2015-09-24
Contents
1 Introduction (page 3)
2 Before You Start (page 5)
3 Architectural Overview (page 7)
4 Authorizations and Roles (page 8)
4.1 Assigning Roles to SAP Operational Process Intelligence Users (page 13)
5 User Mapping (page 15)
6 Personal Data (page 17)
7 Network and Communication Security (page 18)
2 © 2015 SAP SE or an SAP affiliate company. All rights reserved.
SAP Operational Process Intelligence Security Guide
1 Introduction
This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.
SAP Operational Process Intelligence powered by SAP HANA is inextricably bound to and integrated with the SAP HANA database. Therefore, SAP HANA security concepts widely apply to SAP Operational Process Intelligence as well. Almost all sections of the SAP Operational Process Intelligence Security Guide are directly linked to the respective sections in the SAP HANA Security Guide.
Target Audience
● Technology consultants
● System administrators
● IT experts
This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software lifecycle, whereas the security guides provide information that is relevant for all lifecycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also increased. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation in your system should not result in loss of information or processing time. These demands on security apply likewise to SAP Operational Process Intelligence. We provide this security guide to assist you in securing SAP Operational Process Intelligence.
About This Document
The SAP Operational Process Intelligence Security Guide provides an overview of the security-relevant information that applies to SAP Operational Process Intelligence powered by SAP HANA.
The SAP Operational Process Intelligence Security Guide comprises the following sections:
● Before You Start [page 5]
  This section provides references to the most important SAP Notes that apply to the security of SAP Operational Process Intelligence powered by SAP HANA and further helpful resources.
● Architectural Overview [page 7]
  This section provides a graphic to give you an overview of the architecture of SAP Operational Process Intelligence.
● Authorizations and Roles [page 8]
  This section describes the roles that users need to access the SAP Operational Process Intelligence environment (that is, space.me) and, more importantly, the SAP Operational Process Intelligence-specific authorizations such as SQL and analytic privileges for scenario-generated SAP HANA artifacts. It also provides an overview of the SAP Operational Process Intelligence roles and their descriptions, and how to assign them.
● User Mapping [page 15]
  This section describes how SAP HANA users and the user IDs in the replicated event log are mapped to SAP Operational Process Intelligence user IDs, and how the default mapping can be customized.
● Personal Data [page 17]
  This section provides information about protecting security-sensitive personal data.
● Network and Communication Security [page 18]
  This section provides information about the SAP Operational Process Intelligence communication channels and security aspects.
2 Before You Start
For more information about SAP Operational Process Intelligence and the SAP HANA landscape, administration, and security, see the resources listed below:
● SAP HANA-relevant documentation, master guide, security guide
  Guide/Tool: SAP HANA Appliance Software Knowledge Center on the SAP Help Portal
  Link: SAP HANA Appliance Important Guides: SAP HANA Master Guide, SAP HANA Security Guide, SAP HANA Security Guide - Trigger-Based Data Replication, SAP BusinessObjects Data Replication
● SAP Operational Process Intelligence installation, upgrade, and configuration
  Guide/Tool: Installation and Upgrade Guide
  Link: SAP Operational Process Intelligence Installation and Upgrade Guide
● SAP Gateway Security Guide
  Link: https://help.sap.com/nwgateway20

Important SAP Notes
The most important SAP Notes relating to SAP Operational Process Intelligence and SAP HANA database security are listed below:
Table 1: Important SAP Notes
● SAP Note 1761917: Missing permissions in SAP HANA
● SAP Note 1612696: User authorizations for analytic objects in SAP HANA

Additional Information
For more information about specific topics, see the quick links below:
Table 2: Quick links on SAP Service Marketplace or SCN
● Security: http://scn.sap.com/community/security
● Security Guides: https://service.sap.com/securityguide
● Related SAP Notes: https://support.sap.com/notes and http://support.sap.com/securitynotes
● Released Platforms: https://support.sap.com/release-upgrade-maintenance/pam.html
● SAP Solution Manager: https://support.sap.com/solutionmanager
● SAP NetWeaver: http://sdn.sap.com/irj/sdn/netweaver
● In-Memory Computing: http://www.sdn.sap.com/irj/sdn/in-memory
3 Architectural Overview
This graphic gives you an overview of the architecture of SAP Operational Process Intelligence:
[Architecture graphic not reproduced in this text version.]
4 Authorizations and Roles
Authorizations and roles define the objects that users can access and the actions they can perform. In SAP Operational Process Intelligence, there are several roles that need to be assigned to users to enable them to perform operations, for example, on business scenarios, tasks, workflows, and rules.
The following sections describe the typical user assignments and the technical role assignments that are needed for the activities.
Operator or line-of-business user (with full access)
The operator is responsible for ensuring the smooth running of the business process and takes the necessary action to resolve any bottlenecks and move the process forward.
Table 3: Required roles
● sap.opi.pv.roles::OPINTUSER
  Allows the user to access space.me.
  Note: sap.opi.pv.roles::OPINTUSER provides SELECT access to the _SYS_BIC schema. This schema contains the runtime objects of all activated views. If you want to provide access only to the required views, you must assign object privileges on the views that are part of the generated role, <package_name>.gen_<scenario_name>::<scenario_name>_OPERATOR.
● <package_name>.gen_<scenario_name>::<scenario_name>_OPERATOR
  Allows the user to access specific scenarios and all relevant data in space.me.
● <package_name>.<technical_name>.v1.security::Start
  Allows the user to process workflows of the specific workflow template.
● sap.bc.hwf.security::HWFEndUser
  Allows the user to complete workflow tasks.
● sap.bc.pv.roles::OPINTADMINVIEWER
  Required if the operator is a power user who needs to inspect the administration status.
Note: The user also requires an analytic privilege that grants access to the source of the SAP HANA-based measure.
Operator or line-of-business user (with restricted access)
The operator is responsible for ensuring the smooth running of the business process and takes the necessary action to resolve any bottlenecks and move the process forward.
Table 4: Required roles
● sap.opi.pv.roles::OPINTUSER
  Allows the user to access space.me.
  Note: sap.opi.pv.roles::OPINTUSER provides SELECT access to the _SYS_BIC schema. This schema contains the runtime objects of all activated views. If you want to provide access only to the required views, you must assign object privileges on the views that are part of the generated role, <package_name>.gen_<scenario_name>::<custom_role_name>_OPERATOR.
● <package_name>.gen_<scenario_name>::<custom_role_name>_OPERATOR
  Allows the user to access specific scenarios and the restricted data in space.me.
● sap.bc.hwf.security::HWFEndUser
  Allows the user to complete workflow tasks.
● sap.bc.pv.roles::OPINTADMINVIEWER
  Required if the operator is a power user who needs to inspect the administration status.
Note: The user also requires an analytic privilege that grants access to the source of the SAP HANA-based measure.
Requestor
Table 5: Required roles
● sap.opi.pv.roles::OPINTUSER
  Allows the user to access space.me.
  Note: sap.opi.pv.roles::OPINTUSER provides SELECT access to the _SYS_BIC schema. This schema contains the runtime objects of all activated views. If you want to provide access only to the required views, you must assign object privileges on the views that are part of the generated role, <package_name>.gen_<scenario_name>::<scenario_name>_REQUESTOR.
● <package_name>.gen_<scenario_name>::<scenario_name>_REQUESTOR
  Allows the user to access specific scenarios in space.me as a requestor.
Solution Expert
Table 6: Required roles
● sap.opi.pv.roles::OPINTDEVELOPER
  Access for modeling business scenarios.
● MODELING
  Access for working with SAP HANA studio and creating packages, calculation views, attribute views, and other SAP HANA artifacts. This role is required by SAP Operational Process Intelligence to create or generate a business scenario.
  The MODELING role grants permissions on the root package and also grants the _SYS_BI_CP_ALL analytic privilege (access to the data of all activated views), which is more than the solution expert needs.
  Tip: We recommend that you create a custom role instead and restrict it to the packages the solution expert works in. The basic privileges that must be provided are:
  ● Package privileges
    ○ sap.opi and sap.bc.taskmgt: REPO.READ
    ○ Package rights for imported objects: REPO.EDIT_IMPORTED_OBJECTS, REPO.ACTIVATE_IMPORTED_OBJECTS, and REPO.MAINTAIN_IMPORTED_PACKAGES
    ○ Package where you want to create objects: REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS, and REPO.MAINTAIN_NATIVE_PACKAGES
  ● Object privileges
    ○ SELECT on schema _SYS_BI
  ● System privileges
    ○ CREATE SCENARIO
    ○ CREATE STRUCTURED PRIVILEGE
    ○ STRUCTUREDPRIVILEGE ADMIN (optional; required only if the solution expert is to grant access to the business scenario)
  ● Analytic privileges (optional)
    ○ _SYS_BI_CP_ALL, only if the solution expert needs to view data and test the calculation views. This is the same all-data privilege that makes MODELING too broad, so grant it deliberately and not by default.
● GRANT SELECT, EXECUTE, TRIGGER ON SCHEMA <schema_name> TO <user_name or role_name>
  Grant SELECT, EXECUTE, and TRIGGER authorizations for the schema where the source of your event/process context and operational data exists. This is needed to access data from source systems and to generate your business scenario successfully.
  Note: The system creates insert and update triggers on the tables used as operational data stores (ODS) to monitor state changes of the table columns. Therefore, for ODS scenarios, the solution expert needs the TRIGGER authorization.
● sap.hrf.role.model::HrfRuleConsumer
  Permits assigned users to run determination services based on the rules and rule services created in the system. To enable a user based on this role, you must also grant the user permission for the application schema. Determination services can be consumed in one of the following ways:
  ○ REST API rule service execution
  ○ Simulation rule service execution
  ○ ODBC consumption, by running the service procedure directly
● sap.bc.hwf.security::HWFDeveloper
  Allows the user to model and generate workflows.
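The custom role described in the Tip above, together with the source-schema grant and the repository roles from this table, can be scripted rather than assembled by hand in SAP HANA studio. The following SAP HANA SQL is an added example and not code from this guide; the development package "com.example.opint", the source schema "SRC_ERP", the catalog role OPI_SOLUTION_EXPERT and the user OPI_EXPERT are placeholders that you replace with your own names.

```sql
-- Added example, not part of the SAP guide. Placeholders: "com.example.opint"
-- (package the expert develops in), "SRC_ERP" (source schema),
-- OPI_SOLUTION_EXPERT (catalog role), OPI_EXPERT (the expert's SAP HANA user).
-- Run as a user that may create roles (ROLE ADMIN) and grant each privilege below.

-- 1. Catalog role that replaces MODELING: no root-package rights, no _SYS_BI_CP_ALL
CREATE ROLE OPI_SOLUTION_EXPERT;

-- Package privileges: read-only on the delivered OPInt and task-management packages
GRANT REPO.READ ON "sap.opi"        TO OPI_SOLUTION_EXPERT;
GRANT REPO.READ ON "sap.bc.taskmgt" TO OPI_SOLUTION_EXPERT;

-- Package privileges on the package where the expert creates native objects
GRANT REPO.READ                     ON "com.example.opint" TO OPI_SOLUTION_EXPERT;
GRANT REPO.EDIT_NATIVE_OBJECTS      ON "com.example.opint" TO OPI_SOLUTION_EXPERT;
GRANT REPO.ACTIVATE_NATIVE_OBJECTS  ON "com.example.opint" TO OPI_SOLUTION_EXPERT;
GRANT REPO.MAINTAIN_NATIVE_PACKAGES ON "com.example.opint" TO OPI_SOLUTION_EXPERT;

-- Package privileges for imported objects (delivery units) in the same package
GRANT REPO.EDIT_IMPORTED_OBJECTS      ON "com.example.opint" TO OPI_SOLUTION_EXPERT;
GRANT REPO.ACTIVATE_IMPORTED_OBJECTS  ON "com.example.opint" TO OPI_SOLUTION_EXPERT;
GRANT REPO.MAINTAIN_IMPORTED_PACKAGES ON "com.example.opint" TO OPI_SOLUTION_EXPERT;

-- Object privilege listed in the Tip
GRANT SELECT ON SCHEMA "_SYS_BI" TO OPI_SOLUTION_EXPERT;

-- System privileges
GRANT CREATE SCENARIO             TO OPI_SOLUTION_EXPERT;
GRANT CREATE STRUCTURED PRIVILEGE TO OPI_SOLUTION_EXPERT;
-- Optional: only if the expert is to grant scenario access to other users
GRANT STRUCTUREDPRIVILEGE ADMIN   TO OPI_SOLUTION_EXPERT;

-- Source schema: SELECT/EXECUTE to read source data, TRIGGER for ODS scenarios
GRANT SELECT, EXECUTE, TRIGGER ON SCHEMA "SRC_ERP" TO OPI_SOLUTION_EXPERT;

-- Optional and broad: _SYS_BI_CP_ALL exposes the data of every activated view.
-- Left commented out; enable it only where the expert must test views on real data.
-- GRANT STRUCTURED PRIVILEGE "_SYS_BI_CP_ALL" TO OPI_SOLUTION_EXPERT;

-- 2. Assign the catalog role and the repository (design-time) roles to the user
GRANT OPI_SOLUTION_EXPERT TO OPI_EXPERT;
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('sap.opi.pv.roles::OPINTDEVELOPER',    'OPI_EXPERT');
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('sap.bc.hwf.security::HWFDeveloper',   'OPI_EXPERT');
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('sap.hrf.role.model::HrfRuleConsumer', 'OPI_EXPERT');

-- 3. Verify: MODELING must not be in the list, and the catalog role must carry
--    nothing on the root package or on schemas other than SRC_ERP and _SYS_BI
SELECT ROLE_NAME
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'OPI_EXPERT';

SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'OPI_SOLUTION_EXPERT';
```

Repository roles such as sap.opi.pv.roles::OPINTDEVELOPER are owned by _SYS_REPO and are therefore granted through the _SYS_REPO.GRANT_ACTIVATED_ROLE procedure rather than with a plain GRANT; the catalog role created here is granted directly. If a user already holds MODELING, revoke it after the custom role is in place and re-run the first verification query.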
Administrator
Table 7: Required roles
● sap.bc.hwf.security::HWFSuperAdmin
  Grants read access to the following artifacts without restriction to specific workflow templates:
  ○ Workflow instances
  ○ Workflow templates
  Allows the user to set workflow templates to active or inactive if developer mode is disabled.
  Allows the user to enable and disable developer mode.
● sap.opi.pv.roles::OPINTADMIN
  Includes the authorizations necessary to administer basic SAP Operational Process Intelligence capabilities, including job scheduling and SMTP configuration.
HANA Workflow Administrator with Restricted Access
Table 8: Required roles
● sap.bc.hwf.security::HWFAdmin
  Allows the user to set workflows to active or inactive if developer mode is disabled.
● <package_name>.<technical_name>.v1.security::Read (generated role)
  Grants read access to the following artifacts, restricted to the specific workflow template:
  ○ Workflow instances
  ○ Workflow templates
  ○ Workflow context
HANA Workflow Administrator with Full Access
Table 9: Required roles
● sap.bc.hwf.security::HWFSuperAdmin
  Grants read access to the following artifacts without restriction to specific workflow templates:
  ○ Workflow instances
  ○ Workflow templates
  Allows the user to set workflow templates to active or inactive if developer mode is disabled.
  Allows the user to enable and disable developer mode.
● <package_name>.<technical_name>.v1.security::Read (generated role)
  Grants read access to the following artifacts, restricted to the specific workflow template:
  ○ Workflow instances
  ○ Workflow templates
  ○ Workflow context
Technical User
_SYS_REPO
_SYS_REPO is a technical database user and does not correspond to a real person.
Table 10: Required authorizations
● GRANT SELECT ON SCHEMA <schema_name> TO _SYS_REPO WITH GRANT OPTION
  Grant SELECT and CREATE ANY authorizations for the schema (used by SAP Operational Process Intelligence) where the source of your event/process context and operational data exists. This is needed to access data from source systems and to generate your business scenario successfully.
  Note: <schema_name> is a source system schema.
Service User
Table 11: Required roles
● sap.opi.pv.roles::OPINTSERVICE
  Allows the user to schedule jobs for correlation and notifications in SAP Operational Process Intelligence.
● <package_name>.<technical_name>.v1.security::Job
  Allows the user to schedule XS jobs for processing the started instances of the specific workflow template. This user must be entered as a parameter when you configure the generated XS job.
● sap.bc.taskmgt.roles::TASKMGT_SERVICE_CONNECTION
  Allows the user to execute tasks.
● GRANT SELECT, EXECUTE ON SCHEMA <schema_name> TO <user_name or role_name>
  Grant SELECT and EXECUTE authorizations for the schema where the source of your event/process context and operational data exists. This is needed to access data from source systems and to execute correlation and notification jobs.
4.1 Assigning Roles to SAP Operational Process Intelligence Users
Follow these steps to assign the necessary roles to the SAP Operational Process Intelligence users.
Prerequisites
Users are created. For more information on creating users, see the Managing SAP HANA Users section in the SAP HANA Administration Guide.
Procedure
1. In the SAP HANA Systems view, select the required system.
2. Under the system, choose Security/Users.
3. Select the user ID to which you want to assign a role.
4. From the context menu of the selected user ID, choose Open.
5. On the Granted Roles tab, choose the + icon.
6. Select the required role.
7. Choose OK.
8. Repeat steps 5 through 7 to add more roles.
Note
For service users and users running background jobs, the password expires according to the configured password lifetime. When this happens, the scheduled jobs fail. To avoid this, disable the password lifetime check for these technical users with the command ALTER USER <user_name> DISABLE PASSWORD LIFETIME. Apply this only to technical users that never log on interactively; named users keep the regular password lifetime.
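The grants from Tables 10 and 11 and the password-lifetime note above can be performed in SQL instead of through the SAP HANA studio steps, which makes them repeatable per system. The following is an added example and not code from this guide; "SRC_ERP", OPI_SERVICE and the initial password are placeholders. The generated <package_name>.<technical_name>.v1.security::Job role is granted the same way once the workflow template exists.

```sql
-- Added example, not part of the SAP guide. Placeholders: "SRC_ERP" (source
-- schema), OPI_SERVICE (service user), the initial password. Run as a user with
-- USER ADMIN and the grant rights needed for the privileges below.

-- Table 10: _SYS_REPO owns the activated objects. It needs the source-schema
-- privileges WITH GRANT OPTION so that activated views over the source tables
-- can pass SELECT on to the users who query them.
GRANT SELECT     ON SCHEMA "SRC_ERP" TO _SYS_REPO WITH GRANT OPTION;
GRANT CREATE ANY ON SCHEMA "SRC_ERP" TO _SYS_REPO;

-- Table 11: service user that runs the XS jobs (correlation, notifications, tasks).
-- It never logs on interactively, so it gets no forced first password change and
-- no password lifetime: an expiring password is exactly what makes the jobs fail.
CREATE USER OPI_SERVICE PASSWORD "Ch4ngeMeAtSetup" NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER OPI_SERVICE DISABLE PASSWORD LIFETIME;

CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('sap.opi.pv.roles::OPINTSERVICE', 'OPI_SERVICE');
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('sap.bc.taskmgt.roles::TASKMGT_SERVICE_CONNECTION', 'OPI_SERVICE');
-- Once generated:
-- CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('<package_name>.<technical_name>.v1.security::Job', 'OPI_SERVICE');

-- Source schema: read and execute only; unlike the solution expert, the service
-- user needs no TRIGGER right and should not get one.
GRANT SELECT, EXECUTE ON SCHEMA "SRC_ERP" TO OPI_SERVICE;

-- Check 1: the lifetime check is really off for the service user
SELECT USER_NAME, IS_PASSWORD_LIFETIME_CHECK_ENABLED, PASSWORD_CHANGE_NEEDED
  FROM SYS.USERS
 WHERE USER_NAME = 'OPI_SERVICE';

-- Check 2: DISABLE PASSWORD LIFETIME is acceptable only for technical users.
-- List every user it was applied to so that named users can be spotted.
SELECT USER_NAME, CREATOR, LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS
 WHERE IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
 ORDER BY USER_NAME;

-- Check 3: the roles actually granted to the service user
SELECT ROLE_NAME
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'OPI_SERVICE';
```

Replace the initial password immediately with a long random one that is stored only in the XS job configuration, and re-run check 2 periodically: a named user appearing in that list is a policy violation, not a convenience.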
5 User Mapping
To identify MY REQUESTS in the space.me workspace, SAP Operational Process Intelligence introduces a concept of user mapping that unifies the SAP HANA users and the SCOPE_OBJECT_USER_IDs (from the event log replicated from the provider systems) into SAP Operational Process Intelligence user IDs. Thus, the MY REQUESTS view only displays scenarios that were initiated (requested) by the logged-on SAP HANA user. The requester is the SCOPE_OBJECT_USER_ID of the scenario's start event. The default mapping logic is based on the equality of SAP Operational Process Intelligence user IDs. The currently logged-on user is mapped to one (or more) SAP Operational Process Intelligence user IDs in the "_SYS_BIC"."sap.opi.pv/SPVR_CURRENT_USER" scripted calculation view.
● SAP Operational Process Intelligence identity from the SAP HANA system
  If the SAP HANA user has an external identity, the part before the @ symbol is used as the SAP Operational Process Intelligence identity. For SAP HANA users that were created with passwords (local identity), the SAP HANA user name is used as the SAP Operational Process Intelligence user ID.
  If SAML authentication is configured for the SAP HANA user with a concrete external identity, that identity is also used as an SAP Operational Process Intelligence user ID.
  One SAP HANA user can therefore be mapped to several SAP Operational Process Intelligence identities. As the SAP HANA user name is always available, each SAP HANA user is guaranteed to have at least one SAP Operational Process Intelligence user ID.
● Process Observer and Business Workflow on SAP Business Suite
The replicated event log from Process Observer and Business Workflow systems contains the Logon ID that is used for the SAP Operational Process Intelligence user ID.
● SAP NetWeaver Business Process Management
The replicated event log contains the UME Unique IDs. The unique name that is extracted from the UME Unique ID is used as the SAP Operational Process Intelligence identity. For example, for the UME User ID USER.PRIVATE_DATASOURCE.un:Administrator, the unique name is Administrator.
Caution
Default user mapping may lead to incorrect results if SAP HANA users and the replicated event log contain equal entries for different end users.
User Mapping Customization
User mapping is implemented in the "_SYS_BIC"."sap.opi.pv/SPVR_CURRENT_USER" scripted calculation view. It returns the SAP Operational Process Intelligence identity as UserID for the currently logged-on user. If the default mapping logic is not suitable, this view can be customized to reflect the user management requirements in the specific landscape. The output schema of the view must be preserved, because the views that build MY REQUESTS consume it.
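Before customizing the view it is worth seeing what the default rules produce for every user, and whether they produce the collision the Caution above warns about. The following SAP HANA SQL is an added example and not code from this guide or from SPVR_CURRENT_USER itself; it assumes that Kerberos-style external identities are visible in SYS.USERS.EXTERNAL_IDENTITY, that SAML identities are visible in SYS.SAML_USER_MAPPINGS, and that wildcard SAML mappings appear there as 'ANY'. OPI_USER_MAPPING_AUDIT is a placeholder name for the audit view.

```sql
-- Added example, not part of the SAP guide. Reproduces the three default mapping
-- rules for every SAP HANA user so the result can be audited in one place.
-- Assumed system views/columns: SYS.USERS (USER_NAME, IS_PASSWORD_ENABLED,
-- EXTERNAL_IDENTITY) and SYS.SAML_USER_MAPPINGS (USER_NAME, EXTERNAL_IDENTITY).
CREATE VIEW OPI_USER_MAPPING_AUDIT AS
  -- Rule 1: password (local) users map to their own SAP HANA user name
  SELECT USER_NAME, USER_NAME AS OPINT_USER_ID, 'LOCAL' AS MAPPING_SOURCE
    FROM SYS.USERS
   WHERE IS_PASSWORD_ENABLED = 'TRUE'
  UNION ALL
  -- Rule 2: an external identity of the form name@REALM maps to the part before '@'
  -- (assumption: identities without '@' are not mapped by this rule)
  SELECT USER_NAME, SUBSTR_BEFORE(EXTERNAL_IDENTITY, '@'), 'EXTERNAL'
    FROM SYS.USERS
   WHERE EXTERNAL_IDENTITY IS NOT NULL
     AND EXTERNAL_IDENTITY LIKE '%@%'
  UNION ALL
  -- Rule 3: a concrete SAML identity is used as-is; wildcard mappings are skipped
  -- (assumption: the wildcard shows up as 'ANY' in this view)
  SELECT USER_NAME, EXTERNAL_IDENTITY, 'SAML'
    FROM SYS.SAML_USER_MAPPINGS
   WHERE EXTERNAL_IDENTITY <> 'ANY';

-- The identities the logged-on user gets, i.e. the same question that
-- SPVR_CURRENT_USER answers for the current session
SELECT OPINT_USER_ID, MAPPING_SOURCE
  FROM OPI_USER_MAPPING_AUDIT
 WHERE USER_NAME = SESSION_USER;

-- Collision check: one OPInt user ID reached by two different SAP HANA users.
-- Example of what this catches: local user JSMITH and a Kerberos user whose external
-- identity is JSMITH@CORP.EXAMPLE both map to JSMITH, so each would see the
-- other's requests under MY REQUESTS. Any row returned here needs a custom mapping.
SELECT OPINT_USER_ID, COUNT(DISTINCT USER_NAME) AS HANA_USERS
  FROM OPI_USER_MAPPING_AUDIT
 GROUP BY OPINT_USER_ID
HAVING COUNT(DISTINCT USER_NAME) > 1
 ORDER BY HANA_USERS DESC, OPINT_USER_ID;
```

The collision query only detects ambiguity on the SAP HANA side. The other case the Caution describes, a SCOPE_OBJECT_USER_ID in the replicated event log that happens to equal the name of an unrelated SAP HANA user, cannot be detected from system views alone; compare the distinct requester IDs in your event log tables against the audit view and resolve any matches that belong to different people in the customized SPVR_CURRENT_USER view.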
User Management
SAP Operational Process Intelligence reuses the SAP HANA user management concept. For more information, see the SAP HANA Security Guide.
6 Personal Data
By default, the personal data that SAP Operational Process Intelligence replicates and uses from the provider systems is limited to the User ID and the User Display Name.
Note
Personal data can also be replicated from the process context (for example, context data from the process definition from a SAP Business Process Management system).
If you want the replicated event log to be anonymous, you can use a transformation rule in the SAP LT Replication Server by setting both attributes as empty strings. This approach can also be applied to any other replicated table.
If you need to remove personal data from data that has already been replicated, you can update the replicated tables with queries. As SAP Operational Process Intelligence relies on real-time replication, however, newly replicated data will still contain personal data unless transformation rules are used in the SAP LT Replication Server.
Caution
If you use transformation rules and delete personal data, the MY REQUESTS view will not be visible in the space.me workspace, and the requester data will also not be available.
7 Network and Communication Security
For the full list of communication channels, see the SAP HANA Security Guide.
SAP NetWeaver Gateway to SAP HANA Studio (End-User Clients)
In addition to the standard SAP HANA communication channels, SAP Operational Process Intelligence uses SAP NetWeaver Gateway to search for and discover process definitions in the provider systems. SAP HANA studio sends these requests over HTTP or HTTPS to the SAP NetWeaver Gateway, which forwards them to the provider system for which it is configured. Use HTTPS for this channel so that the search requests and the returned process definitions are not transmitted in clear text.
To search for and discover process definitions, users need the following authorizations in the provider systems:
● Process Observer and SAP Business Workflow: SAP_POC_END_USER role
● SAP NetWeaver Business Process Management: SAP_BPM_EXPORT_MODEL action
For a full list of SAP NetWeaver Gateway communication channels, see the SAP Gateway Security Guide.
Important Disclaimers and Legal Information
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).
www.sap.com/contactsap
© 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.