Technical Articles
Data Masking for the SAP HANA Service – by the SAP HANA Academy
LATEST UPDATE: September 1, 2020 ========================================= The SAP Cloud Platform, SAP HANA Service will be retired in 2021. For more information, see For the latest information about SAP HANA database-as-a-service, visit our blog post series about SAP HANA Cloud: |
Introduction
Data masking provides an additional layer of object-level access control, for example to complement SELECT privileges. Regular object-level access control privileges return either a result set or an error: insufficient privileges. With data masking, a result set is always returned. However, unless the user has the UNMASKED object-level privilege, the data will be hidden as defined by the mask.
Different implementations are possible. Below a simple example.
For an introduction of the data masking feature, see the blogs from Aleks Aleksic:
- Protect your sensitive data using SAP HANA’s new dynamic data masking (SAP HANA 2.0 SPS 01 – Apr, 2017)
- Extended dynamic data masking in SAP HANA: Mask data at the table level (SAP HANA 2.0 SPS 03, Apr, 2018)
Tutorial Video
In the video tutorial below, we demonstrate how to implement data masking.
Data Masking for the SAP Cloud Platform, SAP HANA Service works the same as for a regular on-premise SAP HANA versions, like the platform and express edition.
Data masking was introduced with SAP HANA 2.0 SPS 01 (April, 2017) and is not available for the SAP HANA Service in the Neo environment, currently on version SAP HANA 1.0 SPS 12.
Code Sample
For the full code sample, see the repository on the SAP HANA Academy GitHub site. Below the most essential parts. This is a sample implementation. Other approaches are possible.
Here we create a function which will perform the actual masking when called.
CONNECT mask_owner PASSWORD ******
CREATE FUNCTION credit_mask(INPUT VARCHAR(19))
RETURNS OUTPUT VARCHAR(19) LANGUAGE SQLSCRIPT AS
temp VARCHAR(19);
BEGIN
SELECT LEFT(INPUT,4) || '-XXXX-XXXX-' || RIGHT(INPUT,4)
INTO temp
FROM SYS.DUMMY;
OUTPUT := temp;
END;
GRANT EXECUTE ON credit_mask TO data_owner;
Next, as the object owner of the table with sensitive data, we create a view which calls the mask.
CONNECT data_owner PASSWORD ******
CREATE VIEW credit_view AS
SELECT * FROM credit_tab
WITH MASK
(CREDIT_CARD USING mask_owner.credit_mask(credit_card));
GRANT SELECT ON credit_view TO end_user;
Finally, as end_user we query the view and get a result set with masked data for the credit card column.
Granting the UNMASKED object privilege to the user returns an unmasked view on the data.
CONNECT data_owner PASSWORD ****
GRANT UNMASKED ON credit_view TO end_user;
YouTube Playlist(s)
The tutorials has been posted to the following playlists:
References
For the GitHub code repository, see
For the documentation, see
- Data Masking – SAP HANA Security Guide for SAP HANA Service
- CREATE VIEW Statement (Data Definition) – SAP HANA SQL and System Views Reference for SAP HANA Service
- 2159014 – FAQ: SAP HANA Security
- SAP HANA Security
Thank you for watching
The SAP HANA Academy provides free online video tutorials for the developers, consultants, partners and customers of SAP HANA.
Topics range from practical how-to instructions on administration, data loading and modeling, and integration with other SAP solutions, to more conceptual projects to help build out new solutions using mobile applications or predictive analysis.
For the full library, see SAP HANA Academy Library – by the SAP HANA Academy.
For the full list of blogs, see Blog Posts – by the SAP HANA Academy.
- Subscribe to our YouTube channel for updates
- Join us on LinkedIn: linkedin.com/in/saphanaacademy
- Follow us on Twitter: @saphanaacademy
- Facebook: @saphanaacademy
Great Material !
But, in all samples, no body (neither in the user manual) talks about Calculation Views and those privileges assignament.
I have a hands-on material from TechEd 2018 about it, but uses HANA WebIDE and containers…
Do you have any quick sequence to assign the unmask privilege for a Calc View ? I´ve tested some scenarios and only giving to _SYS_REPO user this permission works, but in this way I will open all calc engine to unmask…
Thanks in advance,
Fernando Santos
Hi Fernando,
Good question. Thanks for asking. You already provided a clue, actually. I had to ask around a bit but Jan Zwickel provided the answer. To rephrase:
By design, the UNMASKED object privilege is only checked for the direct consumer of the masked table/view. For Calculation Views, the direct consumer is _SYS_REPO and in a HDI environment this is the technical user of the container.
In other words, as soon as you put a (Calculation or SQL) view on top of the object with data mask, you loose the ability to selectively mask/unmask on query-user level.
If you need user-specific masking the best way is probably to build it into the uppermost Calculation View so that no further View is stacked on top. Then the query-user privileges should count unless they use a technical user. Also, keep an eye on the performance of the different scenarios.