SAP HANA 2.0 SPS 03 What’s New: Security – by the ...
In the upcoming weeks, we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced in SAP HANA 2.0 Support Package Stack (SPS) 03.
The topic of this blog is SAP HANA Database Security.
As of SPS 03, SAP HANA provides native support for data anonymization. This allows you to gain statistically valid insights from data containing personal or sensitive information while protecting the privacy of individuals.
SAP S/4HANA and other ABAP-based SAP applications use authorization objects to control access. As of SPS 03, you can create analytic privileges in SAP HANA that leverage these ABAP authorization objects.
The new built-in procedure SYS.GENERATE_STRUCTURED_PRIVILEGE_PFCG_CONDITION connects both worlds. PFCG is the role maintenance transaction for the Profile Generator.
As of SPS 03, SAP HANA can now automatically create database accounts for LDAP users and map their LDAP roles. This can significantly reduce complexity and cost for maintaining users and authorizations in larger system landscapes.
For this to work, the LDAP provider needs to be enabled for user creation and the user needs to be a member of at least one LDAP/HANA mapped group.
CREATE LDAP PROVIDER my_ldap_provider [...]
ENABLE USER CREATION FOR LDAP
[USER TYPE { STANDARD | RESTRICTED }]
Database user passwords are now stored in hashed and salted form with PBKDF2 (Password-Based Key Derivation Function 2), using the SHA-256 secure hash algorithm and 15,000 iterations.
If you are not at home in the jargon of cryptography, you might find this article helpful.
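The salted PBKDF2 scheme described above, sketched in Python as an added example; it is not SAP HANA's code or its internal storage format. Only PBKDF2, SHA-256 and the 15,000 iterations come from the text; the record layout, the 16-byte salt length and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 15_000  # iteration count stated in the text above
SALT_LEN = 16        # assumption: the text does not give a salt length
ALGO = "sha256"      # PBKDF2 with HMAC-SHA-256


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    if salt is None:
        # A fresh random salt per password means equal passwords do not
        # produce equal stored hashes, and precomputed tables do not apply.
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != f"pbkdf2-{ALGO}":
        return False
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a stored record was derived with fewer iterations than policy."""
    return int(record.split("$")[1]) < target_iterations


if __name__ == "__main__":
    rec = hash_password("Constructed-Sample-Pw1")  # constructed sample input
    print(rec)
    print(verify_password("Constructed-Sample-Pw1", rec))
    print(verify_password("wrong-guess", rec))
```

Storing the iteration count next to the salt is what lets a later policy change be detected per record with `needs_rehash`.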
The default status of data-at-rest encryption services in tenant databases is no longer inherited from the system database but is now controlled in the system database with parameters in the new database_initial_encryption section of the global.ini configuration file.
With client-side data encryption, you can encrypt columns using an encryption key accessible only by the client, which means that column data is encrypted and decrypted only on the client.
There is a full playlist on the topic on the Academy, explaining Setup, Configuration, Export/Import, DML/DDL.
The SAP HANA Academy provides technical enablement, implementation and adoption support for customers and partners with 1000’s of free tutorial videos.