hana_sec_en

PUBLIC

SAP HANA Appliance Software SPS 05Document Version: 1.1 - 2013-03-01

SAP HANA Security Guide

Table of Contents

1 Document History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.1 Target Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2 About this Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

3 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.1 SAP HANA Guides. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.2 Important SAP Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93.3 Additional Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

4 SAP HANA Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

5 SAP HANA Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135.1 Communication Channel Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

5.1.1 Securing Data Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165.1.2 Communication Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

6 SAP HANA User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196.1 User Administration Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206.2 User Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216.3 Standard Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

7 SAP HANA Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247.1 Password Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

7.1.1 Password Policy Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247.2 Password Blacklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277.3 Resetting the SYSTEM User Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287.4 Integration into Single Sign-On Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297.5 Authentication Using SAML Bearer Token. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

7.5.1 User Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

8 SAP HANA Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328.1 Privileges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

8.1.1 Analytic Privileges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348.1.2 Creation and Management of Analytic Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

8.2 Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358.2.1 Standard Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

8.3 Authorization in the Repository of the SAP HANA Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

2

P U B L I C© 2013 SAP AG or an SAP affiliate company. All rights reserved.

SAP HANA Security GuideTable of Contents

8.3.1 User Authorization for the Repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388.3.2 _SYS_REPO Authorization in the Repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398.3.3 Granting and Revoking Privileges on Activated Repository Objects. . . . . . . . . . . . . . . . . . . . .39

9 Secure Communication in the SAP HANA Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419.1 Configuring HTTPS Between SAP HANA Database and SAP HANA Studio. . . . . . . . . . . . . . . . . . . . . . .41

9.1.1 Setup on Server-Side. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419.1.2 Setup on Client-Side (SQLDBC-Based Connections). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439.1.3 Setup on Client-Side (JDBC-Based Connections). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449.1.4 Setup of SAP HANA Studio Connections (JDBC-Based-Connections). . . . . . . . . . . . . . . . . . 45

9.2 Configuring SSL for SAP HANA Database Internal Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . 469.3 Configuring HTTPS (SSL) for Client Application Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

10 SAP HANA Data Storage Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5010.1 Data Protection on File System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5010.2 Data Volume Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

10.2.1 Implications of Persistence Encryption for Backup and Recovery. . . . . . . . . . . . . . . . . . . . . . 5110.2.2 Periodic Administration Tasks for Persistence Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . 51

10.3 Secure Data Storage for SAP HANA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5110.4 Secure User Store. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

11 Auditing Activity in SAP HANA Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5411.1 Audit Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5411.2 Audit Trail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5611.3 Auditing Configuration and Audit Policy Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

12 SAP HANA Additional Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6012.1 SAP HANA Information Composer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6012.2 Lifecycle Management Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6112.3 Unified Installer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6112.4 SAP HANA UI Toolkit for Info Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6112.5 SAP HANA UI Integration Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6212.6 Application Function Library (AFL). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6312.7 SAP HANA Extended Application Services (SAP HANA XS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6412.8 R Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

13 Security for SAP HANA Replication Technologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

14 Security Reference Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6914.1 SAP HANA Port and Connection Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

14.1.1 SAP HANA Database Internal Communication Ports and Connections. . . . . . . . . . . . . . . . . . 6914.1.2 SAP HANA Database Client Access Ports and Connections. . . . . . . . . . . . . . . . . . . . . . . . . . 6914.1.3 SAP HANA Extended Application Services Ports and Connections. . . . . . . . . . . . . . . . . . . . . 7014.1.4 SAP HANA Administrative Ports and Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70


P U B L I C© 2013 SAP AG or an SAP affiliate company. All

rights reserved. 3

14.1.5 Remote Support Ports and Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7114.1.6 Additional Scenarios Ports and Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71

14.2 SAP HANA Replication Technologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7214.2.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7214.2.2 Trigger-Based Replication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7414.2.3 ETL-Based Replication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7514.2.4 SAP HANA Direct Extractor Connection (DXC). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7714.2.5 Comparison of Replication Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

4



1 Document History

The document history includes all versions of the document that have been published.

Version Date SAP HANA Revision Description

1.1 21 Dec 2012 47 Content has been added to the following sections:

● Section 2.2, About this Document

● Section 12.5, SAP HANA UI Integration Services

1.2 01 Mar 2013 50 The following sections have been updated:

● Section 7.5 Authentication Using SAML Bearer Token

● Section 11.2 Audit Trail

SAP HANA Security GuideDocument History


rights reserved. 5

2 Introduction

CautionThis guide does not replace the administration or operation guides that are available for productive operations.

2.1 Target Audience

● Technology consultants● Security consultants● System administrators

This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software lifecycle, whereas security guides provide information that is relevant for all lifecycle phases.

2.2 About this Document

The SAP HANA Security Guide provides an overview of the security-relevant information that applies to the SAP HANA appliance software, including the SAP HANA database.The SAP HANA Security Guide comprises the following main sections:

● Before You StartThis section contains references to the most important SAP Notes that apply to the security of the SAP HANA appliance software and further helpful resources.

● SAP HANA Technical System LandscapeThis section provides an overview of the technical components, including a technical system landscape diagram.

● SAP HANA Network SecurityThis section provides an overview of the network security concepts for the SAP HANA appliance software. To restrict access at the network level, it also includes recommendations for the network topology.

● SAP HANA User ManagementThis section provides an overview of the following:

○ Concepts related to user management in SAP HANA○ Tools for user administration○ Types of users in SAP HANA○ Standard users delivered with SAP HANA

● SAP HANA Authentication

6


SAP HANA Security GuideIntroduction

This section provides an overview of the authentication mechanisms supported by SAP HANA, including integration into single sign-on environments.

● SAP HANA AuthorizationThis section provides an overview of the authorization concept of SAP HANA (privileges and roles), including authorization in the SAP HANA repository.

● Secure Communication in the SAP HANA LandscapeThis section provides an overview of the applicable communication paths used by SAP HANA and the security mechanisms.

● SAP HANA Data Storage SecurityThis section provides an overview of applicable critical data that is used by the SAP HANA database and the security mechanisms, including a subsection about data volume encryption.

● Auditing Activity in SAP HANA SystemsThis section provides an overview of the auditing feature of the SAP HANA database.

● SAP HANA Additional ComponentsIn addition to the SAP HANA database, the following components are part of the SAP HANA landscape and are documented in this guide:

○ SAP HANA Information ComposerThis topic provides security-relevant information about the SAP HANA information composer, which is a Web application that allows you to upload data to and manipulate data on the SAP HANA database.

○ Lifecycle Management ToolsThis topic provides security-relevant information about Lifecycle Management Tools such as the Software Update Manager (SUM).

○ Unified InstallerThis topic provides security-relevant information for the Unified Installer, which is a tool for installing the SAP HANA appliance software in a single, unified, and predefined way.

○ SAP HANA UI Toolkit for Info AccessThis topic provides security-relevant information about the SAP HANA UI Toolkit for Info Access, which provides HTML5 UI building blocks for developing search-based applications on SAP HANA.

○ SAP HANA UI Integration ServicesThis topic provides security-related information about SAP HANA UI Integration Services, which enable you to integrate standalone SAP HANA client applications into web user interfaces to support end-to-end business scenarios.

○ Application Function Library (AFL)SAP HANA provides several techniques to move application logic into the database, and one of the most important is the use of application functions. This topic provides security-relevant information about the Application Function Library (AFL).

○ SAP HANA Extended Application Services (SAP HANA XS)This topic provides security-related information about SAP HANA Extended Application Services (SAP HANA XS), which enables you to define access to each individual application package that you want to develop and deploy.

○ R IntegrationThis topic provides security-related information about R, an open source programming language and software environment for statistical computing and graphics.

● Security for SAP HANA Replication TechnologiesThis section provides an overview of the security aspects of the various replication technologies.

Note



rights reserved. 7

For more detailed information about the security of the SAP HANA replication technologies, see the security guides for these technologies at SAP HANA Appliance Software – SAP Help Portal.

● Security Reference Information

○ SAP HANA Port and Connection TablesThis section provides tables of the SAP HANA port and connection types for configuring firewalls and networks.

○ SAP HANA Replication TechnologiesThis section provides general information about the replication technologies that may be used with SAP HANA, as well as a comparison of the replication methods.

8



http://help.sap.com/hana_appliance

3 Before You Start

3.1 SAP HANA Guides

For more information about SAP HANA landscape, security, installation, and administration, see the resources listed below:

Topic Location Quick Link

SAP HANA landscape, deployment, and installation

SAP HANA Knowledge Center on SAP Service Marketplace

https://service.sap.com/hana:

● SAP HANA Master Guide● SAP HANA Installation Guide with SAP HANA

Unified Installer● SAP HANA Master Update Guide● SAP HANA Automated Update Guide

SAP HANA administration and security

SAP HANA Knowledge Center on the SAP Help Portal

http://help.sap.com/hana_appliance:

● SAP HANA Technical Operations Manual● SAP HANA Security Guide

3.2 Important SAP Notes

Important SAP Notes that apply to SAP HANA appliance software and SAP HANA database security are shown in the table below.

NoteSAP supports that customers install additional tools on the SAP HANA appliance within defined boundaries. It is the responsibility of the customer to ensure that the network channels used by those tools are appropriately protected. For detailed information, see the SAP Notes listed below.

In addition, you can find a list of security-relevant SAP Notes on the SAP Service Marketplace at https://service.sap.com/securitynotes.

SAP Note Title

1598623 SAP HANA appliance: Security

1514967 SAP HANA appliance: Central Note

1730928 Using external software in an SAP HANA appliance

1730929 Using external tools in an SAP HANA appliance

SAP HANA Security GuideBefore You Start


rights reserved. 9

https://service.sap.com/hana

https://service.sap.com/~sapidb/011000358700000604552011





http://help.sap.com/hana_appliance

http://help.sap.com/hana/hana_tom_en.pdf

http://help.sap.com/hana/hana_sec_en.pdf

https://service.sap.com/securitynotes


https://service.sap.com/sap/support/notes/1598623




SAP Note Title

1730930 Using antivirus software in an SAP HANA appliance

1730932 Using backup tools with Backint for SAP HANA

1730996 Nonrecommended external software and software versions

1730997 Nonrecommended versions of antivirus software

1730998 Nonrecommended versions of backup tools

1730999 Configuration changes in SAP HANA appliance

1731000 Nonrecommended configuration changes

3.3 Additional Information

For more information about specific topics, see the Quick Links in the table below.

Content Quick Link on the SAP Service Marketplace or SDN

Security https://sdn.sap.com/irj/sdn/security

Security Guides https://service.sap.com/securityguide

Related SAP Notes https://service.sap.com/noteshttps://service.sap.com/securitynotes

Released platforms https://service.sap.com/pam

Network security https://service.sap.com/securityguide

SAP Solution Manager https://service.sap.com/solutionmanager

SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver

In-Memory Computing http://www.sdn.sap.com/irj/sdn/in-memory

10


SAP HANA Security GuideBefore You Start








https://sdn.sap.com/irj/sdn/security

https://service.sap.com/securityguide

https://service.sap.com/notes


https://service.sap.com/pam

https://service.sap.com/securityguide

https://service.sap.com/solutionmanager

http://sdn.sap.com/irj/sdn/netweaver

http://www.sdn.sap.com/irj/sdn/in-memory

4 SAP HANA Technical System Landscape

The diagram below shows an overview of the technical system landscape for the SAP HANA appliance software and its related components. The related components include the SAP HANA studio and other applications, such as the SAP HANA information composer.

NoteThe diagram below shows a sample configuration with one SAP HANA appliance and three SAP HANA hosts, as well as some optional components that must be purchased separately.

SAP HANA Security GuideSAP HANA Technical System Landscape


rights reserved. 11

12


SAP HANA Security GuideSAP HANA Technical System Landscape

5 SAP HANA Network Security

This topic provides you with the information about the different network channels of your SAP HANA system, the required access for different scenarios, as well as configuration options provided by SAP HANA. There are different network channels that are required for communication between different parts of an SAP HANA landscape, as shown in the topic SAP HANA Technical System Landscape.It is recommended security practice to have a well-defined network topology to control and restrict network access to the SAP HANA system to only the communication channels required for your respective scenario and to apply appropriate additional security measures, such as encryption, where necessary. This can be achieved by using different means such as separate network zones, network firewalls, or through configuration options, such as encryption, provided by SAP HANA. The detailed setup is dependent on the specific customer environment, the SAP HANA scenarios, and the security requirements or policies of the customer. Based on the information in this chapter, customers can decide how SAP HANA can be securely integrated in their respective network environment.

NoteFor information about configuring network parameters in a distributed system, see the section Network Security in SAP HANA Administration Guide.

When using SAP HANA appliance software, we recommend operating different components of the solution in separate network segments. In order to prevent any unauthorized access to the SAP HANA appliance and the SAP HANA database through the network, we recommend controlling the network traffic between the different network segments by using a firewall or a packet filter. For more information about additional security mechanisms using encrypted communication, see Secure Communication in the SAP HANA Landscape.The system landscape gives an overview of the different network segments that, depending on the individual configuration, are available. The detailed setup is dependent on the specific application scenario and customer network infrastructure.The SAP HANA appliance should be operated in a protected data center environment. Only dedicated authorized network traffic should be allowed from other network zones (for example, user access from client network zone):

● Client access (that is, all access to external standard database functionality, for example, SQL) only requires access to the client access port.

NoteIn distributed scenarios, clients must be able to access every node of the distributed SAP HANA appliance.

● Client HTTP access (for example, browser) in scenarios that use the HTTP access feature of SAP HANA Extended Application Services (SAP HANA XS), for example, ETL-based Data Acquisition by SAP HANA Direct Extractor Connection and SAP HANA UI Toolkit for Info Access.

● For some administrative functions (for example, starting and stopping the SAP HANA instance), access to the administrative ports is additionally required.

● Database internal communication is only used for communication within the database or in a distributed scenario, for the communication between hosts.

○ In a single blade scenario (one instance of SAP HANA on one blade), access to those ports from other network hosts must be blocked.

SAP HANA Security GuideSAP HANA Network Security


rights reserved. 13

http://help.sap.com/hana/hana_admin_en.pdf

○ In a distributed scenario of SAP HANA (one instance of SAP HANA on multiple blades), we recommend operating all blades in a dedicated subnet. We further recommend to ensure that communication on the internal communication channels is restricted to communication between authorized hosts of an instance.

CautionThe internal communication must be strictly separated from the external or client communication paths. Access from hosts that are not part of an instance of the SAP HANA appliance should be blocked.If your setup does not allow having the internal communication in a dedicated subnet, we recommend protecting the internal communication using encryption. For more information, see Secure Communication in the SAP HANA Landscape.

Additional network configurations may be required for specific replication scenarios. For more information about SAP HANA replication technologies, see Security Considerations for SAP HANA Replication Technologies.Also see the SAP Library on SAP Help Portal at http://help.sap.com under SAP NetWeaver SAP NetWeaver 7.3 System Administration Security Guide SAP NetWeaver Security Guide .Related LinksSecurity Considerations for SAP HANA Replication Technologies [page 67]Secure Communication in the SAP HANA Landscape [page 41]SAP HANA Technical System Landscape [page 11]SAP NetWeaver 7.3 Network and Communication SecuritySAP NetWeaver 7.3 Security Guides for Connectivity and Interoperability TechnologiesSAP HANA Administration Guide

5.1 Communication Channel Security

The network communication channels in a SAP HANA landscape can be separated into different groups:

● SAP HANA database client accessThese are the network channels which are used for client access to the database or SAP HANA-based applications. There are two scenarios:

○ SAP HANA database clients to access the SQL interface of the SAP HANA database. The client in this case can be application servers that use SAP HANA as a database, direct end-user clients such as Microsoft Excel® that access the database directly via the provided database clients or access with the SAP HANA studio, such as for modeling.

