Authorization is checked when a user tries to connect to HANA database and perform some database operations. When a user connects to HANA database using client tools via JDBC/ODBC or Via HTTP to perform some operations on database objects, corresponding action is determined by the access that is granted to the user.
Privileges granted to a user are determined by Object privileges assigned on user profile or role that has been granted to user. Authorization is a combination of both accesses. When a user tries to perform some operation on HANA database, system performs an authorization check. When all required privileges are found, system stops this check and grants the requested access.
There are different types of privileges, which are used in SAP HANA as mentioned under User role and Management −
They are applicable to system and database authorization for users and control system activities. They are used for administrative tasks such as creating Schemas, data backups, creating users and roles and so on. System privileges are also used to perform Repository operations.
They are applicable to database operations and apply to database objects like tables, Schemas, etc. They are used to manage database objects such as tables and views. Different actions like Select, Execute, Alter, Drop, Delete can be defined based on database objects.
They are also used to control remote data objects, which are connected through SMART data access to SAP HANA.
They are applicable to data inside all the packages that are created in HANA repository. They are used to control modeling views that are created inside packages like Attribute View, Analytic View, and Calculation View. They apply row and column level security to attributes that are defined in modeling views in HANA packages.
They are applicable to allow access to and ability to use packages that are created in repository of HANA database. Package contains different Modeling views like Attribute, Analytic and Calculation views and also Analytic Privileges defined in HANA repository database.
They are applicable to HANA XS application that access HANA database via HTTP request. They are used to control access on applications created with HANA XS engine.
Application Privileges can be applied to users/roles directly using HANA studio but it is preferred that they should be applied to roles created in repository at design time.
_SYS_REPO is the user owns all the objects in HANA repository. This user should be authorized externally for the objects on which repository objects are modeled in HANA system. _SYS_REPO is owner of all objects so it can only be used to grant access on these objects, no other user can login as _SYS_REPO user.
GRANT SELECT ON SCHEMA "<SCHEMA_NAME>" TO _SYS_REPO WITH GRANT OPTION
All SAP HANA users that have access on HANA database are verified with different Authentications method. SAP HANA system supports various types of authentication method and all these login methods are configured at time of profile creation.
Below is the list of authentication methods supported by SAP HANA −
- User name/Password
- Kerberos
- SAML 2.0
- SAP Logon tickets
- X.509

User Name/Password
This method requires a HANA user to enter user name and password to login to database. This user profile is created under User management in HANA Studio → Security Tab.
Password should be as per password policy i.e. Password length, complexity, lower and upper case letters, etc.
You can change the password policy as per your organization’s security standards. Please note that password policy cannot be deactivated.

Kerberos
All users who connect to HANA database system using an external authentication method should also have a database user. It is required to map external login to internal database user.
This method enables users to authenticate HANA system directly using JDBC/ODBC drivers through network or by using front end applications in SAP Business Objects.
It also allows HTTP access in HANA Extended Service using HANA XS engine. It uses SPENGO mechanism for Kerberos authentication.

SAML
SAML stands for Security Assertion Markup Language and can be used to authenticate users accessing HANA system directly from ODBC/JDBC clients. It can also be used to authenticate users in HANA system coming via HTTP through HANA XS engine.
SAML is used only for authentication purpose and not for authorization.

SAP Logon and Assertion Tickets
SAP Logon/assertion tickets can be used to authenticate users in HANA system. These tickets are issued to users when they login into SAP system, which is configured to issue such tickets like SAP Portal, etc. User specified in SAP logon tickets should be created in HANA system, as it does not provide support for mapping users.

X.509 Client Certificates
X.509 certificates can also be used to login to HANA system via HTTP access request from HANA XS engine. Users are authenticated by certificated that are signed from trusted Certificate Authority, which is stored in HANA XS system.
User in trusted certificate should exist in HANA system as there is no support for user mapping.

