SAP HANA 2.0 SPS 03 What’s New: Security – by the SAP HANA Academy
Last Update: May 28, 2018
Introduction
In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 03.
The topic of this blog is SAP HANA Database Security.
For the previous versions of this blog, see
- SAP HANA 2.0 SPS 02 What’s New: Security
- SAP HANA 2.0 SPS 01 What’s New: Security
- SAP HANA 2.0 SPS 00 What’s New: Security
- SAP HANA 1.0 SPS 12 What’s New: Security
For the full SAP HANA 2.0 SPS 03 blog list, see
For the blogs from Product Management on the topic, see
- Take data privacy to the next level with SAP HANA 2.0 SPS 03 by Andrea Kristen
- Extended dynamic data masking in SAP HANA: Mask data at the table level by Former Member
For an update about the documentation, see
- SAP HANA 2.0 SPS 03 – Security Documentation by Sinead Higgins
- Best practices and recommendations for developing HDI-based roles by Former Member
What’s New?
SAP HANA Security Playlist
On the SAP HANA Academy, there is a full playlist covering all aspects of SAP HANA security.
SAP HANA Cockpit
SAP HANA cockpit support package 06 has a number of new and enhanced features for user and role management and auditing.
For more information, see
Data Anonymization
As of SPS 03, SAP HANA provides native support for data anonymization. This allows you to gain statistically valid insights from data containing personal or sensitive information while protecting the privacy of individuals.
For the documentation, see
- Data Anonymization – SAP HANA Administration Guide
- SAP HANA Data Anonymization – SAP HANA Security Guide
- Anonymize Data Using Calculation Views – SAP HANA Modeling Guide
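To make that guarantee concrete, here is an added example in plain Python (not SAP HANA code and not taken from the documentation above) of k-anonymity, one of the anonymization methods SAP HANA offers: the direct identifier is dropped and the quasi-identifiers (postal code, age, gender) are generalized step by step until every combination of them occurs at least k times, so no individual can be singled out by those attributes. The records, the generalization hierarchy and the column names are constructed for the example.

```python
"""k-anonymity re-implemented in plain Python to show what the guarantee means.

Added illustration; the data, hierarchy and names are constructed and this is
not SAP HANA's implementation."""
from collections import Counter

# Constructed records: a direct identifier (id), three quasi-identifiers
# and one sensitive attribute (diagnosis).
RECORDS = [
    {"id": 1, "zip": "69190", "age": 29, "gender": "F", "diagnosis": "flu"},
    {"id": 2, "zip": "69190", "age": 31, "gender": "F", "diagnosis": "asthma"},
    {"id": 3, "zip": "69198", "age": 45, "gender": "M", "diagnosis": "diabetes"},
    {"id": 4, "zip": "69198", "age": 41, "gender": "M", "diagnosis": "flu"},
    {"id": 5, "zip": "69115", "age": 62, "gender": "F", "diagnosis": "cancer"},
    {"id": 6, "zip": "69117", "age": 68, "gender": "F", "diagnosis": "flu"},
    {"id": 7, "zip": "69120", "age": 23, "gender": "M", "diagnosis": "asthma"},
]

QUASI_IDENTIFIERS = ("zip", "age", "gender")
SENSITIVE = "diagnosis"


def generalize(record, level):
    """Apply one level of the generalization hierarchy and drop the direct id.
    level 0: raw values
    level 1: postal code to 4 digits, age in 10-year bands
    level 2: postal code to 3 digits, age in 20-year bands, gender suppressed
    """
    zip_keep = {0: 5, 1: 4, 2: 3}[level]
    band = {0: 1, 1: 10, 2: 20}[level]
    zip_code = record["zip"][:zip_keep] + "*" * (5 - zip_keep)
    lo = (record["age"] // band) * band
    age = str(record["age"]) if band == 1 else f"{lo}-{lo + band - 1}"
    gender = record["gender"] if level < 2 else "*"
    return {"zip": zip_code, "age": age, "gender": gender,
            SENSITIVE: record[SENSITIVE]}


def equivalence_classes(rows):
    """Count rows per combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)


def is_k_anonymous(rows, k):
    """True if every quasi-identifier combination occurs at least k times."""
    return all(n >= k for n in equivalence_classes(rows).values())


def anonymize(records, k, max_level=2):
    """Generalize until k-anonymity holds; returns (level, rows) or None if
    no level of the hierarchy reaches k (then the release must not happen)."""
    for level in range(max_level + 1):
        rows = [generalize(r, level) for r in records]
        if is_k_anonymous(rows, k):
            return level, rows
    return None


def min_sensitive_diversity(rows, sensitive=SENSITIVE):
    """Smallest number of distinct sensitive values in any equivalence class.
    k-anonymity says nothing about this column: a class in which everyone has
    the same diagnosis discloses it for every member (homogeneity attack)."""
    seen = {}
    for r in rows:
        key = tuple(r[q] for q in QUASI_IDENTIFIERS)
        seen.setdefault(key, set()).add(r[sensitive])
    return min(len(values) for values in seen.values())


if __name__ == "__main__":
    result = anonymize(RECORDS, 2)
    if result is None:
        print("cannot reach k=2")
    else:
        level, rows = result
        print(f"k=2 reached at generalization level {level}")
        for key, n in sorted(equivalence_classes(rows).items()):
            print(f"  {key}: {n} rows")
        print(f"min distinct diagnoses per class: {min_sensitive_diversity(rows)}")
```

With this data k=2 is only reached at level 2, k=3 is never reached, and the last function is the caveat a practitioner wants: check the sensitive column's diversity per class as well, because a k-anonymous release can still reveal an attribute everyone in a class shares.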
Shared Business Authorizations in SAP HANA
SAP S/4HANA and other ABAP-based SAP applications use authorization objects to control access. As of SPS 03, you can create analytic privileges in SAP HANA whose filter conditions are derived from these ABAP authorization objects, so that the same business authorizations apply to direct access to the SAP HANA views.
The new built-in procedure SYS.GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION connects both worlds: it takes the authorization object, the field values to check and a mapping from authorization fields to view columns, and generates the condition for the structured (analytic) privilege. PFCG is the ABAP role maintenance transaction (Profile Generator).
-- "authobj":  the ABAP authorization object to check
-- "filter":   restrict to activity (ACTVT) 03 = display
-- "mappings": authorization object field -> column name in the SAP HANA view
CALL SYS.GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION(
    'A_TEST_SCHEMA',
    'CHECKID1',
    '{"data":
        {
            "CHECKID1":
            {
                "authobj":"OBJ1",
                "filter":[{"key":"ACTVT","valueList":["03"]}],
                "mappings":[{"fieldName":"SACMTSOID", "mappedName":"SO_ID"},
                            {"fieldName":"SACMTSOLCS", "mappedName":"LIFECYCLE_STATUS"}]
            }
        }
    }',
    ?);  -- output parameter: the generated condition
For the documentation, see
User Group-Specific Password Policies
User groups were introduced in the previous release, SPS 02, see
As of SPS 03 this concept has been further enhanced: you can now configure a customized password policy for a user group, which overrides the system-wide password policy for the members of that group.
For the documentation, see
LDAP Authentication with Automatic User Creation
As of SPS 03, SAP HANA can automatically create database accounts for LDAP users at first logon and map their LDAP group memberships to SAP HANA roles. This can significantly reduce the complexity and cost of maintaining users and authorizations in larger system landscapes.
For this to work, the LDAP provider must be enabled for user creation, and the user must be a member of at least one LDAP group that is mapped to an SAP HANA role; otherwise no account is created.
CREATE LDAP PROVIDER my_ldap_provider [...]
ENABLE USER CREATION FOR LDAP
[USER TYPE { STANDARD | RESTRICTED }]
For the documentation, see
Data Encryption
Password hash algorithm
Database user passwords are now stored as salted hashes computed with PBKDF2 (Password-Based Key Derivation Function 2), with SHA-256 as the underlying hash and 15,000 iterations.
If you are not at home in the jargon of cryptography, you might find this article helpful
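What those parameters mean in practice, as an added example in plain Python (this is not SAP HANA's implementation, and the record layout and function names are assumptions of the example): a random per-user salt, PBKDF2-HMAC-SHA256 with 15,000 iterations, a constant-time comparison when verifying, and a check that tells you when a stored record should be re-hashed because the iteration count has been raised.

```python
"""Salted PBKDF2-HMAC-SHA256 password storage with the parameters the text
quotes for SAP HANA 2.0 SPS 03 (SHA-256, 15,000 iterations).

Added illustration, not SAP HANA's own code. The record layout
"pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>" is an assumption of this
example, not the format SAP HANA stores internally."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "pbkdf2_sha256"
ITERATIONS = 15_000   # iteration count quoted for SAP HANA 2.0 SPS 03
SALT_BYTES = 16
DKLEN = 32            # derived-key length: one SHA-256 output


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record. A fresh random salt per password means
    two users with the same password get different records, and an attacker
    cannot precompute a single table for all accounts."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def _parse(stored: str):
    """Split a record into (iterations, salt, derived key); None if malformed."""
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
        if scheme != SCHEME:
            return None
        return (int(iters),
                base64.b64decode(salt_b64, validate=True),
                base64.b64decode(dk_b64, validate=True))
    except ValueError:   # wrong field count, bad integer or bad base64
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so a mismatch leaks nothing about which bytes differed."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was produced with fewer iterations than the current
    policy (or is unreadable): re-hash on the next successful login to raise
    the work factor without forcing a password reset."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("needs rehash:", needs_rehash(record))
```

The iteration count is what makes offline guessing expensive: each candidate password costs the attacker the same 15,000 HMAC computations it costs the server, which is why the count is stored with the record and why `needs_rehash` exists to migrate old records when the policy is tightened.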
Encryption configuration in tenant databases
Whether data-at-rest encryption services are enabled by default in a newly created tenant database is no longer inherited from the system database. It is now controlled from the system database with the parameters in the new database_initial_encryption section of the global.ini configuration file.
For the documentation, see
Client-side Data Encryption
With client-side data encryption, you can encrypt columns using an encryption key accessible only by the client, which means that column data is encrypted and decrypted only on the client.
There is a full playlist on the topic on the Academy, explaining Setup, Configuration, Export/Import, DML/DDL.
URL: https://www.youtube.com/playlist?list=PLkzo92owKnVygoKWpwy4boITfzsJCqgxw
For the documentation, see
- Getting Started With Client-Side Encryption – SAP HANA Security Guide
- Client-Side Data Encryption – SAP HANA Administration Guide
- Configuring the Client for Client-Side Encryption and LDAP – SAP HANA Client Interface Programming Reference
Data Masking
In addition to views, you can now also define data masks directly on table columns.
For the documentation, see
Auditing
Auditing for XSA
Auditing for XS advanced has been integrated into the SAP HANA auditing framework.
The XSA Audit Log viewer now displays a deprecation message, and the XS advanced audit entries can instead be queried through the XSA_AUDIT_LOG view, for example in the Database Explorer.
For the documentation, see
New Auditing Actions
The following new auditing actions have been added:
- CREATE | DROP AGENT GROUP
- PERSONAL DATA ACCESS
- PERSONAL DATA MODIFICATION
- CONFIGURATION CHANGE
- SECURITY EVENT
For the documentation, see
Authorization
Any user with the system privilege ROLE ADMIN can now revoke catalog roles granted by another user.
For the recommendations, see
A user can now grant all currently available privileges on a schema by granting the ALL PRIVILEGES object privilege.
For the documentation, see
References
SAP Help Portal
- SAP HANA Database Security (New and Changed) – SAP HANA Platform 2.0 SPS 03 Features
- SAP HANA Security Guide
- SAP HANA Security Checklists and Recommendations
SAP Notes
Thank you for watching
The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy
For the full list of blogs, see Blog Posts – by the SAP HANA Academy
- Subscribe to our YouTube channel for updates
- Join us on LinkedIn linkedin.com/in/saphanaacademy
- Follow us on Twitter @saphanaacademy
- Google+ plus.google.com/+saphanaacademy
- Facebook facebook.com/saphanaacademy
This is really very detailed information and covers most of the topics.
However, I am looking for an option to configure the "Audit Retention policy" in HANA 2.0 SP03, but
I don't see the option enabled, whereas I can see it in 2.0 SP04
( https://blogs.sap.com/2019/04/08/address-business-challenges-in-security-and-privacy-with-sap-hana-2.0-sps-04/ )
Is there any other way to configure the Audit Retention Period in SP03? Please help by providing the steps or a document, if any.
Thanks again.
Hi,
This feature is documented for SPS 04:
It is not available in earlier releases.