Preface

19

Purpose

19

Who Should Read This Book?

19

Structure of This Book

20

Introduction

20

Chapter 1: Managing Security with the SAP HANA Cockpit

20

Chapter 2: Introduction to SAP HANA Privileges

20

Chapter 3: Catalog Objects

20

Chapter 4: User Accounts

21

Chapter 5: Database Roles

21

Chapter 6: Repository Roles

21

Chapter 7: System Privileges

22

Chapter 8: Object Privileges

22

Chapter 9: Package Privileges

22

Chapter 10: Analytic Privileges

22

Chapter 11: Application Privileges

23

Chapter 12: Authentication

23

Chapter 13: Certificate Management and Encryption

23

Chapter 14: Security Lifecycle Management

24

Chapter 15: Auditing

24

Chapter 16: Security Tracing and Troubleshooting

24

Chapter 17: Security Recommendations

24

Chapter 18: SAP HANA XSA Security

25

Acknowledgments

25

Introduction

27

Overview of SAP HANA

27

Software Layers and Features

28

Hardware Layers and Features

29

SAP HANA Versions

32

SAP HANA Architecture

32

Introduction to SAP HANA Security

35

Importance of Securing Your SAP HANA System

36

Summary

37

1 Managing Security with the SAP HANA Cockpit

39

1.1 What Is the SAP HANA Cockpit?

40

1.1.1 SAP HANA Cockpit Architecture

40

1.1.2 Getting Started with the SAP HANA Cockpit

41

1.1.3 Navigating SAP HANA Cockpit

51

1.2 Security Areas in SAP HANA Cockpit

54

1.2.1 User & Role Management Area

55

1.2.2 Data Encryption

56

1.2.3 Authentication

57

1.2.4 Security Related Links

58

1.2.5 Anonymization Report

59

1.2.6 Auditing

60

1.3 SAP HANA Database Explorer and SQL Console

61

1.4 Summary

64

2 Introduction to SAP HANA Privileges

65

2.1 Privileges within SAP HANA

66

2.1.1 System Privileges

66

2.1.2 Object Privileges

67

2.1.3 Analytic Privileges

69

2.1.4 Package Privileges

71

2.1.5 Application Privileges

72

2.2 Privilege Validation and Assignment

72

2.2.1 Assigning Privileges

72

2.2.2 Validating Privileges

73

2.3 Summary

76

3 Catalog Objects

77

3.1 What Are SAP HANA Catalog Objects?

77

3.2 Creating and Managing Native Catalog Objects

79

3.2.1 Creating Schemas

80

3.2.2 Creating Catalog Tables

82

3.2.3 Creating Other Catalog Objects

83

3.3 Creating and Managing Repository Catalog Objects

84

3.3.1 Creating Repository Schemas

85

3.3.2 Creating Repository Tables

87

3.4 Deploying Repository Objects

90

3.5 Case Study

96

3.6 Summary

101

4 User Accounts

103

4.1 What Are User Accounts?

103

4.1.1 Standard User Accounts

104

4.1.2 Technical User Accounts

105

4.1.3 Restricted User Accounts

106

4.1.4 LDAP User Accounts

109

4.2 Creating and Managing User Accounts

110

4.2.1 Creating and Managing Users with SQL Statements

110

4.2.2 Creating and Managing Users in the SAP HANA Cockpit

112

4.2.3 Creating and Managing Users with the SAP HANA Web-Based Development Workbench

114

4.2.4 User Account System Views

117

4.2.5 Deleting User Accounts

120

4.3 Granting and Revoking Privileges

123

4.3.1 Granting and Revoking Privileges with SQL

123

4.3.2 Granting and Revoking Privileges with the SAP HANA Cockpit

131

4.3.3 Granting and Revoking Privileges with the SAP HANA Web-Based Development Workbench

138

4.3.4 Effective Privileges System View

143

4.4 Managing User Role Assignments

143

4.4.1 Granting and Revoking Roles with SQL

144

4.4.2 Granting and Revoking Roles with the SAP HANA Cockpit

146

4.4.3 Granting and Revoking Roles with the SAP HANA Web-Based Development Workbench

148

4.4.4 Effective Roles System View

149

4.5 Case Study: Provisioning Users with SQL Scripts and Stored Procedures

150

4.5.1 Creating a Repository Schema

150

4.5.2 Creating a Repository Table

152

4.5.3 Importing a CSV File into a Table

153

4.5.4 Creating a Repository Role to Access the Table

154

4.5.5 Creating Repository Stored Procedures

155

4.5.6 Executing the Repository Stored Procedure

159

4.6 Summary

160

5 Database Roles

161

5.1 What Are Roles?

161

5.2 Creating and Managing Roles

165

5.2.1 Creating and Deleting Roles with SQL Statements

165

