Table of Contents

Preface
19
Purpose
19
Who Should Read This Book?
19
Structure of This Book
20
Introduction
20
Chapter 1: Managing Security with the SAP HANA Cockpit
20
Chapter 2: Introduction to SAP HANA Privileges
20
Chapter 3: Catalog Objects
20
Chapter 4: User Accounts
21
Chapter 5: Database Roles
21
Chapter 6: Repository Roles
21
Chapter 7: System Privileges
22
Chapter 8: Object Privileges
22
Chapter 9: Package Privileges
22
Chapter 10: Analytic Privileges
22
Chapter 11: Application Privileges
23
Chapter 12: Authentication
23
Chapter 13: Certificate Management and Encryption
23
Chapter 14: Security Lifecycle Management
24
Chapter 15: Auditing
24
Chapter 16: Security Tracing and Troubleshooting
24
Chapter 17: Security Recommendations
24
Chapter 18: SAP HANA XSA Security
25
Acknowledgments
25
Introduction
27
Overview of SAP HANA
27
Software Layers and Features
28
Hardware Layers and Features
29
SAP HANA Versions
32
SAP HANA Architecture
32
Introduction to SAP HANA Security
35
Importance of Securing Your SAP HANA System
36
Summary
37
1 Managing Security with the SAP HANA Cockpit
39
1.1 What Is the SAP HANA Cockpit?
40
1.1.1 SAP HANA Cockpit Architecture
40
1.1.2 Getting Started with the SAP HANA Cockpit
41
1.1.3 Navigating SAP HANA Cockpit
51
1.2 Security Areas in SAP HANA Cockpit
54
1.2.1 User & Role Management Area
55
1.2.2 Data Encryption
56
1.2.3 Authentication
57
1.2.4 Security Related Links
58
1.2.5 Anonymization Report
59
1.2.6 Auditing
60
1.3 SAP HANA Database Explorer and SQL Console
61
1.4 Summary
64
2 Introduction to SAP HANA Privileges
65
2.1 Privileges within SAP HANA
66
2.1.1 System Privileges
66
2.1.2 Object Privileges
67
2.1.3 Analytic Privileges
69
2.1.4 Package Privileges
71
2.1.5 Application Privileges
72
2.2 Privilege Validation and Assignment
72
2.2.1 Assigning Privileges
72
2.2.2 Validating Privileges
73
2.3 Summary
76
3 Catalog Objects
77
3.1 What Are SAP HANA Catalog Objects?
77
3.2 Creating and Managing Native Catalog Objects
79
3.2.1 Creating Schemas
80
3.2.2 Creating Catalog Tables
82
3.2.3 Creating Other Catalog Objects
83
3.3 Creating and Managing Repository Catalog Objects
84
3.3.1 Creating Repository Schemas
85
3.3.2 Creating Repository Tables
87
3.4 Deploying Repository Objects
90
3.5 Case Study
96
3.6 Summary
101
4 User Accounts
103
4.1 What Are User Accounts?
103
4.1.1 Standard User Accounts
104
4.1.2 Technical User Accounts
105
4.1.3 Restricted User Accounts
106
4.1.4 LDAP User Accounts
109
4.2 Creating and Managing User Accounts
110
4.2.1 Creating and Managing Users with SQL Statements
110
4.2.2 Creating and Managing Users in the SAP HANA Cockpit
112
4.2.3 Creating and Managing Users with the SAP HANA Web-Based Development Workbench
114
4.2.4 User Account System Views
117
4.2.5 Deleting User Accounts
120
4.3 Granting and Revoking Privileges
123
4.3.1 Granting and Revoking Privileges with SQL
123
4.3.2 Granting and Revoking Privileges with the SAP HANA Cockpit
131
4.3.3 Granting and Revoking Privileges with the SAP HANA Web-Based Development Workbench
138
4.3.4 Effective Privileges System View
143
4.4 Managing User Role Assignments
143
4.4.1 Granting and Revoking Roles with SQL
144
4.4.2 Granting and Revoking Roles with the SAP HANA Cockpit
146
4.4.3 Granting and Revoking Roles with the SAP HANA Web-Based Development Workbench
148
4.4.4 Effective Roles System View
149
4.5 Case Study: Provisioning Users with SQL Scripts and Stored Procedures
150
4.5.1 Creating a Repository Schema
150
4.5.2 Creating a Repository Table
152
4.5.3 Importing a CSV File into a Table
153
4.5.4 Creating a Repository Role to Access the Table
154
4.5.5 Creating Repository Stored Procedures
155
4.5.6 Executing the Repository Stored Procedure
159
4.6 Summary
160
5 Database Roles
161
5.1 What Are Roles?
161
5.2 Creating and Managing Roles
165
5.2.1 Creating and Deleting Roles with SQL Statements
165
