Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

With this blog series we provide an update with the latest information about SAP HANA 2.0 SPS 05.

For the overview post, see What’s New in SAP HANA 2.0 SPS 05.

Any good? Post a comment, share on social media, and/or give a like. Thanks!

What's New - Security

SAP HANA Platform

The SAP HANA 2.0 SPS 05 release introduces a single new feature:

  1. NEW: We can now connect the local secure store (LSS) to SAP Data Custodian key management service.

  2. CHANGED: We can now use LSS for production.

As documented,

For an overview from product management, see

LSS was introduced last year with SPS 04 (non-production single-host single-tenant scenarios), together with

  • SQL commands to create anonymized views, the procedure GET_ANONYMIZATION_VIEW_STATISTICS, plus l-Diversity and k-Anonymity configuration (see Tutorial Video below)

  • CEK and CKP versioning (see Tutorial Video below)

  • Retention period for auditing, read-only access to the trail, plus audit policies for tenant databases

  • GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS procedure to debug "insufficient privilege" errors, which now all return a GUID; as of SAP HANA cockpit SP11 there is also an app for that

  • Host-specific certificate collections for TLS/SSL and provider-specific certificate collections for single sign-on (SSO) using SAML assertions and JSON Web Tokens (JWT) with optional case sensitivity of user matching

  • Object privilege REMOTE TABLE ADMIN authorizes a user to create a table on a remote source object.

As documented (also includes all new features introduced with SPS 03, 02, 01, and 00)

SAP HANA Cockpit

The list of new features for the SAP HANA cockpit and the SAP HANA database explorer is extensive. Most security-relevant information is listed under User Management and Security Administration.

SP 12 (June 2020)

  • Temporarily deactivating a cockpit user

  • Log in to SAP HANA cockpit using Kerberos SSO

  • Configuration wizard for user group management

  • Configuration wizard for audit policies

SP 11 (Oct 2019)

  • Removal of OS-level access from tenant database administrators, e.g. access to trace files, platform lifecycle management tasks, of full system information dumps (offline)

  • App to debug "insufficient privilege" errors by providing GUID plus new authorization dependency viewer

  • Licenses require usage type

  • Cockpit Manager enhancements for resource groups and technical user

As documented (SP00 - SP12)

Tutorial Videos

Data Masking and Data Anonymization

Data masking was introduced with SAP HANA 2.0 SPS 02 in 2017. For an introduction, read

Data anonymization, "knowing without seeing"  was added to SAP HANA in the same release and further enhanced with SPS 04 last year.

For SAP HANA Cloud, philip.mugglestone recently published several excellent video tutorials. This works exactly the same for the SAP HANA platform (on premises)



Client-Side Encryption

Client-side encryption was introduced with SAP HANA 2.0 SPS 03. We posted a blog on the topic at the time including several tutorial videos how to get started. This information is still accurate and valid.

For the changes added in the SPS 04 release, column encryption key and client key pair versioning, see the guide on the topic.

SAP Data Custodian

Key Management Services (KMS)

SAP Data Custodian key management service provides an independent key management service that is separated from the cloud providers hosting your data to protect data in public, private, hybrid, or multi-cloud environments, simplifying provisioning and control of encryption keys.

For more information, visit the product home page, read the solution brief, or the latest blog


You can use the LSS to store the roots keys used for the encryption of the data volume, redo log,  backups, the application encryption service, password of the root key backup, plus any additional configuration information considered sensitive.

Unlike the Secure Stores in the File Server (SSFS) technology used alternatively, LSS runs as a separate service under an isolated operating system user <sid>crypt allowing for a separation of duties between system and security administration.


How to configure SAP HANA to use SAP Data Custodian is documented in the Security Guide and accompanying note.

Key management configuration is performed using SQL. There is no graphical user interface yet, as common with the newest feature, but typically this is added to SAP HANA cockpit in a subsequent Support Pack (SP).

To get information you can query monitoring view KEY_MANAGEMENT_CONFIGURATIONS.

Share and Connect

Enjoyed the blog? Post a comment, share on social media, and/or give a like. Thanks!

If you would like to receive updates, connect with me on


Denys van Kempen

SAP HANA 2.0 - An Introduction

Just getting started with SAP HANA? Or do have a migration to SAP HANA 2.0 coming up? Need a quick update covering business benefits and technology overview. Understand the role of the system administrator, developer, data integrator, security officer, data scientist, data modeler, project manager, and other SAP HANA stakeholders? My latest book about SAP HANA 2.0 covers everything you need to know.

Get it from SAP Press or Amazon:

SAP HANA 2.0 Certification Guide: Technology Associate Exam

Preparing for your SAP HANA 2.0 technology associate exam? Make the grade with this certification study guide! From installation and configuration to monitoring and troubleshooting, this guide will review the key technical and functional knowledge you need to pass with flying colors. Explore test methodology, key concepts for each area, and practice questions and answers. Your path to SAP HANA 2.0 certification begins here!

Pre-order from SAP Press:

For the others posts, see