Technology Blogs by SAP
pavlomelnyk
Product and Topic Expert
Introduction:

Database security is a top priority for organizations, ensuring the protection of sensitive information and maintaining regulatory compliance. In the realm of SAP HANA On-Premise Database, a robust security strategy is vital to safeguard data during system refresh scenarios.

One critical aspect of refreshing a quality system with new data from the production system is handling the quality system's existing users effectively, so that they keep their authorizations while new or delta data from the production system is incorporated.

Basis recommendations for User Handling in SAP HANA Database:

Here are some recommendations to streamline the user handling process during system refresh:

  1. Leverage Backup and Restore: In this scenario, it is advisable to use a backup of the original system and restore it to the target system. This provides a reliable starting point for the system refresh.

  2. Purge and Re-add Users and Roles: Once the restore is complete, remove the users and roles coming from the original system as necessary. Of course, technical users that own the objects in the database must remain. This step ensures a clean slate for importing the original users and roles.


Ideally, the best way to handle this scenario is to have an Identity Management (IDM) system in place. If your organization does not use an IDM system, consider the steps described in the following section to make manual user handling as simple as possible.

Specific Considerations for User Handling in SAP HANA Database:

User handling is a vital aspect of database security. SAP HANA offers several features and functionalities that facilitate the efficient management of users and their roles within the system.

During a system copy, where a copy of the original system is created for refreshing purposes, handling users requires specific considerations to ensure a smooth transition. Here are some best practices to consider:

  • Avoid Password Authentication:

    • Why to avoid: passwords cannot be exported, for security reasons. To simplify user export and import, consider leveraging Single Sign-On (SSO) options such as SAML, JWT, LDAP, X.509, or Kerberos.

    • By using SSO, you can focus on restoring the respective provider configuration and trust, allowing for smoother user handling via scripts.



  • Utilize HDI and Repository Roles: In the target system, ensure that you only grant HDI (HANA Deployment Infrastructure) and repository roles. By redeploying HDI containers and repository content, you can preserve the necessary content and obtain the required roles in your target system during the system refresh.

  • Grant Roles via HDI Procedures:

    • For HDI roles, it is recommended to grant them through HDI procedures rather than directly. Similarly, for repository roles, you must use repository procedures.

    • This approach facilitates automation by enabling easy collection of role assignments before recovering the new backup. After the recovery, a single user with the privilege to grant all HDI and repository roles can restore the role assignments.



  • Simplify SQL Roles:

    • When working with plain SQL roles, avoid complex grant chains through multiple users. Instead, grant these roles to a single technical user.

    • This simplifies the automation process, allowing you to mimic the HDI/repository procedure before and after the recovery.
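
The collect-then-regrant automation described in the last two points, as an added example that is not part of the original post or SAP's own tooling: a Python script that turns a snapshot of role assignments taken from the quality system before the recovery into the statements to replay afterwards. The sample rows, the ROLE_ADMIN user name and the rules used to tell repository, HDI and SQL roles apart (grantor _SYS_REPO, grantor equal to the container's #OO user, grantor equal to the single technical user) are assumptions to adapt to your landscape.

```python
# Added example: rebuild role grants from a pre-refresh snapshot of the target system.
# Rows mimic SYS.GRANTED_ROLES: (GRANTEE, ROLE_SCHEMA_NAME, ROLE_NAME, GRANTOR).
SNAPSHOT = [  # constructed sample data, not taken from a real system
    ("QA_TESTER1", None, "sap.qa.roles::Viewer", "_SYS_REPO"),
    ("QA_TESTER1", "SALES_HDI", "sales.roles::Reader", "SALES_HDI#OO"),
    ("QA_TESTER2", None, "QA_SUPPORT", "ROLE_ADMIN"),
    ("QA_TESTER2", None, "LEGACY_ROLE", "JDOE"),
    ("_SYS_REPO", None, "CONTENT_ADMIN", "SYS"),
]
ROLE_ADMIN = "ROLE_ADMIN"  # hypothetical single technical user that grants all SQL roles

def ident(name):
    """Quote a SQL identifier, doubling embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'

def lit(value):
    """Quote a SQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"

def is_technical(user):
    """Technical users arrive with the backup and are not re-granted (assumed naming)."""
    return user in ("SYS", "SYSTEM") or user.startswith("_SYS_")

def regrant_statements(rows):
    """Return (statements to replay after recovery, grants needing manual review)."""
    stmts, skipped = [], []
    for grantee, schema, role, grantor in rows:
        if is_technical(grantee):
            continue
        if grantor == "_SYS_REPO":  # assumption: repository role
            stmts.append(f"CALL _SYS_REPO.GRANT_ACTIVATED_ROLE({lit(role)}, {lit(grantee)});")
        elif schema and grantor == schema + "#OO":  # assumption: HDI container role
            role_row = f"({lit(role)}, '', {lit(grantee)})"
            stmts += [
                "CREATE LOCAL TEMPORARY COLUMN TABLE #ROLES LIKE _SYS_DI.TT_SCHEMA_ROLES;",
                f"INSERT INTO #ROLES (ROLE_NAME, PRINCIPAL_SCHEMA_NAME, PRINCIPAL_NAME) VALUES {role_row};",
                f"CALL {ident(schema + '#DI')}.GRANT_CONTAINER_SCHEMA_ROLES(#ROLES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);",
                "DROP TABLE #ROLES;",
            ]
        elif grantor == ROLE_ADMIN:  # plain SQL role; run this statement as ROLE_ADMIN
            stmts.append(f"GRANT {ident(role)} TO {ident(grantee)};")
        else:  # grant chain through another user: cannot be replayed by one account
            skipped.append((grantee, role, grantor))
    return stmts, skipped

if __name__ == "__main__":
    statements, review = regrant_statements(SNAPSHOT)
    print("\n".join(statements))
    for grantee, role, grantor in review:
        print(f"-- manual review: {role} granted to {grantee} by {grantor}")
```

Grants that reach a user through any other grantor end up in the review list instead of being replayed, which makes the grant chains the post advises against visible before the refresh.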




Conclusion:

Effective user handling during a system refresh in the SAP HANA database is crucial for maintaining database security and ensuring a smooth transition. By following best practices for your user setup, organizations can streamline the process and minimize disruptions.

SAP HANA's robust security features, combined with proper user handling practices, empower organizations to protect their data while achieving efficient system copies.