Professional Documents
Culture Documents
HA940 EN Col17
HA940 EN Col17
.
.
PARTICIPANT HANDBOOK
INSTRUCTOR-LED TRAINING
.
Course Version: 17
Course Duration: 2 Day(s)
Material Number: 50157407
SAP Copyrights, Trademarks and
Disclaimers
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. Please see https://www.sap.com/corporate/en/legal/copyright.html for additional
trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software
components of other software vendors.
National product specifications may vary.
These materials may have been machine translated and may contain grammatical errors or
inaccuracies.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only,
without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate
company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business
outlined in this document or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’
strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any
reason without notice. The information in this document is not a commitment, promise, or legal
obligation to deliver any material, code, or functionality. All forward-looking statements are subject to
various risks and uncertainties that could cause actual results to differ materially from expectations.
Readers are cautioned not to place undue reliance on these forward-looking statements, which speak
only as of their dates, and they should not be relied upon in making purchasing decisions.
Demonstration
Procedure
Warning or Caution
Hint
Facilitated Discussion
TARGET AUDIENCE
This course is intended for the following audiences:
● Database Administrator
● System Administrator
Lesson 1
Introducing SAP HANA 3
Lesson 2
Outlining security functions 9
Lesson 3
Describing SAP HANA implementation scenarios 19
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe basic features of SAP HANA
Data Provisioning
Several data provisioning mechanisms are available for obtaining data from different
sources and accessing it in SAP HANA. For example, in a data mart or analytics scenario,
data is replicated into SAP HANA from source systems using one of the supported
replication technologies. For applications that use SAP HANA as their primary database
(such as, SAP S/4HANA), data is created directly in SAP HANA.
Data Recovery
Although the SAP HANA database holds the bulk of its data in memory for maximum
performance, it still uses persistent storage to support system restart and recovery.
There is minimal delay and no loss of data in the event of failure. For example, after a
power failure, the database can be restarted like any disk-based database and returned
to its most recent consistent state. In addition, SAP HANA provides functions for backup
and recovery, as well as high availability (disaster recovery and fault recovery).
advanced server applications, and SAP HANA database content. It is based on SAP HANA XS
advanced and HDI, and uses Git for source code management.
Note:
SAP recommends that customers and partners who want to develop new
applications use SAP HANA XS advanced model. If you want to migrate existing
XSC applications to run in the new XS advanced run-time environment, we
recommend that you first check the features available with the installed version of
XS advanced; if the XS advanced features match the requirements of the XS
classic application you want to migrate, then you can start the migration process.
For more information, see the SAP HANA XS Advanced Migration Guide.
Hint:
SAP HANA Extended Application Services, advanced model, is backwards
compatible; you can provide access to new features by installing the latest
version of the XS advanced component even on older versions of SAP HANA.
Note:
SAP HANA XSC and the SAP HANA repository are deprecated as of SAP HANA
2.0 SPS 02. For more information, see SAP Note 2465027.
Database Isolation
System Database
The system database, which is created during installation, is used for central system
administration, for example, the creation of tenant databases and global system
configuration. The system database stores overall system landscape information, including
knowledge of the tenant databases that exist in the system. However, it doesn't own
database-related topology information, that is, information about the location of tables and
table partitions in databases. Database-related topology information is stored in the relevant
tenant database catalog.
Tenant Database
Every tenant database is self-contained and isolated in terms of users, database catalog,
repository, logs, and so on. However, to protect against unauthorized access at the operating
system (OS) level, it's possible to increase isolation further through OS user separation and
authenticated communication within databases.
Authenticated Communication
In addition, once high isolation has been configured, internal database communication is
secured using the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protocol.
Certificate-based authentication is used to ensure that only the processes belonging to the
same database can communicate with each other. It is also possible to configure internal
communication so that all data communication within the databases is encrypted.
Note:
If cross-database access is enabled, communication between configured tenant
databases is allowed.
Internal database communication is secured with the same mechanism used for securing
other internal SAP HANA communication channels. Once high isolation has been configured,
authenticated communication within databases is enabled without any change required to the
default TLS/SSL configuration for internal communication. However, encryption of data
communication may need to be configured explicitly.
OS User Separation
By default, all database processes run under the default OS user <sid>adm. If it's important
to mitigate against cross-database attacks through OS mechanisms, you can configure the
system for high isolation. In this way, the processes of individual tenant databases must run
under dedicated OS users belonging to dedicated OS groups, instead of all database
processes running under <sid>adm. Database-specific data on the file system is then
protected using standard OS file and directory permissions.
You can specify the isolation level of the system during installation. The default isolation level
is low. It’s also possible to change the isolation level of an existing system (from low to high or
from high to low) at any time. For more information, see Increase the System Isolation Level
in the SAP HANA Administration Guide. Once high isolation has been configured, a dedicated
OS user and group must exist for every tenant database. Otherwise, it is not possible to
create or start a tenant database.
LESSON SUMMARY
You should now be able to:
● Describe basic features of SAP HANA
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Outline the security functions in SAP HANA
SAP HANA provides a range of security features and functions at the database and system
level to ensure secure access control and secure system setup and configuration.
Access Channels
SAP HANA provides standard database interfaces, such as, Java Database Connectivity
(JDBC) and Open Database Connectivity (ODBC), and supports standard SQL with SAP
HANA-specific extensions.
In addition to this channel, the embedded application server available on SAP HANA allows
HTTP(S) access to the database.
For JDBC and ODBC client connections, user passwords are always transmitted in encrypted
hashed form during the user authentication process. The passwords are never transmitted in
plain text.
For HTTP connections, HTTPS can be configured.
In SSO environments, we recommend using encrypted communication channels for all client
connections.
User Management
Every user who wants to work directly with the SAP HANA database must have a database
user with the necessary privileges. Depending on the situation, the user accessing SAP HANA
may be a technical system user or a user corresponding to a real person.
For basic authentication (with user name and password) you can define password policies
(for example, password length and complexity) to enforce password quality.
Password Policy
Passwords for the basic authentication of database users are subject to certain rules. These
rules are defined in the password policy. You can change the default password policy so that it
is in line with your organization's security requirements.
The password policy is defined by parameters in the password policy section of the
indexserver.ini system properties file. Although you can configure your password policy
directly in the indexserver.ini file, it is recommended that you use either the Password Policy
and Blacklist app of the SAP HANA cockpit (available since HANA 1.0 SPS12) or the Security
Editor of the SAP HANA studio.
Authorizations
SAP HANA standard authorization mechanisms are applied to users at the database level.
Several privilege types are used in SAP HANA (system, object, analytic, package, and
application).
Figure 8: Authorizations
SAP HANA's standard authorization mechanisms are applied to users at the database level
with the following additions:
● In the system database, the system privilege: DATABASE ADMIN exists to allow system
administrators to perform certain tasks on tenant databases (for example, stop a tenant
database or back up a tenant database).
● A cross-database authorization mechanism exists to support read-only queries between
tenant databases. This is made possible through the association of a user in one tenant
database with a user in another database. Cross-database access is disabled by default
and must be enabled and configured by a system administrator before such user
mappings can be set up.
SAP HANA
Roles
A role is a collection of privileges that can be granted to either a database user or another role
at runtime. A role typically contains the privileges required for a particular function or task.
Privileges can be granted directly to users of the SAP HANA database. However, roles are the
standard mechanism of granting privileges as they allow you to implement complex, reusable
authorization concepts that can be modeled on business roles.
Roles bundle privileges for specific groups of users. Role transport available is for DEV, QA,
and PROD system landscapes.
The three main connection types that can be encrypted are as follows:
● Client to server connections
● Internal connection between SAP HANA components (for example, different SAP HANA
nodes in a scale-out system)
● Connections between data centers (for example, for disaster recovery using SAP HANA
System Replication)
TLS/SSL
TLS/SSL is available for all communication channels, and can be enforced for clients. It
provides automatic setup of key management infrastructure (PKI) for internal
communication channels
Minimal TLS/SSL versions can be configured.
Note:
Certified SAP HANA hosts use a separate network adapter with a separate IP
address for each of the different networks.
To protect data saved to disk from unauthorized access at operating system level, the SAP
HANA database supports data encryption.
Auditing
Auditing provides you with visibility on what actions were performed in the SAP HANA
database, and when. Actions performed in every tenant database and the system database
can be audited individually.
To ensure the privacy of tenant database audit trails, they are by default written to a database
table that is local to the database being audited. By default, tenant database administrators
cannot change the audit trail targets for their database. The system administrator can change
the audit trail but this is not recommended.
If the audit trail target for tenant databases is changed to the syslog, audit entries contain a
field Database Name so that it is possible to differentiate entries from different tenant
databases.
Although auditing does not directly increase your system's security, it can, if wisely designed,
help you achieve greater security in the following ways:
● Uncover security holes if too many privileges were granted to a user
Only actions that take place inside the database engine can be audited. If the database engine
is not online when an action occurs, it cannot be detected and therefore cannot be audited.
Audit policies
● Include events to be recorded
● If audit logging is enabled, some critical events are always logged; for example,
disabling of audit logging
Audit trail
● Linux syslog or secure database table
LESSON SUMMARY
You should now be able to:
● Outline the security functions in SAP HANA
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe SAP HANA implementation scenarios
Client
Any possible client for the SAP application server. This includes SAP GUI, SAP Business
Client, and SAP Fiori Launchpad.
Application Server
In the common SAP architecture, this is normally the role of SAP Application Server
ABAP or Java. In this case, the SAP HANA platform can also be the application server,
because it can be a database as well as a server for native functionalities and
applications.
Database
SAP HANA is a database at its core, and can be used like any another relational database.
For example, in a classical three-tier deployment, like SAP S/4HANA.
Nevertheless, SAP HANA can be implemented in different ways, depending on how you want
to use the platform. The different implementation scenarios will determine what you need to
consider from a security perspective.
The implemented architecture determines the extent to which security-related aspects are
handled in SAP HANA. However, user and role management in the database layer of SAP
HANA is required, at least for technical users and administrators. The following text outlines
the relevance of SAP HANA security-related features in this implementation scenario.
Authorization
SAP HANA authorization applies to users managed directly in the database.
Auditing
Actions performed in the SAP HANA database can be audited.
Authorization
SAP HANA authorization applies only to technical and administrative database users
managed in the database.
Auditing
Actions performed in the SAP HANA database can be audited.
Figure 19: SAP HANA as Technical Infrastructure for Native Applications, XS Advanced
XS advanced applications are strictly isolated from each other. They are deployed in
dedicated containers via the SAP HANA deployment infrastructure (HDI) at the database
layer. At the application layer, you can use dedicated operation system users per application.
For more information about secure application development, see the section Maintaining
Application Security in XS Advanced in the SAP HANA Developer Guide for SAP HANA XS
Advanced Model.
Note:
SAP recommends that customers and partners who want to develop new
applications use SAP HANA XS advanced model. If you want to migrate existing
XSC applications to run in the new XS advanced runtime environment, SAP
recommends that you first check the features available with the installed version
of XS advanced; if the XS advanced features match the requirements of the XSC
application you want to migrate, then you can start the migration process. For
more information, see the SAP HANA XS Advanced Migration Guide.
Note:
SAP HANA XSC and the SAP HANA repository are deprecated as of SAP HANA
2.0 SPS 02. For more information, see SAP Note 2465027. SAP strongly
recommends moving any application to the advanced model.
The architecture of SAP HANA XSC is depicted in the figure, SAP HANA as Technical
Infrastructure for Native Applications, XS Classic.
Figure 20: SAP HANA as Technical Infrastructure for Native Applications, XS Classic
Classic native SAP HANA applications rely on the security-related features of SAP HANA. In
particular, users of native SAP HANA applications must always have a corresponding user in
the SAP HANA database.
The following items outline the relevance of SAP HANA security-related features in this
implementation scenario.
Authorization
User access to native SAP HANA applications and applications functions is determined by the
privileges granted to the database user.
Auditing
Actions performed in the SAP HANA database can be audited.
LESSON SUMMARY
You should now be able to:
● Describe SAP HANA implementation scenarios
Learning Assessment
1. SAP HANA is an in-memory platform, which is used for performing real-time analytics,
and for developing and deploying real-time applications.
Determine whether this statement is true or false.
X True
X False
2. You want system settings to be set so that users are only able to view and perform actions
required to fulfill their tasks. Which security function provides this?
Choose the correct answer.
X A Authentication
X B Authorization
X C Audit logging
X D Encryption
3. Which of the following are part the implementation scenario for a native two-tier
application?
Choose the correct answers.
X A Client
X B XS Application Server
X D BI Server
X E SAP HANA
1. SAP HANA is an in-memory platform, which is used for performing real-time analytics,
and for developing and deploying real-time applications.
Determine whether this statement is true or false.
X True
X False
This is correct! SAP HANA is an in-memory platform, which is used for performing real-
time analytics, and for developing and deploying real-time applications.
2. You want system settings to be set so that users are only able to view and perform actions
required to fulfill their tasks. Which security function provides this?
