Scribd
Upload
49 views

0902 - Security - User Management

The document discusses user management and security in SAP HANA. It covers topics like creating and authenticating users, managing passwords, authorization using roles, and integrating HANA with SAP IDM and LDAP. SAP HANA security is important for implementations both with and without an application server.

Uploaded by

ravin.jugdav678
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
49 views

0902 - Security - User Management

The document discusses user management and security in SAP HANA. It covers topics like creating and authenticating users, managing passwords, authorization using roles, and integrating HANA with SAP IDM and LDAP. SAP HANA security is important for implementations both with and without an application server.

Uploaded by

ravin.jugdav678
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 25

SAP HANA Security – User Management

Legal disclaimer

This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this
presentation or to develop or release any functionality mentioned in this
presentation. This presentation and SAP's strategy and possible future
developments are subject to change and may be changed by SAP at any time for
any reason without notice. This document is provided without a warranty of any
kind, either express or implied, including but not limited to, the implied warranties of
merchantability, fitness for a particular purpose, or non-infringement. SAP assumes
no responsibility for errors or omissions in this document, except if such damages
were caused by SAP intentionally or grossly negligent.

© 2011 SAP AG. All rights reserved. 2


Agenda

HANA use cases / Impacts on Security Setup

Authentication

Authorization

Auditing

Network Security

Details HANA Data Mart <-> BI Integration

© 2011 SAP AG. All rights reserved. 3


IT-Systems with SAP HANA
With or without application server?
SAP HANA without Application Server
Relevant for Security Implementation within SAP HANA

Data Marts with SAP HANA Applications on top of SAP HANA

BI Tools Stand-Alone Application


Access through BI Direct Access Using HANA as Database

BI 4.0 (optional)
Semantic Layer

SAP HANA Appliance


SAP HANA Database
HANA Data Models
Calculation Engine
Olap Engine
SAP HANA Engine
Database
Database Tables

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice.
© 2011 SAP AG. All rights reserved. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. 5
SAP HANA with Application Server
Mainly Not Relevant for Security within SAP HANA

Accelerator Scenarios HANA as Database in App Server

SAP Application Server Application Server


E.g. SAP NetWeaver BW 7.3
E.g. COPA Application

Aggregation Read
Levels Interface

Primary DB Secondary DB SAP HANA Database


connection connection
Read / write Read / write Calculation Engine
Olap Engine
Engine
Traditional SAP HANA
Database Database Database Tables

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice.
© 2011 SAP AG. All rights reserved. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. 6
User Management
User Management, Authentication
User management in SAP HANA Database

Creating of users
Authentication
User-specific
parameters

User management
Authorization Lock users
Object-level Password policy
Row-level security Integration with BI

© 2011 SAP AG. All rights reserved. 8


Creating named users

Creating user accounts


Named accounts in the database
Creation via SAP HANA Studio
or via SQL syntax
or via SAP NetWeaver Identity Management
(version 7.2 SP 3)
No replication of existing authorizations from
source systems

Authentication
Name / password
Password management via SAP HANA
Studio or via SQL
Kerberos Authentication
Based on certificates
Enables SSO authentication
SAML (as of SPS 4)

© 2011 SAP AG. All rights reserved. 9


Integration HANA, IDM, LDAP and BOE

Connector SAP IDM <-> SAP HANA Central repository for


As of SAP IDM 7.2 SP 3 user accounts
Using SQL Interface in HANA
SAP IDM
Create / delete users
Create / delete roles
Grant / revoke roles Push
Change passwords Active
Directory /
LDAP
Authentication BOE <-> HANA
Up to recently: name / password Import
Using “Credential Mapping” SAP HANA
Duplicate maintenance of user accounts Database Kerberos BOE Server
As of BI 4.0 FP 3: Kerberos integration User Store (BI 4.0
User Store
FP 3)

© 2011 SAP AG. All rights reserved. 10


Authentication via Kerberos

Kerberos
Domain Controller
SAP HANA Server

User logs on and


receives ticket

Users starts application


(e.g. Analysis for Office);
Authentication via domain
controller

End user

© 2011 SAP AG. All rights reserved. 11


Passwords and Authorization

Password-Policy in SAP HANA User


Features:
Minimal length; required character groups Role:
Password life time edit + activate
Lock / unlock users
… Role: Role:
edit model activate model
Concept of roles in SAP HANA
Creating roles
Package: SQL:
Grouping individual privileges into roles SQL: Package:
create / edit write
select activate
Create hierarchies of roles models runtime
object
Granting roles
Direct granting via SQL / SAP HANA Studio
Via SAP NetWeaver Identity Management

© 2011 SAP AG. All rights reserved. 12


Authorization
Known and new types of privileges

Privilege What for?

