Secure development with SAP Hana XSA
SAP Hana Extended Application Services, Advanced Model (SAP Hana XSA) was introduced with Hana 1.0 SPS11. This model is based on the microservices approach and modularizes software development, which allows different deployments (separate development environments) within a single Hana database.
Each application is stored in its own container and has its own runtime environment. This means that any problems with the application do not affect other applications.
When using SAP Hana XSA, various security criteria must be observed so that application development can be authorized in accordance with requirements.
The solution is managed with the SAP Hana XSA Cockpit. Users and authorizations are managed here, as is the security configuration. The latter includes, for example, the tenants that can be managed from here and the management of the SAML identity providers.
In the user administration, new users can be created or existing Hana users can be migrated to XSA users. The authorizations for this are assigned via so-called Role Collections. For example, the Role Collection XS User Admin is required for user administration, and the Role Collection XS Authorization Admin is required for role administration.
The XS Authorization Display and XS User Display standard role collections are available for pure display. The traceability of the user and authorization management is enabled via the auditing of the Hana database; the corresponding auditing actions must be activated here.
The basic structure of SAP Hana XSA consists of Organizations and Spaces. The applications are developed within the Spaces. Organizations are containers for structuring the Spaces. Developers are assigned to the Spaces.
They must already exist as user master records. The authorizations are assigned to the users when they are assigned to the Spaces. A distinction is made between a Space Manager (maintenance of the user assignment to the Space and display and evaluation of the applications), Space Developer (integration, starting and stopping of applications, assignment of applications to services) and Space Auditor (display and evaluation of the applications and the user assignments to the Space).
This defines which users are active as developers within the Space. On the Organization level, the Organization Manager permission can be used to maintain the user assignment to the Organization and to maintain the Spaces in the Organization.
Changes to Organizations and Spaces are logged in a trace file in the operating system. They can be evaluated with the Hana Database Explorer, for example.
The central development platform for SAPUI5 applications is the SAP WebIDE (Integrated Development Environment). Various languages are supported, such as Java, JavaScript, SAPUI5 HTML5, Node.js, etc. WebIDE can be used both for on-premises applications (Hana XSA) and as a central development application for the SAP Cloud Platform (Cloud Foundry).
To use the WebIDE, developers must be assigned authorizations in SAP Hana XSA. Two template roles already exist for this purpose, WebIDE Developer and WebIDE Administrator. To authorize users for application development, a role must be derived from the template WebIDE Developer.
Company-internal specifications must be defined for the implementation of authorizations in custom developments. Custom developments can also include actions that are logged via Hana Auditing.
For this purpose, auditing provides the Application Auditing category, in which, among other things, actions such as Personal Data Access and Personal Data Modification can be recorded. A separate security and authorization concept must be created for the use of SAP Hana XSA and reviewed regularly.