on 05-06-2014 9:53 PM
Hello,
from the security guide,
http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
'The database owner concept stipulates that when a database user is deleted, all objects created by that user
and privileges granted to others by that user are also deleted. If the owner of a schema is deleted, all objects in
the schema are also deleted even if they are owned by a different user. All privileges on these objects are also
deleted.'
we learned, whenever a user is deleted all grants performed by this user are also deleted.
We tested and this is, and it is even the case when you delete a user using restrict.
From an audit perspective we cannot use one generic user that performs central security management.
We are an enterprise company and got a central SAP security department,
which is supposed to cover HANA security handing as far as possible and it must be traceable who performed which grant.
They will create roles, assign privileges and other roles to these and assign these roles to our HANA users and
right now they use their personal HANA DB user for this purpose, which perfectly logs who was the granter.
From testing and reading the security guide we learned that when one of the group members leaves the security department,
and the related HANA account is deleted, all the work performed with his/her user ID is being lost.
So we see two options right now, which are both not perfect.
a.) never delete a user of this team on HANA, just deactivate the account.
b.) create a generic account and have the entire team work with this account to perform all grants.
Right now we will prefer option a.)
Does anyone see a different option...and/or how do you handle these 'stipulates'?
Regards
Florian
Hi Florian,
first, I assume that the actual "problem" at hand is the management of users and privileges, i.e. the granting of privileges to database users in SAP HANA.
For this scenario, there are two technically different methodologies, of which one has the drawbacks you describe, the other one does not.
If you do not want to work with the repository, you either have to use an identity management solution that supports SAP HANA (NetWeaver IDM and GRC Access control 10.1), or you have to basically create some IDM aspects in a small application, so that you can in the end have a technical database user who does the actual privilege management, and who is invoked through this application. For the reasons of auditability, you will then have to rely on the auditing capabilities of the "application", because technically in the database, all grants/revokes will be performed by the same technical database user.
Best regards,
Richard
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Richard,
the second way sounds like a working approach for our HANA sidecar solution.
Since we also got HANA systems running for NW. 7.40 SP6 based SAP suite systems, we found out that the configuration of DBMS User Management for SAP HANA, could be a key to archive a centralized and auditable HANA user management. We have plans to configure this on all of our HANA based SAP suite systems and run varies tests on how this will allow us move on from this point.
Thanks both of you Lars and Roland, for your input. I will have some internal discussions, tests and trials and keep this post updated.
Florian
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
90 | |
10 | |
10 | |
10 | |
7 | |
7 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.