Single Sign On in HANA system
Single sign on can be configured in HANA system, which allows users to login to HANA system from an initial authentication on the client. User logins at client applications using different authentication methods and SSO allows user to access HANA system directly.
SSO can be configured on below configuration methods −
- SAML
- Kerberos
- X.509 client certificates for HTTP access from HANA XS engine
- SAP Logon/Assertion tickets
Technical database users are used only for administrative purpose such as creating new objects in database, assigning privileges to other users, on packages, applications etc.
SAP HANA User Administration Activities
Depending on business needs and configuration of HANA system, there are different user activities that can be performed using user administration tool like HANA studio.
Most common activities include −
- Create Users
- Grant roles to users
- Define and Create Roles
- Deleting Users
- Resetting user passwords
- Reactivating users after too many failed logon attempts
- Deactivating users when it is required
How to create Users in HANA Studio?
Only database users with the system privilege ROLE ADMIN are allowed to create users and roles in HANA studio. To create users and roles in HANA studio, go to HANA Administrator Console. You will see security tab in System view −

When you expand security tab, it gives option of User and Roles. To create a new user right click on User and go to New User. New window will open where you define User and User parameters.
Enter User name (mandate) and in Authentication field enter password. Password is applied, while saving password for a new user. You can also choose to create a restricted user.
The specified role name must not be identical to the name of an existing user or role. The password rules include a minimal password length and a definition of which character types (lower, upper, digit, special characters) have to be part of the password.

Different Authorization methods can be configured like SAML, X509 certificates, SAP Logon ticket, etc. Users in the database can be authenticated by varying mechanisms −
Internal authentication mechanism using a password.
External mechanisms such as Kerberos, SAML, SAP Logon Ticket, SAP Assertion Ticket or X.509.
A user can be authenticated by more than one mechanism at a time. However, only one password and one principal name for Kerberos can be valid at any one time. One authentication mechanism has to be specified to allow the user to connect and work with the database instance.
It also gives an option to define validity of user, you can mention validity interval by selecting the dates. Validity specification is an optional user parameter.
Some users that are, by default, delivered with the SAP HANA database are − SYS, SYSTEM, _SYS_REPO, _SYS_STATISTICS.
Once this is done, the next step is to define privileges for user profile. There are different types of privileges that can be added to a user profile.
Granted Roles to a User
This is used to add inbuilt SAP.HANA roles to user profile or to add custom roles created under Roles tab. Custom roles allow you to define roles as per access requirement and you can add these roles directly to user profile. This removes need to remember and add objects to a user profile every time for different access types.

PUBLIC − This is Generic role and is assigned to all database users by default. This role contains read only access to system views and execute privileges for some procedures. These roles cannot be revoked.

Modeling
It contains all privileges required for using the information modeler in the SAP HANA studio.
System Privileges
There are different types of System privileges that can be added to a user profile. To add a system privileges to a user profile, click on + sign.
System privileges are used for Backup/Restore, User Administration, Instance start and stop, etc.
Content Admin
It contains the similar privileges as that in MODELING role, but with the addition that this role is allowed to grant these privileges to other users. It also contains the repository privileges to work with imported objects.

Data Admin
This is a type of privilege, required for adding Data from objects to user profile.

