SAP HANA Database Security
The SAP HANA database has its own role and authorization system, which differs from the traditional role structure in ABAP systems. Various tools are available for creating and managing these roles and authorizations.
SAP HANA Database Authorization Check and Role Building
With the introduction of SAP S/4HANA (and thus the HANA database, HANA DB), end users will be able to access Core Data Services directly in the HANA database and bypass the authorization check in the S/4HANA ABAP system.
For database administrators, SAP provides the SAP HANA studio and the SAP HANA cockpit. These tools also require a new authorization and role concept.
The Xiting HANA DB Authorization Service includes administrative tools, role templates and the following deliverables:
SAP HANA Authorization Services in Detail
The HANA cockpit is SAP’s new user interface for database administrators. Unfortunately, the HANA database doesn’t rely on traditional ABAP authorizations and, as a result, organizations have to implement a separate authorization concept to control access to the HANA cockpit and the underlying database.
In addition to XS Classic and XS Advanced, HDB Studio and hdbsql are available as environments for development and role building.
Another challenge is that certain use cases require business users to directly access the Core Data Services. To implement such scenarios, you have to authorize users via special HANA database privileges that add further complexity to the overall access framework.
To assist with the creation of catalog, repository and HDI roles, SAP offers the HANA security tools.
Database users can be created and managed directly in HANA or in external IDM systems. In addition, HANA offers various transport options for roles and objects.
With the HANA Security Services developed by Xiting, we help customers better understand the differences between the various tools for administering and managing the HANA database.
We will also present the advantages and disadvantages of the SAP HANA Cockpit and the SAP HANA Studio, and show you which authorizations are required.
Security administrators must be able to create roles, manage password rules and user groups, and detect authorization problems. Our service introduces you to the necessary roles and functionalities.
For example, SAP recommends deactivating the SYSTEM user. As part of our workshop, we show you which privileges you can use to manage the HANA database without relying on a SYSTEM user.
In addition, HANA also has unique requirements related to auditing. We explain how security audits can be created and transported to other systems.
Plus, our HANA Security Service provides clear recommendations for creating HANA roles and managing users. If Core Data Services (Views) should not be visible to all users in plain text, we will also be happy to show you all the functions required for data masking.
SAP HANA Database Services
- Creation of a common understanding of SAP HANA DB and clarification of terms.
- Presentation of the possible application scenarios for an SAP HANA database, as well as the resulting effects on the system landscape.
- Presentation of the SAP HANA security functions, such as password security, database auditing, user and role management, datacenter integration and transport.
- Presentation of the SAP HANA authorization concept in a workshop.
- Based on the workshop results, we create a basic SAP HANA authorization concept, which includes defined roles for daily operations.
- Creation of roles for actors, such as basic administrators, transport, power users and/or developers.
- Implementation of the created roles in an SAP HANA database system/system network.
- Assignment of the previously created authorization roles for the respective user types in the target databases.
- Creation and provision of the complete documentation.
- Review of your SAP HANA database from the point of view of the assignment of authorizations and system configuration, based on a clearly defined set of rules.
- Documentation and evaluation of the results.
- Recommendation of operational measures.