5.2.2 Creating and Deleting Roles with the SAP HANA Cockpit

167

5.2.3 Creating and Deleting Roles with the SAP HANA Web-Based Development Workbench

168

5.3 Granting and Revoking Privileges

170

5.3.1 Methodologies for Granting Privileges to Roles

171

5.3.2 Granting and Revoking Privileges with SQL

173

5.3.3 Granting and Revoking Privileges with the SAP HANA Cockpit

181

5.3.4 Granting and Revoking Privileges with the SAP HANA Web-Based Development Workbench

187

5.4 Managing Nested Roles

192

5.4.1 Granting and Revoking Roles with SQL

192

5.4.2 Granting and Revoking Roles with the SAP HANA Cockpit

194

5.4.3 Granting and Revoking Roles with the SAP HANA Web-Based Development Workbench

196

5.5 Mapping LDAP Groups to Roles

196

5.5.1 Mapping Roles with SQL

197

5.5.2 Mapping Roles with the SAP HANA Cockpit

197

5.6 Summary

199

6 Repository Roles

201

6.1 What Are Repository Roles?

201

6.1.1 User Account _SYS_REPO and Repository Roles

202

6.1.2 Grantors and Privileges

204

6.1.3 Grantors and Roles

205

6.1.4 Why Use Repository Roles?

205

6.2 Managing Repository Roles with Design-Time Scripts

207

6.2.1 Creating a Repository Package

208

6.2.2 Creating Repository Roles within a Package

210

6.2.3 Defining the Role Name Tag

211

6.2.4 Extending Roles

211

6.2.5 Assigning Privileges

212

6.2.6 Save and Activate

213

6.2.7 Runtime Repository Roles

213

6.3 Granting and Revoking Privileges in Design-Time Scripts

213

6.3.1 System Privileges

214

6.3.2 Schema Privileges

215

6.3.3 Object Privileges

216

6.3.4 Structured Privileges

218

6.3.5 Remote Source Privileges

219

6.3.6 Analytic Privileges

219

6.3.7 Application Privileges

220

6.3.8 Package Privileges

220

6.4 Managing Repository Roles with the SAP HANA Web-Based Development Workbench

221

6.4.1 Accessing and Navigating the SAP HANA Web-Based Development Workbench Editor

221

6.4.2 System Privileges

223

6.4.3 Object Privileges

224

6.4.4 Analytic Privileges

227

6.4.5 Package Privileges

228

6.4.6 Application Privileges

230

6.5 Granting Repository Roles to Users

232

6.5.1 Granting and Revoking Repository Roles with Stored Procedures

232

6.5.2 Granting and Revoking Repository Roles with SAP HANA Cockpit

233

6.5.3 Granting and Revoking Repository Roles with the SAP HANA Web-Based Development Workbench

233

6.6 Case Study: Creating Basic Repository Roles

234

6.6.1 Consumer Repository Role

235

6.6.2 Power User Repository Role

236

6.6.3 Developer Repository Role

237

6.6.4 Security Administrator Repository Role

239

6.7 Summary

240

7 System Privileges

241

7.1 What Are System Privileges?

241

7.2 Default System Privileges

242

7.2.1 Developer-Related System Privileges

242

7.2.2 Security Admin-Related System Privileges

243

7.2.3 System Admin-Related System Privileges

246

7.2.4 Environment Monitoring-Related System Privileges

252

7.2.5 Environment Performance-Related System Privileges

253

7.3 Granting System Privileges

253

7.3.1 Granting System Privileges with SQL

254

7.3.2 Granting System Privileges with the SAP HANA Cockpit

255

7.3.3 Granting System Privileges with the SAP HANA Web-Based Development Workbench

257

7.3.4 Granting System Privileges with Repository Roles

258

7.4 Case Study: Security Administrator System Privileges

262

7.4.1 User Management Role

263

7.4.2 Role Management Role

264

7.4.3 Data and Communication Encryption Role

266

7.4.4 System Auditing Role

267

7.5 Summary

267

8 Object Privileges

269

8.1 What Are Object Privileges?

269

8.1.1 Catalog Object Privileges

270

8.1.2 Security Considerations for Catalog Objects

276

8.2 Granting Object Privileges with SQL

280

8.2.1 Securing Schemas with SQL

280

8.2.2 Securing Individual Catalog Objects with SQL

283

8.3 Granting Object Privileges with the SAP HANA Cockpit

285

8.4 Granting Object Privileges with the SAP HANA Web-Based Development Workbench

287

8.5 Granting Object Privileges with Repository Roles

289

8.5.1 Script-Based Repository Roles

289

8.5.2 SAP HANA Web-Based Development Workbench GUI

