In enterprise applications, it’s important to establish a structure for assessing the different privileges to grant to your team. Managers should have a different level of access to your applications than employees, and vice-versa. You certainly wouldn’t want your newly hired employees having the ability to view your core finances. These functional separations of activity are all possible in a specialized HANA Cloud Platform architecture, combining the object privileges of the HANA database with the application-level security of the Fiori Launchpad.
In this article, we will introduce you to three techniques that you can apply today to secure your applications in SAP HANA and provide a more intuitive experience to your end-users.
Before you start, you will need the following:
- a HANA DB Server running in the cloud or on premise;
- a Fiori UI License;
- a Portal Service License;
- a HANA Web Development-based Workbench;
- and a HANA Web IDE License (optional, but recommended for ease of use).
Also, prior to beginning, review our primer “Everything You Need to Know About Configuring the Fiori Launchpad” for help with setting up your portal service along with general tips and tricks. Many of the items we discuss in the Fiori Launchpad article relate to this topic and vice-versa.
Without further ado, let’s get started!
Tip #1: Create an Object-Based Privilege
Object-based privileges are an essential part of any HANA installation. In short, these permissions allow your system administrator to set database-level access in varying increments for user groups and individual users of the system. Each object type (e.g. tables, views, sequences) in HANA has a different set of permissions.
As an example, for tables you can activate or deactivate Alter, Drop, Select, Insert, Update, Delete, Index, Trigger and References. Views have other types of permissions.
By combining your tables, views and sequences strategically with different permission sets, you can tailor access for both individuals and groups of end-users.
In terms of security, the object privileges (along with other “back-end” permissions) are the last line of defense against malicious attacks. If someone happens to acquire an S-User ID for your system, and bypasses the Fiori Launchpad link, they still need these back-end privileges to view any data in your application. Even if they get to this point and launch your application, an error message will be displayed, stating that the user has insufficient privileges. Additionally, for legitimate users on your system, these privileges prevent cases where one user could potentially see another user’s personal information.
Here is an example of how you would create an object-based privilege:
- Navigate to your HANA Cloud Platform and open up the Applications > HANA XS Applications tab. Click on one of your applications and choose the blue hyperlink “Open in Web Based Development Workbench.” You should now be inside the HANA Back-end Editor. If you have not yet created a “.hdbrole” file, take a look at the SAP Help Portal guide on creating a design-time role. Create two individual “.hdbrole” files, naming one “employee” and one “projectManager.” Next, you will be configuring the permissions for each role.
- Navigate to your “.hdbrole” file, click on the “Object Privilege” tab and click the + button. From here you can associate individual tables, views, and sequences to the role.
- For the Project Manager .hdbrole file, set the “read” and “write” permissions on all your tables that are necessary for the app to run. For the Employee .hdbrole file, give them only “read” permissions on all the tables that the Project Manager was previously associated with. Make sure to save your changes, and exit.
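As an added example (not from the original article), this is what the two design-time roles produced by the steps above look like as text; the “Object Privilege” tab of the Workbench writes lines of this form. The package names timesheet.roles and timesheet.data and the two table names are assumptions.

```hdbrole
// File: timesheet/roles/employee.hdbrole   (package path is an assumption)
// Employees only read the tables the timesheet submittal app depends on.
role timesheet.roles::employee {
    // design-time tables in the app's own package: SELECT only
    sql object timesheet.data::TIMESHEET.hdbtable: SELECT;
    sql object timesheet.data::PROJECT.hdbtable: SELECT;
}

// File: timesheet/roles/projectManager.hdbrole
// Project managers read and write the same tables for the reporting app.
role timesheet.roles::projectManager {
    sql object timesheet.data::TIMESHEET.hdbtable: SELECT, INSERT, UPDATE, DELETE;
    sql object timesheet.data::PROJECT.hdbtable: SELECT, INSERT, UPDATE, DELETE;
    // for a runtime (catalog) table the form is:
    // catalog sql object "TIMESHEET_SCHEMA"."TIMESHEET": SELECT, INSERT, UPDATE, DELETE;
}
```

Once activated, the roles exist in the catalog as timesheet.roles::employee and timesheet.roles::projectManager, which are the names that later appear in the catalog “Roles” tab of the Fiori Launchpad.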
Now that the .hdbrole files are set, you can create a catalog in Fiori to associate these created roles to actual users in the system.
Tip #2: Create a Catalog in Fiori
- Go into your services area of HANA Cloud Platform and click on the “Portal” link.
- Click “Go to service.” If you haven’t already set up a Fiori Launchpad site, check out our article “Everything You Need to Know About Configuring the Fiori Launchpad.”
- Open your site in edit mode by using the hyperlinks, navigate to the side menu and click “Content Management” then “Catalogs.”
This page is your central hub for designating application-level permissions. Whenever you create a new catalog here, you will have the opportunity to designate which individual applications this catalog exposes, as well as which roles are assigned to the catalog. If you skipped to this page, take a quick look at Tip #1 above to discover how to create the “.hdbrole” files for your application. As a best practice, assign only one role per catalog, or you risk redundancies in the permissions structure.
For example, let’s assume you’re building some applications for both employees and project managers. The intent is to build a timesheet submittal application for the employees and a timesheet reporting application for the PMs. In this case we would need two separate catalogs – one catalog will show only the timesheet submission app for employees, and the other catalog will show the timesheet reporting app for project managers.
Let us start by creating the catalog for PMs. To do this:
- Navigate to your HANA Cloud Platform and click on “Services.”
- Click on “Portal.”
- Select “Go to Service.”
- Choose “Go to Site Directory” on the left side. This should display a list of Fiori Launchpads, or “Sites” that you had created previously.
- Select “edit” on one of them and you will be put into the main Fiori Launchpad config utility.
- There are some buttons on the side, one of which will read “Content Management”. Select this button then select “Catalogs.”
- From here, you have the option to create a catalog by clicking the + in the lower left corner, and assign a role to it. Name the catalog in the main tab, then click the “Roles” tab.
- Your previously created “.hdbrole” files should appear in the “Roles” tab when you add a new one.
That’s it! You have successfully created a catalog entry and segregated the duties between your team members using the Fiori Launchpad.
Tip #3: Tile Groups in Fiori
Tile Groups are the final step in making your Fiori page more user-friendly. These enable you to logically group applications under useful headings.
For example, if you want the default layout for project managers to include two apps, time tracking and vacation request, you would combine these underneath the heading “Time Apps.” Though users are still able to modify where their application tiles go, these settings provide the default configuration for the page layout. Also, it is much easier to see which apps need to be utilized if you have logically grouped them by some workflow or other grouping. For example, in a warehouse situation you might logically group the Sales Order, Purchase Order, and Goods Receipts apps into a warehouse management tile group.
There you have it – three ways to enhance your security and experience on SAP HANA. If you have any questions, please comment below. If you’d like to share your thoughts or wish to discuss any of our products and accelerators, please don’t hesitate to contact us.
Thomas Rautenbach, Architect
Thomas Rautenbach has over 20 years of diverse systems experience with a strong focus on system and integration architecture and software design and development. He has detailed technical, functional and system knowledge across the SAP technology platform, including extensive experience with the Finance, Supply Chain, Sales and Distribution, and Human Resources modules.
Glossary
Term | Definition
Site | The HTML web page which displays your configured Fiori Launchpad
Portal Service | The user interface provided by SAP to configure your Fiori Launchpad instance
Catalog Group | One or many apps related to a user group, which can be dynamically hidden or shown based on permissions
Tile Group | A logical grouping of apps which stick together in the interface of the Fiori Launchpad
Tile | A square-shaped link to your UI5 application, shown on the Fiori Launchpad