It’s Not Rocket Science But it’s Getting There: SAP HANA Security: SAP_INTERNAL_HANA_SUPPORT in SPS09.
The best security procedures are clear and straightforward. In this video by the SAP HANA Academy, Denys justifies the role of SAP_INTERNAL_HANA_SUPPORT in SPS09. This topic could be complex, but Denys tells you what you need to know when you need to know it. He showcases the relevant sections of key documentation and discusses how and why the role exists. This is no mean feat for a 5 minute video.
What, why and when?
The SAP_INTERNAL_HANA_SUPPORT role was introduced in SPS05. It was introduced to allow read-only access to catalog metadata and the privilege to activate tracing. The justification for this role was that, in the event that issues arose that necessitated SAP Support, a preconfigured, dedicated role could be enabled and then locked again once the issues had been dealt with. This means the role has no access to confidential parts of the business such as customer data.
Denys then refers to the Security Guide for more details on this role. It concerns low-level internal system views, all access is read-only, and there is no access to customer data.
Denys reviews the restrictions on the role as below. The role cannot be modified. There may be occasions where it is necessary to add system privileges. However, SAP recommends these should be added to a user, NOT to the role. This should be an exceptional tactic: any additional privileges should only be added when needed and removed straight afterwards. With every upgrade the role is automatically reset.
Denys demonstrates how the role is configured from a Windows computer running SAP HANA Studio. He is logged on as Bill, the security administration user. The SYSTEM user has been disabled. Bill has created the user SAP and granted this user the SAP_INTERNAL_HANA_SUPPORT role, which has no granted roles, is not part of any other roles, and has the system privileges and object privileges shown.
In the Administration Console, under Configuration, you can set the maximum number of users that can be assigned this role. This is set by default to 1 but in the example below has been set to 2. Any attempt to assign this role to a third user will be met with an error message.
When you connect as your support user SAP you can browse the catalog but do not have access to the repository.
Under Alerts you can see that an alert is generated when a user is granted the role. This is a new feature.
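The same procedure Denys performs in SAP HANA Studio, expressed as SQL that a security administrator could run and keep with the incident ticket. This is an added example, not code from the video or from SAP; the user name SAP, the limit of 2 and the revocation step follow the text above, while the parameter name internal_support_user_limit and its location in the indexserver.ini authorization section are assumed from the SAP HANA Security Guide, and the password is a placeholder.

```sql
-- Step 1 (security administrator, e.g. Bill): allow at most two holders of the
-- support role. Assumption: the limit lives in indexserver.ini, section
-- 'authorization', parameter 'internal_support_user_limit' (default 1).
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('authorization', 'internal_support_user_limit') = '2'
  WITH RECONFIGURE;

-- Step 2: create a dedicated support user and grant ONLY the predefined role.
-- <INITIAL_PASSWORD> is a placeholder; the user must change it at first logon.
CREATE USER SAP PASSWORD "<INITIAL_PASSWORD>";
GRANT SAP_INTERNAL_HANA_SUPPORT TO SAP;

-- Step 3 (exceptional, per SAP guidance): if a system privilege such as
-- TRACE ADMIN is needed during the incident, grant it to the USER, never to
-- the role, and note it for removal.
GRANT TRACE ADMIN TO SAP;

-- Step 4: verify who currently holds the role (the alert seen under Alerts
-- fires on the grant; this query is the manual cross-check).
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME = 'SAP_INTERNAL_HANA_SUPPORT';

-- Step 5 (when the issue is resolved): remove the extra privilege, revoke the
-- role and deactivate the user so the role is locked again until next time.
REVOKE TRACE ADMIN FROM SAP;
REVOKE SAP_INTERNAL_HANA_SUPPORT FROM SAP;
ALTER USER SAP DEACTIVATE USER NOW;
```

Re-running the SELECT in step 4 after step 5 should return no rows for the support user, which is the check worth recording before closing the ticket.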
You need the Kernel Profiler to activate a trace. It collects information about frequently executed tasks during query processing. It is built in, so no additional software needs to be installed. You can set the services to profile, a wait time and a memory limit. The memory limit is important because profiling requires a lot of memory and you do not want to let the SAP HANA server run out of it.
Denys concludes by referring back to the documentation. The first document deals with how to run the Kernel Profiler from the command line and the second is about Product Development Support.
Providing the right privileges to admin staff in a business environment is fraught with anxieties and ambiguities. Getting the balance right involves discussions with business leaders and decisions on who can be trusted amongst IT staff. This is where rocket science comes in! Huge flowcharts indicating who should have access to what in an organisation need to be made, but they require the input of too many key stakeholders simultaneously. This process has often been de-personalised by role, but the temptation to add more roles to a real person can render parts of the agreed security policy redundant. Staff leaving, being absent or being replaced can be difficult to manage, as different people bring different skill sets and responsibilities, and roles often get juggled around for wider business reasons. So any pre-configured policies, rights and users need to be generic enough to fit around a wide range of business purposes. We all know in IT that systems often get the blame for human error or for the immediate need for a quick fix. Modern thinking places the human element at the centre of interface design. It is entirely logical that this approach should cascade up to security design considerations. The whole point of the SAP_INTERNAL_HANA_SUPPORT role is to make "rocket science" less stressful for business leaders, who may not be technical, and for local IT staff, who can be territorial when issues arise on their infrastructure. The fact that the role is preconfigured and locked down in key areas means that both these stakeholders should feel assured when issues arise. Now that is a good starting point for issue resolution when dialling in on a Friday afternoon.