A few months ago I was asked to implement content security in SAP HANA. The main purpose was to give business users access to the information models created in SAP HANA, restricted by functional area: a Finance user, for example, should see only the Finance package and should reach the information models in that package through BI tools such as Analysis for Excel.

So, after some research and a few discussions with various people, I came up with the following security model.

Let's assume that the content is maintained in a structure with one repository package per functional area (the FI, CO, IM, LE, MM, PA, PU, SD and SP packages referenced by the roles below):

Based on each type of privilege (system, object and package), I created the roles shown below.

System Privilege Roles

These roles are mainly needed for system administration tasks (technical roles).

Naming convention: X_HNS_*, where S stands for System privilege role.


| Role name | Description | Privilege type | Assigned privileges |
| --- | --- | --- | --- |
| X_HNS_USERADMIN | Creates users, changes their passwords and deletes users | System privilege | USER ADMIN |
| X_HNS_ROLEADMIN | Creates, alters and drops roles with SQL commands | System privilege | ROLE ADMIN |
| X_HNS_SYSADMIN | Administers the HANA system: alters system parameters and executes ALTER SYSTEM commands | System privilege | INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, SERVICE ADMIN, SESSION ADMIN, TRACE ADMIN, AUDIT ADMIN |
| X_HNS_SYSMON | Changes alerts, enables logging and views logs to monitor the system | System privilege | CATALOG READ, MONITOR ADMIN |
| X_HNS_CONTENTADMIN | Creates, alters, imports, exports and drops content | System privilege (including repository privileges) | CREATE SCENARIO, CREATE STRUCTURED PRIVILEGE, STRUCTUREDPRIVILEGE ADMIN, REPO.EXPORT, REPO.IMPORT, REPO.MAINTAIN_DELIVERY_UNITS, REPO.WORK_IN_FOREIGN_WORKSPACE |
| X_HNS_DATAADMIN | Creates schemas, imports and exports tables and drops tables | System privilege | CATALOG READ, CREATE REMOTE SOURCE, CREATE SCHEMA, IMPORT, EXPORT |
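As an added example (not part of the original post), the SQL below creates the X_HNS_ roles from the table as HANA catalog roles and then reads back what each one carries. It assumes it is run by an administrator who holds ROLE ADMIN and every privilege being granted with the right to pass it on; the role names are the ones from the table and nothing else is assumed.

```sql
-- Added example: HANA catalog roles for the system privilege layer.
-- Run as an administrator holding ROLE ADMIN plus the privileges below
-- with the right to grant them on (assumption for this example).

CREATE ROLE X_HNS_USERADMIN;
GRANT USER ADMIN TO X_HNS_USERADMIN;

CREATE ROLE X_HNS_ROLEADMIN;
GRANT ROLE ADMIN TO X_HNS_ROLEADMIN;

CREATE ROLE X_HNS_SYSADMIN;
GRANT INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, SERVICE ADMIN,
      SESSION ADMIN, TRACE ADMIN, AUDIT ADMIN TO X_HNS_SYSADMIN;

CREATE ROLE X_HNS_SYSMON;
GRANT CATALOG READ, MONITOR ADMIN TO X_HNS_SYSMON;

CREATE ROLE X_HNS_CONTENTADMIN;
GRANT CREATE SCENARIO, CREATE STRUCTURED PRIVILEGE,
      STRUCTUREDPRIVILEGE ADMIN TO X_HNS_CONTENTADMIN;
-- Repository (REPO.*) privileges use the same statement form.
GRANT REPO.EXPORT TO X_HNS_CONTENTADMIN;
GRANT REPO.IMPORT TO X_HNS_CONTENTADMIN;
GRANT REPO.MAINTAIN_DELIVERY_UNITS TO X_HNS_CONTENTADMIN;
GRANT REPO.WORK_IN_FOREIGN_WORKSPACE TO X_HNS_CONTENTADMIN;

CREATE ROLE X_HNS_DATAADMIN;
GRANT CATALOG READ, CREATE REMOTE SOURCE, CREATE SCHEMA, IMPORT, EXPORT
   TO X_HNS_DATAADMIN;

-- Check: what each X_HNS_ role actually holds after the grants above.
-- The underscores are escaped so LIKE matches them literally.
SELECT GRANTEE, OBJECT_TYPE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE_TYPE = 'ROLE'
   AND GRANTEE LIKE 'X\_HNS\_%' ESCAPE '\'
 ORDER BY GRANTEE, PRIVILEGE;
```

Two caveats before copying this. Privileges granted through SQL stay tied to the granting user: if that administrator account is later dropped, everything it granted is revoked, which is why repository (.hdbrole) roles, granted by _SYS_REPO, are the usual choice for anything that must outlive its author. And X_HNS_SYSADMIN as defined above bundles AUDIT ADMIN with the other system privileges, so the people administering the system can also change or switch off the auditing of their own actions; keeping AUDIT ADMIN in its own role preserves that separation of duties.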

Object Privilege Roles

Naming convention: X_HNO_*, where O stands for Object privilege role.


| Role name | Description | Privilege type | Assigned privileges |
| --- | --- | --- | --- |
| X_HNO_CONTENT_READ | Read access to activated views | Object privilege | _SYS_BI (SELECT, EXECUTE); _SYS_BIC (SELECT, EXECUTE) only for HANA Studio users, see the note below |
| X_HNO_CONTENT_WRITE | Write access to activated views and read access to the schema | Object privilege | _SYS_BI (EXECUTE, SELECT, INSERT, UPDATE, DELETE); _SYS_BIC (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX) |
| X_HNO_CONTENT_LIST | Lists repository content | Object privilege | REPOSITORY_REST (EXECUTE) |
| X_HNO_SCHEMA_READ | Read access to a schema; replace SCHEMA with the required schema name | Object privilege | SCHEMA (SELECT) |
| X_HNO_SCHEMA_WRITE | Write access to a schema; replace SCHEMA with the required schema name | Object privilege | SCHEMA (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX) |
| X_HNO_FI_CONTENT | Access to the activated FI column views | Object privilege | _SYS_BIC.FI column views |
| X_HNO_CO_CONTENT | Access to the activated CO column views | Object privilege | _SYS_BIC.CO column views |
| X_HNO_IM_CONTENT | Access to the activated IM column views | Object privilege | _SYS_BIC.IM column views |
| X_HNO_LE_CONTENT | Access to the activated LE column views | Object privilege | _SYS_BIC.LE column views |
| X_HNO_MM_CONTENT | Access to the activated MM column views | Object privilege | _SYS_BIC.MM column views |
| X_HNO_PA_CONTENT | Access to the activated PA column views | Object privilege | _SYS_BIC.PA column views |
| X_HNO_PU_CONTENT | Access to the activated PU column views | Object privilege | _SYS_BIC.PU column views |
| X_HNO_SD_CONTENT | Access to the activated SD column views | Object privilege | _SYS_BIC.SD column views |
| X_HNO_SP_CONTENT | Access to the activated SP column views | Object privilege | _SYS_BIC.SP column views |

Note on X_HNO_CONTENT_READ: the _SYS_BIC (SELECT, EXECUTE) entry is only needed when views are accessed from HANA Studio. Leaving it out for BI-tool users is the safer choice: SELECT on the whole _SYS_BIC schema gives access to every activated view, which defeats the per-package model. If it is required, keep it in a separate role that is granted only to the people who need it.
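The point of the note above is that SELECT on the whole _SYS_BIC schema makes every activated view readable, so the per-area X_HNO_*_CONTENT roles have to be built from grants on individual views. The SQL below is an added example, not from the original post, that does this for FI and CO and then runs the check I would use to find any grantee that still holds a schema-wide privilege on _SYS_BIC. The column view names (FI/CV_GL_BALANCES and so on) are placeholders; activated views are owned by _SYS_REPO, so the grants on them go through the _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT procedure rather than a direct GRANT.

```sql
-- Added example: content read roles built from view-level grants.
-- The view names under _SYS_BIC are placeholders for the activated
-- views in the FI and CO packages (assumption for this example).

CREATE ROLE X_HNO_CONTENT_READ;
-- BI metadata (the BIMC_* views) that BI tools need; no data access.
GRANT SELECT, EXECUTE ON SCHEMA "_SYS_BI" TO X_HNO_CONTENT_READ;

CREATE ROLE X_HNO_CONTENT_LIST;
GRANT EXECUTE ON "SYS"."REPOSITORY_REST" TO X_HNO_CONTENT_LIST;

-- Per-area roles: one grant per activated view, never on the schema.
-- _SYS_REPO owns the activated objects, so each grant is made through
-- its procedure: (privilege, fully qualified object name, grantee).
CREATE ROLE X_HNO_FI_CONTENT;
CALL _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT(
     'SELECT', '"_SYS_BIC"."FI/CV_GL_BALANCES"',   'X_HNO_FI_CONTENT');
CALL _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT(
     'SELECT', '"_SYS_BIC"."FI/CV_AP_OPEN_ITEMS"', 'X_HNO_FI_CONTENT');

CREATE ROLE X_HNO_CO_CONTENT;
CALL _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT(
     'SELECT', '"_SYS_BIC"."CO/CV_COST_CENTER_ACTUALS"', 'X_HNO_CO_CONTENT');

-- Check 1: any grantee with a schema-level privilege on _SYS_BIC can read
-- every activated view and bypasses the per-area roles. Expected: no
-- business user and no X_HNO_*_CONTENT role in the result.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC'
 ORDER BY GRANTEE, PRIVILEGE;

-- Check 2: the view-level grants that make up one area role.
SELECT GRANTEE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'X_HNO_FI_CONTENT'
 ORDER BY OBJECT_NAME;
```

Check 1 is worth scheduling, not running once: a single schema-wide SELECT on _SYS_BIC handed out later for a support ticket silently reopens everything the area roles were meant to close. On the write side, activated objects in _SYS_BIC are created and dropped by the repository under _SYS_REPO during activation, so developers normally need the REPO.EDIT_NATIVE_OBJECTS and REPO.ACTIVATE_NATIVE_OBJECTS package privileges on their packages rather than DDL or DML on _SYS_BIC itself; X_HNO_CONTENT_WRITE as listed above is considerably broader than that.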

Package Privilege Roles

Naming convention: X_HNP_*, where P stands for Package privilege role.


| Role name | Description | Privilege type | Assigned privileges |
| --- | --- | --- | --- |
| X_HNP_FI_READ | Read access to package FI | Package privilege | REPO.READ on FI |
| X_HNP_IM_READ | Read access to package IM | Package privilege | REPO.READ on IM |
| X_HNP_LE_READ | Read access to package LE | Package privilege | REPO.READ on LE |
| X_HNP_MM_READ | Read access to package MM | Package privilege | |
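To show how the three layers combine for one business user, here is an added example (not from the original post) that creates the FI package role, bundles it with the FI object roles from the previous section into a composite business role, assigns that to a user, and verifies the outcome through EFFECTIVE_PRIVILEGES. The composite role name X_HNB_FI_ANALYST, the user FI_ANALYST_01 and its initial password are assumptions made for the example; the X_HNO_ roles it references must already exist.

```sql
-- Added example: package privilege roles, a composite business role for
-- the FI area, and the checks that confirm what the user ends up with.
-- X_HNB_FI_ANALYST, FI_ANALYST_01 and the password are placeholders.

CREATE ROLE X_HNP_FI_READ;
-- Package privileges are inherited by sub-packages, so this covers FI/*.
GRANT REPO.READ ON "FI" TO X_HNP_FI_READ;

CREATE ROLE X_HNP_CO_READ;
GRANT REPO.READ ON "CO" TO X_HNP_CO_READ;

-- Composite role for an FI business user: BI metadata, content listing,
-- the FI package and the FI column views. Nothing from other areas.
CREATE ROLE X_HNB_FI_ANALYST;
GRANT X_HNO_CONTENT_READ TO X_HNB_FI_ANALYST;
GRANT X_HNO_CONTENT_LIST TO X_HNB_FI_ANALYST;
GRANT X_HNP_FI_READ      TO X_HNB_FI_ANALYST;
GRANT X_HNO_FI_CONTENT   TO X_HNB_FI_ANALYST;

CREATE USER FI_ANALYST_01 PASSWORD "Welcome1!";   -- placeholder initial password
GRANT X_HNB_FI_ANALYST TO FI_ANALYST_01;

-- Check 1: what the user can actually reach in _SYS_BIC. Expected: one
-- row per FI view with PRIVILEGE = 'SELECT' and no row with
-- OBJECT_TYPE = 'SCHEMA' (which would mean schema-wide access leaked in).
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTEE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'FI_ANALYST_01'
   AND SCHEMA_NAME = '_SYS_BIC'
 ORDER BY OBJECT_NAME;

-- Check 2: which repository packages the user can read. Expected: FI only.
SELECT OBJECT_NAME, PRIVILEGE, GRANTEE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'FI_ANALYST_01'
   AND PRIVILEGE LIKE 'REPO.%'
 ORDER BY OBJECT_NAME;

-- Check 3: the roles resolved transitively through X_HNB_FI_ANALYST.
SELECT ROLE_NAME, GRANTEE
  FROM SYS.EFFECTIVE_ROLES
 WHERE USER_NAME = 'FI_ANALYST_01'
 ORDER BY ROLE_NAME;
```

The negative test is the one that matters: log in as FI_ANALYST_01 and select from a CO view (for example the placeholder "_SYS_BIC"."CO/CV_COST_CENTER_ACTUALS"). It must fail with an insufficient privilege error while the FI views return data. If it succeeds, look in GRANTED_PRIVILEGES for a schema-level grant on _SYS_BIC reaching the user, either directly or through one of the roles listed by check 3.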