SAP HANA Content Security Roles Setup
A few months ago I was given the task of implementing content security in SAP HANA. The main purpose of this task was to
give business users access to the information models created in SAP HANA. For example, a Finance user should only see the finance
package and should be able to access the information models in that package through BI tools such as Analysis for Excel.
So, after some research and a few discussions with various people, I came up with the following security model.
Let's assume that content is maintained in the following structure:
So, based on each type of privilege, I created the roles shown below:
System Privilege Roles
These roles are mainly needed for system administration tasks (technical roles).
X_HNS = S for System Privilege role

Role Name | Description | Privilege Type | Assigned Privileges
X_HNS_USERADMIN | This role can create users, change their password and delete users | System Privilege | USER ADMIN
X_HNS_ROLEADMIN | This role can create roles, alter roles and drop roles with SQL commands | System Privilege | ROLE ADMIN
X_HNS_SYSADMIN | This role can administer the HANA system, alter system parameters and execute ALTER commands to change the system | System Privilege | INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, SERVICE ADMIN, SESSION ADMIN, TRACE ADMIN, AUDIT ADMIN
X_HNS_SYSMON | This role can change alerts, enable logging and view logs to monitor the system | System Privilege | CATALOG READ, MONITOR ADMIN
X_HNS_CONTENTADMIN | This role can create, alter, import, export and drop content | System Privilege | CREATE SCENARIO, CREATE STRUCTURED PRIVILEGE, REPO.EXPORT, REPO.IMPORT, REPO.MAINTAIN_DELIVERY_UNITS, REPO.WORK_IN_FOREIGN_WORKSPACE, STRUCTUREDPRIVILEGE ADMIN
X_HNS_DATAADMIN | This role can create schemas, import and export tables and drop tables | System Privilege | CATALOG READ, CREATE REMOTE SOURCE, CREATE SCHEMA, IMPORT, EXPORT
Object Privilege Roles
X_HNO = O for Object Privilege role

Role Name | Description | Privilege Type | Assigned Privileges
X_HNO_CONTENT_READ | This role gives read access to activated views | Object Privilege | _SYS_BI (SELECT, EXECUTE)
X_HNO_CONTENT_WRITE | This role gives write access to activated views and read access to the schema | Object Privilege | _SYS_BI (EXECUTE, SELECT, INSERT, UPDATE, DELETE); _SYS_BIC (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX)
X_HNO_CONTENT_LIST | | Object Privilege | REPOSITORY_REST (EXECUTE)
X_HNO_SCHEMA_READ | SCHEMA is replaced with the required schema name | Object Privilege | SCHEMA (SELECT)
X_HNO_SCHEMA_WRITE | SCHEMA is replaced with the required schema name | Object Privilege | SCHEMA (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX)
X_HNO_FI_CONTENT | | Object Privilege | _SYS_BIC.FI column views
X_HNO_CO_CONTENT | | Object Privilege | _SYS_BIC.CO column views
X_HNO_IM_CONTENT | | Object Privilege | _SYS_BIC.IM column views
X_HNO_LE_CONTENT | | Object Privilege | _SYS_BIC.LE column views
X_HNO_MM_CONTENT | | Object Privilege | _SYS_BIC.MM column views
X_HNO_PA_CONTENT | | Object Privilege | _SYS_BIC.PA column views
X_HNO_PU_CONTENT | | Object Privilege | _SYS_BIC.PU column views
X_HNO_SD_CONTENT | | Object Privilege | _SYS_BIC.SD column views
X_HNO_SP_CONTENT | | Object Privilege | _SYS_BIC.SP column views

Note on X_HNO_CONTENT_READ: you would only need _SYS_BIC (SELECT, EXECUTE) if you are using HANA Studio to access the views. Leaving it out for BI tools gives more security in terms of which activated views are displayed: access to _SYS_BIC at schema level provides access to all activated views, and therefore this model would be invalid. A separate role can be created for this privilege.
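The object privilege roles above in HANA SQL, as an added example that is not from the original post. The schema name ERPDATA, the column view "FI/CV_GL_BALANCE" and the role name X_HNO_BIC_STUDIO are constructed for illustration; everything else follows the table and the note on _SYS_BIC.

```sql
-- Object privilege roles of the X_HNO_* family (added example).
-- ERPDATA, FI/CV_GL_BALANCE and X_HNO_BIC_STUDIO are constructed names.

CREATE ROLE X_HNO_CONTENT_READ;
GRANT SELECT, EXECUTE ON SCHEMA _SYS_BI TO X_HNO_CONTENT_READ;
-- Deliberately no schema-wide grant on _SYS_BIC here: that would expose
-- every activated view and defeat the per-package model.

CREATE ROLE X_HNO_CONTENT_WRITE;
GRANT EXECUTE, SELECT, INSERT, UPDATE, DELETE ON SCHEMA _SYS_BI
   TO X_HNO_CONTENT_WRITE;
GRANT CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX
   ON SCHEMA _SYS_BIC TO X_HNO_CONTENT_WRITE;

CREATE ROLE X_HNO_CONTENT_LIST;
GRANT EXECUTE ON SYS.REPOSITORY_REST TO X_HNO_CONTENT_LIST;

-- SCHEMA_READ / SCHEMA_WRITE with "SCHEMA" replaced by the real schema name
CREATE ROLE X_HNO_ERPDATA_READ;
GRANT SELECT ON SCHEMA ERPDATA TO X_HNO_ERPDATA_READ;
CREATE ROLE X_HNO_ERPDATA_WRITE;
GRANT CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX
   ON SCHEMA ERPDATA TO X_HNO_ERPDATA_WRITE;

-- Per-package content role: SELECT on the activated column views of FI only,
-- one GRANT per view (view name is constructed)
CREATE ROLE X_HNO_FI_CONTENT;
GRANT SELECT ON "_SYS_BIC"."FI/CV_GL_BALANCE" TO X_HNO_FI_CONTENT;

-- Optional separate role for HANA Studio users, as the note above suggests;
-- it opens all activated views, so grant it to modelers only
CREATE ROLE X_HNO_BIC_STUDIO;
GRANT SELECT, EXECUTE ON SCHEMA _SYS_BIC TO X_HNO_BIC_STUDIO;

-- Control check: every grantee holding schema-wide SELECT/EXECUTE on _SYS_BIC.
-- Only X_HNO_CONTENT_WRITE and X_HNO_BIC_STUDIO should appear.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND PRIVILEGE IN ('SELECT', 'EXECUTE');
```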
Package Privilege Roles

Role Name | Description | Privilege Type | Assigned Privileges
X_HNP_FI_READ | This role gives read access to package FI | Package Privilege | REPO.READ on FI
X_HNP_IM_READ | This role gives read access to package IM | Package Privilege | REPO.READ on IM
X_HNP_LE_READ | This role gives read access to package LE | Package Privilege | REPO.READ on LE
X_HNP_MM_READ | This role gives read access to package MM | Package Privilege | REPO.READ on MM
X_HNP_PP_READ | This role gives read access to package PP | Package Privilege | REPO.READ on PP
X_HNP_PU_READ | This role gives read access to package PU | Package Privilege | REPO.READ on PU
X_HNP_SD_READ | This role gives read access to package SD | Package Privilege | REPO.READ on SD
X_HNP_SP_READ | This role gives read access to package SP | Package Privilege | REPO.READ on SP
X_HNP_CO_READ | This role gives read access to package CO | Package Privilege | REPO.READ on CO
X_HNP_PA_READ | This role gives read access to package PA | Package Privilege | REPO.READ on PA
X_HNP_ROOT_WRITE | This role gives edit access to ALL packages | Package Privilege | REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS, REPO.MAINTAIN_NATIVE_PACKAGES on ROOT
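The package privilege roles above in HANA SQL, as an added example that is not from the original post. It assumes the packages FI, CO and so on already exist at the top level of the repository, and uses ".REPO_PACKAGE_ROOT", the name under which the root package is addressed in GRANT statements.

```sql
-- Package privilege roles of the X_HNP_* family (added example).
-- Assumes the top-level packages FI, CO, ... already exist.
CREATE ROLE X_HNP_FI_READ;
GRANT REPO.READ ON "FI" TO X_HNP_FI_READ;

CREATE ROLE X_HNP_CO_READ;
GRANT REPO.READ ON "CO" TO X_HNP_CO_READ;
-- Repeat the same pair for IM, LE, MM, PP, PU, SD, SP and PA.

-- The root package is addressed as ".REPO_PACKAGE_ROOT". Privileges granted
-- here apply to every package beneath it, which is why this role belongs
-- to content developers only and never to a functional role.
CREATE ROLE X_HNP_ROOT_WRITE;
GRANT REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS,
      REPO.MAINTAIN_NATIVE_PACKAGES
   ON ".REPO_PACKAGE_ROOT" TO X_HNP_ROOT_WRITE;

-- Control check: every package privilege beyond REPO.READ, with the package
-- it was granted on. Inspect OBJECT_NAME for grants at the root; only
-- X_HNP_ROOT_WRITE should hold write/activate privileges there.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE LIKE 'REPO.%'
   AND PRIVILEGE <> 'REPO.READ'
 ORDER BY OBJECT_NAME, GRANTEE;
```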
Analytic Privilege Roles
There can be many analytic privileges assigned to a role. For example, I create one analytic privilege first and then
create a role for the department with this analytic privilege; more analytic privileges can be added to it in future. In our case, we are
not using the department analytic privileges, which means there are no attribute restrictions.
X_HND = D for Data level restriction

Analytic Privilege | Package | Content | Attribute Restrictions
X_HND_CO_AP1 | CO | Column views under _SYS_BIC.CO/ | NA
X_HND_FI_AP1 | FI | All column views under _SYS_BIC.FI/ | NA
X_HND_IM_AP1 | IM | Column views under _SYS_BIC.IM/ | NA
X_HND_LE_AP1 | LE | Column views under _SYS_BIC.LE/ | NA
X_HND_MM_AP1 | MM | Column views under _SYS_BIC.MM/ | NA
X_HND_PP_AP1 | PP | Column views under _SYS_BIC.PP/ | NA
X_HND_PA_AP1 | PA | Column views under _SYS_BIC.PA/ | NA
X_HND_PU_AP1 | PU | Column views under _SYS_BIC.PU/ | NA
X_HND_SD_AP1 | SD | Column views under _SYS_BIC.SD/ | NA
_SYS_BI_CP_ALL | ROOT | All column views under _SYS_BIC | No restrictions. Currently being used.
Now the Analytic Roles
X_HNA = A for Analytic Privilege roles

Role Name | Analytic Privilege
X_HNA_FI | X_HND_FI_AP1
X_HNA_IM | X_HND_IM_AP1
X_HNA_LE | X_HND_LE_AP1
X_HNA_CO | X_HND_CO_AP1
X_HNA_MM | X_HND_MM_AP1
X_HNA_PU | X_HND_PU_AP1
X_HNA_PP | X_HND_PP_AP1
X_HNA_PA | X_HND_PA_AP1
X_HNA_SD | X_HND_SD_AP1
X_HNA_ALL | _SYS_BI_CP_ALL (this is the only one currently being used)
Let's take a look at how we can use system privilege roles to create technical roles:
Technical Roles

Role Name | Description | Granted Roles
Y_HNT_SECURTY | Add/delete/edit users and assign other roles | X_HNS_USERADMIN, X_HNS_ROLEADMIN
Y_HNT_ADMINS | Perform admin tasks and security tasks | X_HNS_USERADMIN, X_HNS_ROLEADMIN, X_HNS_SYSADMIN, X_HNS_SYSMON, X_HNS_CONTENTADMIN, X_HNS_DATAADMIN
Y_HNT_CONTENT_DEVS | Create and activate information models in packages | X_HNS_CONTENTADMIN, X_HNO_SCHEMA_READ, X_HNO_CONTENT_WRITE, X_HNO_CONTENT_LIST, X_HNP_ROOT_WRITE, X_HNA_ALL
Now, let's take a look at a functional role example. In this example, Finance user A needs access to the FI package and its information
views. So, in this case, create a functional role for the Finance department and add user A to it.

Role Name | Granted Roles
Y_HNF_FI | X_HNO_CONTENT_READ, X_HNO_FI_CONTENT, X_HNP_FI_READ, X_HNA_ALL
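The analytic roles, the Y_HNT_SECURTY technical role and the Y_HNF_FI functional role above, assembled with HANA SQL and checked for user A, as an added example that is not from the original post. It assumes the X_HNS_*, X_HNO_* and X_HNP_* roles already exist, that the analytic privileges X_HND_FI_AP1 and _SYS_BI_CP_ALL have been created in the repository, and that USER_A and its initial password are constructed for this example.

```sql
-- Composite roles and user assignment (added example).
-- Assumes the X_ roles and the analytic privileges already exist;
-- USER_A and its password are constructed for this example.

-- Analytic privilege roles: an analytic privilege is granted to a role
-- as a structured privilege.
CREATE ROLE X_HNA_FI;
GRANT STRUCTURED PRIVILEGE "X_HND_FI_AP1" TO X_HNA_FI;
CREATE ROLE X_HNA_ALL;
GRANT STRUCTURED PRIVILEGE "_SYS_BI_CP_ALL" TO X_HNA_ALL;

-- Technical role: roles are granted to roles, so each X_ role stays reusable.
CREATE ROLE Y_HNT_SECURTY;
GRANT X_HNS_USERADMIN, X_HNS_ROLEADMIN TO Y_HNT_SECURTY;

-- Functional role for the Finance department.
CREATE ROLE Y_HNF_FI;
GRANT X_HNO_CONTENT_READ, X_HNO_FI_CONTENT, X_HNP_FI_READ, X_HNA_ALL
   TO Y_HNF_FI;

-- Business user A receives the functional role only, never an X_ role directly.
CREATE USER USER_A PASSWORD "Welcome1";
GRANT Y_HNF_FI TO USER_A;

-- Verify: all roles user A holds, directly or through nesting.
SELECT ROLE_NAME, GRANTEE
  FROM EFFECTIVE_ROLES
 WHERE USER_NAME = 'USER_A';

-- Verify: user A must not hold any schema-wide privilege on _SYS_BIC, which
-- would bypass the per-package views. Zero rows expected for every
-- functional user; a hit means an X_HNO_CONTENT_WRITE-style grant leaked in.
SELECT GRANTEE, PRIVILEGE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'USER_A'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC';
```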
In the same way we can create other functional roles depending on our requirements and then assign them to users. It is not
mandatory that everyone follows this way of setting up roles, but it can be used as a reference.