April 26th, 2016
SAP Hana security & authorization
What we will cover
1. SAP HANA, Powered by HANA & S/4 HANA
2. Security Architecture & Authorization Scenarios
3. SAP HANA Security Functions (overview)
4. Authorization Concept
5. Security Administration
6. Tools to replicate authorizations
7. Tips & Tricks
SAP HANA, Business Suite or BW powered by HANA & S/4 HANA
Traditional Security Architecture
[Diagram labels: Client, Application Server, Application, Authentication, Authorization, Encryption, Audit Logging, Identity Store, DB]
HANA Security Architecture
[Diagram, "Traditional" panel: Client, Application Server, Application, Authentication, Authorization, Encryption, Audit Logging, Identity Store, DB]
[Diagram, "HANA" panel: Client, SAP HANA Studio (admin & dev), Application Server, SAP HANA, XS Engine, Application, Authentication, Authorization, Encryption, Audit Logging, Identity Store]
Integrative Authorization Scenarios
Traditional
• DB migration to HANA
No changes to security model
Data mart (3-tier or 2-tier)
• Reporting ERP or BW data in HANA
• Direct user access to HANA
Modified security model
Native 2-tier application
• HANA acts as DB & Application Server
• Direct user access to HANA
Integrated security model
[Diagram labels: Client, Application Server (e.g. ECC or BW), Source, replication, SAP HANA]
SAP HANA Security Functions (overview)
[Diagram labels: SAP HANA, XS Engine, Application, Identity Store, Authentication, Authorization, Encryption, Audit Logging]
Authorization Entities
Goal
• Create user
• Manage users
• Assign security
User
• Person accessing the system
Role
• Collection of privileges
• Granted to user or another role
Privilege
• Restrict operations on objects
Object
• E.g. a table, a view, …
• Particular object: stored procedure
Authorization Entities
Stored procedure
• SQL statement
• Standard behaviour: invoker authorizations checked
• Definer behaviour: creator authorizations checked
• Best practice: control who can create stored procedure in definer behaviour
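The two behaviours side by side, followed by catalog queries that support the best practice above. This is an added example in SAP HANA SQL, not code from the slides; the schema DEMO, the table DEMO.SALARIES and both procedure names are hypothetical.

```sql
-- Added example. DEMO, DEMO.SALARIES and the procedure names are hypothetical.

-- Invoker behaviour: the caller's own privileges are checked at run time,
-- so the caller still needs SELECT on DEMO.SALARIES.
CREATE PROCEDURE DEMO.READ_SALARIES_INVOKER
  LANGUAGE SQLSCRIPT SQL SECURITY INVOKER READS SQL DATA AS
BEGIN
  SELECT EMPLOYEE_ID, SALARY FROM DEMO.SALARIES;
END;

-- Definer behaviour: the creator's privileges are checked, so EXECUTE on
-- the procedure is enough to read the table through it.
CREATE PROCEDURE DEMO.READ_SALARIES_DEFINER
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
  SELECT EMPLOYEE_ID, SALARY FROM DEMO.SALARIES;
END;

-- Review 1: definer-mode procedures outside the SYS and _SYS* schemas.
SELECT SCHEMA_NAME, PROCEDURE_NAME, SQL_SECURITY
  FROM SYS.PROCEDURES
 WHERE SQL_SECURITY = 'DEFINER'
   AND SCHEMA_NAME <> 'SYS'
   AND SCHEMA_NAME NOT LIKE '\_SYS%' ESCAPE '\'
 ORDER BY SCHEMA_NAME, PROCEDURE_NAME;

-- Review 2: who holds EXECUTE on those procedures (object-level grants;
-- schema-level EXECUTE appears with OBJECT_TYPE = 'SCHEMA' instead).
SELECT p.SCHEMA_NAME, p.PROCEDURE_NAME, g.GRANTEE, g.GRANTEE_TYPE, g.GRANTOR
  FROM SYS.PROCEDURES p
  JOIN SYS.GRANTED_PRIVILEGES g
    ON g.OBJECT_TYPE = 'PROCEDURE'
   AND g.SCHEMA_NAME = p.SCHEMA_NAME
   AND g.OBJECT_NAME = p.PROCEDURE_NAME
 WHERE p.SQL_SECURITY = 'DEFINER'
   AND g.PRIVILEGE = 'EXECUTE';

-- Review 3: who can create objects, procedures included, in which schema
-- (schema owners can do so without an explicit grant).
SELECT GRANTEE, GRANTEE_TYPE, SCHEMA_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND PRIVILEGE = 'CREATE ANY';
```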
Entities relations
[Diagram labels: Role, Privilege, Object, "owns", "granted to", "Best practice"]
Attention
• The action “grant” is also considered an object!
  A “grant” is owned by its creator.
Repository vs Catalog (2 ways of working)
Repository: object definition (e.g. table def.)
• Store for design-time
• Owner: _SYS_REPO
• When activated, owner of run-time object = _SYS_REPO
Catalog: object (e.g. table)
• Run-time
Repository vs Catalog (2 ways of working)
Repository: object definition (e.g. table def.)
• +/- DB definition
Design time
• Packages & subpackages
• Package privilege
• Rep. object type:
  data models (views)
  analytical privileges
  repository roles
• Transportable (DEV, QA, PRD)
• Owner = technical user _SYS_REPO
• When activated, owner of run-time object = _SYS_REPO
Catalog: object (e.g. table)
• +/- DB content
Run-time object
• Not transportable
• Creator = user
• Creator deleted -> all linked objects deleted
Authorization Entities: user
User type
• DB users
  real user
  deletable
  all “owned” objects deleted
  all privileges “they granted” deleted
• Internal DB users
  not real user
  not deleted
  for most: no logon possible
  for admin tasks
  E.g. technical user _SYS_REPO
Authorization Entities: user
Single user maintenance
• Create 1 user directly in HANA
  attention: no first name, last name, department, function, … !
  only user id & email address
Authorization Entities: user
Single user maintenance
• Replication from ABAP user to HANA user
• Maintenance of DBMS (database management system) users in SU01
  create / delete a DBMS user
  delete the assigned DBMS user when ABAP user is deleted
Authorization Entities: user
Single user maintenance
Result in HANA:
Authorization Entities: user
User mass maintenance
• Via: ABAP program RSUSR_DBMS_USERS
  mass mapping of ABAP users to DBMS users.
  if DBMS user does not exist -> will be created in the DB system.
  assign or unassign DBMS Roles to/from DBMS users.
Authorization Entities: user
User mass maintenance
• Other solutions:
  via tools (IDM, …)
  via own automation (SQL script)
Authorization Entities: role
Repository roles (Best practice)
• Transportable (DEV, QA, PRD)
• No need to have the privilege to grant it to the role
• Grantor can grant/revoke all roles if he can execute the “Grant Activated Role” stored procedure
  Use “with grant option” for _SYS_REPO
  SOD possible between creation, ownership & granting
Catalog roles (Not recommended)
• Not transportable
• Need to have the privilege to grant it to the role
• Only grantor can revoke role
  Privileges are transitive (removed from grantor -> removed from role)
  If grantor is deleted -> privileges are revoked
Authorization Entities: role (assignment)
[Diagram labels: User, Role, Repository, Catalog, Role (origin: catalog); legend "Best practice" / "Not recommended"]
Authorization Entities: role (assignment)
[Diagram labels: User, Role, Repository, Catalog, Role (origin: repository), "activate", _SYS_REPO "own", owner = _SYS_REPO, stored procedure (via “Granted Roles”); legend "Best practice" / "Not recommended"]
Authorization Entities: role (assignment)
[Diagram labels: Role, stored procedure, execution]
Authorization Entities: privilege (overview)
[Diagram labels: Client, SAP HANA, XS Engine, Application, table, view, package]
• Application privilege
• Object privilege
• Analytic privilege
• Package privilege
• System privilege
Authorization Entities: privilege (overview)
• Object Privilege: SQL statements on DB objects
• System Privilege: Admin tasks
• Analytic Privilege: Provide row-level authorizations
• Package Privilege: Access & use of packages in repositories
• Application Privilege: HANA applications (XS engine)
Authorization Entities: privilege (system priv.)
System Privilege
• System-wide privilege
• Cannot be created or changed
• Authorize user for admin tasks:
  Users & roles mngt
  Catalog & repository mngt
  Auditing
  System mngt
  Data import/export
Authorization Entities: privilege (application priv.)
Application Privilege
• Grant access to HANA based applications
  e.g. to access the Web IDE interface application (sap.hana.xs.ide)
• Used by HANA application developers
Authorization Entities: privilege (package priv.)
Package Privilege
• Only for developers & modelers
• Access & use of packages in the repository
• Hierarchical access to packages & corresponding sub-packages
• Packages contain objects such as:
  object privileges
  HANA views
  …
Authorization Entities: privilege (object priv.)
Object Privilege
• Are linked to an object
• Restrict access on DB objects (e.g. table, view)
• Actions:
  select
  update / create
  delete
  …
Authorization Entities: privilege (analytic priv.)
Analytic Privilege
• Control access to data with row-level authorization
• Dynamic analytic privilege can be created
Authorization Entities: privilege (analytic priv.)
Dynamic analytic privilege
Table “User_Region”:
User_Name   Region    Position
User1       America   Manager
User2       Asia      Employee
User3       Europe    Manager
SQL dynamic analytic privilege:
Authorization Entities: privilege (analytic priv.)
Dynamic analytic privilege
Assign the dynamic procedure to the analytic privilege:
Authorization Entities: privilege (analytic priv.)
Analytic Privilege
• Dynamic analytic privilege
  ease of maintenance
  filter obtained from a stored procedure with a complex logic
  e.g. check user’s region from a table
[Diagram labels: user 1, user 2, user 3; View; dynamic privilege; user 1 restrictions, user 2 restrictions, user 3 restrictions]
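A dynamic analytic privilege driven by the “User_Region” table, with a query that restores the transparency the dynamic filter hides. This is an added example in SAP HANA SQL, not the SQL from the slides; DEMO, DEMO.SALES, DEMO.SALES_V, DEMO.REGION_FILTER, AP_SALES_BY_REGION and the grantee USER1 are hypothetical. It assumes that an error raised by the filter procedure results in the query being rejected.

```sql
-- Added example. All DEMO objects, AP_SALES_BY_REGION and USER1 are hypothetical.
-- Mapping table as on the slide (rows constructed from the slide's sample).
CREATE COLUMN TABLE DEMO."User_Region" (
  "User_Name" NVARCHAR(256), "Region" NVARCHAR(100), "Position" NVARCHAR(100));
INSERT INTO DEMO."User_Region" VALUES ('User1', 'America', 'Manager');
INSERT INTO DEMO."User_Region" VALUES ('User2', 'Asia', 'Employee');
INSERT INTO DEMO."User_Region" VALUES ('User3', 'Europe', 'Manager');

-- Filter provider: definer mode, read-only, no input, one string output.
CREATE PROCEDURE DEMO.REGION_FILTER (OUT OUT_FILTER NVARCHAR(5000))
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
  DECLARE v_regions NVARCHAR(4000);
  -- Quote every value and double embedded quotes, so that table content
  -- can never change the shape of the generated filter.
  SELECT STRING_AGG('''' || REPLACE("Region", '''', '''''') || '''', ', ')
    INTO v_regions
    FROM DEMO."User_Region"
   WHERE UPPER("User_Name") = SESSION_USER;
  -- No mapping row: raise an error rather than emit an open or broken filter
  -- (assumption: the failing provider causes the query to be rejected).
  IF :v_regions IS NULL THEN
    SIGNAL SQL_ERROR_CODE 10001
      SET MESSAGE_TEXT = 'No region mapping for session user';
  END IF;
  OUT_FILTER := '"REGION" IN (' || :v_regions || ')';
END;

-- View that enforces analytic privileges, and the privilege bound to the provider.
-- DEMO.SALES is assumed to exist with columns REGION and AMOUNT.
CREATE VIEW DEMO.SALES_V AS
  SELECT REGION, AMOUNT FROM DEMO.SALES
  WITH STRUCTURED PRIVILEGE CHECK;
CREATE STRUCTURED PRIVILEGE AP_SALES_BY_REGION
  FOR SELECT ON DEMO.SALES_V CONDITION PROVIDER DEMO.REGION_FILTER;
GRANT SELECT ON DEMO.SALES_V TO USER1;                   -- object privilege
GRANT STRUCTURED PRIVILEGE AP_SALES_BY_REGION TO USER1;  -- row-level filter

-- Transparency check: resolve the regions each database user would get.
SELECT u.USER_NAME,
       COALESCE(STRING_AGG(r."Region", ', '), '<no mapping>') AS EFFECTIVE_REGIONS
  FROM SYS.USERS u
  LEFT JOIN DEMO."User_Region" r ON UPPER(r."User_Name") = u.USER_NAME
 GROUP BY u.USER_NAME
 ORDER BY u.USER_NAME;
```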
Authorization Entities: privilege (summary)
Access a table/view via object privilege
Access a row via analytic privilege
Access a specific column via a created view
1 displayed view = object priv (access to the table/view) + analytic priv (filters for that table)
Security Administration
2 possibilities: SAP HANA Studio or XS Web Interface
[Diagram labels: Admin, SAP HANA Studio, Client, SAP HANA, XS Engine, Application; Repository (Design-time), Catalog (Run-time)]
Security Administration (role: repository vs catalog)
[Diagram, role creation: SAP HANA Studio, XS Web Interface, SAP HANA, Repository, Catalog; legend "Best practice" / "Not recommended"]
Security Administration (user: repository vs catalog)
[Diagram, user creation: SAP HANA Studio, XS Web Interface, SAP HANA, Repository (Design-time), Catalog (Run-time); legend "Best practice" / "Not recommended"]
Security Administration (role assignment: repository vs catalog)
[Diagram, role assignment: SAP HANA Studio, XS Web Interface, SAP HANA, Repository (Design-time), Catalog (Run-time); legend "Best practice" / "Not recommended"]
Tools to replicate authorizations
When is it needed ?
• When there is a direct connection to SAP HANA
For BW authorizations:
• SAP HANA Model Generation
part of BW
replicate ABAP authorizations (BW Analysis Authorizations) in HANA Analytic Privileges
o generate analytic priv.
o update analytic priv.
Tools to replicate authorizations
For ECC authorizations:
• SAP HANA Live Authorization Assistant
SAP HANA Studio add-on
replicate ABAP PFCG authorizations in HANA Privileges
o generate analytic priv.
o update analytic priv.
Attention!
SAP HANA privileges are less granular than authorizations in the application layer;
therefore, not all BW/ECC authorizations are supported in HANA.
Tools to replicate authorizations
Impact to GRC
• In GRC user provisioning flow
  if no replication, use Business Roles in GRC
• HANA rule set in GRC
  limited to IT maintenance & development*
[Diagram, replication scenario: GRC, BW, HANA; Composite Role, assigned; corresponding HANA roles, assigned]
[Diagram, no replication scenario: GRC, BW, HANA; Business Role; Single roles; BW Composite roles; HANA roles; assigned]
Tips & tricks:
• Create roles in design-time (repository roles).
• Ensure you are in the repository when working with the HANA Studio or the XS Web Interface for role creation.
• Transfer ownership of everything you have created in the repository to _SYS_REPO to avoid issues if your user is deleted.
• Transport roles from DEV to QA & PRD and activate them on each system so that _SYS_REPO is the owner of the run-time roles.
• Assign roles via “Granted Roles” (executing the stored procedure via user _SYS_REPO).
• Control who can create stored procedures in definer behaviour to mitigate the risk of abuse.
• Create a design similar to the 2-layer model to keep it clear.
• Even if there is no limit on the number of privileges assigned (unlike ECC, with its maximum of 312 profiles), be logical in grouping the views.
• SAP template roles are too wide. Create custom roles instead.
• Restrict modellers' access to only the packages they need.
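Assigning a repository role through _SYS_REPO, with review queries for the catalog-style roles and grants the tips advise against. This is an added example in SAP HANA SQL, not code from the slides; the role demo.security::reporting_user and the user REPORT_USER1 are hypothetical.

```sql
-- Added example. Role demo.security::reporting_user and user REPORT_USER1
-- are hypothetical.

-- Grant and revoke an activated repository role through the _SYS_REPO
-- procedures, so that the grantor is _SYS_REPO and not a personal user.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('demo.security::reporting_user', 'REPORT_USER1');
CALL "_SYS_REPO"."REVOKE_ACTIVATED_ROLE"('demo.security::reporting_user', 'REPORT_USER1');

-- Review 1: roles created directly in the catalog (creator is not _SYS_REPO).
-- Roles delivered with the database show up under SYS or SYSTEM.
SELECT ROLE_NAME, CREATOR
  FROM SYS.ROLES
 WHERE CREATOR <> '_SYS_REPO'
 ORDER BY CREATOR, ROLE_NAME;

-- Review 2: role grants that depend on a grantor other than _SYS_REPO.
-- These are the grants that disappear if the grantor is deleted.
SELECT GRANTOR, ROLE_NAME, GRANTEE, GRANTEE_TYPE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTOR NOT IN ('_SYS_REPO', 'SYS')
 ORDER BY GRANTOR, ROLE_NAME, GRANTEE;

-- Review 3: who is able to assign activated roles at all.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE SCHEMA_NAME = '_SYS_REPO'
   AND OBJECT_NAME IN ('GRANT_ACTIVATED_ROLE', 'REVOKE_ACTIVATED_ROLE')
   AND PRIVILEGE = 'EXECUTE'
 ORDER BY GRANTEE;
```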
Tips & tricks:
• System privileges cannot be created/changed. Use stored procedures for a more granular approach.
• Ensure the new custom XS HANA applications created by developers are secured to avoid exposing the DB.
• If the user does not have full access to a view, the user will see partial data (only authorized data), unlike BI, where the user gets no results in that case.
• If a filter is applied to 1 view in an analytical privilege, it will apply to all views in the analytical privilege.
• Dynamic analytic privileges can be used for ease of maintenance, but be aware that they reduce transparency in authorizations!
• Use a tool to replicate BW & ECC authorizations to HANA authorizations.
• Note that the HANA rule set in GRC is limited to IT maintenance & development.
Tips & tricks
Don’t forget the important Security Notes:
• 2197397: SAP HANA Extended Application Services (XS) has a Buffer Overflow vulnerability.
• 2197428: Potential remote code execution in HANA.
• 2197459: Potential log injection vulnerability in SAP HANA audit log.
• …
www.expertum.net
Inspire by Experience.
Christophe Decamps
Consultant
Governance, Risk & Compliance
+32 473 720 125
Thanks for listening! Any questions?