In the previous blob posts of this mini-series I was showing you how you can easily and natively integrate between SAP and Big Data platforms using Datavard Glue as middleware and workbench to identify data, build ETL processes, and consume it on (for example) Data Lakes.
Glue is natively integrated into SAP’s Business Applications. It is built in ABAP – so the integration comes natural and Glue can use the SAP authorization concept, and the SAP TMS (Transport Management System).
- Authorizations: This makes Glue very safe to use: you can define roles and profiles which allow only the “right” user to access data, and it follows SAP best practices for software logistics where you develop on a development system, you test on a test system, and only when everything is working to your satisfaction you move on to the production system.
- SAP TMS: by leveraging the SAP Transport Management System for Big Data objects such as tables on Hadoop, data extractors, etc., Glue allows to use SAP as it was meant to be used. Development work takes place on a SAP Development system, testing takes place on a SAP QA system, and only after a successful test, Glue scenarios, data models and ETL data flows are transported to SAP production.
This has some advantages when comparing to classical ETL tools.
With a classic ETL tool, you would tap directly into the SAP system database. This may sound easy and straightforward but opens up a Pandora box of questions when it comes to security. Who can access all kinds of data? You may want to limit the access of users of an ETL tool to a list of tables, and to a subset of the data in these tables.
Because of the advanced – yet simple to implement – security features in Glue I like to compare the use of classical ETL tools vs. the use of Glue to this scenario: imagine that your SAP system is a house. Now, with a classical ETL tool, somebody would simply drill a tunnel into your basement, maybe enter your house while you’re not there, walk around your living room, check your music collection, and pick some things from your fridge. If, however, the access happens through Glue, then this person cannot simply break into your house. They’ve got to ring the door bell, and may only get access to the fridge and the music selection if you’re home and let them in.
On a technical level, with Glue you can restrict the access to tables to SAP modules, to SAP packages (formerly known as development classes), and even to a subset of data in these packages.
The security concept of Datavard Glue supports several levels of restrictions:
- Users with access to data need to have valid SAP logons
- Access to Glue ETL functionality can be restricted to transaction codes
- Data access can be restricted to SAP modules
- Data access can be restricted to SAP packages (development classes)
- Data access can be restricted to individual SAP tables
To achieve this, Glue uses some standard SAP authorization objects, similar as the SAP data browser (SE16) does. On top of this, Glue provides some Datavard specific authorization objects which you can simply use for your own roles and profiles. This way, you can simply restrict the access of Glue users, e.g. to a range of tables belonging to an SAP module. Even better: you don’t need to know these tables by heart, you can simply leverage the table assignment within the SAP system.
like it? share it!