System Privileges Restrict possible actions


E.g. backup/restore; create user; …

SQL Privilege Restrict Access to Database Object


E.g. SELECT on <table>

Analytic Privilege Row-Level Security on HANA models


HANA specific Restrict on Attribute Values
Affects run-time objects

Package Privilege Restrict actions on data models


HANA specific Read / edit / activate
On design-time objects only
© 2011 SAP AG. All rights reserved. 13
Do I need to know all this?

Depends on HANA Use Case


Data Marts with SAP HANA (e.g. RDS Content)
Named users required in SAP HANA Database
Authorizations in SAP HANA Database

Applications on SAP HANA Database


(e.g. CO-PA Accelerator; BW 7.30 auf HANA)
All standard security handled by SAP NetWeaver
No changes in authorization/authentication
No named users required in SAP HANA Database

© 2011 SAP AG. All rights reserved. 14


Data Marts with SAP HANA
Overview of BI <-> HANA Interaction

BI Tools
Access through BI Direct Access Three layers in BI <-> HANA
Anything else Explorer Analysis Consumption layer (end-user tools)
WebI, Dashboards, Crystal
SAP BusinessObjects Explorer
Analysis suite (Analysis Office, OLAP, …)
BI 4.0
Semantic Explorer BI 4.0 Server
Layer Services
Semantic Layer:
– “Universe” based on HANA data providers
Explorer Services:
– Technical layer with “Explorer logic”
SAP HANA Database
– Search, index, … (delegates most tasks to HANA)
HANA Data Models
SAP HANA Database
Either plain tables
SAP HANA
or Data Models created in HANA
Database (Analytic Views, Calculation Views)

© 2011 SAP AG. All rights reserved. 15


Data Marts with SAP HANA
Interaction Analysis <-> HANA

BI Tools
Access through BI Direct Access Consumption via Analysis Suite
Anything else Explorer Analysis Analysis User Interface
Front-end on end-user PC
Store workbooks,
get connection Direct ODBC connection into HANA DB
(Optional) SQL and MDX calls into HANA
BI 4.0 No authorization features in client

In BI 4.0 server
Only used for auxiliary tasks (optional)
SAP HANA Database
HANA Data Models
In SAP HANA Database
Tables Can only consume HANA Data Models
Authorization must be defined in HANA
– Requires named users in HANA
– Analytic and SQL privileges

© 2011 SAP AG. All rights reserved. 16


Data Marts with SAP HANA
Interaction Explorer <-> HANA

BI Tools
Access through BI Direct Access Consumption via Explorer
Anything else Explorer Analysis Explorer UI
Flash-based web interface
HTTP connector into Explorer Server

BI 4.0
In BI 4.0 server – Explorer servers
Semantic Explorer
Layer Services Exploration server, search server, …
Delegates search/explore calls to HANA
(extended SQL syntax via JDBC)
No appropriate authorization features
SAP HANA Database
HANA Data Models In SAP HANA Database
Can only consume HANA Data Models
Tables
Authorization must be defined in HANA
– Requires named users in HANA
– Analytic and SQL privileges

© 2011 SAP AG. All rights reserved. 17


Data Marts with SAP HANA
Interaction “Other Tools” <-> HANA (not Explorer, not Analysis)

BI Tools
Access through BI Direct Access
Consumption via Other Tools
BI Front-End
Anything else Explorer Analysis
Typically web-based UI
Connects against Universe or other BI server
component (WebI server, …)

BI 4.0 In BI 4.0 server


Tool-specific server component (some tools)
Semantic Layer
Access of Semantic Layer (Universe)
Connect to HANA via JDBC/ODBC
Authorization options:
– Implement all authorization in BI
(enables having one single service user)
SAP HANA Database – Or have authorization and named users in HANA
Data Models
In SAP HANA Database
Either: Consume HANA Data Models
Tables (Universe is 1:1 mapping of this model)
Or define entire data model in semantic layer
(consuming tables directly in universe)