○ Access to functionality provided by SAP HANA Extended Application Services (SAP HANA XS) via HTTP. Examples for this are applications based on SAP HANA Extended Application Services which are accessed using a web browser or mobile devices.

● Administrative accessThere are additional network channels which are used for specific remote administrative task such as starting or stopping the SAP HANA instances, updating the SAP HANA appliance software, and so on. Some administrative functions require access to the database SQL interface or the HTTP interface.

● SAP HANA database internal communication

14



http://help.sap.com

http://help.sap.com/saphelp_nw73/helpdata/en/fe/a7b5386f64b555e10000009b38f8cf/frameset.htm

http://help.sap.com/saphelp_nw73/helpdata/en/4a/6d81b7c952619fe10000000a421937/frameset.htm


Those network channels are only used internally in the SAP HANA database to communicate between the different components of the SAP HANA database or for communication between the different hosts in a distributed SAP HANA instance.

Communication Ports for Outbound Communication

NoteThe Software Update Manager (SUM) connects to the SAP Service Marketplace to check if new updates for the SAP HANA software are available. In order to do so, the outbound communication channel from the SUM to SAP Service Marketplace must be enabled by the customer’s network setup.

Network ZonesSAP recommends the application of network firewall technology to create different network zones for the different components and restrictively apply filtering of the traffic between those zones implementing a “minimum required communication” approach. It is strongly recommended that you apply the measures in this document to protect the access to the SAP HANA database internal communication channels to mitigate the risk of unauthorized access to those services.

TipBlock all access to other ports in the firewall that are not used by the SAP HANA database in your scenario.

CautionThe internal communication must be strictly separated from the external or client communication paths. Access from hosts that are not part of an instance of the SAP HANA appliance should be blocked. If your setup does not allow having the internal communication in a dedicated subnet, we recommend protecting the internal communication using encryption.

Communication EncryptionAs shown in the table below, SAP HANA supports encrypted communication for the client-to-server communication. We recommend using encrypted channels in all cases where network attacks such as eavesdropping are not protected by other network security measures, for example, access from end-user networks. As an alternative, VPN tunnels can be used for the transfer of encrypted information.

NoteFor more information about encrypted communication, see Secure Communication in the SAP HANA Landscape.

NoteFor communication within the SAP HANA database, explicit security measures are recommended. See SAP HANA Network Security.

The table below shows the most relevant communication channels used by SAP HANA, the protocol used for the connection and the type of data transferred.



rights reserved. 15

https://service.sap.com

Table

Communication Path Protocol Used Typ of Data Transferred Data Requiring Special Protection

Client Access (for example, replication, application server, end-user client, modeling, SAP HANA studio)

SAP HANA database to data providers

ODBC/JDBC over TCP(SSL supported)

All application data All application data

SAP HANA database to admin client


User data, configuration data, trace filesFor modeling: Data models

User data, configuration data, trace filesFor modeling: Data models

SAP HANA database to end-user clients


All application data All application data

SAP HANA Extended Application Services (SAP HANA XS)

HTTP All application data All application data

Administrative Access

SAP Start Service HTTP/HTTPS Configuration data, trace files

Configuration data, trace files

Software Update Manager (SUM) with SAP HANA studio

HTTP/HTTPS Configuration data

SUM with SAP host agent HTTPS Configuration data

SUM with Service Marketplace

HTTPS Configuration data

Operating system access SSH Operating system commands, and so on.

Operating system commands, and so on.

Database Internal Communication

SAP HANA database internal communication and communication between SAP HANA database instances in distributed installations

TCP (SSL supported) All application dataConfiguration data

All application dataConfiguration data

Related LinksSAP HANA Port and Connection Tables [page 69]Tables of all listening TCP / IP network ports that are used by SAP HANA.

5.1.1 Securing Data CommunicationAs shown in the table above, SAP HANA supports encrypted communication for client-to-server and internal communication.

16



We recommend using encrypted channels in all cases where network attacks such as eavesdropping are not protected by other network security measures (for example, access from end-user networks). For more information about encrypted communication, see Secure Communication in the SAP HANA Landscape.For communication within the SAP HANA database, for performance reasons, explicit security measures are recommended. For more information, see SAP HANA Network Security.

5.1.2 Communication PortsThe table below lists the ports that are used by SAP HANA. We recommend controlling the network traffic between the different network segments by using a firewall or a packet filter.

TipBlock all access to other ports in the firewall that are not used by the SAP HANA database.

NoteIn certain scenarios, additional communication channels, for example, for remote operating system access may be required.

The notation of the ports is as follows: n <instance> xy, where <n> is either 3 or 5 (see table below), <instance> is a two-digit number representing the instance number of the SAP HANA appliance, and <xy> represents a consecutive number.

Communication Ports for Inbound Communication Port Number Used for

Client Access

3<instance>15 Standard SQL communication for client access. This is the only port required for client access.

80<instance>/43<instance> SAP HANA XS (HTTP/HTTPS).Only enabled in scenarios that use SAP HANA XS (for example, ETL-based Data Acquisition by SAP HANA Direct Extractor Connection).

Administrative Access

5<instance>135<instance>14(SSL)

System administration (for example, startup and shutdown) and communication between SUM and SAP Start Service on different hosts.For more information about the SAP Start Service, see the SAP Library on SAP Help Portal at http://help.sap.com under SAP NetWeaver SAP NetWeaver 7.3 Functional View SAP NetWeaver by Functional Areas Application Server Application Server Infrastructure Architecture of the SAP NetWeaver Application Server SAP Start Service .

Note



rights reserved. 17

http://help.sap.com

http://help.sap.com

Port Number Used for

For SAP HANA appliance software, the SAP Start Service is only used to start and stop an instance of the SAP HANA database and to monitor an instance of the SAP HANA database.

8080/8443 Software Update Manager (SUM) access (HTTP/HTTPS)

Database Internal Communication

3<instance>00 Used for database internal communication only. These ports should only be accessible from other hosts of the SAP HANA appliance.

3<instance>01

3<instance>02

3<instance>03

3<instance>05

3<instance>07

Communication Ports for Outbound CommunicationThe SUM connects to the SAP Service Marketplace to check if new updates for the SAP HANA software are available. In order to do so, the outbound communication channel from the SUM to the SAP Service Marketplace’s address https://service.sap.com must be enabled by the customer’s network setup.Related LinksSAP HANA Port and Connection Tables [page 69]Tables of all listening TCP / IP network ports that are used by SAP HANA.

18



https://service.sap.com

6 SAP HANA User Management

Every user who wants to work with the SAP HANA database must have a database user. The identity of a database user accessing the database is verified through a process called authentication. The SAP HANA database supports internal authentication based on a username-password combination and authentication using external user repositories.

NoteA user who connects to the database using an external authentication provider must have a database user known to the database.

Once their identity has been verified, database users can perform database operations on database objects. Whether or not a user is authorized to perform operations on objects in the database is determined by their privileges. The database user must have privileges to perform the operation and to access the object (for example, a table) to which the operation applies. Privileges can be granted to database users either directly, or indirectly through roles that they have been granted.All the privileges granted directly or indirectly to a user are combined. This means whenever a user tries to access an object, the system performs an authorization check on the user, the user's roles, and directly granted privileges. It is not possible to explicitly deny privileges. This means that the system does not need to check all the user's roles. As soon as all requested privileges have been found, the system aborts the check and grants access.Although privileges can be granted directly to users, roles are the standard mechanism of granting privileges as they allow you to implement both fine-grained and coarse-grained reusable hierarchies of user access that can be modeled on business roles. Several standard roles are delivered with the SAP HANA database (for example, MODELING, MONITORING). You can use these as templates for creating your own roles.The relationship between the entities involved in user management can therefore be summarized as follows:

● A principal is either a role or a user.● A known user can log on to the database. A user can be the owner of database objects.● A role is a collection of privileges and can be granted to either a user or another role (nesting).● A privilege is used to grant authorization to carry out operations on database objects, such as schemas,

tables, and views.

This relationship is depicted in the following figure:

SAP HANA Security GuideSAP HANA User Management


rights reserved. 19

6.1 User Administration Tools

You can create and manage SAP HANA database users with several different tools. The following table lists the available tools and the administration tasks that you can perform with each.

Tool User Administration Tasks Possible

SAP HANA studio You can use the SAP HANA studio for the following tasks related to user and role administration:

● Creating database users● Deleting, deactivating, and reactivating database users● Modeling and activating analytic privileges● Creating roles and role hierarchies

Note

20



Tool User Administration Tasks Possible

You can create roles in runtime on the basis of SQL statements or as design-time objects in the repository of the SAP HANA database. However, it is recommended that you create roles in the repository as they offer more flexibility (for example, they can be transported between systems).

● Assigning roles and privileges to users● Verifying which privileges individual users have

Command line interface (hdbsql or other SQL tool)

You can perform all user administration tasks from the command line using SQL requests. This is useful when using scripts for automated processing.

SAP NetWeaver Identity Management

SAP NetWeaver Identity Management 7.2 Support Package Stack 3 and higher contains a connector to the SAP HANA database. With SAP NetWeaver Identity Management you can perform the following user administration tasks in the SAP HANA database:

● Creating and deleting user accounts● Assigning roles● Setting passwords for users

SAP HANA On-Site Configuration tool

You can use the SAP HANA On-Site Configuration tool to perform post-installation steps including changing user passwords.

Related LinksSAP HANA Installation Guide with Unified InstallerSAP HANA Administration GuideSAP HANA Developer GuideSAP NetWeaver Identity Management (SAP IdM)

6.2 User Types

It is often necessary to specify different security policies for different types of database user. In the SAP HANA database, we differentiate between the following user types:

● Database users that correspond to real peopleThe database administrator creates a database user for every person who needs to work in the SAP HANA database. Database users that correspond to real people are dropped when the person leaves the organization. This means that database objects that they own are also automatically dropped, and privileges that they granted are automatically revoked.

● Technical database usersTechnical database users do not correspond to real people. They are therefore not dropped if a person leaves the organization. This means that they should be used for administrative tasks such as creating objects and granting privileges for a particular application.Some technical users are available as standard, for example, the users SYS, _SYS_STATISTICS, and _SYS_REPO. It is not possible to log on to the database with these users.



rights reserved. 21

https://service.sap.com/%7Esapidb/011000358700000604562011


http://help.sap.com/hana/hana_dev_en.pdf

http://scn.sap.com/community/netweaver-idm

Other technical database users are application specific. For example, an application server may log on to the SAP HANA database using a dedicated technical database user.

Technically, these user types are the same – authentication and authorization are the same for both. The only difference between them is conceptual.

6.3 Standard Users

Certain users are required for installing, upgrading, and operating the SAP HANA database. The following table lists the standard users that are available.

User Description Password Specification

SYSTEM The SYSTEM database user is the initial user that is created during the installation of the SAP HANA database. SYSTEM is a powerful database user – it has irrevocable system privileges, such as the ability to create other database users, access system tables, and so on.

CautionDo not use the SYSTEM user for day-to-day activities. Instead, use this user to create dedicated database users for administrative tasks and to assign privileges to these users.

You specify the initial password during installation.

<sid>adm where sid is the ID of the database system

The <sid>adm user is an operating system user and is also referred to as the operating system administrator.This operating system user has unlimited access to all local resources related to SAP systems.This user is not a database user but a user at the operating system level.

You specify the initial password during installation.

SYS The SYS is a technical database user. It is the owner of system objects such as system tables and monitoring views.

Not applicableThis is a technical database user. It is not possible to log on with this user.

_SYS_STATISTICS _SYS_STATISTICS is a technical database user used by the statistics

Not applicable

22



User Description Password Specification

server of the SAP HANA database. The statistics server is the main component of the monitoring infrastructure of the SAP HANA database. It collects information about status, performance, and resource usage from all components of the database and issues alerts if necessary.

This is a technical database user. It is not possible to log on with this user.

_SYS_REPO _SYS_REPO is a technical database user used by the SAP HANA repository. The repository consists of packages that contain design time versions of various objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. _SYS_REPO is the owner of all objects in the repository, as well as their activated runtime versions.

Not applicableThis is a technical database user. It is not possible to log on with this user.



rights reserved. 23

7 SAP HANA Authentication

The identity of every database user accessing the database is verified through a process called authentication. The SAP HANA database supports internal authentication based on a username-password combination and authentication using external user repositories.

● Internal authenticationUsers are created in SAP HANA database only. Their identity is verified by means of a username-password combination.

NoteFor some administrative operations (such as start-up, shutdown, and database recovery), the credentials of the SAP operating system user (<sapsid>adm) are also required.

● Authentication using external user repositories based on the following mechanisms:

○ Kerberos (third-party authentication provider) for integration into single sign-on environments○ Security Assertion Markup Language (SAML) bearer token

NoteA user who connects to the database using an external authentication provider must also have a database user known to the database.

7.1 Password Policy

Passwords for internal authentication of database users are subject to certain security rules. These are configured using the parameters in the password policy section of the system properties file indexserver.ini.You can view and change the parameters of system properties files in the Administration editor of the SAP HANA studio.The following monitoring views are also available in which you can view the parameters and their current values:

● M_INIFILE_CONTENTS● M_PASSWORD_POLICY

Related LinksSAP HANA Administration GuideSAP HANA System Tables and Monitoring Views Reference

7.1.1 Password Policy ParametersThe table below contains the password policy parameters and their default values, and explains the function of each parameter.

24


SAP HANA Security GuideSAP HANA Authentication


http://help.sap.com/hana/html/monitor_views.html

Parameter Default Value Description

minimal_password_length 8 Defines the minimum password length. The accepted value range is 6 to 64 characters. The allowed character classes are described directly below in the following table row.

password_layout A1a Defines the character types that must be used in the creation of a password.

● Uppercase letter: A-Z● Lowercase letter: a-z● Numbers: 0-9● Special characters: Underscore (_), hyphen (-),

and so on. Any character that is not an uppercase letter, a lowercase letter, or a number is considered to be a special character.According to the example provided in the Default Value column, passwords would be required to contain at least one uppercase letter, at least one number, and at least one lowercase letter, with special characters being optional. However, you can use any specific letters and numbers and special characters to define the password_layout parameter, and the characters can be in any order. For example, the default value example could also have been represented by a1A, hQ5, or 9fG. If you want to enforce the use of at least one of each character type including special characters, you could use A1a_ or 2Bg?.

TipWhen a password is enclosed in double quotes (") during user creation, any Unicode characters may be used.

CautionThe use of passwords enclosed in double quotes (") may cause logon issues, depending on the client used. The SAP HANA studio, for example, supports passwords enclosed in double quotes ("), while the hdbsql command line tool does not.

force_first_password_change

true Defines whether users have to change their initial passwords at first logon.Logging on with the initial password is still possible but only the ALTER USER <current_user> PASSWORD <password> command can be executed. All other



rights reserved. 25


statements give the error message user is forced to change password.Administrators can force a user to change the password at any time with the following SQL command:

ALTER USER <user_name> FORCE PASSWORD CHANGE

maximum_invalid_connect_attempts

6 Defines how many invalid logon attempts are allowed before the user account is locked.Administrators can reset the number of invalid logon attempts with the following SQL command:

ALTER USER <user_name> RESET CONNECT ATTEMPTS

With the first successful logon after an invalid logon attempt, an entry is made into the INVALID_CONNECT_ATTEMPTS view showing:

● The number of invalid logon attempts since the last successful logon

● The time of the last successful logon

Administrators and users can delete the information of invalid logon attempts with the following SQL command:

ALTER USER <user_name> DROP CONNECT ATTEMPTS

password_lock_time 1440 Defines the duration in minutes that a user account is locked after a defined number of failed logon attempts.The default value is set to 1,440 minutes (= 24 hours).Administrators can reset the number of invalid logon attempts and unlock the user account with the following SQL command:

ALTER USER <user_name> RESET CONNECT ATTEMPTS

last_used_passwords 5 Defines the number of last used passwords that the user is not allowed to use when changing the current password.

maximum_password_lifetime

182 Defines the duration in days that a password is valid.After the expiry of this validity period, users have to change their password at the next logon.

