The global and independent platform for the SAP community.
The opinion of the SAP community, IT Security Column, MAG 20-03

Secure development with SAP Hana XSA

With SAP Hana XSA, different deployments are possible within a single Hana database. Various security criteria must be observed so that application development can be authorized according to requirements.
Thomas Tiede, IBS
April 9, 2020
Content:
It Security
avatar
This text has been automatically translated from German to English.

With Hana 1.0 SPS11, SAP Hana Extended Application Services, Advanced Model (SAP Hana XSA) was introduced. This model is based on the microservices approach and enables modularization of software development. This enables different deployments (separate development environments) within a single Hana database.

Each application is stored in its own container and has its own runtime environment. This means that any problems with the application do not affect other applications.

When using SAP Hana XSA, various security criteria must be observed so that application development can be authorized in accordance with requirements.

The solution is managed with the SAP Hana XSA Cockpit. Users and authorizations are managed here, as is the security configuration. The latter includes, for example, the tenants that can be managed from here and the management of the SAML identity providers.

In the user administration, new users can be created or existing Hana users can be migrated to XSA users. The authorizations for this are assigned via so-called Role Collections. For example, the Role Collection XS User Admin is required for user administration, and the Role Collection XS Authorization Admin is required for role administration.

The XS Authorization Display and XS User Display standard role collections are available for pure display. The traceability of the user and authorization management is enabled via the auditing of the Hana database; the corresponding auditing actions must be activated here.

The basic structure of SAP Hana XSA consists of Organizations and Spaces. The applications are developed within the Spaces. Organizations are containers for structuring the Spaces. Developers are assigned to the Spaces.

They must have been created as a user master record beforehand. During the assignment to the Spaces, the authorizations are assigned to the users. A distinction is made between a Space Manager (maintenance of the user assignment to the Space and display and evaluation of the applications), Space Developer (integration, starting and stopping of applications, assignment of applications to services) and Space Auditor (display and evaluation of the applications and the user assignments to the Space).

This defines which users are active as developers within the Space. On the Organization level, the Organization Manager permission can be used to maintain the user assignment to the Organization and to maintain the Spaces in the Organization.

Changes to Organizations and Spaces are logged in a trace file in the operating system. They can be evaluated with the Hana Database Explorer, for example.

The central development platform for SAPUI5 applications is the SAP WebIDE (Integrated Development Environment). Various languages are supported, such as Java, Java Script, SAPUI5 HTML5, Node.js, etc. WebIDE can be used both for on-premises applications (Hana XSA) and as a central development application for the SAP Cloud Platform (Cloud Foundry).

To use the WebIDE, developers must be assigned authorizations in SAP Hana XSA. Two template roles already exist for this purpose, WebIDE Developer and WebIDE Administrator. To authorize users for application development, a role must be derived from the template WebIDE Developer.

Company-internal specifications must be defined for the implementation of authorizations in custom developments. Actions can also be integrated into the custom developments, which are logged via Hana Auditing.

For this purpose, the Application Auditing category exists in auditing, in which, among other things, actions such as Personal Data Access and Personal Data Modification can be recorded. A separate security and authorization concept must be created for the use of SAP Hana XSA, which is also regularly reviewed.

avatar
Thomas Tiede, IBS

Thomas Tiede is managing director of IBS Schreiber.


All articles of the author

Continuing to work closely together for the benefit of our joint customers

Is SAP’s Restructuring Program a Hit or a Miss?

ERP Knowledge Gaps

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

May 21 and 22, 2025

Early Bird Ticket

Available until March 1, 2025
€ 490 excl. VAT

Regular ticket:

€ 590 excl. VAT

Venue

Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket
EUR 490 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.