Preface

SAP HANA powers SAP applications and hosts data from a variety of sources, functionalities that are often critical to an organization’s operations. Failure to properly secure an SAP HANA environment often can lead to system instability and hurt data integrity; therefore, SAP HANA security must be given the proper attention and scrutiny.

Purpose

This book was written with the goal of educating readers about securing SAP HANA. We’ll focus on key aspects of the SAP HANA security model, including user provisioning, role creation, privilege assignment, encryption, auditing, and authentication. We’ll also discuss the tools you can use to create and maintain an SAP HANA security model. Such information is critical for SAP HANA security architects to implement security models for their organizations. This information is also necessary for organizations to protect the data hosted within SAP HANA and to maintain the reliability of systems that rely on SAP HANA.

Who Should Read This Book?

This book will help security teams, SAP Basis teams, security consultants, and anyone looking for a comprehensive guide to implementing an SAP HANA security model.

We recommend the following prerequisites for readers of this book:

Each chapter is structured to offer background and theory for specific security-related concepts. Many chapters conclude with a case study—centering on the fictitious E-Corporation—for a “real-world” application of the topics covered in the book. Our goal is to provide you with technical knowledge and a unique perspective on how security has been implemented in the field based on real customer engagements.

Structure of This Book

The book is structured into 18 chapters. The Introduction and Chapter 1 through Chapter 4 introduce SAP HANA, SAP HANA security, the SAP HANA cockpit, privileges, and database objects. Chapter 4, Chapter 5, and Chapter 6 introduce users and roles. Chapter 7 through Chapter 11 discuss the various privilege types within SAP HANA. The remaining chapters discuss SAP HANA authentication, encryption, lifecycle management, audit policies, security troubleshooting, and general recommendations for securing your SAP HANA environment.

Introduction

Representing the next evolution of data management for many organizations, SAP HANA also powers critical applications for managing your organization. Thus, SAP HANA can be a valuable asset in many organizations. Because of its importance, SAP HANA must be secured. In the Introduction, we’ll provide an overview of SAP HANA’s hardware and software layers. We’ll introduce the basic concepts of SAP HANA security and list several reasons why securing your SAP HANA environment is important.

Chapter 1: Managing Security with the SAP HANA Cockpit

This chapter introduces the SAP HANA cockpit, a key tool for managing SAP HANA security. We’ll start with an overview of the architecture of the SAP HANA cockpit. We’ll explain how you can navigate the SAP HANA cockpit. We’ll also provide a detailed workflow to help identify key security management areas within the SAP HANA cockpit, including all security-related functionalities, the SAP HANA database explorer, and the SQL console.

Chapter 2: Introduction to SAP HANA Privileges

This chapter introduces the key privilege types available within SAP HANA. We’ll provide a summary of each privilege type, including system, object, analytic, package, and application privileges. We’ll also discuss how SAP HANA validates the assignment of privileges for users and roles.

Chapter 3: Catalog Objects

This chapter explains the role catalog objects play within an SAP HANA system. We’ll review the process for creating both standard schemas and repository-based schemas. We’ll also review how you can create other standard schema- and repository-based catalog objects. You’ll need to understand the nature of catalog objects because they relate to object privileges and the overall SAP HANA security model architecture.

Chapter 4: User Accounts

Authentication and authorization center on user accounts. Every individual user and every application that interacts with SAP HANA requires a user account. This chapter will provide detailed information on types of user accounts, on how to create user accounts, and how privileges are granted or revoked from user accounts. We’ll also discuss how roles are granted to user accounts. At the end, we’ll provide a case study to review a programmatic approach to provisioning users from external sources.

Chapter 5: Database Roles

When granting privileges, you should always avoid granting them directly to users, which can lead to significant inconsistencies within a security model. As an alternative, you can grant privileges to roles, which can then be granted to one or more users, thus providing consistency. In this chapter, we’ll explore multiple options for creating roles. We’ll also discuss the different ways that privileges can be granted or revoked from roles and how roles can be nested to simplify the management of the security model.

