Use this title slide only with an image Customer Coffee Corner for SAP IQ – Roles Saroj Bagai/SAP Global Product Support July 9, 2015 Customer

©2015 SAP SE or an SAP affiliate company. All rights reserved.2 Customer Agenda SAP IQ Roles Based Access Control presentation Open Discussion about Roles Based Access Control Common links for information Product components BC-SYB-IQ (IQ) BW-SYS-DB-IQ (IQNLS) XX-SER-LIKEY-SYB ( License Key)

©2015 SAP SE or an SAP affiliate company. All rights reserved.3 Customer Roles Based Access Control Permissions are associated with roles, and uses are assigned to appropriate roles. Roles can be created based on job functions and organization structure. According to user job requirements, users may be assigned to roles. User assignments to role can change, but Role definitions are relatively static.

©2015 SAP SE or an SAP affiliate company. All rights reserved.4 Customer Role Based Access Control - Feature Support principles of Least Privilege and Separation of duties. Create new permissions and permission sets to enable extreme flexibility in delegating administrative tasks. This feature create separation between role administrators and permission owners. Two types of Roles: - System Roles - User Defined Roles

©2015 SAP SE or an SAP affiliate company. All rights reserved.5 Customer Role Based Access Control - Feature Role could be grantor and grantee of privileges and roles Role can be schema objects owner Support for ANSI SQL ‘WITH ADMIN OPTION’ Grant type This feature extends ANSI ROLE standard to support ‘WITH ADMIN ONLY OPTION’ Grant type. ADMIN ONLY Role Grant Type: - Provides only administrative access over a role - Prevents accidental misuse - Better separation of duties and also achieves principle of least privilege

©2015 SAP SE or an SAP affiliate company. All rights reserved.6 Customer Roles A System Privilege allows a user the ability to perform a database administrative operation or a privileged task. Object-Level Privilege allows a user to perform an authorized task on a specified object. A Role is a container that may contain one or more System Privileges, Object-Level Privileges of the role. A User-Defined Role is a custom collection of system and object-level privileges, created to group privileges that are related to a specific task or set of tasks. System roles are built-in roles that are automatically created in each new database.

©2015 SAP SE or an SAP affiliate company. All rights reserved.7 Customer System Privileges Syntax: GRANT [,…] TO [,…] [WITH {NO ADMIN | ADMIN | ADMIN ONLY } OPTION ] REVOKE [ ADMIN OPTION FOR ] [,…] FROM [,…] Permissions: System Privilege Administrator Grant Options: WITH NO ADMIN OPTION (Default): Allows grantee to use the system privilege WITH ADMIN OPTION: Allows grantee to use the system privilege and also administrative rights over the system privilege WITH ADMIN ONLY OPTION: Allows grantee administrative rights over the system privilege

©2015 SAP SE or an SAP affiliate company. All rights reserved.8 Customer User-Defined Roles Syntax CREATE [ OR REPLACE ] ROLE [ WITH ADMIN [ONLY ] [, … ] ] Role name cannot have ‘SYS_’ prefix and ‘_ROLE’ suffix MANAGE ROLES system privilege required to create a new role. Role administrator names can be supplied at the time of role creation. The admin list specified should satisfy the min_role_admins. MANAGE ROLES is the default admin if admin list is not specified. OR REPLACE – could be used to replace the current set of role administrators with a new set - Requires MANAGE ROLES system privilege and Admin privilege on the role

©2015 SAP SE or an SAP affiliate company. All rights reserved.9 Customer User-Defined Roles – Drop Role Syntax: DROP ROLE [ WITH REVOKE ] Permissions: Role Administrator WITH REVOKE – should be used to forcefully drop a role granted to multiple users/roles DROP ROLE will fail if min_role_admins condition is violated

©2015 SAP SE or an SAP affiliate company. All rights reserved.10 Customer Grant Role Syntax: GRANT ROLE [,...] TO [,…] [ WITH { NO ADMIN | ADMIN | ADMIN ONLY } OPTION ] REVOKE [ ADMIN OPTION FOR ] [,…] FROM [,…] Permissions: Role Administrator Grant Options: WITH NO ADMIN OPTION (Default): Allows grantee to use the privileges associated with role WITH ADMIN OPTION: Allows grantee to use the privileges associated with role and also administrative rights over the role WITH ADMIN ONLY OPTION: Allows grantee administrative rights over the role

©2015 SAP SE or an SAP affiliate company. All rights reserved.11 Customer Use Case Scenarios 1. Permissions for Login administration Allow user user1 to manage users and manage login policies grant MANAGE ANY USER to user1 grant MANAGE ANY LOGIN POLICY to user1 2. Permissions for a help desk operator Allow help desk operator user2 to reset passwords for users who call in with forgotten passwords grant CHANGE PASSWORD to user2 3. Permissions for Multiplex Setup and administration Allow users user3 and user4 to setup multiplex and administer multiplex servers create role mpx_admin_role grant MANAGE MULTIPLEX to mpx_admin_role grant role mpx_admin_role to user3, user4

©2015 SAP SE or an SAP affiliate company. All rights reserved.12 Customer Use Case Scenarios 4. Permissions for importing data into database Allow user user5 to import data into IQ database from external files grant LOAD ANY TABLE to user5 5. Permissions for database backup administration Allow user user6 to perform database backup grant BACKUP DATABASE to user6 6. Permissions for managing historical data Allow users user7 and user8 to manage historical data by moving the old database objects to some separate database files create role dbspace_admin_role GRANT MANAGE ANY DBSPACE to dbspace_admin_role grant role dbspace_admin_role to user7, user8

©2015 SAP SE or an SAP affiliate company. All rights reserved.13 Customer New Database Option Min_Role_Admins: Minimum number of required administrators for all roles. Values(1-10)

