SAP HANA Security Part 1: The Difference Between Run-Time and Design-Time Roles

  • by Ned Falk, Senior Education Consultant, SAP
  • October 7, 2015
The basics about SAP HANA security can be a somewhat confusing topic, even for experienced users. However, there are some terms and concepts that users must understand in order to properly set up security in SAP HANA. In the first of this two-part series about SAP HANA security, gain an overview of two ways for building security roles: run-time and design-time roles. There are significant differences between these two techniques, each with its own advantages and disadvantages.
Learning Objectives

Reading this article, you will learn about:

  • The features SAP HANA has to deploy reporting security and when reporting security is needed in SAP HANA
  • The difference between run-time (catalog) and design-time (repository) roles
Key Concept
In the early days of SAP HANA, there was only one way to build roles that enabled some users to see data X and others to see data Y: it had to be coded manually. Now there are SAP HANA graphical and automated tools that allow security roles to be built that can be assigned to users to do this task. When choosing which graphical option to use, the SAP HANA SQL-compliant database codes the required data control language (DCL) syntax behind the scenes. There are options on which user interface (UI) to use, however, and even though either UI creates code, which one is chosen affects the ultimate goal of achieving an easy-to-administer yet still secure SAP HANA system.

SAP HANA is a SQL-compliant database that comes with many extra features that are not standard in most databases. These capabilities include text searching, a built-in web server, geo-spatial data handling, and more. As I understand it, a SQL-compliant database has to have the SQL basics implemented in order to secure the data. With SAP HANA, SAP has done this: implemented the basic requirements of standard SQL. However, although the basics of SAP HANA’s security features are adequate for complying with SQL standards, the bare minimum security features are not enough for a complex corporate security environment.

To meet these needs, SAP HANA offers multiple user interfaces (UIs) that allow for more than one way to deploy security schemes and various features over and above the basics needed for SQL compliance. In this article I address one major area where options exist—the area of deploying security roles (run-time [catalog] or design-time [repository] roles). First, I give a high-level overview of the security options that come with the SAP HANA database, its features for deploying reporting security, and when reporting security is needed in SAP HANA. Then I examine in more detail the differences between run-time and design-time roles, and clear up some confusion that exists about these two options for deploying roles.

A High-Level Overview of Security in SAP HANA

Many different components make up SAP HANA security. This is because not only does SAP HANA operate in most scenarios as a database to support applications running in their own servers; it also behaves as an application itself with users getting information directly from the SAP HANA system. Both these scenarios have different security demands.

Ned Falk

Ned Falk is a senior education consultant at SAP. In prior positions, he implemented many ERP solutions, including SAP R/3. While at SAP, he initially focused on logistics. Now he focuses on SAP HANA, SAP BW (formerly SAP NetWeaver BW), SAP CRM, and the integration of SAP BW and SAP BusinessObjects tools. You can meet him in person when he teaches SAP HANA, SAP BW, or SAP CRM classes from the Atlanta SAP office, or in a virtual training class over the web. If you need an SAP education plan for SAP HANA, SAP BW, BusinessObjects, or SAP CRM, you may contact Ned via email.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.