Given below are common supported System Privileges −
Attach Debugger
It authorizes the debugging of a procedure call, called by a different user. Additionally, the DEBUG privilege for the corresponding procedure is needed.
Audit Admin
Controls the execution of the following auditing-related commands − CREATE AUDIT POLICY, DROP AUDIT POLICY and ALTER AUDIT POLICY and the changes of the auditing configuration. Also allows access to AUDIT_LOG system view.
Audit Operator
It authorizes the execution of the following command − ALTER SYSTEM CLEAR AUDIT LOG. Also allows access to AUDIT_LOG system view.
Backup Admin
It authorizes BACKUP and RECOVERY commands for defining and initiating backup and recovery procedures.
Backup Operator
It authorizes the BACKUP command to initiate a backup process.
Catalog Read
It authorizes users to have unfiltered read-only access to all system views. Normally, the content of these views is filtered based on the privileges of the accessing user.
Create Schema
It authorizes the creation of database schemas using the CREATE SCHEMA command. By default, each user owns one schema, with this privilege the user is allowed to create additional schemas.
CREATE STRUCTURED PRIVILEGE
It authorizes the creation of Structured Privileges (Analytical Privileges). Only the owner of an Analytical Privilege can further grant or revoke that privilege to other users or roles.
Credential Admin
It authorizes the credential commands − CREATE/ALTER/DROP CREDENTIAL.
Data Admin
It authorizes reading all data in the system views. It also enables execution of any Data Definition Language (DDL) commands in the SAP HANA database
A user having this privilege cannot select or change data stored tables for which they do not have access privileges, but they can drop tables or modify table definitions.
Database Admin
It authorizes all commands related to databases in a multi-database, such as CREATE, DROP, ALTER, RENAME, BACKUP, RECOVERY.
Export
It authorizes export activity in the database via the EXPORT TABLE command.
Note that beside this privilege the user requires the SELECT privilege on the source tables to be exported.
Import
It authorizes the import activity in the database using the IMPORT commands.
Note that beside this privilege the user requires the INSERT privilege on the target tables to be imported.
Inifile Admin
It authorizes changing of system settings.
License Admin
It authorizes the SET SYSTEM LICENSE command install a new license.
Log Admin
It authorizes the ALTER SYSTEM LOGGING [ON|OFF] commands to enable or disable the log flush mechanism.
Monitor Admin
It authorizes the ALTER SYSTEM commands for EVENTs.
Optimizer Admin
It authorizes the ALTER SYSTEM commands concerning SQL PLAN CACHE and ALTER SYSTEM UPDATE STATISTICS commands, which influence the behavior of the query optimizer.
Resource Admin
This privilege authorizes commands concerning system resources. For example, ALTER SYSTEM RECLAIM DATAVOLUME and ALTER SYSTEM RESET MONITORING VIEW. It also authorizes many of the commands available in the Management Console.
Role Admin
This privilege authorizes the creation and deletion of roles using the CREATE ROLE and DROP ROLE commands. It also authorizes the granting and revocation of roles using the GRANT and REVOKE commands.
Activated roles, meaning roles whose creator is the pre-defined user _SYS_REPO, can neither be granted to other roles or users nor dropped directly. Not even users having ROLE ADMIN privilege are able to do so. Please check documentation concerning activated objects.
Savepoint Admin
It authorizes the execution of a savepoint process using the ALTER SYSTEM SAVEPOINT command.
Components of the SAP HANA database can create new system privileges. These privileges use the component-name as first identifier of the system privilege and the component-privilege-name as the second identifier.
Object/SQL Privileges
Object privileges are also known as SQL privileges. These privileges are used to allow access on objects like Select, Insert, Update and Delete of tables, Views or Schemas.

Given below are possible types of Object Privileges −
- Object privilege on database objects that exist only in runtime
- Object privilege on activated objects created in the repository, like calculation views
- Object privilege on schema containing activated objects created in the repository,
- Object/SQL Privileges are collection of all DDL and DML privileges on database objects.
Given below are common supported Object Privileges −
There are multiple database objects in HANA database, so not all the privileges are applicable to all kinds of database objects.

Object Privileges and their applicability on database objects −

Analytic Privileges
Sometimes, it is required that data in the same view should not be accessible to other users who does not have any relevant requirement for that data.
Analytic privileges are used to limit the access on HANA Information Views at object level. We can apply row and column level security in Analytic Privileges.
Analytic Privileges are used for −
- Allocation of row and column level security for specific value range.
- Allocation of row and column level security for modeling views.

Package Privileges
In the SAP HANA repository, you can set package authorizations for a specific user or for a role. Package privileges are used to allow access to data models- Analytic or Calculation views or on to Repository objects. All privileges that are assigned to a repository package are assigned to all sub packages too. You can also mention if assigned user authorizations can be passed to other users.
Steps to add a package privileges to User profile −
- Click on Package privilege tab in HANA studio under User creation → Choose + to add one or more packages. Use Ctrl key to select multiple packages.
- In the Select Repository Package dialog, use all or part of the package name to locate the repository package that you want to authorize access to.
- Select one or more repository packages that you want to authorize access to, the selected packages appear in the Package Privileges tab.

Given below are grant privileges, which are used on repository packages to authorize user to modify the objects −
- REPO.READ − Read access to the selected package and design-time objects (both native and imported)
- REPO.EDIT_NATIVE_OBJECTS − Authorization to modify objects in packages.
- Grantable to Others − If you choose ‘Yes’ for this, this allows assigned user authorization to pass to the other users.
Application Privileges
Application privileges in a user profile are used to define authorization for access to HANA XS application. This can be assigned to an individual user or to the group of users. Application privileges can also be used to provide different level of access to the same application like to provide advanced functions for database Administrators and read-only access to normal users.

