SAP HANA Security: Complete Tutorial

What is Sap Hana Security?

SAP HANA Security is protecting important data from unauthorized access and ensures that the standards and compliance meet as security standard adopted by the company.

SAP HANA provides a facility i.e. Multitenant database, in which multiple databases can be created on single SAP HANA System. It is known as multitenant database container. So SAP HANA provide all security related feature for all multitenant database container.

SAP HANA Provide following security-related feature –

  • User and Role Management
  • Authorization
  • Authentication
  • Encryption of data in Persistence Layer
  • Encryption of data in Network Layer

SAP HANA User and Role

SAP HANA User and Role management configuration depend on the architecture as below –

  1. 3-Tier Architecture.

    SAP HANA can be used as a relational database in a 3-Tier Architecture.

    In this architecture, security features (authorization, authentication, encryption, and auditing) are installed on application server layers.

    SAP application (ERP, BW, etc.) connects to database only with the help of a technical user or database administrator (Basis Person). The end-user cannot directly access to database or database server.

SAP HANA 3-Tier Architecture

  1. 2-Tier Architecture.

    SAP HANA Extended Application Services (SAP HANA XS) is based on 2 –Tier Architecture, in which Application server, Web Server and Development Environment are embedded in a single system.

SAP HANA 2-Tier Architecture

SAP HANA Authentication

Database user identifies who is accessing the SAP HANA Database. It is verified through a process Named “Authentication.” SAP HANA support many authentication methods. Single Sign-on (SSO) are used to integrate several Authentication method.

SAP HANA supports following authentication method –

  • Kerberos: It can be used in the following case –
  • Directly from JDBC and ODBC Client (SAP HANA Studio).
  • When HTTP is used to access SAP HANA XS.

  • User Name / Password When the user enters their database username and password, then SAP HANA Database authenticate the user.

  • Security Assertion Markup Language(SAML)

    SAML can be used to authenticate SAP HANA User, who is accessing SAP HANA Database directly through ODBC/JDBC. It is a process of mapping external user identity to the internal database user, so user can login in sap database with the external user id.

  • SAP Logon and Assertion Tickets

    The user can be authenticated by Logon or Assertion Tickets, which is configured and issued to the user for creating a ticket.

  • X.509 Clients Certificates

    When SAP HANA XS Access by HTTP, Client certificates signed by a trusted Certification authority (CA) can be used to authenticate the user.

SAP HANA Authorization

SAP HANA Authorization is required when a user using client interface (JDBC, ODBC, or HTTP) to access the SAP HANA database.

Depending on the authorization provided to the user, it can perform database operations on the database object. This authorization is called, “privileges.”

The Privileges can be granted to the user directly or indirectly (through roles). All Privileges assign to users are combined as a single unit.

When a user tries to access any SAP HANA Database object, HANA System performs authorization check on the user through user roles and directly grants the privileges.

When requested Privileges found, HANA system skips further checks and grant access to request database objects.

In SAP HANA following privileges are their –

Privileges Types Description
System Privileges It controls normal system activity. System Privileges are mainly used for –

  • Creating and Deleting Schema in SAP HANA Database
  • Managing user and role in SAP HANA Database
  • Monitoring and tracing of SAP HANA database
  • Performing data backups
  • Managing license
  • Managing version
  • Managing Audit
  • Importing and Exporting content
  • Maintaining Delivery Units
Object Privileges Object Privileges are SQL privileges that are used to give authorization to read and modify database objects. To access database objects user needs object privileges on database objects or on the schema in which database object exists. Object privileges can be granted to catalog objects (table, view, etc.) or non-catalog objects (development objects).
Object Privileges are as below –

  • CREATE ANY
  • UPDATE, INSERT, SELECT, DELETE, DROP, ALTER, EXECUTE
  • INDEX, TRIGGER, DEBUG, REFERENCES
Analytic Privileges Analytic Privileges are used to allow read access on data of SAP HANA Information model (attribute view, Analytic View, calculation View).

  • This privilege is evaluated during query processing.
  • Analytic Privileges grants different user access on different part of data in the
  • Same information view based on user role.
  • Analytic Privileges are used in SAP HANA database to provide row level data

Control for individual users to see the data is in the same view.

Package Privileges Package Privileges are used to provide authorization for actions on individual packages in SAP HANA Repository.
Application Privileges Application Privileges are required in In SAP HANA Extended Application Services (SAP HANA XS) for access application.

Application privileges are granted and revoked through the proceduresGRANT_APPLICATION_PRIVILEGE and REVOKE_APPLICATION_PRIVILEGE procedure in the _SYS_REPO schema.

Privileges on User It is an SQL Privileges, which can grant by the user on own user. ATTACH DEBUGGER is the only privilege that can be granted to a user.

SAP HANA User Administration and Role Management

To Access SAP HANA Database, users are required. Depending on the different security policy there are two types of user in SAP HANA as below –

  1. Technical User (DBA User) – It is a user who directly work with SAP HANA database with necessary privileges. Normally, these users don’t get deleted from the database.

    These users are created for an administrative task such as creating an object and granting privileges on database object or on the application.

    SAP HANA Database system provides following user by default as standard user–

  • SYSTEM
  • SYS
  • _SYS_REPO
  1. Database or Real User: Each user who wants to work on SAP HANA database, need a database user. Database user are a real person who works on SAP HANA.

    There are two types of Database user as below –

User Type Description Role assigned
Standard User This user can create objects in an own schema and reads data in system views. Standard User created with “CREATE USER” statement. PUBLIC role is assigned for read system views.
Restricted User Restricted User has no full SQL Access via an SQL Console and created with “CREATE RESTRICTED USER” statement. If Privileges required for use of any application, then they are provided through the role.

