SAP HANA SPS 09 - Security PDF

SAP HANA SPS 09 - Whats New?
Security
(Delta from SPS 08 to SPS 09)
Andrea Kristen, SAP HANA Product Management
2014 SAP AG or an SAP affiliate company. All rights reserved.
November, 2014
Agenda
Authentication
User/role management
Authorization
Encryption
Audit logging
Antivirus software support
Support for multitenant database containers
2014 SAP SE or an SAP affiliate company. All rights reserved.
Public
Authentication
Whats New in SAP HANA SPS09: Security

Changed emergency reset mechanism for the of SYSTEM user password
The new mechanism for resetting the SYSTEM user password uses the index server in
emergency mode
This password reset mechanism should only be used if the SYSTEM user password was lost.
Emergency reset of the SYSTEM user password
Prerequisite: Credentials of the operating system administrator <sid>adm, access to the master index server
1. As <sid>adm, log on to the server on which the master index server is running
2. On the command line, shut down the SAP HANA system, then start the name, compile and index servers
3. Use the following command to reset the password
/usr/sap/<SID>/HDB<instance>/exe/hdbindexserver resetUserSystem
Afterwards, the index server is automatically stopped
4. End the name and compile server processes
5. On the command line, start the SAP HANA system
Note: In a system with multitenant database containers, you can reset the passwords of the SYSTEM users in the
same way by starting the name server (for the system database) or index server (for tenant databases) in
emergency mode
Public

System view showing authentication method for connected users
The system view M_CONNECTIONS now
contains additional information about the
authentication method
Per default, users can only query information about
themselves
Viewing information for all connected users
Prerequisite: system privilege CATALOG READ
1. In SAP HANA Studio, open the SQL editor
2. Enter the following SQL statement:
SELECT USER_NAME, AUTHENTICATION_METHOD
FROM M_CONNECTIONS
Public
User/role management

Repository role editor (I)
A graphical editor for repository roles is now available as part of the SAP HANA Web-based
Development Workbench (Web IDE)
In earlier versions, only a text editor in SAP HANA studio was available.
There are two types of roles in SAP HANA: catalog roles and repository roles. For most use cases it is
recommended to use repository roles. Compared to catalog roles, they offer several advantages, e.g.
Versioning
Integration with standard transport mechanisms
Decoupling of role creation from role granting/revoking
Support for standard DEV QA PROD landscapes
Separation of duties
Role lifecycle
1. A developer/role designer creates the role in the repository of the development system and tests it
2. The role is transported to the production system, e.g. using HALM or CTS+
3. In the production system, a user administrator grants the role to end users
Public

Repository role editor (II)
Design time
Runtime
User
administrators
Developers/
role designers
Studio
Web IDE
Studio
New
Repository
package1
subpackage1
.hdbroles
DEV
Database
Repository
Export/import:
Delivery Unit (DU)
Transport:
HANA Application
Lifecycle Manager,
CTS+, ...
package1
subpackage1
.hdbroles
Activation
via
_SYS_REPO
role
Grant/revoke
PROD
Public

Repository role editor (III)
Creating a new repository role
Prerequisites
o sap.hana.xs.ide.roles::EditorDeveloper role
o Package privileges on the required packages
1. Open the Editor of the Web IDE in your web browser:

http://<database_server>:80<instance_no>/sap/hana/xs/ide/editor
2. In the Content tree, right-click on the folder where you

want to create the new role and choose New Role
3. Enter a role name and choose Create
4. Select the roles and privileges that you want to
include in the new role
5. Save the role using
(Save)
Note: The role will be saved and activated in one step. If
you want to only save the role, choose
(Settings) and
select Enable inactive save. An additional icon will be
displayed in the toolbar:
(Save without Activating)
Public

Web-based administration and development tools
Web-based administration and development tools
As part of the general SAP UI strategy, administration and development functions are being made
available in web-based tools such as SAP HANA Cockpit and SAP HANA Web-based Development
Workbench (Web IDE).
One of the prerequisites for using these functions is a web browser with SAPUI5 support.
Information on web browsers with SAPUI5 support
SAP Note 1716423 - SAPUI5 Browser Support
PAM for SAPUI5: https://websmp130.sapag.de/sap(bD1lbiZjPTAwMQ==)/support/pam/pam.html?smpsrv=https%3A%2F%2Fwebsmp105.sapag.de#pvnr=01200314690900004969&pt=t%7CWBRPFM&ainstnr=01200314694900015214&ts=0
Public
10