26




Administrators can exclude users from this password lifetime check with the following SQL command:

ALTER USER <user_name> DISABLE PASSWORD LIFETIME

NoteIt is recommended to perform this step for technical users only, not for standard database users.

password_expire_warning_time

14 Defines a number of days before password expiration.Starting at the given period before the expiration date, users receive notification when logging on that their password will soon expire.

maximum_unused_initial_password_lifetime

28 Defines the duration in days that an initial password for a user account is valid.If an initial password has not been used for the first time within the given period of time, the password becomes invalid and the password must be reset.

maximum_unused_productive_password_lifetime

365 Defines the duration in days that a user-defined password is valid.If a user-defined password has not been reused within the given period of time, the password becomes invalid and the password must be reset.

minimum_password_lifetime

1 Defines the minimum duration in days that a newly entered user-defined password remains valid before the user can change it again.If the value of this parameter is set to 0, no check is performed.

7.2 Password Blacklist

A password blacklist is a list of words or blacklist terms not being allowed as passwords or parts of passwords.SAP HANA performs a password check when you create or alter a user's password but not when the password is used during logon.

NoteIt is possible that a password exists that does not adhere to the current blacklist rules because it may have been defined before the current state of the blacklist was reached.

The password blacklist allows you to specify the following:



rights reserved. 27

● If the blacklist term check is case sensitive.● If the blacklist term check applies to either whole or partial passwords.

The password blacklist in SAP HANA has been implemented with the following table:

CREATE TABLE _SYS_SECURITY._SYS_PASSWORD_BLACKLIST (BLACKLIST_TERM NVARCHAR(256) NOT NULL, CHECK_PARTIAL_PASSWORD VARCHAR(6) NOT NULL, CHECK_CASE_SENSITIVE VARCHAR(6) NOT NULL, PRIMARY KEY (CHECK_PARTIAL_PASSWORD, CHECK_CASE_SENSITIVE, BLACKLIST_TERM) )

This table is empty when you create a new instance. The _SYS_SECURITY schema and the _SYS_PASSWORD_BLACKLIST table are owned by the SYSTEM user. The SYSTEM user is allowed to select, insert, update, and delete rows in this table and may grant the corresponding privileges to those users who may need them.

CautionFor security reasons even the privilege to select should be handled very carefully to prevent users from being able to view those items not allowed as password or parts of passwords.

The BLACKLIST_TERM column is populated with the blacklist terms. According to the value in the CHECK_CASE_SENSITIVE column, you can determine whether the blacklist term is case sensitive.The columns CHECK_PARTIAL_PASSWORD and CHECK_CASE_SENSITIVE are populated with the values <TRUE> or <FALSE>.

ExampleConsider the following definition of a blacklisted term :

INSERT INTO _SYS_SECURITY._SYS_PASSWORD_BLACKLIST VALUES ('sap', 'TRUE', 'FALSE')

In this example, the passwords "SAP", "my_sap_pwd", and "sap_password" would not be allowed, regardless of how the password layout and minimal password length are defined in the corresponding parameters.

Related LinksSAP HANA Administration Guide

7.3 Resetting the SYSTEM User Password

If the SYSTEM user's password is lost, you can use the SAP operating system user to reset the password. To recover an SAP HANA instance where the SYSTEM user's password is lost, you therefore need to have <sid>adm access to the instance on which the master index server of the SAP HANA database is running.

1. Open a command line interface, and log on to the server on which the instance of the SAP HANA master index server is running.

2. Shut down the instance.3. Start the name server by executing the following commands:

○ /usr/sap/<SID>/HDB<instance>/hdbenv.sh

28




○ /usr/sap/<SID>/HDB<instance>/exe/hdbnameserver4. Start an index server in console mode by executing the following commands:

○ /usr/sap/<SID>/HDB<instance>/hdbenv.sh○ /usr/sap/<SID>/HDB<instance>/exe/hdbindexserver -console

You see the output of a starting index server. When the service has started, you have a console to the SAP HANA instance where you are logged on as the SYSTEM user.

5. You can reset the SYSTEM user's password and store the new password in a secure location with the following SQL command:

ALTER USER SYSTEM password <new password>

The password for the SYSTEM user is reset. As you are logged on as the SYSTEM user in this console, you do not have to change this new password the next time you log on with this user, regardless of what your password policy setting is.

7.4 Integration into Single Sign-On Environments

SAP HANA supports Kerberos version 5 for single sign-on based on Active Directory (Microsoft Windows Server) or Kerberos authentication servers. Both ODBC database clients and JDBC database clients support the Kerberos protocol.For more information about configuring Kerberos for SAP HANA hosts, see the SAP HANA Administration Guide.Related LinksSAP HANA Administration Guide

7.5 Authentication Using SAML Bearer Token

Security Assertion Markup Language (SAML) is an XML-based open standard data format for exchanging authentication and authorization data between an identity provider and a service provider. SAP HANA uses SAML as an authentication mechanism only and not for authorization.It is possible to log on to SAP HANA using SAML bearer assertions using the standard ODBC/JDBC database clients. It is the database clients' responsibility to retrieve the SAML assertion used for the logon process.

Supported SAML FeaturesSAP HANA supports plain SAML 2.0 assertions, as well as unsolicited SAML responses that include an unencrypted SAML assertion. SAML assertions and responses must be signed using XML signatures.The following features of XML signatures are supported:

● SHA1 and MD5 for hash algorithms● RSA-SHA1 as signature algorithm● X509Certificate elements

Note



rights reserved. 29


The XML signature must contain the X.509 certificate of the identity provider within the <X509Certificate> element.

The following SAML assertion features are supported:

● Assertion Subject with NameID● Qualified NameID with SPProvidedID and SPNameQualifier● Validity conditions (NotBefore, NotOnOrAfter)● Audience restrictions

Evaluated Assertion PropertiesThe following properties of a SAML assertion are evaluated:

Property Required Entry

saml:Assertion/@Version 2.0

saml:Subject/saml:NameID Must exist

saml:Subject/saml:NameID/@Format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

saml:Subject/saml:NameID/@SPProvidedID Must either match an explicit mapping in the SAP HANA database or a wildcard mapping must have been set for the user

saml:Subject/saml:SubjectConfirmation If it exists, {{"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}

saml:Conditions

● @NotBefore● @NotOnOrAfter● AudienceRestriction

Condition @NotOnOrAfter must be set.

7.5.1 User MappingAn identity provider must be configured as a logon option for each database user. The following types of user mapping are supported:

● SAP HANA-based user mappings:The mapping to an SAP HANA database user is explicitly configured within SAP HANA for each identity provider. The corresponding assertion subject looks like this:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">zgc2VLavgYy4hsohfYPM21</NameID>

● Identity provider-based user mappings:The identity provider maps its users to SAP HANA database users and provides this information using the SPProvidedID attribute. The corresponding assertion subject looks like this:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid- format:unspecified" SPProvidedID="BILLG">zgc2VLavgYy4hsohfYPM21</NameID>

Note

30



If an SAP HANA-based user mapping exists for a given identity provider and a conflicting SPProvidedID is sent from the identity provider, an error is returned.

For more information about configuring identity providers, see the SAP HANA Administration Guide.Related LinksSAP HANA Administration Guide



rights reserved. 31


8 SAP HANA Authorization

When a user accesses the SAP HANA database using a client interface (such as ODBC, JDBC, MDX), his or her ability to perform database operations on database objects is determined by the privileges that he or she has been granted.The authorization concept of the SAP HANA database operates at different levels.SQL Authorization

● System privilegesSystem-wide SQL privileges exist to control general system activities and are mainly for administrative purposes, such as creating schemas, creating and changing users, performing data backups, managing licenses, and so on.

● Object privilegesFor each SQL statement type (for example, SELECT, UPDATE, or CALL), a corresponding object privilege exists. If a user wants to execute a particular statement on a database object (for example, table, view, or stored procedure), he or she must have the corresponding object privilege for either the actual object itself or the schema in which the object is located. This is because the schema is an object type that contains other objects. A user who has object privileges for a schema automatically has the same privileges for all objects currently in the schema and any objects created there in the future.Initially, the owner of an object and the owner of the schema in which the object is located are the only users who can access the object and grant object privileges on it to other users.An object can therefore only be accessed by the following users:

○ The owner of the object○ The owner of the schema in which the object is located○ Users to whom the owner of the object has granted privileges○ Users to whom the owner of the parent schema has granted privileges

CautionThe database owner concept stipulates that when a database user is deleted, all objects created by that user and privileges granted to others by that user are also deleted. If the owner of a schema is deleted, all objects in the schema are also deleted even if they are owned by a different user. All privileges on these objects are also deleted.

Row-Level AuthorizationIn addition to SQL authorization at activity and object level, analytic privileges are used to provide row-level authorization on certain kinds of database objects, such as analytic views. Analytic privileges can only be used for read operations and not for write operations. Using analytic privileges, it is possible to allow a user to see specific data in a view. An analytic privilege enables the grantee to see certain view rows that are identified by one or more column values. For example, an analytic privilege could enable the grantee to see only those entries in the SALES view for the years with the values 2006 to 2008.Authorization in the SAP HANA RepositoryIn addition to privileges described above, package privileges provide a further means of allowing access to different design-time objects that are bundled in packages in the repository of the SAP HANA database.

32


SAP HANA Security GuideSAP HANA Authorization

Authorization CheckAll the privileges granted directly or indirectly (through roles) to a user are combined. This means that whenever a user tries to access an object, the system performs an authorization check on the user, the user's roles, and directly granted privileges. It is not possible to explicitly deny privileges. This means that the system does not need to check all the user's privileges. As soon as all requested privileges have been found, the system aborts the check and grants access.

8.1 Privileges

The table below describes the types of privileges used by SAP HANA.

Privilege Type Description

System privilege System privileges are SQL privileges that control general system activities. They are mainly for administrative purposes, such as creating schemas, creating and changing users and roles, performing data backups, managing licenses, and so on.

Object privilege Object privileges are SQL privileges that are used to allow access to and modification of database objects, such as tables and views. Depending on the object type, different actions can be authorized (for example, SELECT, CREATE ANY, ALTER, DROP, and so on).Currently, SELECT, DROP, and DEBUG are the only privileges that can be granted on attribute views, analytic views, and calculation views.

Analytic privilege Analytic privileges are used to allow read access to data in SAP HANA information models (that is analytic views, attribute views, and calculation views) depending on certain values or combinations of values. Analytic privileges are evaluated during query processing.

Package privilege Package privileges are used to allow access to and the ability to work in packages in the repository of the SAP HANA database.Packages contain design time versions of various objects, such as analytic views, attribute views, calculation views, and analytic privileges.

Application privilege Developers of SAP HANA XS applications can create application privileges to authorize user and client access to their application.Application privileges are granted and revoked through the procedures GRANT_APPLICATION_PRIVILEGE and REVOKE_APPLICATION_PRIVILEGE procedure in the _SYS_REPO schema.



rights reserved. 33

Privilege Type Description

It is not possible to grant application privileges to users or roles in the SAP HANA studio. It is recommended that you grant application privileges to roles created in the repository.

Related LinksSAP HANA SQL ReferenceSAP HANA Developer Guide

8.1.1 Analytic PrivilegesSQL privileges implement coarse-grained authorization at object level only. Users either have access to an object, such as a table, view or procedure, or they do not. While this is often sufficient, there are cases when access to data in an object depends on certain values or combinations of values. Analytic privileges are used in the SAP HANA database to provide such fine-grained control of which data individual users can see within the same view.

NoteSales data for all regions are contained within one analytic view. However, regional sales managers should only see the data for their region. In this case, an analytic privilege could be modeled so that they can all query the view, but only the data that each user is authorized to see is returned.

Analytic privileges are intended to control access to SAP HANA information models, that is:

● Attribute views● Analytic views● Calculation views

Therefore, all column views modeled and activated in the SAP HANA modeler automatically enforce an authorization check based on analytic privileges. Column views created using SQL must be explicitly registered for such a check (by passing the parameter REGISTERVIEWFORAPCHECK).

NoteAnalytic privileges do not apply to database tables or views modeled on row-store tables. Access to database tables and row views is controlled entirely by SQL object privileges.

You create and manage analytic privileges in the SAP HANA modeler.

NoteSome advanced features of analytic privileges, namely dynamic value filters, can only be implemented using SQL. The management of such analytic privileges created in SQL also varies to those created in the SAP HANA modeler.

8.1.2 Creation and Management of Analytic Privileges Analytic privileges can be created, dropped, and changed in the SAP HANA modeler and using SQL statements. The SAP HANA modeler should be used in all cases except if you are creating analytic privileges that use dynamic procedure-based value filters.To create analytic privileges, the system privilege CREATE STRUCTURED PRIVILEGE is required. To drop analytic privileges, the system privilege STRUCTUREDPRIVILEGE ADMIN is required.

34



http://help.sap.com/hana/html/sql_grant.html


In the SAP HANA modeler, repository objects are technically created by the technical user _SYS_REPO, which by default has the system privileges for both creating and dropping analytic privileges. To be able to create, activate, drop, and redeploy analytic privileges in the SAP HANA modeler therefore, a database user requires the package privileges REPO.EDIT_NATIVE_OBJECTS and REPO.ACTIVATE_NATIVE_OBJECTS for the relevant package.

Implications of Creating Analytic Privileges Using SQLThe SAP HANA modeler is the recommended method for creating and managing analytic privileges. However, it is necessary to use SQL to implement those features of analytic privileges not available in the modeler, that is, dynamic, procedure-based value filters as attribute restrictions.In the SAP HANA modeler, analytic privileges are created as design-time repository objects owned by the technical user _SYS_REPO. They must be activated to become runtime objects available in the database. Analytic privileges created using SQL statements are activated immediately. However, they are also owned by the database user who executes the SQL statements. This is the main disadvantage of using SQL to create analytic privileges. If the database user who created the analytic privilege is deleted, all objects owned by the user will also be deleted. Therefore, if you are using SQL to create analytic privileges, we recommend that you create a dedicated database user (that is, a technical user) for this purpose to avoid the potential loss of complex modeled privileges.An additional disadvantage of creating analytic privileges using SQL is that these analytic privileges are not in the SAP HANA repository and they cannot be transported between different systems.

