
HANA Security - Dynamic Analytic Privilege Model - How to Maintain helper auth tables

chrissap
Explorer
0 Kudos

HANA Security documentation describes a security model using Dynamic Analytic Privileges with Stored Procedures to reference a 'helper table' to restrict users to only see field values they are mapped to within the helper table. (reference: SAP HANA Academy - Documentation: Analytic Privileges II).

My question is not how to define the table or AP or Procedure, but how are companies managing this helper table? Are there any IDM tools available from SAP or others that have the ability to manage a helper table via Roles? I'm looking for an automated solution that can add users, remove users, etc. from these tables just like it would add/remove catalog/repository roles and manage the user's account attributes.

I imagine it is possible that everyone implementing Dynamic AP with helper tables is doing this helper table maintenance manually, but I'm hoping someone out there has found an IDM solution which has this feature.

Thanks,
Chris

Accepted Solutions (0)

Answers (1)

shyam_uthaman
Participant
0 Kudos

Hi Chris,

Well, I've only implemented "Manual" scenarios, but we have been having discussions about switching to a more automated approach.

Each employee in an enterprise is tagged to a Windows AD group.

So theoretically, what we are planning:

1. Replicate the User to group mapping into HANA.

2. Map authorized filters to user groups instead of Users. Like in your example, I map EMEA to Finance_Grp rather than an individual user.

3. This way, user maintenance is done by Windows AD and you only touch the config table when your entire group needs an auth change.

Again, I've not researched into the technical challenges of this but theoretically this should work.

The point is not about Windows AD, but that if you maintain auths for groups rather than users, it would make your life much easier in terms of maintenance.

Regards,

Shyam

chrissap
Explorer
0 Kudos

Hi Shyam,

Thanks for taking the time to reply. We are doing the group mapping as you specify in point 1, but I am not sure what you mean by the AD group mapping.

For example,

HelperTable1

USER1 | USERGROUP1

USER2 | USERGROUP1

USER3 | USERGROUP2

HelperTable2

USERGROUP1 | EMEA

USERGROUP1 | ASIA

USERGROUP2 | US

So HelperTable2 remains static until you have an auth change, but how then, even with AD groups, do you populate HelperTable1? Or is there a way to do this without HelperTable1 and mapping AD groups somehow directly to HelperTable2?

Thanks,

Chris

shyam_uthaman
Participant
0 Kudos

Hi Chris,

By AD groups, I mean Windows Active Directory groups.

Every individual is assigned certain groups in the organization's directory.

I was talking about replicating that User to group mapping as a table in HANA and then assigning roles based on those groups.

Of course this only works if your authorizations can be based on these Windows AD groups.

In essence, the Helper table example you stated allows for minimal data changes. If you can get HelperTable1 populated and replicated from somewhere else in your landscape (like the Windows AD example), it helps the process automation even further.

Regards,

Shyam
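
An added example, not written by either poster and not SAP code: one way to plan the HelperTable1 sync discussed in this thread, by diffing a directory export of user-to-group pairs against the current helper rows so that leavers are deleted as well as joiners inserted. The schema, table and column names, the group names and the sample rows are constructed assumptions, and user names are assumed to be stored upper-case in the helper table.

```python
# Added example: plan the sync of HelperTable1 (user -> group) from a directory export.
# Schema, table and column names, group names and sample rows are constructed assumptions.
MANAGED_GROUPS = {"USERGROUP1", "USERGROUP2"}  # only groups referenced by HelperTable2
MAX_DELETE_RATIO = 0.5  # abort if one run would remove more than half of the rows

TABLE = '"AUTH"."HELPERTABLE1"'  # hypothetical schema and table name


def normalise(pairs):
    """Trim and upper-case (user, group) pairs; drop groups we do not manage."""
    out = set()
    for user, group in pairs:
        user, group = user.strip().upper(), group.strip().upper()
        if user and group in MANAGED_GROUPS:
            out.add((user, group))
    return out


def plan_sync(directory_pairs, helper_rows):
    """Return (inserts, deletes) that make the helper table match the directory."""
    wanted, current = normalise(directory_pairs), normalise(helper_rows)
    inserts, deletes = sorted(wanted - current), sorted(current - wanted)
    # A truncated or empty export would otherwise silently revoke everyone.
    if current and len(deletes) / len(current) > MAX_DELETE_RATIO:
        raise RuntimeError(f"refusing to delete {len(deletes)} of {len(current)} rows")
    return inserts, deletes


def to_statements(inserts, deletes):
    """Parameterised statements (qmark style); run them in a single transaction."""
    delete_sql = f"DELETE FROM {TABLE} WHERE USER_NAME = ? AND USER_GROUP = ?"
    insert_sql = f"INSERT INTO {TABLE} (USER_NAME, USER_GROUP) VALUES (?, ?)"
    return [(delete_sql, r) for r in deletes] + [(insert_sql, r) for r in inserts]


# Constructed sample: USER3 left USERGROUP2, user4 joined it, VPN_USERS is unmanaged.
DIRECTORY = [("user1", "UserGroup1"), ("user2", "UserGroup1"),
             ("user4", "UserGroup2"), ("user5", "VPN_USERS")]
HELPER = [("USER1", "USERGROUP1"), ("USER2", "USERGROUP1"), ("USER3", "USERGROUP2")]

if __name__ == "__main__":
    for sql, params in to_statements(*plan_sync(DIRECTORY, HELPER)):
        print(sql, params)
```

Deletes are emitted before inserts because a stale row is the case with a security cost: a user removed from a directory group keeps that group's data access until the row is gone.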