Security means protecting company’s critical data from unauthorized access and use, and to ensure that Compliance and standards are met as per the company policy. SAP HANA enables customer to implement different security policies and procedures and to meet compliance requirements of the company.

SAP HANA supports multiple databases in a single HANA system and this is known as multitenant database containers. HANA system can also contain more than one multitenant database containers. A multiple container system always has exactly one system database and any number of multitenant database containers. AN SAP HANA system that is installed in this environment is identified by a single system ID (SID). Database containers in HANA system are identified by a SID and database name. SAP HANA client, known as HANA studio, connects to specific databases.

SAP HANA provides all security related features such as Authentication, Authorization, Encryption and Auditing, and some add on features, which are not supported in other multitenant databases.

1 34

Below given is a list of security related features, provided by SAP HANA −

User and Role Management
Authentication and SSO
Authorization
Encryption of data communication in Network
Encryption of data in Persistence Layer

Additional Features in multitenant HANA database −

Database Isolation − It involves preventing cross tenant attacks through operating system mechanism
Configuration Change blacklist − It involves preventing certain system properties from being changed by tenant database administrators
Restricted Features − It involves disabling certain database features that provides direct access to file system, the network or other resources.

SAP HANA User and Role Management

SAP HANA user and role management configuration depends on the architecture of your HANA system.

If SAP HANA is integrated with BI platform tools and acts as reporting database, then the end-user and role are managed in application server.
If the end-user directly connects to the SAP HANA database, then user and role in database layer of HANA system is required for both end users and administrators.

Every user wants to work with HANA database must have a database user with necessary privileges. User accessing HANA system can either be a technical user or an end user depending on the access requirement. After successful logon to system, user’s authorization to perform the required operation is verified. Executing that operation depends on privileges that user has been granted. These privileges can be granted using roles in HANA Security. HANA Studio is one of powerful tool to manage user and roles for HANA database system.

User Types

User types vary according to security policies and different privileges assigned on user profile. User type can be a technical database user or end user needs access on HANA system for reporting purpose or for data manipulation.

Standard Users

Standard users are users who can create objects in their own Schemas and have read access in system Information models. Read access is provided by PUBLIC role which is assigned to every standard users.

2 33

Restricted Users

Restricted users are those users who access HANA system with some applications and they do not have SQL privileges on HANA system. When these users are created, they do not have any access initially.

If we compare restricted users with Standard users −

Restricted users cannot create objects in HANA database or their own Schemas.
They do not have access to view any data in database as they don’t have generic Public role added to profile like standard users.
They can connect to HANA database only using HTTP/HTTPS.

User Administration & Role Management

Technical database users are used only for administrative purpose such as creating new objects in database, assigning privileges to other users, on packages, applications etc.

SAP HANA User Administration Activities

Depending on business needs and configuration of HANA system, there are different user activities that can be performed using user administration tool like HANA studio.

Most common activities include −

Create Users
Grant roles to users
Define and Create Roles
Deleting Users
Resetting user passwords
Reactivating users after too many failed logon attempts
Deactivating users when it is required

How to create Users in HANA Studio?

Only database users with the system privilege ROLE ADMIN are allowed to create users and roles in HANA studio. To create users and roles in HANA studio, go to HANA Administrator Console. You will see security tab in System view −

3 33

When you expand security tab, it gives option of User and Roles. To create a new user right click on User and go to New User. New window will open where you define User and User parameters.

Enter User name (mandate) and in Authentication field enter password. Password is applied, while saving password for a new user. You can also choose to create a restricted user.

The specified role name must not be identical to the name of an existing user or role. The password rules include a minimal password length and a definition of which character types (lower, upper, digit, special characters) have to be part of the password.

4 31

Different Authorization methods can be configured like SAML, X509 certificates, SAP Logon ticket, etc. Users in the database can be authenticated by varying mechanisms −

Internal authentication mechanism using a password.

External mechanisms such as Kerberos, SAML, SAP Logon Ticket, SAP Assertion Ticket or X.509.

