In this case study, we’ll take a look at E-Corporation, which has recently implemented an analytic solution within the SAP HANA platform.
The company has provisioned tables; loaded data with an extract, transform, and load (ETL) tool; and created a series of SAP HANA information views. The user community will primarily interact with the SAP HANA information views, which will be secured with an analytic privilege that limits data access by region. Each user will have her own logon to the SAP HANA system to accommodate the data security requirements. However, users will primarily access the data via SAP BusinessObjects Business Intelligence (BI). The SAP BusinessObjects BI system has been configured to support single sign-on (SSO) for the SAP HANA platform with Security Assertion Markup Language (SAML) authentication.
In addition to the privileges needed to secure access to the information views, the security model must support power user access, developer access, and security administrator access.
E-Corporation has contacted its lead SAP HANA security consultant and requested help in defining a security model to accommodate its security requirements. The consultant has determined that a series of repository roles will need to be defined. Let’s look further at the consultant’s decision-making process and the four repository roles recommended for this project.
The first repository role will provide a base level of access to SAP HANA information views. The name of the repository role will be consumer. This role will grant SELECT and EXECUTE access to the _SYS_BI schema, which is required because additional metadata is published to this schema. The role will also grant SELECT access to the design time calculation view e-corp.sales.models::SCV_CUSTOMER_SALES. Users will need to have SELECT access, at a minimum, to query the information views and metadata in the _SYS_BIC schema.
When you reference the design-time calculation view in the repository role, the system will automatically grant access to its corresponding column view in the _SYS_BIC schema. An analytic privilege will also be granted. The analytic privileges will limit the consumer’s access to a series of information views and will dynamically filter the results of the views so that each user will be limited to one or more sales regions based on his predetermined security profile.
Data consumers also need access to the SAP HANA Info Access service hosted in the SAP HANA XS platform. To use this service, these users are granted the role sap.bc.ina.service.v2.userRole::INA_USER. In addition, some consumers need the ability to change their passwords using a web interface hosted in the SAP HANA XS platform. The role sap.hana.xs.formLogin.profile::ProfileOwner must be granted to allow consumers access to this utility.
The figure below shows the configuration of the consumer repository role script, which in our example, contains two catalog schema privileges and one analytic privilege.
In addition to the standard users at E-Corporation, a small group of power users require unique permissions. These users need access the SAP HANA Web-Based Development Workbench to query information views and tables for debugging purposes. They’ll also need to access the SAP HANA packages to view the design-time versions of the SAP HANA information views. Therefore, they’ll need basic access to the SAP HANA repository. To accommodate this requirement, the security consultant recommends that an additional repository role named poweruser be created.
The poweruser repository role will be an extension of the consumer repository role, which means that power users will inherit all the privileges assigned to the consumer repository role. The poweruser repository role will grant access to the REPOSITORY_REST stored procedure, which is required to access the package hierarchy within SAP HANA. It will also grant SELECT access to the schemas housing the data used by the SAP HANA information views. Finally, it will grant REPO.READ access to the e-corp package, which will allow a power user the ability to view the configuration of each information view within the repository.
Below shows the configuration of the poweruser repository role script, which contains all the privileges necessary to accommodate the security requirements.
The developers at E-Corporation will require access to SAP HANA and the SAP HANA Web-Based Development Workbench. These users will be responsible for creating the development artifacts used by the analytic solution. At a high level, developers require the following privileges and accesses:
To accommodate these requirements, a repository role named developer will be created. The next figure shows the repository role script designed to accommodate E-Corporation’s requirements for developers.
Let’s look at how the developer repository role script shown above fulfills the requirements:
As you can see, developer requirements can be fulfilled by including a few existing roles and by specifying several specific privileges. Referencing existing roles is helpful by reducing redundancy within custom repository roles. These references also ensure that the developer role will inherit the same privileges as the lower-level power user and consumer roles. Two of the existing repository roles also provided application privileges specific to the SAP HANA Web-Based Development Workbench.
The final recommended repository role grants privileges to a select group of security administrators. This role must provide security administrators the ability to manage users, create repository roles, and grant permissions. The following figure shows the privileges and additional roles that will be assigned to the repository role named SecurityAdmin.
As described in the comments within the script, the security administrator role is an extension of the developer role and three additional XS engine application-specific roles. The applications in the XS engine provide interfaces useful in managing a security model. Three additional system privilege lines are included to grant user, role, and audit management. The catalog sql object lines grant EXECUTE privileges for a series of stored procedures necessary to grant and revoke privileges for objects owned by _SYS_REPO. Finally, the package security lines are included to provide exclusive access to the top-level package that will be used to store security-related development artifacts.
Once the repository roles are activated and assigned to the appropriate users, E-Corporation will have the makings of a sound security model. Because the company used repository roles, the model can easily be transported to other systems and managed using lifecycle management best practices. In addition, the _SYS_REPO system account will be the primary owner and grantor of the privileges.
To learn more about granting object privileges with repository roles, check out this post.
Editor’s note: This post has been adapted from a section of the book SAP HANA 2.0 Security Guide by Jonathan Haun.