
Secure development with SAP Hana XSA

With SAP Hana XSA, different deployments are possible within a single Hana database. Various security criteria must be observed so that application development can be authorized according to requirements.
Thomas Tiede, IBS
April 9, 2020

With Hana 1.0 SPS11, SAP introduced SAP Hana Extended Application Services, Advanced Model (SAP Hana XSA). The model is based on the microservices approach and modularizes software development, which allows different deployments (separate development environments) within a single Hana database.

Each application is stored in its own container and has its own runtime environment. This means that problems in one application do not affect other applications.

When using SAP Hana XSA, various security criteria must be observed so that application development can be authorized in accordance with requirements.

The solution is managed with the SAP Hana XSA Cockpit. Users and authorizations are managed here, as is the security configuration. The latter includes, for example, the tenants that can be managed from here and the management of the SAML identity providers.

In the user administration, new users can be created or existing Hana users can be migrated to XSA users. The authorizations for this are assigned via so-called Role Collections. For example, the Role Collection XS User Admin is required for user administration, and the Role Collection XS Authorization Admin is required for role administration.

The standard role collections XS Authorization Display and XS User Display are available for display-only access. Changes in user and authorization management are made traceable through the auditing of the Hana database; the corresponding audit actions must be activated there.
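One way to activate audit actions for user and role administration in the Hana database, shown as an added example that is not part of the original article. The policy names are hypothetical and the chosen action lists are an assumption to be aligned with your own authorization concept.

```sql
-- Added example, not from the article. Policy names are hypothetical;
-- the action lists are an assumption and should follow your own concept.

-- 1. Switch on auditing for the database.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;

-- 2. Record every attempt, successful or not, to create, change or drop a user.
CREATE AUDIT POLICY "XSA_USER_ADMIN"
  AUDITING ALL CREATE USER, ALTER USER, DROP USER
  LEVEL INFO;

-- 3. Record role lifecycle and role assignment changes.
CREATE AUDIT POLICY "XSA_ROLE_ADMIN"
  AUDITING ALL CREATE ROLE, DROP ROLE, GRANT ROLE, REVOKE ROLE
  LEVEL INFO;

-- 4. A new audit policy is inactive until it is explicitly enabled.
ALTER AUDIT POLICY "XSA_USER_ADMIN" ENABLE;
ALTER AUDIT POLICY "XSA_ROLE_ADMIN" ENABLE;

-- 5. Review step: confirm that both policies exist and are active.
SELECT AUDIT_POLICY_NAME,
       EVENT_ACTION,
       EVENT_STATUS,
       EVENT_LEVEL,
       IS_AUDIT_POLICY_ACTIVE
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME IN ('XSA_USER_ADMIN', 'XSA_ROLE_ADMIN')
 ORDER BY AUDIT_POLICY_NAME, EVENT_ACTION;
```

Creating and enabling audit policies requires the AUDIT ADMIN system privilege; the query in step 5 is a convenient check to repeat during regular reviews.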

The basic structure of SAP Hana XSA consists of Organizations and Spaces. The applications are developed within the Spaces. Organizations are containers for structuring the Spaces. Developers are assigned to the Spaces.

The developers must have been created as user master records beforehand. The authorizations are assigned to the users when they are assigned to the Spaces. A distinction is made between Space Manager (maintenance of the user assignment to the Space, and display and evaluation of the applications), Space Developer (integration, starting and stopping of applications, assignment of applications to services) and Space Auditor (display and evaluation of the applications and of the user assignments to the Space).

This defines which users are active as developers within the Space. On the Organization level, the Organization Manager permission can be used to maintain the user assignment to the Organization and to maintain the Spaces in the Organization.

Changes to Organizations and Spaces are logged in a trace file in the operating system. They can be evaluated with the Hana Database Explorer, for example.

The central development platform for SAPUI5 applications is the SAP WebIDE (Integrated Development Environment). Various languages are supported, such as Java, JavaScript, SAPUI5 HTML5, Node.js, etc. WebIDE can be used both for on-premises applications (Hana XSA) and as a central development application for the SAP Cloud Platform (Cloud Foundry).

To use the WebIDE, developers must be assigned authorizations in SAP Hana XSA. Two template roles already exist for this purpose, WebIDE Developer and WebIDE Administrator. To authorize users for application development, a role must be derived from the template WebIDE Developer.

Company-internal specifications must be defined for implementing authorizations in custom developments. Actions that are logged via Hana Auditing can also be integrated into the custom developments.

For this purpose, auditing provides the Application Auditing category, in which, among other things, actions such as Personal Data Access and Personal Data Modification can be recorded. A separate security and authorization concept must be created for the use of SAP Hana XSA, and it must be reviewed regularly.


Thomas Tiede is managing director of IBS Schreiber.