Chapter 6: Repository Roles

In addition to creating standard database roles, you can also define roles within the SAP HANA development repository. Using repository-based roles can overcome many issues associated with standard database roles. In this chapter, we’ll discuss why you should use repository-based roles. We’ll also review the syntax needed to define repository roles within design-time scripts. As an alternative to defining scripts, we’ll also review how you can use the SAP HANA Web-Based Development Workbench editor graphical user interface (GUI) to create repository-based roles. We’ll also discuss how repository-based roles are granted to existing users and roles. In the end, we’ll walk through a case study in which we’ll discuss common roles implemented at E-Corporation.

Chapter 7: System Privileges

System privileges govern your ability to perform specific actions within an SAP HANA system. These actions are typically related to administrative and development roles. In this chapter, we’ll explore the system privileges available within SAP HANA. We’ll demonstrate how system privileges are granted using SQL statements, the SAP HANA cockpit, and the SAP HANA Web-Based Development Workbench security manager as well as within repository-based roles. We’ll close this chapter with a case study outlining several commonly used administrative roles and their required system privileges.

Chapter 8: Object Privileges

Object privileges play an important role in the development of any SAP HANA security model since they define the types of SQL script actions a user can perform on a catalog object. SAP HANA hosts multiple types of catalog objects. In this chapter, we’ll look closely at object privileges. We’ll demonstrate how you to grant object privileges to users or roles using SQL statements or the SAP HANA cockpit as well as within repository-based roles. We’ll close the chapter with a case study reviewing the workflow used by E-Corporation to add object privileges to a few existing repository-based roles.

Chapter 9: Package Privileges

SAP HANA is a development platform in addition to a data management solution. To facilitate application development, application code storage, security, and application lifecycle management, SAP HANA provides a repository organized into packages. To secure a repository at the package level, you must implement package privileges. In this chapter, we’ll start by discussing the SAP HANA development repository. We’ll then review the various privileges that can be granted for packages and how they’re granted to grantees. Finally, we’ll walk through a case study in which E-Corporation identifies and resolves the gaps in their existing package hierarchy and package privilege design.

Chapter 10: Analytic Privileges

Analytic privileges are used to grant or restrict access to data hosted within the SAP HANA system. In this chapter, we’ll provide an overview of analytic privileges. We’ll discuss the differences between static analytic privileges and dynamic analytic privileges and discuss how classic XML-based analytic privileges are being replaced with newer SQL-based analytic privileges. We’ll demonstrate how to manage and create static and dynamic privileges and review the process for troubleshooting a grantee’s effective analytic privileges. Finally, we’ll discuss the processes available to grant analytic privileges.

Chapter 11: Application Privileges

SAP HANA is an application development platform in which web-based applications are both developed and hosted. At times, these applications also need their own security models, which are called application privileges. In this chapter, we’ll provide an overview of application privileges within SAP HANA, how you can create them, and how they’re granted to roles using a variety of options. We’ll also review the Privileges on Users option and show you how to use it for granting the ATTACH DEBUGGER privilege to another grantee.

Chapter 12: Authentication

For authorization mechanisms to work properly, the SAP HANA system must first properly identify each user. To identify users, SAP HANA supports several authentication mechanisms. In this chapter, we’ll walk through the details of SAP HANA’s internal basic authentication system and its configurable password policy settings. We’ll also discuss the various external providers supported for seamless authentication with the SAP HANA system. Finally, we’ll walk through the process by which E-Corporation defines a stored procedure to add a Security Assertion Markup Language (SAML) identity to an existing user account within SAP HANA.

Chapter 13: Certificate Management and Encryption

In addition to authorization and authentication, you’ll also need encryption to protect your SAP HANA system. In this chapter, we’ll review Secure Sockets Layer (SSL) certificate management within SAP HANA. We’ll also discuss the options available for encrypting communication between client applications and the SAP HANA server. Finally, we’ll discuss the necessary steps for encrypting SAP HANA data and log volumes.