Choose the correct answer.
X A Authentication
X B Authorization
X C Audit logging
X D Encryption
3. Which of the following are part the implementation scenario for a native two-tier
application?
Choose the correct answers.
X A Client
X B XS Application Server
X D BI Server
X E SAP HANA
Correct. Client, XS Application Server, and SAP HANA are part of the implementation
scenario for a native two-tier application.
Lesson 1
Using security administration tools 31
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Use security administration tools
SAP HANA Cockpit is the native tool for SAP HANA database administration. It can be used
for administration and monitoring of SAP HANA databases, including system configuration,
user management, and performance monitoring capabilities.
SAP HANA Cockpit is a Web-based tool that is built on SAP HANA XS Advanced to leverage
the latest SAP technology. It allows faster delivery and new innovations. SAP HANA Cockpit is
a single Web console that simplifies the administration for landscape, group, and individual
SAP HANA databases.
SAP HANA Cockpit provides an overview of important security KPIs. It allows easy access to
the security configuration.
● Use SAP Solution Manager for end-to-end root cause analysis and a unified alert inbox for
the entire landscape and for business process reporting.
● SAP Solution Manager has a central alerting and monitoring infrastructure.
● It runs on AS ABAP-based SAP systems.
● Use SAP Landscape Management for automating advanced SAP HANA operations and to
avoid business downtime during maintenance activities.
● SAP Landscape Management is a central landscape management solution, running on AS
Java-based SAP systems.
SAP HANA can be integrated with SAP security tools and services. Information gathered from
SAP Solution Manager is used to develop a set of services to help ensure secure configuration
during initial system setup. On the one hand, the security specific information in the SAP
EarlyWatch Alert service and the more detailed security optimization services (SOS) compare
customer settings (configurations and critical basis authorizations) with SAP- recommended
standards. The overall goal of these tools is to compare customer systems to the SAP
security recommendations.
The following list is a basic description of these tools and services:
System Recommendations
● These are detailed recommendation of SAP notes which should be implemented
based on the actual status of the system and previously implemented notes.
Configuration Validation
● The Configuration Validation checks if the customer systems adhere to the customer-
specific security policies.
● It provides reporting on how homogeneous security system is.
● The Configuration Validation uses centrally stored configuration data in Solution
Manager to validate a large number of systems using a subset of the collected
configuration data.
Based on these checks, a customer-specific security baseline can be derived that also takes
into account customer-specific conditions and security regulations. Any changes during
operations can subsequently be monitored with the help of change diagnostics and be
compared against this customer-specific security baseline using configuration validation, to
help ensure that unwanted change are noticed.
On top of regular monitoring, SAP advises running the complete set of reports from SOS or
SAP EarlyWatch Alert periodically to help ensure compliance of the landscape.
SAP HANA cockpit provides a single point of access to a range of tools for administration and
detailed monitoring of SAP HANA databases. It also integrates SQL development capabilities
required by administrators. SAP HANA cockpit provides aggregate, system, and tenant
database administration features (for example, database monitoring, user management, and
data backup).
Administrators can use the SAP HANA Cockpit to start and stop services, to monitor the
system, to configure system settings, and to manage users and authorizations.
Initially, the SAP HANA cockpit displays data at a landscape or enterprise level. You can
quickly drill down to an overview of an individual database. Links, data, cards, and different
parts of a single card are drillable, providing access to more detailed information and
functions.
SAP HANA cockpit provides several security related cards with an overview of the important
security KPIs during operation of your system and allows easy access to the security
configuration.
From SAP HANA cockpit, you can manage, administer configure, and monitor SAP HANA
database systems as for the following security areas:
● User and role management
● Management of privileges
● Management of audit policies
● Configuration of password policies
● Certificate management
Within the Database Overview app, you can choose the Security and User Management view
on the top left corner, to filter down to the main security related cards.
As an example, in SAP HANA Cockpit you can perform user management tasks and assign
roles to users. To achieve this, in the Database Overview app of your system or tenant
database, search for the User & Role Management card and choose the Role Assignment link.
LESSON SUMMARY
You should now be able to:
● Use security administration tools
Learning Assessment
X True
X False
2. SAP HANA only allows a user to log on using a user and password as the authentication
method.
Determine whether this statement is true or false.
X True
X False
3. SAP HANA includes a specific functionality: Audit Log, to track the activities performed by
the users.
Determine whether this statement is true or false.
X True
X False
X True
X False
This is correct. In SAP HANA, user management cannot be delegated to an ABAP system.
2. SAP HANA only allows a user to log on using a user and password as the authentication
method.
Determine whether this statement is true or false.
X True
X False
3. SAP HANA includes a specific functionality: Audit Log, to track the activities performed by
the users.
Determine whether this statement is true or false.
X True
X False
This is correct. Audit Log is available in SAP HANA, so that you can track the activities
performed by users.
Lesson 1
Comparing User Types 41
Lesson 2
Managing User Groups 47
Lesson 3
Describing User Administration Tools 53
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Compare the different user types in SAP HANA
User Types
Every user who wants to work with the SAP HANA database must have a database user. As a
user administrator, you create and provision the required users, as well as perform other
tasks related to user administration.
Note:
Users of SAP HANA SAP HANA Extended Services (SAP HANA XS) advanced
applications are managed independently of the SAP HANA database. Dedicated
administration tools are available for managing application users and roles.
It is often necessary to specify different security policies for different types of database user.
In the SAP HANA database, we differentiate between database users that correspond to real
people, and technical database users.
● Database users that correspond to real people
The database administrator creates a database user for every person who works in the
SAP HANA database. Database users that correspond to real people are dropped when the
person leaves the organization. This means that the database objects they own are also
automatically dropped, and privileges they granted are automatically revoked.
● Technical database users
Technical database users do not correspond to real people, they are not dropped if a
person leaves the organization. Therefore, you can use them for administrative tasks, such
as, creating objects and granting privileges for a particular application. Some technical
users are available as standard, for example, users SYS and _SYS_REPO. Other technical
database users are created for application-specific purposes. For example, an application
server can log on to the SAP HANA database using a dedicated technical database user.
Technically, these user types are the same. The only difference between them is conceptual.
Database users that correspond to real people can be grouped according to different tasks.
Note:
For a complete overview of the technical users of the SAP HANA database, see the
SAP HANA Security Guide.
Database users that correspond to real people are dropped when the person leaves the
organization. This means that any database objects that they own are also automatically
dropped, and any privileges that they granted are automatically revoked.
Note:
Database users created by an LDAP provider must be dropped manually by a user
administrator. If the user is dropped on the LDAP server, the corresponding
database user in SAP HANA is not automatically dropped.
Database users are created with either the CREATE USER or CREATE RESTRICTED USER
statement, or using SAP HANA cockpit (User Management).
HTTP/S client access is used for a connection between a Web browser or mobile device and
applications based on SAP HANA extended application services.
Note:
To find out which users can connect via JDBC/ODBC, you can check the column
IS_CLIENT_CONNECT_ CONNECT_ENABLED = TRUE in the USERS system view.
Compared to standard database users, restricted users are initially limited in the following
ways:
● They cannot create objects in the database as they are not authorized to create objects in
their own database schema.
● They cannot view any data in the database as they are not granted the standard PUBLIC
role.
● They are only able to connect to the database using HTTP/HTTPS.
Note:
Disabling ODBC/JDBC access for a user, either a restricted user or a standard
user, does not affect the user's authorizations or prevent the user from executing
SQL commands via channels other than JDBC/ODBC. If the user has been
granted SQL privileges (for example, system privileges and object privileges), they
are still authorized to perform the corresponding database operations using, for
example, a HTTP/HTTPS client.
● _SYS_STATISTICS
This is an internal database user used by the internal monitoring mechanism of the SAP
HANA database. It collects information about status, performance, and resource usage
from all components of the database and issues alerts if necessary.
Other technical database users are created for application-specific purposes. For example, an
application server may log on to the SAP HANA database using a dedicated technical
database user.
Technical users are standard users created with the CREATE USER statement.
LESSON SUMMARY
You should now be able to:
● Compare the different user types in SAP HANA
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Manage user groups
In the example scenario shown in the figure, User Groups, the user groups were set up for
exclusive administration. Only the group admins for the restricted user group Sales can
create or delete users in this user group and manage security properties of the Sales users.
The Sales group admins can only manage users of the Sales group, but not users from other
user groups like Research or Training.
User groups are an efficient way to manage users:
● Every user group can have its own dedicated administrator(s). In this way, user
management tasks can be delegated to several people independently of each other.
● A user group can be configured for exclusive administration, which means that only the
designated group administrator(s) can manage the users in the group. This could be
useful, for example, to protect highly-privileged users or technical users from accidental
deletion or manipulation.
● Group specific-user configuration is possible. By setting user properties at the group level,
you can configure related users quickly and differently to users in other groups. For
example, you could put the technical users required by connecting applications into their
own user group with a customized password policy so that the passwords of these users
are extra complex.
Caution:
User groups do not control data access. They are intended to support a
separation of user management duties. A users authorization (roles and
privileges) controls data access.
Figure 30: User Groups: How Do they Relate to Roles and Authorization?
Note:
A user can be the group administrator of more than one group.
The USERGROUP OPERATOR privilege authorizes a user to change the settings for a user
group, and to add and remove users to/from a user group. Users with the USERGROUP
OPERATOR privilege can also create and drop users, but only within the user group on which
they have the USERGROUP OPERATOR privilege (CREATE USER <user_name> SET
USERGROUP <usergroup_name>).
Note:
A user can have the USERGROUP OPERATOR privilege on more than one user
group, and a user group can have more than one user with the USERGROUP
OPERATOR privilege on it.
User administrators can also specify the administration "mode" of the user group. This
determines who can administer the group:
● Group administrators and user administrators (shared administration)
Not only designated group administrators can modify the group but also any user
administrator (that is, any user with system privilege USER ADMIN).
This is the default administration mode.
● Group administrators only (exclusive administration)
Only the designated group administrator(s) can modify the group, for example, adding
new users to the group or removing users from the group. In this way, groups of users can
be managed completely independently of each other.
Note:
To add an existing user from the global pool of users to the user group, as well as
remove a user from the group (and return it to the global pool of users), the group
administrator also needs to be a user administrator, that is have system privilege
USER ADMIN.
The user administrator can configure the administration mode when creating the group, or
later by editing the group. The authorization mode is configured with the option ENABLE |
DISABLE USER ADMIN of the CREATE USERGROUP and ALTER USERGROUP statements as
follows:
If the user group is configured for exclusive administration, only the designated group
administrator(s) can modify the group, for example, adding new users to the group or
removing users from the group. In this way, groups of users can be managed independently of
each other.
Note:
A user can belong to only one user group, but a user does not have to be a
member of any group. Users who are not in any group are managed as normal by
user administrators.
To move a user from one group to another, a user authorized for both user groups simply add
the user to the new user group with the ALTER USER <username> SET USERGROUP
<usergroupname>. This automatically removes the user from the original user group.
Similarly to the configuration of authorization mode, the user parameters can be configured
when the user group is created or by editing the group later.
To see the group-specific values of parameters, query the USERGROUP_PARAMETERS view.
Note:
The base setup does not guarantee that the configuration is optimal for your
particular system. To optimize the configuration, it may be advisable to manually
configure specific settings.
LESSON SUMMARY
You should now be able to:
● Manage user groups
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Create Users
Manage Users
Native User Management Tasks
● Deleting users
● Reactivating users after too many failed logon attempts
● Deactivating users if a security violation has been detected
● Resetting user passwords
The following table provides an overview of who does which of these tasks and the SAP HANA
tools available:
Application developer Create roles for new applica- SAP HANA XS classic: SAP
tions developed on SAP HA- HANA Web-based Develop-
NA XS classic ment Workbench
Note:
SAP HANA XS advanced has the additional concept of application roles and role
collections. These are independent of database roles in SAP HANA itself. In the XS
advanced context, SAP HANA database roles are used only to control access to
database objects (for example, tables, views, and procedures) for XS advanced
applications. For more information about the authorization concept of XS
advanced.
You can configure additional user properties for client applications. The following custom user
properties are available by default:
● LOCAL
This is the user's locale.
● PRIORITY
This is the priority with which the thread scheduler handles statements executed by the
user. The priority can be in the range 0-9, with 9 representing the highest priority. 5 is the
default priority.
● STATEMENT MEMORY LIMIT
This is the maximum memory (in GB) that can be used by a statement executed by the
user.
● STATEMENT THREAD LIMIT
This is the maximum number of threads that can be used by a statement executed by the
user.
● TIME ZONE
This is the user's time zone. The standard database formats for locale and time zone are
supported.Local
SQL Commands
Another option is to perform all the administration tasks using SQL commands.
More details about the additional options and parameters available in the command can be
found in the SAP HANA SQL and System Views Reference guide, available at http://
help.sap.com/hana_platform.
Note:
A user is only identified as a restricted user in system view USERS if he doesn't
have the PUBLIC role or authorization for his own schema.
