Escolar Documentos
Profissional Documentos
Cultura Documentos
Business Analytics
Applicable Releases:
SAP HANA 1.0 SPS 03
Version 1.0
December 2011
All other product and ser vice names mentioned ar e the tr ademarks of their resp ectiv e co mpani es. Dat a cont ained in this document serves information al purposes only. N ational product specifications may vary.
The information in this document is proprietar y to SAP. No part of this document may b e rep roduced, copied, or tr ans mitted in an y form or for any purpos e without the express prior writ ten permis sion of SAP AG.
This document is a preli minary v ersion and not subject to your licens e agr eement or any other agr eement with SAP. This document contains only int ended str at egies, d evelop ments , and functionalities of the SAP product and is not intended to be binding upon SAP to an y parti cular course of business , product str ategy, and /or dev elopment. Pl eas e note that this docu ment is subject to ch ange and may be ch anged by S AP at any ti me without notice.
SAP assu mes no r esponsibility for errors or omissions in this do cument. S AP does not w arr ant the accur acy or compl et eness of the information, text, graphics, links , or other items contained within this mat erial . This document is provided without a warrant y of any kind, either expr ess or i mplied, including but not limited to the i mplied w arr anties of mer chant ability, fitness for a particular purpose, or non -infringement.
SAP sh all hav e no liability for damages of any kind including without limit ation direct , special, indir ect , or consequ ential d amages that may r esult from the us e of these materi als. Thi s limit ation shall not apply in cases of intent or gross negligence.
The statutor y liability for p ersonal injur y and defectiv e products is not affected. SAP has no control over the information t hat you may access th rough the use of hot links contained in thes e materials and does not endors e your use of third-party Web pag es nor provide an y war ranty whatso ever rel ating to third-part y Web pages .
Business Objects and the Business Objects logo, BusinessObjects, explained in a practical business context, it is not implied that those
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other features and procedures are the only approach in solving a specific
Business Objects products and services mentioned herein as well as their business problem using SAP NetWeaver. Should you wish to receive
respective logos are trademarks or registered trademarks of Business additional information, clarification or support, please refer to SAP
Objects Software Ltd. Business Objects is an SAP company. Consulting.
Sybase and Adapti ve S erv er , iAnywh er e, S ybas e 365, SQL Anywhere, and other S ybas e products and services mentioned herein as well as thei r respective logos are tr ademarks or regist ered t rad emar ks of Sybase, Inc. S ybase is an SAP comp any.
Any software coding and/or code lines / strings (Code) included in this
documentation are only examples and are not intended to be used in a
productive system environment. The Code is only intended better explain
and visualize the syntax and phrasing rules of certain coding. SAP does
not warrant the correctness and completeness of the Code given herein,
and SAP shall not be liable for errors or damages caused by the usage of
the Code, except if such damages were caused by SAP intentionally or
grossly negligent.
Disclaimer
Some components of this product are based on Java. Any code change
in these components may cause unpredictable and severe malfunctions
and is therefore expressively prohibited, as is any decompilation of these
components.
Any Java Source Code delivered with this product is only to be used by
SAPs Support Services and may not be modified or altered in any way.
Document History
Document Version Description
3. Prerequisites ..........................................................................................................................1
1. Scenario
When implementing a SAP HANA system, a security concept for SAP HANA has to be created and
implemented. Such a concept will entail groups of users with typical tasks such as database
administrators, user administrators etc. These groups of users will need individual sets of privileges
which can be bundled in roles. What particular roles are needed will depend on the set up of the
corresponding IT organization, legal requirements,
In this How-To guide we propose a set of roles that may be used as a starting point for a security
model in a SAP HANA Database system. For all roles, we explain the actions enabled by the role
(and important actions that would not be enabled), and we explain all privileges contained in the
role. All SQL Statements required in order to create the role are given as well. These statements
can be copied into an SQL editor of SAP HANA Studio to create the role directly in the database
system.
2. Background Information
SAP HANA Database offers a selection of pre-installed roles for standard tasks. These roles are:
PUBLIC, MONITORING, MODELING and CONTENT_ADMIN. However, typically in a given
setup, different roles will be needed: either more granular roles, modifications to existing roles, or
additional roles.
