Table of Contents

Preface .... 19
Purpose .... 19
Who Should Read This Book .... 19
Structure of This Book .... 20
Introduction .... 20
Chapter 1: Managing Security with SAP HANA Studio .... 20
Chapter 2: Introduction to SAP HANA Privileges .... 20
Chapter 3: Catalog Objects .... 21
Chapter 4: User Accounts .... 21
Chapter 5: Database Roles .... 21
Chapter 6: Repository Roles .... 21
Chapter 7: System Privileges .... 22
Chapter 8: Object Privileges .... 22
Chapter 9: Package Privileges .... 22
Chapter 10: Analytic Privileges .... 22
Chapter 11: Application Privileges .... 23
Chapter 12: Authentication .... 23
Chapter 13: Certificate Management and Encryption .... 23
Chapter 14: Security Lifecycle Management .... 23
Chapter 15: Auditing .... 24
Chapter 16: Security Tracing and Troubleshooting .... 24
Chapter 17: Security Recommendations .... 24
Chapter 18: SAP HANA 2.0 Security .... 25
Acknowledgments .... 25
Introduction .... 27
Overview of SAP HANA .... 27
Software Layers and Features .... 28
Hardware Layers and Features .... 29
SAP HANA 1.0 SPS 12 and SAP HANA 2.0 SPS 00 .... 32
Introduction to SAP HANA Security .... 35
Importance of Securing Your SAP HANA System .... 36
Summary .... 37
1 Managing Security with SAP HANA Studio .... 39
1.1 SAP HANA Studio Overview .... 40
1.1.1 Getting Started with SAP HANA Studio .... 41
1.1.2 Navigating SAP HANA Studio .... 47
1.2 The Administration Console .... 57
1.3 Managing Perspectives in SAP HANA Studio .... 58
1.3.1 Administration Console Perspective .... 59
1.3.2 Development Perspective .... 60
1.3.3 Modeler Perspective .... 66
1.4 SQL Console .... 69
1.5 Security Settings in SAP HANA Studio .... 70
1.5.1 User Management .... 70
1.5.2 Role Management .... 71
1.5.3 Security Console .... 71
1.5.4 Development Perspective .... 71
1.5.5 SQL Console .... 71
1.5.6 Configuration Tab .... 72
1.6 Summary .... 72
2 Introduction to SAP HANA Privileges .... 73
2.1 Privileges within SAP HANA .... 74
2.1.1 System Privileges .... 74
2.1.2 Object Privileges .... 75
2.1.3 Analytic Privileges .... 77
2.1.4 Package Privileges .... 78
2.1.5 Application Privileges .... 79
2.2 Privilege Validation and Assignment .... 79
2.2.1 Assigning Privileges .... 80
2.2.2 Validating Privileges .... 81
2.3 Summary .... 83
3 Catalog Objects .... 85
3.1 What Are SAP HANA Catalog Objects? .... 85
3.2 Creating and Managing Native Catalog Objects .... 87
3.2.1 Creating Schemas .... 88
3.2.2 Creating Catalog Tables .... 91
3.2.3 Creating Other Catalog Objects .... 93
3.3 Creating and Managing Repository Catalog Objects .... 94
3.3.1 Creating Repository Schemas .... 95
3.3.2 Creating Repository Tables .... 98
3.4 Deploying Repository Objects .... 100
3.5 Case Study .... 108
3.6 Summary .... 113
4 User Accounts .... 115
4.1 What Are User Accounts? .... 115
4.1.1 Standard User Accounts .... 116
4.1.2 Technical User Accounts .... 117
4.1.3 Restricted User Accounts .... 118
4.2 Creating and Managing User Accounts .... 119
4.2.1 Creating and Managing Users with SQL Statements .... 120
4.2.2 Creating and Managing Users in SAP HANA Studio .... 121
4.2.3 Creating and Managing Users with SAP HANA Web-Based Development Workbench .... 124
4.2.4 User Account System Views .... 126
4.2.5 Deleting User Accounts .... 129
4.3 Granting and Revoking Privileges .... 133
