Authorization for SAP Access Control Role Analytics

Use

Users of the SAP Access Control Role Analytics application access the data replicated from the SAP GRC system with SAP HANA database users, which are administered in the SAP HANA studio. There is no mapping between a user in the GRC server and the SAP HANA database user who accesses the analytic application, so authorizations defined in GRC do not carry over to the replicated data. It is therefore necessary to configure the authorization-relevant settings in the SAP HANA studio to restrict access to the replicated data.

Authorization Settings

General Settings

You must ensure that users have the right level of authorization to access data replicated from SAP GRC, and that it is available in the analytic application. To do so, ensure that the following authorization-relevant settings have been made:

  • To enable access to the SAP Access Control Role Analytics application, an administrator has created the SAP HANA database users in the SAP HANA studio.

  • You have installed and activated the virtual data model views for GRC in the SAP HANA studio.

  • You have configured data replication between the GRC server and the SAP HANA server. For more information, see the Installation Steps - General Information section of this guide, as well as the documentation available on SAP Help Portal at http://help.sap.com/hba under Application Help > SAP HANA Live for SAP solutions for GRC.

Settings for Business Users

Grant authorization to users that only need to access the analytic application as follows:

  1. Create analytic privileges that grant access to the following query views from the package sap.hba.apps.grcra-reuse.views, and assign them to the users:

    • AccessControlCriticalLevelQuery

    • AccessControlRoleActionQuery

    • AccessControlRoleComparisonQuery

    • AccessControlRoleSensitivityQuery

    • AccessControlRoleTypeQuery

    • AccessControlUserRoleRelationQuery

    • BusRoleMgmtConnGroupQuery

    • BusRoleMgmtRoleQuery

    • FreqUsedRolesDetailQuery

    • FreqUsedRolesQuery

    • OrphanedRolesDetailQuery

    • OrphanedRolesQuery

    • UnusedRolesDetailQuery

    • UnusedRolesQuery

    Recommendation

    SAP recommends that you create analytic privileges for the above query views with restrictions on the view attributes according to your business requirements.

  2. Grant the following SQL privileges to the user:

    • In the Unused Role Analysis of the SAP Access Control Role Analytics application, users can choose to deprovision unused roles. For this, assign them the SELECT, INSERT and UPDATE privileges on the table SAP_HBA.sap.hba.apps.grcra-reuse.db::GRCANA_DEPROVISION.

    • SELECT privilege on the following query views:

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlCriticalLevelQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlRoleActionQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlRoleComparisonQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlRoleSensitivityQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlRoleTypeQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlUserRoleRelationQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/BusRoleMgmtConnGroupQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/BusRoleMgmtRoleQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/FreqUsedRolesDetailQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/FreqUsedRolesQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/OrphanedRolesDetailQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/OrphanedRolesQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/UnusedRolesDetailQuery

      • _SYS_BIC.sap.hba.apps.grcra-reuse.views/UnusedRolesQuery

      Note

      SAP recommends that you do not grant the privileges of the SYSTEM user to users accessing the SAP Access Control Role Analytics application, and that you do not let them log on as SYSTEM, as this gives them full access to all replicated data and bypasses the restrictions described here.

Defining Restrictions on Views in the SAP HANA Studio

You can restrict access to data for users of the SAP Access Control Role Analytics application as follows:

  • By defining row-based access restrictions through analytic privileges on the query views, according to your data access control requirements. For example, in the query view UnusedRolesQuery you can restrict the attribute SAPClient in the analytic privilege. This enforces client isolation: the analytic privilege grants access only to the data of that client. If you do not restrict the attribute SAPClient in the analytic privilege, the privilege grants access to the data of all clients.

  • In the analytic privilege, you can restrict the range of attribute values and their combinations that a particular user can see in the application.

Recommendation

SAP recommends that you define the authorizations as SAP HANA roles, which can then be assigned more easily to existing and new users. Such a role can, for example, contain the SQL privileges for accessing the query views and non-query views, together with the analytic privileges that restrict the query views and non-query views.
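The following script is an added example and not part of the SAP documentation. It combines the business-user setup above (SQL privileges on the query views and on the deprovisioning table), the row-level SAPClient restriction, and the recommendation to package everything in a SAP HANA role, for execution in the SAP HANA studio SQL console. The role name GRC_RA_BUSINESS_USER, the analytic privilege name GRC_RA_CLIENT_100, the user GRC_ANALYST, the initial password and client 100 are assumed names; the view and table names are those listed in this section. It also assumes that the query views are configured to check SQL analytic privileges; if the delivered views use classical (XML) analytic privileges, create the equivalent privilege in the SAP HANA studio modeler instead and grant it with the same GRANT STRUCTURED PRIVILEGE statement.

```sql
-- Added example (not SAP-delivered content). Role, privilege, user and client are assumed names.

-- 1. One role carries all grants, so each new analyst needs a single role assignment
--    and never receives SYSTEM privileges.
CREATE ROLE GRC_RA_BUSINESS_USER;

-- 2. SQL privileges: read access to the query views of sap.hba.apps.grcra-reuse.views.
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlCriticalLevelQuery"    TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlRoleActionQuery"       TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlRoleComparisonQuery"   TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlRoleSensitivityQuery"  TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlRoleTypeQuery"         TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlUserRoleRelationQuery" TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/BusRoleMgmtConnGroupQuery"          TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/BusRoleMgmtRoleQuery"               TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/FreqUsedRolesDetailQuery"           TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/FreqUsedRolesQuery"                 TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/OrphanedRolesDetailQuery"           TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/OrphanedRolesQuery"                 TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/UnusedRolesDetailQuery"             TO GRC_RA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/UnusedRolesQuery"                   TO GRC_RA_BUSINESS_USER;

-- Write access is limited to the single table the deprovisioning function needs;
-- nothing else in the SAP_HBA schema is granted.
GRANT SELECT, INSERT, UPDATE
   ON "SAP_HBA"."sap.hba.apps.grcra-reuse.db::GRCANA_DEPROVISION"
   TO GRC_RA_BUSINESS_USER;

-- Objects in _SYS_BIC are owned by _SYS_REPO. If a direct GRANT on an activated view is
-- refused for lack of grant authority, grant it through the repository procedure instead:
-- CALL _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT(
--        'SELECT', '"_SYS_BIC"."sap.hba.apps.grcra-reuse.views/UnusedRolesQuery"', 'GRC_RA_BUSINESS_USER');

-- 3. Row-level restriction: an analytic privilege that exposes only client 100.
--    Without the WHERE clause the privilege would expose the data of all clients.
--    Assumes the views check SQL analytic privileges (see the lead-in).
CREATE STRUCTURED PRIVILEGE GRC_RA_CLIENT_100
   FOR SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/UnusedRolesQuery",
                 "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/UnusedRolesDetailQuery"
   WHERE "SAPClient" = '100';
GRANT STRUCTURED PRIVILEGE GRC_RA_CLIENT_100 TO GRC_RA_BUSINESS_USER;

-- 4. Create the SAP HANA database user for the analyst and assign the role.
CREATE USER GRC_ANALYST PASSWORD "Initial-Pwd-1";
GRANT GRC_RA_BUSINESS_USER TO GRC_ANALYST;

-- 5. Check the result: which objects the user can effectively reach, and which
--    row filter applies to a view for that user (both system views require the
--    USER_NAME filter; EFFECTIVE_STRUCTURED_PRIVILEGES also requires the root object).
SELECT SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTEE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'GRC_ANALYST'
   AND SCHEMA_NAME IN ('_SYS_BIC', 'SAP_HBA')
 ORDER BY SCHEMA_NAME, OBJECT_NAME;

SELECT *
  FROM SYS.EFFECTIVE_STRUCTURED_PRIVILEGES
 WHERE ROOT_SCHEMA_NAME = '_SYS_BIC'
   AND ROOT_OBJECT_NAME = 'sap.hba.apps.grcra-reuse.views/UnusedRolesQuery'
   AND USER_NAME = 'GRC_ANALYST';
```

The check in step 5 is the one worth repeating after every change: the first query must list only the query views and the GRCANA_DEPROVISION table for the analyst (anything else indicates a stray grant, typically inherited from a broader role or from SYSTEM privileges), and the second must show the SAPClient filter rather than an unrestricted privilege. To give a second team access to another client, create a further analytic privilege with its own WHERE clause and a further role; do not widen GRC_RA_CLIENT_100.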

More Information

For more information, see the SAP HANA Security Guide (including SAP HANA Database Security) available on SAP Help Portal at http://help.sap.com/hana_appliance under Security Information.