When your SAP system is running on SAP HANA DB, to simplify DMBS user administration,
you can define a connection between user administration in AS ABAP and the DBMS. When
you create users in AS ABAP, users in the DBMS are created automatically with the same
user IDs and the same passwords. When an administrative lock is set for a user in AS ABAP,
the corresponding DBMS user is also locked. You can also add or remove DBMS
authorizations for the DBMS user, as long as the DBMS supports this.
Note:
Password synchronization and password locks are not supported.
Hint:
This customizing is client-specific.
Only customize one ABAP client. The same user ID on different ABAP clients can
represent different users with different authorizations. It is not good practice to
map them to the same DBMS user.
Hint:
The option to synchronize users created with transaction SU01 in ABAP with the
SAP HANA database, must be configured first.
● The database user must log on with user name and password.
2. Add a database connection in table DBCON with Change View "Description of Database
Connections": Overview (transaction DBCO) for the database user and database type HDB.
3. Enter the name of the database connection and the client in the USR_DBMS_SYSTEM view
with Maintain Table View (transaction SM30).
Note:
To perform user management tasks the system privilege USER ADMIN is
required.
Note:
Currently, authorization and authentication with OpenLDAP is only supported for
Active Directory.
To use the SAP HANA connector for SAP NetWeaver ID Management, a dedicated SAP HANA
database user must be created with the following roles and privileges:
● Standard role MONITORING
● System privilege ROLE ADMIN and USER ADMIN
● Object privilege EXECUTE on the procedure GRANT_ACTIVATED_ROLE
Create Users
Native User Management Tasks
● Deleting users
● Reactivating users after too many failed logon attempts
● Deactivating users if a security violation has been detected
● Resetting user passwords
The following table provides an overview of the users assigned to the tasks and the SAP
HANA tools available:
Application developer Create roles for new applica- SAP HANA XSC: SAP HANA
tions developed on SAP HA- Web-based Development
NA XSC Workbench
User administrator Create user groups SAP HANA cockpit
Create SAP HANA database
users in user groups
Grant roles to database users
Delete, deactivate, and reac-
tivate database users
Reset user passwords
Note:
SAP HANA XS advanced has the additional concept of application roles and role
collections. These are independent of database roles in SAP HANA itself. In the XS
advanced context, SAP HANA database roles are used only to control access to
database objects (for example, tables, views, and procedures) for XS advanced
applications. For more information about the authorization concept of XS
advanced.
The PUBLIC role contains the privileges for filtered read-only access to the system
views. To see data in a particular view, the user also needs the SELECT privilege on the
view.
- Optional: Disable ODBC or JDBC Access.
This indicates whether or not the user can connect to the database via ODBC or JDBC.
By default, ODBC and JDBC access is enabled for standard users and is disabled for
restricted users. This means that restricted users can only connect via HTTP or HTTPS.
- Optional: Comment
Enter a comment.
- Optional: Set the authorization mode to LDAP if the user's authorization is based on
LDAP group membership.
- Specify how the user can be authenticated.
You can configure additional user properties for client applications. The following custom user
properties are available by default:
● LOCAL
This is the user's locale.
● PRIORITY
This is the priority with which the thread scheduler handles statements executed by the
user. The priority can be in the range 0-9, with 9 representing the highest priority. 5 is the
default priority.
● STATEMENT MEMORY LIMIT
This is the maximum memory (in GB) that can be used by a statement executed by the
user.
● STATEMENT THREAD LIMIT
This is the maximum number of threads that can be used by a statement executed by the
user.
● TIME ZONE
This is the user's time zone. The standard database formats for locale and time zone are
supported.
SQL Commands
Another option is to perform all the administration tasks using SQL commands.
More details about the additional options and parameters available in the command can be
found in the SAP HANA SQL and System Views Reference guide, available at http://
help.sap.com/hana_platform.
Note:
A user is only identified as a restricted user in system view USERS if he doesn't
have the PUBLIC role or authorization for his own schema.
When your SAP system is running on SAP HANA DB, to simplify DMBS user administration,
you can define a connection between user administration in AS ABAP and the DBMS. When
you create users in AS ABAP, users in the DBMS are created automatically with the same
user IDs and the same passwords. When an administrative lock is set for a user in AS ABAP,
the corresponding DBMS user is also locked. You can also add or remove DBMS
authorizations for the DBMS user, as long as the DBMS supports this.
Note:
Password synchronization and password locks are not supported.
Hint:
This customizing is client-specific.
Only customize one ABAP client. The same user ID on different ABAP clients can
represent different users with different authorizations. It is not good practice to
map them to the same DBMS user.
Hint:
The option to synchronize users created with transaction: SU01 in ABAP with the
SAP HANA database, must be configured first.
● The database user must log on with user name and password.
2. Add a database connection in the DBCON table with Change View "Description of
Database Connections": Overview (transaction DBCO) for the database user and database
type HDB.
3. Enter the name of the database connection and the client in the USR_DBMS_SYSTEM view
with Maintain Table View (transaction SM30).
LESSON SUMMARY
You should now be able to:
● Create Users
Learning Assessment
X A Power users
X B Standard users
X C Technical users
X D Restricted users
X True
X False
3. Which of the following options can be used for user management in SAP HANA?
Choose the correct answers.
X B DBA Cockpit
X C SQL command
X A Power users
X B Standard users
X C Technical users
X D Restricted users
X True
X False
That is correct. User groups are designed to provide separation of duties for user
management.
3. Which of the following options can be used for user management in SAP HANA?
Choose the correct answers.
X B DBA Cockpit
X C SQL command
This is correct. SAP HANA Cockpit, SAP HANA Netweaver IDM, and SQL commands can
be used for user management in SAP HANA.
Lesson 1
Describing object ownership rules 73
Lesson 2
Introducing Authorizations in the SAP HANA Database 79
Lesson 3
Introducing database roles management 89
Lesson 4
Creating Catalog Roles 93
Lesson 5
Creating HDI roles 99
Lesson 6
Comparing Role Types 109
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe object ownership rules and effects
In the figure, Owner Versus Schema: How SAP HANA Handles Ownership of Catalog Objects,
we can see the following example:
● User BILL owns the schema BILL and the schema WDF.
● User JIM owns the schema JIM.
● As the owners can grant privileges to others, user BILL grants user JIM the privilege to
create objects over schema BILL.
● User JIM creates the table ORDERS inside schema BILL (table name = BILL.ORDERS).
Figure 45: Owner Versus Schema: How SAP HANA Handles Ownership of Catalog Objects
Based on our example, we need to understand which objects can be accessed by the relevant
users. The following object ownership rules dictate who can access objects:
● The owner of the object
● The owner of the schema in which the object is located
● Users to whom the owner of the object has granted privileges
● Users to whom the owner of the parent schema has granted privileges
Taking this into consideration, we can conclude that user BILL can only access schema JIM
and the table BILL.ORDERS. On the other hand, user BILL has access to schema WDF and
schema BILL. Notice that user BILL also has access to all the content of those schemas, and
therefore, user BILL also has access to table BILL.ORDERS.
Let's look at the implications of the ownership concept in the case where one of the users
needs to be dropped. The following rules apply:
● You can only drop a user if they own no objects (except their own schema).
● If the user owns further objects, the only option is to drop the user with the “cascade”
option. This means that all the objects owned by the user are dropped and all the privileges
on these objects are revoked.
● If one of the objects of the user that is going to be dropped is a schema, all the objects
located in that schema are also dropped (even if they are owned by a different user).
Returning to our example, let us analyze what would happen if we drop each of the users. The
following rules apply:
● In both cases we need to use the cascade option as both users own other objects beside
their own schema.
● If we drop user JIM with the “cascade” option, the schema JIM and the table BILL.ORDERS
are also dropped.
● If we drop user BILL with the “cascade” option, the schema WDF and its content (table
WDF.SALES) are dropped. Also, the schema BILL and the table BILL.ORDERS (owned by
JIM) are dropped.
The deletion of users also has an impact on the privileges that the user granted to others.
When a user is dropped, all the privileges granted by the user to others (users or roles) are
also revoked.
When we drop a user that is accessing UI support from SAP HANA studio or SAP HANA
Cockpit, we can easily analyze the impact of the action. This is because we can identify all the
objects owned by the user to be deleted.
Note:
Dropping users using SQL commands is risky as the objects to be dropped are not
displayed.
You can also analyze the ownership of the objects in your SAP HANA system by using the
system view named “OWNERSHIP”, “SCHEMAS,” or “ROLES” depending on the type of
object you would like to analyze.
Similar to dropping a user, revoking a privilege from a user can also provoke a “recursive”
revoking situation in cases where the privilege was extended further to other users or roles.
To understand this, you should know that the following options for granting privileges exist:
Note:
To grant a privilege, the user granting the privilege should be the “owner” of the
privilege (owner of the object related to the privilege) or should have the privilege
assigned to them with the GRANT/ADMIN option.
In the example shown in the figure, Recursive Revoking of Privileges: Take Care when
Dropping Users or Revoking Privileges, user A granted a privilege to user B with the GRANT/
ADMIN option. Afterwards, user B granted the same privilege to user C.
Figure 49: Recursive Revoking of Privileges: Take Care when Dropping Users or Revoking Privileges
If user A revokes the privilege from user B, the privilege is also revoked indirectly from user C
as user B no longer has the privilege. This also happens if user A is dropped from the
database.
In the case of roles, these are owned by the database user who creates them. To create a role,
a database user needs to be granted all the privileges of the role. If any of these privileges are
revoked from the creating user, they are automatically revoked from the role. Similarly, if the
creating user is dropped, all roles that they created are also dropped.
LESSON SUMMARY
You should now be able to:
● Describe object ownership rules and effects
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe the basic authorization concepts of the SAP HANA database
User
Identifies the person accessing the system.
Object
Any database object in the system.
Privilege
Privileges are used to impose restrictions on operations carried out on an object. They
can be granted to a user or to a role.
Role
Roles are a collection of privileges. They can be granted to a user or to another role
(nesting).
A database object is owned by a user. Depending on the type of object, there is a set of
privileges associated with the object in order to control which operations can be carried out
on it.
Privileges can be assigned to users directly or indirectly using roles. Privileges are required to
model access control. Roles can be used to structure the access control schemes and model
reusable business roles.
It is recommended that you manage authorization for users accessing roles. Roles can be
nested so that role hierarchies can be implemented. This makes them flexible by allowing
granular authorization management for individual users.
All the privileges granted directly or indirectly to a user are combined. This means whenever a
user tries to access an object, the system performs an authorization check using the user, the
user's roles, and directly allocated privileges.
It is not possible to explicitly deny privileges. This means that the system does not need to
check all the user's roles. As soon as all requested privileges have been found, the system
aborts the check and grants access.
Several predefined roles exist in the database. Some of the roles are templates that need to
be customized and others can be used as they are.
User management is configured using the SAP HANA Cockpit.
3. Create users.
Describing Privileges
When a user accesses the SAP HANA database using a client interface (for example, ODBC,
JDBC, or HTTP), their ability to perform database operations on database objects is
determined by the privileges that they have been granted.
All the privileges granted to a user, either directly or indirectly through roles, are combined.
This means that whenever a user tries to access an object, the system performs an
authorization check on the user, the user's roles, and the user’s directly granted privileges. It
is not possible to explicitly deny privileges. This means that the system does not need to
check all the user's privileges. As soon as all requested privileges have been found, the
system skips further checks and grants access.
System Privileges
System privileges control general system activities. They are mainly used for
administrative purposes, such as, creating schemas, creating and changing users and
roles, monitoring and tracing. System privileges are also used to authorize basic
repository operations.
Object Privileges
Object privileges are used to allow access to and modification of database objects, such
as, tables and views. Depending on the object type, different actions can be authorized
(for example, SELECT, CREATE ANY, ALTER, and DROP).
Schema privileges are object privileges that are used to allow access to and modification
of schemas and the objects that they contain.
Object privileges granted to users in a particular database, authorize access to and
modification of database objects in that database only.
Analytic Privileges
Analytic privileges are used to allow read access to data in SAP HANA information
models (that is, analytic views, attribute views, and calculation views) depending on
certain values or combinations of values. Analytic privileges are evaluated during query
processing.
Package Privileges (deprecated)
Package privileges are used to allow access to and the ability to work in packages in the
classic repository of the SAP HANA database.
Packages contain design time versions of various objects, such as, analytic views,
attribute views, calculation views, and analytic privileges.
Package privileges granted to users in a particular database, authorize access to and the
ability to work in packages in the repository of that database only.
With SAP HANA extended application services, advanced model (XSA), source code and
Web content are not versioned and stored in the SAP HANA database. Therefore,
package privileges are not used in this context.
Application Privileges (deprecated)
Developers of SAP HANA extended application services, classic model (XSC)
applications can create privileges to authorize user and client access to their application.
They apply in addition to other privileges, for example, object privileges on tables.
Application privileges can be granted directly to users or roles in runtime in the SAP
HANA studio. However, it is recommended to grant application privileges to roles created
in the repository in design time.
