Table of Contents
Dear Reader
Notes on Usage
Table of Contents
Preface
Introduction
1 Managing Security with the SAP HANA Cockpit
1.1 What Is the SAP HANA Cockpit?
1.1.1 SAP HANA Cockpit Architecture
1.1.2 Getting Started with the SAP HANA Cockpit
1.1.3 Navigating SAP HANA Cockpit
1.2 Security Areas in SAP HANA Cockpit
1.2.1 User & Role Management Area
1.2.2 Data Encryption
1.2.3 Authentication
1.2.4 Security Related Links
1.2.5 Anonymization Report
1.2.6 Auditing
1.3 SAP HANA Database Explorer and SQL Console
1.4 Summary
2 Introduction to SAP HANA Privileges
2.1 Privileges within SAP HANA
2.1.1 System Privileges
2.1.2 Object Privileges
2.1.3 Analytic Privileges
2.1.4 Package Privileges
2.1.5 Application Privileges
2.2 Privilege Validation and Assignment
2.2.1 Assigning Privileges
2.2.2 Validating Privileges
2.3 Summary
3 Catalog Objects
3.1 What Are SAP HANA Catalog Objects?
3.2 Creating and Managing Native Catalog Objects
3.2.1 Creating Schemas
3.2.2 Creating Catalog Tables
3.2.3 Creating Other Catalog Objects
3.3 Creating and Managing Repository Catalog Objects
3.3.1 Creating Repository Schemas
3.3.2 Creating Repository Tables
3.4 Deploying Repository Objects
3.5 Case Study
3.6 Summary
4 User Accounts
4.1 What Are User Accounts?
4.1.1 Standard User Accounts
4.1.2 Technical User Accounts
4.1.3 Restricted User Accounts
4.1.4 LDAP User Accounts
4.2 Creating and Managing User Accounts
4.2.1 Creating and Managing Users with SQL Statements
4.2.2 Creating and Managing Users in the SAP HANA Cockpit
4.2.3 Creating and Managing Users with the SAP HANA Web-Based Development Workbench
4.2.4 User Account System Views
4.2.5 Deleting User Accounts
4.3 Granting and Revoking Privileges
4.3.1 Granting and Revoking Privileges with SQL
4.3.2 Granting and Revoking Privileges with the SAP HANA Cockpit
4.3.3 Granting and Revoking Privileges with the SAP HANA Web-Based Development Workbench
4.3.4 Effective Privileges System View
4.4 Managing User Role Assignments
4.4.1 Granting and Revoking Roles with SQL
4.4.2 Granting and Revoking Roles with the SAP HANA Cockpit
4.4.3 Granting and Revoking Roles with the SAP HANA Web-Based Development Workbench
4.4.4 Effective Roles System View
4.5 Case Study: Provisioning Users with SQL Scripts and Stored Procedures
4.5.1 Creating a Repository Schema
4.5.2 Creating a Repository Table
4.5.3 Importing a CSV File into a Table
4.5.4 Creating a Repository Role to Access the Table
4.5.5 Creating Repository Stored Procedures
4.5.6 Executing the Repository Stored Procedure
4.6 Summary
5 Database Roles
5.1 What Are Roles?
5.2 Creating and Managing Roles
5.2.1 Creating and Deleting Roles with SQL Statements
5.2.2 Creating and Deleting Roles with the SAP HANA Cockpit
5.2.3 Creating and Deleting Roles with the SAP HANA Web-Based Development Workbench
5.3 Granting and Revoking Privileges
5.3.1 Methodologies for Granting Privileges to Roles
5.3.2 Granting and Revoking Privileges with SQL
5.3.3 Granting and Revoking Privileges with the SAP HANA Cockpit
5.3.4 Granting and Revoking Privileges with the SAP HANA Web-Based Development Workbench
5.4 Managing Nested Roles
5.4.1 Granting and Revoking Roles with SQL
5.4.2 Granting and Revoking Roles with the SAP HANA Cockpit
5.4.3 Granting and Revoking Roles with the SAP HANA Web-Based Development Workbench
5.5 Mapping LDAP Groups to Roles
