1 – Operate on a least access rights model. The more access an employee has, the more potential damage they could do to your organization, either through an inadvertent breach or an intentional leak. Because SAP applications play such an integral role in the organization's financials, businesses need to restrict each user to the information needed to do their job.
Even display access or access to seemingly innocuous information can potentially expose the organization, and needs to be controlled in line with SAP HANA security best practices. For example, a glance at a bill of materials could show competitors what products the company is working on, or even what it takes to construct a cutting-edge project from the ground up.
2 – Ensure you have the right expertise. In previous versions of SAP, all users would interact through the SAP GUI, and use it to access a wide range of SAP applications and development tools. With SAP HANA, users who need direct access to the database will leverage SAP HANA Studio or SAP Web IDE. Traditionally, SAP permissions are controlled via “transactions” and “authorizations.” Inside an SAP HANA database, however, they’re called “privileges.”
They’re conceptually similar but the implementation is different. An ABAP backend NetWeaver administrator will face a steep learning curve in understanding how administration is performed within the SAP HANA database. For example, administration in a HANA database is performed via SQL statements, which can be generated via SAP HANA Studio or SAP Web IDE. This is one of many reasons organizations should consider moving to an IT managed services model after an SAP HANA migration.
3 – Understand how HANA handles objects. HANA applications are built out of development objects, which are stored in the HANA repository. When user and role administration is performed as design-time objects, the roles are owned by the technical user, so personnel can change without affecting the objects. That means they can be transported and versioned, even if the database user changes.
If roles are created as runtime objects, however, they’re associated with the database user — i.e. the actual person who created the role. If that person leaves the organization and is deleted from the database, their role creations and assignments are deleted with them, which can be catastrophic.
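An added example, not part of the original post: a SQL audit for the runtime-role risk described above, using the SYS.ROLES and SYS.GRANTED_ROLES system views. The list of technical accounts to exclude and the role and user names in the final statement are assumptions; adjust them to your landscape.

```sql
-- 1. Roles created at runtime by a named database user.
--    Roles activated from the repository show _SYS_REPO as creator.
SELECT r.ROLE_NAME,
       r.CREATOR,
       r.CREATE_TIME
FROM   SYS.ROLES AS r
WHERE  r.CREATOR NOT IN ('SYS', 'SYSTEM', '_SYS_REPO')  -- assumed technical accounts
ORDER  BY r.CREATOR, r.ROLE_NAME;

-- 2. Role assignments whose grantor is a named user. These are the
--    assignments that depend on that person's account still existing.
SELECT g.GRANTEE,
       g.GRANTEE_TYPE,          -- USER or ROLE
       g.ROLE_NAME,
       g.GRANTOR
FROM   SYS.GRANTED_ROLES AS g
WHERE  g.GRANTOR NOT IN ('SYS', 'SYSTEM', '_SYS_REPO')  -- assumed technical accounts
ORDER  BY g.GRANTOR, g.GRANTEE;

-- 3. Exposure per grantor: review the largest counts first, and always
--    before that person's database user is removed.
SELECT g.GRANTOR,
       COUNT(*) AS ASSIGNMENTS_AT_RISK
FROM   SYS.GRANTED_ROLES AS g
WHERE  g.GRANTOR NOT IN ('SYS', 'SYSTEM', '_SYS_REPO')
GROUP  BY g.GRANTOR
ORDER  BY ASSIGNMENTS_AT_RISK DESC;

-- 4. The design-time alternative: grant an activated repository role
--    through the technical user, so the grantor is _SYS_REPO.
--    'acme.security::BomDisplay' and 'JDOE' are hypothetical names.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('acme.security::BomDisplay', 'JDOE');
```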
Stay safe in SAP HANA. Although security principles vary little between applications, the implementations and knowledge base required do. SAP HANA security best practices require a combination of security expertise, experience and HANA-specific knowledge. Whether you’re looking for an SAP security services partner, or just need someone to get your admin up to speed, contact us to learn how Symmetry can help.


Source https://symmetrycorp.com/blog/3-sap-hana-security-best-practices/