With SAP HANA XSA, application privileges are not used. Application-level authorization
is implemented using OAuth and authorization scopes and attributes.
Privileges on Users
An additional privilege type, privileges on users, can be granted to users. Privileges for
users are SQL privileges that users can grant to their user. ATTACH DEBUGGER is the
only privilege that can be granted to a user.
For example, User A can grant User B the privilege ATTACH DEBUGGER to allow User B
debug SQLScript code in User A's session. User A is the only user who can grant this
privilege. User B also needs the object privilege DEBUG on the relevant SQLScript
procedure.
SQL Privileges
In the SAP HANA database, a number of privileges are available to control the authorization of
SQL commands. Following the principle of least privilege, users should only be given the
smallest set of privileges required for their role.
For this purpose two groups of SQL privileges are available:
System privileges
These are system-wide privileges that control some general system activities, mainly for
administrative purposes, such as, creating schema and creating and changing users and
roles.
Object privileges
These privileges are bound to an object, for example, to a database table, and to enable
object-specific control activities, such as, SELECT, UPDATE, or DELETE.
System privileges
System privileges control general system activities. They are mainly used for administrative
purposes, such as, creating schemas, creating and changing users and roles, performing data
backups, managing licenses, and so on.
System privileges are also used to authorize basic repository operations.
Note:
System privileges should always be assigned with caution.
Object Privileges
Object privileges are SQL privileges that are used to allow access to and modification of
database objects.
For each SQL statement type (for example, SELECT, UPDATE, or CALL), a corresponding
object privilege exists. If a user wants to execute a particular statement on a simple database
object (for example, a table), he or she must have the corresponding object privilege for either
the actual object itself, or the schema in which the object is located. This is because the
schema is an object type that contains other objects. A user who has object privileges for a
schema automatically has the same privileges for all objects currently in the schema and any
objects created in the system in the future.
Object privileges are not only granted for database catalog objects, such as, tables, views, and
procedures; Object privileges can also be granted for non-catalog objects such as
development objects in the repository of the SAP HANA database.
Initially, the owner of an object and the owner of the schema in which the object is located are
the only users who can access the object and grant object privileges to other users.
An object can therefore be accessed only by the following users:
● The owner of the object
● The owner of the schema in which the object is located
Caution:
The database owner concept stipulates that when a database user is deleted, all
objects created by that user and privileges granted to others by that user are
also deleted. If the owner of a schema is deleted, all objects in the schema are
also deleted even if they are owned by a different user. All privileges on these
objects are also deleted.
Note:
The owner of a table can change its ownership with the ALTER TABLE SQL
statement. In this case, the new owner becomes the grantor of all privileges on the
table granted by the original owner. The original owner is also automatically
granted all privileges for the table with the new owner as grantor. This ensures
that the original owner can continue to work with the table as before.
Analytic Privileges
Analytic privileges are used to allow read access to data in SAP HANA information models
(that is, analytic views, attribute views, and calculation views) depending on certain values or
combinations of values. Analytic privileges are evaluated during query processing.
Analytic Privileges are used in the SAP HANA database to provide fine-grained control of the
data that particular users can see for analytic use. They provide the ability for row-level
authorization, based on the values in one or more columns.
All Calculation Views, which have been designed in the modeler and have been activated, are
supported by the Analytic Privilege mechanism by default.
If you are already familiar with the authorization model of SAP NetWeaver Business
Warehouse (SAP NetWeaver BW), you will see many similarities between the two models.
The overall idea behind Analytic Privileges is the reuse of Analytic Views by different users.
However, different users may not be allowed to see the same data. For example, different
regional sales managers, who are only allowed to see sales data for their regions, could reuse
the same Analytic View. They would use the Analytic Privilege to see only data for their region,
and their queries on the same view would return to the corresponding data. This is a major
difference to the SAP NetWeaver BW model. While the concept itself is very similar, SAP
NetWeaver BW would forward an error message if you executed a query that returns values
that you are not authorized to see. With the SAP HANA database, the query would be
executed and, corresponding to your authorization, only values that you are entitled to see
would be returned.
An Analytic Privilege consists of several restrictions. Three of these restrictions are always
present and have the following special meanings:
● One restriction (cube restriction) determines the Calculation Views for which the privilege
is used. This may involve a single view, a list of views or, by means of a wildcard, all
applicable views.
● One restriction (activity restriction) determines the effected activity (for example, READ).
This means that the activity READ is restricted and not available for use.
● One restriction (validity restriction) determines the times at which the privilege is valid.
In addition to these three restrictions, many additional dimension restrictions are used. These
are applied to the actual attributes of a view. Each dimension restriction is relevant for one
dimension attribute, which can contain multiple value filters. Each value filter is a tuple of an
operator and its operands, used to represent the logical filter condition. For example, a value
filter (EQUAL 2006) can be defined for a dimension attribute YEAR in a dimension restriction
to filter accessible data using the condition YEAR=2006 for potential users.
Only dimension attributes, and no measures or key figures, can be employed in dimension
restrictions.
In general, the user has access to an individual Calculation View if the following prerequisites
are met:
● The user was granted the SELECT privilege on the view or the containing schema.
● The user was granted an Analytic Privilege that is applicable to the view. An Analytic
Privilege is applicable to a view if it contains the view in the Cube restriction and contains
at least one filter on one attribute of this view.
● No SELECT privilege on the underlying base tables or views of this view are required.
Before you implement row-level authorization using analytic privileges, you need to decide
which type of analytic privilege is suitable for your scenario. In general, SQL-based analytic
privileges allow you to more easily formulate complex filter conditions using sub-queries that
might be cumbersome to model using XML-based analytic privileges.
LESSON SUMMARY
You should now be able to:
● Describe the basic authorization concepts of the SAP HANA database
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe the role concept of the SAP HANA database
Privileges can be granted directly to users of the SAP HANA database. However, roles are the
standard mechanism of granting privileges as they allow you to implement complex, reusable
authorization concepts that can be modeled on business roles
Roles in the SAP HANA database can exist as runtime objects only (catalog roles), or as
design-time objects that become catalog objects on deployment (database artifact with file
suffix .hdbrole).
In an SAP HANA extended applications services, classic model (XSC) environment, database
roles are created in the built-in repository of the SAP HANA database using either the SAP
HANA Web Workbench or the SAP HANA studio. These are also referred to as repository
roles. In an SAP HANA extended applications services advanced model (XSA) environment,
design-time roles are created using the SAP Web IDE and deployed using SAP HANA
deployment infrastructure (SAP HANA DI, or HDI).
Note:
Due to the container-based model of HDI where each container corresponds to a
database schema, HDI roles, once deployed, are schema specific.
SAP HANA XSA has the additional concept of application roles and role collections. These are
independent of database roles in SAP HANA itself. In the XSA context, SAP HANA database
roles are used only to control access to database objects (for example, tables, views, and
procedures) for XSA applications. For more information about the authorization concept of
XS advanced, see the SAP HANA Security Guide.
Note:
There are no HDI or XSA equivalents in the SAP HANA authorization concept for
package privileges on repository packages and applications privileges on SAP
HANA XSC applications. For more information about the authorization concept of
XSA, see the SAP HANA Security Guide.
For the best performance of role operations (in particular, granting and revoking), keep the
following basic rules in mind:
● Create roles with the smallest possible set of privileges for the smallest possible group of
users who can share a role (principle of least privilege).
● Avoid granting object privileges at the schema level to a role if only a few objects in the
schema are relevant for intended users.
● Avoid creating and maintaining all roles as a single user. Use several role administrator
users instead.
Types of Roles
Roles in the SAP HANA database can exist as runtime objects only (catalog roles), or as
design-time objects (repository roles) that become catalog objects on deployment (database
artifact with the file suffix .hdbrole).
Before the arrival of SAP HANA XSA, there were two types of roles in HANA: catalog roles,
which are created directly in the catalog, and repository roles, which are created using the
SAP HANA repository.
With the introduction of SAP HANA XSA, new types of roles were also introduced, known as
HDI-based roles. Like repository roles, HDI-based roles provide role versioning and can be
transported between systems.
Types of Roles
In an SAP HANA XSC environment, database roles are created in the built-in repository of the
SAP HANA database using either the SAP HANA Web IDE or the SAP HANA cockpit. These
are also referred to as repository roles. In an SAP HANA XSA environment, design-time roles
are created using the SAP Web IDE and deployed using SAP HANA Deployment Infrastructure
(SAP HANA DI, or HDI).
SAP HANA XSA has the additional concept of application roles and role collections. These are
independent of database roles in SAP HANA itself. In the XSA context, SAP HANA database
roles are used only to control access to database objects (for example, tables, views, and
procedures) for XSA applications. For more information about the authorization concept of
XS advanced, see the SAP HANA Security Guide.
It is possible to create roles as pure runtime objects that follow classic SQL principles or as
design-time objects in either an SAP HANA XSA or XSC environment.
Note:
SAP HANA XSC and the SAP HANA repository are deprecated as of SAP HANA
2.0 SPS 02. For more information, see SAP Note 2465027.
Catalog roles are useful in scenarios where user and role provisioning is carried out solely
using a higher-level application that connects to SAP HANA through a technical user, such as,
SAP Identity Management.
The following table summarizes the differences between catalog roles and design-time roles:
In general, it is recommended that you model roles as design-time objects for the following
reasons:
● Unlike roles created at runtime, roles created as design-time objects can be transported
between systems. This is important for application development as it means that
developers can model roles as part of their application's security concept and then ship
these roles or role templates with the application. Being able to transport roles is also
advantageous for modelers implementing complex access control on analytic content.
They can model roles in a test system and then transport them into a production system.
This avoids unnecessary duplication of effort.
● Roles created as design-time objects are not directly associated with a database user.
They are created by technical users and granted through the execution of stored
procedures. Any user with access to these procedures can grant and revoke a role. Roles
created at runtime are granted directly by the database user and can be revoked only by
the granting user or a user with the ROLE ADMIN system privilege. Additionally, if the
database user is deleted, all roles that he or she granted are revoked. As database users
correspond to real people, this could impact the implementation of your authorization
concept, for example, if an employee leaves the organization or is on vacation.
LESSON SUMMARY
You should now be able to:
● Describe the role concept of the SAP HANA database
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Define, create and manage catalog roles
Managing catalog roles has several challenges, especially with regard to transportation and
revocation of privileges and roles.
Catalog roles can be created on Role Management page of the SAP HANA Cockpit or using an
SQL command.
To create a catalog role, the ROLE ADMIN system privilege is needed. This system privileges
also allows granting of any catalog role.
To grant a system privilege, the granting user requires the system privilege being granted
and to be authorized to grant it to other users and roles.
Object privilege
To grant an object privilege on an object that exists only in runtime, the granting user
needs the object privilege being granted and to be authorized to grant it to other users
and roles.
Role
To grant a role created at runtime, the granting user requires the role being granted and
to be authorized to grant it to other users and roles, or, ROLE ADMIN system privilege.
The figure, Difficulties with Catalog Role Creation and Modification, outlines the limitations of
catalog roles, and the main reasons to use application-deployed roles.
The limitations are related to the object ownership concept, which is part of the basic
database functionalities.
There are disadvantages to take into consideration when working with catalog roles. If a user
grants a privilege using the GRANT statement, the privilege is automatically revoked when the
grantor is dropped or loses the granted privileges. Only the grantor can revoke the privilege.
With the stored procedures approach, any user with the EXECUTE privilege on the relevant
revoke procedure can revoke a granted privilege, regardless of the grantor. If the grantor is
dropped, none of the privileges that they granted are revoked.
Note:
The system privilege ROLE ADMIN supersedes the GRANT OPTION.
The following list shows some common errors that occur during a save:
● Missing privilege for editing role
● Missing grant option (for example, system privilege ROLE ADMIN missing), or, without
ROLE ADMIN, GRANT OPTION for the missing role
A role can also be revoked from users in the User Editor of SAP HANA Cockpit, or using the
REVOKE statement.
With regard to the cascaded dropping of privileges, if the user has granted the role to other
users, revoking the role (and the grant option) also revokes the role from the user who has
been granted access.
Note:
Only the grantor of a catalog role is allowed to revoke the role from a user.
LESSON SUMMARY
You should now be able to:
● Define, create and manage catalog roles
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Create HDI roles
● Create HDI Roles to access database objects located in a different SAP HANA instance or
schema
Design-time objects are created within a project stored in the GIT repository. When the
developer deploys the project, a runtime version of the objects is created in a HDI container in
the SAP HANA database.
With XSA, a new controller model has been introduced which is composed of a hierarchy of
organizations and spaces. This new model allows us to separate administration privileges per
organization and space, and to isolate resources and privileges between applications that are
in different spaces.
The HDI containers provide security isolation as it is based on a “zero” privileges principle by
default. All objects within a container are owned by the #OO user. This user has the following
characteristics:
● The object owner is a restricted database user.
● The object owner has CREATE ANY privileges on the schema.
At database level, the container has a schema for storage identified by the suffix #DI.
