
Secure Development With SAP Hana XSA

SAP Hana XSA enables different deployments in one single Hana database. However, companies have to consider various security guidelines to ensure diligent access management.
Thomas Tiede, IBS
April 9, 2020
IT Security

With Hana 1.0 SPS11, SAP Hana Extended Application Services, Advanced Model (SAP Hana XSA) was introduced. This model is based on a microservices approach and enables the modularization of software development.

Hana XSA makes different deployments (separated development environments) in one single Hana database possible. Every application operates in a separate container and in its own environment, meaning that problems in one application do not affect the others.

Companies have to consider various security guidelines to ensure diligent access management. SAP Hana XSA Cockpit orchestrates the solution, managing users, access and security configurations (e.g. tenants or SAML identity providers).

In user management, admins can create new accounts or convert existing Hana users to XSA users. Access is granted by so-called role collections. For example, for user management the role collection XS User Admin is necessary, and for role management users need the role collection XS Authorization Admin. For viewing only, standard role collections XS Authorization Display and XS User Display are available. Accountability is guaranteed by Hana’s auditing.

How SAP Hana XSA works

The basic structure of SAP Hana XSA consists of organizations and spaces. In spaces, users can develop applications. Organizations are containers meant to structure the spaces. Developers operate in spaces. After the user master data have been created, developers are assigned spaces and access rights. There are three types of roles: Space Manager (space management as well as evaluating applications); Space Developer (implementing, activating and deactivating applications, matching applications to services); and Space Auditor (evaluation of applications and role management).

Regarding organizations, the role Organization Manager enables user management and maintaining the spaces in an organization. Any changes to organizations or spaces are recorded in trace files on the operating system that can be analyzed with e.g. Hana Database Explorer.
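An access review over the role model described above, as an added example that is not part of the original article: it flags risky combinations of role collections and space roles. The sample users, the organization and space names, and the conflict rules are constructed assumptions for illustration, not SAP defaults or an SAP export format.

```python
from collections import defaultdict

# Constructed sample data (not from a real system): role collections per user.
ROLE_COLLECTIONS = {
    "ADMIN_A": {"XS User Admin", "XS Authorization Admin"},
    "ADMIN_B": {"XS User Admin"},
    "AUDIT_C": {"XS User Display", "XS Authorization Display"},
    "DEV_D": set(),
}
# Constructed (user, organization, space, role) assignments.
SPACE_ROLES = [
    ("DEV_D", "acme", "DEV", "Space Developer"),
    ("DEV_D", "acme", "PROD", "Space Developer"),
    ("DEV_D", "acme", "DEV", "Space Manager"),
    ("AUDIT_C", "acme", "PROD", "Space Auditor"),
    ("ADMIN_B", "acme", "PROD", "Space Manager"),
]
# Assumed review policy (hypothetical; each company defines its own rules).
PROTECTED_SPACES = {("acme", "PROD")}
CONFLICTING_COLLECTIONS = [{"XS User Admin", "XS Authorization Admin"}]
CONFLICTING_SPACE_ROLES = [{"Space Manager", "Space Developer"}]

def review(role_collections, space_roles):
    """Return (user, finding, detail) tuples for assignments that break the policy."""
    findings = []
    for user, held in sorted(role_collections.items()):
        for combo in CONFLICTING_COLLECTIONS:
            if combo <= held:  # user holds every collection in the conflicting set
                findings.append((user, "role-collection conflict",
                                 " + ".join(sorted(combo))))
    # Group space roles so combinations are judged per user and per space.
    per_space = defaultdict(set)
    for user, org, space, role in space_roles:
        per_space[(user, org, space)].add(role)
    for (user, org, space), roles in sorted(per_space.items()):
        where = f"{org}/{space}"
        for combo in CONFLICTING_SPACE_ROLES:
            if combo <= roles:
                findings.append((user, "space-role conflict",
                                 f"{where}: " + " + ".join(sorted(combo))))
        if (org, space) in PROTECTED_SPACES and "Space Developer" in roles:
            findings.append((user, "developer in protected space", where))
    return findings

if __name__ == "__main__":
    for finding in review(ROLE_COLLECTIONS, SPACE_ROLES):
        print(*finding, sep=" | ")
```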

The central development platform for SAPUI5 applications is SAP WebIDE (integrated development environment). It supports various programming languages like Java, JavaScript, SAPUI5 HTML5, Node.js and more. WebIDE can be used for on-prem applications (Hana XSA) and as central development application for SAP Cloud Platform (Cloud Foundry).

To leverage WebIDE, developers have to be assigned corresponding access rights in SAP Hana XSA. Two standard templates already exist for this purpose: WebIDE Developer and WebIDE Administrator. To authorize users for application development, a role has to be created from the template WebIDE Developer.

To implement access rights in customized solutions, companies have to define their own rules. They can also integrate actions into customized solutions that can be recorded using Hana’s auditing (category application auditing).

In conclusion, the use of SAP Hana XSA requires following strict security guidelines and practicing diligent user and access management.

Thomas Tiede is managing director of IBS Schreiber.