Accessing the web-based user and catalog role editors in Web IDE
The SAP HANA Web IDE contains a user editor
and a catalog role editor for scenarios where
only web-based tools are available
Access from Web IDE
Prerequisites:
o USER ADMIN or ROLE ADMIN system privilege
o sap.hana.xs.ide.roles::SecurityAdmin role
1. Log on to Web IDE (http://<host>:<port>/sap/hana/xs/ide)

2. Click on the Security tile
Access from SAP HANA Cockpit

Prerequisites (in addition to above):
o sap.hana.admin.roles::Monitoring
1. Log on to SAP HANA Cockpit

(http://<host>:<port>/sap/hana/admin/cockpit)
2. Click on the Manage Roles and Users tile
Public
11

Maintaining user parameters in SAP HANA Studio
You can now maintain user parameters in SAP
HANA Studio
Users can change their own parameters.
Maintaining user parameters for other users
Prerequisites: USER ADMIN system privilege
1. In the Systems view, double-click the user under
Security Users and open the User Parameters tab
2. Choose the user parameter and enter a value
3. Save by choosing the
(Deploy) button
User parameter
Description
EMAIL ADDRESS
E-mail address
LOCALE
Locale
PRIORITY
The priority with which the thread scheduler handles statements executed by the user
MEMORY STATEMENT LIMIT The maximum memory (in GB) that can be used by a statement executed by the user (if feature enabled globally)
TIME ZONE
Time zone
Public
12

New alert: Support role granted to users
Alert notifies administrators when a user is granted the SAP_HANA_INTERNAL_SUPPORT role
The support role contains privileges that allow access to certain low-level internal system views
needed by SAP HANA development support in support situations, which otherwise would only be
accessible to the SYSTEM user. All access is read only, and the role does not allow access to any
customer data. The low-level internal system views are not part of the stable end-user interface and
might change from revision to revision. To avoid users accidentally accessing these internal system
views in applications or scripts, this role is subject to usage restrictions.
Configuring the alert thresholds
Prerequisite: system privilege INIFILE ADMIN
1. In the Administration editor in SAP HANA Studio, open the Alerts tab and choose the (Configure...) button.
2. Open the Configure Check Thresholds tab and choose check 63.
3. Specify the threshold values. Default: 1 user, alert priority low
Switching off the alert

See SAP Note 1991615
Public
13

New built-in procedures to check compliance with password policy
Application developers can use the new procedures to verify that a new user name and
password are compliant before actually creating the user
Some restrictions apply to the characters that may be used in user names. Passwords need to adhere
to the password policy that has been configured for the system.
Procedures:
SYS.IS_VALID_USER_NAME
SYS.IS_VALID_PASSWORD
Syntax
Prerequisite: EXECUTE privilege on the procedures
IS_VALID_USER_NAME (IN user_name NVARCHAR(256), OUT error_code INT, OUT
error_message NVARCHAR(5000))
IS_VALID_PASSWORD(IN password NVARCHAR(256), OUT error_code INT, OUT error_message
NVARCHAR(5000))
Public
14

Web-based user self-services (I)
SAP HANA now provides web-based user selfservices for resetting your own password and
for requesting a new user account
The user self-services are part of the
HANA_XS_BASE delivery unit (autocontent).
When enabled, they are available on the SAP
HANA logon screen. They are disabled by default.
Public
15