In the example in the figure, HDI Container Isolation, view X has no direct reference to table
ERP.Y.
The HDI container isolation also affects the creation of database roles through XSA. When we
create a database role, using XSA, the database role will be deployed within a HDI container
and it will be owned by the database object owner. Therefore, to be able to deploy the roles,
the role can only contain privileges that are assigned to the #OO user with GRANT / ADMIN
option. Otherwise, the deployment will fail due to a “Missing Authorization Error”.
Note:
The initial step is to setup and prepare XSA + SAP Web IDE application. Once the
setup is ready, we need to setup our organization and spaces in a way that suits
the needs of our organization.
How to create spaces, setup users, and call the SAP Web IDE can be found in
chapter Post-Installation Administration Tasks in the SAP Web IDE for SAP HANA
Installation and Upgrade Guide.
Our recommendation is to setup at least a dedicated space for role developing.
You can find more details in the Best practices and recommendations section in
the Best practices and recommendations for developing roles in SAP HANA
document.
Let's look at a scenario where you want to create your own custom roles for database
administration so that every user can have proper system privileges. You want the roles to be
transportable, so they cannot be catalog roles.
Since roles are database objects, you need to create a HDI Container and store the roles in it.
To create the HDI Container, you access the WebIDE and create a multi-target application
(MTA) containing a SAP HANA Database module.
In the module, you create the design time version of the Roles. When you build the module,
the HDI container is created with the runtime versions of the roles that can be assigned to
users by an administrator user with ROLE ADMIN system privilege.
Before you can build the application, the Object Owner needs to be provided with all the
additional authorizations it will use in the roles.
we are deploying the project for the first time or when transporting the roles, as the role will
be granted to the #OO when it is created and the deployment will succeed. Also, there won´t
be any additional work in scenarios with multiples containers as the role will be assigned to all
the #OO users.
However, as the _SYS_DI_OO_DEFAULTS role is assigned to all #OO users, this will break (at
HANA level) the separation created by different spaces at XSA level.
For further details on how to create the different development objects needed for role
developing, we can take a look at the SAP HANA Developer Guide for SAP HANA XS Advanced
Model.
HDI roles are created using the SAP Web IDE. You create them as design time development
artifacts (text files with .hdbrole extension) within a MTA development project.
When the project is built, a small software application is created in XSA, together with a HDI
container in the SAP HANA database. In the HDI container, the runtime database roles are
created.
Any change and rebuild of the existing design-time roles in the project will cause an automatic
regeneration of the runtime role, in line with the new design.
When you transport the role to a new system, the design time role is transferred and then
rebuilt. In this way, the runtime version is also aligned to the version in the original system
without the need to be explicitly transferred.
The MTA descriptor contains the metadata of all entities comprising an application, or, the
metadata used by it during deployment or runtime, and the dependencies between them.
The MTA descriptor (the mta.yaml file located in the root project folder) is automatically
generated when an application project is created from scratch, and it is updated when the
project properties change or when a module is added or removed. However, not all the
necessary information can be generated automatically. You need to maintain the descriptor
manually to define resources, properties, and dependencies, as well as fill in missing
information.
Figure 75: Properties of HDI Roles Created Using Design Time Artifacts
The design time role is a text file with a .hdbrole extension. The file has a JSON type structure
using curly and square brackets to delimit the content. The file content describes the role
name and the list of privileges to be assigned.
The structured privilege allows you to define authorizations at line and column level within a
specific database table. The design time structured privilege is a text file with
extension .hdbstructuredprivilege.
The definition of the subset of visible data is defined via a (SQL) SELECT statement within the
privilege definition. The privilege is then referenced within the role definition (file .hdbrole).
The role can be assigned to the user.
Let's take a look at a scenario where you have to create a database role that grants select
privileges to users on a table stored in your SAP HANA database. You want this role to be
transportable from your development system to your test system (you cannot create it as a
catalog role).
The solution steps are as follows:
1. In the XSA cockpit, create a user-defined service that can access the remote schema via a
technical user with select privileges to the remote table.
5. In the application, (optionally) create a structured privilege that gives access to specific
columns and lines of the view.
This way, the role is part of an application, and the application can be transported from your
development system to your test system.
LESSON SUMMARY
You should now be able to:
● Create HDI roles
● Create HDI Roles to access database objects located in a different SAP HANA instance or
schema
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Compare role types
LESSON SUMMARY
You should now be able to:
● Compare role types
Learning Assessment
X True
X False
X A Object
X B Role
X C System
X D Group
X E Package
X F Analytic
X True
X False
4. Catalog roles are owned by the database user who creates them.
Determine whether this statement is true or false.
X True
X False
5. In a MTA, you create a role containing a system privilege. Which of the following
alternative actions will allow you to build the application without errors?
Choose the correct answers.
X A Grant the system privilege to the ##OO user of the generated HDI container.
6. In a MTA, you want to create a HDI role that grants select privileges to a database table
located in a schema in a different SAP HANA Database. What do you use, in XSA, to
access the remote database?
Choose the correct answer.
X B A user-defined service
X C A Connectivity service
X D A Destination
X E A Route
X True
X False
This is correct. The owner of an object is the user who creates the object.
X A Object
X B Role
X C System
X D Group
X E Package
X F Analytic
This is correct. Object, System, Package, and Analytic are all privilege types in SAP HANA.
X True
X False
4. Catalog roles are owned by the database user who creates them.
Determine whether this statement is true or false.
X True
X False
Correct. Catalog roles are owned by the database user who creates them.
5. In a MTA, you create a role containing a system privilege. Which of the following
alternative actions will allow you to build the application without errors?
Choose the correct answers.
X A Grant the system privilege to the ##OO user of the generated HDI container.
This is correct! When you create a role containing a system privilege, you need to grant
the same privilege to the #OO user of the generated HDI container. Alternatively, you can
grant it to the _SYS_DI_OO_DEFAULTS role.
6. In a MTA, you want to create a HDI role that grants select privileges to a database table
located in a schema in a different SAP HANA Database. What do you use, in XSA, to
access the remote database?
Choose the correct answer.
X B A user-defined service
X C A Connectivity service
X D A Destination
X E A Route
Lesson 1
Set up personalized database administrator users 117
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Knowing the SYSTEM database user
Note:
However, the SYSTEM does not automatically have access to objects created in
the SAP HANA repository.
In a system with multitenant database containers, the SYSTEM user of the system database
has additional privileges for managing tenant databases, for example, creating and dropping
databases, changing configuration (*.ini) files of databases, and performing database-specific
data backups.
It is important that the SYSTEM user is not scheduled for any background tasks, is not used in
interfaces, and its login data is not used for connections (e.g. in the SAP HANA Cockpit).
If the SYSTEM user's password is lost, you can reset it using the operating system user
(<sid>adm user). Changing the system parameter indexserver.ini - password
policy - password_lock_for_system_user (default value: TRUE), to the FALSE value,
forces the SYSTEM user so that they cannot be locked through false login attempts. This
enables brute force attacks on this user. We recommend the parameter value should remain
set to the TRUE default value.
The SYSTEM user of the system database requires the following additional system privileges
in comparison to the system user of a tenant database:
● DATABASE ADMIN
● DATABASE AUDIT ADMIN
● DATABASE BACKUP ADMIN
● DATABASE BACKUP OPERATOR
● DATABASE RECOVERY OPERATOR
● DATABASE START
● DATABASE STOP
Note:
You can find more about assigning important system privileges to administrator
users in SAP Note: 2950209 - Critical System Privilege in SAP HANA Database.
The SYSTEM user is the built-in user designed to bootstrap the database. Bootstrapping
entails creating the initial system setup, which includes a list of objects, user and roles, as well
as the initial system configuration.
Do not use SYSTEM for day-to-day activities in production systems. Instead, use it to create
database users with the minimum privilege required for their duties set (for example, user
administration,and system administration) and then deactivate the SYSTEM.
Note:
In the context of updating a SAP HANA extended application services, advanced
model (XSA) runtime installation, a lesser-privileged database user cannot be
used. The SYSTEM user is required and needs to be temporarily reactivated for
the duration of the update.
Each user should be granted a corresponding role. Multiple privileges can be combined and
assigned to a role.
Note:
It is not advised to create a copy of the SYSTEM user, as it would be another
powerful user. The next logical step is to define and create roles for those
administrative accounts.
In the SAP HANA cockpit, search for the User & Role Management card and click the User
Management link. In the User Management app, scroll down the Users list or leverage the
search field to filter for the desired user.
Choose the Deactivate button and confirm the dialog box.
Alternatively you can execute the following SQL statement:
ALTER USER SYSTEM DEACTIVATE USER NOW;
Note:
The SYSTEM user is not required to update the SAP HANA database system; a
lesser-privileged user can be created for this purpose.
The SYSTEM user is deactivated and can no longer connect to the SAP HANA database.
However, it may appear as though SYSTEM is still active in the system (for example, when a
procedure that was created by SYSTEM with DEFINER MODE is called).
You can verify that the SYSTEM user is deactivated in the USERS system view. For SYSTEM
user, check the values in theUSER_DEACTIVATED, DEACTIVATION_TIME, and
LAST_SUCCESSFUL_CONNECT columns.
You can still use the SYSTEM user as an emergency user even if it has been deactivated. Any
user with the USER ADMIN system privilege can reactivate SYSTEM with the statement
ALTER USER SYSTEM ACTIVATE USER NOW.
Note:
To ensure that an administrator does not do this surreptitiously, it is
recommended that you create an audit policy monitoring ALTER USER
statements. Also change the password of the SYSTEM user after reactivating it.
You can find more about deactivating the SYSTEM user in 2493657 - How do I
deactivate the SYSTEM User?.
In the SAP HANA cockpit, search for the User & Role Management card and start the User
Management app. Search and select the SYSTEM user.
Choose the Activate button and confirm the dialog box.
Alternatively you can execute the following SQL statement:
ALTER USER SYSTEM ACTIVATE USER NOW;
LESSON SUMMARY
You should now be able to:
● Knowing the SYSTEM database user
Learning Assessment
X True
X False
X A TRUST ADMIN
X B ALTER
X C USER ADMIN
X D UPDATE
X True
X False
Correct. The SYSTEM user is not required to update the SAP HANA database system; a
lesser-privileged user can be created for this purpose.
X A TRUST ADMIN
X B ALTER
X C USER ADMIN
X D UPDATE
That is correct. To deactivate the SYSTEM user, you need the USER ADMIN system
privilege.
Lesson 1
Managing Authentication 127
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe the different authentication mechanisms availablein SAP HANA
For HTTP/HTTPS access to SAP HANA by means of XSC and XSA, users can be
authenticated by client certificates signed by a trusted Certification Authority (CA),
which can be stored in the SAP HANA XS trust store.
JSON Web Token (JWT)
A JSON Web Token can be used to authenticate users accessing SAP HANA directly from
ODBC/JDBC database clients or indirectly through XSA.
Lightweight Directory Access Protocol (LDAP)
A password stored in an LDAP directory server can be used to authenticate users
accessing SAP HANA directly from ODBC/JDBC database clients, if authentication using
users' local SAP HANA authentication has been disabled.
Note:
A user who connects to the database using an external authentication
provider must also have a database user known to the database. The
external identity and the database user name are the same. If the LDAP
provider is enabled to create database users in SAP HANA, the required
user is created automatically if it doesn't exist.
Session cookies
Session cookies are not technically an authentication mechanism. However, they
reconnect users who have already been authenticated by Kerberos or SAML and extend
the validity period of logon and assertion tickets.
Note:
For JDBC and ODBC client connection, user passwords are always transmitted in
encrypted hashed form during the user authentication process, never in plain text.
For HTTP connections, HTTPS must be configured. In SSO environments, we
recommend using encrypted communication channels for all client connections.
A user who connects to the database using an external authentication provider
must also have a database user known to the database. The external identity is
mapped to the identity of an internal database user.
Caution:
If you have configured, in tenant databases or the system database, single sign-
on mechanisms that rely on trust stores located in the file system (such as, SAP
logon and assertion tickets or SAML) and the trust stores are shared, users of
one tenant database may be able to log on to other databases in the system.
● By default, only the system administrator can configure separate trust and key stores for
tenant databases by changing the relevant properties in the global.ini file. This is
because tenant database administrators are prevented from changing any communication
properties. They are in the default configuration change blocklist multidb.ini.
passwords hashed with secure hash algorithm SHA-256. Even if a password is listed as a
supported authentication method here, a user will not be able to log on with a SHA-256
hashed password if this hash method has been disabled with the parameter [authentication]
→ password_hash_methods.
Note:
If you are using SAP HANA dynamic tiering, it is not possible to disable logon and
assertion tickets (SAP Logon) as an authentication mechanism.
Caution:
Do not change configuration files directly. These changes cannot be audited.
