11 Security
Securing access to functionality and business information is of high importance in most data warehouses. In this chapter, we’ll discuss the security capabilities, roles, and authorizations used in SAP BW/4HANA to help keep your organization’s information safe.
SAP BW/4HANA uses the user administration and authentication mechanisms from the Application Server for ABAP (AS ABAP), which is a role-based security framework. The standard ABAP security functions have been enhanced with customizable SAP BW/4HANA analysis authorizations to enable flexible security that can be designed to match the organizational structure in any company easily.
This chapter discusses the most important security concepts: authentication and authorizations within an SAP BW/4HANA system. We’ll start by providing an overview of the authentication methods supported by SAP BW/4HANA in Section 11.1, followed by a deep dive into the authorization concept in SAP BW/4HANA (Section 11.2). We’ll then review the standard authorization objects provided by SAP (Section 11.3), followed by a discussion of how to define and set up analysis authorizations (Section 11.4). Roles, which tie authorizations together and are used to assign both functionality and data access to end users, will be covered in Section 11.5. The process of assigning roles and other user administration activities will be covered in Section 11.6. Finally, we’ll conclude the chapter with a brief discussion of troubleshooting authorization problems (Section 11.7).
11.1 Authentication and Single Sign-On
The authentication process makes it possible to check a user’s identity before granting that user access to SAP BW/4HANA or to data in SAP BW/4HANA. Both AS ABAP and the SAP HANA database support various authentication mechanisms, as we’ll discuss in the following sections.
11.1.1 Application Server for ABAP Authentication
SAP BW/4HANA generally requires a user ID and password for logon, but it also supports Secure Network Communications (SNC) and SAP logon tickets. To make single sign-on (SSO) available for several systems, users can obtain an SAP logon ticket after logging on to the SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user doesn’t need to enter a user ID or password for authentication and can access the system directly after the system has checked the logon ticket.
As an alternative to user authentication with user IDs and passwords, users with Internet applications via the Internet Transaction Server (ITS) can provide X.509 client certificates. User authentication then takes place on the web server using the Secure Sockets Layer (SSL) protocol without transferring any passwords. User authorizations are valid in accordance with the authorization concept in the SAP system.
Note
SAP BW/4HANA uses the authentication and SSO mechanisms provided by SAP NetWeaver. The security recommendations and guidelines for user administration and authentication described in the Security Guide for SAP NetWeaver therefore also apply to SAP BW/4HANA.
11.1.2 SAP HANA Authentication
SAP HANA Studio supports both standard authentication and SSO using either SAML or Kerberos. Developers working in the Eclipse-based modeling tools always need SAP HANA Studio to work with BW projects, which access metadata objects in the backend system (SAP BW/4HANA).
A BW project represents a real system connection on the frontend client. Therefore, it requires an authorized user in order to access the backend system. With the standard authentication method, the user enters a user name and password to log on to the backend system.
Warning
Standard authentication with explicit entry of a user name and password means that the credentials entered on the frontend client are loaded as plain text into the memory of the local host. A password held locally in this way is a potential security weakness, because it could be extracted from memory by third parties.
Tip
Activating SNC for the selected system connection is mandatory for security reasons.
We recommend using SSO as well. When used with SNC, SSO also meets the security requirements for working with large-scale BW projects. With SSO, the user doesn’t need to enter a user name and password and can simply access the system as soon as the logon ticket has been checked.