Week 3: Managing Individual Databases

Unit 2: Security
Security
Individual database security in SAP HANA

User & Role Management Data Encryption

Create standard and restricted Protect your data with data
users; customize roles with a volume, log volume, and backup
variety of privileges encryption

DBA

Authentication Auditing
Authenticate users using Monitor and record selected
passwords and a diverse range Certificate Management actions performed in your
of SSO options Secure internal and external database
communication channels, user
authentication mechanisms

© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

Security
User and role management
Control system
administrative privileges

Choose validity range,

ODBC/JDBC access, and
whether or not public role is
automatically assigned

Users can be authenticated

using passwords or SSO
options

Access and modify

database objects

Configure custom user properties

such as locale, execution priority,
user time zone, etc.  Easily create new users, new roles, and assign roles
to users all through the SAP HANA cockpit interface
© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3
Security
Authentication

 Customize the password policy and

blacklist to ensure that corporate
standards are met
 Password policy parameters:
– Customize the password length,
composition, and lifetime
– Configure user lock settings
 Blacklist words to prevent
vulnerabilities due to weak passwords
– Case sensitivity
– Partial or whole word

© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

Security
Data storage security

 Safeguard SAP HANA data saved to disk from

unauthorized access at the operating system View alerts associated with
level data encryption
 Data at Rest Encryption protects data
volumes on disk
 Log Volume Encryption protects log entries Manage master key or
before they are written to disk specific root keys
 Backup Encryption protects against
unauthorized parties accessing content of
backups
 Enabling encryption does not increase data
size

© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 5

Security
Auditing

Directly enable/disable auditing

 Record important system events from Overview page
with audit logging:
– User management
– System access/configuration
– Data access
 Auditing does not directly increase
system security, but well-designed
audit policies can help achieve
greater security
 Choose audit level, trail target,
audited action status, and Choose actions, objects,
and users to be audited
individually enable/disable audit
policies

© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 6

Security
Best practices

 User and Role Management

– Only use the SYSTEM user to set up the database and appropriate users
– Deactivate the SYSTEM user afterwards to prevent misuse of its permissions

 Data Storage Security

– Change root keys used for data volume encryption and redo log encryption
– Enable data volume and redo log encryption
– Periodically change root keys in line with your security policy

 Consult the security related links in the SAP HANA cockpit

© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 7

Thank you.
Contact information:

open@sap.com
© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are
set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this docume nt or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ st rategy and possible future developments, products,
and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various
risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trade marks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companie s.
See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.