SAP Hana security & authorization - Welcome on · PDF fileIntegrative Authorization Scenarios SAP HANA Source Application Server (e.g. ECC or BW) Client Client Traditional Native 2

April 26th, 2016

SAP Hana security & authorization

What we will cover

1. SAP HANA, Powered by HANA & S/4 HANA

2. Security Architecture & Authorization Scenarios

3. SAP HANA Security Functions (overview)

4. Authorization Concept

5. Security Administration

6. Tools to replicate authorizations

7. Tips & Tricks

|2

SAP HANA, Business Suite or BW powered by

HANA & S/4 HANA

What we will cover







7. Tips & Tricks

|4

Traditional Security Architecture

DB

Application Server

Audit Logging Authorization

Authentication Encryption Identity

Store

Application

Client

Hana Security Architecture

DB

Application Server



Store

Application

Client

SAP HANA



Store

Application

Client SAP HANA

Studio (admin & dev)

XS Engine

Application

Server

Client

Traditional HANA

Integrative Authorization Scenarios

SAP HANA Source

Application Server

(e.g. ECC or BW)

Client

Traditional

• DB migration to HANA

No changes to security

model

SAP HANA

Application Server

(e.g. ECC or BW)

Client

SAP HANA

Client

Native 2-tier application

• HANA act as DB &

Application Server

• Direct user access to HANA

Integrated security model

Data mart (3-tier or 2-tier)

• Reporting ERP or BW data in

HANA

• Direct user access to HANA

Modified security model

replication

Client

What we will cover







7. Tips & Tricks

|8

SAP HANA Security Functions (overview)

SAP HANA

Identity Store

Application

XS Engine

Authentication

Audit Logging

Encryption

Authorization

What we will cover







7. Tips & Tricks

|10

Authorization Entities

Goal

• Create user

• Manage users

• Assign security

User

Role

Privilege

Object

• Person accessing the system

• Collection of privileges

• Granted to user or another role

• Restrict operations on objects

• E.g. a table, a view, …

• Particular object: stored procedure

Authorization Entities

Stored procedure

• SQL statement

• Standard behaviour:

invoker authorizations checked

• Definer behaviour:

creator authorizations checked

• Best practice: control who can create stored procedure

in definer behaviour

Entities relations

Role

Privilege Role

Privilege Best practice :

Object owns

Role

Role

Attention

• Action “grant” is also considered

as an object !

“grant” is owned by his creator

granted

to

Repository Catalog

Object definition

(e.g. table def.)

Object

(e.g. table)

Repository vs Catalog (2 ways of working)

_SYS_REPO

• Store for design-time

• Owner: _SYS_REPO

• When activated, owner of

run-time object = _SYS_REPO

• Run-time

Repository vs Catalog (2 ways of working)

Repository Catalog

Object definition

(e.g. table def.)

Object

(e.g. table)

• +/- DB definition

Design time

• Packages & subpackages

• Package privilege

• Rep. object type:

data models (views)

analytical privileges

repository roles

• Transportable (DEV, QA, PRD)

• Owner = technical user _SYS_REPO

• When activated, owner of run-time object = _SYS_REPO

• +/- DB content

Run-time object

• Not transportable

• Creator = user

• Creator deleted -> all linked objects

deleted

Entities relations

Role

Privilege Role

Privilege Best practice :

Object owns

Role

Role

Attention

• Action “grant” is also considered

as an object !

“grant” is owned by his creator

granted

to

Privilege

Object

Authorization Entities: user

Role

User User type

• DB users

real user

deletable

all “owned” objects deleted

all privileged “they granted” deleted

• Internal DB users

not real user

not deleted

for most: no logon possible

for admin tasks

E.g. technical user _SYS_REPO

Privilege

Object


Role

User Single user maintenance

• Create 1 user directly in HANA

attention: no first name, last name, department, function, … !

only user id & email address

Privilege

Object


Role


• Replication from ABAP user to HANA user

• Maintenance of DBMS (database management system) users in SU01

create / delete a DBMS user

delete the assigned DBMS user when ABAP user is deleted

Privilege

Object


Role


Result in HANA:

Privilege

Object


Role

User User mass maintenance

• Via: ABAP program RSUSR_DBMS_USERS

mass mapping of ABAP users to DBMS users.

if DBMS user does not exist -> will be created in the DB system.

assign or unassign DBMS Roles to/from DBMS users.