4.3.1 Granting and Revoking Privileges with SQL .... 133
4.3.2 Granting and Revoking Privileges with SAP HANA Studio .... 141
4.3.3 Granting and Revoking Privileges with SAP HANA Web-Based Development Workbench .... 146
4.3.4 Effective Privileges System View .... 148
4.4 Managing User Role Assignments .... 149
4.4.1 Granting and Revoking Roles with SQL .... 150
4.4.2 Granting and Revoking Roles with SAP HANA Studio .... 152
4.4.3 Granting and Revoking Roles with SAP HANA Web-Based Development Workbench .... 154
4.4.4 Effective Roles System View .... 154
4.5 Case Study: Provisioning Users with SQL Scripts and Stored Procedures .... 155
4.5.1 Creating a Repository Schema .... 156
4.5.2 Creating a Repository Table .... 157
4.5.3 Importing a CSV File into a Table .... 158
4.5.4 Creating Repository Stored Procedures .... 161
4.5.5 Executing the Repository Stored Procedure .... 165
4.6 Summary .... 166
5 Database Roles .... 167
5.1 What Are Roles? .... 167
5.2 Creating and Managing Roles .... 171
5.2.1 Creating and Deleting Roles with SQL Statements .... 171
5.2.2 Creating and Deleting Roles with SAP HANA Studio .... 172
5.2.3 Creating and Deleting Roles with SAP HANA Web-Based Development Workbench .... 174
5.3 Granting and Revoking Privileges .... 176
5.3.1 Methodologies for Granting Privileges to Roles .... 176
5.3.2 Granting and Revoking Privileges with SQL .... 178
5.3.3 Granting and Revoking Privileges with SAP HANA Studio .... 187
5.3.4 Granting and Revoking Privileges with SAP HANA Web-Based Development Workbench .... 192
5.4 Managing Nested Roles .... 194
5.4.1 Granting and Revoking Roles with SQL .... 194
5.4.2 Granting and Revoking Roles with SAP HANA Studio .... 195
5.4.3 Granting and Revoking Roles with SAP HANA Web-Based Development Workbench .... 196
5.5 Summary .... 197
6 Repository Roles .... 199
6.1 What Are Repository Roles? .... 199
6.1.1 User Account _SYS_REPO and Repository Roles .... 200
6.1.2 Grantor and Privileges .... 202
6.1.3 Grantor and Roles .... 203
6.1.4 Why Use Repository Roles? .... 203
6.2 Managing Repository Roles with Design-Time Scripts .... 205
6.2.1 Creating Repository Roles within a Package .... 206
6.2.2 Defining the Role Name Tag .... 207
6.2.3 Extending Roles .... 208
6.2.4 Assigning Privileges .... 208
6.2.5 Save and Activate .... 209
6.2.6 Runtime Repository Roles .... 210
6.3 Granting and Revoking Privileges in Design-Time Scripts .... 211
6.3.1 System Privileges .... 211
6.3.2 Schema Privileges .... 212
6.3.3 Object Privileges .... 214
6.3.4 Structured Privileges .... 215
6.3.5 Remote Sources .... 216
6.3.6 Analytic Privileges .... 217
6.3.7 Application Privileges .... 217
6.3.8 Package Privileges .... 218
6.4 Managing Repository Roles with SAP HANA Web-Based Development Workbench .... 218
6.4.1 Accessing and Navigating the SAP HANA Web-Based Development Workbench Editor .... 219
6.4.2 System Privileges .... 222
6.4.3 Object Privileges .... 223
6.4.4 Analytic Privileges .... 226
6.4.5 Package Privileges .... 227
6.4.6 Application Privileges .... 229
6.5 Granting Repository Roles to Users .... 231
6.5.1 Granting and Revoking Repository Roles with Stored Procedures .... 231
6.5.2 Granting and Revoking Repository Roles with SAP HANA Studio .... 232