5.5.1 Mapping Roles with SQL
5.5.2 Mapping Roles with the SAP HANA Cockpit
5.6 Summary
6 Repository Roles
6.1 What Are Repository Roles?
6.1.1 User Account _SYS_REPO and Repository Roles
6.1.2 Grantors and Privileges
6.1.3 Grantors and Roles
6.1.4 Why Use Repository Roles?
6.2 Managing Repository Roles with Design-Time Scripts
6.2.1 Creating a Repository Package
6.2.2 Creating Repository Roles within a Package
6.2.3 Defining the Role Name Tag
6.2.4 Extending Roles
6.2.5 Assigning Privileges
6.2.6 Save and Activate
6.2.7 Runtime Repository Roles
6.3 Granting and Revoking Privileges in Design-Time Scripts
6.3.1 System Privileges
6.3.2 Schema Privileges
6.3.3 Object Privileges
6.3.4 Structured Privileges
6.3.5 Remote Source Privileges
6.3.6 Analytic Privileges
6.3.7 Application Privileges
6.3.8 Package Privileges
6.4 Managing Repository Roles with the SAP HANA Web-Based Development Workbench
6.4.1 Accessing and Navigating the SAP HANA Web-Based Development Workbench Editor
6.4.2 System Privileges
6.4.3 Object Privileges
6.4.4 Analytic Privileges
6.4.5 Package Privileges
6.4.6 Application Privileges
6.5 Granting Repository Roles to Users
6.5.1 Granting and Revoking Repository Roles with Stored Procedures
6.5.2 Granting and Revoking Repository Roles with SAP HANA Cockpit
6.5.3 Granting and Revoking Repository Roles with the SAP HANA Web-Based Development Workbench
6.6 Case Study: Creating Basic Repository Roles
6.6.1 Consumer Repository Role
6.6.2 Power User Repository Role
6.6.3 Developer Repository Role
6.6.4 Security Administrator Repository Role
6.7 Summary
7 System Privileges
7.1 What Are System Privileges?
7.2 Default System Privileges
7.2.1 Developer-Related System Privileges
7.2.2 Security Admin-Related System Privileges
7.2.3 System Admin-Related System Privileges
7.2.4 Environment Monitoring-Related System Privileges
7.2.5 Environment Performance-Related System Privileges
7.3 Granting System Privileges
7.3.1 Granting System Privileges with SQL
7.3.2 Granting System Privileges with the SAP HANA Cockpit
7.3.3 Granting System Privileges with the SAP HANA Web-Based Development Workbench
7.3.4 Granting System Privileges with Repository Roles
7.4 Case Study: Security Administrator System Privileges
7.4.1 User Management Role
7.4.2 Role Management Role
7.4.3 Data and Communication Encryption Role
7.4.4 System Auditing Role
7.5 Summary
8 Object Privileges
8.1 What Are Object Privileges?
8.1.1 Catalog Object Privileges
8.1.2 Security Considerations for Catalog Objects
8.2 Granting Object Privileges with SQL
8.2.1 Securing Schemas with SQL
8.2.2 Securing Individual Catalog Objects with SQL
8.3 Granting Object Privileges with the SAP HANA Cockpit
8.4 Granting Object Privileges with the SAP HANA Web-Based Development Workbench
8.5 Granting Object Privileges with Repository Roles
8.5.1 Script-Based Repository Roles
8.5.2 SAP HANA Web-Based Development Workbench GUI
8.6 Case Study: Updating Repository Roles to Access Information Views
8.6.1 Consumer
8.6.2 Power User
8.6.3 Developer
8.7 Summary
9 Package Privileges
9.1 What Is the SAP HANA Development Repository?
9.1.1 Structure of the Development Repository
9.1.2 Creating Packages and Subpackages
9.1.3 Overview of Delivery Units
9.2 What Are Package Privileges?
9.3 Granting Package Privileges
9.3.1 Granting Package Privileges with SQL
