SAP HANA Security: Complete Tutorial

What is Sap Hana Security?

SAP HANA Security is protecting important data from unauthorized access and
ensures that the standards and compliance meet as security standard adopted
by the company.

SAP HANA provides a facility i.e. Multitenant database, in which multiple

databases can be created on single SAP HANA System. It is known as
multitenant database container. So SAP HANA provide all security related
feature for all multitenant database container. 

SAP HANA Provide following security-related feature –

 User and Role Management

 Authorization
 Authentication
 Encryption of data in Persistence Layer
 Encryption of data in Network Layer

SAP HANA User and Role

SAP HANA User and Role management configuration depend on the

architecture as below –

1. 3-Tier Architecture.

SAP HANA can be used as a relational database in a 3-Tier Architecture.

In this architecture, security features (authorization, authentication,

encryption, and auditing) are installed on application server layers.

SAP application (ERP, BW, etc.) connects to database only with the help
of a technical user or database administrator (Basis Person). The end-
user cannot directly access to database or database server.
 2. 2-Tier Architecture.

SAP HANA Extended Application Services (SAP HANA XS) is based

on 2 –Tier Architecture, in which Application server, Web Server and
Development Environment are embedded in a single system.

SAP HANA Authentication

Database user identifies who is accessing the SAP HANA Database. It is
verified through a process Named "Authentication." SAP HANA support many
authentication methods. Single Sign-on (SSO) are used to integrate several
Authentication method.

SAP HANA supports following authentication method -

 Kerberos: It can be used in the following case –

o Directly from JDBC and ODBC Client (SAP HANA Studio).
o When HTTP is used to access SAP HANA XS.
 User Name / Password

When the user enters their database username and password, then SAP
HANA Database authenticate the user.

 Security Assertion Markup Language(SAML)

SAML can be used to authenticate SAP HANA User, who is accessing

SAP HANA Database directly through ODBC/JDBC. It is a process of
mapping external user identity to the internal database user, so user can
login in sap database with the external user id.

 SAP Logon and Assertion Tickets

The user can be authenticated by Logon or Assertion Tickets, which is

configured and issued to the user for creating a ticket.

 X.509 Clients Certificates

When SAP HANA XS Access by HTTP, Client certificates signed by a

trusted Certification authority (CA) can be used to authenticate the user.

SAP HANA Authorization

SAP HANA Authorization is required when a user using client interface (JDBC,
ODBC, or HTTP) to access the SAP HANA database.

Depending on the authorization provided to the user, it can perform database

operations on the database object. This authorization is called, "privileges."

The Privileges can be granted to the user directly or indirectly (through roles).
All Privileges assign to users are combined as a single unit.
When a user tries to access any SAP HANA Database object, HANA System
performs authorization check on the user through user roles and directly grants
the privileges.

When requested Privileges found, HANA system skips further checks and grant
access to request database objects.

In SAP HANA following privileges are their -

Privileges Description
Types

System It controls normal system activity.

Privileges
System Privileges are mainly used for – 

 Creating and Deleting Schema in SAP HANA Database

 Managing user and role in SAP HANA Database
 Monitoring and tracing of SAP HANA database
 Performing data backups
 Managing license
 Managing version
 Managing Audit
 Importing and Exporting content
 Maintaining Delivery Units

Object Object Privileges are SQL privileges that are used to give authorization to read and modify
Privileges database objects. To access database objects user needs object privileges on database objects
on the schema in which database object exists. Object privileges can be granted to catalog
objects (table, view, etc.) or non-catalog objects (development objects). Object Privileges are
below –

 CREATE ANY
 UPDATE, INSERT, SELECT, DELETE, DROP, ALTER, EXECUTE
 INDEX, TRIGGER, DEBUG, REFERENCES
 Analytic Analytic Privileges are used to allow read access on data of SAP HANA Information model
Privileges (attribute view, Analytic View, calculation View). 

 This privilege is evaluated during query processing.

 Analytic Privileges grants different user access on different part of data in the
 Same information view based on user role.
 Analytic Privileges are used in SAP HANA database to provide row level data

Control for individual users to see the data is in the same view.

Package Package Privileges are used to provide authorization for actions on individual packages in SA
Privileges HANA Repository.

Application Application Privileges are required in In SAP HANA Extended Application Services (SAP
Privileges HANA XS) for access application.

Application privileges are granted and revoked through the

proceduresGRANT_APPLICATION_PRIVILEGE and
REVOKE_APPLICATION_PRIVILEGE procedure in the _SYS_REPO schema.

Privileges on It is an SQL Privileges, which can grant by the user on own user.

User
ATTACH DEBUGGER is the only privilege that can be granted to a user.

SAP HANA User Administration and Role Management

To Access SAP HANA Database, users are required. Depending on the
different security policy there are two types of user in SAP HANA as below –

1. Technical User (DBA User) – It is a user who directly work with SAP
HANA database with necessary privileges. Normally, these users don't
get deleted from the database.

These users are created for an administrative task such as creating an

object and granting privileges on database object or on the application.

SAP HANA Database system provides following user by default as

standard user–

 SYSTEM
 SYS
  _SYS_REPO

2. Database or Real User: Each user who wants to work on SAP HANA

database, need a database user. Database user are a real person who
works on SAP HANA.

