It’s Not Rocket Science But it’s Getting There: SAP HANA Security: SAP_INTERNAL_HANA_SUPPORT in SPS09.
The best security procedures are clear and straightforward. In this video by the SAP HANA Academy, Denys explains the purpose of the SAP_INTERNAL_HANA_SUPPORT role in SPS09. The topic could be complex, but Denys tells you what you need to know when you need to know it. He shows the relevant sections of the key documentation and discusses how and why the role exists. This is no mean feat for a 5-minute video.
What, why and when?
The SAP_INTERNAL_HANA_SUPPORT role was introduced in SPS05. It grants read-only access to catalog metadata plus the privilege to activate tracing. The justification for the role is that when an issue requires SAP Support, a preconfigured, dedicated role can be granted and then locked again once the issue has been dealt with. Because the role is limited to metadata, it gives no access to confidential parts of the business such as customer data.
Denys then refers to the Security Guide for more details on this role. It covers low-level internal system views only, all access is read-only, and there is no access to customer data.
Denys reviews the restrictions on the role, as follows. The role cannot be modified. There may be occasions where additional system privileges are necessary; SAP recommends that these be granted to the support user, NOT to the role. This should be an exceptional measure: any additional privilege should be granted only when needed and revoked straight afterwards. With every upgrade the role is automatically reset, so changes to the role itself would not survive in any case.
Denys demonstrates how the role is configured from a Windows machine running SAP HANA Studio. He is logged on as Bill, the security administration user; the SYSTEM user has been deactivated. Bill has created the user SAP and granted it the SAP_INTERNAL_HANA_SUPPORT role, which itself has no granted roles, is not part of any other role, and carries only the system privileges and object privileges shown.
In the Administration Console, under Configuration, you can set the maximum number of users that can be assigned this role. The default is 1, but in the example it has been set to 2. Any attempt to grant the role to a third user is rejected with an error message.
When you connect as the support user SAP you can browse the catalog but have no access to the repository.
Under Alerts you can see that an alert is generated when a user is granted the role. This is a new feature.
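The same walkthrough can be driven from the SQL console instead of the Studio dialogs. The block below is an added example, not the video's or SAP's own script: it assumes the user limit is the parameter internal_support_user_limit in the authorization section of indexserver.ini (the video summary names only the Configuration screen), that the GRANTED_ROLES and EFFECTIVE_PRIVILEGES catalog views and the _SYS_STATISTICS.STATISTICS_CURRENT_ALERTS view are available as in SPS09, and that the user name SAP, the password, the validity window and MONITOR ADMIN as the "extra" privilege are constructed for illustration.

```sql
-- Added example (not from the video or the SAP documentation): the support-user
-- lifecycle from the walkthrough, run as the security administrator (Bill).
-- User name, password, dates and the extra privilege are constructed.

-- 1. Raise the number of users allowed to hold the role (default 1).
--    Assumption: the limit is indexserver.ini [authorization]
--    internal_support_user_limit, as described in the Security Guide.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    SET ('authorization', 'internal_support_user_limit') = '2'
    WITH RECONFIGURE;

-- 2. Create a dedicated, time-boxed support user and grant the role.
CREATE USER SAP PASSWORD "Str0ng!Initial"
    VALID FROM '2015-02-10 09:00:00' UNTIL '2015-02-12 18:00:00';
GRANT SAP_INTERNAL_HANA_SUPPORT TO SAP;

-- 3. Verify what the user can actually do before handing over credentials.
--    The role is a leaf: it contains no other roles and belongs to none.
SELECT ROLE_NAME, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'SAP';

SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'SAP'
 ORDER BY OBJECT_TYPE, PRIVILEGE;

-- 4. Who holds the role right now? A GRANT that would exceed the configured
--    limit fails with an error, so this list never grows past the limit.
SELECT GRANTEE, GRANTOR
  FROM GRANTED_ROLES
 WHERE ROLE_NAME = 'SAP_INTERNAL_HANA_SUPPORT';

-- 5. If Support needs something the role lacks, grant it to the USER, never
--    to the role (the role cannot be modified and is reset on upgrade).
--    MONITOR ADMIN is only an illustrative extra system privilege.
GRANT MONITOR ADMIN TO SAP;

-- 6. Confirm the alert raised by granting the role. The text filter is an
--    assumption; match on the ALERT_NAME your system actually shows.
SELECT ALERT_ID, ALERT_TIMESTAMP, ALERT_RATING, ALERT_DETAILS
  FROM _SYS_STATISTICS.STATISTICS_CURRENT_ALERTS
 WHERE ALERT_DETAILS LIKE '%SAP_INTERNAL_HANA_SUPPORT%'
    OR ALERT_NAME    LIKE '%SAP_INTERNAL_HANA_SUPPORT%';

-- 7. When the incident is closed: revoke the extra privilege and the role,
--    lock the user, and put the limit back to its default.
REVOKE MONITOR ADMIN FROM SAP;
REVOKE SAP_INTERNAL_HANA_SUPPORT FROM SAP;
ALTER USER SAP DEACTIVATE USER NOW;
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    UNSET ('authorization', 'internal_support_user_limit')
    WITH RECONFIGURE;
```

Two points worth checking in practice: the EFFECTIVE_PRIVILEGES query in step 3 is the evidence that the support user has catalog and trace privileges only and nothing on business schemas, and step 7 is the part most often forgotten; the role being reset on upgrade does not remove it from users, so the revoke and the deactivation have to be done explicitly.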
You need the Kernel Profiler to activate a trace. It collects information about frequent and expensive execution paths during query processing. It is built in, so no additional software needs to be installed. You can set the services to profile, a wait time and a memory limit. The memory limit matters because profiling consumes a lot of memory and you do not want the SAP HANA server to run out of it.