© 2011 SAP AG. All rights reserved. 18


Account Integration HANA, IDM, LDAP and BOE
Before BI 4.0 FP 3

Connector SAP IDM <-> SAP HANA Central repository for


As of SAP IDM 7.2 SP 3 user accounts
Using SQL Interface in HANA
Create / delete users SAP IDM
Create / delete roles
Grant / revoke roles Push /
Change passwords Push Pull
Active
Authentication BOE <-> HANA Directory /
Name / Password Authentication Define LDAP
DB
Either single-user connection Cre-
– If authorization defined in BI server dentials Import
Or named accounts in HANA SAP HANA
Name /
– Using “Credential Mapping” Database Password BOE Server
– Duplicate maintenance of user accounts
– Authorizations defined in HANA User Store User Store

© 2011 SAP AG. All rights reserved. 19


Account Integration HANA, IDM, LDAP and BOE
Starting with BI 4.0 FP 3

Connector SAP IDM <-> SAP HANA Central repository for


As of SAP IDM 7.2 SP 3 user accounts
Using SQL Interface in HANA
SAP IDM
Create / delete users
Create / delete roles Push /
Grant / revoke roles Push Pull
Change passwords Active
Directory /
LDAP
Authentication BOE <-> HANA
Kerberos authentication (since FP 3) Import
Maintain named accounts in HANA SAP HANA
Kerberos ID instead of password Database Kerberos BOE Server
Or name / password as before User Store (BI 4, FP3
User Store

© 2011 SAP AG. All rights reserved. 20


Summary of Connectivity BI 4.0 <-> HANA
Capabilities / limitations for various BI tools

Analysis Suite(*) Explorer Other Tools

Direct connect into Indirect connect into Connect through


HANA HANA Semantic Layer
Requires named Server component Consume Universes
accounts in HANA for connects to HANA(*) Single-user connection
all end-users Requires named Don’t need named
accounts in HANA for all
Uses ODBC connection accounts in HANA for end-users
SSL encryption all end-users(*) Or credential mapping
FP 3: Can make use of JDBC need named accounts in
HANA for all end-users
Kerberos (no password SSL encryption
maintenance in HANA) JDBC or ODBC
Kerberos (as of FP 3)
SSL encryption
Only consumes HANA Only consumes HANA
data models Kerberos (as of FP 3)
data models(*)
(*) Main table applies to edition for (*) Technically, Explorer can
Analysis/Explorer cannot
Office. Analysis OLAP: JDBC, using connect through semantic layer consume semantic layer
a server component. SSL does not at high performance penalty /
work for Analysis OLAP. only on very small data sets

© 2011 SAP AG. All rights reserved. 21


Summary of Authorization BI 4.0 <-> HANA
Capabilities / limitations for various BI tools

Analysis Suite Explorer Other Tools

No authorization No authorization Two choices for


capabilities in UI capabilities in UI(*) Authorization
Only consumes HANA Only consumes HANA Report level authorization
data models data models Data-level authorization
Requires named Requires named Don’t need named
accounts in HANA for all
accounts in HANA for accounts in HANA for end-users
all end-users all end-users Authorizations not
Define all authorizations Define all authorizations available for Analysis /
Explorer
(object- and row-level) (object- and row-level)
Or use HANA authorization
in HANA in HANA
/ named users for data
Analytic Privileges and Analytic Privileges and authorization
SQL Privileges SQL Privileges
Same as Analysis /
Combine into one role per Combine into one role per
Explorer
end-user end-user
Can use BI authorizations
(*) Assuming that authorization on top
InfoSpace is not sufficiently powerful