Web-based user self-services (II)
Configuring user self-services
Prerequisites:
o See the SAP HANA Administration Guide
1. Configure the XSSQLCC technical user which is used

by the user self-services
2. Configure the user self-service parameters in the
xsengine.ini file
3. Configure the SMTP server that SAP HANA XS
applications can use to send mails
4. Configure dedicated administrators for the user selfservice administration tool. These administrators
process user requests and manage blacklists and
whitelists
Parameter
Description
Default
automatic_user_creation
Defines whether a user creation

request needs approval
forgot_password
Defines whether the password reset false

self-service is enabled
request_new_user
Defines whether the new user

account self-service is enabled
false
reset_locked_user
Defines whether password reset for

a locked user is enabled
false
sender_email
Mail address for sending out the

registration mails/tokens
token_expiry_time
Duration (in s) for which a generated 3600

token is valid
user_creation_request_count Number of times a user with the
false
same mail address can request an

account before being added to the
blacklist
Public
16

Web-based user self-services (III)
Resetting your password
Prerequisite:
o User self-service is enabled in the SAP
HANA system
1. On the SAP HANA logon page, choose

Forgot your password?
2. Enter your user name
3. A mail is sent to your mail address with
a link to reset the password
4. Enter a new password and answer the
security question that you specified
when you initially set up your account
Public
17

Web-based user self-services (IV)
Requesting a new account
Prerequisite:
o User self-service is enabled in the SAP
HANA system
1. On the SAP HANA logon screen, choose

Request account
2. Choose a user name and enter your mail
address
3. A verification link is sent to your mail
address
4. After clicking the verification link, choose
a password and a security question
5. Your request is sent to the system
administrator for approval
6. After approval, your account is activated
and you get notified by mail
Public
18

Web-based user self-services (V)
Approving new account requests
Prerequisites:
o User self-service is enabled in the SAP HANA system
o sap.hana.xs.selfService.admin.roles::USSAdministrator
role
1. Log on to the user self-service administration tool:

http://<host>:<port>/sap/hana/xs/selfService/admin
2. Review the pending requests

o Approve/reject request
o Assign application roles if required
Note: To assign roles, you can use the Web IDE user and
role editor
o Add domain/mail address/IP range to blacklist if required
3. After you have approved a request, a notification mail

is sent to the user.
Account is requested
for this XS application
Open user and role

editor in Web IDE
User is activated
and notified
Public
19
Authorization

Extension of SQL-based analytic privileges
SQL-based analytic privileges can now also be used with SQL views
In earlier versions, SQL-based analytic privileges could only be applied to analytic views.
Analytic privileges allow row-based access control to views. They filter query results according to the
attributes of the session user.
Comparison between XML-based and SQL-based analytic privileges
XML-based analytic privileges
SQL-based analytic privileges
More difficult to use due to complex XML format

Limited expressiveness with regard to filtering
capabilities
Only analytic views are supported
Design time available
CREATE STRUCTURED PRIVILEGE

<xml_definition>
CREATE STRUCTURED PRIVILEGE <name> FOR

SELECT ON <view> WHERE a=10
Intuitive specification using SQL syntax

Flexible combination of filters
Sub-queries as filters
Analytic and SQL views are supported
No design time support yet
Public
21

New system privilege: TABLE ADMIN
A new system privilege for administrators has been introduced
The new system privilege TABLE ADMIN authorizes the following administrative actions that are
related to the management of tables:
LOAD
Load specified column store tables from disk into memory (otherwise they will be loaded into memory on first
access)
UNLOAD
Unload specified column store tables from memory to disk (e.g. to free up memory; the tables will be loaded into
memory again on next access)
MERGE DELTA
Merge the column store tables delta storage to the tables main storage
Public
22
Encryption

XS encryption service for applications
XS applications can now store values in encrypted form
Application developers can use the XS API $.security.Store to define a secure store for
encrypted name-value pairs for their XS application.
Options
Application-wide data visibility
All users of the XS application have access to one secure store
All users share the same data and can decrypt or encrypt data
Example: passwords for a remote system
User-specific data visibility
Each user of the XS application has a separate container to securely store encrypted data
Only the owner of the secure store and the respective user can decrypt the data
Examples: credit card numbers or personal-information-number (PIN) codes
More information
SAP HANA Developer Guide
Public
24

