SAP HANA Security Guide – What makes SAP HANA a Secured SAP Tool?
After completing the basics of SAP HANA technology to a modest extent, let us gain some knowledge on SAP HANA security aspects. For any technology, security is the topmost concern for all users and with this introductory tutorial on SAP HANA security, you will understand the concept of security in SAP HANA thoroughly.
We will be covering the following topics:
- Security Features
- Scenarios in SAP HANA Deployment
- Risks in SAP HANA Deployments
- SAP HANA User Administration
- User Creation in SAP HANA Studio
- SAP HANA Role Management
Shall we start the tutorial? We will first take a look at the need for security in SAP HANA.
Keeping you updated with latest technology trends, Join DataFlair on Telegram
SAP HANA Security
Need for Security
SAP HANA is a popular SAP tool and has a widespread user base. SAP HANA plays a vital role in business processes of all the enterprises it is a part of and thus, is more prone to security threats due to its widespread use and high availability to users. The data hosted in SAP HANA systems are prone to multiple risks related to espionage and sabotage. SAP HANA becomes a target for espionage and hacking as it holds business-critical data. Also, it is central to crucial business processes, making it a data sabotage target posing serious security threats to the SAP HANA database.
Such security threat calls for a robust security system for SAP HANA. We can use SAP HANA in different ways; as a data mart, as a standard SQL-based relational database for OLAP and OLTP applications, as an application platform (SAP HANA extended application services/ SAP HANA XS). In addition to this, the SAP HANA system serves as a Multitenant Database Container (MDC) as it provides a single SAP HANA environment and resources to multiple isolated databases. All the isolated databases share the same HANA database system software, system administration, and computing resources. The SAP HANA security framework makes sure to provide the best security provisions to the SAP HANA system used in any of the above-mentioned ways by the users.
SAP HANA Deployment Scenarios
Before we start learning more about security features and functions available in SAP HANA, let us understand different deployment scenarios of SAP HANA. Deployment scenarios mean the different ways in which the users utilize the SAP HANA system and technology. The security functions vary according to deployment scenario and you have to finalize security approaches accordingly.
For SAP HANA, there are 4 major types of deployment scenarios:
1. 3-Tier Architecture
We use SAP HANA as a relational database in classical 3-tier architecture. In a typical 3 tier architecture, there exist 3 operational levels; the client, the application server, and the SAP HANA database. The applications hosted on an application server are SAP Business Warehouse, SAP Business Suite, ERP, or S/4 HANA use SAP HANA as their database.
The security model in this scenario offers security features such as authentication, authorization, user management, encryption, and audit logging. These features are enforced in the application server layer and manage administrative access. No end user is allowed direct access to the SAP HANA database. Direct access is allowed only for database administration purposes to authorized users.
2. SAP HANA Extended Application Services
The SAP HANA Extended Application Services (SAP HANA XS) setup involves an application server, web server, and SAP HANA database within a single environment. Applications are directly hosted on the SAP HANA XS setup and are made available to the end users using web interfaces.
There are two models of SAP HANA XS:
- Classic model
- Advanced model
The security features for the classic model are more or less the same as the general security functions provided by SAP HANA. Only, there are some changes made for providing security features for the web-based applications involved in the setup. On the other hand, in the SAP HANA XS advanced model, security provisions are made such that SAP HANA XS advanced model can be deployed in a separate network. In this case, a firewall is made between SAP HANA XS and database layers.
3. Integrated Scenario: EPR Data in SAP HANA
SAP HANA users can get direct access to ERP data through SAP HANA Live for reporting purposes. To get this direct ERP data access, you must assign SAP HANA privileges to selected users through SAP HANA system. The security features mainly involve some authorization checks and related processes.
4. Integrated Scenario: BW Data in SAP HANA
SAP HANA is used as data marts which are a Business Warehouse architecture. In this scenario, data from different data sources is replicated in the SAP HANA database and used for analytical reporting purposes. This setup requires a project-specific model where authorization checks are conducted using SAP HANA privileges.
Do you know about SAP HANA Data Warehousing?