6.5.3 Granting and Revoking Repository Roles with SAP HANA Web-Based Development Workbench .... 234
6.6 Case Study: Creating Basic Repository Roles .... 234
6.6.1 Consumer Repository Role .... 235
6.6.2 Power User Repository Role .... 236
6.6.3 Developer Repository Role .... 236
6.6.4 Security Administrator Repository Role .... 238
6.7 Summary .... 239
7 System Privileges .... 241
7.1 What Are System Privileges? .... 241
7.2 Default System Privileges .... 242
7.2.1 Developer-Related System Privileges .... 242
7.2.2 Security Admin-Related System Privileges .... 243
7.2.3 System Admin-Related System Privileges .... 246
7.2.4 Environment Monitoring-Related System Privileges .... 252
7.2.5 Environment Performance-Related System Privileges .... 252
7.3 Granting System Privileges .... 253
7.3.1 Granting System Privileges with SQL .... 253
7.3.2 Granting System Privileges with SAP HANA Studio .... 254
7.3.3 Granting System Privileges with SAP HANA Web-Based Development Workbench .... 256
7.3.4 Granting System Privileges with Repository Roles .... 257
7.4 Case Study: Security Administrator System Privileges .... 262
7.4.1 User Management Role .... 262
7.4.2 Role Management Role .... 264
7.4.3 Data and Communication Encryption Role .... 265
7.4.4 System Auditing Role .... 266
7.5 Summary .... 267
8 Object Privileges .... 269
8.1 Overview of Object Privileges .... 269
8.1.1 Catalog Object Privileges .... 270
8.1.2 Security Considerations for Catalog Objects .... 275
8.2 Granting Object Privileges with SQL .... 279
8.2.1 Securing Schemas with SQL .... 280
8.2.2 Securing Individual Catalog Objects with SQL .... 282
8.3 Granting Object Privileges with SAP HANA Studio .... 284
8.4 Granting Object Privileges with Repository Roles .... 286
8.4.1 Script-Based Repository Roles .... 287
8.4.2 SAP HANA Web-Based Development Workbench .... 289
8.5 Case Study: Updating Repository Roles to Access Information Views .... 292
8.5.1 Consumer .... 292
8.5.2 Power User .... 293
8.5.3 Developer .... 295
8.6 Summary .... 296
9 Package Privileges .... 297
9.1 The SAP HANA Development Repository .... 297
9.1.1 Structure of the Development Repository .... 297
9.1.2 Creating Packages and Subpackages .... 298
9.1.3 Overview of Delivery Units .... 300
9.2 Overview of Package Privileges .... 301
9.3 Granting Package Privileges .... 303
9.3.1 Granting Package Privileges with SQL .... 303
9.3.2 Granting Package Privileges with SAP HANA Studio .... 304
9.3.3 Granting Package Privileges with SAP HANA Web-Based Development Workbench .... 305
9.3.4 Granting Package Privileges within Repository-Based Roles .... 307
9.4 Case Study: Preventing Content Developers from Elevating Their Privileges .... 311
9.4.1 Assessing the Current Configuration .... 311
9.4.2 Recommendations .... 312
9.5 Summary .... 315
10 Analytic Privileges .... 317
10.1 Overview of SAP HANA Information Views .... 317
10.1.1 Attribute Views .... 318
10.1.2 Analytic Views .... 318
10.1.3 Calculation Views .... 319
10.2 Overview of Analytic Privileges .... 320
10.2.1 XML-Based Analytic Privileges .... 320
10.2.2 SQL-Based Analytic Privileges .... 323
10.3 _SYS_BI_CP_ALL: A System-Generated Analytic Privilege .... 325
10.4 Managing Static Analytic Privileges .... 326
10.4.1 Creating Static XML-Based Analytic Privileges .... 326
