SAP HANA Privileges – Basics

The authorization concept of SAP HANA is based on so-called privileges. Though the naming differs from other SAP modules or platforms such as ECC or the SAP Business Warehouse (SAP BW), the underlying concept is the same.


Within SAP HANA there are 5 types of privileges:

  • System
  • Object
  • Analytic
  • Package
  • Application

Each privilege type covers a different security aspect, and its name already tells you fairly directly what it does.

System privileges are system-related and therefore most important to administrators or developers who need to adjust or configure the SAP HANA system itself, such as audit logging, database insights, etc.

Object privileges relate to database objects such as tables or views. Those database objects are based on SQL, which implies that the privileges manage access at the SQL level. In other words, you “set a filter” on what the assigned user can use within her/his SQL statement.

Analytic privileges work similarly to object privileges. They “filter” the user's SQL statement at the WHERE clause. Analytic privileges can also be made more dynamic by writing code, but that is for another post.

Package privileges can be seen as the access management for the SAP HANA file system. They manage who can access which branch or package of the development. This is especially important to application and content developers.

Application privileges grant access to certain defined applications running on SAP HANA.
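To make the five types concrete, here is one grant per privilege type followed by a review query. This is an added example, not part of the original post or SAP's documentation; all user, schema, view, package and application names (SEC_ADMIN, REPORT_USER, DEV_USER, SALES, V_ORDERS, com.example.app) are hypothetical.

```sql
-- 1) System privilege: lets a security administrator manage audit logging.
GRANT AUDIT ADMIN TO SEC_ADMIN;

-- 2) Object privilege: controls which objects the user may name in SQL.
--    The view is created with a structured privilege check so that step 3
--    is enforced when it is queried.
CREATE VIEW "SALES"."V_ORDERS" AS
  SELECT "ORDER_ID", "REGION", "AMOUNT" FROM "SALES"."ORDERS"
  WITH STRUCTURED PRIVILEGE CHECK;
GRANT SELECT ON "SALES"."V_ORDERS" TO REPORT_USER;

-- 3) Analytic privilege (SQL-based): the WHERE condition is applied as a
--    row filter, so REPORT_USER only sees rows for region 'EU'.
--    The object privilege from step 2 is still required in addition.
CREATE STRUCTURED PRIVILEGE "AP_ORDERS_EU"
  FOR SELECT ON "SALES"."V_ORDERS"
  WHERE "REGION" = 'EU';
GRANT STRUCTURED PRIVILEGE "AP_ORDERS_EU" TO REPORT_USER;

-- 4) Package privilege (classic repository only): read access to one
--    package of design-time content.
GRANT REPO.READ ON "com.example.app" TO DEV_USER;

-- 5) Application privilege (XS classic only): granted through a
--    _SYS_REPO procedure rather than a plain GRANT statement.
CALL "_SYS_REPO"."GRANT_APPLICATION_PRIVILEGE"(
  '"com.example.app::Viewer"', 'REPORT_USER');

-- Review: list what was granted directly to the three users, grouped by
-- object type, to check that nobody holds more than intended.
SELECT "GRANTEE", "PRIVILEGE", "OBJECT_TYPE", "SCHEMA_NAME", "OBJECT_NAME"
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE "GRANTEE" IN ('SEC_ADMIN', 'REPORT_USER', 'DEV_USER')
 ORDER BY "GRANTEE", "OBJECT_TYPE";
```

The review query shows direct grants only; privileges inherited through roles appear in the EFFECTIVE_PRIVILEGES system view, which must be filtered by USER_NAME.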

SAP provides a great overview of the different privileges, their target users and what they are applicable to:

| Privilege Type | Applicable To | Target User | Description |
| --- | --- | --- | --- |
| System privilege | System, database | Administrators, developers | System privileges control general system activities. They are mainly used for administrative purposes, such as creating schemas, creating and changing users and roles, monitoring and tracing. System privileges are also used to authorize basic repository operations. System privileges granted to users in a particular tenant database authorize operations in that database only. The only exception is the system privileges DATABASE ADMIN, DATABASE STOP, DATABASE START, and DATABASE AUDIT ADMIN. These system privileges can only be granted to users of the system database. They authorize the execution of operations on individual tenant databases. For example, a user with DATABASE ADMIN can create and drop tenant databases, change the database-specific properties in configuration (*.ini) files, and perform database-specific backups. |
| Object privilege | Database objects (schemas, tables, views, procedures and so on) | End users, technical users | Object privileges are used to allow access to and modification of database objects, such as tables and views. Depending on the object type, different actions can be authorized (for example, SELECT, CREATE ANY, ALTER, DROP). Schema privileges are object privileges that are used to allow access to and modification of schemas and the objects that they contain. Source privileges are object privileges that are used to restrict access to and modification of remote data sources, which are connected through SAP HANA smart data access. Object privileges granted to users in a particular database authorize access to and modification of database objects in that database only. That is, unless cross-database access has been enabled for the user. This is made possible through the association of the requesting user with a remote identity on the remote database. For more information, see Cross-Database Authorization in Tenant Databases in the SAP HANA Security Guide. |
| Analytic privilege | Analytic views | End users | Analytic privileges are used to allow read access to data in SAP HANA information models (that is, analytic views, attribute views, and calculation views) depending on certain values or combinations of values. Analytic privileges are evaluated during query processing. Analytic privileges granted to users in a particular database authorize access to information models in that database only. |
| Package privilege | Packages in the classic repository of the SAP HANA database | Application and content developers working in the classic SAP HANA repository | Package privileges are used to allow access to and the ability to work in packages in the classic repository of the SAP HANA database. Packages contain design time versions of various objects, such as analytic views, attribute views, calculation views, and analytic privileges. Package privileges granted to users in a particular database authorize access to and the ability to work in packages in the repository of that database only. Note: With SAP HANA XS advanced, source code and web content are not versioned and stored in the SAP HANA database, so package privileges are not used in this context. For more information, see Authorization in SAP HANA XS Advanced. |
| Package privilege | Packages in the classic repository of the SAP HANA database | Application and content developers working in the classic SAP HANA repository | Package privileges are not relevant in the SAP HANA service for SAP BTP context as the SAP HANA repository is not supported. |
| Application privilege | SAP HANA XS classic applications | Application end users, technical users (for SQL connection configurations) | Developers of SAP HANA XS classic applications can create application privileges to authorize user and client access to their application. They apply in addition to other privileges, for example, object privileges on tables. Application privileges can be granted directly to users or roles in runtime in the SAP HANA studio. However, it is recommended that you grant application privileges to roles created in the repository in design time. Note: With SAP HANA XS advanced, application privileges are not used. Application-level authorization is implemented using OAuth and authorization scopes and attributes. For more information, see Authorization in SAP HANA XS Advanced. |
| Application privilege | SAP HANA XS classic applications | Application end users, technical users (for SQL connection configurations) | Application privileges are not relevant in the SAP HANA service for SAP BTP context as SAP HANA XS classic is not supported. |

Source: https://help.sap.com/docs/SAP_HANA_PLATFORM/b3ee5778bc2e4a089d3299b82ec762a7/fb0f9b103d6940f28f3479b533c351e9.html