CommonCryptoLib part of standard delivery
CommonCryptoLib is now part of the SAP HANA standard delivery.
Up to now, customers were required to download CommonCryptoLib from SAP Marketplace.
SAP CommonCryptoLib is the successor of SAPCRYPTOLIB and is the default cryptographic library
for SAP HANA. It is used for operations that require cryptography, for example data volume encryption
and SSL communication encryption.
CommonCryptoLib is installed as part of SAP HANA server installation at the default location for library
lookup: /usr/sap/<SID>/SYS/exe/hdb/libsapcrypto.so
Note: The OpenSSL library is also installed as part of the operating system installation. For most use
cases it is also possible to use OpenSSL instead of CommonCryptoLib. However, there are already
some features in SAP HANA that are only supported by CommonCryptoLib, and future features might
also only be supported by CommonCryptoLib.
For information on the migration process from OpenSSL to CommonCryptoLib, see SAP Note
2093286.
Public
25
Audit logging

Specify schema when creating audit policy on database objects
You can now specify a schema if you want to
audit all database objects belonging to the
schema
Creating an audit policy for a schema
Prerequisites: System privilege AUDIT ADMIN
1. In the Systems view, double-click on Security and
open the Auditing tab
2. In the Audit Policies area, choose Create New Policy
3. Enter the policy name
4. In Audited Actions, select an audit action that applies
to database objects, e.g. DELETE
5. As Target Object, select the schema
6. Choose the
(Deploy) button
Public
27

More granular audit trail target definition (I)
You can now specify the audit trail target per audit policy
Options for the audit trail target
System-wide default: Audit entries are written to the audit trail target(s) configured for the system if no other
trail target has been configured per audit level
Audit level (optional): Audit entries from audit policies with the audit level EMERGENCY, CRITICAL, or ALERT
are written to the specified audit trail target(s). If no audit trail target is configured, entries are written to the audit
trail target configured for the system.
New Audit policy (optional): Audit entries from a particular policy are written to the specified audit trail
target(s). If no audit trail target is configured for an audit policy, entries are written to the audit trail target for the
audit level if configured, or the audit trail target configured for the system. Several audit trail targets are
configurable for each individual policy.
Public
29

More granular audit trail target definition (II)
Specifying multiple audit trail targets
Prerequisites: system privilege AUDIT ADMIN, auditing
has been enabled
1. In the Systems view, double-click on Security and
open the Auditing tab
2. In the Audit Trail Target section of the audit policy,
select the audit trail targets
3. Choose the
(Deploy) button.
Public
30

Audit entries of prepared statements show parameter values
Parameter values in prepared statements are
now recorded in the audit trail
Up to now, only ? was displayed in the audit trail.
Example
1. Create and deploy a new audit policy for INSERT
actions on your test table
2. Insert a value into the test table using a prepared
SQL statement
3. Check the STATEMENT_STRING field in the audit
trail
Public
31

New audit actions for data volume encryption
Changes to the data volume encryption can
now be recorded in the audit trail
When you include ALTER PERSISTENCE
ENCRYPTION in an audit policy, the following
actions will be recorded in the audit trail:
Switching the data volume encryption on/off
Creating a new encryption key
Re-encrypting old encrypted data with the current key
Public
32
Antivirus software support

XS antivirus interface
XS applications can now integrate antivirus tools to check uploaded data
Application developers can use the XS API $.security.Antivirus to integrate an antivirus engine
with their XS applications.
Note: For production systems, only certified antivirus engines should be used.
More information:
SAP HANA Developer Guide
Supported antivirus engines/certification: SAP Note 786179
Public
34
Support for multitenant

database containers

Multitenant database containers: Overview
Multitenant database containers are a new way
to run multiple applications/scenarios on one
SAP HANA system
1 system database and multiple tenant databases
Shared installation of database system software
Strong isolation features, the system database and
each of the tenant databases have their own:
Database users, database catalog, repository,
persistence, backups, traces and diagnosis files
Distinction between tasks performed at system level
and those performed at database level
Integration with data center operation procedures
Application 1
Application 2
Tenant
database 1*
Tenant
database 2
System
database
SAP HANA system

*tenant database = database container
Public
36

Security aspects of multitenant database containers (I)
http - Virtual host names per XS
Clients connect via dedicated ports to

individual databases
Security-relevant features are
configurable per database
Only controlled access between
databases
Tenant databases are created and
managed from the system database
o But: No direct access to tenant database
table content from the system database
Host 1
Web Dispatcher
SQL Port
3XX13
XS
System database
SQL Port
3XX45
Metadata
Landscape info
SQL Port
3XX41
XS
XS
XS
Tenant DB1
Tenant DB2
Tenant DB3
Metadata
Tables
Metadata
Tables
Metadata
Tables
SQL Port
3XX49
SAP HANA System