Granting and Revoking Analytic PrivilegesAnalytic privileges are granted and revoked as part of user provisioning.If the analytic privilege was created and activated using the SAP HANA modeler, the analytic privilege is owned by the _SYS_REPO user. Therefore, to be able to grant and revoke the analytic privilege, a user needs the privilege EXECUTE on the procedures GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE and REVOKE_ACTIVATED_ANALYTICAL_PRIVILEGE respectively.If the analytic privilege was created using SQL, only the owner (that is, the creator) of the analytic privilege can grant and revoke it.Related LinksSAP HANA Administration GuideSAP HANA Developer Guide

8.2 RolesA role is a collection of privileges that can be granted to either a user or another role in runtime.A role typically contains the privileges required for a particular function or task, for example:

● Business end users reading reports using client tools such as Microsoft Excel● Modelers creating models and reports in the modeler of the SAP HANA studio● Database administrators operating and maintaining the database and users in the Administration editor of the

SAP HANA studio

Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard mechanism of granting privileges as they allow you to implement complex, reusable hierarchies of user access that can be modeled on business roles. Several standard roles are delivered with the SAP HANA database (for example, MODELING, MONITORING). You can use these as templates for creating your own roles.Roles in the SAP HANA database can exist as runtime objects only, or as design-time objects that become runtime objects on activation.



rights reserved. 35



Role StructureA role can contain any number of the following privileges:

● System privileges for administrative tasks (for example, AUDIT ADMIN, BACKUP ADMIN, CATALOG READ)● Object privileges on database objects (for example, SELECT, INSERT, UPDATE)● Package privileges on repository packages (for example, REPO.READ, REPO.EDIT_NATIVE_OBJECTS,

REPO.ACTIVATE_NATIVE_OBJECTS)● Analytic privileges on SAP HANA information models● Application privileges for enabling access to SAP HANA XS applications

NoteApplication privileges cannot be granted to roles in the SAP HANA studio.

A role can also extend other roles.

Role ModelingYou can model roles in the following ways:

● As runtime objects on the basis of SQL statements● As design-time objects in the repository of the SAP HANA database

It is recommended that you model roles as design-time objects for the following reasons.Firstly, unlike roles created in runtime, roles created as design-time objects can be transported between systems. This is important for application development as it means that developers can model roles as part of their application's security concept and then ship these roles or role templates with the application. Being able to transport roles is also advantageous for modelers implementing complex access control on analytic content. They can model roles in a test system and then transport them into a productive system. This avoids unnecessary duplication of effort.Secondly, roles created as design-time objects are not directly associated with a database user. They are created by the technical user _SYS_REPO and granted through the execution of stored procedures. Any user with access to these procedures can grant and revoke a role. Roles created in runtime are granted directly by the database user and can only be revoked by the same user. Additionally, if the database user is deleted, all roles that he or she granted are revoked. As database users correspond to real people, this could impact the implementation of your authorization concept, for example, if an employee leaves the organization or is on vacation.

CautionThe design-time version of a role in the repository and its activated runtime version should always contain the same privileges. In particular, additional privileges should not be granted to the activated runtime version of a role created in the repository. Although there is no mechanism of preventing a user from doing this, the next time the role is activated in the repository, any changes made to the role in runtime will be reverted. It is therefore important that the activated runtime version of a role is not changed in runtime.

8.2.1 Standard RolesPrivileges can be granted directly to users of the SAP HANA database. However, roles are the standard mechanism of granting privileges as they allow you to implement complex, reusable hierarchies of user access that can be modeled on business roles. Several standard roles are delivered with the SAP HANA database. You can use these as templates for creating your own roles.

Note

36



The roles listed below are runtime objects. They are not roles created in the repository.

Role Description

MODELING This role contains all the privileges required for using the information modeler in the SAP HANA studio.It therefore provides a modeler with the database authorization required to create all kinds of views and analytic privileges.

CautionThe MODELING role contains the standard analytic privilege _SYS_BI_CP_ALL. This analytic privilege potentially allows a user to access all the data in all activated views, regardless of any other analytic privileges that apply. Although the user must also have the SELECT object privilege on the views to actually be able to access data, the _SYS_BI_CP_ALL analytic privilege should not be granted to users, particularly in productive systems. For this reason, the MODELING role should only be used as a template.

MONITORING This role contains privileges for full read-only access to all metadata, the current system status in system and monitoring views, and the data collected by the statistics server.

PUBLIC This role contains privileges for filtered read-only access to the system views. Only objects for which the users have access rights are visible. By default, this role is granted to every user.

CONTENT_ADMIN This role contains the same privileges as the MODELING role but with additional authorization to grant these privileges to other users. It also contains system privileges for working with imported objects in the SAP HANA repository. You can use this role as a template for creating roles for content administrators.

SUPPORT This role is meant to be used for support cases.This role contains privileges for read-only access to all metadata, the current system status in system and monitoring views, and the data of the statistics server. Additionally, it contains the privileges to access the base information of the system and monitoring views. Without the support role, this base information can be selected only by the SYSTEM user. Only the monitoring views can be selected by everyone.To restrict this role to support usage, the following restrictions apply:

● It cannot be granted to the SYSTEM user.● It cannot be granted to more than one user at a time.● It cannot be granted to another role.● No role can be granted to it.● Only system privileges can be granted to this role.

Note



rights reserved. 37

Role Description

If you need to grant other privileges to the user who will be in the support role, it is recommended to grant these privileges to the user and not to the SUPPORT role.

● With every update of the SAP HANA database software, the privileges in this role are reset.

8.3 Authorization in the Repository of the SAP HANA Database

The following sections explains how the authorization concept is applied in the repository of the SAP HANA database. The following aspects are covered:

● The privileges required by database users to work in the repository● The implications of _SYS_REPO ownership of repository objects● How privileges are granted and revoked on the activated runtime versions of repository objects

Related LinksSAP HANA Developer Guide

8.3.1 User Authorization for the RepositoryThe repository of the SAP HANA database consists of packages that contain design time versions of various objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. All repository methods that provide read or write access to content are secured with authorization checks. To allow database users to work with packages in the repository, they must have the required package and system privileges.In addition, to be able to access the repository in the SAP HANA studio or another client, users need the EXECUTE privilege on the database procedure SYS.REPOSITORY_REST.The required privileges can be granted to users directly or indirectly through roles in the SAP HANA studio as part of user provisioning.

Package PrivilegesThe SAP HANA database repository is structured hierarchically with packages assigned to other packages as sub-packages. If you grant privileges to a user for a package, the user is automatically also authorized for all corresponding sub-packages.In the SAP HANA database repository, a distinction is made between native and imported packages. Native packages are packages that were created in the current system and should therefore be edited in the current system. Imported packages from another system should not be edited, except by newly imported updates. An imported package should only be manually edited in exceptional cases.The database users of developers should be granted the following privileges for native packages:

● REPO.READThis privilege authorizes read access to packages and design-time objects, including both native and imported objects.

● REPO.EDIT_NATIVE_OBJECTSThis privilege authorizes all kinds of inactive changes to design-time objects in native packages.

38




● REPO.ACTIVATE_NATIVE_OBJECTSThis privilege authorizes the user to activate or reactivate design-time objects in native packages.

● REPO.MAINTAIN_NATIVE_PACKAGESThis privilege authorizes the user to update or delete native packages, or create sub-packages of native packages.

Developers should only be granted the following privileges for imported packages in exceptional cases:

● REPO.EDIT_IMPORTED_OBJECTSThis privilege authorizes all kinds of inactive changes to design-time objects in imported packages.

● REPO.ACTIVATE_IMPORTED_OBJECTSThis privilege authorizes the user to activate or reactivate design-time objects in imported packages.

● REPO.MAINTAIN_IMPORTED_PACKAGESThis privilege authorizes the user to update or delete imported packages, or create sub-packages of imported packages.

System PrivilegesDevelopers require the following system privileges to be able to work in the repository:

● REPO.EXPORTThis privilege authorizes the user to export, for example, delivery units.

● REPO.IMPORTThis privilege authorizes the user to import transport archives.

● REPO.MAINTAIN_DELIVERY_UNITSThis privilege authorizes the user to maintain delivery units (DU, DU vendor and system vendor must be the same).

● REPO.WORK_IN_FOREIGN_WORKSPACEThis privilege authorizes the user to work in a foreign inactive workspace.

8.3.2 _SYS_REPO Authorization in the RepositoryThe repository of the SAP HANA database stores both runtime objects, such as calculation scenarios, and design-time objects, such as models used in analytic scenarios (attribute views, analytic views, calculation views, and analytic privileges). Design-time objects must be activated to become runtime objects so that they can be used by regular users of SAP HANA and the SAP HANA database.Inside the repository, only the technical user _SYS_REPO is used. Therefore, this user is the owner of the objects created in the repository and initially is the only user with privileges on these objects. This includes the following objects:

● All tables in the repository schema (_SYS_REPOSITORY)● All activated objects such as procedures, views, analytic privileges, and roles

Objects in the repository are however modeled on data objects, such as tables. _SYS_REPO does not automatically have authorization to access these objects. _SYS_REPO must therefore be granted the SELECT privilege (with grant option) on all data objects behind all objects modeled in the repository. If this privilege is missing, the activated objects will be invalidated.

8.3.3 Granting and Revoking Privileges on Activated Repository ObjectsOnly the _SYS_REPO user has any privileges on objects in the repository. Therefore, only this user can grant privileges on them. Since no user can log on as _SYS_REPO, another means of granting privileges is used.



rights reserved. 39

This is provided by stored procedures in the _SYS_REPO schema. These procedures can be used to grant and revoke privileges on activated objects or schemas, analytic privileges, and roles. Stored procedures are beneficial because a user is not required to have a privilege in order to grant it.The following procedures exist:

Activated Object Type Procedure for Grant and Revoke

Modeled objects, such as calculation views ● GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT● REVOKE_PRIVILEGE_ON_ACTIVATED_CONTENT

Schema containing modeled objects ● GRANT_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT

● REVOKE_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT

Analytic privilege ● GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE● REVOKE_ACTIVATED_ANALYTICAL_PRIVILEGE

Application privilege ● GRANT_APPLICATION_PRIVILEGE● REVOKE_APPLICATION_PRIVILEGE

Role ● GRANT_ACTIVATED_ ROLE● REVOKE_ACTIVATED_ ROLE

NotePublic synonyms of these procedures exist. Therefore, these procedures can be used without specifying schema _SYS_REPO.

Having the EXECUTE privilege on any of the procedures enables a user to grant or revoke privileges. Using stored procedures and a technical user for privilege management also changes the behavior in terms of how privileges are revoked.With regular SQL, privileges that were granted by a user are revoked when this user is dropped or loses the privilege that was granted. Also, only the granter can revoke privileges with SQL. Both details are not true with this approach. Any user with EXECUTE privilege on the revoke privilege procedure can revoke any privilege that was granted, regardless of the granter. Also, if a user that has granted privileges is dropped, none of the privileges that the user granted is revoked as part of dropping the user.When using the SAP HANA studio for privilege management, this behavior is hidden. If privileges on activated objects or schemas are granted or revoked, the procedures are used automatically.

Critical Combinations

CautionBear in mind that users who can change and activate objects as well as grant privileges on activated objects have access to all SAP HANA content.

40



9 Secure Communication in the SAP HANA Landscape

The SAP HANA appliance uses the secure sockets layer (SSL) protocol to ensure secure communication between the individual components and client connections. Authentication is ensured by using certificates.The communication between the following components can be secured by using SSL:

● Any ODBC-based or JDBC-based connection● The SAP HANA studio and the SAP HANA database (server authentication)

For more information, see Configuring HTTPS Between SAP HANA Database and SAP HANA Studio [page 41].

● The SAP HANA studio and the Software Update Manager for SAP HANAFor more information, see the SAP HANA Automated Update Guide.

● The Software Update Manager for SAP HANA and SAP Service MarketplaceSAP HANA needs an SAP Service Marketplace user (S-user) to access SAP Service Marketplace. These credentials are sent only by encrypted communication channels using an HTTPS connection. For more information about how to configure access to SAP Service Marketplace, see the SAP HANA Automated Update Guide.

● The Software Update Manager for SAP HANA and the SAP Host AgentFor more information about how to configure HTTPS for the SAP Host Agent, see the SAP HANA Automated Update Guide .

● SAP HANA information composer and internet browserFor more information, see SAP HANA Information Composer.

● Internal communication among the different components of a running SAP HANA systemFor more information, see Configuring SSL for SAP HANA Database Internal Communication [page 46].

● Client applications accessing SAP HANA through the SAP Web DispatcherFor more information, see Configuring HTTPS (SSL) for Client Application Access [page 46]

9.1 Configuring HTTPS Between SAP HANA Database and SAP HANA Studio

The SAP HANA appliance software supports the following cryptographic libraries for Linux-based installations:

● OpenSSL (default)● SAP Cryptographic Library

9.1.1 Setup on Server-SideTo protect your data during network transmission, only secure connections should be used. We recommend using the tools provided with OpenSSL to create the certificates required for SSL configuration.

SAP HANA Security GuideSecure Communication in the SAP HANA Landscape


rights reserved. 41






Prerequisites● The server possesses a public and private key pair and public-key certificate.

The SSL protocol uses public-key technology to provide its protection. Therefore, the server must possess a public and private key pair and a corresponding public-key certificate. It must possess one key pair and certificate to identify itself as the server component and another key pair. The key pair and certificate are stored in the server's own personal security environments (PSE), the SSL server PSE, and the SSL client PSE, respectively.

NoteIn case, your server keys are compromised, replace the certificate.

● You have installed a cryptographic provider such as OpenSSL or the SAP Cryptographic Library.

CautionThe distribution of the SAP Cryptographic Library is subject to and controlled by German export regulations and is not available to all customers. In addition, usage of the SAP Cryptographic Library or OpenSSL library may be subject to local regulations of your own country that may further restrict the import, use, and export or reexport of cryptographic software. If you have any further questions about this issue, contact your local SAP office.

FeaturesBy supporting SSL, the SAP HANA appliance software can provide the following:

● Server-side authenticationWith server-side authentication, the server identifies itself to the client when the connection is established. This reduces the risk of using fake servers to gain information from clients.

● Data encryptionIn addition to authenticating the communication partners, the data being transferred between the client and server is encrypted which provides for integrity and privacy protection. An eavesdropper cannot access or manipulate the data.

Client-side authentication and mutual authentication are not currently supported.The following parameters can be used to configure the server connectivity. They are located in the indexserver.ini file, in the communication section.

NoteConfiguration of cryptographic library providers is optional.

The parameters in the following table can be configured for the setup of secure connections.

Table

Property Name Property Value Default Description

sslCryptoProvider {sapcrypto | openssl} 1. sapcrypto (if installed)2. openssl

Cryptographic library provider to use for SSL connectivity.

sslKeyStore <file> $HOME/.ssl/key.pem Path to keystore file.

42




sslTrustStore <file> $HOME/.ssl/trust.pem Path to trust store file.

sslValidateCertificate <bool value> false If set to true, validate the certificate of the communication partner.

sslCreateSelfSignedCertificate

<bool value> false If set to true, create a self-signed certificate if the keystore cannot be found.

No Configuration ProvidedIf no configuration for secure connections has been provided, the system determines which cryptographic library provider should be used as follows:

1. Checks whether the environment variable <SECUDIR> is set.

a. If the environment variable <SECUDIR> is set, it tries to load the sapcrypto library using the regular paths for library lookup. The recommended location of the sapcrypto library is /usr/sap/<SID>/SYS/global/security/lib.

b. If sapcrypto cannot be loaded, it proceeds with the next cryptographic library provider.c. If sapcrypto was loaded, it uses the path names given in sslKeyStore and sslTrustStore to check for a

*.pse store.d. If a PSE store could be found, the system verifies its integrity.e. If no PSE store could be found or the PSE store’s integrity could not be verified, SSL initialization fails and

SSL is not available.2. Checks whether OpenSSL is available.

a. If OpenSSL is available, it checks for key certificates at the path given in sslKeyStore and trusted certificates at the path given in sslTrustStore.

b. If any certificates were found, it checks for the integrity of the certificates.c. If any of the above fails, SSL initialization fails and SSL is not available.