A user can be authenticated by more than one mechanism at a time. However, only one password and one principal name for Kerberos can be valid at any one time. One authentication mechanism has to be specified to allow the user to connect and work with the database instance.

It also gives an option to define validity of user, you can mention validity interval by selecting the dates. Validity specification is an optional user parameter.

Some users that are, by default, delivered with the SAP HANA database are − SYS, SYSTEM, _SYS_REPO, _SYS_STATISTICS.

Once this is done, the next step is to define privileges for user profile. There are different types of privileges that can be added to a user profile.

Granted Roles to a User

This is used to add inbuilt SAP.HANA roles to user profile or to add custom roles created under Roles tab. Custom roles allow you to define roles as per access requirement and you can add these roles directly to user profile. This removes need to remember and add objects to a user profile every time for different access types.

5 28

PUBLIC − This is Generic role and is assigned to all database users by default. This role contains read only access to system views and execute privileges for some procedures. These roles cannot be revoked.

6 22

Modeling

It contains all privileges required for using the information modeler in the SAP HANA studio.

System Privileges

There are different types of System privileges that can be added to a user profile. To add a system privileges to a user profile, click on + sign.

System privileges are used for Backup/Restore, User Administration, Instance start and stop, etc.

Content Admin

It contains the similar privileges as that in MODELING role, but with the addition that this role is allowed to grant these privileges to other users. It also contains the repository privileges to work with imported objects.

7 18

Data Admin

This is a type of privilege, required for adding Data from objects to user profile.

8 16

Given below are common supported System Privileges −

Attach Debugger
It authorizes the debugging of a procedure call, called by a different user. Additionally, the DEBUG privilege for the corresponding procedure is needed.
Audit Admin
Controls the execution of the following auditing-related commands − CREATE AUDIT POLICY, DROP AUDIT POLICY and ALTER AUDIT POLICY and the changes of the auditing configuration. Also allows access to AUDIT_LOG system view.
Audit Operator
It authorizes the execution of the following command − ALTER SYSTEM CLEAR AUDIT LOG. Also allows access to AUDIT_LOG system view.
Backup Admin
It authorizes BACKUP and RECOVERY commands for defining and initiating backup and recovery procedures.
Backup Operator
It authorizes the BACKUP command to initiate a backup process.
Catalog Read
It authorizes users to have unfiltered read-only access to all system views. Normally, the content of these views is filtered based on the privileges of the accessing user.
Create Schema
It authorizes the creation of database schemas using the CREATE SCHEMA command. By default, each user owns one schema, with this privilege the user is allowed to create additional schemas.
CREATE STRUCTURED PRIVILEGE
It authorizes the creation of Structured Privileges (Analytical Privileges). Only the owner of an Analytical Privilege can further grant or revoke that privilege to other users or roles.
Credential Admin
It authorizes the credential commands − CREATE/ALTER/DROP CREDENTIAL.
Data Admin
It authorizes reading all data in the system views. It also enables execution of any Data Definition Language (DDL) commands in the SAP HANA database

A user having this privilege cannot select or change data stored tables for which they do not have access privileges, but they can drop tables or modify table definitions.
Database Admin
It authorizes all commands related to databases in a multi-database, such as CREATE, DROP, ALTER, RENAME, BACKUP, RECOVERY.
Export
It authorizes export activity in the database via the EXPORT TABLE command.

Note that beside this privilege the user requires the SELECT privilege on the source tables to be exported.
Import
It authorizes the import activity in the database using the IMPORT commands.

