
How to prevent adhoc logons to SAP HANA using SAPSID

david_j_hays
Explorer

As I attempt to implement procedures to safeguard our HANA Data, I have run into a challenge in which I need to prevent ad-hoc logins to HANA using the SAP Data Owner (SAPSID) account. This is the only account in the database with privileges that allow for the modification of SAP application data. From an auditing perspective it should only be used by the SAP application. I find no way to enforce such a safeguard.

I do not see any means of restricting connections to a whitelist of sources (hostname/address/application_name/etc).
Nor do I see any means of denying connections from a blacklist of sources (hostname/address/application_name/etc).

Worst of all, I cannot produce an audit trail of any activity done in such an ad-hoc session. (Auditing SAPSID is of course out of the question).

Logon Triggers get a bad rap, but one would be very handy given the lack of built-in functionality here.

Has anyone had success in implementing such safeguards?

Accepted Solutions (0)

Answers (3)


david_j_hays
Explorer

This is really an interesting idea! It would require a lot of testing to make sure that it works without any unexpected impact. I am going to attempt to do some testing in a sandbox environment and update here.

Cocquerel
Active Contributor

An idea that may work, but that I haven't tried, would be to use workload classes.

You would create 2 workload classes:

- one with "no limit"

- one with a "strong limit" such that any statement will fail, for example by setting ADMISSION CONTROL REJECT MEMORY THRESHOLD to 1% only.

Then, you would create 2 mappings:

- one mapping for the "no limit" workload class to identify statements coming from the ABAP stack. You may use the following attributes for this: APPLICATION NAME='ABAP:<SID>' and USER NAME='SAP<SID>'

- one other mapping for the "strong limit" workload class to identify statements coming from other clients. In this case, just USER NAME='SAP<SID>' would be used.

The class with the most specific match is mapped to the database client.
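The following is an added worked example of the two-class, two-mapping layout described above, written in SAP HANA SQL; it is not code from the answer's author or from SAP. The SID "XYZ", the class and mapping names, and the 1% threshold are assumed placeholders; replace them with your own values and test in a sandbox first, since the reject threshold only takes effect where admission control is active.

```sql
-- Added example (not part of the original answer): workload classes that let the
-- ABAP application server use SAP<SID> normally while starving ad-hoc sessions.
-- Placeholders: SID = XYZ, so the schema owner is SAPXYZ and the ABAP stack
-- reports APPLICATION NAME = 'ABAP:XYZ'.

-- 1. "No limit" class: no resource properties set, so statements run unrestricted.
CREATE WORKLOAD CLASS "WLC_SAPXYZ_ABAP";

-- 2. "Strong limit" class: admission control rejects nearly every statement.
--    1% is an assumed illustrative value; effectively any load exceeds it.
CREATE WORKLOAD CLASS "WLC_SAPXYZ_BLOCK"
    SET 'ADMISSION CONTROL REJECT MEMORY THRESHOLD' = '1';

-- 3. Most specific mapping: user AND application name identify the ABAP stack.
CREATE WORKLOAD MAPPING "WLM_SAPXYZ_ABAP" WORKLOAD CLASS "WLC_SAPXYZ_ABAP"
    SET 'USER NAME' = 'SAPXYZ',
        'APPLICATION NAME' = 'ABAP:XYZ';

-- 4. Less specific mapping: any other client connecting as SAPXYZ lands here.
--    The mapping matching more properties wins, so ABAP sessions are not caught.
CREATE WORKLOAD MAPPING "WLM_SAPXYZ_OTHER" WORKLOAD CLASS "WLC_SAPXYZ_BLOCK"
    SET 'USER NAME' = 'SAPXYZ';

-- 5. Verify what was created.
SELECT WORKLOAD_CLASS_NAME, PROPERTY_NAME, PROPERTY_VALUE
  FROM WORKLOAD_CLASSES
 WHERE WORKLOAD_CLASS_NAME LIKE 'WLC_SAPXYZ%';

SELECT WORKLOAD_MAPPING_NAME, WORKLOAD_CLASS_NAME, PROPERTY_NAME, PROPERTY_VALUE
  FROM WORKLOAD_MAPPINGS
 WHERE WORKLOAD_MAPPING_NAME LIKE 'WLM_SAPXYZ%';

-- 6. Detection check: which hosts and client applications currently hold
--    SAPXYZ sessions. Anything whose APPLICATION is not 'ABAP:XYZ' is an
--    ad-hoc session worth investigating.
SELECT c.CONNECTION_ID, c.CLIENT_HOST, c.CLIENT_IP, c.CLIENT_PID, s.VALUE AS APPLICATION
  FROM M_CONNECTIONS c
  LEFT JOIN M_SESSION_CONTEXT s
    ON s.CONNECTION_ID = c.CONNECTION_ID AND s.KEY = 'APPLICATION'
 WHERE c.USER_NAME = 'SAPXYZ';
```

Note that the application name is supplied by the client and can be set by any client that chooses to, so this is a guard against casual ad-hoc use rather than a hard boundary; combine it with the network-level restrictions suggested in the other answer and with regular review of the session query in step 6.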

mamartins
Active Contributor

The best recommendation that can be given is to put the HANA server on a VLAN behind a firewall and put ACLs on the firewall to restrict connections to the HANA management interface.