SAP HANA 2.0 SPS 02 What’s New: Security – by the SAP HANA Academy
Introduction
In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 02.
The topic of this blog is security.
For the previous versions of this blog, see
- SAP HANA 2.0 SPS 01 What’s New: Security – by the SAP HANA Academy
- SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy
- SAP HANA 1.0 SPS 12 What’s New: Security – by the SAP HANA Academy
- SAP HANA 1.0 SPS 11 What’s New: Security – by the SAP HANA Academy
- SAP HANA 1.0 SPS 10 What’s New: Security – by the SAP HANA Academy
For the full SAP HANA 2.0 SPS 02 blog list, see
- What’s New with SAP HANA 2.0 SPS 02 – by the SAP HANA Academy
Tutorial Video
URL: https://www.youtube.com/watch?v=ihYtbuioGBM
What’s New?
Encryption (Changed)
We have seen log encryption being added to SAP HANA in SPS 00 and backup encryption in SPS 01 but for the configuration, so far, only the SQL interface was available.
What’s new in SPS 02 is that we can now enable the encryption of all data-at-rest components using SAP HANA cockpit with the flick of the ON/OFF switch on the Overview page.
Selecting the tile will open the Data Encryption Configuration page with the same switches but with additional information about root key and configuration change.
Additionally, there is the new Manage Keys page, which provides additional information (description, active versions, last change time stamp) of all four root keys. This page includes links to change root keys, back up root keys and set the root key password.
The encryption root key management process (generate, back up, activate) is now implemented as workflow in SAP HANA cockpit. If you don’t have an up-to-date backup of your encryption root keys you might not be able to recover your database to its most recent state.
The root key backup password can also be (re-)set from the Manage Keys page.
Note that when using SQL, this order (generate, back up, then activate) is not enforced: you need to explicitly append WITHOUT ACTIVATE to the ALTER SYSTEM <TYPE> ENCRYPTION CREATE KEY statement so that the new key is not activated before it has been backed up.
For more information, see
- Encryption Key Management – SAP HANA Security Guide
- Changing Encryption Root Keys – SAP HANA Administration Guide
- Change Root Keys Using SAP HANA Cockpit – SAP HANA Administration Guide
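The same generate / back up / activate sequence done with SQL, as an added example that is not part of the original blog. The full statement forms and the backup function name are given as recalled from the SAP HANA 2.0 SQL reference and should be verified against the Security Guide for your release; <backup_password> is a placeholder.

```sql
-- Added example (not from the blog): persistence root key rotation via SQL,
-- in the order the cockpit workflow enforces. Statement forms and function
-- names as recalled from the SAP HANA 2.0 SQL reference (verify for your release).

-- 1. Generate a new persistence (data volume) root key, but do NOT switch to it yet.
--    Without the WITHOUT ACTIVATE clause the new key would be live immediately,
--    before any backup of it exists.
ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY WITHOUT ACTIVATE;

-- 2. Set (or reset) the password that protects root key backups, then extract
--    the backup. Store the returned blob outside the database (and outside the
--    data backups it protects) before going any further.
ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD '<backup_password>';
SELECT ENCRYPTION_ROOT_KEYS_EXTRACT_KEYS('<backup_password>') FROM DUMMY;

-- 3. Only now activate the new key version; pages written from here on use it.
ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW ROOT KEY;

-- 4. Verify: one active version per root key type, and the encryption status of
--    each data-at-rest component (persistence, log, backup).
SELECT * FROM ENCRYPTION_ROOT_KEYS;
SELECT * FROM M_ENCRYPTION_OVERVIEW;
```

The same pattern applies to the other key types by replacing PERSISTENCE with LOG or BACKUP in steps 1 and 3.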
User Groups (New)
Just like any other database in the market today, SAP HANA manages security through users and roles. You grant privileges – what can you see and do? – to a role and then grant the role(s) to a user.
The objective of user groups is different. They are not meant for authorization purposes. User groups don’t control data access. User groups provide a separation of duties for user management.
With a user group you can manage related users together and assign a group administrator for its (exclusive) management. This group administrator requires the new object privilege USERGROUP OPERATOR on the group. This way, you can have the administrator of the sales group manage the sales users and the administrator of the training group manage the training users.
There is no UI support for user groups yet (planned). For SPS 02, the implementation is with SQL.
-- as user admin
-- create a usergroup only sales_admin can manage (not you)
CREATE USERGROUP sales DISABLE USER ADMIN;
CREATE USER sales_admin PASSWORD Password1;
GRANT USERGROUP OPERATOR ON USERGROUP sales TO sales_admin;
-- create a usergroup training admin (and you) can manage
CREATE USERGROUP training;
CREATE USER training_admin PASSWORD Password1;
GRANT USERGROUP OPERATOR ON USERGROUP training TO training_admin;
SELECT * FROM USERGROUPS;
LDAP Group Authorization (New)
Support for LDAP was introduced with SAP HANA 2.0 SPS 00.
For more information, see
- SAP HANA 2.0 SPS 00 What’s New: Security – by the SAP HANA Academy
- LDAP group authorization – by Aleks Aleksic
What’s new in SPS 02 is that it is now possible to obtain the groups that users are indirectly members of through nested groups. Nested group lookup can be configured with the NESTED GROUP LOOKUP URL clause of the CREATE LDAP PROVIDER and ALTER LDAP PROVIDER statements.
CREATE LDAP PROVIDER my_ldap_provider
  CREDENTIAL TYPE 'PASSWORD'
  USING 'user=cn=LookupAccount,o=largebank.com;password=secret'
  USER LOOKUP URL 'ldap://myhostname:389/ou=Users,dc=largebank,dc=com??sub?(&(objectClass=user)(sAMAccountName=*))'
  NESTED GROUP LOOKUP URL 'ldap://myhostname:389/ou=groupsOU,dc=x??sub?(member:1.2.840.113556.1.4.1941:=*)'
  ATTRIBUTE DN 'distinguishedName'
  SSL ON
  DEFAULT ON
  ENABLE PROVIDER;
LDAP group authorization has been added to the list of restricted features for tenant databases, which means that you can disable LDAP groups for a tenant, if it is not required.
All aspects of LDAP group authorization configuration can be audited in SAP HANA. For troubleshooting issues with LDAP authorization, as of SPS 02, you can now enable the database trace component LDAP to obtain diagnostic information not only from SAP HANA, but also the OpenLDAP library.
Finally, you can now set the authorization mode of a user to LDAP when creating a new user in the SAP HANA cockpit. Users configured for LDAP authorization are then automatically granted the roles that are mapped to the groups of which they are a member.
There is one caveat: a user with authorization mode LDAP is granted roles exclusively based on their LDAP group membership. You cannot grant your LDAP user any other roles or privileges.
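How the provider above is actually used for authorization, as an added example that is not part of the original blog: a role mapped to an LDAP group DN, a user whose roles come only from LDAP, and the SPS 02 trace component for troubleshooting. The group DN and user names are constructed; the trace configuration key is given as an assumption to check against the Administration Guide.

```sql
-- Added example (not from the blog). Group DN, role and user names are constructed.

-- 1. Map a database role to an LDAP group. Any user authorized via LDAP who is a
--    (direct or, with NESTED GROUP LOOKUP URL, indirect) member of this group
--    receives the role automatically at logon.
CREATE ROLE sales_reporting
  LDAP GROUP 'cn=SalesReporting,ou=groupsOU,dc=largebank,dc=com';

-- 2. Create a user whose authorization mode is LDAP. Authentication here is still
--    by password; only the role assignment is taken from LDAP group membership.
CREATE USER jdoe PASSWORD Password1 AUTHORIZATION LDAP;

-- 3. The caveat from the text: direct grants to an LDAP-authorized user are rejected,
--    so this statement fails. To grant locally, switch the user back first:
--    ALTER USER jdoe AUTHORIZATION LOCAL;
GRANT sales_reporting TO jdoe;

-- 4. Check the configuration: which roles are mapped to which groups, and each
--    user's authorization mode.
SELECT ROLE_NAME, LDAP_GROUP_NAME FROM ROLE_LDAP_GROUPS;
SELECT USER_NAME, AUTHORIZATION_MODE FROM USERS WHERE USER_NAME = 'JDOE';

-- 5. Troubleshooting (assumption: trace components live in the [trace] section of
--    indexserver.ini). Enables the LDAP trace component, including OpenLDAP output,
--    then switches it back off once the issue is understood.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('trace', 'ldap') = 'debug' WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  UNSET ('trace', 'ldap') WITH RECONFIGURE;
```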
Authorization and Authentication Enhancements (New and Changed)
DATABASE ADMIN System Privilege
Two new system privileges have been added that control access to the DATABASE START and DATABASE STOP commands, used to manage the state of tenant databases, as well as to the M_DATABASES system view.
In earlier releases, only the DATABASE ADMIN system privilege was available.
For more information, see
- Tenant Database Management Statements – SAP HANA SQL and System Views Reference
Comment (New)
You can now add comments to database objects, including tables, columns and views but also users, roles, and user groups.
For more information, see
- COMMENT ON Statement (Data Definition) – SAP HANA SQL and System Views Reference
Hyphen (-) (New)
A hyphen or minus sign (-) is now supported in a user name.
For more information, see
- Unpermitted Characters in User Names – SAP HANA Administration Guide
hdbuserstore (Changed)
Key names containing underscores (_), hyphens (-), and periods (.) are now supported for the hdbuserstore command.
For more information, see
- Secure User Store (hdbuserstore) – SAP HANA Security Guide
- SAP HANA database interactive terminal (hdbsql) – by the SAP HANA Academy
Playlist
On the SAP HANA Academy, there is a full playlist covering all aspects of security:
Documentation
For more information see:
SAP Product Information
- SAP HANA Security
- Security at SAP
- SAP Support Portal: SAP Security Notes & News
- SAP HANA Security Whitepaper [SAP HANA 2.0 SPS00, January 2017]
SAP Help Portal
- Encryption Key Management – SAP HANA Security Guide
- Changing Encryption Root Keys – SAP HANA Administration Guide
- Change Root Keys Using SAP HANA Cockpit – SAP HANA Administration Guide
- User Groups– SAP HANA Security Guide
- CREATE USERGROUP Statement (Access Control) – SAP HANA SQL and System Views Reference
- CREATE USER Statement (Access Control) – SAP HANA SQL and System Views Reference
- USERGROUPS System View – SAP HANA SQL and System Views Reference
- Restricted Features in Tenant Databases – SAP HANA Tenant Databases Operations Guide
- COMMENT ON Statement (Data Definition) – SAP HANA SQL and System Views Reference
- Tenant Database Management Statements – SAP HANA SQL and System Views Reference
- Unpermitted Characters in User Names – SAP HANA Administration Guide
- Secure User Store (hdbuserstore) – SAP HANA Security Guide
- SAP HANA Database Security (New and Changed) – What’s New in the SAP HANA Platform 2.0 (Release Notes)
- User Management and Security Administration – SAP HANA Cockpit SP 03 Features (Release Notes)
- SAP HANA Security Guide
- SAP HANA Security Checklists and Recommendations
SAP Notes
- 2460914 – SAP HANA Platform 2.0 SPS 02 Release Note
- 2462387 – SAP HANA cockpit 2.0 SP 03
- 2159014 – FAQ: SAP HANA Security
Thank you for watching
The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy
For the full list of blogs, see Blog Posts – by the SAP HANA Academy
- Subscribe to our YouTube channel for updates
- Join us on LinkedIn: linkedin.com/in/saphanaacademy
- Follow us on Twitter: @saphanaacademy
- Google+: plus.google.com/+saphanaacademy
- Facebook: facebook.com/saphanaacademy