The pre-delivered roles should therefore be considered templates or examples of those roles that
may be implemented in a given HANA system.
In a similar manner, the role templates introduced with this how-to guide should not be regarded as
final, ready-to-go roles. The privileges contained in the roles must be carefully checked against
legal requirements as well as requirements arising from security policies and project setup.
This this how-to guide does not introduce a security strategy. Considerations of how to set up a
security concept for SAP HANA will be introduced in a dedicated document.
3. Prerequisites
The steps described in this how-to guide require very few prerequisites:
SAP HANA Database system of version HANA 1.0 SP 3 (revision 20 or higher)
SAP HANA Studio matching the version of SAP HANA Database
Please refer to the following sources for further information on security topics in SAP HANA
Database
The SAP HANA Database Security Guide which is available in the SAP Library at
http://help.sap.com/hana_appliance Security Information SAP HANA Security
Guides SAP HANA Database - Security Guide
The Administrators Guide for SAP HANA Database in the SAP Library at
http://help.sap.com/hana_appliance System Administration and Maintenance
Information Administrators Guide
SAP Note 1605168: SAP HANA - Handling priviledges (sic.) after upgrade to Revision 15
SAP Note 1612520: Invalidated View
November 2012 1
How To Set Up Standard Roles in SAP HANA
4. Step-by-Step Procedure
In the following sub-sections, we introduce several example roles. For each role, a dedicated sub-
section Role generation via SQL lists all SQL statements required to generate the example role.
These statements can be copied out of this how-to guide and pasted into a SQL editor of SAP
HANA Studio to create and populate the role.
The roles can only be created by a sufficiently privileged database user. The pre-delivered user
SYSTEM can be used for setting up most of the roles. In exceptional cases, user SYSTEM may be
lacking individual privileges. This is mentioned in the description of the role.
4.1
...
Prerequisite: stored procedure wrappers
For granting certain privileges in a SAP HANA Database system there exist dedicated stored
procedures. The stored procedures themselves can only be invoked via prepared statements,
which makes granting these roles in the SQL Editor of SAP HANA Studio somewhat complicated.
For convenience, we suggest wrapping these stored procedures into SQLscript procedures that do
not require prepared statements.
The following table lists the privileges that require stored procedures, the name of the stored
procedure and the name of the proposed SLQscript procedure. In the table, the term activated
content refers to activated HANA data models, i.e. activated Attribute Views, Analytic Views,
Calculation Views or SQLscript procedures that have been created using the modeling component
of SAP HANA Studio.
November 2012 2
How To Set Up Standard Roles in SAP HANA
November 2012 3
How To Set Up Standard Roles in SAP HANA
in i3 varchar(256) )
language sqlscript
as
begin
/* select * from dummy; */
call GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT('EXECUTE', :i2, :i3);
end;
4.1.2 Usage
All stored procedure wrappers introduced above must be invoked with two parameters:
- the first parameter is the technical name of the object on which the privilege is granted (the
activated HANA data model or the activate Analytic Privilege);
- the second parameter is the name of the database user or role to which the privilege is
being granted.
4.2
...
Data Admin Role
s
November 2012 4
How To Set Up Standard Roles in SAP HANA
Have a database user that is able to grant privileges on all application data to other users if
required
Have a database user that can create new application schemas or objects within these
schemas
Have a database user that is able to export tables to the file system of the SAP HANA
Database server and to import tables from the file system of the SAP HANA Database server
(e.g. in the course of SAP customer messages).
Have a database user that has important privileges on the database schemas of the modeler
application (_SYS_BIC and _SYS_BI) and can grant these privileges to other users or roles.
/*
If there are tables in schema system, someone must be able to at least
grant access to those tables
Note: normally this should not be required. Application data do not
belong into schema SYSTEM.
