A Right approach to build authorizations in SAP HANA


SAP HANA Privilege-based Roles – A deep dive

Designing, configuring, and implementing SAP Security is a complex and resource-intensive task. Hence, companies should identify the right approach before building authorizations. This is also important when it comes to SAP HANA privilege-based roles.

I have personally experienced and helped a few organizations with the design of the role definition approach. From this experience, I can say that identifying the proper security requirements during the system build helps in avoiding the need for redesigning at a later stage.

Before we move on, please note that the SAP HANA platform has its own role model, which is more complex than the SAP NetWeaver ABAP authorization model. SAP HANA has:

– Analytic Privileges, which restrict user authorization on data
– System Privileges, which control authorization on administrative tasks
– Object Privileges, which allow various authorizations such as SELECT, DELETE, EXECUTE, etc., on database objects
– Package Privileges, which provide read/write authorization on repositories
– Application Privileges, which are used for managing HANA applications, mostly XS Engine based



These privileges can be assigned to users directly from HANA Studio or the Web IDE, provided the administrator has the USER ADMIN privilege. However, before designing the authorization approach, I would also like to highlight a few points that should be considered:

– Assigning privileges directly is not a recommended approach as:

  – It increases the maintenance activity.
  – It makes authorization management confusing, and you will have no clue of who has what.
  – Unnecessary access has to be provided to the administrators due to the GRANT authorization limitation.
  – There are issues with ownership, as objects are owned by the creator and not by the repository owner.
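The "who has what" problem can be measured from the catalog before any redesign. The following is an added example, not part of the original article: it assumes the HANA system views SYS.GRANTED_PRIVILEGES and SYS.GRANTED_ROLES, the excluded account list is an assumption to adapt, and the role, schema and user names (SALES_REPORTING_READ, SALES_DATA, JSMITH) are hypothetical.

```sql
-- 1. Every privilege granted straight to a user instead of through a role.
--    GRANTOR shows whose account the grant depends on.
SELECT gp.GRANTEE AS user_name,
       gp.OBJECT_TYPE,
       gp.SCHEMA_NAME,
       gp.OBJECT_NAME,
       gp.PRIVILEGE,
       gp.IS_GRANTABLE,
       gp.GRANTOR
FROM   SYS.GRANTED_PRIVILEGES gp
WHERE  gp.GRANTEE_TYPE = 'USER'
  AND  gp.GRANTEE NOT IN ('SYS', 'SYSTEM', '_SYS_REPO')   -- assumed exclusions
  -- skip privileges on the user's own schema
  AND  NOT (gp.OBJECT_TYPE = 'SCHEMA' AND gp.SCHEMA_NAME = gp.GRANTEE)
ORDER  BY gp.GRANTEE, gp.OBJECT_TYPE, gp.PRIVILEGE;

-- 2. Per-user summary: direct grants, how many can be passed on
--    (WITH GRANT/ADMIN OPTION), and how many roles the user holds.
SELECT d.user_name,
       d.direct_grants,
       d.grantable_grants,
       COALESCE(r.roles_held, 0) AS roles_held
FROM  (SELECT GRANTEE AS user_name,
              COUNT(*) AS direct_grants,
              SUM(CASE WHEN IS_GRANTABLE = 'TRUE' THEN 1 ELSE 0 END)
                  AS grantable_grants
       FROM   SYS.GRANTED_PRIVILEGES
       WHERE  GRANTEE_TYPE = 'USER'
         AND  GRANTEE NOT IN ('SYS', 'SYSTEM', '_SYS_REPO')
       GROUP  BY GRANTEE) d
LEFT  JOIN
      (SELECT GRANTEE AS user_name, COUNT(*) AS roles_held
       FROM   SYS.GRANTED_ROLES
       WHERE  GRANTEE_TYPE = 'USER'
       GROUP  BY GRANTEE) r
  ON  r.user_name = d.user_name
ORDER BY d.direct_grants DESC;

-- 3. Replacing one direct grant with a role (hypothetical names).
CREATE ROLE SALES_REPORTING_READ;
GRANT SELECT ON SCHEMA SALES_DATA TO SALES_REPORTING_READ;
GRANT SALES_REPORTING_READ TO JSMITH;
REVOKE SELECT ON SCHEMA SALES_DATA FROM JSMITH;  -- run as the original grantor
```

Users with a high direct_grants count and few roles are the first candidates for migration; rows with IS_GRANTABLE = 'TRUE' deserve review because the holder can pass the privilege on.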

Read more: https://togglenow.com/blog/sap-hana-privilege-based-roles/
