SAP HANA Security Part 2: Classical Analytic Privileges Versus SQL Analytic Privileges

  • by Ned Falk, Senior Education Consultant, SAP
  • November 4, 2015
Learn about the differences between the various types of analytic privileges, and which ones to use to secure row-level data in an SAP HANA information view.
Learning Objectives
By reading this article, you will come to understand the:
  • Differences between and when to deploy SQL-based analytic privileges versus XML-based analytic privileges
  • Different settings needed to deploy either type
  • Use case for dynamic privileges
  • Different graphical user interfaces (GUIs) used to model analytical privileges
Key Concept

The privileges needed to control access to row-level data in SAP HANA are called analytic privileges. These allow some users to see data X and others to see only data Y when accessing the same information view.

Even as an SAP instructor, I was confused about some of the basics of security in SAP HANA. In part 1 of this series of articles, I discussed the first area of confusion—the difference between design-time (repository) and run-time (catalog) roles. In this article I address the confusion caused by the name change, for example, from XML to classical. I also address the differences between the types of analytic privileges, and why you would use one versus another in the ultimate goal of securing row-level data (for example, who can see what country in an SAP HANA information view).

An information view is a specific type of SAP HANA database view that can be used to feed data to various BusinessObjects reporting tools. Like other database views, it collects data from tables at run time.

Originally, analytic privileges were modeled in the content repository with an easy-to-use user interface (UI) tool that stored them, under the covers, in XML. The tool was first SAP HANA studio and, more recently, the SAP HANA Web Integrated Development Environment (SAP HANA Web IDE). Although these techniques were easy to use, they were not flexible when it came to crafting more complex rules, for example, when you want users to be able to view sales data for company X, but only for country Y. It was not until the most recent Support Package Stack 10 (SPS10) was released that it became possible to create a newer type of SQL-based analytic privilege that solved this flexibility constraint, created either via the modeling perspective of SAP HANA studio or via the web-based SAP HANA Web IDE.

Also as of the release of SPS10, the same convenient creation UI options that existed for XML-based analytic privileges can be used to deploy both XML- and SQL-based analytic privileges. This is possible because both tools (SAP HANA studio and SAP HANA Web IDE) can build both types of privileges. There are, however, significant differences in features and settings for each. In this article I explore, in more detail, the differences between these two types of analytic privileges, why one might be better than the other in certain scenarios, and the UI options for building each.
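The "company X, but only for country Y" rule described above, written as an SQL-based analytic privilege. This is an added example, not code from the original article; it goes one step further and also shows the dynamic form listed in the learning objectives. The view, schema, table, procedure, privilege, and user names are all hypothetical.

```sql
-- Hypothetical objects: view "_SYS_BIC"."sales/CV_SALES" with columns COMPANY and
-- COUNTRY, schema SECURITY, users ANALYST_1 and ANALYST_2. Assumes the view's
-- "Apply Privileges" property is set to "SQL Analytic Privileges".

-- 1. Fixed filter: company X, but only country Y, in a single privilege.
CREATE STRUCTURED PRIVILEGE "AP_SALES_X_Y"
  FOR SELECT ON "_SYS_BIC"."sales/CV_SALES"
  WHERE "COMPANY" = 'X' AND "COUNTRY" = 'Y';

GRANT STRUCTURED PRIVILEGE "AP_SALES_X_Y" TO ANALYST_1;

-- 2. Dynamic filter: the WHERE clause is built at query time from a mapping
--    table, so changing a user's scope is a row update, not a new privilege.
CREATE COLUMN TABLE "SECURITY"."SALES_SCOPE" (
  USER_NAME NVARCHAR(256) NOT NULL,
  COMPANY   NVARCHAR(10)  NOT NULL,
  COUNTRY   NVARCHAR(3)   NOT NULL
);
INSERT INTO "SECURITY"."SALES_SCOPE" VALUES ('ANALYST_2', 'X', 'Y');  -- constructed row

-- The procedure returns the filter text in its single OUT parameter.
-- It runs with definer rights, so SESSION_USER (not CURRENT_USER) identifies
-- the person querying the view. Embedded quotes are doubled because the
-- table values are concatenated into a filter expression; write access to
-- SALES_SCOPE must be limited to the people who administer authorizations.
CREATE PROCEDURE "SECURITY"."GET_SALES_FILTER" (OUT OUT_FILTER NVARCHAR(5000))
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
  SELECT STRING_AGG(
           '("COMPANY" = ''' || REPLACE(COMPANY, '''', '''''') ||
           ''' AND "COUNTRY" = ''' || REPLACE(COUNTRY, '''', '''''') || ''')',
           ' OR ')
    INTO OUT_FILTER
    FROM "SECURITY"."SALES_SCOPE"
   WHERE USER_NAME = SESSION_USER;
END;

CREATE STRUCTURED PRIVILEGE "AP_SALES_DYNAMIC"
  FOR SELECT ON "_SYS_BIC"."sales/CV_SALES"
  CONDITION PROVIDER "SECURITY"."GET_SALES_FILTER";

GRANT STRUCTURED PRIVILEGE "AP_SALES_DYNAMIC" TO ANALYST_2;
```

Each user also needs the SELECT object privilege on the view itself; the analytic privilege only determines which rows that SELECT returns.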

Ned Falk

Ned Falk is a senior education consultant at SAP. In prior positions, he implemented many ERP solutions, including SAP R/3. While at SAP, he initially focused on logistics. Now he focuses on SAP HANA, SAP BW (formerly SAP NetWeaver BW), SAP CRM, and the integration of SAP BW and SAP BusinessObjects tools. You can meet him in person when he teaches SAP HANA, SAP BW, or SAP CRM classes from the Atlanta SAP office, or in a virtual training class over the web. If you need an SAP education plan for SAP HANA, SAP BW, BusinessObjects, or SAP CRM, you may contact Ned via email.
