Synchronization mechanisms between SAP BW and SAP HANA authorizations April 25 th, 2017 Christophe Decamps
What we will cover
- Introduction
- SAP Security and HANA
- Authorizations Scenarios
- SAP HANA Security: authorizations
- SAP HANA Security Administration
- SAP HANA Authorizations Replication Tools for BW
- SAP HANA Custom Replication Tool for BW
Introduction
SAP Authorizations: Roles (What? Where?)
[Figure: roles cover both DATA (what) and PROCESSES (where)]
SAP Security and HANA
Traditional stack: Client -> Application Server -> database. The application server provides authentication, authorization, the identity store, encryption and audit logging; the database only stores the data.
HANA stack: Client (SAP HANA Studio or a client application) -> SAP HANA DB. Authentication, the identity store, encryption, authorization and audit logging are provided by the database itself, and the XS Engine inside SAP HANA takes the role of the application server.
Security-relevant consequence: in the HANA stack the database is no longer shielded by an application server, so the HANA authorization model has to be as complete as the ABAP one.
Authorizations scenarios
1. Traditional DB migration to HANA: Client -> Application Server (e.g. ECC or BW) -> SAP HANA as the database. No changes to the security model.
2. Data mart (3-tier or 2-tier): source data is replicated from the Application Server (e.g. ECC or BW) into SAP HANA; ERP or BW data is reported directly in HANA, with direct user access to HANA. Modified security model.
3. Native 2-tier application: HANA acts as DB and application server, with direct user access to HANA. Integrated security model.
Authorizations approach
- ECC: transaction codes and authorization objects, bundled into single roles (SR) and composite roles (CR)
- BW: InfoProviders and BW Analysis Authorizations, bundled into single roles (SR) and composite roles (CR)
- HANA: privileges, bundled into roles
Goal: consistency of the roles across the three systems.
Authorizations: roles
HANA roles:
- A role hierarchy is possible: roles in roles in roles in roles is possible!
- The 2-layer model does not exist in HANA (no Composite Roles and Single Roles).
- Create a design like the 2-layer model to keep it clear.
Example of such a design:
- Function role "Edit & activate model", containing the task roles below
- Task role "Edit model": package privilege create / edit models; object privilege SELECT / UPDATE
- Task role "Activate model": package privilege activate; object privilege write runtime object
SAP HANA Privileges
- Application privilege: XS Engine applications (client side)
- Package privilege: repository packages
- Object privilege: tables / views
- Analytic privilege: row-level access to views
- System privilege: administrative actions on the SAP HANA system
Entities relations
- A role owns objects.
- A privilege is granted to a role; a role is granted to a user or to another role.
Attention: the action "grant" is also considered an object! A grant is owned by its creator (the grantor).
Best practice: put privileges into roles (Role <- Privilege) rather than granting them directly to users.
Repository vs Catalog concept
Repository (design time):
- Object definition (e.g. table definition), +/- DB definition
- Packages and subpackages, protected by package privileges
- Repository object types: data models (views), analytical privileges, repository roles
- Transportable (DEV, QA, PRD)
- Owner = technical user _SYS_REPO; when activated, the owner of the run-time object is _SYS_REPO
Catalog (run-time):
- Object (e.g. table), +/- DB content
- Not transportable
- Creator = user; if the creator is deleted, all linked objects are deleted
Authorizations entities: roles
REPOSITORY (design time) ROLES:
- Owner: _SYS_REPO
- Used with grant option for _SYS_REPO
- A grantor can grant/revoke all repository roles if he can execute the GRANT_ACTIVATED_ROLE stored procedure
- The grantor does not need to hold the privileges contained in the role, but _SYS_REPO does!!
- SoD possible between creation, ownership and granting
- Transportable (DEV, QA, PRD)
- Best practice
CATALOG (runtime) ROLES:
- Owner = creator; deleting the owner deletes the role
- Only the grantor can revoke the role; if the grantor is deleted, the privileges are revoked
- The grantor needs to hold the privilege (with grant option) to grant it to the role
- Privileges are transitive (removed from the grantor -> removed from the role)
- Not transportable
- Not recommended
Repository Role assignment
Design time: the repository role is created and activated.
Run-time: the activated role is owned by _SYS_REPO; it is assigned to users through the _SYS_REPO stored procedure (GRANT_ACTIVATED_ROLE), not with a plain GRANT.
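The SQL below is an added example and is not part of the original slides. It illustrates two of the points above in plain SQL: the two-layer (function role / task role) design built with nested roles, and the difference between granting a catalog role and granting an activated repository role through the _SYS_REPO procedure. All names are assumptions: the catalog roles ZHT_EDIT_MODEL, ZHT_ACTIVATE_MODEL and ZHF_EDIT_ACTIVATE_MODEL, the schema ZMODELS, the package sec.models, the activated repository role sec.roles::ZHF_EDIT_ACTIVATE_MODEL (assumed to exist already), the security administrator ZSECADMIN and the developer ZDEV01. The task roles are created as catalog roles only so that the nesting is visible in SQL; for productive use the slides recommend building the same roles in the repository.

```sql
-- Added example, not from the original slides. All object names are assumptions.

-- Task roles (layer 2), built as catalog roles here to show the nesting in SQL.
CREATE ROLE ZHT_EDIT_MODEL;
GRANT REPO.EDIT_NATIVE_OBJECTS ON "sec.models" TO ZHT_EDIT_MODEL;        -- package privilege: edit models
GRANT SELECT, UPDATE ON SCHEMA ZMODELS TO ZHT_EDIT_MODEL;                -- object privilege: select / update

CREATE ROLE ZHT_ACTIVATE_MODEL;
GRANT REPO.ACTIVATE_NATIVE_OBJECTS ON "sec.models" TO ZHT_ACTIVATE_MODEL; -- package privilege: activate

-- Function role (layer 1): HANA has no composite roles, so the task roles are nested.
CREATE ROLE ZHF_EDIT_ACTIVATE_MODEL;
GRANT ZHT_EDIT_MODEL, ZHT_ACTIVATE_MODEL TO ZHF_EDIT_ACTIVATE_MODEL;

-- Catalog role assignment: the grantor must hold every privilege inside the role
-- (with grant option), and the assignment dies with the grantor.
GRANT ZHF_EDIT_ACTIVATE_MODEL TO ZDEV01;

-- Repository role assignment: the activated role is owned by _SYS_REPO.
-- The security admin only needs EXECUTE on the two procedures, not the privileges in the role.
GRANT EXECUTE ON _SYS_REPO.GRANT_ACTIVATED_ROLE  TO ZSECADMIN;
GRANT EXECUTE ON _SYS_REPO.REVOKE_ACTIVATED_ROLE TO ZSECADMIN;

-- executed as ZSECADMIN:
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('sec.roles::ZHF_EDIT_ACTIVATE_MODEL', 'ZDEV01');

-- Check 1: the catalog role is owned by its creator, the repository role by _SYS_REPO.
SELECT ROLE_NAME, CREATOR
  FROM ROLES
 WHERE ROLE_NAME IN ('ZHF_EDIT_ACTIVATE_MODEL', 'sec.roles::ZHF_EDIT_ACTIVATE_MODEL');

-- Check 2: for the repository role _SYS_REPO is recorded as grantor, for the catalog role
-- the granting admin is, which is why deleting that admin revokes the catalog assignment.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE IN ('ZDEV01', 'ZHF_EDIT_ACTIVATE_MODEL');

-- Revocation of the repository role goes through the same procedure, regardless of
-- which administrator originally granted it.
CALL _SYS_REPO.REVOKE_ACTIVATED_ROLE('sec.roles::ZHF_EDIT_ACTIVATE_MODEL', 'ZDEV01');
```

The two SELECTs are the check a reviewer would run after a role migration: any productive role whose CREATOR is a named administrator rather than _SYS_REPO, or whose GRANTOR is a named administrator, carries the catalog-role risks listed above.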
SAP HANA Security Administration
Administration is done either with SAP HANA Studio (client admin, connecting directly to SAP HANA) or with the XS web interface (application admin, through the XS Engine in SAP HANA).
SAP HANA replication tools
When is it needed? When users connect directly to SAP HANA (source replication from the Application Server, e.g. ECC or BW, into SAP HANA) and must see exactly the data they are authorized for in the ABAP system.
- For BW authorizations: SAP HANA Model Generation, part of BW. It replicates ABAP authorizations (BW Analysis Authorizations) into HANA Analytic Privileges.
- For ECC authorizations: SAP HANA Live Analytics Authorization Assistant, an SAP HANA Studio add-on. It replicates ABAP PFCG authorizations into HANA Analytic Privileges.
SAP HANA Model Generation: prerequisite
The BW user has to have a DBMS user (SU01), or a user with the same name has to exist on the HANA side.
With transaction DBCO, create a connection with SAP<SID> to the underlying HANA database and assign this connection in the User DBMS System view (SM30 on table USR_DBMS_SYSTEM). After this, you can assign the DBMS user to the BW user in transaction SU01 on the DBMS tab. BW users can also be synchronized in mass using program RSUSR_DBMS_USERS.
SAP HANA Model Generation: prerequisite
[Screenshots: single user maintenance via the DBMS tab in SU01 and the resulting user in HANA; mass maintenance via RSUSR_DBMS_USERS and the resulting users in HANA]
SAP HANA Model Generation: settings
In transaction RS2HANA_VIEW, set the Content Package, the Assignment Type and the HANA User Mapping:
- Content Package: default = system-local.bw.bw2hana
- Assignment Type: D = direct assignment of the Analytic Privileges to the HANA user (default); R = assignment through roles (the HANA user gets the roles granted)
- HANA User Mapping: D = DBMS user maintained in SU01 (default); C = mapping to the HANA user with the same name
SAP HANA Model Generation: required object and package privileges
To be able to access the SAP HANA views generated from the BW system, the HANA user needs the following authorizations:
- Object privilege: SELECT on schema _SYS_BI
- Object privilege: EXECUTE on SYS.REPOSITORY_REST
- Package privilege: REPO.READ on the Content Package where the generated SAP HANA views are stored
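The following SQL is an added example, not taken from the slides, showing the three prerequisite grants and a query that verifies them from the HANA side. The user name ZBWUSER01 is an assumption; the package name is the default Content Package named on the settings slide. The grants are made directly to the user only to keep the example short; following the role slides earlier, in practice they belong in a repository role. The column filters in the check query assume the standard layout of the EFFECTIVE_PRIVILEGES system view (OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_VALID).

```sql
-- Added example, not from the original slides. ZBWUSER01 is an assumed DB user.

-- The three prerequisites for reading BW-generated views.
GRANT SELECT ON SCHEMA _SYS_BI TO ZBWUSER01;
GRANT EXECUTE ON SYS.REPOSITORY_REST TO ZBWUSER01;
GRANT REPO.READ ON "system-local.bw.bw2hana" TO ZBWUSER01;

-- Verification: EFFECTIVE_PRIVILEGES resolves direct grants and grants received
-- through (nested) roles, so this works whether the privileges were granted
-- directly, as above, or through a repository role.
-- Expected: exactly three rows, all with IS_VALID = 'TRUE'. A missing row means
-- the corresponding prerequisite is not met; IS_VALID = 'FALSE' means the grant
-- exists but its grantor has lost the privilege (the transitive revocation
-- problem of catalog grants).
SELECT USER_NAME, GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_VALID
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'ZBWUSER01'
   AND (   (PRIVILEGE = 'SELECT'    AND OBJECT_TYPE = 'SCHEMA' AND SCHEMA_NAME = '_SYS_BI')
        OR (PRIVILEGE = 'EXECUTE'   AND SCHEMA_NAME = 'SYS'    AND OBJECT_NAME = 'REPOSITORY_REST')
        OR (PRIVILEGE = 'REPO.READ' AND OBJECT_NAME = 'system-local.bw.bw2hana') )
 ORDER BY PRIVILEGE;
```

Run the SELECT for a handful of mapped BW users before switching on the generation; a user who passes it but still cannot query a generated view is missing the Analytic Privilege, not one of these three grants.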
SAP HANA Model Generation: check prerequisites
Transaction RS2HANA_CHECK allows you to check all prerequisites for a successful replication of BW authorizations to SAP HANA.
SAP HANA Model Generation: authorizations generation
Analytic privileges are created during BW object activation, after the view has been deployed, or by running the program RS2HANA_AUTH_RUN. The view itself is always generated for one privilege type, either XML-based or SQL-based analytic privileges. The required Analytic Privileges are derived from the existing BW Analysis Authorizations and assigned to a role that is created automatically and granted to the DB user.
If no BW Analysis Authorization exists, no Analytic Privileges are created and the HANA view cannot be queried at all, because an Analytic Privilege is always required to read it. The replication therefore fails closed: a user without a BW Analysis Authorization does not silently get unrestricted access in HANA.
SAP HANA Model Generation: results
[Screenshot of the generated views, analytic privileges and role in HANA]
SAP HANA Custom Replication Tool: problem
The standard replication tools do not work in the following scenario:
- ECC runs on HANA
- BW runs on a regular DB
- Direct reporting on the HANA DB (under ECC) is required, with the same access restrictions as in BW
Landscape: Clients -> ECC on SAP HANA; Clients -> BW on a regular DB; replication from ECC to BW. The BW Analysis Authorizations live in BW, but the data users report on directly lives in the HANA DB under ECC, which SAP HANA Model Generation does not cover.
SAP HANA Custom Replication Tool: solution
Create a custom program to:
- Replicate the BW authorization data (Analysis Authorizations and their assignments) to ECC tables
- Create or update in HANA: the users, the Analytic Privileges, and the assignment of Analytic and Object Privileges to the users
SAP HANA Custom Replication Tool: solution
The tool is accessible from ECC. [Screenshot of the custom program's selection screen]
Thanks for listening! Any questions? Christophe Decamps Senior Consultant Governance, Risk & Compliance +32 473 720 125 christophe.decamps@expertum.net www.expertum.net Inspire by Experience.