
Within SAP HANA, analytic privileges grant access to specific data, for example as row-level security or down to a single data point. But before we discuss analytic privileges, we need to understand SAP HANA object privileges. Those privileges define access to database objects such as views or tables. Hence, before we decide which data to grant access to, access to the object itself needs to be granted.
Example: take a look at the image of this post. Imagine one box or cluster of lockers is a database table. Before opening a single locker, you need to be able to “see” the cluster it is in, for example the number 21 (see image, right side). After having located that cluster, you need a key to access a single locker. This key would be an analytic privilege.
Another classic example from the SAP universe is sales regions. Sales data for all regions are contained within one analytic view. However, regional sales managers should only see the data for their region. In this case, an analytic privilege could be modeled so that they can all query the view, but only the data that each user is authorized to see is returned (source: SAP HANA Security Guide for SAP HANA Platform).
Where to create analytic privileges in SAP HANA?
In SAP HANA, analytic privileges must be maintained within the package structure, whereas most other privileges are delivered out of the box (e.g. system privileges).
The reason is that object privileges, for example, depend on the database and its catalog. All database objects (dbos) are registered there once they are created (e.g. CREATE TABLE XY).
Analytic privileges, though, relate not only to a dbo but to the data within those objects. Since this data is usually highly volatile (e.g. transactional data) and not autonomously recognizable by the SAP HANA database system without analytics, those privileges need some know-how from the security engineer. This is why they are created at the package level.
The process is presented very well on the SAP Blog. Here, I highlight the most important steps:


When analytic privileges are applied to a view, it instantly “locks out” any user without the created privilege. This is a very common issue in security management, since many developers create a view and apply them by default without knowing the impact. Test users or colleagues without sufficient privileges then cannot access the view anymore (unless they have the privilege _SYS_BI_CP_ALL in combination with the necessary object privileges).
Always use SQL analytic privileges and not the XML variant, since XML-based analytic privileges are deprecated as of SAP HANA SPS 02.
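To make the two layers and the lock-out concrete, here is the sales region scenario as a SQL analytic privilege. This is an added example, not taken from the SAP Blog or from this post's original steps. The schema, table, view, privilege and user names are constructed, the users MANAGER_EMEA and TESTER are assumed to exist already, and the statements are plain catalog SQL rather than a package-based design-time object.

```sql
-- Constructed demo objects (names are assumptions, not from the post).
CREATE SCHEMA SALES_DEMO;
CREATE COLUMN TABLE SALES_DEMO.SALES (
    REGION   NVARCHAR(10),
    ORDER_ID INTEGER,
    AMOUNT   DECIMAL(15,2)
);
INSERT INTO SALES_DEMO.SALES VALUES ('EMEA', 1, 100.00);
INSERT INTO SALES_DEMO.SALES VALUES ('APAC', 2, 250.00);

-- Enabling the structured privilege check is the step that locks users out:
-- from here on, SELECT on the view alone is no longer sufficient.
CREATE VIEW SALES_DEMO.V_SALES AS
    SELECT REGION, ORDER_ID, AMOUNT FROM SALES_DEMO.SALES
    WITH STRUCTURED PRIVILEGE CHECK;

-- Layer 1: object privilege ("seeing" the locker cluster).
GRANT SELECT ON SALES_DEMO.V_SALES TO MANAGER_EMEA;
GRANT SELECT ON SALES_DEMO.V_SALES TO TESTER;

-- Layer 2: SQL analytic privilege (the key to one locker).
-- The creating user needs the system privilege STRUCTURED PRIVILEGE ADMIN.
CREATE STRUCTURED PRIVILEGE AP_SALES_EMEA
    FOR SELECT ON SALES_DEMO.V_SALES
    WHERE REGION = 'EMEA';
GRANT STRUCTURED PRIVILEGE AP_SALES_EMEA TO MANAGER_EMEA;

-- Run as MANAGER_EMEA: the filter REGION = 'EMEA' is applied to the result.
-- Run as TESTER: only layer 1 is present, so the query is rejected as
-- not authorized. This is the lock-out described above.
SELECT REGION, ORDER_ID, AMOUNT FROM SALES_DEMO.V_SALES;

-- Review both layers per user before enabling the check on a shared view.
SELECT GRANTEE, PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE IN ('MANAGER_EMEA', 'TESTER')
 ORDER BY GRANTEE, OBJECT_TYPE;
```

Running the last query for every test user before the check is enabled shows who holds only the object privilege and would lose access.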