
SAP HANA Security – User Management

Legal disclaimer

This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this
presentation or to develop or release any functionality mentioned in this
presentation. This presentation and SAP's strategy and possible future
developments are subject to change and may be changed by SAP at any time for
any reason without notice. This document is provided without a warranty of any
kind, either express or implied, including but not limited to, the implied warranties of
merchantability, fitness for a particular purpose, or non-infringement. SAP assumes
no responsibility for errors or omissions in this document, except if such damages
were caused by SAP intentionally or grossly negligent.

© 2011 SAP AG. All rights reserved. 2


Agenda

HANA use cases / Impacts on Security Setup

Authentication

Authorization

Auditing

Network Security

Details HANA Data Mart <-> BI Integration



IT-Systems with SAP HANA
With or without application server?

SAP HANA without Application Server
Relevant for Security Implementation within SAP HANA

- Data Marts with SAP HANA: BI Tools access the SAP HANA Appliance either through BI 4.0 (Semantic Layer, optional) or via direct access
- Applications on top of SAP HANA: a stand-alone application using HANA as database

Diagram: SAP HANA Appliance containing the SAP HANA Database, with HANA Data Models (Calculation Engine, OLAP Engine), the SAP HANA Engine and the Database Tables.

SAP HANA with Application Server
Mainly Not Relevant for Security within SAP HANA

- Accelerator Scenarios: an SAP Application Server (e.g. COPA Application) with aggregation levels and a read interface keeps its primary DB connection to the traditional database and opens a secondary DB connection to the SAP HANA Database (read / write)
- HANA as Database in App Server: an Application Server (e.g. SAP NetWeaver BW 7.3) with a read / write connection to the SAP HANA Database

Diagram: SAP HANA Database with Calculation Engine, OLAP Engine, SAP HANA Engine and Database Tables.

User Management
User Management, Authentication

User management in SAP HANA Database:
- Creation of users
- Authentication
- User-specific parameters
- Lock users
- Password policy
- Integration with BI

Authorization:
- Object-level
- Row-level security



Creating named users

Creating user accounts
- Named accounts in the database
- Creation via SAP HANA Studio, via SQL syntax, or via SAP NetWeaver Identity Management (version 7.2 SP 3)
- No replication of existing authorizations from source systems

Authentication
- Name / password: password management via SAP HANA Studio or via SQL
- Kerberos authentication: based on certificates; enables SSO authentication
- SAML (as of SPS 4)



Integration HANA, IDM, LDAP and BOE

Connector SAP IDM <-> SAP HANA
- As of SAP IDM 7.2 SP 3
- Using SQL Interface in HANA
- Create / delete users
- Create / delete roles
- Grant / revoke roles
- Change passwords

Authentication BOE <-> HANA
- Up to recently: name / password
- Using "Credential Mapping"
- Duplicate maintenance of user accounts
- As of BI 4.0 FP 3: Kerberos integration

Diagram: SAP IDM is the central repository for user accounts and pushes accounts into the SAP HANA Database user store; Active Directory / LDAP accounts are imported into the BOE Server user store (BI 4.0 FP 3); the BOE Server authenticates against the SAP HANA Database via Kerberos.



Authentication via Kerberos

Diagram: Kerberos Domain Controller, SAP HANA Server and End user.
- User logs on and receives ticket
- User starts application (e.g. Analysis for Office); authentication via domain controller



Passwords and Authorization

Password-Policy in SAP HANA
Features:
- Minimal length; required character groups
- Password life time
- Lock / unlock users
- …

Concept of roles in SAP HANA
- Creating roles: grouping individual privileges into roles; create hierarchies of roles
- Granting roles: direct granting via SQL / SAP HANA Studio, or via SAP NetWeaver Identity Management

Diagram (example role hierarchy): User <- Role "edit + activate" <- Role "edit model" (Package: create / edit; SQL: select) and Role "activate model" (Package: activate models; SQL: write runtime object).



Authorization
Known and new types of privileges

Privilege | What for?
- System Privileges: restrict possible actions. E.g. backup/restore; create user; …
- SQL Privilege: restrict access to a database object. E.g. SELECT on <table>
- Analytic Privilege (HANA specific): row-level security on HANA models. Restrict on attribute values; affects run-time objects
- Package Privilege (HANA specific): restrict actions on data models. Read / edit / activate; on design-time objects only
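As an added illustration (not from the SAP slides), the statements below show how the user, password-policy, role and privilege concepts of the preceding slides look in SAP HANA SQL as typed into the SQL console of SAP HANA Studio; the schema SALES_MART, the package sales.models, the analytic privilege AP_REGION_EMEA and the user names are placeholders chosen for this example.

```sql
-- Added example, not SAP's own code. SALES_MART, sales.models, AP_REGION_EMEA
-- and the ANALYST_* users are placeholders.

-- 1. Password policy: system-wide parameters in the [password policy] section of indexserver.ini
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('password policy', 'minimal_password_length')          = '10',
      ('password policy', 'password_layout')                  = 'A1a',  -- required character groups
      ('password policy', 'maximum_password_lifetime')        = '90',   -- days
      ('password policy', 'maximum_invalid_connect_attempts') = '5'
  WITH RECONFIGURE;

-- 2. Named users: one with a password, one authenticated via Kerberos (no password kept in HANA)
CREATE USER ANALYST_01 PASSWORD "Initial_Pw_2011";          -- must be changed at first logon
CREATE USER ANALYST_02 IDENTIFIED EXTERNALLY AS 'analyst02@CORP.EXAMPLE';

-- 3. System privileges: restrict administrative actions such as backup and user administration
CREATE ROLE DB_OPERATOR;
GRANT BACKUP ADMIN, USER ADMIN TO DB_OPERATOR;

-- 4. SQL privileges (object-level) plus an analytic privilege (row-level) for data-mart consumers
CREATE ROLE MART_READER;
GRANT SELECT ON SCHEMA SALES_MART TO MART_READER;           -- the plain tables
GRANT SELECT ON SCHEMA _SYS_BIC TO MART_READER;             -- activated views live here
GRANT EXECUTE ON SYS.REPOSITORY_REST TO MART_READER;        -- lets BI clients list the models
-- The analytic privilege restricts the view on attribute values (e.g. REGION = 'EMEA');
-- it is modelled in HANA Studio, its activated name below is a placeholder
GRANT STRUCTURED PRIVILEGE "sales.models::AP_REGION_EMEA" TO MART_READER;

-- 5. Package privileges (design-time only): separate "edit model" from "activate model"
CREATE ROLE MODEL_EDITOR;
GRANT REPO.READ ON "sales.models" TO MODEL_EDITOR;
GRANT REPO.EDIT_NATIVE_OBJECTS ON "sales.models" TO MODEL_EDITOR;
CREATE ROLE MODEL_ACTIVATOR;
GRANT REPO.ACTIVATE_NATIVE_OBJECTS ON "sales.models" TO MODEL_ACTIVATOR;

-- 6. Role hierarchy: the combined role is granted the two smaller ones
CREATE ROLE MODEL_EDIT_AND_ACTIVATE;
GRANT MODEL_EDITOR TO MODEL_EDIT_AND_ACTIVATE;
GRANT MODEL_ACTIVATOR TO MODEL_EDIT_AND_ACTIVATE;

-- 7. One role per end-user type, granted directly (SAP IDM issues the same GRANTs over SQL)
GRANT MART_READER TO ANALYST_01;
GRANT MART_READER TO ANALYST_02;

-- 8. Lock / unlock a user, then verify account state and effective privileges
ALTER USER ANALYST_01 DEACTIVATE USER NOW;
ALTER USER ANALYST_01 ACTIVATE USER NOW;
SELECT USER_NAME, USER_DEACTIVATED, LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS WHERE USER_NAME LIKE 'ANALYST%';
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM SYS.EFFECTIVE_PRIVILEGES WHERE USER_NAME = 'ANALYST_02';
```

The last two queries are the check a reviewer runs after provisioning: an end-user should hold only the MART_READER role, never DB_OPERATOR or a modelling role.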
Do I need to know all this?

Depends on HANA Use Case

- Data Marts with SAP HANA (e.g. RDS Content): named users required in SAP HANA Database; authorizations in SAP HANA Database
- Applications on SAP HANA Database (e.g. CO-PA Accelerator; BW 7.30 on HANA): all standard security handled by SAP NetWeaver; no changes in authorization/authentication; no named users required in SAP HANA Database



Data Marts with SAP HANA
Overview of BI <-> HANA Interaction

Three layers in BI <-> HANA
- Consumption layer (end-user tools): WebI, Dashboards, Crystal; SAP BusinessObjects Explorer; Analysis suite (Analysis Office, OLAP, …)
- BI 4.0 Server
  – Semantic Layer: "Universe" based on HANA data providers
  – Explorer Services: technical layer with "Explorer logic"; search, index, … (delegates most tasks to HANA)
- SAP HANA Database: either plain tables or Data Models created in HANA (Analytic Views, Calculation Views)

Diagram: BI Tools (Anything else / Explorer / Analysis) reach the SAP HANA Database (HANA Data Models, tables) either through BI 4.0 (Semantic Layer, Explorer Services) or by direct access.



Data Marts with SAP HANA
Interaction Analysis <-> HANA

Consumption via Analysis Suite
- Analysis User Interface: front-end on end-user PC; direct ODBC connection into HANA DB; SQL and MDX calls into HANA; no authorization features in client
- In BI 4.0 server: only used for auxiliary tasks (optional), e.g. store workbooks, get connection
- In SAP HANA Database: can only consume HANA Data Models; authorization must be defined in HANA
  – Requires named users in HANA
  – Analytic and SQL privileges

Diagram: BI Tools (Anything else / Explorer / Analysis), BI 4.0 (optional), SAP HANA Database with HANA Data Models and tables; Analysis connects directly to HANA.



Data Marts with SAP HANA
Interaction Explorer <-> HANA

Consumption via Explorer
- Explorer UI: Flash-based web interface; HTTP connector into Explorer Server
- In BI 4.0 server – Explorer servers: exploration server, search server, …; delegates search/explore calls to HANA (extended SQL syntax via JDBC); no appropriate authorization features
- In SAP HANA Database: can only consume HANA Data Models; authorization must be defined in HANA
  – Requires named users in HANA
  – Analytic and SQL privileges

Diagram: BI Tools (Anything else / Explorer / Analysis), BI 4.0 (Semantic Layer, Explorer Services), SAP HANA Database with HANA Data Models and tables; Explorer reaches HANA through the Explorer Services.



Data Marts with SAP HANA
Interaction "Other Tools" <-> HANA (not Explorer, not Analysis)

Consumption via Other Tools
- BI Front-End: typically web-based UI; connects against Universe or other BI server component (WebI server, …)
- In BI 4.0 server: tool-specific server component (some tools); access of Semantic Layer (Universe); connect to HANA via JDBC/ODBC; authorization options:
  – Implement all authorization in BI (enables having one single service user)
  – Or have authorization and named users in HANA
- In SAP HANA Database: either consume HANA Data Models (Universe is a 1:1 mapping of this model), or define the entire data model in the semantic layer (consuming tables directly in the universe)

Diagram: BI Tools (Anything else / Explorer / Analysis), BI 4.0 (Semantic Layer), SAP HANA Database with Data Models and tables; other tools reach HANA through the Semantic Layer.



Account Integration HANA, IDM, LDAP and BOE
Before BI 4.0 FP 3

Connector SAP IDM <-> SAP HANA
- As of SAP IDM 7.2 SP 3
- Using SQL Interface in HANA
- Create / delete users
- Create / delete roles
- Grant / revoke roles
- Change passwords

Authentication BOE <-> HANA
- Name / Password Authentication
- Either single-user connection
  – If authorization defined in BI server
- Or named accounts in HANA
  – Using "Credential Mapping"
  – Duplicate maintenance of user accounts
  – Authorizations defined in HANA

Diagram: SAP IDM (central repository for user accounts) pushes accounts into the SAP HANA Database user store and pushes / pulls with Active Directory / LDAP; Active Directory / LDAP accounts are imported into the BOE Server user store; DB credentials (name / password) are defined in the BOE Server for its connection to the SAP HANA Database.



Account Integration HANA, IDM, LDAP and BOE
Starting with BI 4.0 FP 3

Connector SAP IDM <-> SAP HANA
- As of SAP IDM 7.2 SP 3
- Using SQL Interface in HANA
- Create / delete users
- Create / delete roles
- Grant / revoke roles
- Change passwords

Authentication BOE <-> HANA
- Kerberos authentication (since FP 3)
- Maintain named accounts in HANA
- Kerberos ID instead of password
- Or name / password as before

Diagram: SAP IDM (central repository for user accounts) pushes accounts into the SAP HANA Database user store and pushes / pulls with Active Directory / LDAP; Active Directory / LDAP accounts are imported into the BOE Server user store (BI 4, FP 3); the BOE Server authenticates to the SAP HANA Database via Kerberos.



Summary of Connectivity BI 4.0 <-> HANA
Capabilities / limitations for various BI tools

Analysis Suite(*)
- Direct connect into HANA
- Requires named accounts in HANA for all end-users
- Uses ODBC connection
- SSL encryption
- FP 3: Can make use of Kerberos (no password maintenance in HANA)
- Only consumes HANA data models

Explorer
- Indirect connect into HANA
- Server component connects to HANA(*)
- Requires named accounts in HANA for all end-users(*)
- JDBC
- SSL encryption
- Kerberos (as of FP 3)
- Only consumes HANA data models(*)

Other Tools
- Connect through Semantic Layer
- Consume Universes
- Single-user connection: don't need named accounts in HANA for end-users
- Or credential mapping: need named accounts in HANA for all end-users
- JDBC or ODBC
- SSL encryption
- Kerberos (as of FP 3)
- Analysis/Explorer cannot consume semantic layer

(*) Analysis Suite: main table applies to edition for Office. Analysis OLAP: JDBC, using a server component. SSL does not work for Analysis OLAP.
(*) Explorer: technically, Explorer can connect through semantic layer at high performance penalty / only on very small data sets.



Summary of Authorization BI 4.0 <-> HANA
Capabilities / limitations for various BI tools

Analysis Suite
- No authorization capabilities in UI
- Only consumes HANA data models
- Requires named accounts in HANA for all end-users
- Define all authorizations (object- and row-level) in HANA
- Analytic Privileges and SQL Privileges
- Combine into one role per end-user

Explorer
- No authorization capabilities in UI(*)
- Only consumes HANA data models
- Requires named accounts in HANA for all end-users
- Define all authorizations (object- and row-level) in HANA
- Analytic Privileges and SQL Privileges
- Combine into one role per end-user

Other Tools
- Two choices for authorization
  – Report level authorization / data-level authorization in BI: don't need named accounts in HANA for end-users; authorizations not available for Analysis / Explorer
  – Or use HANA authorization / named users for data authorization: same as Analysis / Explorer; can use BI authorizations on top

(*) Assuming that authorization on InfoSpace is not sufficiently powerful



Documentation and Information Around SAP HANA

www.sap.com/hana - official SAP HANA page with customer testimonials

www.experiencesaphana.com - SAP HANA collaboration space for customers

http://help.sap.com/hana_appliance - Official documentation


see especially the SAP HANA Database Security Guide

http://service.sap.com/HANA - Installation and Implementation knowledge

http://www.sdn.sap.com/irj/sdn/in-memory - SAP Developer Network for HANA



© 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.