There are two types of Database user as below –

User Description Role assigned

Type

Standard This user can create objects in an own PUBLIC role is assigned for read system views.
User schema and reads data in system views.
Standard User created with "CREATE
USER" statement.

Restricted Restricted User has no full SQL Access via RESTRICTED_USER_ODBC_ACCESS or

User an SQL Console and created with "CREATE
RESTRICTED USER" statement. If
Privileges required for use of any
application, then they are provided through
the role.
RESTRICTED_USER_JDBC_ACCESS role
required to user for Full Access of ODBC/JDBC
functionality

 Restricted User cannot create

database objects.
 Restricted User cannot view data in
the database.
 Restricted User connects to database
through HTTP Only.
 ODBC/JDBC access for client
connection must be enabled
with SQL statement.

SAP HANA User Administrator have access to the following activity –

1. Create/delete User.
2. Define and Create Role.
3. Grant Role to the user.
 4. Resetting user password.
5. Re-activate / de-activate user according to requirement.

1. Create User in SAP HANA- only database user with ROLE ADMIN

privileges can create user and role in SAP HANA.

Step 1) To create new user in SAP HANA Studio go to security tab as
shown below and follow the following steps;

1. Go to security node.
2. Select Users (Right Click) -> New User.

Step 2) A user creation screen appear.

3. Enter User Name.

4. Enter Password for the user.
5. These are authentication mechanism, by default User name /
password is used for authentication.

By Clicking on the deploy  Button user will be created.

2. Define and Create Role

A role is a collection of privileges that can be granted to other users or role. The
role includes privileges for database object & application and depending on the
nature of the job.

It is a standard mechanism to grant privileges. Privileges can be directly

granted to the user. There are many standard roles (e.g. MODELLING,
MONITORING, etc.) available in SAP HANA database.

We can use the standard role as a template for creating a custom role.

A role can contain following privileges –

 System Privileges for administrative and development task (CATALOG

READ, AUDIT ADMIN, etc.)
 Object Privileges for database objects (SELECT, INSERT, DELETE, etc.)
 Analytic Privileges for SAP HANA Information View
 Package Privileges on repository packages (REPO.READ,
REPO.EDIT_NATIVE_OBJECTS, etc.)
 Application Privileges for SAP HANA XS applications.
 Privileges on the user (For Debugging of procedure).

Role Creation

Step 1) In this step,

1. Go to Security node in SAP HANA System.

2. Select Role Node (Right Click) and select New Role.

Step 2) A role creation screen is displayed.

 1. Give Role name under New Role Block.
2. Select Granted Role tab, and click "+" Icon to add Standard Role or
exiting role.
3. Select Desired role (e.g. MODELLING, MONITORING, etc.)

STEP 3) In this step,

1. Selected Role is added in Granted Roles Tab.

2. Privileges can be assign to the user directly by selecting System
Privileges, object Privileges, Analytic Privileges, Package Privileges, etc.
3. Click on deploy icon to create Role.

Tick option "Grantable to other users and roles", if you want to assign this role
to other user and role.
3. Grant Role to User

STEP 1) In this step, we will Assign Role "MODELLING_VIEW" to another user
"ABHI_TEST".

1. Go to User sub-node under Security node and double click it. User
window will show.
2. Click on Granted roles "+" Icon.
3. A pop-up will appear, Search Role name which will be assign to the user.

STEP 2) In this step, role "MODELLING_VIEW" will be added under Role.

STEP 3) In this step,

1. Click on Deploy Button.

2. A Message " User 'ABHI_TEST" changed is displayed.
4. Resetting User Password

If user password needs to reset, then go to User sub-node under Security node
and double click it. User window will show.

STEP 1) In this step,

1. Enter new password.

2. Enter Confirm password.

STEP 2) In this step,

1. Click on Deploy Button.

2. A message "User 'ABHI_TEST" changed is displayed.

5. Re-Activate/De-activate User

Go to User sub-node under Security node and double click it. User window will
show.

There is De-Activate User icon. Click on it

A confirmation message "Popup" will appear. Click on 'Yes' Button.

A message "User 'ABHI_TEST' deactivated" will be displayed. The De-Activate
icon changes with name "Activate user". Now we can activate user from the
same icon.

SAP HANA License Management

The license key is required to use SAP HANA Database. A license key can be
installed and deleted using SAP HANA Studio, SAP HANA HDBSQL Command
Line tool, and HANA SQL Query editor.

SAP HANA database support two types of license key –

 Permanent License Key: Permanent license keys are valid till expiration

date. We need to request and apply license key before expire. If license
key expires then Temporary License Key are is automatically installed for
28 days.
 Temporary License Key: This is automatically installed with a new SAP
HANA Database Installation. It is valid for 90 days and later can apply for
Permanent key from SAP.

Authorization of License Management

"LICENSE ADMIN" privileges are required for License Management.

SAP HANA Auditing

SAP HANA Auditing features allow you to monitor and record action which is
performed in SAP HANA System. This features should be activated for the
system before creating audit policy.

Authorization for SAP HANA Auditing

"AUDIT ADMIN" System Privileges required for SAP HANA Auditing.

Summary:
In this tutorial, we have learned following topic -

 SAP HANA Security overview.

 SAP HANA Authentication in detail.
 SAP HANA Authorization in detail.
 SAP HANA User Administration method.
 SAP HANA Role Administration method
 SAP HANA license Management process.
 SAP HANA Role Auditing Process