Core Features of SAP HANA Security
- User and Role Management
- Encryption of data in Persistence Layer
- Encryption of data in Network Layer
- Single sign-on
- Transport/data encryption
- Audit logging
- Secure configuration and encryption
- Communication channel encryption
- Secure development
Risks in SAP HANA
A robust security framework protects a system from some potential threats and risks. The same holds true for SAP HANA. These are some key risks to SAP HANA system against which the security functionalities are implemented:
1. Web Applications
In a lot of SAP HANA scenarios, users use web browsers to access applications deployed on SAP HANA system. Thus, a lot of SAP HANA systems are easily available on the internet which makes them prone to hacking. Also, unauthorized access is possible through web applications where hackers can interfere with HANA services. In addition to this, risks on SAP HANA includes several web weaknesses such as XSS, SQL injection, ABAP code injection, etc. which makes intruding into the system easy for the hackers.
2. RAM Scraping
In RAM scraping security threat, the malware or virus runs on the in-memory along with the normal processes of SAP HANA. This makes detecting the malware very difficult as the malware also disappears as soon as the in-memory processes terminate and leaves no footprint. RAM scraping poses as the most dangerous threat to SAP HANA as it uses in-memory virus vectors because SAP HANA is also an in-memory technology. You can also not encrypt the HANA in-memory processes on the RAM level as it would degrade the performance of the system.
3. Basis Security
In most scenarios, SAP HANA runs parallelly to other systems in a system landscape which increases the overall complexity. The entire system landscape becomes more prone to security failures and glitches as multiple security processes and functions related to SAP HANA are also involved in the system environment.
SAP HANA User Administration
In SAP HANA, user accounts are created having their unique username and password with a specific set of privileges assigned to them in the form of roles. One can only use SAP HANA capabilities and database if they have a user profile created in HANA Studio. The Administrators administer these users using different kinds of tools.
Types of SAP HANA Users
Based on the difference in security policies and purpose of usage, SAP HANA users broadly classify into two categories; Technical (DBA) user and Database user.
1. Technical (DBA) User
The technical users are the ones that perform database administration tasks in SAP HANA system. They are not the general users using HANA tools for accessing and transforming data from the HANA database rather, they manage all the other users. Some typical tasks performed by technical users are creating database objects, assigning privileges to database users, assigning privileges on packages and applications. SYSTEM, SYS, and _SYS_REPO are the names of technical users that are present in the SAP HANA system by default.
2. Database User
The database users are the actual users that interact with the SAP HANA database to access and use data from it for several management and analytical purposes. Thus, it is compulsory for every HANA user to have a database user profile. You can create database users by either SAP HANA Studio GUI method or by SQL commands. The SQL statement for creating a database user is CREATE USER (for standard user) and CREATE RESTRICTED USER (for restricted user).
3. Standard Database User
The standard users are those who can create database objects in the schemas owned by them and have read access for system views. The read access is granted as a part of the PUBLIC role assigned to all standard users in SAP HANA system. The standard users are created using CREATE USER SQL statement.
Learn to create schema in SAP HANA in easy steps
4. Restricted Database User
The restricted database user type is the user who provisions other users using SAP HANA through client applications. Initially, restricted users are given no privileges and have limited SQL access via SQL console. A restricted user is assigned application-specific roles which grant it only those privileges which are required for their work and are specific to their purpose.
Apart from this, there are some limitations on restricted database users:
- Cannot create objects in their database schema as they are not authorized.
- Cannot read or view data in the database because they are not granted PUBLIC role.
- Can only connect to HANA database using HTTP/HTTPS.
- To connect via ODBC/JDBC client, users need predefined roles such as RESTRICTED_USER_ODBC_ACCESS or RESTRICTED_USER_JDBC_ACCES.
Activities of User Administrator
Using different administration tools, an administrator can perform the following activities to manage the users in SAP HANA:
- Creating a new user
- Deleting an existing user
- Grant role to user
- Define and create a new Role
- Resetting user passwords
- Reactivating users (after failed login attempts)
- Deactivating users (when required)
User Administration Tools
Some common user administration tools available for SAP HANA user administration are:
- Developer Workbench of SAP HANA Studio: For role designing and creation, Application development.
- Editor tool of SAP HANA Development Workbench (web-based): For role designing and creation, Application development.