Configuration Provided ● If the value of the sslCryptoProvider parameter is set, the system tries to initialize the given cryptographic

library provider. Any other installed cryptographic library providers are ignored.● If the value of the sslCryptoProvider parameter is set but no paths are given for the sslKeyStore and

sslTrustStore parameters, the system uses the default paths for initialization as if no configuration were provided.

● If the value of the sslKeyStore parameter or the sslTrustStore parameter is set, the system does not check the default paths. In this case, the sslCryptoProvider parameter must be set.

● If the values of both the sslKeyStore parameter and the sslTrustStore parameter are set, a value for the sslCryptoProvider parameter also has to be set; otherwise SSL initialization fails and SSL is not available.

9.1.2 Setup on Client-Side (SQLDBC-Based Connections)Set the parameter values according to the operating system installed on the clients. For SQLDBC-based connectivity (for example ODBC), the parameters and their names are the same as for the server. Additionally, the encrypt parameter is available to initiate an SSL-secured connection.



rights reserved. 43

Table


encrypt <bool value> False Enables or disables SSL encryption.

sslCryptoProvider {sapcrypto | openssl | mscrypto}

1. sapcrypto (if installed)2. openssl/mscrypto

Cryptographic library provider to use for SSL connectivity.

sslKeyStore <file> $HOME/.ssl/key.pem Path to keystore file. Leave empty when using mscrypto.

sslTrustStore <file> $HOME/.ssl/trust.pem Path to trust store file. Leave empty when using mscrypto.

sslValidateCertificate <bool value> true If set to true, validate the certificate of the communication partner.

sslHostNameInCertificate <string value> <empty> Use the given host name for validation.

TipUse this host name when validating the communication partner’s certificate. Wildcards are not allowed. If the given host name is “*” then host name validation is disabled.

sslCreateSelfSignedCertificate

<bool value> false If set to true, create a self-signed certificate if the keystore cannot be found.

9.1.3 Setup on Client-Side (JDBC-Based Connections)For JDBC connections, the parameter names are the same as those for SQLDBC-based connections except for the missing prefix SSL. Additionally, some additional parameters to further characterize the (Java-based) keystore and its password are used. If you use JDBC connections, deploy the certificates to the Java keystore.For JDBC connections, the automatic creation of a self-signed certificate is currently not supported. Therefore, the createSelfSignedCertificate parameter is not available.

44



Table


encrypt <bool value> false Enables or disables SSL encryption.

validateCertificate <bool value> true If set to true, validate the certificate of the communication partner.

hostNameInCertificate <string value> <empty> Use the given host name for validation.

TipUse this host name when validating the communication partner’s certificate. Wildcards are not allowed. If the given host name is “*” then host name validation is disabled.

keyStore <file | store name> <VM default>

keyStoreType <JKS | PKCS12> <VM default>

keyStorePassword <password> <VM default> Password used to access the keystore.

trustStore <file | store name> <VM default>

trustStoreType <JKS> <VM default>

trustStorePassword <password> <VM default> Password used to access the trust store.

If you do not specify any values for the *Store* parameters, the system uses the default values.

9.1.4 Setup of SAP HANA Studio Connections (JDBC-Based-Connections)As a prerequisite for SSL-secured connections to and from SAP HANA studio, the root certificate that was used to sign the server certificate must be available in the Java trust store. SAP HANA studio allows you to use either the system-wide trust store or the default user trust store for certificate validation. For more information about how to import certificates into trust stores, see the Java documentation.



rights reserved. 45

9.2 Configuring SSL for SAP HANA Database Internal Communication

The certificates for internal network communication in the SAP HANA appliance software are specific for each host and different for the client and server side. This is necessary as every host shall be verified with its fully qualified domain name (FQDN). Because the SAP HANA database deals with a set of certificates, we recommend using a dedicated certificate authority (CA) to sign these.

1. Download the SAP Cryptographic Library:The standard installer does not provide the required binaries. You have to download them separately. The SAP Cryptographic Library is available at the SAP Service Marketplace.

2. Create a certificate authority (CA) designated to this installation using external tools, for example, the OpenSSL command line tool.We recommend storing your CA certificate in $DIR_INSTANCE/ca.

3. Create certificates:On every host you have to create the client-side and the server-side certificate. You have to sign these at the CA just created. The common name (CN) has to be the FQDN of the host you get by reverse DNS lookup. The other fields describe your organization. Make sure that the client-side certificate is created without a password. Create a local keystore named SAPSSLC.pse in directory $SECUDIR on every host and import the host’s client certificate into SAPSSLC.pse.

4. Activate secure sockets:Add the section [communication] to the custom layer of the file global.ini. Set the key ssl = on.

9.3 Configuring HTTPS (SSL) for Client Application Access

To improve the security of your SAP HANA landscape, you can configure the SAP Web Dispatcher to use HTTPS (SSL) for incoming requests from UI front ends and applications, for example, SAP HANA applications. The requests are then forwarded to SAP HANA.

The SAP Web dispatcher lies between the Internet and your SAP system. It is the entry point for HTTP(s) requests into your system. If you want to set up a secure SSL connection (Secure Socket Layer) between client applications and the SAP Web Dispatcher, the following components are prerequisites:

● SAP Cryptographic library SAPCRYPTOLIB (libsapcrypto.so)● SAP Cryptographic tool SAPGENPSE● The SAP root certificate SAPNetCA.cer issued by the SAPNet certificate authority

To configure the SAP Web Dispatcher to use SSL for inbound application requests, perform the following steps:

1. Log on to the SAP HANA server at operating system level with the <SID>adm user.

2. Open the instance profile of your SAP Web Dispatcher.The SAP Web Dispatcher profile can be found in the following location:/usr/sap/<SAPSID>/HDB<instance_nr>/<hostname>/wdisp

46



3. Add the following parameters to the profile:

wdisp/shm_attach_mode = 6 wdisp/ssl_encrypt = 0 wdisp/add_client_protocol_header = true ssl/ssl_lib = /usr/sap/<SAPSID>/SYS/global/security/lib/libsapcrypto.so ssl/server_pse = /usr/sap/<SAPSID>/HDB<instance_nr>/<hostname>/sec/SAPSSL.pse icm/HTTPS/verify_client = 0

4. Add the HTTPS port as follows:icm/server_port_1 = PROT=HTTPS,PORT=443,EXTBIND=1

5. Copy the SAP Cryptographic Library (libsapcrypto.so) to the SAP HANA blade.

To enable secure HTTP communication between Web browsers and the SAP Web Dispatcher using SSL (HTTPS), you must copy the SAP Cryptographic Library (libsapcrypto.so) to the SAP HANA blade.

The SAP Cryptographic Library libsapcrypto.so must be located in the directory /usr/sap/<SAPSID>/SYS/global/security/lib/.

6. Install the root certificate SAPNetCA.cer.

Place the root certificate SAPNetCA.cer that you have downloaded from SAP Service Marketplace into the following directory: /usr/sap/<SAPSID>/HDB<instance_nr>/<hostname>/sec .

7. Set the SECUDIR environment variable to point to your instance directory.In a bash shell, execute the following command: export SECUDIR="/usr/sap/<SAPSID>/HDB<instance_nr>/<hostname>/sec"Alternatively, you can add the export command to the .bashrc profile of your <SAPSID>adm user.

NoteThe command you use to set the environment variable (and the .rc file you add it to) depends on the shell you are using. For the c shell, you can use setenv and .cshrc. However, SECUDIR should already have been set automatically during the installation process, for example, in the hdbenv.csh or hdbenv.sh file.

8. Make the sapgenpse file available and executable.

a) Place a copy of the sapgenpse file in the following location: /usr/sap/<SAPSID>/SYS/global/security/lib.

b) Set permissions for the file sapgenpse, for example: chmod 777 sapgenpse.

9. Create an SSL key pair and a certificate request:a) Change to the following directory.

cd /usr/sap/<SAPSID>/SYS/global/security/libb) Add the security directly to your library path.

export LD_LIBRARY_PATH=/usr/sap/<SAPSID>/SYS/global/security/c) Run the SAP Cryptographic tool SAPGENPSE

./sapgenpse get_pse -p SAPSSL.pse -x <PIN> -r SAPSSL.req "CN=<webdisp>, OU=<org_unit>, O=<company>, C=<country>"For <org_unit>, enter your SID. For CN, enter the host name of the NC host (<webdisp>, where the SAP Web dispatcher is installed) in the user LAN, as this is the host that decrypts the SSL. If you do not use the -x parameter, sapgenpse interactively asks for a personal identification number (PIN). The PIN request provides extra security since nobody can read the password from the screen or find it in the command history.The export command creates two files, one in the sec/ directory and one in the current directory. The file SAPSSL.req is an ASCII file whose content must be sent to a CA (certification authority). According to



rights reserved. 47

the rules of the CA, the CA will sign the request and return a file with the signed certificate. SAP offers CA services at http://service.sap.com/Trust, where you can have test certificates signed instantly. There is also a navigation point called “SSL Test Server Certificates” https://websmp106.sap-ag.de/SSLTest.

10. Import the signed certificate.Copy and paste the signed certificate into a file on the server hosting the SAP Web Dispatcher and execute the commands indicated below:a) Paste the text of the signed certificate into SAPSSL.cer, which is located in the directory /usr/sap/

<SAPSID>/HDB<instance_nr>/<hostname>/sec/.b) Copy sapgenpse to the directory /usr/sap/<SAPSID>/HDB<instance_nr>/<hostname>/sec/.c) Place the certificate SAPServerCA.der that you have downloaded from SAP Service Marketplace into

the following directory /usr/sap/<SAPSID>/HDB<instance_nr>/<hostname>/sec.d) Import the certificate using the following command.

./sapgenpse import_own_cert -c SAPSSL.cer -p SAPSSL.pse -x <PIN> -r SAPServerCA.der

Make sure that the date and time settings on the server hosting the SAP Web Dispatcher are correct and synchronized with the certificate authority (CA) that issued the certificate you import, otherwise the certificate might be interpreted as invalid.

11. Create a credentials file for the PSE.The SAP Web Dispatcher requires a password to access the PSE file. Instead of supplying the password in the profile, you must create a credential file, whose owner has access to the PSE. To create the credentials file, run the following command:./sapgenpse seclogin -p SAPSSL.pse -x <PIN> -O <SAPSID>admIf successful, the command creates the file cred_v2 in the directory /usr/sap/<SAPSID>/HDB<instance_nr>/<hostname>/sec. Since this file contains the password for the SAP Web dispatcher, restrict access to the owner by executing the following command in the sec/ directory:chmod 600 cred_v2The contents of the sec/ directory on the SAP Web Dispatcher host should now look similar to the following example output:blade1:sw1adm> ls -la /usr/sap/<SAPSID>/HDB<instance_nr>/<hostname>/sec/ drwxr-xr-x s1wadm sapsys 4096 2007-06-21 11:32 . drwxr-xr-x s1wadm sapsys 4096 2007-06-10 11:12 .. -rw------- s1wadm sapsys 164 2007-06-21 11:32 cred_v2 -rw------- s1wadm sapsys 542 2007-06-21 11:13 dev_sapstart -rw------- s1wadm sapsys 1655 2007-06-21 10:45 SAPSSL.pse

12. Restart the SAP Web Dispatcher.

sapcontrol -nr <instanceNr> -function SendSignal <pid> <signal>

For example, to restart the SAP Web Dispatcher with the process ID 28155, run the following command:

sapcontrol -nr 00 -function SendSignal 28155 2

You can check the functioning of the SAP Web Dispatcher by starting the SAP Web Dispatcher administration console under https://<host_name>/sap/admin. You will require the name and the master password defined for the webadm user during installation of the SAP Web Dispatcher. You can also check the logs in the following directory:usr/sap/<SAPSID>adm/HDB<instance_nr>/work

13. Bind the default SSL port to use.

48



http://service.sap.com/Trust

https://websmp106.sap-ag.de/SSLTest

Since only users with superuser authorization rights can bind ports with a number less that (<) 1024 (well-known ports) on a UNIX system, and the ICM process or the SAP Web Dispatcher should not have these rights (and ICM cannot have them for technical reasons), the port must be bound by an external program and the listen socket then transferred to the calling process. You can use the icmbnd command.

NoteThe installation process creates the file icmbnd.new, which you must rename to icmbnd. In addition, since superuser privileges are required to bind ports with a number lower than 1024, you must change the owner and permissions of the icmbnd command, for example, from <SID>adm to user root.

a) Change the owner of the icmbnd command:

$> chown root:sapsys icmbnd

b) Change the permissions for the icmbnd command:

$> chmod 4750 icmbnd

c) Check the new permissions for the icmbnd command:

$> ls -alrwsr-x 1 root sapsys 1048044 Feb 13 16:19 icmbnd

d) Bind the default SSL port to use.

icmbnd -S <server port> -l <listen port> -p <protocol>

Related LinksSAP Web Dispatcher



rights reserved. 49

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/8fe37933114e6fe10000000a421937/frameset.htm

10 SAP HANA Data Storage Security

The SAP HANA database is stored in the file system (including configuration data). You can configure the base path during installation. For more information about how to create a distributed system, see the SAP HANA Installation Guide with SAP HANA Unified Installer.Related LinksSAP HANA Installation Guide with SAP HANA Unified Installer

10.1 Data Protection on File System

The file permissions of the operating system are strictly configured. Therefore, we recommend that you do not change them after the installation of the SAP HANA database.

10.2 Data Volume Encryption

The SAP HANA database persistence layer ensures that changes made in the row store or column store are durable and that the database can be restored to the most recent committed state after a restart. For this reason, data is stored in persistent disk volumes that are organized in pages.Privacy of data on disk can be ensured globally by enabling SAP HANA data volume encryption. If this is the case, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm. Pages are transparently decrypted as part of the load process. When pages reside in memory they are therefore not encrypted and there is no performance overhead for in-memory page accesses. When changes to data are persisted to disk, the relevant pages are automatically encrypted as part of the Write operation.Pages are encrypted and decrypted using 256-bit persistence encryption page keys. Page keys are valid for a certain range of savepoints and can be changed by executing SQL statements. After switching on persistence encryption, an initial page key is automatically generated. Page keys are never readable in plaintext, but are encrypted themselves using a dedicated persistence encryption root key.During start-up, administrator interaction is not required. The root key is stored using the SAP NetWeaver Secure Store File System (SSFS) functionality and is automatically retrieved from there. SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA system from unauthorized access.

NoteFor more information about SAP NetWeaver SSFS, seeSystem Security for SAP NetWeaver AS ABAP Only.

Persistence encryption does not include:

● Encryption of database redo log files.

Note

50


SAP HANA Security GuideSAP HANA Data Storage Security


http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bc0fdf85640f1e10000000a42189c/frameset.htm

If the protection of database redo log files is required, we recommend using operating system facilities, such as encryption, at the file system level.

● Backups of the database.

NoteIf encryption of backups is required, we recommend using third-party solutions that integrate with the Backint for SAP HANA functionality for backups.

● Database traces.

NoteFor security reasons, we recommend not running the system with extended tracing for more than short-term analysis, since tracing might expose sensitive data, which would be encrypted by persistence, but not in the trace. Therefore, you should not keep such trace files on disk beyond the respective analysis task.

10.2.1 Implications of Persistence Encryption for Backup and RecoveryThis topic includes backup and recovery recommendations for data volume encryption.An SAP HANA database with an encrypted data area can be backed up just like an unencrypted system. The backup contents are always unencrypted, regardless of the encryption state of the data area of the productive system.For recovery, the target system should already have the persistence encryption feature enabled. All data restored during the data and log recovery phases are then automatically encrypted.

