
In this blog Rob Case (rob.case@sap.com) explains how to set up a business user in SAP HANA Rules Framework 1.0 SPS 07 (for the setup of a technical user, please read the next blog):

Introduction

One of the major modifications to SAP HANA Rules Framework 1.0 in the SPS 07 release is the delivery of a new technical user authorization mechanism. This change was made in order to align SAP HRF with other SAP HANA applications that isolate the business user from direct access to the HANA database.

This post is closely related to my previous blog, A Guide to the Technical User Authorization Mechanism in SAP HANA Rules Framework 1.0 SPS 07. Refer to the introduction of that document, as it has a more extensive explanation of the changes made to SAP HRF user authorizations in the SPS 07 release and of how the technical user and business user roles should coexist. I will confine my explanations here to the setup involved in creating a business user and assigning its permissions. This setup can be replicated for each new business user added, and it allows their permissions to be adjusted to suit individual business requirements.

As a result of the new user authorization mechanism, upgrades from a previous release of SAP HANA Rules Framework mandate that you create and authorize a technical user role and check and reassign existing business user permissions in order to conform to the new authorization requirements.

The intention of this document is to ease the process of understanding the new business user authorization mechanism and to supplement the comprehensive coverage provided by the release documentation. I have provided an example of how to do this using screenshots and explanations based upon the installation and configuration of the SAP HRF Banking Demo. I will limit the discussion here to the setup of business users and their authorizations because, apart from this topic, the install documentation remains largely unchanged from the SAP HRF 1.0 SPS 06 release.

Business User Authorizations

Business user authorization is a much simpler task than it was with previous releases of SAP HANA Rules Framework since the SAP HRF roles are better defined and data schema access is no longer granted to business users. The objective of this exercise is to grant minimal access rights to a particular user but still allow enough SAP HRF feature access to satisfy their business needs. It is the business needs of a user that dictate which of the SAP HRF roles and privileges should be assigned to them.

The available application privileges and shipped roles are described in great depth in the SAP HANA Rules Framework 1.0 SPS 07 Security Guide in sections User Administration and Authorization and Shipped Roles for the SAP HRF Web Application. Please refer to these sections of the document to decide exactly which privileges or roles should be assigned for each business user.

Individual application privileges should be assigned directly when you are building a custom application integrating SAP HRF without using an application technical user. However, if a solution wishes to embed the SAP HRF Web Application, then role assignment makes this process easier. Functionality within the web application can be enabled or disabled depending on the roles that have been assigned to a user. For example, a user that is only assigned the HrfRuleViewer role is restricted to just view permissions on rules and rule services; they have no ability to create, edit or consume these artefacts unless they are also granted the HrfRuleEditor and HrfRuleConsumer roles. Similarly, an administrator of an SAP HRF system can be provided with the HrfAdmin role, which on its own will only permit the user to manage authorizations and configure HRF based application settings.

As my example using the Banking Demo relies heavily on the SAP HRF Web Application I am going to concentrate on the setup of HRF roles without going into detail on the individual SAP HRF privileges.

The following table describes the SAP HANA Studio user privilege settings for the Banking Demo example for a business user. Note that the demo users I create are assigned all of the available SAP HRF roles as I wish them to have full access to all web application functionality. This should not be the case for business users in a real application where SAP HRF feature availability will be restricted dependent upon their business function.

Business User Authorization

Granted Roles tab – SAP HANA Studio

[Screenshot: Business User Granted Roles]

This is the complete set of SAP HRF roles and they have been manually assigned to the user.

Package Privileges tab – SAP HANA Studio

[Screenshot: Business User Package Privileges]

I need to provide package privileges so that the business user can access the particular SAP HRF artefacts that comprise the application. I can assign the whole of a package, including all child folders, or simply assign discrete parts of a package. In this instance I wish the user to be able to work with all the resources of the banking demo, and so I grant the REPO.READ, REPO.EDIT_NATIVE_OBJECTS and REPO.ACTIVATE_NATIVE_OBJECTS privileges on the whole demo package sap.demo-store.banking.

During the SAP HRF install I instructed the automated configuration script to create the default HRF_Rules and HRF_Rule_Services packages that are used to contain rules and rule services. Business users that have been granted the ability to create and maintain rules and rule services must also be granted access to both these packages.

[Screenshots: Business User Package Privileges]

From the SAP HRF standpoint this list of authorizations is comprehensive enough for a business user to be permitted use of all the SAP HRF Web Application features. As application needs grow, further authorizations will be required, but these are outside the scope of this document.
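
The same setup can be scripted and then checked from a SQL console. The following is an added example, not part of the original post or the SAP HRF documentation: it sets up a rule author with a narrower role set than the demo users above and then lists what the user actually holds. The user name BANKING_DEMO_USER is hypothetical, `<hrf-role-package>` is a placeholder for the repository package that contains the SAP HRF roles, and the privileges granted on HRF_Rules and HRF_Rule_Services are assumed to mirror those on the demo package.

```sql
-- Added example. Hypothetical names: BANKING_DEMO_USER (an existing user);
-- <hrf-role-package> is a placeholder for the package holding the SAP HRF roles.

-- 1. Granted Roles: repository (design-time) roles are granted through the
--    _SYS_REPO procedure. Assign only the roles the business function needs.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('<hrf-role-package>::HrfRuleViewer', 'BANKING_DEMO_USER');
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('<hrf-role-package>::HrfRuleEditor', 'BANKING_DEMO_USER');

-- 2. Package Privileges: the demo package named in the post.
GRANT REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS
  ON "sap.demo-store.banking" TO BANKING_DEMO_USER;

-- 3. Rule authors also need the rule and rule service packages.
--    Assumption: same three privileges as on the demo package.
GRANT REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS
  ON "HRF_Rules" TO BANKING_DEMO_USER;
GRANT REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS
  ON "HRF_Rule_Services" TO BANKING_DEMO_USER;

-- 4. Review: roles granted directly to the user.
SELECT ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'BANKING_DEMO_USER'
 ORDER BY ROLE_NAME;

-- 5. Review: package privileges granted directly to the user.
SELECT OBJECT_NAME AS PACKAGE_NAME, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'BANKING_DEMO_USER'
   AND PRIVILEGE LIKE 'REPO.%'
 ORDER BY OBJECT_NAME, PRIVILEGE;

-- 6. Review: schema-level access the user holds directly or through roles.
--    Business users should have no direct data schema access, so every row
--    returned here deserves a look. Grants inherited from PUBLIC and the
--    user's own schema are excluded as expected noise.
SELECT GRANTEE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'BANKING_DEMO_USER'
   AND SCHEMA_NAME IS NOT NULL
   AND GRANTEE <> 'PUBLIC'
   AND SCHEMA_NAME <> 'BANKING_DEMO_USER'
 ORDER BY SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;
```

Re-running queries 4 to 6 after an upgrade is a quick way to check and reassign existing business user permissions against the new authorization requirements.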
