Overview: Security Considerations for BI End Users Reporting on SAP HANA
In a discussion related to the How-To Guide with Role Templates for SAP HANA, the question was raised of which privileges are needed for BI users to consume data from SAP HANA. Since this is a good question and I’m not really aware of a complete answer in one place, my answer got longer and longer and finally cried to be converted to a blog post. So here we are.
In this post I start with the privileges needed to read data from a SAP HANA data model. I then mention SAP solutions that assist you in the process of creating and sometimes also managing these authorizations. Those people who are not using the described mechanisms will need to manage authorizations on their own, and I hint at the best mechanism to define them in HANA. After authorization, I also briefly dive into authentication and user provisioning.
Technically speaking, if an end-user wants to consume the content of a given activated data model in SAP HANA, they need to send an SQL query to the database with a database user that has two privileges: the object privilege “SELECT” for the activated view; and an Analytic Privilege for the activated view. This information is contained in section 5.8 of the guide. Analytic Privileges allow you to define row-level restrictions on activated data models (user <x> may only see entries for cost_center = 100).
A few additional privileges are needed, such as SELECT on the _SYS_BI schema (for tools to e.g. generate a list of available data models) and SELECT on tables for currency or unit of measure conversion (if that is used in the data models).
SAP Solutions that Help You Generate Authorizations
What the guide does not tell you is how to define Analytic Privileges, and how to manage the object and analytic privileges if you have a large number of end users and/or a large number of data models.
In some situations, SAP applications offer assistance for these tasks:
- BW 7.30 powered by HANA: you can generate SAP HANA content from the BW system (i.e. SAP HANA data models representing InfoCubes or DSOs) using a wizard in SAP HANA studio. I believe it is described in the SAP HANA Developer Guide. This wizard also allows you to generate Analytic Privileges for users in SAP HANA reflecting the BW Analysis Authorizations of that user in the NetWeaver BW system.
- BW 7.40 powered by HANA: the BW system contains methods to generate SAP HANA native representations of the following ABAP entities: database user corresponding to ABAP application user; data models in SAP HANA representing InfoCubes and DSOs; SAP HANA roles for generated database users; Analytic Privileges representing the BW Analysis Authorizations. Since BW manages these HANA objects, updates to the BW objects and authorizations are immediately reflected in the SAP HANA system. If anyone wants to say that this mechanism is great, I’m sure the BW team will be happy to hear it 🙂 . It is documented here on scn at https://scn.sap.com/docs/DOC-52790.
- SAP HANA Live: these content models for the SAP Business Suite come with a wizard that can be installed as an add-on in SAP HANA studio. Similarly to the BW 7.30 situation, this wizard helps you generate SAP HANA authorizations reflecting the original authorizations of the Business Suite application user.
Manually Managing Attribute Value Restrictions
If you do not use any of these setups, you are in the world of “create your custom data models in SAP HANA”, and you will also have to define your own analytic privileges for attribute value restrictions.
If you have a large number of end-users (in my eyes, everything above a dozen), you absolutely want to manage these using so-called dynamic analytic privileges. These allow you to define a lookup table that maps restriction values to database users, a stored procedure that looks up the restriction value for the session user, and an analytic privilege that calls this stored procedure to obtain the restriction value at query time.
The mechanism is described in the SAP HANA Developer Guide http://help.sap.com/hana/SAP_HANA_Developer_Guide_en.pdf, section 11.4.4.
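As an added illustration of the lookup table and procedure that a dynamic analytic privilege relies on (example code, not from the original post or the Developer Guide): the schema, table, column and procedure names are assumptions, and the analytic privilege itself is still defined in the SAP HANA studio modeler as described in section 11.4.4, where it references the procedure for the value of the COST_CENTER restriction.

```sql
-- 1. Lookup table: which cost center(s) each database user may see.
--    (Schema and object names are assumed for this example.)
CREATE COLUMN TABLE SECURITY.AP_COST_CENTER_MAP (
  DB_USER     NVARCHAR(256) NOT NULL,
  COST_CENTER NVARCHAR(10)  NOT NULL,
  PRIMARY KEY (DB_USER, COST_CENTER)
);

-- Constructed sample rows: user A sees one cost center, user B sees two.
INSERT INTO SECURITY.AP_COST_CENTER_MAP VALUES ('BI_USER_A', '100');
INSERT INTO SECURITY.AP_COST_CENTER_MAP VALUES ('BI_USER_B', '100');
INSERT INTO SECURITY.AP_COST_CENTER_MAP VALUES ('BI_USER_B', '200');

-- 2. Procedure the analytic privilege calls at query time. A procedure used
--    this way takes no input parameters, returns exactly one output
--    parameter (scalar or table), is read-only, and runs as its definer
--    so that end users need no SELECT privilege on the lookup table itself.
CREATE PROCEDURE SECURITY.GET_COST_CENTERS (
  OUT ALLOWED TABLE (COST_CENTER NVARCHAR(10))
)
  LANGUAGE SQLSCRIPT
  SQL SECURITY DEFINER
  READS SQL DATA AS
BEGIN
  -- Key the restriction on SESSION_USER (the user who logged on).
  -- Inside a DEFINER procedure CURRENT_USER is the procedure owner,
  -- so using it here would give every caller the owner's rows.
  ALLOWED = SELECT COST_CENTER
            FROM SECURITY.AP_COST_CENTER_MAP
            WHERE DB_USER = SESSION_USER;
END;

-- 3. Administrative check: run as a given BI user to see exactly which
--    cost centers the privilege will restrict that user to. A user with
--    no row in the map gets an empty result, i.e. no data, not all data.
CALL SECURITY.GET_COST_CENTERS(?);
```

Because the table is only readable through the definer procedure, adding or removing a row in AP_COST_CENTER_MAP changes the user's visible rows without touching any privilege or role.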
So far for authorization: in scenarios with multiple end-users who have individual authorization on the data content, you need named users in the database with privileges as described above. The alternative is to model authorizations in the BI tools, which is only possible if the BI tool of choice offers a mechanism for that purpose, and only viable if all the tools you are using can make use of the same authorization objects. In most cases, it is better to go with authorizations defined in SAP HANA.
For authentication, you probably want to make use of SSO integration. This topic has been described in many places, e.g. on SCN in these documents for Kerberos: http://scn.sap.com/docs/DOC-36305 and a blog post by Frank Bannert; and an SAP knowledge base article for SAML authentication. The best reference by far for implementing Kerberos authentication for SAP HANA is the how-to guide attached to SAP Note 1837331.
If you are not using SSO mechanisms, it’s name-password authentication. In BI tools using a universe connection, you can make use of BI’s credential mapping for some sort of SSO-like functionality. Other tools like SAP Business Objects Edition for Microsoft Office or SAP Lumira Desktop will simply ask you for a database user and password.
Finally, there is the question of user provisioning – typically from a central user repository such as AD. SAP’s “IDM tools” NetWeaver Identity Management and GRC Access Control contain such functionality in their current releases; I’m not aware of 3rd-party IDM solutions which support SAP HANA. Solutions which offer a generic database connector should easily be extendable, since the process of creating and managing database users is quite trivial. If you have a home-grown IDM solution, you will usually also be able to extend it to “know” SAP HANA, since the ODBC and JDBC drivers for HANA are available and documented.
Hope you find this post helpful,
Good One Richard....:)
"Hope you find this post helpful"
when did you ever write an unhelpful post Richard 😆
Love this one, all in one place, concise and to the point!
We are migrating BI to the HANA platform for our client. From a security perspective I had some questions.
1) As part of migration BI is getting upgraded to BI 7.3 from BI 7.0
A) Is it essential to run SU25? Are there new authorizations introduced in BI 7.3?
B) What will be the changes required for user roles like reporting and power user in BI?
I'm not the greatest expert on security in the thing whose current name is SAP NetWeaver BW (often still named BI - which is presently the most common term for the reporting front-end tools whose names begin with SAP BusinessObjects), but as far as I know, security aspects basically do not change when you update from BW 7.0 to BW 7.30 - provided you are already using the BW 7.0 authorization concept (and not the 3.x concept anymore).
Unless there was a change that slipped past me, BW 7.30 (at least the variant powered by SAP HANA) requires the 7.0 authorization concept.
I'm not aware of new authorizations in 7.30 compared to 7.0, but again, that's not exactly my home turf.
See also the random Google results Reporting Authorizations and SAP Business Warehouse 7.3
Hi Richard and all
I am just wondering if anyone can answer the following query.
Under a test user ID called MERON, I did IMPORT and selected DEVELOPER MODE to import the EFASION model which contains the packages and the views. I get the error below. The issue is: to give the test user access to the package in SAP HANA, the package has to exist in the system, but this package does not exist yet. I really find this strange in SAP HANA. So it is a catch-22: for the user MERON to access the model, he needs to IMPORT it, and to import it he needs authorisations to the model before he can import it. SAP HANA is not like SAP R/3 where we can give values such as A* to Z* etc.
I really think that SAP HANA should give authorisation administrators the ability to KEY IN values for authorisations and not only to SELECT privilege objects that already exist in the system.
Any thoughts please?
Repository: User is not authorized to execute specified operation;User 'MERON' has no authorization, privilege: 'REPO.MAINTAIN_NATIVE_PACKAGES', package: 'models.R12.efashion'!
You need the privilege 'REPO.MAINTAIN_NATIVE_PACKAGES' on the package ‘under which’ you want to import your package. If you do not specify any parent package, the parent package actually is ‘root’.
You do not want just anyone creating packages in root, so this access is only given to a ‘repository manager’, but it exists, so luckily no catch-22 there.
For this reason you would normally create a ‘playground’ package in which your test user has this right, just like any other developer. (I assume your test user is a developer, not really an end user, otherwise he would not be importing packages in developer mode... So your comment would probably be more appropriate in Richard's HANA roles post 😉 )
For ‘real’ packages that are built to be developed from scratch and transported to production, you go a different route. In this case the repository manager will create the ‘project’ or ‘subject area’ package and project members are given the necessary rights on this.
Hope this helps,
I posted a question about who takes care of all aspects of HANA security in the following post. I appreciate your thoughts when you have a chance.
Who takes care of HANA security and compliance: Application teams, security, GRC, DBA, basis?