In this blog Rob Case (rob.case@sap.com) explains how to set up a technical user in SAP HANA Rules Framework 1.0 SPS 07 (for the set up of a business user please read the next blog).
Introduction
One of the major changes in the SAP HANA Rules Framework 1.0 SPS 07 release is a new technical user authorization mechanism. This change aligns SAP HRF with other SAP HANA applications that isolate the business user from direct access to the HANA database. A technical user now takes on the responsibility for data access, and it is this user, rather than the business user, that is granted database access privileges. From this release onwards, whenever a business user performs tasks such as creating and editing rules and rule services, or consuming a rule service, the data extraction is delegated to the technical user.
As a result, care needs to be taken during the installation or upgrade of SAP HRF to assign the correct privileges to the technical user and to all business users. The SAP HANA Rules Framework SPS 07 Installation and Upgrade Guide contains an additional section devoted to the creation of user HRF_TECH_USER, and the SAP HANA Rules Framework SPS 07 Security Guide describes the updated and extended shipped roles that supersede the roles previously implemented. The larger set of assignable roles gives the implementer tighter control over the execution of SAP HRF functionality. By combining the information from these two documents you can install SAP HRF, create a technical user, create the desired business users and assign the most applicable roles and privileges to each of them.
The intention of this document is to ease understanding of the new HRF_TECH_USER authorization mechanism and to supplement the comprehensive coverage provided by the release documentation. I have provided an example using screenshots and explanations based on the installation and configuration of the SAP HRF Banking Demo. I will limit the discussion to the setup of the technical user and its authorizations, since apart from this topic the install documentation is largely unchanged from the SAP HRF 1.0 SPS 06 release. As a reminder, the recommended steps for installation, configuration and authorization for this SAP HRF release are:
- 1. Install/upgrade to SAP HANA SPS 10 or SPS 11 as necessary
- 2. Install SAP HRF 1.0 SPS 07 using hdbalm
- 3. ** Create technical user HRF_TECH_USER
- 4. Run the supplied SAP HRF automated configuration script
- 5. Import an existing SAP HRF application or provide an existing application data schema
- 6. Assign privileges to the technical user
- 7. Create business users and assign to them specific SAP HRF roles. When upgrading from previous support package stacks, existing business user authorizations may need to be re-evaluated in accordance with the updated application privileges implemented in SAP HRF 1.0 SPS 07.
** This step is not required if your solution already has an application technical user defined and you wish this user to also act as an SAP HRF technical user.
I can now jump to step 5 of the above list, assuming that you have successfully completed steps 1 to 4.

There is no requirement to import an existing SAP HRF application or to provide an application data schema at this stage of the installation. Developing SAP HRF applications and setting user authorizations is an iterative process that is repeated throughout the lifetime of the application. However, doing things in this order is helpful for the sake of this document, as we can then apply all the application and runtime data schema authorizations at the same time without having to revisit them. In my example, completing step 5 allows me to import and activate the SAP HRF Banking Demo artefacts ready for user authorization assignment. A successful import of the application is also a good indicator that SAP HRF has installed correctly. If you wish to check your install of SAP HRF in a similar fashion, the SAP HRF Validation application is available for download and import from the SAP HRF Jam site under the heading Example HRF Application.
Technical User Authorizations
Now that everything is in place we can assign privileges to the HRF_TECH_USER default technical user. These authorizations allow the business user to hand over database access tasks to the technical user, as direct database access should no longer be granted to a business user.

You may have elected to employ the alternative application technical user option for your implementation instead of creating an HRF_TECH_USER. Rather than handing database access over to HRF_TECH_USER, an application technical user is itself responsible for data retrieval and requires one extra privilege to allow this. In this section I will refer to an example application technical user called APP_TECH_USER; the user name is arbitrary and can be replaced with a name of your own choosing.

The following tables describe the user privilege settings in SAP HANA Studio for the Banking Demo example for both types of technical user. For the purposes of SAP HRF, neither technical user needs privileges beyond those specified in these tables, and all other user privilege tabs can be left empty.
Default SAP HRF Technical User Authorization – HRF_TECH_USER
The Granted Roles tab needs no amendment for HRF_TECH_USER. The Object Privileges tab is where application and runtime schema access must be assigned manually so that the technical user can access the relevant data.

| SAP HANA Studio tab | Object | Privilege(s) | Notes |
|---|---|---|---|
| Granted Roles | sap.hrf.role.model::HRF_TECH_ROLE | Role (already granted) | When viewed in SAP HANA Studio under the Granted Roles tab, you will see that the automated configuration script has already assigned the HRF_TECH_ROLE role to the default technical user. The role provides the privileges the technical user needs to access the relevant SAP HRF artefacts. Because the configuration script has performed this assignment, this tab does not need amendment. |
| Object Privileges (Catalog Object) | _SYS_BIC | SELECT | The banking demo uses calculation views as a data source; these views, along with attribute and analytic views, are stored in the _SYS_BIC schema. If your application features these view types, the technical user also requires SELECT on the _SYS_BIC schema. |
| Object Privileges (Catalog Object) | <APPLICATION SCHEMA> | SELECT | The banking demo sample data resides in the schema SAP_BANKING_DEMO, and the technical user requires SELECT on this schema. Assign SELECT on your own application data schema in place of SAP_BANKING_DEMO. |
| Object Privileges (Catalog Object) | <RUNTIME SCHEMA> | EXECUTE, SELECT; INSERT and UPDATE if required | The technical user requires privileges on the runtime schema that you specified when running the SAP HRF configuration script. In this example the default runtime schema SAP_HRF is used rather than a user-defined schema. EXECUTE is required to run rule service procedures and SELECT to run rule services with views. INSERT and UPDATE are additionally needed if you wish users to be able to specify rule and rule service package locations via the SAP HRF Framework Configuration tile. In my example I have assigned all four privileges to the runtime schema. |

SAP HRF Application Technical User Authorization – APP_TECH_USER
For an application technical user the Granted Roles tab does need amendment, and the Object Privileges tab again requires manual assignment of application and runtime schema access. One additional Application Privilege is also required.

| SAP HANA Studio tab | Object | Privilege(s) | Notes |
|---|---|---|---|
| Granted Roles | sap.hrf.role.model::HRF_TECH_ROLE | Role (grant manually) | Assignment of the HRF_TECH_ROLE role to the application technical user is not performed by the SAP HRF automated configuration script and therefore must be granted manually. Once added, the Granted Roles tab looks identical to the same tab for HRF_TECH_USER. |
| Object Privileges (Catalog Object) | _SYS_BIC | SELECT | Exactly the same assignment as for HRF_TECH_USER; see the related row above. |
| Object Privileges (Catalog Object) | <APPLICATION SCHEMA> | SELECT | Exactly the same assignment as for HRF_TECH_USER; see the related row above. |
| Object Privileges (Catalog Object) | <RUNTIME SCHEMA> | EXECUTE, SELECT; INSERT and UPDATE if required | Exactly the same assignment as for HRF_TECH_USER; see the related row above. |
| Application Privileges | sap.hrf::AllPrivilegesForTechnicalUser | Application privilege | The application technical user requires one further privilege that is not granted to the default technical user. The application privilege sap.hrf::AllPrivilegesForTechnicalUser must be assigned to allow the application technical user to directly access a range of functions of the SAP HANA Rules Framework. |

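
The same assignments can be made from the SQL console instead of the SAP HANA Studio user editor, which is easier to script and to review. The following is an added example and is not from the original post or from SAP's HRF documentation. It assumes the Banking Demo defaults from the tables above (application schema SAP_BANKING_DEMO, runtime schema SAP_HRF); APP_TECH_USER and BIZ_USER are illustrative names chosen here. Repository roles and XS application privileges cannot be granted with a plain GRANT; they go through the _SYS_REPO procedures. The verification queries use the SAP HANA system views EFFECTIVE_PRIVILEGES, GRANTED_ROLES and EFFECTIVE_APPLICATION_PRIVILEGES; check the column names against the system view reference for your HANA revision.

```sql
-- Added example (not from the original post or the SAP HRF documentation).
-- Schema names follow the Banking Demo; APP_TECH_USER and BIZ_USER are
-- illustrative names assumed here.

-- 1. Default technical user HRF_TECH_USER.
--    sap.hrf.role.model::HRF_TECH_ROLE is already granted by the SAP HRF
--    configuration script, so only the catalog object privileges are needed.
GRANT SELECT ON SCHEMA _SYS_BIC          TO HRF_TECH_USER;  -- only if calc/attribute/analytic views are used
GRANT SELECT ON SCHEMA SAP_BANKING_DEMO  TO HRF_TECH_USER;  -- replace with your application data schema
GRANT EXECUTE, SELECT ON SCHEMA SAP_HRF  TO HRF_TECH_USER;  -- rule service procedures and views
GRANT INSERT, UPDATE  ON SCHEMA SAP_HRF  TO HRF_TECH_USER;  -- only if package locations are set via the
                                                             -- Framework Configuration tile

-- 2. Alternative: an existing application technical user acting as the HRF
--    technical user. The script does not grant the role here, and the extra
--    application privilege is required; both are granted via _SYS_REPO.
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('sap.hrf.role.model::HRF_TECH_ROLE', 'APP_TECH_USER');
CALL _SYS_REPO.GRANT_APPLICATION_PRIVILEGE('sap.hrf::AllPrivilegesForTechnicalUser', 'APP_TECH_USER');
GRANT SELECT ON SCHEMA _SYS_BIC                       TO APP_TECH_USER;
GRANT SELECT ON SCHEMA SAP_BANKING_DEMO               TO APP_TECH_USER;
GRANT EXECUTE, SELECT, INSERT, UPDATE ON SCHEMA SAP_HRF TO APP_TECH_USER;

-- 3. Verify what the technical user actually holds on the three schemas
--    (expected: SELECT on _SYS_BIC and SAP_BANKING_DEMO; EXECUTE, SELECT,
--    INSERT, UPDATE on SAP_HRF).
SELECT SCHEMA_NAME, PRIVILEGE, GRANTOR, IS_VALID
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'HRF_TECH_USER'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME IN ('_SYS_BIC', 'SAP_BANKING_DEMO', 'SAP_HRF')
 ORDER BY SCHEMA_NAME, PRIVILEGE;

-- Role and application privilege of the application technical user.
SELECT ROLE_NAME, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'APP_TECH_USER';

SELECT APPLICATION_PRIVILEGE_NAME, IS_VALID
  FROM EFFECTIVE_APPLICATION_PRIVILEGES
 WHERE USER_NAME = 'APP_TECH_USER';

-- 4. Least-privilege check for the new mechanism: a business user should hold
--    NO direct privilege on the application or runtime schema, because data
--    access is delegated to the technical user. Expect zero rows per user.
SELECT USER_NAME, SCHEMA_NAME, PRIVILEGE, GRANTOR
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'BIZ_USER'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME IN ('SAP_BANKING_DEMO', 'SAP_HRF');
```

Run the grants as a user with the corresponding privileges granted WITH GRANT OPTION (or as SYSTEM during setup), and note that querying EFFECTIVE_PRIVILEGES for another user requires a catalog-level privilege such as CATALOG READ. The check in step 4 is the one worth repeating after an upgrade from an earlier support package stack, since business users created under SPS 06 may still carry direct schema grants that the SPS 07 design no longer intends.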