Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Blue Print for Policy Managment

ThorstenHa
Advisor
Advisor
‎09-28-2021 9:55 AM

Introduction


Due to the feedback I have got and the task of setting up a new  SAP Data Intelligence policy management I thought a blueprint  and a more elaborate description of the dipolicy-script might be helpful. For an introduction to policy management please read my blog:

Policy Management with SAP Data Intelligence



General Setup Strategies


In a nutshell I list the principles discussed in my previous blog I followed when creating the blueprint.

Separation of "application" and "data" policies


Separate policies of

  • "application"-policies, that only use as resource type "application", and

  • "data"-policies that contain "connection" and "connectionContent" as resource types.


I prefer to combine these policies only when assigning them to user.

Avoid Resource Redundancies


Hierarchies are important for an intuitive understanding of how policies depend on each other. Nonetheless I separate the very basic policies and inherit the resources only at the last level, that I use for group/user role definitions

Create Role Policies


To keep all policy definitions in one place - the policy management - and not splitting it up between policies and user assignments, I create a role policy that encompasses eventually all policies that a user role or group needs. Only these roles I "expose" to enable the assignment to user. All other policies  I flag as non-exposed.

Application Policy Blueprint


The blueprint I am using as a starting point looks like the following:


Only the policies in the orange boxes are exposed and correspond to a user group. You can download these policies as a zip-file from my personal GitHub.

The basic idea is that I have 2 types of developers

  • ml-developer and

  • developer


where the ml-developer can use additional ml applications. Both roles can use the Connection Management as well and in case the user get the data policy "data.own" she could create her own connections.

For the metadata explorer application I have split the role as well into 2 groups:

  • catalog for the catalog and glossary management

  • quality for the preparation and rulebook management


All user have the authentication to manage the metadata data. If you like to have an additional role that has only "reading" rights you need to create a new role with the policy "basic.metadata". All metadata users can not start the Connection Manager and therefore cannot add new data sources. They depend on the data sources defined and assigned to them by the system administrator.

The 5th role is the omnipotent user that has unlimited rights to all applications.

Data Policy Blueprint


There is not much to prepare because each customer has a different data source landscape. The basic data policies are

  • *data.own - that allows users to read, write and manage the data of connections they have created by their own

  • *.data.shared - These encompass all the data sources that every user has access to. Normally this are the central object stores like the DI_DATA_LAKE.

  • *.data.all - Finally we have the data system administrator who has the access rights to all data sources. This role I would not use in a productive environment.




Script dipolicy


Installation and Configuration


As already outlined I am using a script when setting up a policy management. You can install the script with
pip install diadmin>=0.0.24

dipolicy --help

usage: dipolicy [-h] [-c CONFIG] [-g] [-d DOWNLOAD] [-u UPLOAD] [-m MYCOMPANY] [-z] [-f FILE] [-a]



Policy utility script for SAP Data Intelligence. Pre-requiste: vctl.



optional arguments:

  -h, --help            show this help message and exit

  -c CONFIG, --config CONFIG

                        Specifies yaml-config file

  -g, --generate        Generates config.yaml file

  -d DOWNLOAD, --download DOWNLOAD

                        Download specified policy. If wildcard '*' is used then policies are filtered or all downloaded.

  -u UPLOAD, --upload UPLOAD

                        Upload new policy (path). If path is directory all json-files uploaded. If path is a pattern like 'policies/mycompany.' all matching json-files are uploaded.

  -m MYCOMPANY, --mycompany MYCOMPANY

                        Replaces mycompany in policy name.

  -z, --zip             Zip policies

  -f FILE, --file FILE  File to analyse policy structure. If not given all policies are newly downloaded.

  -a, --analyse         Analyses the policy structure. Resource list is saved as 'resources.csv'.

The script needs a configuration file config.yaml that you can generate with

dipolicy -g
or create it with : 





URL : 'https://vsystem.ingress.xxxx.shoot.live.k8s-hana.ondemand.com'

TENANT: default

USER : user

PWD : 'userpwd123'

POLICIES_PATH : policies

POLICY_FILTER: mycompany   # regex match of policyID - use '.' for all. Used for analysis-option only





RESOURCE_CLASSES :

  connectionConfiguration: admin

  connection: admin

  connectionContent: data

  app.datahub-app-data.qualityDashboard: metadata

  app.datahub-app-core.connectionCredentials: metadata

  app.datahub-app-data.profile: metadata

  app.datahub-app-data.qualityRulebook: metadata

  app.datahub-app-data.system: metadata

  app.datahub-app-data.catalog: metadata

  app.datahub-app-data.glossary: metadata

  app.datahub-app-data.tagHierarchy: metadata

  app.datahub-app-data.qualityRule: metadata

  app.datahub-app-data.preparation: metadata

  app.datahub-app-data.publication: metadata

  application: application

  systemManagement: admin

  certificate: admin

  connectionCredential: admin



COLOR_MAP:

  admin: black

  metadata: green

  application: orange

  data: blue

  multiple: grey

The main use case is to download/upload polices and prepare for further analysis.

Download Policies


For downloading a policies you can specify with regular expression which policies you like to download, e.g.
dipolicy -d mycompany.basic -z -m pears

This downloads all policies that start with "my company.basic" (option: -d mycompany.basic) and saves them to the "policies"-folder of the working directory. In addition they are also zipped (option: -z). Keep noted that existing files are overwritten without warning. The options -m replaces "mycompany" with the argument value "pears".

Uploading Policies


The uploading case is similar:
dipolicy -u ./policies/mycompany.basic -m pears

It uploads all policies starting with "mycompany.basic" to SAP Data Intelligence (option: -u). Due to the option -m the uploaded policy is renamed, that means all 'mycompany" are replaced by "pears". Due to policy dependencies it could be that in the first run not all policies are uploaded. Please have a look to the console warnings. The reason is that policies that inherit from other policies that are not yet existing will not be added. In this case you just have to restart it again.

Analyses


Graphical visualisations works for me far better than tabular ones. Therefore I added a simple network visualisation that you can call with
dipolicy -a -f policies.json

If the option -f (--file) is not given all policies are downloaded from SAP Data Intelligence and saved to "policies.json" in the policies-path defined in config.yaml before the actual analysis starts. Keep noted that with the config parameter "POLICY_FILTER" you can select the policies you like to analyse, e.g. only your "mycompany." policies.

The analysis-option produces 2 outcomes:

  • A chart displaying the filtered policies with dependencies

  • resource.csv-file for further analysis with e.g. Excel


For the blueprint policies, the chart of the mycompany policies looks like the following:



Legend:


Node shapes

  • "Diamond": Exposed nodes

  • "Circle": Non-exposed nodes


Color coding for the policy classes:

  • admin: black

  • metadata: green

  • application: orange

  • data: blue

  • multiple: grey


Number label: Policy number you find in the "resources.csv" file.

Both the classification of the resources and policies are configurable with "config.yaml". There is also a threshold when all resources of policies except the number of thresholds (but at least 90%) are of one type then this nearly unique resource type is assigned to the policy. Otherwise the policy is labeled with "multiple". 

This chart gives you a first glance if the policies look like you planned or not. E.g. in my preparation I saw that I had a couple of nested policies I wanted to avoid.

Conclusion


I am aware that this blueprint is only a rough starting point for a companies user security but hopefully gives you at lease kind of kickstart.

 

 
4 Comments
Labels in this area
Popular Blog Posts