*/
grant select on schema SYSTEM to DATA_ADMIN_ROLE with grant option;
/*
All required permissions on _SYS_BIC
*/
grant select on schema _SYS_BIC to DATA_ADMIN_ROLE with grant option;
grant create any on schema _SYS_BIC to DATA_ADMIN_ROLE with grant option;
grant drop on schema _SYS_BIC to DATA_ADMIN_ROLE with grant option;
/*
All required permissions on _SYS_BI
*/
grant select on schema _SYS_BI to DATA_ADMIN_ROLE with grant option;
grant insert on schema _SYS_BI to DATA_ADMIN_ROLE with grant option;
grant update on schema _SYS_BI to DATA_ADMIN_ROLE with grant option;
grant delete on schema _SYS_BI to DATA_ADMIN_ROLE with grant option;
/*
Allow creating of new Schemas
(System Privilege)
*/
grant CREATE SCHEMA to DATA_ADMIN_ROLE;
/*
Allow binary import of tables
(System Privilege)
*/
grant IMPORT to DATA_ADMIN_ROLE;
/*
Allow binary export of tables
(System Privilege)
*/
grant EXPORT to DATA_ADMIN_ROLE;
November 2012 5
How To Set Up Standard Roles in SAP HANA
November 2012 6
How To Set Up Standard Roles in SAP HANA
/*
Allow expanding repository tree
May be granted including "grant option" if repository admins are
supposed to pass on this privilege to others users or roles.
(SQL-Privilege)
*/
grant execute on REPOSITORY_REST to REPO_ADMIN_ROLE;
/*
allow reading metadata in the system
(System Privilege)
*/
grant CATALOG READ to REPO_ADMIN_ROLE;
/*
Allow server-side export
Add ADMIN OPTION if the privilege shall be
grantable to others
(System Privilege)
*/
grant REPO.EXPORT to REPO_ADMIN_ROLE;
/*
Allow server-side import
Aadd ADMIN OPTION if the privilege shall be
grantable to others
(System Privilege)
*/
grant REPO.IMPORT to REPO_ADMIN_ROLE;
/*
Allow creating etc of Delivery Units
(can be required for server-side export/import)
(System Privilege)
*/
grant REPO.MAINTAIN_DELIVERY_UNITS to REPO_ADMIN_ROLE;
/************************************************************/
November 2012 7
How To Set Up Standard Roles in SAP HANA
/*
Grant all package privileges on all kinds of packages
(native and imported) on all packages in the system
(on the root-note of the repository)
May be granted including "grant option" if repository admins are
supposed to pass on package privileges to others users or roles.
(Package Privilege)
*/
/* for native packages */
grant REPO.READ on ".REPO_PACKAGE_ROOT" to REPO_ADMIN_ROLE;
grant REPO.EDIT_NATIVE_OBJECTS on ".REPO_PACKAGE_ROOT" to REPO_ADMIN_ROLE;
grant REPO.ACTIVATE_NATIVE_OBJECTS on ".REPO_PACKAGE_ROOT" to
REPO_ADMIN_ROLE;
grant REPO.MAINTAIN_NATIVE_PACKAGES on ".REPO_PACKAGE_ROOT" to
REPO_ADMIN_ROLE;
/* for imported packages */
grant REPO.EDIT_IMPORTED_OBJECTS on ".REPO_PACKAGE_ROOT" to
REPO_ADMIN_ROLE;
grant REPO.ACTIVATE_IMPORTED_OBJECTS on ".REPO_PACKAGE_ROOT" to
REPO_ADMIN_ROLE;
grant REPO.MAINTAIN_IMPORTED_PACKAGES on ".REPO_PACKAGE_ROOT" to
REPO_ADMIN_ROLE;
November 2012 8
How To Set Up Standard Roles in SAP HANA
/* Allows to do: */
/* - CREATE USER */
/* - DROP USER */
/* - See list of roles in Studio -> Catalog */
/* without this, you only see the role assigned to you */
/* And no, role admin is not sufficient for that. */
/* (System Privilege) */
grant user admin TO USER_ADMIN_ROLE;
/* Allows to do: */
/* - Create roles in the system */
/* - Drop roles in the system */
/* - Grant any role in the system */
/* (System Privilege) */
grant role admin to USER_ADMIN_ROLE;
November 2012 9
How To Set Up Standard Roles in SAP HANA
November 2012 10
How To Set Up Standard Roles in SAP HANA
The same consideration as for system privileges applies for privileges that are similar to
system privileges, e.g.
o execute on REPOSITORY_REST
As is described in section 4.5, the role for maintaining Analytic Privileges may be fully or
partly included in the role for user administrators.
