In a discussion related to the How-To Guide with Role Templates for SAP HANA, the question came up of which privileges BI users need in order to consume data from SAP HANA. Since this is a good question and I'm not really aware of a complete answer in one place, my answer got longer and longer and finally cried to be converted to a blog post. So here we are.
In this post I start with the privileges needed to read data from a SAP HANA data model. I then mention SAP solutions that assist you in creating, and sometimes also managing, these authorizations. Those who are not using the described mechanisms will need to manage authorizations on their own, and I point at the best mechanism for defining them in HANA. After authorization, I also briefly dive into authentication and user provisioning.
Technically speaking, if an end-user wants to consume the content of a given activated data model in SAP HANA, they need to send an SQL query to the database with a database user that has two privileges: the object privilege "SELECT" for the activated view; and an Analytic Privilege for the activated view. This information is contained in section 5.8 of the guide. Analytic Privileges allow you to define row-level restrictions on activated data models (user <x> may only see entries for cost_center = 100).
A few additional privileges are needed, such as SELECT on the _SYS_BI schema (for tools to e.g. generate a list of available data models) and SELECT on tables for currency or unit of measure conversion (if that is used in the data models).
What the guide does not tell you is how to define Analytic Privileges, and how to manage the object and analytic privileges if you have a large number of end users and/or a large number of data models.
In some situations, SAP applications offer assistance for these tasks:
If you do not use any of these setups, you are in the world of "create your custom data models in SAP HANA", and you will also have to define your own analytic privileges for attribute value restrictions.
If you have a large number of end-users (in my eyes, everything above a dozen), you absolutely want to manage these using so-called dynamic analytic privileges. Dynamic analytic privileges let you define a lookup table that maps restriction values to database users, a stored procedure that looks up the restriction values for the session user, and a privilege that calls this stored procedure to obtain the restriction values, instead of hard-coding them in the privilege.
The mechanism is described in the SAP HANA Developer Guide http://help.sap.com/hana/SAP_HANA_Developer_Guide_en.pdf, section 11.4.4.
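As an added example that is not part of the original post, here is what the three building blocks described above (lookup table, session-user lookup procedure, and the check you run before wiring the procedure into the privilege) could look like in SAP HANA SQL; the schema, table, type, procedure and user names are assumptions.

```sql
-- Constructed example (not from the original post). Schema, table, type,
-- procedure and user names are assumptions for illustration.
CREATE SCHEMA AUTH_DEMO;

-- Lookup table: which cost centers each database user is allowed to see.
CREATE COLUMN TABLE AUTH_DEMO.USER_COST_CENTER (
  DB_USER     NVARCHAR(256) NOT NULL,
  COST_CENTER NVARCHAR(10)  NOT NULL,
  PRIMARY KEY (DB_USER, COST_CENTER)
);

-- Constructed sample mappings: BI_USER_A sees one cost center, BI_USER_B two.
INSERT INTO AUTH_DEMO.USER_COST_CENTER VALUES ('BI_USER_A', '100');
INSERT INTO AUTH_DEMO.USER_COST_CENTER VALUES ('BI_USER_B', '100');
INSERT INTO AUTH_DEMO.USER_COST_CENTER VALUES ('BI_USER_B', '200');

-- Table type for the procedure's single output parameter (one column).
CREATE TYPE AUTH_DEMO.TT_COST_CENTER AS TABLE (COST_CENTER NVARCHAR(10));

-- Procedure referenced by the dynamic analytic privilege: no input
-- parameters, exactly one output parameter, read-only, and DEFINER security
-- so that end users need no SELECT privilege on the lookup table itself.
CREATE PROCEDURE AUTH_DEMO.GET_COST_CENTERS (OUT OUT_CC AUTH_DEMO.TT_COST_CENTER)
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
  -- SESSION_USER is the database user whose query is being checked.
  OUT_CC = SELECT COST_CENTER
             FROM AUTH_DEMO.USER_COST_CENTER
            WHERE DB_USER = SESSION_USER;
END;

-- Check before activating the privilege: connected as BI_USER_B this returns
-- 100 and 200, as BI_USER_A only 100, and for a user without a row it returns
-- an empty result, which means that user sees no data through the privilege.
CALL AUTH_DEMO.GET_COST_CENTERS(?);
```

The activated analytic privilege then references this procedure in the attribute restriction for COST_CENTER, as described in the Developer Guide section above, and is granted to the end users in addition to SELECT on the view.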
So much for authorization. In scenarios with multiple end-users who have individual authorizations on the data content, you need named users in the database with the privileges described above. The alternative is to model authorizations in the BI tools; this is only possible if the BI tool of choice offers a mechanism for that purpose, and it is only viable if all the tools you are using can make use of the same authorization objects. In most cases, it is better to go with authorizations defined in SAP HANA.
For authentication, you probably want to make use of SSO integration. This topic has been described in many places, e.g. on SCN in these documents for Kerberos: http://scn.sap.com/docs/DOC-36305 and a blog post by Frank Bannert; and an SAP knowledge base article for SAML authentication. The best reference by far for implementing Kerberos authentication for SAP HANA is the how-to guide attached to SAP Note 1837331.
If you are not using SSO mechanisms, it's user name and password authentication. In BI tools using a universe connection, you can make use of BI's credential mapping for some sort of SSO-like functionality. Other tools like SAP Business Objects Edition for Microsoft Office or SAP Lumira Desktop will simply ask you for a database user and password.
Finally, there is the question of user provisioning, typically from a central user repository such as AD. SAP's "IDM tools" NetWeaver Identity Management and GRC Access Control contain such functionality in their current releases; I'm not aware of third-party IDM solutions which support SAP HANA. Solutions which offer a generic database connector should be easy to extend, since the process of creating and managing database users is quite trivial. If you have a home-grown IDM solution, you will usually also be able to extend it to "know" SAP HANA, since the ODBC and JDBC drivers for HANA are available and documented.
Hope you find this post helpful,
Richard