In the upcoming weeks we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced with SAP HANA Support Package Stack (SPS) 10.
The topic of this blog is security.
Two new apps (tiles) have been added to the SAP HANA cockpit in the User Management catalog:
- Assign Roles to User
- Configure Role-Based Cockpit Access (defines which role has access to which cockpit tile catalog and/or group)
Both apps simplify role assignment, which helps in making the SAP HANA platform more secure.
Security is further enhanced by making JDBC/ODBC client connections optional per database user. For database users that only ever connect through HTTP(S) (for example, technical users of XS applications), direct client connections can now be disabled, which removes one logon path that an attacker with the user's credentials could otherwise use.
A new option is available in the User editor of the SAP HANA studio: Disable ODBC/JDBC access.
Alternatively, you can also use the SQL statement:
ALTER USER <user_name> DISABLE CLIENT CONNECT
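Worked example of the setting above, added here and not part of the original post: a technical user that is only ever used by an XS application gets its JDBC/ODBC access switched off, and the change is verified in the USERS system view. The user name, the initial password and the IS_CLIENT_CONNECT_ENABLED column name are assumptions for illustration.

```sql
-- Added example (not from the original post). XS_APP_USER and the
-- password are placeholders; the column name IS_CLIENT_CONNECT_ENABLED
-- in SYS.USERS is assumed.
CREATE USER XS_APP_USER PASSWORD "Init1234" NO FORCE_FIRST_PASSWORD_CHANGE;

-- The user only logs on through the XS engine over HTTP(S),
-- so JDBC/ODBC logons are not needed: switch them off.
ALTER USER XS_APP_USER DISABLE CLIENT CONNECT;

-- Check: a JDBC/ODBC logon as XS_APP_USER is now rejected,
-- HTTP(S) logons through the XS engine still work.
SELECT USER_NAME, IS_CLIENT_CONNECT_ENABLED
  FROM SYS.USERS
 WHERE USER_NAME = 'XS_APP_USER';

-- Re-enable only if the user really needs a direct SQL connection again.
-- ALTER USER XS_APP_USER ENABLE CLIENT CONNECT;
```

Apply the same rule to every technical or application user during provisioning, and review the USERS view periodically so that a user which was once a pure HTTP(S) account does not silently regain a SQL logon path.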
Encryption: Unified Certificate Handling and Secure Internal Communication
SAP HANA SPS 10 introduces in-database X.509 client certificate management for:
- All certificate-based user authentication mechanisms in SAP HANA: SAML, X.509, and logon and assertion tickets
- SSL-secured communication for JDBC/ODBC clients
There is a new database object type for this purpose: the certificate collection (PSE). New SQL statements: CREATE/DROP CERTIFICATE and CREATE/ALTER/DROP PSE. New system views for monitoring in-database certificates and certificate collections: CERTIFICATES and PSE_CERTIFICATES. Two new system privileges control this: CERTIFICATE ADMIN (managing certificates) and SSL ADMIN (managing the collections and their purpose).
In SPS 10, in-database certificate management can only be performed using SQL, but two new apps in the SAP HANA cockpit provide read-only access: Certificate Store and Certificate Collections in the Certificate Management catalog.
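The SQL workflow described above, as an added example that is not taken from the original post: a CA certificate is imported into the database, placed in a new certificate collection, and the collection is assigned the X.509 logon purpose. The PEM text is a placeholder, the certificate ID must be taken from the CERTIFICATES view, and the collection name, the COMMENT clause and the view column names are assumptions for illustration.

```sql
-- Added example (not from the original post). Names, the PEM body and
-- the view column names are placeholders / assumptions.

-- 1. The administrator needs the new system privileges.
GRANT CERTIFICATE ADMIN TO SECURITY_ADMIN;
GRANT SSL ADMIN TO SECURITY_ADMIN;

-- 2. Import the issuing CA certificate (X.509 client certificates
--    presented by users must chain to it). Placeholder PEM body.
CREATE CERTIFICATE FROM '-----BEGIN CERTIFICATE-----
MIIC...placeholder, replace with the real PEM-encoded CA certificate...
-----END CERTIFICATE-----'
COMMENT 'Corporate issuing CA for X.509 user logon';

-- 3. Look up the ID the database assigned and check subject/issuer/validity
--    before trusting it.
SELECT CERTIFICATE_ID, SUBJECT_NAME, ISSUER_NAME, VALID_FROM, VALID_UNTIL
  FROM SYS.CERTIFICATES;

-- 4. Create a certificate collection, add the CA certificate to it
--    (replace 123456 with the CERTIFICATE_ID from step 3) and dedicate
--    the collection to X.509 user authentication.
CREATE PSE X509_LOGON_PSE;
ALTER PSE X509_LOGON_PSE ADD CERTIFICATE 123456;
SET PSE X509_LOGON_PSE PURPOSE X509;

-- 5. Verify what is now trusted for X.509 logon.
SELECT PSE_NAME, CERTIFICATE_ID, SUBJECT_NAME
  FROM SYS.PSE_CERTIFICATES
 WHERE PSE_NAME = 'X509_LOGON_PSE';
```

Keep the collection that is trusted for user logon separate from the one used for SSL server certificates, and only ever add CA certificates to it: every certificate in the X.509 logon collection is an issuer whose end-entity certificates the database will accept for authentication.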
In SPS 10, the main internal communication channels are now secured using public-key infrastructure (PKI), set up during installation. No user interaction is required for this. For multitenant database container (MDC) systems, secured internal communication is activated when MDC is configured for high isolation (see below).
Security of SAP HANA Multitenant Database Containers
The number of features that can be disabled in multiple-container systems has grown from 24 (SPS 09) to 39 (SPS 10). These include:
- Application Function Libraries (AFL) for business logic in native C++
- R language
- Low-level procedures used for the graph engine and the planning engine
- Low-level procedures used for SAP HANA options Dynamic Tiering and Smart Data Access (Federation).
User Self-Service Administration
SAP HANA SPS 10 simplifies user self-service administration by adding e-mail templates for new account, account activation and forgotten password. Additionally, the required configuration of the built-in application server (xsengine) can now be performed from a friendly web page. Run Simple!
Finally, SAP HANA SPS 10 introduces some enhancements for authorisation management. The most notable is SQL-based analytic privileges, which allow you to formulate complex filter conditions (subqueries, session context, date arithmetic) that are cumbersome or impossible to model using XML-based analytic privileges. SQL-based analytic privileges can be created both in the SAP HANA Web-based Development Workbench and in SAP HANA studio.
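A worked example of a SQL-based analytic privilege, added here and not from the original post: the row filter is expressed as a WHERE clause that looks up the calling user's permitted regions in a mapping table and restricts the time window, two conditions that are awkward to express in an XML-based analytic privilege. The schema, view, table and user names are assumptions for illustration.

```sql
-- Added example (not from the original post). All object names are
-- placeholders.

-- Mapping of database users to the sales regions they may see
-- (maintained by the security team, not by the analysts).
CREATE COLUMN TABLE SEC.USER_REGIONS (
  USER_NAME NVARCHAR(256),
  REGION    NVARCHAR(8)
);
INSERT INTO SEC.USER_REGIONS VALUES ('SALES_ANALYST_EMEA', 'EMEA');
INSERT INTO SEC.USER_REGIONS VALUES ('SALES_ANALYST_EMEA', 'MEA');

-- The view must opt in to analytic privilege checking, otherwise a plain
-- SELECT privilege on it returns every row.
CREATE VIEW SALES.SALES_ORDERS_VIEW AS
  SELECT ORDER_ID, REGION, ORDER_DATE, AMOUNT FROM SALES.SALES_ORDERS
  WITH STRUCTURED PRIVILEGE CHECK;

-- SQL-based analytic privilege: rows are visible only for regions mapped
-- to the session user, and only for the last two years.
CREATE STRUCTURED PRIVILEGE SALES.SALES_REGION_RECENT
  FOR SELECT ON SALES.SALES_ORDERS_VIEW
  WHERE REGION IN (SELECT REGION
                     FROM SEC.USER_REGIONS
                    WHERE USER_NAME = SESSION_USER)
    AND ORDER_DATE >= ADD_YEARS(CURRENT_DATE, -2);

-- The analyst needs both the object privilege and the analytic privilege.
GRANT SELECT ON SALES.SALES_ORDERS_VIEW TO SALES_ANALYST_EMEA;
GRANT STRUCTURED PRIVILEGE SALES.SALES_REGION_RECENT TO SALES_ANALYST_EMEA;

-- Check as SALES_ANALYST_EMEA: only EMEA/MEA rows from the last two years.
SELECT REGION, COUNT(*) FROM SALES.SALES_ORDERS_VIEW GROUP BY REGION;
```

Two practitioner notes: the filter is evaluated with the privilege of the view's owner, so the mapping table does not need to be readable by the analysts themselves; and because the condition is ordinary SQL, changing who sees what becomes a data change in SEC.USER_REGIONS rather than a redeployment of the privilege.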
In this video, I show the new apps for the SAP HANA cockpit, in-database certificate management, disabling ODBC/JDBC access, user self-service administration and the multitenant database container isolation mode.
Thank you for watching
You can view more free online videos and hands-on use cases to help you answer the What, How and Why questions about SAP HANA and the SAP HANA Cloud Platform on the SAP HANA Academy at youtube.com/saphanaacademy.
Follow us on Twitter @saphanaacademy
Connect with us on http://linkedin.com/in/saphanaacademy