SAP HANA 2.0 SPS04 - Authorizations, Scenarios & Security ...

HA240SAP HANA 2.0 SPS04 - Authorizations, Scenarios & Security Requirements

..

COURSE OUTLINE.

Course Version: 16Course Duration:

SAP Copyrights, Trademarks and Disclaimers

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

This course may have been machine translated and may contain grammatical errors or inaccuracies.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

© Copyright. All rights reserved. iii

Typographic Conventions

American English is the standard used in this handbook.

The following typographic conventions are also used.

This information is displayed in the instructor’s presentation

Demonstration

Procedure

Warning or Caution

Hint

Related or Additional Information

Facilitated Discussion

User interface control Example text

Window title Example text

iv © Copyright. All rights reserved.

Contents

ix Course Overview

1 Unit 1: Introducing SAP HANA Security

1 Lesson: Introducing SAP HANA1 Lesson: Describing SAP HANA implementation scenarios1 Lesson: Outlining security functions

3 Unit 2: Using SAP HANA administration tools

3 Lesson: Using security administration tools

5 Unit 3: Securing SAP HANA network and communications

5 Lesson: Describing communication channels5 Lesson: Securing Data Communications

7 Unit 4: Managing certificates

7 Lesson: Managing certificates

9 Unit 5: Securing data storage

9 Lesson: Describing Data-at-Rest Encryption

11 Unit 6: Managing users

11 Lesson: Comparing User Types11 Lesson: Describing User Administration Tools11 Lesson: Managing User Groups

13 Unit 7: Managing authentication

13 Lesson: Managing Authentication

15 Unit 8: Developing applications in XS Advanced

15 Lesson: Explain the reason why the security administrator develops applications

15 Lesson: Introducing the Application Architecture15 Lesson: Describing the Application Development Tools15 Lesson: Introducing the Multi-Target Application15 Lesson: Describing the MTA Development Descriptor File mta.yaml

© Copyright. All rights reserved. v

17 Unit 9: Creating the persistence data model using Core Data Services

17 Lesson: Introducing the SAP HANA Database Module17 Lesson: Introducing Core Data Services17 Lesson: Using the CDS Entity17 Lesson: Using the CDS Context, Association, and View

19 Unit 10: Implementing authorizations in the SAP HANA Database

19 Lesson: Describing object ownership rules19 Lesson: Introducing Authorizations in the SAP HANA Database19 Lesson: Introducing database roles management19 Lesson: Creating HDI roles for system privileges19 Lesson: Creating HDI roles to access objects in a remote schema19 Lesson: Using Data Masking20 Lesson: Describing Anonymization20 Lesson: Using LDAP Group Authorization20 Lesson: Describing Cross-Database Authorizations in Tenant

Databases

21 Unit 11: Analyzing users and authorizations

21 Lesson: Tracing authorization errors21 Lesson: Viewing Information about Users and Authorizations

23 Unit 12: Using Audit Logging

23 Lesson: Using Audit Logging

25 Unit 13: Defining the application security in XS Advanced

25 Lesson: Creating a Basic HTML5 Module25 Lesson: Introducing Application Security in XS Advanced25 Lesson: Creating a User with authorization for development in the

SAP Web IDE for SAP HANA25 Lesson: Creating the Security Concept Within an HTML5 Module

27 Unit 14: Integration with SAP BusinessObjects BI (optional)

27 Lesson: Understanding Authentication Options and User Management Implicationsfor the Integration of SAP BusinessObjects BI 4.X and SAP HANA (optional)

29 Unit 15: SAP HANA with ERP or S/4HANA and the Analytics Authorization Assistant (optional)

29 Lesson: Describing SAP HANA with ERP or SAP S/4HANA and the Analytics Authorization Assistant (optional)

vi © Copyright. All rights reserved.

31 Unit 16: Integration with SAP GRC (optional)

31 Lesson: Outlining SAP GRC Integration for Governance, Risk and Compliance

33 Unit 17: Integration with SAP Identity Management (optional)

33 Lesson: Understanding SAP Identity Management Integration

© Copyright. All rights reserved. vii

viii © Copyright. All rights reserved.

Course Overview

TARGET AUDIENCEThis course is intended for the following audiences:

● Database Administrator

● System Administrator

© Copyright. All rights reserved. ix

x © Copyright. All rights reserved.

