Sap ha240 col10 - hana sp10 version latest sample

HA240
Coll: 10
Material Number: 50130972
Training Manual
HA240
SAP HANA Security & Authorization
For Any SAP / IBM / Oracle - Materials Purchase Visit : www.erpexams.com OR Contact Via Email Directly At : sapmaterials4u@gmail.com

SAP SE Copyrights and Trademarks
© 2015 SAP SE. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without
the express permission of SAP SE. The information contained herein may be changed without
prior notice.
Some software products marketed by SAP SE and its distributors contain proprietary software
components of other software vendors.
• Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
• IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer,
z/VM, z/OS, i5/0S, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, P0WER5+, P0WER5, POWER,
OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP,
RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent
Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of
IBM Corporation.
• Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
• Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and/or other countries.
• Oracle is a registered trademark of Oracle Corporation
• UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
• Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
• HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World
Wide Web Consortium, Massachusetts Institute of Technology.
• Java is a registered trademark of Sun Microsystems, Inc.
• LabNetscape.
• SAP, SAP Fiori, SAP SAPUI5, R/3, SAP Fiori, SAP NW Gateway, SAP NetWeaver, Duet,
PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP
products and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of SAP SE in Germany and other countries.
• Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services
mentioned herein as well as their respective logos are trademarks or registered trademarks
of Business Objects Software Ltd. Business Objects is an SAP company.
• Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase
products and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product
specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP SE
and its affiliated companies ("SAP Group") for informational purposes only, without representation

or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to
the materials. The only warranties for SAP Group products and services are those that are set
forth in the express warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional warranty.

CONTENTS
ABOUT THIS HANDBOOK..........................................................................................................................................5
UNIT 1: INTRODUCTION INTO THE AREA OF SECURITY AND AUTHORIZATION..................................... 6
Lesson: SAP HANA Introduction and overview..................................................................................................7
Exercise 1: HANA Security administration interfaces...................................................................................... 30
UNIT 2: REPOSITORY............................................................................................................................................... 35
Lesson: Repository................................................................................................................................................... 36
UNIT 3: AUTHORIZATION INSIDE SAP HANA.................................................................................................... 45
Lesson: General authorization concept............................................................................................................... 46
Lesson: Roles............................................................................................................................................................. 54
Lesson: From privileges and roles assignment to user management......................................................... 71
Exercise 2: Maintaining Users and Roles............................................................................................................ 93
Lesson: Object Ownership.................................................................................................................................... 100
Lesson: Privileges....................................................................................................................................................105
Exercise 3: Create Analytic Privileges................................................................................................................138
Lesson: Information about users and authorizations.................................................................................... 144
UNIT 4: GENERAL SECURITY REQUIREMENTS AND SOLUTIONS...........................................................149
Lesson: Authentication and Single Sign-On.....................................................................................................150
Lesson: Multitenant Database containers.........................................................................................................176
Lesson: Encryption.................................................................................................................... 191
Demonstration: Configure Encryption............................................................................................................... 207
Lesson: SAP GRC Integration for Governance Risk and Compliance......................................................209
Lesson: SAP Netweaver Identity Management integration............................................................................228
Lesson: Extended Application Services (XS) security and Application Privileges................................238
UNIT 5: AUTHORIZATION TRACE AND AUDITING..........................................................................................251
Lesson: Authorization trace.................................................................................................................................252
Exercise 4: Authorization trace............................................................................................................................ 262
Lesson: Auditing...................................................................................................................... 274
Exercise 5: Auditing................................................................................................................................................ 285
UNIT 6: INTEGRATIVE AUTHORIZATION SCENARIOS.................................................................................289
Lesson: Scenarios introduction............................................................................................................................290
Lesson: Scenario BW + SAP HANA.....................................................................................................................300
Exercise 6: BW authorizations reuse by SAPHANA...................................................................................... 316
Lesson: Business Object Bl Platform 4.X and HANA Integration................................................................335
Lesson: Reuse of ERP Authorization using SAP HANA Live....................................................................... 345
UNIT 7: (OPTIONAL) HANA ENTERPRISE CLOUD...........................................................................................362
Lesson: HANA Enterprise Cloud......................................................................................................................... 363

