directory, unzip the file. You might need sapcar to unzip file. I am assuming you have sapcar so once you double click it will unzip in your User Folder (not where you have download the file). In my case I have downloaded the temp directory when I double clicked it opened in my user folder as shown below.

C:\Temp\ folder.  The file you should be looking is HCOHBAAAA.tgz


A1.) User Requirements to Install Downloaded Package

User should have

·   Import/Export System privileges 

·   And two Granted Roles

Ø  AnalyticalAuthorizationAdministrator

Ø  AnalyticalAuthorizationDeveloper 


NOTE : Need to grant these privileges even if User is SYSTEM user.

A2.) Installing Downloaded Package

Import Package into Hana Live

The package will contain following content and importing this package into Hana Live system will deploy following content into your HL System.

I.)         Plugin Jar file for HANA Studio: This jar file will install Analytical Authorization tool in Studio.

II.)        HANA Procedures / Hana Tables:  This contains some Hana Prebuild SPs and tables.

III.)       HANA ROLES  Comes with some ECC roles inside Hana.

Now Go to HANA Studio and go to following Hana Live server Node.

Go to Quick Launch 

And Click on IMPORT


Click on Delivery Unit


Select Client


CLICK ON BROWSE  to the downloaded file as shown below.


Click Finish.



To install JAVA Plugin Jar for HANA Studio

Goto Help /Install New Software 

Enter following link in Work with URL :

http://<servernameWithFullyQualifiedDomainName> : 8000 <or Port Address>/sap/hba/tools/auth

Ex: 8000/sap/hba/tools/auth


Click Finish


Once installation is done close Studio and re-open Studio. you should see Authorization Assistant tool in the studio.

B.  Usage of AAA Tool

B1.) Creating Analytical Privileges:

Following are two options you get when you click on Analytical Authorization Tool

  • Generate Analytical Privilege
  • Update Analytical Privilege


Analytical privileges on Query views can be done in two ways.

     a)    If you are using ABAP user security

     b)    If you are using None ABAP users: regular users who will be consuming these views from reporting tools and don’t have a ABAP user ids.

You will follow similar process to create APs on Query views as in Non-Query views.

a.)           a.) With ABAP User Security: The two tables UST12 and USRBF2 should be replicated into the HANA system.  You need to make sure that

                   any client and user information entered has matching data in those tables.


             Go to Analytical Authorization tool and select ‘Generate Analytical Privileges’

b.)          b.) Create APs for None ABAP Users: Create Analytical Privileges in a regular way. This will give you flexibility of the naming of APs and create

                 a custom restriction. When Granting Access on QueryViews  to Non-ABAP Users Grant on Individual QueryViews Only.


Once you create all you APs in either above cases you will have to create Roles and assign APS to role and assign roles to users. Finally you will have to link HANA Users linking them to BI4.0 users or any front end users .Once the linking is done you will be ableto see the restrictions applied on reports.


B2.) Generate Analytical Privileges

To Generate AP you have to select a Query View first. For Ex I have selected BillingDocumentQuery


Click Schema , SAP client and ABAP User


Select a User ,For ex I have selected XXXX1309A


Click Finish .It will create a Analytical Privilege and A ROLE .


Click finish

ROLES: Once you generate Analytical Privilege it automatically creates the role with Role_USER  (as in Above picture) .The Role Details as shown in below  picture.HLpicture17.png

Analytical Privilege

Following Screen shot shows the Generated Analytical Privilege (AP) .


Details of Analytical Privilege


Analytical Privilege restriction details .


B3.) Updating Analytical Privileges

Use Update Analytical Privilege option when any changes happen in ECC and you want to reflect in HANA.



Good luck with your HANA Live security setup/ implementation. This tool is changing alot .If you see some thing new  please let me know  I will edit accordingly. Thanks for reading this blog and please let me know your feedback on this topic.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Vivek Singh Bhoj
      Vivek Singh Bhoj

      Hi Shivaji,

      Thanks for sharing the info regarding HANA Live Authorization Assistant

      For HANA Live ERP Virtual Data Models, which file needs to be imported? - HCOHBAECC file?



      Author's profile photo Former Member
      Former Member

      Yes you will need to import the HCOHBAECC file.

