5.5 Mapping LDAP Groups to Roles
Starting with SAP HANA 2.0 SPS 03, Lightweight Directory Access Protocol (LDAP)-based users can now be provisioned within SAP HANA, and their LDAP-managed passwords can be used for authentication. In addition to authentication, starting with SAP HANA 2.0 SPS 00, you can also map SAP HANA database roles to LDAP groups to simplify authorization. Effectively, SAP HANA will look up a user’s group memberships in the LDAP directory. If the LDAP group is mapped to an SAP HANA role, the user will be granted the SAP HANA database role and its privileges. This check is performed each time a user is authenticated. Before you can use this functionality, you’ll need to set up and configure an LDAP provider within the SAP HANA system. We’ll discuss this setup in more detail in Chapter 12. In this section, we’ll review the process for mapping LDAP groups to roles using both SQL statements and the SAP HANA cockpit.
5.5.1 Mapping Roles with SQL
You can use SQL to create an SAP HANA database role and map that role to an LDAP group in a single step. You can also modify an existing role and add an LDAP group. (Note that you can’t map an LDAP group to a repository role at this time.) Let’s first review the SQL required to create a role and map it to an LDAP group in a single step. The following SQL statement will create the SAP HANA role ECORP_SECURITY_ADMINS and map it to the LDAP group HANA Security Team:
CREATE ROLE ECORP_SECURITY_ADMINS LDAP GROUP 'CN=HANA_SECURITY_TEAM,CN=Users,DC=ecorp,DC=com';
To modify an existing role and add an LDAP group mapping, run the following SQL statement, which adds the LDAP group HANA Security Team to the SAP HANA role ECORP_SECURITY_ADMINS:
ALTER ROLE ECORP_SECURITY_ADMINS ADD LDAP GROUP 'CN=HANA_SECURITY_TEAM,CN=Users,DC=ecorp,DC=com';
To remove the LDAP group mapping from a role, run the following SQL statement:
ALTER ROLE ECORP_SECURITY_ADMINS DROP LDAP GROUP 'CN=HANA_SECURITY_TEAM,CN=Users,DC=ecorp,DC=com';
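As an added example that is not part of the book, the three statements above extended into a small create-and-audit script: it creates and maps the role, grants it privileges, then verifies the mapping and reviews what the LDAP group now effectively receives. The catalog views SYS.ROLE_LDAP_GROUPS, SYS.GRANTED_PRIVILEGES and SYS.GRANTED_ROLES, with the columns shown, are assumptions to be checked against your release's system views reference.

```sql
-- Added example (not from the book): create, map, and audit an LDAP-mapped role.
-- Assumes SAP HANA 2.0 with an LDAP provider already configured (see Chapter 12)
-- and the system views SYS.ROLE_LDAP_GROUPS, SYS.GRANTED_PRIVILEGES and
-- SYS.GRANTED_ROLES with the columns used below (assumed; verify per release).

-- 1. Create the role and map it to the LDAP group in one statement.
CREATE ROLE ECORP_SECURITY_ADMINS
  LDAP GROUP 'CN=HANA_SECURITY_TEAM,CN=Users,DC=ecorp,DC=com';

-- 2. Grant only what the team needs: every member of the LDAP group
--    receives these privileges at their next authentication.
GRANT USER ADMIN TO ECORP_SECURITY_ADMINS;
GRANT ROLE ADMIN TO ECORP_SECURITY_ADMINS;
GRANT CATALOG READ TO ECORP_SECURITY_ADMINS;

-- 3. Verify the stored mapping. The DN must match the directory exactly;
--    a mistyped DN is accepted but maps nobody.
SELECT ROLE_NAME, LDAP_GROUP_NAME
  FROM SYS.ROLE_LDAP_GROUPS
 WHERE ROLE_NAME = 'ECORP_SECURITY_ADMINS';

-- 4. Review control: every LDAP-mapped role with the privileges it carries,
--    so a directory group that now holds USER ADMIN is visible to reviewers.
SELECT lg.ROLE_NAME,
       lg.LDAP_GROUP_NAME,
       gp.OBJECT_TYPE,
       gp.PRIVILEGE
  FROM SYS.ROLE_LDAP_GROUPS lg
  LEFT JOIN SYS.GRANTED_PRIVILEGES gp
    ON gp.GRANTEE = lg.ROLE_NAME
 ORDER BY lg.ROLE_NAME, gp.PRIVILEGE;

-- 5. Review control: LDAP-mapped roles that are ALSO granted directly to
--    users. Such grants survive removal from the LDAP group, so the
--    directory is no longer the single source of truth for that role.
SELECT gr.GRANTEE AS USER_NAME, gr.ROLE_NAME, gr.GRANTOR
  FROM SYS.GRANTED_ROLES gr
  JOIN SYS.ROLE_LDAP_GROUPS lg
    ON lg.ROLE_NAME = gr.ROLE_NAME
 WHERE gr.GRANTEE_TYPE = 'USER'
 ORDER BY gr.ROLE_NAME, gr.GRANTEE;
```

Because the group check runs at authentication, a user removed from the LDAP group keeps the role until the next login; the direct grants found in step 5 are not affected by the directory at all.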
In the next section, we’ll review the process for mapping LDAP groups to SAP HANA roles using the SAP HANA cockpit.
5.5.2 Mapping Roles with the SAP HANA Cockpit
As an alternative to using SQL statements, you can use the SAP HANA cockpit GUI action called Manage Roles to map an LDAP group to a role. This interface allows you to both add and remove LDAP groups from a standard role. Most users will find the SAP HANA cockpit easier than memorizing and entering SQL statements.
To access the Manage Roles area, start at the SAP HANA cockpit Home screen and locate an SAP HANA system in the Resource Directory. Connect to the desired tenant database or SYSTEMDB, which will take you to the System Overview window. Using the Filter by Area dropdown list, choose the option Security. Click the Manage Roles link in the User & Role Management tile. This action will launch the Manage Roles window, where you’ll see a list of roles on the left and the selected role’s properties on the right. The role list provides a search filter bar located at the top of the list that you can use to filter the list of roles. Select a role to reveal its assigned privileges in the Role Details pane to the right.
In the Role Details pane, locate the Edit button to the right of the role name, as shown in Figure 5.13. The role edit pane will appear, allowing you to modify basic information for the role such as its Comments, Schema, and LDAP Groups.
Figure 5.13 Locating the Edit Button to Configure the Role’s Mapped LDAP Group
In the LDAP Groups section, you’ll see the option to enable LDAP group mappings titled Assign LDAP Groups. Change the radio button option to Yes to enable additional LDAP group mapping options. In the LDAP Group Name field, click the Add LDAP Groups button and then type the name of the LDAP group using the LDAP naming convention, as shown in Figure 5.14.
Figure 5.14 Configuring LDAP Group Mappings Using the SAP HANA Cockpit
Click the Save button to enable the LDAP group mapping. To remove a mapping, click the remove icon (X in a circle) to the right of the listed LDAP group, and then save.
You now understand how you can use SQL and the SAP HANA cockpit to manage LDAP group mappings to roles.