PUBLIC ‘SAP HANA Platform 2.0 SPS 08 Document Version: 1.0 - 2024-11-20 SAP HANA Security Guide for SAP HANA PlatformContent 43 4a 6 62 63 64 65 ‘SAP HANA Security Guide. ‘Security Information by Guide. 9 ‘SAP HANA Security Patches. ‘SAP HANA Overview. . ‘The SAP HANA Database. 15 ‘SAP HANA XS and Development Infrastructure, 16 ‘SAP HANA XS, Advanced Model... . . . 16 SAP HANA XS, Classic Model v Technical System Landscape. 18 Overview of SAP HANA Security Functions. 19 Database Isolation, 23 Security Considerations After Updating a Single-Container System, 25 ‘SAP HANA Implementation Scenarios. 26 SAP HANA as a Data Mart. 26 SAP HANA in a Classic 24ier Architecture. 28 SAP HANA as Technical Infrastructure for Native Application Development. 20 ‘SAP HANA Network and Communication Security. Communication Channels, Network Security 36 ‘Securing Data Communication. . . . 40 ‘Secure Communication Between SAP HANA and JDBC/ODBC Clie 42 ‘Secure Communication Between SAP HANA and an LDAP Directory Server. 59 ‘Secure Communication Between SAP HANA XS Classic and HTTP Clients, 62 Secure Internal Communication, ... 63 ‘SAP HANA User Management. 73 User Types. . . 73 User Groups, 76 Connect Restrictions. 80 ‘SQL Statements and Authorization for User Group Administration (Reference), 83 User Administration Tools... . 86 Predefined Database Users, 89 Deactivate the SYSTEM User. a7 Predefined Operating System Users, 98nm 22 23 4 75 76 7 82 83 84 85 86 sa 92 ‘SAP HANA Authentication and Single Sign-On. User Authentication Mechanisms. Logon Checks. ‘Troubleshooting Authentication Problems. Password Policy. Password Policy Configuration Options. Password Exclude List. _-SYS_PASSWORD_BLACKLIST. Single Sign-On Integration, Single Sign-On Using Kerberos. Single Sign-On Using SAML 2.0. ‘Single Sign-On Using SAP Logon and Assertion Tickets. . coe . --122 ‘Single Sign-On Using JSON Web Tokens. 123 X.503 Certiticate-Based User Authentication, coe cecee ee 27 LDAP User Authentication. coe . ceeeeee ee B80 ‘SAP HANA Authorization. : Privileges, System Privileges, Object Privileges, Analytic Privileges. Package Privileges Application Privileges Prerequisites for Granting and Revoking Privileges and Roles, 178 Database Roles, . 182 Predetined Database Catalog) Roles... . : 183 Catalog Roles and Design-Time Roles Compared. . cee 188 SAP HANA DI Roles. bese cee . eee dS Repository Roles, 194 ‘Authorization in the Repository of the SAP HANA Database. ..... seve 199 Developer Authorization in the Repository. - . 200 _SYS_REPO Authorization in the Repository. - 201 Granting and Revoking Privileges on Activated Repository Objects. 202 Cross-Database Authorization in Tenant Databases. 204 LDAP Group Authorization, cee : eee 208 LDAP Group Authorization for Existing Users -- =» - we 207 ‘Shared Business Authorizations in SAP HANA. 210 GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION (SYS), 212 SAP HANA Data Masking. ....0eeeceeeeeeeeeeeeeeeeeeeeeeeeeeeeees Masking Definition. . 27 ‘Authorization in Masked Tables and Views, . cee 21893 94 95 96 97 ul m2 ug ma yl 2 3 4 ya 2 Analysis of Effective Mask Expressions. 224 Example: Masking Data with DEFAULT Mask Mode. 224 Example: Masking Data in Object Hierarchy with SESSION USER Mask Mode 225 Example: Masking Data in a View with Structured Privilege Check. 227 Example: Masking Data in View Hierarchy with Structured Privilege Check. . 228 SAP HANA Data Anonymization. .......06000ccceeeeeeeeeeeeeeeeeeeeeeeeeeeeees 231 Data Storage Security in SAP HANA. . 233 Data Security in the File System. 233 Server-Side Data Encryption Services, .... . 224 Server-Side Secure Stores. ..... coe . 235 Encryption Key Management. 238 Data and Log Volume Eneryption 240 Backup Eneryption, . . . 242 Encryption Configuration Control 246 Internal Application Eneryption Service. feces : 247 Root Key Backup. 250 Local Secure Store (LSS), 251 Client-Side Data Security 270 Client-Side Data Encryption, an Protection of Data in SAP HANA Studio Workspaces 272 Cryptographic Service Provider. .... o . 273 Auditing Activity in SAP HANA... 0.00000 c ec eeeeeeeeeeeeeeeeeeeeeeee eee e eee 275, Aust Policies. 76 Audit Policies for Tenant Databases, 280 Actions Audited by Default Audit Policy. 281 Audit Tals. coe 282 Aue Tell Layout for Tal Terget CSV end SYSLOG. 285 Audit Trail Layout for Trail Target Database Table. . 288 ‘Auditing Configuration and Audit Policy Management. . . 292 ‘System Properties for Configuring Auditing. 298 Best Practices and Recommendations for Creating Audit Policies. 296 Certificate Management in SAP HANA. .... fetes ese e ee eeeeeeeeeeeee BOL Certificate Management in the Database. 301 In-Database Certificate Management Workflow... . o + 303 Client Certificates. . . . 304 Cettificate Collections. +305 SQL Statements and Authorization fr in Database Certificate Management (Reference)... 209 Certificate Management in the File System, . 316 Data Protection and Privacy in SAP HANA............+ seeeeewi 161 162 163 164 165 v va v2 ma ws 76 Ww Deletion of Personal Data, 222 ‘Security Risks of Trace, Dump, and Captured Workload Files. 324. Security of Further SAP HANA Components and Capabilities. ..... 00. sseeeeeeee +326, Security Aspects of SAP HANA Platform Lifecycle Management. 327 Security of SAP HANA Content. cee . . 228 ‘Security Aspects of SAP HANA Smart Data Access. 229 ‘Security Aspects of SAP HANA R Integration, 330 ‘Security for SAP HANA Replication Technologies. .. . . 231 ‘Security for SAP HANA Extended Application Services, Advanced Model. ...... +... «.334 Technical System Landscape of SAP HANA XS Advanced... 236 Application Server Components. 239 Users and Clients. 241 User Administration and Authentication in SAP HANA XS Advanced, eee 342, User Management, . 342 Predefined XS Advanced Users. .. . . . 245 Predefined Database Roles for XS Advance. . bese 251 User Authentication, 254 User Administration Tools, . . . 21 385 ‘Authorization in SAP HANA XS Advanced. 355 Organizations and Spaces... . : - . 356 ‘Scopes, Attributes, and Role Collections. 262 Controller Role Model. . . 365 Authorization Management Tools 369 Network and Communication Security with SAP HANA XS Advanced. .. cece 272 Security Areas, 372 Public Endpoints, - . m3 Single-Host Scenario... . cee wo 75 Multiple-Host Scenario. 276 XS Advanced Certificate Management. 278 Data Storage Security. 380 System Component Storage. 381 Application Storage. . . 382 Security-Relevant Logging and Tracing. 283 ‘Audited Operations. 283 Audit Tails... . re . 383 Application Auditing. 284 Data Protection and Privacy in SAP HANA XS Advanced. cee 285 Processing of Personal Data in Platform-Controlled Artifacts 288 Processing of Personal Data in Standard XS Advanced Applications and Services. . 392