SAP HANA security & authorization
April 26th, 2016
What we will cover
1. SAP HANA, Powered by HANA & S/4 HANA
2. Security Architecture & Authorization Scenarios
3. SAP HANA Security Functions (overview)
4. Authorization Concept
5. Security Administration
6. Tools to replicate authorizations
7. Tips & Tricks
SAP HANA, Business Suite or BW powered by HANA & S/4 HANA
Traditional Security Architecture
[Diagram: Client -> Application Server -> DB. The security functions (Authentication, Identity Store, Encryption, Authorization, Audit Logging) are shown in the Application Server.]
HANA Security Architecture
[Diagram: Clients (application client, SAP HANA Studio for admin & dev) -> Application Server -> SAP HANA. The security functions (Authentication, Identity Store, Encryption, Authorization, Audit Logging) are shown both in the Application Server and in SAP HANA, next to the applications in the XS Engine.]
Integrative Authorization Scenarios
Traditional: Client -> Application Server (e.g. ECC or BW) -> SAP HANA
  DB migration to HANA
  No changes to security model
Data mart (3-tier or 2-tier): Client -> Application Server (e.g. ECC or BW) -> source replicated to SAP HANA; Client -> SAP HANA
  Reporting ERP or BW data in HANA
  Direct user access to HANA
  Modified security model
Native 2-tier application: Client -> SAP HANA
  HANA acts as DB & Application Server
  Direct user access to HANA
  Integrated security model
SAP HANA Security Functions (overview)
[Diagram: SAP HANA with applications in the XS Engine and the security functions Authentication, Identity Store, Encryption, Authorization and Audit Logging.]
Authorization Entities
Goal: create user, manage users, assign security
User: person accessing the system
Role: collection of privileges; granted to user or another role
Privilege: restrict operations on objects
Object: e.g. a table, a view
Particular object: stored procedure
Authorization Entities
Stored procedure: SQL statement
Standard behaviour: invoker authorizations checked
Definer behaviour: creator authorizations checked
Best practice: control who can create stored procedures in definer behaviour
Entities relations
[Diagram: relations between User, Role, Privilege and Object, labelled "owns" and "granted to", with a "Best practice" legend.]
Attention: the action "grant" is also considered as an object! A grant is owned by its creator.
Repository vs Catalog (2 ways of working)
Repository
  Object definition (e.g. table def.)
  +/- DB definition
  Design time: store for design-time objects
  Packages & subpackages
  Package privilege
  Repository object types: data models (views), analytical privileges, repository roles
  Transportable (DEV, QA, PRD)
  Owner = technical user _SYS_REPO
  When activated, owner of run-time object = _SYS_REPO
Catalog
  Object (e.g. table)
  +/- DB content
  Run-time object
  Not transportable
  Creator = user
  Creator deleted -> all linked objects deleted
Authorization Entities: user
User type
DB users
  real user
  deletable
  all owned objects deleted
  all privileges they granted deleted
Internal DB users
  not real user
  not deleted
  for most: no logon possible
  for admin tasks
  e.g. technical user _SYS_REPO
Authorization Entities: user
Single user maintenance
Create 1 user directly in HANA
  attention: no first name, last name, department, function, ...!
  only user id & email address
Authorization Entities: user
Single user maintenance
Replication from ABAP user to HANA user
Maintenance of DBMS (database management system) users in SU01
  create / delete a DBMS user
  delete the assigned DBMS user when ABAP user is deleted
Result in HANA: [screenshot not preserved]
Authorization Entities: user
User mass maintenance
Via: ABAP program RSUSR_DBMS_USERS
  mass mapping of ABAP users to DBMS users.
  if DBMS user does not exist -> will be created in the DB system.
  assign or unassign DBMS Roles to/from DBMS users.
Authorization Entities: user
User mass maintenance
Other solutions:
  via tools (IDM, ...)
  via own automation (SQL script)
Authorization Entities: role
Repository roles (best practice)
  Transportable (DEV, QA, PRD)
  No need to have privilege to grant it to the role
  Grantor can grant/revoke all roles if he can execute the Grant Activated Role stored procedure
  Use with grant option for _SYS_REPO
  SOD possible btw creation, ownership & granting
Catalog roles (not recommended)
  Not transportable
  Need to have privilege to grant it to the role
  Only grantor can revoke role
  Privileges are transitive (removed from grantor -> removed from role)
  If grantor is deleted -> privileges are revoked
Authorization Entities: role (assignment)
[Three diagrams, Repository vs Catalog, over the User / Role / Privilege / Object chain. Labels: role (origin: catalog); role (origin: activate repository), owner = _SYS_REPO; _SYS_REPO owns; stored procedure (via Granted Roles); stored procedure execution. Legend: Best practice / Not recommended.]
Authorization Entities: privilege (overview)
[Diagram: Client -> application in the XS Engine (application privilege) -> SAP HANA, with packages (package privilege), tables (object privilege), views (analytic privilege) and the system (system privilege).]
System Privilege: admin tasks
Application Privilege: HANA applications (XS engine)
Package Privilege: access & use of packages in repositories
Object Privilege: SQL statements on DB objects
Analytic Privilege: provide row-level authorizations
Authorization Entities: privilege (system priv.)
System Privilege
System-wide privilege
Cannot be created or changed
Authorize user for admin tasks:
  Users & roles mngt
  Catalog & repository mngt
  Auditing
  System mngt
  Data import/export
Authorization Entities: privilege (application priv.)
Application Privilege
Grant access to HANA based applications
  e.g. to access the Web IDE interface application (sap.hana.xs.ide)
Used by HANA application developers
Authorization Entities: privilege (package priv.)
Package Privilege
Only for developers & modelers
Access & use of packages in the repository
Hierarchical access to packages & corresponding sub-packages
Packages contain objects such as:
  object privileges
  HANA views
Authorization Entities: privilege (object priv.)
Object Privilege
Are linked to an object
Restrict access on DB objects (e.g. table, view)
Actions:
  select
  update / create
  delete
Authorization Entities: privilege (analytic priv.)
Analytic Privilege
Control access to data with row-level authorization
Dynamic analytic privilege can be created
Authorization Entities: privilege (analytic priv.)
Dynamic analytic privilege
Table User_Region:
  User_Name  Region   Position
  User1      America  Manager
  User2      Asia     Employee
  User3      Europe   Manager
SQL dynamic analytic privilege:
Assign the dynamic procedure to the analytic privilege:
Authorization Entities: privilege (analytic priv.)
Dynamic analytic privilege
  ease of maintenance
  filter obtained from a stored procedure with a complex logic
  e.g. check user's region from a table
[Diagram: user 1, user 2 and user 3 reach the same view through one dynamic analytic privilege, which applies each user's own restrictions.]
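A dynamic analytic privilege built on the User_Region table above, as an added example that is not the presenter's code. The schema "AUTH", the view "_SYS_BIC"."demo/SALES" and its "REGION" column are hypothetical, and the view is assumed to be enabled for SQL analytic privileges.

```sql
-- Added example. Schema "AUTH", view "_SYS_BIC"."demo/SALES" and its column
-- "REGION" are hypothetical; the rows mirror the User_Region slide.
CREATE COLUMN TABLE "AUTH"."USER_REGION" (
  "USER_NAME" NVARCHAR(256) NOT NULL,
  "REGION"    NVARCHAR(40)  NOT NULL,
  "POSITION"  NVARCHAR(40)
);
-- SESSION_USER returns the name as stored in the catalog (upper case unless
-- the user was created with a quoted name), so the mapping uses that form.
INSERT INTO "AUTH"."USER_REGION" VALUES ('USER1', 'America', 'Manager');
INSERT INTO "AUTH"."USER_REGION" VALUES ('USER2', 'Asia',    'Employee');
INSERT INTO "AUTH"."USER_REGION" VALUES ('USER3', 'Europe',  'Manager');

-- Filter provider: no input, one string output, read-only, definer mode.
CREATE PROCEDURE "AUTH"."REGION_FILTER" (OUT OUT_FILTER NVARCHAR(5000))
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
  DECLARE v_regions NVARCHAR(4000);

  -- Quote each value and double embedded quotes so table content cannot
  -- alter the structure of the generated filter.
  SELECT STRING_AGG('''' || REPLACE("REGION", '''', '''''') || '''', ', ')
    INTO v_regions
    FROM "AUTH"."USER_REGION"
   WHERE "USER_NAME" = SESSION_USER;

  IF :v_regions IS NULL THEN
    OUT_FILTER := '1 = 2';  -- fail closed: unmapped users see no rows
  ELSE
    OUT_FILTER := '"REGION" IN (' || :v_regions || ')';
  END IF;
END;

-- Bind the procedure to the view as the privilege's filter condition.
CREATE STRUCTURED PRIVILEGE "AP_SALES_BY_REGION"
  FOR SELECT ON "_SYS_BIC"."demo/SALES"
  CONDITION PROVIDER "AUTH"."REGION_FILTER";

-- Review point: write access to the mapping table is row-level
-- authorization for every user of the privilege, so list who holds it.
SELECT GRANTEE, PRIVILEGE, GRANTOR
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE SCHEMA_NAME = 'AUTH'
   AND PRIVILEGE IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER', 'DROP');
```

The effective restriction now lives in table rows rather than in the privilege definition, which is the loss of transparency the tips at the end of the deck refer to.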
Authorization Entities: privilege (summary)
Access a table/view via object privilege
Access a specific column via a created view
Access a row via analytic privilege
1 displayed view = object priv (access to the table/view) + analytic priv (filters for that table)
Security Administration
2 possibilities: SAP HANA Studio or XS Web Interface
[Diagram: the admin works either from the SAP HANA Studio client or through the admin application in the XS Engine of SAP HANA.]
Security Administration (role: repository vs catalog)
Role creation: Repository (design-time) vs Catalog (run-time), in the XS Web Interface and in SAP HANA Studio
[Screenshots with Best practice / Not recommended markers not preserved.]
Security Administration (user: repository vs catalog)
User creation: Repository (design-time) vs Catalog (run-time), in the XS Web Interface and in SAP HANA Studio
[Screenshots with Best practice / Not recommended markers not preserved.]
Security Administration (role assignment: repository vs catalog)
Role assignment: Repository (design-time) vs Catalog (run-time), in the XS Web Interface and in SAP HANA Studio
[Screenshots with Best practice / Not recommended markers not preserved.]
Tools to replicate authorizations
When is it needed?
When there is a direct connection to SAP HANA
For BW authorizations:
SAP HANA Model Generation
  part of BW
  replicate ABAP authorizations (BW Analysis Authorizations) in HANA Analytic Privileges
    o generate analytic priv.
    o update analytic priv.
Tools to replicate authorizations
For ECC authorizations:
SAP HANA Live Authorization Assistant
  SAP HANA Studio add-on
  replicate ABAP PFCG authorizations in HANA Privileges
    o generate analytic priv.
    o update analytic priv.
Attention!
SAP HANA privileges are less granular than authorizations in the application layer,
therefore not all BW/ECC authorizations are supported in HANA
Tools to replicate authorizations
Impact to GRC
In GRC user provisioning flow: if no replication, use Business Roles in GRC
[Diagram. Replication scenario: GRC Composite Role, BW single roles, corresponding HANA roles; assigned in BW and HANA. No replication scenario: GRC Business Role, BW composite roles, HANA roles; assigned in BW and HANA.]
HANA rule set in GRC limited to IT maintenance & development*
Tips & tricks
Create roles in design-time (repository roles).
Ensure you are in the repository when working with the HANA Studio or the XS Web Interface for role creation.
Transfer ownership of everything you have created in the repository to _SYS_REPO to avoid issues if your user is deleted.
Transport roles from DEV to QA & PRD & activate them on each system to have _SYS_REPO as the owner of the run-time roles.
Assign roles via Granted Roles (executing stored procedure (via user _SYS_REPO)).
Control who can create stored procedures in definer behaviour to mitigate the risk of abuse.
Create a similar design to the 2 layer model to keep it clear.
Even though there is no limit on the number of privileges assigned (unlike ECC, with its maximum of 312 profiles), be logical in grouping the views.
SAP template roles are too wide. Create custom roles instead.
Restrict access to only the needed packages for modellers.
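Several of these tips can be checked from the system catalog. The queries below are an added example, not part of the original deck; they assume read access to the standard SYS views, and the role name and user in the final call are hypothetical.

```sql
-- Added example; assumes read access to the SYS catalog views.

-- 1. Run-time roles created directly in the catalog by a DB user.
--    Activated repository roles show _SYS_REPO as creator.
SELECT ROLE_NAME, CREATOR
  FROM "SYS"."ROLES"
 WHERE CREATOR NOT IN ('SYS', '_SYS_REPO')
 ORDER BY CREATOR, ROLE_NAME;

-- 2. Role assignments whose grantor is a DB user. These are revoked
--    when that grantor is deleted.
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTOR NOT IN ('SYS', '_SYS_REPO')
 ORDER BY GRANTOR, GRANTEE;

-- 3. Definer-mode procedures owned by ordinary users: callers run them
--    with the owner's authorizations, so each owner needs review.
SELECT P.SCHEMA_NAME, P.PROCEDURE_NAME, O.OWNER_NAME
  FROM "SYS"."PROCEDURES" P
  JOIN "SYS"."OWNERSHIP" O
    ON O.SCHEMA_NAME = P.SCHEMA_NAME
   AND O.OBJECT_NAME = P.PROCEDURE_NAME
   AND O.OBJECT_TYPE = 'PROCEDURE'
 WHERE P.SQL_SECURITY = 'DEFINER'
   AND O.OWNER_NAME <> 'SYS'
   AND O.OWNER_NAME NOT LIKE '\_SYS%' ESCAPE '\'
 ORDER BY O.OWNER_NAME, P.SCHEMA_NAME, P.PROCEDURE_NAME;

-- 4. Who can create objects, procedures included, in which schema.
SELECT GRANTEE, GRANTEE_TYPE, SCHEMA_NAME, GRANTOR
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE PRIVILEGE = 'CREATE ANY'
   AND OBJECT_TYPE = 'SCHEMA'
 ORDER BY SCHEMA_NAME, GRANTEE;

-- Recommended assignment path: the grant is made by _SYS_REPO through
-- its stored procedure. Role name and user are hypothetical.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('demo.roles::reporting_user', 'USER1');
```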
Tips & tricks
System privileges cannot be created/changed. Use stored procedures for a more granular approach.
Ensure the new custom XS HANA applications created by developers are secured to avoid exposing the DB.
If the user does not have full access to a view, the user will see partial data (only authorized data), unlike BI, where the user gets no results in that case.
If a filter is applied to 1 view in an analytical privilege, it will apply to all views in the analytical privilege.
Dynamic analytic privileges can be used for ease of maintenance, but be aware that they reduce transparency in authorizations!
Use a tool to replicate BW & ECC authorizations to HANA authorizations.
Note that the HANA rule set in GRC is limited to IT maintenance & development.
Tips & tricks
Don't forget the important Security Notes:
2197397: SAP HANA Extended Application Services (XS) has a Buffer Overflow vulnerability.
2197428: Potential remote code execution in HANA.
2197459: Potential log injection vulnerability in SAP HANA audit log.
Thanks for listening! Any questions?
Christophe Decamps
Consultant
Governance, Risk & Compliance
+32 473 720 125
www.expertum.net
Inspire by Experience.