SAP HANA Security Guide - Trigger-Based Replication

SAP In-Memory Appliance (SAP HANA) 1.0

Target Audience
  Consultants
  Administrators
  SAP Hardware Partner
  Others

Public
Document version 1.0 – 06/27/2011


Copyright

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP HANA Security Guide – Trigger-Based Replication June 2011

SAP In-Memory Appliance (SAP HANA) 2

Icons in Body Text

Icon     Meaning
(icon)   Caution
(icon)   Example
(icon)   Note
(icon)   Recommendation
(icon)   Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

Type Style       Description

Example text     Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
                 Cross-references to other documentation.

Example text     Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT     Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text     Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text     Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>   Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT     Keys on the keyboard, for example, F2 or ENTER.


User Administration and Authentication ............ 6
Authorizations .................................... 7
Network and Communication Security ................ 8
    Network Security .............................. 8
    Communication Destinations .................... 8
Configuration ..................................... 8
    Configuration ................................. 8


Technical System Landscape

The Trigger-Based Replication system transfers database activity from source system databases to replicate databases. The source system is typically an SAP ERP or CRM system, and the replicate database is the SAP HANA In-Memory Database.

The figures below show the two possible technical system landscapes for the Trigger-Based Data Replication Using SAP LT (Landscape Transformation) Replicator.

Option 1 - Separate SLT system

With this option the SLT component is installed in its own SAP system; consequently, two network communication channels are in use from this system: an RFC connection to the source system and a second connection to the SAP HANA system.

Option 2 - SLT installation in Source system

With this option the SLT system component is installed in the source system, which means that only one external network communication channel is required, the one to the SAP HANA system.

An overview of the system landscape components is provided below.


Source system
The source system tracks database changes via database triggers and copies the relevant changes into the logging tables.

SLT component
The SLT system polls the logging tables in the source system via an RFC connection on a scheduled basis. If there is replication data to be transferred to the SAP HANA system, it is transferred via the DB connection.

SAP HANA system
The SAP HANA system contains the SAP In-Memory Database, which is used to store the replicated data. The connection between the SLT component and the SAP HANA system is provided by the DB connection.

Topic: Trigger-based Replication
  Guide/Tool: Installation Guide
  Quick Link to the SAP Service Marketplace: SAP HANA 1.0 Installation Guide – Trigger Based Replication

SAP HANA Guides

For more information about SAP HANA landscape, security, installation and administration, see the resources listed below.

Topic: SAP HANA Landscape, Deployment & Installation
  Guide/Tool: SAP HANA 1.0 Master Guide; SAP HANA 1.0 Installation Guide
  Quick Link: SAP HANA Knowledge Center on SAP Service Marketplace, https://service.sap.com/hana

Topic: SAP HANA Administration & Security
  Guide/Tool: SAP HANA 1.0 Technical Operations Manual; SAP HANA 1.0 Security Guide
  Quick Link: SAP HANA Knowledge Center on SAP Help Portal, http://help.sap.com/hana


User Administration and Authentication

The SAP LT Replicator uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide [SAP Library] → Application Server ABAP Security Guide also apply to the SAP LT Replicator.

This section provides information about user management, administration and authentication that specifically applies to the SAP LT Replicator in addition to the standard procedures.

Accessing the source systems by remote function call (RFC) requires a communication user. As a communication user, access to the source system is exclusively by RFC, without the ability to execute steps in dialog mode directly in a system. For more information about this user type, see the section User Types in the SAP Web AS ABAP Security Guide.

The following security measures apply with regard to user management for SAP LTReplicator:

Irrespective of all security measures, the users who have access to the SLT system will have (indirect) access to the production data in the source system and may be able to see information stored there. Consequently, we recommend that you limit the number of users in the SLT system to a minimum to prevent unauthorized access to production data.


Authorizations

The SAP LT Replicator uses the authorization concept provided by the SAP NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to the SAP LT Replicator.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine's user administration console on the AS Java.

For more information about how to create roles, see Role Administration (SAP Library).

Specific authorizations apply for each system. Authorizations for the source system(s) and the SLT system are available in user profiles to control the actions that a user is authorized to perform.

Amongst many other existing SAP NetWeaver based authorization objects, the following authorization objects are specifically important for the use of the SAP LT Replicator:

S_DMIS
Description: Authority object for SAP SLO Data migration

Authorization fields
Field name    Heading
MBT_PR_ARE    MBT PCL: Scenario
MBT_PR_LEV    MBT PCL: Processing Role Level
ACTVT         Activity

S_DMC_S_R
Description: MWB: Reading / writing authorization in sender / receiver

Authorization fields
Field name    Heading
ACTVT         Activity

User Roles

With the SAP LT Replicator, the composite role SAP_IUUC_USER is available, which includes the following roles:

  SAP_IUUC_REMOTE
  SAP_DMIS_USER
  SAP_SLOP_USER
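A least-privilege review aid for the two authorization objects and the composite role described above, added here as an example; it is not code from the SAP guide. It walks an export of role authorization values in the shape of SAP's AGR_1251 table (role, object, field, low value, high value), flags S_DMIS and S_DMC_S_R entries that grant a wildcard or an open range, and compares the single roles found in a composite role with the three the guide lists for SAP_IUUC_USER. The role names Z_SLT_OPERATOR and Z_SLT_VIEWER, the column layout and every field value in the sample are constructed for this example.

```python
"""Least-privilege review of the SLT authorization objects S_DMIS and S_DMC_S_R.

Added example, not code from the SAP guide. Input is an export of role
authorization values in the shape of SAP's AGR_1251 table (role, object,
field, low value, high value); the sample rows below are constructed.
"""
import csv
import io

# Authorization objects the guide singles out, with their fields.
SLT_AUTH_OBJECTS = {
    "S_DMIS": ("MBT_PR_ARE", "MBT_PR_LEV", "ACTVT"),
    "S_DMC_S_R": ("ACTVT",),
}

# Single roles the guide lists as members of the composite role SAP_IUUC_USER.
SAP_IUUC_USER_MEMBERS = {"SAP_IUUC_REMOTE", "SAP_DMIS_USER", "SAP_SLOP_USER"}

# Constructed sample export (semicolon separated, AGR_1251-style columns).
# Role names and field values are invented for this example.
SAMPLE_EXPORT = """\
AGR_NAME;OBJECT;FIELD;LOW;HIGH
Z_SLT_OPERATOR;S_DMIS;MBT_PR_ARE;*;
Z_SLT_OPERATOR;S_DMIS;MBT_PR_LEV;*;
Z_SLT_OPERATOR;S_DMIS;ACTVT;*;
Z_SLT_OPERATOR;S_DMC_S_R;ACTVT;03;
Z_SLT_VIEWER;S_DMIS;MBT_PR_ARE;ZSCN;
Z_SLT_VIEWER;S_DMIS;MBT_PR_LEV;01;
Z_SLT_VIEWER;S_DMIS;ACTVT;03;
Z_SLT_VIEWER;S_DMC_S_R;ACTVT;01;09
Z_SLT_VIEWER;S_TCODE;TCD;ZSLT;
"""


def parse_export(text):
    """Parse the semicolon-separated export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def review_authorizations(rows):
    """Flag S_DMIS / S_DMC_S_R values that are wildcards or open ranges.

    Returns a list of (role, object, field, value, reason) tuples; an empty
    list means every relevant field is restricted to single values.
    """
    findings = []
    for row in rows:
        obj = row["OBJECT"]
        if row["FIELD"] not in SLT_AUTH_OBJECTS.get(obj, ()):
            continue  # not one of the objects/fields the guide names
        low = (row["LOW"] or "").strip()
        high = (row["HIGH"] or "").strip()
        if low == "*" or low.endswith("*"):
            findings.append((row["AGR_NAME"], obj, row["FIELD"], low, "wildcard"))
        elif high:
            findings.append((row["AGR_NAME"], obj, row["FIELD"], f"{low}-{high}", "range"))
    return findings


def check_composite_role(member_roles):
    """Compare the single roles found in SAP_IUUC_USER with the documented three.

    member_roles: set of role names read from the system (here constructed).
    Returns the documented roles that are missing and any roles added on top.
    """
    return {
        "missing": sorted(SAP_IUUC_USER_MEMBERS - set(member_roles)),
        "extra": sorted(set(member_roles) - SAP_IUUC_USER_MEMBERS),
    }


if __name__ == "__main__":
    for finding in review_authorizations(parse_export(SAMPLE_EXPORT)):
        print("%-16s %-10s %-11s %-6s %s" % finding)
    print(check_composite_role({"SAP_IUUC_REMOTE", "SAP_DMIS_USER", "Z_EXTRA"}))
```

A wildcard in these fields is not a defect by itself, but every flagged row is one the SLT administrator should be able to justify, since, as the guide notes, anyone with access to the SLT system indirectly reaches production data in the source system.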


Network Security

Access to source systems using the SAP LT Replicator takes place exclusively through RFC connections. For more information about security issues in connection with RFC, see the relevant sections in the SAP Library on SAP Help Portal.

Communication Destinations

The SAP LT Replicator does not come with fixed destinations or user names. The following destinations need to be created:

Source System(s)
Users in RFC destinations need to be of type Communication / CPIC, and require authorizations specified by one of the following composite roles:

o SAP_LT_RFC_USER

o SAP_LT_RFC_USER_700

o SAP_IUUC_USER or SAP_IUUC_REMOTE
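The two conditions just stated for the RFC destination user, the Communication / CPIC user type and one of the four listed roles, as a check over sample data; this is an added example, not code from the SAP guide. The destination and user records are constructed in the shape of exports from RFCDES and USR02/AGR_USERS, the type codes follow SAP's USR02-USTYP convention (A dialog, B system, C communication, S service, L reference), and the hostnames, user names and the role Z_BASIS_ONLY are invented.

```python
"""Check the logon users of SLT RFC destinations against the guide's rules.

Added example, not code from the SAP guide. The guide requires the user in
each RFC destination to a source system to be of type Communication (CPIC)
and to hold one of four listed roles. The destination and user data below
are constructed (RFCDES- and USR02/AGR_USERS-style); hostnames, user names
and the role Z_BASIS_ONLY are invented.
"""

# SAP user type codes (USR02-USTYP); the guide requires Communication.
USER_TYPE_NAMES = {"A": "Dialog", "B": "System", "C": "Communication",
                   "S": "Service", "L": "Reference"}
REQUIRED_USER_TYPE = "C"

# Roles the guide accepts for the RFC user in a source system.
ALLOWED_ROLES = {"SAP_LT_RFC_USER", "SAP_LT_RFC_USER_700",
                 "SAP_IUUC_USER", "SAP_IUUC_REMOTE"}

# Constructed sample: destination name -> (target host, logon user).
DESTINATIONS = {
    "ERP_SRC_RFC": ("erpprd.example.internal", "SLT_RFC_ERP"),
    "CRM_SRC_RFC": ("crmprd.example.internal", "ADMIN_JOE"),
    "ERP_QAS_RFC": ("erpqas.example.internal", "SLT_RFC_QAS"),
}

# Constructed sample: user -> (user type code, roles assigned).
USERS = {
    "SLT_RFC_ERP": ("C", {"SAP_LT_RFC_USER"}),
    "ADMIN_JOE":   ("A", {"SAP_IUUC_USER", "Z_BASIS_ONLY"}),  # dialog user
    "SLT_RFC_QAS": ("C", {"Z_BASIS_ONLY"}),                   # wrong roles
}


def check_destination(name, destinations=DESTINATIONS, users=USERS):
    """Return the findings for one destination; an empty list means compliant."""
    findings = []
    _target, user = destinations[name]
    if user not in users:
        return [f"{name}: logon user {user} not found in user master data"]
    utype, roles = users[user]
    if utype != REQUIRED_USER_TYPE:
        # A dialog user stored in a destination can also log on interactively,
        # which the guide's communication-user requirement rules out.
        findings.append(f"{name}: user {user} is of type "
                        f"{USER_TYPE_NAMES.get(utype, utype)}, expected Communication")
    if not roles & ALLOWED_ROLES:
        findings.append(f"{name}: user {user} holds none of "
                        f"{sorted(ALLOWED_ROLES)}")
    return findings


def audit_destinations(destinations=DESTINATIONS, users=USERS):
    """Audit every destination; returns {destination: [findings]}."""
    return {name: check_destination(name, destinations, users)
            for name in destinations}


if __name__ == "__main__":
    for dest, findings in audit_destinations().items():
        print(f"{dest}: {'OK' if not findings else 'CHECK'}")
        for finding in findings:
            print("  -", finding)
```

In the sample, only ERP_SRC_RFC passes: CRM_SRC_RFC is backed by a dialog user, which the guide excludes because such a user can also work interactively in the source system, and ERP_QAS_RFC uses a communication user that holds none of the accepted roles.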

Configuration

Configuration settings as defined in LT-based replication schemas are stored in SAP LT Replicator control tables on the SLT system.

In the source system(s), no specific initial configuration data is created; however, with the initialization of the data replication, DB triggers and logging tables are created.

For logging tables, it is possible to create a separate tablespace within the database for monitoring the size of the logging tables.

No specific configuration settings are required on the SAP HANA system.