SAP HANA

SAP HANA Security: How to Grant Object Privileges with Repository Roles

Part of your SAP HANA security strategy should be granting objects explicit permissions to access only the data they should be accessing. One way you can grant these object privileges is through the SAP HANA Web-Based Development Workbench.

 

The SAP HANA Web-Based Development Workbench

The SAP HANA Web-Based Development Workbench editor, hosted within the XS engine, provides an interface that you can use to build and test development artifacts. From a security perspective, we can use this interface to create and manage repository-based roles.

 

This interface offers all the advantages of repository-based roles without the need to define those roles using scripts. The interface is not exclusive, meaning that you can edit repository-based roles created using scripts with the GUI interface, and you can edit a repository-based role’s scripts, those created using a GUI, in SAP HANA Studio. This flexibility allows the security administrator to manage the repository role using either interface.

 

How to Access the Development Workbench

You can access the SAP HANA Web-Based Development Workbench editor via a supported Internet browser. The following URLs can be customized to match the details of your environment:

 

http://sap-hana.myhost.com:8000/sap/hana/ide/editor

http://<sap_hana_host>:80<instance_number>/sap/hana/ide/editor

 

Replace <sap_hana_host> with the hostname of the SAP HANA system in your environment and <instance_number> with the two-digit instance number corresponding to your SAP HANA system.

 

For secure access, the following examples should help you construct the correct URL:

 

https://<sap_hana_host>:43<instance_number>/sap/hana/ide/editor 

https://sap-hana.myhost.com:4300/sap/hana/ide/editor

 

Granting Roles

To use the workbench and define a role, the user account first will need to be granted one of the roles listed below. Users only need one of the two roles to use the workbench.

 

Granting Roles
Granting Roles
Granting Roles

 

The SAP HANA Web-Based Development Workbench editor interface is very similar to the development areas within the Repositories tab of SAP HANA studio. The figure below shows the editor; on the left side, you’ll see a Content folder with the package hierarchy below it.

 

SAP HANA Web-Based Development Workbench Editor

 

As you expand the package hierarchy nodes, you’ll likely begin seeing development artifacts, depending on what’s available within your environment. To create a repository role, right-click the package where you want to store it and choose New > Role. A small window will appear asking for the Role Name.

 

After entering the name, click OK and a new tab-based window will appear on the right (see below). Click the Object Packages tab to manage object privileges. Select or add a catalog object to manage its privileges.

 

Managing Object Privileges

 

To grant catalog object privileges, on the right side of the tab under the section labeled Privileges, select the checkbox next to each privilege name. Items that are checked will be granted; those unchecked won’t be granted. When finished, click the Save All icon to save and activate the repository role. Security administrators won’t be able to grant this repository role to other user or roles.

 

Conclusion

Users that want to provide SAP HANA security but also want to avoid using SQL to grant catalog privileges or scripts to define catalog privileges in a repository role will find the SAP HANA Web-Based Development Workbench very useful. The GUI is very easy to use and decouples the security developer from the need to memorize SQL statements or script syntax.

 

Learn more about SAP security here.

 

Editor’s note: This post has been adapted from a section of the book SAP HANA Security Guide by Jonathan Haun.

Recommendation

SAP HANA Security Guide
SAP HANA Security Guide

How do you protect and defend your SAP HANA database and application development platform? This comprehensive guide details your options, including privileges, encryption, and more. Learn how to secure database objects, provision and maintain user accounts, and develop and assign roles. Then take an in-depth look at authentication and certificate management before seeing how to enable auditing and security tracing. Protect your SAP HANA system!

Learn More
SAP PRESS
by SAP PRESS

SAP PRESS is the world's leading SAP publisher, with books on ABAP, SAP S/4HANA, SAP C/4HANA, SAP Leonardo, SAP Cloud Platform, and more!

Comments

Latest Blogs