
Introduction

In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 02.

The topic of this blog is security.

For the previous versions of this blog, see

For the full SAP HANA 2.0 SPS 02 blog list, see

For an overview on the topic from Product Management, see

 

Tutorial Video

URL: https://www.youtube.com/watch?v=ihYtbuioGBM

What’s New?

Encryption (Changed)

Log encryption was added to SAP HANA in 2.0 SPS 00 and backup encryption in SPS 01, but so far both could only be configured through the SQL interface.

What's new in SPS 02 is that the encryption of all data-at-rest components can now be enabled in SAP HANA cockpit with the flick of an ON/OFF switch on the Overview page.

Selecting the tile will open the Data Encryption Configuration page with the same switches but with additional information about root key and configuration change.

 

Additionally, there is the new Manage Keys page, which provides additional information (description, active versions, last change time stamp) on all four root keys. This page includes links to change root keys, back up root keys and set the root key backup password.

The encryption root key management process (generate, back up, activate) is now implemented as a workflow in SAP HANA cockpit, so a key cannot be activated before it has been backed up. This matters for recovery: if you don't have an up-to-date backup of your encryption root keys you might not be able to recover your database to its most recent state.

The root key backup password can also be (re-)set from the Manage Keys page.

Note that when using SQL, this ordering is not enforced: ALTER SYSTEM <TYPE> ENCRYPTION CREATE NEW KEY activates the new key immediately unless you explicitly append WITHOUT ACTIVATE, back up the root keys, and then activate the new key in a separate statement.
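The same generate / back up / activate sequence that cockpit enforces, done by hand in SQL for the persistence (data volume) root key. This is an added example and not code from the original post; the backup password and the backup file path are made up, and the statements assume a user holding the ENCRYPTION ROOT KEY ADMIN system privilege.

```sql
-- Added example (not from the original post). Root key rotation in SQL, in the
-- order cockpit enforces: generate, back up, then activate.
-- Password and file path below are made up.

-- 0. The cockpit ON/OFF switches, as SQL. LOG and BACKUP take the same
--    CREATE NEW KEY / ACTIVATE NEW KEY statements as PERSISTENCE below.
ALTER SYSTEM PERSISTENCE ENCRYPTION ON;
ALTER SYSTEM LOG ENCRYPTION ON;
ALTER SYSTEM BACKUP ENCRYPTION ON;

-- 1. Generate a new root key but keep the current one active. Without the
--    WITHOUT ACTIVATE clause the new key would be active before it is backed up.
ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW KEY WITHOUT ACTIVATE;

-- 2. Set (or reset) the password that protects root key backups. You need the
--    same password to import the backup when recovering on another host.
ALTER SYSTEM SET ENCRYPTION ROOT KEYS BACKUP PASSWORD RootKeyBackup1;

-- 3. Back up ALL root keys now, from the OS as <sid>adm, and store the file
--    away from the data it protects (path made up, dbid is that of the tenant):
--      hdbnsutil -backupRootKeys /secure/offhost/rootkeys.rkb --dbid=<dbid> --type=ALL
--    In cockpit this is Manage Keys > Back Up Root Keys.

-- 4. Only now make the new key the active one.
ALTER SYSTEM PERSISTENCE ENCRYPTION ACTIVATE NEW KEY;

-- 5. Verify: key versions per root key type, and the data volume encryption status.
SELECT * FROM SYS.ENCRYPTION_ROOT_KEYS;
SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS;
```

Step 3 is the one the SQL path lets you skip; a root key that was activated but never backed up cannot be restored from a data or log backup, which is exactly the failure the cockpit workflow prevents.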

For more information, see

 

User Groups (New)

Just like any other database in the market today, SAP HANA manages security through users and roles. You grant privileges – what can you see and do? – to a role and then grant the role(s) to a user.

User groups serve a different purpose. They are not an authorization concept and do not control data access; they provide separation of duties for user management.

With a user group you can manage related users together and assign a group administrator for its (exclusive) management. This group administrator requires the new object privilege USERGROUP OPERATOR on the group. This way, you can have the administrator of the sales group manage the sales users and the administrator of the training group manage the training users, without either of them holding the USER ADMIN system privilege.

There is no UI support for user groups yet (planned). For SPS 02, the implementation is with SQL.

-- as a user holding USER ADMIN (for example SYSTEM)
-- create a usergroup only sales_admin can manage (not you):
-- DISABLE USER ADMIN blocks even USER ADMIN holders from managing its users
CREATE USERGROUP sales DISABLE USER ADMIN;
CREATE USER sales_admin PASSWORD Password1;
GRANT USERGROUP OPERATOR ON USERGROUP sales TO sales_admin;

-- create a usergroup the training admin (and you) can manage
CREATE USERGROUP training;
CREATE USER training_admin PASSWORD Password1;
GRANT USERGROUP OPERATOR ON USERGROUP training TO training_admin;

-- list the groups (unquoted names are stored upper case: SALES, TRAINING)
SELECT * FROM USERGROUPS;
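To see the separation of duties in action, the following added example (not code from the original post) puts users into the two groups created above and shows which statements each administrator can and cannot run. The user names are made up; the USERGROUP object type in GRANTED_PRIVILEGES is assumed from the view's documented columns. It also uses the COMMENT ON statement that is new in SPS 02 to record who owns the group.

```sql
-- Added example (not from the original post). Continues with the groups and
-- operators from the block above; sales_user1 / training_user1 are made up.

-- as the database admin (holds USER ADMIN, but no USERGROUP OPERATOR on sales)
CREATE USER training_user1 PASSWORD Password1 SET USERGROUP training;  -- works: training allows USER ADMIN
CREATE USER sales_user1    PASSWORD Password1 SET USERGROUP sales;     -- rejected: sales is DISABLE USER ADMIN
COMMENT ON USERGROUP sales IS 'Sales users, managed exclusively by SALES_ADMIN';

-- as sales_admin (holds USERGROUP OPERATOR ON USERGROUP sales, no USER ADMIN)
CREATE USER sales_user1 PASSWORD Password1 SET USERGROUP sales;  -- works: creating users in the own group
ALTER USER sales_user1 PASSWORD Password2;                        -- works: member of the own group
ALTER USER training_user1 PASSWORD Password2;                     -- rejected: user belongs to another group
ALTER USER sales_user1 SET USERGROUP training;                    -- rejected: moving a user needs rights on both groups
GRANT MONITORING TO sales_user1;                                  -- rejected: USERGROUP OPERATOR conveys no right to grant roles

-- as training_admin: may also take a user out of the own group
ALTER USER training_user1 UNSET USERGROUP;

-- who manages whom (any user with CATALOG READ)
SELECT USER_NAME, USERGROUP_NAME
  FROM USERS
 WHERE USERGROUP_NAME IN ('SALES', 'TRAINING');

-- which operators exist (OBJECT_TYPE value assumed)
SELECT GRANTEE, OBJECT_NAME, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'USERGROUP';
```

The rejected statements are the point: the group operator can create, drop and reset the password of users in the group, but cannot touch users in other groups and gains no authorization over data, which is what keeps user administration separate from privilege administration.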

For more information, see

 

LDAP Group Authorization (New)

Support for LDAP was introduced with SAP HANA 2.0 SPS 00.

For more information, see

What's new in SPS 02 is that SAP HANA can now also resolve the groups a user is an indirect member of through nested groups. Nested group lookup is configured with the NESTED GROUP LOOKUP URL clause of the CREATE LDAP PROVIDER and ALTER LDAP PROVIDER statements.

CREATE LDAP PROVIDER my_ldap_provider
  -- technical account used for the lookups; the credential is stored by SAP HANA
  CREDENTIAL TYPE 'PASSWORD'
    USING 'user=cn=LookupAccount,o=largebank.com;password=secret'
  -- where to find user entries: base DN, (empty attribute list), sub-tree scope, filter
  USER LOOKUP URL
    'ldap://myhostname:389/ou=Users,dc=largebank,dc=com??sub?(&(objectClass=user)(sAMAccountName=*))'
  -- where to find groups, including nested ones: 1.2.840.113556.1.4.1941 is the
  -- Active Directory LDAP_MATCHING_RULE_IN_CHAIN OID that follows the member chain
  NESTED GROUP LOOKUP URL
    'ldap://myhostname:389/ou=groupsOU,dc=largebank,dc=com??sub?(member:1.2.840.113556.1.4.1941:=*)'
  -- attribute holding the DN that is matched against the LDAP GROUP of a role
  ATTRIBUTE DN 'distinguishedName'
  -- protect the lookup credential and group data in transit
  SSL ON
  DEFAULT ON
  ENABLE PROVIDER;

LDAP group authorization has been added to the list of restricted features for tenant databases, which means that you can disable LDAP groups for a tenant, if it is not required.

For more information, see

All aspects of LDAP group authorization configuration can be audited in SAP HANA. For troubleshooting issues with LDAP authorization, as of SPS 02, you can enable the database trace component LDAP to obtain diagnostic information not only from SAP HANA but also from the OpenLDAP library it uses.

Finally, you can now set the authorization mode of a user to LDAP when creating a new user in the SAP HANA cockpit. Users configured for LDAP authorization are then automatically granted the roles that are mapped to the groups of which they are a member.

There is one caveat: a user with authorization mode LDAP is granted roles exclusively based on their LDAP group membership. You cannot grant your LDAP user any other roles or privileges.
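Wiring LDAP group authorization end to end against the provider defined above, and checking it, as an added example that is not code from the original post. The group DN, the user jdoe, the role and the schema are made up; the audit action names for LDAP providers are assumed from the SPS 02 audit action list and should be checked against your release.

```sql
-- Added example (not from the original post). Provider name is the one from
-- the DDL above; group DN, user, role and schema names are made up.

-- 1. Map an LDAP group to a SAP HANA role. Members of the group (also via nested
--    groups) receive the role when they log on with authorization mode LDAP.
CREATE ROLE sales_reporting LDAP GROUP 'cn=SalesReporting,ou=groupsOU,dc=largebank,dc=com';
GRANT SELECT ON SCHEMA sales TO sales_reporting;

-- 2. A user whose roles come only from LDAP group membership.
--    Authentication is still local (password); only authorization is LDAP.
CREATE USER jdoe PASSWORD Password1 AUTHORIZATION LDAP;

-- 3. The caveat from the text: nothing can be granted to such a user directly.
GRANT MONITORING TO jdoe;             -- rejected: roles of an LDAP-authorized user come from LDAP only
-- ALTER USER jdoe AUTHORIZATION LOCAL; -- would switch back to local grants

-- 4. Check that the provider can resolve the user and its groups.
VALIDATE LDAP PROVIDER my_ldap_provider CHECK USER jdoe;

-- 5. What SAP HANA knows about the mapping.
SELECT USER_NAME, AUTHORIZATION_MODE FROM USERS WHERE USER_NAME = 'JDOE';
SELECT ROLE_NAME, LDAP_GROUP_NAME FROM ROLE_LDAP_GROUPS;
SELECT GRANTEE, ROLE_NAME FROM GRANTED_ROLES WHERE GRANTEE = 'JDOE';

-- 6. Audit changes to the LDAP configuration (action names assumed).
CREATE AUDIT POLICY ldap_config
  AUDITING ALL CREATE LDAP PROVIDER, ALTER LDAP PROVIDER, DROP LDAP PROVIDER
  LEVEL INFO;
ALTER AUDIT POLICY ldap_config ENABLE;

-- 7. Troubleshooting: raise the LDAP trace component for one reproduction,
--    then unset it again, because debug traces grow quickly.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('trace', 'ldap') = 'debug' WITH RECONFIGURE;
-- reproduce the logon, read the indexserver trace, then:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  UNSET ('trace', 'ldap') WITH RECONFIGURE;
```

Because an LDAP-authorized user's roles are recomputed from group membership at logon, removing the user from the directory group is the only way to revoke access; keep that in mind when you design the group structure that the nested lookup will follow.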

 

Authorization and Authentication Enhancements (New and Changed)

DATABASE START and DATABASE STOP System Privileges

Two new system privileges, DATABASE START and DATABASE STOP, authorize an administrator in the system database to start and stop tenant databases (ALTER SYSTEM START DATABASE and ALTER SYSTEM STOP DATABASE) and to read the M_DATABASES system view that shows their state.

In earlier releases, these operations required the much broader DATABASE ADMIN system privilege, which also allows creating and dropping tenant databases.
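A least-privilege operator account built on the two new privileges, as an added example that is not code from the original post. The role, user and tenant names are made up; the statements run in the system database.

```sql
-- Added example (not from the original post), run in the system database.
-- Role, user and tenant names are made up.

-- an operator role that can cycle tenants but not create, drop or reconfigure them
CREATE ROLE tenant_operator;
GRANT DATABASE START, DATABASE STOP TO tenant_operator;   -- instead of DATABASE ADMIN
CREATE USER ops_user PASSWORD Password1;
GRANT tenant_operator TO ops_user;

-- connected as ops_user:
SELECT DATABASE_NAME, ACTIVE_STATUS FROM M_DATABASES;      -- readable with the new privileges
ALTER SYSTEM STOP DATABASE tenant1;
ALTER SYSTEM START DATABASE tenant1;
CREATE DATABASE tenant2 SYSTEM USER PASSWORD Password1;    -- rejected: still needs DATABASE ADMIN

-- confirm nobody besides the intended admins holds the broad privilege
SELECT GRANTEE, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE IN ('DATABASE ADMIN', 'DATABASE START', 'DATABASE STOP');
```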

For more information, see

Comment (New)

You can now add comments to database objects, including tables, columns and views, but also to users, roles, and user groups, which is useful for recording ownership and purpose of security artifacts.

For more information, see

Hyphen (-) (New)

A hyphen or minus sign (-) is now supported in a user name.

For more information, see

hdbuserstore (Changed)

Key names containing underscores (_), hyphens (-), and periods (.) are now supported for the hdbuserstore command.

For more information, see

 

Playlist

On the SAP HANA Academy, there is a full playlist covering all aspects of security:

 

Documentation

For more information see:

SAP HANA Blogs

SAP Product Information

SAP Help Portal

SAP Notes

Thank you for watching

The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy

For the full list of blogs, see Blog Posts – by the SAP HANA Academy

 
