cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Authorization Administration Tools

Go to solution
martin_chambers
Participant

on ‎06-12-2015 9:17 PM

0 Kudos

Hi,

Until now I have done quite a bit of authorization stuff in SAP ERP and BW, i.e. in the ABAP world. Recently, I have been introduced to SAP HANA and somehow somebody thought I should do authorization here as well. When I first read about catalog roles, I was genuinely shocked. How on earth could someone create something like that! Later, I discovered that repository roles exist which are much better.

But, I still haven't been able to find all the tools and reports that I used for authorizations, roles and users in SAP ERP and BW.

So here are my questions:

  1. Where can I the search tools when I want to know, e.g. which users (or which roles) have the SELECT privilege for table XYZ?
  2. How can I display and search the log files showing which users ran up against authorization Errors?
  3. How do I switch an authorization trace on and off?

I realize that a competent SQL programmer can code a solution to these tasks. But I hope that there are some readymade tools which will make my life easier.

I'm looking forward to your replies,

Martin

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎06-13-2015 12:13 PM
0 Kudos

I'm not too much involved in the security area, but perhaps the following remarks are useful for you (although e.g. my reply to 1. is not more than the "competent programmer" solution you already mentioned as an option):

Ad 1. You can use SQL: "HANA_Security_GrantedRolesAndPrivileges" (SAP Note 1969700) with a properly configured "Modification section" to check for privilege and role assignments.

Ad 3. The database trace (SAP Note 2119087) can be activated for certain authorization related traces (e.g. authentication or xsauthentication). Also an "authorization" trace is available there. The trace information will be part of the normal service trace files.

You may also have a look at SAP Note 2159014 which is supposed to be an entry point in the world of SAP HANA security.

Show replies
Show replies
martin_chambers
Participant
‎06-14-2015 10:02 PM
0 Kudos

Hi Martin,

Thanks for your answer. It seems that the authorization cockpit that I was looking for doesn't exist in SAP HANA. All the notes you have listed refer to tables, views and SQL code.

Do you happen to know what priority SAP has given to developing these tools? Anything to look forward to in SPS10?

Regards,

Martin

martin_kittel
Advisor
Advisor
‎06-16-2015 9:58 AM
0 Kudos

Hi Martin,

the HANA Administration Guide also mentions some system views for checking user authorizations (System Views for Verifying Users' Authorization - SAP HANA Administration Guide - SAP Library) and the Authorization Dependency Viewer (http://help.sap.com/saphelp_hanaplatform/helpdata/en/e8/fc62ef07cb46988504692a65de85bd/content.htm?f...).

An authorization trace concept is on our roadmap but will not be available with SPS10.

Best wishes,

Martin.

martin_chambers
Participant
‎06-16-2015 10:14 AM
0 Kudos

Hi Martin,

thanks again. Those links are quite useful.

How do you know so much about SPS10? I haven't even been able to find the release date for the first revision.

Regards,

Martin

Former Member
‎06-16-2015 11:23 AM
0 Kudos

Hi Martin C.,

the previous answer was from Martin K. working in the SAP HANA development area, because I pinged him on this topic. This explains why he knows more than us about SPS 10

Kind regards

Martin F.

martin_chambers
Participant
‎06-16-2015 12:27 PM
0 Kudos

Too many Martins in this thread!

My thanks to Martin F. and Martin K.

Martin C

martin_chambers
Participant
‎12-22-2015 3:11 AM
0 Kudos

Hi Martin K,

is there any news regarding an authorization trace in SPS11? Or SPS12?

I have tried the trace configuration according to   2151612 - How to activate and deactivate the authorization database trace for indexserver in a Hana...

And it has worked a few times. But recently, when I tried to delete a repository role, all I could find in the trace file, were the set and the unset commands, not my role deletion attempt.

Regards,

Martin C

former_member183326
Active Contributor
‎12-22-2015 12:56 PM
0 Kudos

Hello,

You could try this?

http://scn.sap.com/community/hana-in-memory/blog/2015/07/07/authorization-dependency-viewer

KR

Michael

martin_chambers
Participant
‎12-22-2015 8:46 PM
0 Kudos

Hi Michael,

Thanks for your post. The authorization dependency viewer sounds like a very useful feature.

Unfortunately, as far as I can tell, it only works from SPS10 onward. We're still stuck on SPS9

Although, we will upgrade early next year

Pity that, the ADV is really cool

Regards,

Martin

Answers (1)

Answers (1)

Former Member
‎06-12-2015 10:25 PM
0 Kudos

Hi,

Please use the below document from Richard Bremer for reference and create the roles to customize the user access

The document is very detail and precise to all kinds of roles that are required for an organization

Hope ths helps

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c02c2004-899d-3110-8488-b3ff8362b...

Sunil

Show replies
Show replies
martin_chambers
Participant
‎06-12-2015 10:52 PM
0 Kudos

Hi Sunil,

Thanks for the reference.

My question was actually more about the administration tools for authorizations, i.e. Tools that help me search, trae, evaluate logs, etc. These are tools available in the ABAP world which I have not yet found in SAP HANA.

Martin

Ask a Question