05/22/2022 1 Security & Authorizations: User & Roles Management, SAP HANA 1.0

User Management_AUTH 1.0


7/26/2012

Security & Authorizations
User & Roles Management

SAP HANA 1.0

User and Role Management

User Management and Security
- User Provisioning and User Management
- Security Details - Types of Privileges
- Template Roles for Typical Use Cases

User Provisioning and User Management

Creating Users in HANA
- Actual database users
- Create via SAP HANA Studio
- Or using standard SQL statements

Authentication Methods
- User / Password: set up and manage passwords using SAP HANA Studio or SQL
- Kerberos Authentication: certificate-based; requires a named user in HANA

Managing Users and Roles
Step-by-step

Creating / managing roles
In SAP HANA Studio

Using SQL Syntax
Run the following statement:
    CREATE ROLE <role_name>;

Assign Privileges to Roles

Creating Users
Using SAP HANA Studio
- Define the initial password (user/password)
- Or define the external user ID (e.g. Kerberos) - SSO

Creating Users
Using SQL Syntax
    CREATE USER <user_name> IDENTIFIED BY <password>;
    CREATE USER <user_name> IDENTIFIED EXTERNALLY AS 'user@domain';

To set the Session Client parameter for the user:
    ALTER USER <user_name> SET PARAMETER CLIENT = '<client>';

Grant Role to User
Using HANA Studio:

Grant Role to User
Using SQL Statements:
Enter the following SQL statement:
    GRANT <role_name> TO <user_name>;

To also allow granting the role:
    -- For roles the clause is WITH ADMIN OPTION; WITH GRANT OPTION applies to object privileges.
    GRANT <role_name> TO <user_name> WITH ADMIN OPTION;

Revoke Role from User
Using Studio:

Click the

User Management
Useful SQL Statements

Check history of invalid connect attempts for a given user:
    SELECT * FROM INVALID_CONNECT_ATTEMPTS WHERE USER_NAME = '<user_name>';

Reset counter of invalid connection attempts for a given user (required to unlock user):
    ALTER USER <user_name> RESET CONNECT ATTEMPTS;

Force a given user to change their password:
    ALTER USER <user_name> FORCE PASSWORD CHANGE;

Deactivate a given user:
    ALTER USER <user_name> DEACTIVATE USER NOW;

To re-activate a user that has been deactivated, change the user's password (as administrator [System privilege USER ADMIN]):
    ALTER USER <user_name> IDENTIFIED BY <password>;

Exempt a given user from password lifetime rule:
    ALTER USER <user_name> DISABLE PASSWORD LIFETIME;

SECURITY DETAILS - TYPES OF PRIVILEGES

Types of Privileges in HANA
1. System Privileges - e.g. USER ADMIN; CREATE TABLE
2. SQL Privileges - e.g. SELECT ON <object>; DROP ON <object>
3. Analytic privileges - e.g. see only data for cost center 1000
4. Package privileges - e.g. edit / activate data models in package

Analytic Privileges: Concept
- Analytic Privileges are used to control access to SAP HANA data models
- Without an Analytic Privilege, no data can be viewed from:
  - Attribute Views
  - Analytic Views
  - Calculation Views
- Implement row-level security with Analytic Privileges

Restrict access to a given data container to selected attribute values:
- Field from Attribute View
- Field from Attribute View used in Analytic View
- Private Dimension of Analytic View
- Attribute field in Calculation View
- Combinations of the above
- Single value,

Create Analytic Privilege

*** Activated Analytic Privileges belong to _SYS_REPO ***

Package Privileges are Object Privileges

Reading the list of views inside of a package: REPO.READ

Creation of views inside of a package: REPO.EDIT_NATIVE_OBJECTS

Modification of views inside of a package: REPO.EDIT_NATIVE_OBJECTS

Reading view definitions inside of a package: REPO.READ

Activation of views inside of a package: REPO.ACTIVATE_NATIVE_OBJECTS

Creation of sub-packages inside of a package: REPO.MAINTAIN_NATIVE_PACKAGES

Granting Package Privileges (via SQL):
    GRANT <package_privilege> ON "<package_name>" TO <grantee>;

Template Roles for Typical Use Cases
What kind of roles might be created:
1. ADMINISTRATOR: users that set up the system, create other roles, users,
2. DEVELOPER: users who create data models, activate models, import/export,
3. INFORMATION CONSUMER: user who is allowed to read from certain
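
Added example (not part of the original slides): a small Python helper that turns rows returned by the INVALID_CONNECT_ATTEMPTS query on the "Useful SQL Statements" slide into the ALTER USER statements listed there, holding back accounts whose failure count suggests something other than a forgotten password. The counter column name, both thresholds and the sample rows are assumptions made for illustration.

```python
import re

# Assumptions (not from the slides): the view's counter column is named
# INVALID_CONNECT_ATTEMPTS, and both thresholds reflect local policy.
LOCK_THRESHOLD = 6     # assumed number of failures that locks an account
REVIEW_THRESHOLD = 50  # assumed level where a human investigates first

# ALTER USER is DDL and takes no bind parameters, so a user name is only
# placed into a statement after it validates as a plain identifier.
_IDENT = re.compile(r"[A-Z_][A-Z0-9_]{0,126}")

def safe_identifier(name):
    if not isinstance(name, str) or not _IDENT.fullmatch(name):
        raise ValueError(f"not a plain identifier: {name!r}")
    return name

def triage(rows):
    """Return (user, action, statements) for every row with failed logons."""
    plan = []
    for row in rows:
        attempts = int(row["INVALID_CONNECT_ATTEMPTS"])
        if attempts == 0:
            continue
        try:
            user = safe_identifier(row["USER_NAME"])
        except ValueError:
            plan.append((row["USER_NAME"], "rejected", []))
        else:
            if attempts < LOCK_THRESHOLD:
                plan.append((user, "watch", []))
            elif attempts < REVIEW_THRESHOLD:
                plan.append((user, "unlock", [
                    f"ALTER USER {user} RESET CONNECT ATTEMPTS;",
                    f"ALTER USER {user} FORCE PASSWORD CHANGE;",
                ]))
            else:  # too many failures for a typo: review before unlocking
                plan.append((user, "investigate", []))
    return plan

# Constructed sample rows, not output from a real system.
SAMPLE_ROWS = [
    {"USER_NAME": "JDOE", "INVALID_CONNECT_ATTEMPTS": 7},
    {"USER_NAME": "ETL_SVC", "INVALID_CONNECT_ATTEMPTS": 412},
    {"USER_NAME": "ASMITH", "INVALID_CONNECT_ATTEMPTS": 2},
    {"USER_NAME": "BKING", "INVALID_CONNECT_ATTEMPTS": 0},
    {"USER_NAME": "j doe", "INVALID_CONNECT_ATTEMPTS": 9},
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_ROWS):
        print(entry)
```

Accounts marked "investigate" or "rejected" get no statements, so nothing is unlocked for them without a person looking first.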
