How to define the right defaults for a framework authorization structure of your SAP HANA database

SAST BLOG: Framework authorization structure for the SAP HANA database – defining the right defaults SAP HANA is based on an in-memory technology concept for data storage. This makes it possible to analyze large, non-aggregated datasets flexibly with extremely short processing times. Since data processing in SAP HANA differs significantly from that in SAP NetWeaver, it has its own user management and authorization system. But which default settings are needed for the SAP HANA authorizations?

SAP HANA Security Architecture

The authorization concept implemented in the SAP HANA database, with the use of privileges, is based on other database concepts. SSL encryption should be configured for each of the following three SAP HANA connection types:

  1. The connection between client and SAP HANA database
  2. Internal connections between the SAP HANA components
  3. Connections to data centers (for example, for backups using SAP HANA System Replication)

SAP HANA also enables logging of critical events such as changes to users, roles, and privileges, as well as changes to the configuration and failed logon attempts. In addition, read and write access to data (through tables or views, for example) and the execution of operations can be logged. A type of emergency logging is also provided.

SAP HANA User and Authorization Management

The SAP HANA database differentiates between three user types:

  • Users (standard users and restricted users)
  • SYSTEM users
  • Internal technical users

For these users to work in the SAP HANA database, authorizations are required. You can assigned privileges directly to users or grouped them together in roles.

SAP HANA Privileges

Privilege-based access management is a “positive authorization concept”, which means access is only allowed if the corresponding privileges have been assigned to the user. Like in SAP NetWeaver, privileges are additive: All privileges assigned to the user are grouped together during the authorization check, regardless of whether they are assigned directly or indirectly.

There are five different types of privileges:

  • Object privileges
  • System privileges
  • Analytics privileges
  • Repository privileges
  • Application privileges


In the SAP HANA database, roles are a collection of privileges and, in some cases, other roles. Roles can be nested to define inheritance, which creates an extremely flexible, granular authorization concept with business roles. To maintain roles, you should always work in the HANA Repository and create the roles as design-time objects (Repository roles), which you transport later. After transport, the role is activated automatically. Only these runtime roles (catalog roles) can be assigned.

Basic Considerations for the Authorization Concept 

When SAP HANA is used in your company, you have to check whether direct access to the data objects in the SAP HANA database is necessary, which varies according to use case. If SAP HANA is only used as the database for existing applications, the available user and authorization concept can continue to be used for the end users. If authorizations for the SAP HANA database have to be granted, however, and users created, this is done through privileges, which are grouped together in roles and assigned to users.

Framework Authorization Concept for SAP HANA

A framework authorization concept for SAP HANA defines standards and principles for the assignment of privileges and roles. This guarantees the level of security for communications and data for running SAP HANA database systems required by comprehensive policies and the state-of-the-art technology.

A framework authorization concept helps to improve IT security with regard to the handling of sensitive information. Therefore, your SAP HANA framework authorization concept should answer the following questions:

  • Who is authorized to create/change users?
  • Who is authorized to create roles?
  • Who is authorized to assign/change roles?
  • Who is responsible for database administration?
  • How will emergency users be managed and by whom?
  • Who will audit which users?
  • Who is authorized to develop XSA roles?
  • Who is authorized to transport roles?
  • Which constraints must roles have?
  • Who is authorized to create analytics views?

In general, a framework authorization concept should contain the following information:

  • Description of the separation of functions between administration and customers/user departments
  • Description of the user types “standard” and “restricted”
  • Handling of the SYSTEM user
  • Use of user types, such as:
    • Audit administrator
    • User administrator
    • Technical user
    • Cockpit user
    • XSA developer
  • Description of the roles of the individual user groups
  • Description of the roles with usage recommendation/requirement, such as:
  • Use of Repository and HDI roles
  • Use and authorization of privileges such as:
    • Object privileges
    • Analytics privileges
    • Standard privileges
  • Settings for auditing the SAP HANA DB, such as:
    • Audit trail
    • Linux syslog
    • Assignment of audit privileges to users
  • Description of access methods

Other optional defaults could describe how to handle emergency users and whether LDAP connectivity is available. References to legal requirements (such as the GDPR) should also be contained in your framework authorization structure.

Would you like to find out more about the SAP HANA database and the right authorization structure for you? Visit our SAST SOLUTIONS website or simply get in touch:

Matthias Anstötz (SAST SOLUTIONS)
Matthias Anstötz (SAP Security Consultant, SAST SOLUTIONS)



Authorizations for Batch Processing in Netweaver and S/4HANA Environments

SAP Authorization Management put to the Test at Berliner Wasserbetriebe