1.2 Security Areas in SAP HANA Cockpit
Up to this point in the chapter, we’ve discussed the architecture of the SAP HANA cockpit, including deployment options. We’ve explored the SAP HANA cockpit manager and described the high-level steps required to set up users, resource groups, and registered systems. Finally, we provided high-level information about how you can access a registered system in the SAP HANA cockpit and then access a registered system’s System Overview page. On the System Overview page, you can filter the various options available using the Filter by Area dropdown list. For the purposes of managing security, we’ll find most options in this area.
The security area provides tiles and links to the Data Encryption, Auditing, Authentication, Security Related Links, User & Role Management, and Anonymization Report areas. In the next section, we’ll provide a high-level overview of each area and describe how you’ll use these areas to manage an SAP HANA security model.
1.2.1 User & Role Management Area
The User & Role Management area provides several links, such as the Manage Users, Assign roles to users, Assign privileges to users, Manage roles, Manage user groups, and View database object dependencies links, as shown in Figure 1.11.
Figure 1.11 The User & Role Management Tile in SAP HANA Cockpit
The following list outlines what each link in this tile is used for. In subsequent chapters, we’ll demonstrate these items in more detail. However, in this chapter, we’ll only provide a basic overview of each link. Let’s briefly look at each link:
- Manage users
  You’ll use this link to create, edit, and delete database users. You can only configure user account settings in this link. For example, you can configure the user’s authentication mode, password, third-party authentication settings, and custom user properties in this area. You cannot use this area to grant roles or privileges to users. Instead, you’ll use the Assign role to users and Assign privilege to users links for those activities. We’ll discuss these options in more detail in Chapter 4.
- Assign role to users
  You’ll use this link to grant a role to, or revoke a role from, a user account. We’ll discuss this link in more detail in Chapter 5.
- Assign privilege to users
  You’ll use this link to grant individual privileges to, or revoke them from, a user. We’ll discuss this link in more detail in Chapter 4 and from Chapter 6 through Chapter 11.
- Manage roles
  You’ll use this link to view and manage standard database runtime roles, for example, granting additional roles, system privileges, and object privileges to a role. You’ll also use this link to create and delete roles. We’ll discuss this link in more detail in Chapter 5.
- Manage user group
  You’ll use this link to create and edit user groups. User groups help organize users into groups. You can configure user groups so that only specific users can manage the other user accounts within the group. You can also establish a unique password policy for each user group.
- View database object dependencies
  You’ll use this link to review the authorization dependencies of a given catalog object, an important step that security administrators must perform before deleting database objects and for determining which users have access to a database object.
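The review described under View database object dependencies can also be run in SQL against the catalog's system views. The following is an added example, not taken from the book: the schema, table, view, role, and user names and the initial password are hypothetical placeholders, and the session is assumed to have the privileges needed to create these objects and to read other users' entries in the catalog views.

```sql
-- Constructed sample objects (all EX_* names are hypothetical).
CREATE SCHEMA "EX_SALES";
CREATE COLUMN TABLE "EX_SALES"."ORDERS" (
  "ID"     INTEGER PRIMARY KEY,
  "AMOUNT" DECIMAL(10,2)
);
CREATE VIEW "EX_SALES"."V_ORDERS" AS
  SELECT "ID", "AMOUNT" FROM "EX_SALES"."ORDERS";

CREATE ROLE "EX_SALES_READ";
GRANT SELECT ON "EX_SALES"."ORDERS" TO "EX_SALES_READ";
CREATE USER "EX_ANALYST" PASSWORD "Placeholder_Pw_1";  -- placeholder value
GRANT "EX_SALES_READ" TO "EX_ANALYST";

-- 1. Which objects depend on the table? These are invalidated (or block
--    a DROP ... RESTRICT) if the table is deleted.
SELECT DEPENDENT_SCHEMA_NAME, DEPENDENT_OBJECT_NAME,
       DEPENDENT_OBJECT_TYPE, DEPENDENCY_TYPE
  FROM SYS.OBJECT_DEPENDENCIES
 WHERE BASE_SCHEMA_NAME = 'EX_SALES'
   AND BASE_OBJECT_NAME = 'ORDERS';

-- 2. Who holds a privilege directly on the table (users and roles)?
--    Grants made on the whole schema have OBJECT_NAME set to NULL,
--    so they need a separate check on SCHEMA_NAME alone.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, IS_GRANTABLE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE SCHEMA_NAME = 'EX_SALES'
   AND OBJECT_NAME = 'ORDERS';

-- 3. Which users receive that access through a role? This join resolves
--    one level only; roles granted to other roles need a further pass.
SELECT r.GRANTEE AS USER_NAME, p.GRANTEE AS VIA_ROLE, p.PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES p
  JOIN SYS.GRANTED_ROLES r
    ON r.ROLE_NAME = p.GRANTEE
 WHERE p.GRANTEE_TYPE = 'ROLE'
   AND r.GRANTEE_TYPE = 'USER'
   AND p.SCHEMA_NAME  = 'EX_SALES'
   AND p.OBJECT_NAME  = 'ORDERS';
```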
In the next section, we’ll explore the Data Encryption tile and its links.
1.2.2 Data Encryption
You’ll use the Data Encryption tile and its links to manage data encryption options for data at rest. The tile itself contains slider buttons where you can quickly enable or disable (ON or OFF) Data Volume Encryption, Redo Log Encryption, and Backup Encryption, as shown in Figure 1.12.
Figure 1.12 Data Encryption Tile and Links in SAP HANA Cockpit
In addition to using the sliders, each item can be clicked, including the tile’s title, to navigate to additional options for each item in the Data Encryption configuration interface. We’ll discuss this interface and these options in more detail in Chapter 13. You should now have a basic understanding of how to access the Data Encryption tile and of the options it offers for managing an SAP HANA security model. In the next section, we’ll explore the Authentication tile and links.
1.2.3 Authentication
You’ll use the Authentication tile and its links to manage password policies, single sign-on (SSO), and the SYSTEM user’s password. The links in this tile (Password Policy, Single Sign-On, and SYSTEM User Password) can be clicked to manage each specific area, as shown in Figure 1.13.
Figure 1.13 Authentication Tile and Links in SAP HANA Cockpit
In Chapter 12, we’ll discuss these link options in more detail. You should now have a basic understanding of how to access the Authentication tile and the options available when managing an SAP HANA security model. In the next section, we’ll explore the Security Related Links tile and its links.
1.2.4 Security Related Links
You’ll use the Security Related Links tile and its links to manage several security-related items in the SAP HANA database, as shown in Figure 1.14.
Figure 1.14 Security Related Links Tile and Links in SAP HANA Cockpit
Let’s explore the purpose and intended use of each link in more detail:
- Manage certificates
  You’ll use this link to access in-database certificates. As we’ll discuss further in Chapter 13, you’ll use this interface to import and delete certificates.
- Manage certificate collections
  You’ll use this link to manage certificate collections. A certificate collection is a physical or logical store that holds a certificate and defines its purpose. As we’ll discuss further in Chapter 13, you’ll use this interface to manage certificate collections stored within the database.
- View network security information
  You’ll use this link to access a page that provides general information concerning the status of communication encryption, the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) settings and types, and internal communication encryption. This information is read-only, and no settings can be changed within this interface.
- Manage SAML identity providers
  You’ll use this link to manage third-party Security Assertion Markup Language (SAML) authentication providers and to import and delete SAML certificates critical to this mechanism. As we’ll discuss further in Chapter 12, SAML can provide SSO capabilities to the SAP HANA database and web application interfaces.
- Manage JWT identity providers
  You’ll use this link to manage JSON Web Token (JWT) providers supported for SSO within the SAP HANA system. JWT is an open standard (RFC 7519) that outlines a means for communicating security information between two parties using JavaScript Object Notation (JSON) objects. SAP HANA has limited support for this functionality, as we’ll discuss further in Chapter 12.
- Security checklist
  You’ll use this link to access SAP’s checklist for comparing current SAP HANA security settings to recommendations from SAP. This checklist provides real-time reports, warnings, and information related to securing your SAP HANA system. The interface only provides warnings and does not recommend specific actions. See Chapter 17 for ways to mitigate the risk associated with some of the warnings found in the checklist.
- Security administration help
  You’ll use this link to open the SAP HANA Administration with SAP HANA Cockpit Guide hosted on the SAP HANA cockpit web application server. This guide provides detailed information on administering the SAP HANA cockpit. This link will take you directly to the “Security Administration” section of the guide.
- SAP HANA security website
  You’ll use this link to open the SAP HANA security product page at www.sap.com. On this page, you’ll find links to pertinent security help documents, white papers, and case studies.
You should now have a basic understanding of how to access the Security Related Links tile and the options it offers when managing an SAP HANA security model. In the next section, we’ll explore the Anonymization Report tile and its links.
1.2.5 Anonymization Report
Starting with SAP HANA 2.0 SPS 04, you can define SQL views that anonymize data when the data is queried, based on a variety of parameters and methods. Views protected with this functionality are called anonymization views. You can use the Anonymization Report tile and its View Available Anonymization Views link to navigate to the Anonymization Report interface. On the Anonymization Report interface, you’ll see a list of catalog views where this feature is enabled. You can click each listed view to see read-only information about the anonymization parameters and method that have been applied to the view.
Note that you can apply this feature to a view using SQL statements or when developing a calculation view with SAP Web IDE for SAP HANA. You cannot create these views using the SAP HANA cockpit at this time.
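Because anonymization views can only be created outside the cockpit, the following added example (not taken from the book) shows the SQL route with the k-anonymity method. The table, view, and column names and all rows are constructed for illustration, and the session is assumed to be allowed to create objects in the current schema.

```sql
-- Constructed sample data: ID is the required sequence column,
-- GENDER and CITY are the quasi-identifiers to be generalized.
CREATE COLUMN TABLE "EX_ILLNESS" (
  "ID"      INTEGER PRIMARY KEY,
  "GENDER"  NVARCHAR(1),
  "CITY"    NVARCHAR(20),
  "ILLNESS" NVARCHAR(20)
);
INSERT INTO "EX_ILLNESS" VALUES (1, 'F', 'Paris',  'Influenza');
INSERT INTO "EX_ILLNESS" VALUES (2, 'M', 'Munich', 'Asthma');
INSERT INTO "EX_ILLNESS" VALUES (3, 'F', 'Nice',   'Asthma');
INSERT INTO "EX_ILLNESS" VALUES (4, 'M', 'Munich', 'Influenza');
INSERT INTO "EX_ILLNESS" VALUES (5, 'F', 'Paris',  'Diabetes');
INSERT INTO "EX_ILLNESS" VALUES (6, 'M', 'Nice',   'Diabetes');

-- k = 2: every combination of quasi-identifier values returned by the
-- view must be shared by at least two rows. Each hierarchy lists, per
-- original value, the more general values it may be replaced with.
CREATE VIEW "EX_ILLNESS_K_ANON" ("ID", "GENDER", "LOCATION", "ILLNESS") AS
  SELECT "ID", "GENDER", "CITY" AS "LOCATION", "ILLNESS"
    FROM "EX_ILLNESS"
  WITH ANONYMIZATION (
    ALGORITHM 'K-ANONYMITY'
    PARAMETERS '{"k": 2}'
    COLUMN "ID"       PARAMETERS '{"is_sequence": true}'
    COLUMN "GENDER"   PARAMETERS '{"is_quasi_identifier": true, "hierarchy": {"embedded": [["F"], ["M"]]}}'
    COLUMN "LOCATION" PARAMETERS '{"is_quasi_identifier": true, "hierarchy": {"embedded": [["Paris", "France"], ["Munich", "Germany"], ["Nice", "France"]]}}'
  );

-- The view returns data only after its anonymization has been computed.
REFRESH VIEW "EX_ILLNESS_K_ANON" ANONYMIZATION;

-- Consumers query the view, not the base table.
SELECT * FROM "EX_ILLNESS_K_ANON";

-- The method and parameters recorded in the catalog for this view.
SELECT * FROM SYS.ANONYMIZATION_VIEWS
 WHERE VIEW_NAME = 'EX_ILLNESS_K_ANON';
```

The protection holds only if consumers are granted SELECT on the view and not on the underlying table.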
You should now have a basic understanding of how to access the Anonymization Report tile and the options it offers when managing an SAP HANA security model. In the next section, we’ll explore the Auditing tile and its links.
1.2.6 Auditing
The Auditing tile and its links can be used to access audit settings and to configure audit policies within the SAP HANA database. Audit policies, as discussed further in Chapter 15, are used to track specific actions within the SAP HANA database. All the links in this tile can be clicked, including the Auditing header, which navigates you to the Auditing configuration interface, as shown in Figure 1.15.
Figure 1.15 Auditing Tile and Links in SAP HANA Cockpit
The Status link; the Audit Trail Target link; the Enabled Audit Policies link, which includes a summary of the enabled policies; and the Disabled Audit Policies link, which also includes a summary, can be clicked to take you directly to the corresponding setting in the Auditing configuration interface. At the bottom of the tile is the Turn on Auditing link, which will enable the auditing mechanism.
You should now have a basic understanding of how to access the Auditing configuration interface using the Auditing tile and the link options it provides. We’ve concluded our high-level overview of the tiles and links that the SAP HANA cockpit provides for managing security. Subsequent chapters will provide additional information on how to use each tile and its links to manage your SAP HANA security model.
In the next section, we’ll explore the SAP HANA database explorer and the SQL console, both important tool sets within the SAP HANA cockpit. As you’ll discover, you’ll need to use these tools to explore the database and to execute SQL statements, all of which are necessary to manage an SAP HANA security model.