Authorizations in the SAP HANA Universe

A short introduction to user and authorization topics in the new SAP HANA universe
PwC for SNP Transformation World
Agenda
1. HANA & S/4 Introduction
2. HANA Scenarios
3. HANA & Authorizations
4. HANA & PwC Standards
SAP HANA & Authorizations
SNP Transformation World
October 2016
Slide 2
HANA & S/4
An introduction

HANA Database
The heart of HANA is the new in-memory database. Programs are executed directly in main memory instead of via storage media. Operations (especially analytical ones) are thereby accelerated considerably.

Optimized HANA Data Model
The new database technology allows the previously fragmented relational table structures to be merged. SAP starts this in the FI/CO module with the Universal Ledger.

Native Analysis Programs
A large number of analysis functions are already prepared for HANA. These simplify the evaluation of the mass of data captured in HANA and thus support decision-making.

S/4 - New Business Functions
With S/4 HANA, SAP also reworks and optimizes a number of transactional functions. Currently this concerns Finance and Logistics. In Finance, an important change is the merging of the FI and CO posting functions.

Fiori Apps
With HANA, SAP intensively markets the "new" SAP user interface SAP Fiori. It can be used, among other things, for transactional programs in the SAP S/4 Business Suite or for analytical native HANA apps.
HANA Scenarios
Scenarios in Comparison

(Diagram: transactional and analytical scenarios compared across three layers. Frontend layer: SAP GUI, or Fiori UI on a Gateway Server. Application layer: S/4 Business Suite for transactional scenarios; SAP GUI with embedded BW, or Fiori UI on a Gateway Server, for analytical scenarios. Database layer: HANA.)
HANA Scenarios
HANA Scenarios, Users & Roles

SAP R/3 (ECC or BW)
We start our comparison with the classical R/3 scenario, before on HANA or S/4 HANA. Access is controlled via users and roles on the SAP Web Application Server layer (WAS). Roles contain authorizations for authorization objects with fields and field values.

on HANA (ECC or BW)
The first HANA evolution step is to switch the database layer from non-SAP solutions to HANA as a pure database. For end users nothing changes; access is still controlled via WAS. Technical access rights on the HANA layer have to be granted via native HANA roles containing privileges.

Transaction Apps (S/4 Business Suite)
The second HANA evolution step is switching over to the S/4 Business Suite with an optimized data model and new transactions. End users still get access via WAS, users and roles, but with possibly changed transactions and authorizations. This again requires HANA roles for administering the technical layer, as described for the on-HANA scenario.

Analytical Apps (HANA)
Another step using HANA is to create and use direct analytical functions on the HANA layer. This requires native users with assigned analytical HANA roles containing native analytical HANA privileges. With embedded BW, only the classical WAS roles with analytical privileges are required.
HANA Scenarios
HANA Scenarios, Users & Roles

(Diagram: roles per layer for each scenario.
SAP R/3 (ECC or BW): application layer SAP R/3 ECC with ABAP role; database layer Oracle database.
on HANA (ECC or BW): application layer SAP R/3 ECC with ABAP role; database layer HANA database with HANA role.
Transaction Apps (S/4 BS): frontend layer Fiori Gateway Server with Fiori role; application layer S/4 Business Suite with ABAP role; database layer HANA database with HANA role.
Analytical Apps (HANA): frontend layer Fiori Gateway Server with Fiori role; HANA layer; database layer HANA database with HANA role.)
HANA & Authorizations
SAP R/3 Access Assignment

• A user gets access through a user account in the Web Application Server layer (typically maintained with transaction SU01).
• The access rights that grant access to data and functions are assigned either via composite roles consisting of single roles or via direct assignment of single roles.
• The single roles consist of authorizations for authorization objects, each protecting specific business objects.
• Each authorization has object fields and field values, each differentiating the access to the business objects according to different criteria.
• A direct assignment of authorizations to users is not possible.

(Diagram: SAP R/3 User -> Composite Role -> Single Role -> Authorizations -> Authorization -> Authorization Field -> Authorization Field Values.)
HANA & Authorizations
SAP HANA Access Assignment

• A user is authorized using a user account in the native HANA layer.
• Access to perform specific functions can be granted either collectively by roles or specifically via privileges.
• When creating a role, privileges are assigned and then stored as a repository object (design-time role).
• A role may also extend other roles, thus inheriting all their respective privileges.
• There are five different privilege types: system, object, package, analytic and application privileges.
• On activation of repository roles, runtime roles are created from them and can then be assigned to the user.

(Diagram: SAP HANA User <- Runtime Role <- Repository Role <- Privileges: System, Object, Package, Analytic, Application.)
HANA & Authorizations
Role Orchestra in the HANA universe

Classical ABAP Roles (on HANA, embedded BW or S/4 Business Suite): ABAP roles are used in on-HANA scenarios as well as in embedded BW or S/4 HANA Business Suite scenarios, independent of the UI, whether Fiori, SAP GUI or WebGUI.

Technical HANA Roles (HANA configuration, administration, development): The HANA layer requires a totally new approach to technical roles for administration, development and configuration due to its new authorization structures.

Analytical HANA Roles (direct analytical access via HANA): When analytical applications access data directly via HANA, native analytical HANA roles with analytic and object privileges have to be created.

Transactional HANA Roles (direct transactional access via HANA): Currently we do not really see HANA applications with transactional character. Should this come up, it will require native HANA roles, most probably with application privileges.

Fiori Roles (Fiori user interface): Fiori grants users access to applications via tabs and tiles in the launchpad. This has to be authorized by creating users and granting Fiori roles in the SAP Gateway server.
HANA & Authorizations
HANA Privileges

System privileges
• What: Control access to administrative functions within HANA (e.g. USER ADMIN, CREATE SCHEMA, etc.)
• Who: Admins, Developers

Object privileges
• What: Privileges based on SQL statements (e.g. SELECT, UPDATE, etc.) for catalog objects (runtime) such as tables and views
• Who: Developers, Modellers

Package privileges
• What: Restrict access to and the use of packages in the HANA repository (modelling environment)
• Who: Developers, Modellers

Analysis privileges
• What: Provide access to reporting objects for view-only purposes, and provide filter or contextual controls on a report. Comparable to BW analysis authorizations
• Who: End users (reporting)

Application privileges
• What: Control access to applications and to functions within apps that connect directly to HANA and run on the XS engine
• Who: Developers of or end users of any HANA XS app
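The assignment chain from the SAP HANA Access Assignment slide (user <- role <- privileges, with role extension) and the five privilege types listed above, written out as HANA SQL. This is an added example and not part of the PwC deck: the schema SALES, the repository package acme.reporting, the repository objects acme.reporting::AP_SALES_EU (analytic privilege) and acme.reporting::Execute (application privilege), and all role and user names are constructed, the two repository objects are assumed to be already activated, and the statements are assumed to run as an administrator holding ROLE ADMIN and the relevant grant options.

```sql
-- Added example, not from the PwC deck. Schema, package, repository objects and
-- role/user names are constructed; acme.reporting::AP_SALES_EU and
-- acme.reporting::Execute are assumed to be activated repository objects.

-- 1. Object privileges: statement-based access to catalog (runtime) objects.
CREATE ROLE "SALES_READ";
GRANT SELECT ON SCHEMA "SALES" TO "SALES_READ";

-- 2. Package privilege: read access to a repository package (modelling environment).
CREATE ROLE "REPORTING_MODELLER";
GRANT REPO.READ ON "acme.reporting" TO "REPORTING_MODELLER";
GRANT "SALES_READ" TO "REPORTING_MODELLER";   -- modellers also need the data

-- 3. Analytic privilege: row-level filter for end users. An activated repository
--    analytic privilege is owned by _SYS_REPO, so it is granted via _SYS_REPO.
--    The catch-all _SYS_BI_CP_ALL would switch the filter off and is avoided.
CREATE ROLE "SALES_REPORTING_EU";
CALL "_SYS_REPO"."GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE"('acme.reporting::AP_SALES_EU', 'SALES_REPORTING_EU');
-- Role extension: SALES_REPORTING_EU inherits every privilege of SALES_READ.
GRANT "SALES_READ" TO "SALES_REPORTING_EU";

-- 4. Application privilege (XS app), likewise owned by _SYS_REPO. The inner
--    double quotes around the privilege name are the spelling assumed here.
CALL "_SYS_REPO"."GRANT_APPLICATION_PRIVILEGE"('"acme.reporting::Execute"', 'SALES_REPORTING_EU');

-- 5. System privilege: an administrative function, isolated in its own role so
--    that it never travels together with data access.
CREATE ROLE "SEC_USER_ADMIN";
GRANT USER ADMIN TO "SEC_USER_ADMIN";

-- Assignment to the user goes through roles only. HANA would accept a direct
-- GRANT SELECT ... TO "REPORT_USER", but that bypasses the role concept and
-- is invisible to role-based recertification.
GRANT "SALES_REPORTING_EU" TO "REPORT_USER";

-- Verify the result including inherited privileges. Always filter this view on
-- USER_NAME; it resolves the whole role hierarchy and is expensive otherwise.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTEE
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME = 'REPORT_USER'
 ORDER BY OBJECT_TYPE, PRIVILEGE;
```

The closing SELECT is the check a reviewer wants after any role change: it lists the privileges REPORT_USER actually holds, with GRANTEE showing through which role each one arrived, so an unexpected SELECT on a second schema or a stray system privilege is visible immediately.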
HANA & Authorization
HANA User Types (Restricted vs. Normal)

Normal User
• By standard able to create own objects such as tables and views in their own schema. Inherits the 'PUBLIC' role upon creation.
• Is able to use ODBC/JDBC to access the SQL console for objects to which access has been granted.

Restricted User
• Initially has no privileges.
• Is neither able to view, nor to alter or create any objects.
• Therefore all privileges to perform actions have to be given to the user explicitly or via a role.
• Access is primarily performed via HTTP, unless this is explicitly changed and a special role is given to the user.
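The two user types above, created side by side so that the differences in the table become visible in HANA SQL. This is an added example, not part of the PwC deck: the user names, the schema SALES and the initial password are constructed, the SAP-delivered role RESTRICTED_USER_JDBC_ACCESS and the SYS.USERS columns IS_RESTRICTED and IS_CLIENT_CONNECT_ENABLED are used as known from HANA 1.0 SPS 09 and later, and the statements are assumed to run as a user administrator.

```sql
-- Added example, not from the PwC deck. Names and password are constructed.

-- Normal user: receives the PUBLIC role automatically, gets an own schema in
-- which it may create tables and views, and can connect over ODBC/JDBC as soon
-- as the account exists. The forced first password change is left enabled.
CREATE USER "DEV_NORMAL" PASSWORD "Init_Pw_2016x";

-- Restricted user: no PUBLIC role, no own schema, no SQL client access, no
-- privileges at all. Everything it may do comes from the grants below, which
-- makes it the safer default for application and HTTP (XS) users.
CREATE RESTRICTED USER "APP_RESTRICTED" PASSWORD "Init_Pw_2016x";

-- Privileges are given via a role, never directly to the user.
CREATE ROLE "SALES_READ";
GRANT SELECT ON SCHEMA "SALES" TO "SALES_READ";
GRANT "SALES_READ" TO "APP_RESTRICTED";

-- Only if this restricted user must use a SQL client at all: open client
-- connections and grant the SAP-delivered access role for the driver in use
-- (RESTRICTED_USER_ODBC_ACCESS for ODBC clients). Both steps are deliberate
-- exceptions and should be documented as such.
ALTER USER "APP_RESTRICTED" ENABLE CLIENT CONNECT;
GRANT "RESTRICTED_USER_JDBC_ACCESS" TO "APP_RESTRICTED";

-- Review: which accounts are restricted, and which restricted accounts were
-- opened for SQL clients. The second group is the one to question.
SELECT USER_NAME, IS_RESTRICTED, IS_CLIENT_CONNECT_ENABLED, USER_DEACTIVATED
  FROM "SYS"."USERS"
 WHERE IS_RESTRICTED = 'TRUE'
 ORDER BY IS_CLIENT_CONNECT_ENABLED DESC, USER_NAME;
```

The point of the pairing is the default posture: DEV_NORMAL can already reach its own schema and a SQL console before any role is assigned, while APP_RESTRICTED can do nothing until SALES_READ is granted, and still cannot open a JDBC session until the ALTER USER and the access role are added on purpose.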
HANA & Authorization
HANA Role Types (Catalog vs. Repository)

Role Creation
  Repository roles: require SQL knowledge or the web interface
  Catalog roles: easy to create via the integrated HANA UI
Transports
  Repository roles: roles and privileges are transportable
  Catalog roles: roles and privileges are not transportable and not versioned
Privileges
  Repository roles: the role creator can assign any privilege to a role
  Catalog roles: the role creator must hold a privilege in order to assign it to a role; removing a privilege from the role creator revokes the privilege from the role
Role Ownership
  Repository roles: role creation more similar to ECC; owned by the system ID _SYS_REPO
  Catalog roles: only the role grantor can revoke a role from a given user; privileges are revoked if the grantor is dropped
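How the ownership row of the table above shows up in practice, as an added example that is not part of the PwC deck. The administrator name ALICE_ADMIN, the role and user names and the schema SALES are constructed, and acme.security::SALES_READ is assumed to be a design-time role that has already been activated in the repository; the _SYS_REPO procedures and the SYS.GRANTED_ROLES view are standard HANA objects.

```sql
-- Added example, not from the PwC deck. ALICE_ADMIN, REPORT_USER, the role
-- names and schema SALES are constructed; acme.security::SALES_READ is assumed
-- to be an activated repository role.

-- Catalog role, created and granted while logged on as ALICE_ADMIN: she is
-- recorded as GRANTOR of the role grant.
CREATE ROLE "CAT_SALES_READ";
GRANT SELECT ON SCHEMA "SALES" TO "CAT_SALES_READ";
GRANT "CAT_SALES_READ" TO "REPORT_USER";
-- Consequences of the ownership rule:
--   * only ALICE_ADMIN can run  REVOKE "CAT_SALES_READ" FROM "REPORT_USER";
--   * if ALICE_ADMIN is dropped (leaver process), this grant is dropped with
--     her and REPORT_USER silently loses access to SALES.

-- Repository role: activation makes _SYS_REPO the owner, and granting goes
-- through _SYS_REPO's procedure, so the grant depends on no person at all.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('acme.security::SALES_READ', 'REPORT_USER');
-- Revocation is symmetrical and can be executed by any user administrator:
-- CALL "_SYS_REPO"."REVOKE_ACTIVATED_ROLE"('acme.security::SALES_READ', 'REPORT_USER');

-- Review: role grants that hang on a named grantor rather than on _SYS_REPO.
-- These are the grants that break when the grantor leaves or is dropped.
-- Grants by SYSTEM will also appear; they are acceptable only if SYSTEM is
-- deactivated in production rather than dropped.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTEE_TYPE = 'USER'
   AND GRANTOR <> '_SYS_REPO'
 ORDER BY GRANTOR, GRANTEE, ROLE_NAME;
```

The review query is the practical test of the table's last row: every result line is a role assignment whose lifetime is tied to an individual administrator's account, which is exactly the dependency repository roles are meant to remove.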
HANA & Authorizations
Key Challenges

• Even in a pure on-HANA scenario, operating-system and database security shifts from separate technology layers (e.g. MS and Oracle) to HANA.
• Organizations are increasingly evaluating HANA as a true platform via SAP's S/4 HANA products. Data, users and their authorizations will then move over to HANA.
• As soon as sensitive data and transactions move to another, new platform, internal and external audit and validation functions will turn their attention towards HANA.
• Organizations will have to re-evaluate how and by whom HANA security should be managed, and will also have to train their teams to cope with the new security concepts and leading practices.
• Depending on the chosen HANA scenario, or even a combination of scenarios, the security concept will change to a complex combination of up to three different environments.
• Companies' current IAM processes and tools will most probably not be able to cope with this new challenge.
HANA & PwC Standards
PwC Standard Materials

Privilege Matrix
• Overview of all HANA standard privileges (w/o analysis privileges)
• Assignment of each privilege to a privilege group (e.g. Database, Interface)
• Definition of tasks per process and subprocess area (e.g. DB Monitoring)
• Assignment of all privileges necessary for each task

Privilege Glossary
• Introduction to the privilege matrix, its target and its structure
• Description of the overall structure of the HANA authorization concept and the privilege types
• Description of the process areas and additional information on the tasks per subprocess

Work Program
• Audit guide for HANA DB and HANA S/4
• Requirements on authorization- and authentication-related HANA aspects to be complied with
• Identification of authorizations to be regarded as sensitive or critical as part of the privilege matrix

Transactions Map
• Overview of new S/4 transactions, old R/3 transactions replaced by new S/4 transactions, and R/3 transactions to be retired without replacement
• This can be used to identify old roles with transactions that may have to be replaced by new roles or fully retired
HANA & PwC Standards
IAGM-Service-Sequence

IAG Modelling
  IAGM1 Technical HANA-Roles
  IAGM2 Transactional-S/4-Roles
  IAGM3 Analytical BW-Roles
  IAGM4 Analytical HANA-Roles
  IAGM5 Fiori-UI-Roles
  IAGM6 HANA-Business Roles
IAG Governance
  IAGG1 HANA Conventions
  IAGG2 HANA Organization & Training
IAG Compliance
  IAGC1 HANA Rules & Requirements
IAG Automation
  IAGA1 HANA Automation & Integration
Your questions for us?

Johannes Liffers
Kapelle-Ufer 4
10117 Berlin
Tel.: +49 30 2636-1658
email: johannes.liffers@de.pwc.com

Martin Krause
Alsterufer 1
20354 Hamburg
Tel.: +49 40 6378 1520
email: martin.krause@de.pwc.com

Torsten Lechelt
Kapelle-Ufer 4
10117 Berlin
Tel.: +49 30 2636-1700
email: torsten.lechelt@de.pwc.com

© 2016 PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL). Each member firm of PwCIL is a separate legal entity.
HANA, Authorizations & Compliance
Audit aspects, Q2 2016

No. / Aspect / Description
1. Password Settings (Authentication): Authentication parameters for passwords (HA01), blacklist for generic passwords (HA03)
2. Privileged Accounts (PA) and PA Management: Use of generic privileged accounts (HA02), process for privileged access management (HA04)
3. Logs & Protocols: Correct log parameter settings (HA05) and adequate policies for log settings and review procedures / controls, limitation / prevention of log modification (HA06)
4. Sensitive Data Encryption: Adequate identification of sensitive data (HA07),
5. Processes & Organization: User maintenance and role / privilege assignment (HA08), recertification (HA09), leavers process (HA13), role change management (HC01), transport management (HC03), backup procedures (HO01), disaster recovery (HO03), batch processing (HO03)
6. Ruleset for Sensitive Privileges: Sensitive object privileges (HA10), schema ownership (HA11), non-read procedure access in production (HA12), sensitive system privileges (HA14), repository changes in production (HC02), backup configuration (HO02), background scheduling & review (HO05&06),
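Read-only checks that map to four of the audit aspects above (HA01, HA02/HA04, HA05 and HA14), as an added example that is not part of the PwC deck or its work program. The SYS views and the indexserver.ini / global.ini parameter names are standard HANA; the list of system privileges treated as sensitive is a constructed starting point and not PwC's ruleset, and the statements are assumed to run as a user holding CATALOG READ.

```sql
-- Added example, not from the PwC deck. The set of "sensitive" privileges below
-- is a constructed starting point, not PwC's ruleset.

-- HA01: effective password policy (indexserver.ini, section [password policy]).
-- Compare the values with the organisation's password standard.
SELECT PROPERTY, VALUE
  FROM "SYS"."M_PASSWORD_POLICY"
 WHERE PROPERTY IN ('minimal_password_length',
                    'password_layout',
                    'maximum_invalid_connect_attempts',
                    'maximum_password_lifetime',
                    'force_first_password_change',
                    'password_lock_for_system_user')
 ORDER BY PROPERTY;

-- HA02 / HA04: generic privileged account. SYSTEM should be deactivated in
-- production and named administrators used instead; a recent successful
-- connect on an account that is supposed to be deactivated is a finding.
SELECT USER_NAME, USER_DEACTIVATED, LAST_SUCCESSFUL_CONNECT, INVALID_CONNECT_ATTEMPTS
  FROM "SYS"."USERS"
 WHERE USER_NAME = 'SYSTEM';

-- HA05: is auditing switched on at all, and which audit policies are active?
SELECT FILE_NAME, LAYER_NAME, KEY, VALUE
  FROM "SYS"."M_INIFILE_CONTENTS"
 WHERE FILE_NAME = 'global.ini'
   AND SECTION = 'auditing configuration'
   AND KEY IN ('global_auditing_state', 'default_audit_trail_type');

SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE, EVENT_STATUS, EVENT_LEVEL
  FROM "SYS"."AUDIT_POLICIES"
 ORDER BY IS_AUDIT_POLICY_ACTIVE DESC, AUDIT_POLICY_NAME;

-- HA14: sensitive system privileges, as granted directly to users or to roles.
-- GRANTED_PRIVILEGES shows direct grants only; to see what a specific user
-- holds through nested roles, query EFFECTIVE_PRIVILEGES for that USER_NAME.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR, IS_GRANTABLE
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('USER ADMIN', 'ROLE ADMIN', 'DATA ADMIN', 'CATALOG READ',
                     'AUDIT ADMIN', 'AUDIT OPERATOR', 'INIFILE ADMIN',
                     'BACKUP ADMIN', 'TRACE ADMIN')
 ORDER BY PRIVILEGE, GRANTEE_TYPE, GRANTEE;
```

Two of these deserve a comment. AUDIT ADMIN and AUDIT OPERATOR are listed because whoever holds them can change or clear the audit trail that aspect 3 (HA06) wants protected, so they should sit with as few named persons as possible and never with application users. IS_GRANTABLE = 'TRUE' on any row means the holder can pass the privilege on, which multiplies the review effort and is rarely needed outside the role-building administrator.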
Key HANA Terminology

SAP Business Suite Powered by HANA: Current-version SAP applications (ECC 6.0, etc.) run on the HANA database. Alternative to a traditional database (e.g. Oracle), achieved via non-disruptive database migration.
S/4 HANA: SAP's next-generation ERP application (upgrade of ECC). 400M lines of re-engineered ABAP code optimized to run on HANA. Fiori interface options for the most commonly used functions.
Simple Finance: First SAP modules optimized to run on HANA (includes Accounting, Cash Management, Business Planning, Receivables, Payables, etc.). Option for ERP on HANA or S/4HANA customers.
Simple Logistics: Second HANA-optimized module, to be made available end 2015, covering inventory management, purchasing, sales, production and manufacturing.
HANA Live: Standard SAP-delivered reporting content in the form of SAP HANA calculation views for easy-to-leverage real-time operational reporting off the HANA database.
HANA XS Engine: The Extended Application Services (XS) engine is a built-in application and web server enabling application development and deployment directly on the HANA database (a true 'platform').
HANA Studio: Administration and development front-end client for SAP HANA.
HANA Web IDE: Integrated Development Environment (IDE); web-based front-end for development and administration functionality of HANA, an alternative to HANA Studio.
HANA One: Fully featured SAP HANA instance hosted on Amazon Web Services that can be used to build and deploy on-demand applications (SaaS).
HANA Cloud Platform: HCP, SAP's subscription-based cloud platform for HANA solutions (PaaS).
Fiori: New HTML5 user interface for SAP software, optimized for modern design and mobile devices.