on 05-08-2018 3:13 PM
HANA Security documentation describes a security model using Dynamic Analytic Privileges with Stored Procedures to reference a 'helper table' to restrict users to only see field values they are mapped to within the helper table. (reference: SAP HANA Academy - Documentation: Analytic Privileges II).
My question is not how to define the table or AP or Procedure, but how are companies managing this helper table? Are there any IDM tools available from SAP or others that have the ability to manage a helper table via Roles? I'm looking for an automated solution that can add users, remove users, etc. from these tables just like it would add/remove catalog/repository roles and manage the user's account attributes.
I imagine it is possible that everyone implementing Dynamic AP with helper tables is doing this helper table maintenance manually, but I'm hoping someone out there has found an IDM solution which has this feature.
Thanks,
Chris
Hi Chris,
Well, I've only implemented "manual" scenarios, but we have been having discussions about switching to a more automated approach.
Each employee in an enterprise is tagged to a Windows AD group.
So theoretically, what we are planning:
1. Replicate the User to group mapping into HANA.
2. Map authorized filters to user groups instead of Users. Like in your example, I map EMEA to Finance_Grp rather than an individual user.
3. This way, user maintenance is done by Windows AD and you only touch the config table when your entire group needs an auth change.
Again, I've not researched into the technical challenges of this but theoretically this should work.
The point is not about Windows AD, but that if you maintain auths for groups rather than users, it would make your life much easier in terms of maintenance.
Regards,
Shyam
Hi Shyam,
Thanks for taking the time to reply. We are doing the group mapping as you specify in point 1, but I am not sure what you mean by the AD group mapping.
For example,
HelperTable1
USER1 | USERGROUP1
USER2 | USERGROUP1
USER3 | USERGROUP2
HelperTable2
USERGROUP1 | EMEA
USERGROUP1 | ASIA
USERGROUP2 | US
So HelperTable2 remains static until you have an auth change, but how then, even with AD groups, do you populate HelperTable1? Or is there a way to do this without HelperTable1 and mapping AD groups somehow directly to HelperTable2?
Thanks,
Chris
Hi Chris,
By AD groups, I mean Windows Active Directory groups.
Every individual is assigned certain groups in the organization's directory.
I was talking about replicating that User to group mapping as a table in HANA and then assigning roles based on those groups.
Of course this only works if your authorizations can be based on these Windows AD groups.
In essence, the Helper table example you stated allows for minimal data changes. If you can get HelperTable1 populated and replicated from somewhere else in your landscape (like the Windows AD example), it helps the process automation even further.
Regards,
Shyam
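As an added illustration (not code from either poster), this is one way to lay out the two helper tables Chris drew, with the procedure a dynamic analytic privilege would call to resolve the calling user's allowed regions through the group mapping. Schema, table, column and type names are assumptions; the sample rows are constructed from Chris's example.

```sql
-- Added example, not from the thread. "HelperTable1" is the user-to-group
-- mapping replicated from Windows AD; "HelperTable2" is the group-to-filter
-- mapping that only changes on an auth change. Names are assumptions.

CREATE COLUMN TABLE AUTH.USER_GROUP (        -- HelperTable1 (replicated from AD)
  USER_NAME  NVARCHAR(256) NOT NULL,
  GROUP_NAME NVARCHAR(256) NOT NULL,
  PRIMARY KEY (USER_NAME, GROUP_NAME)
);

CREATE COLUMN TABLE AUTH.GROUP_REGION (      -- HelperTable2 (static until auth change)
  GROUP_NAME NVARCHAR(256) NOT NULL,
  REGION     NVARCHAR(10)  NOT NULL,
  PRIMARY KEY (GROUP_NAME, REGION)
);

-- Constructed sample data matching Chris's HelperTable1 / HelperTable2
INSERT INTO AUTH.USER_GROUP   VALUES ('USER1', 'USERGROUP1');
INSERT INTO AUTH.USER_GROUP   VALUES ('USER2', 'USERGROUP1');
INSERT INTO AUTH.USER_GROUP   VALUES ('USER3', 'USERGROUP2');
INSERT INTO AUTH.GROUP_REGION VALUES ('USERGROUP1', 'EMEA');
INSERT INTO AUTH.GROUP_REGION VALUES ('USERGROUP1', 'ASIA');
INSERT INTO AUTH.GROUP_REGION VALUES ('USERGROUP2', 'US');

-- Output type for the procedure: one column holding the allowed filter values
CREATE TYPE AUTH.TT_REGION AS TABLE (REGION NVARCHAR(10));

-- Procedure referenced by the dynamic analytic privilege. HANA requires no input
-- parameters, exactly one OUT parameter, READS SQL DATA and SQL SECURITY DEFINER,
-- so the end user needs no SELECT privilege on the helper tables themselves.
CREATE PROCEDURE AUTH.GET_REGION_FILTER (OUT OUT_REGIONS AUTH.TT_REGION)
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
  -- Resolve user -> group(s) -> region(s); SESSION_USER is the calling DB user.
  -- A user with no group row yields an empty set, so nothing is granted by accident.
  OUT_REGIONS = SELECT DISTINCT gr.REGION
                FROM AUTH.USER_GROUP ug
                JOIN AUTH.GROUP_REGION gr ON gr.GROUP_NAME = ug.GROUP_NAME
                WHERE ug.USER_NAME = SESSION_USER;
END;
```

With this layout, the AD replication job only ever writes AUTH.USER_GROUP, and the security team only ever edits AUTH.GROUP_REGION; the procedure itself never needs to change when people join or leave a group.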