©2015 SAP SE or an SAP affiliate company. All rights reserved.14 Customer Auto Unlocking Feature Automatic unlocking will happen: - User exceeded max_failed_login_attempts criteria and tries to log in again with correct username/password and time difference between current time and last failed login attempt time is more than that specified by appropriate login policy option. - User exceeded max_failed_login_attempts criteria but database server is restarted and user tries to log in with correct username/password. New Login Policy Option - root_auto_unlock_time: This login policy applies only to users with ‘Manage Any User’ System Privilege and can be only set in root login policy. Default: 15 min - Auto_unlock_time: Default: unlimited

©2015 SAP SE or an SAP affiliate company. All rights reserved.15 Customer New System Procedures sp_displayroles sp_objectpermission sp_sys_priv_role_info sp_auth_sys_role_info sp_proc_priv

©2015 SAP SE or an SAP affiliate company. All rights reserved.16 Customer Change Password Dual Control New Secure way to reset user’s password Two security administrators with CHANGE PASSWORD system privilege required to change password of a target user New Login Policy Option: change_password_dual_control. Default (Off) Syntax: ALTER USER IDENTIFIED [ FIRST | LAST ] BY Password can be set in any order and can be re-specified Max each dual password length: 127 User provides both passwords on next login and must change the password Dual Control does not apply if setting password to NULL

©2015 SAP SE or an SAP affiliate company. All rights reserved.17 Customer Change Password Dual Control GRANT CONNECT IDENTIFIED BY cannot be used to reset password in dual control mode Enhanced sa_get_user_status() stored procedure - “password_change_state” = 0 ( Default; Password change is not in progress), 1 ( Password change is in progress) - “password_change_first_user” = NULL (Default), user_id (user who specified the first part of dual password) - “password_change_second_user” = NULL (Default), user_id (user who specified the second part of dual password)

©2015 SAP SE or an SAP affiliate company. All rights reserved.18 Customer SETUSER RESTRICTIONS User impersonating to another user for performing certain task using ‘SETUSER’ statement need ‘SET USER’ privilege.

©2015 SAP SE or an SAP affiliate company. All rights reserved.19 Customer Common Links For The Information Product documentation Roles Based Access Control Support Portal How to get best results from an SAP search

©2015 SAP SE or an SAP affiliate company. All rights reserved.20 Customer Common Links For the Information SAP IQ communties SAP IQ Wiki IQ 16 Best Practices

©2015 SAP SE or an SAP affiliate company. All rights reserved.21 Customer Common Links For the Information Social Media Product Support Channels IQ 16 Hardware Sizing Guide

©2015 SAP SE or an SAP affiliate company. All rights reserved. Thank you

©2015 SAP SE or an SAP affiliate company. All rights reserved.23 Customer © 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward- looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

©2015 SAP SE or an SAP affiliate company. All rights reserved.24 Customer © 2015 SAP SE oder ein SAP-Konzernunternehmen. Alle Rechte vorbehalten. Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durch SAP SE oder ein SAP-Konzernunternehmen nicht gestattet. SAP und andere in diesem Dokument erwähnte Produkte und Dienstleistungen von SAP sowie die dazugehörigen Logos sind Marken oder eingetragene Marken der SAP SE (oder von einem SAP-Konzernunternehmen) in Deutschland und verschiedenen anderen Ländern weltweit. Weitere Hinweise und Informationen zum Markenrecht finden Sie unter Die von SAP SE oder deren Vertriebsfirmen angebotenen Softwareprodukte können Softwarekomponenten auch anderer Softwarehersteller enthalten. Produkte können länderspezifische Unterschiede aufweisen. Die vorliegenden Unterlagen werden von der SAP SE oder einem SAP-Konzernunternehmen bereitgestellt und dienen ausschließlich zu Informationszwecken. Die SAP SE oder ihre Konzernunternehmen übernehmen keinerlei Haftung oder Gewährleistung für Fehler oder Unvollständigkeiten in dieser Publikation. Die SAP SE oder ein SAP-Konzernunternehmen steht lediglich für Produkte und Dienstleistungen nach der Maßgabe ein, die in der Vereinbarung über die jeweiligen Produkte und Dienstleistungen ausdrücklich geregelt ist. Keine der hierin enthaltenen Informationen ist als zusätzliche Garantie zu interpretieren. Insbesondere sind die SAP SE oder ihre Konzernunternehmen in keiner Weise verpflichtet, in dieser Publikation oder einer zugehörigen Präsentation dargestellte Geschäftsabläufe zu verfolgen oder hierin wiedergegebene Funktionen zu entwickeln oder zu veröffentlichen. Diese Publikation oder eine zugehörige Präsentation, die Strategie und etwaige künftige Entwicklungen, Produkte und/oder Plattformen der SAP SE oder ihrer Konzernunternehmen können von der SAP SE oder ihren Konzernunternehmen jederzeit und ohne Angabe von Gründen unangekündigt geändert werden. Die in dieser Publikation enthaltenen Informationen stellen keine Zusage, kein Versprechen und keine rechtliche Verpflichtung zur Lieferung von Material, Code oder Funktionen dar. Sämtliche vorausschauenden Aussagen unterliegen unterschiedlichen Risiken und Unsicherheiten, durch die die tatsächlichen Ergebnisse von den Erwartungen abweichen können. Die vorausschauenden Aussagen geben die Sicht zu dem Zeitpunkt wieder, zu dem sie getätigt wurden. Dem Leser wird empfohlen, diesen Aussagen kein übertriebenes Vertrauen zu schenken und sich bei Kaufentscheidungen nicht auf sie zu stützen.