Jun 04, 2020 at 07:04 PM

Best practices for securing HDI developments


Dear community,

Customer wants to replicate about 500 tables from ECC into HANA Cloud and, in the end, create HDI .hdbcalculationviews for business users to query.

10 of these tables contain sensitive data and will be masked in secured .hdbviews (GDPR).

They will have only 2 specific developers working on a specific HDI container, who can create 500 .hdbviews (one view per table), 10 of them secured masked views because of the sensitive information. No other developers can have access to this HDI container's design-time developments or persisted objects.

Then, they want to create another HDI container for the remaining tens of developers, who will create multiple calculation views on top of the 500 .hdbviews (developed by the 2 specific developers above). In this way they want to ensure that no one except those 2 specific developers will have access to the tables.

I created a new HANA Cloud instance from scratch, then created an HDIADMIN DB user and granted it the HDI admin privileges:

CREATE LOCAL TEMPORARY TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;

INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME) SELECT 'HDIADMIN', PRIVILEGE_NAME, OBJECT_NAME FROM _SYS_DI.T_DEFAULT_DI_ADMIN_PRIVILEGES;

CALL _SYS_DI.GRANT_CONTAINER_GROUP_API_PRIVILEGES('_SYS_DI', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

DROP TABLE #PRIVILEGES;

Then I created 2 container groups, one for secured development (the 2 developers) and one for normal development (all other developers). I also created 2 DB users: HDIDEVSECURITY (for the 2 specific developers) and HDIDEV (for all other developers):

CALL _SYS_DI.CREATE_CONTAINER_GROUP('HDIDEV_CG', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

CALL _SYS_DI.CREATE_CONTAINER_GROUP('HDIDEVSECURITY_CG', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

Granted the container groups to the users:

CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;

INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME) SELECT 'HDIDEV', PRIVILEGE_NAME, OBJECT_NAME FROM _SYS_DI.T_DEFAULT_CONTAINER_GROUP_ADMIN_PRIVILEGES;

CALL _SYS_DI.GRANT_CONTAINER_GROUP_API_PRIVILEGES('HDIDEV_CG', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

DROP TABLE #PRIVILEGES;

CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;

INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME) SELECT 'HDIDEVSECURITY', PRIVILEGE_NAME, OBJECT_NAME FROM _SYS_DI.T_DEFAULT_CONTAINER_GROUP_ADMIN_PRIVILEGES;

CALL _SYS_DI.GRANT_CONTAINER_GROUP_API_PRIVILEGES('HDIDEVSECURITY_CG', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

DROP TABLE #PRIVILEGES;

Then I created the containers, logged in as each of the two users:

-- logged in as HDIDEVSECURITY

CALL _SYS_DI#HDIDEVSECURITY_CG.CREATE_CONTAINER('SHOWCASESECURITY', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

-- logged in as HDIDEV

CALL _SYS_DI#HDIDEV_CG.CREATE_CONTAINER('SHOWCASE', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

But now I could not find any documentation explaining how to bind these 2 HDI containers to projects for development/deployment in WebIDE or Business Application Studio.

I ran "cf create-service hana hdi-shared SHOWCASEHDI" in Business Application Studio, and it created another HDI container, but in "_SYS_DI#BROKER_CG", and it was not linked to my prior container "SHOWCASE". It created a new container named 72D3FECE031F4698AF8AFF1FCE054E86 instead of SHOWCASE.

(screenshot: hdi.jpg)

So the question is: how do I bind the SHOWCASESECURITY container to one HDI project in WebIDE, and the SHOWCASE container to another HDI project in WebIDE? Or, if this is not possible, how can I create, from WebIDE or cf, containers in different container groups managed by different users, in order to get the required separation?

I've been trying to find a solution for this, but I could not find detailed documentation or guidance yet.

I will be waiting for your feedback.

Best regards,

Chris

https://help.sap.com/viewer/3823b0f33420468ba5f1cf7f59bd6bd9/2.0.04/en-US/1ca64155ec5a465294e0d8b10383cea8.html
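The post stops after creating the two containers, so the remaining step in the separation it describes, giving only the two secured developers the container API on SHOWCASESECURITY and confirming that the shared HDIDEV account holds nothing there, is shown below as an added example. It is not code from the original post. It assumes the objects created above (container group HDIDEVSECURITY_CG, container SHOWCASESECURITY, users HDIDEVSECURITY and HDIDEV), two hypothetical individual developer users DEV_ALICE and DEV_BOB (one account per person keeps grants and audit attribution separate, instead of both developers sharing HDIDEVSECURITY), and HDI's standard naming of the container API schema as <container>#DI. The grant must run as HDIDEVSECURITY, the container group admin; the two SELECT checks need CATALOG READ or the user's own session.

```sql
-- Added example, not part of the original post.
-- Assumes: group HDIDEVSECURITY_CG, container SHOWCASESECURITY, user HDIDEV
-- (all from the post) and hypothetical developer users DEV_ALICE and DEV_BOB.
-- Run steps 1 as HDIDEVSECURITY (container group admin).

-- 1. Grant the default container admin API (deploy, grant, configure) on
--    SHOWCASESECURITY to the two named developers only. Same table-valued
--    pattern as the group-level grants above, one row set per principal.
CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;

INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME)
  SELECT 'DEV_ALICE', PRIVILEGE_NAME, OBJECT_NAME
    FROM _SYS_DI.T_DEFAULT_CONTAINER_ADMIN_PRIVILEGES;

INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME)
  SELECT 'DEV_BOB', PRIVILEGE_NAME, OBJECT_NAME
    FROM _SYS_DI.T_DEFAULT_CONTAINER_ADMIN_PRIVILEGES;

CALL _SYS_DI#HDIDEVSECURITY_CG.GRANT_CONTAINER_API_PRIVILEGES(
  'SHOWCASESECURITY', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

DROP TABLE #PRIVILEGES;

-- 2. Negative check: the account used by everyone else must hold no
--    privilege on the container's runtime schema or on its #DI API schema.
--    Expected result: zero rows.
SELECT USER_NAME, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'HDIDEV'
   AND SCHEMA_NAME IN ('SHOWCASESECURITY', 'SHOWCASESECURITY#DI');

-- 3. Positive check: the named developer now has EXECUTE on the
--    SHOWCASESECURITY#DI procedures granted in step 1.
SELECT USER_NAME, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'DEV_ALICE'
   AND SCHEMA_NAME = 'SHOWCASESECURITY#DI'
 ORDER BY OBJECT_NAME, PRIVILEGE;
```

The point of the two SELECTs is that the container group only controls who may create and administer containers; the separation the post wants also depends on nobody else being granted the container API or the runtime schema afterwards, so the same check is worth re-running after any deployment that grants roles.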