Skip to Content

Security - connection to HANA DB with ODBC or ODATA?


in our company many Business requests are coming up to extract data from S/4 (ABAP CDS Views) or BW/HANA (HANA Views) to other tools or databases. They are using different tools - some cannot use full capabilites of ODATA Service (e.g. PowerBI) so they want to connect with ODBC.

Are those ODBC connectons directly to HANA DB a security risk? Or is it the same risk to use ODATA?



Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

1 Answer

  • Posted on Jul 18, 2020 at 07:54 AM

    This question is rather unclear.

    What does "risk" mean to you in this context?

    Based on the presented examples, you seem to consider the mentioned two data access technologies as otherwise equal options to access the same system.

    This holds only true on a high-level view. As soon as technology components are considered, it becomes clear that accessing S/4, BW, and HANA means accessing different, but interdependent systems.
    They even have separate user, privilege, and access handling mechanisms.

    On a high-level data-access can be managed in similar ways with both technologies (i.e. only expose data that is allowed to be accessed...). So, on that level of consideration, you may consider the "risk" the same.

    Now, with ODATA the service definition literally defines what questions can be asked - at all. There is no consumer-driven option to change DB queries, combine/join/union different data sources, etc.

    This, in turn, means the queries posed to the system can be a lot more predictable than free-query access by DB/ODBC/JDBC query tools, which is a nice thing to have when managing the system. And that may be a security concern.

    The flip side is the same thing: using ODATA services limits the kind of questions that can be asked about the data compared to DB level access.

    It's possible to set up DB level access for users with tight security restrictions and auditing. Many customers are doing that.

    If this is the right choice for your organization has to be understood by your team for themselves. Coming back to your question it appears to me that it is not yet fully understood what exact limitations should be overcome by changing the data access technology. PowerBI supports OData, so what feature cannot be used by your team?

    Another aspect to consider is that the OData services from ABAP systems are barely ever simple 1:1 presentations of tables and views where the same data could be queries from the DB level.

    In fact, most ABAP level query interfaces leverage the application context and/or add a whole computation layer to the OData services.
    In short: if the OData service doesn't give you what you're looking for, it's not a given that accessing the DB will fix this.

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.