Roles

Published in: Technology, Education
Transcript

  • 1. SAP HANA Security Privileges and Authorization – Roles, PART ONE
  • 2. Recently I passed the SAP c_hanatec_1 certification exam. One of the subject areas for the SAP c_hanatec_1 certification is "Security and Authorization." This subject area is one that I am very interested in, not just for the certifications, but because I am zealous about database security. In fact, I present and write often about database security. The material in this series of presentations is not provided from the standpoint of covering all the security topics covered by the c_hanatec_1 certification exam (however, you may find it helpful as additional study material). Instead, I offer this as general information for those who are curious about HANA database security. The topic covered in this presentation is "ROLES".
  • 3. Roles
      • Based on my previous experience, the general concept of Roles in HANA is very similar to the general concept of Roles in both DB2 and Oracle.
      • HANA database users who have the SYSTEM privilege ROLE ADMIN can create roles.
      • The SYSTEM privilege ROLE ADMIN is also needed to grant roles to users or to other roles.
      • However, every user can grant privileges to an existing role (example: the owner of an Analytic Privilege can grant that privilege to roles).
      • Roles are useful for bundling the privileges required for specific functional tasks. Think of them as reusable objects.
      • There are five delivered roles (discussed on the following pages): PUBLIC, MODELING, CONTENT_ADMIN, MONITORING and SAP_INTERNAL_HANA_SUPPORT (named SUPPORT until SPS 06).
      • The delivered roles can be used as templates for creating additional roles.
      • The delivered roles are runtime objects; they are not created in the repository.
  • 4. PUBLIC
      • Granted implicitly whenever a user is created.
      • Provides filtered read-only access to system and monitoring views: only objects for which the user has access rights are visible.
      • Provides execute privileges for some procedures.
      • The above privileges cannot be revoked.
      • However, PUBLIC can be granted further privileges, and those additionally granted privileges can subsequently be revoked.
  • 5. MODELING
      • Contains all privileges required for using the information modeler in the SAP HANA studio.
      • Provides the data modeler with the range of database authorizations needed to create views and analytic privileges.
      • Provides a template role that can be used to create users who work on content.
      • CAUTION: the MODELING role includes the analytic privilege _SYS_BI_CP_ALL, which, when coupled with SELECT, allows the holder to access ALL data in ALL activated views. From a security standpoint it is unlikely you would want this in any production environment. A good security best practice is to use the MODELING role only as a template.
  • 6. CONTENT_ADMIN
      • The same privileges as the MODELING role.
      • Adds the ability to grant these privileges to other users.
      • Provides the SYSTEM privileges needed to work with imported objects in the repository.
      • The best role template to use for creating roles for content administrators.
      • Review the caution on the preceding slide: it applies here as well.
  • 7. MONITORING
      • Read-only role which provides the content of all system and monitoring views and the data of the statistics server.
      • Most individuals who use the Administration Editor will benefit from this role (additional privileges, such as CATALOG READ, may be needed depending on the task).
      • Contains privileges for full read-only access to all metadata, the current system status in system and monitoring views, and the data of the statistics server.
  • 8. SAP_INTERNAL_HANA_SUPPORT
      • Formerly named SUPPORT; renamed as of SPS 06.
      • Should never be used for day-to-day tasks.
      • Contains SYSTEM privileges (such as CATALOG READ) and object privileges (such as SELECT on the SYS schema).
      • Allows access to specific low-level internal system views.
      • Read-only access; no access to any customer data.
      • Cannot be granted to the SYSTEM user.
  • 9. How to Create a Role
      • A user with the SYSTEM privilege ROLE ADMIN can create and grant roles.
      • The role name must be unique (it cannot be the same as an existing user or role).
      • Syntax: CREATE ROLE <ROLENAME>
      • Example: CREATE ROLE HR_SCHEMA;
      • System and monitoring views that hold information about roles:
          • ROLES: roles, their creators and creation dates
          • GRANTED_ROLES: roles granted to users or to other roles
          • GRANTED_PRIVILEGES: privileges granted to users or to roles
      • Both roles (indirect privileges) and directly granted privileges are combined when the database decides whether a user may access an object.
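The following SQL is an added example, not part of the presentation: it walks the slide 9 procedure (create a role, grant it privileges, grant it to a user) and then audits the result through the ROLES, GRANTED_ROLES and GRANTED_PRIVILEGES views, ending with a check for the _SYS_BI_CP_ALL exposure warned about on slide 5. It assumes a schema HR and a user JSMITH exist, and that the view columns are named as in the SAP HANA SYS schema (GRANTEE, GRANTEE_TYPE, ROLE_NAME, PRIVILEGE, and so on).

```sql
-- Added example (not from the presentation). Assumes schema HR and user
-- JSMITH exist; column names are assumed to match the SYS view definitions.

-- 1. Create the role (needs the SYSTEM privilege ROLE ADMIN; slide 9 syntax).
CREATE ROLE HR_SCHEMA;

-- 2. Grant only the object privilege the task needs. Any user may grant
--    privileges to an existing role (slide 3), so ROLE ADMIN is not needed here.
GRANT SELECT ON SCHEMA HR TO HR_SCHEMA;

-- 3. Assign the role to a user (ROLE ADMIN is required again).
GRANT HR_SCHEMA TO JSMITH;

-- 4. Audit: who created the role, and when?
SELECT ROLE_NAME, CREATOR, CREATE_TIME
  FROM SYS.ROLES
 WHERE ROLE_NAME = 'HR_SCHEMA';

-- 5. Audit: which users (and which other roles) hold the role?
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME = 'HR_SCHEMA';

-- 6. Audit: what does the role actually carry? Expect one SELECT on HR.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'HR_SCHEMA';

-- 7. Slide 5 check: every role that carries the all-data analytic privilege
--    _SYS_BI_CP_ALL, and the users who receive it through that role.
--    MODELING and CONTENT_ADMIN are expected; any other row deserves review.
SELECT p.GRANTEE AS ROLE_NAME, r.GRANTEE AS HOLDER, r.GRANTEE_TYPE
  FROM SYS.GRANTED_PRIVILEGES p
  LEFT JOIN SYS.GRANTED_ROLES r
    ON r.ROLE_NAME = p.GRANTEE
 WHERE p.OBJECT_NAME = '_SYS_BI_CP_ALL'
   AND p.GRANTEE_TYPE = 'ROLE';

-- 8. Clean-up for a role that should not exist in production.
REVOKE HR_SCHEMA FROM JSMITH;
DROP ROLE HR_SCHEMA;
```

Step 7 resolves only one level of role nesting; a role granted to another role that is in turn granted to a user needs the join repeated (or a recursive query) to surface the end user.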
