Technology Blogs by SAP
dvankempen
Product and Topic Expert

Introduction


In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA Support Package Stack (SPS) 10.

The topic of this blog is security.

For the full SAP HANA 1.0 SPS 10 blog list, see

 

What's New?


User Management


Two new apps (tiles) have been added to the SAP HANA cockpit in the User Management catalog:

  • Assign Roles to User

  • Configure Role-Based Cockpit Access (defines which role has access to which cockpit tile catalog and/or group)


Both apps simplify role assignment, which helps in making the SAP HANA platform more secure.



Security is further enhanced by making JDBC/ODBC client connections optional per database user. For database users that only connect over HTTP(S), for example the technical users of XS applications, SQL client connections can now be disabled, so a leaked password for such a user no longer opens a direct SQL session.

A new option is available in the User editor of the SAP HANA studio: Disable ODBC/JDBC access.



Alternatively, you can also use the SQL statement:
ALTER USER <user_name> DISABLE CLIENT CONNECT
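The following SQL is an added example, not code from the original post: it creates a technical user that is only ever reached through XS (HTTP/S), closes the SQL port for it with the new ALTER USER clause, and then checks the result. The user name XS_APP_USER and the password are placeholders, and the column name IS_CLIENT_CONNECT_ENABLED in the USERS system view is assumed here; check it against your SPS 10 reference.

```sql
-- Added example (not from the original post). User name and password are placeholders.
CREATE USER XS_APP_USER PASSWORD "Initial-Pwd-1" NO FORCE_FIRST_PASSWORD_CHANGE;

-- Close the SQL port for this user: sessions from SAP HANA studio, hdbsql or any
-- JDBC/ODBC driver are rejected, while HTTP(S) access through xsengine keeps working.
ALTER USER XS_APP_USER DISABLE CLIENT CONNECT;

-- Verify the flag on the user (IS_CLIENT_CONNECT_ENABLED is an assumed column name).
SELECT USER_NAME, IS_CLIENT_CONNECT_ENABLED, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USER_NAME = 'XS_APP_USER';

-- Audit: every user that still has SQL client access, to be reviewed against who
-- really needs JDBC/ODBC. Internal technical users are excluded from the list.
SELECT USER_NAME
  FROM SYS.USERS
 WHERE IS_CLIENT_CONNECT_ENABLED = 'TRUE'
   AND USER_NAME NOT IN ('SYSTEM', 'SYS', '_SYS_STATISTICS', '_SYS_REPO')
 ORDER BY USER_NAME;

-- Reverse the restriction if the user later needs SQL access.
-- ALTER USER XS_APP_USER ENABLE CLIENT CONNECT;
```

The audit query is the part worth scheduling: the setting is per user, so a newly created technical user gets SQL access by default and will show up in that list until someone disables it.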

Encryption: Unified Certificate Handling and Secure Internal Communication


SAP HANA SPS 10 introduces in-database X.509 client certificate management for:

  • All certificate-based user authentication mechanisms in SAP HANA: SAML, X.509, and logon and assertion tickets

  • SSL-secured communication for JDBC/ODBC clients


There is a new database object type for this purpose: the certificate collection, also called a PSE (personal security environment). New SQL statements: CREATE/DROP CERTIFICATE and CREATE/ALTER/DROP PSE. New system views for monitoring in-database certificates and certificate collections: CERTIFICATES and PSE_CERTIFICATES. Two new system privileges control this: CERTIFICATE ADMIN and SSL ADMIN.

In-database certificate management in SPS 10 can currently only be performed using SQL, but there are two new apps in SAP HANA cockpit that provide view access: Certificate Store and Certificate Collections in the Certificate Management catalog.
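As an added example (not from the original post), the statements below import a CA certificate into the database certificate store, place it in a certificate collection, bind the collection to SAML authentication, and then check the result through the new system views. The PSE name SAML_TRUST, the certificate id 1234 and the PEM body are placeholders constructed for this example; the column names of CERTIFICATES and PSE_CERTIFICATES and the SET PSE ... PURPOSE statement are taken from memory of the SPS 10 SQL reference and should be checked against it.

```sql
-- Added example (not from the original post). PSE name, certificate id and PEM are placeholders.

-- 1. Import the certificate (PEM-encoded X.509). Requires CERTIFICATE ADMIN.
CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----
MIIC...placeholder body, not a real certificate...
-----END CERTIFICATE-----';

-- 2. Look up the id the database assigned and sanity-check subject, issuer and
--    validity window before trusting the certificate for authentication.
SELECT CERTIFICATE_ID, SUBJECT_DISTINGUISHED_NAME, ISSUER_DISTINGUISHED_NAME,
       VALID_FROM, VALID_UNTIL
  FROM SYS.CERTIFICATES;

-- 3. Create the collection and add the certificate (1234 stands for the id from step 2).
CREATE PSE SAML_TRUST;
ALTER PSE SAML_TRUST ADD CERTIFICATE 1234;

-- 4. Bind the collection to a purpose: SAML assertions are now validated only
--    against certificates in SAML_TRUST.
SET PSE SAML_TRUST PURPOSE SAML;

-- 5. Verify which certificates each collection trusts.
SELECT P.PSE_NAME, C.CERTIFICATE_ID, C.SUBJECT_DISTINGUISHED_NAME, C.VALID_UNTIL
  FROM SYS.PSE_CERTIFICATES P
  JOIN SYS.CERTIFICATES C ON C.CERTIFICATE_ID = P.CERTIFICATE_ID
 WHERE P.PSE_NAME = 'SAML_TRUST';

-- Operational check: trusted certificates in any collection that expire within 30 days.
SELECT P.PSE_NAME, C.CERTIFICATE_ID, C.SUBJECT_DISTINGUISHED_NAME, C.VALID_UNTIL
  FROM SYS.PSE_CERTIFICATES P
  JOIN SYS.CERTIFICATES C ON C.CERTIFICATE_ID = P.CERTIFICATE_ID
 WHERE C.VALID_UNTIL < ADD_DAYS(CURRENT_TIMESTAMP, 30);
```

The expiry query is the practical gain of keeping trust material in the database rather than in files on the host: it can be monitored with the same SQL tooling as everything else, and a certificate that is about to lapse is found before SAML logons start failing.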



In SPS 10, the main internal communication channels are now secured using public-key infrastructure (PKI), set up during installation. No user interaction is required for this. For multitenant database container (MDC) systems, secured internal communication is activated when MDC is configured for high isolation (see below).


Security of SAP HANA Multitenant Database Containers


SAP HANA SPS 10 introduces an additional hardening option for multitenant database container (MDC) isolation. In a regular configuration, all database processes in an MDC system run under a single operating system user, the Linux account that owns the software. Tenant databases are self-contained and isolated in terms of users, database catalog, repository, logs, etc., but from the operating system point of view they share all resources. To provide additional protection at the OS level, you can now configure your system for high isolation, which provides a dedicated operating system user and group for each tenant database.



The number of features that can be disabled in multiple-container systems has grown from 24 (SPS 09) to 39 (SPS 10). This includes

  • Application Function Libraries (AFL) for business logic in native C++

  • R language

  • Low-level procedures used for the graph engine and the planning engine

  • Low-level procedures used for the SAP HANA options Dynamic Tiering and Smart Data Access (federation)
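As an added example (not from the original post), this is how the restricted-features list is read and changed from the system database. The settings live in the customizable_functionalities section of global.ini at SYSTEM layer; the feature keys AFL and R are assumed here, so list the real keys with the first query before switching anything off.

```sql
-- Added example (not from the original post). Run from the system database of an MDC system.
-- The keys 'AFL' and 'R' are assumed; take the real names from the first query.

-- 1. Features the release lets you disable, with their current state.
SELECT NAME, IS_ENABLED, DESCRIPTION
  FROM SYS.M_CUSTOMIZABLE_FUNCTIONALITIES
 ORDER BY NAME;

-- 2. Switch off native C++ AFL execution and the R integration for all tenants.
--    WITH RECONFIGURE applies the change without a restart.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('customizable_functionalities', 'AFL') = 'false',
      ('customizable_functionalities', 'R')   = 'false'
  WITH RECONFIGURE;

-- 3. Confirm the change took effect.
SELECT NAME, IS_ENABLED
  FROM SYS.M_CUSTOMIZABLE_FUNCTIONALITIES
 WHERE NAME IN ('AFL', 'R');
```

Disabling a feature here removes it for every tenant, which is the point: a tenant administrator cannot re-enable native code execution from inside the tenant.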


User Self-Service Administration


SAP HANA SPS 10 simplifies user self-service administration by adding e-mail templates for new account, account activation and forgot password. Additionally the required configuration of the built-in application server (xsengine) can now be performed from a friendly web page. Run Simple!


Authorization


Finally, SAP HANA SPS 10 introduces some enhancements for authorization management. The most notable is SQL-based analytic privileges, which allow you to formulate complex filter conditions that are cumbersome to model using XML-based analytic privileges, for example conditions that depend on the session user or on a lookup in another table. SQL-based analytic privileges can be created both in the SAP HANA Web-based Development Workbench and in SAP HANA studio.
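As an added example (not from the original post), an SQL-based analytic privilege that restricts a sales view to the regions mapped to the session user, with a time window on top. The view "_SYS_BIC"."sales/CV_SALES", the mapping table "SEC"."USER_REGION", its rows and the users REPORTING_EMEA and REPORTING_APJ are all placeholders constructed for this example; the view is assumed to be a column view configured to apply SQL analytic privileges rather than XML ones.

```sql
-- Added example (not from the original post). View, table, rows and user names are placeholders.

-- Mapping table: which region each user may see (constructed sample data).
CREATE COLUMN TABLE "SEC"."USER_REGION" (
  USER_NAME NVARCHAR(256),
  REGION    NVARCHAR(16)
);
INSERT INTO "SEC"."USER_REGION" VALUES ('REPORTING_EMEA', 'EMEA');
INSERT INTO "SEC"."USER_REGION" VALUES ('REPORTING_APJ',  'APJ');

-- The filter is an ordinary WHERE condition. The subquery on the mapping table keyed
-- by SESSION_USER is the kind of rule that is awkward to express in XML-based privileges.
CREATE STRUCTURED PRIVILEGE AP_SALES_BY_REGION
  FOR SELECT ON "_SYS_BIC"."sales/CV_SALES"
  WHERE REGION IN (SELECT REGION
                     FROM "SEC"."USER_REGION"
                    WHERE USER_NAME = SESSION_USER)
    AND ORDER_DATE >= ADD_YEARS(CURRENT_DATE, -3);

-- The analytic privilege filters rows; the user still needs SELECT on the view itself.
GRANT SELECT ON "_SYS_BIC"."sales/CV_SALES" TO REPORTING_EMEA;
GRANT STRUCTURED PRIVILEGE AP_SALES_BY_REGION TO REPORTING_EMEA;

-- Check as REPORTING_EMEA: only the EMEA region should appear in the result.
-- (Run this in a session opened as that user.)
SELECT REGION, COUNT(*) AS ROW_COUNT
  FROM "_SYS_BIC"."sales/CV_SALES"
 GROUP BY REGION;

-- A user with SELECT on the view but no matching row in USER_REGION gets an empty
-- result rather than an error, so test with a user that has no mapping as well.
```

Because the filter reads SESSION_USER at query time, adding a region to a user is a row insert in the mapping table, not a change to the privilege, which keeps the privilege definition stable and reviewable.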

Tutorial Video


In this video, I will show the new apps for SAP HANA cockpit, in-database certificate management, disabling ODBC/JDBC access, user self-service administration, and the multitenant database container high isolation mode.


Documentation


See Security Documentation Updates for SPS 10


Thank you for watching


The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.

For the full library, see SAP HANA Academy Library - by the SAP HANA Academy

For the full list of blogs, see Blog Posts – by the SAP HANA Academy