Public
37

Security aspects of multitenant database containers (II)
Unlike a single database system in which system and database are a single unit and
administered as one, an MDC system has 2 levels of administration.
Administration tasks performed in the system database include:
Starting and stopping the whole system

Monitoring the system
Configuring parameters at system level
Managing tenant databases: Creating/dropping databases, configuring database-specific parameters, adding
services to databases for scalability, backing up databases, recovering databases
Administration tasks performed in tenant databases include:
Monitoring the database

Provisioning database users
Creating and deleting schemas, tables, and indexes in the database
Backing up the database
Configuring database-specific parameters
Public
38

Security aspects of multitenant database containers (III)
Function
Details
Authentication
User name and password (incl. password policy), Kerberos/SPNEGO, SAML, SAP logon and assertion tickets, X.509 (XS
access only)
Note: For details on the available configuration options (system-wide/per database), please refer to the documentation.
Isolation of users and roles between the system database and all of the tenant databases
SYSTEM user in system database and SYSTEM user in each tenant database
Standard privilege concept
Additional system privilege DATABASE ADMIN in the system database for tenant database administration
Read-only cross-database queries supported (disabled by default)
Option to disable specific administration functions in tenant databases, e.g. export/import
Encryption
Communication encryption (SSL), data volume encryption (per database, separate root keys), backup encryption via 3rd
party backup tools
Audit logging
Standard audit logging concept; audit trail written to Linux syslog or to SAP HANA database table
Audit trail configuration via system database, audit policy configuration per database
SAP HANA Studio, XS Administration Tool, SQL interface (command line tool hdbsql)
Users and roles

Authorization
Security
administration
Public
39

Restricted features in tenant databases (I)
Certain security-relevant features can be enabled/disabled in tenant databases
Not all features are required/desirable in all environments, e.g. features that provide direct access to
the file system, the network, or other critical resources.
The system view M_CUSTOMIZABLE_FUNCTIONALITIES provides information about such restricted features
that can be disabled in tenant databases. This view exists in both the SYS schema of every database, where it
contains database-specific information, and in the SYS_DATABASES schema of the system database, where it
contains information about the enablement of features in all databases.
You disable/enable restricted features in tenant databases via the global.ini file of the system database.
All restricted features are enabled in the system database and cannot be disabled there.
Public
40

Restricted features in tenant databases (II)
Enabling/disabling features in tenant databases
Prerequisites: User in the system database with
CATALOG READ and INIFILE ADMIN privileges
1. In the Administration editor in SAP HANA Studio,
open the Configuration tab
2. In the global.ini file
customizable_functionalities section,
double-click on the feature to be disabled
3. Select Database as the layer and set the value to
FALSE. Note: Features are hierarchically structured. If
you enable a feature with sub-features, these are also
enabled.
4. Restart the tenant database.
ALTER SYSTEM STOP DATABASE <tenant_db>;
ALTER SYSTEM START DATABASE <tenant_db>;
Prerequisite: DATABASE ADMIN privilege
Public
41

Cross-database queries (I)
In multiple-container systems, read-only
queries across database containers are
supported but not enabled by default
If enabled, a user from one tenant database can
execute queries in another tenant database if this
user is mapped to a user with remote identity
there.
A user in the target database can only be associated
with one user in the source database
The association is unidirectional
Only the SELECT privileges of the user in the target
database are considered during a cross-database
query, all other privileges of the remote user are
ignored.
Tenant database TN1

(source)
Tenant database TN2

(target)
SELECT *
FROM TABLE_A
User_1
User_2 with
remote identity
Table_A
SAP HANA system
Public
42

