Security issues pose a greater challenge to enterprise networks than ever before. SAP Hana has a number of user controls that mitigate these security risks. Network encryption, user management and single sign-on authentication are among the most important controls SAP Hana provides.
SAP Hana security experts generally focus on the importance of encryption. However, implementing the right user controls is equally important. Cybersecurity breaches often take place when a hacker assumes control of a database user or creates one of their own and assigns administrative privileges that give it access to vulnerable parts of the database. Restricting user privileges and monitoring user behavior is key to preventing such breaches.
Database security experts we spoke with helped create the following primer on utilizing SAP Hana user controls and restricting Hadoop access to reduce security risks.
Establish user types carefully
As an SAP Hana administrator, you must be familiar with the different user types. Assigning user types appropriately is necessary to establish permissions.
There are two types of users:
- Real users. This user type applies to actual human users in your database.
- Technical users. This user type is reserved for specific functions, rather than a human user. It may be handled by internal controls or shared by multiple real users with sufficient permissions.
Setting restrictions on real users
Many users correspond to clients that are only intended to have access to front-end applications. These users should not be given permissions to alter, add or delete fields in any SAP Hana database.
One option is to create database users and assign null permissions to them. This approach introduces several significant risk factors:
- The PUBLIC role cannot be revoked later. Since this role is set by default, users will always have access to system views privileges.
- Network administrators may neglect to set null permissions for these users.
- Permissions may accidentally be reset by another network administrator.
- A malware attack could eliminate the restrictions and allow the hackers to override and assume control of the user.
The best way to prevent these issues is by permanently restricting user permissions upon creation. Use the Create Restricted User function to ensure sufficient limitations are placed on them for the duration of their existence.
Here are some of the restrictions that apply to these users:
- They can only connect to the database with HTTP and HTTPS server calls.
- They are not assigned the PUBLIC role, so they are barred from viewing any fields in the database.
- They are prohibited from creating database objects.
Placing these restrictions significantly limits the security liability of client users.
Assigning privileges to Public Users
If you create users without the restricted user command, they will be assigned the PUBLIC role. They will have system views privileges and permissions to execute some procedures. Additional permissions can be allocated at the system administrator’s discretion.
Network administrators must set these privileges conservatively to minimize risks of users abusing them and the damage hackers could wreak by assuming control of their accounts.
Here is a condensed list of permissions available to SAP Hana users:
- Content administrators. Content Admins have the same privileges provided to all users with the modeling role. Additionally, they have the ability to grant such privileges to other database users and altar and add imported objects.
- Data Admin. Data admins can add data user fields.
- Attach debugger. This permission allows users to debug procedure calls.
- Audit admin. This permission allows users to handle various auditing functions.
- Backup admin. This permission allows users to execute recovery and backup procedures.
- Catalog read. This permission only grants users real-only access to the database.
- This set of permissions grants the user privileges to use the Export Table command to export data.
- This set of permissions grants the user the rights to import data with various Import commands.
All of these permissions need to be limited as much as possible.