SAP HANA 2.0 Security Guide - Part 4

SAP HANA 2.0 Security Guide - Part 4

Authorization Concept

Basic Authorization Entities
Before we can start building our authorization and security concept in SAP HANA, it is important to understand the basic authorization entities and the relationship between them.

Privileges are assigned to users directly or indirectly using roles. Best practice to manage authorization for users by using roles.

Relationships Between Entities
All the database privileges granted to a user are combined. That means when user try to access any object, the system performs an authorization check using the user, the user's roles, and directly allocated privileges.

Several predefined roles exist in the database. Some of them are templates that need to be customized and others can be used as they are.
User management is configured using SAP HANA Studio and the Web-based editor.

Authorization Design Process
The recommended process to manage what the users are authorized to do in the system is as follows:

1. Define and create roles
2. Assign privileges to roles.
3. Create users
4. Grant roles to the users

Privileges

When a user accesses the SAP HANA database using a client interface (for example, ODBC, JDBC, or HTTP), their ability to perform database operations on database objects is determined by the privileges that they have been granted.

Roles
Roles are the collection of privileges that granted to either a database user or another role in runtime.
A role usually contains the privileges needed for a specific function or task
Roles within the SAP HANA database can be runtime objects (catalog roles), or design-time objects that can be converted into catalog objects on deployment after the activation(database artifact with file suffix .hdbrole).

System privilege ROLE ADMIN required to create catalog role
We have two types of Roles

• Catalog Role
• Repository Role 

Catalog Roles
A catalog role is also called runtime role.
Managing catalog roles has several challenges, especially with regard to transportation and  revocation of privileges and roles.
Important properties of Catalog role:

• Non-transportable( created directly in the DB catalog (no design time))
• Only grantor can revoke role
• Not versioned
• Privileges revoke if grantor is dropped

Catalog roles can be created using SAP HANA Studio, SAP HANA Cockpit and on a SQL console.
To create a catalog role, the ROLE ADMIN system privilege is needed. This system privileges also allows granting of any catalog role.
Only the grantor can revoke the privilege

Repository Roles
Repository roles, also known as design-time roles, are created within the SAP HANA Repository. This means that the creation of the role is decoupled from the ownership as the runtime version of the role will be created in runtime by _SYS_REPO technical user.
Repository roles can also be transported to other systems using delivery units.
Design time roles and analytic privileges are transportable
Important properties of repository roles:

• Grantor can grant/revoke any design time role
• Developer will edit any role in package (if authorized)
• Create using HANA developer perspective and Web-based Development Workbench.
• Design time stored in Repository
• Run time created during activation
• Transportable as part of delivery units

The following three steps are part of the role lifecycle:

• A developer or role designer creates the role in the repository of the development system and tests it.
• The role is transported to the production system, for example, using HALM or CTS+.
• In the production system, a user administrator grants the role to users.