Cross-database queries (II)
Configuring cross-database queries
Prerequisite: DATABASE ADMIN system privilege in the
system database
1. In the Administration editor, open the Configuration tab
2. In global.ini cross_database_access
system layer, set the property enable to true
3. Add a new parameter
targets_for_<source_db_name> and define the
target databases as a comma-separated list
Prerequisite: USER ADMIN system privilege in the target
database
1. In the target database, add a remote identity to a user
(= map this user to a user in the source database):
ALTER USER <target_user> ADD REMOTE
IDENTITY <source_user> AT DATABASE
<source_db>
Public
43
More Information
More information
SAP HANA information
SAP Help Portal: Security Guide, Master Guide (network
topics), Developer Guide, SQL Reference Guide
SAP HANA Security Whitepaper
How to Define Standard Roles for SAP HANA Systems
Important SAP notes
1598623: SAP HANA appliance: Security

1514967: SAP HANA appliance
1730928: Using external software in a HANA appliance
1730929: Using external tools in an SAP HANA appliance
1730930: Using antivirus software in an SAP HANA appliance
786179: Supported antivirus engines/certification
784391: SAP support terms and 3rd-party Linux kernel drivers
1730999: Configuration changes in HANA appliance
863362: Security checks with SAP EarlyWatch Alert
Public
45
SAP HANA security patches

Operating system security patches
Support operating systems: SUSE Linux Enterprise and RedHat Enterprise
Operating system security patches are provided and published by the operating system vendors
SAP HANA security patches

SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)
Security notes for all SAP products are available at: http://service.sap.com/securitynotes
For SAP HANA, filter for component HAN*
Patches are delivered as SAP HANA revisions
More information:
FAQ SAP Security Notes
FAQ SAP Security Patch Process
Public
46
SAP security approach

Security is an important and integral part of every step of the SAP Development Lifecycle which
applies to all products. This includes security testing as well as a defined and established process to
report and deal with potential security issues.
SAP security solutions
http://www.sap.com/security
SAP security approach and vulnerability reporting
http://www.sap.com/pc/tech/application-foundation-security/software/security-at-sap/index.html
Public
47
Thank you
Contact information
Andrea Kristen
SAP HANA Product Management
AskSAPHANA@sap.com

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services
are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or
release any functionality mentioned therein. This document, or any related presentation, and SAP SEs or its affiliated companies strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for
any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forwardlooking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Public
49

SAP HANA SPS 09 - Security PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SAP HANA SPS 09 - Security PDF

Uploaded by

Copyright:

Available Formats

SAP HANA SPS 09 - Whats New?

2014 SAP AG or an SAP affiliate company. All rights reserved.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

Whats New in SAP HANA SPS09: Security

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

Whats New in SAP HANA SPS09: Security

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

1. Open the Editor of the Web IDE in your web browser:

2. In the Content tree, right-click on the folder where you

Whats New in SAP HANA SPS09: Security

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

1. Log on to Web IDE (http://<host>:<port>/sap/hana/xs/ide)

Access from SAP HANA Cockpit

1. Log on to SAP HANA Cockpit

Whats New in SAP HANA SPS09: Security

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

Switching off the alert

Whats New in SAP HANA SPS09: Security

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

1. Configure the XSSQLCC technical user which is used

2014 SAP SE or an SAP affiliate company. All rights reserved.

Defines whether a user creation

Defines whether the password reset false

Defines whether the new user

Defines whether password reset for

Mail address for sending out the

Duration (in s) for which a generated 3600

user_creation_request_count Number of times a user with the

same mail address can request an

Whats New in SAP HANA SPS09: Security

1. On the SAP HANA logon page, choose

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

1. On the SAP HANA logon screen, choose

Whats New in SAP HANA SPS09: Security

1. Log on to the user self-service administration tool:

2. Review the pending requests

3. After you have approved a request, a notification mail

Open user and role

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

SQL-based analytic privileges

More difficult to use due to complex XML format

CREATE STRUCTURED PRIVILEGE

CREATE STRUCTURED PRIVILEGE <name> FOR

2014 SAP SE or an SAP affiliate company. All rights reserved.

Intuitive specification using SQL syntax

Whats New in SAP HANA SPS09: Security

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

Whats New in SAP HANA SPS09: Security

Whats New in SAP HANA SPS09: Security

2014 SAP SE or an SAP affiliate company. All rights reserved.

Whats New in SAP HANA SPS09: Security

2014 SAP SE or an SAP affiliate company. All rights reserved.