5.2.2 Creating and Deleting Roles with the SAP HANA Cockpit
167
5.2.3 Creating and Deleting Roles with the SAP HANA Web-Based Development Workbench
168
5.3 Granting and Revoking Privileges
170
5.3.1 Methodologies for Granting Privileges to Roles
171
5.3.2 Granting and Revoking Privileges with SQL
173
5.3.3 Granting and Revoking Privileges with the SAP HANA Cockpit
181
5.3.4 Granting and Revoking Privileges with the SAP HANA Web-Based Development Workbench
187
5.4 Managing Nested Roles
192
5.4.1 Granting and Revoking Roles with SQL
192
5.4.2 Granting and Revoking Roles with the SAP HANA Cockpit
194
5.4.3 Granting and Revoking Roles with the SAP HANA Web-Based Development Workbench
196
5.5 Mapping LDAP Groups to Roles
196
5.5.1 Mapping Roles with SQL
197
5.5.2 Mapping Roles with the SAP HANA Cockpit
197
5.6 Summary
199
6 Repository Roles
201
6.1 What Are Repository Roles?
201
6.1.1 User Account _SYS_REPO and Repository Roles
202
6.1.2 Grantors and Privileges
204
6.1.3 Grantors and Roles
205
6.1.4 Why Use Repository Roles?
205
6.2 Managing Repository Roles with Design-Time Scripts
207
6.2.1 Creating a Repository Package
208
6.2.2 Creating Repository Roles within a Package
210
6.2.3 Defining the Role Name Tag
211
6.2.4 Extending Roles
211
6.2.5 Assigning Privileges
212
6.2.6 Save and Activate
213
6.2.7 Runtime Repository Roles
213
6.3 Granting and Revoking Privileges in Design-Time Scripts
213
6.3.1 System Privileges
214
6.3.2 Schema Privileges
215
6.3.3 Object Privileges
216
6.3.4 Structured Privileges
218
6.3.5 Remote Source Privileges
219
6.3.6 Analytic Privileges
219
6.3.7 Application Privileges
220
6.3.8 Package Privileges
220
6.4 Managing Repository Roles with the SAP HANA Web-Based Development Workbench
221
6.4.1 Accessing and Navigating the SAP HANA Web-Based Development Workbench Editor
221
6.4.2 System Privileges
223
6.4.3 Object Privileges
224
6.4.4 Analytic Privileges
227
6.4.5 Package Privileges
228
6.4.6 Application Privileges
230
6.5 Granting Repository Roles to Users
232
6.5.1 Granting and Revoking Repository Roles with Stored Procedures
232
6.5.2 Granting and Revoking Repository Roles with SAP HANA Cockpit
233
6.5.3 Granting and Revoking Repository Roles with the SAP HANA Web-Based Development Workbench
233
6.6 Case Study: Creating Basic Repository Roles
234
6.6.1 Consumer Repository Role
235
6.6.2 Power User Repository Role
236
6.6.3 Developer Repository Role
237
6.6.4 Security Administrator Repository Role
239
6.7 Summary
240
7 System Privileges
241
7.1 What Are System Privileges?
241
7.2 Default System Privileges
242
7.2.1 Developer-Related System Privileges
242
7.2.2 Security Admin-Related System Privileges
243
7.2.3 System Admin-Related System Privileges
246
7.2.4 Environment Monitoring-Related System Privileges
252
7.2.5 Environment Performance-Related System Privileges
253
7.3 Granting System Privileges
253
7.3.1 Granting System Privileges with SQL
254
7.3.2 Granting System Privileges with the SAP HANA Cockpit
255
7.3.3 Granting System Privileges with the SAP HANA Web-Based Development Workbench
257
7.3.4 Granting System Privileges with Repository Roles
258
7.4 Case Study: Security Administrator System Privileges
262
7.4.1 User Management Role
263
7.4.2 Role Management Role
264
7.4.3 Data and Communication Encryption Role
266
7.4.4 System Auditing Role
267
7.5 Summary
267
8 Object Privileges
269
8.1 What Are Object Privileges?
269
8.1.1 Catalog Object Privileges
270
8.1.2 Security Considerations for Catalog Objects
276
8.2 Granting Object Privileges with SQL
280
8.2.1 Securing Schemas with SQL
280
8.2.2 Securing Individual Catalog Objects with SQL
283
8.3 Granting Object Privileges with the SAP HANA Cockpit
285
8.4 Granting Object Privileges with the SAP HANA Web-Based Development Workbench
287
8.5 Granting Object Privileges with Repository Roles
289
8.5.1 Script-Based Repository Roles
289
8.5.2 SAP HANA Web-Based Development Workbench GUI
