SAP HANA Security and Integration with SAP BI 4.1
Vishal Dhir, SAP Customer Solution Adoption (CSA)
August 2013
© 2013 SAP AG. All rights reserved. 2 Public
Legal Disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without
the permission of SAP. This presentation is not subject to your license agreement or any other service or
subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this
document or any related presentation, or to develop or release any functionality mentioned therein. This
document, or any related presentation and SAP's strategy and possible future developments, products and
or platforms directions and functionality are all subject to change and may be changed by SAP at any time
for any reason without notice. The information in this document is not a commitment, promise or legal
obligation to deliver any material, code or functionality. This document is provided without a warranty of any
kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement. This document is for informational purposes and may not be
incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except
if such damages were caused by SAP´s willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results
to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making
purchasing decisions.
Agenda
Overview
User Provisioning
Users and Roles
Privileges
Authentication
Encryption
Auditing
BI 4.1 Integration
More Information
Key Learning Points
HANA Architecture
Diagram (architecture overview): source systems (ECC, BW, third-party DBs, small DBs) feed HANA either in real time through SLT or by ETL through Data Services 4.0 (DS repos); the HANA DB layer holds the DB schemas and tables plus the activated cubes/views in _SYS_BIC; the BI 4.1 server (web layer, with its CMS DB and Audit DB) exposes Explorer, Universe, Webi and Dashboards in the presentation layer to end users; HANA Studio connects directly to HANA.
Generic Schema Architecture
Diagram: the SFLIGHT schema, owned by SFLIGHT_USER, holds the source tables; modelers/developers build models in HANA Studio, which are stored in the modeling repository and activated into cubes/views in _SYS_BIC; end users and other apps consume the activated views.
User Provisioning
There are three ways in HANA to provision users
Manual creation of roles and users from HANA Studio
Programmatic creation of roles and users with SQL statements
CREATE ROLE <role_name>;
GRANT SELECT ON SCHEMA _SYS_BIC TO <role_name>;
GRANT SELECT ON <schema>.<table_1> TO <role_name> WITH GRANT OPTION;
…
CREATE USER <user_name> PASSWORD <password>;
GRANT <role_name> TO <user_name>;
User Provisioning
SAP NetWeaver Identity Management
SAP IDM <-> SAP HANA Connector
Using SQL Interface in HANA
Create / delete users
Create / delete roles
Grant / revoke roles
Change passwords
Diagram (HANA, BOE, IDM and AD/LDAP): SAP IDM pulls from and pushes to the corporate directory (AD, LDAP) and pushes users and roles into SAP HANA; the BOE server imports its users and groups from the same directory.
User Management in HANA
1. Create users: set initial password, choose authentication, set user-specific parameters
2. Assign security: object-level and row-level security
3. Manage users: lock users, password policy, manage user privileges, integration with BI
DB user passwords are hashed with the SHA-256 algorithm
Predefined Roles in HANA
MODELING
Contains all the privileges required for using the information modeler in the SAP HANA studio
Contains the _SYS_BI_CP_ALL Analytic Privilege which allows access to ALL data in ALL views
Role should be used as a template
MONITORING
Allows full read-only access to all metadata and data collected by the statistics server
PUBLIC
This role contains privileges for filtered read-only access to the system views
Every user automatically has this role, it cannot be revoked
CONTENT_ADMIN
Role contains the same privileges as the MODELING role but with additional authorization to grant these privileges to other users
Use role as a template
Predefined Roles in HANA
SAP_INTERNAL_HANA_SUPPORT (renamed from the SUPPORT role in HANA SPS 6)
Contains system privileges (for example, CATALOG READ) and object privileges (for example, SELECT on the SYS schema) that allow access to certain low-level internal system views needed by SAP HANA development support in a support situation
All access is read-only. This role does not allow access to any customer data
The following restrictions apply
It cannot be granted to user SYSTEM
It cannot be granted to more than one user at a time
It cannot be granted to another role
No role can be granted to it
Only system privileges can be granted to this role
Predefined Users in HANA
SYS, _SYS_STATISTICS, _SYS_AFL, SYSTEM
_SYS_REPO
SAP HANA database comes with a built-in repository; _SYS_REPO is the owner of this repository
The repository stores
Runtime data, such as calculation scenarios
Design-time data, such as models (Attribute, Analytic, Calculation Views) and Analytic Privileges
Design-time objects need to be activated to become runtime objects
The _SYS_REPO user needs SELECT privileges on the schema where the source tables are located, therefore you may need to run the following command to grant access
GRANT SELECT ON SCHEMA <schema name> TO _SYS_REPO WITH GRANT OPTION;
HANA User and Schema Structure
Each user can own one or more schemas
Views are activated by the _SYS_REPO user
SELECT DISTINCT OWNER_NAME, SCHEMA_NAME
FROM SYS.OWNERSHIP
WHERE SCHEMA_NAME is NOT NULL
ORDER BY 2
HANA User and Schema Structure
Diagram (schemas and users):
Inbuilt system schemas: SYSTEM, SYS, _SYS_BI, _SYS_RT, _SYS_BIC, _SYS_XS, _SYS_REPO, _SYS_STATISTICS
Custom schemas: SLTECC, SFLIGHT
Technical users: SYSTEM, SYS, _SYS_REPO, _SYS_STATISTICS, SLTECC, HANAUSER
Other users: end users, modeling users (modeling via the repository), other admin users
The _SYS_REPO user needs SELECT permission on the data schemas
General HANA Authorization Steps
Avoid having SQL Privileges and Analytic Privileges in the same roles
Restrict access to a view via SQL Privileges and to specific values via Analytic Privileges
Recommended to have different roles, for example
SYSTEM Roles – DB specific functions, ex: create users
SQL Roles – SQL specific functionality, ex: select, update table
Analytic Roles – Restrict access to certain data in a view
Authorization flow: Define and create roles -> Create privileges -> Assign privileges to roles -> Assign roles to other roles -> Create users -> Assign roles to users
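Added example (not from the slides): the three-way role split recommended above, carried through to a provisioned user with a validity period, for the SFLIGHT schema the deck uses elsewhere. The role names, the user, the password and the analytic privilege AP_SFLIGHT_CARRIER_LH are constructed, and the analytic privilege is assumed to be already activated.

```sql
-- Added example, not the deck's own code. Names below are constructed.

-- 1. System role: database administration functions only, no data access.
CREATE ROLE SFLIGHT_SYSTEM_ADMIN;
GRANT USER ADMIN TO SFLIGHT_SYSTEM_ADMIN;
GRANT ROLE ADMIN TO SFLIGHT_SYSTEM_ADMIN;

-- 2. SQL role: object-level access to the activated views only. End users do not
--    need SELECT on the raw SFLIGHT tables; _SYS_REPO reads those on their behalf.
--    No WITH GRANT OPTION: report consumers must not be able to re-grant access.
CREATE ROLE SFLIGHT_VIEW_READER;
GRANT SELECT ON SCHEMA _SYS_BIC TO SFLIGHT_VIEW_READER;

-- 3. Analytic role: row-level restriction. AP_SFLIGHT_CARRIER_LH is assumed to be
--    an activated analytic privilege that restricts CARRID to 'LH'.
CREATE ROLE SFLIGHT_ANALYTIC_LH;
GRANT STRUCTURED PRIVILEGE AP_SFLIGHT_CARRIER_LH TO SFLIGHT_ANALYTIC_LH;

-- 4. Business role built from the SQL and analytic roles (role hierarchy).
--    _SYS_BI_CP_ALL is deliberately not granted: it exposes all data in all views.
CREATE ROLE SFLIGHT_ANALYST_LH;
GRANT SFLIGHT_VIEW_READER TO SFLIGHT_ANALYST_LH;
GRANT SFLIGHT_ANALYTIC_LH TO SFLIGHT_ANALYST_LH;

-- 5. Users receive business roles, never individual privileges. The SPS 6
--    validity period bounds the lifetime of, for example, a contractor account.
CREATE USER LH_ANALYST01 PASSWORD Welcome2013x   -- placeholder initial password
    VALID FROM '2013-09-01 00:00:00' UNTIL '2013-12-31 23:59:59';
GRANT SFLIGHT_ANALYST_LH TO LH_ANALYST01;

-- 6. Verify: the user should hold one direct role and inherit the two building blocks.
SELECT ROLE_NAME, GRANTEE, GRANTEE_TYPE, IS_GRANTABLE
  FROM SYS.EFFECTIVE_ROLES
 WHERE USER_NAME = 'LH_ANALYST01';
```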
What’s New in SAP HANA SPS 6
Core User Properties
Additional core user properties are now available for applications based on SAP HANA
Default e-mail address
Locale
Time zone
Validity period
To add and remove these properties use the following SQL
Prerequisites
Users can change their own properties (exception: validity period)
To change the properties of other users, the system privilege USER ADMIN is required
CREATE/ALTER USER <user_name> ... [VALID FROM <timestamp> [UNTIL <timestamp>] | VALID UNTIL <timestamp>] [SET PARAMETER LOCALE/TIME ZONE/EMAIL ADDRESS = …]
Roles in HANA
Concept of roles in SAP HANA
Roles are named bundles of privileges
Roles and privileges can be bundled to form further roles, building a hierarchy of roles
The role concept provides reusable building blocks for granular access control, based on administering certain aspects of a database, for example
Business end users: consume reports using client tools
Modellers: create models and reports
Database administrators: operate and maintain the database
Diagram: a user is authorized through granted roles (Role A, Role B, Role C); each role bundles system privileges, object privileges and analytic privileges.
Roles in HANA
Creating roles
Grouping individual privileges into roles
Create hierarchies of roles
Granting roles
Direct granting via SQL / SAP HANA Studio
Via SAP NetWeaver Identity Management
(requires separate license)
Diagram (role hierarchy): the role 'edit model' bundles the package privilege create/edit models with SQL select; the role 'activate model' bundles the package privilege activate with SQL write on the runtime object; both are granted to the role 'edit + activate', which is granted to the user.
What’s New in SAP HANA SPS 6
EFFECTIVE_ROLES system view
New system view EFFECTIVE_ROLES shows what roles the currently logged-on user has
It shows both roles that were granted directly to the user, and roles that were inherited from other roles
Column name – Description
USER_NAME – Name of the user for whom the effective roles are shown
GRANTEE – Shows to which user or role the role was granted
GRANTEE_TYPE – Shows whether the role was granted directly ('USER') or is inherited from another role ('ROLE')
GRANTOR – User that granted the role
ROLE_NAME – Role that was granted
IS_GRANTABLE – Shows whether the role was granted 'WITH ADMIN OPTION': 'TRUE' or 'FALSE'
What’s an Analytic Privilege?
Controls what users can do
Row-level security for data models
Example: See only data for cost center 1000
Only applied at processing time of the user query
Can only be used for attribute views, analytic views, and calculation views
Cannot be used for tables or row store views
Can be combined
Example: AP1 + AP2 will allow a user to see data specified by AP1 or by AP2 or both
Filter for the restriction can be static or dynamic (values returned by a procedure)
_SYS_BI_CP_ALL privilege
Allows user to see ALL data in ALL views
Types of Privileges
For more information have a look at the SAP HANA Security Guide
http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
Privilege Type – Description
System privilege – System privileges are SQL privileges that control general system activities. Ex: Can I create users?
Object privilege – Privileges used to restrict access to and modification of database objects, such as tables and views
Analytic privilege – Analytic privileges are used to restrict read access to data in SAP HANA information models. Analytic privileges are evaluated during query processing. Ex: What data can I see?
Package privileges – Package privileges are used to restrict access to and the ability to work in packages in the repository of the SAP HANA database
SQL privileges – Define coarse-grained restrictions at object level only. Ex: Which tables can I read or write to?
Application privileges – Authorize user and client access to XS applications
What’s New in SAP HANA SPS 6
Application Privileges in HANA
Application privileges can now be granted/revoked in SAP HANA studio
Developers of applications based on SAP HANA Extended Application Services (SAP HANA XS) can create application privileges.
These privileges authorize user and client access to the application, for example to start the application or to perform administrative actions in the application.
To grant an application privilege to a user:
Expand the Security folder in the SAP HANA studio navigator Users and double-click on the user
On the Application Privileges tab, assign the privilege
Analytic Privileges
Analytic Privileges are repository objects
Create and manage via SAP HANA Studio
Create in any package
Does not need to be the same package as views
Can be created with no restrictions to display all data a user is allowed to see
Analytic Privileges
Screenshot (analytic privilege editor): the views that the privilege grants access to; the list of fields for attribute restrictions; the list of restrictions implemented for the selected field; the resulting filter.
Displaying Privileges Granted to a User
To display which privileges a specific user has been granted, either directly or indirectly (via a role), use the system view EFFECTIVE_PRIVILEGES
SELECT * FROM "SYS"."EFFECTIVE_PRIVILEGES" WHERE USER_NAME = '<user name>';
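Added example (not from the slides) of a privilege review for one user built on EFFECTIVE_PRIVILEGES and EFFECTIVE_ROLES: it lists what the user can do and then isolates the findings a reviewer would flag. The user name LH_ANALYST01 and the SFLIGHT schema are constructed; the column names are those documented for the two system views.

```sql
-- Added example, not the deck's own code. User and schema names are constructed.

-- A. Everything the user can do, with the path it arrived by (direct vs. inherited role).
SELECT GRANTEE_TYPE, GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'LH_ANALYST01'
 ORDER BY GRANTEE_TYPE, GRANTEE, OBJECT_TYPE, PRIVILEGE;

-- B1. The "see everything" analytic privilege, however it was inherited.
--     Any row here means the row-level restrictions on the views are moot.
SELECT GRANTEE, GRANTEE_TYPE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'LH_ANALYST01'
   AND OBJECT_NAME = '_SYS_BI_CP_ALL';

-- B2. Grantable privileges: the user could hand these on to other users.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'LH_ANALYST01'
   AND IS_GRANTABLE = 'TRUE';

-- B3. Roles granted directly to the user instead of through the role hierarchy.
SELECT ROLE_NAME, GRANTOR
  FROM SYS.EFFECTIVE_ROLES
 WHERE USER_NAME = 'LH_ANALYST01'
   AND GRANTEE_TYPE = 'USER';

-- B4. SELECT on the data schema itself. Analytic privileges only filter views,
--     so direct table access returns unfiltered rows.
SELECT GRANTEE, OBJECT_TYPE, OBJECT_NAME
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'LH_ANALYST01'
   AND PRIVILEGE = 'SELECT'
   AND SCHEMA_NAME = 'SFLIGHT';
```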
What’s New in SAP HANA SPS 6
Dynamic Analytic Privileges in HANA
You can now create dynamic analytic privileges in SAP HANA studio; repository/catalog procedures can now be added to the filter list of analytic privileges
Dynamic analytic privileges provide a flexible approach for specifying user-specific filter conditions. The filter conditions are obtained by SAP HANA at runtime from a database procedure, which can contain complex logic. This makes it possible to
Reuse the same analytic privilege for many users
Change the filter condition in the underlying tables and views without having to change the analytic privilege itself
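Added example (not from the slides) of the database procedure a dynamic analytic privilege calls at runtime to obtain its filter values; the procedure is then selected in the privilege's filter list in SAP HANA studio. The SECADM schema, the mapping table, the table type and the procedure are constructed; the constraints on the procedure (one output parameter, no input parameters, READS SQL DATA, executable by _SYS_REPO) are assumptions taken from the SAP HANA modeling documentation.

```sql
-- Added example, not the deck's own code. All object names are constructed.

-- Mapping of database users to the cost centers they may see (constructed data).
CREATE COLUMN TABLE SECADM.USER_COSTCENTER (
    USER_NAME   NVARCHAR(256) NOT NULL,
    COSTCENTER  NVARCHAR(10)  NOT NULL,
    PRIMARY KEY (USER_NAME, COSTCENTER)
);
INSERT INTO SECADM.USER_COSTCENTER VALUES ('LH_ANALYST01',   '1000');
INSERT INTO SECADM.USER_COSTCENTER VALUES ('LH_ANALYST01',   '1200');
INSERT INTO SECADM.USER_COSTCENTER VALUES ('FIN_CONTROLLER', '2000');

-- Table type for the single output parameter: one column, one allowed value per row.
CREATE TYPE SECADM.TT_COSTCENTER AS TABLE (COSTCENTER NVARCHAR(10));

-- The procedure returns the allowed values for the *calling* user. SESSION_USER is
-- the database user running the query (not the definer), so one analytic privilege
-- serves every user. A user with no mapping row gets an empty list, i.e. no data.
CREATE PROCEDURE SECADM.GET_ALLOWED_COSTCENTERS (OUT OUT_CC SECADM.TT_COSTCENTER)
    LANGUAGE SQLSCRIPT
    SQL SECURITY DEFINER
    READS SQL DATA AS
BEGIN
    OUT_CC = SELECT COSTCENTER
               FROM SECADM.USER_COSTCENTER
              WHERE USER_NAME = SESSION_USER;
END;

-- _SYS_REPO activates the privilege and evaluates the filter at query time,
-- so it must be able to execute the procedure. Nobody else needs EXECUTE.
GRANT EXECUTE ON SECADM.GET_ALLOWED_COSTCENTERS TO _SYS_REPO;

-- Reviewer check: connected as LH_ANALYST01 this returns 1000 and 1200.
CALL SECADM.GET_ALLOWED_COSTCENTERS(?);
```

Changing a user's cost centers is now an INSERT or DELETE on SECADM.USER_COSTCENTER, with no change to the analytic privilege itself.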
What’s New in SAP HANA SPS 6
Authentication: SAML and X.509 support for SAP HANA XS
Overview of authentication methods for SQL and HTTP access
User Name/Password Authentication – credentials are stored in the HANA database
Kerberos Authentication – the user ID is stored in HANA and mapped to an external user ID stored in a central directory (Windows Active Directory or LDAP). The external user ID is used by HANA to enforce privileges
Authentication Method | SQL Access | HTTP Access (SAP HANA XS)
User Name/Password | Y | Y
Kerberos | Y | -
SAML (version 2) | Y | Y
SAP logon ticket | - | Y
X.509 | - | Y
What’s New in SAP HANA SPS 6
Password Policy
The password policy can now be configured in SAP HANA studio
Passwords for user name/password authentication are subject to certain rules (password policy)
You can change the settings in line with your organization's security requirements, e.g.
Password quality (length, complexity)
Blacklist of forbidden words that are not allowed as passwords or parts of passwords
Configured by double clicking Security in HANA Studio
SAML Authentication
Security Assertion Markup Language (SAML)
SAML is an XML standard that allows parties to exchange authentication and authorization data
Requires a trusted 3rd party (identity provider) that can issue SAML assertions for clients (e.g. browser)
The SAP HANA database can only act as a SAML service provider
Prior to using SAML, SSL needs to be configured on the HANA server
SAML Authentication
Certificates can be imported directly in HANA Studio, and SAML providers can be configured via HANA Studio
SAML Authentication
Each user in HANA can have an external identity for the SAML assertion
For example a Business Objects User
SSL Encryption
SSL encryption is available for connections between the SAP HANA database and the SAP HANA interfaces
Supported interfaces: SQLDBC, ODBC, JDBC
Supported crypto providers: OpenSSL, sapcrypto
SSL Encryption
Server-side configuration
SSL libraries need to be installed – for example OpenSSL
A valid SSL certificate is required and needs to be installed on the HANA server, and root certificates installed on the client
Steps: Generate a CSR on the HANA server, have it signed by a Certificate Authority (CA), install the root certificate and intermediate certificates (if required)
HANA requires the certificate to be in the PEM format – key.pem, trust.pem
SSL parameters need to be configured in the indexserver.ini > Communication section
Example: see the blog for more information
http://bit.ly/17U3p68
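Added example (not from the slides or the linked blog) of the Communication-section parameters behind the steps above, set with the same ALTER SYSTEM ALTER CONFIGURATION statement the deck uses for auditing, with the weak setting shown beside the corrected one. The parameter names sslCryptoProvider, sslKeyStore, sslTrustStore and sslCreateSelfSignedCertificate are taken from the SAP HANA Security Guide; the file paths are placeholders.

```sql
-- Added example, not the deck's own code. Paths are placeholders.

-- Weak: HANA generates a self-signed server certificate when no key store exists.
-- Clients cannot validate it against a CA, so the "validate the certificate" option
-- in SAP HANA studio and the ODBC client must be switched off for connections to work.
-- ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
--     SET ('communication', 'sslCreateSelfSignedCertificate') = 'true' WITH RECONFIGURE;

-- Hardened: OpenSSL provider, CA-signed server key and trust store in PEM format
-- (the key.pem and trust.pem from the slide), no self-signed fallback.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
    SET ('communication', 'sslCryptoProvider')             = 'openssl',
        ('communication', 'sslKeyStore')                   = '/usr/sap/<SID>/home/.ssl/key.pem',
        ('communication', 'sslTrustStore')                 = '/usr/sap/<SID>/home/.ssl/trust.pem',
        ('communication', 'sslCreateSelfSignedCertificate') = 'false'
    WITH RECONFIGURE;

-- Verify the effective values on every layer (DEFAULT, SYSTEM, HOST) before
-- switching clients to "Connect with SSL".
SELECT LAYER_NAME, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'indexserver.ini'
   AND SECTION   = 'communication'
   AND KEY LIKE 'ssl%'
 ORDER BY KEY, LAYER_NAME;
```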
SSL Encryption
SSL configuration for SAP HANA studio
1. In SAP HANA studio, click Add System
2. Enter your user credentials and select Connect with SSL
3. Select whether you want to validate the certificate and whether you also want to check the host name in the certificate
4. All connections from SAP HANA Studio to the database will now be encrypted – you will see the lock on the SSL connection
SSL on the ODBC connection
The HANA ODBC client also allows for SSL. To enable it, select Connect using SSL. The necessary certificates will need to be installed for this to work properly
What is Auditing?
Many regulatory requirements require audit logging
Audit logging provides traceability for security-relevant events. It records security breaches and privilege abuse, and can be used for data forensics in the case of suspected abuse or criminal investigations. It also helps protect companies against unsubstantiated charges.
Audit logging records critical actions performed in the database, such as
Who did it?
What did they do?
When did they do it?
Threats
Internal – the majority of all attacks and security breaches come from inside the intranet!
External – hackers
HANA Audit Logging
Audit trails are stored in the Linux syslog, the secure operating system log
Audit policies stored in the database catalog
Logging of successful and unsuccessful events
Audit logging of critical events
Create/drop user/role
Create/drop analytic privilege
Grant/revoke SQL/system/analytic privilege
Grant/revoke role
Enable/disable audit policy
Database objects: Tables/Views/Procedures
Write and read access to data
(SELECT/INSERT/UPDATE/DELETE/EXECUTE)
User connects to the database
Configuration changes (via ini files)
License key installation
What’s New in SAP HANA SPS 6
Audit Logging
New audit events
Disconnect/cancel session
Drop table
Activate, import, export repository content
Backup lifecycle management (truncate backup catalog/delete backups)
New fields have been added to the audit trail
Client IP address
Client process ID
Client port number
Configuring Audit Logging
Auditing can be enabled and disabled for the entire system only
More Information – SAP HANA Reference
http://help.sap.com/hana/html/sql_create_audit_policy.html
Enable auditing system-wide:
alter system alter configuration ('global.ini','SYSTEM') set ('auditing configuration','global_auditing_state') = 'true' with reconfigure;
Show audit policies:
select * from "PUBLIC"."AUDIT_POLICIES";
Audit Logging Example
Create audit policy
CREATE AUDIT POLICY KHNC_DEMO_POLICY AUDITING ALL CREATE USER, DROP USER LEVEL CRITICAL;
Activate audit policy
ALTER AUDIT POLICY KHNC_DEMO_POLICY ENABLE;
Syslog output (/var/log/messages); CSV output can be enabled (column names need to be added manually for now)
Aug 15 17:18:01 myhanaserver HDB[61990]: 2013-08-15 17:18:01;indexserver;myhanaserver;HDB;00;30003;10.10.10.10;myclient.sap.corp;13076;52495;KHNC_DEMO_POLICY;CRITICAL;CREATE USER;SYSTEM;;;;;;KHNC_DEMO;SUCCESSFUL;;;;;;;CREATE USER KHNC_DEMO PASSWORD XXXXXXXXXXXXX;243491;
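Added example (not from the slides) extending KHNC_DEMO_POLICY to the critical event classes listed under HANA Audit Logging: identity changes, privilege changes, tampering with auditing itself, failed logons and access to one sensitive table. Policy names and the audited table SFLIGHT.SALARY_DATA are constructed; the action and level names are those accepted by CREATE AUDIT POLICY.

```sql
-- Added example, not the deck's own code. Policy and table names are constructed.

-- Auditing must be on for the whole system (same statement as the previous slide).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('auditing configuration', 'global_auditing_state') = 'true' WITH RECONFIGURE;

-- Identity changes: creation and deletion of users and roles, successful or not.
CREATE AUDIT POLICY SEC_IDENTITY_CHANGES
    AUDITING ALL CREATE USER, DROP USER, CREATE ROLE, DROP ROLE
    LEVEL CRITICAL;

-- Privilege changes: every grant/revoke of SQL, analytic (structured) privileges and roles.
CREATE AUDIT POLICY SEC_PRIVILEGE_CHANGES
    AUDITING ALL GRANT PRIVILEGE, REVOKE PRIVILEGE,
                 GRANT STRUCTURED PRIVILEGE, REVOKE STRUCTURED PRIVILEGE,
                 GRANT ROLE, REVOKE ROLE
    LEVEL CRITICAL;

-- Tampering with auditing: policies switched on/off, and ini-file changes, which is
-- where global_auditing_state itself lives. Only successful changes matter here.
CREATE AUDIT POLICY SEC_AUDIT_CONFIG
    AUDITING SUCCESSFUL ENABLE AUDIT POLICY, DISABLE AUDIT POLICY,
                        SYSTEM CONFIGURATION CHANGE
    LEVEL ALERT;

-- Failed logons: password guessing and misconfigured clients show up here.
CREATE AUDIT POLICY SEC_FAILED_LOGON
    AUDITING UNSUCCESSFUL CONNECT
    LEVEL WARNING;

-- Data access on one sensitive table (object-level actions need ON <object>).
CREATE AUDIT POLICY SEC_SALARY_ACCESS
    AUDITING ALL SELECT, INSERT, UPDATE, DELETE ON SFLIGHT.SALARY_DATA
    LEVEL INFO;

-- Policies are created in the disabled state; enable each one explicitly.
ALTER AUDIT POLICY SEC_IDENTITY_CHANGES  ENABLE;
ALTER AUDIT POLICY SEC_PRIVILEGE_CHANGES ENABLE;
ALTER AUDIT POLICY SEC_AUDIT_CONFIG      ENABLE;
ALTER AUDIT POLICY SEC_FAILED_LOGON      ENABLE;
ALTER AUDIT POLICY SEC_SALARY_ACCESS     ENABLE;

-- Confirm what is active before relying on the syslog trail.
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL, EVENT_ACTION, IS_AUDIT_POLICY_ACTIVE
  FROM "PUBLIC"."AUDIT_POLICIES"
 ORDER BY AUDIT_POLICY_NAME, EVENT_ACTION;
```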
Reporting on HANA 1.0 with BI 4.1
Client and connectivity options
Diagram (clients grouped as Discovery and Analysis, Dashboards and Apps, Reporting): Explorer, Analysis Office*, Analysis OLAP (via BICS) and Lumira in the discovery and analysis group; Dashboards and Design Studio* in the dashboards and apps group; Web Intelligence and Crystal Reports (2008*, 2011*, Enterprise) in the reporting group. Clients connect over JDBC/ODBC, either directly to views or through the semantic layer (relational universe UNX), which gives access to views, tables and stored procedures.
* SBO BI Platform is optional
BI User Provisioning
Diagram (SAP BOBJ BI, SAP HANA, SAP IDM, corporate directory): 1. users and groups are imported from the corporate directory and leveraged by BI 4; 2. SAP IDM leverages the same users and groups to create and delete users and roles in HANA.
BI User Provisioning
All existing User and Group Provisioning methods with BOE / BI 4 remain valid
Example: you can provision Users and Groups from Windows AD with the traditional WinAD configuration options from the CMC
Database Credentials Mapping in BI 4 can be done from the CMC or programmatically (*).
(*) Use these methods of the BOE SDK: IUser.setProfileString("DBUSER", HANA_user_ID); IUser.addSecondaryCredential("DBPASS", HANA_user_pwd);
Important!
If BI 4 is configured with WinAD, make sure the option "Synchronization of Credentials" is unchecked to avoid the credentials mapping being overwritten
SAP HANA + BI: What Are My Options?
Three options for HANA and BI SSO – Credential Mapping, Kerberos, SAML
If you are running BI on Windows
Set up Windows SSO to BI Portal, or manually log on using AD credentials
SSO at view time using Exploration view, Semantic Layer (Web Intelligence, Crystal Reports),
OLAP Analysis
Still no scheduling SSO using Kerberos
If you are running on Linux
Configure LDAP connectivity for MS AD
Enable Kerberos authentication from your LDAP authentication plug-in
Manually log on, then SSO to database possible
Any platform, all clients
Set up user database credentials for Direct DB authentication, exposed through CMC
Can be scripted
SAP HANA + BI: What Are My Options?
SAP BusinessObjects and SAP HANA support identity forwarding for scenarios where authorization enforcement in SAP HANA is required
Steps
1. User authenticates against the BOE server with one of the mechanisms supported by BOE
2. BOE securely forwards the user identity to SAP HANA with one of the following methods
– User name/password
o SAP HANA database user name/password stored in the BOE server
o Manual synchronization
– Kerberos (as of SP4)
o Users must log on to the BOE server using Active Directory authentication
o BOE server must run on Linux or Microsoft Windows
– SAML via JDBC (new with 4.1) – BOE server acts as identity provider
o BOE server generates a SAML ticket for the user and sends it to the SAP HANA database to validate; if valid, a session will be established for the user
o Using SSL between BOE and HANA is highly recommended
o User IDs must match between systems
SAP HANA + BI: What Are My Options?
Authentication
Credentials are defined in the Connection object from Information Design Tool
"Use Specified User Name and Password" if all users share the same data access restrictions
"Use BusinessObjects Credential Mapping" if you need user-specific restrictions and direct authentication
"Use Single Sign On when refreshing reports at view time" if you need user-specific restrictions and Kerberos delegated authentication
SSO with Credential Mapping
BusinessObjects Credentials Mapping
Each individual BI 4 user is assigned HANA database credentials
This can be done from the CMC or programmatically with the BOE SDK
(CMC -> Users and Groups -> UserID -> Properties)
Authentication BOE <-> HANA
Name / Password Authentication
Either single-user connection
– If authorization defined in BI server
Or named accounts in HANA
– Using “Credential Mapping”
– Duplicate maintenance of user accounts
– Authorizations defined in HANA
SSO with Credential Mapping
Diagram (HANA, BOE, IDM and AD/LDAP): SAP IDM pushes to and pulls from the corporate directory (AD, LDAP) and pushes users into SAP HANA; the BOE server imports users from the directory, and the DB credentials (name/password) for HANA are defined on the BOE side.
Reporting on HANA Client and Connectivity Options Using Kerberos SSO
Diagram: Web Intelligence, Dashboards and Crystal Reports for Enterprise reach the SAP HANA database through the semantic layer (relational universe UNX) over JDBC/ODBC; Explorer and Crystal Reports 2011 connect over JDBC/ODBC.
SSO with Kerberos
Diagram (SAP BOBJ BI, SAP HANA, SAP IDM, corporate directory with Kerberos):
1. Authentication to BI 4
2. Authorization checks in BI 4 (reports, dashboards, data(*))
3. Authentication to HANA
4. Authorization checks in HANA (views, tables, data)
Authentication BOE <-> HANA
Kerberos authentication (since FP 3)
Maintain named accounts in HANA
Kerberos ID instead of password
BI 4 secures reports, dashboards, optionally data
HANA secures views, tables and data
Kerberos allows SSO
Kerberos Configuration Steps
Step 1: Active Directory
Create the keytab
Set up the SPNs on the Domain Controller
Step 2: HANA
Install the Kerberos client
Copy the keytab from the AD server and set up the krb5.conf file
Enable Kerberos for a HANA user and enter an External ID for the user
Add the user to HANA Studio to test SSO
Step 3: BOE
Copy the krb5.conf from the HANA server and create the bscLogin.conf
Configure the web application server for Kerberos
Configure the BI4 service account for Kerberos
Configure Webi Rich Client, Information Design Tool (IDT), APS, Explorer for Kerberos
Refer to these for more information
Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0
– http://bit.ly/125UHfD
SAP Note 1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory
– https://service.sap.com/sap/support/notes/1837331
SSO with SAML
Based on trust configured between BI and HANA
Less work to set up than Kerberos
User IDs must match between the HANA and BI systems
Works with any type of authentication to BOE: Enterprise, AD, LDAP, SAP, and supports all platforms
SSO with SAML
Enter HANA server details
Generate a certificate on the BI side to import into the HANA server
Once both systems are set up, users can test the connection from the CMC directly to validate the setup
SAML SSO Process Flow
SP – Service Provider – HANA
IdP – Identity Provider – BI 4.1
HANA manages
The SAML providers
Mapping between HANA users and external users
BI
Generates the SAML assertion and passes it to HANA
Authentication is based on system trust. HANA trusts BI to do the authentication. Once a user is authenticated to BI, BI will generate a SAML assertion for the user and pass it to HANA for SSO
Authentication from Analysis
Analysis OLAP and Office leverage OLAP connections defined from the CMC
OLAP Connections point to a HANA system or a specific HANA view
Use "Pre-defined" user and password if all users share the same data access restrictions
Use "Prompted" if you need user-specific restrictions and direct authentication
Use "SSO" if you require single sign-on
Summary of Security BI to HANA
Client | Direct Authentication (user/password) | Kerberos | SAML | Secured Connection (SSL)
Crystal Reports | Yes | Yes (1) / No (2) | Yes | Yes
Web Intelligence | Yes | Yes (3) | Yes | Yes
SBOP Dashboards | Yes | Yes (3) | Yes | Yes
Design Studio | Yes | No | Yes | No
Analysis, edition for Microsoft Office | Yes | Yes | Yes | Yes
Analysis, edition for OLAP | Yes | No | Yes | No
SBOP Explorer | Yes | Yes (3) | Yes | Yes
Lumira | Yes | No | Yes | No
(1) Crystal Reports for Enterprise via a Universe (UNX)
(2) Crystal Reports 2011
(3) Support on Linux and Windows platforms only
Security Authorizations: What can you secure where?
Item to secure | In HANA | In the Universe (Semantic Layer) | In BI 4.x
Database schema - -
Table - -
Database (SQL) view - -
Attribute view - -
Analytic view - -
Calculation view - -
Data in a table (column values) - -
Data in an attribute view (dimension values) -
Connection to HANA - -
Universe, Report, Dashboard, Explorer Information Space, etc. - -
Excel worksheet with Analysis Office - -
Excel worksheet with PivotTable - - -
BI 4.x SSL Support
SSL encryption is available for connections between the SAP HANA database and the SAP HANA interfaces
Supported Interfaces: ODBC, JDBC
Authentication is handled via certificates
Screenshots: Enabling SSL in IDT 4.0; Enabling SSL in IDT 4.1
More Information
HANA Security Guide
http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
SSL with HANA and BI4 Feature Pack 3
http://bit.ly/17U3p68
Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0
http://bit.ly/125UHfD
SAP Note 1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory
https://service.sap.com/sap/support/notes/1837331
SAP Note 1813724 - HANA SSO/Kerberos: create keytab and validate conf
https://service.sap.com/sap/support/notes/1813724
Configuring SAML with SAP HANA and SAP BusinessObjects 4.1 - Part 1
http://bit.ly/1aZ2ROm
Key Learning Points
How to provision users to HANA
What are the pre-defined users and roles
The authentication types supported by HANA
What are analytic privileges
What auditing in HANA is
How to integrate HANA and BI 4.1 and the SSO options available
Contact information:
Vishal Dhir
Customer Solution Adoption (CSA)
We value your opinion. Let us know how you like this CSA presentation and how we
can make adopting SAP innovations a more beautiful experience. Please send
questions and comments to [email protected].
© 2013 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or
warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing
herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in
Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.