Users of the SAP Access Control Role Analytics application access the data replicated from the SAP GRC system as SAP HANA database users created in SAP HANA studio. There is no direct relationship between a user in the GRC server and the corresponding SAP HANA user accessing the analytic application, so the GRC authorizations do not carry over. Therefore, it is necessary to configure the authorization-relevant settings described below in SAP HANA studio to restrict access to the replicated data.
Authorization Settings
General Settings
You must ensure that users have the right level of authorization to access data replicated from SAP GRC, and that this data is available in the analytic application. To do so, ensure that the following prerequisites have been met:
To enable access to the SAP Access Control Role Analytics application, an administrator has created users in the SAP HANA studio.
You have installed and activated the virtual data model views for GRC in the SAP HANA studio.
You have configured data replication between the GRC server and the SAP HANA server. For more information, see the Installation Steps - General Information section of this guide, as well as the documentation available on SAP Help Portal at http://help.sap.com/hba.
Settings for Business Users
Grant authorization to users who only need to access the analytic application (business users) as follows:
Create analytic privileges that grant access to the following query views in the package sap.hba.apps.grcra-reuse.views, and assign them to the users:
AccessControlCriticalLevelQuery
AccessControlRoleActionQuery
AccessControlRoleComparisonQuery
AccessControlRoleSensitivityQuery
AccessControlRoleTypeQuery
AccessControlUserRoleRelationQuery
BusRoleMgmtConnGroupQuery
BusRoleMgmtRoleQuery
FreqUsedRolesDetailQuery
FreqUsedRolesQuery
OrphanedRolesDetailQuery
OrphanedRolesQuery
UnusedRolesDetailQuery
UnusedRolesQuery
SAP recommends that you create analytic privileges for the above query views with restrictions on the view attributes according to your business requirements.
Grant the following SQL privileges to the user:
In the Unused Role Analysis of the SAP Access Control Role Analytics application, users can choose to deprovision unused roles. Because deprovisioning writes to the database, you must grant these users the SELECT, INSERT, and UPDATE privileges on the table SAP_HBA.sap.hba.apps.grcra-reuse.db::GRCANA_DEPROVISION.
SELECT privilege on the following query views:
_SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlCriticalLevelQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlRoleActionQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlRoleComparisonQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlRoleSensitivityQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlRoleTypeQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/AccessControlUserRoleRelationQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/BusRoleMgmtConnGroupQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/BusRoleMgmtRoleQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/FreqUsedRolesDetailQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/FreqUsedRolesQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/OrphanedRolesDetailQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/OrphanedRolesQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/UnusedRolesDetailQuery
_SYS_BIC.sap.hba.apps.grcra-reuse.views/UnusedRolesQuery
SAP recommends that you do not grant SYSTEM user permissions to users accessing the SAP Access Control Role Analytics application, as this would give them full access to the data and bypass the view-level restrictions described below.
Defining Restrictions on Views in the SAP HANA Studio
You can restrict access to data for users of the SAP Access Control Role Analytics application as follows:
By defining row-based access restrictions through analytic privileges on the query views, according to your data access control requirements. For example, in the query view UnusedRolesQuery you can restrict the attribute SAPClient in the analytic privilege. This ensures client isolation: the analytic privilege grants access to the data of that particular client only. If you do not restrict the attribute SAPClient in the analytic privilege, the analytic privilege grants access to the data of all clients.
In the analytic privilege, you can restrict the range of attribute values and their combinations that a particular user can see in the application.
SAP recommends that you define the authorizations as SAP HANA roles, which can then be more easily assigned to existing and new users. Such a role can, for example, contain the necessary SQL privileges for accessing the query views and non-query views, and for assigning analytic privileges to the query views and non-query views.
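The following SAP HANA SQL script is an added example that puts the business-user settings and the role recommendation above together; it is not SAP's own script and is not part of the original guide. It assumes a business user named GRCRA_ANALYST, a role named GRCRA_BUSINESS_USER, and an analytic privilege named sap.hba.apps.grcra-reuse.views::UnusedRolesQuery_Client100_AP that has already been modeled and activated in SAP HANA studio with the restriction SAPClient = '100' on the query view UnusedRolesQuery; all three names are assumptions for illustration. The view and table names are those listed above.

```sql
-- Added example (not SAP's own script): bundle the business-user
-- privileges into one SAP HANA role, assign it, and verify the result.
-- Assumed names (not from the original guide): GRCRA_BUSINESS_USER (role),
-- GRCRA_ANALYST (user), and the analytic privilege
-- sap.hba.apps.grcra-reuse.views::UnusedRolesQuery_Client100_AP, which is
-- assumed to be modeled and activated with the filter SAPClient = '100'.

-- 1. A role that bundles all privileges, so that every new business user
--    receives exactly the same access through a single GRANT.
CREATE ROLE GRCRA_BUSINESS_USER;

-- 2. Read-only SQL privileges on the activated query views in _SYS_BIC.
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlCriticalLevelQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlRoleActionQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlRoleComparisonQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlRoleSensitivityQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlRoleTypeQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/AccessControlUserRoleRelationQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/BusRoleMgmtConnGroupQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/BusRoleMgmtRoleQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/FreqUsedRolesDetailQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/FreqUsedRolesQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/OrphanedRolesDetailQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/OrphanedRolesQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/UnusedRolesDetailQuery" TO GRCRA_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grcra-reuse.views/UnusedRolesQuery" TO GRCRA_BUSINESS_USER;

-- 3. Deprovisioning of unused roles writes to this one table, so it is the
--    only object that gets INSERT and UPDATE in addition to SELECT.
GRANT SELECT, INSERT, UPDATE ON "SAP_HBA"."sap.hba.apps.grcra-reuse.db::GRCANA_DEPROVISION" TO GRCRA_BUSINESS_USER;

-- 4. Row-level restriction: the analytic privilege carries the SAPClient
--    filter, so the SELECT privilege from step 2 only returns rows of
--    client 100 from UnusedRolesQuery. (Assumed privilege name.)
GRANT STRUCTURED PRIVILEGE "sap.hba.apps.grcra-reuse.views::UnusedRolesQuery_Client100_AP" TO GRCRA_BUSINESS_USER;

-- 5. Assign the role to the business user. Deliberately no system
--    privileges and no SYSTEM-level grants are part of this role.
GRANT GRCRA_BUSINESS_USER TO GRCRA_ANALYST;

-- 6. Verification: what can the user effectively do?
SELECT object_type, schema_name, object_name, privilege, is_grantable
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE user_name = 'GRCRA_ANALYST'
 ORDER BY object_type, schema_name, object_name, privilege;

-- 7. Verification: any system privilege here means the user could bypass
--    the view-level restrictions; the expected result is an empty set.
SELECT privilege, grantee, grantor
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE user_name = 'GRCRA_ANALYST'
   AND object_type = 'SYSTEMPRIVILEGE';
```

Activated repository content in _SYS_BIC is owned by the _SYS_REPO user, so on systems where the administrator cannot issue the GRANT statements in steps 2 and 4 directly, the same grants are performed through the _SYS_REPO procedures GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT and GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE, or, more maintainably, by defining the role as a repository role (.hdbrole) that the repository grants on activation. Rerun the two verification queries after each change so that a client restriction is never silently widened by an additional grant.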
For more information, see the SAP HANA Security Guide (including SAP HANA Database Security) available on SAP Help Portal at http://help.sap.com/hana_appliance.