8/10/2019 HANA_Security.pdf http://slidepdf.com/reader/full/hanasecuritypdf 1/31

HANA_Security.pdf


© 2014 SAP AG or an SAP affiliate company. All rights reserved. 2

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.


SAP HANA scenarios and security functions
SAP HANA Authorization Roles Management
SAP HANA Authorization User Management
SAP IdM Connector
GRC Access Management
Summary and Q+A


SAP HANA
Traditional Security Architecture


Traditional security architecture

[Diagram: Client, Application Server (Application, Application), Database; security functions shown: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store]


SAP HANA – overview of security functions

[Diagram: SAP HANA with XS (Application); Clients; Application Server; SAP HANA Studio (Administration); connection labels: HTTP(S), SQL, MDX; security functions shown: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store]


SAP HANA – user and role management

For logon, users must exist in the identity store of the SAP HANA database
Roles (and privileges) can be assigned to users
Roles are used to bundle and structure privileges – Create roles for specific groups of users, role hierarchies supported
Role lifecycle: design time roles export to production system activate runtime


SAP HANA – authorization
Privilege types

System privileges: Authorize execution of administrative actions for the entire SAP HANA database
SQL privileges: Authorize access to data and operations on database objects
Analytic privileges: Authorize read access on analytic views at run-time, provide row-level access control based on dimensions of the respective view
Package privileges: Authorize access in the repository (modeling environment) at design time
Application privileges: Authorize access to SAP HANA XS application functions


HANA User Management
Via SAP HANA Studio / hdbsql


HANA User Management
via different Tools

SAP HANA Studio, hdbsql


SAP HANA
Security administration with SAP HANA Studio


HANA Authorization Roles
Clarifying of terminology


HANA Authorization Roles
Current Situation

What is the current Landscape?

Which user management is implemented?

How many users will work with SAP HANA?

Which goal will be achieved in the future?

What kind of roles are still in place?


HANA Authorization Roles
What HANA Roles are

Roles:

Are a collection of privileges
Are the recommended practice for privilege management
Can be granted to multiple users
Can be used for complex role hierarchies

[Diagram: a HANA Role bundles System Privileges, Object Privileges, Schema Privileges, Source Privileges, Analytic Privileges, Package Privileges, Application Privileges]


HANA Authorization
Privileges

Which Privilege… | Will be used for…

System Privilege | Possible actions
• e.g.: Backup/Restore, User Administration, Instance start / stop

Object Privilege / SQL | Allows access to objects
• e.g.: SELECT, UPDATE, INSERT, DELETE of Tables, Views or Schemas
• Object owner can only grant access to others

Analytical Privilege | Allocation of row and column access
• e.g.: specific value ranges
• Is required for modeling

Package Privilege | Allows access to data models
• e.g.: Analytic or Calculation Views
• Repository Objects


HANA Privileges Management
Directly to Users or via Role

[Diagram: Users, Roles, Privileges, Objects; relationship labels: ownership, granted, granted, allocated]


Demo


HANA Authorization Roles
Design-time roles


HANA Authorization Roles
Design-time Role

[Diagram: HANA Repository (Design Time Roles, All Other Content); Runtime Roles; Business User in Database; Role Assignment; actors: Role Modeler, User Admin; steps 1 to 4]

1. The design-time role is developed in the workbench of the development system
2. The role is stored in the repository and built in the DSL (text-based)
3. The design-time role can now be activated and becomes a runtime role
4. This runtime role can now be granted to a user by using the stored procedure "GRANT_ACTIVATED_ROLE"
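Added example (not part of the original slides and not SAP's own code): step 4 in SQL, as typed into hdbsql or the SAP HANA Studio SQL console, followed by two catalog checks that relate to the earlier "Directly to Users or via Role" slide. The role name acme.demo.roles::SalesAnalyst and the user DEMO_ANALYST are hypothetical; the role is assumed to be activated already and the user to exist.

```sql
-- Added example. Assumed (hypothetical) names:
--   role  acme.demo.roles::SalesAnalyst   design-time role, already activated
--   user  DEMO_ANALYST                    already present in the identity store
-- The user admin running this needs EXECUTE on the _SYS_REPO procedures used.

-- Step 4: grant the activated (runtime) role through the repository procedure.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('acme.demo.roles::SalesAnalyst', 'DEMO_ANALYST');

-- Check 1: the assignment exists and its grantor is _SYS_REPO,
-- not the individual admin who issued the call.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTEE = 'DEMO_ANALYST'
   AND ROLE_NAME = 'acme.demo.roles::SalesAnalyst';

-- Check 2: privileges granted directly to users instead of via a role.
-- Built-in accounts are excluded; every remaining row needs a justification
-- or should be moved into a role.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE GRANTEE_TYPE = 'USER'
   AND GRANTEE NOT IN ('SYS', 'SYSTEM', '_SYS_REPO')
 ORDER BY GRANTEE, OBJECT_TYPE, PRIVILEGE;

-- Check 3: role assignments that did not go through the repository procedure.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTEE_TYPE = 'USER'
   AND GRANTOR <> '_SYS_REPO'
 ORDER BY GRANTEE, ROLE_NAME;

-- Deprovisioning: activated roles are revoked with the matching procedure.
CALL "_SYS_REPO"."REVOKE_ACTIVATED_ROLE"('acme.demo.roles::SalesAnalyst', 'DEMO_ANALYST');
```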


Demo


HANA User Management
SAP Netweaver Identity Management Connector


IdM Connector for SAP HANA
Functionality 1/2

Functions | SAP Standard HANA Connector | Consulting Service

Provisioning
Create User with Password | Yes
Password notification | No | Yes
Creating User with different authentication methods (KERBEROS, SAML, X509) | No (with next SP) | Yes
Creating User with Session Client | No | Yes
Provisioning of HANA Roles | Yes
Provisioning of HANA Privileges | No (with next SP) | No

Deprovisioning
Deleting Users | Yes
Deprovisioning of HANA Roles | Yes

Modify
Changing of Authentication Method | No | Yes
Changing of parameters of the corresponding Authentication Method | No | Yes
Changing the Session Client | No | Yes
Lock and Unlock of Users | Yes


IdM Connector for SAP HANA
Functionality 2/2

Functions | SAP Standard | Consulting Service

Synchronisation with HANA
Loading of HANA Roles | Yes
Loading of HANA Privileges | No (with next SP) | No
Loading of Users | Yes
Mass Maintenances | No | Yes (On Basis of IdM RDS)
Reporting | No | Yes (On Basis of IdM RDS)
Managing of customer specific HANA Tables (e.g. ACL) | No | Yes (Requirements have to be clarified in the individual Project Scope)


HANA Access Management
SAP GRC Access Control


GRC for SAP HANA
What is different on pure HANA applications?

If you use Suite on HANA -> No change, as SU01 and PFCG care as before for non-DB related access and permissions

If you use XSE-based applications like analytical applications there are 2 things no longer there:


Examples for role provisioning and SOD analysis
Data Access (via Analytical Privileges)


Questions and answers

Questions


Thank you!
Contact information:

Christian Weide
Dipl.-Wirtsch.-Ing.
Technology Consultant | GRC / Security
SAP Deutschland AG & Co. KG | Albert-Einstein-Allee 3 | 64625 Bensheim | Germany
M +49 151 446 14 261 | F +49 6227 78-47741 | E [email protected]


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.