9.3.2 Granting Package Privileges with the SAP HANA Cockpit
9.3.3 Granting Package Privileges with the SAP HANA Web-Based Development Workbench
9.3.4 Granting Package Privileges within Repository-Based Roles
9.4 Case Study: Preventing Content Developers from Elevating Their Privileges
9.4.1 Assessing the Current Configuration
9.4.2 Recommendations
9.5 Summary
10 Analytic Privileges
10.1 What Are SAP HANA Information Views?
10.1.1 Attribute Views
10.1.2 Analytic Views
10.1.3 Calculation Views
10.2 What Are Analytic Privileges?
10.2.1 XML-Based Analytic Privileges
10.2.2 SQL-Based Analytic Privileges
10.3 _SYS_BI_CP_ALL: A System-Generated Analytic Privilege
10.4 Managing Static Analytic Privileges
10.4.1 Creating Static XML-Based Analytic Privileges
10.4.2 Creating Static SQL-Based Analytic Privileges
10.5 Managing Dynamic Analytic Privileges
10.5.1 Dynamic XML-Based Analytic Privileges
10.5.2 Dynamic SQL-Based Analytic Privileges
10.6 Managing Dynamic Expression-Based SQL Analytic Privileges
10.7 Troubleshooting Effective Analytic Privileges and Filter Conditions
10.8 Granting Analytic Privileges
10.8.1 Granting Analytic Privileges with SQL
10.8.2 Granting Analytic Privileges with the SAP HANA Cockpit
10.8.3 Granting Analytic Privileges with the SAP HANA Web-Based Development Workbench
10.8.4 Granting Analytic Privileges with Repository Roles
10.9 Summary
11 Application Privileges
11.1 What Are Application Privileges?
11.2 Creating Application Privileges
11.3 Granting Application Privileges
11.3.1 Granting Application Privileges with SQL
11.3.2 Granting Application Privileges with the SAP HANA Cockpit
11.3.3 Granting Application Privileges with the SAP HANA Web-Based Development Workbench Security Manager
11.3.4 Granting Application Privileges within Repository Roles
11.4 Privileges on Users
11.4.1 Granting Privileges on Users with the SAP HANA Cockpit
11.4.2 Granting Privileges on Users with SQL
11.5 Summary
12 Authentication
12.1 SAP HANA Internal Authentication Mechanism
12.1.1 Protecting SAP HANA Passwords with Encryption
12.1.2 Configuring the Internal Authentication Password Policy
12.1.3 Managing Password Policy Settings with SQL
12.1.4 Managing Password Policy Settings in GUIs
12.2 SAP HANA and LDAP Authentication
12.3 Supported Third-Party Authentication Providers
12.3.1 Kerberos Authentication
12.3.2 SAML Authentication
12.3.3 X.509 Authentication
12.3.4 SAP Logon Tickets
12.3.5 SAP Assertion Tickets
12.3.6 JWT Identity Providers
12.4 Case Study: Adding SAML Identity User Accounts
12.5 Summary
13 Certificate Management and Encryption
13.1 SSL Certificates
13.1.1 In-Database Certificate Management
13.1.2 External SAP HANA PSE File and Certificate Management
13.2 Client Encryption Settings
13.2.1 SAP HANA Studio
13.2.2 XS Engine Web-Based Applications
13.2.3 JDBC and ODBC Drivers
13.2.4 SAP HANA Cockpit
13.3 Encrypting Data
13.3.1 Server-Side Data Encryption
13.3.2 Managing Root Keys within the SSFS
13.3.3 Encrypting the Data Volume
13.3.4 Encrypting the Log Volume
13.3.5 Encryption the Backup Media
13.4 Summary
14 Security Lifecycle Management
14.1 Maintaining a Consistent Security Model
14.1.1 Best Practices
14.1.2 Testing Security Model Changes
14.1.3 Keeping Repository Roles in Sync
14.2 Creating Delivery Units for Security-Related Packages
14.2.1 Creating a Delivery Unit with SAP HANA Studio
