Part of your SAP HANA security strategy should be granting objects explicit permissions to access only the data they should be accessing. One way you can grant these object privileges is through the SAP HANA Web-Based Development Workbench.
The SAP HANA Web-Based Development Workbench editor, hosted within the XS engine, provides an interface that you can use to build and test development artifacts. From a security perspective, we can use this interface to create and manage repository-based roles.
This interface offers all the advantages of repository-based roles without the need to define those roles using scripts. The interface is not exclusive: you can use the GUI to edit repository-based roles that were created using scripts, and you can use SAP HANA Studio to edit the scripts of repository-based roles that were created using the GUI. This flexibility allows the security administrator to manage the repository role using either interface.
You can access the SAP HANA Web-Based Development Workbench editor via a supported Internet browser. The following URLs can be customized to match the details of your environment:
http://sap-hana.myhost.com:8000/sap/hana/ide/editor
http://<sap_hana_host>:80<instance_number>/sap/hana/ide/editor
Replace <sap_hana_host> with the hostname of the SAP HANA system in your environment and <instance_number> with the two-digit instance number corresponding to your SAP HANA system.
For secure access, the following examples should help you construct the correct URL:
https://<sap_hana_host>:43<instance_number>/sap/hana/ide/editor
https://sap-hana.myhost.com:4300/sap/hana/ide/editor
To use the workbench and define a role, the user account must first be granted one of the roles listed below. Users only need one of the two roles to use the workbench.
The SAP HANA Web-Based Development Workbench editor interface is very similar to the development areas within the Repositories tab of SAP HANA studio. The figure below shows the editor; on the left side, you’ll see a Content folder with the package hierarchy below it.
As you expand the package hierarchy nodes, you’ll likely begin seeing development artifacts, depending on what’s available within your environment. To create a repository role, right-click the package where you want to store it and choose New > Role. A small window will appear asking for the Role Name.
After entering the name, click OK and a new tab-based window will appear on the right (see below). Click the Object Packages tab to manage object privileges. Select or add a catalog object to manage its privileges.
To grant catalog object privileges, on the right side of the tab under the section labeled Privileges, select the checkbox next to each privilege name. Items that are checked will be granted; those unchecked won’t be granted. When finished, click the Save All icon to save and activate the repository role. Security administrators won’t be able to grant this repository role to other users or roles.
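After activation, you can confirm from the catalog that the role carries only the privileges you checked in the workbench. The SQL below is an added example, not taken from the book; the role name security.roles::SALES_READER is a hypothetical placeholder for the role you saved.

```sql
-- Added example: review the catalog object privileges carried by an activated
-- repository role. 'security.roles::SALES_READER' is a hypothetical role name
-- in package::role form; substitute the role you saved in the workbench.

-- 1. Confirm the role exists and see who created it
--    (activated repository roles are created by _SYS_REPO).
SELECT ROLE_NAME, CREATOR
FROM SYS.ROLES
WHERE ROLE_NAME = 'security.roles::SALES_READER';

-- 2. List every catalog object privilege on the role and classify it, so that
--    write, structural, schema-wide, or grantable privileges stand out.
SELECT
    gp.SCHEMA_NAME,
    gp.OBJECT_NAME,
    gp.OBJECT_TYPE,
    gp.PRIVILEGE,
    gp.GRANTOR,
    gp.IS_GRANTABLE,
    CASE
        WHEN gp.PRIVILEGE IN ('SELECT', 'EXECUTE')          THEN 'read/execute'
        WHEN gp.PRIVILEGE IN ('INSERT', 'UPDATE', 'DELETE') THEN 'data change'
        ELSE 'structural (review)'
    END AS PRIVILEGE_CLASS,
    CASE
        WHEN gp.OBJECT_TYPE = 'SCHEMA' THEN 'whole schema'
        ELSE 'single object'
    END AS PRIVILEGE_SCOPE
FROM SYS.GRANTED_PRIVILEGES gp
WHERE gp.GRANTEE = 'security.roles::SALES_READER'
  AND gp.GRANTEE_TYPE = 'ROLE'
  AND gp.SCHEMA_NAME IS NOT NULL   -- keep catalog object privileges only
ORDER BY gp.SCHEMA_NAME, gp.OBJECT_NAME, gp.PRIVILEGE;
```

Each row should correspond to a checkbox you selected on the role's privileges tab; a row you did not intend means the role grants more than it should.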
Users that want to provide SAP HANA security but also want to avoid using SQL to grant catalog privileges or scripts to define catalog privileges in a repository role will find the SAP HANA Web-Based Development Workbench very useful. The GUI is very easy to use and decouples the security developer from the need to memorize SQL statements or script syntax.
Editor’s note: This post has been adapted from a section of the book SAP HANA 2.0 Security Guide by Jonathan Haun.