Authorizations in the SAP HANA Universe
PwC for SNP Transformation World
A short introduction to user and authorization topics in the new SAP HANA universe
Agenda
1. HANA & S/4 Introduction
2. HANA Scenarios
3. HANA & Authorizations
4. HANA & PwC Standards
Slide 2, October 2016, SAP HANA & Authorizations
HANA & S/4: An Introduction
HANA database: The heart of HANA is the new in-memory database. Data is held and processed directly in main memory instead of being read from storage media, which speeds up operations (especially analytical ones) considerably.

Optimized HANA data model: The new database technology allows the previously fragmented relational table structures to be consolidated. SAP starts this in the FI/CO module with the Universal Journal.

Native analysis programs: A large number of analysis functions are already prepared for HANA. They make it easier to evaluate the volume of data captured in HANA and thus support decision-making.

S/4: new business functions: With S/4HANA, SAP also revises and optimizes a number of transactional functions. This currently affects Finance and Logistics. In Finance, an important change is the merging of the FI and CO posting functions.

Fiori apps: Together with HANA, SAP is heavily marketing the "new" SAP user interface SAP Fiori. It can be used, among other things, for transactional programs in the SAP S/4 Business Suite or for analytical native HANA apps.
HANA Scenarios

HANA Scenarios: Scenarios in Comparison

Layer             | Analytical Scenarios        | Transactional Scenarios
Frontend layer    | SAPGUI, Fiori UI            | Fiori UI, SAPGUI
Application layer | Embedded BW, Gateway Server | S/4 Business Suite, Gateway Server
Database layer    | HANA                        | HANA
HANA Scenarios: HANA Scenarios, Users & Roles

SAP R/3 (ECC or BW): We start our comparison with the classical R/3 scenario, before any move to on-HANA or S/4HANA. Access is controlled via users and roles on the SAP Web Application Server layer (WAS). Roles contain authorizations for authorization objects with fields and field values.

on HANA (ECC or BW): The first HANA evolution step is to switch the database layer from a non-SAP database to HANA as a pure database. For end users nothing changes; access is still controlled via the WAS. Technical access rights on the HANA layer have to be granted via native HANA roles containing privileges.

Transaction Apps (S/4 Business Suite): The second HANA evolution step is switching over to the S/4 Business Suite with its optimized data model and new transactions. End users still get access via WAS users and roles, but possibly with changed transactions and authorizations. As in the on-HANA scenario, HANA roles are required for administering the technical layer.

Analytical Apps (HANA): A further step is to build and use analytical functions directly on the HANA layer. This requires native HANA users with assigned analytical HANA roles containing native analytic HANA privileges. With embedded BW, by contrast, only the classical WAS roles with analysis authorizations are required.
HANA Scenarios: HANA Scenarios, Users & Roles (layers and role types per scenario)

Scenario                  | Frontend layer       | Application layer  | Database layer  | Role types
SAP R/3 (ECC or BW)       | -                    | SAP R/3 ECC        | Oracle Database | ABAP role
on HANA (ECC or BW)       | -                    | SAP R/3 ECC        | HANA Database   | ABAP role
Transaction Apps (S/4 BS) | Fiori Gateway Server | S/4 Business Suite | HANA Database   | Fiori role, ABAP role
Analytical Apps (HANA)    | Fiori Gateway Server | -                  | HANA layer      | Fiori role, HANA role

(The diagram shows the end-user role types only; technical HANA roles for administering the database layer are needed in every HANA-based scenario, as described on the previous slide.)
HANA & Authorizations
HANA & Authorizations: SAP R/3 Access Assignment

SAP R/3
• A user gets access through a user account in the Web Application Server layer (typically maintained with transaction SU01).
• The access rights to data and functions are granted either via composite roles consisting of single roles, or by direct assignment of single roles.
• The single roles consist of authorizations for authorization objects, each protecting specific business objects.
• Each authorization has object fields and field values, each differentiating access to the business objects according to different criteria.
• A direct assignment of authorizations to users is not possible.

(Diagram: User <- Composite Role <- Single Role <- Authorizations <- Authorization <- A-Field <- A-Field-Values.)
HANA & Authorizations: SAP HANA Access Assignment

SAP HANA
• A user is authorized via a user account in the native HANA layer.
• Access to perform specific functions can be granted either collectively via roles or individually via privileges.
• When a role is created, privileges are assigned to it; stored as a repository object, it is a design-time role.
• A role may also extend other roles, thereby inheriting all of their privileges.
• There are five privilege types: system, object, package, analytic and application privileges.
• On activation of a repository role, a run-time role is created from it, which can then be assigned to users.

(Diagram: User <- Runtime Role <- Repository Role <- Privileges: System, Object, Package, Analytic, Application.)
HANA & Authorizations: Role Orchestra in the HANA Universe

Classical ABAP roles (on HANA, embedded BW or S/4 Business Suite): ABAP roles are used in on-HANA scenarios as well as in embedded BW or S/4HANA Business Suite scenarios. This is independent of the UI, whether Fiori, SAP GUI or WebGUI.

Technical HANA roles (HANA configuration, administration, development): The HANA layer requires a completely new approach to technical roles for administration, development and configuration because of its new authorization structures.

Analytical HANA roles (direct analytical access via HANA): When analytical applications access data directly via HANA, native analytical HANA roles with analytic and object privileges have to be created.

Transactional HANA roles (direct transactional access via HANA): Currently we do not really see HANA applications with a transactional character. Should these come up, they will require native HANA roles, most probably with application privileges.

Fiori roles (Fiori user interface): Fiori grants users access to applications via tabs and tiles in the launchpad. This has to be authorized by creating users and granting Fiori roles on the SAP Gateway server.
HANA & Authorizations: HANA Privileges

System privileges
• What: Control access to administrative functions within HANA (e.g. USER ADMIN, CREATE SCHEMA).
• Who: administrators, developers.

Object privileges
• What: Privileges based on SQL statements (e.g. SELECT, UPDATE) on catalog (run-time) objects such as tables and views.
• Who: developers, modellers.

Package privileges
• What: Restrict access to and use of packages in the HANA repository (modelling environment).
• Who: developers, modellers.

Analytic privileges
• What: Provide read-only access to reporting objects (views) and apply filter or contextual restrictions to a report, i.e. row-level access control; comparable to BW analysis authorizations.
• Who: end users (reporting).

Application privileges
• What: Control access to applications and functions within apps that connect directly to HANA and run on the XS engine.
• Who: developers of, or end users of, any HANA XS app.
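The access-assignment chain described on the SAP HANA Access Assignment slide and the five privilege types listed above, expressed as HANA SQL. This is an added example and not part of the PwC deck: the user, schema, package and application-privilege names (REPORTING_ANALYST, SALES, sap.demo.reporting, sap.demo.reporting::Execute) are assumed for illustration and the password is a placeholder.

```sql
-- Added example (not from the deck): native HANA access assignment with catalog
-- objects. All object names below are assumed for illustration.

-- 1. A native HANA user account (the password is a placeholder).
CREATE USER reporting_analyst PASSWORD "Initial-Pw-2016!" NO FORCE_FIRST_PASSWORD_CHANGE;

-- 2. A catalog role bundling one privilege of each type except system privileges.
CREATE ROLE reporting_reader;

-- Object privilege: SQL-statement based, on run-time catalog objects.
GRANT SELECT ON SCHEMA SALES TO reporting_reader;
GRANT SELECT ON SALES.ORDERS TO reporting_reader;

-- Package privilege: read access to a repository package (modelling environment).
GRANT REPO.READ ON "sap.demo.reporting" TO reporting_reader;

-- Analytic privilege: row-level filter on activated views. _SYS_BI_CP_ALL is the
-- SAP-delivered "see everything" privilege; in production it belongs to nobody
-- but modellers, a restrictive privilege of your own goes here for end users.
GRANT STRUCTURED PRIVILEGE "_SYS_BI_CP_ALL" TO reporting_reader;

-- Application privilege: a function of an XS app, granted through _SYS_REPO.
-- The privilege sap.demo.reporting::Execute is assumed to be defined in the
-- package's .xsprivileges file.
CALL _SYS_REPO.GRANT_APPLICATION_PRIVILEGE('sap.demo.reporting::Execute', 'REPORTING_READER');

-- System privilege: administrative function, kept in a separate role for admins
-- so that reporting users never inherit it.
CREATE ROLE hana_user_admin;
GRANT USER ADMIN TO hana_user_admin;

-- 3. A role may extend another role (role-to-role grant) and inherits its privileges.
CREATE ROLE reporting_power_user;
GRANT reporting_reader TO reporting_power_user;

-- 4. Assign the role to the user. HANA also allows granting a privilege directly
--    to a user (unlike ABAP), but that bypasses the role design and is what an
--    auditor will pick up first.
GRANT reporting_power_user TO reporting_analyst;

-- 5. Verify what the user effectively holds, whether granted directly or via roles.
SELECT object_type, schema_name, object_name, privilege, grantee, grantor
  FROM sys.effective_privileges
 WHERE user_name = 'REPORTING_ANALYST'
 ORDER BY object_type, privilege;
```

The final query is the one to keep: SYS.EFFECTIVE_PRIVILEGES resolves the whole role hierarchy, so it shows the privileges a user really has rather than the roles somebody intended to give them.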
HANA & Authorizations: HANA User Types (Restricted vs. Normal)

Normal user
• By default able to create own objects such as tables and views in their own schema. Inherits the PUBLIC role upon creation.
• Is able to use ODBC/JDBC (e.g. the SQL console) to access the objects on which access has been granted.

Restricted user
• Initially has no privileges (no PUBLIC role, no own schema).
• Is neither able to view, alter nor create any objects.
• Therefore all privileges to perform actions have to be given to the user explicitly or via a role.
• Connects primarily over HTTP (XS applications); SQL client access (ODBC/JDBC) is only possible if it is explicitly enabled for the user and the required role is granted.
HANA & Authorizations: HANA Role Types (Catalog vs. Repository)

Aspect         | Repository roles                                                                                        | Catalog roles
Role creation  | Requires knowledge of the role definition syntax or use of the web-based editor                         | Easy to create via the integrated HANA Studio UI
Transports     | Roles and privileges are transportable (and versioned in the repository)                                | Roles and privileges are not transportable and not versioned
Privileges     | The role creator can assign any privilege to a role; on activation the privileges are granted by _SYS_REPO, which must itself hold them with grant option | The role creator must hold a privilege (grantable) to assign it to a role; removing the privilege from the role creator revokes it from the role
Role ownership | Role creation is more similar to ECC; roles are owned by the system user _SYS_REPO                      | Only the grantor of a role can revoke it from a given user; the privileges are revoked if the grantor is dropped
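The user-type and role-type differences on the two slides above, side by side in SQL. This is an added example and not from the deck: the names DEV_ALICE, XS_APP_USER, SALES and the package sap.demo.security are assumed; the .hdbrole texts are shown in comments because they are repository files, not SQL statements; and the SYS.USERS columns IS_RESTRICTED and IS_CLIENT_CONNECT_ENABLED are assumed to be available (SAP HANA 1.0 SPS 09 or later).

```sql
-- Added example (not from the deck). All user, schema and package names are assumed.

-- NORMAL user: receives the PUBLIC role and an own schema on creation and can open
-- SQL client connections (ODBC/JDBC) to everything it has been granted.
CREATE USER dev_alice PASSWORD "Initial-Pw-2016!" NO FORCE_FIRST_PASSWORD_CHANGE;

-- RESTRICTED user: no PUBLIC role, no own schema, no SQL client connection.
-- Intended for end users of XS (HTTP) applications; everything is granted explicitly.
CREATE RESTRICTED USER xs_app_user PASSWORD "Initial-Pw-2016!" NO FORCE_FIRST_PASSWORD_CHANGE;

-- Only if a restricted user really needs SQL clients: opt in explicitly, and be
-- prepared to justify the exception in an audit.
ALTER USER xs_app_user ENABLE CLIENT CONNECT;

-- Catalog role: created with SQL, not transportable. The creator (here dev_alice)
-- must hold SELECT ON SCHEMA SALES with grant option for the GRANT to succeed.
CREATE ROLE sales_reader_catalog;
GRANT SELECT ON SCHEMA SALES TO sales_reader_catalog;
-- Only the grantor (dev_alice) can revoke this again, and DROP USER dev_alice
-- revokes it implicitly: the grant hangs on a person.
GRANT sales_reader_catalog TO xs_app_user;

-- Repository role: a design-time file per role in the repository, e.g.
-- sap/demo/security/SalesReader.hdbrole and SalesPowerUser.hdbrole (not SQL):
--
--     role sap.demo.security::SalesReader {
--         schema SALES: SELECT;
--         package sap.demo.security: REPO.READ;
--     }
--
--     role sap.demo.security::SalesPowerUser extends role sap.demo.security::SalesReader {
--         catalog sql object "SALES"."ORDERS": INSERT, UPDATE;
--     }
--
-- Activation creates the run-time role owned by _SYS_REPO. It is granted and
-- revoked through _SYS_REPO procedures, so no human grantor is involved:
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('sap.demo.security::SalesReader', 'XS_APP_USER');
CALL _SYS_REPO.REVOKE_ACTIVATED_ROLE('sap.demo.security::SalesReader', 'XS_APP_USER');

-- Audit check 1: which role assignments to users still depend on a personal grantor?
SELECT grantee, role_name, grantor
  FROM sys.granted_roles
 WHERE grantee_type = 'USER'
   AND grantor <> '_SYS_REPO'
 ORDER BY grantor, grantee;

-- Audit check 2: which users are restricted, and which of those may use SQL clients?
-- (Column names assumed as documented for SPS 09 and later.)
SELECT user_name, is_restricted, is_client_connect_enabled
  FROM sys.users
 WHERE user_name IN ('DEV_ALICE', 'XS_APP_USER');
```

The first audit query is the practical consequence of the ownership row in the table: every row it returns is a role assignment that silently disappears when that grantor's account is deleted in a leavers process.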
HANA & Authorizations: Key Challenges

• Even in a pure on-HANA scenario, operating-system and database security shifts from separate technology layers (e.g. Microsoft and Oracle) to HANA.
• Organizations are increasingly evaluating HANA as a true platform via SAP's S/4HANA products. Data, users and their authorizations will then move over to HANA.
• As soon as sensitive data and transactions move to a new platform, internal and external audit and validation functions will turn their attention to HANA.
• Organizations will have to re-evaluate how and by whom HANA security is managed, and will have to train their teams to cope with the new security concepts and leading practices.
• Depending on the chosen HANA scenario, or even scenario combination, the security concept will become a complex combination of up to three different environments (ABAP/WAS, native HANA, Fiori/Gateway).
• Companies' current IAM processes and tools will most probably not be able to cope with this new challenge.
HANA & PwC Standards

HANA & PwC Standards: PwC Standard Materials

Privilege Matrix
• Overview of all HANA standard privileges (without analytic privileges)
• Assignment of each privilege to a privilege group (e.g. Database, Interface)
• Definition of tasks per process and sub-process area (e.g. DB Monitoring)
• Assignment of all privileges necessary for each task

Privilege Glossary
• Introduction to the privilege matrix, its target and its structure
• Description of the overall structure of the HANA authorization concept and the privilege types
• Description of the process areas and additional information on the tasks per sub-process

Work Program
• Audit guide for the HANA DB and HANA S/4
• Requirements on authorization- and authentication-related HANA aspects to be complied with
• Identification of authorizations to be regarded as sensitive or critical, as part of the privilege matrix

Transactions Map
• Overview of new S/4 transactions, old R/3 transactions replaced by new S/4 transactions, and R/3 transactions to be retired without replacement
• Can be used to identify old roles with transactions that may need to be replaced by new roles or retired entirely
HANA & PwC Standards: IAGM Service Sequence

IAG Modelling
• IAGM1: Technical HANA roles
• IAGM2: Transactional S/4 roles
• IAGM3: Analytical BW roles
• IAGM4: Analytical HANA roles
• IAGM5: Fiori UI roles
• IAGM6: HANA business roles

IAG Governance
• IAGG1: HANA conventions
• IAGG2: HANA organization & training

IAG Compliance
• IAGC1: HANA rules & requirements

IAG Automation
• IAGA1: HANA automation & integration
Your questions for us?

Johannes Liffers, Kapelle-Ufer 4, 10117 Berlin, Tel.: +49 30 2636-1658, email: johannes.liffers@de.pwc.com
Martin Krause, Alsterufer 1, 20354 Hamburg, Tel.: +49 40 6378 1520, email: martin.krause@de.pwc.com
Torsten Lechelt, Kapelle-Ufer 4, 10117 Berlin, Tel.: +49 30 2636-1700, email: torsten.lechelt@de.pwc.com

© 2016 PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL). Each member firm of PwCIL is a separate legal entity.
HANA, Authorizations & Compliance: Audit Aspects, Q2 2016

No. | Aspect                                     | Description
1   | Password settings (authentication)         | Authentication parameters for passwords (HA01), blacklist for generic passwords (HA03)
2   | Privileged accounts (PA) and PA management | Use of generic privileged accounts (HA02), privileged access management process (HA04)
3   | Logs & protocols                           | Correct log parameter settings (HA05); adequate policies for log settings and review procedures/controls, limitation/prevention of log modification (HA06)
4   | Sensitive data encryption                  | Adequate identification of sensitive data (HA07)
5   | Processes & organization                   | User maintenance and role/privilege assignment (HA08), recertification (HA09), leavers process (HA13), role change management (HC01), transport management (HC03), backup procedures (HO01), disaster recovery (HO03), batch processing (HO03)
6   | Ruleset for sensitive privileges           | Sensitive object privileges (HA10), schema ownership (HA11), non-read procedure access in production (HA12), sensitive system privileges (HA14), repository changes in production (HC02), backup configuration (HO02), background scheduling & review (HO05 & HO06)
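SQL counterparts to several of the audit aspects in the table above (HA01, HA03, HA05/HA06, HA11 and HA14), as an added example that is not part of the deck and does not reproduce PwC's checklist content. The parameter values are illustrative hardening values rather than requirements stated on the page, the audit-policy name AUTHORIZATION_CHANGES is assumed, and the list of "sensitive" system privileges is the author's selection, not the PwC ruleset.

```sql
-- Added example (not from the deck): checks and settings behind audit aspects
-- HA01, HA03, HA05/HA06, HA11 and HA14. Values are illustrative, not a standard.

-- HA01 password settings: read the current [password policy] section first ...
SELECT key, value, layer_name
  FROM sys.m_inifile_contents
 WHERE file_name = 'indexserver.ini'
   AND section   = 'password policy';

-- ... then tighten it at SYSTEM layer (example values).
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('password policy', 'minimal_password_length')          = '12',
      ('password policy', 'password_layout')                  = 'Aa1$',
      ('password policy', 'maximum_invalid_connect_attempts') = '5',
      ('password policy', 'maximum_password_lifetime')        = '90',
      ('password policy', 'force_first_password_change')      = 'true'
  WITH RECONFIGURE;

-- HA03 blacklist for generic passwords: one row per word in the system blacklist
-- table (columns: word, partial match, case-sensitive).
INSERT INTO _SYS_SECURITY._SYS_PASSWORD_BLACKLIST VALUES ('password', 'TRUE', 'FALSE');
INSERT INTO _SYS_SECURITY._SYS_PASSWORD_BLACKLIST VALUES ('welcome',  'TRUE', 'FALSE');
INSERT INTO _SYS_SECURITY._SYS_PASSWORD_BLACKLIST VALUES ('hana',     'TRUE', 'FALSE');

-- HA05/HA06 log settings: enable auditing, write the trail to the internal audit
-- table (CSTABLE) rather than a CSV file on the host that an OS admin can edit,
-- and record every change to users, roles and privileges.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state')    = 'true',
      ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

CREATE AUDIT POLICY authorization_changes
  AUDITING ALL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE,
               CREATE USER, DROP USER, ALTER USER, CREATE ROLE, DROP ROLE
  LEVEL CRITICAL;
ALTER AUDIT POLICY authorization_changes ENABLE;

-- HA14 sensitive system privileges: who holds them, directly or through roles?
-- The privilege list is an example selection; align it with your own ruleset.
SELECT user_name, privilege, grantee, grantee_type, grantor
  FROM sys.effective_privileges
 WHERE object_type = 'SYSTEMPRIVILEGE'
   AND privilege IN ('USER ADMIN', 'ROLE ADMIN', 'DATA ADMIN', 'CATALOG READ',
                     'INIFILE ADMIN', 'AUDIT ADMIN', 'AUDIT OPERATOR',
                     'BACKUP ADMIN', 'TRACE ADMIN', 'SSL ADMIN')
   AND user_name NOT IN ('SYSTEM', '_SYS_REPO')
 ORDER BY privilege, user_name;

-- HA11 schema ownership: productive schemas should belong to a technical owner
-- (_SYS_REPO or a dedicated schema user), never to a developer's personal account.
SELECT schema_name, schema_owner
  FROM sys.schemas
 WHERE schema_name NOT LIKE '\_SYS%' ESCAPE '\'
   AND schema_name NOT LIKE 'SAP%'
 ORDER BY schema_owner, schema_name;
```

Run the two SELECTs on a production system before touching the configuration: they are read-only and give the evidence an auditor asks for under HA11 and HA14, while the ALTER SYSTEM, INSERT and CREATE AUDIT POLICY statements are changes that belong in the change management process (HC01/HC02) rather than in an ad-hoc session.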
Key HANA Terminology

Term                               | Definition
SAP Business Suite powered by HANA | Current-version SAP applications (ECC 6.0 etc.) running on the HANA database. Alternative to a traditional database (e.g. Oracle), achieved via a non-disruptive database migration.
S/4HANA                            | SAP's next-generation ERP application (the successor to ECC). 400M lines of re-engineered ABAP code optimized to run on HANA. Fiori interface options for the most commonly used functions.
Simple Finance                     | First SAP modules optimized to run on HANA (includes Accounting, Cash Management, Business Planning, Receivables, Payables etc.). Option for ERP-on-HANA or S/4HANA customers.
Simple Logistics                   | Second HANA-optimized module, announced for end of 2015, covering inventory management, purchasing, sales, production and manufacturing.
HANA Live                          | Standard SAP-delivered reporting content in the form of SAP HANA calculation views, for easy-to-leverage real-time operational reporting directly off the HANA database.
Key HANA Terminology (continued)

Term                | Definition
HANA XS Engine      | Extended Application Services (XS) engine: a built-in application and web server enabling application development and deployment directly on the HANA database (a true "platform").
HANA Studio         | Eclipse-based administration and development front-end client for SAP HANA.
HANA Web IDE        | Web-based integrated development environment (IDE) for development and administration of HANA; an alternative to HANA Studio.
HANA One            | Fully featured SAP HANA instance hosted on Amazon Web Services that can be used to build and deploy on-demand applications (SaaS).
HANA Cloud Platform | HCP: SAP's subscription-based cloud platform for HANA solutions (PaaS).
Fiori               | New HTML5 user interface for SAP software, optimized for modern design and mobile devices.