Technology Blogs by SAP
dvankempen
Product and Topic Expert

Last Update: May 28, 2018



Introduction


In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 03.

The topic of this blog is SAP HANA Database Security.

For the previous versions of this blog, see

For the full SAP HANA 2.0 SPS 03 blog list, see

For the blogs from Product Management on the topic, see

For an update about the documentation, see

What's New?


SAP HANA Security Playlist


On the SAP HANA Academy, there is a full playlist covering all aspects of security


SAP HANA Cockpit


SAP HANA cockpit support package 06 has a number of new and enhanced features for user and role management and auditing.

For more information, see

Data Anonymization


As of SPS 03, SAP HANA provides native support for data anonymization. This allows you to gain statistically valid insights from data containing personal or sensitive information while protecting the privacy of individuals.



https://youtu.be/IYX4AK8s4cQ?list=PLkzo92owKnVzSGq6vtFC_LWSxwLhZXIHS

https://youtu.be/_iNJJw7AnrY?list=PLkzo92owKnVx6qZK63YmISEnVWddx_LA_

https://youtu.be/wTRe8kZhKNI?list=PLkzo92owKnVx6qZK63YmISEnVWddx_LA_

https://youtu.be/QtBGKvSDzQY?list=PLkzo92owKnVx6qZK63YmISEnVWddx_LA_

https://youtu.be/SIdJiT_6rls?list=PLkzo92owKnVx6qZK63YmISEnVWddx_LA_

For the documentation, see

Shared Business Authorizations in SAP HANA


SAP S/4HANA and other ABAP-based SAP applications use authorization objects to control access. As of SPS 03, you can create analytic privileges in SAP HANA that leverage these ABAP authorization objects.

The new built-in procedure SYS.GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION connects both worlds. PFCG is the role maintenance transaction for the Profile Generator.

CALL SYS.GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION(
  'A_TEST_SCHEMA',
  'CHECKID1',
  '{"data":
    {
      "CHECKID1":
      {
        "authobj":"OBJ1",
        "filter":[{"key":"ACTVT","valueList":["03"]}],
        "mappings":[{"fieldName":"SACMTSOID", "mappedName":"SO_ID"},
                    {"fieldName":"SACMTSOLCS", "mappedName":"LIFECYCLE_STATUS"}]
      }
    }
  }',
  ?);

For the documentation, see

User Group-Specific Password Policies


https://youtu.be/WZu6k2t7XqE

User groups were introduced in the previous release, SPS 02, see

As of SPS 03 this concept has been further enhanced and you can now configure a customized password policy for user groups.



For the documentation, see

LDAP Authentication with Automatic User Creation


https://youtu.be/9OGphP_1npY

As of SPS 03, SAP HANA can now automatically create database accounts for LDAP users and map their LDAP roles. This can significantly reduce complexity and cost for maintaining users and authorizations in larger system landscapes.

For this to work, the LDAP provider needs to be enabled for user creation and the user needs to be a member of at least one LDAP/HANA mapped group.

CREATE LDAP PROVIDER my_ldap_provider [...]
  ENABLE USER CREATION FOR LDAP
  [USER TYPE { STANDARD | RESTRICTED }]

For the documentation, see


Data Encryption


Password hash algorithm


Database user passwords are now stored in hashed and salted form, derived with PBKDF2 (Password-Based Key Derivation Function 2) using the SHA-256 secure hash algorithm and 15,000 iterations.

If you are not at home in the jargon of cryptography, you might find this article helpful
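
What "hashed and salted with PBKDF2" means in practice, as an added Python example that is not SAP HANA's own code. Only the algorithm (SHA-256) and the 15,000 iterations come from the text above; the salt length, output length, record layout and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "sha256"   # hash named in the text
ITERATIONS = 15_000    # iteration count named in the text
SALT_BYTES = 16        # assumption: salt length is not stated on the page
KEY_BYTES = 32         # assumption: output length equal to the SHA-256 digest size


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Derive a salted hash and return everything needed to verify it later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_BYTES)
    # Hypothetical record layout; the plaintext password is never stored.
    return {"algorithm": ALGORITHM, "iterations": iterations,
            "salt": salt.hex(), "hash": derived.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    derived = hashlib.pbkdf2_hmac(record["algorithm"], password.encode("utf-8"),
                                  bytes.fromhex(record["salt"]),
                                  record["iterations"], dklen=KEY_BYTES)
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


def needs_rehash(record: dict) -> bool:
    """True when a stored record is weaker than the current parameters."""
    return (record["algorithm"] != ALGORITHM
            or record["iterations"] < ITERATIONS)


if __name__ == "__main__":
    sample = "Constructed-Sample-Pw1"  # constructed sample input
    first, second = hash_password(sample), hash_password(sample)
    # Same password, different salts: the stored hashes do not match each other.
    print("hashes differ:", first["hash"] != second["hash"])
    print("correct password verifies:", verify_password(sample, first))
    print("wrong password verifies:", verify_password("guess", first))
    print("old record needs rehash:", needs_rehash(hash_password(sample, iterations=1_000)))
```

The per-password salt is why two users with the same password end up with different stored values, and the iteration count is what makes each offline guess against a stolen hash proportionally more expensive.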

Encryption configuration in tenant databases


The default status of data-at-rest encryption services in tenant databases is no longer inherited from the system database but is now controlled in the system database with parameters in the new database_initial_encryption section of the global.ini configuration file.





For the documentation, see

Client-side Data Encryption


With client-side data encryption, you can encrypt columns using an encryption key accessible only by the client, which means that column data is encrypted and decrypted only on the client.

There is a full playlist on the topic on the Academy, explaining Setup, Configuration, Export/Import, DML/DDL.

URL: https://www.youtube.com/playlist?list=PLkzo92owKnVygoKWpwy4boITfzsJCqgxw



https://www.youtube.com/watch?v=6ql1odUjsCY

For the documentation, see

Data Masking


In addition to views, you can now also mask data in tables.



For the documentation, see

Auditing


Auditing for XSA


Auditing for XS advanced has been integrated into the SAP HANA auditing framework.

The XSA Audit Log viewer now displays a deprecation message.



The XSA_AUDIT_LOG view in the Database Explorer.



For the documentation, see

New Auditing Actions


The following new auditing actions have been added:

  • CREATE | DROP AGENT GROUP

  • PERSONAL DATA ACCESS

  • PERSONAL DATA MODIFICATION

  • CONFIGURATION CHANGE

  • SECURITY EVENT


For the documentation, see

Authorization


Any user with the system privilege ROLE ADMIN can now revoke catalog roles granted by another user.

For the recommendations, see

A user can now grant all currently available privileges on a schema by granting the ALL PRIVILEGES object privilege.

For the documentation, see

References


SAP Help Portal



SAP Notes



Thank you for watching


The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.

For the full library, see SAP HANA Academy Library - by the SAP HANA Academy

For the full list of blogs, see Blog Posts – by the SAP HANA Academy