  • Restricted User cannot create database objects.
  • Restricted User cannot view data in the database.
  • Restricted User connects to database through HTTP Only.
  • ODBC/JDBC access for client connection must be enabled with SQL statement.
RESTRICTED_USER_ODBC_ACCESS or RESTRICTED_USER_JDBC_ACCESS role required to user for Full Access of ODBC/JDBC functionality

SAP HANA User Administrator have access to the following activity –

  1. Create/delete User.
  2. Define and Create Role.
  3. Grant Role to the user.
  4. Resetting user password.
  5. Re-activate / de-activate user according to requirement.

1. Create User in SAP HANA- only database user with ROLE ADMIN privileges can create user and role in SAP HANA.

Step 1) To create new user in SAP HANA Studio go to security tab as shown below and follow the following steps;

  1. Go to security node.
  2. Select Users (Right Click) -> New User.

Create User in SAP HANA

Step 2) A user creation screen appear.

  1. Enter User Name.
  2. Enter Password for the user.
  3. These are authentication mechanism, by default User name / password is used for authentication.

Create User in SAP HANA

By Clicking on the deployCreate User in SAP HANAButton user will be created.

2. Define and Create Role

A role is a collection of privileges that can be granted to other users or role. The role includes privileges for database object & application and depending on the nature of the job.

It is a standard mechanism to grant privileges. Privileges can be directly granted to the user. There are many standard roles (e.g. MODELLING, MONITORING, etc.) available in SAP HANA database.

We can use the standard role as a template for creating a custom role.

A role can contain following privileges –

  • System Privileges for administrative and development task (CATALOG READ, AUDIT ADMIN, etc.)
  • Object Privileges for database objects (SELECT, INSERT, DELETE, etc.)
  • Analytic Privileges for SAP HANA Information View
  • Package Privileges on repository packages (REPO.READ, REPO.EDIT_NATIVE_OBJECTS, etc.)
  • Application Privileges for SAP HANA XS applications.
  • Privileges on the user (For Debugging of procedure).

Role Creation

Step 1) In this step,

  1. Go to Security node in SAP HANA System.
  2. Select Role Node (Right Click) and select New Role.

Role Creation in SAP HANA

Step 2) A role creation screen is displayed.

Role Creation in SAP HANA

  1. Give Role name under New Role Block.
  2. Select Granted Role tab, and click “+” Icon to add Standard Role or exiting role.
  3. Select Desired role (e.g. MODELLING, MONITORING, etc.)

Step 3) In this step,

  1. Selected Role is added in Granted Roles Tab.
  2. Privileges can be assign to the user directly by selecting System Privileges, object Privileges, Analytic Privileges, Package Privileges, etc.
  3. Click on deploy icon to create Role.

Role Creation in SAP HANA

Tick option “Grantable to other users and roles”, if you want to assign this role to other user and role.

3. Grant Role to User

Step 1) In this step, we will Assign Role “MODELLING_VIEW” to another user “ABHI_TEST”.

  1. Go to User sub-node under Security node and double click it. User window will show.
  2. Click on Granted roles “+” Icon.
  3. A pop-up will appear, Search Role name which will be assign to the user.

Grant Role to User in SAP HANA

Step 2) In this step, role “MODELLING_VIEW” will be added under Role.

Grant Role to User in SAP HANA

Step 3) In this step,

  1. Click on Deploy Button.
  2. A Message ” User ‘ABHI_TEST” changed is displayed.

Grant Role to User

4. Resetting User Password

If user password needs to reset, then go to User sub-node under Security node and double click it. User window will show.

Step 1) In this step,

  1. Enter new password.
  2. Enter Confirm password.

Resetting User Password

Step 2) In this step,

  1. Click on Deploy Button.
  2. A message “User ‘ABHI_TEST” changed is displayed.

Resetting User Password in SAP HANA

5. Re-Activate/De-activate User

Go to User sub-node under Security node and double click it. User window will show.

There is De-Activate User icon. Click on it

Re-Activate/De-activate User in SAP HANA

A confirmation message “Popup” will appear. Click on ‘Yes’ Button.

Re-Activate/De-activate User in SAP HANA

A message “User ‘ABHI_TEST’ deactivated” will be displayed. The De-Activate icon changes with name “Activate user”. Now we can activate user from the same icon.

SAP HANA License Management

The license key is required to use SAP HANA Database. A license key can be installed and deleted using SAP HANA Studio, SAP HANA HDBSQL Command Line tool, and HANA SQL Query editor.

SAP HANA database support two types of license key –

  • Permanent License Key: Permanent license keys are valid till expiration date. We need to request and apply license key before expire. If license key expires then Temporary License Key are is automatically installed for 28 days.
  • Temporary License Key: This is automatically installed with a new SAP HANA Database Installation. It is valid for 90 days and later can apply for Permanent key from SAP.

Authorization of License Management

“LICENSE ADMIN” privileges are required for License Management.

SAP HANA Auditing

SAP HANA Auditing features allow you to monitor and record action which is performed in SAP HANA System. This features should be activated for the system before creating audit policy.

Authorization for SAP HANA Auditing

“AUDIT ADMIN”System Privileges required for SAP HANA Auditing.

Summary

In this tutorial, we have learned following topic –

  • SAP HANA Security overview.
  • SAP HANA Authentication in detail.
  • SAP HANA Authorization in detail.
  • SAP HANA User Administration method.
  • SAP HANA Role Administration method
  • SAP HANA license Management process.
  • SAP HANA Role Auditing Process.