Управление полномочиями для разработки в SAP HANA
Privilege management for SAP HANA programming

Today almost every SAP user faces SAP HANA, a database management system that’s also used as an environment for programming applications. But before you started coding applications or even writing simple queries to the database, you need to configure user access and determine the priveleges that are available to them.

In this article we don’t address specific security requirements because they vary from factory to factory. Here is just general information about working with priveleges – creating and assigning roles to users. This text is relevant for the SAP HANA Studio version In other versions there could be some differences but the general concept is the same.

Creating new user in SAP HANA

Let’s suppose that HANA Studio is already installed, configured, systems (landscapes) for programming are created.

First of all, you need to create a user account. To do this, select the system in which the user will be created. Select the Security folder in the directory tree and the Users object in the folder. In the context menu click on New User – this is the standard user. You can also select Restricted User – this user can not create objects, see data, and it connects only via HTTP.

In the opened window enter the user name in accordance with the orders of your organization. Next, you need to select the type of authentication. If you use a password, please, enter and confirm the initial password. It’s also possible to authenticate using Kerberos protocol, which matches identification in Windows Active Directory. To do this, specify the login, which will be authorized by the protocol.

The following screenshot shows that the user was created with the help of the Kerberos authentication option. The checked box opposite the SAML parameter means that the user is using the SAML certificate. With this certificate, a single sign-on technology is implemented, i.e. it allows you not to re-authenticate and use this account for several systems and software products. For example, in this way you can access SAP HANA and Business Object, the reporting tool. Configure the certificate using the Configure button:

It is assumed that when you configure systems the certificate has already been installed in the system. In the opened window press the Add button, select the required certificate from the list and click on the user for the target system – in this case Business Object:

Using the X.509 certificate is also possible. It is necessary for SAP HANA XS to access via HTTP. To use it you need to repeat actions similar to the SAML protocol.

After all these steps, you need to make activation:

The above actions must be repeated for the user in each system in which it is started.

Assigning privileges for SAP HANA users

The created account needs privileges to carry out a programming of full value. The default role when you’re creating a standard user is PUBLIC which provides read-only access:

Other roles are assigned as needed. Each role gives certain privilege to certain objects. If you take a specific role, it can have several types of privileges.

System Privileges – privileges for administration (creation and modification of schemes, monitoring, user management). For a regular user and for most developers this type of privilege is not required.

Object Privileges – privileges for a specific object (directory, schema, view, etc.). Below is an example of how a schema object is granted permission to just start a select operation:

Analytic Privileges – privileges to access data in a specific object. They are used when you need to delimit the uploaded data depending on the user’s role. Typically, analytical privileges are bound to a specific object, for example, to a view. In a general role, for example, analytical privileges are not added to the whole scheme, although this depends on the safety regulations adopted at the organization.

Package Privileges – privileges on packages (directories, folders) in which objects are located. For example, in a general role on a schema you can separate which packages the user will have access to and which options will be available at the same time. The example below shows that this role provides access to a list of packages, with the ability to read, edit, activate both for existing objects and for imported ones:

Application Privileges – privileges to use SAP HANA XS applications. In this case the application will be specified as an object.

Privileges on Users – privileges granted to a specific user. For example, this role is used to perform object debugging.

After creating a user account and determining the need for granted privileges, a role is created in accordance with enterprise security rules. To create a role you must select the Security folder in the selected system and select New Role in the context menu:

In the role creation menu you must specify the role name in accordance with the rules of your enterprise. Further, clicking the “plus” button in the relevant sections adds the necessary roles and privileges if you need. In this way you can create a so-called group role which includes several roles and a separate role for a particular object. After all selected objects the role must be activated.

You can assign the created role to the necessary user by opening the properties of the user account and pressing the “plus” in the assigned roles section by selecting the required from the list:

After all these steps have been completed, the user account is ready, a role is created and assigned to it. The user can already carry out coding in SAP HANA Studio, if, of course, he has been assigned the necessary roles. As soon as the programmer creates objects – for example, an analytical report for users – you will need to make roles for such an object. It will allow you to separate access to data that is downloaded from this report.

Creating roles for analytical privilege objects in SAP HANA

With a large number of users in different business areas and developments for them it may be necessary to share access, for example, to data or specific reports to maintain confidentiality. Let’s say that the analyst department, which deals with sales reports, does not need to know the data on salaries – they should only be seen by the accounting and personnel departments. Thus, it will be necessary to create at least two roles that separate these spheres. This can be done by storing procedures for extracting such data in two different directories which will be restricted in access to the execution of the created roles.

In the previous section a process was described, as a result of which there is a user account with the assigned role (for example, for a specific package with objects). However, while creating a report in the Business Object you may need to have the authority to the object (i.e. to a specific view) and access to certain data. In this case you can create an object role to restrict access to the object, also you may create an analytical privilege to limit the data.

Object role

Object role, as the name implies, is needed to provide access to a specific object. If you can create roles in the Security directory, the process has already been described above. A new role is created in the directory. The Object Privileges section lists the objects to which access will be granted. If it is a question of the Business Object report, then you can specify the report model in HANA and possible operations (in case of user access to the report only “select” is need).

There can be a situation when there is no possibility to create a role in the Security directory, for example, if the role is created by the programmer and only the administrator of the system has the privilege to create roles in this directory. In this case, the role is created in the repository, i.e. locally on your disk, and then transferred to a shared directory. If the repository is not in the section next to the systems, to open it you need to go to the Window section, then Show View – Other. In the window that appears you select the SAP HANA section and Repositories in it:

In the opened repository select the necessary system (at the first start HANA Studio will prompt you to select the disk space for local file storage). Next, create a role in the necessary directory – note that you should store the roles separately from other objects in a separate package. Right click on the package calls the context menu in which you should select New, then Other and in the opened window in the Database Development section you need to find the Role object.

Enter the name and select the Finish action. The created role will be opened in the working area of HANA Studio. The location of the role, the objects to be included in it and the allowable operations with them are specified in the role itself by SQL code:

After creating the role you must save and activate the role so that it is transferred from the repository to the system. The role is saved by click on the toolbar. Activation is performed by calling the right-click context menu on the object role that you want to activate.

Analytic Privilege

If the object role restricts access to a particular object then the analytic privilege limits a certain slice of the data. For example, the data is formed in the context of several departments of the enterprise. In this case it makes sense to split the output of the data in the report, depending on the user’s belonging to the department (this division depends on the security policy in the company).

The Classical Analytic Privileges parameter must be set on the SAP HANA model for the report. This means that the user will not be able to run the report to view the data if he does not have an analytical privilege on this report.

You can create an analytical privilege in the Systems section. To do this, you must select the system and the directory in which the object will be created. Right click on the directory calls the context menu, it selects the item New – Analytic Privilege. Enter the name and, if necessary, create the privilege as a copy of another privilege.

Next, in the Secured Models section you should specify the models required for the report in which the analytic privilege parameter is set (see above). In the Associated Attributes Restrictions section you may define fields for which the data section will be limited. In the Assign Restrictions section you can choose the values of the fields for which the data will be restricted. After all necessary actions make sure you save and activate the privilege.

The resulting privilege can be added to the role, and the role, in turn, can be assigned to the user. Thus, you have separated the access to the data.

The steps in this article show how roles are created and assigned to SAP HANA users. Creating roles, you can both grant access to certain objects (folders, systems, procedures, etc.) and restrict access to them or uploaded data. In a situation with a large number of users who can relate to different business areas, you will need to add each development to a certain role or group of roles and assign them to users.


Back to press center