About This Handbook
This handbook is intended to complement the instructor-led presentation of this course, and serve
as a source of reference. American English is the standard used in this handbook. The following
typographic conventions are also used:
Use Example/Visualization
Demonstration by Instructor
A hint or advanced detail is shown or
clarified by the instructor - please indicate
reaching any of these points to the
instructor
•
M l
Warning or Caution
A word of caution - generally used to point
out limitations or actions with potential
negative impact that need to be considered
consciously
A
Hint
A hint, tip or additional detail that helps
increate performance of the solution or help
improve understanding of the solution
Y
Additional information
An indicator for pointing to additional
information or technique beyond the scope
of the exercise but of potential interest to
the participant
■
1
Discussion/Group Exercise
Used to indicate that collaboration is
required to conclude a given exercise.
Collaboration can be a discussion or a
virtual collaboration.
User Interface Text
Find the Flavor Gallery button
Solution or SAP Specific term E.g. Flavors are transaction specific screen
personaslization created and rendered using
SAP Screen Personas.

Unit 1: Introduction into the area of Security and authorization

Lesson: SAP HANA Introduction and overview
Learning Objective
After completing this lesson, you will be able to:
What is HANA from the viewpoint of security and
authorization ?
Explain:
• Terminology
• Scenarios ...
Infosources
C 2014 SAP SE or an SAP affftate company A l rights reserved
Image 1: Learning Objective
The course material contains the security features available in SAP HANA SPS09 and also
updates from HANA SPS10.

SAP HANA Platform 1
O ne Platform for Any Kind of Application
Open, standard interfaces
- Supporting all types of devices
Integrated Application Server Components
- Native application infrastructure
One DB for OLAP and OLTP Workloads
- With built-in functions for data-intensive
processing
Data persistence and integration
- Integrate any data from any source
- Ready for Big Data Scenanos
€2014 SAP AG or an SAP affiliate company All nghls reserved
I l
SAP HANA Platform
Replication, Streaming and ETL Integration Service!
y t i t #
SlmctureOData Socialnetmm Text Data GeosoakalData MachineData RFID RC0I4S,Hadooe
Image 2: SAP HANA as the powerful center of any data flow
For on premise deployment, SAP HANA comes either preinstalled on certified hardware provided
by an SAP hardware partner (appliance) or you can realize the installation self-reliant.
But the prerequisite for that is SAP HANA must be installed on certified hardware by a certified
administrator.
The installation itself is part of the course HA200 and there is a special certificate E_HANAINSxxy .
xx = the last two numbers of a year
y = number of a half year.
Certification SAP HANA SPS
142 SPS08
151 SPS09

Certification SAP HANA SPS
152 SPS10
SAP HANA Platform
Deploym ent Landscape Example
Windoes server D
Personal Computer
Replication
server E
SAP Solution Manager
SAP Landscape &Virt. Manager
/
*
6 □
i
Linux serverA Linux server B Linux server B Linuxserver C
V

l v '4
, . ,
C / / /
* 0
StructuredData SeoaNstwrt Tent Data GeospataiData MachineData RFC RDBMS/Hadoop
C 2014 SAP AG or an SAP affiliate company All rights reserved Customer 9
Image 3: SAP HANA as a platform of a system landscape

