LDAP group authorization
What’s New in Security SAP HANA 2.0 SPS 00 – LDAP group authorization
Most customers have a central user/role repository for their whole IT landscape where user authorizations are maintained. LDAP is one of the most popular choices for managing this information. New in the SAP HANA 2.0 SPS 00 release is support for using LDAP groups for automatic role assignment in SAP HANA.
Using an LDAP server as a central repository significantly reduces complexity for maintaining authorizations in large system landscapes. Customers who are already leveraging LDAP in their landscape can look forward to significant benefits in terms of reduced TCO as well as increased transparency regarding authorizations for users between SAP HANA and other systems. Customers will also benefit from improved compliance and auditing of authorizations.
Image I: LDAP Groups can now be used for automatic role assignment in SAP HANA
In Image II below, you will see an overview of the LDAP group authorization process.
- When a user logs on to SAP HANA, SAP HANA first authenticates the user and then searches for the user’s LDAP group membership in the LDAP server.
- In the LDAP server, the user is identified and the user's LDAP group information is sent back to SAP HANA.
- Next, SAP HANA grants the roles that are mapped to the user's LDAP groups to the user. Logon to SAP HANA succeeds if there is at least one SAP HANA role to grant. Conversely, logon to SAP HANA fails if the user is not a member of any LDAP groups, or if the LDAP groups the user belongs to are not mapped to any SAP HANA roles. In addition, there are a couple of things to keep in mind here:
- (1) By default, SAP HANA reuses the roles that are granted to a user by the LDAP group authorization process for four hours. However, you can configure the duration of this role reuse based on your preferences. Any changes in the user's group membership and in the role to LDAP group mappings are evaluated and applied during the next user login after the role reuse duration for the user has elapsed.
- (2) The search for a user entry in the LDAP server is always based on the user name of an existing SAP HANA user.
- Finally, as long as the user is in fact a member of LDAP group(s) and the group(s) are mapped to SAP HANA roles, the user will have access to resources based on the granted roles.
Image II: Overview of LDAP group authorization process
There are three main configuration changes required to enable LDAP group authorization for users in SAP HANA: LDAP groups need to be mapped to SAP HANA roles, the connection to the LDAP server needs to be configured, and finally SAP HANA users need to be configured for LDAP group authorization.
Mapping of LDAP groups to SAP HANA roles
- In order to map LDAP groups to SAP HANA roles you need to use the CREATE ROLE or ALTER ROLE statement.
- Please note a role that has an LDAP group mapping can also be granted to users and other roles as usual. If a role with an LDAP group mapping is deleted, it is revoked from users as usual and, in addition, the mappings of the LDAP groups to this role are also deleted.
- To view the current mappings between LDAP groups and SAP HANA roles, use the ROLE_LDAP_GROUPS system view.
Configuring the connection to the LDAP server
- To configure the connection to the LDAP server, use the new CREATE LDAP PROVIDER statement.
- In order to access the LDAP server you will need an LDAP server user with permission to perform searches as specified by the user look-up URL. The credential of this user is stored in the secure internal credential store.
- It is recommended to secure the communication between SAP HANA and the LDAP server with TLS/SSL or LDAPS.
- One thing to keep in mind here: TLS/SSL-secured communication between SAP HANA and an LDAP server uses OpenSSL. The OpenSSL library is installed by default as part of the operating system installation.
- If you would like to view the currently configured LDAP providers, use the LDAP_PROVIDERS system view.
Configuring SAP HANA users for LDAP group authorization
- In order for a user to be granted roles on the basis of LDAP group membership, a user must be configured for authorization mode LDAP.
- Users with authorization mode LDAP are granted roles exclusively based on their LDAP group membership. It is not possible to grant such a user other roles or privileges directly.
- To view the roles that are granted by the LDAP authorization process, refer to the IS_GRANTED_BY_LDAP column of the GRANTED_ROLES system view.
- If you would like a user to have privileges granted locally rather than via LDAP, use the CREATE USER or ALTER USER statement to change the authorization mode of the user from LDAP to LOCAL (roles and privileges are granted directly).
- To see which authorization mode is configured for a user, refer to the AUTHORIZATION_MODE column of the USERS system view.
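The three configuration steps above, written out end to end as an added SQL example (this is not code from the post or from SAP; the statement syntax is taken from the SAP HANA 2.0 SQL reference as I know it, and the DNs, host name, schema SALES, role sales_reporting, provider corp_ldap, user JDOE and all passwords are constructed placeholders for an assumed directory dc=example,dc=com):

```sql
-- Added example, not from the blog post. Run as a user with ROLE ADMIN,
-- USER ADMIN and LDAP ADMIN system privileges (assumed).

-- Step 1: map LDAP groups to an SAP HANA catalog role.
-- Privileges are bundled into the role; they are never granted to the
-- LDAP-authorized user directly (SAP HANA rejects that, see step 3).
CREATE ROLE sales_reporting
  LDAP GROUP 'CN=HANA_Sales_Reporting,OU=Groups,DC=example,DC=com';
GRANT SELECT ON SCHEMA SALES TO sales_reporting;   -- SALES is a constructed schema

-- A role may carry several group DNs; it is granted when the user is in any of them.
ALTER ROLE sales_reporting
  ADD LDAP GROUP 'CN=HANA_Sales_Analysts,OU=Groups,DC=example,DC=com';
-- Dropping a mapping revokes the role from those members at their next logon
-- once the role reuse duration has elapsed.
ALTER ROLE sales_reporting
  DROP LDAP GROUP 'CN=HANA_Sales_Analysts,OU=Groups,DC=example,DC=com';

-- Step 2: configure the LDAP provider.
-- The bind user needs only search permission on the user subtree (least privilege);
-- its password is kept in the secure internal credential store.
-- The "*" in the URL filter is replaced by the SAP HANA user name at logon, which is
-- why the post says the look-up is always based on an existing SAP HANA user name.
-- SSL ON enables TLS/SSL (STARTTLS) on the connection; the alternative named in the
-- post is LDAPS, i.e. an ldaps://host:636 URL.
CREATE LDAP PROVIDER corp_ldap
  CREDENTIAL TYPE 'PASSWORD'
    USING 'user=CN=hana_ldap_bind,OU=ServiceAccounts,DC=example,DC=com;password=BindPasswordPlaceholder'
  USER LOOKUP URL 'ldap://ldap.example.com:389/OU=Users,DC=example,DC=com??sub?(&(objectClass=user)(sAMAccountName=*))'
  ATTRIBUTE DN 'distinguishedName'
  ATTRIBUTE MEMBER_OF 'memberOf'
  SSL ON
  ENABLE PROVIDER
  DEFAULT;

-- Step 3: create a user whose roles come exclusively from LDAP group membership.
-- Authentication is still local password (or any other supported mechanism);
-- only authorization is delegated to LDAP.
CREATE USER JDOE PASSWORD "Initial-Placeholder-1" AUTHORIZATION LDAP;
-- GRANT sales_reporting TO JDOE;  -- would fail: direct grants are not allowed
--                                  -- for a user with authorization mode LDAP.
-- To fall back to locally granted roles and privileges:
-- ALTER USER JDOE AUTHORIZATION LOCAL;

-- Step 4: verify the configuration through the system views named in the post.
SELECT role_name, ldap_group_name FROM ROLE_LDAP_GROUPS;   -- group to role mappings
SELECT * FROM LDAP_PROVIDERS;                              -- configured providers
SELECT user_name, authorization_mode FROM USERS WHERE user_name = 'JDOE';
-- After JDOE's first successful logon, the LDAP-derived grants are visible here:
SELECT grantee, role_name, is_granted_by_ldap
  FROM GRANTED_ROLES WHERE grantee = 'JDOE';
```

Two things worth checking in a real deployment: that the bind account in step 2 really cannot do more than search (a compromised SAP HANA host should not yield a directory-wide write credential), and that the GRANTED_ROLES query in step 4 is part of the regular authorization audit, since an LDAP group change takes effect only after the reuse duration and the next logon.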
For more detailed information on the configuration changes required to enable LDAP group authorization and the feature itself please refer to the SAP HANA 2.0 SPS 00 Security Guide. The LDAP group authorization section starts on page 135.
This was very helpful. One thing I do not understand: how is the mapping between the SAP HANA users and the LDAP user done? Do I need to log on with an AD user to SAP HANA, or do I need to log into HANA with a HANA user who is mapped to an AD user?
Details of how to map SAP HANA users to LDAP users can be found in the SAP HANA security guide: https://help.sap.com/viewer/b3ee5778bc2e4a089d3299b82ec762a7/2.0.00/en-US/9fb0ac08b214477b8276af2b68eeefc3.html. Essentially, LDAP groups can be mapped to SAP HANA catalog roles using the CREATE ROLE or ALTER ROLE statements. You would log into SAP HANA with the user who is mapped to the AD user.
Hope this helps!
It's clear that we can map LDAP groups to SAP HANA roles, but how about SAP HANA privileges?
Can we map an LDAP group to SAP HANA privileges such as analytic privileges or object privileges?
In general we do not recommend that you assign individual privileges to end users in SAP HANA. The best practice is to bundle privileges into roles and then assign these to the end users. This holds true with the LDAP groups feature as well, please use SAP HANA roles for the mapping.
This is helpful. Can LDAP groups be mapped to SAP HANA repository roles as well, or only to catalog roles?
Thanks for reading the blog. To answer your question, LDAP groups can only be mapped to catalog roles. For more information on this please reference the latest SAP HANA Security Guide: https://help.sap.com/viewer/b3ee5778bc2e4a089d3299b82ec762a7/2.0.02/en-US/9fb0ac08b214477b8276af2b68eeefc3.html
We have configured BO and HANA to assign roles automatically from our LDAP groups (in Novell LDAP) when the user is logged in to BO and asks (queries) to see a view in HANA, and it works successfully.
User LDAP --> BO (user type LDAP) --> Query in HANA (assign user role = LDAP group) --> OK
But now we are testing connecting directly with SAP HANA Studio. Is the LDAP authentication method available with SAP HANA Studio, or is it not possible to use it?
Thanks a lot !!
Hopefully I understand your question correctly; a couple of comments from my side. As of today, we do not support LDAP authentication; this is something we have planned for 2018. Please note, as with all roadmap items, this is subject to change. That being said, LDAP authorization works with all supported authentication mechanisms of SAP HANA. As long as the user is configured for LDAP authorization, LDAP authorization will be in effect for all connections for the user, including those made from the SAP HANA studio.
Hope this helps answer your question.
Is this also possible with HANA 1.0 SPS12 as available in the SCP NEO Cloud?
No, unfortunately this is not possible with SAP HANA 1.0 SPS12. The initial feature release was in SAP HANA 2.0 SPS 00.