Note that beside this privilege the user requires the INSERT privilege on the target tables to be imported.
Inifile Admin

It authorizes changing of system settings.
License Admin

It authorizes the SET SYSTEM LICENSE command install a new license.
Log Admin
It authorizes the ALTER SYSTEM LOGGING [ON|OFF] commands to enable or disable the log flush mechanism.
Monitor Admin
It authorizes the ALTER SYSTEM commands for EVENTs.
Optimizer Admin
It authorizes the ALTER SYSTEM commands concerning SQL PLAN CACHE and ALTER SYSTEM UPDATE STATISTICS commands, which influence the behavior of the query optimizer.
Resource Admin
This privilege authorizes commands concerning system resources. For example, ALTER SYSTEM RECLAIM DATAVOLUME and ALTER SYSTEM RESET MONITORING VIEW. It also authorizes many of the commands available in the Management Console.
Role Admin
This privilege authorizes the creation and deletion of roles using the CREATE ROLE and DROP ROLE commands. It also authorizes the granting and revocation of roles using the GRANT and REVOKE commands.

Activated roles, meaning roles whose creator is the pre-defined user _SYS_REPO, can neither be granted to other roles or users nor dropped directly. Not even users having ROLE ADMIN privilege are able to do so. Please check documentation concerning activated objects.
Savepoint Admin
It authorizes the execution of a savepoint process using the ALTER SYSTEM SAVEPOINT command.

Components of the SAP HANA database can create new system privileges. These privileges use the component-name as first identifier of the system privilege and the component-privilege-name as the second identifier.

Object/SQL Privileges

Object privileges are also known as SQL privileges. These privileges are used to allow access on objects like Select, Insert, Update and Delete of tables, Views or Schemas.

9 11

Given below are possible types of Object Privileges −

Object privilege on database objects that exist only in runtime
Object privilege on activated objects created in the repository, like calculation views
Object privilege on schema containing activated objects created in the repository,
Object/SQL Privileges are collection of all DDL and DML privileges on database objects.

Given below are common supported Object Privileges −

There are multiple database objects in HANA database, so not all the privileges are applicable to all kinds of database objects.

10 8

Object Privileges and their applicability on database objects −

11 5

Analytic Privileges

Sometimes, it is required that data in the same view should not be accessible to other users who does not have any relevant requirement for that data.

Analytic privileges are used to limit the access on HANA Information Views at object level. We can apply row and column level security in Analytic Privileges.

Analytic Privileges are used for −

Allocation of row and column level security for specific value range.
Allocation of row and column level security for modeling views.

12 4

Package Privileges

In the SAP HANA repository, you can set package authorizations for a specific user or for a role. Package privileges are used to allow access to data models- Analytic or Calculation views or on to Repository objects. All privileges that are assigned to a repository package are assigned to all sub packages too. You can also mention if assigned user authorizations can be passed to other users.

Steps to add a package privileges to User profile −

Click on Package privilege tab in HANA studio under User creation → Choose + to add one or more packages. Use Ctrl key to select multiple packages.
In the Select Repository Package dialog, use all or part of the package name to locate the repository package that you want to authorize access to.
Select one or more repository packages that you want to authorize access to, the selected packages appear in the Package Privileges tab.

13 4

Given below are grant privileges, which are used on repository packages to authorize user to modify the objects −

REPO.READ − Read access to the selected package and design-time objects (both native and imported)
REPO.EDIT_NATIVE_OBJECTS − Authorization to modify objects in packages.
Grantable to Others − If you choose ‘Yes’ for this, this allows assigned user authorization to pass to the other users.

Application Privileges

Application privileges in a user profile are used to define authorization for access to HANA XS application. This can be assigned to an individual user or to the group of users. Application privileges can also be used to provide different level of access to the same application like to provide advanced functions for database Administrators and read-only access to normal users.

