In this second installment of the SAP HANA Security and Controls blog series, we will focus on some of the key SAP HANA security functions.
Let’s consider authentication as the first security function. How do we log in to SAP ECC? Is it SAP GUI, or an NWBC login screen which takes you to a web page to access ECC? You can consider both options, but authentication in SAP HANA can be done using SAP HANA Studio or SAP Web IDE.
The second security function to discuss is Authorization. In the traditional SAP system we have Authorizations, Transaction Codes and Authorization Objects. In SAP HANA, we use something called “Privileges”. It is the same as authorizations but just a different word.
Considering user management as the next security function, the traditional SAP system uses transaction code PFCG or SU01. In SAP HANA, you can manage users using SAP HANA Studio or SAP Web IDE.
SAP HANA Users – In SAP HANA, users can be classified into two groups: regular users and technical users. Regular users are named users or real persons who work as data modelers or data administrators. Technical users are internal users within the SAP HANA database, such as _SYS_STATISTICS and _SYS_REPO. They cannot be used to log in from outside; they are technical user IDs used internally for managing the SAP HANA database. The key user types in SAP HANA start with SYSTEM, which is used as an overall system admin ID. Avoid using the SYSTEM user ID, and monitor the control to prevent regular end users from using it. The <SID>ADM user is another user ID, which has unlimited OS access to all resources related to HANA. The ROOT user is another user ID, which is used to install and upgrade only.
When you consider SAP HANA security, the one question that everyone asks is “What am I securing?” In SAP HANA, there are several objects that constitute the HANA database. HANA is not just a database but also a modeling environment. Some of the objects that need to be secured are Functions, Indexes, Sequences, Synonyms, Triggers, Tables and Views. From a modeling perspective, the three important views in HANA are Attribute Views, Analytic Views and Calculation Views. I am not going to explain what these objects are, as we are focused on HANA security, but let’s discuss the “Privileges”, or what we know as “Authorizations”, in this next section.
SAP HANA Privileges are broken down into Object Privileges, Package Privileges, Analytic Privileges and System Privileges. SAP HANA provides database schemas in which objects such as tables, indexes, and views are stored. Access to the data stored in these objects, and to the schema that holds them, is managed using object privileges. Package privileges are used to secure packages, which are individual projects within the SAP HANA database. Analytic privileges provide row-level control of what data users can see on the data models, and system privileges help to monitor execution of administrative actions for the entire SAP HANA database.
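The four privilege types above, and the advice to keep an eye on the SYSTEM user, can be put into SQL as follows. This is an added example, not code from the original post; the roles, schema, package, analytic privilege and user named here (REPORTING_READER, SEC_USER_ADMIN, SALES_DATA, "acme.sales", AP_SALES_REGION_EU, JDOE) are constructed and assumed to exist where the comments say so.

```sql
-- All object names below are constructed for illustration.

-- One role per job function; privileges go to roles, not directly to users.
CREATE ROLE REPORTING_READER;
CREATE ROLE SEC_USER_ADMIN;

-- Object privilege: read access to the objects stored in one schema.
GRANT SELECT ON SCHEMA SALES_DATA TO REPORTING_READER;

-- Package privilege: read-only access to the design-time objects of one package.
GRANT REPO.READ ON "acme.sales" TO REPORTING_READER;

-- Analytic privilege: row-level restriction on a data model.
-- Assumes AP_SALES_REGION_EU is an existing SQL-based (structured) analytic privilege.
GRANT STRUCTURED PRIVILEGE AP_SALES_REGION_EU TO REPORTING_READER;

-- System privilege: an administrative action, kept in a separate role
-- so that reporting users never receive it.
GRANT USER ADMIN TO SEC_USER_ADMIN;

-- Assign the reporting role to a regular (named) user that already exists.
GRANT REPORTING_READER TO JDOE;

-- Review 1: what each role actually holds, by privilege type.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE IN ('REPORTING_READER', 'SEC_USER_ADMIN')
 ORDER BY GRANTEE, OBJECT_TYPE, PRIVILEGE;

-- Review 2: system privileges granted directly to users instead of through a role.
SELECT GRANTEE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE_TYPE = 'USER'
   AND OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND GRANTEE NOT IN ('SYSTEM', '_SYS_REPO', '_SYS_STATISTICS')
 ORDER BY GRANTEE, PRIVILEGE;

-- Review 3: is the SYSTEM user still active, and when was it last used?
SELECT USER_NAME, USER_DEACTIVATED, LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS
 WHERE USER_NAME = 'SYSTEM';
```

Rows returned by the second query are candidates for moving into a role; a recent LAST_SUCCESSFUL_CONNECT in the third query means someone is still logging in as SYSTEM.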
Read Part One in this blog series and learn how SAP HANA can be used in different scenarios and each scenario requires a different security approach.
In the last blog of this series we examine security loopholes, best practices, Security Controls and auditing features in SAP HANA.