- User section in SAP HANA Cockpit: User and system administration
- User editor of SAP HANA Studio: User and system administration
- Security tool of SAP HANA Development Workbench (web-based): User and system administration
- SAP HANA HDBSQL: User and system administration
- Assign Roles section of SAP HANA Cockpit: User and system administration
Have you checked? – SAP BusinessObjects Reporting Tools
How to Create a User in SAP HANA Studio
To create a user and a role, a database user must have ROLE ADMIN privilege in SAP HANA.
Follow these easy steps to create a user in SAP HANA Studio:
Step 1: Open SAP HANA Studio (Administration Console). Go to the Security folder under your HANA system. Right-click on User and select New User. You can select New Restricted User if you wish to create that.
Step 2: In the window that opens, you can enter the name of the new user in the New User tab. In this section, you can enter a User Name and select Disable ODBC/JDBC access option.
Below this section is the Authentication section. From here, you can set the Password, and select the authentication mode (create a new password). There are several authentication modes available such as; SAML, Kerberos, X509, SAP Logon Ticket and SAP Assertion Ticket.
You can also set the validity period (Valid From, Valid Until) for the user, i.e. they can only work in HANA with the privileges given to them till the validity exists.
Step 3: In the lower section of the New User tab, you can grant roles (existing or standard), system privileges, object privileges, analytic privileges, package privileges, application privileges, etc.
Step 4: After filling the user credentials and adding privileges in the user profile, click on the Deploy or Execute button given on top (green arrow icon). The new user will successfully create, and a PUBLIC role will assign to it automatically which is a default role.
Step 5: To logon with this new user, click on the system icon and enter the user details asked in the dialog box. In the process, you will have to change the password. Click on Finish once the logon process is complete. A new user/system with all the nodes like Catalog, Content, Provisioning, Security will display in the Systems tab.
SAP HANA Role Management
A “Role” in SAP HANA is a collection of different privileges granted as a single unit to a database user or another role in runtime. The standard mechanism of granting privileges in SAP HANA is through Roles. By using roles instead of granting individual privileges to users, you can pass complex authorization concepts on to users and implemented in HANA system working. A role essentially contains such collection of privileges using which the database users can perform certain tasks like creating models and reports, reading reports using client tools such as Microsoft Excel, maintaining and operating databases and users, etc. It is just like using steering, clutch, accelerator, gear stick, breaks together to be able to drive a car.
A role typically comprises of different kinds of privileges such as system privileges, object privileges, analytic privileges, package privileges, and application privileges. The structure of a role is created when discrete privileges are selected and put together as a Role. The role will allow users to perform all the tasks that the privileges within a role grant them.
You must have a look at Analytic Privileges in SAP HANA
Creating and Granting Roles to HANA Users
For users to be able to do something in HANA, they need privileges or roles granted to them. Follow the steps given below to learn how to create roles and then grant the roles to HANA users.
1. Creating a Role
Go to SAP HANA Studio (Administration Console). Expand the Security node under a HANA user/system. Select Roles and right-click on it. Then select New Role.
In the tab that opens, enter the name of the new role (Role Name) and select a Schema for that. You can select the collection of privileges for that role from the privileges section given below the New Role section.
You can select some predefined roles and add them in the new role. To add predefined click on the green plus (+) sign given in Granted Roles tab. Select from the given list of predefined roles. Click on the Execute button (green arrow button on top) to implement the changes.
You can also create a new user through an SQL command in the SQL Editor. The SQL statement for creating a role is
CREATE ROLE <role_name>
2. Granting Roles to User
To grant roles to a HANA user, select a user from the list of users available in the Security node. The user profile will open.
In the user profile that appears, click on the green plus (+) icon given in the tab Granted Roles.
Upon clicking on the plus (+) icon, a list of available roles will open. Select roles from the list. The selected roles will be visible on the Granted Roles tab. After assigning the roles to a user, click on the green Deploy button on top to apply the changes. Upon successful deployment of this process, the user will be granted the roles you selected. You can also assign individual privileges in a similar way to a particular selected user.
This concludes our introductory tutorial on SAP HANA Security. We hope now you are clear with all the aspects of security in SAP HANA. In the coming tutorial, we will dive deep into different aspects of security process i.e. authentication, authorization, license management, and auditing. So, stay tuned for more!
Any queries? Feel free to enter in the comment section.
Get to know about all 5 SAP HANA Authentication Methods!