292

8.6 Case Study: Updating Repository Roles to Access Information Views

295

8.6.1 Consumer

296

8.6.2 Power User

297

8.6.3 Developer

298

8.7 Summary

299

9 Package Privileges

301

9.1 What Is the SAP HANA Development Repository?

301

9.1.1 Structure of the Development Repository

302

9.1.2 Creating Packages and Subpackages

303

9.1.3 Overview of Delivery Units

303

9.2 What Are Package Privileges?

304

9.3 Granting Package Privileges

307

9.3.1 Granting Package Privileges with SQL

307

9.3.2 Granting Package Privileges with the SAP HANA Cockpit

307

9.3.3 Granting Package Privileges with the SAP HANA Web-Based Development Workbench

309

9.3.4 Granting Package Privileges within Repository-Based Roles

311

9.4 Case Study: Preventing Content Developers from Elevating Their Privileges

315

9.4.1 Assessing the Current Configuration

315

9.4.2 Recommendations

316

9.5 Summary

319

10 Analytic Privileges

321

10.1 What Are SAP HANA Information Views?

322

10.1.1 Attribute Views

322

10.1.2 Analytic Views

323

10.1.3 Calculation Views

324

10.2 What Are Analytic Privileges?

324

10.2.1 XML-Based Analytic Privileges

325

10.2.2 SQL-Based Analytic Privileges

328

10.3 _SYS_BI_CP_ALL: A System-Generated Analytic Privilege

330

10.4 Managing Static Analytic Privileges

331

10.4.1 Creating Static XML-Based Analytic Privileges

331

10.4.2 Creating Static SQL-Based Analytic Privileges

335

10.5 Managing Dynamic Analytic Privileges

336

10.5.1 Dynamic XML-Based Analytic Privileges

337

10.5.2 Dynamic SQL-Based Analytic Privileges

339

10.6 Managing Dynamic Expression-Based SQL Analytic Privileges

346

10.7 Troubleshooting Effective Analytic Privileges and Filter Conditions

350

10.8 Granting Analytic Privileges

351

10.8.1 Granting Analytic Privileges with SQL

351

10.8.2 Granting Analytic Privileges with the SAP HANA Cockpit

352

10.8.3 Granting Analytic Privileges with the SAP HANA Web-Based Development Workbench

354

10.8.4 Granting Analytic Privileges with Repository Roles

355

10.9 Summary

359

11 Application Privileges

361

11.1 What Are Application Privileges?

361

11.2 Creating Application Privileges

362

11.3 Granting Application Privileges

364

11.3.1 Granting Application Privileges with SQL

364

11.3.2 Granting Application Privileges with the SAP HANA Cockpit

365

11.3.3 Granting Application Privileges with the SAP HANA Web-Based Development Workbench Security Manager

367

11.3.4 Granting Application Privileges within Repository Roles

368

11.4 Privileges on Users

372

11.4.1 Granting Privileges on Users with the SAP HANA Cockpit

373

11.4.2 Granting Privileges on Users with SQL

374

11.5 Summary

375

12 Authentication

377

12.1 SAP HANA Internal Authentication Mechanism

378

12.1.1 Protecting SAP HANA Passwords with Encryption

379

12.1.2 Configuring the Internal Authentication Password Policy

379

12.1.3 Managing Password Policy Settings with SQL

386

12.1.4 Managing Password Policy Settings in GUIs

387

12.2 SAP HANA and LDAP Authentication

393

12.3 Supported Third-Party Authentication Providers

396

12.3.1 Kerberos Authentication

396

12.3.2 SAML Authentication

399

12.3.3 X.509 Authentication

402

12.3.4 SAP Logon Tickets

403

12.3.5 SAP Assertion Tickets

405

12.3.6 JWT Identity Providers

406

12.4 Case Study: Adding SAML Identity User Accounts

406

12.5 Summary

409

13 Certificate Management and Encryption

411

13.1 SSL Certificates

411

13.1.1 In-Database Certificate Management

412

13.1.2 External SAP HANA PSE File and Certificate Management

419

13.2 Client Encryption Settings

423

13.2.1 SAP HANA Studio

423

13.2.2 XS Engine Web-Based Applications

425

13.2.3 JDBC and ODBC Drivers

427

13.2.4 SAP HANA Cockpit

430

13.3 Encrypting Data

431

13.3.1 Server-Side Data Encryption

432

13.3.2 Managing Root Keys within the SSFS

433

13.3.3 Encrypting the Data Volume

437

13.3.4 Encrypting the Log Volume

438

13.3.5 Encryption the Backup Media

439

13.4 Summary

440

14 Security Lifecycle Management