10.4.2 Creating Static SQL-Based Analytic Privileges .... 331
10.5 Managing Dynamic Analytic Privileges .... 334
10.5.1 Dynamic XML-Based Analytic Privileges .... 334
10.5.2 Dynamic SQL-Based Analytic Privileges .... 336
10.6 Managing Dynamic Expression-Based SQL Analytic Privileges .... 344
10.6.1 Creating a Repository-Based Security Table .... 346
10.6.2 Defining Dynamic Expression-Based SQL Analytic Privileges .... 348
10.7 Troubleshooting Effective Analytic Privileges and Filter Conditions .... 351
10.8 Granting Analytic Privileges .... 352
10.8.1 Granting Analytic Privileges with SQL .... 352
10.8.2 Granting Analytic Privileges with SAP HANA Studio .... 353
10.8.3 Granting Analytic Privileges with SAP HANA Web-Based Development Workbench .... 354
10.8.4 Granting Analytic Privileges within Repository Roles .... 355
10.9 Summary .... 359
11 Application Privileges .... 361
11.1 Application Privileges in SAP HANA .... 361
11.2 Creating Application Privileges .... 362
11.3 Granting Application Privileges .... 364
11.3.1 Granting Application Privileges with SQL .... 364
11.3.2 Granting Application Privileges with SAP HANA Studio .... 365
11.3.3 Granting Application Privileges with SAP HANA Web-Based Development Workbench .... 366
11.3.4 Granting Application Privileges within Repository Roles .... 367
11.4 Privileges on Users .... 372
11.4.1 Granting Privileges on Users with SAP HANA Studio .... 372
11.4.2 Granting Privileges on Users with SQL .... 373
11.5 Summary .... 373
12 Authentication .... 375
12.1 SAP HANA Internal Authentication Mechanism .... 376
12.1.1 Protecting SAP HANA Passwords with Encryption .... 376
12.1.2 Configuring the Internal Authentication Password Policy .... 377
12.1.3 Managing Password Policy Settings with SQL .... 383
12.1.4 Managing Password Policy Settings in GUIs .... 384
12.2 Supported Third-Party Authentication Providers .... 389
12.2.1 Kerberos Authentication .... 390
12.2.2 SAML Authentication .... 393
12.2.3 X509 Authentication .... 396
12.2.4 SAP Logon Ticket .... 397
12.2.5 SAP Assertion Ticket .... 399
12.3 Case Study: Adding SAML Identity User Accounts .... 400
12.4 Summary .... 402
13 Certificate Management and Encryption .... 403
13.1 SSL Certificates .... 403
13.1.1 In-Database Certificate Management .... 404
13.1.2 External SAP HANA PSE File and Certificate Management .... 408
13.2 Client Encryption Settings .... 412
13.2.1 SAP HANA Studio .... 412
13.2.2 XS Engine Web-Based Applications .... 414
13.2.3 JDBC and ODBC Drivers .... 416
13.3 Encrypting Data .... 419
13.3.1 Server-Side Data Encryption .... 420
13.3.2 Changing New Root Keys within the SSFS .... 421
13.3.3 Encrypting the Data Volume .... 424
13.3.4 Encrypting the Log Volume .... 425
13.4 Summary .... 426
14 Security Lifecycle Management .... 427
14.1 Maintaining a Consistent Security Model .... 427
14.1.1 Best Practices .... 428
14.1.2 Testing Security Model Changes .... 430
14.1.3 Keeping Repository Roles in Sync .... 432
14.2 Create Delivery Units for Security-Related Packages .... 434
14.2.1 Creating a Delivery Unit with SAP HANA Studio .... 435
14.2.2 Creating a DU with SAP HANA Application Lifecycle Management .... 438
14.3 Transport Security Packages to Other SAP HANA Systems .... 442
14.3.1 Transport a DU with SAP HANA Application Lifecycle Management .... 443