In the Password Exclude List area of the Authentication app, add the words or partial words
that you want to prohibit in passwords. This is implemented in SAP HANA with the table
Figure 88: Configuring the password policy and add unwanted words to the blocklist
To view and edit information about authentication, the administrator needs the system
privileges CATALOG_READ and INIFILE ADMIN and must be granted the SELECT, INSERT,
and DELETE object privileges on the _SYS_PASSWORD_BLACKLIST table in the
_SYS_SECURITY schema.
● Maintain password policy parameters in the system database. Parameters are stored in
the nameserver.ini file; in a tenant database they are stored in the indexserver.ini file.
● Set the minimal password length to the value 10 in the system database:
ALTER SYSTEM ALTER CONFIGURATION ('nameserver.ini', 'SYSTEM') SET
('password policy', 'minimal_password_length') = '10'
● Set the minimal password length to the value 10 in a tenant database:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'DATABASE') SET
('password policy', 'minimal_password_length') = '10'
● Set the minimal password length to the value 10 in the system database for a tenant
database:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'DATABASE',
'<tenant_database_name>') SET ('password policy',
'minimal_password_length') = '10'
The console tool setParameter.py can be used either when the database is offline or online, if
for any reason it is not possible to make a configuration parameter change by executing an
SQL statement. The tool ensures that if changes are made simultaneously to an *.ini file the
changes are synchronized and applied correctly, this eliminates the need for administrators
to directly edit ini files. You can use the tool as a script to set or unset multiple values at the
same time.
The following example sets the password length to 10. The reconfigure argument is used
(assuming the system is running) so the command will also attempt to reconfigure the
service:
python setParameter.py -set="DATABASE:<database_name>/indexserver.ini/
password policy/minimal_password_length=10" -comment="<your_comment>" -
reconfigure -sapcontrol=1
After submitting the command one of the following codes is returned indicating success or
failure of the execution:
● 0 - Successful execution
● 1 - Could not be executed because of incorrect usage (unexpected parameter values)
● 2 - Other error
If the -sapcontrol=1 switch is set then one of the following is printed in the output:
● SAPCONTROL-OK
● SAPCONTROL-ERROR:<errorMsg>
If the users of a user group have different password requirements, you can configure group-
specific values for the individual parameters of the password policy in the definition of the
user groups.
You need the USERGROUP OPERATOR object privilege on the user group. If the user group is
configured for shared administration (administration mode: Group and user administrators),
USER ADMIN system privilege is also sufficient.
To configure a password policy for a specific user group, the following steps must be
performed in the SAP HANA cockpit:
1. On the Database Overview page, with the Security and User Management or All
view selected, choose the User Group Management link.
3. In the Password Policy area, choose Configure or Edit and configure the options in line with
the user group's requirements.
Note:
The initial values for all options are copied from the password policy
configured for the database. If you do not configure a group-specific value for a
particular parameter, the value from database password policy applies.
Choosing Reset Default reapplies all values from the database password
policy.
To determine which password policy a user is currently subject to, query the system view:
M_EFFECTIVE_PASSWORD_POLICY:
SELECT * from "PUBLIC"."M_EFFECTIVE_PASSWORD_POLICY" where USER_NAME =
'<user_name>';
Note:
In the Manage User Groups lesson, the following example creates a user group
called AdminGroup and sets several password policy options for the usergroup:
CREATE USERGROUP AdminGroup SET PARAMETER
'password_layout' = 'A1a!', 'minimal_password_length' =
'12' ENABLE PARAMETER SET 'password policy';
If a group-specific value is not explicitly set for a parameter, the value configured in the
password policy of the database appears as the user group value in
USERGROUP_PARAMETERS.
ODBC and JDBC database clients support the Kerberos protocol. Access from front-end
applications (for example, SAP BusinessObjects XI applications) can also be implemented
using Kerberos delegation. Support for constrained delegation and protocol transition is
limited to scenarios in which the middle-tier application connects to SAP HANA as the
database layer via JDBC.
Kerberos is supported for HTTP access using XSA and XSC with SPNEGO. It is up to the HTTP
client whether it uses Kerberos directly or SPNEGO.
The indirect authentication option is used in SDA (Smart Data Access) scenarios between
different SAP HANA or Hadoop systems, where the login to the first database can be reused
in another system connected to the first as a remote source.
SAP HANA smart data access makes it possible to connect remote data sources, and to
present the data contained in these data sources as if from local SAP HANA tables. This can
be used, for example, in SAP Business Warehouse installations running on SAP HANA to
integrate data from remote data sources.
Connections from SAP HANA system (source) to the remote source system (target) can be
authenticated through Kerberos single sign-on (SSO), in case the remote source is an SAP
HANA or Hadoop system.
To allow users to log on to the SAP HANA database from a client using Kerberos
authentication, the following configuration steps are necessary:
1. Install MIT Kerberos client libraries on the host(s) of the SAP HANA system.
2. Configure the SAP HANA system for Kerberos and/or SPNEGO authentication.
3. Map SAP HANA database users to their external identities stored in the Kerberos key
distribution center (KDC).
Note:
In distributed SAP HANA systems that use Kerberos delegation (SSO2DB),
application disruptions resulting from expired authentication are avoided though
the use of session cookies. This mechanism is active by default.
Since the keys stored in the keytab are generated from the service user password, you should
change the service user password periodically. After the password has been changed, the
keytab has to be either created again or extended to contain the new key(s), since a password
change implies an increment of the Key Version Number (KVNO).
Note:
For more information, see SAP Note: 1813724 - HANA SSO using Kerberos and
SPNEGO: Create keytab and validate Kerberos configuration
SAML
SAP HANA supports the Security Assertion Markup Language (SAML) for user authentication
in single sign-on environments. SAML is used for authentication purposes only, and not for
authorization.
SAML provides the mechanism by which the identity of users accessing the SAP HANA
database from client applications is authenticated. This authentication is done by XML-based
assertions that are issued by a trusted identity provider. The internal database user to which
the external identity is mapped is used for authorization checks during the database session.
With SAML, a user can log on to one system in an environment, and then access other
systems in that environment without needing to log on again (until the Web browser session is
ended).
The Identity Provider (IDP) maintains a directory of users and an authentication mechanism
to authenticate them. The Service Provider is the target application that a user tries to utilize.
The principal must be registered in the IDP.
The figure, How it Works for HTTP(S) Access, depicts the standard scenario for SAML
authentication usage between Web applications.
The IDP can authenticate the user in different ways (for example, using another SSO option
like Kerberos).
To enable logon using SAML bearer assertions, you must configure identity providers and
then map them to the required database users.
Two types of user mapping are supported, as follows:
You can configure SAML identity providers and configure user mapping for ODBC/JDBC-
based SAML authentication in the SAP HANA Cockpit.
To add a SAML Provider in the SAP HANA cockpit, you must have the following prerequisites:
● The USER ADMIN system privilege.
● A certificate collection created with the SAML purpose in the database, and have imported
the X.509 certificates that will be used to sign the SAML assertions from the IDP. Ensure
that the entire certificate chain of the X.509 certificate is available.
● The configured [authentication] saml_service_provider_name system property, if
necessary.
You can configure an SAP HANA system to act as a service provider for XSA that use single
sign-on (SSO) authentication based on Security Assertion Markup Language (SAML)
certificates.
The XSA Cockpit includes Trust Configuration, which you can use to configure SAML identity
providers at runtime. If you want your XSA applications to use SAML assertions as the logon
authentication method, the following steps must be performed:
● - Create a SAML IDP
- Manage trust configurations
- Map role collections to an SAML IDP
Note:
To use strong cryptographic keys with at least 256 bit in the SAML 2.0
assertion token, install Java Cryptography Extension (JCE) in your SAP JVM
and activate the use of 'unlimited' cryptographic keys.
For more information, see SAP Note 1240081 - Java Cryptography Extension
(JCE) Jurisdiction Policy Files.
While you can configure SAML providers for ODBC/JDBC-based SAML authentication using
the SAP HANA cockpit or SQL, always use the SAP HANA XS Administration Tool to configure
SAML providers that will be used for HTTP access via the XS server. You also use the SAP
HANA XS Administration Tool to configure an SAP HANA system to act as an SAML service
provider.
The SAP HANA XS Administration Tool is available on the SAP HANA XS Web server at the
following URL: http://<WebServerHost>:80<SAPHANAinstance>/sap/hana/xs/
admin/.
The information required to maintain details of an SAML IDP is specified in an XML document
containing the IDP metadata.
To add the new SAML IDP to the list of known SAML IDPs, choose Create. The new SAML IDP
is displayed in the list of known IDPs on the left-hand side of the SAML CONFIGURATION tool.
X.509 Certificates
For HTTP/HTTPS access to SAP HANA by means of SAP HANA XS, users can be
authenticated by client certificates signed by a trusted Certification Authority (CA), which can
be stored in the SAP HANA XS trust store.
To implement X.509 client certificates, the user specified in the certificate must already exist
in SAP HANA. There is no support for user mapping.
Note:
CommonCryptoLib is installed by default as part of SAP HANA server installation
in the usr/sap/<SID>/SYS/global/security/lib directory.
The SAP HANA XS Administration Tool is available on the SAP HANA XS Web server at the
following URL: http://<WebServerHost>:80<SAPHANAinstance>/sap/hana/xs/admin/
The SAP HANA XS Administration Tool is a Web-based tool that enables you to configure and
maintain the basic administration-related elements of the application-development process
and environment.
When you enter the URL for your application in the Web browser, it prompts you to select a
certificate, which enables you to log on without supplying logon credentials manually.
1. Add the root certificate of the X.509 user certificates in PEM format to your XS advanced
runtime platform.
2. Create a new user in the SAP HANA database based on the details specified in an existing
X.509 certificate. For example:
CREATE USER MyUserName WITH IDENTITY 'CN=MyUserName, O=SAP-AG, C=DE'
ISSUER 'CN=SSO_CA, O=SAP-AG, C=DE' FOR X509
3. Configure the user in SAP HANA. Use the SAP HANA administration tool of your choice,
select X509 and Configure X.509 user certificates.
4. Test the logon authentication settings for the XS advanced application using a Web
browser.
Entering the URL for your application in the Web browser, it prompts you to select a
certificate, which enables you to log on without supplying logon credentials manually.
The SAP Logon Ticket is an authentication token that can be used for repeated authentication
on the system that created it or for authentication on systems other than the system that
created it, eliminating the requirement to repeatedly enter logon IDs and passwords to get
access to those systems. It is typically transmitted as a non-persistent cookie and contains
details about the user and the system that created it but it does not contain user passwords.
The SAP logon ticket has a lifetime that is configured in the system that creates the ticket.
Logon tickets are used for user-to-system communication, whereas assertion tickets are
used for system-to-system communication. Logon tickets are transmitted as cookies,
whereas assertion tickets are transported as HTTP headers.
The validity of logon tickets is configured, whereas the validity of assertion tickets is hard-
coded (2 minutes).
Logon tickets never identify a recipient, as they target multiple systems. Assertion tickets are
always issued for a single recipient.
SAP HANA validates incoming logon/assertion tickets against certificates signed by a trusted
Certification Authority (CA) and stored in a dedicated trust store. This trust store must
contain all root certificate(s) used to validate logon/assertion tickets.
Figure 103: SAP Logon and Assertion Tickets Prerequisites: Trust Store
Caution:
By default, the same trust store in the file system is shared by all databases.
Different PSEs must be explicitly configured for tenant databases.
The user named in an incoming logon ticket must exist as a database user. The database user
also must be configured for authentication using logon/assertion tickets.
Figure 104: SAP Logon and Assertion Tickets Prerequisites: User Configuration
● Clients that connect to SAP HANA through the SAP HANA XS advanced server
Note:
To avoid replay attacks, we recommend that you set up secure communication
between the individual components of the SAP HANA database and client
connections using the Transport Layer Security (TLS) protocol when
implementing JWT authentication.
SAP HANA validates tokens according to the Internet Engineering Task Force (IETF)
standard, with the following restrictions and requirements.
The header part of the token claims the hashing algorithm used to generate the signature
(must be RS256):
{
"alg": "RS256",
"typ": "JWT"
}
SAP HANA evaluates the following claims in the payload part of the token:
● "iss" (issuer): Is required to map the token to an identity provider configured in the SAP
HANA database.
● "user_name" (user name): Is required for mapping the database user to an external user
name.
● "nbf" (not before) and "exp" (expiration time): Define the validity period of the token:
{
●
"iss": "http://localhost:8080/uaa/oauth/token",
"user_name": "testuser",
"nbf": 1489571999,
"exp": 1489572899,
}
The configuration for the "user_name" claim is defined in the IDP when it is created in SAP
HANA:
CREATE JWT PROVIDER my_jwt_provider WITH ISSUER 'http://example.com:
8080/uaa/
oauth/token' CLAIM 'testuser' AS EXTERNAL IDENTITY;
1. On the Database Overview page, with the Security and User Management or All view
selected, navigate to Security Related Links and choose JWT Identity Providers.
● Enter the issuer URL - this is used to map the token to an identity provider. It
corresponds to the name provided in the "iss" claim of the JWT tokens issued by this
JWT provider.
