Purpose of the Document
The purpose of this blog is to explain how the GRC risk analysis functionality works for HANA DB users and roles, and to share a few HANA DB access risks (SoD and critical access) that I have come across as requirements in projects and that SAP also recommends as part of its HANA security checklist.
Designing a HANA DB rule set is challenging because HANA DB authorization involves several different types of privileges, and these privileges can be assigned to users either directly or through roles (which can themselves contain other roles), so a rule has to be evaluated against a user's effective access, not only against direct grants.
Different types of privileges in HANA DB are listed below:
System privileges (e.g. USER ADMIN, DATA ADMIN): system-wide administrative and development tasks
Object privileges (e.g. SELECT on a table or view): access to individual database objects
Analytic privileges (e.g. _SYS_BI_CP_ALL): row-level access to data in activated modeling views
Package privileges: read and edit access to repository packages and their content
Application privileges (e.g. sap.hana.xs.lm::Developer): access to XS applications and their functions
Access Model Setup in HANA DB
To set up and test the risk analysis functionality for HANA DB users and roles, you first have to perform the basic integration of the SAP GRC system with HANA DB. The details below focus on the technical setup: the DB connection from GRC to HANA DB, deployment of the delivery unit in HANA DB, and so on.
Required Configuration to enable GRC system integration with HANA DB
HANA Database Connector Setup
Create HANA database connector in GRC system using transaction code DBCO (Database Connection Maintenance)
DB Connection: Fill in the DB Connection name. This name will be used in the connector setup so name it accordingly.
DBMS: Select the type of Database Management System as “HDB” (HANA Database)
User Name and Password: valid credentials for connecting to HANA DB. The user must already exist in HANA DB and hold the privileges the GRC integration requires.
Since the database user behind the connector (GRC_FF in this case) is used only for the GRC-to-HANA DB connection and never for interactive logon, it is recommended to disable the password lifetime for this user: the password stays in place, but it no longer expires, so a forced password change cannot silently break the connector.
You can do this with the following SQL statements; the CONNECT statement confirms that the user can log on with the password that is stored in DBCO:
ALTER USER GRC_FF DISABLE PASSWORD LIFETIME
CONNECT GRC_FF PASSWORD <PASSWORD>
Connection Info: HANA database system details (Hostname details along with Port Number)
Save the database connection after entering all required details as mentioned above.
Testing HANA DB Connection created in GRC
HANA database connection can be tested using ABAP report “ADBC_TEST_CONNECTION”
Execute transaction SE38 and run report “ADBC_TEST_CONNECTION”
The HANA DB connection can also be verified using the transaction DBACOCKPIT.
HANA Database Connector in SM59
Create a connector in SM59 with connection type as “L” (Logical Destination) and connector name same as the connection created in DBCO.
HANA Connector Config Setup in GRC
Define connectors in the following IMG path
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connectors
Define connector groups in the following IMG path and assign HANA DB connectors to this connector group
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types ->Define Connector Groups
Maintain Connection Settings
As good practice, assign the connector to all available integration scenarios (AM, ROLMG, SUPMG, AUTH, PROV).
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings
Maintain Connector Settings
Maintain connector settings in the following path:
SPRO -> IMG -> GRC -> Access Control -> Maintain Connector Settings
Delivery Unit deployment in HANA DB
Deploying the delivery unit into HANA DB and activating the SQL procedures under the AC folder in HANA DB is a prerequisite; follow the steps in the following SAP Note:
https://launchpad.support.sap.com/#/notes/1869912
GRC Procedures Activation
Details on how the corresponding SQL procedures under the ARA and ARQ folders must be activated are also given in SAP Note 1869912.
SQL procedures under the ARA folder: execute in any sequence.
SQL procedures under the ARQ folder: execute the procedures starting with 'IS' or 'INS' first, then the procedures starting with GRANT and REVOKE, and finally the remaining procedures.
The "GET_USERS_SYNC" procedure has an updated version released through the following SAP Note. Download it from the note and activate it, because it is not updated by default even in the latest version:
2451688 – Repository sync job not syncing back user validity dates from HANA
There are a few errors you will come across during SQL procedure activation, such as those described in the note below. Go through the note and implement the corresponding procedures attached to it to resolve the errors:
2671192 – GRC HANA Plugin enablement for HANA 2.0 SPS 03
The Get_action_permissions_info.sql procedure may still throw an error. Fix it with the code shown below:
The manual steps in the note below must also be executed in HANA Studio or Web IDE even on the latest version (12.0), because some procedures in the ARQ folder have updates that must be applied manually in HANA DB:
2482955 – Redesign of logging and messaging in HANA Plugin
To improve the performance of role-level risk analysis, update the GET_ROLE_PERMISSION SQL procedure in the HANA system as per the following note:
2729781 – Performance upgrade for Role level Risk Analysis against a HANA system
HANA DB Rule set (Segregation of Duties and Critical Access Rules)
Critical Access (CA): sensitive or privileged tasks through which a user can take control of the system or affect its integrity, or that otherwise have a high impact on the system; such access should be assigned only to a defined, authorized group of users.
Following are some of the recommended Critical Access risks for HANA DB:
CA Risk #1: DATA ADMIN privilege
HANA DB Privilege/Role: DATA ADMIN system privilege
SAP Recommendations: 1. The system privilege DATA ADMIN is a powerful privilege. It authorizes a user to read all data in system views, as well as to execute all data definition language (DDL) commands in the SAP HANA database. No user in a production system should have this privilege, with the exception of the SYSTEM and _SYS_REPO users, which have it by default. 2. Executing SELECT * FROM GRANTED_PRIVILEGES WHERE PRIVILEGE = 'DATA ADMIN' should return only SYSTEM and _SYS_REPO.
Type of Risk: Critical Action
How to configure or implement the risk: Use the following action to create a function in the GRC system and then define a critical action risk for that function: DATA ADMIN
CA Risk #2: DEVELOPMENT privilege
HANA DB Privilege/Role: DEVELOPMENT system privilege
SAP Recommendations: The system privilege DEVELOPMENT authorizes some internal ALTER SYSTEM commands. No user should have this privilege, with the exception of the SYSTEM and _SYS_REPO users, which have it by default. You can verify whether a user has the DEVELOPMENT privilege by executing SELECT * FROM GRANTED_PRIVILEGES WHERE PRIVILEGE = 'DEVELOPMENT'.
Type of Risk: Critical Action
How to configure or implement the risk: Use the following actions to create a function in the GRC system and then define a critical action risk for that function: DEVELOPMENT (the system privilege the recommendation refers to) together with the XS development application privileges sap.hana.xs.lm::Developer, sap.hana.xs.lm::DevelopmentExpert and sap.hana.xs.lm.hanaCockpit::WidgetAccess:developerCatalog
CA Risk #3: CATALOG READ and TRACE ADMIN (support users)
HANA DB Privilege/Role: System privileges for support users
SAP Recommendations: Only administrative or support users should have the system privileges CATALOG READ and TRACE ADMIN in a production system.
Type of Risk: Critical Action
How to configure or implement the risk: Use the following actions to create a function in the GRC system and then define a critical action risk for that function: CATALOG READ, TRACE ADMIN
CA Risk #4: DEBUG and ATTACH DEBUGGER privileges
HANA DB Privilege/Role: DEBUG, DEBUG MODIFY and ATTACH DEBUGGER system privileges
SAP Recommendations: The privileges DEBUG, DEBUG MODIFY and ATTACH DEBUGGER should not be assigned to any user in production systems.
Type of Risk: Critical Action
How to configure or implement the risk: Use the following actions to create a function in the GRC system and then define a critical action risk for that function: ATTACH DEBUGGER, DEBUG, DEBUG MODIFY
CA Risk #5: Administrative system privileges
HANA DB Privilege/Role: System privileges for administrators
SAP Recommendations: Only administrative users should have the system privileges listed below.
Type of Risk: Critical Action
How to configure or implement the risk: Use the following actions to create a function in the GRC system and then define a critical action risk for that function: ADAPTER ADMIN, AGENT ADMIN, AUDIT ADMIN, AUDIT OPERATOR, BACKUP ADMIN, BACKUP OPERATOR, CERTIFICATE ADMIN, CREATE REMOTE SOURCE, CREDENTIAL ADMIN, EXTENDED STORAGE ADMIN, INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, MONITOR ADMIN, OPTIMIZER ADMIN, RESOURCE ADMIN, SAVEPOINT ADMIN, SERVICE ADMIN, SESSION ADMIN, SSL ADMIN, TABLE ADMIN, TRUST ADMIN, VERSION ADMIN, WORKLOAD ADMIN
CA Risk #6: CONTENT_ADMIN role
HANA DB Privilege/Role: CONTENT_ADMIN role
SAP Recommendations: The CONTENT_ADMIN role is very privileged and should not be granted to users, particularly in production systems. The CONTENT_ADMIN role should only be used as a template.
Type of Risk: Critical Role or Critical Action
How to configure or implement the risk: Option 1: define the "CONTENT_ADMIN" role as a critical role in the GRC system. Option 2: use the following actions to create a function in the GRC system and then define a critical action risk for that function: CREATE SCENARIO, CREATE STRUCTURED PRIVILEGE, REPO.EXPORT, REPO.IMPORT, REPO.MAINTAIN_DELIVERY_UNITS, REPO.WORK_IN_FOREIGN_WORKSPACE, STRUCTUREDPRIVILEGE ADMIN
CA Risk #7: _SYS_BI_CP_ALL analytic privilege
HANA DB Privilege/Role: The _SYS_BI_CP_ALL analytic privilege should not be granted to users
SAP Recommendations: The MODELING role contains the predefined analytic privilege _SYS_BI_CP_ALL. This analytic privilege potentially allows a user to access all the data in activated views that are protected by XML-based analytic privileges, regardless of any other analytic privileges that apply. Although the user must also have the SELECT object privilege on the views to actually access the data, the _SYS_BI_CP_ALL analytic privilege should not be granted to users, particularly in production systems. For this reason, the MODELING role should only be used as a template.
Type of Risk: Critical Role or Critical Action
How to configure or implement the risk: Option 1: define "[AP]_SYS_BI_CP_ALL" as a critical role in the GRC system. Option 2: use the following actions to create a function in the GRC system and then define a critical action risk for that function: _SYS_BI:*, _SYS_BIC:*, _SYS_BI_CP_ALL
CA Risk #8: SAP_INTERNAL_HANA_SUPPORT role
HANA DB Privilege/Role: SAP_INTERNAL_HANA_SUPPORT role
SAP Recommendations: Should be granted only to SAP HANA development support users for their support activities. To avoid accidental use of this role in day-to-day activities, restrictions apply to the SAP_INTERNAL_HANA_SUPPORT role; for example, it cannot be granted to the SYSTEM user.
Type of Risk: Critical Role
How to configure or implement the risk: Define the "SAP_INTERNAL_HANA_SUPPORT" role as a critical role in the GRC system.
CA Risk #9: Application Function Library (AFL) roles
HANA DB Privilege/Role: Grant Application Function Library (AFL) roles only to authorized users
SAP Recommendations: Grant Application Function Library (AFL) roles only to users who need to execute Predictive Analysis Library (PAL) and SAP HANA Business Function Library (BFL) procedures.
Type of Risk: Critical Role
How to configure or implement the risk: Define the following roles as critical roles in the GRC system: AFL__SYS_AFL_AFLPAL_EXECUTE, AFL__SYS_AFL_AFLPAL_EXECUTE_WITH_GRANT_OPTION, AFL__SYS_AFL_AFLBFL_EXECUTE, AFL__SYS_AFL_AFLBFL_EXECUTE_WITH_GRANT_OPTION
Segregation of Duties (SoD): a deliberate separation of the accesses needed to perform certain functions, because granting those accesses together to a single user would allow fraudulent activity to be carried out without a second person being involved.
SoD Risk #1: USER ADMIN vs. ROLE ADMIN
HANA DB Privilege/Role: Critical combination of system privileges that should not be granted together
SAP Recommendations: USER ADMIN vs. ROLE ADMIN (a single user who can both maintain users and maintain roles can grant any access, including to themselves, without a second person being involved)
Type of Risk: Segregation of Duties
How to configure or implement the risk: Use the following actions to create Function 1 (Maintain User Master) in the GRC system: USER ADMIN, USERGROUP OPERATOR. Use the following action to create Function 2 (Maintain Roles): ROLE ADMIN. Then define an SoD risk between Function 1 and Function 2.
SoD Risk #2: CREATE SCENARIO vs. SCENARIO ADMIN
HANA DB Privilege/Role: Critical combination of system privileges that should not be granted together
SAP Recommendations: CREATE SCENARIO vs. SCENARIO ADMIN
Type of Risk: Segregation of Duties
How to configure or implement the risk: Use the following action to create Function 1 (Maintain Scenarios) in the GRC system: CREATE SCENARIO. Use the following action to create Function 2 (Scenario Admin): SCENARIO ADMIN. Then define an SoD risk between Function 1 and Function 2.
SoD Risk #3: AUDIT ADMIN vs. AUDIT OPERATOR
HANA DB Privilege/Role: Critical combination of system privileges that should not be granted together
SAP Recommendations: AUDIT ADMIN vs. AUDIT OPERATOR (AUDIT ADMIN maintains the audit policies, AUDIT OPERATOR can clear the audit log; held together they let one user both decide what is audited and remove the evidence)
Type of Risk: Segregation of Duties
How to configure or implement the risk: Use the following action to create Function 1 (Audit Administration) in the GRC system: AUDIT ADMIN. Use the following action to create Function 2 (Audit Operations): AUDIT OPERATOR. Then define an SoD risk between Function 1 and Function 2.
SoD Risk #4: CREATE STRUCTURED PRIVILEGE vs. STRUCTUREDPRIVILEGE ADMIN
HANA DB Privilege/Role: Critical combination of system privileges that should not be granted together
SAP Recommendations: CREATE STRUCTURED PRIVILEGE vs. STRUCTUREDPRIVILEGE ADMIN
Type of Risk: Segregation of Duties
How to configure or implement the risk: Use the following action to create Function 1 (Maintain Structured Privileges) in the GRC system: CREATE STRUCTURED PRIVILEGE. Use the following action to create Function 2 (Structured Privileges Administration): STRUCTUREDPRIVILEGE ADMIN. Then define an SoD risk between Function 1 and Function 2.
HANA DB Rules Configuration in GRC
Below are some of the functions which have been configured in GRC for HANA DB.
Function 1: User Admin Privileges
Function 2: Role Admin Privileges
SoD Risk: User Admin Privileges vs. Role Admin Privileges
SoD Risk: User Admin Privileges vs. Role Admin Privileges (Generated Rules)
HANA DB Risk Analysis in GRC
For testing user-level risk analysis, I created a test user ID (EXT_MADS) with the USER ADMIN and ROLE ADMIN system privileges.
User level Risk Analysis
Results
For testing role-level risk analysis, I used the PI Admin role, which has the USER ADMIN and ROLE ADMIN system privileges.
Role level Risk Analysis
Results
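The rule set above and the user- and role-level analysis in this section, as an added example that is not part of the original post and not SAP GRC code: a small Python model of how critical action, critical role and SoD risks are evaluated against a HANA privilege snapshot, including privileges that arrive through nested roles (which is why a user who holds ROLE ADMIN only via a role still hits the USER ADMIN vs. ROLE ADMIN risk, exactly as GRC reports it for EXT_MADS and the PI Admin role). The snapshot rows, the grantee names other than SYSTEM and _SYS_REPO, the function names and the risk IDs H001 to H005 are constructed for the example; treating SYSTEM and _SYS_REPO as exempt from the DATA ADMIN rule is a simplification of GRC's own exclusion and mitigation handling, and analytic privileges are shown as plain names rather than with GRC's [AP] prefix.

```python
"""Toy model of GRC Access Risk Analysis over a HANA privilege snapshot.
Constructed example for this post, not SAP GRC code, and it does not talk to a
HANA system: the rows mimic a subset of the columns of the HANA system views
GRANTED_PRIVILEGES and GRANTED_ROLES, and all names and risk IDs are made up."""
from fnmatch import fnmatchcase

# (GRANTEE, GRANTEE_TYPE, PRIVILEGE) rows as GRANTED_PRIVILEGES would list them.
GRANTED_PRIVILEGES = [
    ("SYSTEM", "USER", "DATA ADMIN"),        # default holders of DATA ADMIN
    ("_SYS_REPO", "USER", "DATA ADMIN"),
    ("BW_DEV", "USER", "DATA ADMIN"),        # a developer who should not hold it
    ("EXT_MADS", "USER", "USER ADMIN"),      # direct grant, like the test user above
    ("ROLE_ADMIN_R", "ROLE", "ROLE ADMIN"),
    ("PI_ADMIN", "ROLE", "USER ADMIN"),      # role holding both sides of an SoD risk
    ("PI_ADMIN", "ROLE", "ROLE ADMIN"),
    ("AUDIT_R", "ROLE", "AUDIT ADMIN"),
    ("AUDIT_R", "ROLE", "AUDIT OPERATOR"),
    ("MODELING", "ROLE", "_SYS_BI_CP_ALL"),  # analytic privilege inside MODELING
]
# (GRANTEE, GRANTEE_TYPE, ROLE_NAME) rows as GRANTED_ROLES would list them.
GRANTED_ROLES = [
    ("EXT_MADS", "USER", "ROLE_ADMIN_R"),    # ROLE ADMIN arrives only via a role
    ("ANALYST", "USER", "MODELING"),
    ("PI_ADMIN", "ROLE", "AUDIT_R"),         # nested role: a role granted to a role
    ("SUPPORT", "USER", "SAP_INTERNAL_HANA_SUPPORT"),
]

# GRC functions: named groups of HANA actions (privileges); '*' is a wildcard.
FUNCTIONS = {
    "HDB_DATA_ADMIN": ["DATA ADMIN"],
    "HDB_USER_ADMIN": ["USER ADMIN", "USERGROUP OPERATOR"],
    "HDB_ROLE_ADMIN": ["ROLE ADMIN"],
    "HDB_AUDIT_ADMIN": ["AUDIT ADMIN"],
    "HDB_AUDIT_OPER": ["AUDIT OPERATOR"],
    "HDB_BI_CP_ALL": ["_SYS_BI:*", "_SYS_BIC:*", "_SYS_BI_CP_ALL"],
}
# A critical action risk needs its one function, an SoD risk needs all of its
# functions held together, a critical role risk matches role names. 'exempt'
# models the SYSTEM/_SYS_REPO exception to the DATA ADMIN recommendation.
RISKS = [
    {"id": "H001", "type": "Critical Action", "functions": ["HDB_DATA_ADMIN"],
     "exempt": {"SYSTEM", "_SYS_REPO"}},
    {"id": "H002", "type": "SoD", "functions": ["HDB_USER_ADMIN", "HDB_ROLE_ADMIN"]},
    {"id": "H003", "type": "SoD", "functions": ["HDB_AUDIT_ADMIN", "HDB_AUDIT_OPER"]},
    {"id": "H004", "type": "Critical Action", "functions": ["HDB_BI_CP_ALL"]},
    {"id": "H005", "type": "Critical Role",
     "roles": ["CONTENT_ADMIN", "SAP_INTERNAL_HANA_SUPPORT"]},
]


def effective(grantee, _seen=None):
    """(privileges, roles) held directly or through nested roles; _seen guards
    against grant cycles and keeps each role from being expanded twice."""
    seen = set() if _seen is None else _seen
    privs = {p for g, _, p in GRANTED_PRIVILEGES if g == grantee}
    roles = set()
    for g, _, role in GRANTED_ROLES:
        if g == grantee and role not in seen:
            seen.add(role)
            roles.add(role)
            sub_privs, sub_roles = effective(role, seen)
            privs |= sub_privs
            roles |= sub_roles
    return privs, roles


def holds_function(privs, function):
    """A function is held when any of its action patterns matches a privilege."""
    return any(fnmatchcase(p, pat) for p in privs for pat in FUNCTIONS[function])


def analyze(grantee):
    """Risk IDs hit by a user (user-level) or a role (role-level analysis)."""
    privs, roles = effective(grantee)
    hits = []
    for risk in RISKS:
        if risk["type"] == "Critical Role":
            if roles & set(risk["roles"]):
                hits.append(risk["id"])
        elif grantee not in risk.get("exempt", set()) and all(
                holds_function(privs, f) for f in risk["functions"]):
            hits.append(risk["id"])
    return hits


def data_admin_holders():
    """The check from CA Risk #1: who holds DATA ADMIN besides SYSTEM and _SYS_REPO."""
    return sorted({g for g, _, p in GRANTED_PRIVILEGES
                   if p == "DATA ADMIN" and g not in {"SYSTEM", "_SYS_REPO"}})


def run_analysis():
    """Batch analysis over every user and role appearing in the snapshot."""
    grantees = {g for g, _, _ in GRANTED_PRIVILEGES} | {g for g, _, _ in GRANTED_ROLES}
    return {g: analyze(g) for g in sorted(grantees)}


if __name__ == "__main__":
    for grantee, risks in run_analysis().items():
        print(f"{grantee:14} {', '.join(risks) or 'no risk'}")
    print("unexpected DATA ADMIN holders:", data_admin_holders())
```

Running the block prints one line per user and role: EXT_MADS and PI_ADMIN both hit H002 (PI_ADMIN additionally hits H003 through the nested AUDIT_R role), BW_DEV is the only unexpected DATA ADMIN holder, and SYSTEM and _SYS_REPO stay clean. To run the same logic against a real system, replace the two constructed lists with the rows of GRANTED_PRIVILEGES and GRANTED_ROLES exported from HANA.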