
Introduction

In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 1.0 Support Package Stack (SPS) 12.

The topic of this blog is security.

For the previous versions of this blog, see

For the full SAP HANA 2.0 SPS 02 blog list, see

 

Overview Video

SAP HANA Security – SPS 12 – YouTube

What’s New?

Security Administration with SAP HANA Cockpit

The tile catalog SAP HANA Security Overview has a new tile: Authentication, which lists the status of the password policy and any SSO configuration. The tile opens the Password Policy and Blacklist app.


The new Password Policy and Blacklist app allows you to view and edit the password policy and the password blacklist of the SAP HANA database. In previous versions, SAP HANA studio was required for these tasks.


The Auditing tile now allows you to configure auditing: enable or disable it, set audit trail targets, and create, change or delete audit policies. In previous versions, SAP HANA studio was required for these tasks.


The Data Volume Encryption app now allows you to change the root key used for data volume encryption. Alternatively, the root key can be changed using SQL (see below). In previous versions, the command line tool hdbnsutil was required to perform this task.


You can also see a history of root key changes using the view M_PERSISTENCE_ENCRYPTION_KEYS.

Authorization

Two new system views are available for analysing user authorisations:

  • EFFECTIVE_PRIVILEGE_GRANTEES
  • EFFECTIVE_ROLE_GRANTEES


Two new roles are available to support users administrating SAP HANA using SAP Solution Manager and SAP NetWeaver tools:

  • sap.hana.admin.roles::SolutionManagerMonitor
  • sap.hana.admin.roles::RestrictedUserDBSLAccess

Authentication

You can now disable authentication mechanisms that are not used in your environment.


SAP HANA smart data access now supports SSO with Kerberos and Microsoft Active Directory for connections to SAP HANA remote sources.

Encryption

You can change the root key for data volume encryption using either SAP HANA cockpit or SQL (note that no native UI for HANA studio has been included).

SQL> ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY

SAP HANA studio now supports client certificate validation for the SAP HANA database connection.


The SAP HANA user store (hdbuserstore) now also supports JDBC connections and multitenant databases.

Auditing

Several new user actions in the SAP HANA database can now be audited:

  • CREATE | ALTER | DROP PSE
  • CREATE | DROP CERTIFICATES
  • CREATE | DROP SCHEMA


Cross-database queries in SAP HANA multitenant database containers are now audited in the tenant database in which the query is executed.

The maximum length of an audited statement can be set using the system parameter audit_statement_length in the section [auditing configuration] of global.ini.
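As an added example (not part of the original blog or SAP's documentation), the statements below create and enable audit policies for two of the newly auditable action groups listed above, PSE and schema changes. The policy names prefixed EXAMPLE_ are hypothetical, and the example assumes auditing is already enabled for the database and that the executing user holds the AUDIT ADMIN system privilege.

```sql
-- Added example: policy names prefixed EXAMPLE_ are hypothetical.
-- Assumes auditing is already enabled and the user holds AUDIT ADMIN.

-- Trust store changes: a PSE holds the certificates used for TLS and for
-- certificate-based authentication, so record every attempt, whether it
-- succeeded or failed, at a high severity.
CREATE AUDIT POLICY "EXAMPLE_PSE_CHANGES"
  AUDITING ALL
  CREATE PSE, ALTER PSE, DROP PSE
  LEVEL CRITICAL;

-- Schema lifecycle: creating or dropping a schema is a structural change
-- worth a record, at a lower severity.
-- Assumption: these two actions may share one policy. SAP HANA only allows
-- compatible actions to be combined, so split the policy if it is rejected.
CREATE AUDIT POLICY "EXAMPLE_SCHEMA_LIFECYCLE"
  AUDITING ALL
  CREATE SCHEMA, DROP SCHEMA
  LEVEL INFO;

-- A new audit policy is disabled until it is explicitly enabled.
ALTER AUDIT POLICY "EXAMPLE_PSE_CHANGES" ENABLE;
ALTER AUDIT POLICY "EXAMPLE_SCHEMA_LIFECYCLE" ENABLE;

-- Confirm that both policies exist and are active.
SELECT *
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME IN ('EXAMPLE_PSE_CHANGES', 'EXAMPLE_SCHEMA_LIFECYCLE');
```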

Enhanced Database Trace Information for Authorization issues

On this topic, see the blog by Sinéad Higgins:

Enhanced database trace information for authorization issues in SAP HANA SPS 12

Security Checklists and Recommendations

A new guide has been added to the SAP HANA documentation set: SAP HANA Security Checklists and Recommendations. This guide extends and replaces the Security Configuration Checklist paragraph from the SAP HANA Security Guide.


Security for SAP HANA Extended Application Services, Advanced Model

A new paragraph has been added to the SAP HANA Security Guide on the topic of Extended Application Services:

Security for SAP HANA Extended Application Services, Advanced Model

Additional Information

SAP HANA Security Playlist

SAP HANA

Help Portal: SAP HANA Platform Core SPS 12

SAP Notes

 SCN

 

Thank you for watching

The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with 1000’s of free tutorial videos.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy

For the full list of blogs, see Blog Posts – by the SAP HANA Academy

 


2 Comments


  1. Abhishek Ranjan

    Hi,

    I am trying to get SAML to work for my XSA application.

    Prior to XSA, we had to open the HANA user using Studio and check the “SAML” checkbox, then click on “Configure” and choose my IDP. I could also set the SAML assertion validation to be done via “EMAIL ADDRESS” in the “User Parameters” list.

    However, in the XSA admin page, I don’t see an option for enabling SAML for a user. So what’s happening is that if a user exists in my IDP’s ActiveDirectory, he is able to access the XSA application. Is that the expected behaviour? Is there no way to validate the SAML assertion based on the emailid as was the case earlier?