10.2.2 Periodic Administration Tasks for Persistence EncryptionCertain tasks should be performed periodically regarding data encryption.Depending on your security policy, we recommend periodically changing the page keys in order to limit the potential impact of a key being compromised. A new page key will be active for new data as of the next savepoint operation. The SAP HANA database provides system views that allow monitoring of the page keys used for data encryption and their age.An administrator can also trigger a re-encryption of the entire data area using the current page key.

NoteFor specific information and procedures about changing the page keys or triggering a re-encryption of the entire data area using the current page key, see SAP HANA Administration Guide.

10.3 Secure Data Storage for SAP HANA

On the SAP HANA database server, passwords are stored as follows:

● System passwords are protected by the methods of the respective operating systems (for example, /etc/password in UNIX).



rights reserved. 51


● All database user passwords are hashed with the secure hash algorithm SHA-256.

On the client side there are two facilities for storing user passwords:

● For connecting client programs to the database without explicitly logging in, logon information can be stored in the secure user store of the SAP HANA client (hdbuserstore, see ch. 5.3.4)

NoteFor more information about hdbuserstore, see Secure User Store.

● When using the SAP HANA studio, the Eclipse secure storage is used to store saved passwords.

10.4 Secure User Store

In the secure user store of the SAP HANA client hdbuserstore, you can securely store the user logon information, including passwords, using the SAP NetWeaver Secure Store File System (SSFS) functionality. This allows client programs to connect to the database without having to manually enter a password. The secure user store is installed with the SAP HANA client package. After installation, it is located in the /usr/sap/hdbclient directory. The secure user store runs on all platforms supported by SAP HANA client interfaces and SAP BASIS 7.20 EXT.The logon information is stored in one of the following directories. If the path does not already exist, it is created by the hdbuserstore command.

● For systems using Microsoft Windows®, the path is defined by <PROGRAMDATA>\.hdb\<COMPUTERNAME><SID>.Where PROGRAMDATA is the path defined by CSIDL_COMMON_APPDATA resp. FOLDERID_PROGRAMDATA and SID is the system ID of the user that uses the stored logon information.

● For systems using other operating systems, the path is defined by <HOME>/.hdb/<COMPUTERNAME>.HOME is the home directory of the user that uses the logon information.

When executing the hdbuserstore script (in the context of the correct operating system user), the user store can be opened using a user key. Only the operating system user owning the corresponding secure password store files can access the secure user store.To edit the stored logon information, you can use the following hdbuserstore commands:

Command Parameter Description

HELP Displays a help message.

LIST <user_key> Lists entries with the key. Passwords are not displayed.

DELETE <user_key> Deletes entries with the key.

SET <user_key> Sets the entry key.

<env> Sets the connection environment (host and port).

<user_name> Sets the user name for the profile.

<password> Sets the password for the profile.

52



Example● Create a user key in the user store and store the password under this user key:

hdbuserstore SET <user_key> <env> <user_name> <password>

For example:

hdbuserstore SET millerj localhost:30115 JohnMiller 2wsx$RFV

● List all available user keys (passwords are not displayed):

hdbuserstore LIST <user_key>

For example:

hdbuserstore LIST millerj

The following information is displayed:KEY: millerjENV: localhost:30115USER: JohnMiller

● Call hdbsql with the user key:

hdbsql -U <user_key>

For example:

hdbsql -U millerj

Encryption KeysAll password information contained in the secure user store is encrypted using an encryption key. The system is provided with a default encryption key. If the encryption key is compromised, you can change the key.

CautionIf the user forgets the stored password, you cannot recover that password because the system does not display passwords in a human-readable form. We recommend changing the encryption key.

Changing the Secure User Store Encryption KeysTo change the secure user store encryption keys:

1. Get the RSECSSFX command from SAP BASIS 7.20 EXT.2. Specify the path based on the platform, as described above. The key path is the same as the data path.3. Define the SAP system name as HDB.4. Use the CHANGEKEY command to change the key.

Related LinksSystem Security for SAP NetWeaver AS ABAP Only



rights reserved. 53

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bc0fdf85640f1e10000000a42189c/frameset.htm

11 Auditing Activity in SAP HANA Systems

The auditing feature of the SAP HANA database allows you to monitor and record selected actions performed in your system. In other words, it provides you with visibility on who did what (or tried to do what) and when. Although auditing does not directly increase your system's security, if wisely designed, it can help you achieve greater security in the following ways:

● Uncover security holes if too many privileges were granted to some user● Show attempts to breach security● Protect the system owner against accusations of security violations and data misuse● Allow the system owner to meet security standards

The following actions are typically audited:

● Changes to user authorization● Creation or deletion of database objects● Authentication of users● Changes to system configuration● Changes to auditing configuration● Access to or changing of sensitive information

ConstraintsOnly actions that take place inside the database engine can be audited. If the database engine is not online when an action occurs, it cannot be detected and therefore cannot be audited.This is important to bear in mind in the following cases:

● Upgrade of a SAP HANA database instanceUpgrade is triggered when the instance is offline. When it becomes available online again, it is not possible to determine which user triggered the upgrade and when.

● Changes to system configuration filesOnly changes that are made using SQL are visible to the database engine. It is also possible to change configuration files when the system is offline.

A further scenario that cannot be meaningfully audited is the activation of roles in the repository of the SAP HANA database. This is important to bear in mind if you are using roles created in the repository to grant privileges to users.

11.1 Audit Policies

Auditing is implemented through the creation and activation of audit polices. An audit policy defines the actions to be audited, as well as the conditions under which the action must be performed to be relevant for auditing. For example, actions in a particular policy are audited only when they are performed by a particular user on a

54


SAP HANA Security GuideAuditing Activity in SAP HANA Systems

particular object. When an action occurs, the audit policy is triggered and an audit event is written to the audit trail.

Audited ActionsAn action corresponds to the execution of an action in the database by SQL statement. For example, you want to track user provisioning in your system, so you create an audit policy that audits the execution of the SQL statements CREATE USER and DROP USER. Although most actions correspond to the execution of a single SQL statement, some actions can cover the execution of multiple SQL statements. For example, the action GRANT ANY will audit the granting of multiple entities on the basis of the SQL statements GRANT PRIVILEGE, GRANT ROLE, GRANT STRUCTURED PRIVILEGE, and GRANT APPLICATION PRIVILEGE.An audit policy can specify any number of actions to be audited, but not all actions can be combined together in the same policy. Actions can be grouped in the following main ways:

● All actionsYou can include all auditable actions in a single policy, but only in conjunction with a specific user. This is useful if you want to audit the actions of a particularly privileged user.

● Data manipulation actionsYou can include any actions that involve data manipulation together in a single policy, for example actions that audit SELECT, INSERT, UPDATE, DELETE, and EXECUTE statements on database objects. A policy that includes these actions requires at least one target object that allows the actions in question. This type of policy is useful if you want to audit a particularly critical or sensitive database object.

● Data definition actionsOther action types, for example actions that involve data definition, can only be combined together in a single policy if they are compatible. For example, the action GRANT PRIVILEGE can be combined with REVOKE PRIVILEGE but not with CREATE USER. The action CREATE USER can be combined with DROP USER.

For more information about auditable actions, see the SAP HANA SQL Reference.

Audit Policy ParametersIn addition to the actions to be audited, an audit policy specifies additional parameters that further narrow the number of events actually audited.

● Audited action statusFor each audit policy, it must be specified when the actions in the policy are to be audited:

○ On successful execution○ On unsuccessful execution○ On both successful and unsuccessful execution

NoteAn unsuccessful attempt to execute an action means that the user was not authorized to execute the action. If another error occurs (for example, misspellings in user or object names and syntax errors), the action is generally not audited. In the case of actions that involve data manipulation (that is, INSERT, SELECT, UPDATE, DELETE, and EXECUTE statements), additional errors (for example, invalidate views) are audited.

● Target object(s)Actions that involve data manipulation require at least one target object. The following target object types are possible:

○ Tables○ Views



rights reserved. 55

○ Procedures

Target objects are specified at the level of audit policy, so if an audit policy contains several data manipulation actions, the target object must be valid for all actions in the policy. In the case of the action EXECUTE, the only valid target object is procedure. In addition, procedure is valid only for this action. This means that the action EXECUTE cannot be combined with any other actions.

NoteAn object must exist before it can be named as the target object of an audit policy. However, if the target object of an audit policy is deleted, the audit policy remains valid. This means that if the object is recreated, that is the same object type with the same name is created, the audit policy will work for this object again.

● Audited user(s)It is possible to specify that the actions in the policy be audited only when performed by a particular user. In the case of a policy that contains all auditable actions, a user must be specified.

NoteUsers must exist before they can be named in an audit policy.

● Audit levelEach audit policy must be assigned one of the following levels:

○ EMERGENCY○ ALERT○ CRITICAL○ WARNING○ INFO

When the audit policy is triggered, an audit entry of the corresponding level is written to the audit trail. This allows tools checking audited actions to find the most important information, for example.

Related LinksSAP HANA SQL Reference

11.2 Audit Trail

When an audit policy is triggered, that is, when an action in the policy occurs under the conditions defined in the policy, an audit entry is created in the audit trail.The logging system of the Linux operating system (syslog) is the only supported audit trail target. The syslog is a secure storage location for the audit trail because not even the database administrator can access or change it. There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, the syslog is the default log daemon in UNIX systems. The syslog therefore provides a high degree of flexibility and security, as well as integration into a larger system landscape. For more information about how to configure syslog, refer to the documentation of your operating system.

Caution

56



http://help.sap.com/hana/html/sqlmain.html

If the syslog daemon cannot write the audit trail to its destination, you will not be informed. To avoid a situation in which audited actions are occurring but audit entries are not being written to the audit trail, ensure that the syslog is properly configured and that the audit trail target is accessible and has sufficient space available.

NoteFor test purposes in non-productive systems, you can use a CSV text file as the audit trail. However, you must not use this for a productive system as it has severe restrictions. Firstly, it is not sufficiently secure. By default, this file is written to the same directory as trace files, so database users with the system privilege DATA ADMIN, CATALOG READ, TRACE ADMIN, or INIFILE ADMIN can access it. At operating system level, any user in the SAPSYS group can access it. Secondly, audit trails are created for each server in a distributed database system. This makes it more difficult to trace audit events that were executed across multiple servers (distributed execution).

For each occurrence of an audited action, one or more audit entries are created.Example:If an action that involves data manipulation was executed implicitly by a procedure, the call to this procedure is audited together with the audited action. If the action does not involve data manipulation, then an implicitly executed procedure is not audited. For example, if there is an active audit policy that audits the action of creating users, the execution of CREATE USER statements within procedures will be audited but not the procedures themselves.Audit entries written to the audit trail have the following fields with the following meaning:

Field Description Sample Value

Event Timestamp Time (UTC) of event occurrence 2012-09-19 15:44:53

Service Name Name of the service where the action occurred

Indexserver

Hostname Name of the host where the action occurred

myhanablade23.customer.corp

SID System ID HAN

Instance Number Instance number 23

Port Number Port number 32303

Client IP Address IP address of the client application 127.0.0.2

Client Name Name of the client machine lu241511

Client Process ID PID of the client process 19504

Clint Port Number Port of the client process 47273

Policy Name Audit policy that was triggered AUDIT_GRANT

Audit Level Severity of audited action CRITICAL

Audit Action Action that was audited and thus triggered the policy

GRANT PRIVILEGE

Active User User who performed the action MYADMIN



rights reserved. 57

Field Description Sample Value

Target Schema Name of the schema where the action occurred, for example, a privilege was granted on a schema, or a statement was executed on object in a schema

PRIVATE

Target Object Name of the object on which an action was performed, for example, a privilege was granted

HAXXOR

Privilege Name Name of the privilege that was granted or revoked

SELECT

Grantable Indication of whether the privilege or role was granted with or without GRANT/ADMIN OPTION

NON GRANTABLE

Role Name Name of the role that was granted or revoked

MONITORING

Target Principal Name of the target user of the action, for example, grantee in a GRANT statement

HAXXOR

Action Status Execution status of the statement SUCCESSFUL

Component Currently not applicable

Section Currently not applicable

Parameter Currently not applicable

Old Value Currently not applicable

New Value Currently not applicable

Comment Currently not applicable

Executed Statement Statement that was executed GRANT SELECT ON SCHEMA PRIVATE TO HAXXOR

Session ID ID of the session in which the statement was executed

400006

In both the syslog and CSV file audit trails, the above fields are separated by ';'.An audit entry therefore looks like this:

<Event Timestamp>;<Service Name>;<Hostname>;<SID>;<Instance Number>;<Port Number>;<Client IP Address>;<Client Name>;<Client Process ID>;<Client Port Number>;<Audit Level>;<Audit Action>;<Active User>;<Target Schema>;<Target Object>;<Privilege Name>;<Grantable>;<Role Name>;<Target Principal>;<Action Status>;<Component>;<Section>;<Parameter>;<Old Value>;<New Value>;<Comment>;<Executed Statement>;<Session Id>;

58



11.3 Auditing Configuration and Audit Policy Management

To be able to audit database activity, the auditing feature must first be activated for the system. It is then possible to create and activate the required audit policies. Audit policies can also be deactivated and reactivated later, or deleted altogether.You configure auditing and manage auditing policies in the Security editor of the SAP HANA studio.Related LinksSAP HANA Administration Guide



rights reserved. 59


12 SAP HANA Additional Components

12.1 SAP HANA Information Composer

The SAP HANA information composer is a Web application that allows you to upload and manipulate data on the SAP HANA database. The SAP HANA information composer uses a Java server which interacts with the SAP HANA database.The Java server communicates with the SAP HANA information composer client via HTTP or HTTPS. The following ports are used by default:

● HTTP port 8080● HTTPS port 8443

If HTTPS is used, the SSL certification must be configured by the administrator.

NoteThe SAP HANA information composer can be configured to use antivirus software.

The SAP HANA information composer client is accessible to users who are assigned the IC_MODELER role. This role allows users to upload new content into the SAP HANA database and to create physical tables and calculation views.When content is marked as shared, it is accessible from users who are assigned the IC_PUBLIC role. By default, the physical tables and calculation views are marked as private. This means that they are only visible to the user who created them. Calculation views are created by the _SYS_REPO user in the _SYS_BIC schema within the Column Views node in the SAP HANA studio.The physical tables and calculation views can be shared with users who are assigned the IC_PUBLIC role. The IC_PUBLIC role is included in the IC_MODELER role.The created calculation view inherits the analytical privileges of the source data that is being used. Objects that are based on user data (spreadsheets) have no analytical privileges.The SAP_IC technical user is created during installation. After completing the installation, SAP_IC is locked.

NoteAs long as the SAP HANA information composer is in use, the SAP_IC user must not be deleted because otherwise, the role assignments created by this user will also be deleted.

Related LinksSAP HANA Information Composer – Installation and Configuration Guide

60


SAP HANA Security GuideSAP HANA Additional Components

https://service.sap.com/%7Esapidb/011000358700000993102011E

12.2 Lifecycle Management Tools

You can access the Lifecycle Management Tools from the Lifecycle Management perspective of the SAP HANA studio. The Software Update Manager (SUM), which is part of the Lifecycle Management Tools, can be used to update the components of your SAP HANA installation.To work properly, the SUM needs credentials for the following users:

● sapadm – used to authenticate to SAP Host Agent● <sid>adm – required by SAP HANA database server update● SAP Service Marketplace user – used to authenticate to SAP Service Marketplace

The SUM for SAP HANA communicates with the following components:

● SAP HANA studio● SAP Service Marketplace● SAP Host Agent

All these channels use encryption via HTTPS. For communication with the SAP HANA studio, the SUM for SAP HANA opens the server ports 8080 and 8443.See the SAP HANA Automated Update Guide at https://service.sap.com/hana for more information about:

● How to set up and update the SUM (section “Configuring HTTPS for SAP HANA Automated Update”).● How to set up and update the Lifecycle Management Perspective (section “Setting Up the SAP HANA

Studio”).

