Part IV: Security and Authorization
8.0 Module 8: SAP HANA Security Framework
A powerful, high-performance database is of little value without a robust security framework to protect its critical data assets. Security in SAP HANA is a comprehensive discipline designed to prevent unauthorized access, ensure data integrity, and meet compliance standards. This module will cover the foundational elements of SAP HANA’s security model, including user and role management, and the different authentication methods available.
——————————————————————————–
8.1 Security Overview
The primary goal of security in SAP HANA is to protect sensitive company data from unauthorized access and ensure that all actions comply with established corporate policies. SAP HANA supports multitenant database containers, allowing multiple isolated databases to run within a single HANA system. This architecture requires additional security considerations.
The primary security features provided by SAP HANA include:
- User and Role Management
- Authentication and Single Sign-On (SSO)
- Authorization
- Encryption of data communication in the network
- Encryption of data in the persistence layer
For multitenant databases, SAP HANA adds specific features:
- Database Isolation: Uses operating system mechanisms to prevent cross-tenant attacks.
- Configuration Change Blacklist: Prevents tenant administrators from changing certain critical system properties.
- Restricted Features: Disables certain database features that could provide direct access to the file system or network.
8.2 User and Role Management
User management strategy in SAP HANA depends on the system architecture. There are two primary scenarios:
- Integration with BI Platforms: If HANA serves as a database for a BI platform, end-user and role management are typically handled in the application server layer (e.g., SAP BusinessObjects).
- Direct Connection to HANA: If end-users connect directly to the HANA database for analysis or administration, they require a dedicated database user profile with specific privileges managed within HANA itself.
Regardless of the scenario, every user who wants to work with the HANA database must have a database user profile that defines their identity and privileges.
8.3 User Types
SAP HANA defines two distinct types of users, each with different capabilities and security profiles.
| Standard Users | Restricted Users |
|---|---|
| Can create objects (e.g., tables, views) in their own schemas. | Cannot create any objects in the database. |
| Have default read-only access to system views via the automatically granted PUBLIC role. | Have no default access to any data; the PUBLIC role is not granted to them. |
| Can connect to the database using standard SQL clients (JDBC/ODBC). | Can only connect to the HANA database via HTTP/HTTPS through the XS Engine. |
Restricted users are typically used for application-specific access where direct SQL interaction is not required or desired.
8.4 User Administration in HANA Studio
The creation and management of users and roles require a database user who has been granted the ROLE ADMIN system privilege. The SAP HANA Studio provides a graphical interface for these tasks under the Security tab of a system connection.
Common user administration activities include:
- Creating new users
- Granting roles to users
- Defining and creating custom roles
- Deleting users
- Resetting user passwords
- Reactivating users after too many failed logon attempts
Step-by-Step User Creation in HANA Studio:
- Navigate to the Security tab and expand it.
- Right-click on the User folder and select New User.
- In the user creation window, enter a unique User Name.
- Under Authentication, select the desired mechanism. For standard password authentication, enter and confirm a new password that adheres to the system’s password policy.
- Optionally, you can create a Restricted User by checking the corresponding box.
- You can also set a validity period for the user account.
- Click the “Deploy” button (green arrow) to create the user.
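The same administration tasks can be carried out in SQL, which is what the Studio dialog issues in the background and what an administrator scripts for repeatable provisioning. The following is an added example, not part of the original course text: the user names, schema names, passwords and the Kerberos realm are constructed placeholders, and the statements assume the executing user holds the USER ADMIN system privilege.

```sql
-- Added example (not from the course text): the HANA Studio user-creation steps and the
-- routine administration tasks listed above, expressed as SQL. All names and passwords
-- are constructed placeholders. Requires the USER ADMIN system privilege.

-- 1. Standard user with password authentication and a bounded validity period.
--    The password must satisfy the system's password policy.
CREATE USER report_analyst PASSWORD "Initial_Pw0rd"
    VALID FROM '2024-01-01 00:00:00' UNTIL '2024-12-31 23:59:59';

-- 2. Restricted user: no PUBLIC role, cannot create objects, reaches the database only
--    through the XS Engine over HTTP/HTTPS.
CREATE RESTRICTED USER xs_app_user PASSWORD "Initial_Pw0rd";

-- 3. Switching a user from password to Kerberos single sign-on (see 9.6): attach the
--    external identity first, then remove the password credential.
ALTER USER report_analyst ADD IDENTITY 'report_analyst@EXAMPLE.COM' FOR KERBEROS;
ALTER USER report_analyst DISABLE PASSWORD;

-- 4. Routine administration from the activity list above.
ALTER USER xs_app_user PASSWORD "Rotated_Pw0rd";   -- reset the password
ALTER USER xs_app_user RESET CONNECT ATTEMPTS;      -- clear the failed-logon counter
ALTER USER xs_app_user ACTIVATE USER NOW;           -- reactivate after too many failed logons
DROP USER xs_app_user CASCADE;                      -- delete the user and the objects it owns

-- 5. Verification: restricted, deactivated, or never-used accounts, excluding the
--    _SYS* system users. Review this list periodically.
SELECT USER_NAME, IS_RESTRICTED, USER_DEACTIVATED, INVALID_CONNECT_ATTEMPTS,
       LAST_SUCCESSFUL_CONNECT, VALID_UNTIL
  FROM SYS.USERS
 WHERE USER_NAME NOT LIKE '\_SYS%' ESCAPE '\'
 ORDER BY USER_NAME;
```

The verification query at the end is the check most often missing from a GUI-driven process: accounts whose validity has lapsed, that have been deactivated, or that have never connected are candidates for removal.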
By default, a new HANA installation includes several system users, such as SYS, SYSTEM, _SYS_REPO, and _SYS_STATISTICS. It is critical for administrators to understand that while these system users are essential for internal operations, their direct, interactive use should be strictly limited and heavily audited. Granting privileges equivalent to SYSTEM to regular users is a significant security risk that must be avoided.
Once a user is created, they have an identity but no permissions. The next crucial step is to grant them the appropriate privileges to perform their required tasks. This is the subject of our next module.
——————————————————————————–
9.0 Module 9: Privileges and Authorization Methods
Authorization is the process that controls what a user is permitted to do after they have been successfully authenticated. It is the core mechanism for enforcing data security and access control. This module will provide a comprehensive breakdown of the different types of privileges in SAP HANA that are combined to define a user’s permissions.
——————————————————————————–
9.1 Granted Roles
A role is a named collection of privileges. Instead of assigning dozens of individual privileges directly to each user, administrators can bundle related privileges into a role and then grant that role to users or other roles. This greatly simplifies security administration.
Key standard roles include:
- PUBLIC: Granted by default to all standard users, providing basic read-only access to system views.
- Modeling: Contains all the privileges required to use the Information Modeler in HANA Studio.
- Content Admin: Includes the same privileges as the Modeling role, plus the ability to grant these privileges to other users.
- Data Admin: A powerful role that grants the ability to read all data in system views and execute any Data Definition Language (DDL) commands.
9.2 System Privileges
System Privileges are used to authorize high-level administrative tasks and system-wide actions. They are not tied to a specific database object.
| Privilege | Description |
|---|---|
| ATTACH DEBUGGER | Authorizes the debugging of a procedure call made by another user. |
| AUDIT ADMIN | Authorizes creating, modifying, and deleting audit policies and accessing the AUDIT_LOG system view. |
| AUDIT OPERATOR | Authorizes clearing the audit log (ALTER SYSTEM CLEAR AUDIT LOG) and accessing the AUDIT_LOG view. |
| BACKUP ADMIN | Authorizes the execution of BACKUP and RECOVERY commands. |
| BACKUP OPERATOR | Authorizes the BACKUP command to initiate a backup process. |
| CATALOG READ | Authorizes unfiltered read-only access to all system views. |
| CREATE SCHEMA | Authorizes the creation of new database schemas using the CREATE SCHEMA command. |
| CREATE STRUCTURED PRIVILEGE | Authorizes the creation of Analytic Privileges. |
| CREDENTIAL ADMIN | Authorizes the CREATE/ALTER/DROP CREDENTIAL commands. |
| DATA ADMIN | Authorizes reading all data in system views and executing any DDL commands. |
| DATABASE ADMIN | Authorizes all commands related to databases in a multi-database environment (CREATE, DROP, etc.). |
| EXPORT | Authorizes the export of database objects and data via the EXPORT TABLE command. |
| IMPORT | Authorizes the import of database objects and data via the IMPORT commands. |
| INIFILE ADMIN | Authorizes changing system settings. |
| LICENSE ADMIN | Authorizes the installation of a new license key via SET SYSTEM LICENSE. |
| LOG ADMIN | Authorizes enabling or disabling the log flush mechanism. |
| MONITOR ADMIN | Authorizes ALTER SYSTEM commands related to events. |
| OPTIMIZER ADMIN | Authorizes commands that influence the query optimizer, such as ALTER SYSTEM SQL PLAN CACHE. |
| RESOURCE ADMIN | Authorizes commands concerning system resources, like ALTER SYSTEM RECLAIM DATAVOLUME. |
| ROLE ADMIN | Authorizes the creation and management of roles, as well as granting roles to users. |
| SAVEPOINT ADMIN | Authorizes the execution of a savepoint process. |
| USER ADMIN | Authorizes the creation and management of users. (Note: This privilege is a subset of the more powerful ROLE ADMIN privilege). |
9.3 Object/SQL Privileges
Object Privileges, also known as SQL Privileges, are used to grant access to and allow manipulation of specific database objects like tables, views, schemas, and procedures. These are the standard DDL (Data Definition Language) and DML (Data Manipulation Language) permissions.
Common Object Privileges include: SELECT, INSERT, UPDATE, DELETE, DROP, ALTER, and EXECUTE.
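Sections 9.1 to 9.3 describe roles, system privileges and object privileges as separate concepts; in practice they are combined, with privileges granted to roles and roles granted to users. The following is an added example that is not part of the original course text; the role, user, schema and table names are constructed, and the statements assume the executing user holds ROLE ADMIN and either owns the SALES schema or holds SELECT on it WITH GRANT OPTION.

```sql
-- Added example (not from the course text): bundling the system privileges of 9.2 and the
-- object privileges of 9.3 into roles as described in 9.1. Role, user, schema and table
-- names are constructed placeholders. Requires ROLE ADMIN; granting object privileges also
-- requires the grantor to own the schema or hold the privilege WITH GRANT OPTION.

-- A read-only reporting role: SELECT on one schema and nothing else.
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA "SALES" TO sales_reader;

-- A backup operator role: system privileges only, no access to business data.
CREATE ROLE backup_operator;
GRANT BACKUP OPERATOR, CATALOG READ TO backup_operator;

-- Roles nest. A maintainer role inherits sales_reader and adds DML on a single table,
-- so the read privileges are defined once and reused.
CREATE ROLE sales_maintainer;
GRANT sales_reader TO sales_maintainer;
GRANT INSERT, UPDATE, DELETE ON "SALES"."ORDERS" TO sales_maintainer;

-- Grant roles to users, never individual privileges.
GRANT sales_reader TO report_analyst;
GRANT backup_operator TO ops_user;

-- Verification: the effective privilege set of one user, whether granted directly or
-- inherited through any depth of role nesting. This is what the authorization check
-- described in 9.6 evaluates.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'REPORT_ANALYST'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;

-- Review who holds the most powerful system privileges from the 9.2 table. Any grantee
-- here that is not a system user or a tightly controlled administrator role is a finding.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('DATA ADMIN', 'ROLE ADMIN', 'USER ADMIN', 'INIFILE ADMIN', 'AUDIT ADMIN')
 ORDER BY PRIVILEGE, GRANTEE;
```

Note the distinction between the two views: GRANTED_PRIVILEGES shows what was explicitly granted to each grantee, while EFFECTIVE_PRIVILEGES resolves the role hierarchy for a named user, which is what matters when assessing what an account can actually do.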
9.4 Analytic Privileges
Analytic Privileges are a unique and critical feature of HANA security. They are used to enforce row- and column-level security on data within Information Views (Attribute, Analytic, and Calculation Views). This allows for fine-grained control, ensuring that different users see different slices of data from the very same view.
- Practical Use Case: An EmpDetails view contains employee information, including their salary. An analyst needs to see all employee data for reporting, but should not see the sensitive salary column. An Analytic Privilege can be created to restrict access to the Salary attribute for that user’s role.
Creating an Analytic Privilege:
- Right-click on your package and select New -> Analytic Privilege.
- Provide a name and description.
- In the editor, add the Information View you want to secure as a Reference Model.
- Under Associated Attributes Restrictions, add the attributes (columns) you want to control.
- In the Assign Restriction section, define the filter conditions (e.g., Department = ‘Sales’ for row-level security or simply restricting access to a column).
- Activate the Analytic Privilege.
- Finally, assign the activated Analytic Privilege to a user or role in the user management editor.
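The steps above build a repository-based Analytic Privilege in the HANA Studio editor. The row-level variant of the same use case can also be defined entirely in SQL as a structured privilege. The following is an added example and not part of the original course text: it assumes a release in which SQL-based analytic privileges are available (SPS 10 or later), that the executing user holds the CREATE STRUCTURED PRIVILEGE system privilege from the 9.2 table, and the HR schema, EMPDETAILS table, view and role names are constructed placeholders. It covers the Department = 'Sales' row filter from the text; the column case (hiding Salary) is handled in the modeling editor rather than by a SQL filter.

```sql
-- Added example (not from the course text): the row-level Analytic Privilege use case
-- above, implemented as a SQL-based structured privilege. Assumes SPS 10 or later and the
-- CREATE STRUCTURED PRIVILEGE system privilege. Schema, table, view, role and user names
-- are constructed placeholders.

-- The view must opt in to analytic privilege checks. Without this clause any user holding
-- SELECT on the view sees every row, regardless of which structured privileges exist.
CREATE VIEW "HR"."EMPDETAILS_V" AS
    SELECT "EMP_ID", "NAME", "DEPARTMENT", "SALARY" FROM "HR"."EMPDETAILS"
    WITH STRUCTURED PRIVILEGE CHECK;

-- Row filter: holders of this privilege see only rows where DEPARTMENT is 'Sales'.
CREATE STRUCTURED PRIVILEGE ap_sales_only
    FOR SELECT ON "HR"."EMPDETAILS_V"
    WHERE "DEPARTMENT" = 'Sales';

-- Two grants are required: the object privilege SELECT on the view, which allows the
-- query at all, and the analytic privilege, which decides which rows are returned.
CREATE ROLE sales_hr_reader;
GRANT SELECT ON "HR"."EMPDETAILS_V" TO sales_hr_reader;
GRANT STRUCTURED PRIVILEGE ap_sales_only TO sales_hr_reader;
GRANT sales_hr_reader TO report_analyst;

-- A user holding SELECT on the view but no matching structured privilege receives an
-- authorization error rather than an empty result, which is the desired fail-closed behaviour.
```

The practical consequence is that a user's data visibility depends on two independent grants, so a review of who can see which rows must consider both the object privilege and the analytic privilege paths.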
9.5 Package and Application Privileges
- Package Privileges: These grant access to repository packages and the design-time objects within them. The main privileges are:
  - REPO.READ: Grants read access to a package and its objects.
  - REPO.EDIT_NATIVE_OBJECTS: Grants authorization to modify objects within a package.
- Application Privileges: These are used to provide authorization for native HANA XS applications, allowing for different levels of access (e.g., administrator vs. read-only user) to the same application.
9.6 Authentication and Authorization Mechanisms
Authentication Methods
SAP HANA supports multiple methods for verifying a user’s identity:
- User name/Password: The standard internal authentication mechanism.
- Kerberos: Enables single sign-on in a corporate network environment.
- SAML (Security Assertion Markup Language): Used for web-based single sign-on.
- SAP Logon/Assertion Tickets: Used for SSO within an SAP landscape.
- X.509 Client Certificates: Provides certificate-based authentication, often used for HTTP access.
Authorization Process
When a user attempts to perform an operation, the HANA system performs an authorization check. It verifies the privileges granted directly to the user as well as those granted via any roles they possess. If the required privilege is found, the check stops, and the operation is allowed.
The _SYS_REPO User
A special system user, _SYS_REPO, is the owner of all objects created in the HANA repository (i.e., all Information Views). For this user to be able to activate a view that is based on tables in a user schema, it must be explicitly granted access to that schema with the following command:
GRANT SELECT ON SCHEMA "<SCHEMA_NAME>" TO _SYS_REPO WITH GRANT OPTION;
This command is essential for the modeling process to function correctly.
With users created and their permissions defined, the final pieces of security administration involve auditing system activity and managing licenses.
——————————————————————————–
10.0 Module 10: Auditing and License Management
A comprehensive security strategy extends beyond just access control. It also requires compliance with software licensing and the ability to monitor and audit system activities to detect and investigate potential security breaches. This final module in our security section covers these two essential administrative functions.
——————————————————————————–
10.1 License Management
A valid license key is required to operate the SAP HANA database. SAP HANA supports two main types of license keys, each with different characteristics and enforcement mechanisms.
- Temporary License Key: This key is installed automatically during the initial HANA database installation. It is valid for 90 days, providing a grace period during which administrators must request and install a permanent license from the SAP Market Place.
- Permanent License Key: A permanent license is valid until a specified expiration date. It also defines the amount of memory licensed for the HANA installation. If a permanent key expires, the system automatically installs a temporary key that is valid for only 28 days, demanding urgent action.
Permanent license keys come in two forms:
- Unenforced: If the system’s memory consumption exceeds the licensed amount, system operation is not affected. This provides flexibility but requires careful monitoring to ensure compliance.
- Enforced: If the memory consumption exceeds the licensed amount, the HANA system locks down and will not operate until it is restarted or a new, larger license key is installed.
To check the current license properties in HANA Studio, right-click on the system, select Properties, and go to the License tab. This screen displays the license type, validity dates, memory allocation, and the hardware key required to request a new license.
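The same license properties shown on the Studio License tab are exposed in the M_LICENSE monitoring view, which makes them scriptable for monitoring. The following is an added example that is not part of the original course text; the alerting thresholds (30 days, 90% of licensed memory) are choices made for illustration, not values from the course, and the license key text is a placeholder.

```sql
-- Added example (not from the course text): reading the license properties from SQL via
-- the M_LICENSE monitoring view, and a monitoring rule built on them. Thresholds are
-- illustrative choices; the key text in the last statement is a placeholder.

-- The fields behind the Studio License tab. HARDWARE_KEY is the value you supply to SAP
-- when requesting a new key. PERMANENT is FALSE while a temporary (90-day or 28-day) key
-- is active; ENFORCED is TRUE when exceeding PRODUCT_LIMIT will lock the system.
SELECT HARDWARE_KEY,
       SYSTEM_ID,
       PRODUCT_NAME,
       PERMANENT,
       ENFORCED,
       VALID,
       LOCKED_DOWN,
       PRODUCT_LIMIT AS LICENSED_MEMORY_GB,
       PRODUCT_USAGE AS USED_MEMORY_GB,
       EXPIRATION_DATE,
       DAYS_BETWEEN(CURRENT_DATE, EXPIRATION_DATE) AS DAYS_LEFT
  FROM SYS.M_LICENSE;

-- A scheduled check: returns a row when the key expires within 30 days, when the system
-- is already running on a temporary key, or when an enforced key is within 10% of its
-- memory limit. An enforced key that is exceeded stops the system, so the warning must
-- fire well before that point.
SELECT 'LICENSE_ATTENTION' AS CHECK_NAME,
       DAYS_BETWEEN(CURRENT_DATE, EXPIRATION_DATE) AS DAYS_LEFT,
       PERMANENT, ENFORCED, PRODUCT_USAGE, PRODUCT_LIMIT
  FROM SYS.M_LICENSE
 WHERE DAYS_BETWEEN(CURRENT_DATE, EXPIRATION_DATE) < 30
    OR PERMANENT = 'FALSE'
    OR (ENFORCED = 'TRUE' AND PRODUCT_USAGE > PRODUCT_LIMIT * 0.9);

-- Installing the permanent key obtained from SAP (requires LICENSE ADMIN, see 9.2).
SET SYSTEM LICENSE '<license key text from SAP>';
```

Boolean columns in HANA monitoring views are character values 'TRUE' and 'FALSE', which is why the check compares against string literals.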
10.2 Auditing
The auditing feature in SAP HANA allows administrators to monitor and record actions performed within the system. This is controlled by creating and activating an Audit Policy, which specifies which actions should be audited and the conditions under which the auditing should occur.
Activating an Audit Policy in HANA Studio:
- Navigate to the Auditing Section: In the Administrator editor for your system, go to the Security -> Auditing tab.
- Enable Auditing: Set the Auditing status to Enabled.
- Choose an Audit Trail Target: You must specify where the audit logs will be written. There are three options:
  - Syslog (Default): Writes logs to the Linux operating system’s syslog. This is the standard for production environments.
  - Database Table: Writes logs to an internal database table. Only users with AUDIT ADMIN or AUDIT OPERATOR privileges can query this table.
  - CSV text file: Writes logs to a CSV file. This option is intended only for testing purposes in non-production environments.
- Create and Deploy a Policy:
  - Click “Create New Policy” in the Audit Policies area.
  - Give the policy a name and select the specific actions you wish to audit (e.g., user creation, data deletion, failed logons).
  - Save the policy by clicking the Deploy button. Once deployed, the policy is active and will begin generating audit entries whenever a specified action occurs.
An active audit policy can be disabled or deleted from this same interface at any time.
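The Studio steps above map directly onto SQL, which is how auditing is normally configured in a scripted or change-controlled deployment. The following is an added example and not part of the original course text: the policy names, the HR.EMPDETAILS table, the retention date and the alerting threshold are constructed placeholders, and the statements assume the executing user holds AUDIT ADMIN (for the policies) and INIFILE ADMIN (for the configuration change) from the 9.2 table. The database-table trail target is used so that the trail can be queried in the same session; on a production system the syslog default is the recommended choice.

```sql
-- Added example (not from the course text): the auditing setup from the steps above in SQL.
-- Requires AUDIT ADMIN and INIFILE ADMIN. Policy names, the HR.EMPDETAILS table, the
-- retention date and the threshold of 5 failures are constructed placeholders.

-- Enable auditing and choose the trail target. Valid targets: 'SYSLOGPROTOCOL' (syslog,
-- the production default), 'CSTABLE' (database table) and 'CSVTEXTFILE' (test systems
-- only). The table target is chosen here so the trail can be queried below.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('auditing configuration', 'global_auditing_state')    = 'true',
        ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
    WITH RECONFIGURE;

-- Policies. A newly created policy is disabled until ALTER AUDIT POLICY ... ENABLE.
-- (a) Identity and privilege changes: rare, high-value events, so audit both outcomes.
CREATE AUDIT POLICY audit_identity_changes
    AUDITING ALL CREATE USER, DROP USER, ALTER USER,
                 CREATE ROLE, DROP ROLE, GRANT ROLE, REVOKE ROLE,
                 GRANT PRIVILEGE, REVOKE PRIVILEGE
    LEVEL CRITICAL;
ALTER AUDIT POLICY audit_identity_changes ENABLE;

-- (b) Failed logons only. Auditing successful CONNECTs on a busy system floods the trail
--     and buries the events that matter.
CREATE AUDIT POLICY audit_failed_logon
    AUDITING UNSUCCESSFUL CONNECT
    LEVEL WARNING;
ALTER AUDIT POLICY audit_failed_logon ENABLE;

-- (c) Deletions from one sensitive table, by any user.
CREATE AUDIT POLICY audit_hr_delete
    AUDITING SUCCESSFUL DELETE ON "HR"."EMPDETAILS"
    LEVEL INFO;
ALTER AUDIT POLICY audit_hr_delete ENABLE;

-- Reviewing the trail (table target; needs AUDIT ADMIN or AUDIT OPERATOR): failed logons
-- in the last 24 hours grouped by account and source, to surface password guessing.
SELECT USER_NAME, CLIENT_IP, COUNT(*) AS FAILURES, MAX(TIMESTAMP) AS LAST_SEEN
  FROM SYS.AUDIT_LOG
 WHERE EVENT_ACTION = 'CONNECT'
   AND EVENT_STATUS = 'UNSUCCESSFUL'
   AND TIMESTAMP > ADD_DAYS(CURRENT_TIMESTAMP, -1)
 GROUP BY USER_NAME, CLIENT_IP
HAVING COUNT(*) >= 5
 ORDER BY FAILURES DESC;

-- Lifecycle and housekeeping: disable or drop a policy (AUDIT ADMIN) and trim the table
-- trail (AUDIT OPERATOR). Align the retention date with the applicable compliance requirement.
ALTER AUDIT POLICY audit_hr_delete DISABLE;
DROP AUDIT POLICY audit_hr_delete;
ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2024-01-01 00:00:00';
```

Two points worth keeping in mind: the configuration change and the policy definitions are separate, so a policy can exist and be enabled while global auditing is still off and nothing is written; and the split between AUDIT ADMIN (define policies) and AUDIT OPERATOR (clear the log) exists so that the person who can delete the evidence is not the same person who decides what is recorded.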
A secure, licensed, and well-managed HANA system is now ready for its primary purpose: housing and serving data. The next part will explore how data is provisioned into the system.