SAP HANA Content Security Roles Setup

A few months ago I was given a task to implement content security in SAP HANA. The main purpose for this task was to provide Business user access to information models created in SAP HANA. For example Finance user should only view finance package and can access information models in that package via BI tools such as Analysis for excel.

So, after a research and few discussions with various people (one of them was from SAP Melbourne) I came up with following security model.

















Let's assume that content is maintained in following structure:



So based on each type of privilege I created the roles as shown below:

System Privilege Roles

These roles are mainly needed for System admin tasks (technical role)

X_HNS = S for System Privilege role


Role
Name
Privilege
Type
Assigned
Privileges
X_HNS_USERADMIN
This role can create users, change their password and delete users
System
Privilege
USER ADMIN
DATA ADMIN
X_HNS_ROLEADMIN
This role can create roles, alter roles and drop roles with SQL commands1
System
Privilege
ROLE ADMIN
X_HNS_SYSADMIN
This roles can administer HANA system, alter system parameters and execute ALTER commands to change system
System
Privilege
INIFILE ADMIN
LICENSE ADMIN
LOG ADMIN
SERVICE ADMIN
SESSION ADMIN
TRACE ADMIN
AUDIT ADMIN    
X_HNS_SYSMON
This role can enable trace, auditing and manage logs to monitor system
System
Privilege
CATALOG READ
MONITOR ADMIN
X_HNS_CONTENTADMIN
This role can create, alter, import, export and drop content.
System
Privilege
CREATE SCENARIO
CREATE STRUCTURED PRIVILEGE
REPO.EXPORT
REPO.IMPORT
REPO.MAINTAIN_DELIVERY_UNITS
REPO.WORK_IN_FOREIGN_WORKSPACE
STUCTUREDPRIVILEGE ADMIN
X_HNS_DATAADMIN
This role can create schema, import and export tables and drop tables
System
Privilege
CATALOG READ
CREATE REMOTE SOURCE
CREATE SCHEMA
IMPORT
EXPORT


Object Privilege Roles

X_HNO = O for Object Privilege Role



Role
Name
Privilege
Type
Assigned
Privileges
X_HNO_CONTENT_READ
This role give read access to activated views
Object
Privilege
_SYS_BI (SELECT, EXECUTE)

You would only need this _SYS_BIC (SELECT, EXECUTE) if you are using HANA studio to access views. Not using this for BI tools provides more security in terms of displaying activated views. Access to SYS_BIC will provide access to all activated views and therefore this model will be invalid. We can create separate role for this privilege
X_HNO_CONTENT_WRITE
This role give write access for activated views and read access to schema
Object
Privilege
_SYS_BI (EXECUTE, SELECT, INSERT, UPDATE, DELETE)
_SYS_BIC (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX)
X_HNO_CONTENT_LIST
Object
Privilege
REPOSITORY_REST (EXECUTE)
X_HNO_SCHEMA_READ
Object
Privilege
SCHEMA (SELECT)
X_HNO_SCHEMA_WRITE
Object
Privilege
SCHEMA (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX)
X_HNO_FI_CONTENT
Object
Privilege
_SYS_BIC.FI Column Views
X_HNO_CO_CONTENT
Object
Privilege
_SYS_BIC.CO Column Views
X_HNO_IM_CONTENT
Object
Privilege
_SYS_BIC.IM Column Views
X_HNO_LE_CONTENT
Object
Privilege
_SYS_BIC.LE Column Views
X_HNO_MM_CONTENT
Object
Privilege
_SYS_BIC.MM Column Views
X_HNO_PA_CONTENT
Object Privilege
_SYS_BIC.PA Column Views
X_HNO_PU_CONTENT
Object Privilege
_SYS_BIC.PU Column Views
X_HNO_SD_CONTENT
Object Privilege
_SYS_BIC.SD Column Views
X_HNO_SP_CONTENT
Object Privilege
_SYS_BIC.SP Column Views


Package Privilege Roles




Role

Name
Privilege

Type
Assigned

Privileges

X_HNP_FI_READ


This role give read access to Package FI
Package

Privilege
REPO.READ on FI


X_HNP_IM_READ


This role give read access to Package IM
Package

Privilege
REPO.READ on IM



X_HNP_LE_READ


This role give read access to Package LE
Package

Privilege
REPO.READ on LE



X_HNP_MM_READ


This role give read access to Package MM
Package

Privilege
REPO.READ on MM



X_HNP_PP_READ


This role give read access to Package PP
Package

Privilege
REPO.READ on PP



X_HNP_PU_READ


This role give read access to Package PU
Package

Privilege
REPO.READ on PU



X_HNP_SD_READ


This role give read access to Package SD
Package

Privilege
REPO.READ on SD



X_HNP_SP_READ


This role give read access to Package SP
Package

Privilege
REPO.READ on SP


X_HNP_CO_READ


This role give read access to Package CO
Package

Privilege
REPO.READ on CO

X_HNP_PA_READ


This role give read access to Package PA
Package

Privilege
REPO.READ on PA

X_HNP_ROOT_WRITE


This role give edit access to ALL Packages
Package

Privilege
REPO.READ

REPO.EDIT_NATIVE_OBJECTS

REPO.ACTIVATE_NATIVE_OBJECTS

REPO.MAINTAIN_NATIVE_PACKAGES

on ROOT


Analytic Privilege Roles

There can be many analytic privileges assigned to a role. For example: I am creating one single analytic privilege first and then create a role for department with this analytic privilege. In future, more analytic privileges can be added to it. In our case, we are not using analytic privileges which means no attribute restrictions

