SAP HANA Content Security Roles Setup
A few months ago I was given the task of implementing content security in SAP HANA. The main purpose was to give business users access to the information models created in SAP HANA on a need-to-know basis. For example, a Finance user should only see the Finance package and should be able to access the information models in that package through BI tools such as Analysis for Excel.
So, after some research and a few discussions with various people (one of them from SAP Melbourne), I came up with the following security model.
Let's assume that content is maintained in the following structure:
Based on each type of privilege, I created the roles shown below:
System Privilege Roles
These roles are mainly needed for system administration tasks (technical roles).
X_HNS: the S stands for System Privilege role.
| Role Name | Description | Privilege Type | Assigned Privileges |
|---|---|---|---|
| X_HNS_USERADMIN | Can create users, change their passwords and delete users | System Privilege | USER ADMIN, DATA ADMIN |
| X_HNS_ROLEADMIN | Can create, alter and drop roles with SQL commands [1] | System Privilege | ROLE ADMIN |
| X_HNS_SYSADMIN | Can administer the HANA system, alter system parameters and execute ALTER commands that change the system | System Privilege | INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, SERVICE ADMIN, SESSION ADMIN, TRACE ADMIN, AUDIT ADMIN |
| X_HNS_SYSMON | Can enable tracing and auditing and manage logs to monitor the system | System Privilege | CATALOG READ, MONITOR ADMIN |
| X_HNS_CONTENTADMIN | Can create, alter, import, export and drop content | System Privilege | CREATE SCENARIO, CREATE STRUCTURED PRIVILEGE, REPO.EXPORT, REPO.IMPORT, REPO.MAINTAIN_DELIVERY_UNITS, REPO.WORK_IN_FOREIGN_WORKSPACE, STRUCTUREDPRIVILEGE ADMIN |
| X_HNS_DATAADMIN | Can create schemas, import and export tables and drop tables | System Privilege | CATALOG READ, CREATE REMOTE SOURCE, CREATE SCHEMA, IMPORT, EXPORT |
Object Privilege Roles
X_HNO: the O stands for Object Privilege role.
| Role Name | Description | Privilege Type | Assigned Privileges |
|---|---|---|---|
| X_HNO_CONTENT_READ | Gives read access to activated views | Object Privilege | _SYS_BI (SELECT, EXECUTE). _SYS_BIC (SELECT, EXECUTE) is only needed if HANA Studio is used to access the views. Leaving it out for BI tools is more secure: SELECT on the whole _SYS_BIC schema grants access to every activated view, which would make this model meaningless. A separate role can be created for that privilege if it is really required. |
| X_HNO_CONTENT_WRITE | Gives write access to activated views and read access to the schema | Object Privilege | _SYS_BI (EXECUTE, SELECT, INSERT, UPDATE, DELETE); _SYS_BIC (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX) |
| X_HNO_CONTENT_LIST | | Object Privilege | REPOSITORY_REST (EXECUTE) |
| X_HNO_SCHEMA_READ | | Object Privilege | SCHEMA (SELECT) |
| X_HNO_SCHEMA_WRITE | | Object Privilege | SCHEMA (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX) |
| X_HNO_FI_CONTENT | | Object Privilege | _SYS_BIC.FI column views |
| X_HNO_CO_CONTENT | | Object Privilege | _SYS_BIC.CO column views |
| X_HNO_IM_CONTENT | | Object Privilege | _SYS_BIC.IM column views |
| X_HNO_LE_CONTENT | | Object Privilege | _SYS_BIC.LE column views |
| X_HNO_MM_CONTENT | | Object Privilege | _SYS_BIC.MM column views |
| X_HNO_PA_CONTENT | | Object Privilege | _SYS_BIC.PA column views |
| X_HNO_PU_CONTENT | | Object Privilege | _SYS_BIC.PU column views |
| X_HNO_SD_CONTENT | | Object Privilege | _SYS_BIC.SD column views |
| X_HNO_SP_CONTENT | | Object Privilege | _SYS_BIC.SP column views |
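The point about _SYS_BIC in the X_HNO_CONTENT_READ row is the one that most often undoes a package-based model, so here is the narrow grant beside the schema-wide one, followed by two catalog checks. This is an added example, not SQL from the original post; it uses the post's role and schema names, and "_SYS_BIC"."FI/EXAMPLE_VIEW" and USER_A are placeholders for your own column view and user.

```sql
-- Narrow form (the post's X_HNO_CONTENT_READ): read the _SYS_BI support schema only ...
GRANT SELECT, EXECUTE ON SCHEMA _SYS_BI TO X_HNO_CONTENT_READ;

-- ... and reach the department's activated views one object at a time
-- (the post's X_HNO_FI_CONTENT). Placeholder view name.
GRANT SELECT ON "_SYS_BIC"."FI/EXAMPLE_VIEW" TO X_HNO_FI_CONTENT;

-- Wide form the post warns against: SELECT on the whole _SYS_BIC schema covers
-- every activated view of every department, so package separation no longer
-- restricts that grantee. Kept as a comment so it is not run by accident.
-- GRANT SELECT, EXECUTE ON SCHEMA _SYS_BIC TO X_HNO_CONTENT_READ;

-- Check 1: which grantees (users or roles) hold a schema-level grant on _SYS_BIC?
-- GRANTED_PRIVILEGES lists direct grants and needs no user filter.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND PRIVILEGE IN ('SELECT', 'EXECUTE');

-- Check 2: does a given user end up with that schema-level grant through any
-- role chain? EFFECTIVE_PRIVILEGES must be filtered by USER_NAME.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'USER_A'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC';
```

An empty result from check 1 for everything except the content developer roles is the expected state under this model; any business user appearing in check 2 has been granted more than their functional role was meant to give.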
Package Privilege Roles
| Role Name | Description | Privilege Type | Assigned Privileges |
|---|---|---|---|
| X_HNP_FI_READ | Gives read access to package FI | Package Privilege | REPO.READ on FI |
| X_HNP_IM_READ | Gives read access to package IM | Package Privilege | REPO.READ on IM |
| X_HNP_LE_READ | Gives read access to package LE | Package Privilege | REPO.READ on LE |
| X_HNP_MM_READ | Gives read access to package MM | Package Privilege | REPO.READ on MM |
| X_HNP_PP_READ | Gives read access to package PP | Package Privilege | REPO.READ on PP |
| X_HNP_PU_READ | Gives read access to package PU | Package Privilege | REPO.READ on PU |
| X_HNP_SD_READ | Gives read access to package SD | Package Privilege | REPO.READ on SD |
| X_HNP_SP_READ | Gives read access to package SP | Package Privilege | REPO.READ on SP |
| X_HNP_CO_READ | Gives read access to package CO | Package Privilege | REPO.READ on CO |
| X_HNP_PA_READ | Gives read access to package PA | Package Privilege | REPO.READ on PA |
| X_HNP_ROOT_WRITE | Gives edit access to all packages | Package Privilege | REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS, REPO.MAINTAIN_NATIVE_PACKAGES on ROOT |
Analytic Privilege Roles
Many analytic privileges can be assigned to one role. The approach here is to create a single analytic privilege per department first and then create a role for that department containing it; further analytic privileges can be added to the role later. In our case we are not using restricting analytic privileges, which means there are no attribute restrictions.
X_HND: the D stands for Data-level restriction.
| Analytic Privilege | Package | Content | Attribute Restrictions |
|---|---|---|---|
| X_HND_CO_AP1 | CO | Column views under _SYS_BIC.CO/ | |
| X_HND_FI_AP1 | FI | All column views under _SYS_BIC.FI/ | NA |
| X_HND_IM_AP1 | IM | Column views under _SYS_BIC.IM | NA |
| X_HND_LE_AP1 | LE | Column views under _SYS_BIC.LE | NA |
| X_HND_MM_AP1 | MM | Column views under _SYS_BIC.MM | NA |
| X_HND_PP_AP1 | PP | Column views under _SYS_BIC.PP | NA |
| X_HND_PA_AP1 | PA | Column views under _SYS_BIC.PA | NA |
| X_HND_PU_AP1 | PU | Column views under _SYS_BIC.PU | NA |
| X_HND_SD_AP1 | SD | Column views under _SYS_BIC.SD | NA |
| _SYS_BI_CP_ALL | ROOT | All column views under _SYS_BIC | No restrictions. Currently being used |
Now the analytic roles:
X_HNA: the A stands for Analytic Privilege role.
| Role Name | Analytic Privilege |
|---|---|
| X_HNA_FI | X_HND_FI_AP1 |
| X_HNA_IM | X_HND_IM_AP1 |
| X_HNA_LE | X_HND_LE_AP1 |
| X_HNA_CO | X_HND_CO_AP1 |
| X_HNA_MM | X_HND_MM_AP1 |
| X_HNA_PU | X_HND_PU_AP1 |
| X_HNA_PP | X_HND_PP_AP1 |
| X_HNA_PA | X_HND_PA_AP1 |
| X_HNA_SD | X_HND_SD_AP1 |
| X_HNA_ALL | _SYS_BI_CP_ALL (the only one currently being used) |
Let's take a look at how the system privilege roles are combined into technical roles:
Technical Roles
| Role Name | Description | Granted Roles |
|---|---|---|
| Y_HNT_SECURITY | Add, delete and edit users and assign other roles | X_HNS_USERADMIN, X_HNS_ROLEADMIN |
| Y_HNT_ADMINS | Perform admin tasks and security tasks | X_HNS_USERADMIN, X_HNS_ROLEADMIN, X_HNS_SYSADMIN, X_HNS_SYSMON, X_HNS_CONTENTADMIN, X_HNS_DATAADMIN |
| Y_HNT_CONTENT_DEVS | Create and activate information models in packages | X_HNS_CONTENTADMIN, X_HNO_SCHEMA_READ, X_HNO_CONTENT_WRITE, X_HNO_CONTENT_LIST, X_HNP_ROOT_WRITE, X_HNA_ALL |
Now let's take a look at a functional role example. In this example, Finance user A needs access to the FI package and its information views. So, in this case, create a functional role for the Finance department and add user A to it.
| Role Name | Granted Roles |
|---|---|
| Y_HNF_FI | X_HNO_CONTENT_READ, X_HNO_FI_CONTENT, X_HNP_FI_READ, X_HNA_ALL |
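To show how the layers fit together, here is the Finance functional role built end to end from its building-block roles and granted to a user, followed by the checks that confirm what the user actually ends up with. This is an added example, not SQL from the original post: the role names are the post's, while USER_A, the package name FI and the view name "_SYS_BIC"."FI/EXAMPLE_VIEW" are placeholders for your own landscape.

```sql
-- Package privilege role: read the FI package in the repository.
CREATE ROLE X_HNP_FI_READ;
GRANT REPO.READ ON "FI" TO X_HNP_FI_READ;

-- Object privilege roles: the _SYS_BI support schema, and the FI column views only.
CREATE ROLE X_HNO_CONTENT_READ;
GRANT SELECT, EXECUTE ON SCHEMA _SYS_BI TO X_HNO_CONTENT_READ;
CREATE ROLE X_HNO_FI_CONTENT;
GRANT SELECT ON "_SYS_BIC"."FI/EXAMPLE_VIEW" TO X_HNO_FI_CONTENT;  -- placeholder view

-- Analytic privilege role: the post currently uses the unrestricted _SYS_BI_CP_ALL.
CREATE ROLE X_HNA_ALL;
GRANT STRUCTURED PRIVILEGE _SYS_BI_CP_ALL TO X_HNA_ALL;

-- Functional role: nothing but the building blocks, nested. Users receive only
-- the functional role, never the X_* roles directly.
CREATE ROLE Y_HNF_FI;
GRANT X_HNO_CONTENT_READ, X_HNO_FI_CONTENT, X_HNP_FI_READ, X_HNA_ALL TO Y_HNF_FI;
GRANT Y_HNF_FI TO USER_A;

-- Check 1: the resolved role chain for the user (EFFECTIVE_ROLES needs USER_NAME).
SELECT ROLE_NAME, GRANTEE, GRANTEE_TYPE
  FROM SYS.EFFECTIVE_ROLES
 WHERE USER_NAME = 'USER_A';

-- Check 2: every schema and object privilege the user holds, with the grantee
-- (role) it arrived through. Only _SYS_BI at schema level and FI views should appear.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTEE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'USER_A'
   AND OBJECT_TYPE IN ('SCHEMA', 'VIEW', 'TABLE')
 ORDER BY SCHEMA_NAME, OBJECT_NAME;
```

Adding a second department for the same user is then a matter of granting another functional role (for example one built from X_HNO_CO_CONTENT, X_HNP_CO_READ and the same read and analytic roles), and check 2 shows the new views appearing without any schema-wide grant on _SYS_BIC.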
In the same way, other functional roles can be created according to requirements and then assigned to users.
References
1. SAP HANA Platform SPS6 Security Guide, 3 September 2013, SAP HANA Security Guide, SAP Help Portal, http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
2. Tomas Krojzl 2013, 'SAP HANA – Security Concept and Data Architecture', SAP Community Network – Tomas Krojzl's Blog, 24 October 2011, viewed 20 October 2013