292
8.6 Case Study: Updating Repository Roles to Access Information Views
295
8.6.1 Consumer
296
8.6.2 Power User
297
8.6.3 Developer
298
8.7 Summary
299
9 Package Privileges
301
9.1 What Is the SAP HANA Development Repository?
301
9.1.1 Structure of the Development Repository
302
9.1.2 Creating Packages and Subpackages
303
9.1.3 Overview of Delivery Units
303
9.2 What Are Package Privileges?
304
9.3 Granting Package Privileges
307
9.3.1 Granting Package Privileges with SQL
307
9.3.2 Granting Package Privileges with the SAP HANA Cockpit
307
9.3.3 Granting Package Privileges with the SAP HANA Web-Based Development Workbench
309
9.3.4 Granting Package Privileges within Repository-Based Roles
311
9.4 Case Study: Preventing Content Developers from Elevating Their Privileges
315
9.4.1 Assessing the Current Configuration
315
9.4.2 Recommendations
316
9.5 Summary
319
10 Analytic Privileges
321
10.1 What Are SAP HANA Information Views?
322
10.1.1 Attribute Views
322
10.1.2 Analytic Views
323
10.1.3 Calculation Views
324
10.2 What Are Analytic Privileges?
324
10.2.1 XML-Based Analytic Privileges
325
10.2.2 SQL-Based Analytic Privileges
328
10.3 _SYS_BI_CP_ALL: A System-Generated Analytic Privilege
330
10.4 Managing Static Analytic Privileges
331
10.4.1 Creating Static XML-Based Analytic Privileges
331
10.4.2 Creating Static SQL-Based Analytic Privileges
335
10.5 Managing Dynamic Analytic Privileges
336
10.5.1 Dynamic XML-Based Analytic Privileges
337
10.5.2 Dynamic SQL-Based Analytic Privileges
339
10.6 Managing Dynamic Expression-Based SQL Analytic Privileges
346
10.7 Troubleshooting Effective Analytic Privileges and Filter Conditions
350
10.8 Granting Analytic Privileges
351
10.8.1 Granting Analytic Privileges with SQL
351
10.8.2 Granting Analytic Privileges with the SAP HANA Cockpit
352
10.8.3 Granting Analytic Privileges with the SAP HANA Web-Based Development Workbench
354
10.8.4 Granting Analytic Privileges with Repository Roles
355
10.9 Summary
359
11 Application Privileges
361
11.1 What Are Application Privileges?
361
11.2 Creating Application Privileges
362
11.3 Granting Application Privileges
364
11.3.1 Granting Application Privileges with SQL
364
11.3.2 Granting Application Privileges with the SAP HANA Cockpit
365
11.3.3 Granting Application Privileges with the SAP HANA Web-Based Development Workbench Security Manager
367
11.3.4 Granting Application Privileges within Repository Roles
368
11.4 Privileges on Users
372
11.4.1 Granting Privileges on Users with the SAP HANA Cockpit
373
11.4.2 Granting Privileges on Users with SQL
374
11.5 Summary
375
12 Authentication
377
12.1 SAP HANA Internal Authentication Mechanism
378
12.1.1 Protecting SAP HANA Passwords with Encryption
379
12.1.2 Configuring the Internal Authentication Password Policy
379
12.1.3 Managing Password Policy Settings with SQL
386
12.1.4 Managing Password Policy Settings in GUIs
387
12.2 SAP HANA and LDAP Authentication
393
12.3 Supported Third-Party Authentication Providers
396
12.3.1 Kerberos Authentication
396
12.3.2 SAML Authentication
399
12.3.3 X.509 Authentication
402
12.3.4 SAP Logon Tickets
403
12.3.5 SAP Assertion Tickets
405
12.3.6 JWT Identity Providers
406
12.4 Case Study: Adding SAML Identity User Accounts
406
12.5 Summary
409
13 Certificate Management and Encryption
411
13.1 SSL Certificates
411
13.1.1 In-Database Certificate Management
412
13.1.2 External SAP HANA PSE File and Certificate Management
419
13.2 Client Encryption Settings
423
13.2.1 SAP HANA Studio
423
13.2.2 XS Engine Web-Based Applications
425
13.2.3 JDBC and ODBC Drivers
427
13.2.4 SAP HANA Cockpit
430
13.3 Encrypting Data
431
13.3.1 Server-Side Data Encryption
432
13.3.2 Managing Root Keys within the SSFS
433
13.3.3 Encrypting the Data Volume
437
13.3.4 Encrypting the Log Volume
438
13.3.5 Encrypting the Backup Media
439
13.4 Summary
440
14 Security Lifecycle Management
441