Privilege

Object


Role

User User mass maintenance

• Other solutions:

via tools (IDM, …)

via own automation (SQL script)

User

Privilege

Object

Authorization Entities: role

• Transportable (DEV, QA, PRD)

• No need to have privilege to grant

it to the role

• Grantor can grant/revoke all roles

if he can execute the “Grant

Activated Role” stored procedure

Use “with grant option” for

_SYS_REPO

SOD possible btw creation,

ownership & granting

Role

Repository roles Catalog roles

• Not transportable

• Need to have privilege to

grant it to the role

• Only grantor can revoke

role

Privileges are transitive

(removed from grantor ->

removed from role)

If grantor is deleted ->

privileges are revoked

Best practice Not recommended

User

Privilege

Object

Authorization Entities: role(assignment)

Role

Repository Catalog

Role

(origin:

catalog)

Best practice :

Not recommended:

User

Privilege

Object


Role

Repository Catalog

Role

Role

(origin:

repository)

_SYS_REPO

own

Best practice :

Not recommended:

stored

procedure (via “Granted

Roles”)

owner = _SYS_REPO

activate

User

Privilege

Object


Role

stored

procedure

execution

User

Object

Role

Privilege

Authorization Entities: privilege (overview)

SAP HANA

• table

Application

Client

XS Engine

• view

• Application privilege

• Object privilege

• Analytic privilege

• package

• Package

privilege

• System privilege

User

Object

Role

Privilege

Authorization Entities: privilege (overview)

Object Privilege

Privilege

System Privilege

Analytic Privilege

Package Privilege

Application

Privilege

• SQL statements on DB objects

• Admin tasks

• Provide row-level

authorizations

• Access & use of packages

in repositories

• HANA applications

(XS engine)

User

Object

Role

Privilege

Authorization Entities: privilege (system priv.)

System Privilege

Pack. Priv.

Analyt. Priv.

Obj. Priv.

System Privilege

• System-wide privilege

• Cannot be created or changed

• Authorize user for admin tasks:

Users & roles mngt

Catalog & repository mngt

Auditing

System mngt

Data import/export

Appl. Priv.

User

Object

Role

Privilege

Authorization Entities: privilege (system priv.)

System Privilege

User

Object

Role

Privilege

Authorization Entities: privilege (application priv.)

Application

Privilege

Syst. Priv.

Pack. Priv.

Obj. Priv.

Analyt. Priv.

Application Privilege

• Grant access to HANA based

applications

e.g. to access the Web IDE

interface application

(sap.hana.xs.ide)

• Used by HANA application developers

Authorization Entities: privilege (application priv.)

Application Privilege

User

Object

Role

Privilege

Package Privilege

• Only for developers & modelers

• Access & use of packages in the

repository

• Hierarchical access to packages &

corresponding sub-packages

• Packages contains objects such as:

object privileges

Hana views

…

Syst. Priv.

Appl. Priv.

Authorization Entities: privilege (package priv.)

Obj. Priv.

Package

Privilege

Analyt. Priv.

Package Privilege

Authorization Entities: privilege (package priv.)

User

Object

Role

Privilege

Authorization Entities: privilege (object priv.)

Object Privilege

• Are linked to an object

• Restrict access on DB objects

(e.g. table, view)

• Actions:

select

update / create

delete

…

Syst. Priv.

Pack. Priv.

Appl. Priv.

Object Privilege

Analyt. Priv.

Authorization Entities: privilege (object priv.)

Object Privilege

User

Object

Role

Privilege

Analytic Privilege

• Control access to data with row-level

authorization

• Dynamic analytic privilege can be

created

Syst. Priv.

Appl. Priv.

Authorization Entities: privilege (analytic priv.)

Analytic Privilege

Obj. Priv.

Pack. Priv.

Dynamic analytic privilege


User_Name Region Position

User1 America Manager

User2 Asia Employee

User3 Europe Manager

Table “User_Region” :

SQL dynamic analytic privilege:

Dynamic analytic privilege


Assign the dynamic procedure to the analytic privilege:

User

Object

Role

Privilege

• Dynamic analytic privilege

ease of maintenance

filter obtained from a stored

procedure with a complex logic

e.g. check user’s region from a table

Syst. Priv.

Appl. Priv.


Analytic Privilege

Obj. Priv.