12.3 Unified Installer

The SAP HANA Unified Installer is a tool for installing the SAP HANA appliance software in a single, unified, and predefined way. It is designed to be used by the SAP HANA hardware partners within their factory process.The SAP HANA Unified Installer can be used to change the initial passwords provided by the hardware partner.

NoteAfter you receive the SAP HANA appliance, we recommend changing the initial passwords provided by the partner by using the SAP HANA On-Site Configuration tool. For more information about working with this tool, see the SAP HANA Installation Guide with SAP HANA Unified Installer.

Related LinksSAP HANA Installation Guide with SAP HANA Unified Installer

12.4 SAP HANA UI Toolkit for Info Access

The SAP HANA UI toolkit for Info Access provides HTML5 UI building blocks for developing search-based applications on SAP HANA. Such applications provide real-time information access and faceted search features



rights reserved. 61

https://service.sap.com/hana


on huge volumes of structured and unstructured text data. The UI toolkit is connected to the database through the SAP HANA Info Access service that wraps search and analytic SQL queries and exposes them through an HTTP interface.

NoteThe service runs on SAP HANA XS. For information about activating and deactivating SAP HANA XS, see the section "Starting and Stopping Database Services" in the SAP HANA Administration Guide.

Both the UI toolkit and the HTTP service are part of the default SAP HANA shipment, but they are not installed automatically. They are shipped as separate delivery units that you need to import and activate manually.

NoteFor information about setting up the service and the toolkit and developing search apps, see the section "Building Search Apps" in the SAP HANA Developer Guide.

When activated, the service:

● Is available via the HTTP/S port.● Provides end users access to search data, which requires creating database users and giving them privileges

on certain schemas and views.

Related LinksSAP HANA Administration GuideSAP HANA Developer Guide

12.5 SAP HANA UI Integration Services

Security aspects of SAP HANA UI Integration Services.SAP HANA UI Integration Services is a set of Eclipse-based and browser-based tools, as well as client-side APIs, which enable you to integrate standalone SAP HANA Extended Application Services (XS) client applications into web user interfaces to support end-to-end business scenarios. These user interfaces are referred to as application sites. Pre-built standalone SAP HANA XS client applications that are integrated into application sites are referred to as widgets.The following topics discuss the security aspects of SAP HANA UI Integration Services. Other security aspects, such as those related to network and communication or databases, that are not specific for, but apply to SAP HANA UI Integration Services, are described in the respective sections of the SAP HANA Security Guide.

Roles and Permissions The following roles are predefined in the SAP HANA user management system for SAP HANA UI Integration Services:

Role Description

sap.hana.uis.db::SITE_USER

Runtime usage of application sites. The role's permissions enable authorized users to do the following:

● Read information about the activated sites

62





Role Description

● Write security messages to the audit log

sap.hana.uis.db::SITE_DESIGNER

Design and runtime usage of application sites. The role's permissions enable authorized users to do the following:

● All permissions of SITE_USER● Access the SAP HANA repository● Read a specific table in the UIS schema that contains all the information about the

activated widgets

Security Auditing All security-related events in application sites are saved to the table UIS.sap.hana.uis.db::DEFAULT_AUDIT_TBL. Any authorized SAP HANA user can write to this table using the UIS.sap.hana.uis.db/LOG_AUDIT_MESSAGE stored procedure. No user can read this table without read permissions granted by the system administrator.

Security Considerations for Widget DevelopmentWhen developing widgets with the help of SAP HANA UI Integration Services, take into account the following security considerations :

● Each widget is responsible for its own security so you should take measures to protect its data and resources. However, you can assume that only authenticated SAP HANA users can access application sites at runtime, since logon credentials are requested at start.

● The sap-context feature supports communication between widgets in a site by enabling widgets to publish events or subscribe to events. No out-of-the-box mechanism is supplied to validate a publisher or subscriber of the context, so the published data is not automatically protected.

● The gadgetprefs feature allows any widget to save properties on the application server.

CautionUsing the feature's API, a widget can read and write its own properties only; however, all properties are visible to anyone who has read permissions for an application site in which the widget is running. Therefore we recommend that you avoid storing sensitive data using this feature.

12.6 Application Function Library (AFL)

You can dramatically increase performance by executing complex computations in the database instead of at the application sever level.SAP HANA provides several techniques to move application logic into the database, and one of the most important is the use of application functions. Application functions are like database procedures written in C++ and called from outside to perform data intensive and complex operations. Functions for a particular topic are grouped into an application function library (AFL), such as the Predictive Analytical Library (PAL) or the Business Function Library (BFL).Currently, all AFLs are delivered in one archive (that is, one SAR file with the name AFL<version_string>.SAR).



rights reserved. 63

NoteThe AFL archive is not part of the SAP HANA appliance, and must be installed separately by an administrator. For more information about installing the AFL archive, see the SAP HANA Installation Guide with SAP HANA Unified Installer.

AFL Security

● User and SchemaDuring startup, the system creates the user _SYS_AFL, whose default schema _SYS_AFL.

NoteThe user and its schema _SYS_AFL are created during a new installation or update process if they do not already exist.

All AFL objects, such as areas, packages, functions, and procedures, are created under this user and schema. Therefore, all these objects have fully specified names in the form of _SYS_AFL.<object name>.

● RolesFor each AFL library, there is a role. You must be assigned this role to execute the functions in the library. The role for each library is named: AFL__SYS_AFL_<AREA NAME>_EXECUTE. For example, the role for executing PAL functions is AFL__SYS_AFL_AFLPAL_EXECUTE.

NoteThere are 2 underscores between AFL and SYS.

NoteOnce a role is created, it cannot be dropped. In other words, even when an area with all its objects is dropped and recreated during system startup, the user still keeps the role that was previously granted.

Related LinksSAP HANA Installation Guide with SAP HANA Unified Installer

12.7 SAP HANA Extended Application Services (SAP HANA XS)

SAP HANA Extended Application Services (SAP HANA XS) enables you to define access to each individual application package that you want to develop and deploy.The application access file enables you to specify who or what is authorized to access the content exposed by the application package and what content they are allowed to see. For example, you use the application access file .xsaccess to specify if authentication is to be used to check access to package content, and whether rewrite rules are in place for the exposure of target and source URLs.For security information on the following items related to SAP HANA XS, see the SAP HANA Developer Guide .

● Data Authorization

64





Privileges for users, roles, views, schemas, tables, packages, applications, repository, and so on.● Server-side JavaScript

Scripting best practices for XSS, XSRF, and so on.● Application Access

.xsaccess● ODATA Services

Service definition, service start, URLs● XMLA Services

Service definition, service start, URLs● Table Import

Permission to execute select statements on created tables

SAP HANA XS Ports and ConnectionsFor a table with detailed information about ports and connections for SAP HANA XS, see SAP HANA Extended Application Services Ports and Connections.

Starting and Stopping SAP HANA XS

NoteFor information about activating and deactivating SAP HANA XS, see the section "Starting and Stopping Database Services" in SAP HANA Administration Guide.

Configuring HTTPS (SSL) for SAP HANA XS

NoteFor information about configuring HTTPS (SSL) for SAP HANA XS, see Configuring HTTPS (SSL) for Client Application Access .

Related LinksSAP HANA Developer GuideSAP HANA Administration Guide

12.8 R Integration

R is an open source programming language and software environment for statistical computing and graphics. SAP HANA allows R code to be processed inline as part of a SQLScript procedure.

NoteThe R server is not provided by SAP.

The current implementation has the following security considerations:

● Data channel between SAP HANA and R is unencrypted.



rights reserved. 65




● Rserve can be configured to use authentication based on a password. In this case, the password is stored unencrypted in a configuration file on the SAP HANA server.

● SQLScript R functions can contain code that can harm security on the server where the Rserve is running, such as the following:

○ Access file system (read/write)○ Install new add-on/R packages which can contain binary code (for example, written in C)○ Execute operation system commands○ Open network connections and download files or open connections to other servers

Only authorized database users are allowed to create SQLScript R functions. Because of this, you should grant the CREATE R SCRIPT privilege only to trusted database users who are allowed to create SQLScript R functions. To do so, a user who has this privilege WITH ADMIN OPTION can execute the following SQL command:

GRANT CREATE R SCRIPT TO user [WITH ADMIN OPTION]

Related LinksSAP HANA R Integration Guide

66



http://help.sap.com/hana/hana_dev_r_emb_en.pdf

13 Security for SAP HANA Replication Technologies

This topic describes the security considerations of the supported SAP HANA replication technologies.

NoteFor more details about the specific replication technologies and a table comparing them, see SAP HANA Replication Technologies.

SAP HANA Extraction-Transformation-Load (ETL) Data ServicesThe SAP HANA Extraction-Transformation-Load (ETL) data replication technology uses SAP BusinessObjects Data Services (hereafter referred to as Data Services) to load the relevant business data from the SAP ERP source system and replicate it to the target SAP HANA database. This method allows you to read the required business data on the application layer level. You deploy this method by defining data flows in Data Services and scheduling the replication jobs.Since this method uses batch processing, it also enables data checks, transformations, synchronizing with additional data providers, and the merging of data streams. The main components are the Data Services Designer, where you model the data flow, and the Data Services Job Server for the execution of the replication jobs. An additional repository is used to store the metadata and the job definitions.Data Services relies on the Central Management Server (CMS) for authentication and security features. For complete information about the security features provided by the CMS, see the SAP BusinessObjects Enterprise Administrator's Guide or the SAP BusinessObjects Information Platform Services Administrator's Guide at SAP HANA Appliance Software.To ensure security for your Data Services environment, use a firewall to prevent unintended remote access to administrative functions. In a distributed installation, you need to configure your firewall so that the Data Services components are able to communicate with each other as needed. For information about configuring ports on your firewall, see your firewall documentation.For more information about ETL data replication technology using the SAP BusinessObjects Data Services database, see the Security section in the SAP BusinessObjects Data Services Administrator’s Guide.

SAP HANA Direct Extractor Connection (DXC)By default, the SAP HANA Direct Extractor Connection technology is switched off. For more information about how to switch it on, see the SAP HANA Direct Extractor Connection Implementation Guide at SAP HANA Appliance Software.For secure communication, the SAP HANA Direct Extractor Connection technology uses the SSL protocol (HTTPS) based on the Internet Communication Manager (ICM). For more information about ICM and SSL configuration, see the SAP Library on SAP Help Portal at http://help.sap.com under SAP NetWeaver SAP NetWeaver 7.3 SAP NetWeaver Library: Function-Oriented View Application Server Application Server Infrastructure Internet Communication Manager (ICM) .

SAP HANA Security GuideSecurity for SAP HANA Replication Technologies


rights reserved. 67

http://help.sap.com/hana_appliance/


http://help.sap.com/businessobject/product_guides/boexir4/en/xi4_ds_admin_en.pdf



http://help.sap.com

Trigger-Based Data Replication using SAP LT (Landscape Transformation) Replication Server (SLT)SAP Landscape Transformation replication server is a replication technology to provide data from SAP systems in an SAP HANA environment. It acts as a key enabler for SAP HANA customers to supply their SAP HANA environment with relevant data.When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to the trigger-based data replication using the SAP LT (Landscape Transformation) replication server.The SAP LT replication server and the SAP source system use the user management and authentication mechanisms provided by the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide [SAP Library] � Application Server ABAP Security Guide also apply to the SAP LT Replication Server and an SAP source system.The SAP LT replication server and the SAP source system use the authorization concept provided by the SAP NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP also apply to the SAP LT replication server. In SAP NetWeaver, authorizations are assigned to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP. For more information about how to create roles, see Role Administration (SAP Library).Related LinksSAP BusinessObjects Data Services Administrator’s GuideSAP HANA Replication Technologies [page 72]

SAP HANA Security Guide - Trigger-Based Replication (SLT)

68


SAP HANA Security GuideSecurity for SAP HANA Replication Technologies

http://help.sap.com/businessobject/product_guides/boexir4/en/xi4_ds_admin_en.pdf

http://help.sap.com/hana/hana_slt_repli_sec_en.pdf

14 Security Reference Information

14.1 SAP HANA Port and Connection Tables

Tables of all listening TCP / IP network ports that are used by SAP HANA.

The port and connection tables for SAP HANA are listed in the subsections below:

● SAP HANA Database Internal Communication Ports and Connections● SAP HANA Database Client Access Ports and Connections● SAP HANA Extended Application Services (SAP HANA XS) Ports and Connections● SAP HANA Administrative Ports and Connections● Remote Support Ports and Connections● Additional Scenarios Ports and Connections

14.1.1 SAP HANA Database Internal Communication Ports and ConnectionsThis topic includes port and connection information for SAP HANA database internal communication.

TipIn SAP HANA, most network ports depend on the two-digit instance number of the installation. In the following, the <inst> needs to be replaced with the actual instance number of the installation, for example:The instance number 00 should be 3<inst>00 = 30000

Table

Communication Type Listening TCP / IP Comment

Communication channels are used only to communicate internally between different components of an SAP HANA database instance, such as the different hosts in a distributed installation.

3<inst>00 SAP HANA database internal (local only)

3<inst>01 SAP HANA database internal






14.1.2 SAP HANA Database Client Access Ports and ConnectionsThis topic includes port and connection information for SAP HANA database client access.

Tip

SAP HANA Security GuideSecurity Reference Information


rights reserved. 69

In SAP HANA, most network ports depend on the two-digit instance number of the installation. In the following the <inst> needs to be replaced with the actual instance number of the installation, for example:Instance number 00 should be 3<inst>00 = 30000

Table


SQL / MDX access port for standard database access. Access to these ports needs to be enabled for all database clients.

NoteThis access is also required for some administrative functions.

3<inst>15 External SQL interface. Access port for all database access by applications/application servers, end-user clients or SAP HANA studio, such as for modeling or database administration.

14.1.3 SAP HANA Extended Application Services Ports and ConnectionsThis topic includes port and connection information for SAP HANA Extended Application Services (SAP HANA XS).

TipIn SAP HANA, most network ports depend on the two-digit instance number of the installation. In the following the <inst> needs to be replaced with the actual instance number of the installation, for example:Instance number 00 should be 3<inst>00 = 30000

Table


SAP HANA XS HTTP access 80<inst> HTTP access to applications based on SAP HANA XS.

SAP HANA XS HTTPs access 43<inst> HTTPs access to applications based on SAP HANA XS.

14.1.4 SAP HANA Administrative Ports and ConnectionsThis topic includes port and connection information for SAP HANA administration.


70



Table

Communication Type Listening TCP / IP

Instance Agent: SAP Start administrative channel for low-level access to the SAP HANA instance to allow features such as starting or stopping of the SAP HANA database.

5<inst>135<inst>14 (SSL)

Host Agent: SAP Start administrative channel for low-level access to the SAP HANA appliance system.

11281129 (SSL)

Software Update Manager: Access to trigger actions of the SUM such as updating the SAP HANA database software.

80808443 (SSL)

Software Update Manager: Connection to SAP Service Marketplace to check for updates.

Outgoing to service.sap.com:443

14.1.5 Remote Support Ports and ConnectionsThis topic includes port and connection information for remote support.


Table


SAP Solution Manager: via SMD agent

Outgoing connection All connections from the SMD agent to the Solution Manager are outgoing connections which are opened by the SMD agent.

