Customer Coffee Corner for SAP IQ * Upgrade from IQ 15.x to IQ 16.x

Customer Coffee Corner for SAP IQ – Roles
Saroj Bagai/SAP Global Product Support
July 9, 2015
Customer
Agenda
SAP IQ Roles Based Access Control presentation
Open Discussion about Roles Based Access Control
Common links for information
Product components
BC-SYB-IQ (IQ)
BW-SYS-DB-IQ (IQNLS)
XX-SER-LIKEY-SYB ( License Key)
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
Customer
2
Roles Based Access Control
• Permissions are associated with roles, and users are assigned to the appropriate roles.
• Roles can be created based on job functions and organization structure.
• Users are assigned to roles according to their job requirements.
• User-to-role assignments can change frequently, while role definitions are relatively static.
Role Based Access Control - Feature
• Supports the principles of Least Privilege and Separation of Duties.
• New permissions and permission sets can be created, giving a high degree of flexibility in delegating administrative tasks.
• The feature separates role administrators from permission owners.
• Two types of roles:
- System Roles
- User Defined Roles
Role Based Access Control - Feature
• A role can be both grantor and grantee of privileges and roles.
• A role can own schema objects.
• Supports the ANSI SQL ‘WITH ADMIN OPTION’ grant type.
• Extends the ANSI ROLE standard with the ‘WITH ADMIN ONLY OPTION’ grant type.
• ADMIN ONLY role grant type:
- Provides only administrative access over a role (no right to use it)
- Prevents accidental misuse
- Gives better separation of duties and also achieves the principle of least privilege
Roles
• A System Privilege allows a user to perform a database administrative operation or a privileged task.
• An Object-Level Privilege allows a user to perform an authorized task on a specified object.
• A Role is a container that may hold one or more System Privileges and Object-Level Privileges.
• A User-Defined Role is a custom collection of system and object-level privileges, created to group the privileges related to a specific task or set of tasks.
• System Roles are built-in roles that are automatically created in each new database.
System Privileges
Syntax:
GRANT <system-priv-name>[,…] TO <grantee>[,…]
[WITH {NO ADMIN | ADMIN | ADMIN ONLY } OPTION ]
REVOKE [ ADMIN OPTION FOR ] <system-priv-name>[,…]
FROM <grantee>[,…]
Permissions: System Privilege Administrator
Grant Options:
• WITH NO ADMIN OPTION (Default): Allows grantee to use the system privilege
• WITH ADMIN OPTION: Allows grantee to use the system privilege and also administrative rights over the system privilege
• WITH ADMIN ONLY OPTION: Allows grantee administrative rights over the system privilege
User-Defined Roles
Syntax:
CREATE [ OR REPLACE ] ROLE <role-name> [ WITH ADMIN [ONLY ] <admin> [, … ] ]
• A role name cannot have the ‘SYS_’ prefix or the ‘_ROLE’ suffix.
• The MANAGE ROLES system privilege is required to create a new role.
• Role administrator names can be supplied at the time of role creation.
• The admin list specified must satisfy the min_role_admins database option.
• If no admin list is specified, the MANAGE ROLES system privilege is the default administrator of the role.
• OR REPLACE can be used to replace the current set of role administrators with a new set
- Requires the MANAGE ROLES system privilege and administrative privilege on the role
User-Defined Roles – Drop Role
Syntax:
DROP ROLE <role-name> [ WITH REVOKE ]
Permissions: Role Administrator
• WITH REVOKE: forces the drop of a role that has been granted to multiple users or roles; the outstanding grants are revoked
• DROP ROLE will fail if the min_role_admins condition would be violated
Grant Role
Syntax:
GRANT ROLE <role-name>[,...] TO <grantee>[,…]
[ WITH { NO ADMIN | ADMIN | ADMIN ONLY } OPTION ]
REVOKE [ ADMIN OPTION FOR ] <role-name>[,…]
FROM <grantee>[,…]
Permissions: Role Administrator
Grant Options:
• WITH NO ADMIN OPTION (Default): Allows grantee to use the privileges associated with the role
• WITH ADMIN OPTION: Allows grantee to use the privileges associated with the role and also administrative rights over the role
• WITH ADMIN ONLY OPTION: Allows grantee administrative rights over the role
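As an added worked example (not from the original slides), the statements below run through the lifecycle of a user-defined role in SAP IQ 16 and use the ADMIN ONLY grant type to keep the people who administer a role from also exercising it. All names (rpt_role, sec_admin1, sec_admin2, analyst1, analyst2, onboarding_clerk, dba.sales_fact) are constructed. The ROLE keyword in the REVOKE statements and the single-argument call to sp_displayroles follow the SAP IQ 16 reference as I recall it and should be checked against the documentation for your version.

```sql
-- Added example: role lifecycle with separation of duties (all names constructed).
-- Two security administrators administer the role but cannot exercise it:
-- WITH ADMIN ONLY gives them grant/revoke rights over rpt_role, nothing more.
-- Requires MANAGE ROLES; the admin list must meet the min_role_admins option.
CREATE ROLE rpt_role WITH ADMIN ONLY sec_admin1, sec_admin2;

-- Attach the least privilege the job needs to the role, not to individual users.
-- The grantor needs administrative rights over each privilege being granted.
GRANT LOAD ANY TABLE TO rpt_role;
GRANT SELECT ON dba.sales_fact TO rpt_role;   -- object-level privilege on a constructed table

-- Role users receive the privileges only; no right to pass the role on (the default).
GRANT ROLE rpt_role TO analyst1, analyst2 WITH NO ADMIN OPTION;

-- A delegate who can onboard further analysts but must not read the data itself.
GRANT ROLE rpt_role TO onboarding_clerk WITH ADMIN ONLY OPTION;

-- Access review: which roles does analyst1 hold?
-- (single-argument form of sp_displayroles is an assumption; see the lead-in)
CALL sp_displayroles('analyst1');

-- Remove only the administrative right, leaving any use rights untouched.
REVOKE ADMIN OPTION FOR ROLE rpt_role FROM onboarding_clerk;

-- Remove role membership entirely for a departed user.
REVOKE ROLE rpt_role FROM analyst2;

-- Retire the role. Without WITH REVOKE the statement fails while grants to other
-- users or roles still exist, so outstanding access surfaces before the role goes;
-- WITH REVOKE drops those grants explicitly. The caller must be a role
-- administrator and the min_role_admins condition must still hold.
DROP ROLE rpt_role WITH REVOKE;
```

The point of the ADMIN ONLY grants is auditability as much as least privilege: anyone who can read dba.sales_fact holds rpt_role with NO ADMIN or ADMIN, so the reviewer can list data access without wading through administrators.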
Use Case Scenarios
1. Permissions for login administration
• Allow user user1 to manage users and manage login policies
    grant MANAGE ANY USER to user1
    grant MANAGE ANY LOGIN POLICY to user1
2. Permissions for a help desk operator
• Allow help desk operator user2 to reset passwords for users who call in with forgotten passwords
    grant CHANGE PASSWORD to user2
3. Permissions for multiplex setup and administration
• Allow users user3 and user4 to set up multiplex and administer multiplex servers
    create role mpx_admin_role
    grant MANAGE MULTIPLEX to mpx_admin_role
    grant role mpx_admin_role to user3, user4
Use Case Scenarios
4. Permissions for importing data into the database
• Allow user user5 to import data into the IQ database from external files
    grant LOAD ANY TABLE to user5
5. Permissions for database backup administration
• Allow user user6 to perform database backups
    grant BACKUP DATABASE to user6
6. Permissions for managing historical data
• Allow users user7 and user8 to manage historical data by moving old database objects to separate database files
    create role dbspace_admin_role
    grant MANAGE ANY DBSPACE to dbspace_admin_role
    grant role dbspace_admin_role to user7, user8
New Database Option
• min_role_admins: Minimum number of administrators required for every role. Values: 1-10
Auto Unlocking Feature
• Automatic unlocking happens when:
- A user who exceeded the max_failed_login_attempts limit tries to log in again with the correct username/password, and the time elapsed since the last failed login attempt is greater than the value set by the applicable login policy option.
- A user who exceeded the max_failed_login_attempts limit tries to log in with the correct username/password after the database server has been restarted.
• New Login Policy Options
- root_auto_unlock_time: Applies only to users with the MANAGE ANY USER system privilege and can be set only in the root login policy. Default: 15 min
- auto_unlock_time: Default: unlimited
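The two unlock options above belong to login policies, so the natural way to apply them is through the login policy statements. The following is an added example, not from the slides: the policy name standard_user_policy and the user analyst1 are constructed, the option values are illustrative, and the ALTER LOGIN POLICY / CREATE LOGIN POLICY / ALTER USER ... LOGIN POLICY statements and the columns of sa_get_user_status are taken from the SAP IQ 16 reference as I recall it, so verify them against your version.

```sql
-- Added example (not from the slides): lockout and auto-unlock configuration.
-- Policy/user names are constructed; times are in minutes.

-- Holders of MANAGE ANY USER are governed by root_auto_unlock_time, which can be
-- set only on the root policy (default 15 min). A longer value slows repeated
-- guessing against privileged accounts while still guaranteeing that an
-- administrator locked out by a typo is not locked out indefinitely.
ALTER LOGIN POLICY root
    max_failed_login_attempts = 5
    root_auto_unlock_time = 30;

-- Ordinary users: auto_unlock_time defaults to unlimited, i.e. locked until an
-- administrator intervenes. A bounded value keeps the help desk out of the loop
-- for transient lockouts while the attempt cap still throttles password guessing.
CREATE LOGIN POLICY standard_user_policy
    max_failed_login_attempts = 5
    auto_unlock_time = 60;

ALTER USER analyst1 LOGIN POLICY standard_user_policy;

-- Monitoring: list accounts currently locked and how many failures led there.
-- (sa_get_user_status is on the page; the locked / failed_logins / reason_locked
-- column names are an assumption from the reference.)
SELECT user_name, failed_logins, locked, reason_locked
  FROM sa_get_user_status()
 WHERE locked = 1;
```

Auto-unlock trades a small amount of brute-force resistance for availability; the attempt cap is what actually bounds the guessing rate, and the unlock time decides who has to be called when it trips.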
New System Procedures
• sp_displayroles
• sp_objectpermission
• sp_sys_priv_role_info
• sp_auth_sys_role_info
• sp_proc_priv
Change Password Dual Control
A new, more secure way to reset a user’s password:
Two security administrators with the CHANGE PASSWORD system privilege are required to change the password of a target user.
New Login Policy Option: change_password_dual_control. Default: Off
Syntax:
ALTER USER <user_name> IDENTIFIED [ FIRST | LAST ] BY <password>
• The two password parts can be set in any order and can be re-specified
• Maximum length of each dual-control password part: 127
• The user provides both parts on the next login and must then change the password
• Dual control does not apply when the password is set to NULL
Change Password Dual Control
• GRANT CONNECT IDENTIFIED BY cannot be used to reset a password in dual control mode
• Enhanced sa_get_user_status() stored procedure
- “password_change_state” = 0 (Default; no password change is in progress), 1 (a password change is in progress)
- “password_change_first_user” = NULL (Default), or the user_id of the user who specified the first part of the dual password
- “password_change_second_user” = NULL (Default), or the user_id of the user who specified the second part of the dual password
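As an added example (not from the original slides), here is the dual-control reset walked through end to end: one administrator enables the option, two different CHANGE PASSWORD holders each supply a part, and the new sa_get_user_status columns are used to confirm that the two-person rule was actually followed before the parts are handed over. The names analyst1, sec_admin1 and sec_admin2 and the password parts are constructed; that the user enters the FIRST part followed by the LAST part at login is my reading of the reference, not something the slides state.

```sql
-- Added example (not from the slides): password reset under dual control.
-- Names and password parts are constructed. Three sessions are involved;
-- the comments say who runs which statement.

-- Session 0, a holder of MANAGE ANY LOGIN POLICY: turn dual control on for the
-- login policy governing the target user (the option defaults to Off).
ALTER LOGIN POLICY root change_password_dual_control = ON;

-- Session 1, sec_admin1 (has CHANGE PASSWORD): sets one part. FIRST and LAST
-- may be set in either order and re-specified until the user logs in; each
-- part may be at most 127 characters.
ALTER USER analyst1 IDENTIFIED FIRST BY 'Blue-Harbor-7731';

-- Session 2, sec_admin2, a different administrator: sets the other part.
-- GRANT CONNECT ... IDENTIFIED BY is rejected for resets while dual control is on,
-- so there is no single-statement way around the two-person requirement.
ALTER USER analyst1 IDENTIFIED LAST BY 'Granite-Sparrow-0429';

-- Either administrator (or an auditor): confirm state before releasing the parts.
-- password_change_state 1 = reset in progress; the *_first_user and
-- *_second_user columns record which administrator set each part, so the
-- two-person rule is verifiable after the fact rather than taken on trust.
SELECT user_name, password_change_state,
       password_change_first_user, password_change_second_user
  FROM sa_get_user_status()
 WHERE user_name = 'analyst1';

-- analyst1 then connects once using both parts (FIRST part followed by LAST part;
-- order is an assumption, see lead-in) and is forced to set a new password, so
-- neither administrator ever knows the password the user goes on to use.
```

Operationally, the two parts should travel by separate channels to the user; the value of the control is that no single administrator, and no single intercepted message, holds a working credential.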
SETUSER RESTRICTIONS
• A user who impersonates another user to perform a task with the ‘SETUSER’ statement needs the ‘SET USER’ system privilege.
Common Links For The Information
• Product documentation
http://help.sap.com/iq
• Roles Based Access Control
• Support Portal
https://support.sap.com/home.html
• How to get best results from an SAP search
https://service.sap.com/sap/support/notes/2081285
Common Links For the Information
• SAP IQ communities
http://scn.sap.com/community/iq
• SAP IQ Wiki
http://wiki.scn.sap.com/wiki/display/SYBIQ/IQ
• IQ 16 Best Practices
http://scn.sap.com/docs/DOC-39896
Common Links For the Information
• Social Media Product Support Channels
https://twitter.com/SAPSupporthelp
https://www.facebook.com/SapProductSupport
• IQ 16 Hardware Sizing Guide
http://scn.sap.com/docs/DOC-41455
Thank you