14 3

To define Application specific privileges in a user profile or to add group of users, below privileges should be used −

Application-privileges file (.xsprivileges)
Application-access file (.xsaccess)
Role-definition file (<RoleName>.hdbrole)

This Tecklearn ‘User Administration & Role Management and Security Overview in SAP Hana’ blog helps you with commonly asked questions if you are looking out for a job in SAP Hana and SAP Domain. If you wish to learn SAP Hana and build a career in SAP domain, then check out our interactive, SAP HANA Training, that comes with 24*7 support to guide you throughout your learning period. Please find the link for course details:

https://www.tecklearn.com/course/sap-hana-training-certification/

SAP HANA Training

About the Course

SAP HANA is an in-memory computing application that is designed and developed to boost the business processes, deliver smart solutions, and simplify both hardware and software environments. Our Sap Hana Training course will help you understand and learn the fundamentals and will also felicitate on training hands-on for the better grasp on the course. Further, we have the highly qualified professionals who will train you about Sap Hana Studio, Modelling, Security features and its various other aspects. You will understand why SAP HANA is a fundamentally different database engine upon the completion of this SAP HANA course.

Why Should you take SAP HANA Training?

The average Sap Hana Consultant salary $165,750 per year or $85 per hour. (neuvoo.com).
SAP HANA is the highest growing technology; hence, there is no surprise in plenty of career opportunities in this field. Since it is one among the fastest-growing products in the history of SAP, it is considered by the industries as a ground-breaking key for in-memory databases.
SAP HANA currently has more than 6,500 customers globally.

What you will Learn in this Course?

Introduction to SAP HANA

Fundamentals of SAP HANA
Capabilities of SAP HANA
Limitations of SAP HANA

Key Features of SAP HANA

Key Features: High Performance functionalities In-Memory computing, Columnar store database, Data Compression and Massive Parallel Processing
Using SAP HANA for Non-SAP Applications

Architecture of SAP HANA

Detailed Architecture of SAP HANA Database
Concept of SAP HANA Landscapes and Scenarios

Overview of HANA Studio

SAP HANA System – Perspectives, Administration, Modelling, Development Plan
HANA Database SQL Basics and Database SQL Script
Types of statements and data types
Operators, expressions and basic query execution
Sub-queries, Types of Joins, Expressions and Loops
Catalog – Schema, Table, Views, Functions, Stored Procedures, Index, Synonyms, Sequences, Triggers

Data Provisioning

Data Provisioning with Flat File upload
Provisioning – SDA (Smart Data Access)
Joins Types in HANA

SAP HANA Modelling

Types of Models
Attribute Views, Joins and Using Filter Operations
Creating Restricted and Calculated Columns
Using Hierarchies
Analytic Views – Star Schema design and Multi-Dimensional Modelling
Variables and Input parameters

Calculation Views

Dimension Calculation View
Information View
SAP HANA Variables
Introduction to Input Parameters

SAP Project

Using HANA analytical view building of COPA (Controlling and Profitability Analysis) model
SAP HANA COPA for evaluation of market segments and classification of markets according to the products, customers or any combination of it

Dimension Calculation View

Dimension Calculation View – Star Join Calculation view
Using Projection, Join, Aggregation, Union and Rank

In-depth Modelling

Refactoring information models
Schema Mapping
Propagate to schematics and Show Lineage
Schema Mapping
Generating Time Data
Union Pruning
Using Time Travel
Migrating deprecated Information models
Using Currency Conversion
Web based Modelling Work bench

Analytic Privileges and Decision Tables

Classical Analytic Privileges
SQL Analytic Privileges
Dynamic analytic Privileges.
Turning Business Rules into Decision tables
Table Functions

SAP HANA Table Function

Query Optimizing Technique related to SAP HANA Tables
Web Based Modelling work bench

SAP HANA on Cloud

SAP Analytics with SAP Reporting environment SAP BOBJ – tools, WEBI, LUMIRA, DASHBOARD (integration between sap Hana and bob)

Advanced Topics Overview

SAP HANA Dynamic tiering
Delta Merge
SDI (Smart Data Integration)
SDA (Smart Data Access)

DATA Provisioning

SLT – SAP Landscape Transformation
BODS – Business Objects Data Services

Analytical Privileges

Classical XML Based Analytical Privileges
SQL Analytical Privileges

HANA Administration and Security

Hana Administration
Security in SAP HANA – User Management

Got a question for us? Please mention it in the comments section and we will get back to you.

718