| HANA DB Privilege/Role | SAP Recommendations | Type of Risk | How to configure or implement the risk |
|---|---|---|---|
| DATA ADMIN privilege | 1. The system privilege DATA ADMIN is a powerful privilege. It authorizes a user to read all data in system views and to execute all data definition language (DDL) commands in the SAP HANA database. No user in a production system should have this privilege, except the SYSTEM and _SYS_REPO users, which have it by default. 2. Executing select * from GRANTED_PRIVILEGES where privilege = 'DATA ADMIN' should return only SYSTEM and _SYS_REPO. | Critical Action | Use the following action to create a function in the GRC system, then define a critical action risk for that function: DATA ADMIN |
| DEVELOPMENT privilege | The system privilege DEVELOPMENT authorizes some internal ALTER SYSTEM commands. No user should have this privilege, except the SYSTEM and _SYS_REPO users, which have it by default. You can verify whether a user has the DEVELOPMENT privilege by executing SELECT * from granted_privileges where privilege = 'DEVELOPMENT'. | Critical Action | Use the following actions to create a function in the GRC system, then define a critical action risk for that function: sap.hana.xs.lm::Developer, sap.hana.xs.lm::DevelopmentExpert, sap.hana.xs.lm.hanaCockpit::WidgetAccess:developerCatalog |
| System Privileges (Support Users) | Only administrative or support users should have the system privileges CATALOG READ and TRACE ADMIN in a production system. | Critical Action | Use the following actions to create a function in the GRC system, then define a critical action risk for that function: CATALOG READ, TRACE ADMIN |
| DEBUG and ATTACH DEBUGGER privileges | The privileges DEBUG, DEBUG MODIFY and ATTACH DEBUGGER should not be assigned to any user in production systems. | Critical Action | Use the following actions to create a function in the GRC system, then define a critical action risk for that function: ATTACH DEBUGGER, DEBUG, DEBUG MODIFY |
| System Privileges (Administrators) | Only administrative users should have the system privileges listed in the last column. | Critical Action | Use the following actions to create a function in the GRC system, then define a critical action risk for that function: ADAPTER ADMIN, AGENT ADMIN, AUDIT ADMIN, AUDIT OPERATOR, BACKUP ADMIN, BACKUP OPERATOR, CERTIFICATE ADMIN, CREATE REMOTE SOURCE, CREDENTIAL ADMIN, EXTENDED STORAGE ADMIN, INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, MONITOR ADMIN, OPTIMIZER ADMIN, RESOURCE ADMIN, SAVEPOINT ADMIN, SERVICE ADMIN, SESSION ADMIN, SSL ADMIN, TABLE ADMIN, TRUST ADMIN, VERSION ADMIN, WORKLOAD ADMIN |
| CONTENT_ADMIN role | The CONTENT_ADMIN role is very privileged and should not be granted to users, particularly in production systems. It should only be used as a template. | Critical Role or Critical Action | Option 1: define the "CONTENT_ADMIN" role as a critical role in the GRC system. Option 2: use the following actions to create a function in the GRC system, then define a critical action risk for that function: CREATE SCENARIO, CREATE STRUCTURED PRIVILEGE, REPO.EXPORT, REPO.IMPORT, REPO.MAINTAIN_DELIVERY_UNITS, REPO.WORK_IN_FOREIGN_WORKSPACE, STRUCTUREDPRIVILEGE ADMIN |
| _SYS_BI_CP_ALL analytic privilege should not be granted to users | The MODELING role contains the predefined analytic privilege _SYS_BI_CP_ALL. This analytic privilege potentially allows a user to access all the data in activated views that are protected by XML-based analytic privileges, regardless of any other analytic privileges that apply. Although the user must also have the SELECT object privilege on the views to actually access data, the _SYS_BI_CP_ALL analytic privilege should not be granted to users, particularly in production systems. For this reason, the MODELING role should only be used as a template. | Critical Role or Critical Action | Option 1: define the "[AP]_SYS_BI_CP_ALL" role as a critical role in the GRC system. Option 2: use the following actions to create a function in the GRC system, then define a critical action risk for that function: _SYS_BI:*, _SYS_BIC:*, _SYS_BI_CP_ALL |
| SAP_INTERNAL_HANA_SUPPORT role | Should be granted only to SAP HANA development support users for their support activities. To avoid accidental use of this role in day-to-day activities, restrictions apply to the SAP_INTERNAL_HANA_SUPPORT role; for example, it cannot be granted to the SYSTEM user. | Critical Role | Define the "SAP_INTERNAL_HANA_SUPPORT" role as a critical role in the GRC system. |
| Grant Application Function Library (AFL) roles only to authorized users | Grant Application Function Library (AFL) roles only to users who need to execute Predictive Analysis Library (PAL) and SAP HANA Business Function Library (BFL) procedures. | Critical Role | Define the following roles as critical roles in the GRC system: AFL__SYS_AFL_AFLPAL_EXECUTE, AFL__SYS_AFL_AFLPAL_EXECUTE_WITH_GRANT_OPTION, AFL__SYS_AFL_AFLBFL_EXECUTE, AFL__SYS_AFL_AFLBFL_EXECUTE_WITH_GRANT_OPTION |
| Critical combinations of system privileges should not be granted together | USER ADMIN vs. ROLE ADMIN | Segregation of Duties | Use the following actions to create Function 1 (Maintain User Master) in the GRC system: USER ADMIN, USERGROUP OPERATOR. Use the following action to create Function 2 (Maintain Roles): ROLE ADMIN. |
| Critical combinations of system privileges should not be granted together | CREATE SCENARIO vs. SCENARIO ADMIN | Segregation of Duties | Use the following action to create Function 1 (Maintain Scenarios): CREATE SCENARIO. Use the following action to create Function 2 (Scenario Admin): SCENARIO ADMIN. |
| Critical combinations of system privileges should not be granted together | AUDIT ADMIN vs. AUDIT OPERATOR | Segregation of Duties | Use the following action to create Function 1 (Audit Administration): AUDIT ADMIN. Use the following action to create Function 2 (Audit Operations): AUDIT OPERATOR. |
| Critical combinations of system privileges should not be granted together | CREATE STRUCTURED PRIVILEGE vs. STRUCTUREDPRIVILEGE ADMIN | Segregation of Duties | Use the following action to create Function 1 (Maintain Structured Privileges): CREATE STRUCTURED PRIVILEGE. Use the following action to create Function 2 (Structured Privileges Administration): STRUCTUREDPRIVILEGE ADMIN. |
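The GRANTED_PRIVILEGES checks quoted in the table can be generalised into two reusable queries; the following is an added example and not part of the original post or of any SAP-delivered content. The first statement lists direct holders of the privileges from the Critical Action rows, the second flags any grantee holding both sides of a Segregation of Duties pair. It assumes the standard GRANTED_PRIVILEGES columns (GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, PRIVILEGE), the OBJECT_TYPE value 'SYSTEMPRIVILEGE' for system privileges, and SAP HANA 2.0 SQL for STRING_AGG.

```sql
-- Added example (not from the original post). GRANTED_PRIVILEGES lists direct
-- grants only: a privilege inherited through a role appears under the role's
-- name (GRANTEE_TYPE = 'ROLE'), so review role grantees as well, or use
-- EFFECTIVE_PRIVILEGES for one user's fully resolved set.

-- Check 1: direct holders of the critical system privileges, excluding the two
-- users that hold DATA ADMIN / DEVELOPMENT by default.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('DATA ADMIN', 'DEVELOPMENT', 'DEBUG', 'DEBUG MODIFY',
                     'ATTACH DEBUGGER', 'CATALOG READ', 'TRACE ADMIN')
   AND GRANTEE NOT IN ('SYSTEM', '_SYS_REPO')
 ORDER BY PRIVILEGE, GRANTEE;

-- Check 2: segregation of duties. Each pair mirrors one SoD row of the table
-- (side 1 = Function 1, side 2 = Function 2); a grantee holding a privilege
-- from both sides of the same pair is a finding.
WITH sod AS (
  SELECT 'USER_VS_ROLE'    AS pair, 1 AS side, 'USER ADMIN'         AS privilege FROM DUMMY UNION ALL
  SELECT 'USER_VS_ROLE'    AS pair, 1 AS side, 'USERGROUP OPERATOR' AS privilege FROM DUMMY UNION ALL
  SELECT 'USER_VS_ROLE'    AS pair, 2 AS side, 'ROLE ADMIN'         AS privilege FROM DUMMY UNION ALL
  SELECT 'SCENARIO'        AS pair, 1 AS side, 'CREATE SCENARIO'    AS privilege FROM DUMMY UNION ALL
  SELECT 'SCENARIO'        AS pair, 2 AS side, 'SCENARIO ADMIN'     AS privilege FROM DUMMY UNION ALL
  SELECT 'AUDIT'           AS pair, 1 AS side, 'AUDIT ADMIN'        AS privilege FROM DUMMY UNION ALL
  SELECT 'AUDIT'           AS pair, 2 AS side, 'AUDIT OPERATOR'     AS privilege FROM DUMMY UNION ALL
  SELECT 'STRUCTURED_PRIV' AS pair, 1 AS side, 'CREATE STRUCTURED PRIVILEGE' AS privilege FROM DUMMY UNION ALL
  SELECT 'STRUCTURED_PRIV' AS pair, 2 AS side, 'STRUCTUREDPRIVILEGE ADMIN'   AS privilege FROM DUMMY
)
SELECT g.GRANTEE, g.GRANTEE_TYPE, s.pair,
       STRING_AGG(s.privilege, ', ' ORDER BY s.side) AS conflicting_privileges
  FROM GRANTED_PRIVILEGES g
  JOIN sod s ON s.privilege = g.PRIVILEGE
 WHERE g.OBJECT_TYPE = 'SYSTEMPRIVILEGE'
 GROUP BY g.GRANTEE, g.GRANTEE_TYPE, s.pair
HAVING COUNT(DISTINCT s.side) = 2
 ORDER BY g.GRANTEE, s.pair;
```

Run both queries on a schedule and compare the result sets against the GRC risk analysis; a grantee that appears here but not in GRC points to a grant made outside the governed provisioning path.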
Thanks for reading.
Looking forward to your inputs for improving this blog with additional details or scenarios.
Best Regards,
madhusap
Also special thanks to my colleague elise.oei for helping me out with this blog 🙂