SAP HANA Content Security Roles Setup
A few months ago I was given the task of implementing content security in SAP HANA. The main purpose of the task was to give business users access to the information models created in SAP HANA. For example, a Finance user should only see the Finance package and should be able to access the information models in that package via BI tools such as Analysis for Excel.
So, after some research and a few discussions with various people, I came up with the following security model.
Let's assume that content is maintained in the following structure:
Based on each type of privilege, I created the roles shown below:
System Privilege Roles
These roles are mainly needed for system admin tasks (technical roles).
X_HNS: the S stands for System Privilege role.
| Role Name | Privilege Type | Assigned Privileges |
|---|---|---|
| X_HNS_USERADMIN: can create users, change their passwords and delete users | System Privilege | USER ADMIN |
| X_HNS_ROLEADMIN: can create, alter and drop roles with SQL commands | System Privilege | ROLE ADMIN |
| X_HNS_SYSADMIN: can administer the HANA system, alter system parameters and execute ALTER commands to change the system | System Privilege | INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, SERVICE ADMIN, SESSION ADMIN, TRACE ADMIN, AUDIT ADMIN |
| X_HNS_SYSMON: can change alerts, enable logging and view logs to monitor the system | System Privilege | CATALOG READ, MONITOR ADMIN |
| X_HNS_CONTENTADMIN: can create, alter, import, export and drop content | System Privilege | CREATE SCENARIO, CREATE STRUCTURED PRIVILEGE, STRUCTUREDPRIVILEGE ADMIN |
| X_HNS_DATAADMIN: can create schemas, import and export tables and drop tables | System Privilege | CATALOG READ, CREATE REMOTE SOURCE, CREATE SCHEMA, IMPORT, EXPORT |
Object Privilege Roles
X_HNO: the O stands for Object Privilege role.
| Role Name | Privilege Type | Assigned Privileges |
|---|---|---|
| X_HNO_CONTENT_READ: gives read access to activated views | Object Privilege | _SYS_BI (SELECT, EXECUTE). _SYS_BIC (SELECT, EXECUTE) is only needed if HANA Studio is used to access the views. Leaving it out of this role for BI tools is more secure in terms of which activated views are displayed: access to _SYS_BIC grants access to all activated views, which would invalidate this model. A separate role can be created for that privilege. |
| X_HNO_CONTENT_WRITE: gives write access to activated views and read access to the schema | Object Privilege | _SYS_BI (EXECUTE, SELECT, INSERT, UPDATE, DELETE); _SYS_BIC (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX) |
| X_HNO_CONTENT_LIST | Object Privilege | REPOSITORY_REST (EXECUTE) |
| X_HNO_SCHEMA_READ (replace SCHEMA with the required schema name) | Object Privilege | SCHEMA (SELECT) |
| X_HNO_SCHEMA_WRITE (replace SCHEMA with the required schema name) | Object Privilege | SCHEMA (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX) |
| X_HNO_FI_CONTENT | Object Privilege | _SYS_BIC.FI column views |
| X_HNO_CO_CONTENT | Object Privilege | _SYS_BIC.CO column views |
| X_HNO_IM_CONTENT | Object Privilege | _SYS_BIC.IM column views |
| X_HNO_LE_CONTENT | Object Privilege | _SYS_BIC.LE column views |
| X_HNO_MM_CONTENT | Object Privilege | _SYS_BIC.MM column views |
| X_HNO_PA_CONTENT | Object Privilege | _SYS_BIC.PA column views |
| X_HNO_PU_CONTENT | Object Privilege | _SYS_BIC.PU column views |
| X_HNO_SD_CONTENT | Object Privilege | _SYS_BIC.SD column views |
| X_HNO_SP_CONTENT | Object Privilege | _SYS_BIC.SP column views |
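As an added example (not from the original post), the HANA SQL for the read path of this model for one package, FI, plus two catalog checks a practitioner would run against SYS.GRANTED_PRIVILEGES and SYS.VIEWS. The view names, the user FI_ANALYST and its initial password are constructed; the check assumes activated FI views land in _SYS_BIC with names starting "FI/" (or "FI." for subpackages).

```sql
-- Roles for one business package (FI). Object names below are constructed
-- for illustration; replace them with the views activated in your system.

-- Generic read role: catalog schema _SYS_BI only, deliberately not _SYS_BIC.
CREATE ROLE X_HNO_CONTENT_READ;
GRANT SELECT, EXECUTE ON SCHEMA _SYS_BI TO X_HNO_CONTENT_READ;

-- Package content role: grant the individual activated column views,
-- never SELECT on the whole _SYS_BIC schema.
CREATE ROLE X_HNO_FI_CONTENT;
GRANT SELECT ON "_SYS_BIC"."FI/CV_GL_BALANCE" TO X_HNO_FI_CONTENT;    -- constructed name
GRANT SELECT ON "_SYS_BIC"."FI/CV_AP_OPEN_ITEMS" TO X_HNO_FI_CONTENT; -- constructed name

-- A Finance business user receives only the read role and the FI content role.
CREATE USER FI_ANALYST PASSWORD "Change_Me_1";  -- constructed user and initial password
GRANT X_HNO_CONTENT_READ TO FI_ANALYST;
GRANT X_HNO_FI_CONTENT TO FI_ANALYST;

-- Check 1: nobody except the write role and system accounts holds a
-- schema-wide privilege on _SYS_BIC. Any row returned bypasses the package split.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND GRANTEE <> 'X_HNO_CONTENT_WRITE'
   AND GRANTEE <> 'SYSTEM'
   AND GRANTEE NOT LIKE '\_SYS%' ESCAPE '\';

-- Check 2: activated FI views that X_HNO_FI_CONTENT does not yet cover.
-- Re-run after every activation, since new views get no grant automatically.
SELECT V.VIEW_NAME
  FROM SYS.VIEWS V
  LEFT JOIN SYS.GRANTED_PRIVILEGES P
    ON P.GRANTEE = 'X_HNO_FI_CONTENT'
   AND P.SCHEMA_NAME = V.SCHEMA_NAME
   AND P.OBJECT_NAME = V.VIEW_NAME
   AND P.PRIVILEGE = 'SELECT'
 WHERE V.SCHEMA_NAME = '_SYS_BIC'
   AND (V.VIEW_NAME LIKE 'FI/%' OR V.VIEW_NAME LIKE 'FI.%')
   AND P.GRANTEE IS NULL;
```

Both checks return an empty result when the model holds; a non-empty Check 1 means a schema-wide grant has reopened access to every activated view.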
Package Privilege Roles
| Role Name | Privilege Type | Assigned Privileges |
|---|---|---|
| X_HNP_FI_READ: gives read access to package FI | Package Privilege | |
| X_HNP_IM_READ: gives read access to package IM | Package Privilege | |
| X_HNP_LE_READ: gives read access to package LE | Package Privilege | |
| X_HNP_MM_READ: gives read access to package MM | Package Privilege | |