Last Update: May 28, 2018

Introduction

In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 03.

The topic of this blog is SAP HANA Database Security.

For the previous versions of this blog, see

For the full SAP HANA 2.0 SPS 03 blog list, see

For the blogs from Product Management on the topic, see

For an update about the documentation, see

What’s New?

SAP HANA Security Playlist

On the SAP HANA Academy, there is a full playlist covering all aspects of security

SAP HANA Cockpit

SAP HANA cockpit support package 06 has a number of new and enhanced features for user and role management and auditing.

For more information, see

Data Anonymization

As of SPS 03, SAP HANA provides native support for data anonymization. This allows you to gain statistically valid insights from data containing personal or sensitive information while protecting the privacy of individuals.

For the documentation, see

Shared Business Authorizations in SAP HANA

SAP S/4HANA and other ABAP-based SAP applications use authorization objects to control access. As of SPS 03, you can create analytic privileges in SAP HANA that leverage these ABAP authorization objects.

The new built-in procedure SYS.GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION connects both worlds. PFCG is the role maintenance transaction for the Profile Generator.

CALL SYS.GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION(
'A_TEST_SCHEMA',
'CHECKID1',
'{"data":
    {
        "CHECKID1":
        {
            "authobj":"OBJ1",
            "filter":[{"key":"ACTVT","valueList":["03"]}],
            "mappings":[{"fieldName":"SACMTSOID", "mappedName":"SO_ID"},
                        {"fieldName":"SACMTSOLCS", "mappedName":"LIFECYCLE_STATUS"}]
        }
    }
}',
?);

For the documentation, see

User Group-Specific Password Policies

User groups were introduced in the previous release, SPS 02, see

As of SPS 03, this concept has been enhanced: you can now configure a customized password policy for user groups.

For the documentation, see

LDAP Authentication with Automatic User Creation

As of SPS 03, SAP HANA can now automatically create database accounts for LDAP users and map their LDAP roles. This can significantly reduce complexity and cost for maintaining users and authorizations in larger system landscapes.

For this to work, the LDAP provider needs to be enabled for user creation and the user needs to be a member of at least one LDAP/HANA mapped group.

CREATE LDAP PROVIDER my_ldap_provider [...]
 ENABLE USER CREATION FOR LDAP
 [USER TYPE { STANDARD | RESTRICTED }]

For the documentation, see

Data Encryption

Password hash algorithm

Database user passwords are now stored in hashed and salted form using PBKDF2 (Password-Based Key Derivation Function 2) with the SHA-256 secure hash algorithm and 15,000 iterations.

If you are not at home in the jargon of cryptography, you might find this article helpful
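The scheme named above (salted PBKDF2 with SHA-256 and 15,000 iterations), as an added Python example that is not SAP HANA's own code. The salt length, the stored record format and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 15_000      # iteration count stated in the post
SALT_LEN = 16            # assumption: the post does not give the salt length
DK_LEN = 32              # SHA-256 output size in bytes
MAX_ITERATIONS = 1_000_000  # refuse absurd counts read from a stored record


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>'.

    The record layout is hypothetical; it only shows that salt and
    iteration count must be stored next to the hash to verify later.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, ITERATIONS, DK_LEN)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iter_str, salt_hex, hash_hex = record.split("$")
        iterations = int(iter_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2-sha256" or not expected:
        return False
    if not 1 <= iterations <= MAX_ITERATIONS:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample password, not taken from any system.
    rec = hash_password("Sample#Passw0rd")
    print(rec)
    print(verify_password("Sample#Passw0rd", rec))   # correct password
    print(verify_password("sample#passw0rd", rec))   # wrong password
```

Because the salt is random per password, two users with the same password get different records, so precomputed tables are of no use; the iteration count multiplies the cost of every offline guess.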

Encryption configuration in tenant databases

The default status of data-at-rest encryption services in tenant databases is no longer inherited from the system database but is now controlled in the system database with parameters in the new database_initial_encryption section of the global.ini configuration file.

For the documentation, see

Client-side Data Encryption

With client-side data encryption, you can encrypt columns using an encryption key accessible only by the client, which means that column data is encrypted and decrypted only on the client.

There is a full playlist on the topic on the Academy, explaining Setup, Configuration, Export/Import, DML/DDL.

URL: https://www.youtube.com/playlist?list=PLkzo92owKnVygoKWpwy4boITfzsJCqgxw

For the documentation, see

Data Masking

In addition to views, you can now also mask data in tables.

For the documentation, see

Auditing

Auditing for XSA

Auditing for XS advanced has been integrated into the SAP HANA auditing framework.

The XSA Audit Log viewer now displays a deprecation message.

The XSA_AUDIT_LOG view in the Database Explorer.

For the documentation, see

New Auditing Actions

The following new auditing actions have been added:

  • CREATE | DROP AGENT GROUP
  • PERSONAL DATA ACCESS
  • PERSONAL DATA MODIFICATION
  • CONFIGURATION CHANGE
  • SECURITY EVENT

For the documentation, see

Authorization

Any user with the system privilege ROLE ADMIN can now revoke catalog roles granted by another user.

For the recommendations, see

A user can now grant all currently available privileges on a schema by granting the ALL PRIVILEGES object privilege.

For the documentation, see

References

SAP Help Portal

SAP Notes

Thank you for watching

The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy

For the full list of blogs, see Blog Posts – by the SAP HANA Academy