14.1 Maintaining a Consistent Security Model
441
14.1.1 Best Practices
442
14.1.2 Testing Security Model Changes
444
14.1.3 Keeping Repository Roles in Sync
446
14.2 Creating Delivery Units for Security-Related Packages
448
14.2.1 Creating a Delivery Unit with SAP HANA Studio
449
14.2.2 Creating a Delivery Unit with SAP HANA Application Lifecycle Management
452
14.2.3 Importing and Exporting Delivery Units with SAP HANA Application Lifecycle Management
456
14.3 Transporting Security Packages to Other SAP HANA Systems
457
14.3.1 Transporting a Delivery Unit with SAP HANA Application Lifecycle Management
457
14.3.2 Exporting a Delivery Unit to a File
462
14.3.3 Importing a Delivery Unit from a File
464
14.4 Additional Options in SAP HANA Application Lifecycle Management
466
14.4.1 Change Recording
467
14.4.2 Using the Change and Transport System
467
14.5 Summary
468
15 Auditing
469
15.1 Why Do You Need Auditing?
469
15.2 Configuring Auditing
471
15.2.1 Enable Auditing with the SAP HANA Cockpit
471
15.2.2 Audit Log Targets and Options in the SAP HANA Cockpit
472
15.2.3 Viewing Audit Logs in the SAP HANA Cockpit
475
15.2.4 Enabling Auditing with the SAP HANA Web-Based Development Workbench
476
15.2.5 Enabling Auditing with SQL
477
15.3 Creating Audit Policies
479
15.3.1 Components of the Audit Policy
480
15.3.2 Managing Policies with the SAP HANA Web-Based Development Workbench
486
15.3.3 Managing Audit Policies with SQL
488
15.3.4 Creating Policies with the SAP HANA Cockpit
490
15.4 Querying Audit Data
494
15.5 Case Study: Defining Audit Policies
496
15.5.1 Proactive Event Monitoring
496
15.5.2 Audit Reporting
496
15.5.3 Authentication Auditing
497
15.5.4 Unauthorized Action Auditing
498
15.5.5 System Change Auditing
499
15.5.6 Security Management Task Auditing
499
15.5.7 Super User Event Auditing
502
15.6 Summary
503
16 Security Tracing and Troubleshooting
505
16.1 Authorization Tracing
505
16.1.1 Enabling Tracing with the SAP HANA Cockpit
506
16.1.2 Enabling Tracing with SQL
509
16.1.3 Viewing the Trace File in the SAP HANA Cockpit
511
16.2 Querying the System to Review Effective Privileges
513
16.2.1 Granted Privileges
513
16.2.2 Granted Roles
514
16.2.3 Accessible Views
515
16.2.4 Effective Privilege Grantees
516
16.2.5 Effective Structured Privileges
517
16.2.6 Effective Privileges
519
16.2.7 Effective Role Grantees
520
16.2.8 Effective Roles
521
16.3 Case Study: Identifying Deficiencies in Information View Access
522
16.3.1 Troubleshooting the Problem
522
16.3.2 Reviewing the Results
523
16.3.3 Reviewing the Solution
524
16.4 Summary
524
17 Security Recommendations
525
17.1 Password Authentication Settings
525
17.1.1 Standard User Password Policies
525
17.1.2 Service Accounts
528
17.2 Encryption Settings
529
17.3 Identifying Users with Elevated Privileges
529
17.3.1 System Privileges
530
17.3.2 Root Package Privileges
532
17.3.3 Bypass Analytic Privileges
534
17.3.4 Default Standard Roles
536
17.3.5 WITH GRANT or WITH ADMIN
537
17.3.6 Trace, Dump File, and Debug Access
538
17.4 Disabling the SYSTEM Account
539
17.5 Identifying Privilege Escalation Vulnerabilities
540
17.6 Handover from Hardware Vendors
541
17.7 Creating Audit Policies
541
17.8 Summary
542
18 SAP HANA XSA Security
543
18.1 Overview of SAP HANA XSA
543
18.2 Managing Space Access, Users, and Roles Collections in SAP HANA XSA
546
18.2.1 Accessing Applications
547
18.2.2 Managing SAP HANA XSA Users
550
18.2.3 Managing SAP HANA XSA Role Collections
551
18.2.4 Managing Organization and Space Access
554
18.3 Working with SAP Web IDE for SAP HANA
556
18.3.1 SAP Web IDE for SAP HANA Overview
556
18.3.2 SAP HANA Database Explorer in SAP Web IDE for SAP HANA
558
18.4 HDI Containers and Security
559
18.4.1 Security Architecture of the HDI Container
560
18.4.2 HDI Container Roles
564
18.4.3 Granting the HDI Container Access to External Objects
576
18.5 Summary
594
The Author
595
Index
597