© 2011 SAP AG. All rights reserved. 22


Documentation and Information Around SAP HANA

www.sap.com/hana - official SAP HANA page with customer testimonials

www.experiencesaphana.com - SAP HANA collaboration space for customers

http://help.sap.com/hana_appliance - Official documentation


see especially the SAP HANA Database Security Guide

http://service.sap.com/HANA - Installation and Implementation knowledge

http://www.sdn.sap.com/irj/sdn/in-memory - SAP Developer Network for HANA

© 2011 SAP AG. All rights reserved. 23


© 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects
purpose without the express permission of SAP AG. The information contained Explorer, StreamWork, and other SAP products and services mentioned herein as
herein may be changed without prior notice. well as their respective logos are trademarks or registered trademarks of SAP AG
in Germany and other countries.
Some software products marketed by SAP AG and its distributors contain
proprietary software components of other software vendors. Business Objects and the Business Objects logo, BusinessObjects, Crystal
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business
Microsoft Corporation. Objects products and services mentioned herein as well as their respective logos
are trademarks or registered trademarks of Business Objects Software Ltd.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, Business Objects is an
System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, SAP company.
zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390
Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other
POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, Sybase products and services mentioned herein as well as their respective logos
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP
Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, company.
Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM
All other product and service names mentioned are the trademarks of their
Corporation.
respective companies. Data contained in this document serves informational
Linux is the registered trademark of Linus Torvalds in the U.S. and other purposes only. National product specifications may vary.
countries.
The information in this document is proprietary to SAP. No part of this document
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or may be reproduced, copied, or transmitted in any form or for any purpose without
registered trademarks of Adobe Systems Incorporated in the United States and/or the express prior written permission of SAP AG.
other countries.
Oracle and Java are registered trademarks of Oracle and/or its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and
MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®,
World Wide Web Consortium, Massachusetts Institute of Technology.

© 2011 SAP AG. All rights reserved. 24


© 2011 SAP AG. Alle Rechte vorbehalten.

Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, HTML, XML, XHTML und W3C sind Marken oder eingetragene Marken des
zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
schriftliche Genehmigung durch SAP AG nicht gestattet. In dieser Publikation SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects
enthaltene Informationen können ohne vorherige Ankündigung geändert werden. Explorer, StreamWork und weitere im Text erwähnte SAP-Produkte und -
Die von SAP AG oder deren Vertriebsfirmen angebotenen Softwareprodukte Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene
können Softwarekomponenten auch anderer Softwarehersteller enthalten. Marken der SAP AG in Deutschland und anderen Ländern.
Microsoft, Windows, Excel, Outlook, und PowerPoint sind eingetragene Marken Business Objects und das Business-Objects-Logo, BusinessObjects, Crystal
der Microsoft Corporation. Reports, Crystal Decisions, Web Intelligence, Xcelsius und andere im Text
erwähnte Business-Objects-Produkte und Dienstleistungen sowie die
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5,
entsprechenden Logos sind Marken oder eingetragene Marken der Business
System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries,
Objects Software Ltd. Business Objects ist ein Unternehmen der SAP AG.
zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390
Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, Sybase und Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere und
POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, weitere im Text erwähnte Sybase-Produkte und -Dienstleistungen sowie die
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, entsprechenden Logos sind Marken oder eingetragene Marken der Sybase Inc.
Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Sybase ist ein Unternehmen der SAP AG.
Netfinity, Tivoli und Informix sind Marken oder eingetragene Marken der IBM Alle anderen Namen von Produkten und Dienstleistungen sind Marken der
Corporation. jeweiligen Firmen. Die Angaben im Text sind unverbindlich und dienen lediglich zu
Linux ist eine eingetragene Marke von Linus Torvalds in den USA und anderen Informationszwecken. Produkte können länderspezifische Unterschiede
Ländern. aufweisen.
Adobe, das Adobe-Logo, Acrobat, PostScript und Reader sind Marken oder Die in dieser Publikation enthaltene Information ist Eigentum der SAP. Weitergabe
eingetragene Marken von Adobe Systems Incorporated in den USA und/oder und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem
anderen Ländern. Zweck und in welcher Form auch immer, nur mit ausdrücklicher schriftlicher
Oracle und Java sind eingetragene Marken von Oracle und/oder ihrer Genehmigung durch SAP AG gestattet.
Tochtergesellschaften.
UNIX, X/Open, OSF/1 und Motif sind eingetragene Marken der Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame und
MultiWin sind Marken oder eingetragene Marken von Citrix Systems, Inc.

© 2011 SAP AG. All rights reserved. 25

You might also like