Security
(Delta from SPS 08 to SPS 09)
Andrea Kristen, SAP HANA Product Management
November, 2014
Agenda
Authentication
User/role management
Authorization
Encryption
Audit logging
Antivirus software support
Support for multitenant database containers
Public
Authentication
User/role management
Role lifecycle
1. A developer/role designer creates the role in the repository of the development system and tests it
2. The role is transported to the production system, e.g. using HALM or CTS+
3. In the production system, a user administrator grants the role to end users
2014 SAP SE or an SAP affiliate company. All rights reserved.
[Diagram: role lifecycle across a DEV and a PROD system. In DEV, developers/role designers use the Studio or the Web IDE to create .hdbroles files in repository packages (package1/subpackage1). The roles reach PROD by export/import of a Delivery Unit (DU) or by transport (HANA Application Lifecycle Manager, CTS+, ...). In PROD, the repository objects are activated via _SYS_REPO into runtime roles, which user administrators grant/revoke using the Studio.]
User parameter          Description
EMAIL ADDRESS           E-mail address
LOCALE                  Locale
PRIORITY                The priority with which the thread scheduler handles statements executed by the user
MEMORY STATEMENT LIMIT  The maximum memory (in GB) that can be used by a statement executed by the user (if feature enabled globally)
TIME ZONE               Time zone
Syntax
Prerequisite: EXECUTE privilege on the procedures
IS_VALID_USER_NAME(IN user_name NVARCHAR(256), OUT error_code INT, OUT error_message NVARCHAR(5000))
IS_VALID_PASSWORD(IN password NVARCHAR(256), OUT error_code INT, OUT error_message NVARCHAR(5000))
Parameter / Description / Default
automatic_user_creation
forgot_password
request_new_user
false
reset_locked_user
false
sender_email
token_expiry_time
false
Account is requested for this XS application
Authorization
Encryption
More information
SAP HANA Developer Guide
Audit logging
[Diagram: Application 1 and Application 2 shown against tenant database 1* and tenant database 2, alongside the system database.]
[Diagram: Host 1 with a Web Dispatcher, the system database (metadata, landscape info, its own XS) and Tenant DB1, Tenant DB2 and Tenant DB3 (each with its own metadata, tables and XS). SQL ports shown: 3XX13, 3XX41, 3XX45, 3XX49.]
Details
Authentication: User name and password (incl. password policy), Kerberos/SPNEGO, SAML, SAP logon and assertion tickets, X.509 (XS access only). Note: For details on the available configuration options (system-wide/per database), please refer to the documentation.
User/role management: Isolation of users and roles between the system database and all of the tenant databases; SYSTEM user in system database and SYSTEM user in each tenant database; additional system privilege DATABASE ADMIN in the system database for tenant database administration.
Encryption: Communication encryption (SSL), data volume encryption (per database, separate root keys), backup encryption via 3rd party backup tools.
Audit logging: Standard audit logging concept; audit trail written to Linux syslog or to SAP HANA database table. Audit trail configuration via system database, audit policy configuration per database.
Security administration: SAP HANA Studio, XS Administration Tool, SQL interface (command line tool hdbsql).
[Diagram: in an SAP HANA system, User_1 executes SELECT * FROM TABLE_A against Table_A; the access is performed as User_2 with remote identity.]
More information
SAP HANA information
SAP Help Portal: Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide
SAP HANA Security Whitepaper
How to Define Standard Roles for SAP HANA Systems
Thank you
Contact information
Andrea Kristen
SAP HANA Product Management
AskSAPHANA@sap.com
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services
are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or
release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for
any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.