What's New? SAP HANA SPS 07
Security
(Delta from SPS 06 to SPS 07)
SAP HANA Product Management

November, 2013
  • XS Administration Tool: Web-based tool that enables you to configure and maintain the basic administration-related elements of the application-development process and environment.
  • User mapping is not supported.
  • In SPS 6, this functionality was only available as an SQL command.
  • The design-time objects that are stored in the SAP HANA database repository can be transported to other SAP HANA database repository installations and delivered to customers. The transport granularity is the delivery unit (DU). Every repository object belongs to a package. A package can contain an arbitrary number of objects of different types. A package can be assigned to a DU.
  • Use case: development of SAP HANA applications, e.g. if something works for everyone else, but not in your session. Example: Developer Bob wants to authorize developer Alice to debug a procedure in Bob’s session.
  • SAP HANA smart data access can be used, for example, in SAP Business Warehouse installations running on SAP HANA to integrate data from remote sources. Note: There are also system privileges required for smart data access, but they have been available in SAP HANA studio since SAP HANA SPS 6 and are therefore not listed here.
  • Data volume encryption was introduced with SPS 5, but could only be configured using SQL until now. Data volume encryption uses the AES-256-CBC algorithm. During database start-up, administrator interaction is not required. The data volume root key is stored using the SAP NetWeaver secure storage in the file system (SSFS) functionality and is automatically retrieved from there.
  • For access to the SAP HANA database via XS, SSL encryption could already be enforced for client connections in SPS 6. For internal communication between nodes in a scale-out instance, communication automatically uses SSL if this has been configured.
  • System replication is a mechanism for ensuring the high availability of SAP HANA systems. Through the continuous replication of data from a primary to a secondary system, including in-memory loading, system replication facilitates rapid failover in the event of a disaster. Productive operations can be resumed with minimal downtime. For more information (e.g. for scenarios involving more than two systems), see the SAP HANA Security Guide.
  • Auditing allows you to monitor and record selected actions performed in your system. In other words, it provides you with visibility on who did what (or tried to do what) and when. The following actions are typically audited:
      o Changes to user authorization
      o Creation or deletion of database objects
      o Authentication of users
      o Changes to system configuration
      o Access to or changing of sensitive information
  • Note: For test purposes in non-production systems, you can also use a CSV text file as the audit trail. A separate CSV file is created for every service that executes SQL.
  • Note: Users must exist before they can be specified in an audit policy
  • HANA SPS07 Security

    1. What's New? SAP HANA SPS 07 Security (Delta from SPS 06 to SPS 07)
        SAP HANA Product Management
        November, 2013
    2. Agenda
        • Authentication
        • User/role management
        • Authorization
        • Encryption
        • Audit logging
        • Documentation
        © 2013 SAP AG. All rights reserved. Public 2
    3. Authentication
    4. What’s New in SAP HANA SPS 07: Security. SPNEGO support for SAP HANA XS
        SPNEGO (Kerberos with Simple and Protected GSSAPI Negotiation Mechanism) is now available as an authentication option for SAP HANA XS.
        Configuration
        1. In Microsoft Active Directory, for each host and alias, register new service principal names and map them to the (potentially already existing) SAP HANA service user
        2. On the SAP HANA server, add the keys for the new service principal names to the keytab
        3. In SAP HANA, configure the Kerberos user mapping for the user
           Note: If the user mapping has already been set up for Kerberos authentication for SQL access, you do not have to change anything here
        4. Using the SAP HANA XS Administration Tool (http://<host>:80<sysno>/sap/hana/xs/admin/), select SPNEGO as authentication method for the user
    5. SAP Logon Ticket and SAP Assertion Ticket support
        SAP Logon Tickets and SAP Assertion Tickets are now supported for both SQL and XS access.
        Prerequisites
        • A separate trust store for SAP Logon and Assertion tickets has been configured
        • System privilege USER ADMIN
        Configuration
        1. In the Systems view in SAP HANA studio, choose Security
        2. Create a new user by right-clicking on Users and choosing New User
        3. Select the authentication method(s) and choose the (Deploy) button
        Notes
        • Prior to SPS 07, SAP HANA implicitly selected both user name/password and SAP Logon Tickets as authentication methods for new users. Now you have to explicitly set authentication options for new users
        • To re-enable the old behavior for SAP Logon Tickets, a new configuration parameter has been introduced (Indexserver.ini -> authentication -> SapLogonTicketEnabledForNewUsers). See also SAP Note 1927949
    6. Password policy changes/additions (I)
        The mandatory periodic password change can now be re-enabled using SQL
        • In some situations it may be required to exclude specific users from the mandatory periodic password change, for example the technical user that is used by an application server to connect to the database
        • Prerequisites: System privilege USER ADMIN
        • Syntax:
            ALTER USER <user_name> DISABLE PASSWORD LIFETIME
            ALTER USER <user_name> ENABLE PASSWORD LIFETIME
        Changed default for maximum_unused_initial_password_lifetime
        • This parameter specifies the number of days for which initial user passwords are valid. If a user has not logged on within this period of time, the password becomes invalid; the user administrator can reset it if still needed.
        • New default: 7 days (formerly 28 days)
        • Prerequisites: System privilege USER ADMIN
        • To change this parameter, in the Systems view of SAP HANA studio choose Security -> Password Policy -> Lifetime of Initial Password
    7. Password policy changes/additions (II)
        Option to set configuration parameter password_lock_time to infinity
        password_lock_time is the time for which a user is locked after having exhausted the maximum number of failed logon attempts.
        Prerequisites
        • System privilege USER ADMIN
        Configuration
        – In the Systems view in SAP HANA studio, choose Security -> Password Policy and in the User Lock Settings select Lock indefinitely
        – When setting the parameter using SQL, use the value -1
    8. User/role management
    9. Set validity period for user in SAP HANA studio
        You can now set the validity period for a user in SAP HANA studio.
        Prerequisites
        • System privilege USER ADMIN
        Configuration
        1. In the Systems view in SAP HANA studio, choose Security
        2. Expand Users and double-click on the user for which you want to set the validity period, or create a new user by right-clicking on Users and choosing New User
        3. Enter the validity period and choose the (Deploy) button
    10. Copy user
        You can now create a new user by copying an existing user. The roles granted to the existing user are automatically granted to the new user.
        Prerequisites
        • System privilege USER ADMIN, SQL privilege EXECUTE on procedure GRANT_ACTIVATED_ROLE
        Restrictions
        • Only roles created as design-time roles are copied
        • Only available in SAP HANA studio
        Procedure
        1. In the Systems view in SAP HANA studio, choose Security -> Users, right-click the user to be copied and choose Copy User
        2. Enter the details for the new user
        3. Choose the (Deploy) button to create the user
    11. Authorization
    12. New system privileges for repository change management
        New system privileges for repository change management are available.
        Repository change management provides the infrastructure for tracked development. If enabled, the activation of a repository object prompts the developer to assign it to a container or “Change”. A developer must then approve and release his changes in order for the objects in his change to be marked as released. This enables the creation of a delivery unit (DU) that is composed of only released objects. Releasing a change does not trigger any automatic semantic checks but is a manual assurance by the developer that the objects are consistent and ready for transport.
        Prerequisites
        • System privilege USER ADMIN
        Granting system privileges
        1. In the Systems view in SAP HANA studio, double-click on the user
        2. On the System Privileges tab, add the required system privileges:
           o REPO.CONFIGURE, REPO.MODIFY_CHANGE, REPO.MODIFY_FOREIGN_CONTRIBUTION, REPO.MODIFY_OWN_CONTRIBUTION
        3. Choose the (Deploy) button
    13. New privilege for debugging SQLScript code
        You can now allow other users to debug SQLScript code (e.g. a procedure) that is being executed in your session.
        1. In the Systems view in SAP HANA studio, expand Security -> Users and double-click the user to whom you want to grant debugging privileges
           o On the Object Privileges tab, add your procedure and select DEBUG
           o On the Privileges on Users tab, choose the (Add) button and select ATTACH DEBUGGER (see screenshot)
        2. Choose the (Deploy) button
        Example
        • BOB grants ALICE debugging privileges
        Note
        • It is not possible to grant the ATTACH DEBUGGER privilege on behalf of other users
    14. SAP HANA studio: Support for smart data access privilege assignment
        SQL privileges for Smart Data Access scenarios can now be granted using SAP HANA studio.
        Smart data access is SAP HANA’s capability to connect to remote sources and present data in those remote sources as though they were local SAP HANA tables. In SAP HANA, virtual tables are created that represent the tables in the remote source. Via these virtual tables, joins can be executed between tables in SAP HANA and tables in the remote source.
        The following SQL privileges can now be granted using SAP HANA studio:
        • CREATE VIRTUAL TABLE (in selected remote source)
        • DROP (selected remote source)
        Prerequisites
        • Remote source has been created
        Example
        • User SYSTEM grants a user the privileges to
          – Create virtual tables for remote source ASE2
          – Drop remote source ASE2
    15. Encryption
    16. Support for SAP’s new cryptographic library CommonCryptoLib
        SAP HANA now supports SAP’s new cryptographic library CommonCryptoLib for operations that require cryptography, for example data volume encryption and SSL communication encryption.
        CommonCryptoLib is the successor of SAPCRYPTOLIB.
        Notes
        • CommonCryptoLib will be made available via SAP Service Marketplace
        • Because the library includes encryption routines, CommonCryptoLib distribution is subject to and controlled by German export regulations and may not be available to all customers. The library may also be subject to local regulations of your own country that may further restrict the import, use, and (re-)export of cryptographic software.
    17. SAP HANA studio: Configure data volume encryption (I)
        Data volume encryption on disk can now be configured using SAP HANA studio.
        After activating encryption, new data that is saved to disk will be encrypted starting with the next savepoint. Existing data starts being encrypted in the background. Depending on the size of the SAP HANA system, this process can take some time. Only after this process has completed is all your data encrypted. You can monitor the encryption progress in SAP HANA studio.
        Notes
        • If you want to use data volume encryption, it is recommended to activate it directly after installing the system
        • The root key for data volume encryption is automatically created during installation. If you have received SAP HANA as an appliance, we recommend changing this key after handover from the hardware vendor
    18. SAP HANA studio: Configure data volume encryption (II)
        Prerequisites
        • System privilege RESOURCE ADMIN
        Activating/deactivating data volume encryption
        1. In the Systems view in SAP HANA studio, choose Security
        2. Open the Data Volume Encryption tab
           – To activate encryption, select Activate encryption of data volumes
           – To deactivate encryption, de-select this option
        3. Choose the (Deploy) button
    19. SSFS: Change master key (I)
        SSFS master key
        SAP HANA now provides the ability to change the SSFS master key.
        SSFS (SAP NetWeaver secure storage in the file system) is used by SAP HANA to store
        • The root key for the data volume encryption
        • The root key for the internal data protection API (DPAPI). Note: DPAPI is used by the secure internal credential store, which is needed in some scenarios such as smart data access to securely store additional user credentials (e.g. for access to remote systems)
        The keys stored in SSFS are themselves encrypted using the SSFS master key. It is recommended to periodically change the SSFS master key, re-encrypt the SSFS with the new key, and save the new key to a secure location.
        [Diagram labels: SAP HANA file system; SSFS; Data volume encryption (root key); Internal data protection API (root key); SAP HANA database; Data volume encryption (savepoint-specific key); Secure credential store (key)]
    20. SSFS: Change master key (II)
        Prerequisites
        • Credentials of the operating system user (<sid>adm user) that was created when the system was installed
        • Database user with system privilege INIFILE ADMIN
        • In a distributed SAP HANA system, every host must be able to access the key file location
        Changing the SSFS master key
        1. Stop the SAP HANA system
        2. Log on to the SAP HANA system host as the operating system user <sid>adm
        3. Generate a new master key by entering the following command:
            rsecssfx generatekey
        4. Re-encrypt the SSFS with the new master key and save the key file to a secure location as follows:
            RSEC_SSFS_DATAPATH=/usr/sap/<SID>/global/hdb/security/ssfs RSEC_SSFS_KEYPATH=<PATH TO KEYFILE> rsecssfx changekey <NEWKEY>
        5. Configure the specified key file location in the cryptography section of the global.ini configuration file with the parameter ssfs_key_file_path
    21. SSFS: Data volume encryption root key included in backup
        If storage snapshots are used for data backup, the root key for the data volume encryption is now included in the automatic backup of the SSFS.
        The SSFS is always part of the data backup, but for file system or BACKINT backups it does not include the data volume encryption root key. The root key is only needed in recovery scenarios where a storage snapshot is used as the basis for the recovery.
    22. SSFS: Alert if SSFS is missing
        An alert is triggered if the SSFS is missing.
        SSFS is used by SAP HANA to store
        • The root key for the data volume encryption
        • The root key for the internal data protection API
        New check
        • Determines whether the secure storage in the file system (SSFS) is accessible to the database
        • Alert priority: HIGH
        • Recommended user action: Check and make sure that the secure storage in the file system (SSFS) is accessible to the database
    23. Communication encryption: Force SSL for client SQL connections
        There is a new configuration parameter which enforces SSL encryption for all client SQL connections to the SAP HANA database.
        Prerequisites
        • SSL has been configured for the SAP HANA database
        • System privilege INIFILE ADMIN
        • You have migrated to the new statistics server implementation (see SAP Note 1917938). Do not enforce SSL for client connections otherwise.
        Configuration
        1. In the Administration editor in SAP HANA studio, open the Configuration tab
        2. Navigate to the global.ini file and expand the communication section
        3. Set the sslEnforce parameter to true (default: false)
        4. New SQL connection attempts by clients without SSL will now be rejected by the SAP HANA database. Note though that existing connections will not be terminated, so if you want to enforce SSL for all connections, it is recommended to restart the database.
    24. Communication encryption: SSL support for system replication scenarios
        The Secure Sockets Layer (SSL) protocol can be used to secure network communication between the primary site and secondary site in system replication scenarios.
        Prerequisites
        • SSL has been configured for both SAP HANA systems (key creation and CA)
        • System privilege INIFILE ADMIN
        Configuration
        1. For a scenario involving two systems, carry out the following steps in both systems
           1. In the Administration editor in SAP HANA studio, open the Configuration tab
           2. In the configuration file global.ini -> section system_replication_communication: Set the parameter enable_ssl to on
        2. SSL will be used from the next reconnect between primary and secondary. The easiest way to achieve a reconnect is to restart the secondary system.
    25. Audit Logging
    26. Mandatory audit actions
        If auditing is active, certain actions are always audited and are therefore not available for inclusion in user-defined audit policies.
        In the audit trail, these actions are labeled with the internal audit policy MandatoryAuditPolicy.
        Action and description:
        • CREATE AUDIT POLICY, ALTER AUDIT POLICY, DROP AUDIT POLICY
          Creation, modification, or deletion of audit policies
        • ALTER SYSTEM CLEAR AUDIT LOG UNTIL <timestamp>
          Deletion of audit entries from the audit trail. This only applies if audit entries are written to column store database tables.
        • Changes to auditing configuration, that is:
          o Enabling or disabling auditing:
            ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing configuration','global_auditing_state' ) = <value> with reconfigure;
          o Changing the audit trail target:
            ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing configuration','default_audit_trail_type' ) = '<audit_trail_type>' with reconfigure;
          o Changing the location of the audit trail target if it is a CSV text file:
            ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') set ('auditing configuration','default_audit_trail_path' ) = '<path>' with reconfigure;
    27. Database table as audit trail target (I)
        As an alternative to syslog, SAP HANA can now write the audit trail to tables within the database itself.
        When an audit policy is triggered, an audit entry is created in the audit trail.
        Audit trail types for production systems:
        • syslog (logging system of the Linux operating system)
          o syslog is a secure storage location for the audit trail because not even the database administrator can access or change it. There are also numerous storage possibilities for the syslog, including storing it on other systems. In addition, syslog is the default log daemon in UNIX systems. syslog therefore provides a high degree of flexibility and security, as well as integration into a larger system landscape.
        • Database table
          o Using an SAP HANA database table as the target for the audit trail makes it possible to query and analyze auditing information quickly. It also provides a secure and tamper-proof storage location.
          o Internal column store table in the _SYS_AUDIT schema of the SAP HANA database
          o Audit entries are only accessible through the public system view AUDIT_LOG. Only SELECT operations can be performed on this view by users with system privilege AUDIT ADMIN or AUDIT OPERATOR
          o To avoid the audit table growing too large, it is possible to delete old audit entries
    28. Database table as audit trail target (II)
        Prerequisites
        • System privilege AUDIT ADMIN or INIFILE ADMIN
        Configuring the audit trail
        1. In the Systems view, double-click on Security and open the Auditing tab
        2. In the System Settings for Auditing area, set the auditing status to Enabled
        3. Configure the target of the audit trail by choosing Database Table
        4. Choose the (Deploy) button
    29. Database table as audit trail target (III)
        Prerequisites
        • System privilege AUDIT ADMIN or AUDIT OPERATOR
        Viewing the audit trail
        • In the Systems view of SAP HANA studio, expand the catalog and display the system view AUDIT_LOG
        • Alternatively, display the system view using SQL commands:
            SELECT * FROM "PUBLIC"."AUDIT_LOG"
    30. Database table as audit trail target (IV)
        Prerequisites
        • System privilege AUDIT ADMIN or AUDIT OPERATOR
        Truncating the audit trail
        1. In the Systems view, double-click on Security and open the Auditing tab
        2. Choose the (Truncate) button
        3. Specify a date/time and click OK
        Caution: All information in the audit trail that is older will be immediately deleted
    31. New audit actions
        Two additional data definition (DDL) actions can now be audited: CREATE TABLE and ALTER TABLE
        Prerequisites
        • System privilege AUDIT ADMIN
        Creating an audit policy
        1. In the Systems view, double-click on Security and open the Auditing tab
        2. In the Audit Policies area, choose Create New Policy
        3. Enter the policy name
        4. Specify the audit actions and further options if required
        5. Choose the (Deploy) button
    32. Firefighter logging
        You can log all actions performed by a specific user.
        This covers not only all actions that can be audited individually, but also actions that cannot otherwise be audited. Such a policy is useful if you want to audit the actions of a particularly privileged user.
        Note
        • Some actions cannot be audited using database auditing even with a policy that includes all actions, in particular, system restart and system recovery
        Caution
        • Firefighter logging may generate a lot of audit entries, so only enable it if required
    33. Exempt user from audit policy
        You can now exempt individual users from an audit policy.
        This can be useful, for example, if you want to exclude the technical user account used by an application server for connections to the SAP HANA database.
        Prerequisites
        • System privilege AUDIT ADMIN
        Exempting a user from an audit policy
        • When creating the audit policy, choose in the Users column
        • Select the users to be excluded from the audit policy
    34. SAP HANA studio: Improved audit action configuration
        The dialog for selecting audit actions for an audit policy has been improved.
        Not all actions can be combined in the same policy, so compatible audit actions have been grouped together.
        When you select an action, those actions that are not compatible with the selected action become unavailable for selection.
        If you need to audit two incompatible audit actions, you need to create two separate audit policies.
    35. Documentation
    36. Context-sensitive help in SAP HANA studio
        SAP HANA studio now provides context-sensitive help for many topic areas, including security.
        To open the context-sensitive help, press F1, or choose Help -> Dynamic Help
    37. More Information
    38. More Information
        SAP HANA documentation
        Available on the SAP Help Portal
        • SAP HANA Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide (privilege details)
        Important SAP notes
        • 1598623: SAP HANA appliance: Security (Central Security Note)
        • 1514967: SAP HANA appliance (Central Appliance Note)
        • 1730928: Using external software in a HANA appliance
        • 1730929: Using external tools in an SAP HANA appliance
        • 1730930: Using antivirus software in an SAP HANA appliance
        • 1730999: Configuration changes in HANA appliance
        Security whitepaper
        • http://www.saphana.com/docs/DOC-3751
    39. Disclaimer
        This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP’s strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
    40. Thank you
        Contact information
        Andrea Kristen
        SAP HANA Product Management
        AskSAPHANA@sap.com
        To get the best overview of what’s new in SAP HANA SPS 07, read this blog.
    41. © 2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
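Added example, not part of the SAP slides or SAP's own tooling: a small checker that reads the text of global.ini and indexserver.ini and reports where the SPS 07 settings named in slides 5, 6, 20, 23, 24 and 26 are left in their weaker state. The sample file contents are constructed. Treating a missing key as disabled, the `[password policy]` section name in indexserver.ini and the `CSVTEXTFILE` value name are assumptions that do not come from the slides.

```python
"""Check SAP HANA ini file text against settings named in the SPS 07 slides."""
import configparser
from collections import namedtuple

Finding = namedtuple("Finding", "file section key message")

# Constructed sample contents, not taken from a real system.
SAMPLE_GLOBAL_INI = """\
[communication]
sslEnforce = false

[system_replication_communication]
enable_ssl = off

[auditing configuration]
global_auditing_state = true
default_audit_trail_type = CSVTEXTFILE
"""

SAMPLE_INDEXSERVER_INI = """\
[authentication]
SapLogonTicketEnabledForNewUsers = true

[password policy]
maximum_unused_initial_password_lifetime = 28
"""

TRUTHY = {"true", "on", "yes", "1"}


def _parse(text):
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # preserve key case (sslEnforce, not sslenforce)
    cfg.read_string(text)
    return cfg


def _enabled(cfg, section, key):
    # Assumption: a missing section or key means the switch is off.
    # The slides state this default only for sslEnforce.
    return cfg.get(section, key, fallback="false").strip().lower() in TRUTHY


def check_global_ini(text):
    """Return findings for the global.ini parameters named in the slides."""
    cfg, out = _parse(text), []

    def add(section, key, message):
        out.append(Finding("global.ini", section, key, message))

    if not _enabled(cfg, "communication", "sslEnforce"):
        add("communication", "sslEnforce",
            "client SQL connections without SSL are accepted")
    if not _enabled(cfg, "system_replication_communication", "enable_ssl"):
        add("system_replication_communication", "enable_ssl",
            "system replication traffic between sites is not SSL-protected")
    if not _enabled(cfg, "auditing configuration", "global_auditing_state"):
        add("auditing configuration", "global_auditing_state",
            "auditing is disabled")
    trail = cfg.get("auditing configuration", "default_audit_trail_type",
                    fallback="").strip().upper()
    if trail == "CSVTEXTFILE":  # value name is an assumption, see lead-in
        add("auditing configuration", "default_audit_trail_type",
            "CSV text file audit trail is for test purposes only")
    if not cfg.get("cryptography", "ssfs_key_file_path", fallback="").strip():
        add("cryptography", "ssfs_key_file_path",
            "no SSFS key file location set (needed after a master key change)")
    return out


def check_indexserver_ini(text):
    """Return findings for the indexserver.ini parameters named in the slides."""
    cfg, out = _parse(text), []
    if _enabled(cfg, "authentication", "SapLogonTicketEnabledForNewUsers"):
        out.append(Finding(
            "indexserver.ini", "authentication",
            "SapLogonTicketEnabledForNewUsers",
            "new users implicitly get SAP Logon Ticket authentication"))
    # Section name "password policy" is an assumption; 7 days is the new default.
    days = cfg.getint("password policy",
                      "maximum_unused_initial_password_lifetime", fallback=7)
    if days > 7:
        out.append(Finding(
            "indexserver.ini", "password policy",
            "maximum_unused_initial_password_lifetime",
            "initial passwords stay valid for %d days (SPS 07 default: 7)" % days))
    return out


if __name__ == "__main__":
    findings = (check_global_ini(SAMPLE_GLOBAL_INI)
                + check_indexserver_ini(SAMPLE_INDEXSERVER_INI))
    for f in findings:
        print("%s [%s] %s: %s" % f)
```

A clean sslEnforce result only covers new connections: as slide 23 notes, existing connections are not terminated until the database is restarted.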