on 2022 Dec 09 3:30 PM
As I attempt to implement procedures to safeguard our HANA Data, I have run into a challenge in which I need to prevent ad-hoc logins to HANA using the SAP Data Owner (SAPSID) account. This is the only account in the database with privileges that allow for the modification of SAP application data. From an auditing perspective it should only be used by the SAP application. I find no way to enforce such a safeguard.
I do not see any means of restricting connections to a whitelist of sources (hostname/address/application_name/etc).
Nor do I see any means of denying connections from a blacklist of sources (hostname/address/application_name/etc).
Worst of all, I cannot produce an audit trail of any activity done in such an ad-hoc session. (Auditing SAPSID is of course out of the question).
Logon Triggers get a bad rap, but one would be very handy given the lack of built-in functionality here.
Has anyone had success in implementing such safeguards?
The best recommendation that can be given is to put the HANA server on a VLAN behind a firewall and put an ACL on the firewall to restrict connections to the HANA management interface.
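As an added example (not part of the original thread or of the answer above): alongside a network ACL, exported connection records can be checked for owner-account sessions that did not originate from an application server. The record layout, the account name, the subnets and the sample rows are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions (not from the thread): owner account name, application-server
# subnets and the record layout are constructed for illustration.
OWNER_ACCOUNT = "SAPSID"
APP_SERVER_NETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/28", "10.20.31.5/32")]

@dataclass(frozen=True)
class Conn:
    timestamp: str
    user: str
    client_ip: str
    application: str  # client-supplied, so reported but never used for the decision

def is_allowed_source(client_ip: str) -> bool:
    """True only if the address parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # a missing or unparseable source is treated as not allowlisted
    return any(addr in net for net in APP_SERVER_NETS)

def adhoc_owner_sessions(conns):
    """Return owner-account sessions that did not come from an application server."""
    return [c for c in conns
            if c.user.upper() == OWNER_ACCOUNT and not is_allowed_source(c.client_ip)]

# Constructed sample records (hypothetical values)
SAMPLE = [
    Conn("2022-12-09T15:01:12", "SAPSID", "10.20.30.4", "ABAP:SID"),
    Conn("2022-12-09T15:02:40", "SAPSID", "10.99.7.21", "HDBStudio"),
    Conn("2022-12-09T15:03:05", "MONITOR", "10.99.7.21", "hdbsql"),
    Conn("2022-12-09T15:04:59", "sapsid", "", "hdbsql"),
    Conn("2022-12-09T15:06:30", "SAPSID", "10.20.31.5", "ABAP:SID"),
]

if __name__ == "__main__":
    for c in adhoc_owner_sessions(SAMPLE):
        print(f"{c.timestamp} {c.user} from {c.client_ip or '<unknown>'} via {c.application}")
```

Records with an empty or malformed source address are flagged rather than skipped, so a gap in the exported data shows up as a finding.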