WHAT ARE SAP HANA ROLES?

Posted by Klea Duro on May 5, 2023 8:15:00 AM

Profiling also exists and can be implemented in the SAP HANA database.

 

SAP HANA ROLES

 

But not all roads lead to the same result. Some choices may not be ideal in the long run and in the management of authorizations in SAP HANA. What is important to know when defining SAP HANA roles?

 

This is not always done as this database is mainly used when using SAP applications. Such as S/4HANA.

 

What is the difference between SAP HANA and S/4HANA?

SAP HANA (High Performance Analytic Appliance) is the database created by SAP. In this case it is reductive to define HANA only as a database, in fact it has many functions:

 

  • It supports OLAP (Online Analytical Processing) and OLTP (Online transaction processing) modes at the same time.
  • Can be used in on-premises or on cloud mode
  • Contains native data manipulation capabilities from different sources (ETL Extract Transform and Load)
  • Contains an application part called SAP HANA Extended Application Server (SAP HANA XSA)
    • In this case there is an ad hoc profiling, consisting of different objects, such as: Scope and attributes, Role Collections.

 

 

How to connect to HANA?

There are two main ways at the moment. Via the SAP HANA Studio program (you can download it from the SAP support portal and install it on your PC) and via the SAP HANA Cockpit, a web feature that must be installed "server side".

 

Once SAP HANA Studio is installed, you can connect to the database.

 

SAP HANA STUDIO

 

However, SAP suggests using the SAP HANA Cockpit, for several reasons, for example:

 

What are the special features of SAP HANA in the Cloud?

In case HANA is managed in the cloud (SAP HANA Enterprise Cloud) what are the points of attention (SAP Cloud Security)?

 

  • Infrastructure logs will be managed by the provider (firewall, network, virtual machine)
  • As well as system management basis activities, will be managed by the provider
  • Profiling and authorization activities will be managed directly by you

 

But is it necessary to create HANA roles?

You may find yourself in two main scenarios:

 

  1. You will install only the S/4HANA application in your SAP HANA installation.
  2. You use SAP HANA to develop proprietary applications (not SAP then)

 

These scenarios are very different from each other. In the first case above, in most cases, you do not need to define many roles, except for system administrators.

 

While in the second case you may need to define many roles and use a variety of features to manage the HANA authorization concept.

 

So which users can you define in SAP HANA?

                                    Download our tutorial here!

 

What types of roles can you use in SAP HANA?

There are two types of roles in SAP HANA:

  • SAP Run-time Role o Catalog Role
  • SAP Design-time Role o Repository Role

 

Depending on the situation and scenario, it is necessary to figure out which is the best type of role to use. As there may be a lot of overlap. In other words, the same "authorization" can be assigned through both Catalog Roles and Repository Roles.

But how to figure out what to do and what type of HANA role to use?

 

Role Transport

  • Catalog Role: NO
  • Repository Role: SI

 

Version Management (Versioning)

  • Catalog Role: NO
  • Repository Role: SI

 

Role Ownership

  • Catalog Role: The ownership of who creates the roles is of the users who defined them
  • Repository Role: The technical user _SYS_REPO is used to avoid the very case above

 

GRANT and REVOKE

  • Catalog Role: if the user account of the person who created these roles is deleted, all entitlements are also revoked
  • Repository Role: the functionality above is not applied

 

Here you can find how to create a Repository Role.

 

You can recognize whether a HANA role is of type Repository Role by the fact that it is written in its definition. Unlike Catalog Roles that do not carry this definition, as shown in the image below.

 

REPOSITORY_ROLE_SAP_HANA

 

Repository Roles must be created through the definition of a project, where they are placed. Privileges (Privileges) must then be defined within them.

 

HANA_REPOSITORY_ROLE

 

 

Emergency users and PAM management in SAP HANA?

It is possible through the SAP GRC Access Control in version 12.x where you can create super-users for access to the HANA database as well.

 

In this case, a procedure is defined for Privileged Access Management (PAM) where the super user (firefighter) can access the HANA development environment.

 

SAP GRC EAM HANA REASON

 

More content like this above? Subscribe to our Blog, by using the link below:

 

Iscriviti al blog se ancora non lo hai fatto!

 

Topics: sap hanaHANA Securitysap grc 12HANA Rolesfirefighter HANA

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all