SAP HANA 2.0 Security Guide - Part 4
Authorization Concept
Basic Authorization Entities
Before we can start building our authorization and security concept in SAP HANA, it is important to understand the basic authorization entities and the relationship between them.
Privileges are assigned to users either directly or indirectly through roles. Best practice is to manage authorization for users by using roles rather than direct grants.
Relationships Between Entities
All the database privileges granted to a user are combined. That means that when a user tries to access any object, the system performs an authorization check against the union of the privileges granted directly to the user and the privileges granted through the user's roles.
Several predefined roles exist in the database. Some of them are templates that need to be customized and others can be used as they are.
User management is configured using SAP HANA Studio and the Web-based editor.
The recommended process to manage what the users are authorized to do in the system is as follows:
- Define and create roles.
- Assign privileges to roles.
- Create users.
- Grant roles to the users.
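The four steps above as one SQL script, added here as an illustration and not taken from the guide. The schema SALES, the role SALES_REPORT_READER, the user REPORT_USER1 and the initial password are assumed sample values; the script is meant to be run by an administrator holding ROLE ADMIN and USER ADMIN plus grantable rights on the SALES schema. The final query shows the combined view the authorization check actually evaluates.

```sql
-- Step 1: define and create the role (a catalog role, created directly in the database).
-- Assumed names: SALES schema, SALES_REPORT_READER role, REPORT_USER1 user.
CREATE ROLE SALES_REPORT_READER;

-- Step 2: assign privileges to the role, never to individual users.
-- Object privilege: read-only access to the reporting schema.
GRANT SELECT ON SCHEMA SALES TO SALES_REPORT_READER;
-- System privilege so the user can browse catalog metadata in client tools.
GRANT CATALOG READ TO SALES_REPORT_READER;

-- Step 3: create the user. Sample initial password; the default password policy
-- forces a change at first logon.
CREATE USER REPORT_USER1 PASSWORD Initial2024Pw;

-- Step 4: grant the role (not the raw privileges) to the user.
GRANT SALES_REPORT_READER TO REPORT_USER1;

-- Verification: direct grants and role grants are combined, so EFFECTIVE_PRIVILEGES
-- lists the union that the authorization check will use for this user.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR, IS_VALID
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'REPORT_USER1'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, PRIVILEGE;
```

Keeping every privilege on the role means that a second reporting user needs only step 3 and step 4, and that removing a privilege from the role removes it for all holders at once.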
Privileges
When a user accesses the SAP HANA database using a client interface (for example, ODBC, JDBC, or HTTP), their ability to perform database operations on database objects is determined by the privileges that they have been granted.
Roles
Roles are collections of privileges that can be granted at runtime either to a database user or to another role.
A role usually contains the privileges needed for a specific function or task.
Roles within the SAP HANA database can be runtime objects (catalog roles) or design-time objects that are converted into catalog objects on deployment, after activation (a database artifact with the file suffix .hdbrole).
There are two types of roles:
- Catalog Role
- Repository Role
Catalog Roles
A catalog role is also called a runtime role.
Managing catalog roles has several challenges, especially with regard to transport and to the revocation of privileges and roles.
Important properties of catalog roles:
- Non-transportable (created directly in the database catalog; there is no design-time version)
- Only the grantor can revoke the role
- Not versioned
- Privileges are revoked if the grantor is dropped
To create a catalog role, the ROLE ADMIN system privilege is needed. This system privilege also allows granting of any catalog role.
Only the grantor can revoke a privilege it has granted.
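The two properties that bite in practice (only the grantor can revoke, and grants disappear when the grantor is dropped) can be audited from the system views. The script below is an added example, not from the guide; SECURITY_ADMIN, SALES_REPORT_READER and REPORT_USER1 are assumed sample names. The queries list every grant whose grantor is a personal user rather than _SYS_REPO, which is exactly the set of grants that would be lost if that user were dropped.

```sql
-- Assumed names: SECURITY_ADMIN, SALES_REPORT_READER, REPORT_USER1.

-- ROLE ADMIN is the system privilege that allows creating and granting catalog roles.
GRANT ROLE ADMIN TO SECURITY_ADMIN;

-- Role grants made by personal users: each of these is tied to the grantor's account
-- and is revoked automatically if that account is dropped.
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTOR <> '_SYS_REPO'
   AND GRANTEE_TYPE = 'USER'
 ORDER BY GRANTOR, GRANTEE, ROLE_NAME;

-- The same check for privileges granted directly to users (bypassing roles).
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTOR <> '_SYS_REPO'
   AND GRANTEE_TYPE = 'USER'
 ORDER BY GRANTOR, GRANTEE;

-- Revocation of a catalog role must be issued by the original grantor, executed while
-- connected as that grantor; another administrator running this gets an error, not a revoke.
REVOKE SALES_REPORT_READER FROM REPORT_USER1;
```

Running the two SELECTs before an administrator account is removed tells you which grants to re-issue from a surviving account first; an empty result for a given grantor means that account can be dropped without silently removing anyone's access.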
Repository Roles
Repository roles, also known as design-time roles, are created within the SAP HANA Repository. This means that the creation of the role is decoupled from its ownership, because the runtime version of the role is created at activation time by the _SYS_REPO technical user.
Repository roles can also be transported to other systems using delivery units.
Design-time roles and analytic privileges are transportable.
Important properties of repository roles:
- The grantor can grant or revoke any design-time role
- A developer can edit any role in a package (if authorized)
- Created using the SAP HANA Development perspective in SAP HANA Studio or the Web-based Development Workbench
- The design-time version is stored in the repository
- The runtime version is created during activation
- Transportable as part of delivery units
The typical lifecycle of a repository role is:
- A developer or role designer creates the role in the repository of the development system and tests it.
- The role is transported to the production system, for example, using HALM or CTS+.
- In the production system, a user administrator grants the role to users.
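The last lifecycle step, granting an activated repository role in the production system, is done through procedures owned by _SYS_REPO rather than with a plain GRANT, because _SYS_REPO owns the runtime role. The script is an added example, not from the guide; the package acme.security.roles, the role ReportReader and the user REPORT_USER1 are assumed sample names, and the calling administrator is assumed to have EXECUTE on the two procedures.

```sql
-- Assumed names: activated role acme.security.roles::ReportReader, user REPORT_USER1.

-- Grant the activated (runtime) role. _SYS_REPO performs the grant, so _SYS_REPO,
-- not the administrator issuing the call, is recorded as the grantor.
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('acme.security.roles::ReportReader', 'REPORT_USER1');

-- Check who the grantor is for this user's roles. For the repository role the
-- GRANTOR column holds _SYS_REPO, which is why the grant is not tied to any person.
SELECT GRANTEE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'REPORT_USER1'
   AND GRANTEE_TYPE = 'USER';

-- Revocation goes through the matching procedure and can be run by any administrator
-- holding EXECUTE on it, not only by whoever issued the original grant.
CALL _SYS_REPO.REVOKE_ACTIVATED_ROLE('acme.security.roles::ReportReader', 'REPORT_USER1');
```

This is the mechanism behind the "grantor can grant/revoke any design-time role" property listed above: because _SYS_REPO is the grantor for every repository role, the grant does not disappear when an administrator leaves, which is the main operational advantage over catalog roles.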
Reviewed by NEXT GEN Technologies on 1:32 PM