Wednesday, 18 May 2016

SAP HANA SPS 12 What's New: Security - by the SAP HANA Academy

In the upcoming weeks we will be posting new videos to the SAP HANA Academy to show new features and functionality introduced with SAP HANA Support Package Stack (SPS) 12.

For Security for the SPS 11 release, see SAP HANA SPS 11 What's New: Security - by the SAP HANA Academy

Overview Video

SAP HANA Security - SPS 12 - YouTube

What's New?

Security Administration with SAP HANA Cockpit

The tile catalog SAP HANA Security Overview has a new tile: Authentication, which lists the status of the password policy and any SSO configuration. The tile opens the Password Policy and Blacklist app.


The new Password Policy and Blacklist app allows you to view and edit password policy and blacklist of the SAP HANA database. In previous versions, SAP HANA studio was required for these tasks.


The Auditing tile now allows you to configure auditing: enable/disable, audit trail targets and create/change/delete audit policies. In previous versions, SAP HANA studio was required for these tasks.


The Data Volume Encryption app now allows you to change the root key used for data volume encryption. Alternatively, the root key can be changed using SQL (see below). In previous versions, the command line tool hdbnsutil was required to perform this task.


You can also see a history of root key changes using the view M_PERSISTENCE_ENCRYPTION_KEYS.

Authorization

Two new system views are available for analysing user authorisations:
  • EFFECTIVE_PRIVILEGE_GRANTEES
  • EFFECTIVE_ROLE_GRANTEES



Two new roles are available to support users administrating SAP HANA using SAP Solution Manager and SAP NetWeaver tools:
  • sap.hana.admin.roles::SolutionMangagerMonitor
  • sap.hana.admin.roles::RestrictedUserDBSLAccess

Authentication

You can now disable authentication mechanisms that are not used in your environment.


SAP HANA smart data access now supports SSO with Kerberos and Microsoft Active Directory for connections to SAP HANA remote sources.

Encryption

You can change the root key for data volume encryption using either SAP HANA cockpit or SQL (note that no native UI for HANA studio has been included).
SQL> ALTER SYSTEM PERSISTENCE ENCRYPTION CREATE NEW ROOT KEY

SAP HANA studio now support client certification validation for the SAP HANA database connection


The SAP HANA user store (hdbuserstore) now also supports JDBC connections and multitenant databases.

Auditing

Several new user actions in the SAP HANA database can now be audited:
  • CREATE | ALTER | DROP PSE
  • CREATE | DROP CERTIFICATES
  • CREATE | DROP SCHEMA

Cross-database queries in SAP HANA multitenant database containers are now audited in the tenant database in which the query is executed.

The maximum length of a statement can set set using the system parameter audit_statement_length in section [auditing configuration] of global.ini.

Security Checklists and Recommendations

A new guide has been added to the SAP HANA documentation set: SAP HANA Security Checklists and Recommendations. This guide extends and replaces the Security Configuration Checklist paragraph from the SAP HANA Security Guide.


Security for SAP HANA Extended Application Services, Advanced Model

A new paragraph has been added to the SAP HANA Security Guide on the topic of Extended Application Services:

Source: scn.sap.com