Pack. Priv.

user 1

user 2

user 3

View

dynamic

privilege

user 1 restrictions

user 2 restrictions

user 3 restrictions

User

Object

Role

Privilege

Authorization Entities: privilege (summary)

Access a table/ view

via object privilege

Access a row via

analytic privilege

Access a specific column

via a created view

1 displayed view = object priv (access to the table/view) + analytic priv (filters for that table)

What we will cover







7. Tips & Tricks

|42

2 possibilities:

SAP HANA

Application

Client

XS Engine

SAP HANA

Studio

Admin

Admin

Security Administration

SAP HANA Studio XS Web Interface

Repository Catalog

Design-time Run-time

SAP HANA


Best practice :

Not recommended:

XS Web Interface

Security Administration (role: repository vs catalog)

SAP HANA Studio

Role creation:

Repository Catalog

SAP HANA


Best practice :

Not recommended:

XS Web Interface

Security Administration (user: repository vs catalog)

SAP HANA Studio

User creation:


Repository Catalog

SAP HANA


Best practice :

Not recommended:

XS Web Interface

Security Administration (role assignment: repository vs catalog)

SAP HANA Studio

Role assignment:


What we will cover







7. Tips & Tricks

|47

Tools to replicate authorizations

When is it needed ?

• When there is a direct connection to SAP HANA

For BW authorizations:

• SAP HANA Model Generation

part of BW

replicate ABAP authorizations (BW Analysis Authorizations) in HANA Analytic Privileges

o generate analytic priv.

o update analytic priv.


For ECC authorizations:

• SAP HANA Live Authorization Assistant

SAP HANA Studio add-on

Replicate ABAP PFCG

authorizations in HANA Privileges

o generate analytic priv.

o update analytic priv.

Attention !

SAP HANA privileges are less granular than authorizations in application layer

therefore: all BW/ECC authorizations are not supported in HANA


Impact to GRC

• In GRC user provisioning flow

if no replication, use Business Roles in GRC

• HANA rule Set in GRC

limited to IT maintenance & development*

HANA

BW

Replication scenario:

Composite Role

GRC

assigned

corresponding

HANA roles

assigned

No replication scenario:

Business Role

GRC

Single roles

BW Composite roles

HANA roles

HANA BW

assigned assigned

What we will cover







7. Tips & Tricks

|51

Tips & tricks

Tips & tricks:

• Create roles in Design-time (repository roles).

• Ensure you are in the repository when working with the HANA Studio or the XS Web Interface

for role creation.

• Transfer ownership of all what you have created in the repository to _SYS_REPO to avoid issues

if your user is deleted.

• Transport roles from DEV to QA & PRD & activate them on each system to have _SYS_REPO as

the owner of the run-time roles.

• Assign roles via “Granted Roles” (executing stored procedure (via user _SYS_REPO)).

• Control who can create stored procedure in define behaviour to mitigate the risk of abuse.

• Create a similar design to the 2 layer model to keep it clear.

• Even if there is no limit on # of privileges assigned ( >< ECC 312 max profiles), be logical in

grouping the views.

• SAP template roles are too wide. Create custom roles instead.

• Restrict access to only the needed packages for modellers.

Tips & tricks

Tips & tricks:

• System privileges cannot be created/changed. Use stored procedures for a more granular

approach.

• Ensure the new custom XS HANA applications created by developers are secured to avoid

exposing the DB.

• If the user has not the full access to a view, the user will see partial data (only authorized

data). >< with BI were the user has no results in that case.

• If a filter is applied to 1 view in an analytical privilege, it will apply to all views in the analytical

privilege.

• Dynamic analytic privileges can be used to have an ease of maintenance but be aware that

it will reduce transparency in authorizations !

• Use a tool to replicate BW & ECC authorizations to HANA authorizations.

• Note that HANA rule set in GRC is limited to IT maintenance & development.

Tips & tricks

Don’t forget the important Security Notes:

• 2197397: SAP HANA Extended Application Services (XS) has a Buffer Overflow vulnerability.

• 2197428: Potential remote code execution in HANA.

• 2197459: Potential log injection vulnerability in SAP HANA audit log.

• …

www.expertum.net

Inspire by Experience.

Christophe Decamps

Consultant

Governance, Risk & Compliance

+32 473 720 125

[email protected]

Thanks for listening! Any questions?

Documents

SAP Hana security & authorization - Welcome on · PDF fileIntegrative Authorization Scenarios SAP HANA Source Application Server (e.g. ECC or BW) Client Client Traditional Native 2