SAP HANA SPS 10 What’s New: Security – by the SAP HANA Academy
In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 02.
The topic of this blog is security.
For the full SAP HANA 1.0 SPS 10 blog list, see
- What’s New with SAP HANA 1.0 SPS 10 – by the SAP HANA Academy
Two new apps (tiles) have been added to the SAP HANA cockpit in the User Management catalog:
- Assign Roles to User
- Configure Role-Based Cockpit Access (defines which role has access to which cockpit tile catalog and/or group)
Both apps simplify role assignment, which helps in making the SAP HANA platform more secure.
Security is further enhanced by making JDBC/ODBC client connections for database users a matter of choice. For database users that only connect using HTTP(S), client connections can now be disabled.
A new option is available in the User editor of the SAP HANA studio: Disable ODBC/JDBC access.
Alternatively, you can also use the SQL statement:
ALTER USER <user_name> DISABLE CLIENT CONNECT
Encryption: Unified Certificate Handling and Secure Internal Communication
SAP HANA SPS 10 introduces in-database X.509 client certificate management for:
- All certificate-based user authentication mechanisms in SAP HANA: SAML, X.509, and logon and assertion tickets
- SSL-secured communication for JDBC/ODBC clients
There is a new database object type for this purpose: certificate collection. New SQL statements: CREATE/DROP CERTIFICATE; CREATE/ALTER/DROP PSE. New system views for monitoring in-database certificates and certificate collections: CERTIFICATES, and PSE_CERTIFICATES, and a new system privilege CERTIFICATE ADMIN and SSL ADMIN.
In-database certificate management in SPS 10 can currently only be performed using SQL but there are two news apps in SAP HANA cockpit that provide view access: Certificate Store and Certificate Collections in the Certificate Management catalog.
In SPS 10, the main internal communication channels are now secured using public-key infrastructure (PKI), set up during installation. No user interaction is required for this. For multitenant database container (MDC) systems, secured internal communication is activated when MDC is configured for high isolation (see below).
Security of SAP HANA Multitenant Database Containers
The number of features that can be disabled in multiple-container systems has grown from 24 (SPS 09) to 39 (SPS 10). This includes
- Application Function Libraries (AFL) for business logic in native C++
- R language
- Low-level procedures used for the graph engine and the planning engine
- Low-level procedures used for SAP HANA options Dynamic Tiering and Smart Data Access (Federation).
User Self-Service Administration
SAP HANA SPS 10 simplifies user self-service administration by adding e-mail templates for new account, account activation and forgot password. Additionally the required configuration of the built-in application server (xsengine) can now be performed from a friendly web page. Run Simple!
Finally, SAP HANA SPS 10 introduces some enhancements for authorisation management. The most notable is SQL-based analytic privileges, which allows you to more easily formulate complex filter conditions that might be cumbersome to model using XML-based analytic privileges. SQL-based analytic privileges can be created both in the SAP HANA Web-based Development Workbench as with SAP HANA studio.
In this video, I will show how the new apps for SAP HANA cockpit, in-database certificate management, disable ODBC/JDBC access, user self-service administration and multitenant database container isolation mode.
Thank you for watching
The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with 1000’s of free tutorial videos.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy
For the full list of blogs, see Blog Posts – by the SAP HANA Academy
- Subscribe to our YouTube channel for updates
- Join us on LinkedIn: linkedin.com/in/saphanaacademy
- Follow us on Twitter: @saphanaacademy
- Google+: plus.google.com/+saphanaacademy
- Facebook: facebook.com/saphanaacademy