Chapter 14: Security Lifecycle Management

Since SAP HANA is a development platform, security administrators will discover that security-related development artifacts can be transported easily between different SAP HANA instances. In this chapter, we’ll outline the best practices and options available to use this transportation mechanism. We’ll start by discussing how you can maintain a consistent security model. We’ll then review the necessary steps for defining a delivery unit containing security-related artifacts. Then, we’ll review how you can access the SAP HANA application lifecycle management tool. Finally, we’ll discuss additional features within SAP HANA application lifecycle management that can benefit the lifecycle management of security artifacts.

Chapter 15: Auditing

Auditing allows organizations to configure rules that record important activities conducted within the SAP HANA system. In this chapter, we’ll discuss why you need auditing within SAP HANA. We’ll also discuss the required steps for enabling auditing and for defining policies to record critical activities. Finally, we’ll walk through a case study in which you’ll create auditing rules to track important changes within E-Corporation’s SAP HANA landscape.

Chapter 16: Security Tracing and Troubleshooting

In the real world, most security models are quite complex. SAP HANA offers security trace options and system views to help administrators manage their security models. This chapter outlines the required steps for enabling security-related authorization traces and describe how you can review trace file results. In addition, we’ll review various system views that provide details about the rights effectively granted to individual users. We’ll close the chapter with a case study in which E-Corporation queries system views to troubleshoot authorization issues within its environment.

Chapter 17: Security Recommendations

Knowing how to configure and implement security within SAP HANA is vital, and guidelines based on established best practices can help. This chapter provides several recommendations for securing an SAP HANA system based on the principles learned throughout this book. We’ll discuss recommendations related to password authentication, encryption, high-level privileges, the SYSTEM account, escalation vulnerabilities, appliance handover, and audit policies.

Chapter 18: SAP HANA XSA Security

SAP has enhanced the application server included within the SAP HANA platform with SAP HANA extended application services, advanced model (SAP HANA XSA). With this enhancement, a new layer of security and a new methodology for securing application components was introduced. In this chapter, we’ll take a closer look at the security structure of the SAP HANA XSA platform. We’ll start with an overview of the SAP HANA XSA platform. We’ll then discuss SAP HANA XSA users, role collections, organizations, and spaces and show you how they are administered and secured. We’ll briefly discuss SAP Web IDE for SAP HANA, including why it is needed and how you can secure access to the application. Finally, we’ll review the SAP HANA Deployment Infrastructure (HDI) container’s architecture, how runtime security works within the HDI container, how HDI container roles work, and how security administrators can manage runtime access to objects outside of an HDI container.

Acknowledgments

I would like to dedicate this book to God, for the blessing of wisdom and knowledge you have bestowed upon me. To my family and loved ones, thank you for your support and understanding during the endless hours and many weekends that were committed to the completion of this project. To Samantha, Addison, and Mason Haun: Without your thoughtfulness and support, this book would not have been possible. Completing 18 chapters on my own was only possible because you were willing to sacrifice our precious family time. I cherish and love every moment with you and thank for your support.

I’d also like to thank our customers for trusting me with their SAP HANA initiatives. Without these experiences from the field, this book wouldn’t be possible.

I’d also like to recognize Enowa and show my appreciation for the use of its SAP HANA environments hosted within its SAP Center of Excellence. Without Enowa’s support, some of the content within this book could not have been created.

My thanks to Roy Wells, a past coworker and good friend who helped me pioneer many security concepts over years of implementing SAP HANA solutions with our customers. Your wisdom and guidance have helped shape this book.

Finally, my sincere and utmost thanks go to everyone at Rheinwerk Publishing, especially Hareem Shafi and Meagan White. This book required hard-fought battles to complete, and their patience, dedication, and guidance helped me see another publication dream become a reality.