SAP HANA SPS 12 What’s New: Security – by the SAP HANA Academy
Introduction
In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 1.0 Support Package Stack (SPS) 12.
The topic of this blog is security.
For the previous versions of this blog, see
- SAP HANA 1.0 SPS 11 What’s New: Security – by the SAP HANA Academy
- SAP HANA 1.0 SPS 10 What’s New: Security – by the SAP HANA Academy
For the full SAP HANA 2.0 SPS 02 blog list, see
- What’s New with SAP HANA 1.0 SPS 12 – by the SAP HANA Academy
Overview Video
SAP HANA Security – SPS 12 – YouTube
What’s New?
Security Administration with SAP HANA Cockpit
The tile catalog SAP HANA Security Overview has a new tile: Authentication, which lists the status of the password policy and any SSO configuration. The tile opens the Password Policy and Blacklist app.
The new Password Policy and Blacklist app allows you to view and edit password policy and blacklist of the SAP HANA database. In previous versions, SAP HANA studio was required for these tasks.
The Auditing tile now allows you to configure auditing: enable/disable, audit trail targets and create/change/delete audit policies. In previous versions, SAP HANA studio was required for these tasks.
The Data Volume Encryption app now allows you to change the root key used for data volume encryption. Alternatively, the root key can be changed using SQL (see below). In previous versions, the command line tool hdbnsutil was required to perform this task.
You can also see a history of root key changes using the view M_PERSISTENCE_ENCRYPTION_KEYS.
Authorization
Two new system views are available for analysing user authorisations:
- EFFECTIVE_PRIVILEGE_GRANTEES
- EFFECTIVE_ROLE_GRANTEES
Two new roles are available to support users administrating SAP HANA using SAP Solution Manager and SAP NetWeaver tools:
- sap.hana.admin.roles::SolutionMangagerMonitor
- sap.hana.admin.roles::RestrictedUserDBSLAccess
Authentication
You can now disable authentication mechanisms that are not used in your environment.
SAP HANA smart data access now supports SSO with Kerberos and Microsoft Active Directory for connections to SAP HANA remote sources.
Encryption
You can change the root key for data volume encryption using either SAP HANA cockpit or SQL (note that no native UI for HANA studio has been included).
SQL> ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY
SAP HANA studio now support client certification validation for the SAP HANA database connection
The SAP HANA user store (hdbuserstore) now also supports JDBC connections and multitenant databases.
Auditing
Several new user actions in the SAP HANA database can now be audited:
- CREATE | ALTER | DROP PSE
- CREATE | DROP CERTIFICATES
- CREATE | DROP SCHEMA
Cross-database queries in SAP HANA multitenant database containers are now audited in the tenant database in which the query is executed.
The maximum length of a statement can set set using the system parameter audit_statement_length in section [auditing configuration] of global.ini.
Enhanced Database Trace Information for Authorization issues
On this topic, see the blog by Sinéad Higgins:
Enhanced database trace information for authorization issues in SAP HANA SPS 12
Security Checklists and Recommendations
A new guide has been added to the SAP HANA documentation set: SAP HANA Security Checklists and Recommendations. This guide extends and replaces the Security Configuration Checklist paragraph from the SAP HANA Security Guide.
Security for SAP HANA Extended Application Services, Advanced Model
A new paragraph has been added to the SAP HANA Security Guide on the topic of Extended Application Services:
Security for SAP HANA Extended Application Services, Advanced Model
Additional Information
SAP HANA Security Playlist
SAP HANA
- Security | SAP HANA
- Security Whitepaper (SPS11)
- SAP Training HA240: Authorization, Security and Scenarios
Help Portal: SAP HANA Platform Core SPS 12
- SAP Security Guide – SAP Library
- Security Checklists and Recommendations for SAP HANA Database – SAP Library
- Configure the Password Policy and Blacklist in SAP HANA Cockpit – SAP HANA Administration Guide – SAP Library
- M_PERSISTENCE_ENCRYPTION_KEYS – SAP HANA SQL and System Views Reference – SAP Library
- Auditing Activity in SAP HANA Systems – SAP HANA Administration Guide – SAP Library
- ALTER SYSTEM PERSISTENCE ENCRYPTION – SAP HANA SQL and System Views Reference – SAP Library
- Secure User Store (hdbuserstore) – SAP Security Guide – SAP Library
- System Views for Verifying Users’ Authorization – SAP HANA Administration Guide – SAP Library
SAP Notes
SCN
Thank you for watching
The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with 1000’s of free tutorial videos.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy
For the full list of blogs, see Blog Posts – by the SAP HANA Academy
- Subscribe to our YouTube channel for updates
- Join us on LinkedIn: linkedin.com/in/saphanaacademy
- Follow us on Twitter: @saphanaacademy
- Google+: plus.google.com/+saphanaacademy
- Facebook: facebook.com/saphanaacademy
Hi,
I am trying to get SAML to work for my XSA application .
Prior to XSA , we had to open the HANA user using Studio and check the "SAML" checkbox , then click on "Configure" and choose my IDP . I could also set the SAML assertion validation to be done via "EMAIL ADDRESS" in the "User Parameters" list .
However in XSA admin page , I don't see an option of enabling SAML for a user . So what's happening is that if a user exists in my IDP's ActiveDirectory , he is able to access the xsa application . Is that the expected behaviour ? Is there no way to validate the saml assertion based on the emailid as was the case earlier ?
Nice collection on HANA Security. Thanks