With Hana 1.0 SPS11, SAP Hana Extended Application Services, Advanced Model (SAP Hana XSA) was introduced. This model is based on a microservices approach and enables the modularization of software development.
Hana XSA makes it possible to run different deployments (separate development environments) in a single Hana database. Every application operates in a separate container and in its own environment, meaning that problems in one application do not affect the others.
Companies have to consider various security guidelines to ensure diligent access management. SAP Hana XSA Cockpit orchestrates the solution, managing users, access and security configurations (e.g. tenants or SAML identity providers).
In user management, admins can create new accounts or convert existing Hana users to XSA users. Access is granted by so-called role collections. For example, for user management the role collection XS User Admin is necessary, and for role management users need the role collection XS Authorization Admin. For viewing only, standard role collections XS Authorization Display and XS User Display are available. Accountability is guaranteed by Hana’s auditing.
How SAP Hana XSA works
The basic structure of SAP Hana XSA consists of organizations and spaces. In spaces, users can develop applications. Organizations are containers meant to structure the spaces. Developers operate in spaces. After the user master data have been created, developers are assigned spaces and access rights. There are three types of roles: Space Manager (space management as well as evaluating applications); Space Developer (implementing, activating and deactivating applications, and matching applications to services); and Space Auditor (evaluation of applications and role management).
Regarding organizations, the role Organization Manager enables user management and maintaining the spaces in an organization.
Any changes to organizations or spaces are recorded in trace files on the operating system, which can be analyzed with, for example, Hana Database Explorer.
The central development platform for SAPUI5 applications is SAP WebIDE (integrated development environment). It supports various programming languages like Java, JavaScript, SAPUI5 HTML5, Node.js and more. WebIDE can be used for on-prem applications (Hana XSA) and as the central development application for SAP Cloud Platform (Cloud Foundry).
To leverage WebIDE, developers have to be assigned corresponding access rights in SAP Hana XSA. Two standard templates already exist for this purpose: WebIDE Developer and WebIDE Administrator. To authorize users for application development, a role has to be created from the template WebIDE Developer.
To implement access rights in customized solutions, companies have to define their own rules. They can also integrate actions into customized solutions that can be recorded using Hana’s auditing (category application auditing).
In conclusion, the use of SAP Hana XSA requires following strict security guidelines and practicing diligent user and access management.