● Enter the JWT identity claim - this is the claim in the JWT token used for mapping the
SAP HANA user to an external user name.
● Choose Add.
The IDP can now be mapped to individual database users. You map the IDP when you create
the database user. Alternatively, if the database user already exists, you can change the
user's authentication details.
LESSON SUMMARY
You should now be able to:
● Describe the different authentication mechanisms availablein SAP HANA
Learning Assessment
X A Kerberos
X C SAML
X True
X False
X A Kerberos
X C SAML
This is correct. Kerberos, SAML, SAP logon and assertion tickets, and basic authentication
are all supported in SAP HANA.
X True
X False
This is correct. All the authentication mechanisms are enabled by default in SAP HANA
Lesson 1
Describing Cross-Database Authorizations in Tenant Databases 151
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Describe Cross-Database Authorizations in Tenant Databases
A SAP HANA multitenant database system specifies that every tenant database is self-
contained with its own isolated set of database users and isolated database catalog by
default. This ensures that data in one database cannot be accessed by another database.
However, to support, for example, cross-application reporting, cross-database SELECT
queries are possible. This means that database objects, such as, tables and views, can be
local to one database but read by users from other databases in the same system.
Read-only queries between tenant databases are possible through the association of the
requesting user with a remote identity on the remote database(s). Cross-database access is
not enabled by default and must be configured before such user mappings can be set up.
A user in one database can run a query that references objects in another database if the user
is associated with a sufficiently privileged user in the remote database. This associated user is
called a remote identity. This is the user who executes the query (or part of the query) in the
remote database and therefore the user whose authorization is checked.
Note:
To enable cross-database access, you need the INIFILE ADMIN system privilege.
USER2 in DB2 wants to query the table SCHEMA1.TABLE1 in DB1, for example,
SELECT * FROM DB1.SCHEMA1.TABLE1
1. On the Database Overview page of the system database in the SAP HANA cockpit, open
the Manage Database Configuration app.
3. Enable communication from one tenant database to one or more other tenant databases
by executing the following statement in the system database:
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') set
('cross_database_access', 'targets_for_DB2')='DB1' WITH RECONFIGURE;
4. The administrator of DB1 creates a user in DB1 with a remote identity in DB2
(alternatively, they define a remote database identification for an existing user).
CREATE USER USER1 WITH REMOTE IDENTITY USER2 AT DATABASE DB2
ALTER USER USER1 ADD REMOTE IDENTITY USER2 AT DATABASE DB2
5. The administrator of DB1 grants USER1 the privileges required to read the table
SCHEMA1.TABLE1.
Note:
Only step 4 from the above listing must be done with SQL. All other steps can
be performed with the SAP HANA Cockpit.
Generally, users receive the "Not authorized" error if they attempt a cross-database operation
that is not supported by the current configuration. However, if your configuration follows the
official documentation, then the error is caused by a missing restart of the SAP HANA system.
Note:
For more information, see SAP Note: 3048024 - Executing a Cross-Database
Access Query Fails with Error SAP DBTech JDBC: [258]: insufficient privilege: Not
authorized.
Note:
LDAP group authorization is not supported for cross-database queries between
tenant databases. The remote identity of a user must be authorized using the
standard mechanism.
SYS.M_INIFILE_CONTENTS
This system view in the system database, shows whether the cross_database_access -
enabled parameter in the global.ini file contains the TRUE or FALSE value. It also displays
the communication direction between the source and the target database (if configured).
SELECT * FROM SYS.M_INIFILE_CONTENTS WHERE SECTION =
'cross_database_access' AND FILE_NAME = 'global.ini'
SYS.USERS
The HAS_REMOTE_USERS column indicates whether or not a particular user in the local
database has remote identities in other databases.
SELECT USER_NAME, HAS_REMOTE_USERS FROM SYS.USERS WHERE
HAS_REMOTE_USERS = 'TRUE'
SYS.REMOTE_USERS
This system view shows which local users can be used by users on other databases for
cross-database query execution.
SELECT * FROM REMOTE_USERS
Note:
The system views EFFECTIVE_PRIVILEGES and ACCESSIBLE_VIEWS do not
include privileges that a user has through a remote identity.
1. You are creating views, procedures, or synonyms to access objects on other tenant
databases in the same system. After dropping and re-creating an object on a remote
tenant database, you can no longer access the view or procedure on the local tenant
database. You get error messages, such as, invalidated view or invalidated
procedure. You also notice that the IS_VALID column in the system views VIEWS and
PROCEDURES do not accurately reflect the fact that the view or procedure is invalid. In
addition, there are entries missing in the OBJECT_DEPENDENCIES system view for the
affected views, procedures, or synonyms.
Cross-database access only supports read-only operations. Changes to an object on one
tenant database cannot therefore be reflected accurately on other tenant databases that
contain objects dependent on the changed object. This affects the validity flag in the
relevant system views, as well as the object dependencies. Remote objects may stay valid
if they retain their internal object identifier during re-creation and are re-created in an
compatible way, but they will become invalid if their internal object identifier changes.
Re-create the dependent object in the local tenant database in order for it to become valid
again.
2. You are querying an SQL view or a calculation view on a remote tenant database and the
view itself accesses objects on a third tenant database (multi-level cross-database
access). You are getting error messages, such as, insufficient privilege: not
authorized. Analytic privileges on the third tenant database may be evaluated based on
the wrong database user.
Cross-database queries do not support multiple tenant database levels as part of a view
hierarchy, even if communication between databases is enabled (including the required
authorized remote users).
Note:
For more information see:
● SAP Note 2426335 - Cross Database access within Multitenant DB's returns
error Insufficient privilege: Not authorized.
● SAP Note 3048024 - Executing a Cross-Database Access Query Fails with
Error SAP DBTech JDBC: [258]: insufficient privilege: Not authorized.
● Troubleshooting Error Situations Related to Cross-Database Access section in
the SAP HANA Administration Guide for SAP HANA Platform.
LESSON SUMMARY
You should now be able to:
● Describe Cross-Database Authorizations in Tenant Databases
Learning Assessment
1. In a SAP HANA system, the SYSTEM user is shared across all the tenant databases to
allow shared system administration.
Determine whether this statement is true or false.
X True
X False
X A SELECT
X B INSERT
X C UPDATE
X D DELETE
1. In a SAP HANA system, the SYSTEM user is shared across all the tenant databases to
allow shared system administration.
Determine whether this statement is true or false.
X True
X False
That is correct. Every tenant database is self-contained with its own isolated set of
database users.
X A SELECT
X B INSERT
X C UPDATE
X D DELETE
Lesson 1
Tracing authorization errors 161
Lesson 2
Viewing Information about Users and Authorizations 167
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Trace authorization errors
When a user is not authorized to perform an operation and receives an "insufficient privilege"
error, it is often difficult to know which privilege or privileges the user is in fact missing. Many
"insufficient privilege" errors therefore also return a GUID that allows you as an administrator
to identify the missing privilege. You can then decide whether to grant the privilege to the
user.
To resolve a missing authorization error, the following process is recommended:
Note:
We recommend deactivating the trace as soon as the issue is reproduced to avoid
any performance impact on the system.
To configure a user-specific tenant database authorization trace: Activate the trace for a
specific database user in the Database Explorers Trace Configuration screen and set the trace
level “Info” for the component Indexserver: Authorization.
1. To configure the authorization tracing in the SAP HANA Database Explorer, right-click on
the database root node and choose Trace Configuration.
2. In the User-Specific Trace area, choose Add to activate the authorization trace for a
specific user.
3. Enter any name for Context Name in the user-specific trace configuration. You will use this
name later to identify the correct trace file for review.
4. In the Database User field, enter the name of the database user you want to monitor.
8. As soon as you want to check the trace information, in the Database Explorer, navigate to
Database Diagnostic Files → [hostname] → indexserver of your tenant database.
9. In the Search TraceHostService field, search for the proper file using the context name you
indicated in the trace configuration.
Note:
Not all "insufficient privilege" errors can be resolved by granting the user a missing
privilege, for example, some operations can only be performed by the SYS user. In
these cases, the error message provides the explanation.
Caution:
In some cases, no GUID is returned. To resolve these errors, you need to perform
an authorization trace.
If the user lacks several privileges, only the first missing privilege that was found during the
authorization check is returned. You can find out what other permissions are missing by
running GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS on the GUID that is returned on
each subsequent error message.
The details of every "insufficient privilege" error due to missing user privileges are stored in an
internal table for 144 hours by default. The number of entries in this table is limited to 10,000.
This configuration is controlled by the following parameters in the authorization section of the
global.ini file:
● insufficient_privilege_error_details_retain_duration
● insufficient_privilege_error_details_retain_records
3. In either the Security and User Management or All view, navigate to the Insufficient
Privilege Details card, specify the GUID and choose Enter.
Note:
The missing privilege is displayed with the session user name and the checked
user name. Optionally, the object name, schema name, and object type are
displayed.
If the missing privilege is contained in one or more roles, the roles are
displayed.
Note:
For more information, see SAP Note: 1809199 - SAP HANA DB: Debugging user
authorization errors.
LESSON SUMMARY
You should now be able to:
● Trace authorization errors
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● View information about users and authorizations
The M_CONNECTIONS system view contains additional information about the authentication
method:
SELECT USER_NAME, AUTHENTICATION_METHOD FROM M_CONNECTIONS
Note:
When selecting from the EFFECTIVE_PRIVILEGES view, you always need the
USER_NAME = 'something' condition in the WHERE clause; otherwise the
query will return with an error.
The EFFECTIVE_ROLES system view displays the roles of the currently logged-on user. It
shows both roles that were granted directly to the user, and roles that were inherited from
other roles.
This system view complements the EFFECTIVE_PRIVILEGES system view.
The SAP HANA Cockpit provides the Authorization Dependency Viewer, to help troubleshoot
authorization errors and to analyze database objects and their dependencies that typically
have complex dependency structures, like stored procedures, tables, and views. You need the
CATALOG READ system privilege.
For more information about resolving authorization errors with the authorization dependency
viewer, see Security and User Management View → User and Role Management → Managing
User Authorization → Resolve Object Authorization Errors in the SAP HANA Administration
with SAP HANA Cockpit Guide.
The Authorization Dependency Viewer is a graphical tool that shows the object dependency
chains of stored procedures and calculation views together with the SQL authorization status
of the object owner. The Authorization Dependency Viewer shows you which privileges are
missing. This can be a first step to resolving issues with authorizations, invalid objects for
stored procedures, or calculation views with complex dependency structures, that are
preventing operations from being performed.
To open the Authorization Dependency Viewer app, in the Database Overview screen, go to the
User & Role Management card, then choose the Authorization Dependency Viewer link.
You can use the Authorization Dependency Viewer to analyze the following object types:
● NOT AUTHORIZED (258)
● INVALIDATED VIEW (391)
● INVALIDATED PROCEDURE (430)
Authorization or invalid object errors occur if the object owner does not have all the required
privileges on all underlying objects on which the object depends. The object owner must have
both the appropriate SQL object privilege (for example, EXECUTE, SELECT) and the
authorization to grant the object privilege to others (that is, WITH GRANT OPTION is set to
TRUE).
Hint:
Use the Authorization Dependency Viewer only with procedures that have the
DEFINER security mode. Procedures with the INVOKER security mode are not
validated correctly.
LESSON SUMMARY
You should now be able to:
● View information about users and authorizations
Learning Assessment
X A USER ADMIN
X B ROLE ADMIN
X C TRACE ADMIN
X D RESOURCE ADMIN
2. Information about users and authorizations is stored in database views that are accessible
for reporting.
Determine whether this statement is true or false.
X True
X False
3. SAP HANA cockpit provides a graphical feature to help troubleshoot authorization errors.
Determine whether this statement is true or false.
X True
X False
X A USER ADMIN
X B ROLE ADMIN
X C TRACE ADMIN
X D RESOURCE ADMIN
This is correct. The TRACE ADMIN privilege allows you to manage authorization traces.
2. Information about users and authorizations is stored in database views that are accessible
for reporting.
Determine whether this statement is true or false.
X True
X False
This is correct. Information about users and authorizations is stored in database views
that are accessible for reporting.
3. SAP HANA cockpit provides a graphical feature to help troubleshoot authorization errors.
Determine whether this statement is true or false.
X True
X False
This is correct. SAP HANA cockpit provides a graphical feature to help troubleshoot
authorization errors.
Lesson 1
Using Audit Logging 175
Lesson 2
Managing Audit Logging 185
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Use audit logging
Although auditing does not directly increase your database's security, if wisely designed, it
can help you achieve greater security in the following ways:
● Uncover security vulnerabilities if too many privileges were granted to certain users
● Show attempts to breach security
● Protect the system owner against accusations of security violations and data misuse
● Allow the system owner to meet security standards
Auditing is implemented through the creation and activation of audit polices. An audit policy
defines the actions to be audited, as well as the conditions under which the action must be
performed to be relevant for auditing. For example, actions in a particular policy are audited
only when they are performed by a particular user on a particular object. When an action
occurs, the audit policy is triggered and an audit event is written to the audit trail.