SAP HANA
In-Memory Strategy
Analytics Transactions Custom Applications
In-memory analytics One store The app platform
SAP HANA real-time SAP HANA persistence • Broad investments in in-
■— —■ operational analytics layer for OLAP and OLTP memory platform for
Capabilities Complete Bl Suite with Bl SAP Business Suite applications and solutions
4 runs on SAP HANA optimized for in-memory Extended application
SAP BW powered by data management services (XS)
SAP HANA • SAP HANA pnmary • Developer services and tools
SAP industry & line of
business apps &
accelerators
■ 3"1party BI/ETL
certification program and
openness
persistence layer for SAP
Business Suite
• Openness
Flexible real time analysis Landscape simplification ■ Lowertotal cost of ownership
Benefits of operations on detail • Improved performance and development
level • Business process • Reduced time-to-value
Primary persistence and innovation • Quicker RTO
optimized for SAP BW
This s the current state of ptannng and may be changed by SAP at any time
• 2014 SAP SE or an SAP affftate company AJ nghts reserved
Image 4: SAP HANA In-Memory Strategy
Deployment Choices
Flexibility
• Various deployment
options (on-premise,
public cloud, managed
cloud, hosted)
Develop test, and deploy
in any environment or in a
hybrid model
• Fully capable and ready
to use software and
environments
License cost, scalability
and support options
Flexible and tailored options
• Reduced cost and barrier to
entry
• Instant availability
• Quicker adoption

Why is security necessary?
As it becomes more and more important for organizations to protect their critical
data from unauthorized access and to ensure compliance with a growing number of
rules and regulations, the demands on security are also on the rise.
As an in-memory computing platform that supports multiple implementation
scenarios and use cases - from traditional relational database underneath SAP
applications to platform for the development and deployment of innovative new
applications - SAP HANA can play an important part in critical IT and application
infrastructures.
It is therefore essential that you integrate SAP HANA into your infrastructures
securely and that you protect your data in SAP HANA
• 2014 SAP SE or an SAP affftate company AJ nghta reserved
Image 5: Why is security necessary?

Traditional security architecture
J
Database
• 2014 SAP SE or «n SAP affftate company AJ nghts reserved
Image 6: Traditional security architecture
Client
Any possible client for the HANA Platform, this includes: SAP HANA Studio, Business Object Bl
Platform but also Web Browser, Analysis for Office, Office Excel, etc.
Application Server
In the common SAP Architecture this is normally the role of NetWeaver Application Server ABAP
and/or Java.
In this case the HANA Platform can also be the Application Server because it can act only as a
database but also as a server for native functionalities and applications.
Database
HANA is a database at its core and can be used just like another relational database e.g. in a
classical 3-tier deployment like Suite on HANA.

SAP HANA scenarios - 3-tier application, data mart
(analytics)
3-tier application
e g. SAP NetWeaver Business Warehouse
Application Server
Data mart (analytics)
e g. SAP BusinessObjects businessintelligence solution
with data replicated from SAP ERP
© 2014 SAP SC or an SAP affftate company AJ nghts reserved
Image 7: SAP HANA scenarios - 3-tier application, data mart (analytics)

SAP HANA scenarios - SAP HANA extended application
services
Technical infrastructurefor new
applications
e g browser-based application builtdirectly
on top of SAP HANA XS
Rationale: Enable application development and
deployment - minimize layers
http-based Ul (browser, mobile apps)
• to run directly on SAP HANA, without an
additional external application
leveraging the built-in strengths of SAP HANA for
the best possible performance
Scope
light-weight small web-based applications
• high-speed business applications with deep
integration of differentiating SAP HANA database
feature
• 2014 SAP SE or an SAP affftate company AJ nghts reserved
Image 8: SAP HANA scenarios - SAP HANA extended application services

SAP HANA - overview of security functions
Application Server
Client
• 2014 SAP S£ or on SAP offtote company A l nght* reserved
Image 9: SAP HANA Security Architecture

SAP HANA - authentication and single sign-on
Authentication options: User name and password, Kerberos/SPNEGO, SAML, SAP
logon and assertion tickets, X.509 (only XS)
Password policy: change frequency, strength, etc.
No default passwords, every user needs to change the password after first logon
• 2014 SAP S£ or an SAP aff*ate company A l nghta reserved
Image 10: SAP HANA - authentication and single sign-on
Access to SAP HANA data and applications is enabled by authentication functions
Password policies, e.g. password length and complexity, can be defined to enforce password
quality.

