A Short Introduction to User and Authorization Topics in the New SAP HANA Universe
Authorizations in the SAP HANA Universe
PwC for SNP Transformation World

Agenda
1. HANA & S/4 Introduction
2. HANA Scenarios
3. HANA & Authorizations
4. HANA & PwC Standards

SAP HANA & Authorizations, SNP Transformation World, October 2016

HANA & S/4: An Introduction
HANA Database: The heart of HANA is the new in-memory database. Programs are executed directly in main memory instead of via storage media. Operations (especially analytical ones) are thereby accelerated considerably.
Optimized HANA Data Model: The new database technology allows the previously fragmented relational table structures to be consolidated. SAP starts this in the FI/CO module with the Universal Ledger.
Native Analysis Programs: A large number of analysis functions are already prepared for HANA. They simplify the evaluation of the volume of data captured in HANA and thus support decision-making.
S/4: New Business Functions: With S/4 HANA, SAP also reworks and optimizes a range of transactional functions. Currently this affects Finance and Logistics. In Finance, one important change is the merging of the FI and CO posting functions.
Fiori Apps: Together with HANA, SAP intensively markets the "new" SAP user interface, SAP Fiori. It can be used, among other things, for transactional programs in the SAP S/4 Business Suite or for analytical native HANA apps.
HANA Scenarios

Scenarios in Comparison (diagram)
• Transactional scenarios: Frontend layer: SAP GUI, Fiori UI; Application layer: Gateway Server, S/4 Business Suite; Database layer: HANA database
• Analytical scenarios: Frontend layer: SAP GUI, Fiori UI; Application layer: Gateway Server, Embedded BW; Database layer: HANA database

HANA Scenarios, Users & Roles
SAP R/3 (ECC or BW): We start our comparison with the classical R/3 scenario (pre on-HANA or S/4HANA). Access is controlled via users and roles on the SAP Web Application Server layer (WAS). Roles contain authorizations for authorization objects with fields and field values.
on HANA (ECC or BW): The first HANA evolution step is to switch the database layer from non-SAP solutions to HANA as a pure database. For end users nothing changes; access is still controlled via WAS. Technical access rights on the HANA layer have to be granted via native HANA roles containing privileges.
Transaction Apps (S/4 Business Suite): The second HANA evolution step is switching over to S/4 Business Suite with an optimized data model and new transactions. End users still get access via WAS, users and roles, but with possibly changed transactions and authorizations. HANA roles are required for administering the technical layer, as described for the on-HANA scenario.
Analytical Apps (HANA): Another step using HANA is to create and use direct analytical functions on the HANA layer. This requires native users with assigned analytical HANA roles containing native analytical HANA privileges. With embedded BW, only the classical WAS roles with analytical privileges are required.
HANA Scenarios, Users & Roles (diagram: roles per layer and scenario)
• SAP R/3 (ECC or BW): Frontend/Application layer: SAP R/3 ECC (ABAP role); Database layer: Oracle database
• on HANA (ECC or BW): Frontend/Application layer: SAP R/3 ECC (ABAP role); Database layer: HANA database (HANA role)
• Transaction Apps (S/4 BS): Frontend layer: Fiori Gateway Server (Fiori role); Application layer: S/4 Business Suite (ABAP role); Database layer: HANA database (HANA role)
• Analytical Apps (HANA): Frontend layer: Fiori Gateway Server (Fiori role); Application layer: HANA layer; Database layer: HANA database (HANA role)

HANA & Authorizations

SAP R/3 Access Assignment
• A user gets access through a user account in the Web Application Server layer (typically using transaction SU01)
• The access rights that give access to data and functions are granted either via composite roles consisting of single roles or via direct assignment of single roles
• The single roles consist of authorizations for authorization objects, each protecting specific business objects
• Each authorization has object fields and field values, each differentiating the access to the business objects according to different criteria
• A direct assignment of authorizations to users is not possible
(Diagram: SAP R/3 User → Composite Role → Single Role → Authorizations → Authorization → Field → Field Values)

SAP HANA Access Assignment
• A user is authorized using a user account in the native HANA layer.
• Access to perform specific functions can be granted either collectively via roles or specifically via privileges.
• When creating a role, privileges are assigned and then stored as a repository object, the design-time role.
• A role may also extend other roles, thus inheriting all their respective privileges.
• There are five different privilege types: system, object, package, analytic and application privileges.
• On activation of repository roles, runtime roles are created from them and can then be assigned to the user.
(Diagram: SAP HANA User ← Runtime Role ← Repository Role ← Privileges: System, Object, Package, Analytic, Application)

Role Orchestra in the HANA Universe
Classical ABAP Roles (on HANA, embedded BW or S/4 Business Suite): ABAP roles are used in on-HANA scenarios as well as in embedded BW or S/4 HANA Business Suite scenarios. This is independent of the UI, whether Fiori, SAP GUI or WebGUI.
Technical HANA Roles (HANA configuration, administration, development): The HANA layer requires a totally new approach to technical roles for administration, development and configuration due to its new authorization structures.
Analytical HANA Roles (direct analytical access via HANA): When analytical applications access data directly via HANA, native analytical HANA roles with analytical and object privileges have to be created.
Transactional HANA Roles (direct transactional access via HANA): Currently we do not really see HANA applications with transactional character. Should this come up, it will require native HANA roles, most probably with application privileges.
Fiori Roles (Fiori user interface): Fiori grants users access to applications via tabs and tiles in the launchpad. This has to be authorized by creating users and granting Fiori roles in the SAP Gateway server.

HANA Privileges
System privileges
• What: Controls access to administrative functions within HANA (e.g. USER ADMIN, CREATE SCHEMA, etc.)
• Who: Admins, Developers
Object privileges
• What: Privileges based on SQL statements (e.g. SELECT, UPDATE, etc.) for catalog objects (runtime) such as tables and views
• Who: Developers, Modellers
Package privileges
• What: Restricts access to and the use of packages in the HANA repository (modelling environment)
• Who: Developers, Modellers
Analysis privileges
• What: Provides access to reporting objects for view-only purposes. Provides filter or contextual controls on a report. Comparable to BW analysis authorizations
• Who: End users (reporting)
Application privileges
• What: Controls access to applications and functions within apps connecting directly to HANA running on the XS Engine
• Who: Developers of or end users of any HANA XS app

HANA User Types (Restricted vs. Normal)
Normal User
• By default able to create own objects such as tables and views in its own schema. Inherits the PUBLIC role upon creation.
• Is able to use ODBC/JDBC to access the SQL console for objects to which access has been granted.
Restricted User
• Initially has no privileges.
• Is neither able to view, nor to alter or create, any objects.
• Therefore all privileges to perform actions have to be given to the user explicitly or via a role.
• Access is primarily performed using HTTP, unless explicitly changed and a special role is given to the user.

HANA Role Types (Catalog vs. Repository)
Role Creation
• Repository roles: Requires SQL knowledge or a web interface
• Catalog roles: Easy to create via the integrated HANA UI
Transports
• Repository roles: Roles and privileges are transportable
• Catalog roles: Roles and privileges are not transportable and not versioned
Privileges
• Repository roles: The role creator can assign any privilege to a role
• Catalog roles: The role creator must hold a privilege to assign it to a role. Removing a privilege from the role creator revokes the privilege from the role
Role Ownership
• Repository roles: Role creation is more similar to ECC; roles are owned by the system ID _SYS_REPO
• Catalog roles: Only the role grantor can revoke a role from a given user. Privileges are revoked if the grantor is dropped

Key Challenges
• Even with a pure on-HANA scenario, operating system and database security shifts from separate technology layers (e.g. MS and Oracle) to HANA
• Organizations are increasingly evaluating HANA as a true platform via SAP's S/4 HANA products. Data, users and their authorizations will then move over to HANA
• As soon as sensitive data and transactions move to another new platform, internal and external audit and validation functions will turn their attention towards HANA
• Organizations will have to re-evaluate how and by whom HANA security should be managed, and will also have to train their teams to cope with the new security concepts and leading practices
• Depending on the chosen HANA scenario, or even scenario combination, the security concept will change to a complex combination of up to three different environments
• Companies' current IAM processes and tools will most probably not be able to cope with this new challenge

HANA & PwC Standards

PwC Standard Materials
Privilege Matrix
• Overview of all HANA standard privileges (without analysis privileges)
• Assignment of each privilege to a privilege group (e.g. Database, Interface)
• Definition of tasks per process and subprocess area (e.g. DB Monitoring)
• Assignment of all privileges necessary for each task
Privilege Glossary
• Introduction to the privilege matrix, its target and its structure
• Description of the overall structure of the HANA authorization concept and privilege types
• Description of the process areas and additional information on the tasks per subprocess
Work Program
• Audit guide for HANA DB and HANA S/4
• Requirements on authorization- and authentication-related HANA aspects to be complied with
• Identification of authorizations to be regarded as sensitive or critical as part of the privilege matrix
Transactions Map
• Overview of new S/4 transactions, old R/3 transactions replaced by new S/4 transactions, and R/3 transactions to be retired without replacement
• This can be used to identify old roles with transactions possibly to be replaced by new roles or to be fully retired

IAGM Service Sequence
IAG Modelling: Technical HANA Roles (IAGM1), Transactional S/4 Roles (IAGM2), Analytical BW Roles (IAGM3), Analytical HANA Roles (IAGM4), Fiori UI Roles (IAGM5), HANA Business Roles (IAGM6)
IAG Governance: HANA Conventions (IAGG1), HANA Organization & Training (IAGG2)
IAG Compliance: HANA Rules & Requirements (IAGC1)
IAG Automation: HANA Automation & Integration (IAGA1)

Your questions to us?
Johannes Liffers, Kapelle-Ufer 4, 10117 Berlin, Tel.: +49 30 2636-1658, email: johannes.liffers@de.pwc.com
Martin Krause, Alsterufer 1, 20354 Hamburg, Tel.: +49 40 6378 1520, email: martin.krause@de.pwc.com
Torsten Lechelt, Kapelle-Ufer 4, 10117 Berlin, Tel.: +49 30 2636-1700, email: torsten.lechelt@de.pwc.com

© 2016 PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL). Each member firm of PwCIL is a legally independent entity.

HANA, Authorizations & Compliance: Audit Aspects, Q2 2016
1. Password Settings (Authentication): Authentication parameters for passwords (HA01), blacklist for generic passwords (HA03)
2. Privileged Accounts (PA) and PA Management: Use of generic privileged accounts (HA02), privileged access management process (HA04)
3. Logs & Protocols: Correct log parameter settings (HA05) and adequate policies for log settings and review procedures/controls, limitation/prevention of log modification (HA06)
4. Sensitive Data Encryption: Adequate identification of sensitive data (HA07)
5. Processes & Organization: User maintenance and role/privilege assignment (HA08), recertification (HA09), leavers process (HA13), role change management (HC01), transport management (HC03), backup procedures (HO01), disaster recovery (HO03), batch processing (HO03)
6. Ruleset for Sensitive Privileges: Sensitive object privileges (HA10), schema ownership (HA11), non-read procedure access in production (HA12), sensitive system privileges (HA14), repository changes in production (HC02), backup configuration (HO02), background scheduling & review (HO05 & HO06)

Key HANA Terminology
SAP Business Suite Powered by HANA: Current-version SAP applications (ECC 6.0, etc.) run on the HANA database. Alternative to a traditional database (e.g. Oracle), achieved via non-disruptive database migration.
S/4 HANA: SAP's next-generation ERP application (upgrade of ECC). 400M lines of re-engineered ABAP code optimized to run on HANA. Fiori interface options for the most commonly used functions.
Simple Finance: First SAP modules optimized to run on HANA (includes Accounting, Cash Management, Business Planning, Receivables, Payables, etc.). Option for ERP on HANA or S/4HANA customers.
Simple Logistics: Second HANA-optimized module, to be made available end of 2015; will include inventory management, purchasing, sales, production and manufacturing.
HANA Live: Standard SAP-delivered reporting content in the form of SAP HANA calculation views, for easy-to-leverage real-time operational reporting off the HANA database.
HANA XS Engine: The Extended Application Services (XS) engine is a built-in application and web server enabling application development and deployment directly on the HANA database (a true "platform").
HANA Studio: Administration and development front-end client for SAP HANA.
HANA Web IDE: Integrated Development Environment (IDE); web-based front-end for HANA development and administration functionality, an alternative to HANA Studio.
HANA One: Fully featured SAP HANA instance hosted on Amazon Web Services that can be used to build and deploy on-demand applications (SaaS).
HANA Cloud Platform: HCP, SAP's subscription-based cloud platform for HANA solutions (PaaS).
Fiori: New HTML5 user interface for SAP software, optimized for modern design and mobile devices.
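As an added example (not part of the PwC deck or its privilege matrix), the following Python check applies two of the audit aspects listed above, sensitive system privileges (HA14) and sensitive object privileges on production (HA10), together with the catalog-role ownership caveat from the role-types slide (a catalog role is lost when its grantor is dropped), to constructed rows shaped like the EFFECTIVE_PRIVILEGES and GRANTED_ROLES system views. The privilege lists, schema name and sample users are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed subset of HANA system privileges an auditor treats as sensitive (HA14).
SENSITIVE_SYSTEM_PRIVILEGES = {"USER ADMIN", "ROLE ADMIN", "DATA ADMIN", "AUDIT ADMIN"}
# Assumed object privileges regarded as sensitive on a production schema (HA10).
WRITE_PRIVILEGES = {"INSERT", "UPDATE", "DELETE", "ALTER", "DROP"}

# Constructed sample rows, reduced to the columns this check needs:
# EFFECTIVE_PRIVILEGES -> (USER_NAME, GRANTOR, OBJECT_TYPE, SCHEMA_NAME, PRIVILEGE)
EFFECTIVE_PRIVILEGES = [
    ("JDOE",   "_SYS_REPO", "SYSTEMPRIVILEGE", None,     "CATALOG READ"),
    ("JDOE",   "_SYS_REPO", "TABLE",           "SAPERP", "SELECT"),
    ("ADMIN2", "SYSTEM",    "SYSTEMPRIVILEGE", None,     "USER ADMIN"),
    ("BATCH1", "DBA_TOM",   "TABLE",           "SAPERP", "UPDATE"),
    ("REPORT", "_SYS_REPO", "TABLE",           "SAPERP", "SELECT"),
]
# GRANTED_ROLES -> (GRANTEE, ROLE_NAME, GRANTOR)
GRANTED_ROLES = [
    ("JDOE",   "sap.hana.admin.roles::Monitoring", "_SYS_REPO"),  # repository role
    ("BATCH1", "BATCH_WRITER",                    "DBA_TOM"),    # catalog role
]
PRODUCTION_SCHEMAS = {"SAPERP"}  # assumed production schema name


def audit(effective_privileges, granted_roles, production_schemas):
    """Return {user: [finding, ...]} for every user that trips one of the checks."""
    findings = defaultdict(list)
    for user, _grantor, obj_type, schema, priv in effective_privileges:
        if obj_type == "SYSTEMPRIVILEGE" and priv in SENSITIVE_SYSTEM_PRIVILEGES:
            findings[user].append(f"HA14: sensitive system privilege {priv}")
        elif schema in production_schemas and priv in WRITE_PRIVILEGES:
            findings[user].append(f"HA10: {priv} on production schema {schema}")
    for grantee, role, grantor in granted_roles:
        # Activated repository roles are granted by _SYS_REPO; a catalog role
        # granted by a named user is revoked if that grantor is ever dropped.
        if grantor != "_SYS_REPO":
            findings[grantee].append(
                f"catalog role {role} granted by {grantor}: lost if grantor is dropped")
    return dict(findings)


if __name__ == "__main__":
    result = audit(EFFECTIVE_PRIVILEGES, GRANTED_ROLES, PRODUCTION_SCHEMAS)
    for user, issues in sorted(result.items()):
        print(user, "->", "; ".join(issues))
```

On a real system the two input lists would come from SELECTs on EFFECTIVE_PRIVILEGES and GRANTED_ROLES, restricted to the columns used here.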