2015-09-24 SAP Operational Process Intelligence Security Guide
Content

1 Introduction .... 3
2 Before You Start .... 5
3 Architectural Overview .... 7
4 Authorizations and Roles .... 8
4.1 Assigning Roles to SAP Operational Process Intelligence Users .... 13
5 User Mapping .... 15
6 Personal Data .... 17
7 Network and Communication Security .... 18

2015 SAP SE or an SAP affiliate company. All rights reserved.
1 Introduction

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

SAP Operational Process Intelligence powered by SAP HANA is inextricably bound to and integrated with the SAP HANA database. SAP HANA security concepts therefore apply widely to SAP Operational Process Intelligence as well, and almost all sections of this guide link directly to the respective sections of the SAP HANA Security Guide.

Target Audience
- Technology consultants
- System administrators
- IT experts

This document is not part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software lifecycle, whereas the security guides provide information that is relevant for all lifecycle phases.

Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on security also increase. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands apply likewise to SAP Operational Process Intelligence. We provide this security guide to assist you in securing it.

About This Document
This guide provides an overview of the security-relevant information that applies to SAP Operational Process Intelligence powered by SAP HANA. It comprises the following sections:
- Before You Start [page 5]: references to the most important SAP Notes that apply to the security of SAP Operational Process Intelligence powered by SAP HANA, and further helpful resources.
- Architectural Overview [page 7]: a graphic that gives an overview of the architecture of SAP Operational Process Intelligence.
- Authorizations and Roles [page 8]: information about granting SAP HANA authorizations and, more importantly, about SAP Operational Process Intelligence-specific authorizations such as SQL and analytic privileges for scenario-generated SAP HANA artifacts.
- User Mapping [page 15]: information about the authorizations that users require to access the SAP Operational Process Intelligence environment (that is, space.me), and how to customize and manage user authorizations. The section also gives an overview of SAP Operational Process Intelligence roles and their descriptions.
- Personal Data [page 17]: information about protecting security-sensitive personal data.
- Network and Communication Security [page 18]: information about the SAP Operational Process Intelligence communication channels and their security aspects.
2 Before You Start

For more information about SAP Operational Process Intelligence and the SAP HANA landscape, administration, and security, see the following resources:

Topic: SAP HANA-relevant documentation, Master Guide, Security Guide
Guide/Tool: SAP HANA Appliance Software Knowledge Center on the SAP Help Portal
Important guides: SAP HANA Master Guide; SAP HANA Security Guide; SAP HANA Security Guide - Trigger-Based Data Replication; SAP BusinessObjects Data Replication

Topic: SAP Operational Process Intelligence installation, upgrade, and configuration
Guide/Tool: SAP Operational Process Intelligence Installation and Upgrade Guide

Guide/Tool: SAP Gateway Security Guide
Link: https://help.sap.com/nwgateway20

Important SAP Notes
The most important SAP Notes relating to SAP Operational Process Intelligence and SAP HANA database security are listed below:

Table 1: Important SAP Notes
- SAP Note 1761917: Missing permissions in SAP HANA
- SAP Note 1612696: User authorizations for analytic objects in SAP HANA

Additional Information
For more information about specific topics, see the quick links below:

Table 2: Quick links on SAP Service Marketplace or SCN
- Security: http://scn.sap.com/community/security
- Security Guides: https://service.sap.com/securityguide
- Related SAP Notes: https://support.sap.com/notes and http://support.sap.com/securitynotes
- Released Platforms: https://support.sap.com/release-upgrade-maintenance/pam.html
- SAP Solution Manager: https://support.sap.com/solutionmanager
- SAP NetWeaver: http://sdn.sap.com/irj/sdn/netweaver
- In-Memory Computing: http://www.sdn.sap.com/irj/sdn/in-memory
3 Architectural Overview

This graphic gives you an overview of the architecture of SAP Operational Process Intelligence:
[Architecture graphic: not reproduced in this text version]
4 Authorizations and Roles

Authorizations and roles define the objects that users can access and the actions they can perform. In SAP Operational Process Intelligence, several roles need to be assigned to users so that they can perform operations, for example on business scenarios, tasks, workflows, and rules. The following sections describe the typical user assignments and the technical role assignments that each activity needs.

Operator or line-of-business user (with full access)
The operator is responsible for ensuring the smooth running of the business process and takes the necessary action to resolve bottlenecks and move the process forward.

Table 3: Required Roles
- sap.opi.pv.roles::opintuser: Allows the user to access space.me.
  Note: sap.opi.pv.roles::opintuser provides SELECT access to the _SYS_BIC schema, which contains the runtime objects of all activated views. If you want to grant access only to the required views, assign object privileges to the views that are part of the generated role <package_name>.gen_<scenario_name>::<scenario_name>_operator instead.
- <package_name>.gen_<scenario_name>::<scenario_name>_operator: Allows the user to access specific scenarios and all relevant data in space.me.
- <package_name>.<technical_name>.v1.security::start: Allows the user to process workflows of the specific workflow template.
- sap.bc.hwf.security::hwfenduser: Allows the user to complete workflow tasks.
- sap.bc.pv.roles::opintadminviewer: Required if the operator is a power user who needs to inspect the administration status.

Note: The user also requires an analytic privilege that grants access to the source of the SAP HANA-based measure.
Operator or line-of-business user (with restricted access)
The operator is responsible for ensuring the smooth running of the business process and takes the necessary action to resolve bottlenecks and move the process forward.

Table 4: Required Roles
- sap.opi.pv.roles::opintuser: Allows the user to access space.me.
  Note: sap.opi.pv.roles::opintuser provides SELECT access to the _SYS_BIC schema, which contains the runtime objects of all activated views. If you want to grant access only to the required views, assign object privileges to the views that are part of the generated role <package_name>.gen_<scenario_name>::<custom_role_name>_operator instead.
- <package_name>.gen_<scenario_name>::<custom_role_name>_operator: Allows the user to access specific scenarios and the restricted data in space.me.
- sap.bc.hwf.security::hwfenduser: Allows the user to complete workflow tasks.
- sap.bc.pv.roles::opintadminviewer: Required if the operator is a power user who needs to inspect the administration status.

Note: The user also requires an analytic privilege that grants access to the source of the SAP HANA-based measure.

Requestor

Table 5: Required Roles
- sap.opi.pv.roles::opintuser: Allows the user to access space.me.
  Note: sap.opi.pv.roles::opintuser provides SELECT access to the _SYS_BIC schema, which contains the runtime objects of all activated views. If you want to grant access only to the required views, assign object privileges to the views that are part of the generated role <package_name>.gen_<scenario_name>::<scenario_name>_requestor instead.
- <package_name>.gen_<scenario_name>::<scenario_name>_requestor: Allows the user to access specific scenarios in space.me as a requestor.
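The note repeated in Tables 3 to 5 is the main least-privilege decision for end users: sap.opi.pv.roles::opintuser carries SELECT on the whole _SYS_BIC schema, so a user holding it can read every activated view in the system, not only the views of the scenarios assigned to them. The SAP HANA SQL below is an added illustration, not product code or the content of any delivered role. It builds a catalog role that holds SELECT on two named views only, grants it to an operator, and then uses the SYS.EFFECTIVE_PRIVILEGES system view to check whether a schema-wide SELECT on _SYS_BIC still reaches that user through some other role. The view names "acme.opint.gen_orders/ORDERS_FLOW" and "acme.opint.gen_orders/ORDERS_KPI", the role OPINT_ORDERS_VIEWS and the user OP_USER are assumptions; take the real view names from the generated *_operator role of your scenario.

```sql
-- Added illustration (not product code). Assumed names:
--   OP_USER            : the operator's SAP HANA user
--   OPINT_ORDERS_VIEWS : custom catalog role replacing the schema-wide grant
--   "_SYS_BIC"."acme.opint.gen_orders/ORDERS_FLOW", .../ORDERS_KPI :
--                        activated views of one scenario (assumed names)

-- 1. A catalog role that carries only the views this operator needs.
CREATE ROLE OPINT_ORDERS_VIEWS;

-- Activated content in _SYS_BIC is owned by the technical user _SYS_REPO, so an
-- administrator cannot GRANT on it directly; the repository procedure grants on
-- _SYS_REPO's behalf (arguments: privilege, fully qualified object, grantee).
CALL "_SYS_REPO"."GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT"(
  'SELECT', '"_SYS_BIC"."acme.opint.gen_orders/ORDERS_FLOW"', 'OPINT_ORDERS_VIEWS');
CALL "_SYS_REPO"."GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT"(
  'SELECT', '"_SYS_BIC"."acme.opint.gen_orders/ORDERS_KPI"',  'OPINT_ORDERS_VIEWS');

GRANT OPINT_ORDERS_VIEWS TO OP_USER;

-- 2. Check: does OP_USER still receive SELECT on the whole _SYS_BIC schema,
--    directly or through any role? Zero rows is the intended result. If a row
--    comes back, the GRANTEE column names the role that still carries the
--    schema-wide privilege (for example the delivered opintuser role).
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'OP_USER'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND PRIVILEGE   = 'SELECT';

-- 3. Check: the individual _SYS_BIC views the user can actually read, and the
--    role each privilege arrives through. Compare this list with the views of
--    the scenarios the operator is supposed to see.
SELECT OBJECT_NAME, GRANTEE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'OP_USER'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND OBJECT_TYPE = 'VIEW'
   AND PRIVILEGE   = 'SELECT'
 ORDER BY OBJECT_NAME;
```

Run the two checks as a user with the CATALOG READ system privilege, otherwise SYS.EFFECTIVE_PRIVILEGES only shows your own privileges. Because the schema-wide SELECT is part of the delivered opintuser role, restricting a user to named views means replacing that role with a customized copy that omits the _SYS_BIC schema privilege; granting the view-level role in addition to the unchanged opintuser role changes nothing, which is exactly what check 2 will tell you.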
Solution Expert

Table 6: Required Roles
- sap.opi.pv.roles::opintdeveloper: Access for modeling business scenarios.
- MODELING: Access for working with SAP HANA studio, creating packages, calculation views, attribute views and other SAP HANA artifacts. This role is required by SAP Operational Process Intelligence to create or generate a business scenario. Note that the MODELING role grants privileges on the root package and also grants the _SYS_BI_CP_ALL analytic privilege, which is more than the solution expert needs.
  Tip: Instead of granting MODELING, we recommend creating a custom role that carries only the package privileges the solution expert needs. The basic privileges to provide are:
  Package privileges:
  - Packages sap.opi and sap.bc.taskmgt: REPO.READ
  - Package rights for imported objects: REPO.EDIT_IMPORTED_OBJECTS, REPO.ACTIVATE_IMPORTED_OBJECTS, and REPO.MAINTAIN_IMPORTED_PACKAGES
  - Package where you want to create objects: REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS, and REPO.MAINTAIN_NATIVE_PACKAGES
  Object privileges:
  - _SYS_BI with SELECT
  System privileges:
  - CREATE SCENARIO
  - CREATE STRUCTURED PRIVILEGE
  - STRUCTUREDPRIVILEGE ADMIN (optional; only if the solution expert is to grant access to the business scenario)
  Analytic privileges (optional):
  - _SYS_BI_CP_ALL, if the solution expert needs to view data and test the calculation views
- Grant select, execute, trigger for schema <schema_name> to <user_name or role_name>: Grants SELECT, EXECUTE, and TRIGGER authorizations for the schema where the source of your event/process context and operational data exists. This is needed to access data from source systems and to generate your business scenario successfully.
  Note: The system creates insert and update triggers on the tables used as operational data stores (ODS) to monitor state changes of the table columns. For ODS scenarios, the solution expert therefore needs the TRIGGER authorization.
- sap.hrf.role.model::hrfruleconsumer: Permits assigned users to run determination services based on the rules and rule services created in the system. To enable a user based on this role, you must also grant the user privileges on the application schema. Determination services can be consumed in one of the following ways: REST API rule service execution; simulation rule service execution; ODBC consumption, by running the service procedure directly.
- sap.bc.hwf.security::hwfdeveloper: Allows the user to model and generate workflows.

Administrator

Table 7: Required Roles
- sap.bc.hwf.security::hwfsuperadmin: Grants read access to workflow instances and workflow templates without restriction to specific workflow templates. Allows the user to set workflow templates to active or inactive if developer mode is disabled, and to enable and disable developer mode.
- sap.opi.pv.roles::opintadmin: Includes the authorizations necessary to administer basic SAP Operational Process Intelligence capabilities, including job scheduling and SMTP configuration.
HANA Workflow Administrator with Restricted Access

Table 8: Required Roles
- sap.bc.hwf.security::hwfadmin: Allows the user to set workflows to active or inactive if developer mode is disabled.
- <package_name>.<technical_name>.v1.security::read (generated role): Grants read access to workflow instances, workflow templates, and the workflow context, restricted to the specific workflow template.

HANA Workflow Administrator with Full Access

Table 9: Required Roles
- sap.bc.hwf.security::hwfsuperadmin: Grants read access to workflow instances and workflow templates without restriction to specific workflow templates. Allows the user to set workflow templates to active or inactive if developer mode is disabled, and to enable and disable developer mode.
- <package_name>.<technical_name>.v1.security::read (generated role): Grants read access to workflow instances, workflow templates, and the workflow context, restricted to the specific workflow template.

Technical User _SYS_REPO
_SYS_REPO is a technical database user and does not correspond to a real person.

Table 10: Required Roles
- Grant select for schema <schema_name> to _SYS_REPO WITH GRANT OPTION: Grants SELECT and CREATE ANY authorizations for the schema (used by SAP Operational Process Intelligence) where the source of your event/process context and operational data exists. This is needed to access data from source systems and to generate your business scenario successfully.
  Note: <schema_name> is a source system schema.

Service User

Table 11: Required Roles
- sap.opi.pv.roles::opintservice: Allows the user to schedule jobs for correlation and notifications in SAP Operational Process Intelligence.
- <package_name>.<technical_name>.v1.security::job: Allows the user to schedule XS jobs that process the started instances of the specific workflow template. This role is required to configure the generated XS job and must be entered as a parameter during the configuration of that job.
- sap.bc.taskmgt.roles::taskmgt_service_connection: Allows the user to execute tasks.
- Grant select, execute for schema <schema_name> to <user_name or role_name>: Grants SELECT and EXECUTE authorizations for the schema where the source of your event/process context and operational data exists. This is needed to access data from source systems and to execute correlation and notification jobs.

4.1 Assigning Roles to SAP Operational Process Intelligence Users

Follow these steps to assign the necessary roles to the SAP Operational Process Intelligence users.

Prerequisites
Users are created. For more information on creating users, see the Managing SAP HANA Users section in the SAP HANA Administration Guide.
Procedure
1. In the SAP HANA Systems view, select the required system.
2. Under the system, choose Security/Users.
3. Select the user ID to which you want to assign a role.
4. From the context menu of the selected user ID, choose Open.
5. On the Granted Roles tab, choose the + icon.
6. Select the required role.
7. Choose OK.
8. Repeat steps 5 through 7 to add more roles.

Note: For service users and users running background jobs, the password expires according to the configured password lifetime. When this happens, the jobs fail. To avoid this, disable the password lifetime for such users with the command ALTER USER <user_name> DISABLE PASSWORD LIFETIME. Apply this only to technical users: a user whose password never expires should hold no more privileges than its jobs need, and should not be used for interactive logon.
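The grants for the technical user _SYS_REPO (Table 10) and for a service user (Table 11), together with the password-lifetime setting from the Note above, as SAP HANA SQL. This is an added illustration, not product code. The source schema "SRC_ERP", the service user OPINT_SVC and the generated job role acme.opint.orders.v1.security::job are assumptions; the user itself is assumed to exist already, as the prerequisites require.

```sql
-- Added illustration (not product code). Assumed names:
--   "SRC_ERP"  : source schema (event log, process context, ODS tables)
--   OPINT_SVC  : existing service user that runs correlation, notification and XS jobs
--   acme.opint.orders.v1.security::job : generated job role of one workflow template

-- Table 10: _SYS_REPO must read the source schema and be able to pass that
-- privilege on to the activated views it owns, hence WITH GRANT OPTION.
GRANT SELECT ON SCHEMA "SRC_ERP" TO _SYS_REPO WITH GRANT OPTION;

-- Table 11: repository (design-time) roles are owned by _SYS_REPO and cannot be
-- assigned with GRANT; the repository procedure grants them on its behalf.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('sap.opi.pv.roles::opintservice', 'OPINT_SVC');
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('sap.bc.taskmgt.roles::taskmgt_service_connection', 'OPINT_SVC');
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('acme.opint.orders.v1.security::job', 'OPINT_SVC');

-- Table 11: the service user reads and executes in the source schema only.
-- Unlike the solution expert it needs no TRIGGER privilege, so do not copy the
-- solution expert's grant here.
GRANT SELECT, EXECUTE ON SCHEMA "SRC_ERP" TO OPINT_SVC;

-- Note in 4.1: an expiring password stops the scheduled jobs.
ALTER USER OPINT_SVC DISABLE PASSWORD LIFETIME;

-- Check 1: the three roles arrived, granted by _SYS_REPO.
SELECT ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'OPINT_SVC'
 ORDER BY ROLE_NAME;

-- Check 2: list every user whose password lifetime check is off. Only technical
-- users such as OPINT_SVC and job users should appear; a person's account in
-- this list is a finding.
SELECT USER_NAME, IS_PASSWORD_LIFETIME_CHECK_ENABLED, VALID_UNTIL, LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS
 WHERE IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
 ORDER BY USER_NAME;
```

Check 2 is worth scheduling as a recurring review: DISABLE PASSWORD LIFETIME is the kind of setting that is applied during a go-live incident and then forgotten, and SYS.USERS records the flag for every user, so the query turns the Note's advice into something you can audit.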
5 User Mapping

To identify MY REQUESTS in the space.me workspace, SAP Operational Process Intelligence introduces a concept of user mapping that unifies the SAP HANA users and the SCOPE_OBJECT_USER_IDs (from the replicated event log of the provider systems) into SAP Operational Process Intelligence user IDs. The MY REQUESTS view therefore only displays scenarios that were initiated (requested) by the logged-on SAP HANA user. The requester is the SCOPE_OBJECT_USER_ID of the scenario's start event.

The default mapping logic is based on equality of SAP Operational Process Intelligence user IDs: the currently logged-on user is mapped to one (or more) SAP Operational Process Intelligence user IDs in the "_SYS_BIC"."sap.opi.pv/SPVR_CURRENT_USER" scripted calculation view.

SAP Operational Process Intelligence Identity from SAP HANA System
If the SAP HANA user has an external identity, the part before the @ symbol is used as the SAP Operational Process Intelligence identity. For SAP HANA users that were created with passwords (local identity), the SAP HANA user name is used as the SAP Operational Process Intelligence user ID. If SAML authentication is configured for the SAP HANA user with a concrete external identity, that identity is also used as an SAP Operational Process Intelligence user ID. One SAP HANA user can therefore be mapped to several SAP Operational Process Intelligence identities. As the SAP HANA user name is always available, each SAP HANA user is guaranteed to have at least one SAP Operational Process Intelligence user ID.

Process Observer and Business Workflow on SAP Business Suite
The replicated event log from Process Observer and Business Workflow systems contains the Logon ID, which is used as the SAP Operational Process Intelligence user ID.

SAP NetWeaver Business Process Management
The replicated event log contains the UME Unique IDs. The unique name extracted from the UME Unique ID is used as the SAP Operational Process Intelligence identity. For example, for the UME User ID USER.PRIVATE_DATASOURCE.un:Administrator, the unique name is Administrator.

Caution: The default user mapping leads to incorrect results if SAP HANA users and the replicated event log contain equal identities for different end users. In that case one user's MY REQUESTS view shows scenarios requested by another person, so check for such overlaps before relying on the default mapping.

User Mapping Customization
User mapping is implemented in the "_SYS_BIC"."sap.opi.pv/SPVR_CURRENT_USER" scripted calculation view. It returns the SAP Operational Process Intelligence identity of the currently logged-on user as UserID. If the default mapping logic is not suitable, this view can be customized to reflect the user management requirements of the specific landscape. The customized view must preserve the output schema of the original view.

User Management
SAP Operational Process Intelligence reuses the SAP HANA user management concept. For more information, see the SAP HANA Security Guide.
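The default mapping logic described above, written out as SAP HANA SQL, followed by a check for the overlap the Caution warns about. This is an added illustration and not the code of the delivered SPVR_CURRENT_USER view. It assumes that a Kerberos-style external identity (user@REALM) is stored in the EXTERNAL_IDENTITY column of SYS.USERS and that SAML identities are stored in SYS.SAML_USER_MAPPINGS; both are SAP HANA system views, but that the product resolves identities from exactly these columns is the author's assumption, not a statement of the guide.

```sql
-- Added illustration (not the delivered view). Assumptions:
--   SYS.USERS.EXTERNAL_IDENTITY holds the external (Kerberos-style) identity
--   SYS.SAML_USER_MAPPINGS holds the SAML identities of a user
--   SESSION_USER is the logged-on SAP HANA user

-- 1. The identities the logged-on user resolves to under the default logic.
SELECT USER_NAME AS "UserID"                       -- local (password) identity
  FROM SYS.USERS
 WHERE USER_NAME = SESSION_USER
UNION
SELECT SUBSTR_BEFORE(EXTERNAL_IDENTITY, '@')       -- part before '@' of the external identity
  FROM SYS.USERS
 WHERE USER_NAME = SESSION_USER
   AND EXTERNAL_IDENTITY IS NOT NULL
UNION
SELECT EXTERNAL_IDENTITY                           -- SAML identity, used as-is
  FROM SYS.SAML_USER_MAPPINGS
 WHERE USER_NAME = SESSION_USER;

-- 2. What the delivered view returns for the current session. A customized
--    replacement must keep this output column (UserID) for space.me to work.
SELECT "UserID" FROM "_SYS_BIC"."sap.opi.pv/SPVR_CURRENT_USER";

-- 3. Overlap check for the Caution: SAP Operational Process Intelligence
--    identities that more than one SAP HANA user resolves to. Each such pair
--    of users would see each other's requests under MY REQUESTS.
SELECT OPINT_ID, COUNT(DISTINCT HANA_USER) AS USERS_SHARING_IT,
       STRING_AGG(HANA_USER, ', ') AS HANA_USERS
  FROM (
        SELECT USER_NAME AS HANA_USER, USER_NAME AS OPINT_ID
          FROM SYS.USERS
        UNION ALL
        SELECT USER_NAME, SUBSTR_BEFORE(EXTERNAL_IDENTITY, '@')
          FROM SYS.USERS
         WHERE EXTERNAL_IDENTITY IS NOT NULL
        UNION ALL
        SELECT USER_NAME, EXTERNAL_IDENTITY
          FROM SYS.SAML_USER_MAPPINGS
       ) AS IDS
 GROUP BY OPINT_ID
HAVING COUNT(DISTINCT HANA_USER) > 1
 ORDER BY OPINT_ID;
```

Query 3 only covers the SAP HANA side of the overlap; the same identity string can also be shared between a SAP HANA user and a different person's Logon ID or UME unique name in the replicated event log, which you can only detect by comparing against the event log tables of your own landscape. Run the check as a user with CATALOG READ so that SYS.USERS shows all users, and repeat it whenever a new provider system is connected.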
6 Personal Data

By default, the personal data that SAP Operational Process Intelligence replicates and uses from the different provider systems is limited to the User ID and the User Display Name.

Note: Personal data can also be replicated as part of the process context (for example, context data from the process definition of an SAP Business Process Management system).

If you want the replicated event log to be anonymous, you can use a transformation rule in the SAP LT Replication Server that sets both attributes to empty strings. The same approach can be applied to any other replicated table. If you need to remove personal data from data that has already been replicated, you can update the replicated tables directly. As SAP Operational Process Intelligence relies on real-time replication, however, newly replicated data will still contain personal data unless transformation rules are in place in the SAP LT Replication Server.

Caution: If you use transformation rules to delete personal data, the MY REQUESTS view will not be visible in the space.me workspace and the requester data will also not be available, because the user mapping described in section 5 depends on the replicated user IDs.
7 Network and Communication Security

For the full list of communication channels, see the SAP HANA Security Guide.

SAP NetWeaver Gateway to SAP HANA Studio (End-User Clients)
In addition to the standard SAP HANA communication channels, SAP Operational Process Intelligence uses the SAP NetWeaver Gateway to search for and discover process definitions in the provider systems. SAP HANA studio sends requests to the Process Gateway over HTTP or HTTPS, and the gateway forwards the request to the provider system for which the SAP NetWeaver Gateway is configured. Configure this channel for HTTPS so that credentials and process definitions are not transmitted in clear text.

To search for and discover process definitions, users require the following authorizations in the provider systems:
- Process Observer and SAP Business Workflow: the SAP_POC_END_USER role
- SAP NetWeaver Business Process Management: the SAP_BPM_EXPORT_MODEL action

For a full list of SAP NetWeaver Gateway communication channels, see the SAP Gateway Security Guide.
Important Disclaimers and Legal Information Coding Samples Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence. Accessibility The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP. Gender-Neutral Language As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible. Internet Hyperlinks The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. 
SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).
www.sap.com/contactsap 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see http://www.sap.com/corporate-en/legal/copyright/ index.epx for additional trademark information and notices.