6.4    SAP S/4HANA Security

The security strategy for SAP S/4HANA should be part of the overall landscape security strategy, including authentication and authorization. This includes user provisioning with correct roles so that the right users can perform the relevant role and have the option to access systems through Single Sign-On (SSO). There also needs to be audit logging so that a trace is available for critical user actions. Other aspects of security include encryption, network security, data center security certifications, and so on.

The SAP HANA platform provides unified security options from both the database perspective and the analytics engine perspective, as shown in Figure 6.20.

Figure 6.20    SAP HANA Security Model

The key security functions of the SAP HANA database are the following:

• Authentication and SSO
  SAP HANA supports basic authentication using username and password for both types of access, either through JDBC/ODBC access from the application server to the SAP HANA database or HTTP access used by web clients directly talking to the SAP HANA XS engine.
  SSO can be set using various means that are typically used in SAP environments such as Kerberos, Security Assertion Markup Language (SAML), SAP Logon and assertion tickets, and security certificates (e.g., X.509), depending on the access through web clients, GUI clients, and so on.
• User and role management through the identity store
  • For logon, users must exist in the identity store of the SAP HANA database.
  • Roles and privileges can be assigned to users and can be catalog or repository roles.
• SAP HANA authorization
  This can include the following privileges:
  • Database access privileges
  • Application privileges
  • Repository privileges
• Encryption
  Encryption can be at the communication, data, or data backup levels:
  • Data volume encryption is used to encrypt the data persisted in the database. However, when the data are loaded in memory, they are decrypted. Thus, the data in memory aren’t encrypted.
  • For certain applications that need encryption as part of security from an application perspective, the internal encryption service is available, for example, for storing credentials used by SAP HANA for outbound interfaces.
  • Instance Secure Store in File System (SSFS) is used to securely store internal root keys in the file systems.
• Audit logging
  This includes logging of critical events for security and compliance, for example:
  • User, role, privilege, and configuration changes
  • Data access logging
  • Read and write access (tables, views), and execution of procedures
  • Firefighter logging, for example, for support cases

On-premise deployments of SAP S/4HANA generally rely on the user management and authentication mechanisms provided with the SAP NetWeaver platform, specifically the SAP NetWeaver AS ABAP and the SAP HANA platform. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver AS ABAP Security Guide and SAP HANA platform also apply to SAP S/4HANA.

A few example scenarios and the type of permissions required in each case are shown in Figure 6.21.

Figure 6.21    SAP HANA User Scenarios

Following are some examples of user provisioning for the different layers of the application:

• SAP Fiori apps: Usability layer
  These apps requires user provisioning in the frontend server as well as the backend server. User provisioning for the SAP Fiori apps is done manually in the SAP Gateway, and the corresponding frontend roles are assigned. Depending on the type of SAP Fiori apps used, the roles need to be assigned in the ABAP frontend, ABAP backend, and SAP HANA database.
• SAP S/4HANA: Application layer
  User master data and roles are created in SAP S/4HANA for the end users and IT team. Role assignment needs to be done for the users. Authorizations will be provided to users based on the job roles they will perform in the organization.
• SAP HANA database: Database layer
  The user provisioning for the SAP HANA database will be carried out manually. As for the SAP Fiori apps (analytical app and fact sheets app), users may need access (privileges) in SAP HANA database, depending on configuration requirements of the specific SAP Fiori apps.