To use the audit logging, it must first be activated for the database. It is then possible to
create and activate the required audit policies.
You can use the SAP HANA cockpit or SQL commands to enable auditing, configure audit trail
targets, and create audit policies.
Audit Policies
An audit policy defines the actions to be audited, as well as the conditions under which the
action must be performed to be relevant for auditing. When an action occurs, the policy is
triggered and an audit event is written to the audit trail. Audit policies are database specific.
Audit Actions
An audit action is an action executed in the database by an SQL statement. For example, to
track user provisioning in your system, you create an audit policy that audits the execution of
the CREATE USER and DROP USER SQL statements.
Although most actions correspond to the execution of a single SQL statement, some actions
can cover the execution of multiple SQL statements. For example, the action GRANT ANY
audits the granting of multiple entities on the basis of the SQL statements GRANT PRIVILEGE,
GRANT ROLE, GRANT STRUCTURED PRIVILEGE, and GRANT APPLICATION PRIVILEGE.
- SELECT
- INSERT
- UPDATE
- DELETE
- EXECUTE
Note:
Both successful and unsuccessful actions can be recorded.
For a full list of all actions that can be audited, see the documentation for SQL access control
statement CREATE AUDIT POLICY in the SAP HANA SQL Reference Guide for SAP HANA
Platform.
Hint:
You can only audit actions that occur inside the database engine. If the database
engine is not online when an action occurs, it cannot be detected and, therefore,
cannot be audited. These actions include, for example, an upgrade of an SAP
HANA database instance, or direct changes to system configuration files using
operating system commands.
An audit policy can specify any number of actions to be audited, but not all actions can be
combined together in the same policy. Actions can be grouped in the following main ways:
● All auditable actions
You can include all actions performed by a specific user in a single policy. This covers all
actions that can be audited individually, but also actions that cannot otherwise be audited.
This type of policy is referred to as a firefighter policy and is useful if you want to audit the
actions of a particularly privileged user.
● Data manipulation actions (DML)
You can include any actions that involve data manipulation together in a single policy, for
example, actions that audit SELECT, INSERT, UPDATE, DELETE, and EXECUTE
statements on database objects. A policy that includes these actions requires at least one
target object that allows the actions in question. This type of policy is useful if you want to
audit a particularly critical or sensitive database object.
● Data definition actions (DDL)
Other action types, for example, actions that involve data definition, can only be combined
together in a single policy if they are compatible. For example, the action GRANT
PRIVILEGE can be combined with REVOKE PRIVILEGE but not with CREATE USER. The
action CREATE USER can be combined with DROP USER.
Caution:
The actions that are audited are limited to those that take place inside the
database engine while it is running. Therefore, system restart and system
recovery will not be audited.
Caution:
Create a firefighter policy only in exceptional circumstances, for example, to
check whether a certain user is being used for everyday work or if a support user
has been given access to the system. Firefighter policies may create large
amounts of audit data and significantly impact performance if they are used for
high-load users.
Note:
If an audited action that involves data manipulation was executed implicitly by a
procedure, the call to this procedure is audited together with the audited action. If
the action does not involve data manipulation, then an implicitly executed
procedure is not audited. For example, if there is an active audit policy that audits
the action of creating users, the execution of CREATE USER statements within
procedures will be audited but not the procedures themselves.
Retention Period
For audit policies that are explicitly configured to write audit entries to an internal database
table, you can specify an audit retention period in days. Once the retention period has elapsed
for an audit entry, the audit entry is deleted. If you add a retention period to an existing audit
policy, all existing audit entries that exceed the retention period are deleted.
Note:
A retention period can only be specified for audit policies that explicitly use the
database table audit trail target. You cannot specify a retention period for audit
policies that use the default audit trail targets, even if the default audit trail target
is set to database table.
Audit policies created in the system database for a tenant database are visible in the tenant
database through the AUDIT_POLICIES system view. The column IS_DATABASE_LOCAL
identifies where the audit policy was created, either locally in the tenant database or in the
system database. In the system database, it is possible to see all audit policies created in the
system database (for both the system database and all tenant databases) through the
AUDIT_POLICIES view of the SYS_DATABASES schema.
Administration users in the tenant database cannot change or delete audit policies created in
the system database for the tenant database, nor can they access the audit trail. Events
audited by these policies are written to the audit trail defined in the system database.
Audit Trails
When an audit policy is triggered, that is, when an action in the policy occurs under the
conditions defined in the policy, an audit entry is created in one or more audit trails.
The following audit trail targets are supported for production systems:
SELECT operations can be performed on this view by users with the AUDIT OPERATOR,
AUDIT ADMIN, or AUDIT READ system privilege.
If a database table is explicitly configured as the audit trail target of an audit policy, you can
define a retention period in the audit policy after which audit entries are automatically
deleted. It is also possible to delete old audit entries by truncating the table. You can do this in
the SAP HANA Cockpit or with the ALTER SYSTEM CLEAR AUDIT LOG SQL statement. The
system monitors the size of the table with respect to the overall memory allocation limit of the
system and issues an alert when it reaches defined values (by default 5%, 7%, 9%, and 11% of
the allocation limit). This behavior can be configured with check 64 ("Total memory usage of
table-based audit log"). Only users with the AUDIT OPERATOR system privilege can truncate
the audit table.
Caution:
If the syslog daemon cannot write the audit trail to its destination, you will not be
notified. To avoid a situation in which audited actions are occurring, but audit
entries are not being written to the audit trail, ensure that the syslog is properly
configured and that the audit trail target is accessible and has sufficient space
available.
Note:
Additionally, the option exists to write the audit trail to a kernel trace file (*.ltc)
in the trace directory (/usr/sap/<sid>/<instance>/<host>/trace).
The kernel trace output is not human-readable. It must be converted into a CSV
file using the command-line tool hdbltracediag and then loaded into relational
tables for SQL analysis.
hdbltracediag is available on the SAP HANA server at /usr/sap/<sid>/
HDB<instance>/exe.
Audit entries from audit policies with the audit level EMERGENCY, CRITICAL, or ALERT are
written to the audit trail target(s) specified for the audit level in question. If no audit trail target
is configured for an audit level, entries are written to the audit trail target configured for the
database.
Audit policy-specific targets are also possible in the system database. In this case, audit
entries from a particular policy are written to the specified audit trail target(s). If no audit trail
target is configured for an audit policy, entries are written to the audit trail target for the audit
level if configured, or the audit trail target configured for the database. Several audit trail
targets can be configured for each individual policy.
You can optionally configure one or more policy-specific audit trail targets. If you do not
configure a policy-specific audit trail target, audit entries generated by the policy are written
to the audit trail target for the audit level of the policy if configured, or the audit trail target
configured for the system.
Note:
If an action is audited by multiple audit polices and these audit policies have
different audit trail targets, the audit entry is written to all trail targets.
Caution:
To ensure the privacy of tenant database audit trails, it is recommended that you
do not change the default audit trail target (internal database table) of tenant
databases.
LESSON SUMMARY
You should now be able to:
● Use audit logging
LESSON OBJECTIVES
After completing this lesson, you will be able to:
● Activate and Configure Auditing
Note:
The base setup does not guarantee that the configuration is optimal for your
particular system. To optimize the configuration, it may be advisable to manually
configure specific settings.
Audit Policies
An audit policy defines the actions to be audited, as well as the conditions under which the
action must be performed to be relevant for auditing. When an action occurs, the policy is
triggered and an audit event is written to the audit trail. Audit policies are database specific.
You can create audit policies on the Auditing page of the SAP HANA cockpit.
You can specify any number of actions to audit in an audit policy. Not all actions can be
combined together in the same policy; therefore, compatible audit actions are grouped
together. When you select an action, any actions that are incompatible with the selected
action are unavailable for selection.
If you want to select two incompatible audit actions, you need to create two separate audit
policies.
In addition to the actions to be audited, an audit policy also specifies additional parameters
that further narrow the number of events actually audited, as follows:
● Audited action status
- On successful execution
- On unsuccessful execution
- On both successful and unsuccessful execution
● Target object or objects
- Tables
- Views
- Procedures
● Audited user or users
- Individual users can be included or excluded from an audit policy.
● Audit level
- EMERGENCY
- ALERT
- CRITICAL
- WARNING
- INFO
When an audit policy is triggered (that is, when an action in the policy occurs under the
conditions defined in the policy) an audit entry is created in the audit trail.
Firefighter logging logs all actions performed by a specific user. This covers all actions that
can be audited individually, as well as actions that cannot otherwise be audited. This type of
policy is useful if you want to audit the actions of a particularly privileged user.
Create Audit Policies for Tenant Databases from the System Database
You can audit specific tenant database activities from the system database.
In general, audit policies in a tenant database are created from within the tenant database. In
some scenarios like hosting you might want to centrally monitor activities in tenant
databases.
Audit policies created in the system database for a tenant database are visible in the tenant
database but cannot be changed from there.
Note:
The layout of audit entries varies depending on the audit trail type.
You can configure the audit trail view by clicking the Settings icon.
When a database table is the trail target, audit entries are accessible through the public
AUDIT_LOG and XSA_AUDIT_LOG system views, as well as the union of these views:
ALL_AUDIT_LOG. The table below describes the layout of the full audit trail: ALL_AUDIT_LOG.
Figure 132: Viewing the Audit Trail from the Database Table
Note:
Only SELECT operations can be performed on these views by users with the
AUDIT OPERATOR, AUDIT READ, or AUDIT ADMIN system privilege. AUDIT READ
also allows access to the AUDIT LOG table.
Caution:
If the syslog daemon cannot write the audit trail to its destination, you will not be
notified. To avoid a situation in which audited actions are occurring, but audit
entries are not being written to the audit trail, ensure that the syslog is properly
configured and that the audit trail target is accessible and has sufficient space
available.
Note:
This alert only applies if you select a database table as an audit trail target (not for
syslog).
Caution:
If the table has grown so large that there is not enough memory to delete old
entries, use the following SQL command to empty the table completely: ALTER
SYSTEM CLEAR AUDIT LOG ALL. However, even if you archived the audit table
beforehand (recommended), any new entries written between the time of
archiving and the time of clearing may be lost.
You can use the SAP HANA cockpit to delete audit entries created up until a certain time from
the audit table.
For audit policies that are explicitly configured to write audit entries to an internal database
table, you can specify an audit retention period in days. Once the retention period has elapsed
for an audit entry, the audit entry is deleted. If you add a retention period to an existing audit
policy, all existing audit entries that exceed the retention period are deleted.
The minimum default retention period is seven days.
Note:
A retention period can only be specified for audit policies that explicitly use the
database table audit trail target. You cannot specify a retention period for audit
policies that use the default audit trail targets, even if the default audit trail target
is set to database table.
Note:
If you add a retention period to an existing audit policy, all existing audit log entries
that exceed the retention period will be deleted.
Note:
Prior to SAP HANA 2.0 SPS04, you could only delete all audit entries that were
older than a specified date. By specifying retention periods per audit policy, you
can now fine-tune your retention management.
Note:
P_USER_PASSWORD is an internal database table that cannot be accessed by
any user, not even the SYSTEM. Changes in this table are carried out by
internal mechanisms, and not by DML operations. Do not include these tables
in an audit policy. Instead create an audit policy for changes to users (ALTER
USER action) instead.
● Create a firefighter policy (that is, a policy that audits all actions for a user) only in
exceptional circumstances, for example, to check whether a certain user is being used for
everyday work or if a support user has been given access to the system. Firefighter policies
may create large amounts of audit data and significantly impact performance if they are
used for high-load users.
● Changes to users.
Audit actions: CREATE USER, ALTER USER, DROP USER .
● Changes to authorization.
Caution:
SAP HANA audit policies are defined at the database level and cannot cover all
requirements for data protection and privacy. The business semantics of data
are part of the application definition and implementation. It is therefore the
application that "knows", for example, which tables in the database contain
sensitive personal data, or how business level objects, such as, sales orders, are
mapped to technical objects in the database.
LESSON SUMMARY
You should now be able to:
● Activate and Configure Auditing
Learning Assessment
2. The auditing feature of the SAP HANA database allows you to solve authorization
problems.
Determine whether this statement is true or false.
X True
X False
3. When the audit trail is written to an internal SAP HANA table, the entries are automatically
deleted by default when they are one year old.
Determine whether this statement is true or false.
X True
X False
This is correct. The following actions are audited by default: deletion of audit entries from
the audit trail, and the creation, modification, or deletion of audit policies.
2. The auditing feature of the SAP HANA database allows you to solve authorization
problems.
Determine whether this statement is true or false.
X True
X False
This is correct. The auditing feature of the SAP HANA database does not allow you to
solve authorization problems.
3. When the audit trail is written to an internal SAP HANA table, the entries are automatically
deleted by default when they are one year old.
Determine whether this statement is true or false.
X True
X False
This is correct. When the audit trail is written to an internal SAP HANA table, the entries
are automatically deleted by default when they are one year old.