Overview: Security Considerations for BI End Users Reporting on SAP HANA
In a discussion related to the How-To Guide with Role Templates for SAP HANA, the question was raised of which privileges BI users need in order to consume data from SAP HANA. Since this is a good question and I'm not aware of a complete answer in one place, my answer got longer and longer and finally cried out to be converted into a blog post. So here we are.
In this post I start with the privileges needed to read data from a SAP HANA data model. I then mention SAP solutions that assist you in creating, and sometimes also managing, these authorizations. If you are not using those mechanisms you will need to manage authorizations on your own, and I point at the best mechanism for defining them in HANA. After authorization, I also briefly dive into authentication and user provisioning.
Technically speaking, if an end user wants to consume the content of a given activated data model in SAP HANA, they send an SQL query to the database with a database user that has two privileges: the object privilege SELECT on the activated view (activated views are owned by the repository user _SYS_REPO and live in the _SYS_BIC schema); and an Analytic Privilege covering that activated view. This information is contained in section 5.8 of the guide. Analytic Privileges allow you to define row-level restrictions on activated data models (user <x> may only see rows with cost_center = 100). Both privileges are required: SELECT on the view without a matching Analytic Privilege results in an authorization error, not in an unrestricted result, unless the view was modeled with the privilege check switched off. As the guide recommends, grant both through roles rather than directly to users.
A few additional privileges are needed, such as SELECT on the _SYS_BI schema (so that tools can e.g. generate a list of available data models from the BIMC_* catalog views there) and SELECT on the tables used for currency or unit-of-measure conversion (the TCURR/T006 family of tables, if conversion is used in the data models). Grant SELECT on the individual activated views, not on the whole _SYS_BIC schema: a schema-level SELECT would expose every activated model in the system.
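The following SQL is an added example, not code from the original post or the guide. It packages the minimum privilege set described above into a role. The names are assumptions: role BI_SALES_READER, an activated view AN_SALES in package sap.demo (so "_SYS_BIC"."sap.demo/AN_SALES"), an already activated analytic privilege "sap.demo::AP_SALES_BY_CC" on that view, and a schema ERP into which the SAP conversion tables were replicated. Because activated content is owned by _SYS_REPO, the grants on the view and on the analytic privilege go through the _SYS_REPO helper procedures rather than plain GRANT statements.

```sql
-- Added example: a role carrying the minimum read privileges for a BI end user.
-- Assumed names: BI_SALES_READER, "sap.demo/AN_SALES", "sap.demo::AP_SALES_BY_CC", schema ERP.

CREATE ROLE "BI_SALES_READER";

-- 1. Metadata: BI tools browse the catalog of activated models (BIMC_* views) in _SYS_BI.
GRANT SELECT ON SCHEMA "_SYS_BI" TO "BI_SALES_READER";

-- 2. Object privilege on the one activated view, never on the whole _SYS_BIC schema.
--    Activated objects are owned by _SYS_REPO, so the grant is issued through its procedure.
CALL _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT(
       'SELECT', '"_SYS_BIC"."sap.demo/AN_SALES"', 'BI_SALES_READER');

-- 3. Row-level restriction: the analytic privilege defined on the same view.
CALL _SYS_REPO.GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE(
       '"sap.demo::AP_SALES_BY_CC"', 'BI_SALES_READER');

-- 4. Only if the model performs currency or unit conversion: read access to the
--    conversion tables (standard SAP table names; schema ERP is an assumption).
GRANT SELECT ON "ERP"."TCURR" TO "BI_SALES_READER";
GRANT SELECT ON "ERP"."TCURV" TO "BI_SALES_READER";
GRANT SELECT ON "ERP"."TCURF" TO "BI_SALES_READER";
GRANT SELECT ON "ERP"."TCURN" TO "BI_SALES_READER";
GRANT SELECT ON "ERP"."TCURX" TO "BI_SALES_READER";
GRANT SELECT ON "ERP"."T006"  TO "BI_SALES_READER";
GRANT SELECT ON "ERP"."T006A" TO "BI_SALES_READER";

-- Check: list what the role actually holds before handing it out.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'BI_SALES_READER';
```

If you follow the guide's role templates, the same content lives in a repository role (.hdbrole) that _SYS_REPO applies on activation; the catalog SQL above is the equivalent for a catalog role. Either way, test with a freshly created user that holds only this role: a query against the view should return exactly the rows the analytic privilege allows, and a query against a second activated view in the same package should fail with an authorization error.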
SAP Solutions that Help You Generate Authorizations
What the guide does not tell you is how to define Analytic Privileges, and how to manage the object and analytic privileges if you have a large number of end users and/or a large number of data models.
In some situations, SAP applications offer assistance for these tasks:
- BW 7.30 powered by HANA: you can generate SAP HANA content from the BW system (i.e. SAP HANA data models representing InfoCubes or DSOs) using a wizard in SAP HANA studio. I believe it is described in the SAP HANA Developer Guide. This wizard also allows you to generate Analytic Privileges for users in SAP HANA reflecting the BW Analysis Authorizations of that user in the NetWeaver BW system.
- BW 7.40 powered by HANA: the BW system contains methods to generate SAP HANA native representations of the following ABAP entities: database user corresponding to ABAP application user; data models in SAP HANA representing InfoCubes and DSOs; SAP HANA roles for generated database users; Analytic Privileges representing the BW Analysis Authorizations. Since BW manages these HANA objects, updates to the BW objects and authorizations are immediately reflected in the SAP HANA system. If anyone wants to say that this mechanism is great, I’m sure the BW team will be happy to hear it 🙂 . It is documented here on scn at https://scn.sap.com/docs/DOC-52790.
- SAP HANA Live: these content models for the SAP Business Suite come with a wizard that can be installed as an add-on in SAP HANA studio. Similarly to the BW 7.30 situation, this wizard helps you generate SAP HANA authorizations reflecting the original authorizations of the Business Suite application user.
Manually Managing Attribute Value Restrictions
If you do not use any of these setups, you are in the world of “create your custom data models in SAP HANA”, and you will also have to define your own analytic privileges for attribute value restrictions.
If you have a large number of end users (in my eyes, anything above a dozen), you absolutely want to manage these using so-called dynamic analytic privileges. Instead of hard-coding a value list per user, you define a lookup table that maps restriction values to database users; a stored procedure that looks up the restriction values for the session user (SESSION_USER); and an analytic privilege whose restriction calls that procedure to obtain its values at query time. Adding, moving or removing a user then becomes a row change in the lookup table rather than a new privilege. Two things to keep in mind: the lookup table now is the authorization, so write access to it must be controlled as tightly as the privileges themselves; and the procedure must run with definer rights (the repository requires it to be read-only and SQL SECURITY DEFINER), so end users need no SELECT on the lookup table and cannot browse other users' assignments.
The mechanism is described in the SAP HANA Developer Guide http://help.sap.com/hana/SAP_HANA_Developer_Guide_en.pdf, section 11.4.4.
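The SQL below is an added example of the three building blocks of a dynamic analytic privilege; it is not code from the original post or from the Developer Guide. All names are assumptions: schema AUTH, lookup table AUTH.USER_COST_CENTER, table type AUTH.TT_COST_CENTER, procedure AUTH.GET_MY_COST_CENTERS, and an attribute COST_CENTER in the view "sap.demo/AN_SALES". The sample rows are constructed.

```sql
-- Added example: lookup table + procedure behind a dynamic analytic privilege.
-- Assumed names: schema AUTH, USER_COST_CENTER, TT_COST_CENTER, GET_MY_COST_CENTERS.

-- 1. Lookup table: which restriction values each database user may see.
--    This table IS the authorization: grant INSERT/UPDATE/DELETE on it only to
--    the administrators or the provisioning process, never to end users.
CREATE COLUMN TABLE "AUTH"."USER_COST_CENTER" (
    "USER_NAME"   NVARCHAR(256) NOT NULL,
    "COST_CENTER" NVARCHAR(10)  NOT NULL,
    PRIMARY KEY ("USER_NAME", "COST_CENTER")
);

-- Constructed sample assignments.
INSERT INTO "AUTH"."USER_COST_CENTER" VALUES ('ALICE', '100');
INSERT INTO "AUTH"."USER_COST_CENTER" VALUES ('ALICE', '200');
INSERT INTO "AUTH"."USER_COST_CENTER" VALUES ('BOB',   '300');

-- 2. Table type for the procedure's single output parameter (exactly one column).
CREATE TYPE "AUTH"."TT_COST_CENTER" AS TABLE ("COST_CENTER" NVARCHAR(10));

-- 3. The procedure the privilege calls. Rules that matter for the repository:
--    no input parameters, exactly one output parameter, read-only, and
--    SQL SECURITY DEFINER so the querying user needs no SELECT on the table.
--    SESSION_USER is the database user of the session, so a caller cannot
--    ask for somebody else's values.
CREATE PROCEDURE "AUTH"."GET_MY_COST_CENTERS" (OUT "OUT_CC" "AUTH"."TT_COST_CENTER")
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
READS SQL DATA AS
BEGIN
    OUT_CC = SELECT "COST_CENTER"
               FROM "AUTH"."USER_COST_CENTER"
              WHERE "USER_NAME" = SESSION_USER;
END;

-- The repository user runs the procedure during the privilege check.
GRANT EXECUTE ON "AUTH"."GET_MY_COST_CENTERS" TO "_SYS_REPO";

-- 4. In the analytic privilege on "sap.demo/AN_SALES" (defined in SAP HANA studio),
--    the restriction on COST_CENTER uses operator IN with value type "Procedure"
--    pointing at AUTH.GET_MY_COST_CENTERS instead of a fixed value list.

-- Sanity check, to be run while logged on as one of the mapped users:
CALL "AUTH"."GET_MY_COST_CENTERS"(?);
```

Two checks belong in the rollout: first, query the view as a user who has rows in the lookup table and confirm that only those cost centers come back; second, query it as a user who holds the role but has no row in the lookup table, and confirm that this user sees nothing rather than everything. The second case is the one that goes wrong silently when a provisioning job forgets to populate the table.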
So far for authorization. In scenarios with multiple end users who have individual authorizations on the data content, you need named users in the database with the privileges described above. The alternative is to model the authorizations in the BI tools, which is only possible if the BI tool of choice offers a mechanism for that purpose, and only viable if all tools you are using can make use of the same authorization objects; otherwise a user gets different data depending on which tool they open. In most cases, it is better to go with authorizations defined in SAP HANA, where they apply no matter which client sends the query.
For authentication, you probably want to make use of SSO integration. This topic has been described in many places, e.g. on SCN in these documents for Kerberos: http://scn.sap.com/docs/DOC-36305 and a blog post by Frank Bannert; and an SAP knowledge base article for SAML authentication. By far the best reference for implementing Kerberos authentication for SAP HANA is the how-to guide attached to SAP Note 1837331.
If you are not using SSO mechanisms, it's user-name/password authentication. In BI tools using a universe connection, you can make use of the BI platform's credential mapping for some sort of SSO-like functionality; note that this stores each user's database credentials in the BI platform, and that HANA still sees and authorizes the named database user. Other tools like SAP BusinessObjects Analysis, edition for Microsoft Office, or SAP Lumira Desktop will simply ask you for a database user and password.
Finally, there is the question of user provisioning, typically from a central user repository such as AD. SAP's IDM tools, NetWeaver Identity Management and GRC Access Control, contain such functionality in their current releases; I'm not aware of 3rd-party IDM solutions which support SAP HANA. Solutions which offer a generic database connector should be easy to extend, since creating and managing database users boils down to a handful of statements (CREATE USER with the SSO identity, GRANT of a role, DROP USER). If you have a home-grown IDM solution, you will usually also be able to extend it to "know" SAP HANA, since the ODBC and JDBC drivers for HANA are available and documented.
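As an added example (not from the original post), this is the set of statements a provisioning connector would issue over JDBC or ODBC for one BI end user, covering both the SSO mapping and the role-based privilege assignment. Assumed names: database user ALICE, Kerberos principal alice@CORP.EXAMPLE, SAML provider CORP_IDP, and the role BI_SALES_READER.

```sql
-- Added example: provisioning, deprovisioning and reconciliation of one BI user.
-- Assumed names: ALICE, alice@CORP.EXAMPLE, CORP_IDP, BI_SALES_READER.

-- Kerberos SSO user. No PASSWORD clause means the account has no database
-- password at all and can only log on via the mapped Kerberos principal.
CREATE USER "ALICE" WITH IDENTITY 'alice@CORP.EXAMPLE' FOR KERBEROS;

-- SAML variant: map the NameID asserted by the identity provider.
-- CREATE USER "ALICE" WITH IDENTITY 'alice' FOR SAML PROVIDER "CORP_IDP";

-- Privileges only through roles. Object privileges granted directly to the
-- user would have to be tracked individually by the IDM system on removal.
GRANT "BI_SALES_READER" TO "ALICE";

-- Mover: swap roles.
-- REVOKE "BI_SALES_READER" FROM "ALICE";
-- GRANT "BI_FINANCE_READER" TO "ALICE";

-- Leaver: lock first (sessions end, audit trail stays), drop when retention allows.
-- ALTER USER "ALICE" DEACTIVATE USER NOW;
-- DROP USER "ALICE";

-- Reconciliation queries for the connector: who exists with which SSO identity,
-- and who holds which role. Compare against AD group membership on every run.
SELECT USER_NAME, EXTERNAL_IDENTITY, USER_DEACTIVATED, LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS
 WHERE USER_NAME = 'ALICE';

SELECT GRANTEE, ROLE_NAME
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'ALICE';

-- Detect privilege drift: object privileges granted directly to a user instead
-- of through a role, which an IDM connector would otherwise never clean up.
SELECT GRANTEE, PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE_TYPE = 'USER'
   AND GRANTEE = 'ALICE';
```

The reconciliation queries are the part worth automating even if the rest of the connector is manual: a user that still exists in HANA after leaving AD, or one that picked up direct grants outside the role model, is exactly what a periodic comparison catches.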
Hope you find this post helpful,