14.3.2 Export a DU to a File .... 448
14.3.3 Import a DU from a File .... 449
14.4 Additional Options in SAP HANA Application Lifecycle Management .... 452
14.4.1 Change Recording .... 452
14.4.2 Using SAP CTS .... 453
14.5 Summary .... 453
15 Auditing .... 455
15.1 Why Do We Need Auditing? .... 455
15.2 Configuring Auditing .... 457
15.2.1 Enable Auditing with SAP HANA Studio .... 457
15.2.2 Enable Auditing with SAP HANA Web-Based Development Workbench .... 461
15.2.3 Enable Auditing with SQL .... 463
15.3 Creating Audit Policies .... 465
15.3.1 Components of the Audit Policy .... 466
15.3.2 Managing Policies with SAP HANA Web-Based Development Workbench .... 471
15.3.3 Managing Audit Policies with SQL .... 473
15.3.4 Creating Policies with SAP HANA Studio .... 476
15.4 Querying Audit Data .... 477
15.4.1 AUDIT_ACTIONS .... 478
15.4.2 AUDIT_LOG .... 478
15.4.3 AUDIT_POLICIES .... 478
15.5 Case Study: Defining Audit Policies .... 479
15.5.1 Proactive Event Monitoring .... 479
15.5.2 Audit Reporting .... 480
15.5.3 Authentication Auditing .... 480
15.5.4 Unauthorized Action Auditing .... 481
15.5.5 System Change Auditing .... 482
15.5.6 Security Management Task Auditing .... 483
15.5.7 Super User Event Auditing .... 485
15.6 Summary .... 486
16 Security Tracing and Troubleshooting .... 487
16.1 Authorization Tracing .... 487
16.1.1 Enable Tracing with SAP HANA Studio .... 488
16.1.2 Enable Tracing with SQL .... 491
16.1.3 Viewing the Trace File in SAP HANA Studio .... 493
16.2 Query the System to Review Effective Privileges .... 495
16.2.1 Granted Privileges .... 495
16.2.2 Granted Roles .... 496
16.2.3 Accessible Views .... 497
16.2.4 Effective Privilege Grantees .... 498
16.2.5 Effective Structured Privileges .... 499
16.2.6 Effective Privileges .... 501
16.2.7 Effective Role Grantees .... 502
16.2.8 Effective Roles .... 503
16.3 Case Study: Identifying Deficiencies in Information View Access .... 504
16.3.1 Troubleshooting the Problem .... 504
16.3.2 Reviewing the Results .... 505
16.3.3 Reviewing the Solution .... 506
16.4 Summary .... 506
17 Security Recommendations .... 507
17.1 Password Authentication Settings .... 507
17.1.1 Standard User Password Policies .... 507
17.1.2 Service Accounts .... 510
17.2 Encryption Settings .... 511
17.3 Identifying Users with Elevated Privileges .... 511
17.3.1 System Privileges .... 512
17.3.2 Root Package Privileges .... 514
17.3.3 Bypass Analytic Privileges .... 515
17.3.4 Default Standard Roles .... 518
17.3.5 WITH GRANT or WITH ADMIN .... 519
17.4 Disabling the SYSTEM Account .... 520
17.5 Identify Privilege Escalation Vulnerabilities .... 521
17.6 Handover from Hardware Vendors .... 522
17.7 Create Audit Policies .... 523
17.8 Summary .... 523
18 SAP HANA 2.0 Security .... 525
18.1 Authorizations .... 525
18.1.1 Granting or Revoking the PUBLIC Role .... 525
18.1.2 Granting or Revoking Access to a User's Own Schema .... 526
18.1.3 Map LDAP Groups to SAP HANA Roles .... 527
18.2 Encryption .... 527
18.2.1 Log Volume Encryption .... 527
18.2.2 Root Key Backup and Password .... 527
18.2.3 Using SQL to Update All Encryption Keys .... 528
18.3 XS Engine Applications and Roles .... 528
18.4 SAP HANA 2.0 Cockpit .... 529
18.5 Summary .... 529
Appendices .... 531
The Author .... 531
Index .... 533