SAP HANA Security - Complete Tutorial

Uploaded by

fathimashaik86
Copyright
© © All Rights Reserved
SAP HANA Security: Complete Tutorial


What is SAP HANA Security?
SAP HANA Security protects important data from unauthorized access and ensures that the system meets the security standards and compliance requirements adopted by the company.

SAP HANA provides multitenant database containers, a facility in which multiple databases can be created on a single SAP HANA system. SAP HANA provides all security-related features for every multitenant database container.

SAP HANA provides the following security-related features –

User and Role Management
Authorization
Authentication
Encryption of data in Persistence Layer
Encryption of data in Network Layer

SAP HANA User and Role

SAP HANA User and Role management configuration depends on the architecture, as below –

1. 3-Tier Architecture.
SAP HANA can be used as a relational database in a 3-Tier Architecture.

In this architecture, security features (authorization, authentication, encryption, and auditing) are installed on application server layers.
The SAP application (ERP, BW, etc.) connects to the database only through a technical user or database administrator (Basis person). The end user cannot directly access the database or the database server.


2. 2-Tier Architecture.
SAP HANA Extended Application Services (SAP HANA XS) is based on a 2-Tier Architecture, in which the application server, web server and development environment are embedded in a single system.


SAP HANA Authentication

A database user identifies who is accessing the SAP HANA database. The identity is verified through a process named "authentication". SAP HANA supports many authentication methods. Single Sign-On (SSO) is used to integrate several authentication methods.

SAP HANA supports the following authentication methods –

Kerberos
It can be used in the following cases –
Directly from JDBC and ODBC clients (SAP HANA Studio).
When HTTP is used to access SAP HANA XS.

User Name / Password
When the user enters their database user name and password, the SAP HANA database authenticates the user.

Security Assertion Markup Language (SAML)
SAML can be used to authenticate an SAP HANA user who is accessing the SAP HANA database directly through ODBC/JDBC. It is a process of mapping an external user identity to the internal database user, so the user can log in to the SAP HANA database with the external user ID.

SAP Logon and Assertion Tickets
The user can be authenticated by logon or assertion tickets that are configured and issued to the user.

X.509 Client Certificates
When SAP HANA XS is accessed over HTTP, client certificates signed by a trusted Certification Authority (CA) can be used to authenticate the user.

SAP HANA Authorization
SAP HANA authorization is required when a user uses a client interface (JDBC, ODBC, or HTTP) to access the SAP HANA database.

Depending on the authorization granted, the user can perform database operations on database objects. These authorizations are called "privileges."

Privileges can be granted to the user directly or indirectly (through roles). All privileges assigned to a user are combined as a single unit.

When a user tries to access any SAP HANA database object, the HANA system performs an authorization check on the user through the user's roles and directly granted privileges.

When the requested privileges are found, the HANA system skips further checks and grants access to the requested database objects.

SAP HANA has the following privileges –

Privilege Types and Description

System Privileges
These control normal system activity. System privileges are mainly used for –
Creating and deleting schemas in the SAP HANA database
Managing users and roles in the SAP HANA database
Monitoring and tracing of the SAP HANA database
Performing data backups
Managing licenses
Managing versions
Managing audits
Importing and exporting content
Maintaining delivery units

Object Privileges
Object privileges are SQL privileges that are used to give authorization to read and modify database objects. To access database objects, a user needs object privileges on the database objects or on the schema in which the database objects exist. Object privileges can be granted on catalog objects (table, view, etc.) or non-catalog objects (development objects). Object privileges are as below –
CREATE ANY
UPDATE, INSERT, SELECT, DELETE, DROP, ALTER, EXECUTE
INDEX, TRIGGER, DEBUG, REFERENCES

Analytic Privileges
Analytic privileges are used to allow read access to data in SAP HANA information models (attribute view, analytic view, calculation view).
This privilege is evaluated during query processing.
Analytic privileges grant different users access to different parts of the data in the same information view, based on user role.
Analytic privileges are used in the SAP HANA database to provide row-level data control for individual users who see data in the same view.

Package Privileges
Package privileges are used to provide authorization for actions on individual packages in the SAP HANA repository.

Application Privileges
Application privileges are required in SAP HANA Extended Application Services (SAP HANA XS) to access an application.
Application privileges are granted and revoked through the procedures GRANT_APPLICATION_PRIVILEGE and REVOKE_APPLICATION_PRIVILEGE in the _SYS_REPO schema.

Privileges on User
It is an SQL privilege that a user can grant on their own user.
ATTACH DEBUGGER is the only privilege that can be granted to a user.
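
The combination of directly granted and role-derived privileges described above can be reviewed from SQL. The queries below are an added example, not part of the original tutorial; they read the SAP HANA system views GRANTED_PRIVILEGES, GRANTED_ROLES and EFFECTIVE_PRIVILEGES, and ABHI_TEST (the sample user this page uses in its later steps) stands in for the user under review.

```sql
-- Added example: review where a user's privileges come from.
-- ABHI_TEST is a sample user name; replace it with the user under review.

-- 1. Privileges granted directly to the user (not through a role).
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'ABHI_TEST'
   AND GRANTEE_TYPE = 'USER'
 ORDER BY OBJECT_TYPE, PRIVILEGE;

-- 2. Roles granted directly to the user.
SELECT ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'ABHI_TEST'
   AND GRANTEE_TYPE = 'USER';

-- 3. The combined set that the authorization check works with.
--    GRANTEE_TYPE = 'USER' rows are direct grants; 'ROLE' rows arrive
--    through the role named in GRANTEE (including nested roles).
--    EFFECTIVE_PRIVILEGES must be filtered on USER_NAME with "=".
SELECT GRANTEE_TYPE, GRANTEE, PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'ABHI_TEST'
 ORDER BY GRANTEE_TYPE, GRANTEE, PRIVILEGE;

-- 4. Least-privilege check: privileges the user is able to pass on to others.
SELECT GRANTEE, PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'ABHI_TEST'
   AND IS_GRANTABLE = 'TRUE';
```

Rows in query 1 are the ones most often missed in role-based reviews, because they do not disappear when a role is revoked.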

SAP HANA User Administration and Role Management

To access the SAP HANA database, users are required. Depending on the security policy, there are two types of user in SAP HANA, as below –

1. Technical User (DBA User) – A user who works directly with the SAP HANA database with the necessary privileges. Normally, these users don't get deleted from the database.
These users are created for administrative tasks such as creating objects and granting privileges on database objects or on the application.

The SAP HANA database system provides the following standard users by default –

SYSTEM
SYS
_SYS_REPO

2. Database or Real User: Each user who wants to work on the SAP HANA database needs a database user. Database users are real persons who work on SAP HANA.
There are two types of database user, as below –

Standard User
Description: This user can create objects in its own schema and read data in system views. A standard user is created with the "CREATE USER" statement.
Role assigned: The PUBLIC role is assigned for reading system views.

Restricted User
Description: A restricted user has no full SQL access via an SQL console and is created with the "CREATE RESTRICTED USER" statement. If privileges are required for use of any application, they are provided through a role.
A restricted user cannot create database objects.
A restricted user cannot view data in the database.
A restricted user connects to the database through HTTP only.
ODBC/JDBC access for client connections must be enabled with an SQL statement.
Role assigned: The RESTRICTED_USER_ODBC_ACCESS or RESTRICTED_USER_JDBC_ACCESS role is required for full access to ODBC/JDBC functionality.

An SAP HANA user administrator can perform the following activities –

1. Create/delete users.
2. Define and create roles.
3. Grant roles to users.
4. Reset user passwords.
5. Re-activate / de-activate users according to requirement.

1. Create User in SAP HANA – Only a database user with ROLE ADMIN privileges can create users and roles in SAP HANA.
Step 1) To create a new user in SAP HANA Studio, go to the Security tab and follow these steps:

1. Go to the Security node.
2. Select Users (right click) -> New User.

Step 2) A user creation screen appears.

1. Enter the user name.
2. Enter a password for the user.
3. The authentication mechanisms are listed here; by default, user name / password is used for authentication.

Click the Deploy button to create the user.

2. Define and Create Role

A role is a collection of privileges that can be granted to other users or roles. A role includes privileges for database objects and applications, depending on the nature of the job.

It is a standard mechanism to grant privileges. Privileges can also be granted directly to the user. There are many standard roles (e.g. MODELLING, MONITORING, etc.) available in the SAP HANA database.

We can use a standard role as a template for creating a custom role.

A role can contain the following privileges –

System Privileges for administrative and development tasks (CATALOG READ, AUDIT ADMIN, etc.)
Object Privileges for database objects (SELECT, INSERT, DELETE, etc.)
Analytic Privileges for SAP HANA information views
Package Privileges on repository packages (REPO.READ, REPO.EDIT_NATIVE_OBJECTS, etc.)
Application Privileges for SAP HANA XS applications
Privileges on the user (for debugging of procedures)

Role Creation

Step 1) In this step,

1. Go to the Security node in the SAP HANA system.
2. Select the Role node (right click) and select New Role.

Step 2) A role creation screen is displayed.

1. Give the role a name under the New Role block.
2. Select the Granted Roles tab, and click the "+" icon to add a standard role or an existing role.
3. Select the desired role (e.g. MODELLING, MONITORING, etc.)

Step 3) In this step,

1. The selected role is added in the Granted Roles tab.
2. Privileges can be assigned to the user directly by selecting System Privileges, Object Privileges, Analytic Privileges, Package Privileges, etc.
3. Click the Deploy icon to create the role.

Tick the option "Grantable to other users and roles" if you want to assign this role to other users and roles.

3. Grant Role to User

Step 1) In this step, we will assign the role "MODELLING_VIEW" to another user, "ABHI_TEST".

1. Go to the User sub-node under the Security node and double click it. The User window will show.
2. Click the "+" icon under Granted Roles.
3. A pop-up will appear. Search for the name of the role to be assigned to the user.

Step 2) In this step, the role "MODELLING_VIEW" will be added under Role.

Step 3) In this step,

1. Click the Deploy button.
2. A message "User 'ABHI_TEST' changed" is displayed.

4. Resetting User Password

If a user password needs to be reset, go to the User sub-node under the Security node and double click it. The User window will show.

Step 1) In this step,

1. Enter the new password.
2. Enter the password again to confirm it.

Step 2) In this step,

1. Click the Deploy button.
2. A message "User 'ABHI_TEST' changed" is displayed.

5. Re-Activate/De-activate User

Go to the User sub-node under the Security node and double click it. The User window will show.

There is a De-Activate User icon. Click on it.

A confirmation pop-up will appear. Click the 'Yes' button.

A message "User 'ABHI_TEST' deactivated" will be displayed. The De-Activate icon changes its name to "Activate user". Now we can activate the user from the same icon.
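
The five administration activities above can also be carried out in the SQL console, which makes them scriptable and easy to verify. This is an added example, not part of the original tutorial: the passwords, the schema SALES_DATA and the user XS_APP_USER are constructed placeholders, and MODELLING_VIEW is created here as a custom role with the name used in step 3.

```sql
-- Added example: SQL equivalents of the SAP HANA Studio steps above.
-- Assumes a session holding the USER ADMIN and ROLE ADMIN system privileges.
-- Passwords, SALES_DATA and XS_APP_USER are constructed placeholders.

-- 1. Create the user. With the default password policy, a password set by
--    an administrator must be changed by the user at first logon.
CREATE USER ABHI_TEST PASSWORD "Initial#Pw2024";

-- 2. Define a custom role and put the privileges on the role, not the user.
CREATE ROLE MODELLING_VIEW;
GRANT SELECT ON SCHEMA SALES_DATA TO MODELLING_VIEW;

-- 3. Grant the role to the user. Adding WITH ADMIN OPTION would correspond
--    to ticking "Grantable to other users and roles"; it is left out here.
GRANT MODELLING_VIEW TO ABHI_TEST;

-- 4. Reset the user's password.
ALTER USER ABHI_TEST PASSWORD "Reset#Pw2024";

-- 5. Deactivate the user, then activate it again.
ALTER USER ABHI_TEST DEACTIVATE USER NOW;
ALTER USER ABHI_TEST ACTIVATE USER NOW;

-- Restricted user from the user-type table: no object creation and no
-- ODBC/JDBC access until the access role is granted explicitly.
CREATE RESTRICTED USER XS_APP_USER PASSWORD "Initial#Pw2024";
GRANT RESTRICTED_USER_JDBC_ACCESS TO XS_APP_USER;

-- Verify the result instead of relying on the status message.
SELECT USER_NAME, IS_RESTRICTED, USER_DEACTIVATED, PASSWORD_CHANGE_NEEDED
  FROM SYS.USERS
 WHERE USER_NAME IN ('ABHI_TEST', 'XS_APP_USER');

SELECT GRANTEE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE IN ('ABHI_TEST', 'XS_APP_USER');
```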

SAP HANA License Management

A license key is required to use the SAP HANA database. A license key can be installed and deleted using SAP HANA Studio, the SAP HANA HDBSQL command line tool, and the HANA SQL query editor.

The SAP HANA database supports two types of license key –

Permanent License Key: Permanent license keys are valid until their expiration date. We need to request and apply a new license key before the current one expires. If the license key expires, a temporary license key is automatically installed for 28 days.
Temporary License Key: This is automatically installed with a new SAP HANA database installation. It is valid for 90 days, and a permanent key can later be requested from SAP.

Authorization of License Management

"LICENSE ADMIN" privileges are required for license management.

SAP HANA Auditing

SAP HANA auditing features allow you to monitor and record actions performed in the SAP HANA system. This feature should be activated for the system before creating an audit policy.

Authorization for SAP HANA Auditing

The "AUDIT ADMIN" system privilege is required for SAP HANA auditing.

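The order described above, activating auditing for the system and then creating audit policies, looks as follows in SQL. This is an added example, not part of the original tutorial; the policy names USER_ROLE_ADMIN and AUTHORIZATION_CHANGES are hypothetical, and the session is assumed to hold the AUDIT ADMIN system privilege.

```sql
-- Added example: activate auditing, then audit user, role and privilege changes.
-- Assumes a session holding the AUDIT ADMIN system privilege.
-- The policy names are hypothetical.

-- 1. Activate auditing for the system. Policies created while this
--    is 'false' record nothing.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;

-- 2. Record every attempt (successful or not) to create, change or
--    drop users and roles.
CREATE AUDIT POLICY USER_ROLE_ADMIN
  AUDITING ALL
    CREATE USER, ALTER USER, DROP USER,
    CREATE ROLE, DROP ROLE
  LEVEL CRITICAL;

-- 3. Record successful changes to who holds which role or privilege.
CREATE AUDIT POLICY AUTHORIZATION_CHANGES
  AUDITING SUCCESSFUL
    GRANT PRIVILEGE, REVOKE PRIVILEGE,
    GRANT ROLE, REVOKE ROLE
  LEVEL INFO;

-- 4. A new policy is inactive until it is enabled.
ALTER AUDIT POLICY USER_ROLE_ADMIN ENABLE;
ALTER AUDIT POLICY AUTHORIZATION_CHANGES ENABLE;

-- 5. Confirm what is audited and that both policies are active.
SELECT AUDIT_POLICY_NAME, EVENT_ACTION, EVENT_STATUS, EVENT_LEVEL,
       IS_AUDIT_POLICY_ACTIVE
  FROM SYS.AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME IN ('USER_ROLE_ADMIN', 'AUTHORIZATION_CHANGES')
 ORDER BY AUDIT_POLICY_NAME, EVENT_ACTION;
```
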
Summary:

In this tutorial, we have learned the following topics –

SAP HANA Security overview.
SAP HANA Authentication in detail.
SAP HANA Authorization in detail.
SAP HANA User Administration method.
SAP HANA Role Administration method.
SAP HANA License Management process.
SAP HANA Role Auditing process.
