Caution: System Privilege! Managing Critical System Privileges in SAP HANA
Privileges are the most basic elements for access right control in the SAP HANA database. They provide database users with the ability to perform several tasks to complete daily job functions. The different types of privileges in SAP HANA are system privileges, object privileges, analytical privileges, package privileges and application privileges.
System privileges control general system activities. They are mainly used for administrative purposes, such as creating schemas, creating and changing users or roles, performing data backups, or managing licenses. The target group of users is database administrators. As shown below, system privileges should be assigned with caution.
| System Privilege | How to manage this System Privilege in SAP HANA |
|---|---|
| AUDIT ADMIN, AUDIT OPERATOR, AUDIT READ, CERTIFICATE ADMIN, DATA ADMIN, DATABASE AUDIT ADMIN, ENCRYPTION ROOT KEY ADMIN, LDAP ADMIN, ROLE ADMIN, SSL ADMIN, TRUST ADMIN | The four-eye principle should be followed when assigning these system-critical privileges to ANY user. |
| BACKUP ADMIN, BACKUP OPERATOR, DATABASE ADMIN, DATABASE START, DATABASE STOP, EXTENDED STORAGE ADMIN, INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, MONITOR ADMIN, OPTIMIZER ADMIN, RESOURCE ADMIN, SAVEPOINT ADMIN, SERVICE ADMIN, SESSION ADMIN, TABLE ADMIN, VERSION ADMIN, WORKLOAD ADMIN, WORKLOAD ANALYZE ADMIN, WORKLOAD CAPTURE ADMIN, WORKLOAD REPLAY ADMIN | These system privileges should NOT be assigned to technical users in GRANTABLE mode. |
| ADAPTER ADMIN, AGENT ADMIN, CATALOG READ, CREATE REMOTE SOURCE, CREDENTIAL ADMIN | These system privileges can be assigned to ANY technical user. |
| ALTER CLIENTSIDE ENCRYPTION KEYPAIR, ATTACH DEBUGGER, CATALOG READ, CLIENT PARAMETER ADMIN, CREATE CLIENTSIDE ENCRYPTION KEYPAIR, CREATE R SCRIPT, CREATE SCENARIO, CREATE SCHEMA, CREATE STRUCTURED PRIVILEGE, DROP CLIENTSIDE ENCRYPTION KEYPAIR, EXPORT, IMPORT, SCENARIO ADMIN, STRUCTUREDPRIVILEGE ADMIN, TRACE ADMIN | These system privileges can be assigned to ANY user depending upon their job function. |
Please refer to SAP Note 2950209 for updates to the table and to download the information in PDF format. Descriptions of the individual system privileges can be found in the SAP HANA Security Guide.
Multiple system privileges can be assigned to users or roles. But, as mentioned above, they are critical in nature, and certain privileges should follow the four-eye principle. Technical users with wider access should be reviewed regularly.
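As an added example, not from the blog or from SAP, the following SQL turns the first two table rows into review queries against SAP HANA's SYS.GRANTED_PRIVILEGES, SYS.USERS and SYS.EFFECTIVE_PRIVILEGES views (column names as documented for those views). The rule used to recognise technical users and the user name TECH_USER_1 are assumptions.

```sql
-- Added review queries (not from the blog or from SAP): they check the two
-- critical categories of the table above against SAP HANA's SYS views.
-- Assumption: a "technical user" is recognised here by a disabled password
-- lifetime check (IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'), a common
-- convention; replace it with your own naming rule if you use one.

-- 1. Who directly holds a four-eye privilege (users and roles; roles must
--    then be traced to their members).
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('AUDIT ADMIN', 'AUDIT OPERATOR', 'AUDIT READ',
                     'CERTIFICATE ADMIN', 'DATA ADMIN', 'DATABASE AUDIT ADMIN',
                     'ENCRYPTION ROOT KEY ADMIN', 'LDAP ADMIN', 'ROLE ADMIN',
                     'SSL ADMIN', 'TRUST ADMIN')
 ORDER BY PRIVILEGE, GRANTEE;

-- 2. Technical users holding a second-category privilege WITH GRANT OPTION,
--    i.e. the combination the table says should not occur.
SELECT g.GRANTEE, g.PRIVILEGE, g.GRANTOR
  FROM SYS.GRANTED_PRIVILEGES g
  JOIN SYS.USERS u ON u.USER_NAME = g.GRANTEE
 WHERE g.OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND g.GRANTEE_TYPE = 'USER'
   AND g.IS_GRANTABLE = 'TRUE'
   AND u.IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
   AND g.PRIVILEGE IN ('BACKUP ADMIN', 'BACKUP OPERATOR', 'DATABASE ADMIN',
                       'DATABASE START', 'DATABASE STOP', 'EXTENDED STORAGE ADMIN',
                       'INIFILE ADMIN', 'LICENSE ADMIN', 'LOG ADMIN',
                       'MONITOR ADMIN', 'OPTIMIZER ADMIN', 'RESOURCE ADMIN',
                       'SAVEPOINT ADMIN', 'SERVICE ADMIN', 'SESSION ADMIN',
                       'TABLE ADMIN', 'VERSION ADMIN', 'WORKLOAD ADMIN',
                       'WORKLOAD ANALYZE ADMIN', 'WORKLOAD CAPTURE ADMIN',
                       'WORKLOAD REPLAY ADMIN')
 ORDER BY g.GRANTEE, g.PRIVILEGE;

-- 3. Query 2 misses grants inherited through roles. EFFECTIVE_PRIVILEGES
--    resolves role nesting but must be filtered on one USER_NAME; run it for
--    each technical user found in SYS.USERS (TECH_USER_1 is a placeholder).
SELECT PRIVILEGE, GRANTEE, GRANTEE_TYPE, IS_GRANTABLE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'TECH_USER_1'
   AND OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND IS_GRANTABLE = 'TRUE';
```

Any row returned by query 2 or 3 is a finding to revoke or to justify in the regular review the paragraph above calls for; rows from query 1 are the grants that need a documented second approver.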
Thanks for this helpful blog, Aamir. One question: CATALOG READ is contained in two categories. Which is the correct one?
I would say this can be made available to any technical user. I'm curious whether you agree.