Creating Analytic Privileges in SAP HANA Studio Technical Paper

Upload: swarup-sawant

Post on 11-May-2017


www.entota.com

This technical briefing paper explains the Analytic Privilege functionality that comes under User Management of SAP HANA. It aims to provide a high-level understanding of SAP HANA Analytic Privileges, including how to create, design and assign them.

“Analytic Privileges are used in the SAP HANA database to provide fine-grained control of what data particular users can see for analytic use. They provide the ability for row-level authorization, based on filtering the values in one or more columns. All Attribute Views, Analytic Views, and Calculation Views, which have been designed in the information modeler and have been activated from the information modeler of the SAP HANA studio, are automatically supported by the Analytic Privilege mechanism.” [1]

The following steps will demonstrate the granting of Analytic Privileges to users CAL_USR and CAL_USR_2 in order to allow reporting of the Analytic View (AN_EFASHION), restricting access to only show data for the STATE California.


Prerequisites / Assumptions

It is recommended that the reader of this document has implemented the following:

• SAP HANA Database has already been set up and configured and is reachable from the SAP HANA Studio.

• Data has been loaded into the SAP HANA Database and the applicable Attribute and Analytic Views from the efashion tutorial have been created. [2]

• Modelling privileges are present for the authenticating user when creating the Analytic Privilege.

• SYSTEM privileges are present for the authenticating user when creating users and systems and assigning roles / privileges.

It is assumed that the reader of this document is familiar with:

• SAP HANA Database Administrator (Version 1.50).

• SAP HANA Studio (Version 1.0.29) and the components within, e.g. Packages.

NOTE: Analytic Privileges can only be activated once. If there is a need to change the Analytic Privilege after it has been successfully activated, it must be deleted and re-created from scratch.


1 Opening SAP HANA Studio

Launch SAP HANA Studio by navigating to: Start > All Programs > SAP HANA Studio.

Once the SAP HANA Studio has successfully launched, connect to a SAP HANA System ensuring that:

• The authenticating user has a minimum of Modelling privileges present. Note: This is required to create, define and activate the Analytic Privilege.

• The Modeler view is selected.


2 Create Analytic Privilege

Right click the applicable Package under Content and click New > Analytic Privilege.

NOTE: If a package does not exist, create a new package by right clicking Content and clicking New > Package… SAP HANA Package names should only contain lowercase letters (a-z), numbers (0-9) and up to 9 dots (.). A dot must not be the last character in a package name.


Select the required Information Model to define the Analytic Privilege for. Click Finish.

NOTE: For the purposes of this demonstration, an Analytic View is selected; however, Analytic Privileges can be applied to Attribute, Analytic and Calculation Views within SAP HANA Studio.

Enter an appropriate name and description e.g. AP_EFASHION_STATE_CALI. Click Next.

NOTE: Analytic Privilege names should only contain letters (a-z, A-Z), numbers (0-9) or underscores (_).


3 Define Analytic Privilege

Once the Information Model(s) have been selected the following screen is presented. There are 3 main areas of interest (labelled 1-3) in the diagram on this page.

1 Reference Models: Select additional views for which this privilege should be valid (optional).

2 Associated Attributes Restrictions: Select attributes on which a restriction shall be defined (all fields from the views selected in Section 1 will be shown).

3 Assign Restrictions: Define value restrictions for the attributes selected in Section 2.

NOTE: Although this section is labelled ‘Assign Restrictions’, the actual action is to provide an allowance:

- A restriction prevents an action where it is granted by default.

- An allowance enables an action where it is denied by default.


3.1 Adding Filters

Under Associated Attributes Restrictions click Add… Select the desired attribute, in this case STATE under the AT_OUTLET, and click OK.

3.2 Adding Restrictions

Under Assign Restrictions click the Add button (this increases the counter for the number of restrictions for STATE in the Associated Attributes Restrictions section).

Click into the Value field and click the ellipsis icon. In the search window, search for California by typing (or partially typing) the value and clicking Find, or click Find without a value to display all possible values.

Select California from the search list and click OK.


3.3 Activating

Once the Analytic Privilege has been created, it must be saved and validated. Click the Save and Validate and Save and Activate icons.

A success message will appear under the Current tab of the Job Log.

NOTE: The following window is displayed if the authenticating user has privileges higher than a Modeling user/role i.e. SYSTEM. This screen will allow the user to add or remove other inactive Analytic Privileges.

Select the applicable Analytic Privileges and click Activate.


4 Assigning Analytic Privilege

There are 2 methods to achieve this: creating a user with specific privileges, or creating a Role and applying the role to a user. For further information regarding the privileges listed below, please see References [1].

NOTE: Assigning Analytic Privileges is an administrator task (i.e. performed as SYSTEM or as a user with the relevant permissions to grant privileges and create users/roles).

4.1 Method 1: Creating a user with specific privileges

Log on as a SYSTEM user. Create a new user called CAL_USR and assign the following roles and privileges.

NOTE: The naming convention for SAP HANA Roles should not contain spaces or special characters except (_).

• Granted Roles
  › Public

• SQL Privilege
  › _SYS_BI – Execute – With EXECUTE, SELECT, INSERT and UPDATE (not grantable to others)
  › _SYS_BIC – Execute – With EXECUTE and SELECT (not grantable to others)
  › REPOSITORY_REST (SYS) – With EXECUTE (not grantable to others)

• Analytic Privilege
  › AP_EFASHION_STATE_CALI (or any other Analytic Privilege that has been set up and activated)

• System Privilege
  › NONE

• Package Privilege
  › NAME OF PACKAGE - REPO.READ (not grantable to others) e.g. nr-efashion

NOTE: Only apply ROOT Package if the Analytic Privilege is required across different packages. In some cases SAP HANA Studio has been known to not find packages that actually exist. In this case ensure that the System node being used is not held within sub-folders in the Navigation panel.


4.2 Method 2: Creating a New Role

An alternative method is to create a new Role e.g. CAL_USERS and add the role to applicable users.

Within SAP HANA it is recommended practice to use roles to manage authorisation. A role is a collection of privileges and can be granted to either a user or another role (nesting roles).

“All the privileges granted directly or indirectly to a user are combined. This means whenever a user tries to access an object, the system performs an authorisation check using the user, the user’s roles, and directly allocated privileges.

It is not possible to explicitly deny privileges. This means that the system does not need to check all the user’s role. As soon as the requested privilege has been found, the system aborts the check and grants access.”[1]

This directly affects the view or result of your data and is a common reason why Analytic Privileges appear not to work: some indirect route, such as a privilege reached through a nested role, may still exist to allow the action.
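The combination rule quoted above can be modelled to trace which grant route is widening a user's view. The sketch below is an added example, not code from this paper or from SAP: the roles REPORTING_ALL and POWER_ANALYST, the privilege AP_EFASHION_ALL and all grant data are constructed, and each Analytic Privilege is simplified to a single attribute filter.

```python
# Simplified model of analytic-privilege resolution (added example).
# All grant data below is constructed; names marked hypothetical are not in the paper.
ROLE_GRANTS = {  # grantee (user or role) -> roles granted to it
    "CAL_USR_2": ["CAL_USERS", "REPORTING_ALL"],  # REPORTING_ALL: hypothetical
    "REPORTING_ALL": ["POWER_ANALYST"],           # nested role, hypothetical
}
AP_GRANTS = {  # grantee -> analytic privileges granted to it
    "CAL_USR": ["AP_EFASHION_STATE_CALI"],
    "CAL_USERS": ["AP_EFASHION_STATE_CALI"],
    "POWER_ANALYST": ["AP_EFASHION_ALL"],         # hypothetical
}
# privilege -> (view, attribute, allowed values); None means no value filter
ANALYTIC_PRIVILEGES = {
    "AP_EFASHION_STATE_CALI": ("AN_EFASHION", "STATE", {"California"}),
    "AP_EFASHION_ALL": ("AN_EFASHION", "STATE", None),
}


def grant_paths(user, view):
    """Return every (path, privilege) through which user holds a privilege on view."""
    found, stack = [], [(user,)]
    while stack:
        path = stack.pop()
        node = path[-1]
        for ap in AP_GRANTS.get(node, []):
            if ANALYTIC_PRIVILEGES[ap][0] == view:
                found.append((path, ap))
        for role in ROLE_GRANTS.get(node, []):
            if role not in path:  # ignore cyclic role nesting
                stack.append(path + (role,))
    return sorted(found)


def effective_values(user, view):
    """Union of allowed values over all paths. None = unfiltered, set() = no access."""
    allowed = set()
    for _, ap in grant_paths(user, view):
        values = ANALYTIC_PRIVILEGES[ap][2]
        if values is None:  # privileges are combined and cannot be denied
            return None
        allowed |= values
    return allowed


if __name__ == "__main__":
    for user in ("CAL_USR", "CAL_USR_2"):
        print(user, effective_values(user, "AN_EFASHION"))
        for path, ap in grant_paths(user, "AN_EFASHION"):
            print("   ", " -> ".join(path), "grants", ap)
```

In this constructed data CAL_USR_2 holds the California privilege through CAL_USERS, yet sees every STATE because a second, nested role carries an unfiltered privilege on the same view.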

To create a new role navigate to Catalog > Authorization > Roles – right click and click New Role.


Enter a name for the role e.g. ROLE_CAL and assign the following roles / privileges.

NOTE: The naming convention for SAP HANA Roles should not contain spaces or special characters except (_).

• Granted Roles
  › NONE

• Parted Roles
  › NONE

• SQL Privilege
  › _SYS_BI – Execute – With EXECUTE, SELECT, INSERT and UPDATE (not grantable to others)
  › _SYS_BIC – Execute – With EXECUTE and SELECT (not grantable to others)
  › REPOSITORY_REST (SYS) – With EXECUTE (not grantable to others)

• Analytic Privilege
  › AP_EFASHION_STATE_CALI (or any other Analytic Privilege that has been set up and activated)

• System Privilege
  › NONE

• Package Privilege
  › NAME OF PACKAGE - REPO.READ (not grantable to others) e.g. nr-efashion

NOTE: Only apply ROOT Package if the Analytic Privilege is required across different packages. In some cases SAP HANA Studio has been known to not find packages that actually exist. In this case ensure that the System node being used is not held within sub-folders in the Navigation panel.

4.2.1 Add a Role to a User

Log on to the system and create a new user e.g. CAL_USR_2 or select an existing user. Add the new Role (CAL_USERS) to the user under Granted Roles and click Deploy.


5 Consuming Analytic Privilege

This section will detail how to check that the user can read from Analytic View AN_EFASHION as expected within SAP HANA Studio.

NOTE: There are various other ways to consume data from a SAP HANA database (Microsoft Excel, SAP BusinessObjects BI Clients etc.) which are not covered in this document.

5.1 Add new system for user

Log on as a SYSTEM user. Create a new user called CAL_USR and assign the following roles and privileges.

1 Under the Navigator section right click the white space and click Add System…

2 Enter Hostname, Instance number and Description (Description is optional). Click Next.

3 Enter CAL_USR and password created above as the authenticated user. Click Next.

4 Click Finish.


5.2 Verify Results

Once connection to the new system has been established, navigate to Content > nr-efashion > Analytic View.

Right click AN_EFASHION and click Data Preview from the context menu.

Verify that the data contains only records where the STATE = California.


This concludes the steps required in order to create, define and apply Analytic Privileges with SAP HANA Studio.

References

[1] SAP HANA Security Guide (Including SAP HANA Database Security), SAP HANA Appliance Software SPS 04 – Public Document version 1.1 – 24/04/2012. http://help.sap.com/hana/hana1_sec_en.pdf

[2] Introduction to SAP HANA for Developers - A Pocketbook of Tutorials, Version 2.0 December 29, 2011. https://www.experiencesaphana.com/docs/DOC-1138


Acronyms

DS: SAP Data service

IM: Information Management

Confidentiality, Liability & Copyright

This document shall be treated as confidential. This document is only to be used and copied within the client company and in relation to the intended activity. The information and methodology in this document are proprietary to ENTOTA. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of ENTOTA. The information contained herein may be changed without prior notice.

ENTOTA assumes no responsibility for errors or omissions in this document. ENTOTA does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. ENTOTA shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. ENTOTA has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.


About ENTOTA

ENTOTA is one of the largest specialist SAP Data Services consultancies providing best of breed solutions in Data Migration, Data Governance, Data Integration and Data Warehousing. Formed by some of the most experienced SAP Information Management specialists in the industry, our sole focus is to help customers solve complex data challenges using SAP Data Services and related Information Management software.

We are a SAP Global Best Practice development partner and have played an active role in both the development and deployment of the SAP Data Migration framework. Our unrivalled depth of knowledge and unique approach is driven from years of project experience and a deep understanding of how data impacts business process. This combination of deep technical experience, innovative methodology, pre-built templates and commercial know-how means that your project will start delivering value from day one. To find out more simply visit www.entota.com or email [email protected]

www.linkedin.com/company/entota

www.twitter.com/entota