We explicitly do not include privileges to grant or revoke activated Analytic Privileges to/from users
or roles. These privileges are listed as part of the user admin role.
By separating the roles for maintaining Analytic Privileges and for user administration, one can
separate the definition of data access privileges from the granting of such privileges if so desired.
We assume that in many cases the user administrators will also have the role to maintain Analytic
Privileges.
/************************************************************/
/* Note on granting package privileges */
/* You may choose to grant such privileges not on the root */
/* node of the repository but rather on the master node of */
/* some sub-hierarchy of packages. */
/* In this case, you would create one role like this per */
/* sub-hierarchy of packages. */
/* Package privileges are valid for the given package and */
/* all sub-packages */
November 2012 11
How To Set Up Standard Roles in SAP HANA
to MAINTAIN_ANALYTIC_PRIVILEGES_ROLE;
/* allow creation of new packages inside of imported packages */
/* Note: you typically do not want to grant this privilege */
/* Imported packages should be read only. */
/*
grant REPO.MAINTAIN_IMPORTED_PACKAGES on ".REPO_PACKAGE_ROOT"
to MAINTAIN_ANALYTIC_PRIVILEGES_ROLE;
*/
/* Allow saving the ana priv (required for creating a ana priv) */
/* Grant this for native packages. */
/* (Package Privilege) */
grant REPO.EDIT_NATIVE_OBJECTS on ".REPO_PACKAGE_ROOT"
to MAINTAIN_ANALYTIC_PRIVILEGES_ROLE;
/* you should normally not grant this for imported packages: */
/*
grant REPO.EDIT_IMPORTED_OBJECTS on ".REPO_PACKAGE_ROOT"
to MAINTAIN_ANALYTIC_PRIVILEGES_ROLE;
*/
/* *************************************** */
/* Activation: */
/* */
/* Just one privilege required in addition: */
/* System Privilege */
grant CREATE STRUCTURED PRIVILEGE to MAINTAIN_ANALYTIC_PRIVILEGES_ROLE;
/* Allow dropping and re-creation of privileges */
grant STRUCTUREDPRIVILEGE ADMIN to MAINTAIN_ANALYTIC_PRIVILEGES_ROLE;
November 2012 12
How To Set Up Standard Roles in SAP HANA
/* Allow saving the ana priv (required for creating a ana priv) */
/* Grant this for native packages. */
November 2012 13
How To Set Up Standard Roles in SAP HANA
/* (Package Privilege) */
grant REPO.EDIT_NATIVE_OBJECTS on ".REPO_PACKAGE_ROOT"
TO MODELING_ROLE;
/* allow editing of objects inside of imported packages */
/* this should normally not be granted for imported package */
/*
grant REPO.EDIT_IMPORTED_OBJECTS on ".REPO_PACKAGE_ROOT"
to MODELING_ROLE;
*/
/* Activate the views underneath the given package (in this case the */
/* root node of the repository */
/* Grant this for all native and imported packages. */
/* (Package Privilege) */
grant REPO.ACTIVATE_NATIVE_OBJECTS on ".REPO_PACKAGE_ROOT"
to MODELING_ROLE;
grant REPO.ACTIVATE_IMPORTED_OBJECTS on ".REPO_PACKAGE_ROOT"
to MODELING_ROLE;
November 2012 14
How To Set Up Standard Roles in SAP HANA
November 2012 15
How To Set Up Standard Roles in SAP HANA
with any supported front-end (currently the front-ends from SAP BusinessObjects version 4
and MS Excel.
The information consumer role therefore contains SQL privileges on the activated data models,
Analytic Privileges, and some additional SQL privileges on metadata tables of the modeler
application (tables in schema _SYS_BI).
It should be noted that one will typically have one such role per user or group of users with identical
privileges.
/* Allow expanding the Content tree and seeing the list of packages */
grant execute on REPOSITORY_REST to INFORMATION_CONSUMER_ROLE;
November 2012 16
How To Set Up Standard Roles in SAP HANA
November 2012 17
www.sap.com/contactsap
www.sdn.sap.com/irj/sdn/howtoguides