A security concept is required in SAP HANA for the following reasons:
To restrict database administration to skilled (and empowered) people
To restrict access to SAP ERP tables
To restrict editing of SAP HANA data models to owners of the model
Security is important in SAP HANA because user administration plays a significant role, as follows:
Several front end tools offer direct access into SAP HANA.
Access to objects and to data model content must be controlled within SAP HANA.
Information consumers need named users in SAP HANA.
An exception to the security concept is when information consumers do not require user management. This occurs in the following situations:
Access to data does not need to be controlled.
All data access occurs through the SAP Business Intelligence (BI) semantic layer, and security is implemented in SAP BusinessObjects Enterprise.
User administrators create and configure users in SAP HANA. User administrators have the system privilege USER ADMIN, which authorizes them to manage all users.
When database accounts are created, SAP HANA distinguishes two types of users:
Database Users that Correspond to Real People
Technical Database Users
Database users are created either as standard users or as restricted users.
The database administrator creates a database user for every person who works in the SAP HANA database. Database users that correspond to real people are dropped when the person leaves the organization. This means that the database objects they own are also automatically dropped, and the privileges they granted are automatically revoked.
Compared to standard database users, restricted users are initially limited in the following ways:
They cannot create objects in the database because they are not authorized to create objects in their own database schema.
They cannot view any data in the database because they are not granted (and cannot be granted) the standard PUBLIC role.
They are only able to connect to the database using HTTP/HTTPS.
To enable a restricted user to use an application, grant the required application-specific roles. Because restricted users can initially connect only through HTTP or HTTPS, ODBC or JDBC access must be enabled explicitly before they can connect through those interfaces.
Technical Database Users
Technical database users do not correspond to real people and are not dropped when a person leaves the organization. Typically this type of user is used for recurring administrative tasks, for example, creating objects and granting privileges for a particular application. Some technical users are available as standard, for example, the users SYS and _SYS_REPO. Application-specific users needed for particular scenarios are a further use case.
Technically, these user types are the same. The only difference between them is conceptual.
Database users that correspond to real people can be grouped according to different tasks (see lesson User Groups in this unit).
User Administration Tools
User management is configured using the SAP HANA cockpit.
There is no replication of existing authorizations from the source system.
All the user management functions can also be executed from the command line using SQL requests. This is useful when using scripts for automated processing.
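The user types described above, created with SQL rather than the cockpit (the scripted route mentioned under User Administration Tools), as an added example that is not part of the SAP course text. The statements are run by a user holding the USER ADMIN system privilege; the user names J_DOE, REPORTING_APP and ETL_LOADER and the catalog role SALES_REPORT_USER are assumed names for illustration.

```sql
-- Added example, not from the SAP course text. Run as a user with USER ADMIN.
-- J_DOE, REPORTING_APP, ETL_LOADER and SALES_REPORT_USER are assumed names.

-- 1. Standard user for a real person. The password is an initial one; the
--    default password policy forces a change at first logon.
CREATE USER J_DOE PASSWORD "Initial_Pw_2024";

-- 2. Restricted user for an application front end: no CREATE privilege in its
--    own schema, no PUBLIC role, and HTTP/HTTPS connections only.
CREATE RESTRICTED USER REPORTING_APP PASSWORD "Initial_Pw_2024";
-- Grant only the application-specific role it needs.
GRANT SALES_REPORT_USER TO REPORTING_APP;
-- Allow ODBC/JDBC clients, which are disabled for restricted users by default.
ALTER USER REPORTING_APP ENABLE CLIENT CONNECT;

-- 3. Technical user for a scheduled load job. Technically the same as a
--    standard user; it is not tied to a person, so the human-oriented
--    password rules (forced first change, password lifetime) are switched off.
CREATE USER ETL_LOADER PASSWORD "Initial_Pw_2024" NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER ETL_LOADER DISABLE PASSWORD LIFETIME;

-- 4. Verify the result in the SYS.USERS system view.
SELECT USER_NAME, IS_RESTRICTED, IS_CLIENT_CONNECT_ENABLED, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USER_NAME IN ('J_DOE', 'REPORTING_APP', 'ETL_LOADER');

-- 5. Offboarding a person. RESTRICT (the default) refuses to drop a user who
--    still owns objects; CASCADE drops the user together with the objects they
--    own and revokes the privileges they granted. Check ownership first so the
--    cascade does not silently remove something an application depends on.
SELECT SCHEMA_NAME, OBJECT_NAME, OBJECT_TYPE
  FROM SYS.OWNERSHIP
 WHERE OWNER_NAME = 'J_DOE';
DROP USER J_DOE RESTRICT;
-- DROP USER J_DOE CASCADE;  -- only after the ownership list has been reviewed
```

Saved to a file, the same statements run from the command line with hdbsql (for example hdbsql -n <host> -i <instance> -U <hdbuserstore key> -I users.sql), which is the scripted route mentioned above. Prefer an hdbuserstore key to a password passed with -p, so the administrator credential does not end up in the shell history or process list.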
SAP Identity Management provides additional support for user provisioning in the SAP HANA database.
SAP Identity Management 7.2 SP 3 contains a connector to the SAP HANA database (IDM connector). With SAP Identity Management, you can perform the following actions in the SAP HANA database:
Create and delete user accounts
Set passwords for users
For more information about the SAP Identity Management and the IDM connector, see SAP Community at https://www.sap.com/community/topic/identity-management.html.
You can create a standard database user for every person who works directly with the SAP HANA database. When you create a user, you also configure how the user is authenticated. You can do this on the User page of the SAP HANA cockpit.
When you create a user, specify the following properties:
User Name
Enter a unique user name.
Optional: User Group
Enter the user group assigned to the user.
Optional: E-mail address
Enter the user's e-mail address.
Optional: Validity Period, including the appropriate time zone
Enter the validity period of the user. If the user account is not currently within its validity period, the user is inactive and cannot log on. If no validity period is configured, the user is indefinitely valid.
Optional: Creation of Objects in Own Schema
Prevent the user from being able to create objects in their own database schema.
Optional: PUBLIC Role.
Prevent the user from being granted the standard PUBLIC role.
The PUBLIC role contains the privileges for filtered read-only access to the system views. To see data in a particular view, the user also needs the SELECT privilege on the view.
Optional: Disable ODBC or JDBC access.
This indicates whether or not the user can connect to the database via ODBC or JDBC. By default, ODBC and JDBC access is enabled for standard users and is disabled for restricted users. This means that restricted users can only connect via HTTP or HTTPS.
Optional: Comment
Enter a comment.
Optional: Set the authorization mode to LDAP if the user's authorization is based on LDAP group membership
Specify how the user can be authenticated
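The cockpit properties listed above expressed as SQL, as an added example that is not part of the SAP course text. The users M_MUELLER and K_SINGH, the user group ANALYSTS, the e-mail address and the validity dates are assumed values; the LDAP clauses follow the SAP HANA 2.0 SPS 03 SQL reference and the exact column set of SYS.USERS depends on the release in use, so check both against the installed version.

```sql
-- Added example, not from the SAP course text. Assumed values: M_MUELLER,
-- K_SINGH, user group ANALYSTS (must already exist), dates and address.

-- Unique user name, validity period and user group in one statement.
-- The timestamps are interpreted in the database time zone; the cockpit lets
-- you pick a time zone explicitly, so compare VALID_FROM/VALID_UNTIL below.
CREATE USER M_MUELLER PASSWORD "Initial_Pw_2024"
  VALID FROM '2024-01-15 00:00:00' UNTIL '2024-12-31 23:59:59'
  SET USERGROUP ANALYSTS;

-- The e-mail address is stored as a user parameter.
ALTER USER M_MUELLER SET PARAMETER EMAIL ADDRESS = 'm.mueller@example.com';

-- "Creation of Objects in Own Schema" switched off: a new standard user holds
-- CREATE ANY on the schema of the same name; revoke it.
REVOKE CREATE ANY ON SCHEMA M_MUELLER FROM M_MUELLER;

-- "Disable ODBC or JDBC access": HTTP/HTTPS logons only, as for restricted users.
ALTER USER M_MUELLER DISABLE CLIENT CONNECT;

-- Authentication and authorization via LDAP: no local password; the user's
-- roles are derived from LDAP group membership (SAP HANA 2.0 SPS 03 or later).
CREATE USER K_SINGH WITH IDENTITY FOR LDAP PROVIDER AUTHORIZATION LDAP;

-- A user outside its validity period is inactive; an administrator can also
-- deactivate a user immediately, which blocks logon without dropping anything.
ALTER USER M_MUELLER DEACTIVATE USER NOW;
ALTER USER M_MUELLER ACTIVATE USER NOW;

-- Verify: SYS.USERS for the account settings, SYS.GRANTED_PRIVILEGES for the
-- own-schema privilege (the CREATE ANY row should be gone after the REVOKE).
SELECT USER_NAME, USERGROUP_NAME, VALID_FROM, VALID_UNTIL, USER_DEACTIVATED,
       IS_CLIENT_CONNECT_ENABLED, IS_PASSWORD_ENABLED, AUTHORIZATION_MODE
  FROM SYS.USERS
 WHERE USER_NAME IN ('M_MUELLER', 'K_SINGH');
SELECT PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'M_MUELLER' AND OBJECT_TYPE = 'SCHEMA' AND SCHEMA_NAME = 'M_MUELLER';
```

Deactivation is the right first response when an account is suspected of misuse: it stops new logons at once while ownership and granted privileges remain intact for the investigation, whereas DROP USER CASCADE destroys that evidence.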
Additional User Parameters
You can configure additional user properties for client applications. The following custom user properties are available by default:
LOCALE
This is the user's locale.
PRIORITY
This is the priority with which the thread scheduler handles statements executed by the user. The priority can be in the range 0-9, with 9 representing the highest priority. 5 is the default priority.
STATEMENT MEMORY LIMIT
This is the maximum memory (in GB) that can be used by a statement executed by the user.
STATEMENT THREAD LIMIT
This is the maximum number of threads that can be used by a statement executed by the user.
TIME ZONE
This is the user's time zone. The standard database formats for locale and time zone are supported.
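The parameters listed above set with SQL and then verified, as an added example that is not part of the SAP course text. ANALYST_01 is an assumed user name and the limit values are illustrative; the global.ini settings named in the comments are the documented prerequisites for per-statement memory limits.

```sql
-- Added example, not from the SAP course text. ANALYST_01 is an assumed user.

-- Client-facing parameters: LOCALE and TIME ZONE in standard database format.
ALTER USER ANALYST_01 SET PARAMETER LOCALE = 'en_US';
ALTER USER ANALYST_01 SET PARAMETER TIME ZONE = 'Europe/Berlin';

-- Scheduling priority below the default of 5 for an ad-hoc reporting user.
ALTER USER ANALYST_01 SET PARAMETER PRIORITY = '3';

-- Resource limits per statement: 8 GB of memory and 4 threads, so one runaway
-- query cannot monopolize the system. The memory limit is only enforced when
-- statement memory tracking is on (global.ini, section [resource_tracking]:
-- enable_tracking = on and memory_tracking = on); statement_memory_limit in
-- [memorymanager] sets the system-wide default for users without their own.
ALTER USER ANALYST_01 SET PARAMETER STATEMENT MEMORY LIMIT = '8';
ALTER USER ANALYST_01 SET PARAMETER STATEMENT THREAD LIMIT = '4';

-- Parameter values are always strings. Remove a single parameter again so the
-- default applies:
ALTER USER ANALYST_01 CLEAR PARAMETER PRIORITY;

-- Verify what is set for the user.
SELECT USER_NAME, PARAMETER, VALUE
  FROM SYS.USER_PARAMETERS
 WHERE USER_NAME = 'ANALYST_01';

-- Review query: users with no per-statement memory limit at all (system users
-- whose names start with _SYS are excluded).
SELECT U.USER_NAME
  FROM SYS.USERS U
 WHERE U.USER_NAME NOT LIKE '\_SYS%' ESCAPE '\'
   AND NOT EXISTS (SELECT 1 FROM SYS.USER_PARAMETERS P
                    WHERE P.USER_NAME = U.USER_NAME
                      AND P.PARAMETER = 'STATEMENT MEMORY LIMIT');
```

The review query is worth running after every bulk user import: a per-user limit set in the cockpit is easy to forget for accounts created by script, and a single unbounded statement from an interactive user is the most common way a reporting workload takes down a shared HANA system.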