  1. SAP HANA Security: Privileges and Authorization – Roles, PART ONE
  2. Recently I passed the SAP c_hanatec_1 certification exam. One of the subject areas for the SAP c_hanatec_1 certification is “Security and Authorization.” This subject area is one that I am very interested in, not just for the certification, but because I am zealous about database security. In fact, I present and write often about database security. The material in this series of presentations is not provided from the standpoint of covering all the security topics covered by the c_hanatec_1 certification exam (however, you may find it helpful as additional study material). Instead, I offer this as general information for those who are curious about HANA database security. The topic covered in this presentation is “ROLES”.
  3. Roles
     • Based on my previous experience, the general concept of roles in HANA is very similar to the concept of roles in both DB2 and Oracle.
     • HANA database users who hold the system privilege ROLE ADMIN can create roles.
     • The system privilege ROLE ADMIN is also needed to grant roles to users or to other roles.
     • Any user can grant privileges they are entitled to grant to an existing role (for example, the owner of an analytic privilege can grant that privilege to roles).
     • Roles are useful for bundling the privileges required for specific functional tasks. Think of them as reusable objects.
     • There are five delivered roles (discussed on the following slides):
       – PUBLIC
       – MODELING
       – CONTENT_ADMIN
       – MONITORING
       – SAP_INTERNAL_HANA_SUPPORT (named SUPPORT until SPS 06)
     • The delivered roles can be used as templates for creating additional roles.
     • The delivered roles are runtime (catalog) objects; they are not created in the repository.
  4. PUBLIC
     • Granted implicitly to every user when the user is created.
     • Provides filtered read-only access to system and monitoring views: only objects for which the user has access rights are visible.
     • Provides EXECUTE privilege on some procedures.
     • The privileges above cannot be revoked.
     • PUBLIC can, however, be granted further privileges, and those additionally granted privileges can subsequently be revoked.
     • Because every user holds PUBLIC, anything granted to it is effectively granted to everyone; treat a grant to PUBLIC as a system-wide grant and review it accordingly.
  5. MODELING
     • Contains all privileges required for using the information modeler in the SAP HANA studio.
     • Gives a data modeler the range of database authorizations needed to create views and analytic privileges.
     • Intended as a template role for creating users who work on content.
     • CAUTION: The MODELING role includes the analytic privilege _SYS_BI_CP_ALL which, coupled with SELECT on the activated views, allows the holder to read ALL data in ALL activated views. From a security standpoint, it is unlikely you would want this in any production environment. A good security practice is to use MODELING only as a template and to grant users a derived role that carries scoped analytic privileges instead of _SYS_BI_CP_ALL.
  6. CONTENT_ADMIN
     • The same privileges as the MODELING role, plus the ability to grant these privileges to other users.
     • Additionally provides the system privileges needed to work with imported objects in the repository.
     • The best template for creating roles for content administrators.
     • The caution on the preceding slide applies here as well: this role also carries _SYS_BI_CP_ALL.
  7. MONITORING
     • Read-only role: full read-only access to all metadata, the current system status in the system and monitoring views, and the data of the statistics server.
     • Most users of the Administration Editor benefit from this role (additional privileges, such as CATALOG READ, may be needed depending on the task).
  8. SAP_INTERNAL_HANA_SUPPORT
     • Named SUPPORT until it was renamed in SPS 06.
     • Intended for SAP support; should never be used for day-to-day tasks.
     • Contains system privileges (such as CATALOG READ) and object privileges (such as SELECT on the SYS schema).
     • Allows access to specific low-level internal system views.
     • Read-only access; no access to any customer data.
     • Cannot be granted to the SYSTEM user.
  9. How to Create a Role?
     • A user with the system privilege ROLE ADMIN can create and grant roles.
     • The role name must be unique: it cannot be the same as an existing user or role.
     • Syntax: CREATE ROLE <ROLENAME>
     • Example: CREATE ROLE HR_SCHEMA;
     • System and monitoring views that hold information about roles:
       – ROLES: roles, their creators and the creation date
       – GRANTED_ROLES: roles granted to users or to roles
       – GRANTED_PRIVILEGES: privileges granted to users or to roles
     • When deciding whether a user may access an object, HANA combines the user's directly granted privileges with the privileges obtained indirectly through roles (including roles granted to roles); access is allowed if any of these paths grants it.
     • Caveat: a role created with CREATE ROLE is a catalog object, and catalog grants are tied to the user who made them. If that granting user is dropped, the grants it made are revoked, so create and grant roles from a dedicated, long-lived administrative user rather than from a personal account.
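The following is an added worked example, not part of the presentation, that puts the CREATE ROLE procedure and the MODELING caution together: instead of granting MODELING to report users, it creates a least-privilege role, grants it to a user, and verifies the result through the ROLES, GRANTED_ROLES and GRANTED_PRIVILEGES views named on the slide. It must be run by a user holding the system privilege ROLE ADMIN. The role name HR_REPORT_READER, the user ALICE and the analytic privilege "hr.reporting::AP_HR_OWN_REGION" are assumptions for illustration; the analytic privilege is assumed to have been created and activated beforehand.

```sql
-- Added example (not from the presentation). Run as a user holding the
-- system privilege ROLE ADMIN. The role, user and analytic privilege names
-- below are assumptions for illustration.

-- 1. Create a least-privilege role for HR report readers instead of handing
--    out MODELING, which carries the analytic privilege _SYS_BI_CP_ALL.
CREATE ROLE HR_REPORT_READER;

-- Read access to the activated views (the _SYS_BIC schema) ...
GRANT SELECT ON SCHEMA _SYS_BIC TO HR_REPORT_READER;

-- ... but row-level visibility only through a scoped analytic privilege
-- (assumed to exist as "hr.reporting::AP_HR_OWN_REGION"), never _SYS_BI_CP_ALL.
GRANT STRUCTURED PRIVILEGE "hr.reporting::AP_HR_OWN_REGION" TO HR_REPORT_READER;

-- 2. Grant the role to a user (this step is what requires ROLE ADMIN).
GRANT HR_REPORT_READER TO ALICE;

-- 3. Verify with the system views named on the slide.
SELECT ROLE_NAME, CREATOR, CREATE_TIME
  FROM SYS.ROLES
 WHERE ROLE_NAME = 'HR_REPORT_READER';

SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME = 'HR_REPORT_READER';

SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'HR_REPORT_READER';

-- 4. Production check: who holds _SYS_BI_CP_ALL, directly or through a role?
--    Any grantee other than the delivered template roles (MODELING,
--    CONTENT_ADMIN) is a finding to follow up.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_NAME = '_SYS_BI_CP_ALL';

-- And who has been given the template roles themselves (they should not be
-- granted to end users in production).
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME IN ('MODELING', 'CONTENT_ADMIN');

-- 5. What the authorization check actually sees: direct grants and grants
--    obtained through (nested) roles, combined per user.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTEE, GRANTOR, IS_VALID
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'ALICE';
```

Because these are catalog grants, every row returned in step 3 carries the GRANTOR that made it; if that user is ever dropped, the grant disappears with it, which is why the example should be run from a dedicated administrative user. Step 5 queries EFFECTIVE_PRIVILEGES filtered on USER_NAME, which is the view to consult when a user reports unexpected access, since it already merges the direct and role-derived privileges the slide describes as being combined.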