SAP HANA Security: Complete Tutorial

What is Sap Hana Security?

SAP HANA Security is protecting important data from unauthorized

access and ensures that the standards and compliance meet as security
standard adopted by the company.

SAP HANA provides a facility i.e. Multitenant database, in which

multiple databases can be created on single SAP HANA System. It is
known as multitenant database container. So SAP HANA provide all
security related feature for all multitenant database container.

SAP HANA Provide following security-related feature –

 User and Role Management

 Authorization
 Authentication
 Encryption of data in Persistence Layer
 Encryption of data in Network Layer

SAP HANA User and Role

SAP HANA User and Role management configuration depend on the

architecture as below –

1. 3-Tier Architecture.

SAP HANA can be used as a relational database in a 3-Tier

Architecture.

In this architecture, security features (authorization,

authentication, encryption, and auditing) are installed on
application server layers.

SAP application (ERP, BW, etc.) connects to database only with

the help of a technical user or database administrator (Basis
 Person). The end-user cannot directly access to database or
database server.

2. 2-Tier Architecture.

SAP HANA Extended Application Services (SAP HANA XS) is based

on 2 –Tier Architecture, in which Application server, Web Server
and Development Environment are embedded in a single system.
SAP HANA Authentication
Database user identifies who is accessing the SAP HANA Database. It is
verified through a process Named "Authentication." SAP HANA support
many authentication methods. Single Sign-on (SSO) are used to
integrate several Authentication method.

SAP HANA supports following authentication method -

 Kerberos: It can be used in the following case –

o Directly from JDBC and ODBC Client (SAP HANA Studio).
o When HTTP is used to access SAP HANA XS.
 User Name / Password

When the user enters their database username and password,

then SAP HANA Database authenticate the user.

 Security Assertion Markup Language(SAML)

SAML can be used to authenticate SAP HANA User, who is

accessing SAP HANA Database directly through ODBC/JDBC. It is
a process of mapping external user identity to the internal
database user, so user can login in sap database with the external
user id.

 SAP Logon and Assertion Tickets

The user can be authenticated by Logon or Assertion Tickets,

which is configured and issued to the user for creating a ticket.

 X.509 Clients Certificates

When SAP HANA XS Access by HTTP, Client certificates signed by

a trusted Certification authority (CA) can be used to authenticate
the user.

SAP HANA Authorization

SAP HANA Authorization is required when a user using client interface
(JDBC, ODBC, or HTTP) to access the SAP HANA database.

Depending on the authorization provided to the user, it can perform

database operations on the database object. This authorization is called,
"privileges."

The Privileges can be granted to the user directly or indirectly (through

roles). All Privileges assign to users are combined as a single unit.

When a user tries to access any SAP HANA Database object, HANA
System performs authorization check on the user through user roles
and directly grants the privileges.

When requested Privileges found, HANA system skips further checks

and grant access to request database objects.

In SAP HANA following privileges are their -

Privileges Description

Types

System It controls normal system activity.

Privileges

System Privileges are mainly used for –

 Creating and Deleting Schema in SAP HANA Database

 Managing user and role in SAP HANA Database

  Monitoring and tracing of SAP HANA database

 Performing data backups

 Managing license

 Managing version

 Managing Audit

 Importing and Exporting content

 Maintaining Delivery Units

Object Object Privileges are SQL privileges that are used to give authorization to

Privileges database objects. To access database objects user needs object privileges

or on the schema in which database object exists. Object privileges can be

objects (table, view, etc.) or non-catalog objects (development objects). O

as below –

 CREATE ANY

 UPDATE, INSERT, SELECT, DELETE, DROP, ALTER, EXECUTE

 INDEX, TRIGGER, DEBUG, REFERENCES

Analytic Analytic Privileges are used to allow read access on data of SAP HANA Info

Privileges (attribute view, Analytic View, calculation View).

 This privilege is evaluated during query processing.

 Analytic Privileges grants different user access on different part of d

 Same information view based on user role.

 Analytic Privileges are used in SAP HANA database to provide row l

Control for individual users to see the data is in the same view.

Package Package Privileges are used to provide authorization for actions on individ

Privileges HANA Repository.

Application Application Privileges are required in In SAP HANA Extended Application S

Privileges XS) for access application.

Application privileges are granted and revoked through the

proceduresGRANT_APPLICATION_PRIVILEGE and REVOKE_APPLICATION_

procedure in the _SYS_REPO schema.

 Privileges on It is an SQL Privileges, which can grant by the user on own user.

User

ATTACH DEBUGGER is the only privilege that can be granted to a user.

SAP HANA User Administration and Role

Management
To Access SAP HANA Database, users are required. Depending on the
different security policy there are two types of user in SAP HANA as
below –

1. Technical User (DBA User) – It is a user who directly work with

SAP HANA database with necessary privileges. Normally, these
users don't get deleted from the database.

These users are created for an administrative task such as

creating an object and granting privileges on database object or
on the application.

SAP HANA Database system provides following user by default as

standard user–

 SYSTEM
 SYS
 _SYS_REPO

2. Database or Real User: Each user who wants to work on SAP

HANA database, need a database user. Database user are a real
person who works on SAP HANA.

There are two types of Database user as below –

User Type Description Role assigned

Standard This user can create objects in an own PUBLIC role is assigned for re

User schema and reads data in system views.