SAP Router Access: development support access

3<inst>09 Not active by default and required in only certain support cases. For more details see "Opening a Support Connection" in SAP HANA Administration Guide.

Related LinksSAP HANA Administration Guide

14.1.6 Additional Scenarios Ports and ConnectionsThis topic includes port and communication information for additional scenarios.




rights reserved. 71


Table


R Integration: Communication between SAP HANA and R environment (separate server).

Outgoing connection Only required for scenarios which use the R integration supported by SAP HANA. For more information, see SAP HANA R Integration Guide.

14.2 SAP HANA Replication Technologies

14.2.1 IntroductionIn-memory reporting and analyzing of business data requires the replication of the data from a source system to the SAP HANA database. This section provides an overview of the possible replication methods that are available for the SAP HANA appliance. It also describes the application fields and lists the main components required for each method.

The figure above focuses on the task of loading business data from an SAP ERP system to the SAP HANA database.The methods for performing data replication are shown in the figure below. The main components involved in all replication scenarios are:

72



http://help.sap.com/hana/hana_dev_r_emb_en.pdf

● SAP HANA appliance, consisting of the SAP HANA database and SAP HANA studio, which is used to administer the appliance. User interfaces, such as SAP BusinessObjects Dashboards or Web Intelligence, are not part of the appliance software.

● Source system, such as SAP ERP● Software components supporting the data replication

The software components that support different methods of data replication are described in the following replication scenarios.

The figure above gives an overview of the alternative methods for data replication from a source system to the SAP HANA database. Each method handles the required data replication differently, and consequently each method has different strengths. It depends on your specific application field and the existing system landscape as to which of the methods best serves your needs.

● Trigger-Based ReplicationTrigger-Based Data Replication Using SAP Landscape Transformation (LT) Replication Server is based on capturing database changes at a high level of abstraction in the source ERP system. This method of replication benefits from being database-independent, and can also parallelize database changes on multiple tables or by segmenting large table changes.

● ETL-Based ReplicationExtraction-Transformation-Load (ETL) Based Data Replication uses SAP Data Services to specify and load the relevant business data in defined periods of time from an ERP system into the SAP HANA database. You can reuse the ERP application logic by reading extractors or utilizing SAP function modules. In addition, the ETL-based method offers options for the integration of third-party data providers.

● Extractor-Based Data Acquisition



rights reserved. 73

The SAP HANA Direct Extractor Connection (DXC) is a means for providing out-of-the-box foundational data models to SAP HANA, which are based on SAP Business Suite entities. DXC is also a data acquisition method. The rationale for DXC is essentially simple, low TCO data acquisition for SAP HANA leveraging existing delivered data models.

Related LinksProduct Availability Matrix (PAM) (search for SAP HANA)

14.2.2 Trigger-Based ReplicationThe Trigger-Based Replication method uses the SAP Landscape Transformation (LT) Replication Server component to pass data from the source system to the SAP HANA database target system.

Initial Load and Simultaneous Delta ReplicationThe initial load of business data is initiated using the SAP HANA studio. The initial load message is sent from the SAP HANA system to the SLT system, which in turn passes the initialization message to the ERP system. Furthermore, the SLT system initiates the set-up of replication log tables in the database of the ERP system for each table to be replicated. After the transaction tables are completed, the SLT system begins a multi-threaded replication of data to the target system, which enables high speed data transfer.The initial load of data can be executed while the source system is active. The system load that this process causes can be controlled by adjusting the number of worker threads performing the initial replication.In parallel to the initial load, by means of database-specific triggers, the SLT system begins detecting any data changes that occur while the initial load process is running. These changes are already recorded in logging tables during the initial load phase and are propagated during the replication phase to the target SAP HANA system after the initial load has been completed. The multi-version concurrency control (MVCC) of the SAP HANA database prevents issues that might be caused by the overlapping of the initial load process and new database transactionsContinuous Delta Replication After Initial Load

74




After the initial load process has completed, the SLT system continues to monitor the transaction tables in the ERP system, and replicates data changes in the source system to the SAP HANA system in near real time.Required Software ComponentsThis replication method requires the following component:

● SAP Landscape Transformation: this controls the entire replication process by triggering the initial load and coordinating the delta replication.

Installation considerationsThe SLT system can be installed in the ways shown below. You can select between these options depending on your current system landscape and the software versions in your landscape:

● Installation on your ERP system● Installation on a standalone SAP system (recommended setup)

Related LinksSAP HANA Installation Guide – Trigger-Based Replication

14.2.3 ETL-Based ReplicationExtraction-Transformation-Load (ETL) based data replication uses SAP Data Services (referred to as Data Services from now on) to load the relevant business data from the source system, SAP ERP, and replicate it to the target, SAP HANA database. This method enables you to read the required business data on the level of the application layer. You deploy this method by defining data flows in Data Services and scheduling the replication jobs.Since this method uses batch processing, it also permits data checks, transformations, synchronizing with additional data providers, and the merging of data streams.



rights reserved. 75

https://service.sap.com/~sapidb/011000358700000604912011D

The figure above gives an overview of the ETL-based replication method. Here, data replication is operated by Data Services. Its main components are the Data Services Designer, where you model the data flow, and the Data Services Job Server for the execution of the replication jobs. An additional repository is used to store the metadata and the job definitions.For information about installing ETL-based replication, see SAP HANA Installation Guide with SAP HANA Unified Installer.Data FlowAs for any replication scenario you have to define a series of parameters for the two systems involved. Utilizing Data Services you have to set up datastores to define such parameters. You use the Designer to set up datastores.Datastore SetupSetting up a datastore for the source system SAP ERP, choose SAP Applications for the type of datastore, and specify the address of the system, the user name and password allowing Data Services to access the system. Additional settings depend on the type of SAP ERP objects to be read.For the target system of the replication, the SAP HANA database, you have to set up a separate datastore as done for the source system.Data Flow ModelingOnce datastores are set up, Data Services can connect to the source system by RFC. Based on the metadata imported from the ABAP Data Dictionary to Data Services, you can determine the business data to be replicated. Data Services offers replication functions for a variety of data source types. However, for the replication of SAP ERP data to SAP HANA database, we recommend you to use extractors.

Note● You must apply SAP Note 1522554 to fully benefit from the extractor support.● In the source system, the extractors must be released for the replication access by Data Services. In

addition, you have to indicate the primary key, such as the GUID, to enable the correct replication.● The extractors must support delta handling.

Choose the extractors that are relevant for the replication job.Model the data flow for each extractor you have selected: indicate the source for the data flow, which is the extractor. For the target of the replication, choose a template table, which is then used in the SAP HANA database to store the replaced data.Data Flow for Initial Load and UpdateBoth the initial load of business data from the source system into SAP HANA database as well as updating the replicated data (delta handling) is done using SAP Data Services. The initial load can be set up modeling a simple data flow from source to target. For the update, in most cases, the data flow is enhanced by a delta handling element, such as Map_CDC_Operation or Table_Comparison Transform. It depends on the environment and the requested setup of the target tables which data flow design best serves your requirements.Although we recommend you to use delta supporting extractors, you can also use SAP ABAP tables.Replication Job ScheduleSince you can schedule the replication jobs when using Data Services, this method is suitable where the source system must be protected from additional load during the main business hours. In this way, you can shift the replication workload, for example, to the night. As a result, the data that is available for reporting always represents the state reached by the time when the latest replication job was started.Use the Management Console, which comes with Data Services, to schedule replication jobs. You can choose from different tools and methods for the scheduling. You can also use the Management Console to monitor the replication process.Required Software ComponentsThis replication method requires the following main components:

76






● SAP HANA database● SAP BusinessObjects Enterprise● BusinessObjects Enterprise Central Management Server (CMS), which is a part of SAP BusinessObjects

Enterprise● SAP Data Services XI 4.0

Related LinksProduct Availability Matrix (PAM) (search for SAP HANA)

14.2.4 SAP HANA Direct Extractor Connection (DXC)The SAP HANA Direct Extractor Connection (DXC) is a means for providing out-of-the-box foundational data models to SAP HANA, which are based on SAP Business Suite entities. DXC is also a data acquisition method for SAP HANA. The rationale for DXC is essentially simple, low TCO data acquisition for SAP HANA leveraging existing delivered data models.Customer projects may face significant complexity in modeling entities in SAP Business Suite systems. In many cases, data from different areas in SAP Business Suite systems requires application logic to appropriately represent the state of business documents. SAP Business Content DataSource Extractors have been available for many years as a basis for data modeling and data acquisition for SAP Business Warehouse; now with DXC, these SAP Business Content DataSource Extractors are available to deliver data directly to SAP HANA.DXC is a batch-driven data acquisition technique; it should be considered as a form of extraction, transformation and load although its transformation capabilities are limited to user exit for extraction.A key point about DXC is that in many use cases, batch-driven data acquisition at certain intervals is sufficient (for example, every 15 minutes).

Overview of the DXC Rationale● Leverage pre-existing foundational data models of SAP Business Suite entities for use in SAP HANA data mart

scenarios:

○ Significantly reduces complexity of data modeling tasks in SAP HANA○ Speeds up timelines for SAP HANA implementation projects

● Provide semantically rich data from SAP Business Suite to SAP HANA:

○ Ensures that data appropriately represents the state of business documents from ERP○ Application logic to give the data the appropriate contextual meaning is already built into many extractors

● Simplicity/Low TCO:

○ Re-uses existing proprietary extraction, transformation, and load mechanism built into SAP Business Suite systems over a simple http(s) connection to SAP HANA

○ No additional server or application needed in system landscape● Change data capture (delta handling):

○ Efficient data acquisition – only bring new or changed data into SAP HANA○ DXC provides a mechanism to properly handle data from all delta processing types

Default DXC Configuration for SAP Business SuiteDXC is available in different configurations based on the SAP Business Suite system:

● The default configuration is available for SAP Business Suite systems based on SAP NetWeaver 7.0 or higher – such as ECC 6.0.

● The alternative configuration is available for SAP Business Suite systems based on releases lower than SAP NetWeaver 7.0 – such as SAP ERP 4.6, for example.



rights reserved. 77


An SAP Business Suite system is based on SAP NetWeaver. As of SAP NetWeaver version 7.0, SAP Business Warehouse (BW) is part of SAP NetWeaver itself, which means a BW system exists inside SAP Business Suite systems such as ERP (ECC 6.0 or higher). This BW system is referred to as an “embedded BW system”. Typically, this embedded BW system inside SAP Business Suite systems is actually not utilized, since most customers who run BW have it installed on a separate server, and they rely on that one. With the default DXC configuration, we utilize the scheduling and monitoring features of this embedded BW system, but do not utilize its other aspects such as storing data, data warehousing, or reporting / BI. DXC extraction processing essentially bypasses the normal dataflow, and instead sends data to SAP HANA. The following illustration depicts the default configuration of DXC.

An In-Memory DataStore Object (IMDSO) is generated in SAP HANA, which directly corresponds to the structure of the DataSource you are working with. This IMDSO consists of several tables and an activation mechanism. The active data table of the IMDSO can be utilized as a basis for building data models in SAP HANA (attribute views, analytical views, and calculation views).Data is transferred from the source SAP Business Suite system using an HTTP connection. Generally, the extraction and load process is virtually the same as when extracting and loading SAP Business Warehouse – you rely on InfoPackage scheduling, the data load monitor, process chains, etc. – which are all well-known from operating SAP Business Warehouse.

78



NoteDXC does not require BW on SAP HANA. Also with DXC, data is not loaded into the embedded BW system. Instead, data is redirected into SAP HANA.

Related LinksSAP HANA Direct Extractor Connection Implementation GuideEditing DataSources and Application Component HierarchiesEnhancing DataSources

14.2.5 Comparison of Replication MethodsThis table compares the key features of each replication method.

Capability Trigger-Based Replication(SLT Replication)

ETL-Based Replication(Data Services 4.0 – SP2)

Extractor-based Data Acquisition(DXC)

Release coverage SAP R/3 4.6C - SAP ERP 6.0 (EHP06)All other ABAP-based SAP Applications (Basis 4.6C-NW7.02)

ERP 4.6c - SAP ERP 6.0 SAP Business Suite systems based on NetWeaver ABAP 4.6C or higher

Unicode/Non-Unicode Yes Yes Yes

MDMP Partial (If table contains only ASCII characters or language key is included)

Partial (1) Yes – via How to Guide

Transparent Tables Yes Yes Yes- via generic Data Source

Cluster & Pool Tables Yes Yes Yes- via generic Data Source

Non-SAP Sources Yes (for SAP supported DBs only: Informix on project base)

Yes No

Compressed Values DB Table

Yes Yes Yes- via generic Data Source

Row Compression DB Table

Yes Yes Yes- via generic Data Source

DB Support (Source side) All SAP supported DBs, incl. ASE

All SAP supported DBs, incl. ASE, and others: see PAM for full list(no MaxDB support)

All SAP supported DBs

OS Support (Source side) All SAP supported OS All OS supported under ERP (NO impact of source OS on Data Services)

All OS supported under SAP Business Suite systems

Transactional Integrity No No Yes



rights reserved. 79

https://service.sap.com/~sapidb/011000358700000421852012E

http://help.sap.com/saphelp_nw04/helpdata/en/49/ae67401d4988448036b180dc9ec1e6/frameset.htm

http://help.sap.com/saphelp_nw70/helpdata/en/6e/fe6e420f00d242e10000000a1550b0/content.htm

Capability Trigger-Based Replication(SLT Replication)

ETL-Based Replication(Data Services 4.0 – SP2)

Extractor-based Data Acquisition(DXC)

Multi-System Support Multiple source systems to multiple SAP HANA instances

Multiple source systems Multiple source systems

Workload balancing (parallelization of replication)

Yes Yes Yes

Real-time and/or scheduled replication

Real-time and scheduled (on table level)

Scheduled Scheduled or Event driven

Initial Load & Delta replication

Initial load, initial load + delta replication for relevant tables

Initial load + delta replication (for table based needs delta information through timestamp column or through delta enabled extractors)Not recommended for use with DataSource extractors with delta processing types AIM, AIE, AIED, AIMD, ADD, ADDD, and CUBE

Initial load + delta replication, for all delta processing types including AIM, AIE, AIED, AIMD, ADD, ADDD, CUBE etc.

Transformation capabilities

Capabilities for filtering and transforming data, as well as data scrambling. Data filtering can be done either via selective triggers or via replication configuration settings

Complete ETL engine from simple functions to very complex transformations

Limited for extraction, via user exits

Access to performance statistics

Support dashboard Via Data Services own Management Console or through the integration with SAP Solution Manager

Via Monitoring details Tr: RSMO and via Table View: “M_Extractors” in SAP HANA studio

Access to trouble shooting feature

Yes Via Data Services own Management Console or through the integration with SAP Solution Manager

Yes, Via Monitoring details Tr: RSMO, via Table View: “M_Extractors” in SAP HANA studio, and alerts which can be set in statistics server configuration

(1) SAP Data Services will need a fixed code page for each run. In order to process MDMP, the same job will need to get executed multiple times, each time with a different code page and with a WHERE clause on the language key. This would only be manageable for a limited number of code pages.

80



www.sap.com/contactsap

© 2013 SAP AG or an SAP affiliate company. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

http://www.sap.com/contactsap

http://www.sap.com/corporate-en/legal/copyright/index.epx

http://www.sap.com/corporate-en/legal/copyright/index.epx

hana_sec_en

Documents

sap hana authorization

sap hana port

sap hana landscape

sap hana systems5411

sap hana guides

sap hana user management196

sap ag

sap hana administrative