
SAP HANA 2.0 SPS 03 What’s New: Security – by the SAP HANA Academy

Introduction

In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 03.

The topic of this blog is SAP HANA Database Security.

For the previous versions of this blog, see

For the full SAP HANA 2.0 SPS 03 blog list, see

For the blogs from Product Management on the topic, see

For an update about the documentation, see

What’s New?

SAP HANA Security Playlist

On the SAP HANA Academy, there is a full playlist covering all aspects of security

SAP HANA Cockpit

SAP HANA cockpit support package 06 has a number of new and enhanced features for user and role management and auditing.

For more information, see

Data Anonymization

As of SPS 03, SAP HANA provides native support for data anonymization. This allows you to gain statistically valid insights from data containing personal or sensitive information while protecting the privacy of individuals.

For the documentation, see

Shared Business Authorizations in SAP HANA

SAP S/4HANA and other ABAP-based SAP applications use authorization objects to control access. As of SPS 03, you can create analytic privileges in SAP HANA that leverage these ABAP authorization objects.

The new built-in procedure SYS.GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION connects both worlds. PFCG is the role maintenance transaction for the Profile Generator.

CALL SYS.GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION(
    'A_TEST_SCHEMA',   -- schema in which the condition is generated
    'CHECKID1',        -- check ID, must match the key used in the JSON below
    '{"data":
        {
            "CHECKID1":
            {
                "authobj":"OBJ1",
                "filter":[{"key":"ACTVT","valueList":["03"]}],
                "mappings":[{"fieldName":"SACMTSOID", "mappedName":"SO_ID"},
                            {"fieldName":"SACMTSOLCS", "mappedName":"LIFECYCLE_STATUS"}]
            }
        }
    }',
    ?)                 -- output parameter placeholder

For the documentation, see

User Group-Specific Password Policies

User groups were introduced in the previous release, SPS 02, see

As of SPS 03, this concept has been further enhanced: you can now configure a customized password policy for each user group.

For the documentation, see

LDAP Authentication with Automatic User Creation

As of SPS 03, SAP HANA can now automatically create database accounts for LDAP users and map their LDAP roles. This can significantly reduce complexity and cost for maintaining users and authorizations in larger system landscapes.

For this to work, the LDAP provider needs to be enabled for user creation and the user needs to be a member of at least one LDAP/HANA mapped group.

CREATE LDAP PROVIDER my_ldap_provider [...]
 ENABLE USER CREATION FOR LDAP
 [USER TYPE { STANDARD | RESTRICTED }]

For the documentation, see

Data Encryption

Password hash algorithm

Database user passwords are now stored in salted and hashed form, derived with PBKDF2 (Password-Based Key Derivation Function 2) using the SHA-256 secure hash algorithm and 15,000 iterations.

If you are not at home in the jargon of cryptography, you might find this article helpful
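To make the terms concrete, here is an added example (not code from SAP or from the original post) that stores and verifies a password with the parameters the post names: PBKDF2 with SHA-256, 15,000 iterations, and a random per-password salt. The salt length, the sample password, and the function names are assumptions for illustration; they do not describe SAP HANA's internal storage format.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters stated in the post for SAP HANA SPS 03 password storage.
HASH_NAME = "sha256"
ITERATIONS = 15_000
SALT_BYTES = 16   # assumed salt length for this example; the post does not state one
DKLEN = 32        # output length in bytes (the SHA-256 digest size)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) for a password using PBKDF2-HMAC-SHA256."""
    if salt is None:
        # A fresh random salt per stored password: two users with the same
        # password get different hashes, and precomputed tables are useless.
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS, DKLEN
    )
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the derivation with the stored salt; compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Store one constructed sample password and exercise the checks."""
    salt, stored = hash_password("Initial1!")        # constructed sample password
    _, stored_again = hash_password("Initial1!")     # same password, new salt
    return {
        "correct": verify_password("Initial1!", salt, stored),
        "wrong": verify_password("initial1!", salt, stored),
        "same_password_different_salt": stored != stored_again,
        "key_len": len(stored),
    }


if __name__ == "__main__":
    print(demo())
```

The iteration count is the tunable cost factor: each verification repeats the HMAC 15,000 times, which is negligible for one login but multiplies the work of an offline guessing attack by the same factor.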

Encryption configuration in tenant databases

The default status of data-at-rest encryption services in tenant databases is no longer inherited from the system database. Instead, it is now controlled from the system database through parameters in the new database_initial_encryption section of the global.ini configuration file.

For the documentation, see

Client-side Data Encryption

With client-side data encryption, you can encrypt columns using an encryption key accessible only by the client, which means that column data is encrypted and decrypted only on the client.

New privileges and SQL statements have been added to support client-side encryption.

For the documentation, see

Data Masking

In addition to views, you can now also mask data in tables.

For the documentation, see

Auditing

Auditing for XSA

Auditing for XS advanced has been integrated into the SAP HANA auditing framework.

The XSA Audit Log viewer now displays a deprecation message.

The XSA_AUDIT_LOG view in the Database Explorer.

For the documentation, see

New Auditing Actions

The following new auditing actions have been added:

  • CREATE | DROP AGENT GROUP
  • PERSONAL DATA ACCESS
  • PERSONAL DATA MODIFICATION
  • CONFIGURATION CHANGE
  • SECURITY EVENT

For the documentation, see

Authorization

Any user with the system privilege ROLE ADMIN can now revoke catalog roles granted by another user.

For the recommendations, see

A user can now grant all currently available privileges on a schema by granting the ALL PRIVILEGES object privilege.

For the documentation, see

References

SAP Help Portal

SAP Notes

Thank you for watching

The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with thousands of free tutorial videos.

For the full library, see SAP HANA Academy Library – by the SAP HANA Academy

For the full list of blogs, see Blog Posts – by the SAP HANA Academy
