HOW TO SAP

3 SAP HANA Security Best Practices

1 – Operate on a least access rights model. The more access an employee has, the more potential damage they could do to your organization — either through an inadvertent breach or an intentional leak. Because SAP applications play such an integral role in the organization financials, businesses need to restrict each user to the information needed to do their job.

Even display access or access to seemingly innocuous information can potentially expose the organization, and needs to be controlled in line with SAP HANA security best practices. For example, a glance at a bill of materials could show competitors what products the company is working on, or even what it takes to construct a cutting edge project from the ground up.

2 – Ensure you have the right expertise. In previous versions of SAP, all users would interact through the SAP GUI, and use it to access a wide range of SAP applications and development tools. With SAP HANA, users who needs direct access to the database will leverage SAP HANA Studio or SAP Web IDE. Traditionally SAP permissions are controlled via “transactions” and “authorizations.” Inside an SAP HANA database, however, they’re called “privileges.”

They’re conceptually similar but the implementation is different. An ABAP backend Netweaver administrator will have a rather large learning curve to understand how the administration is performed within the SAP HANA database. For example, administration in a HANA database is performed via SQL statements, which can be generated via SAP HANA Studio or SAP Web IDE. This is one of many reasons organizations should consider moving to an IT managed services model after an SAP HANA migration.

3 – Understand how HANA handles objects. HANA applications are built out of development objects, which are stored in the HANA repository. When user and role administration is performed as design-time objects, the roles are owned by the technical user, so personnel can change without affecting the objects. That means they can be transported and versioned, even if the database user changes.

If roles are created as runtime objects, however, they’re associated with the database user — i.e. the actual person who created the role. If that person leaves the organization and is deleted from the database, their role creations and assignments are deleted with them, which can be catastrophic.

Stay safe in SAP HANA. Although security principles vary little between applications, the implementations and knowledge base required do. SAP HANA security best practices require a combination of security expertise and experience and HANA-specific knowledge. Whether you’re looking for an SAP security services partner, or just need someone to get your admin up to speed, contact us to learn how Symmetry can help.

Source https://symmetrycorp.com/blog/3-sap-hana-security-best-practices/ Continue Reading

Video - SAP HANA Creating a User with Schema access

June 06, 2019 creating user, hana, security, video,

https://www.youtube.com/watch?v=L_ICwmBycdQ

How to create user in SAP

June 04, 2019 Authorization, security, su01, user,

Steps

Execute SU01
Enter user name and press CREATE (notepad)
Enter necessary details such as Firstname and Lastname
Click on Logon Data Tab and enter password a password eg: enjoysap123
Click Save (floppy disk icon). Now you can informed the user that his/her account has been created.

How to create User in SAP HANA - Assign Role and Activate User

June 02, 2019 assign role, create, hana, user,

SAP HANA Security is to protect important data from unauthorized access and ensures that the standards and compliance meet as security standard adopted by the company.

SAP HANA Provide following security-related feature –

User and Role Management
Authorization
Authentication
Encryption of data in Persistence Layer
Encryption of data in Network Layer

CREATE USER IN SAP HANA

Create User in SAP HANA- only database user with ROLE ADMIN privileges can create user and role in SAP HANA.
Step 1) To create new user in SAP HANA Studio go to security tab as shown below and follow the following steps;
1. Go to security node.
2. Select Users (Right Click) -> New User.
Step 2) A user creation screen appear.
1. Enter User Name.
2. Enter Password for the user.
3. These are authentication mechanism, by default User name / password is used for authentication.

By Clicking on the deploy Button user will be created.

2. Define and Create Role

A role is a collection of privileges that can be granted to other users or role. The role includes privileges for database object & application and depending on the nature of the job.

It is a standard mechanism to grant privileges. Privileges can be directly granted to the user. There are many standard roles (e.g. MODELLING, MONITORING, etc.) available in SAP HANA database.

We can use the standard role as a template for creating a custom role.

A role can contain following privileges –

System Privileges for administrative and development task (CATALOG READ, AUDIT ADMIN, etc.)
Object Privileges for database objects (SELECT, INSERT, DELETE, etc.)
Analytic Privileges for SAP HANA Information View
Package Privileges on repository packages (REPO.READ, REPO.EDIT_NATIVE_OBJECTS, etc.)
Application Privileges for SAP HANA XS applications.
Privileges on the user (For Debugging of procedure).

CREATE ROLE IN SAP HANA

Step 1) In this step,

Go to Security node in SAP HANA System.
Select Role Node (Right Click) and select New Role.

Step 2) A role creation screen is displayed.

Give Role name under New Role Block.
Select Granted Role tab, and click "+" Icon to add Standard Role or exiting role.
Select Desired role (e.g. MODELLING, MONITORING, etc.)

STEP 3) In this step,

Selected Role is added in Granted Roles Tab.
Privileges can be assign to the user directly by selecting System Privileges, object Privileges, Analytic Privileges, Package Privileges, etc.
Click on deploy icon to create Role.

Tick option "Grantable to other users and roles", if you want to assign this role to other user and role.

GRANT AND ASSING ROLE TO USER IN SAP HANA

STEP 1) In this step, we will Assign Role "MODELLING_VIEW" to another user "ABHI_TEST".

Go to User sub-node under Security node and double click it. User window will show.
Click on Granted roles "+" Icon.
A pop-up will appear, Search Role name which will be assign to the user.

STEP 2) In this step, role "MODELLING_VIEW" will be added under Role.

STEP 3) In this step,

Click on Deploy Button.
A Message " User 'ABHI_TEST" changed is displayed.

RESET SAP HANA USER PASSWORD

If user password needs to reset, then go to User sub-node under Security node and double click it. User window will show.

STEP 1) In this step,

Enter new password.
Enter Confirm password.

STEP 2) In this step,

Click on Deploy Button.
A message "User 'ABHI_TEST" changed is displayed.

REACTIVATE / DEACTIVATE SAP HANA USERS

Go to User sub-node under Security node and double click it. User window will show.

There is De-Activate User icon. Click on it

A confirmation message "Popup" will appear. Click on 'Yes' Button.

A message "User 'ABHI_TEST' deactivated" will be displayed. The De-Activate icon changes with name "Activate user". Now we can activate user from the same icon.

Source:
https://www.guru99.com/sap-hana-security.html

What is SAP Authorization?

June 02, 2019 Authorization, security,

Authorization in SAP means giving users access right to a T-Code. Using T-Code PFCG allows Basis to change user’s authorization inside a T-Code. By adjusting the object you also can control user’s activity such as display, edit, or change certain field in the T-Code.

A Role Is created with the profile generator and allows the automatic generation of an authorization profile. The role contains the authorization data and the logon menu for the user.

When we have a few roles, we can group them up as Composite role.