Standard User created with "CREATE USER"

statement.

Restricted Restricted User has no full SQL Access via an RESTRICTED_USER_ODBC_A

User SQL Console and created with "CREATE RESTRICTED_USER_JDBC_AC

RESTRICTED USER" statement. If Privileges to user for Full Access of OD

required for use of any application, then they functionality

are provided through the role.

 Restricted User cannot create database

objects.

 Restricted User cannot view data in the

database.
  Restricted User connects to database

through HTTP Only.

 ODBC/JDBC access for client

connection must be enabled with SQL

statement.

SAP HANA User Administrator have access to the following activity –

1. Create/delete User.
2. Define and Create Role.
3. Grant Role to the user.
4. Resetting user password.
5. Re-activate / de-activate user according to requirement.

1. Create User in SAP HANA- only database user with ROLE ADMIN
privileges can create user and role in SAP HANA.

Step 1) To create new user in SAP HANA Studio go to security tab

as shown below and follow the following steps;

1. Go to security node.
2. Select Users (Right Click) -> New User.

Step 2) A user creation screen appear.

3. Enter User Name.

4. Enter Password for the user.
 5. These are authentication mechanism, by default User name
/ password is used for authentication.

By Clicking on the deploy Button user will be created.

2. Define and Create Role

A role is a collection of privileges that can be granted to other users or

role. The role includes privileges for database object & application and
depending on the nature of the job.

It is a standard mechanism to grant privileges. Privileges can be directly

granted to the user. There are many standard roles (e.g. MODELLING,
MONITORING, etc.) available in SAP HANA database.

We can use the standard role as a template for creating a custom role.

A role can contain following privileges –

 System Privileges for administrative and development task

(CATALOG READ, AUDIT ADMIN, etc.)
 Object Privileges for database objects (SELECT, INSERT, DELETE,
etc.)
 Analytic Privileges for SAP HANA Information View
 Package Privileges on repository packages (REPO.READ,
REPO.EDIT_NATIVE_OBJECTS, etc.)
 Application Privileges for SAP HANA XS applications.
 Privileges on the user (For Debugging of procedure).
Role Creation

Step 1) In this step,

1. Go to Security node in SAP HANA System.

2. Select Role Node (Right Click) and select New Role.

Step 2) A role creation screen is displayed.

1. Give Role name under New Role Block.

2. Select Granted Role tab, and click "+" Icon to add Standard Role
or exiting role.
3. Select Desired role (e.g. MODELLING, MONITORING, etc.)

STEP 3) In this step,

1. Selected Role is added in Granted Roles Tab.

 2. Privileges can be assign to the user directly by selecting System
Privileges, object Privileges, Analytic Privileges, Package
Privileges, etc.
3. Click on deploy icon to create Role.

Tick option "Grantable to other users and roles", if you want to assign
this role to other user and role.

3. Grant Role to User

STEP 1) In this step, we will Assign Role "MODELLING_VIEW" to

another user "ABHI_TEST".

1. Go to User sub-node under Security node and double click it. User
window will show.
2. Click on Granted roles "+" Icon.
3. A pop-up will appear, Search Role name which will be assign to
the user.
STEP 2) In this step, role "MODELLING_VIEW" will be added under Role.

STEP 3) In this step,

1. Click on Deploy Button.

2. A Message " User 'ABHI_TEST" changed is displayed.

4. Resetting User Password

If user password needs to reset, then go to User sub-node under

Security node and double click it. User window will show.

STEP 1) In this step,

1. Enter new password.

2. Enter Confirm password.
STEP 2) In this step,

1. Click on Deploy Button.

2. A message "User 'ABHI_TEST" changed is displayed.

5. Re-Activate/De-activate User

Go to User sub-node under Security node and double click it. User
window will show.

There is De-Activate User icon. Click on it

A confirmation message "Popup" will appear. Click on 'Yes' Button.

A message "User 'ABHI_TEST' deactivated" will be displayed. The De-

Activate icon changes with name "Activate user". Now we can activate
user from the same icon.

SAP HANA License Management

The license key is required to use SAP HANA Database. A license key can
be installed and deleted using SAP HANA Studio, SAP HANA HDBSQL
Command Line tool, and HANA SQL Query editor.

SAP HANA database support two types of license key –

 Permanent License Key: Permanent license keys are valid till

expiration date. We need to request and apply license key before
expire. If license key expires then Temporary License Key are is
automatically installed for 28 days.
 Temporary License Key: This is automatically installed with a new
SAP HANA Database Installation. It is valid for 90 days and later
can apply for Permanent key from SAP.

Authorization of License Management

"LICENSE ADMIN" privileges are required for License Management.

SAP HANA Auditing

SAP HANA Auditing features allow you to monitor and record action
which is performed in SAP HANA System. This features should be
activated for the system before creating audit policy.

Authorization for SAP HANA Auditing

"AUDIT ADMIN" System Privileges required for SAP HANA Auditing.

Summary:

In this tutorial, we have learned following topic -

 SAP HANA Security overview.

 SAP HANA Authentication in detail.
 SAP HANA Authorization in detail.
 SAP HANA User Administration method.
 SAP HANA Role Administration method
 SAP HANA license Management process.
 SAP HANA Role Auditing Process.