      If you require translated text for HANA content, you can import LANG_HCOHBAECC.tgz as well; See note1805967 - Deployment of Translated Texts for Delivery Units

      Author's profile photo Vivek Singh Bhoj
      Vivek Singh Bhoj

      Thanks a lot Jason,

      I have a question -

      I guess there are few HTML5 based reports available for HANA Live Models - like CRM Interactive reporting - my question is from where can I download these reports?



      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Service Market place .

      Author's profile photo Vivek Singh Bhoj
      Vivek Singh Bhoj

      I already downloaded it, forgot to mention it here

      Author's profile photo Former Member
      Former Member

      hi  Shivaji Patnaik  thank you very much for more effective writing .

      can we add you blog to The SAP Hana Reference for SAP Basis Administrators  Best information at one place.

      Author's profile photo Christian Willig
      Christian Willig

      Hi All,

      I'm deploying this component on top of my HANA Live views for security but we have defined a different package structure where the users will consume the views from, as we are doing enhancements to them. Do you know how AAA can read this views from that particular package folders? By default it seems to read the sap.hba folder.

      Thanks for your comments!


      Author's profile photo Former Member
      Former Member


      Will the AAA tool only work with predefined HANA Live Views?  I am at a customer site currently attempting to build out their own custom version of HANA Live, basically creating a layered architecture with similar foundational components that feed "query views" that will be consumed by end users. 

      My question is, is there a way to use this Top Down AAA tool to work with non HANA Live Views?



      Author's profile photo Former Member
      Former Member

      Hi Michael Smahol,

      Yes, you can make AAA tool work with non HANA Live views, sitting on a different package. You need to define the metadata of the view, meaning define the authorisation objects you want to restrict (actions and column).

      From what I could experience when I worked with this tools, the metadata tab (sits in properties below general tab.) gets available when you install the AAA tool in your HANA Studio, otherwise you won't see it.

      After that, you have to define for that view the authorisation object you want to map and the action allowed. Those auth objects will be mapped with the roles that a user has in ECC and will be transformed into Analytic Privileges in HANA.

      Hope this helps Michael.



      Author's profile photo Mahendra Bhandari
      Mahendra Bhandari

      Thanks for putting it up! 🙂

      I do have a problem for this, not sure whether this thread is right to post or not but giving a shot 🙂

      I have a Demo Landscape where I'm using HANA as Common dB with 2 separate Schema for 2 separate SAP Business Suite. (say, A4R is the HDB and SAPCRM + SAPSCM are the 2 different dB schema for CRM and SCM backend respectively).

      Now, the problem is I want to provide Analytics Authorization for SAPCRM Schema (or the package/ Components of SAPCRM but I can only see/ view SAPSCM...... This is a big hurdle for me to move further.

      UST12 and USRBF2 is all set for SAPCRM (Initially, it was meant for SAPSCM...... but deleted all the entries from both tables and re-ran the SQL Queries)

      So the ques. is, How to change the dB schema in Analytics Authorization?

      Any help is much appreciated.

      Thanking you,

      ~ Mahendra

      Author's profile photo Sascha Jaekel
      Sascha Jaekel

      Hi experts,

      I'll try to find any documentation about the necessary user rights to use the HANA Live View browser. I know that there are 2 given roles for the view browser, which may comes deafult with the installation. Will that'll be it to assign those 2 roles? I mean, if I have to create a "HANA Live View Browser" user from scratch,...which rights to assign futhermore?

      thanks and cheers!

      Author's profile photo ADNAN ABID

      Hi Shivaji,

      Thank you for the nice document. Reading through it you mentioned under HANA LIVE     heading, last line ' The Underline Non-Query views do not have any security restrictions'.

      With no security restrictions, does that mean anyone can see them? reason i asked is because I do see in HANA live views that Query views have Analytic Privileges selected whereas other views have that as blank. So when i assign a user an analytic privilege all those HANA live views with 'Apply Privilege' as blank show up and I don't want them to show up.

      Appreciate your time.

      Author's profile photo Former Member
      Former Member
      Blog Post Author


      By default you will see all Query Views ( or other views )  in AAA tool. To make some views visible or not visible that you need to handle separately by Design time Roles. While defining DT  roles you can mention as follows .

      // SELECT, DROP for all objects in list

        sql object  "_SYS_BIC"."pkg/VIEWNAME": SELECT; 

      -- Only Selected views will be visible for that role .

      -- And That role you need to assign it to Users  so Users can see only those views defined in Role.

