HANA Security - Dynamic Analytic Privilege Model - How to Maintain helper auth tables

HANA Security documentation describes a security model using Dynamic Analytic Privileges with Stored Procedures to reference a 'helper table' to restrict users to only see field values they are mapped to within the helper table. (reference: SAP HANA Academy - Documentation: Analytic Privileges II).

My question is not how to define the table or AP or Procedure, but how are companies managing this helper table? Are there any IDM tools available from SAP or others that have the ability to manage a helper table via Roles? I'm looking for an automated solution that can add users, remove users, etc. from these tables just like it would add/remove catalog/repository roles and manage the user's account attributes.

I imagine it is possible that everyone implementing Dynamic AP with helper tables is doing this helper table maintenance manually, but I'm hoping someone out there has found an IDM solution which has this feature.


1 Answer

  • May 09, 2018 at 08:44 PM

    Hi Chris,

    Well, I've only implemented "Manual" scenarios, but we have been having discussions about switching to a more automated approach.

    Each employee in an enterprise is tagged to a Windows AD group.

    So theoretically, what we are planning:

    1. Replicate the User to group mapping into HANA.

    2. Map authorized filters to user groups instead of Users. Like in your example, I map EMEA to Finance_Grp rather than an individual user.

    3. This way, user maintenance is done by Windows AD and you only touch the config table when your entire group needs an auth change.

    Again, I've not researched the technical challenges of this, but theoretically this should work.

    The point is not about Windows AD, but that if you maintain auths for groups rather than users, it would make your life much easier in terms of maintenance.



    • Hi Chris,

      By AD groups, I mean Windows Active Directory groups.

      Every individual is assigned certain groups in the organization's directory.

      I was talking about replicating that User to group mapping as a table in HANA and then assigning roles based on those groups.

      Of course this only works if your authorizations can be based on these Windows AD groups.

      In essence, the Helper table example you stated allows for minimal data changes. If you can get HelperTable1 populated and replicated from somewhere else in your landscape (like the Windows AD example), it helps the process automation even further.
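
The group-based design from the answer above, written as HANA SQL using the SQL-based `CREATE STRUCTURED PRIVILEGE ... CONDITION PROVIDER` form of a dynamic analytic privilege. This is an added example, not code from the thread or from SAP; the schema, table, procedure, privilege and view names and the sample rows are hypothetical, and it assumes the empty string is never a real REGION value.

```sql
-- Hypothetical object names throughout; none of them come from the thread.
CREATE SCHEMA AUTH_DEMO;

-- Step 1: user-to-group mapping, replicated from the directory (load job not shown).
CREATE COLUMN TABLE AUTH_DEMO.USER_GROUP_MAP (
    USER_NAME  NVARCHAR(256) NOT NULL,
    GROUP_NAME NVARCHAR(256) NOT NULL,
    PRIMARY KEY (USER_NAME, GROUP_NAME)
);

-- Step 2: authorized filter values are maintained per group, not per user.
CREATE COLUMN TABLE AUTH_DEMO.GROUP_REGION_AUTH (
    GROUP_NAME NVARCHAR(256) NOT NULL,
    REGION     NVARCHAR(20)  NOT NULL,
    PRIMARY KEY (GROUP_NAME, REGION)
);

-- Constructed sample rows.
INSERT INTO AUTH_DEMO.USER_GROUP_MAP    VALUES ('CHRIS', 'Finance_Grp');
INSERT INTO AUTH_DEMO.GROUP_REGION_AUTH VALUES ('Finance_Grp', 'EMEA');

-- Condition provider: resolves SESSION_USER -> groups -> regions and returns
-- the filter string that the analytic privilege applies to the view.
CREATE PROCEDURE AUTH_DEMO.GET_REGION_FILTER (OUT OUT_FILTER NVARCHAR(5000))
LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
    DECLARE V_LIST NVARCHAR(4000);

    -- Quote each value and double embedded quotes so that table content
    -- cannot change the shape of the generated filter.
    SELECT STRING_AGG('''' || REPLACE(R.REGION, '''', '''''') || '''', ',')
      INTO V_LIST
      FROM (SELECT DISTINCT A.REGION
              FROM AUTH_DEMO.USER_GROUP_MAP AS M
              JOIN AUTH_DEMO.GROUP_REGION_AUTH AS A
                ON A.GROUP_NAME = M.GROUP_NAME
             WHERE M.USER_NAME = SESSION_USER) AS R;

    IF :V_LIST IS NULL THEN
        -- No mapping: fail closed (assumption: '' is never a real REGION).
        OUT_FILTER := '"REGION" IN ('''')';
    ELSE
        OUT_FILTER := '"REGION" IN (' || :V_LIST || ')';
    END IF;
END;

-- Step 3: the privilege never changes; only the two tables are maintained.
CREATE STRUCTURED PRIVILEGE AP_REGION_BY_GROUP
    FOR SELECT ON "_SYS_BIC"."demo/CV_SALES"   -- hypothetical view
    CONDITION PROVIDER AUTH_DEMO.GET_REGION_FILTER;
```

Because the procedure runs in definer mode, end users need no SELECT on either table. Whoever can write to those tables effectively grants data access, so keep INSERT/UPDATE/DELETE limited to the replication job and the security administrators.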