To define Application specific privileges in a user profile or to add group of users, below privileges should be used −
- Application-privileges file (.xsprivileges)
- Application-access file (.xsaccess)
- Role-definition file (<RoleName>.hdbrole)
Security means protecting company’s critical data from unauthorized access and use, and to ensure that Compliance and standards are met as per the company policy. SAP HANA enables customer to implement different security policies and procedures and to meet compliance requirements of the company.
SAP HANA supports multiple databases in a single HANA system and this is known as multitenant database containers. HANA system can also contain more than one multitenant database containers. A multiple container system always has exactly one system database and any number of multitenant database containers. AN SAP HANA system that is installed in this environment is identified by a single system ID (SID). Database containers in HANA system are identified by a SID and database name. SAP HANA client, known as HANA studio, connects to specific databases.
SAP HANA provides all security related features such as Authentication, Authorization, Encryption and Auditing, and some add on features, which are not supported in other multitenant databases.

Below given is a list of security related features, provided by SAP HANA −
- User and Role Management
- Authentication and SSO
- Authorization
- Encryption of data communication in Network
- Encryption of data in Persistence Layer
Additional Features in multitenant HANA database −
- Database Isolation − It involves preventing cross tenant attacks through operating system mechanism
- Configuration Change blacklist − It involves preventing certain system properties from being changed by tenant database administrators
- Restricted Features − It involves disabling certain database features that provides direct access to file system, the network or other resources.
SAP HANA User and Role Management
SAP HANA user and role management configuration depends on the architecture of your HANA system.
- If SAP HANA is integrated with BI platform tools and acts as reporting database, then the end-user and role are managed in application server.
- If the end-user directly connects to the SAP HANA database, then user and role in database layer of HANA system is required for both end users and administrators.
Every user wants to work with HANA database must have a database user with necessary privileges. User accessing HANA system can either be a technical user or an end user depending on the access requirement. After successful logon to system, user’s authorization to perform the required operation is verified. Executing that operation depends on privileges that user has been granted. These privileges can be granted using roles in HANA Security. HANA Studio is one of powerful tool to manage user and roles for HANA database system.
User Types
User types vary according to security policies and different privileges assigned on user profile. User type can be a technical database user or end user needs access on HANA system for reporting purpose or for data manipulation.
Standard Users
Standard users are users who can create objects in their own Schemas and have read access in system Information models. Read access is provided by PUBLIC role which is assigned to every standard users.

Restricted Users
Restricted users are those users who access HANA system with some applications and they do not have SQL privileges on HANA system. When these users are created, they do not have any access initially.
If we compare restricted users with Standard users −
- Restricted users cannot create objects in HANA database or their own Schemas.
- They do not have access to view any data in database as they don’t have generic Public role added to profile like standard users.
- They can connect to HANA database only using HTTP/HTTPS.
Microsoft Excel is considered the most common BI reporting and analysis tool by many organizations. Business Managers and Analysts can connect it to HANA database to draw Pivot tables and charts for analysis.
Connecting MS Excel to HANA
Open Excel and go to Data tab → from other sources → click on Data connection wizard → Other/ Advanced and click on Next → Data link properties will open.


Choose SAP HANA MDX Provider from this list to connect to any MDX data source → Enter HANA system details (server name, instance, user name and password) → click on Test Connection → Connection succeeded → OK.
It will give you the list of all packages in drop down list that are available in HANA system. You can choose an Information view → click Next → Select Pivot table/others → OK.

All attributes from Information view will be added to MS Excel. You can choose different attributes and measures to report as shown and you can choose different charts like pie charts and bar charts from design option at the top.
Crystal Reports for Enterprise
In Crystal Reports for Enterprise, you can access SAP HANA data by using an existing relational connection created using the information design tool.
You can also connect to SAP HANA using an OLAP connection created using information design tool or CMC.
Design Studio
Design Studio can access SAP HANA data by using an existing OLAP connection created in Information design tool or CMC same like Office Analysis.
Dashboards
Dashboards can connect to SAP HANA only through a relational Universe. Customers using Dashboards on top of SAP HANA should strongly consider building their new dashboards with Design Studio.
Web Intelligence
Web Intelligence can connect to SAP HANA only through a Relational Universe.
SAP Lumira
Lumira can connect directly to SAP HANA Analytic and Calculation views. It can also connect to SAP HANA through SAP BI Platform using a relational Universe.
Office Analysis, edition for OLAP
In Office Analysis edition for OLAP, you can connect to SAP HANA using an OLAP connection defined in the Central Management Console or in Information design tool.
Explorer
You can create an information space based on an SAP HANA view using JDBC drivers.
Creating an OLAP Connection in CMC
We can create an OLAP Connection for all the BI tools, which we want to use on top of HANA views like OLAP for analysis, Crystal Report for enterprise, Design Studio. Relational connection through IDT is used to connect Web Intelligence and Dashboards to HANA database.
These connection can be created using IDT as well CMC and both of the connections are saved in BO Repository.
Login to CMC with the user name and password.
From the dropdown list of connections, choose an OLAP connection. It will also show already created connections in CMC. To create a new connection, go to green icon and click on this.