      Hope this helps.



      Author's profile photo Former Member
      Former Member


      We have installed SAP HANA Live Analytics Authorization tool on the latest SAP HANA STUDIO version.

      When we try to generate Analytic Privileges we get the following error:

      An internal error occurred during: "Analytic Privilege Generation".;

      Any idea to solve this error?.

      Best regards.

      Author's profile photo Former Member
      Former Member

      Hi Shivaji

      Thank you for your sharing!!

      I faced a little problem when coming to step A1).

      Could you please tell me more details about how to grant the following 2 roles to SYSTEM user?

      Ø  AnalyticalAuthorizationAdministrator

      Ø  AnalyticalAuthorizationDeveloper

      I have searched for them but I couldn't find. I wonder weather some other steps are needed to add the 2 roles to the system.


      I'm really appreciated if you can offer any help.

      Best regards


      Author's profile photo Former Member
      Former Member

      Hi William,

      Download the package HCOHBAAAA package from service market place.
      , when you download and import the package you will get the roles AnalyticalAuthorizationAdministrator and AnalyticalAuthorizationDeveloper.

      In service market place search for HCOHBAAAA and you will find the package.


      Ramakrishna Yella.

      Author's profile photo Jayesh Kharva BASIS
      Jayesh Kharva BASIS


      I am getting the below error in some of the standard views:

      An internal error occurred during: "Analytic Privilege Generation".


      Any idea what is the reason and how it can be resolved?


      Author's profile photo Scott Habermann
      Scott Habermann

      Hi Jayesh,

      we are facing exactly the same problem. Did you already resolve it?


      Author's profile photo Former Member
      Former Member

      what is the version of SAP HANA are you using ?

      Author's profile photo Scott Habermann
      Scott Habermann

      We are using SPS 12. But I tink the error comes from HANA Studio. We figured out that it's probably a missing plug in.

      See also:

      Problems creating an Analytic Privilege with Analytics Authorization Tool

      Author's profile photo Rodrigo Silveira
      Rodrigo Silveira

      Hi Scott,
      Did you fix that ?
      I'm facing the same issue ....


      Rodrigo Silveira

      Author's profile photo Rodrigo Silveira
      Rodrigo Silveira

      Hi Jayesh,

      Did you fix that ?

      I’m facing the same issue ….


      Rodrigo Silveira

      Author's profile photo Former Member
      Former Member


      I am not able to locate HANA Live server node in my HANA Studio from where I can import the .tgz file for AA tool. Can anyone guide me please.

      Thank you.

      Author's profile photo Former Member
      Former Member

      Hello Shivaji,

      I have been working with the AAA in my project and have a question regarding the transportation of the roles, hope you can help me:


      We are creating security over some SAP HANA customized views. This is what we did:

      – Installed HANA Live Authorization assistant

      – Filled Analytics Metadata for relevant authorization objects in each query view

      – Generated transportable roles and corresponding analytic privileges in DEV system for each HANA View.

      Yesterday we executed transport from DEV to QAS and everything deployed just fine in QA environment, but the problem is that for all analytic privileges the SAP Client value is still the one used in DEV (120) and we use a different one in QAS (210), therefore we cannot query any data from BO. In fact, I have realized that I never included SAP Client as relevant authorization object in any of my views, neither is used in the ERP system, but it is still included in all my APs as a restriction.

      Is there any configuration that allows me to map source and destination clients as there is for logical systems in SAP? Is it my procedure wrong and I am not supposed to transport roles but create them in every system intead?

      Thank you very much in advance.

      Author's profile photo Roberto Mariani
      Roberto Mariani


      please we impoted the SAP_HANA_ANALYTICS_FOR_ERP_1.0   (HCOHBAECC.tgz )    in our development Hana system just to have a sample for the Calculation Views.

      We cannot use it productively, and we do not want to import the AAA tool.

      The schema mapping has been done SAP_ECC --> OURSCHEMA, and the package has been imported by SYSTEM user.

      But we have problems to allow  others  users  to access the imported package sap.hba.ecc.

      User SYSTEM is able to see all the 1027 Calculation Views of the sap.hba.ecc package , while other users are not able to see the package at all.

      This despite we granted to other users the sap.hba.ecc package with all the grants , and all the grants on the OURSCHEMA used for mapping

      What's wrong ?

      Best regards