UNIT 1 Introducing SAP HANA Security

Lesson 1: Introducing SAP HANALesson ObjectivesAfter completing this lesson, you will be able to:

● Describe basic features of SAP HANA

Lesson 2: Describing SAP HANA implementation scenariosLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe SAP HANA implementation scenarios

Lesson 3: Outlining security functionsLesson ObjectivesAfter completing this lesson, you will be able to:

● Outline the security functions in SAP HANA

© Copyright. All rights reserved. 1

Unit 1: Introducing SAP HANA Security

2 © Copyright. All rights reserved.

UNIT 2 Using SAP HANA administration tools

Lesson 1: Using security administration toolsLesson ObjectivesAfter completing this lesson, you will be able to:

● Use security administration tools

© Copyright. All rights reserved. 3

Unit 2: Using SAP HANA administration tools

4 © Copyright. All rights reserved.

UNIT 3 Securing SAP HANA network and communications

Lesson 1: Describing communication channelsLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe SAP HANA communication channels

Lesson 2: Securing Data CommunicationsLesson ObjectivesAfter completing this lesson, you will be able to:

● Recognize the options to secure data communications in SAP HANA

© Copyright. All rights reserved. 5

Unit 3: Securing SAP HANA network and communications

6 © Copyright. All rights reserved.

UNIT 4 Managing certificates

Lesson 1: Managing certificatesLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe in-database certificate management process and tools

© Copyright. All rights reserved. 7

Unit 4: Managing certificates

8 © Copyright. All rights reserved.

UNIT 5 Securing data storage

Lesson 1: Describing Data-at-Rest EncryptionLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe use of data-at-rest encryption in SAP HANA

© Copyright. All rights reserved. 9

Unit 5: Securing data storage

10 © Copyright. All rights reserved.

UNIT 6 Managing users

Lesson 1: Comparing User TypesLesson ObjectivesAfter completing this lesson, you will be able to:

● Compare the different user types in SAP HANA

Lesson 2: Describing User Administration ToolsLesson ObjectivesAfter completing this lesson, you will be able to:

● Understand which tools are available for user management tasks

Lesson 3: Managing User GroupsLesson ObjectivesAfter completing this lesson, you will be able to:

● Manage user groups

© Copyright. All rights reserved. 11

Unit 6: Managing users

12 © Copyright. All rights reserved.

UNIT 7 Managing authentication

Lesson 1: Managing AuthenticationLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe the different authentication mechanisms availablein SAP HANA

© Copyright. All rights reserved. 13

Unit 7: Managing authentication

14 © Copyright. All rights reserved.

UNIT 8 Developing applications in XS Advanced

Lesson 1: Explain the reason why the security administrator develops applicationsLesson ObjectivesAfter completing this lesson, you will be able to:

● Explain the reason why the security administrator develops applications

Lesson 2: Introducing the Application ArchitectureLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe the basic concepts of application architecture in SAP HANA

Lesson 3: Describing the Application Development ToolsLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe the tools used by the application developer in SAP HANA

Lesson 4: Introducing the Multi-Target ApplicationLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe the basic concepts about the MTA development project

Lesson 5: Describing the MTA Development Descriptor File mta.yamlLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe the information contained in the MTA Development Descriptor mta.yaml file

© Copyright. All rights reserved. 15

Unit 8: Developing applications in XS Advanced

16 © Copyright. All rights reserved.

UNIT 9 Creating the persistence data model using Core Data Services

Lesson 1: Introducing the SAP HANA Database ModuleLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe the main features of the SAP HANA Database module

Lesson 2: Introducing Core Data ServicesLesson ObjectivesAfter completing this lesson, you will be able to:

● Explain the basic concepts of Core Data Services

Lesson 3: Using the CDS EntityLesson ObjectivesAfter completing this lesson, you will be able to:

● Create a Core Data Services Entity, converted at runtime into a database table

Lesson 4: Using the CDS Context, Association, and ViewLesson ObjectivesAfter completing this lesson, you will be able to:

● Use context, association, and view in Core Data Services

© Copyright. All rights reserved. 17

Unit 9: Creating the persistence data model using Core Data Services

18 © Copyright. All rights reserved.