441

14.1 Maintaining a Consistent Security Model

441

14.1.1 Best Practices

442

14.1.2 Testing Security Model Changes

444

14.1.3 Keeping Repository Roles in Sync

446

14.2 Creating Delivery Units for Security-Related Packages

448

14.2.1 Creating a Delivery Unit with SAP HANA Studio

449

14.2.2 Creating a Delivery Unit with SAP HANA Application Lifecycle Management

452

14.2.3 Importing and Exporting Delivery Units with SAP HANA Application Lifecycle Management

456

14.3 Transporting Security Packages to Other SAP HANA Systems

457

14.3.1 Transporting a Delivery Unit with SAP HANA Application Lifecycle Management

457

14.3.2 Exporting a Delivery Unit to a File

462

14.3.3 Importing a Delivery Unit from a File

464

14.4 Additional Options in SAP HANA Application Lifecycle Management

466

14.4.1 Change Recording

467

14.4.2 Using the Change and Transport System

467

14.5 Summary

468

15 Auditing

469

15.1 Why Do You Need Auditing?

469

15.2 Configuring Auditing

471

15.2.1 Enable Auditing with the SAP HANA Cockpit

471

15.2.2 Audit Log Targets and Options in the SAP HANA Cockpit

472

15.2.3 Viewing Audit Logs in the SAP HANA Cockpit

475

15.2.4 Enabling Auditing with the SAP HANA Web-Based Development Workbench

476

15.2.5 Enabling Auditing with SQL

477

15.3 Creating Audit Policies

479

15.3.1 Components of the Audit Policy

480

15.3.2 Managing Policies with the SAP HANA Web-Based Development Workbench

486

15.3.3 Managing Audit Policies with SQL

488

15.3.4 Creating Policies with the SAP HANA Cockpit

490

15.4 Querying Audit Data

494

15.5 Case Study: Defining Audit Policies

496

15.5.1 Proactive Event Monitoring

496

15.5.2 Audit Reporting

496

15.5.3 Authentication Auditing

497

15.5.4 Unauthorized Action Auditing

498

15.5.5 System Change Auditing

499

15.5.6 Security Management Task Auditing

499

15.5.7 Super User Event Auditing

502

15.6 Summary

503

16 Security Tracing and Troubleshooting

505

16.1 Authorization Tracing

505

16.1.1 Enabling Tracing with the SAP HANA Cockpit

506

16.1.2 Enabling Tracing with SQL

509

16.1.3 Viewing the Trace File in the SAP HANA Cockpit

511

16.2 Querying the System to Review Effective Privileges

513

16.2.1 Granted Privileges

513

16.2.2 Granted Roles

514

16.2.3 Accessible Views

515

16.2.4 Effective Privilege Grantees

516

16.2.5 Effective Structured Privileges

517

16.2.6 Effective Privileges

519

16.2.7 Effective Role Grantees

520

16.2.8 Effective Roles

521

16.3 Case Study: Identifying Deficiencies in Information View Access

522

16.3.1 Troubleshooting the Problem

522

16.3.2 Reviewing the Results

523

16.3.3 Reviewing the Solution

524

16.4 Summary

524

17 Security Recommendations

525

17.1 Password Authentication Settings

525

17.1.1 Standard User Password Policies

525

17.1.2 Service Accounts

528

17.2 Encryption Settings

529

17.3 Identifying Users with Elevated Privileges

529

17.3.1 System Privileges

530

17.3.2 Root Package Privileges

532

17.3.3 Bypass Analytic Privileges

534

17.3.4 Default Standard Roles

536

17.3.5 WITH GRANT or WITH ADMIN

537

17.3.6 Trace, Dump File, and Debug Access

538

17.4 Disabling the SYSTEM Account

539

17.5 Identifying Privilege Escalation Vulnerabilities

540

17.6 Handover from Hardware Vendors

541

17.7 Creating Audit Policies

541

17.8 Summary

542

18 SAP HANA XSA Security

543

18.1 Overview of SAP HANA XSA

543

18.2 Managing Space Access, Users, and Roles Collections in SAP HANA XSA

546

18.2.1 Accessing Applications

547

18.2.2 Managing SAP HANA XSA Users

550

18.2.3 Managing SAP HANA XSA Role Collections

551

18.2.4 Managing Organization and Space Access

554

18.3 Working with SAP Web IDE for SAP HANA

556

18.3.1 SAP Web IDE for SAP HANA Overview

556

18.3.2 SAP HANA Database Explorer in SAP Web IDE for SAP HANA

558

18.4 HDI Containers and Security

559

18.4.1 Security Architecture of the HDI Container

560

18.4.2 HDI Container Roles

564

18.4.3 Granting the HDI Container Access to External Objects

576

18.5 Summary

594