What’s New in Security SAP HANA 2.0 SPS 00 – LDAP group authorization
Most customers have a central user/role repository for their whole IT landscape where user authorizations are maintained. LDAP is one of the most popular choices for managing this information. New in the SAP HANA 2.0 SPS 00 release is support for using LDAP groups for automatic role assignment in SAP HANA.
Using an LDAP server as a central repository significantly reduces complexity for maintaining authorizations in large system landscapes. Customers who are already leveraging LDAP in their landscape can look forward to significant benefits in terms of reduced TCO as well as increased transparency regarding authorizations for users between SAP HANA and other systems. Customers will also benefit from improved compliance and auditing of authorizations.
Image I: LDAP Groups can now be used for automatic role assignment in SAP HANA
In Image II below, you will see an overview of the LDAP group authorization process.
- When a user logs on to SAP HANA, SAP HANA first authenticates the user and then searches for the user’s LDAP group membership in the LDAP server.
- In the LDAP server, the user is identified and user’s LDAP group information is sent back to SAP HANA.
- Next, SAP HANA grants the roles that are mapped to user’s LDAP groups to the user. Logon to SAP HANA succeeds if there is at least one SAP HANA role to grant. Conversely, logon to SAP HANA fails if the user is not a member of any LDAP groups, or LDAP groups with the user’s membership are not mapped to any SAP HANA roles. In addition, there are a couple of things to keep in mind here:
- (1) By default, SAP HANA reuses the roles that are granted to a user by LDAP group authorization process for four hours. However, you can configure the duration of such role reuse based on your preferences. Any changes in user’s group membership and role to LDAP group mappings are evaluated and applied during the next user login after the duration of the role reuse for the user is past
- (2) The search for a user entry in the LDAP server is always based on the user name of an existing SAP HANA user.
- Finally, as long as the user is in fact a member of LDAP group(s) and the group(s) are mapped to SAP HANA roles, the user will have access to resources based on the granted roles.
Image II: Overview of LDAP group authorization process
There are three main configuration changes required to enable LDAP group authorization for users in SAP HANA: LDAP groups need to be mapped to SAP HANA roles, the connection to the LDAP server needs to be configured, and finally SAP HANA users need to be configured for LDAP group authorization.
Mapping of LDAP groups to SAP HANA roles
- In order to map LDAP groups to SAP HANA roles you need to use the CREATE ROLE or ALTER ROLE statement.
- Please note a role that has an LDAP group mapping can also be granted to users and other roles as usual. If a role with an LDAP group mapping is deleted, it is revoked from users as usual and, in addition, the mappings of the LDAP groups to this role are also deleted.
- To view the current mappings between LDAP groups and SAP HANA roles, use the ROLE_LDAP_GROUPS system view.
Configuring the connection to the LDAP server
- To configure the connection to the LDAP server use the new CREATE LDAP PROVIDER
- In order to access the LDAP server you will need an LDAP server user with permission to perform searches as specified by the user look-up URL. The credential of this user is stored in the secure internal credential store.
- It is recommended to secure the communication between SAP HANA and the LDAP server with TLS/SSL or LDAPS.
- One thing to keep in mind here, TLS/SSL-secured communication between SAP HANA and an LDAP server uses OpenSSL. The OpenSSL library is installed by default as part of the operating system installation.
- If you would like to view the currently configured LDAP providers, use the LDAP_PROVIDERS system view.
Configuring SAP HANA users for LDAP group authorization.
- In order for a user to be granted roles on the basis of LDAP group membership, a user must be configured for authorization mode LDAP.
- Users with authorization mode LDAP are granted roles exclusively based on their LDAP group membership. It is not possible to grant such a user other roles or privileges directly.
- To view the roles that are granted by the LDAP authorization process, refer to the IS_GRANTED_BY_LDAP column of the GRANTED_ROLES system view.
- If you would like a user to have privileges granted locally rather than via LDAP use the CREATE USER or ALTER USER statement to change the authorization mode of the user from LDAP to LOCAL (roles and privileges are granted directly).
- To see which authorization mode is configured for a user, refer to the AUTHORIZATION_MODE column of the USERS system view.
For more detailed information on the configuration changes required to enable LDAP group authorization and the feature itself please refer to the SAP HANA 2.0 SPS 00 Security Guide. The LDAP group authorization section starts on page 135.