Password Policy
Auditing Password Pokey SAML Identity Providers Data Volume Encryption
Password Pokey
Password Length and Composition
Minimum Password Length 8
Required Character Types: J Lowercase letter J Uppercase letter J Numerical digit Special character
User Lock Settings
• lock For 1440 1M inutes w Lock indefinitely
Miscellaneous
V User must change password at first logon: Last Used Password S
Number of Allowed Failed Logon Attempts: 6
Lifetime of Initial Password 7 ’
Mtfiimum Password Ldetime 1 0 * , -
Maximum Duration of User Inactivity: 3M [o<y> *
Maximum Password Ldetime 182 0 * 5
Notification of Password Expiration: 1 8 ( 0 * , J
Password Blarkfist
V X
Blacklisted Word Contained m password Case Sensitive
C 20U SAP SC or an SAP affibate company AI rights reserved
Image 11: Password policy
Passwords for the user name/password authentication of database users are subject to certain
rules or password policy.
You can change the default password policy in line with your organization’s security requirements.
You cannot deactivate the password policy.

Two access channels for
users to SAP HANA
* JDBC/ODBC
* HTTP (for XS
applications)
You can enforce that users
can only connect via HTTP by
disabling JDBC/ODBC
access
By default, JDBC/ODBC
access is
* Enabled for normal users
Disabled for restricted users
JDBC/ODBC
V
JDBC/ODBC HTTP(S)
r Application ^
SAP H A N A
L ______ _________________________________ J
Image 12: SAP HANA - access channels

For logon to SAP HANA, a user in SAP HANA‘s user store is required
Bootstrapping user SYSTEM created during installation. Recommendation to create
dedicated administrators
Users can be locked -> manually or automatically (e.g. after user validity expired)
Identity management systems can be connected (e.g. SAP Identity Management)
User self services for web-based password reset, new user account available
• 2014 SAP S£ or an SAP affifcate company A l nghts reserved
Image 13: SAP HANA - user management

• Roles are stored in SAP HANA
• Roles are used to bundle privileges
create roles for specific groups of users, e.g. different types of administrators
Role transport available integration into development/production system landscapes
Image 14: SAP HANA - role management

SAP HANA - authorization
Privilege types
Database access privileges - access to database content and functions
Application privileges - additional privileges for native XS applications
Repository privileges - access to the repository for developers
Image 15: SAP HANA - authorization Privilege types

SQL (object) privileges
Access to data and operations
on database objects (tables,
views, procedures etc.)
Analytic privileges
Read access on analytic views
• Provide row-level access
control based on dimensions
Application privileges
Start and execution of native
XS applications
Individual
end users
Database
administrators
System privileges
Execution of administrative
actions for the entire SAP
HANA database
E g. privilege for backup, user
management
• 2014 SAP S£ or on SAP offtote company A l nghta reserved
Image 16: SAP HANA - access privileges in details

Communication encryption using TLS available for all communication channels:
- Server - client; can be enforced for all client connections
* Internal channels
Automatic setup of key management infrastructure for internal channels
Minimal TLS/SSL version can be configured
Image 17: SAP HANA - secure communication
There are 3 main connection types that can be encrypted:
1. Client to server connections
2. Internal connection between HANA components (e.g. different HANA nodes in a scale-out
system)
3. Connections between Data Center (e.g. for Disaster Recovery using HANA System
Replication)

Data at rest encryption: Data volumes on disk
Application data encryption: XS encryption service
Backup encryption: Recommended to use a suitable 3rd party backup tool
Encryption libraries: SAP CommonCryptoLib (recommended, FIPS-certified): OpenSSL
Image 18: SAP HANA - data encryption

Logging of critical events for security and compliance,
e.g. user, role and privilege changes, configuration changes, failed logons
Data access logging: read and write access (tables, views), execution of procedures
Firefighter logging, e.g. for support cases
Audit trail written to Linux syslog or to secure database table within SAP HANA
Image 19: SAP HANA - audit logging

Sap ha240 col10 - hana sp10 version latest sample

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Similar to Sap ha240 col10 - hana sp10 version latest sample

Similar to Sap ha240 col10 - hana sp10 version latest sample (20)

Recently uploaded

Recently uploaded (20)

Sap ha240 col10 - hana sp10 version latest sample