Authorizations in the SAP HANA Universe

PwC for SNP Transformation World

A short introduction to user and authorization topics in the new SAP HANA universe


SNP Transformation World

Agenda

1. HANA & S/4 Introduction

2. HANA Scenarios

3. HANA & Authorizations

4. HANA & PwC Standards

Slide 2

October 2016, SAP HANA & Authorizations

HANA & S/4: An Introduction

HANA & S/4: An Introduction

The core of HANA is the new in-memory database. Data is held and processed directly in main memory rather than being read from disk-based storage, so operations (analytical ones in particular) are substantially faster.

The new database technology allows the previously fragmented relational table structures to be consolidated. SAP starts this in the FI/CO module with the Universal Journal.

(Diagram label: HANA database)

With S/4HANA, SAP also reworks and optimizes a series of transactional functions. Currently this concerns Finance and Logistics. In Finance, an important change is the merging of the FI and CO posting functions.

A large number of analysis functions are already prepared for HANA. They simplify the evaluation of the mass of data captured in HANA and thus support decision-making.

With HANA, SAP is heavily marketing the "new" SAP user interface SAP Fiori. It can be used, among other things, for transactional programs in the SAP S/4 Business Suite or for analytical native HANA apps.

(Diagram labels: Optimized HANA data model; Native analysis programs; S/4 new business functions; Fiori apps)

Slide 4

HANA Scenarios


HANA Scenarios: Scenarios in Comparison

(Diagram, by layer: Database, Application, Frontend. Analytical scenarios: HANA database, embedded BW on the application layer, Gateway server, frontend via Fiori UI or SAP GUI. Transactional scenarios: HANA database, S/4 Business Suite on the application layer, Gateway server, frontend via SAP GUI or Fiori UI.)

Slide 6


HANA Scenarios: HANA Scenarios, Users & Roles

SAP R/3 (ECC or BW)

We start our comparison with the classical R/3 scenario before "on HANA" or S/4HANA.

Access is controlled via users and roles on the SAP Web Application Server layer (WAS).

Roles contain authorizations for authorization objects with fields and field values.

On HANA (ECC or BW)

The first HANA evolution step is to switch the database layer from a non-SAP database to HANA as a pure database.

For end users nothing changes. Access is still controlled via WAS: the application server connects to HANA with a single technical schema user, so end-user authorizations continue to be enforced in ABAP, not in the database.

Technical access rights on the HANA layer (administration, monitoring) have to be granted via native HANA roles containing privileges.

Transactional Apps (S/4 Business Suite)

The second HANA evolution step is switching over to the S/4 Business Suite with an optimized data model and new transactions.

End users still get access via WAS users and roles, but possibly with changed transactions and authorizations.

This also requires HANA roles for administering the technical layer, as described for the "on HANA" scenario.

Analytical Apps (HANA)

Another step using HANA is to create and use analytical functions directly on the HANA layer.

This requires native HANA users with assigned analytical HANA roles containing native analytical HANA privileges (analytic and object privileges).

With embedded BW, only the classical WAS roles with analysis authorizations are required.

Slide 7


HANA Scenarios: HANA Scenarios, Users & Roles (continued)

(Diagram, by layer: Database, Application, Frontend. SAP R/3 (ECC or BW): SAP R/3 ECC on an Oracle database, ABAP role. On HANA (ECC or BW): SAP R/3 ECC on a HANA database, ABAP role. Transactional Apps (S/4 BS): Fiori Gateway server, S/4 Business Suite, HANA database, Fiori role plus ABAP role. Analytical Apps (HANA): Fiori Gateway server, HANA layer, Fiori role plus HANA role.)

Slide 8

HANA & Authorizations


HANA & Authorizations: SAP R/3 Access Assignment

SAP R/3

• A user gets access through a user account in the Web Application Server layer (typically maintained with transaction SU01).

• The access rights that grant access to data and functions are assigned either via composite roles consisting of single roles or by direct assignment of single roles.

• Single roles consist of authorizations for authorization objects, each protecting specific business objects.

• Each authorization has object fields and field values, each differentiating access to the business objects according to different criteria.

• A direct assignment of authorizations to users is not possible.

(Diagram: User -> Composite Role -> Single Role -> Authorizations -> Authorization -> A-Field -> A-Field-Values)

Slide 10


HANA & Authorizations: SAP HANA Access Assignment

SAP HANA

• A user is authorized using a user account in the native HANA layer.

• Access to perform specific functions can be granted either collectively via roles or individually via privileges.

• When a repository role is created, privileges are assigned to it and the role is stored as a repository object (design-time role).

• A role may also extend other roles, thus inheriting all of their privileges.

• There are five different privilege types: system, object, package, analytic and application privileges.

• On activation of repository roles, runtime roles are created from them and can then be assigned to the user.

(Diagram: User <- Runtime Role <- Repository Role; Privileges: System, Object, Package, Analytic, Application)

Slide 11


HANA & Authorizations: Role Orchestra in the HANA Universe

Classical ABAP roles (on HANA, embedded BW or S/4 Business Suite): ABAP roles are used in "on HANA" scenarios as well as for embedded BW or S/4HANA Business Suite scenarios, independent of the UI (Fiori, SAP GUI or WebGUI).

Technical HANA roles (HANA configuration, administration, development): the HANA layer requires a totally new approach to technical roles for administration, development and configuration because of its new authorization structures.

Analytical HANA roles (direct analytical access via HANA): when analytical applications access data directly via HANA, native analytical HANA roles with analytic and object privileges have to be created.

Transactional HANA roles (direct transactional access via HANA): currently we do not really see HANA applications with transactional character. Should this come up, it will require native HANA roles, most probably with application privileges.

Fiori roles (Fiori user interface): Fiori grants users access to applications via tabs and tiles in the launchpad. This has to be authorized by creating users and granting Fiori roles on the SAP Gateway server.

Slide 12


HANA & Authorizations: HANA Privileges

System privileges

• What: control access to administrative functions within HANA (e.g. USER ADMIN, CREATE SCHEMA, etc.)

• Who: admins, developers

Object privileges

• What: privileges corresponding to SQL statements (e.g. SELECT, UPDATE, etc.) on catalog (run-time) objects such as tables and views

• Who: developers, modellers

Package privileges

• What: restrict access to and use of packages in the HANA repository (modelling environment)

• Who: developers, modellers

Analytic privileges

• What: provide read-only access to reporting objects and restrict which rows of a view the user may see, i.e. filter or contextual controls on a report. Comparable to BW analysis authorizations

• Who: end users (reporting)

Application privileges

• What: control access to applications and functions within apps that connect directly to HANA and run on the XS engine

• Who: developers of or end users of any HANA XS app

Slide 13
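The SQL below is an added illustration, not part of the PwC deck, showing how each of the five privilege types from slides 11 and 13 is granted to a catalog role on the HANA SQL console and how the result is verified. The role names, the user ALICE (assumed to exist), the schema SALES with view V_ORDERS, the repository package pwc.content and the XS application privilege pwc.app::Execute are assumptions for illustration.

```sql
-- Added example (not from the PwC deck). Role, user, schema, package and
-- application privilege names are assumptions.

-- 1. System privilege (administrative function): manage users, read metadata.
CREATE ROLE "SEC_USER_ADMIN_DEMO";
GRANT USER ADMIN TO "SEC_USER_ADMIN_DEMO";
GRANT CATALOG READ TO "SEC_USER_ADMIN_DEMO";   -- metadata only, no table data

-- 2. Object privileges (SQL verbs on catalog objects). Grant on the single
--    view, not on the whole schema: SCHEMA-level SELECT also covers every
--    table created in that schema in the future.
CREATE ROLE "SALES_READER_DEMO";
GRANT SELECT ON "SALES"."V_ORDERS" TO "SALES_READER_DEMO";

-- 3. Package privileges (repository / modelling environment).
CREATE ROLE "MODELLER_DEMO";
GRANT REPO.READ ON "pwc.content" TO "MODELLER_DEMO";
GRANT REPO.EDIT_NATIVE_OBJECTS ON "pwc.content" TO "MODELLER_DEMO";
GRANT REPO.ACTIVATE_NATIVE_OBJECTS ON "pwc.content" TO "MODELLER_DEMO";

-- 4. Analytic privilege (row-level filter on activated views). _SYS_BI_CP_ALL
--    is the delivered "no filter" privilege, so it is NOT least privilege;
--    a production role would carry a custom, filtered analytic privilege.
GRANT STRUCTUREDPRIVILEGE "_SYS_BI_CP_ALL" TO "SALES_READER_DEMO";

-- 5. Application privilege (XS classic app). It is a repository object, so
--    the grant goes through the repository owner _SYS_REPO.
CALL "_SYS_REPO"."GRANT_APPLICATION_PRIVILEGE"('pwc.app::Execute', 'SALES_READER_DEMO');

-- Assign roles to the user (role -> user; no privilege is granted to ALICE directly).
GRANT "SALES_READER_DEMO" TO "ALICE";

-- Check: what can ALICE effectively do, and through which grant path?
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTEE, GRANTOR, IS_VALID
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME = 'ALICE'
 ORDER BY OBJECT_TYPE, PRIVILEGE;
```

The final query is the one to keep for recertification: EFFECTIVE_PRIVILEGES resolves nested roles, so it shows what the user can actually do rather than what was typed in a GRANT, and the GRANTEE column tells you which role carried the privilege in.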


HANA & Authorizations: HANA User Types (Restricted vs. Normal)

Normal user

• By default able to create own objects such as tables and views in their own schema. Inherits the PUBLIC role upon creation.

• Is able to use ODBC/JDBC (e.g. the SQL console) to access objects to which access has been granted.

Restricted user

• Initially has no privileges and no schema of its own.

• Is neither able to view, nor alter or create any objects.

• Therefore all privileges needed to perform actions have to be granted to the user explicitly or via a role.

• Access is primarily via HTTP (XS applications); SQL client access (ODBC/JDBC) stays disabled unless it is explicitly enabled for the user or the corresponding access role is granted.

Slide 14
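As an added example (not from the deck), the following SQL creates one user of each type and then reads the differences back from the catalog: the automatic PUBLIC role and own schema of the normal user, and the restricted user's need for an explicit client-connect decision. The user names, the password and the SALES schema are assumptions.

```sql
-- Added example (not from the PwC deck). User names, password and schema
-- are assumptions.

-- Normal user: gets a schema of the same name, the PUBLIC role, and may
-- open SQL (ODBC/JDBC) sessions immediately.
CREATE USER "NORMAL_DEMO" PASSWORD "Init1al-Pw";

-- Restricted user: no own schema, no PUBLIC role, no SQL client connect.
CREATE RESTRICTED USER "RESTRICTED_DEMO" PASSWORD "Init1al-Pw";

-- Grant exactly what the restricted user needs: read access to one view.
GRANT SELECT ON "SALES"."V_ORDERS" TO "RESTRICTED_DEMO";

-- The restricted user can now reach that view only through an XS
-- application over HTTP. Allowing SQL client sessions as well is a
-- separate, explicit and auditable step (HANA 1.0 SPS 09 and later):
ALTER USER "RESTRICTED_DEMO" ENABLE CLIENT CONNECT;

-- Compare the two accounts.
SELECT USER_NAME, IS_RESTRICTED, IS_CLIENT_CONNECT_ENABLED, CREATOR, USER_DEACTIVATED
  FROM "SYS"."USERS"
 WHERE USER_NAME IN ('NORMAL_DEMO', 'RESTRICTED_DEMO');

-- Roles received automatically: the normal user shows PUBLIC, the
-- restricted user shows no row.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTEE IN ('NORMAL_DEMO', 'RESTRICTED_DEMO');

-- Own schema: exists for the normal user only.
SELECT SCHEMA_NAME, SCHEMA_OWNER
  FROM "SYS"."SCHEMAS"
 WHERE SCHEMA_NAME IN ('NORMAL_DEMO', 'RESTRICTED_DEMO');
```

For reporting end users who only ever reach HANA through Fiori or XS applications, the restricted type is the safer default: a compromised password then yields no SQL session and no place to stage data until an administrator deliberately enables client connect.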


HANA & Authorizations: HANA Role Types (Catalog vs. Repository)

Role creation

• Repository roles: require knowledge of the role definition syntax or use of the web-based editor

• Catalog roles: easy to create via the integrated HANA Studio UI

Transports

• Repository roles: roles and privileges are transportable

• Catalog roles: roles and privileges are not transportable and not versioned

Privileges

• Repository roles: the role creator can assign any privilege to a role

• Catalog roles: the role creator must hold a privilege (with grant option) to assign it to a role. Removing the privilege from the role creator revokes it from the role

Role ownership

• Repository roles: role creation is more similar to ECC; roles are owned by the system user _SYS_REPO

• Catalog roles: only the role grantor can revoke a role from a given user. Privileges are revoked if the grantor is dropped

Slide 15
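The ownership row of the comparison is the one with operational consequences, so here is an added example (not part of the deck) that makes it visible in the catalog: a catalog role granted by a personal administrator account next to an activated repository role granted through _SYS_REPO, followed by the audit query that finds every grant which would silently disappear if its grantor were dropped. The administrator SECADMIN_A, users ALICE and BOB, the schema SALES, the role names and the package pwc.roles are assumptions.

```sql
-- Added example (not from the PwC deck). Administrator, user, role, schema
-- and package names are assumptions.

-- Catalog role, created and granted while logged on as SECADMIN_A. Each
-- privilege placed in the role must be held by SECADMIN_A with grant option,
-- and the grant stays tied to SECADMIN_A: DROP USER SECADMIN_A removes it.
CREATE ROLE "CAT_SALES_READER";
GRANT SELECT ON SCHEMA "SALES" TO "CAT_SALES_READER";
GRANT "CAT_SALES_READER" TO "ALICE";

-- Repository role: defined at design time in pwc/roles/SalesReader.hdbrole
-- (XS classic syntax, shown here as a comment for reference):
--   role pwc.roles::SalesReader {
--     catalog schema "SALES": SELECT;
--   }
-- On activation _SYS_REPO owns the runtime role, and the grant is executed
-- by _SYS_REPO, so the human administrator never needs the privileges.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('pwc.roles::SalesReader', 'BOB');

-- Grantor per assignment: SECADMIN_A for ALICE's catalog role, _SYS_REPO
-- for BOB's repository role.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTEE IN ('ALICE', 'BOB');

-- Audit check for the catalog-role risk: every role grant and object
-- privilege whose grantor is a personal account rather than a system owner.
SELECT GRANTEE, ROLE_NAME AS GRANTED_ITEM, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTOR NOT IN ('SYSTEM', '_SYS_REPO')
UNION ALL
SELECT GRANTEE,
       PRIVILEGE || ' ON ' || IFNULL(SCHEMA_NAME, '') || '.' || IFNULL(OBJECT_NAME, ''),
       GRANTOR
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE GRANTOR NOT IN ('SYSTEM', '_SYS_REPO')
 ORDER BY GRANTOR, GRANTEE;

-- Revoking an activated role goes through the same owner.
CALL "_SYS_REPO"."REVOKE_ACTIVATED_ROLE"('pwc.roles::SalesReader', 'BOB');
```

Rows returned by the audit query are the leaver-process hazard the slide describes: off-boarding the administrator who typed the GRANT revokes access for everyone downstream. Moving those roles into the repository, or at least granting through a dedicated non-personal security account, removes the dependency.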


HANA & Authorizations: Key Challenges

• Even in a pure "on HANA" scenario, operating system and database security shifts from separate technology layers (e.g. Microsoft and Oracle) to HANA.

• Organizations are increasingly evaluating HANA as a true platform via SAP's S/4HANA products. Data, users and their authorizations will then move over to HANA.

• As soon as sensitive data and transactions move to a new platform, internal and external audit and validation functions will turn their attention towards HANA.

• Organizations will have to re-evaluate how and by whom HANA security should be managed, and will have to train their teams to cope with the new security concepts and leading practices.

• Depending on the chosen HANA scenario, or even scenario combination, the security concept will change to a complex combination of up to three different environments (ABAP, native HANA, Fiori gateway).

• Companies' current IAM processes and tools will most probably not be able to cope with this new challenge.

Slide 16

HANA & PwC Standards


HANA & PwC Standards: PwC Standard Materials

Privilege Matrix

• Overview of all HANA standard privileges (without analysis privileges)

• Assignment of each privilege to a privilege group (e.g. Database, Interface)

• Definition of tasks per process and sub-process area (e.g. DB monitoring)

• Assignment of all privileges necessary for a task

Privilege Glossary

• Introduction to the privilege matrix, its target and its structure

• Description of the overall structure of the HANA authorization concept and the privilege types

• Description of the process areas and additional information on the tasks per sub-process

Work Program

• Audit guide for HANA DB and S/4HANA

• Requirements on authorization- and authentication-related HANA aspects to be complied with

• Identification of authorizations to be regarded as sensitive or critical, as part of the privilege matrix

Transactions Map

• Overview of new S/4 transactions, old R/3 transactions replaced by new S/4 transactions, and R/3 transactions to be retired without replacement

• This can be used to identify old roles with transactions that may need to be replaced by new roles or fully retired

Slide 18


HANA & PwC Standards: IAGM Service Sequence

IAG Modelling

• IAGM1 Technical HANA roles

• IAGM2 Transactional S/4 roles

• IAGM3 Analytical BW roles

• IAGM4 Analytical HANA roles

• IAGM5 Fiori UI roles

• IAGM6 HANA business roles

IAG Governance

• IAGG1 HANA conventions

• IAGG2 HANA organization & training

IAG Compliance

• IAGC1 HANA rules & requirements

IAG Automation

• IAGA1 HANA automation & integration

Slide 19

Your questions for us?

Johannes Liffers, Kapelle-Ufer 4, 10117 Berlin, Tel.: +49 30 2636-1658, email: [email protected]

Martin Krause, Alsterufer 1, 20354 Hamburg, Tel.: +49 40 6378 1520, email: [email protected]

Torsten Lechelt, Kapelle-Ufer 4, 10117 Berlin, Tel.: +49 30 2636-1700, email: [email protected]

© 2016 PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL). Each PwCIL member firm is a legally independent company.


HANA, Authorizations & Compliance: Audit Aspects, Q2 2016

1. Password settings (authentication): authentication parameters for passwords (HA01), blacklist for generic passwords (HA03)

2. Privileged accounts (PA) and PA management: use of generic privileged accounts (HA02), privileged access management process (HA04)

3. Logs & protocols: correct log parameter settings (HA05); adequate policies for log settings and review procedures / controls, and limitation / prevention of log modification (HA06)

4. Sensitive data encryption: adequate identification of sensitive data (HA07)

5. Processes & organization: user maintenance and role / privilege assignment (HA08), recertification (HA09), leavers process (HA13), role change management (HC01), transport management (HC03), backup procedures (HO01), disaster recovery (HO03), batch processing (HO03)

6. Ruleset for sensitive privileges: sensitive object privileges (HA10), schema ownership (HA11), non-read procedure access in production (HA12), sensitive system privileges (HA14), repository changes in production (HC02), backup configuration (HO02), background scheduling & review (HO05 & HO06)

Slide 21
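Several of the audit aspects above can be evidenced straight from the HANA catalog. The SQL below is an added example (not part of the deck or of the PwC work program) covering HA01 (password parameters), HA02 (the generic SYSTEM account), HA05 (log settings) and HA14 (sensitive system privileges), followed by the statements that turn auditing on and record security-relevant changes. The audit policy name and the list of privileges treated as sensitive are the editor's assumptions; the PwC ruleset itself is not reproduced here.

```sql
-- Added example (not from the PwC deck). Policy name and the "sensitive"
-- privilege list are assumptions, not the PwC ruleset.

-- HA01: effective password policy (indexserver.ini, section [password policy]).
SELECT PROPERTY, VALUE
  FROM "SYS"."M_PASSWORD_POLICY"
 WHERE PROPERTY IN ('minimal_password_length', 'password_layout',
                    'maximum_invalid_connect_attempts', 'password_lock_time',
                    'maximum_password_lifetime', 'last_used_passwords');

-- HA02: the generic SYSTEM account should be deactivated after go-live and
-- only reactivated through a documented break-glass procedure.
SELECT USER_NAME, USER_DEACTIVATED, LAST_SUCCESSFUL_CONNECT, LAST_PASSWORD_CHANGE_TIME
  FROM "SYS"."USERS"
 WHERE USER_NAME = 'SYSTEM';

-- HA05: is auditing switched on, and which policies are active?
SELECT FILE_NAME, SECTION, KEY, VALUE
  FROM "SYS"."M_INIFILE_CONTENTS"
 WHERE SECTION = 'auditing configuration';

SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE, EVENT_STATUS, EVENT_LEVEL
  FROM "SYS"."AUDIT_POLICIES";

-- HA14: who effectively holds privileges that change the security model,
-- the configuration, or the audit trail? SYSTEM and _SYS_REPO are excluded
-- as expected holders; every remaining row needs a documented owner.
SELECT USER_NAME, PRIVILEGE, GRANTEE, GRANTEE_TYPE
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('USER ADMIN', 'ROLE ADMIN', 'DATA ADMIN', 'CATALOG READ',
                     'AUDIT ADMIN', 'INIFILE ADMIN', 'REPO.IMPORT', 'REPO.EXPORT')
   AND USER_NAME NOT IN ('SYSTEM', '_SYS_REPO')
 ORDER BY USER_NAME, PRIVILEGE;

-- HA05 / HA06 remediation: enable auditing and record every change to
-- users, roles and privileges at CRITICAL level so that privilege changes
-- are visible to the periodic log review.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true' WITH RECONFIGURE;

CREATE AUDIT POLICY "PWC_DEMO_SECURITY_CHANGES"
  AUDITING ALL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE,
               CREATE USER, DROP USER, ALTER USER, CREATE ROLE, DROP ROLE
  LEVEL CRITICAL;

ALTER AUDIT POLICY "PWC_DEMO_SECURITY_CHANGES" ENABLE;
```

Run the read-only queries first and keep their output as audit evidence; the two DDL statements at the end change the system and belong in a change request. Note that the audit trail's own protection (HA06) is not covered by these checks: the holders of AUDIT ADMIN returned by the HA14 query are exactly the people who could disable the policy, so that list should be short and reviewed.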


Key HANA Terminology

SAP Business Suite powered by HANA: current-version SAP applications (ECC 6.0, etc.) run on the HANA database. An alternative to a traditional database (e.g. Oracle), achieved via a non-disruptive database migration.

S/4HANA: SAP's next-generation ERP application (upgrade of ECC). 400M lines of re-engineered ABAP code optimized to run on HANA. Fiori interface options for the most commonly used functions.

Simple Finance: the first SAP modules optimized to run on HANA (includes accounting, cash management, business planning, receivables, payables, etc.). An option for ERP on HANA or S/4HANA customers.

Simple Logistics: the second HANA-optimized module, to be made available at the end of 2015, covering inventory management, purchasing, sales, production and manufacturing.

HANA Live: standard SAP-delivered reporting content in the form of SAP HANA calculation views, for easy-to-leverage real-time operational reporting off the HANA database.

Slide 22


Key HANA Terminology (continued)

HANA XS Engine: the Extended Application Services (XS) engine is a built-in application and web server enabling application development and deployment directly on the HANA database (a true "platform").

HANA Studio: administration and development front-end client for SAP HANA.

HANA Web IDE: Integrated Development Environment (IDE), a web-based front-end for HANA development and administration functionality; an alternative to HANA Studio.

HANA One: a fully featured SAP HANA instance hosted on Amazon Web Services that can be used to build and deploy on-demand applications (SaaS).

HANA Cloud Platform: HCP, SAP's subscription-based cloud platform for HANA solutions (PaaS).

Fiori: the new HTML5 user interface for SAP software, optimized for modern design and mobile devices.

Slide 23