14.2.2 Creating a Delivery Unit with SAP HANA Application Lifecycle Management
14.2.3 Importing and Exporting Delivery Units with SAP HANA Application Lifecycle Management
14.3 Transporting Security Packages to Other SAP HANA Systems
14.3.1 Transporting a Delivery Unit with SAP HANA Application Lifecycle Management
14.3.2 Exporting a Delivery Unit to a File
14.3.3 Importing a Delivery Unit from a File
14.4 Additional Options in SAP HANA Application Lifecycle Management
14.4.1 Change Recording
14.4.2 Using the Change and Transport System
14.5 Summary
15 Auditing
15.1 Why Do You Need Auditing?
15.2 Configuring Auditing
15.2.1 Enable Auditing with the SAP HANA Cockpit
15.2.2 Audit Log Targets and Options in the SAP HANA Cockpit
15.2.3 Viewing Audit Logs in the SAP HANA Cockpit
15.2.4 Enabling Auditing with the SAP HANA Web-Based Development Workbench
15.2.5 Enabling Auditing with SQL
15.3 Creating Audit Policies
15.3.1 Components of the Audit Policy
15.3.2 Managing Policies with the SAP HANA Web-Based Development Workbench
15.3.3 Managing Audit Policies with SQL
15.3.4 Creating Policies with the SAP HANA Cockpit
15.4 Querying Audit Data
15.5 Case Study: Defining Audit Policies
15.5.1 Proactive Event Monitoring
15.5.2 Audit Reporting
15.5.3 Authentication Auditing
15.5.4 Unauthorized Action Auditing
15.5.5 System Change Auditing
15.5.6 Security Management Task Auditing
15.5.7 Super User Event Auditing
15.6 Summary
16 Security Tracing and Troubleshooting
16.1 Authorization Tracing
16.1.1 Enabling Tracing with the SAP HANA Cockpit
16.1.2 Enabling Tracing with SQL
16.1.3 Viewing the Trace File in the SAP HANA Cockpit
16.2 Querying the System to Review Effective Privileges
16.2.1 Granted Privileges
16.2.2 Granted Roles
16.2.3 Accessible Views
16.2.4 Effective Privilege Grantees
16.2.5 Effective Structured Privileges
16.2.6 Effective Privileges
16.2.7 Effective Role Grantees
16.2.8 Effective Roles
16.3 Case Study: Identifying Deficiencies in Information View Access
16.3.1 Troubleshooting the Problem
16.3.2 Reviewing the Results
16.3.3 Reviewing the Solution
16.4 Summary
17 Security Recommendations
17.1 Password Authentication Settings
17.1.1 Standard User Password Policies
17.1.2 Service Accounts
17.2 Encryption Settings
17.3 Identifying Users with Elevated Privileges
17.3.1 System Privileges
17.3.2 Root Package Privileges
17.3.3 Bypass Analytic Privileges
17.3.4 Default Standard Roles
17.3.5 WITH GRANT or WITH ADMIN
17.3.6 Trace, Dump File, and Debug Access
17.4 Disabling the SYSTEM Account
17.5 Identifying Privilege Escalation Vulnerabilities
17.6 Handover from Hardware Vendors
17.7 Creating Audit Policies
17.8 Summary
18 SAP HANA XSA Security
18.1 Overview of SAP HANA XSA
18.2 Managing Space Access, Users, and Roles Collections in SAP HANA XSA
18.2.1 Accessing Applications
18.2.2 Managing SAP HANA XSA Users
18.2.3 Managing SAP HANA XSA Role Collections
18.2.4 Managing Organization and Space Access
18.3 Working with SAP Web IDE for SAP HANA
18.3.1 SAP Web IDE for SAP HANA Overview
18.3.2 SAP HANA Database Explorer in SAP Web IDE for SAP HANA
18.4 HDI Containers and Security
18.4.1 Security Architecture of the HDI Container
18.4.2 HDI Container Roles
18.4.3 Granting the HDI Container Access to External Objects
18.5 Summary
The Author
Index
Service Pages
Legal Notes