Sap Ha240 en Col09 Hana Sp09

May 5, 2018 | Author: NARENDRA | Category: Sap Se, Databases, Oracle Corporation, Oracle Database, Ibm System I


Short Description

Description: SAP HA240 HANA SP09...


HA240 Authorization, security and scenarios


www.sap.com

SAP SE Copyrights and Trademarks

© 2014 SAP SE. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

- Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
- IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
- Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
- Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
- Oracle is a registered trademark of Oracle Corporation.
- UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
- Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
- HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
- Java is a registered trademark of Sun Microsystems, Inc.
- LabNetscape.
- SAP, SAP Fiori, SAP SAPUI5, R/3, SAP Fiori, SAP NW Gateway, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.
- Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
- Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

© SAP SE

HA240


Unit 1: Introduction into the area of Security and authorization Lesson: SAP HANA Introduction and overview

CONTENTS

ABOUT THIS HANDBOOK

UNIT 1: INTRODUCTION INTO THE AREA OF SECURITY AND AUTHORIZATION
    Lesson: SAP HANA Introduction and overview

UNIT 2: REPOSITORY
    Lesson: Repository

UNIT 3: AUTHORIZATION INSIDE SAP HANA
    Lesson: General authorization concept
    Lesson: Roles
    Lesson: Assignments from privileges to user
    Lesson: Object Ownership
    Exercise 1: Maintaining Users and Authorizations

UNIT 4: GENERAL SECURITY REQUIREMENTS AND SOLUTIONS
    Lesson: Introduction
    Lesson: SAP GRC Integration for Governance Risk and Compliance
    Lesson: SAP Netweaver Identity Management integration
    Lesson: Authorization, Security and Scenarios

UNIT 5: AUTHORIZATION TRACE AND AUDITING
    Lesson: Authorization trace
    Exercise 3: Authorization trace
    Lesson: Auditing
    Exercise 4: Auditing

UNIT 6: INTEGRATIVE AUTHORIZATION SCENARIOS
    Lesson: Scenarios introduction
    Lesson: Scenario BW + SAP-HANA
    Exercise 5: BW authorizations reuse by SAPHANA
    Lesson: BI4 and HANA Integration
    Lesson: Reuse of ERP Authorization using SAP HANA Live
    Exercise 6: HANA Live Analytic Authorization assistant

UNIT 7: OPTIONAL: MULTITENANT DB AND HANA ENTERPRISE CLOUD
    Lesson: Multitenant
    Lesson: HANA Enterprise Cloud


About This Handbook

This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. American English is the standard used in this handbook. The following typographic conventions are also used:

Use: Example/Visualization

- Demonstration by Instructor: A hint or advanced detail is shown or clarified by the instructor – please indicate reaching any of these points to the instructor.
- Warning or Caution: A word of caution – generally used to point out limitations or actions with potential negative impact that need to be considered consciously.
- Hint: A hint, tip or additional detail that helps increase performance of the solution or helps improve understanding of the solution.
- Additional information: An indicator for pointing to additional information or technique beyond the scope of the exercise but of potential interest to the participant.
- Discussion/Group Exercise: Used to indicate that collaboration is required to conclude a given exercise. Collaboration can be a discussion or a virtual collaboration.
- User Interface Text: Find the Flavor Gallery button
- Solution or SAP Specific term: E.g. Flavors are transaction-specific screen personalizations created and rendered using SAP Screen Personas.


Unit 1: Introduction into the area of Security and authorization


Lesson: SAP HANA Introduction and overview

Image 1: Learning Objective


Image 2: SAP HANA as the powerful center of any data flow

For on-premise deployment, SAP HANA comes either preinstalled on certified hardware provided by an SAP hardware partner (appliance), or it must be installed on certified hardware by a certified administrator. The installation itself is part of the course HA200, and there is a special certificate, C_HANAINSTxxy, where xx = the last two digits of the year and y = the number of the half-year.


Certification    SAP HANA SPS
141              SPS07
142              SPS08
151              SPS09

Image 3: SAP HANA as a platform of a system landscape


Image 4: SAP HANA as Part of the Customer Solution

Provide a holistic operations concept:

- SAP HANA is just one element of your IT solution
- You will benefit from a holistic operations concept


Image 5: SAP HANA In-Memory Strategy


Image 6: Why is security necessary?


Image 7: Traditional security architecture


Image 8: SAP HANA scenarios – 3-tier application, data mart (analytics)


Image 9: SAP HANA scenarios – SAP HANA extended application services


Image 10: SAP HANA Security Architecture


Image 11: SAP HANA – authentication and single sign-on

Access to SAP HANA data and applications is enabled by authentication functions.

Password policies, e.g. password length and complexity, can be defined to enforce password quality.

Passwords for the user name/password authentication of database users are subject to certain rules or password policy. You can change the default password policy in line with your organization’s security requirements. You cannot deactivate the password policy.
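As an added illustration (not part of the original handbook), the following SQL shows how the password policy can be inspected and tightened. It assumes a single-container system where the policy lives in the `password policy` section of indexserver.ini; the values are constructed examples, not recommendations from the course.

```sql
-- Added example. Values are illustrative and must be aligned with your
-- organization's security requirements.

-- 1. Inspect the password policy that is currently in effect.
SELECT PROPERTY, VALUE
  FROM "SYS"."M_PASSWORD_POLICY"
 ORDER BY PROPERTY;

-- 2. Tighten the policy. The policy can be changed but not switched off:
--    every parameter always has a value (the default if none is set).
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('password policy', 'minimal_password_length')          = '12',
      -- A = upper case, a = lower case, 1 = digit, _ = special character
      ('password policy', 'password_layout')                  = 'A1a_',
      -- number of previous passwords that may not be reused
      ('password policy', 'last_used_passwords')              = '10',
      -- failed logon attempts before the user is locked
      ('password policy', 'maximum_invalid_connect_attempts') = '5',
      -- lock duration in minutes after too many failed attempts
      ('password policy', 'password_lock_time')               = '1440',
      -- days until a password must be changed
      ('password policy', 'maximum_password_lifetime')        = '90'
  WITH RECONFIGURE;

-- 3. Review users that are exempt from the lifetime check (typically
--    technical users) and users with failed logon attempts on record.
SELECT USER_NAME,
       IS_PASSWORD_LIFETIME_CHECK_ENABLED,
       INVALID_CONNECT_ATTEMPTS,
       USER_DEACTIVATED
  FROM "SYS"."USERS"
 WHERE IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
    OR INVALID_CONNECT_ATTEMPTS > 0
 ORDER BY USER_NAME;
```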

   


Image 12: Password policy


Image 13: SAP HANA – user and role management

Client: Any possible client for the HANA Platform. This includes SAP HANA Studio and the BusinessObjects BI Platform, but also a web browser, Analysis for Office, Office Excel, etc.

Application Server: In the common SAP architecture this is normally the role of NetWeaver Application Server ABAP and/or Java. In this case the HANA Platform can also be the application server, because it can act not only as a database but also as a server for native functionalities and applications.

Database: HANA is a database at its core and can be used just like another relational database, e.g. in a classical 3-tier deployment like Suite on HANA.


Image 14: SAP HANA – authorization Privilege types


Image 15: SAP HANA – communication and data encryption


Image 16: SAP HANA – audit logging


Image 17: SAP HANA – security administration

SQLDBC is a SAP HANA-specific interface that is also the basis for the SAP HANA ODBC interface.


Image 18: SAP HANA – security administration SAP HANA studio


Image 19: Important info sources


Image 20: Security information map


Unit 2 Repository


Lesson: Repository

Image 21: Learning Objective


Image 22: Terminology: repository where design-time objects reside

The SAP HANA database repository is structured hierarchically, with packages assigned to other packages as sub-packages. If you grant privileges to a user for a package, the user is automatically also authorized for all corresponding sub-packages.

In the SAP HANA repository, a distinction is made between native and imported packages. Native packages are packages that were created in the current system and should therefore be edited in the current system. Imported packages from another system should not be edited, except by newly imported updates.

An imported package should only be manually edited in exceptional cases.


Image 23: _SYS_REPO Authorization in the Repository

_SYS_REPO must be explicitly authorized for objects that are not created in the repository but on which repository objects are modeled.
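The package privilege inheritance and the _SYS_REPO grant described in this lesson, as an added SQL example that is not part of the original handbook. The package "acme.sales", the schema SALES_DATA and the user DEV_ANNA are hypothetical names.

```sql
-- Added example. "acme.sales", SALES_DATA and DEV_ANNA are hypothetical.

-- 1. Package privileges granted on a parent package also apply to all of
--    its sub-packages (for example "acme.sales.models"), so grant at the
--    lowest package level that covers the developer's work.
--    Only the privileges for native objects are granted here.
GRANT REPO.READ,
      REPO.EDIT_NATIVE_OBJECTS,
      REPO.ACTIVATE_NATIVE_OBJECTS
   ON "acme.sales" TO DEV_ANNA;

-- 2. SALES_DATA was created with CREATE SCHEMA, i.e. in the catalog and
--    not in the repository. Views modeled on its tables are activated and
--    owned by _SYS_REPO, so _SYS_REPO needs SELECT on the schema. The
--    grant option lets _SYS_REPO pass access on to users of the activated
--    objects.
GRANT SELECT ON SCHEMA "SALES_DATA" TO _SYS_REPO WITH GRANT OPTION;

-- 3. Verify both grants.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE GRANTEE IN ('DEV_ANNA', '_SYS_REPO')
   AND (OBJECT_NAME = 'acme.sales' OR SCHEMA_NAME = 'SALES_DATA')
 ORDER BY GRANTEE, PRIVILEGE;

-- 4. Review who is able to change imported packages. Imported content
--    should only be changed by a new import, so this list should be short
--    and every entry should be justified.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME AS PACKAGE_NAME, PRIVILEGE
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE PRIVILEGE IN ('REPO.EDIT_IMPORTED_OBJECTS',
                     'REPO.ACTIVATE_IMPORTED_OBJECTS')
 ORDER BY GRANTEE, PACKAGE_NAME;
```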


Image 24: Proposed Repository Layout

See the Developer Guide.


Image 25: Working in the repository Studio perspectives and web IDE


Image 26: Managing Repository Objects Deleting objects, Changing objects


Image 27: Transporting Repository Objects


Image 28: Procedures in definer mode: What’s the deal?


Image 29: Implications of using definer mode


Unit 3 Authorization inside SAP HANA


Lesson: General authorization concept

Image 30: Learning Objective


Image 31: Authorization administration


Image 32: Tools for authorization administration SAP HANA studio


Image 33: Tools for authorization administration: Web-based editor

You can call the Web-based editor directly or from SAP HANA cockpit. This editor has the same functionality as SAP HANA Studio.

Technically, this editor is part of the SAP HANA Web-based Developer Workbench. All the privileges necessary for using this workbench are bundled in the following role: sap.hana.xs.ide.roles::EditorDeveloper


Image 34: Basic Authorization entities


Image 35: Relationships between Entities

Privileges can be assigned to users directly or indirectly using roles. Privileges are required to model access control. Roles can be used to structure the access control scheme and model reusable business roles.

It is recommended to manage authorization for users by using roles. Roles can be nested so that role hierarchies can be implemented. This makes them very flexible, allowing both very fine-grained and coarse-grained authorization management for individual users.

All the privileges granted directly or indirectly to a user are combined. This means whenever a user tries to access an object, the system performs an authorization check using the user, the user's roles, and directly allocated privileges.

It is not possible to explicitly deny privileges. This means that the system does not need to check all the user roles. As soon as all requested privileges have been found, the system aborts the check and grants access. Several predefined roles exist in the database. Some of them are templates that need to be customized; others can be used as they are. User management is configured using SAP HANA Studio.
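The relationships described above (nested roles, combined privileges, no explicit deny), as an added SQL example that is not part of the original handbook. The schema SALES_DATA, the three roles and the existing user REPORT_USER are hypothetical; the executing user is assumed to hold ROLE ADMIN and a grantable SELECT privilege on the schema.

```sql
-- Added example. SALES_DATA, SALES_READ, SALES_ANALYST, SALES_AUDIT and
-- REPORT_USER are hypothetical names.

-- 1. A base role that carries the object privilege.
CREATE ROLE SALES_READ;
GRANT SELECT ON SCHEMA "SALES_DATA" TO SALES_READ;

-- 2. A business role that nests the base role (role hierarchy).
CREATE ROLE SALES_ANALYST;
GRANT SALES_READ TO SALES_ANALYST;

-- 3. A second, independent role that happens to carry the same privilege.
CREATE ROLE SALES_AUDIT;
GRANT SELECT ON SCHEMA "SALES_DATA" TO SALES_AUDIT;

-- 4. Assign both business roles to the user.
GRANT SALES_ANALYST TO REPORT_USER;
GRANT SALES_AUDIT   TO REPORT_USER;

-- 5. All roles the user holds directly or through nesting. SALES_READ
--    appears with GRANTEE = SALES_ANALYST, which shows the nesting path.
SELECT ROLE_NAME, GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM "SYS"."EFFECTIVE_ROLES"
 WHERE USER_NAME = 'REPORT_USER'
 ORDER BY ROLE_NAME;

-- 6. All privileges are combined: SELECT on SALES_DATA is listed once per
--    grant path (via SALES_READ and via SALES_AUDIT).
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, GRANTEE, GRANTEE_TYPE
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME   = 'REPORT_USER'
   AND SCHEMA_NAME = 'SALES_DATA'
 ORDER BY GRANTEE;

-- 7. There is no DENY. Revoking one role removes only that grant path;
--    the user keeps SELECT on SALES_DATA through SALES_AUDIT.
REVOKE SALES_ANALYST FROM REPORT_USER;

SELECT PRIVILEGE, SCHEMA_NAME, GRANTEE
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME   = 'REPORT_USER'
   AND SCHEMA_NAME = 'SALES_DATA';
```

To remove access completely, every grant path reported by the query in step 6 has to be revoked, which is why reviewing EFFECTIVE_PRIVILEGES per user is the reliable check.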


Image 36: Authorization Example


Image 37: Authorization design process


Image 38: Define and Create Roles


Lesson: Roles

After completing this lesson, you will be able to:

- Create and use Runtime Roles
- Grant and revoke Runtime Roles
- Explain difference between Catalog and Repository Roles
- Create and use Repository Roles
- Know common pre-delivered roles


Image 39: Creating Roles using SAP HANA Studio

The prerequisite for creating roles is the privilege ROLE ADMIN.


Image 40: Repository Roles vs. Catalog roles


Image 41: Terminology: repository where design-time objects reside


Image 42: Properties of Catalog Roles

Runtime role management has several challenges, especially with regard to the revocation of privileges and roles.


Image 43: Properties of Repository Roles


Image 44: Creating Catalog Roles


Image 45: Difficulties with catalog roles - Creation / Modification


Image 46: Less known properties of catalog roles - revoking of roles


Image 47: Creating Repository Roles

Create transportable roles with design-time and runtime representation.


Image 48: How can you manage roles safely (and respecting typical compliance requirements)


Image 49: Transporting Repository Roles


Image 50: Template Roles

MODELING: Contains all privileges required for using the information modeler in the SAP HANA studio. Contains the database authorization for a modeler to create all kinds of views and Analytic Privileges. Allows access to all data in activated views without any filter (_SYS_BI_CP_ALL Analytic Privilege). However, this is restricted by missing SQL Privileges on those activated objects.

Note: Use caution when using the _SYS_BI_CP_ALL Analytic Privilege. Use this predefined role as a template.

MONITORING: Contains privileges for full read-only access to all metadata, the current system status in system and monitoring views, and the data of the statistics server.

PUBLIC: Contains privileges for filtered read-only access to the system views. Only objects for which the users have access rights are visible. By default, this role is assigned to each user.

CONTENT_ADMIN: Contains the same privileges as the MODELING role, but with the extension that users allocated this role are allowed to grant these privileges to other users. In addition, it contains repository privileges for working with imported objects.


Use this role as a template for what content administrators might need as privileges.

SUPPORT: Contains privileges for full read-only access to all metadata, the current system status in system and monitoring views, and the data of the statistics server. Additionally it contains the privileges to access the base information of the system and monitoring views (this information is otherwise only available to the SYSTEM user). For security reasons, the following restrictions apply:

- It cannot be granted to user SYSTEM
- It cannot be granted to more than one user at a time
- It cannot be granted to another role
- No role can be granted to it
- Only system privileges can be granted to this role

Image 51: Summary


Lesson: Assignments from privileges to user

Image 52: Assign Privileges to Roles


Image 53: Assign Privileges to Roles


Image 54: Create Users


Image 55: Different User types: Database User

It is often necessary to specify different security policies for different types of database user. In the SAP HANA database, we differentiate between database users that correspond to real people and technical database users.

Note: Database users that correspond to real people are dropped when the person leaves the organization. This means that any database objects that they own are also automatically dropped, and any privileges that they granted are automatically revoked.

Compared to standard database users, restricted users are initially limited in the following ways:

- They cannot create objects in the database as they are not authorized to create objects in their own database schema.
- They cannot view any data in the database as they are not granted (and cannot be granted) the standard PUBLIC role.
- They are only able to connect to the database using HTTP. Users connecting via ODBC or JDBC require the standard role RESTRICTED_USER_ODBC_ACCESS or RESTRICTED_USER_JDBC_ACCESS.


Image 56: Different User types: Technical Database Users

The SYSTEM database user is the bootstrapping user. You use it to perform the initial system setup and to create other database users, access system tables, and so on. Note, however, that the SYSTEM database user does not automatically have access to objects created in the SAP HANA repository. SAP recommends deactivating this user once operation commences.

<sid>adm user (where <sid> is the ID of the SAP HANA system)

The <sid>adm user is an operating system user and is also referred to as the operating system administrator. This operating system user has unlimited access to all local resources related to SAP systems. This user is not a database user but a user at the operating system level.

Hint: The following users are internal users, which means it is not possible to log on to the database with them.


SYS is a technical database user. It is the owner of database objects such as system tables and monitoring views.

_SYS_AFL is a technical user that owns all objects for Application Function Libraries.

_SYS_EPM is a technical database user used by the SAP Performance Management (SAP EPM) application.

_SYS_REPO is a technical database user used by the SAP HANA repository. The repository consists of packages that contain design-time versions of various objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. _SYS_REPO is the owner of all objects in the repository, as well as their activated runtime versions.

_SYS_STATISTICS is a technical database user used by the internal monitoring mechanism of the SAP HANA database. It collects information about status, performance, and resource usage from all components of the database and issues alerts if necessary.

Hint: What to do in an emergency situation in which you have to reset the SYSTEM password?

In this case, the following mechanism for resetting the SYSTEM user password is available:

- Prerequisite: Credentials of the operating system administrator <sid>adm, access to the master index server
- As <sid>adm, log on to the server on which the master index server is running
- On the command line, shut down the SAP HANA system, then start the name, compile and index servers
- Use the following command to reset the password: /exe/hdbindexserver -resetUserSystem
- Afterwards, the index server is automatically stopped
- End the name and compile server processes
- On the command line, start the SAP HANA system

You can also find this emergency procedure in the SAP HANA Administration Guide.

Note: In a system with multitenant database containers, you can reset the passwords of the SYSTEM users in the same way by starting the name server (for the system database) or index server (for tenant databases) in emergency mode.


Image 57: Creating named Users In SAP HANA Studio


Image 58: Creating named Users in SAP HANA Studio


Image 59: Creating named Users Using SQL


Image 60: Modifying users


Image 61: User Self Service Tools

By default, SAP HANA user self-service tools are disabled; the tools are neither visible in the user interface nor configured in SAP HANA.

To provide access to embedded tools that enable users to request the creation of a new user account in the SAP HANA database or set a new password, the SAP HANA administrator must activate and set up the user self-service feature.


Image 62: User Management


Image 63: Grant Role to User


Image 64: Grant Roles to User

Note: System Privilege ROLE ADMIN supersedes this GRANT OPTION.


Image 65: Revoke Roles from User

Note on Cascaded Dropping of Privileges: If the user had granted the role to other users, revoking the role (and the grant option) also revokes the role from those grantees.
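The cascade described in this note, and the earlier note that privileges granted by a dropped user are revoked, can be traced with a small model. This is an added example in Python, not SAP HANA code or code from the course; the user and role names are constructed, and two points are assumptions of the model rather than statements from this page: a grantee keeps a role that another valid grantor also granted, and _SYS_REPO acts as the grantor of activated repository roles.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    role: str
    admin_option: bool = False   # grantee may grant the role further


class RoleCatalog:
    """Simplified model of catalog-role grants; not SAP HANA code."""

    def __init__(self, role_admins):
        # Accounts that may grant any role without holding it (assumption:
        # ROLE ADMIN holders, plus _SYS_REPO for activated repository roles).
        self.role_admins = set(role_admins)
        self.grants = set()

    def _may_grant(self, user, role, grants):
        return user in self.role_admins or any(
            g.grantee == user and g.role == role and g.admin_option
            for g in grants)

    def grant(self, grantor, grantee, role, admin_option=False):
        if not self._may_grant(grantor, role, self.grants):
            raise PermissionError(f"{grantor} may not grant {role}")
        self.grants.add(Grant(grantor, grantee, role, admin_option))

    def holdings(self):
        """All (user, role) pairs currently in effect."""
        return {(g.grantee, g.role) for g in self.grants}

    def _prune(self):
        """Keep only grants whose chain of grantors leads back to a role admin."""
        valid = set()
        while True:
            new = {g for g in self.grants - valid
                   if self._may_grant(g.grantor, g.role, valid)}
            if not new:
                break
            valid |= new
        self.grants = valid

    def revoke(self, grantor, grantee, role):
        """Revoke one grant; return every (user, role) lost through the cascade."""
        before = self.holdings()
        self.grants = {g for g in self.grants
                       if (g.grantor, g.grantee, g.role) != (grantor, grantee, role)}
        self._prune()
        return before - self.holdings()

    def drop_user(self, user):
        """Drop a user; return the (user, role) pairs that OTHER users lose."""
        before = self.holdings()
        self.role_admins.discard(user)
        self.grants = {g for g in self.grants
                       if user not in (g.grantor, g.grantee)}
        self._prune()
        return {(u, r) for (u, r) in before - self.holdings() if u != user}


def build_example():
    """Constructed scenario: a personal admin account grants catalog roles."""
    cat = RoleCatalog(role_admins={"SECADMIN", "_SYS_REPO"})
    cat.grant("SECADMIN", "ALICE", "SALES_READ", admin_option=True)
    cat.grant("ALICE", "BOB", "SALES_READ", admin_option=True)
    cat.grant("BOB", "CAROL", "SALES_READ")
    cat.grant("SECADMIN", "DAVE", "SALES_READ", admin_option=True)
    cat.grant("DAVE", "CAROL", "SALES_READ")        # CAROL has a second grantor
    cat.grant("_SYS_REPO", "ERIN", "sales::reader")  # repository-style grant
    return cat


if __name__ == "__main__":
    print("revoke from ALICE:", sorted(build_example().revoke(
        "SECADMIN", "ALICE", "SALES_READ")))
    print("drop SECADMIN:   ", sorted(build_example().drop_user("SECADMIN")))
```

Running the same check against the real grantor information before revoking a role or dropping an account shows which users would silently lose access.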


Lesson: Object Ownership

Image 66: Security: Owner vs. schema - How HANA handles ownership of catalog objects

Note: Restricted users cannot create objects in the database as they are not authorized to create objects in their own database schema.

Image 67: Security: Dropping of DB users - Impact of dropping with “cascade”


Image 68: Security: Dropping DB accounts safely - UI support in SAP HANA Studio


Image 69: Object ownership - finding ownership information


Image 70: Privileges

After completing this section you will be able to:

- Explain what are the possible types of Privileges
- Explain the use of Object Privileges, System Privileges, Package Privileges, Analytic Privileges
- Describe privileges to be set for Information Consumers
- Describe ownership rationale for possible Privilege Types
- Explain the use of Dynamic Analytic Privileges


Image 71: Type of privileges

Object Privileges: This is used to restrict access and modification of database objects, such as tables. Depending on the object type (for example, table, view), different actions (for example, CREATE ANY, ALTER, DROP) can be authorized.

For Object Privileges in the SAP HANA database, the SQL standard behavior is applied.

Analytic Privileges: This is used to restrict the access for read operations to certain data in Analytic, Attribute, and Calculation Views. This is done by filtering the attribute values. It is only applied at the processing time of the user query. Analytic Privileges need to be defined and activated before they can be granted to users and roles.

Package Privileges: This is used to restrict the access to and the use of packages in the repository of the SAP HANA database. Packages contain design-time versions of various objects, such as Analytic, Attribute, and Calculation Views, as well as Analytic Privileges, and functions. To be able to work with packages, the respective Package Privileges must be granted.

Application Privileges: Developers of SAP HANA XS applications can create application privileges to authorize user and client access to their application. They apply in addition to other privileges. It is recommended to grant application privileges to roles created in the SAP HANA Repository at design time.

All kinds of Privileges are assigned to users and roles.

Image 72: System and Object privileges

More details on Object Privileges activities:

CREATE ANY: This privilege allows the creation of all kinds of objects, in particular, tables, views, sequences, synonyms, SQL script functions or database procedures in a schema. This privilege can only be granted on a schema.

ALL PRIVILEGES: This privilege is a collection of all Data Definition Language (DDL) and Data Manipulation Language (DML) privileges that the grantor currently possesses and is allowed to grant further. The privilege it grants is specific to the particular object being acted upon. ALL PRIVILEGES is not applicable to a schema, but only a table, view, or table type.

DROP and ALTER: These are DDL privileges and authorize the DROP and ALTER SQL commands. While the DROP privilege is valid for all kinds of objects, the ALTER privilege is not valid for sequences and synonyms as their definitions cannot be changed after creation.

SELECT, INSERT, UPDATE, and DELETE: These are DML privileges and authorize respective SQL commands. While SELECT is valid for all kinds of objects, except for functions and procedures, INSERT, UPDATE, and DELETE are only valid for schemas, tables, table types, and updatable views.

INDEX: This special DDL privilege authorizes the creation, alteration or revocation of indexes for an object using the CREATE INDEX, ALTER INDEX, and DROP INDEX commands. This privilege can only be applied to a schema, table, and table type.

EXECUTE: This special DML privilege authorizes the execution of an SQL script function or a database procedure using the CALLS or CALL command, respectively.


Image 73: System privileges

Some examples for these system privilege types:

Users and Roles:

ROLE ADMIN: Authorizes the creation and deletion of roles using the CREATE ROLE and DROP ROLE commands. This privilege also authorizes the granting and revocation of roles using the GRANT and REVOKE commands.

Catalog and Schema Management:

CATALOG READ: Authorizes unfiltered read-only access to all system views. Normally, the content of these views is filtered based on the privileges of the accessing user.

Analytics:

CREATE STRUCTURED PRIVILEGE: Authorizes the creation of structured privileges. Only the owner of an analytic privilege can further grant or revoke that privilege to other users or roles.

Auditing:

AUDIT ADMIN: Controls the execution of the auditing-related commands CREATE AUDIT POLICY, DROP AUDIT POLICY, and ALTER AUDIT POLICY, as well as changes to auditing configuration. It also authorizes access to the AUDIT_LOG system view.

System Management:

BACKUP ADMIN: Authorizes backup and recovery commands for defining and initiating backup and recovery procedures. It also authorizes changes to system configuration options with respect to backup and recovery.

Data Import and Export:

IMPORT: Authorizes import activity in the database using the IMPORT commands. Note that in addition to this privilege the user requires the INSERT privilege on the target tables to be imported.

All the system privileges are described in the SAP HANA Security Guide.


Image 74: Package privileges


Image 75: Sub-package privileges


Image 76: Native and imported package privileges

Developers should be granted the following privileges for native packages:

- REPO.READ: This privilege authorizes read access to packages and design-time objects, including both native and imported objects.
- REPO.EDIT_NATIVE_OBJECTS: This privilege authorizes all kinds of inactive changes to design-time objects in native packages.
- REPO.ACTIVATE_NATIVE_OBJECTS: This privilege authorizes the user to activate or reactivate design-time objects in native packages.
- REPO.MAINTAIN_NATIVE_PACKAGES: This privilege authorizes the user to update or delete native packages, or create subpackages of native packages.

Developers should only be granted the following privileges for imported packages in exceptional cases:

- REPO.EDIT_IMPORTED_OBJECTS: This privilege authorizes all kinds of inactive changes to design-time objects in imported packages.
- REPO.ACTIVATE_IMPORTED_OBJECTS: This privilege authorizes the user to activate or reactivate design-time objects in imported packages.
- REPO.MAINTAIN_IMPORTED_PACKAGES: This privilege authorizes the user to update or delete imported packages, or create subpackages of imported packages.

In the SAP HANA studio, you can manage the repository system privileges together with the other system privileges on the System Privileges tab:

- REPO.EXPORT: This privilege authorizes the user to export, for example, delivery units.
- REPO.IMPORT: This privilege authorizes the user to import transport archives.
- REPO.MAINTAIN_DELIVERY_UNITS: This privilege authorizes the user to maintain delivery units (DU, DU-vendor must equal system-vendor).
- REPO.WORK_IN_FOREIGN_WORKSPACE: This privilege authorizes the user to work in a foreign inactive workspace.

Image 77: Analytic privileges

Analytic Privileges are used in the SAP HANA database to provide fine-grained control of what data particular users can see for Analytic use. They provide the ability for row-level authorization, based on the values in one or more columns.

All Attribute Views, Analytic Views, and Calculation Views, which have been designed in the modeler and have been activated from the modeler of the HANA studio, are automatically supported by the Analytic Privilege mechanism.


If you are already familiar with the authorization model of SAP NetWeaver Business Warehouse (SAP NetWeaver BW), you will see many similarities between the two models. The overall idea behind Analytic Privileges is the reuse of Analytic Views by different users. However, the different users may not be allowed to see the same data. For example, different regional sales managers, who are only allowed to see sales data for their regions, could reuse the same Analytic View. They would get the Analytic Privilege to see only data for their region, and their queries on the same view would return the corresponding data.

This is a major difference to the SAP NetWeaver BW model. While the concept itself is very similar, SAP NetWeaver BW would forward an error message if you executed a query that would return values you are not authorized to see. With the SAP HANA database, the query would be executed and, corresponding to your authorization, only the values you are entitled to see would be returned.

An Analytic Privilege consists of several restrictions. Three of these restrictions are always present and have the following special meanings:

- One restriction (cube restriction) determines for which column views (Attribute, Analytic, or Calculation Views) the privilege is used. This may involve a single view, a list of views or, by means of a wildcard, all applicable views.
- One restriction (activity restriction) determines the affected activity, for example, READ. This means that the activity READ is restricted and not available for use.
- One restriction (validity restriction) determines at what times the privilege is valid.

In addition to these three restrictions, many additional dimension restrictions are used. These are applied to the actual attributes of a view. Each dimension restriction is relevant for one dimension attribute, which can contain multiple value filters. Each value filter is a tuple of an operator and its operands, which is used to represent the logical filter condition. For example, a value filter (EQUAL 2014) can be defined for a dimension attribute YEAR in a dimension restriction to filter accessible data using the condition YEAR=2014 for potential users. Only dimension attributes, and no measures or key figures, can be employed in dimension restrictions.


Image 78: Analytic Privilege - Start creation wizard

In general, the user has access to an individual, independent view (Attribute, Analytic, or Calculation View) if the following prerequisites are met:

- The user was granted the SELECT privilege on the view or the containing schema.
- The user was granted an Analytic Privilege that is applicable to the view. An Analytic Privilege is applicable to a view if it contains the view in the Cube restriction and contains at least one filter on one attribute of this view.

No SELECT privilege on the underlying base tables or views of this view is required.


Image 79: SAP HANA – authorization Runtime access control


Image 80: Analytic Privilege - Select Information Models

Analytic Privilege-Capable Views

The Analytic Privilege mechanism is automatically enforced for all three kinds of views that can be defined using the information modeler:

- Attribute Views
- Analytic Views
- Calculation Views


Image 81: Analytic Privilege - Editor Overview


Image 82: Analytic Privilege Select field for attribute restriction

When relevant Analytic Privileges are found for the current user and the query directed to the particular view, the evaluation process ensures that, according to the value filters specified in the Dimension restrictions, the appropriate view data is presented to the user. In particular:

- Within one Dimension restriction, all value filters on the corresponding dimension attribute are combined with logical OR.
- Within one Analytic Privilege, all Dimension restrictions are combined with logical AND.
- Multiple Analytic Privileges are combined with logical OR.

For example, if there is only one Analytic Privilege found with two Dimension restrictions, YEAR=2008 and COUNTRY=US, the user is only allowed to see data fulfilling the condition YEAR=2008 AND COUNTRY=US.

However, if these two conditions were put in two different Analytic Privileges found for this user and this view, the user is allowed to see more data, namely the OR combination of the filters of the individual Analytic Privileges: YEAR=2008 OR COUNTRY=US.

Operators for defining value filters in the restrictions of analytic privileges:


- IN
- CONTAINSPATTERN
- EQUAL (=), LESSEQUAL, (=)
- BETWEEN
- IS_NULL and NOT_NULL: IS_NULL filters rows with null values in the corresponding attribute, NOT_NULL filters rows with non-null values in the attribute

All filter operators, except IS_NULL and NOT_NULL, accept empty strings (" ") as filter operands. Examples:

- IN (" ", "A", "B")
- As lower limit in comparison operators, e.g. BETWEEN (" ", "XYZ")
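The access prerequisites and the OR/AND/OR combination rules described above, modelled as a small evaluator. This is an added illustration, not SAP code or part of the course material: the view AN_SALES, the users, the privilege names and the rows are constructed, SELECT is checked at view level only, and the activity and validity restrictions are left out.

```python
from dataclasses import dataclass

# Value-filter operators named in the course text, with their usual comparison
# meaning. A NULL attribute value (None) matches only IS_NULL.
OPERATORS = {
    "EQUAL":     lambda v, ops: v is not None and v == ops[0],
    "LESSEQUAL": lambda v, ops: v is not None and v <= ops[0],
    "IN":        lambda v, ops: v is not None and v in ops,
    "BETWEEN":   lambda v, ops: v is not None and ops[0] <= v <= ops[1],
    "IS_NULL":   lambda v, ops: v is None,
    "NOT_NULL":  lambda v, ops: v is not None,
}


@dataclass
class DimensionRestriction:
    attribute: str
    value_filters: list  # [(operator, operands), ...]

    def matches(self, row):
        value = row.get(self.attribute)
        # Value filters on one dimension attribute are combined with OR.
        return any(OPERATORS[op](value, ops) for op, ops in self.value_filters)


@dataclass
class AnalyticPrivilege:
    name: str
    cube: set                     # view names, or {"*"} for all views
    dimension_restrictions: list

    def applies_to(self, view):
        # Applicable = view is in the cube restriction AND at least one
        # filter is defined on an attribute of this view.
        in_cube = "*" in self.cube or view.name in self.cube
        filters_view_attr = any(
            d.attribute in view.attributes for d in self.dimension_restrictions
        )
        return in_cube and filters_view_attr

    def matches(self, row):
        # Dimension restrictions inside one privilege are combined with AND.
        return all(d.matches(row) for d in self.dimension_restrictions)


@dataclass
class View:
    name: str
    attributes: set
    rows: list


def query(user, view, select_grants, privilege_grants):
    """Return the rows of `view` that `user` may see, or raise PermissionError."""
    if view.name not in select_grants.get(user, set()):
        raise PermissionError(f"{user}: no SELECT privilege on {view.name}")
    applicable = [p for p in privilege_grants.get(user, []) if p.applies_to(view)]
    if not applicable:
        raise PermissionError(f"{user}: no applicable analytic privilege")
    # Several applicable privileges are combined with OR.
    return [row for row in view.rows if any(p.matches(row) for p in applicable)]


# Constructed sample data (hypothetical view, users and privileges).
SALES = View(
    name="AN_SALES",
    attributes={"YEAR", "COUNTRY"},
    rows=[
        {"YEAR": 2008, "COUNTRY": "US", "AMOUNT": 10},
        {"YEAR": 2008, "COUNTRY": "DE", "AMOUNT": 20},
        {"YEAR": 2014, "COUNTRY": "US", "AMOUNT": 30},
        {"YEAR": 2014, "COUNTRY": "DE", "AMOUNT": 40},
        {"YEAR": 2014, "COUNTRY": None, "AMOUNT": 50},
    ],
)
AP_BOTH = AnalyticPrivilege("AP_2008_US", {"AN_SALES"}, [
    DimensionRestriction("YEAR", [("EQUAL", (2008,))]),
    DimensionRestriction("COUNTRY", [("EQUAL", ("US",))]),
])
AP_YEAR = AnalyticPrivilege(
    "AP_2008", {"AN_SALES"}, [DimensionRestriction("YEAR", [("EQUAL", (2008,))])])
AP_COUNTRY = AnalyticPrivilege(
    "AP_US", {"*"}, [DimensionRestriction("COUNTRY", [("EQUAL", ("US",))])])
AP_OTHER = AnalyticPrivilege(
    "AP_OTHER_VIEW", {"AN_OTHER"}, [DimensionRestriction("YEAR", [("NOT_NULL", ())])])

SELECT_GRANTS = {"ALICE": {"AN_SALES"}, "BOB": {"AN_SALES"}, "CAROL": {"AN_SALES"}}
PRIVILEGE_GRANTS = {
    "ALICE": [AP_BOTH],              # one privilege, two restrictions (AND)
    "BOB": [AP_YEAR, AP_COUNTRY],    # same filters in two privileges (OR)
    "CAROL": [AP_OTHER],             # privilege for a different view only
    "DAVE": [AP_BOTH],               # privilege but no SELECT on the view
}


def amounts(user):
    """AMOUNT values visible to `user` in the sample view."""
    return [r["AMOUNT"] for r in query(user, SALES, SELECT_GRANTS, PRIVILEGE_GRANTS)]


if __name__ == "__main__":
    for name in ("ALICE", "BOB"):
        print(name, amounts(name))
```

ALICE and BOB hold the same two filters, but BOB sees more rows because his filters sit in two separate privileges; when reviewing role assignments, check which privileges accumulate on a user, not just each privilege on its own.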

Image 83: Analytic Privilege - Activation

In an Analytic Privilege, in addition to static value filter conditions, it is also possible to determine the filter conditions via a stored procedure.


With this approach the filtering conditions that apply for a specific user are determined at run-time, when querying a specific table or view. This allows a more scalable approach where the same analytic privilege can be applied to multiple users, with different authorization requirements. An Analytic Privilege where a procedure is used to determine the authorized values is also called a Dynamic Analytic Privilege.

The procedure used in a Dynamic Analytic Privilege must have the following signature:

- No input parameters
- Only 1 output parameter as table type with one single column for the IN operator
- Only 1 output parameter of a scalar type for all unary operators, such as EQUAL
- Only 2 output parameters of a scalar type for the binary operator BETWEEN

Further restrictions apply as documented in the SAP HANA Developer Guide available on the SAP Help Portal.

Image 84: Dynamic analytic privileges


Image 85: Sample dynamic analytic privileges


Image 86: Analytic Privilege Check


Image 87: Analytic Privileges Caveats


Image 88: Ownership of Privileges


Image 89: System privileges Ownership, granting


Image 90: Object Privileges Ownership, granting


Image 91: Package privileges Ownership, granting


Image 92: Analytic Privileges / Structured Privileges Ownership, granting


Image 93: Information Consumers (I) Required privileges for reading from views


Image 94: Information Consumers (II) Required privileges for reading from views


Image 95: Information Consumers (III) Required privileges for reading from views


Image 96: Information Consumers (IV) Required privileges for reading from views


Image 97: Recursive revoking of privileges Take care when dropping users or revoking privileges


Exercise 1 : Maintaining Users and Authorizations

After completing this exercise, you will be able to:

- Create roles
- Assign privileges to a role
- Create a user
- Assign roles to a user
- Create an analytic privilege

Task 1:

Create a role “ROLE_ANALYTIC_##”, where ## is your group ID, and assign the following roles and privileges to your new role. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role. Add the Object Privilege REPOSITORY_REST with privilege EXECUTE. Add a Package Privilege to give access to repository package sap/hana/democontent/epm/models and assign authorization REPO.READ. Then deploy the role and confirm that the role has been created. Perform this task with SYSTEM user.

1. Create a role “ROLE_ANALYTIC_##” where ## is your group ID.
2. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role.
3. Add the Object Privilege REPOSITORY_REST with privilege EXECUTE to your role.
4. Add a Package Privilege to give access to repository package sap.hana.democontent.epm.models and assign authorization REPO.READ.
5. Deploy the role and confirm that the role has been created.

Task 2:

Create a user named USER##, where ## is your group ID. Assign the role you have just created to this user. Then confirm that your user has been created. After you have created the user successfully, you can log on and add the user to the Navigator View of the HANA studio. Then confirm that your user’s schema has been created under Catalog.

1. Create a user named USER##, where ## is your group ID.
2. Assign the role ROLE_ANALYTIC_##, where ## is your group ID, to this user.
3. Confirm that your user has been created.
4. Add the user to the Navigator View of the HANA studio.

Task 3:

Check if the user USER## is authorized to access the Analytic View AN_PURCHASE_OVERVIEW.

1. Check if the user USER## is authorized to access the Analytic View AN_PURCHASE_OVERVIEW.

Task 4:

Create a new analytic privilege, AP_PURCHASE_OVERVIEW_DE, in the package sap.hana.democontent.epm.models. This analytic privilege should give access to the Analytic View sap.hana.democontent.epm.models.AN_PURCHASE_OVERVIEW with restriction to the attribute SUPPLIER_COUNTRY = DE.

1. Navigate to the Modeler Perspective and create a new analytic privilege AP_PURCHASE_OVERVIEW_DE in the package sap.hana.democontent.epm.models.

Task 5:

Add the new analytic privilege to your role ROLE_ANALYTIC_## using the user USER##. Then test the authorizations of user USER## by selecting the Analytic View AN_PURCHASE_OVERVIEW.

1. Add the new analytic privilege to your role ROLE_ANALYTIC_##.
2. Select the Analytic View AN_PURCHASE_OVERVIEW to test the authorizations.

Task 6:


You need a user with authorizations for database administration. This database administrator should perform the following tasks:

- All actions that any DB administrator will expect to be allowed to do and that are not specific to data schemas or repository packages.
- All backup-related tasks.
- Create new database schemas and import and export catalog objects.

Create the roles which allow performing these administrative tasks.

1. Create a new role BASIC_ADMIN.

This role collects all actions that any DB administrator will expect to be allowed to do and that are not specific to data schemas or repository packages. Therefore the following privileges should be granted:

| Privilege | What does it do? |
| --- | --- |
| System privilege CATALOG READ | Read access to all metadata of the database catalog. Among other things, required to enter into the administration editor of SAP HANA studio |
| System privilege SERVICE ADMIN | Start and stop individual services (processes) of the database |
| System privilege INIFILE ADMIN | Modify the database configuration |
| System privilege TRACE ADMIN | Start and stop database traces, change the trace levels of the kernel trace |
| System privilege SESSION ADMIN | Kill sessions |
| System privilege VERSION ADMIN | Trigger garbage collection of the database’s version history (part of MVCC implementation) |
| System privilege LICENSE ADMIN | Install or delete license key |
| SELECT on schema _SYS_STATISTICS | Read alerts of the statistics server process |

2. Create a new role BACKUP_ADMIN.

This role allows all backup-related tasks, such as creating a database backup or managing the backup catalog or deleting backups from disk. Therefore the following privileges should be granted:


| Privilege | What does it do? |
| --- | --- |
| System privilege CATALOG READ | Read access to all metadata of the database catalog |
| System privilege BACKUP ADMIN | Access to all backup functionalities except for restore (which requires OS user credentials) |

3. Create a new role DATA_ADMIN.

This role defines a user who can create new database schemas directly in the catalog and import and export catalog objects. Therefore the following privileges should be granted:

| Privilege | What does it do? |
| --- | --- |
| System privilege CREATE SCHEMA | Create new schemas directly in the database catalog |
| System privilege EXPORT | Export catalog objects to the DB server (csv/binary) or to the client machine |
| System privilege IMPORT | Import catalog objects from the DB server (csv/binary) or from the client machine |

Task 7:

Create a user named ADMIN##, where ## is your group ID. Assign the database administration roles you have just created to this user. Then confirm that your user has been created.

After you have created the user successfully, you can log on and add the user to the Navigator View of the HANA studio. Then confirm that your user’s schema has been created under Catalog.

1. Create a user named ADMIN##, where ## is your group ID.
2. Assign the roles BASIC_ADMIN, BACKUP_ADMIN, and DATA_ADMIN to this user.
3. Confirm that your user has been created.


4. Add the user to the Navigator View of the HANA studio.

Task 8:

Check the authorizations of the user ADMIN##.

1. Check if the user ADMIN## is authorized to export table TRAIN00.PRODUCTS.
2. Check if the user ADMIN## is authorized to perform a backup.
3. Check if the user ADMIN## is authorized to change configuration parameters.

Solution of the Exercise 1

Task 1:

Create a role “ROLE_ANALYTIC_##”, where ## is your group ID and assign the following roles and privileges to your new role.

Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role.

Add the Object Privilege REPOSITORY_REST with privilege EXECUTE.

Add a Package Privilege to give access to repository package sap/hana/democontent/epm/models and assign authorization REPO.READ.

Then deploy the role and confirm that the role has been created. Perform this task with SYSTEM user.


1. Create a role “ROLE_ANALYTIC_##” where ## is your group ID.
   a) Log on to the SAP HANA studio with SYSTEM user.
   b) Choose Administration Perspective: Window → Open Perspective → Other... → Administrative Console.
   c) Expand the content of the SAP HANA system → Security → Roles.
   d) Right-click Roles → New Role.
   e) Give your role the following name: ROLE_ANALYTIC_##. Save (CTRL+S).

2. Add the Object Privileges _SYS_BI and _SYS_BIC with privilege SELECT to your role.
   a) Select the Object Privileges tab and click +.
   b) Search for Object Privilege _SYS_BI, highlight it, and click OK.
   c) Select the object that has just been added.
   d) Scroll to the right, and assign the privilege SELECT to object _SYS_BI.
   e) Repeat the same steps for the Object Privilege _SYS_BIC.


Unit 4: General Security Requirements and Solutions


Lesson: Introduction

Image 98: Learning Objective


Image 99: Scenario


Image 100: SAP HANA Authentication Options

User Name/Password Authentication

Users accessing the SAP HANA database authenticate themselves by entering their database user name and password.

Kerberos

A Kerberos authentication provider can be used to authenticate users accessing SAP HANA in the following ways:

- Directly from ODBC and JDBC database clients within a network (for example, the SAP HANA studio)
- Indirectly from front-end applications such as SAP BusinessObjects applications using Kerberos delegation
- Via HTTP access by means of SAP HANA Extended Services (SAP HANA XS). In this case, Kerberos authentication is enabled with Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO).

Security Assertion Markup Language (SAML)

A SAML bearer assertion can be used to authenticate users accessing SAP HANA directly from ODBC/JDBC database clients. SAP HANA can act as service provider to authenticate users accessing via HTTP by means of SAP HANA XS.

SAP Logon and Assertion Tickets


Users can be authenticated by logon or assertion tickets issued to them when they log on to an SAP system that is configured to create tickets (for example, the SAP Web Application Server or Portal).

X.509 Client Certificates

For HTTP access to SAP HANA by means of SAP HANA XS, users can be authenticated by client certificates signed by a trusted Certification Authority (CA), which can be stored in the SAP HANA XS trust store.

Image 101: SAP HANA Authentication User configuration for authentication and SSO


Image 102: Single Sign-On Introduction

Kerberos

A user who connects to the database using an external authentication provider must also have a database user known to the database. SAP HANA maps the external identity to the identity of an internal database user.

Security Assertion Markup Language (SAML)

A user who connects to the database using an external authentication provider must also have a database user known to the database. SAP HANA maps the external identity to the identity of an internal database user.

SAP Logon and Assertion Tickets

To implement SAP logon/assertion tickets, the user specified in the logon/assertion ticket must already exist in SAP HANA; there is no support for user mapping.

X.509 Client Certificates

To implement X.509 client certificates, the user specified in the certificate must already exist in SAP HANA; there is no support for user mapping.


Image 103: Kerberos Introduction

Kerberos is a network authentication protocol that provides authentication for client-server applications across an insecure network connection using secret-key cryptography.

ODBC and JDBC database clients support the Kerberos protocol, for example, the SAP HANA studio. Access from front-end applications (for example, SAP BusinessObjects XI applications) can also be implemented using Kerberos delegation.

Note however that constrained delegation and protocol transition are not supported. Kerberos is supported for HTTP access via SAP HANA XS with Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). It is up to the HTTP client whether it uses Kerberos directly or SPNEGO.


Image 104: Kerberos Prerequisites


Image 105: Kerberos Configuration: ODBC/JDBC

In distributed SAP HANA systems that use Kerberos delegation (SSO2DB), application disruptions resulting from expired authentication are avoided through the use of session cookies. This mechanism is active by default but can be disabled in the indexserver.ini file with the session_cookie_for_kerberos parameter.

Figure: Mapping the new DB user to Windows Active Directory user (External ID).


Image 106: Kerberos Configuration: SPNEGO

Changing the Service User Password

Since the keys stored in the key tab are generated from the Service User password, you should change the Service User password periodically.

After the password has been changed, the key tab has to be either created again or extended to contain the new key(s), since a password change implies an increment of the Key Version Number (kvno).


Image 107: Kerberos Troubleshooting


Image 108: SAML Introduction

SAML provides the mechanism by which the identity of users accessing the SAP HANA database from client applications is authenticated by XML-based assertions issued by a trusted identity provider. The internal database user to which the external identity is mapped is used for authorization checks during the database session.


Image 109: SAML: What is SAML?


Image 110: SAML: How it works?


Image 111: SAML Assertion Specification

SAP HANA supports plain SAML 2.0 assertions as well as unsolicited SAML responses that include an unencrypted SAML assertion. SAML assertions and responses must be signed using XML signatures.


Image 112: SAML User Mapping


Image 113: SAML Prerequisites


Image 114: SAML Configuration in HANA Studio


Image 115: SAML Configuration for XS Engine APPs


Image 116: X.509 Certificates Introduction


Image 117: X.509 Certificates Prerequisites


Image 118: X.509 Certificates Configuration Overview


Image 119: X.509 Usage


Image 120: SAP Logon and Assertion Tickets SAP Logon Tickets


Image 121: SAP Logon and Assertion Tickets SAP Assertion Tickets


Image 122: SAP Logon and Assertion Tickets Prerequisites: Trust Store


Image 123: SAP Logon and Assertion Tickets Prerequisites: User Configuration


Image 124: SAP Logon and Assertion Tickets Configurations


Image 125: SAP Logon and Assertion Tickets Usage


Image 126: SAP HANA – encryption


Image 127: SAP HANA – Certified 3rd party backup tools


Image 128: SAP HANA – network security


Image 129: Summary

Exercise 2: Configure Encryption

Exercise Objectives

After completing this exercise, you will be able to:
• Configure Data Volume Encryption

Task:

Configure Data Volume Encryption using the Security editor in SAP HANA Studio.
1. Activate Data Volume Encryption
2. Monitor the progress of the data volume encryption.


Solution: Configure Encryption

Task:

Configure Data Volume Encryption using the Security editor in SAP HANA Studio.

1. Activate Data Volume Encryption
   a) In the Systems view in SAP HANA studio, choose Security and open the Data Volume Encryption tab.
   b) Choose: Encrypt data volumes.
   c) Choose the Deploy button.
2. Monitor the progress of the data volume encryption.
   a) Choose the Refresh button to monitor the status of the data volume encryption. During encryption the status “Encryption running ...” is displayed. The status “Encrypted” indicates that the data volumes are encrypted.


Lesson: SAP GRC Integration for Governance Risk and Compliance

Image 130: Learning Objective


Image 131: Scenario


Image 132: SAP HANA – data center integration

SAP HANA supports standard and documented interfaces to enable integration with customer security network and datacenter infrastructures.


Image 133: SAP solutions for GRC Integrated suite and endorsed partner solutions


Image 134: SAP Access Control Manage access risk and prevent fraud

SAP Access Control enables customers to manage access risk and prevent fraud. Automation is the key here.

Note: This slide reads starting at the 1 o’clock slot with Analyze Risk.

Through this set of capabilities, SAP Access Control helps you to:
• Get clean (analyze risk)
• Stay clean (manage access and maintain roles)
• Stay in control (certify authorizations and monitor privileges)


Image 135: SAP Access Control 10.1 System Components and Plugins


Image 136: Usage Scenario Comprehensive, pre-defined rule set

• SAP Access Control is delivered with a comprehensive rule set based on business process and best practice experience.
• Technical rules are delivered for SAP ERP, Oracle, JD Edwards, and PeopleSoft.
• Business risks are identified across 10 business processes, and technical rules for additional systems can easily be mapped to these risks.

Terminology:

Business Process

The business area categories in which you would like to report Risk analysis results.


Risk

An opportunity for physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a specific condition.

Function

A Function is a grouping of one or more related Actions and/or Permissions for a specific business area.

Action

An activity that is performed in the system in order to fulfill a specific Function, for example, Create Purchase Order or Create Material Master Record

Action = Transaction Code

Permission

Authorizations that allow a user to perform a particular activity in a system.

Permission = Authorization Object

Rule

A Rule is a one-to-one transaction code conflict. One Risk can have many Rules.
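The terminology above can be made concrete with a small segregation-of-duties check. This is an added example, not material from the course or from SAP Access Control: the function and risk identifiers, the user names and the choice of transaction codes are constructed sample data, and deriving Rules as every pairing of one Action from each of the Risk's two Functions is an assumption that matches the "one-to-one transaction code conflict" definition. Permissions are left out of the model.

```javascript
// Constructed sample rule set. Identifiers are illustrative, not SAP-delivered content.
// Action = transaction code, Function = group of related Actions.
const FUNCTIONS = {
  FN_MAINTAIN_PO: { actions: ["ME21N", "ME22N"] }, // create / change purchase order
  FN_GOODS_RECEIPT: { actions: ["MIGO", "MB01"] }  // post goods movement / goods receipt
};

// A Risk names the two Functions that one person should not hold together.
const RISKS = {
  RISK_PO_VS_GR: {
    description: "Same user can order goods and confirm their receipt",
    functions: ["FN_MAINTAIN_PO", "FN_GOODS_RECEIPT"]
  }
};

// Constructed users with the Actions their roles grant.
const USERS = {
  ALICE: ["ME21N", "MIGO", "MB01"],
  BOB: ["ME21N", "ME22N"],
  CAROL: ["me22n", "MB01"] // lower case on purpose: input is normalised
};

// Expand one Risk into its Rules: each Rule is one Action from the first
// Function paired with one Action from the second (assumed derivation).
function expandRules(riskId, risks = RISKS, functions = FUNCTIONS) {
  const risk = risks[riskId];
  if (!risk) throw new Error("unknown risk: " + riskId);
  if (risk.functions.length !== 2) {
    throw new Error("this model handles two-function SoD risks only");
  }
  const [left, right] = risk.functions.map((id) => {
    if (!functions[id]) throw new Error("unknown function: " + id);
    return functions[id].actions;
  });
  const rules = [];
  for (const a of left) {
    for (const b of right) {
      if (a === b) continue; // an Action cannot conflict with itself
      rules.push({ ruleId: `${riskId}-${rules.length + 1}`, riskId, actions: [a, b] });
    }
  }
  return rules;
}

// Report, per Risk, which Rules a user's Actions satisfy completely.
function analyzeUser(userActions, risks = RISKS, functions = FUNCTIONS) {
  const held = new Set(userActions.map((a) => a.toUpperCase()));
  const findings = [];
  for (const riskId of Object.keys(risks)) {
    const violated = expandRules(riskId, risks, functions)
      .filter((rule) => rule.actions.every((a) => held.has(a)));
    if (violated.length > 0) {
      findings.push({ riskId, rules: violated.map((r) => r.ruleId) });
    }
  }
  return findings;
}
```

A user who holds Actions from only one of the two Functions produces no finding, which is why one Risk expanding into many Rules does not by itself mean many violations.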


Image 137: Access Risk Definition based on SAP HANA Security Model Function Actions


Image 138: Access Risk Definition based on SAP HANA Security Model Function Permissions


Image 139: Example 1 SoD Risk Analyse in SAP HANA


Image 140: Example 1 Analysis Criteria & Result Screen


Image 141: Example 2 Critical Action Risk Analyse in SAP HANA


Image 142: DEMO 2 Analysis Criteria & Result Screen


Image 143: Usage Scenario Self-service access request and approval process

Workflow driven by SAP Business Workflow technology helps to eliminate manual tasks and make it faster and easier for users to obtain the access that they need in a compliant manner.

Pull user details from HR, LDAP, or IdM systems to leverage a single authoritative source and make the process easier on the end user.


Image 144: User Provisioning in SAP HANA Supported and Unsupported Scenarios


Image 145: Access Request for a New User in SAP HANA Including assignment of HANA Role & Analytical Privilege (Runtime)


Image 146: Request Approval Can Include SoD-Risk Analysis and Mitigation Control Assignment


Image 147: Access Request for New User in SAP HANA Provisioned User in HANA Studio


Image 148: SAP Basis Risk from SAP GRC Standard Rule Set Risks that may be applicable to SAP HANA


Image 149: Requirements and Best Practices in Security Administration that are currently hard to implement in SAP HANA


Lesson: SAP Netweaver Identity Management integration

Image 150: Learning Objective


Image 151: Scenario


Image 152: SAP HANA – data center integration

SAP HANA supports standard and documented interfaces to enable integration with customer security network and datacenter infrastructures.


Image 153: SAP NetWeaver Identity Management Introduction Ensure that people have the correct authorizations in the back-end systems!


Image 154: SAP NetWeaver Identity Management Holistic identity management approach

With SAP NetWeaver identity management, SAP offers integrated identity management capabilities for heterogeneous system landscapes (SAP and non-SAP software), driven by business processes.

Central identity store: The central store consolidates identity data from different source systems (example: SAP HCM) and then distributes this information to the target systems.

Approval Workflows: Workflows distribute the responsibility for authorization assignments to the different business process owners and managers.

Identity Virtualization / Identity as a service: The data within SAP NetWeaver identity management can be accessed using services and standard protocols such as LDAP.

SAP Business Suite Integration: The integration of HCM as one of the possible source systems for identity information is a key functionality for enabling business-driven identity management.


Compliance Checks / GRC: The integration with SAP BusinessObjects Access Enforcer offers extensive functions for assuring compliance and segregation of duties in the role and authorization assignment process.

Definition and Rule-Based Assignment of Business Roles: You can define different rule sets for the assignment of roles to users. This means that the assignment can be performed automatically based on attributes of the identity.

Monitoring and Audit: Provides auditors with one central place to check employees’ authorizations in all systems. This information is also available for the past.

Password Management: Centralized password management reduces calls to the help desk for password resets, and enables password provisioning across heterogeneous landscapes.

Distribution of Users and Role Assignments: Handles user accounts and role assignments of SAP and non-SAP applications.

Image 155: SAP Identity Management 8.0 SP0 Product road map overview – key themes and capabilities


Image 156: SAP Identity Management Capabilities


Image 157: SAP NetWeaver Identity Management Use cases


Image 158: SAP NetWeaver Identity Management Example of integration with HR Processes


Image 159: Main changes in IdM 8.0 compared to IdM 7.2 (1 of 2)


Image 160: Main changes in IdM 8.0 compared to IdM 7.2 (2 of 2)


Image 161: HANA connector for SAP NetWeaver Identity Management Introduction


Image 162: HANA connector for SAP NetWeaver Identity Management Use cases


Lesson: Authorization, Security and Scenarios

Image 163: Learning Objective


Image 164: Scenario


Image 165: SAP HANA Extended Application Services (XS) Introduction


Image 166: Traditional 3-tier applications (Java, ABAP)


Image 167: User handling in XS Plain DB user

Plain DB User Scenario

Since the same user is used on all levels, the roles that are assigned to the user must contain all privileges that the user needs to execute the application.

• Homogeneous way of granting all privileges
• Working with personal DB users requires that the HANA user base is maintained properly; this can be a complex and expensive process (creation and deletion of users, and especially updates to the roles they should have)


Image 168: User handling in XS SQLCC scenario (best practice for stand-alone XS Apps)

SQLCC Scenario

The logon user maps to a personal DB user, but this user is used on XS level only; the DB activities run via sqlcc connections and thus use a technical user.

• The necessary SQL privileges are granted to the SQLCC user only; the logon user just needs the XS application privileges -> no security risk anymore
• Maintaining the personal DB users is still complex (see above)


Image 169: User handling in XS Anonymous section scenario

Anonymous Section Scenario

No logon is enforced; XS privilege checks will thus fail and must be avoided. OData services and plain DB access from xsjs are only possible in packages with configured default connection.

User-specific Instance-filtering is for obvious reasons not possible.


Image 170: User handling in XS Technical user scenario

"Technical User Scenario" (maybe we need a better name for this)

The logon may be successful without mapping to a DB user; XS will continue working as long as no user is required: XS privilege checks will fail, and plain DB access is not possible. To support DB access, packages must be configured with a default connection. All SQL connections (xsjs and OData) are then opened for the configured sqlcc user, which is thus used for checking all SQL privileges.

+ The necessary SQL privileges are granted to the technical user(s) only -> no security hole
+ No personal DB users are used -> no User Maintenance nightmare
- In case multiple technical users are used (not the case for HPAs), the User Maintenance nightmare is replaced with the still difficult task of defining a mapping of logon users to the few technical users

Since XS application privileges cannot be used, the application must use other means to protect its semantics in a fine-grained way. The HPAs use the HDB_AUTHORITY_CHECK. In order to support this, XS provides access to the name of the logged-on user. The ABAP client and the schema of the ABAP tables must be provided to the HPA, e.g. via static configuration.


Image 171: Application Privileges Introduction


Image 172: Application Privileges Details

The application privileges referenced in the role definition (for example, Display and View) are actually defined in an application-specific .xsprivileges file, which also contains entries for additional privileges.

The package where the .xsprivileges file resides defines the scope of the application privileges; the privileges specified in the .xsprivileges file can only be used in the package where the file resides (or any sub-packages). This is checked during activation of the .xsaccess file and at runtime by the XS JavaScript API $.session.(has|assert)AppPrivilege().

The privileges are authorized for use with an application by inserting the authorization keyword into the corresponding .xsaccess file. Like the .xsprivileges file, the .xsaccess file must reside either in the root package of the application to which the privilege authorizations apply or the specific subpackage which requires the specified authorizations.

Note: If a privilege is inserted into the .xsaccess file as an authorization requirement, a user must have this privilege to access the application package where the .xsaccess file resides. If there is more than one privilege, the user must have at least one of these privileges to access the content of the package.


Image 173: Server Side JavaScript Security Considerations

Note: If you want to create your own XS application, have a look at the SAP HANA Development guide. It describes best practices for writing the application from a security standpoint.

The following list illustrates the areas where special attention is required to avoid security-related problems when writing server-side JavaScript. Each of the problems highlighted in the list is described in detail in its own dedicated section:

• SSL/HTTPS: Enable secure HTTP (HTTPS) for inbound communication required by an SAP HANA application.

• Injection flaws: In the context of SAP HANA Extended Application Services (SAP HANA XS) injection flaws concern SQL injection that modifies the URL to expand the scope of the original request.

• Cross-site scripting (XSS): Web-based vulnerability that involves an attacker injecting JavaScript into a link with the intention of running the injected code on the target computer.

• Broken authentication and session management: Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.

• Insecure direct object references: An application lacks the proper authentication mechanism for target objects.

• Cross-site request forgery (XSRF): Exploits the trust boundaries that exist between different Web sites running in the same web browser session.

• Incorrect security configuration: Attacks against the security configuration in place, for example, authentication mechanisms and authorization processes.

• Insecure cryptographic storage: Sensitive information such as logon credentials is not securely stored, for example, with encryption tools.

• Missing restrictions on URL Access: Sensitive information such as logon credentials is exposed.

• Insufficient transport layer protection: Network traffic can be monitored, and attackers can steal sensitive information such as logon credentials or credit-card data.

• Invalid redirects and forwards: Web applications redirect users to other pages or use internal forwards in a similar manner.

• XML processing issues: Potential security issues related to processing XML as input or to generating XML as output.


Unit 5. Authorization trace and Auditing


Lesson: Authorization trace

Image 174: Learning Objective


Image 175: Scenario


Image 176: Authorization Trace Prerequisites


Image 177: Procedure: How to use authorization trace

For additional information, see the following note: 1809199 - SAP HANA DB: Debugging user authorization errors


Image 178: Procedure: How to use authorization trace - Activate the trace


Image 179: Procedure: How to use authorization trace - Reproduce the issue


Image 180: Procedure: How to use authorization trace - Deactivate the trace


Image 181: Procedure: How to use authorization trace - Analyze the trace


Image 182: Procedure: How to use authorization trace - Object IDs


Image 183: Additional information

In the definition of the analytical privileges, pay attention to the two restrictions with the restriction types CUBERESTRICTION and DIMENSIONRESTRICTION: this analytical privilege grants access to a view only if the view is included in one of the cube restrictions and at least one of its attributes is employed by one of the dimension restrictions.

Without specific authorization, a user can only see the privileges granted to himself in the system views EFFECTIVE_PRIVILEGES and STRUCTURED_PRIVILEGES. This is sufficient for users to find out which analytical privileges they are missing.
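The self-check described above, together with the grant that closes the gap in Exercise 3, can also be done in SQL. This is an added example, not part of the course material: the activated object names (the "package/object" form in _SYS_BIC and for the analytic privilege) and the use of the _SYS_REPO grant procedure are assumptions based on the repository naming convention, and USERXX / STUDENTXX stand for your own users.

```sql
-- Added example (not from the course material).
-- Assumption: activated repository objects are named "<package>/<object>".

-- 1. As USERXX: reproduce the failing data preview on the activated attribute view.
SELECT TOP 10 * FROM "_SYS_BIC"."TRAINING/HA240_AT_CUSTOMERS";

-- 2. As USERXX: list the analytic privileges this user effectively holds,
--    whether granted directly or through roles.
--    EFFECTIVE_PRIVILEGES must always be filtered by USER_NAME.
SELECT OBJECT_NAME, PRIVILEGE, GRANTEE, GRANTEE_TYPE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'USERXX'
   AND OBJECT_TYPE = 'ANALYTICALPRIVILEGE';
-- If TRAINING/HA240_AP_CUSTOMERS is not in the result, the analytic
-- privilege is the missing authorization.

-- 3. As a user who is allowed to see it (a user without specific
--    authorization only sees privileges granted to himself):
--    inspect the restrictions of the analytic privilege. Look for a
--    CUBERESTRICTION row that names the view and at least one
--    DIMENSIONRESTRICTION row on one of the view's attributes.
SELECT *
  FROM STRUCTURED_PRIVILEGES
 WHERE STRUCTURED_PRIVILEGE_NAME = 'TRAINING/HA240_AP_CUSTOMERS'
 ORDER BY RESTRICTION_TYPE;

-- 4. As the administering user (STUDENTXX in the exercise):
--    grant the activated analytic privilege to USERXX.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE"(
       '"TRAINING/HA240_AP_CUSTOMERS"', 'USERXX');

-- 5. As USERXX: repeat step 2 (the privilege is now listed) and step 1
--    (the preview now returns rows, provided the SQL SELECT privilege
--    on the view is also in place).
```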


Image 184: Summary


Exercise 3 : Authorization trace

Exercise 8: Authorization Trace

1. Log in to the HANA Database using your STUDENTXX user (where XX corresponds to your group ID)
2. Check the Attribute View “HA240_AT_CUSTOMERS” under the package “TRAINING”
3. Log in to the HANA Database with USERXX user (where XX corresponds to your group ID)
4. Preview the content of “HA240_AT_CUSTOMERS” view under the package “TRAINING”
5. Using STUDENTXX activate the trace for user USERXX
6. Try again to preview the content as per step number 4
7. Deactivate the trace
8. Analyze the trace
9. Assign to user USERXX the relevant privileges using the Analytic Privilege HA240_AP_CUSTOMERS under package TRAINING
10. Try again to preview the content as per step number 4
11. Close the connections.
12. This completes the exercise.


Image 185: Exercise 3 :Solution Task 1 - 2


Image 186: Exercise 3 :Solution Task 2 - 3

3. Log in to the HANA Database with USERXX user (where XX corresponds to your group ID)

a. Right-click the T64 system entry and select “Add System with different User Name…”
b. Fill in the user name and password with the following data.

Name        Property
----------------------
User name   USERXX
Password    Training1

4. Preview the content of “HA240_AT_CUSTOMERS” view under the package “TRAINING”

a. Navigate to Content > TRAINING > Attribute Views > HA240_AT_CUSTOMERS
b. Right-click the name of the view and select Data Preview


Image 187: Exercise 3 :Solution Task 4

c. An error is shown


Image 188: Exercise 3 :Solution Task 5


Image 189: Exercise 3 :Solution Task 5; the end of the task.


Image 190: Exercise 3 :Solution Task 6 and 7


Image 191: Exercise 3 :Solution Task 8


Image 192: Exercise 3 :Solution Task 8 and the end of the task


Image 193: Exercise 3: Solution Task 9


Image 194: Exercise 3:Solution Task 10


Image 195: Exercise 3: The end of the exercise

11. Close the connections. This completes the exercise.


Lesson: Auditing

Image 196: Learning Objective

Around 20 percent of respondents in North America and 31 percent in EMEA say one or more of their co-workers have used administrative privileges to reach confidential or sensitive information.

The auditing feature of the SAP HANA database allows you to track actions performed in the database: who did what (or tried to do what), and when. SAP HANA provides audit actions for critical security events and for access to sensitive data. Both successful and unsuccessful events can be logged; for each audit policy, you have to specify whether successful events, unsuccessful events, or both will be audited. Audit logging is not enabled by default.


Image 197: Audit with audit activity

The first step in using the audit activity is to enable this function, as shown in the screenshot above. For this you need the system privilege AUDIT ADMIN.

Currently, the configuration parameters for auditing are stored in the global.ini configuration file, in the auditing configuration section. As with all configuration parameters, these parameters can be selected in the view M_INIFILE_CONTENTS, assuming that the current user has the required privileges.

System Views
• AUDIT_POLICIES: All audit policies and their states.
• M_INIFILE_CONTENTS: Configuration parameters concerning auditing.
• AUDIT_LOG: Audit log.

Only database users with system privilege CATALOG READ, DATA ADMIN or INIFILE ADMIN can view information in the M_INIFILE_CONTENTS view. For other database users this view will be empty.


Image 198: Audit action

Main topics of audit actions are:

• Backup Deletions
• Data Definitions
• Data Queries
• Encryption
• Granting and Revoking Authorizations
• License deletion and installation
• Procedure executions
• Repository content operations
• User and role management


Image 199: Enable Audit Policy in SAP HANA Studio

Only compatible audit actions can be combined in the same policy; compatible audit actions have therefore been grouped together. When you select an action, those actions that are not compatible with the selected action become unavailable for selection. If you need to audit two incompatible audit actions, you need to create two separate audit policies.

In addition to the actions to be audited, an audit policy specifies additional parameters that further narrow the number of events actually audited.

• Audited action status
  – On successful execution
  – On unsuccessful execution
  – On both successful and unsuccessful execution
• Target object
  – Tables
  – Views
  – Procedures
• Audited user
  – Individual users can be included in or excluded from an audit
• Audit level
  – EMERGENCY
  – ALERT
  – CRITICAL
  – WARNING
  – INFO

When an audit policy is triggered, that is, when an action in the policy occurs under the conditions defined in the policy, an audit entry is created in the audit trail. Firefighter logging logs all actions performed by a specific user. This covers not only all actions that can be audited individually, but also actions that cannot otherwise be audited. Such a policy is useful if you want to audit the actions of a particularly privileged user.

Note: Some actions cannot be audited using database auditing even with a policy that includes all actions, in particular, system restart and system recovery.

Caution: Firefighter logging may generate a lot of audit entries, so only enable it if required.

Audit entries written to the table are only accessible through the public system view AUDIT_LOG. Only SELECT operations can be performed on this view by users with the system privilege AUDIT OPERATOR or AUDIT ADMIN.


Image 200: Events that Can be Audited

Changes to user authorization
• Create/drop user, create/drop role
• Grant/revoke role
• Grant/revoke SQL privilege, system privilege, analytical privilege
• Create/drop analytical privilege
• Create/drop and alter structured privilege

Authentication of users
• Connection attempts of users to the database

Changes to system configuration
• Changes to system configuration, e.g. ini file
• Uninstall and install license key
• Set system license/unset system license all

Access to or changing of sensitive data

You can specify the following database objects to be audited:
• Tables
• Views
• Procedures

Both write and read access to data can be recorded:
• SELECT
• INSERT
• UPDATE
• DELETE
• EXECUTE

Changes to system configuration

As of SPS08 the previous values of parameters are written to the audit trail if audit logging for configuration changes is enabled.

Hint: Only actions that take place inside the database engine can be audited. If the database engine is not online when an action occurs, it cannot be detected and therefore cannot be audited. These actions are, for example, an upgrade of an SAP HANA database instance or direct changes to system configuration files using operating system commands.

Activation of Audit Policies

Auditing is implemented through the creation and activation of audit policies. An audit policy defines the actions to be audited, as well as the conditions under which the action must be performed to be relevant for auditing. For example, actions in a particular policy are audited only when they are performed by a particular user on a particular object. When an action occurs, the audit policy is triggered and an audit event is written to the audit trail. The following slides give an overview of how to configure and switch on audit logging.


Image 201: Audit Logging – Infrastructure

When an audit policy is triggered, an audit entry is created in the audit trail. The audit trail is written to Linux syslog or to an internal system table.

• Linux syslog
  The logging system of the Linux operating system (syslog) is a secure storage location for the audit trail because not even the database administrator can access or change it. There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, the syslog is the default log daemon in UNIX systems. The syslog therefore provides a high degree of flexibility and security, as well as integration into a larger system landscape. For more information about how to configure syslog, refer to the documentation of your operating system.

• Database table
  – Using an SAP HANA database table as the target for the audit trail makes it possible to query and analyze auditing information quickly. It also provides a secure and tamper-proof storage location.
  – Internal column store table in the _SYS_AUDIT schema of the SAP HANA database
  – Audit entries are only accessible through the public system view AUDIT_LOG. Only SELECT operations can be performed on this view by users with system privilege AUDIT ADMIN or AUDIT OPERATOR
  – To avoid the audit table growing too large, it is possible to delete old audit entries

Note: For test purposes in non-production systems, you can also use a CSV text file as the audit trail. A separate CSV file is created for every service that executes SQL.

Hint: As of SPS08 multiple audit trail targets can be configured.

• System-wide default: Audit entries are written to the audit trail target(s) configured for the system if no other trail target has been configured per audit level.
• Audit level (optional): Audit entries from audit policies with the audit level EMERGENCY, CRITICAL, or ALERT are written to the specified audit trail target(s). If no audit trail target is configured, entries are written to the audit trail target configured for the system.


Image 202: Viewing the audit trail

If the audit trail target is a database table, you can avoid the audit table growing indefinitely by deleting audit entries created up until a certain time and date.

Caution: All information in the audit trail that is older will be immediately deleted.

If auditing is active, certain actions are always audited and are therefore not available for inclusion in user-defined audit policies. In the audit trail, these actions are labeled with the internal audit policy MandatoryAuditPolicy.

Mandatory audit actions:
• Creation, modification, or deletion of audit policies
• Deletion of audit entries from the audit trail. This only applies if audit entries are written to column store database tables.
• Changes to auditing configuration, that is:
  – Enabling or disabling auditing
  – Changing the audit trail target
  – Changing the location of the audit trail target if it is a CSV text file

System views:
• AUDIT_POLICIES: All audit policies and their states.
• M_INIFILE_CONTENTS: Configuration parameters concerning auditing.
• AUDIT_LOG: Audit log.

Only database users with system privilege CATALOG READ, DATA ADMIN or INIFILE ADMIN can view information in the M_INIFILE_CONTENTS view. For other database users this view will be empty.

Image 203: System settings for auditing


Image 204: Audit Policy Example
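The configuration this lesson describes (enable auditing, choose the database table as trail target, create and activate policies, read and trim the trail) can also be expressed in SQL. The following is an added example, not taken from the course material; the policy names, the schema placeholder YOUR_SCHEMA and the cut-off timestamp are assumptions to be replaced with your own values.

```sql
-- Added example (not from the course material).
-- Placeholders: YOUR_SCHEMA, the EX_* policy names, the CLEAR timestamp.
-- The lesson names AUDIT ADMIN as the privilege needed to enable auditing.

-- 1. Enable auditing and write the audit trail to the internal
--    column store table (read through the AUDIT_LOG view).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

-- 2. Verify the settings. The view is empty for users without
--    CATALOG READ, DATA ADMIN or INIFILE ADMIN.
SELECT KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'global.ini'
   AND SECTION   = 'auditing configuration';

-- 3. Policy 1: record successful read access on table PRODUCTS.
CREATE AUDIT POLICY "EX_PRODUCTS_READ"
  AUDITING SUCCESSFUL SELECT ON "YOUR_SCHEMA"."PRODUCTS"
  LEVEL INFO;
ALTER AUDIT POLICY "EX_PRODUCTS_READ" ENABLE;

-- 4. Policy 2: record system configuration changes, successful or not.
--    This action is not compatible with SELECT auditing, so it needs
--    its own policy.
CREATE AUDIT POLICY "EX_CONFIG_CHANGE"
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL WARNING;
ALTER AUDIT POLICY "EX_CONFIG_CHANGE" ENABLE;

-- 5. Confirm both policies exist and are active.
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL,
       IS_AUDIT_POLICY_ACTIVE, EVENT_ACTION, OBJECT_NAME
  FROM AUDIT_POLICIES;

-- 6. Trigger policy 1, then read the trail (AUDIT ADMIN or AUDIT OPERATOR).
--    The policy creation itself appears under MandatoryAuditPolicy.
SELECT COUNT(*) FROM "YOUR_SCHEMA"."PRODUCTS";

SELECT "TIMESTAMP", USER_NAME, AUDIT_POLICY_NAME, EVENT_STATUS,
       EVENT_ACTION, OBJECT_NAME, STATEMENT_STRING
  FROM AUDIT_LOG
 WHERE AUDIT_POLICY_NAME IN ('EX_PRODUCTS_READ', 'EX_CONFIG_CHANGE',
                             'MandatoryAuditPolicy')
 ORDER BY "TIMESTAMP" DESC;

-- 7. Housekeeping: delete audit entries up to a cut-off time.
--    Everything older is removed immediately, and the deletion is
--    itself recorded as a mandatory audit action.
ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2015-01-01 00:00:00';
```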


Exercise 4: Auditing

Exercise Objectives

After completing this exercise, you will be able to:
• Configure audit logging
• Enable an audit policy

Business Example

Task:

Enable audit logging and activate an audit policy which records read access on table PRODUCTS and an audit policy which records system configuration changes.

Use Database Table as audit trail target. Then perform a select on table PRODUCTS and check the resulting entry in the audit trail.

1. Enable audit logging and use Database Table as audit trail target.
2. Activate an audit policy which records read access on table PRODUCTS.
3. Activate an audit policy which records system configuration changes.
4. Perform a select on table PRODUCTS and check the resulting entry in the audit trail.


Image 205: Exercise 4: Solution Audit

Exercise Solution: Auditing

Task:

Enable audit logging and activate an audit policy which records read access on table PRODUCTS and an audit policy which records system configuration changes. Use Database Table as audit trail target. Then perform a select on table PRODUCTS and check the resulting entry in the audit trail.

1. Enable audit logging and use Database Table as audit trail target.

a) In the Systems view in SAP HANA studio, choose Security and open the Auditing tab.


b) Choose Enabled for the auditing status and Database Table for the audit trail target.

c) Choose the Deploy button.

2. Activate an audit policy which records read access on table PRODUCTS.

a) In the Systems view in SAP HANA studio, choose Security and open the Auditing tab.

b) Select the Audit Policies tab and click +.

c) Enter a name for the audit policy (for example: READ ACCESS).

d) Select the Audited Actions tab. Choose the “...” button to open the Edit Actions ... dialog. Choose Data Query and Manipulation → SELECT for audited actions.

e) Exclude user _SYS_REPO from the audit policy. Select the Users tab. Choose the “...” button to open the Select Users dialog.

f) Select user _SYS_REPO and choose Add. Choose “Exclude selected users from policy” and choose OK.

g) Select table PRODUCTS (SYS_REPO) for auditing. Select the Target Object tab.

h) Select table PRODUCTS (SYS_REPO) and choose Add. Choose OK.

i) Choose the Deploy button.

3. Activate an audit policy which records system configuration changes.


a) In the Systems view in SAP HANA studio, choose Security and open the Auditing tab.

b) Select the Audit Policies tab and click +.

c) Enter a name for the audit policy (for example: CONFIG CHANGES).

d) Select the Audited Actions tab. Choose the “...” button to open the Edit Actions ... dialog. Choose Session Management and System Configuration → SYSTEM CONFIGURATION CHANGE for audited actions.

e) Choose the Deploy button.

4. Perform a select on table PRODUCTS and check the resulting entry in the audit trail.

a) Right-click the HANA system which uses the ‘SYSTEM’ user for connection and select SQL Console.

b) Enter the SQL command below to query table PRODUCTS and execute it by clicking the white arrow in the green circle (F8 – Execute):

select * from "SYS_REPO"."PRODUCTS"

c) To check the resulting entry in the audit trail (database table), enter the SQL command below:

select TIMESTAMP, USER_NAME, AUDIT_POLICY_NAME, STATEMENT_STRING from "PUBLIC"."AUDIT_LOG"
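The same exercise expressed as SQL statements, as an added example that is not part of the original course material. The action status SUCCESSFUL and the audit level INFO are assumptions (the exercise does not state them), the policy names are the example names from the steps above, and the statement syntax should be checked against the SQL reference for the installed HANA revision.

```sql
-- Added example: SQL counterpart of Exercise 4 (not from the course material).
-- Run as a user holding AUDIT ADMIN (policies) and INIFILE ADMIN (configuration);
-- the exercise itself uses the SYSTEM user.

-- Step 1: enable auditing and use a database table as audit trail target.
-- Both parameters belong to the [auditing configuration] section of global.ini.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state')    = 'true',
      ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

-- Step 2: record read access on PRODUCTS, excluding the repository user.
-- SUCCESSFUL and LEVEL INFO are assumed values.
CREATE AUDIT POLICY "READ ACCESS"
  AUDITING SUCCESSFUL SELECT ON "SYS_REPO"."PRODUCTS"
  EXCEPT FOR _SYS_REPO
  LEVEL INFO;
ALTER AUDIT POLICY "READ ACCESS" ENABLE;   -- a policy records nothing until enabled

-- Step 3: record system configuration changes.
CREATE AUDIT POLICY "CONFIG CHANGES"
  AUDITING SUCCESSFUL SYSTEM CONFIGURATION CHANGE
  LEVEL INFO;
ALTER AUDIT POLICY "CONFIG CHANGES" ENABLE;

-- Check what was deployed: policy definitions and the effective audit settings.
SELECT *
  FROM "PUBLIC"."AUDIT_POLICIES"
 WHERE AUDIT_POLICY_NAME IN ('READ ACCESS', 'CONFIG CHANGES');

SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM "PUBLIC"."M_INIFILE_CONTENTS"
 WHERE SECTION = 'auditing configuration';

-- Step 4: generate an audited event, then read the audit trail.
SELECT * FROM "SYS_REPO"."PRODUCTS";

-- MandatoryAuditPolicy is included because the policy creation and the
-- configuration change made above are always audited once auditing is active.
SELECT TIMESTAMP, USER_NAME, AUDIT_POLICY_NAME, STATEMENT_STRING
  FROM "PUBLIC"."AUDIT_LOG"
 WHERE AUDIT_POLICY_NAME IN ('READ ACCESS', 'CONFIG CHANGES', 'MandatoryAuditPolicy')
 ORDER BY TIMESTAMP DESC;
```

Filtering the audit trail by policy name keeps the check readable on a system where other policies are also active.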


Unit 6 Integrative authorization Scenarios


Lesson : Scenarios introduction

Image 206: Learning Objective


Image 207: Scenario


Image 208: SAP HANA Scenario

Overview of different scenario types

Traditional 3-tier application
Classical architecture with client, application server and SAP HANA used as a database for the NetWeaver platform.

Data mart (3-tier or 2-tier)
HANA is used as a data mart platform to load data from external sources and to execute analysis and queries on that data using end-user clients or analytics applications (BusinessObjects BI Platform).

Native 2-tier application
In this architecture the XS Engine component is used and the HANA platform acts as both database and application server. In this case all the server components are provided by the HANA platform.


Image 209: Traditional 3-tier application: Database migration to HANA

End-user authorizations
All the authorization and user management functionality previously used in NetWeaver is still valid and working after the migration. No change here.

Developers
All the ABAP development and customizing can still be done using the same authorizations as before. No change here.

Administrators
The basis administrators working on the application server can still work using the same authorizations. No change here. All the administrators working on the database level can still use the DBA Cockpit transaction or create a specific user with specific authorizations on the database level.


Image 210: Integrated Scenario: Reporting in ERP, Data in SAP HANA

In this case HANA is used as the database where data is replicated (side-car) or resides (NetWeaver on HANA). In addition to the standard access via the application server (see previous scenario), you also want to access the data in HANA directly, and this requires a user on the database level with specific authorizations.


Image 211: Integrated Scenario: Reporting on BW Data in SAP HANA

- Starting with BW 740 SP5, BW can automatically generate views including HANA privileges based on BW privileges.
- These HANA privileges are always automatically assigned to a HANA role that is also automatically generated.
- This role is automatically granted to all database users in HANA if they fulfil the following requirements:
  - For each database user in HANA there exists a corresponding BW user (either configured in SU01, or via name matching of BW user and HANA database user).
  - The BW user is authorized to execute queries on the respective InfoProvider.
- Recommendation: to regularly update the HANA authorizations from the BW authorizations, schedule a regular process chain in BW for this.


Image 212: Integrated Scenario Users generation from ABAP


Image 213: Data Mart Customer-specific analytic reporting on SAP HANA


Image 214: HANA as Web Application Server Native applications built on SAP HANA XS


Image 215: Summary


Lesson : Scenario BW + SAP-HANA

Desired consistency of authorization between BW and SAP-HANA

Image 216: Learning Objective


Image 217: Scenario


Image 218: SAP HANA Model Generation The Idea behind


Image 219: SAP HANA Model Generation Access data from BW and SAP HANA Studio


Image 220: SAP HANA Model Generation Prerequisites when Replicating BW Authorizations to SAP HANA


Image 221: SAP HANA Model Generation Characteristics


Image 222: SAP HANA Model Generation Representation of BW Authorizations in SAP HANA


Image 223: SAP HANA Model Generation Pre-requisites in BW (1/2)


Image 224: SAP HANA Model Generation Users generation from ABAP


Image 225: SAP HANA Model Generation: Pre-requisites in BW (2/2)

Analysis authorizations must be created. The analysis authorizations must be defined for all characteristics flagged as authorization-relevant in the InfoProvider. They must also contain all technical characteristics for the InfoProvider, the key figures and the activity.


Image 226: SAP HANA Model Generation Generating the View and the Authorizations


Image 227: SAP HANA Model Generation Role content in SAP HANA


Image 228: SAP HANA Model Generation Filter String in BW


Image 229: SAP HANA Model Generation: Pre-requisites in SAP HANA for reporting user

Analysis authorizations must be created. The analysis authorizations must be defined for all characteristics flagged as authorization-relevant in the InfoProvider. They must also contain all technical characteristics for the InfoProvider, the key figures and the activity.


Image 230: Summary


Exercise 5: BW authorizations reuse by SAPHANA

Image 231: Exercise 5 :Business Background


Image 232: Exercise 5 :Initial situation


Image 233: Exercise 5 :The cube ZH240_00


Image 234: Exercise 5 :Task 1


Image 235: Exercise 5 :Task 2


Image 236: Exercise 5 :Task 3


Image 237: Exercise 5 :Task 4


Image 238: Exercise 5 :Task 5


Image 239: Exercise 5 :The result


Image 240: Exercise 5 : Solution Task 1


Image 241: Exercise 5 : Solution Task 2 and 3


Image 242: Exercise 5 : Deep technical look in the table


Image 243: Exercise 5 : Solution Task 4


Image 244: Exercise 5 : Solution Task 5


Image 245: Exercise 5 : Solution Task 5/2


Image 246: Exercise 5 : the goal that was to be reached


Lesson : BI4 and HANA Integration

Image 247: Learning Objective


Image 248: Reporting on HANA 1.0 with BI 4 Client and connectivity options

What does BI 4 mean?

BI 4 is short for SAP BusinessObjects Business Intelligence platform 4.0.

SAP BusinessObjects Business Intelligence (BI) platform provides flexible systems management for an enterprise BI standard that allows administrators to confidently deploy and standardize their BI implementations on a proven, scalable, and adaptive service-oriented architecture.


Image 249: Reporting on HANA 1.0 with BI 4 BI User Provisioning


Image 250: Reporting on HANA 1.0 with BI 4 SAP HANA + BI: What Are My Authentication Options?


Image 251: Reporting on HANA 1.0 with BI 4 SSO with credential mapping


Image 252: Reporting on HANA 1.0 with BI 4: SSO with Kerberos

Configuration steps

Step 1: Active Directory
• Create the keytab
• Set up the SPNs on the Domain Controller

Step 2: HANA
• Install the Kerberos client
• Copy the keytab from the AD server and set up the krb5.conf file
• Enable Kerberos for a HANA user and enter an External ID for the user
• Add the user to HANA Studio to test SSO

Step 3: BOE
• Copy the krb5.conf from the HANA server and create the bscLogin.conf
• Configure the web application server for Kerberos
• Configure the BI4 service account for Kerberos
• Configure Webi Rich Client, Information Design Tool (IDT), APS, Explorer for Kerberos

For more information, refer to:

SAP Note 1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory


Image 253: Reporting on HANA 1.0 with BI 4: SSO with SAML

Configuration Steps
1. Enter HANA server details
2. Generate a certificate on the BI side to import into the HANA server
3. Once both systems are set up, the user can test the connection from the CMC directly to validate the setup


Image 254: Reporting on HANA 1.0 with BI 4 Summary


Image 255: Reporting on HANA 1.0 with BI 4: What can be secured and where?


Image 256: Summary


Lesson : Reuse of ERP Authorization using SAP HANA Live

Image 257: Reuse of ERP Authorization using SAP HANA Live


Image 258: Learning Objective


Image 259: Scenario 1 Expose SAP HANA views in ERP


Image 260: Integrated Scenario Reporting in ERP Data in SAP HANA

In this case HANA is used as the database where data is replicated (side-car) or resides (NetWeaver on HANA). In addition to the standard access via the application server (see previous scenario), you also want to access the data in HANA directly, and this requires a user on the database level with specific authorizations.


Image 261: Analytics Authorization Assistant Introduction

With the SAP HANA Live Authorization Assistant, you can give users the authorizations in the SAP HANA system that are required to access business data displayed by the virtual data model of SAP HANA Live. To do this, the SAP HANA Live Authorization Assistant takes into account the permissions that the same users already have in the ABAP-based Business Suite application. See SAP Note 1796718 for details on this tool.


Image 262: Analytics Authorization Assistant Benefit

You can select multiple query views for multiple users and create analytic privileges for all the query views. You do not need to manually check for privileges in the SAP ABAP system and manually create privileges for each query view. Hence, the mass process available with this tool reduces the effort required to create analytic privileges for query views. The existing analytic privileges can be reused between different users.


Image 263: Analytics Authorization Assistant Installation Overview


Image 264: Analytics Authorization Assistant Installation pre-requisites

For more information, refer to the Administration guide on SAP Service Marketplace at http://service.sap.com/instguides > SAP In-memory Computing > SAP HANA Live for SAP Business Suite (Section 4.3.5 Download and Deploy Content Package).

- The _SYS_REPO user should have the SQL Execute privilege on REPOSITORY_REST with the "Grantable to others" option selected.
- You have replicated the tables USRBF2 and UST12 from the ABAP-based system where you want to create the authorizations.


Image 265: Analytics Authorization Assistant Installation steps

* The two available plug-ins are Analytic Authorization Assistant and Analytic Authorization Assistant - Metadata. If you do not want to enter new metadata and only generate analytic privileges with SAP-delivered metadata, you require only the Analytic Authorization Assistant plug-in. For more information, refer to the Administration guide on SAP Service Marketplace at http://service.sap.com/instguides > SAP In-memory Computing > SAP HANA Live for SAP Business Suite (Section 4.3.5 Download and Deploy Content Package).


Image 266: Analytics Authorization Assistant Key content after the installation

The developer role is needed to maintain additional metadata for custom views.


Image 267: Analytics Authorization Assistant Implementation

There are two main tools available with AAA that are downloaded from SMP:

- Generate Analytic Privileges (this also includes the Update Privileges function)
- Maintain Analytics Meta Data


Image 268: Analytics Authorization Assistant Steps to generate privileges

If you have selected views that use tables from multiple SAP HANA schemas, you can select in this step the schema from which the user authorizations will be taken. A role is automatically generated with the name ROLE_ and the generated privilege is automatically assigned to this role. If this role already exists (from a previous generation), the new privilege is added to the role.

Note: Do not manually modify any analytic privileges or roles generated by the tool.


Image 269: Analytics Authorization Assistant Steps to update privileges

With the SAP HANA Live Authorization Assistant, you can also update analytic privileges generated earlier using the SAP HANA Live Analytics Authorization Assistant. When you make changes in the ABAP authorizations, the changes are reflected in the SAP HANA authorization tables through replication. The update analytic privilege tool identifies the changes in the ABAP authorizations, and new restrictions are created when you run the tool. The valid analytic privileges are retained in the role and newly created analytic privileges are added. If an analytic privilege is not valid, it is removed from the role, and if an analytic privilege is not assigned to any role, it is deleted. The tool only checks if the analytic privilege is assigned to the role.
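A small Python model of the reconciliation described above, added here as an illustration; it is not SAP's code or the tool's implementation. The `Privilege` and `Catalog` types, the view name, the role names and the company-code values are constructed, and "valid" is assumed to mean "still matches what the current ABAP authorizations yield".

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Privilege:
    """Analytic privilege: one query view restricted to a set of (field, value) pairs."""
    view: str
    restriction: frozenset


@dataclass
class Catalog:
    """Constructed stand-in for the HANA side of the scenario."""
    roles: dict = field(default_factory=dict)      # role name -> set of Privilege
    privileges: set = field(default_factory=set)   # every privilege that exists


def derive(abap_values, views):
    """Assumed mapping: each view is restricted to the values the user currently
    holds in the replicated ABAP authorization tables; no values, no privilege."""
    if not abap_values:
        return set()
    return {Privilege(view, frozenset(abap_values)) for view in views}


def update_role(catalog, role, abap_values, views):
    """Reconcile one generated role against the current ABAP authorizations."""
    expected = derive(abap_values, views)
    current = catalog.roles.get(role, set())
    retained = current & expected          # still valid: kept in the role
    added = expected - current             # new restriction: added to the role
    removed = current - expected           # no longer valid: taken out of the role
    catalog.roles[role] = retained | added
    catalog.privileges |= added
    # A removed privilege is deleted only if no role references it any more.
    assigned = set().union(*catalog.roles.values())
    deleted = removed - assigned
    catalog.privileges -= deleted
    return {"retained": retained, "added": added, "removed": removed, "deleted": deleted}


def run_scenario():
    """Constructed data: two users, one view, company code (BUKRS) restrictions."""
    views = ["SalesOrderQuery"]
    cat = Catalog()
    update_role(cat, "role_u1", {("BUKRS", "1000")}, views)
    update_role(cat, "role_u2", {("BUKRS", "1000")}, views)
    p1000 = Privilege("SalesOrderQuery", frozenset({("BUKRS", "1000")}))
    p2000 = Privilege("SalesOrderQuery", frozenset({("BUKRS", "2000")}))

    # The ABAP side changes for u1; until the update runs, the role is stale.
    stale = p1000 in cat.roles["role_u1"]
    first = update_role(cat, "role_u1", {("BUKRS", "2000")}, views)
    shared_survives = p1000 in cat.privileges      # role_u2 still holds it

    # u2 loses all authorization: the last reference goes, so it is deleted.
    second = update_role(cat, "role_u2", set(), views)
    return {"stale": stale, "first": first, "shared_survives": shared_survives,
            "second": second, "remaining": cat.privileges,
            "p1000": p1000, "p2000": p2000}


if __name__ == "__main__":
    print(run_scenario())
```

The `stale` flag shows why the update run matters for access reviews: in this model, a restriction withdrawn on the ABAP side stays in the generated role until the reconciliation is executed.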


Image 270: Analytics Authorization Assistant Maintain additional meta-data

SAP delivers the required metadata for all the relevant query views of the virtual data model. For customer created views, the metadata is defined with the view as specific properties. To view the SAP delivered metadata, open the respective query view and navigate to Properties Analytics Metadata Maintain Metadata. In addition, you can use this tool to maintain metadata for views created using tables from the ERP system. You can add more rows by pressing the + button to map your own attributes to ABAP fields.


Image 271: Summary


Unit 6 Integrative authorization Scenarios Exercise 6 : HANA Live Analytic Authorization assistant

Exercise 6 : HANA Live Analytic Authorization assistant

Exercise 8: Authorization HANA Live Authorization Assistant. In this exercise you will learn how to use HANA Live Authorization Assistant.

1. Log in to the HANA Database using your STUDENTXX user.
2. Generate the Analytic Privilege.
3. Check the generated role and analytic privilege.
4. Close the connections.
5. This completes the exercise.

Solution for Exercise regarding Authorization Assistant

Image 272: Exercise 6 : Solution Slide1


Image 273: Exercise 6 : Solution Slide2


Image 274: Exercise 6 : Solution Slide3


Image 275: Exercise 6 : Solution Slide4

3. Check the generated role and analytic privilege


Image 276: Exercise 6 : Solution Slide5

4. Close the connection. This completes the exercise.


Unit 7 : Optional : Multitenant DB and HANA Enterprise Cloud


Lesson : Multitenant

Image 277: Learning Objective


Image 278: Multiple-Host Systems with Multitenant Database Containers

A multiple-container system has exactly one system database.

It is created during system installation or migration from a single-container system. It contains the data and users for system administration.

System administration tools, such as the SAP HANA studio, can connect to this database. The system database stores overall system landscape information, including knowledge of the tenant databases that exist in the system.

However, it doesn't own database-related topology information, that is, information about the location of tables and table partitions in databases. Database-related topology information is stored in the relevant tenant database catalog.


Image 279: Overview

All the databases in the same multiple-container system share:

- The same installation of database system software
- The same computing resources
- The same system administration

However, each database is self-contained and fully isolated with its own:

- Set of database users
- Database catalog
- Repository
- Persistence
- Backups
- Traces and logs

Although database objects such as schemas, tables, views, procedures, and so on are local to the database, cross-database SELECT queries are possible! This supports in particular cross-application reporting in MCOS (multiple components in one system) scenarios.


Image 280: Multiple-Host System with Multitenant Database Containers


Image 281: MDC and its Users

SYSTEM is the database super user. It has irrevocable system privileges, such as the ability to create other database users, access system tables, and so on. In a system with multitenant database containers, the SYSTEM user of the system database has additional privileges for managing tenant databases, for example, creating and dropping databases, changing configuration (*.ini) files of databases, and performing database-specific data backups.


Lesson: HANA Enterprise Cloud

Image 282: Learning Objective


Image 283: HANA Enterprise Cloud (HEC)


Image 284: HANA Enterprise Cloud (HEC)

The fundamental security architecture of the HEC infrastructure is the principle of a private cloud. This means each customer receives an isolated, logical grouping of several virtual machines and physical systems. All customer networks are completely isolated from each other.

HEC administrative tasks are done using management networks.


Image 285: Details for Customer Landscapes


Image 286: Details for Network Integration


Image 287: Security & Data Protection Requirements – Data Center (Building / Facilities)

Cloud hosted customer environments must be operated in an SAP Tier Level III, III+ or IV classified Datacenter to meet the physical security and operational compliance requirements of the customer.

For co-location data centers (non-SAP DC), access to SAP HEC infrastructure needs to be physically separated from other DC customers, e.g. using cages.


Image 288: Benefits HANA Enterprise Cloud Multi Layers of Defense


Image 289: Holistic Security & Compliance Approach


Image 290: Security, Compliance & Data Protection Processes: Internal Control System – Certifications as of today
