SAP HANA Security: Part 3 – SAP HANA Database Security
Let’s examine the biggest risk in SAP HANA first. In SAP HANA you can design roles and assign privileges (authorizations) and then assign the roles to users using 2 methods: Design Time Roles and Run Time Roles. Roles created in Run Time are granted directly by the HANA database user and can only be revoked by the same user. Additionally, if the HANA database user is deleted, all roles that he or she was granted are revoked.
Unlike roles created in Run Time, roles created as Design Time objects can be transported between systems. Roles created as Design Time objects are not directly associated with a HANA database user. They are created by the technical user _SYS_REPO and granted through the execution of stored procedures. If you create a Run Time role meaning a role created by an actual user ID, if that user ID is ever deleted, all the activities such as user role assignments, roles created etc. will be deleted from the database. To avoid this risk, always use Design Time Roles.
SecureHANA.it has pre-configured, task-based SAP HANA Design Time Roles that cover all the activities within the HANA Database. Each of the individual HANA Design Time Roles perform only a single task in HANA and contain all the privileges that can execute this task. This ensures that there are no Segregation of Duty Violations inherent in any HANA Design Time Roles.
The best practice in managing SAP HANA security is to always define the roles and create them in SAP Web IDE, assign privileges to these roles in the next step and only then create users/grant roles to these users. Using Design Time roles will help you version, transport and avoid the risk as mentioned previously.
SAP HANA has several features which can introduce risks from a compliance perspective. Some of the controls considerations include User Provisioning, Password Management, Privileged User Management, Generic Accounts, Role Maintenance, Authorizations, Audit Logging, User Data Encryption, Policies and Procedures, Audit Logging, Parameters to prevent changes in Production, Table Logging, Specification, Authorization, and Tracking of Change Requests, Approval of Change Requests, Batch Scheduling and Processing and Backup and Problem Management.
SecureHANA.it is a comprehensive package of over 30 controls with clear descriptions of the controls objectives and test procedures to test the control areas that are mentioned above and a SAP HANA Solution Framework, which includes a Security Assessment Solution to facilitate a “Get Clean” approach for the HANA Security Environment. SAP HANA Continuous Monitoring Solution Framework, which includes a Risk and Control Matrix to facilitate a “Stay Clean” approach for the SAP HANA Security Framework.
Learn More About SAP HANA Database Security
Download an in-depth customer case study presentation deck: Managing Security and Controls in SAP HANA – Tube Specialties Case Study.
Read Part One in this blog series and learn how SAP HANA can be used in different scenarios and each scenario requires a different security approach.
Read Part Two in this blog series where we examine key SAP HANA security and controls functions and detail the function architecture.