SAP GRC 10.1/12.0 – HANA DB Rule set and Risk Analysis

 

Purpose of the Document

The purpose of this blog is to explain how GRC risk analysis functionality works for HANA DB users and roles, and to share a few HANA DB access risks (SoD and Critical Access) which I have come across as requirements in a few projects and which are also recommended by SAP as part of the HANA security checklist.

Designing a HANA DB rule set is challenging because HANA DB authorization involves different types of access privileges, and these privileges can be assigned to users either directly or through roles.

Different types of privileges in HANA DB are listed below:

Access Model Setup in HANA DB

To set up and test the risk analysis functionality for HANA DB users and roles, first perform the basic integration of the SAP GRC system with HANA DB. The details below focus on the technical setup, which includes the DB connection setup from GRC to HANA DB, the deployment of the Delivery Unit in HANA DB, etc.

Required Configuration to enable GRC system integration with HANA DB

 

HANA Database Connector Setup

Create the HANA database connector in the GRC system using transaction code DBCO (Database Connection Maintenance).

DB Connection: Fill in the DB connection name. This name will be used in the connector setup, so name it accordingly.

DBMS: Select the type of Database Management System as “HDB” (HANA Database).

User Name and Password: Valid user authentication details to connect to HANA DB. The user must already exist in HANA DB and be assigned the required privileges.

Since the RFC user (GRC_FF in this case) is used for integration between GRC and HANA DB and not for interactive use or manual login to the database, it is recommended that the password lifetime check for this user is disabled (i.e. no password change is required).

You can do this using the following SQL commands:

ALTER USER GRC_FF DISABLE PASSWORD LIFETIME;
CONNECT GRC_FF PASSWORD <PASSWORD>;

Connection Info: HANA database system details (Hostname details along with Port Number)

Save the database connection after entering all required details as mentioned above.

Testing HANA DB Connection created in GRC

The HANA database connection can be tested using the ABAP report “ADBC_TEST_CONNECTION”.

Execute transaction SE38 and run report “ADBC_TEST_CONNECTION”.

The HANA DB connection can also be verified using transaction “DBACOCKPIT”.

HANA Database Connector in SM59

Create a connector in SM59 with connection type “L” (Logical Destination) and with the same connector name as the connection created in DBCO.

HANA Connector Config Setup in GRC

Define connectors in the following IMG path

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connectors

Define connector groups in the following IMG path and assign HANA DB connectors to this connector group

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connector Groups

Maintain Connection Settings

Connectors must be assigned to all available integration scenarios (AM, ROLMG, SUPMG, AUTH, PROV), as this is good practice.

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings

Maintain Connector Settings

Maintain connector settings in the following path:

SPRO -> IMG -> GRC -> Access Control -> Maintain Connector Settings

Delivery Unit deployment in HANA DB

Deploying the Delivery Unit into HANA DB and activating the SQL procedures under the AC folder in HANA DB is a prerequisite and must be done according to the steps in the following SAP Note:

https://launchpad.support.sap.com/#/notes/1869912

GRC Procedures Activation

Details on how to activate the corresponding SQL procedures under the ARA and ARQ folders are available in SAP Note 1869912.

SQL procedures under the ARA folder – execute in any sequence.

SQL procedures under the ARQ folder – execute procedures starting with ‘IS’ or ‘INS’ first, followed by procedures starting with GRANT and REVOKE, and finally the remaining procedures.

The “GET_USERS_SYNC” procedure has an updated version released through the following SAP Note. Download it from the note and activate it, as the latest version does not include the update by default.

2451688 – Repository sync job not syncing back user validity dates from HANA

However, you will come across a few errors during SQL procedure activation, such as those covered by the note below. Please go through the note and then implement the corresponding procedures attached to it to resolve the errors:

2671192 – GRC HANA Plugin enablement for HANA 2.0 SPS 03

Get_action_permissions_info.sql procedure may still throw error. Please fix with code as shown below:

The manual steps mentioned in the note below must also be executed in HANA Studio or Web IDE, even if you are on the latest version 12.0, as there are some updates to procedures in the ARQ folder which need to be applied manually in HANA DB.


2482955 – Redesign of logging and messaging in HANA Plugin

To improve the performance of role risk analysis, update the GET_ROLE_PERMISSION SQL procedure in the HANA system as per the following note:

2729781 – Performance upgrade for Role level Risk Analysis against a HANA system

HANA DB Rule set (Segregation of Duties and Critical Access Rules)

Critical Access (CA): Sensitive or privileged tasks by which a user can take control of the system, affecting its integrity, or which can have a high impact on the system. These should be assigned to a certain authorized group of users only.

Following are some of the recommended Critical Access risks for HANA DB:

CA Risk #1:

HANA DB Privilege/Role: DATA ADMIN Privilege

SAP Recommendations:
1. The system privilege DATA ADMIN is a powerful privilege. It authorizes a user to read all data in system views, as well as to execute all data definition language (DDL) commands in the SAP HANA database. No user in a production system should have this privilege, with the exception of the SYSTEM and _SYS_REPO users, which have this privilege by default.
2. Executing select * from GRANTED_PRIVILEGES where privilege = 'DATA ADMIN' should return only SYSTEM and _SYS_REPO.

Type of Risk: Critical Action

How to configure or implement the risk: Use following action to create a function in GRC system and then define a critical action risk for that function:

DATA ADMIN

CA Risk #2:

HANA DB Privilege/Role: DEVELOPMENT privilege

SAP Recommendations: The system privilege DEVELOPMENT authorizes some internal ALTER SYSTEM commands. No user should have this privilege, with the exception of the SYSTEM and _SYS_REPO users, which have this privilege by default.

You can verify whether a user has the DEVELOPMENT privilege by executing SELECT * from granted_privileges where privilege = 'DEVELOPMENT'

Type of Risk: Critical Action

How to configure or implement the risk: Use following action to create a function in GRC system and then define a critical action risk for that function:

sap.hana.xs.lm::Developer

sap.hana.xs.lm::DevelopmentExpert

sap.hana.xs.lm.hanaCockpit::WidgetAccess:developerCatalog

CA Risk #3:

HANA DB Privilege/Role: System Privileges (Support Users)

SAP Recommendations: Only administrative or support users should have the system privileges CATALOG READ and TRACE ADMIN in a production system.

Type of Risk: Critical Action

How to configure or implement the risk: Use following actions to create a function in GRC system and then define a critical action risk for that function:

CATALOG READ
TRACE ADMIN

CA Risk #4:

HANA DB Privilege/Role: DEBUG and ATTACH DEBUGGER privileges

SAP Recommendations: Privileges DEBUG, DEBUG MODIFY and ATTACH DEBUGGER should not be assigned to any user in production systems.

Type of Risk: Critical Action

How to configure or implement the risk: Use following actions to create a function in GRC system and then define a critical action risk for that function:

ATTACH DEBUGGER
DEBUG
DEBUG MODIFY

CA Risk #5:

HANA DB Privilege/Role: System Privileges (Administrators)

SAP Recommendations: Only administrative users should have the mentioned system privileges.

Type of Risk: Critical Action

How to configure or implement the risk: Use following actions to create a function in GRC system and then define a critical action risk for that function:

ADAPTER ADMIN
AGENT ADMIN
AUDIT ADMIN
AUDIT OPERATOR
BACKUP ADMIN
BACKUP OPERATOR
CERTIFICATE ADMIN
CREATE REMOTE SOURCE
CREDENTIAL ADMIN
EXTENDED STORAGE ADMIN
INIFILE ADMIN
LICENSE ADMIN
LOG ADMIN
MONITOR ADMIN
OPTIMIZER ADMIN
RESOURCE ADMIN
SAVEPOINT ADMIN
SERVICE ADMIN
SESSION ADMIN
SSL ADMIN
TABLE ADMIN
TRUST ADMIN
VERSION ADMIN
WORKLOAD ADMIN

CA Risk #6:

HANA DB Privilege/Role: CONTENT_ADMIN role

SAP Recommendations: The CONTENT_ADMIN role is very privileged and should not be granted to users, particularly in production systems. The CONTENT_ADMIN role should only be used as a template.

Type of Risk: Critical Role or Critical Action

How to configure or implement the risk:

Option 1: “CONTENT_ADMIN” role can be defined as a critical role in GRC system.

Option 2: Use following actions to create a function in GRC system and then define a critical action risk for that function:

CREATE SCENARIO
CREATE STRUCTURED PRIVILEGE
REPO.EXPORT
REPO.IMPORT
REPO.MAINTAIN_DELIVERY_UNITS
REPO.WORK_IN_FOREIGN_WORKSPACE
STRUCTUREDPRIVILEGE ADMIN

CA Risk #7:

HANA DB Privilege/Role: _SYS_BI_CP_ALL analytic privilege should not be granted to users

SAP Recommendations: The MODELING role contains the predefined analytic privilege _SYS_BI_CP_ALL.

This analytic privilege potentially allows a user to access all the data in activated views that are protected by XML-based analytic privileges, regardless of any other analytic privileges that apply.

Although the user must also have the SELECT object privilege on the views to actually be able to access data, the _SYS_BI_CP_ALL analytic privilege should not be granted to users, particularly in production systems.

For this reason, the MODELING role should only be used as a template.

Type of Risk: Critical Role or Critical Action

How to configure or implement the risk:

Option 1: “[AP]_SYS_BI_CP_ALL” role can be defined as a critical role in GRC system.

Option 2: Use following actions to create a function in GRC system and then define a critical action risk for that function:

_SYS_BI:*
_SYS_BIC:*
_SYS_BI_CP_ALL

CA Risk #8:

HANA DB Privilege/Role: SAP_INTERNAL_HANA_SUPPORT role

SAP Recommendations: Should be granted only to SAP HANA development support users for their support activities.
To avoid accidental use of this role in day-to-day activities, the following restrictions apply to the SAP_INTERNAL_HANA_SUPPORT role. It cannot be granted to the SYSTEM user.

Type of Risk: Critical Role

How to configure or implement the risk: “SAP_INTERNAL_HANA_SUPPORT” role can be defined as a critical role in GRC system.

CA Risk #9:

HANA DB Privilege/Role: Grant Application Function Library (AFL) Roles only to authorized users

SAP Recommendations: Grant Application Function Library (AFL) Roles only to users who need to execute Predictive Analysis Library (PAL) and SAP HANA Business Function Library (BFL) procedures.

Type of Risk: Critical Role

How to configure or implement the risk: Following roles will be defined as critical roles in GRC system:

AFL__SYS_AFL_AFLPAL_EXECUTE
AFL__SYS_AFL_AFLPAL_EXECUTE_WITH_GRANT_OPTION
AFL__SYS_AFL_AFLBFL_EXECUTE
AFL__SYS_AFL_AFLBFL_EXECUTE_WITH_GRANT_OPTION

Segregation of Duties (SoD): Conscious separation of the accesses needed to perform certain functions, where a fraudulent activity can be performed when these accesses are granted together to a single user.

SoD Risk #1:

HANA DB Privilege/Role: Critical combinations of system privileges should not be granted together

SAP Recommendations: USER ADMIN vs. ROLE ADMIN

Type of Risk: Segregation of Duties

How to configure or implement the risk:

Use following actions to create Function 1: Maintain User Master in GRC system:

USER ADMIN
USERGROUP OPERATOR

Use following actions to create Function 2: Maintain Roles:

ROLE ADMIN

SoD Risk #2:

HANA DB Privilege/Role: Critical combinations of system privileges should not be granted together

SAP Recommendations: CREATE SCENARIO vs. SCENARIO ADMIN

Type of Risk: Segregation of Duties

How to configure or implement the risk:

Use following actions to create Function 1: Maintain Scenarios:

CREATE SCENARIO

Use following actions to create Function 2: Scenario Admin:

SCENARIO ADMIN

SoD Risk #3:

HANA DB Privilege/Role: Critical combinations of system privileges should not be granted together

SAP Recommendations: AUDIT ADMIN vs. AUDIT OPERATOR

Type of Risk: Segregation of Duties

How to configure or implement the risk:

Use following actions to create Function 1: Audit Administration

AUDIT ADMIN

Use following actions to create Function 2: Audit Operations

AUDIT OPERATOR

SoD Risk #4:

HANA DB Privilege/Role: Critical combinations of system privileges should not be granted together

SAP Recommendations: CREATE STRUCTURED PRIVILEGE vs. STRUCTUREDPRIVILEGE ADMIN

Type of Risk: Segregation of Duties

How to configure or implement the risk:

Use following actions to create Function 1: Maintain Structured Privileges

CREATE STRUCTURED PRIVILEGE

Use following actions to create Function 2: Structured Privileges Administration

STRUCTUREDPRIVILEGE ADMIN

HANA DB Rules Configuration in GRC

Below are some of the functions which have been configured in GRC for HANA DB.

Function 1: User Admin Privileges

Function 2: Role Admin Privileges

SoD Risk: User Admin Privileges vs. Role Admin Privileges

SoD Risk: User Admin Privileges vs. Role Admin Privileges (Generated Rules)

HANA DB Risk Analysis in GRC

For testing user risk analysis, I have created a Test User ID (EXT_MADS) with access to User Admin and Role Admin system privileges.

User level Risk Analysis

Results

For testing role risk analysis, I have used PI Admin role which has access to User Admin and Role Admin system privileges.

Role level Risk Analysis

Results
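
The rule set and risk analysis logic described in this blog, as an added example that is not part of the original post and not SAP's implementation: a simplified Python model in which functions group HANA privileges, a risk combines one function (critical action) or two (SoD), rules are generated per action combination, and a user's or role's privileges are resolved through direct grants and nested roles. The risk IDs, the "Debugging" function name, and all users and roles in the sample data are constructed for illustration.

```python
from itertools import product

# Functions group HANA actions (system privileges) as listed in the risks above.
# The "Debugging" function name is hypothetical; the page names no CA function.
FUNCTIONS = {
    "Maintain User Master": {"USER ADMIN", "USERGROUP OPERATOR"},
    "Maintain Roles": {"ROLE ADMIN"},
    "Audit Administration": {"AUDIT ADMIN"},
    "Audit Operations": {"AUDIT OPERATOR"},
    "Debugging": {"ATTACH DEBUGGER", "DEBUG", "DEBUG MODIFY"},
}
# One function = critical action risk, two = SoD risk. Risk IDs are hypothetical.
RISKS = {
    "SOD1": ("Maintain User Master", "Maintain Roles"),
    "SOD3": ("Audit Administration", "Audit Operations"),
    "CA4": ("Debugging",),
}

def generate_rules(risks=RISKS, functions=FUNCTIONS):
    """Expand each risk into action-level rules: one action from every function."""
    return [(rid, combo) for rid, funcs in risks.items()
            for combo in product(*(sorted(functions[f]) for f in funcs))]

def effective_privileges(grantee, direct, role_grants, _seen=None):
    """Privileges held directly plus those inherited through (nested) roles."""
    seen = _seen if _seen is not None else set()
    if grantee in seen:  # guard against cyclic role grants
        return set()
    seen.add(grantee)
    privs = set(direct.get(grantee, ()))
    for role in role_grants.get(grantee, ()):
        privs |= effective_privileges(role, direct, role_grants, seen)
    return privs

def analyze(grantee, direct, role_grants):
    """Return the generated rules that the grantee (user or role) violates."""
    held = effective_privileges(grantee, direct, role_grants)
    return [(rid, combo) for rid, combo in generate_rules() if held.issuperset(combo)]

# Constructed sample data (not taken from a real system).
DIRECT = {  # grantee -> system privileges granted directly
    "DEMO_USER": {"USER ADMIN"},
    "Z_ROLE_MAINT": {"ROLE ADMIN"},
    "Z_DEMO_ADMIN": {"USER ADMIN", "ROLE ADMIN"},
    "AUDITOR1": {"AUDIT OPERATOR", "CATALOG READ"},
}
ROLE_GRANTS = {  # grantee -> roles granted to it
    "DEMO_USER": {"Z_SECURITY_TEAM"},
    "Z_SECURITY_TEAM": {"Z_ROLE_MAINT"},
}
```

Here DEMO_USER holds USER ADMIN directly and ROLE ADMIN only through a nested role, which is the case that a check of direct grants alone would miss.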