Enter the name of an OLAP connection and description. Multiple persons, to connect to HANA views, in different BI Platform tools, can use this connection.
Provider − SAP HANA
Server − Enter HANA Server name
Instance − Instance number

It also gives an option to connect to a single Cube (You can also choose to connect to single Analytic or Calculation view) or to the full HANA system.
Click on Connect and choose modeling view by entering user name and password.
Authentication Types − Three types of Authentication are possible while creating an OLAP connection in CMC.
- Predefined − It will not ask user name and password again while using this connection.
- Prompt − Every time it will ask user name and password
- SSO − User specific
- Enter user − user name and password for HANA system and save and new connection will be added to existing list of connections.
Now open BI Launchpad to open all BI platform tools for reporting like Office Analysis for OLAP and it will ask to choose a connection. By default, it will show you the Information View if you have specified it while creating this connection otherwise click on Next and go to folders → Choose Views (Analytic or Calculation Views).
SAP Lumira connectivity with HANA system
Open SAP Lumira from Start Program, Click on file menu → New → Add new dataset → Connect to SAP HANA → Next

Difference between connect to SAP HANA and download from SAP HANA is that it will download data from Hana system to BO repository and refreshing of data will not occur with changes in HANA system. Enter HANA server name and Instance number. Enter user name and password → click on Connect.

It will show all views. You can search with the view name → Choose View → Next. It will show all measures and dimensions. You can choose from these attributes if you want → click on create option.
There are four tabs inside SAP Lumira −
- Prepare − You can see the data and do any custom calculation.
- Visualize − You can add Graphs and Charts. Click on X axis and Y axis + sign to add attributes.
- Compose − This option can be used to create sequence of Visualization (story) → click on Board to add numbers of boards → create → it will show all the visualizations on left side. Drag first Visualization then add page then add second visualization.
- Share − If it is built on SAP HANA, we can only publish to SAP Lumira server. Otherwise you can also publish story from SAP Lumira to SAP Community Network SCN or BI Platform.
Save the file to use it later → Go to File-Save → choose Local → Save
Creating a Relational Connection in IDT to use with HANA views in WebI and Dashboard −
Open Information Design Tool → by going to BI Platform Client tools. Click on New → Project Enter Project Name → Finish.

Right-click on Project name → Go to New → Choose Relational Connection → Enter Connection/resource name → Next → choose SAP from list to connect to HANA system → SAP HANA → Select JDBC/ODBC drivers → click on Next → Enter HANA system details → Click on Next and Finish.

You can also test this connection by clicking on Test Connection option.

Test Connection → Successful. Next step is to publish this connection to Repository to make it available for use.
Right Click on connection name → click on Publish connection to Repository → Enter BO Repository name and password → Click on Connect → Next →Finish → Yes.

It will create a new relational connection with .cns extension.
.cns − connection type represents secured Repository connection that should be used to create Data foundation.
.cnx − represents local unsecured connection. If you use this connection while creating and publishing a Universe, it will not allow you to publish that to repository.
Choose .cns connection type → Right Click on this → click on New Data foundation → Enter Name of Data foundation → Next → Single source/multi source → click on Next → Finish.

It will show all the tables in HANA database with Schema name in the middle pane.
Import all tables from HANA database to master pane to create a Universe. Join Dim and Fact tables with primary keys in Dim tables to create a Schema.

Double Click on the Joins and detect Cardinality → Detect → OK → Save All at the top. Now we have to create a new Business layer on the data foundation that will be consumed by BI Application tools.
Right Click on .dfx and choose new Business Layer → Enter Name → Finish →. It will show all the objects automatically, under master pane →. Change Dimension to Measures (Type-Measure change Projection as required) → Save All.

Right-click on .bfx file → click on Publish → To Repository → click on Next → Finish → Universe Published Successfully.
Now open WebI Report from BI Launchpad or Webi rich client from BI Platform client tools → New → select Universe → TEST_SAP_HANA → OK.

All Objects will be added to Query Panel. You can choose attributes and measures from left pane and add them to Result Objects. The Run query will run the SQL query and the output will be generated in the form of Report in WebI as shown below.
