Security Features of the SAP HANA Database:
Security Feature | Description |
---|---|
User and Role Management | Each tenant database has its own database users and roles, including a tenant-specific superuser SYSTEM. Depending on system isolation, there may be one OS user (default `<sid>adm`) or separate OS users for each tenant database. |
Authentication and SSO | Supports multiple authentication mechanisms, including database user/password, SAML bearer tokens, JSON Web Tokens (JWT), Kerberos, and LDAP. Configuration depends on the mechanism: • Database user/password authentication is database-specific. • Kerberos authentication requires all databases to map users to the same Key Distribution Center. • SAML and JWT authentication allow per-database configurations with different trust stores and certificates. • LDAP authentication supports per-database configurations with different LDAP providers and secured connections. Note: LDAP authentication requires disabling local SAP HANA password authentication. • Database-specific trust stores cannot be configured for SAP HANA XS classic model. |
Authorization | Standard authorization is applied at the database level with additional features: • DATABASE ADMIN privilege in the system database allows system administrators to manage tenant databases. • Cross-database authorization enables read-only queries between tenant databases via user mapping, which is disabled by default and must be configured by an administrator. |
Encryption of Data Communication | Secure communication via TLS/SSL can be configured separately for external communication between databases and JDBC/ODBC clients. Unique key and trust stores should be configured for each database, preferably stored in the database rather than the file system. Per-database TLS/SSL keys and certificates can also be set for HTTP clients. |
Data-at-Rest Encryption | Data and log volume encryption, along with backup encryption, can be enabled for both system and tenant databases. This ensures that unauthorized access to disk-level data and logs does not reveal actual information. Backup encryption further protects backup data from unauthorized access. |
Masking and Anonymization | Data masking provides an additional layer of access control, hiding sensitive information by partially masking or transforming data. Anonymization enables privacy protection while allowing meaningful statistical analysis. Masking and anonymization are both applied at the database level. |
Auditing | Actions performed in each tenant and system database can be audited individually. By default, tenant database audit trails are stored in local database tables, ensuring privacy. Tenant administrators cannot change audit trail targets, but system administrators can (though this is not recommended). If audit trails are sent to syslog, database names are included to differentiate audit entries. |
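
The cross-database authorization row above, shown as an added SQL example that is not part of the original page: it turns the feature on for a single source/target pair, maps one user, and then reviews what is configured. The database names DB1 and DB2, the users REPORT_USER and REMOTE_READER, and the schema SALES are placeholders.

```sql
-- Added example; DB1, DB2, REPORT_USER, REMOTE_READER and SALES are placeholders.

-- 1. System database, as an administrator: cross-database access is off by
--    default. Enable it and allow only DB1 (source) to read from DB2 (target).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('cross_database_access', 'enabled') = 'true',
      ('cross_database_access', 'targets_for_DB1') = 'DB2'
  WITH RECONFIGURE;

-- 2. Target tenant DB2: create a dedicated user mapped to the remote identity
--    REPORT_USER in DB1, and grant it only the read access it needs.
CREATE USER REMOTE_READER WITH REMOTE IDENTITY REPORT_USER AT DATABASE DB1;
GRANT SELECT ON SCHEMA SALES TO REMOTE_READER;

-- 3. Source tenant DB1, connected as REPORT_USER: the query runs in DB2 with
--    the privileges of REMOTE_READER and is read-only.
SELECT COUNT(*) FROM DB2.SALES.ORDERS;

-- 4. Periodic review (system database): list every cross-database setting so
--    that unexpected source/target pairs stand out.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE SECTION = 'cross_database_access';
```

Mapping to a dedicated low-privilege user in the target database keeps the remote identity from inheriting more than SELECT on the one schema.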