X_HND = D for Data level restriction



Analytic

Privilege
Package


Content
Attributes

Restrictions

X_HND_CO_AP1
CO
column views under

_SYS_BIC.CO/
 NA

X_HND_FI_AP1
FI
All column views under __SYS_BIC.FI/
NA

X_HND_IM _AP1
IM
column views under __SYS_BIC.IM
NA

X_HND_LE _AP1
LE
 column views under _SYS_BIC.LE
NA

X_HND_MM _AP1
 MM
column views under _SYS_BIC.MM
NA

X_HND_PP _AP1
PP
column views under _SYS_BIC.PP
NA

X_HND_PA _AP1
PA
column views under __SYS_BIC.PA
NA

X_HND_PU _AP1
 PU
column views under _SYS_BIC.PU
NA

X_HND_SD _AP1
SD
column views under _SYS_BIC.SD
NA

_SYS_BI_CP_ALL
ROOT
All column views

under  _SYS_BIC
No Restrictions. Currently being used

Now the Analytic Roles

X_HNA = A for Analytic Privilege roles




Role

Name
Analytic

Privilege

X_HNA_FI
X_HND_FI_AP1

X_HNA_IM
X_HND_IM_AP1

X_HNA_LE
X_HND_LE_AP1

X_HNA_CO
X_HND_CO_AP1

X_HNA_MM
X_HND_MM_AP1

X_HNA_PU
X_HND_PU_AP1

X_HNA_PP
X_HND_PP_AP1

X_HNA_PA
X_HND_PA_AP1

X_HNA_SD
X_HND_SD _AP1

X_HNA_ALL
_SYS_BI_CP_ALL (This one is being used only)

Let's take a look at how we can use system privilege roles to create technical roles:

Technical Roles




Role

Name
Granted Roles

Y_HNT_SECURTY
 Add/delete/edit users and assign other roles
X_HNS_USERADMIN

X_HNS_ROLEADMIN


Y_HNT_ADMINS
Perform admin tasks and security tasks
X_HNS_USERADMIN

X_HNS_ROLEADMIN

X_HNS_SYSADMIN

X_HNS_SYSMON

X_HNS_CONTENTADMIN

X_HNS_DATAADMIN


Y_HNT_CONTENT_DEVS
Create and activate information models in packages
X_HNS_CONTENTADMIN

X_HNO_SCHEMA_READ

X_HNO_CONTENT_WRITE

X_HNO_CONTENT_LIST

X_HNP_ROOT_WRITE

X_HNA_ALL

Now, lets take a look at functional role example. In this example, Finance user A need access to FI package and it's information views. So, in this case create a functional role for Finance department and add user A into it.




Role

Name
Granted Roles

Y_HNF_FI
X_HNO_CONTENT_READ

X_HNO_FI_CONTENT

X_HNP_FI_READ

X_HNA_ALL

In the same way we can create other functional roles depending upon our requirements then assign them to user.

References
1.   SAP Hana Platform SPS6 Security Guide, 03rd September 2013, SAP HANA Security Guide, SAP Help Portal, http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
2.   Tomas Krojzl 2013, ‘SAP HANA – Security Concept and Data Architecture’, SAP Community Network – Tomas Krojzl’s Blog, 24 October 2011, viewed 20 October, 2013

Comments

Post a Comment

Popular posts from this blog

SAP HANA Input Parameter - Derived from Table - Use Expression in Filter Value

Image
Recently, I have experienced something while modeling HANA information view that I want to share with everyone.  Case:  Dynamic Filter for projection with current Fiscal Year and Fiscal Period.  Method: There are different parameter types that we can use to do this. I decided to use following "Derived from table" type as shown below:  Challenge: When filtering column then it displays list of values from the same HANA information view and we can select the date. Now, as the requirement is current Fiscal Year and Period so how do we filter the column to dynamically select current date in "Filter Value" section? Solution: Like everyone, I expected it to understand the expression. So I tried following and it worked. I used the expression  currentdate() I was aware that I could use expression in the "Default Value" section (as explained in SAP HANA Developer Guide) but didn't expect it to work in "Filter Value".
Read more

SLT Replication Issue Due To Timeout Reading Logging Tables

In our company we use SAP LT (Landscape Transformation) replication server to replicate tables from SAP ECC system to SAP HANA in real time. SLT creates trigger for each table that we want to replicate and whenever there is change it stores the changes in the logging table. Later on, these tables are used to update replicated tables in SAP HANA.    This system is really useful when you really need real time replication to SAP HANA. However, it also causes performance issue if proper monitoring is not being performed. Just recently, we faced an issue where we were trying to replicate a large table "VBFA" to SAP HANA in production environment. Every time table replicate status changes to "ERROR" after the initial load. It started to fail when ever SLT tries to read change/delta stored in logging table. This tables replication worked fine in DEV and QA environment.   After troubleshooting and taking help from SAP support we found that in the program generated
Read more