UNIT 10 Implementing authorizations in the SAP HANA Database

Lesson 1: Describing object ownership rulesLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe object ownership rules and effects

Lesson 2: Introducing Authorizations in the SAP HANA DatabaseLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe the basic authorization concepts of the SAP HANA database

Lesson 3: Introducing database roles managementLesson ObjectivesAfter completing this lesson, you will be able to:

● Define, create, and manage roles

Lesson 4: Creating HDI roles for system privilegesLesson ObjectivesAfter completing this lesson, you will be able to:

● Create HDI Roles for System Privileges

Lesson 5: Creating HDI roles to access objects in a remote schemaLesson ObjectivesAfter completing this lesson, you will be able to:

● Create HDI Roles to access database objects located in a different SAP HANA instance or schema

Lesson 6: Using Data MaskingLesson Objectives

© Copyright. All rights reserved. 19

After completing this lesson, you will be able to:

● Describe how dynamic data masking works in SAP HANA

Lesson 7: Describing AnonymizationLesson ObjectivesAfter completing this lesson, you will be able to:

● Explain what anonymization is

Lesson 8: Using LDAP Group AuthorizationLesson ObjectivesAfter completing this lesson, you will be able to:

● Decribe LDAP Group authorization functionality in SAP HANA

Lesson 9: Describing Cross-Database Authorizations in Tenant DatabasesLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe Cross-Database Authorizations in Tenant Databases

Unit 10: Implementing authorizations in the SAP HANA Database

20 © Copyright. All rights reserved.

UNIT 11 Analyzing users and authorizations

Lesson 1: Tracing authorization errorsLesson ObjectivesAfter completing this lesson, you will be able to:

● Trace authorization errors

Lesson 2: Viewing Information about Users and AuthorizationsLesson ObjectivesAfter completing this lesson, you will be able to:

● View information about users and authorizations

© Copyright. All rights reserved. 21

Unit 11: Analyzing users and authorizations

22 © Copyright. All rights reserved.

UNIT 12 Using Audit Logging

Lesson 1: Using Audit LoggingLesson ObjectivesAfter completing this lesson, you will be able to:

● Use audit logging

© Copyright. All rights reserved. 23

Unit 12: Using Audit Logging

24 © Copyright. All rights reserved.

UNIT 13 Defining the application security in XS Advanced

Lesson 1: Creating a Basic HTML5 ModuleLesson ObjectivesAfter completing this lesson, you will be able to:

● Create and run an HTML5 module saying Hello World

Lesson 2: Introducing Application Security in XS AdvancedLesson ObjectivesAfter completing this lesson, you will be able to:

● Describe basic concepts of application security in XS Advanced

Lesson 3: Creating a User with authorization for development in the SAP Web IDE for SAP HANALesson ObjectivesAfter completing this lesson, you will be able to:

● Create the user with authorization for development in the SAP Web IDE for SAP HANA

Lesson 4: Creating the Security Concept Within an HTML5 ModuleLesson ObjectivesAfter completing this lesson, you will be able to:

● Create the security concept within an HTML5 module

© Copyright. All rights reserved. 25

Unit 13: Defining the application security in XS Advanced

26 © Copyright. All rights reserved.

UNIT 14 Integration with SAP BusinessObjects BI (optional)

Lesson 1: Understanding Authentication Options and User Management Implicationsfor the Integration of SAP BusinessObjects BI 4.X and SAP HANA (optional)Lesson ObjectivesAfter completing this lesson, you will be able to:

● Understand authentication options and user management implications for the integration of SAP BusinessObjects BI 4.X and SAP HANA

© Copyright. All rights reserved. 27

Unit 14: Integration with SAP BusinessObjects BI (optional)

28 © Copyright. All rights reserved.

UNIT 15 SAP HANA with ERP or S/4HANA and the Analytics Authorization Assistant (optional)

Lesson 1: Describing SAP HANA with ERP or SAP S/4HANA and the Analytics Authorization Assistant (optional)Lesson ObjectivesAfter completing this lesson, you will be able to:

● Describe different scenarios for SAP HANA with ERP or SAP S/4HANA

● Describe the Analytics Authorization Assistant (AAA)

© Copyright. All rights reserved. 29

Unit 15: SAP HANA with ERP or S/4HANA and the Analytics Authorization Assistant (optional)

30 © Copyright. All rights reserved.

UNIT 16 Integration with SAP GRC (optional)

Lesson 1: Outlining SAP GRC Integration for Governance, Risk and ComplianceLesson ObjectivesAfter completing this lesson, you will be able to:

● Outline the integration options with SAP Access Control

© Copyright. All rights reserved. 31

Unit 16: Integration with SAP GRC (optional)

32 © Copyright. All rights reserved.

UNIT 17 Integration with SAP Identity Management (optional)

Lesson 1: Understanding SAP Identity Management IntegrationLesson ObjectivesAfter completing this lesson, you will be able to:

● Understand possible integrations with SAP Identity Management

© Copyright. All rights reserved. 33