Post on 21-Mar-2020
In this chapter, you’ll assume the role of the security architect. You’ll see how security is managed by SAP HANA, from authenticating and authorizing users to masking, anonymizing, and encrypting data. You’ll finish with a look into auditing and additional security considerations.
Denys van Kempen
SAP HANA 2.0: An Introduction
440 pages, 2019, $79.95, ISBN 978-1-4932-1838-7
www.sap-press.com/4884
Chapter 6
Security
Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.
—Donald H. Rumsfeld
Security concerns us all. A common understanding of the most important SAP HANA security concepts can greatly contribute to a secure computing environment. For this reason, the information in this chapter is relevant not only for the security architect but also to anyone involved with SAP HANA.

In theory, the objective of security is simple. All data is stored safely and is always accessible when needed, but only to users that have been authorized. However, often, the difference between theory and practice is bigger in practice than in theory. In practice, computer or information security is complex, with an ever-increasing number of potential threats and countermeasures.

Stored safely? Data breaches are common news headlines. Victims include government, retail, but also finance, and, in particular, high-tech. In fact, the Internet giants themselves have been among the worst hit. Yahoo! is number one with 3 billion records hacked. Adobe, Facebook, LinkedIn, and more—all have been affected.

Always accessible? That’s part of the problem. Today, more people own cell phones than toothbrushes. The modern citizen is always online and expects the same from enterprises and the government. To comply with this demand, companies and government alike have embraced cloud computing. Who can afford not to?

Let’s start with cyberattacks and consider another common news headline: “Bank XYZ suffers DoS attack.” Today, denial of service (DoS) attacks are even offered “as-a-service” (just search for “RUDY,” which stands for “R-U-Dead-Yet”).

What has made these vulnerabilities worse is that the main asset underpinning the most valued companies today is no longer physical: it is data. With big data and the Internet of Things (IoT), access points and attack surfaces have only grown. To protect the interests of their citizens, governments increasingly scrutinize how data privacy and security are handled by businesses, which has resulted in a growing number of rules, regulations, and serious fines for noncompliance. As a result, not only does your company need to protect its data, but you’ll also need to prove that your company is protecting its data properly with an audit trail that holds up in court.

In this context, an entrepreneur may be tempted to unplug and hide his or her assets in Fort Knox. While this approach worked well in the past with gold, in the digital era, however, data needs to move. Data is the new oil, according to some—it needs to flow, which poses a challenge. The enterprise platform needs to secure but not restrict.

In this chapter, we’ll describe how security is handled by the SAP HANA platform. We’ll start with the security architect persona and then proceed through key security topics: user management, data privacy, data protection, and auditing. We’ll then continue this chapter with SAP HANA extended application services (SAP HANA XS) to manage security services, concluding with some general recommendations.
6.1 Roles and Tools
What are the responsibilities of the SAP HANA security architect persona, and what
tools does he or she have to do the job? In this section, we’ll briefly describe the job
role of the security architect.
6.1.1 The SAP HANA Security Architect
The SAP HANA security architect is, literally, the chief security builder. The security architect designs the security concept, oversees its construction, and oversees its implementation. As an architect, they will be the person in charge of secure operations and secure configurations. They will need to be intimately familiar with all security aspects of SAP HANA and how this relates to the overall IT system landscape. One important consideration is to distinguish between network encryption (data in transit) and storage encryption, including backups (data at rest).

The security architect needs to make sure that all access points are known and under control, ensuring that the operating systems running SAP HANA and all hardware involved are hardened. Of course, part of the job is also to stay up to date with the latest best practices and security standards, anticipate threats, identify possible weaknesses, and react appropriately to discovered security vulnerabilities for any of the components involved. The security architect can advise developers, administrators, data provisioners, data scientists, and other stakeholders involved with the SAP HANA project on all security topics and promote overall security awareness.

The function of the SAP HANA security architect is typically part of a wider security
responsibility, although we’ve started to see job profiles on the market for full-time
SAP HANA security consultants and developers. Typically, knowledge of SAP security
in general and SAP applications like governance, risk, and compliance (GRC) might be
required when a function leans to the compliance side. On the operational side,
familiarity with cloud architecture and expertise in securing data centers could be
part of the profile.
6.1.2 Tools
No dedicated SAP HANA tools are provided for security, but the relevant functionality has been included in the available administration and development tools.

For operations, the SAP HANA cockpit includes functionality for the following security topics, as shown in Figure 6.1:
• Auditing
• Data Encryption
• User & Role Management
• Authentication
• Certificate Management
• Single Sign-on
• Anonymization Report

Most of the screenshots found in this chapter are taken from the SAP HANA cockpit.
For development of SAP HANA XS Advanced applications, as described in Chapter 4,
Section 4.4, the SAP Web IDE for SAP HANA is the tool you’ll use.
Figure 6.1 SAP HANA Cockpit: System Overview, Security
For the earlier SAP HANA 1.0 release, you can use SAP HANA studio with its administration, modeling, and development perspectives. The Security view shown in Figure 6.2 brings together some of the security functionality listed earlier (user and role management, password policy, auditing, identity providers [IdPs], data volume encryption) but not all. Security groups, for example, were introduced with SAP HANA 2.0 and are not included in the SAP HANA studio interface; instead, you’ll need to use SQL and the SQL console.

Learn More
SAP HANA security concepts are documented in the Security Guide. Activities are documented in the SAP HANA Administration Guide. In addition, you can consult the SAP HANA Security Checklists and Recommendations guide. All SAP HANA guides are available on the SAP Help Portal for the SAP HANA platform.
Extensive as all this material may be, this documentation is not complete. You
should also consider hardware, operating system, and network. Because SAP HANA
runs on Linux, guides like the Operating System Security Hardening Guide for SAP
HANA for SUSE Linux Enterprise Server also provide highly relevant material.
Figure 6.2 Security in SAP HANA Studio
6.2 User Management
In Chapter 2, we described different SAP HANA use cases: as a data mart, as a database in a three-tier architecture, and as a database and application server combined for native SAP HANA XS applications. How SAP HANA is implemented impacts the security model for user management. How you create your users and define their roles also will depend on other factors. Do you wish to implement SSO, Security Assertion Markup Language (SAML), or Kerberos? Different options for both authentication (tell me who you are) and authorization (and I’ll tell you what you can do) are present. This section describes user management essentials for SAP HANA.
6.2.1 Implementation Scenarios
How SAP HANA is implemented affects user management. The following three main implementation models can be set up:

• SAP HANA as a data mart
Figure 6.3 shows connectivity for the data mart scenario, which typically involves multiple tenant databases and multiple source systems and likely multiple client types. Each user connecting with the SAP HANA client may need a database user account with the appropriate privileges. Alternatively, users could connect through an intermediary like an SAP BusinessObjects Business Intelligence (SAP BusinessObjects BI) server. In this case, the connection could be established with a shared database user account, with personal accounts, or with a combination of both.

Figure 6.3 SAP HANA as a Data Mart

• SAP HANA in a three-tier architecture
In a three-tier architecture, as shown in Figure 6.4, user security is typically managed at the application server layer. You’ll see only a single technical user connecting to the database on behalf of the many application end users, which is the case, for example, with SAP S/4HANA and SAP Business Warehouse (SAP BW). User management in such cases will be mainly a concern for the Basis administrator, not the SAP HANA database administrator. However, some overlap may exist. ABAP shared business authorizations enable the use of authorizations, defined at the application level, for the database (see Section 6.2.4). As a result, a data scientist connecting with the Python database application programming interface (API) (for example, using ODBC) directly to the database will get the same view of the data in terms of authorizations as he or she would connecting with SAP S/4HANA. The three-tier architecture is described in detail in Chapter 2.

Figure 6.4 SAP HANA in a Three-Tier Architecture

• SAP HANA with SAP HANA XS/SAP HANA XS Advanced
The third type of architecture involves connectivity when using the SAP HANA XS and/or SAP HANA XS Advanced application servers, as shown in Figure 6.5. You connect with a browser over HTTP(S) directly to the web application hosted by either SAP HANA XS or SAP HANA XS Advanced. With SAP HANA XS Advanced, you can use an external IdP for user authentication. Otherwise, the SAP HANA database is used for this purpose, in which case database user accounts must be created. For the classic SAP HANA XS model, database user accounts will always be required. The SAP HANA XS and SAP HANA XS Advanced architectures are described in Chapter 4, Section 4.4.

Figure 6.5 SAP HANA with SAP HANA XS/SAP HANA XS Advanced
6.2.2 User Types and User Groups
Although conceptually you can distinguish “real” database users from technical users, from the point of view of the SAP HANA database, both users are the same. SAP HANA only distinguishes between users and restricted users. The latter can be, for example, our SAP S/4HANA business users. These users can only connect to the database through the application server. They cannot create their own tables and won’t need to view the object catalog.

Figure 6.6 shows the User Management screen of the SAP HANA cockpit. By selecting
No for the Creation of Objects in Own Schema radio button and selecting No for the
PUBLIC Role radio button, you’ll turn your regular database user into a restricted user
(and vice versa). Typically, for a restricted user, Yes for the Disable ODBC/JDBC Access
will also be selected, although doing so is not a requirement.

Depending on which implementation architecture is used, you’ll either connect directly to the SAP HANA database with your own personal database user account or through some intermediary, like an application server. In the second case, the application server will connect to the database on your behalf (and on behalf of all your colleagues). Because the application server database user does not correspond to a “real” user, this type of account is called a technical database user. Besides application servers, IoT devices, for example, may also connect using a (shared) technical user.

From the point of view of the SAP HANA database server, however, no differences exist between your database user account and the user account for SAP NetWeaver. The difference is only conceptual. Still, technical database users have their own characteristics. For example, whereas a common best practice has been to prompt database users to change passwords every 3 months, for technical users, such a prompt would be undesirable. The technical user would stubbornly enter the old password until it gets locked out. The database administrator thus needs to manage these users differently, and user groups are a good way to differentiate between these types of users.

Figure 6.6 User Management in the SAP HANA Cockpit

You can use user groups to distinguish technical accounts from regular accounts, but other scenarios are possible as well. With user groups, you can separate employees from partners or temporary workers, or you can create a group for training purposes. User groups can have their own dedicated administrators. As a result, you can prevent a crucial technical account from being deleted accidentally. In addition, you can assign different password policies to a user group, requiring complex passwords that don’t need to be changed often for technical accounts but following a more relaxed approach on password complexity for accounts used by human users. You can create user groups with the SAP HANA cockpit in the User Groups interface, as shown in Figure 6.7.

Figure 6.7 SAP HANA Cockpit: User Groups
6.2.3 Authentication
If you’ve ever stood before a border security officer at an airport, you know what authentication is. Before letting you go through, the officer must validate that you are who you say you are. Are you the same person as stated on your passport? This validation is exactly what the SAP HANA database does with each access request. For this task, SAP HANA can use its own authentication mechanism or delegate the task to an external authentication provider. The built-in mechanism performs basic authentication based on user name and password.

The User Management screen in the SAP HANA cockpit (as shown earlier in Figure
6.6) provides access to the available authentication mechanisms, which we’ll walk
through in the following sections.
Basic Authentication
Every operating system, database, or application server needs some type of built-in authentication mechanism, and SAP HANA is no exception. The SAP HANA database authentication component only understands SQL, so typically the client tool will present you with a logon screen where you can enter a user name and password. Regardless of how the client requests credentials, the authentication component will receive this information as SQL and will check if the name is in the internal SYS.USERS table and if the password matches the stored value. Passwords are stored encrypted, but you can use SQL or your favorite tool to query the users table, as shown in Figure 6.8. Together with user names, the table also stores additional metadata, like a validity period and whether the account is active or not. For example, when new hires arrive on the first day of the month, you wouldn’t want to call your database administrator and find out that he or she has a day off today. Instead, the database administrator should have created the users in advance with the VALID_FROM attribute set. Similarly, for temporary employees with contracts expiring, the attribute VALID_TO should be active. In total, the users table has 35 attributes including one for comments.

Figure 6.8 Users Table

When a user enters a bad user name/password combination to the database, the user can try again. How often depends on the password policy defined. You can try at least once, as a value of 0 means indefinitely. Once you pass the number of allowed failed attempts, your account will be locked, USER_DEACTIVATED=TRUE, and you’ll need to contact the database administrator to unlock your account, although the app or logon web page may have a self-service mechanism for this task.

The password policy editor, shown in Figure 6.9, contains a number of variables, as follows:

• Password Length and Composition
Apart from rules and regulations around what to do with passwords, the password policy also defines what a password should look like. The minimum length is 8 characters by default. Required character types are lowercase, uppercase, and digit, the same as for many other SAP systems and applications. “Welcome1”, “Initial1”, “Password1”, and “Individual1” are well-known examples. Special characters are not enforced by default, but when enabled, any Unicode characters may be used.

• User Lock Settings
The policy also defines how long you’re punished for entering a bad password. The user lock could only last one minute, or it may be indefinite. You can also specify whether you want the SYSTEM user to be exempted from locking.

• Password Lifetime
You can define the minimum and maximum lifetime of passwords. Set the lifetime of the initial password, typically provided by the database administrator or by a logon script, and whether you need to change the password at first logon. For real-life people, requiring a password change at first logon is typically a good idea, which is why this setting is activated by default. But if the connection comes from a technical user, you’ll usually disable this setting, which is also the case for notifications about passwords expiring.

• Miscellaneous
In this section, you can define the Number of Allowed Failed Logon Attempts, which defaults to 6, and the number of last used passwords, for example.

A chain is only as strong as its weakest link. To protect your system and all its users against a single user choosing an easy-to-guess password, a password blacklist can be maintained. You can add complete passwords to the list or just partial ones, for example “pass” will exclude any password containing those four characters sequentially. In addition, you can indicate if passwords are case sensitive. Even some seemingly cryptic passwords are quite common and easy to guess like “!@#$%^&*” and “1q2w3e4r5t.” Adding the most common passwords to the blacklist is a simple but effective way to make your system more secure.

Figure 6.9 Password Policy and Blacklist in the SAP HANA Cockpit
External Authentication
Besides built-in mechanisms, the SAP HANA database also supports external authentication methods. A great advantage these external mechanisms have over basic authentication is that they can be used to enable SSO, which allows users to log on once and then navigate from (web) application to application without the need to log on every time.

The following external authentication methods are available:

• Kerberos
Kerberos is typically used in environments where the client (which could be the application server) runs on the Microsoft Windows platform. Kerberos allows you to connect with SAP Crystal Reports or any other SAP BusinessObjects application directly in the SAP HANA database, for example.

Technology Background
Kerberos might not sound familiar, but Microsoft Windows surely does. Kerberos is the default authentication protocol for the operating system since Windows 2000. The protocol has been around quite some time and was designed initially for a client/server architecture to securely connect computers over a potentially insecure network. Because it does this quite well, Kerberos is still widely used. You’ll find Kerberos included with other operating systems, in particular, if that system needs to collaborate nicely in a Microsoft Windows environment. For this reason, Kerberos is one of the available authentication mechanisms for SAP HANA as well.

• SAML and JWT
SAP HANA supports both SAML and JSON web tokens (JWT) as external authentication mechanisms (OAuth). Like Kerberos, SAML and JWT are typically used in an enterprise environment for web client SSO.

Technology Background
SAML is an open standard to exchange authentication and authorization information. Open standard means that the technology is not related to any specific vendor. In fact, SAML is part of the XML family, like HTML, both open standards as well. SAML goes back to the early 2000s, when web technologies overtook client/server architectures. SAML works with a service provider (SP) and an IdP with you, or rather the browser, in the middle. SAML also addresses authorization, which makes it a bit more complex.

Due to the way the IdP directs the client back to the SP (HTTP redirect and HTTP Post), using SAML in mobile phone environments is challenging. For this reason, from the labs of companies like Twitter and Google, another framework was developed, known as OAuth. In fact, when you use your Twitter, Google, or Facebook account to log on to the website of your favorite newspaper or web shop, OAuth is what you’re using. OAuth only does authentication. Not to be confusing, but the token used in OAuth can be in SAML format, and other formats are possible as well. Another format is the JSON (JavaScript Object Notation) format, which gives you a JSON web token, JWT in short (pronounced “jot”).

• Logon tickets and assertion tickets
Logon tickets and assertion tickets in SAP are mainly used in SAP NetWeaver application server for ABAP and Java environments. Logon tickets are used for end-user authentication and SSO. Assertion tickets are typically used for authentication between systems and work similarly to Kerberos and SAML.

• X.509 client certificates
Finally, you can also authenticate SAP HANA XS application users with X.509 client certificates (both SAP HANA XS and SAP HANA XS Advanced). Despite their cryptic name, X.509 certificates are quite common. For example, they are used to secure web traffic with HTTPS. The certificate contains a public key and identity in Lightweight Directory Access Protocol (LDAP) format signed by a certificate authority.

With Kerberos for Microsoft networks, logon tickets and assertion tickets for SAP systems, SAML for multivendor enterprise environments, and JWT or X.509 for the latest and greatest web applications, SAP HANA provides support for the most common authentication requirements.

6.2.4 Authorization
At this point, you’ve managed to get into the system as an authenticated user. Next, SAP HANA needs to check your authorizations. What are you allowed to do? What system privileges do you have? What are you allowed to see, and what can you change? For the overall security of your SAP HANA system, getting your authorizations right is as important as proper authentication. Typically, for database authorization, the built-in mechanism is used, although SAP HANA also supports LDAP as an external authorization provider.

In this section, we’ll cover users and roles, predefined users, and the different types of privileges.

Users and Roles
You can grant system and object privileges directly to users, which is easy to do but typically not the best approach. Getting authorizations right can be complex and requires care, and having to start all over again when a user leaves the company or takes on another job function requiring other privileges would be a waste of time.

For this reason, normally you would grant privileges to roles and then grant those roles to users, which has two advantages:

• First, you can now build a hierarchy of privileges modeled on business roles. For example, you can create a role for the TENANT ADMIN system privilege, which allows you to start and stop tenant databases, and a role for the SERVICE ADMIN system privilege, which allows you to perform those operations on the system services. You can then grant both roles to a new role, the system administrator, which allows you to stop and start services for both the system database and the tenant databases.
• Second, should your user requirements change, no problem. You can simply revoke the old role(s) and grant a new one(s).

Now, you have a reusable authorization concept, which allows you to implement complex requirements matching actual business functions. The governing thought behind this functionality is the principle of least privilege (PoLP), a security best practice that advocates giving users only those privileges essential to doing the job. No more, no less.
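
The role hierarchy described above, written out as SAP HANA SQL. This is an added example, not code from the book; the role names are hypothetical, and the user maria (borrowed from the GRANT statement in the Code Clinic box) is assumed to exist already.

```sql
-- Added example: role names are hypothetical; TENANT ADMIN and SERVICE ADMIN
-- are the system privileges named in the text.

-- One role per system privilege.
CREATE ROLE tenant_operator;
GRANT TENANT ADMIN TO tenant_operator;

CREATE ROLE service_operator;
GRANT SERVICE ADMIN TO service_operator;

-- A business role composed of the two smaller roles.
CREATE ROLE system_administrator;
GRANT tenant_operator  TO system_administrator;
GRANT service_operator TO system_administrator;

-- The user receives the business role, never the privileges themselves.
GRANT system_administrator TO maria;

-- When the job function changes, swap roles instead of rebuilding grants.
REVOKE system_administrator FROM maria;
GRANT service_operator TO maria;

-- Check 1: which roles does the user hold now?
SELECT grantee, role_name, grantor
  FROM granted_roles
 WHERE grantee = 'MARIA';

-- Check 2: system privileges granted directly to users, bypassing the
-- role concept. Every row is a candidate for moving into a role.
SELECT grantee, privilege, grantor
  FROM granted_privileges
 WHERE grantee_type = 'USER'
   AND object_type  = 'SYSTEMPRIVILEGE'
   AND grantee NOT IN ('SYSTEM', '_SYS_REPO')
 ORDER BY grantee, privilege;
```
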
Predefined Database Users
The SYSTEM database user has all system privileges by default. For this reason, the SYSTEM user should be used only to create lesser-privileged users for particular purposes after which the SYSTEM user account should be disabled.

To update SAP HANA, in most cases, the SYSTEM user is not required, and a lesser-privileged user can be used, which addresses a classic security loophole: SYSTEM access during upgrades. A carefully crafted PoLP implementation would be suspended temporarily if you needed to enable the SYSTEM super user for upgrades, which introduces a vulnerability. Note that the SYSTEM database user does not have access to objects created in other schemas (without explicit grants) nor can it grant itself access. However, as a USER ADMIN, you can easily change user passwords and connect and grant schema access.

Other predefined database users like SYS, _SYS_REPO, or _SYS_STATISTICS are technical users. These users are either object owners or support specific functionalities. You cannot connect to the database with these accounts.

Predefined Catalog Roles
By default, every SAP HANA system also includes a number of predefined catalog roles. Like the SYSTEM user, some of these roles contain a lot of privileges and should only be used as templates for creating more restricted roles. Examples include CONTENT_ADMIN and MODELING. Other roles are used for specific purposes, like the AFL_SYS_AFL_AFLPAL_EXECUTE role for the Application Function Library (AFL) and the Predictive Analysis Library (PAL). These roles should not be extended, either by adding privileges or by adding restrictions.

Every user will have the PUBLIC role, which enables filtered, read-only access to the system views. When you revoke the PUBLIC role from a user (and revoke CREATE ANY ON OWN SCHEMA and DISABLE CLIENT CONNECT), you create a restricted user. Restricted users have no privileges, can only access SAP HANA through client applications, and do not require full SQL access. To fine-tune restricted users, you can grant the RESTRICTED_USER_JDBC_ACCESS and the RESTRICTED_USER_ODBC_ACCESS roles, which only grant access to the JDBC or the ODBC interfaces, respectively.

Another role worth mentioning is the SAP_INTERNAL_HANA_SUPPORT role, which has
read-only access to all metadata (but not customer data). Because this role is quite
powerful, restrictions apply (limited to one user, cannot be granted to SYSTEM or
another role), and an information alert is issued every hour when the role is granted.
System Privileges
System privileges authorize users to perform system administration tasks. By default, an SAP HANA system can involve 50 different system privileges. When you install optional components, like SAP HANA dynamic tiering, additional system privileges will be added.

Some privileges are related but distinct. For example, BACKUP ADMIN and BACKUP OPERATOR are different: An admin can perform all backup and recovery activities, including catalog configuration, while an operator can only start backups. The same distinction exists for the AUDIT system privilege and for IMPORT and EXPORT privileges.

Some privileges are powerful. INIFILE ADMIN, for example, allows you to make changes to all system settings. The SAP HANA Security Checklists and Recommendations guide lists critical combinations that should not be granted together, for example USER ADMIN and ROLE ADMIN, or AUDIT ADMIN and AUDIT OPERATOR.

Managing system privileges is performed in the SAP HANA cockpit, as shown in
Figure 6.10, where you’ll select the different privileges you want to grant to specific
users and roles.
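
Two catalog checks for the points made above: whether the SYSTEM user is still active, and whether any user or role directly holds both halves of one of the critical combinations named in the text. This is an added example, not taken from the book or from the SAP checklist; it assumes the standard USERS and GRANTED_PRIVILEGES system views and a user who is allowed to read them.

```sql
-- Added example (not from the book).

-- 1. Is the SYSTEM user still active, and when was it last used?
SELECT user_name, user_deactivated, last_successful_connect
  FROM users
 WHERE user_name = 'SYSTEM';

-- Once lesser-privileged administration users exist, SYSTEM can be disabled:
-- ALTER USER SYSTEM DEACTIVATE USER NOW;

-- 2. Which users or roles hold both privileges of a critical combination?
--    The pairs below are the two examples given in the text; extend the
--    inline list with further pairs from the checklist as needed.
--    GRANTED_PRIVILEGES lists direct grants only, so a user who receives
--    each half through a different role is not reported by this query.
SELECT a.grantee, a.grantee_type, c.priv_a, c.priv_b
  FROM (SELECT 'USER ADMIN'  AS priv_a, 'ROLE ADMIN'     AS priv_b FROM dummy
        UNION ALL
        SELECT 'AUDIT ADMIN' AS priv_a, 'AUDIT OPERATOR' AS priv_b FROM dummy) c
  JOIN granted_privileges a
    ON a.object_type = 'SYSTEMPRIVILEGE'
   AND a.privilege   = c.priv_a
  JOIN granted_privileges b
    ON b.object_type  = 'SYSTEMPRIVILEGE'
   AND b.privilege    = c.priv_b
   AND b.grantee      = a.grantee
   AND b.grantee_type = a.grantee_type
 WHERE a.grantee <> 'SYSTEM'
 ORDER BY a.grantee;
```
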
Figure 6.10 Select System Privileges, Manage Roles in the SAP HANA Cockpit
Object Privileges
Database objects are schemas (the containers), tables, views, functions/procedures,
and sequences, to name the most common ones. To access or change any of these
objects, you’ll need the required SQL privilege. For example, to view data, you’ll need
the SELECT privilege on a table or view. To put new rows into a table, you’ll need the
INSERT privilege. To change existing rows, you’ll need the UPDATE privilege, and to
remove rows, the DELETE privilege. Even if you have the IMPORT system privilege, you’ll
still need the right object privilege for the import to be successful.

What we’ve just mentioned are examples of data manipulation language (DML) command types. Data definition language (DDL) command types are also available, like CREATE, ALTER, DROP, or EXECUTE on SQLScript functions. Other object privileges govern remote sources (CREATE VIRTUAL TABLE), development (DEBUG), or security features (UNMASKED and USERGROUP OPERATOR).

Figure 6.11 shows the Assign Privileges window in the SAP HANA cockpit. By default, a database user receives the CREATE ANY object privilege on his or her own schema from SYS, which enables the user to create tables, views, and so on. The user also receives this object privilege WITH ADMIN OPTION (Grantable to Others), so he or she can directly grant other users (or roles) the privilege to create objects in his or her schema. No need for SYS to intervene; JANEDOE is queen of the castle.

Figure 6.11 Assign Privileges, Object Privileges in the SAP HANA Cockpit
Analytical Privileges
With analytical privileges, you can fine-tune data access requirements. As the name
implies, object privileges control object access: yes or no. If the SALARY column is part
of the EMPLOYEES table, and you have access to the table, you can view the salaries.
Analytical privileges allow for a more fine-grained, row-level access control. For
example, only HR_MANAGER can view this column, or to be even more specific, you can
allow HR_MANAGER_US to access only the rows in this column for his or her region.

You can create analytical privileges using SQL with the CREATE STRUCTURED PRIVILEGE <name> FOR <action> ON <object> statement, where <action> resembles a typical SQL WHERE clause and <object> references the table or view. However, more commonly, you would use SAP HANA studio for the classic SAP HANA XS environment or use the SAP Web IDE for the SAP HANA XS Advanced environment and create your privileges as design-time artifacts in a development environment to be deployed as catalog (runtime) objects on your actual production system. See Chapter 4, Section 4.1.2, for the difference between runtime database objects and design-time development artifacts.

Shared Business Authorizations
You can also use analytical privileges for what are called shared business authorizations.
For ABAP-based SAP applications like SAP S/4HANA, access control is defined
through authorization objects. You can leverage these ABAP authorization objects in
SAP HANA, which helps you implement (and maintain) scenarios where new SAP
HANA XS Advanced applications and existing ABAP-based SAP applications should
use the same authorization model. Shared business authorizations were introduced
in SAP HANA 2.0 SPS 03.
Additional Privileges
For SAP HANA XS applications, additional privileges can be defined. Package privi-
leges authorize you to read, edit, activate, or maintain both native and imported
repository packages. Application privileges define specific usage rights, for example
View or Admin roles. These types of privileges do not apply to SAP HANA XS Advanced
applications, however, which use an external source code repository and implement
application-level authorization with scopes and attributes.
Another additional privilege type is the ATTACH DEBUGGER user privilege, which enables
a user to debug SQLScript code in another user’s session, and is the only user privilege
currently available.
Code Clinic
You can grant privileges with the GRANT and REVOKE statements either directly using
SQL or by using client tools like the SAP HANA cockpit and SAP HANA studio. The fol-
lowing is an example GRANT statement:
GRANT CREATE ANY ON SCHEMA tony TO maria;
While the SAP HANA cockpit and the SAP HANA studio provide easy-to-use interfaces
for the most common functionalities, you’ll often have to open the SQL console
and perform actions in code.
When granting a privilege WITH ADMIN OPTION, this privilege can then be granted
again by the specified user or by the users with the specified role. Otherwise, only the
object owner can grant the privilege.
If you delete an object or schema owner, all objects and (admin) object grants are
deleted as well. Object ownership can be transferred.
Troubleshooting Authorization Issues
Troubleshooting authorization issues for catalog (runtime) objects can be compli-
cated. As of SAP HANA 2.0 SPS 03, the database engine includes a global unique ID
with the error [258]: insufficient privilege: Detailed info for this error can be found with guid '<guid>'.
As an administrator, you can then run the procedure get_insufficient_privilege_error_details('<guid>', ?) to find the cause of this error.
For earlier SAP HANA versions, you can enable an authorization trace in SAP HANA
studio together with the system views EFFECTIVE_PRIVILEGES and STRUCTURED_PRIVILEGES. SAP Support’s Guided Answers (http://s-prs.co/v488426) for SAP HANA
Troubleshooting, shown in Figure 6.12, can help you get started.
Figure 6.12 SAP Support, Guided Answers: SAP HANA Troubleshooting
SAP Notes
For more information, see SAP Note 1809199 – SAP HANA DB: Debugging user autho-
rization errors.
LDAP Users and Groups
LDAP is, together with HTTP and TCP/IP, an Internet pioneer. Today, the LDAP server
is typically used in an enterprise to provide a central place to store user names and
passwords. The most well-known LDAP implementation is Microsoft Active Direc-
tory, but many more are available, even open source LDAP implementations. Sup-
port for LDAP authorization was introduced in SAP HANA 2.0 for users accessing the
database with ODBC/JDBC clients. You can even automatically create new users in the
SAP HANA database based on LDAP user group membership.
6.3 Data Privacy and Protection
In this section, we’ll describe some additional features to safeguard data privacy: data
masking and real-time anonymization. We’ll also address how unauthorized access is
made, if not impossible, then at least extremely unlikely with encryption of data at
rest and data in transit.
6.3.1 Data Masking
Data masking is a special type of object privilege that behaves like an analytical priv-
ilege. As we’ve seen, object privileges are coarse-grained. You either have access or
you don’t. And if you don’t, you get an error.
To obtain a more fine-grained type of access control, analytical privileges can be used.
However, this type of privilege must be designed and created. Before you can restrict
your sales manager to viewing the data only for his or her region, you’ll need a table
with sales data and regions first. Once you have this table and the analytical privilege,
you can assign it to a user.
Consider a table with sensitive data (from a privacy point of view), which could be sal-
ary information in an employee table, credit card numbers in a customer table, or
medical records. The access policy for this data is “no access, except.” In other words,
access is denied for everyone, and only users with explicit access grants can view the
data. You could use object privileges to implement this policy, but this policy would
only work if the sensitive data is isolated in a dedicated table. However, for perfor-
mance reasons or other table design reasons, keeping the one sensitive column in the
table with other data might be essential. In this case, you could use an analytical priv-
ilege to implement this policy, but now, you’ll need to make sure the privilege not to
see the data is assigned to all users, except for some users, which may be cumber-
some.
Data masking provides a more elegant solution and allows for more flexibility. With
data masking, when the wrong user accesses the data, that user would not get an
error. The data would be hidden from that user. If you consider a table with credit
card data, for example, you can create a mask that completely obscures the column
with the card numbers, so all that the user sees are x’s. However, you could also
define that mask such that only the first or last four digits are visible. This would
enable customer service representatives to use the card number to verify the caller’s
identity without revealing too much information.
How data masking is implemented is flexible, and you can use a simple template or
write a complex function. Using a function also allows you to separate the table or
view object owner from the mask object owner.
Code Clinic
The mask can be a simple template:
CREATE VIEW credit_view AS SELECT name, credit_card FROM cards WITH MASK(NAME USING 'AAAA', CREDIT_CARD USING 'XXXX');
The mask can be implemented as a function, as shown in Listing 6.1.
CREATE FUNCTION mask_owner.credit_mask(INPUT VARCHAR(19))
RETURNS OUTPUT VARCHAR(19) LANGUAGE SQLSCRIPT AS
temp VARCHAR(19);
BEGIN
  SELECT LEFT(INPUT,4) || '-XXXX-XXXX-' || RIGHT(INPUT,4)
  INTO temp FROM SYS.DUMMY;
  OUTPUT := temp;
END;
Listing 6.1 Create Function
This function enables separation of ownership between the view and mask owner:
CREATE VIEW data_owner.credit_view AS SELECT * FROM cards WITH MASK(CREDIT_CARD USING mask_owner.credit_mask(credit_card));
To view the data without the mask, you’ll need the UNMASKED object privilege on the
table or view:
GRANT UNMASKED ON credit_view TO super_user;
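The mask expression in Listing 6.1 assumes full-length card numbers. The following added Python model (not SAP HANA code and not from the book) mirrors that expression to measure how much of a value it exposes when the input is short, next to a hypothetical stricter variant; the helper names, the min_hidden threshold, and the sample values are assumptions.

```python
"""Python model of the Listing 6.1 mask (added example, not SAP HANA code)."""


def sql_left(s, n):
    # Assumption: as with SQL LEFT, the whole string comes back when n > len(s).
    return s[:n] if n > 0 else ""


def sql_right(s, n):
    # Assumption: as with SQL RIGHT, the whole string comes back when n > len(s).
    return s[-n:] if n > 0 else ""


def credit_mask(value):
    """LEFT(INPUT,4) || '-XXXX-XXXX-' || RIGHT(INPUT,4), as in Listing 6.1."""
    return sql_left(value, 4) + "-XXXX-XXXX-" + sql_right(value, 4)


def leak_ratio(value, left=4, right=4):
    """Fraction of the original characters that the mask output exposes."""
    if not value:
        return 0.0
    n = len(value)
    exposed = set(range(min(left, n))) | set(range(max(n - right, 0), n))
    return len(exposed) / n


def credit_mask_hardened(value, min_hidden=6):
    """Hypothetical stricter mask: drop separators, show only the last four
    digits, and show nothing unless at least min_hidden digits stay hidden."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) - 4 < min_hidden:
        return "X" * len(digits)
    return "X" * (len(digits) - 4) + digits[-4:]


# Constructed sample values (not real card data).
SAMPLES = [
    "4111-1111-1111-1111",  # 19 characters, the shape the listing expects
    "4111111111111111",     # same number stored without separators
    "12345678",             # 8 characters: left and right windows cover it all
    "12345",                # shorter than 8: the windows overlap
]


def audit_masks(samples=SAMPLES):
    """Return (value, listing mask, exposed fraction, hardened mask) per sample."""
    return [
        (v, credit_mask(v), round(leak_ratio(v), 2), credit_mask_hardened(v))
        for v in samples
    ]


if __name__ == "__main__":
    for row in audit_masks():
        print(row)
```

A mask function that reveals fixed-width prefixes and suffixes should check the input length first, because values of eight characters or fewer pass through it fully readable.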
6.3.2 Data Anonymization
Data anonymization solves the puzzle of what’s called statistical disclosure control:
revealing accurate statistics about a population while preserving the privacy of indi-
viduals. Data anonymization in SAP HANA is implemented through calculation
views (see Chapter 4, Section 4.3) and supports the methods K-anonymity and differ-
ential privacy. Both approaches are well-known standards in the field.
Technology Background
Differential privacy was first defined in 2003 by Cynthia Dwork. This approach
enables the gathering of useful information from a group of people while at the
same time learning nothing about an individual.
Social sciences in the precomputer age used a similar approach to collect statistical
information about embarrassing or illegal behavior: flipping a coin. If tails, respond
truthfully (yes or no); if heads, flip another coin and respond “Yes” for heads and
“No” for tails, resulting in a 50% chance of the truth with plausible deniability of any
outcome. If repeated often enough, you’ll gather statistically viable information from
the group, while knowing nothing for sure about the individuals.
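The coin-flip procedure described above is known as randomized response. The following added Python example (not from the book or from SAP HANA) simulates it, recovers the group rate from the noisy answers, and computes the privacy parameter ε of the mechanism; the function names, the sample size, and the 12% true rate are assumptions chosen for illustration.

```python
"""Randomized response with two fair coins (added example, constructed data)."""
import math
import random

P_TRUTH = 0.5       # first coin lands tails: answer truthfully
P_FORCED_YES = 0.5  # second coin lands heads: answer "Yes" regardless


def randomized_response(truth, rng):
    """One respondent's reported answer under the coin-flip protocol."""
    if rng.random() < P_TRUTH:
        return truth
    return rng.random() < P_FORCED_YES


def p_yes_given(truth):
    """Probability of reporting "Yes" given the respondent's real answer."""
    return P_TRUTH * (1.0 if truth else 0.0) + (1 - P_TRUTH) * P_FORCED_YES


def epsilon():
    """Differential privacy parameter: log of the worst-case likelihood ratio."""
    return math.log(p_yes_given(True) / p_yes_given(False))


def estimate_true_rate(responses):
    """Invert the coin-flip noise: observed = forced_yes_share + P_TRUTH * rate."""
    observed = sum(responses) / len(responses)
    estimate = (observed - (1 - P_TRUTH) * P_FORCED_YES) / P_TRUTH
    return min(1.0, max(0.0, estimate))


def standard_error(responses):
    """Sampling error of the estimate; the noise doubles it for fair coins."""
    n = len(responses)
    observed = sum(responses) / n
    return math.sqrt(observed * (1 - observed) / n) / P_TRUTH


def posterior_truth(prior, answered_yes):
    """What an observer can infer about one person from one reported answer."""
    like_yes = p_yes_given(True) if answered_yes else 1 - p_yes_given(True)
    like_no = p_yes_given(False) if answered_yes else 1 - p_yes_given(False)
    return like_yes * prior / (like_yes * prior + like_no * (1 - prior))


def simulate(n, true_rate, seed):
    """Constructed population: n respondents, true_rate of them would say yes."""
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(n)]
    responses = [randomized_response(t, rng) for t in truths]
    return truths, responses


if __name__ == "__main__":
    truths, responses = simulate(200_000, 0.12, seed=42)
    print("actual rate      :", round(sum(truths) / len(truths), 4))
    print("reported yes rate:", round(sum(responses) / len(responses), 4))
    print("estimated rate   :", round(estimate_true_rate(responses), 4))
    print("standard error   :", round(standard_error(responses), 4))
    print("epsilon          :", round(epsilon(), 4))
    print("P(truth=yes | reported yes):", round(posterior_truth(0.12, True), 4))
```

The group estimate converges on the real rate as the sample grows, while a single reported "Yes" only moves an observer's belief about that person from the prior to the posterior computed by posterior_truth.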
The data controller—the person responsible for data privacy—defines the calculation
view and configures the parameters of the selected method. To access the view, you can
use a standard SAP HANA object authorization. You can configure the K-anonymity for
a calculation view using the SAP Web IDE for SAP HANA.
In addition, for compliance reporting purposes, a list is made available in the SAP
HANA cockpit for easy access to where a method is used in the Anonymization Views
screen shown in Figure 6.13.
Figure 6.13 SAP HANA Cockpit: Anonymization Views
6.3.3 Encryption
Encryption protects both data in transit and data at rest. During an eavesdropping
attack, if the data is not encrypted, you don’t need a sophisticated network sniffer
tool to capture user name and password combinations traveling over the Internet in
clear text (HTTP). Nor is it rocket science to extract valuable data from database files.
However, once the data is encrypted, making any sense out of raw data is almost
impossible. All data at rest can be encrypted, for example, the database files on the
data volume, the redo log files on the log volume, and any data or log file backup
stored on the file system. In addition, all data in transit can be encrypted as well. In
fact, most data in transit is encrypted automatically.
In this section, we’ll address both types of encryption and explain how encryption
can be configured.
Technology Background
In the SAP HANA documentation, the protocol used for network encryption is
described as Transport Layer Security (TLS)/Secure Sockets Layer (SSL). SSL is a rela-
tively well-known Internet protocol for providing the secure “S” of HTTPS and the
green lock icon in the browser. This protocol goes all the way back to the early days of
the World Wide Web and the Netscape Navigator web browser.
Today, SSL is almost obsolete, and typically TLS is used to encrypt traffic and authen-
ticate computers. However, because TLS is less well known, it is often referenced
together with SSL (as in TLS/SSL) or even simply called SSL. Regarding SAP HANA,
when reading about SSL, TLS, SSL/TLS, or TLS/SSL, note that we are referring to one
thing: the TLS protocol.
Network Encryption
The communication between SAP HANA components is encrypted by default using
TLS. Communication includes traffic between the different processes (hdbdaemon,
hdbnameserver, hdbindexserver, etc.) and with optional server components, like SAP
HANA dynamic tiering with its extended storage. In addition, communication can be
encrypted at the database tenant level, for multihost (distributed) environments and
between system replication sites, but these require explicit activation (global.ini,
[communication] ssl = systemPKI) and some additional steps.
Network Zones
The SAP HANA network is further protected with different zones, as shown in Figure
6.14.
Figure 6.14 SAP HANA Network Zones
[Diagram labels: Client Zone (SAP HANA Client, Browser); Internal Zone (SAP HANA XS Advanced, SAP HANA system database, tenants); Storage Zone]
A dedicated internal network zone for the SAP HANA processes on each host and
between hosts in a distributed system is also used for system replication. In addition,
a separate storage network zone controls network access between the SAP HANA sys-
tem and the storage area network (SAN) or network attached storage (NAS) device.
This zone is also used by the enterprise backup tools. Finally, any other type of access
occurs in the client zone. Each zone can be configured to use its own network adapter
(hence the different IP addresses), which enables you to physically separate internal
communication from outside access channels. We’ll discuss this separation further
in Chapter 9, Section 9.11.1.
From a security point of view, the zone that requires most attention is the client zone.
In this zone, you’ll find the following connections:
• Connections for administration purposes, for example, the SAP HANA cockpit or
  SAP HANA studio
• SQL client connections for business users, for example, SAP BusinessObjects BI
  clients using ODBC/JDBC or from Microsoft Excel (also supporting multidimensional
  expressions [MDX]) but also from the SAP S/4HANA and SAP BW
  application server
• HTTP/S client connections for business users, like the SAP HANA XS Advanced web
  client or the SAP HANA XS command line tool
• Connections for data provisioning, for example, SAP Data Services, SAP Replication
  Server, or SAP HANA streaming analytics
• Outbound connections, for example, the Solution Manager Diagnostic (SMD)
  agent to SAP Solution Manager, the R client to an external R server, or the SAP
  HANA Lifecycle Management tool to connect to Software Downloads on the SAP
  ONE Support Launchpad
Careful configuration of the firewall between the SAP HANA system and the outside
world is important. For example, for administration access, you should only allow
traffic from specific IP ranges. You could consider adding additional network protec-
tion using network address translation (NAT) or virtual private networks (VPNs) with
IPsec. With NAT, you can map the public IP address to an internal IP address using
either software or additional hardware, while a VPN creates a private connection
between one or more computers, allowing you to simulate local area network (LAN)
connections. Highly recommended, as well, is to configure network encryption (TLS)
for all client connections. These are just some examples; many others exist, and we
recommend checking with your network administrator for advice on specific
implementations.
System PKI and SSFS
A dedicated public key infrastructure (PKI) with an X.509 certificate can be set up
during the SAP HANA installation to support network encryption and is automati-
cally extended whenever you create a new tenant database or add a SAP HANA XS
Advanced host to the landscape. The PKI consists of a public and private key pair for
each host and tenant database and a public key certificate for their mutual authenti-
cation. The certificate authority is the SAP HANA instance itself, which signs all certif-
icates. The public keys are stored in a personal security environment (PSE) together
with the private key.
PKI and X.509 are common security technologies, but PSE and the associated SSFS
(secure store in the file system) are specific to SAP as is the CommonCryptoLib cryp-
tographic library used to encrypt the traffic. In the past, SAP used different cryptogra-
phy libraries for network encryption and digital signatures. Since 2013, these separate
libraries have been bundled into a shared library, the CommonCryptoLib. This
default library is used for all your cryptography needs with SAP HANA. SSFS is a tech-
nology shared with SAP NetWeaver systems; think of it as a safe to hold key files.
If you’re receiving SAP HANA as an appliance from a hardware partner or powering
up an SAP HANA instance in the cloud, you should generate a new master key for the
PKI SSFS.
Learn More
The process for changing these keys is documented in “Change the SSFS Master
Keys” in the SAP Administration Guide on the SAP Help Portal.
Tenant Database Isolation
To enhance the protection of tenant databases, you can configure SAP HANA to run
in high isolation mode. In this mode, each tenant database will run in the context of
a dedicated operating system user and group, and not under the shared <sid>adm:sapsys account.
Tenant databases are self-contained already, with separate users and object catalogs.
High isolation mode further strengthens this separation. Consider, for example, file
permissions on backups. In high isolation mode, a separate PKI is configured for
tenant database processes to ensure that only they can communicate with each other
(hdbindexserver with scriptserver, for example). You’ll need to explicitly enable
cross-database communication to allow one tenant to access data in another database.
This access is read-only and one-way (although bidirectional traffic is configurable).
Learn More
The process for changing the isolation level is documented in “Increase the System
Isolation Level” in the SAP Administration Guide on the SAP Help Portal.
Data at Rest and Backup Encryption
Knowing that network traffic can be protected is great, but what about stored data?
No surprises here, as you can encrypt data at rest as well. In fact, for the SAP Cloud
Platform, SAP HANA service, the in-memory database in the cloud, storage encryp-
tion is enabled by default and cannot be switched off.
For SAP HANA on-premise, you have a choice: You can enable data volume encryp-
tion, log volume encryption, and/or backup encryption. Backup encryption will typi-
cally be active when using any of the third-party enterprise backup solutions
supported by SAP HANA. Data volume encryption can also be activated with little
overhead as the in-memory database holds most data in-memory during operation
and data is only written to persistence by a background process during savepoints
every 5 minutes.
Tables stored on encrypted data files will take more time to load during system
startup, but this time is unlikely to be of significance as, again, most of the load will
happen in the background while the database is already open for business. For redo
log encryption, a performance impact might be noticeable as each commit will have
to wait for a write confirmation. On encrypted storage, this process will include some
extra CPU cycles. Your business users may not notice a difference, but the difference
may appear in comparative performance reports (around 5% difference is reason-
able).
The encryption root keys for data, redo log and backup encryption are also stored in
an SSFS. As in the case for the System PKI SSFS (which we discussed earlier in this sec-
tion), when you receive SAP HANA as an appliance from a hardware partner, you
should generate a new master key for the instance SSFS together with new root keys
for each service (data, log, and backup).
Figure 6.15 shows how you can enable encryption by flipping a switch. The encryption
algorithm is listed (AES-256-CBC, that is, the Advanced Encryption Standard (AES)
using a 256-bit key in Cipher Block Chaining (CBC) mode), as well as the time stamp
of the last key change.
Figure 6.15 SAP HANA Cockpit: Data Encryption Configuration
Figure 6.16 shows the location and time stamp of the system PKI and instance SSFS
plus the active version of the service root keys. Change Root Keys will start the Man-
age Keys wizard to guide you through the process, which involves the following
steps:
1. Setting a root key backup password (not to be confused with the backup root key).
2. Selecting the encryption root keys to change (data volume, redo log, backup, and/
or encryption service).
3. Saving the password-protected root keys to an external location.
4. Acknowledging that you’ve indeed saved the root keys; will never forget the
password; and fully understand that, without these root keys and their password, you
cannot recover the database.
Figure 6.16 SAP HANA Cockpit: Manage Keys
Application Encryption Service
The application encryption service can be used by SAP HANA XS and SAP HANA XS
Advanced applications to securely store encrypted values in the database, for exam-
ple, for a Java application to store encrypted credit card numbers. Both storage and
retrieval can only be performed using stored procedures owned by SYS, the object
owner of all system tables, procedures, and views, but without ability to log on. The
same service is also used by SAP HANA internally to store credentials required for
outbound connections, via SAP HANA smart data access (SDA), and to store the pri-
vate keys of the SAP HANA server as database collection, which is the equivalent of
the SSFS PSE except that the PSE is stored in the database and not in the file system.
This PSE or database collection is used for secure client-server communication, for
example, between a JDBC client (SAP HANA studio) and the SAP HANA system.
6.4 Auditing
An audit (literally, “a hearing”) is an account of events. In our case, for the SAP HANA
database and SAP HANA XS application server, an audit is a chronological, time
stamped record of selected actions or events. The audit trail or audit log tells you
what happened, who did what, and when (or attempted to). Such a record may be
required for compliance reasons or serve as evidence that your sensitive data has not
been accessed.
Like a surveillance camera, auditing per se does not protect your system; it merely
records what happened. You’ll need to turn auditing on, and not everything will be in
scope. For example, the procedure to reset the SYSTEM user password (system shut-
down followed by starting nameserver with -resetUserSystem flag) runs outside of
the scope of the database engine.
For commands executed at the operating system level, which includes system
shutdown and startup, you would consult the Linux syslog, which holds operating system
audit data. This limitation is also true for actions performed by the SAP host agent
like system updates or adding components. For this reason, configuring auditing to
use syslog as audit trail target (not internal database tables) might be practical and
may also make it easier to integrate SAP HANA auditing with other auditing tools. For
privacy reasons, however, tenant audit events are written to the internal tables
(which are configurable). Designing a proper audit policy requires some careful
thought.
The SAP HANA audit policy defines the actions to be logged. You can define multiple
policies and enable or disable them when needed. Typical candidates for auditing
include the following actions:
• Authentications: Who accessed the system and when (outside office hours)
• Authorizations: Who granted access to whom, who accessed sensitive data
• Object changes or deletions: Unexpected in production systems outside
  maintenance scopes
• System parameter changes: To avoid future blame games
When you create a new audit policy, you’ll first need to indicate whether you want to
audit successful actions, unsuccessful ones, or both. Next, you’ll select the type of
action and for which user. You can audit all actions, and you can audit all users but
not both (all actions by all users). All action policies are tagged as “firefighter” policies
and are flagged. The amount of data generated will be so massive that you may have
created for yourself a needle-in-the-haystack problem. Typically, you’ll want each
policy to capture specific actions, like defining specific objects, for example, tables
with sensitive data. Or, you might specify specific object actions. For each policy,
you’ll indicate the level (info, warning, alert, critical, or emergency) and the audit trail
target (database table or syslog). This flexibility enables you to log critical and emer-
gency entries to the syslog for direct processing, while keeping info entries in the
database for reporting, for example.
Several best practices to keep in mind with regard to auditing include the following:
• Create as few audit policies as possible (better a single complex policy than several
  simple ones).
• Avoid DML, which impacts performance more than DDL.
• Do not create policies for actions that are already audited by default (clear audit
  log).
• Do not create objects that do not allow direct access (SYS.P_USER_PASSWORD).
Figure 6.17 shows the Auditing page in the SAP HANA cockpit where you can create
and enable audit policies, configure the audit trail (database or log), and view audit
trail records.
Under the Audit Trail tab, you’ll see audit entries for both the SAP HANA database and
the SAP HANA XS Advanced application server. Figure 6.18 shows the combined All
Logs view with the SQL statement included.
Learn More
See the chapter “Auditing Activity in SAP HANA Systems” in the SAP HANA Security
Guide for more detail and further references.
Figure 6.17 Audit Policies in Auditing, SAP HANA Cockpit
Figure 6.18 Audit Trail in Auditing, SAP HANA Cockpit
6.5 SAP HANA XS Security
The SAP HANA XS (both the classic and advanced model) application servers are part
of the platform and share many security features with the database. Network encryp-
tion, for example, is configured at the system level. The same <sid>adm operating sys-
tem account owns both the database and application server software. In case of SAP
HANA XS Advanced, the default IdP (authentication service) for the application
server is the SAP HANA database. However, as we described in Chapter 2, Section 2.2.5,
the SAP HANA XS, classic model and SAP HANA XS advanced model application serv-
ers are also quite distinct, which impacts security aspects.
Authentication and authorization have been implemented differently—not
just different when comparing SAP HANA XS, classic model with SAP HANA XS,
advanced model, but also different when comparing each application server with the
SAP HANA database. To avoid three sections on authentication and another three on
authorization, which would result in much confusion and little clarity, we’ve chosen
to address the application servers in Chapter 4, Section 4.4, where we discuss security
in the context of application development.
6.6 Additional Security Considerations and Concerns
In this chapter so far, we’ve described the most important security topics for the SAP
HANA platform with a focus on the database. While database security is a good place
to start, your security considerations should not end there. To install or update SAP
HANA components (SAP HANA server, SAP HANA client, SAP HANA cockpit, SAP
HANA XS Advanced, AFL, and so on), you’ll use a single tool: SAP HANA Lifecycle
Management (see Chapter 3, Section 3.3). This tool includes its own security features,
like software authenticity verification and using lesser-privileged users for updates
(leaving the SYSTEM user disabled). This tool also introduces new security consider-
ations as you may require root user access to the operating system and new ports to
open in the firewall.
With a single SAP HANA cockpit system, you can manage an entire SAP HANA land-
scape. But what privileges should your SAP HANA cockpit users have? And how
should you configure the technical user to connect to the managed resources?
Should you enable SSO, and even enforce it? The SAP HANA cockpit also comes with
its own security requirements and considerations, as does the database explorer.
Although integrated into the SAP HANA cockpit and the SAP Web IDE for SAP HANA,
this application has its own security considerations regarding authentication, autho-
rization, and securing connections. Note also that you could use SDA for federation
or use replication technologies like SAP Data Services and SAP Landscape
Transformation Replication Server, R and Hadoop integration with the SAP HANA landscape
and SAP HANA data warehousing foundation—the list goes on.
In addition, the responsibilities of the SAP HANA security architect don’t stop at the
platform with its associated options and edition components. In this chapter, we
haven’t really mentioned topics like the security implications of running SAP
S/4HANA or SAP BW on SAP HANA, SAP BusinessObjects integration and the EPM-
MDS plugin, or access between cloud applications like SAP Analytics Cloud and on-
premise SAP HANA systems.
Nor have we discussed how SAP HANA relates to other SAP products in the cyberse-
curity and GRC spaces. Once you go beyond the introductory level, you’ll need to
address integration with products like SAP Access Control or SAP Identity Manage-
ment; with services like SAP EarlyWatch Alert, part of the security optimization ser-
vices; or with organizations such as user groups for security, data protection, and privacy.
Security is complex, and we’ve only scratched the surface.
Learn More
SAP HANA product management maintains a microsite with information about
security for an IT expert audience (our security architect persona). For more informa-
tion, visit http://s-prs.co/v488427.
SAP Notes
For additional information, search the knowledge base for articles about SAP HANA
security. A good place to start is SAP Note 2159014 – FAQ: SAP HANA Security. The
component for the SAP HANA security topic is HAN-DB-SEC.
6.7 Summary
In this chapter, we covered the most important SAP HANA security concepts with a
focus on the database. We introduced the SAP HANA security architect as a persona
by looking at the job role and the most relevant tools. We provided a quick scan of the
SAP HANA user management implementation with the available options for authen-
tication, both built-in through user name and password policies and from external
mechanisms like Kerberos, SAML, and JWT. Similarly, we investigated various
options for authorization, including hybrids like ABAP-shared business authoriza-
tions and using LDAP as both authorization and authentication provider. After the
topic of secure access, we addressed data privacy and protection with data masking
and data anonymization as interesting new features. Then, we looked at data encryp-
tion at rest and in transit using TLS/SSL, PKI, SSFS, root keys and master keys. And to
comply with regulations, we did a quick tour of the audit functionality.
In the next chapter, we’ll meet the persona responsible for connecting our SAP HANA
systems with the outside world, replicating data from source systems, integrating
with big data, or virtualizing remote data sources using SDA. Time to introduce you
to the SAP HANA data integration architect.
7
Contents
Preface
1 Introduction
1.1 What Is SAP HANA?
1.2 Key Capabilities
1.2.1 Application Development
1.2.2 Advanced Analytical Processing
1.2.3 Data Management
1.2.4 Database Management
1.3 Key Benefits
1.3.1 Reduce Complexity
1.3.2 Run Anywhere
1.3.3 Real Results
1.4 Finding Customer Stories and Use Cases
1.5 Industry Analysts
1.5.1 Gartner and the Magic Quadrant
1.5.2 Forrester Wave and IDC MarketScapes
1.6 The Road Ahead
1.7 Licensing and Maintenance
1.7.1 Licensing
1.7.2 Software Maintenance
1.8 Summary
2 Technology Overview
2.1 In-Memory Database Concepts
2.1.1 Database History in a Nutshell
2.1.2 SanssouciDB
2.2 System Architecture Overview
2.2.1 Implementation Scenarios
2.2.2 Services and Processes
2.2.3 Memory and Persistence
2.2.4 Single-Host and Distributed Systems
2.2.5 Database and Application Server
2.2.6 Data Tiering
2.3 Editions
2.3.1 SAP HANA, Platform Edition
2.3.2 SAP HANA, Express Edition
2.3.3 SAP HANA, Cloud Edition
2.3.4 Licensing, Options, and the Feature Scope Description
2.4 What’s New: Support Package Stacks and Revisions
2.4.1 SAP HANA Platform Edition 1.0
2.4.2 SAP HANA Platform Edition 2.0
2.5 Deployment Options
2.5.1 On-Premise
2.5.2 Cloud Deployments
2.6 Summary
3 Administration
3.1 Role and Tools
3.1.1 The SAP HANA Administrator
3.1.2 Tools
3.2 System Administration
3.2.1 System Configuration
3.2.2 Performance Monitoring and Analysis
3.2.3 Resource Management
3.2.4 Security
3.2.5 Backup and Recovery
3.2.6 Additional Responsibilities
3.3 SAP HANA Lifecycle Management
3.3.1 Platform Lifecycle Management
3.3.2 Product Availability Matrix
3.3.3 Installation and Update
3.3.4 Application Lifecycle Management
3.4 Application Server Administration
3.4.1 SAP HANA XS Admin Tool
3.4.2 Deploying SAP HANA XS Advanced Applications
3.5 Summary
4 Development
4.1 Role and Tools
4.1.1 The SAP HANA Developer
4.1.2 Tools
4.2 SQL and SQLScript
4.2.1 SQL
4.2.2 SQLScript
4.2.3 ABAP Managed Database Procedures
4.3 Analytic Modeling
4.4 SAP HANA Extended Application Services
4.4.1 SAP HANA XS
4.4.2 SAP HANA XS Advanced
4.5 Core Data Services
4.6 SAP HANA Deployment Infrastructure
4.7 Application Lifecycle Management
4.8 JSON Document Store
4.9 SAP Cloud Platform
4.9.1 Cloud Foundry and Neo
4.9.2 SAP Cloud Application Programming Model
4.9.3 SAP Cloud Platform, SAP HANA Service
4.10 Client Interfaces
4.10.1 SAP HANA Client Installation
4.10.2 SQLDBC
4.10.3 JDBC
4.10.4 ODBC
4.10.5 ODBO
4.10.6 Python
4.10.7 Node.js
4.10.8 Go
4.10.9 ADO.NET
4.10.10 Ruby
4.11 Web-Based Data Access
4.11.1 OData
4.11.2 Information Access
4.11.3 XMLA
4.12 SAP HANA, Express Edition
4.12.1 Deployment Options
4.12.2 Getting Started
4.13 SAP HANA Interactive Education
4.13.1 Deployment Options
4.13.2 Getting Started
4.14 Summary
5 Advanced Analytics
5.1 Roles and Tools
5.1.1 The SAP HANA Data Scientist
5.1.2 Tools
5.2 Predictive Analytics and Machine Learning
5.2.1 Application Function Library
5.2.2 Predictive Analysis Library
5.2.3 R Integration
5.2.4 External Machine Learning Library
5.2.5 Automated Predictive Library
5.3 Spatial Data Processing
5.4 Graph Data Processing
5.5 Series Data Processing
5.6 Text Analytics and Search
5.6.1 Search
5.6.2 Text Analysis
5.6.3 Text Mining
5.7 SAP HANA Streaming Analytics
5.8 Summary
6 Security
6.1 Roles and Tools
6.1.1 The SAP HANA Security Architect
6.1.2 Tools
6.2 User Management
6.2.1 Implementation Scenarios
6.2.2 User Types and User Groups
6.2.3 Authentication
6.2.4 Authorization
6.3 Data Privacy and Protection
6.3.1 Data Masking
6.3.2 Data Anonymization
6.3.3 Encryption
6.4 Auditing
6.5 SAP HANA XS Security
6.6 Additional Security Considerations and Concerns
6.7 Summary
7 Data Integration
7.1 Roles and Tools
7.1.1 The SAP HANA Data Integration Architect
7.1.2 Tools
7.2 SAP HANA Data Management Suite
7.2.1 SAP Data Hub
7.2.2 SAP Enterprise Architecture Designer
7.2.3 SAP Cloud Platform Big Data Services
7.3 Enterprise Information Management
7.3.1 SAP HANA Smart Data Integration and SAP HANA Smart Data Quality
7.3.2 SAP Data Services
7.3.3 SAP Agile Data Preparation
7.4 Data Federation with SAP HANA Smart Data Access
7.5 Remote Data Synchronization
7.6 Data Replication
7.6.1 SAP Landscape Transformation Replication Server
7.6.2 SAP Replication Server
7.7 Big Data
7.7.1 SAP Vora
7.7.2 SAP HANA Hadoop Integration
7.8 Summary
8 Data Architecture
8.1 Roles and Tools
8.1.1 The SAP HANA Data Architect
8.1.2 Tools
8.2 SAP Enterprise Architecture Designer
8.3 Scaling SAP HANA
8.3.1 Distributed Systems
8.3.2 Scale-Up
8.3.3 Scale-Out
8.3.4 Configuring Scale-Out Systems
8.3.5 Scale-Out for SAP HANA XS Advanced
8.4 Data Tiering
8.4.1 Persistent Memory
8.4.2 SAP HANA Native Storage Extension
8.4.3 SAP HANA Extension Nodes
8.4.4 SAP HANA Dynamic Tiering
8.4.5 SAP Data Hub and the Spark Controller
8.5 Data Distribution
8.5.1 Table Partitioning
8.5.2 Table Placement and Distribution
8.5.3 Table Replication
8.6 SAP HANA Data Warehousing Foundation
8.6.1 Data Distribution Optimizer
8.6.2 Data Lifecycle Manager
8.6.3 Native Datastore Objects
8.7 Summary
9 Data Center Architecture
9.1 Roles and Tools
9.1.1 The SAP HANA Data Center Architect
9.1.2 Tools
9.2 Implementation Overview
9.2.1 Sizing SAP HANA
9.2.2 Implementation Partners
9.3 Deployment Options
9.3.1 Hybrid and Multicloud
9.3.2 Single-Host and Distributed Systems
9.3.3 Technical Deployments (MCOS and MCOD)
9.3.4 Tenant Databases
9.3.5 Virtualization
9.4 On-Premise SAP HANA
9.4.1 Appliance
9.4.2 Tailored Data Center Integration
9.5 Hardware Technologies
9.5.1 Intel Optane Persistent Memory
9.5.2 IBM Power Systems
9.6 Operating System Platforms
9.6.1 SUSE
9.6.2 Red Hat
9.7 Infrastructure-as-a-Service Providers
9.7.1 Amazon Web Services
9.7.2 Microsoft Azure
9.7.3 Google Cloud Platform
9.7.4 Public Cloud Providers
9.8 Migration
9.8.1 AnyDB to SAP HANA
9.8.2 Software Update Manager Database Migration Option
9.8.3 Custom Applications
9.8.4 Third-Party Applications
9.9 High Availability and Disaster Recovery
9.10 System Replication
9.10.1 Configuration
9.10.2 Multitier and Multitarget
9.10.3 Active/Active Read-Enabled System Replication
9.11 Network Administration and Landscape Management
9.11.1 Network Administration
9.11.2 SAP Landscape Management
9.11.3 SAP Solution Manager
9.12 Summary
10 Training and Support
10.1 Training
10.1.1 SAP Education
10.1.2 openHPI and openSAP
10.1.3 SAP HANA Academy
10.1.4 SAP Developer Center
10.2 SAP Services and Support
10.2.1 SAP Digital Business Services
10.2.2 SAP Support
10.2.3 SAP Help Portal
10.2.4 SAP ONE Support Launchpad
10.3 SAP Community
10.4 SAP Events
10.4.1 SAPPHIRE NOW
10.4.2 SAP TechEd
10.4.3 CodeJams and SAP Inside Track
10.4.4 SAP HANA Operation Expert and Developer Summit
10.5 User Groups, Alliances, and More
10.5.1 SAP User Groups
10.5.2 Customer Engagement Initiatives
10.5.3 SAP University Alliances and SAP HANA Database Campus
10.5.4 HanaHaus and the Innovation Center Network
10.5.5 SAPinsider Magazine and Conferences
10.6 Summary
The Author
Index
Index
@OData.publish .................................................... 196
A
ABAP ................................................................ 158, 301
ABAP Managed Database Procedures
(AMDP) ................................................................. 158
background ........................................................ 158
call SQLScript ..................................................... 158
Access point ............................................................ 249
Acclaim ..................................................................... 391
ACID compliance .................................................. 174
Active/active read-enabled .................................. 68
background ........................................................... 78
system replication ........................................... 373
ActiveRecord ........................................................... 195
ActiveX Data Objects (ADO) ............................. 194
Administration ......................................................... 95
additional responsibilities ............................ 129
application ......................................................... 129
application server ............................................ 141
backup and recovery ...................................... 124
performance monitoring .............................. 108
resource management ................................... 118
security ................................................................. 123
system ................................................................... 105
system configuration ..................................... 105
tools .......................................................................... 97
Administrator .................................................... 62, 96
Admission control ................................................ 122
ADO.NET ................................................................... 193
background ........................................................ 194
Advanced analytical processing ........................ 31
Advanced analytics .................................... 213, 214
tools ....................................................................... 215
Advanced datastore objects (ADSO) .............. 333
Aggregated health ................................................ 114
Aggregates ........................................................... 33, 54
Agility ........................................................................... 82
Alerts app ................................................................. 121
Alibaba Cloud .................................................. 85, 364
Amazon Web Services (AWS) .................... 85, 360
Analysis .................................................................... 213
Analytic modeling ................................................ 160
Analytical privileges ......................... 162, 265, 268
Analytical processing engine .............................. 36
Analytics .................................................................. 213
Analytics adapter .................................................. 199
Analyze Memory History app ......................... 120
AnyDB ....................................................................... 104
migration ............................................................ 365
SAP HANA Database Lifecycle Manager,
background ........................................................... 73
Apache Spark .......................................................... 304
background ........................................................ 305
Appliance .......................................................... 37, 350
Application development .................................... 30
Application encryption service ...................... 277
Application function ....................................... 32, 35
Application Function Library (AFL) ............... 220
background ........................................................... 74
Application Function Modeler (AFM) .......... 216
background ........................................................... 75
Application lifecycle management ..... 103, 130, 139, 173
background ........................................................... 73
Application privilege ........................................... 266
Application server ..................................... 28, 30, 65
administration .................................................. 141
implementation .................................................. 58
user management .................................. 252, 254
Application services ............................................... 35
Architecture ............................................................... 30
application server ............................................... 65
data ....................................................................... 309
data center ......................................................... 337
data tiering ............................................................ 66
memory .................................................................. 62
overview ................................................................. 57
persistence ............................................................. 62
services .................................................................... 58
three-tier ................................................................. 65
Artifact ................................................... 152, 171, 312
Artificial intelligence (AI) ........... 32, 80, 219, 288
Assertion ticket ..................................................... 260
Associate certification ........................................ 390
Association algorithm ........................................ 221
Asynchronous replication ................................ 330
Attribute ................................................................... 162
Audit .......................................................................... 278
trails ...................................................................... 279
Audit policy ............................................................ 278
create .................................................................... 279
Auditing ................................................................... 278
best practices ..................................................... 279
Authentication ...................................................... 256
basic ...................................................................... 256
external ................................................................ 259
tile .......................................................................... 123
Authorization ........................................................ 261
additional privileges ....................................... 266
analytical privileges ....................................... 265
concept ................................................................. 262
object privileges ............................................... 264
predefined catalog roles ............................... 262
predefined users ............................................... 262
shared ................................................................... 265
system privileges .............................................. 263
trace ...................................................................... 267
troubleshooting ................................................ 266
users and roles .................................................. 261
Automated Predictive Library (APL) ............. 227
Automation Studio .............................................. 376
B
Background job ..................................................... 112
BACKINT SDK for SAP HANA .................... 74, 126
Backup ................................................... 124, 125, 370
automate ............................................................ 125
diagnostic tool .................................................. 127
encryption .......................................................... 275
replication .......................................................... 300
third-party tools ............................................... 128
Backup scheduler ................................................. 125
Benefits ........................................................................ 34
agility ...................................................................... 36
lower TCO ............................................................... 36
real results ............................................................. 38
reduce complexity .............................................. 35
run anywhere ....................................................... 36
Big data ............................................................... 33, 303
security ................................................................. 248
Blocked transaction ............................................. 110
Bring your own license (BYOL) ................... 37, 46
Buffer cache ............................................................. 322
Buildpack .................................................................. 166
Business continuity ............................................... 63
Business function ................................................... 35
Business Function Library (BFL) ...................... 220
Business logic processing .................................... 35
Business rule processing ...................................... 35
C
C_HANATEC_15 exam ........................................ 388
Calculation engine ................................................ 160
Calculation view .......................................... 160, 161
background ......................................................... 160
K-anonymity ...................................................... 270
search .................................................................... 239
Capabilities ................................................................ 30
advanced analytical processing ................... 31
application development ................................ 30
data management ............................................. 33
database management .................................... 33
Capture and replay ............................................... 115
comparison report ........................................... 116
Cascade Lake ............................................................. 34
Catalog browser ..................................................... 102
Catalog role .............................................................. 262
CCLScript .................................................................. 244
Certification ............................................................ 388
exams .................................................................... 390
Change and Transport System (CTS+) ........... 174
Characteristics .......................................................... 29
Classification algorithm ..................................... 221
Client .......................................................................... 375
install ..................................................................... 181
Client interface ....................................................... 181
Client zone ............................................................... 273
Client/server model ............................................... 65
Client-side encryption .......................................... 80
Cloud deployment .................................... 28, 37, 85
platform lifecycle management ................. 131
releases .................................................................... 47
Cloud Foundry ................... 68, 143, 166, 178, 180
containers ........................................................... 178
Cloud provider .......................................................... 85
Cloud-enablement .................................................. 76
Cloud-first approach ........................................ 44, 47
CloudHook .............................................................. 226
Cluster ......................................................... 63, 64, 316
Clustering algorithm ........................................... 220
Code pushdown ............................. 31, 55, 157, 158
CodeJam ................................................................... 415
Cold data ............................................................ 66, 325
Cold store ................................................................. 321
Collection ................................................................. 175
Columnar storage ............................................. 33, 55
history ...................................................................... 55
limitations .......................................................... 327
Command line ....................................................... 131
Command line installer ..................................... 137
Command line interface (CLI) ................ 103, 167
cf ............................................................................. 144
xs ................................................................... 140, 144
CommonCryptoLib .............................................. 181
background ........................................................... 75
encryption ........................................................... 274
Component .......................................................... 135
compileserver ........................................................... 60
Complex event processing (CEP) ............. 32, 243
computeserver .......................................................... 61
Conceptual data model (CDM) ........................ 312
Configuration ......................................................... 105
compare ............................................................... 107
templates ............................................................. 107
Configuration manager ..................................... 108
Connection adapter ............................................. 293
Container group .................................................... 144
Continuous Computation Language (CCL) ............................................................ 217, 244
Core Data and Services ............................. 170, 179
Core data services (CDS) ..................................... 169
background .......................................... 74, 81, 170
file extension ...................................................... 171
persistence data model .................................. 172
table definition ................................................. 170
Customer Center of Expertise (Customer COE) ................................................ 403
Customer Influence ............................................. 417
Customer story ......................................................... 39
find ............................................................................ 40
D
Daemon ....................................................................... 59
Data aging ................................................................... 66
administration .................................................. 129
Data anonymization .................................... 80, 270
Data architect ...................................... 309, 310, 339
Data architecture .................................................. 309
tools ....................................................................... 310
Data at rest .............................................................. 275
Data breach ............................................................. 247
Data center .............................................................. 344
administration .................................................. 129
Data center architect ........................................... 338
Data center architecture .................................... 337
tools ....................................................................... 339
Data controller ....................................................... 270
Data definition language (DDL) ............. 169, 264
Data distribution ........................................... 63, 326
Data Distribution Optimizer (DDO) ................ 66, 310, 332
Data federation ...................................................... 297
background ........................................................... 74
Data foundation .................................................... 150
Data governance ................................................... 287
Data integration ............................................. 33, 285
Data integration architect ................................. 286
Data lake ............................................................... 33, 66
Data Lifecycle Manager ......... 181, 310, 311, 319, 324, 333
Data management ........................................ 33, 287
tools ....................................................................... 292
Data manipulation language (DML) ............. 264
Data mart ................................................. 57, 252, 300
replication .......................................................... 302
Data masking .................................................. 79, 268
functions ............................................................. 269
implement .......................................................... 269
templates ............................................................ 269
Data modeling ....................................................... 148
Data orchestration ...................................... 287, 289
Data partitioning .................................................. 315
Data Pipelines app ............................................... 290
Data privacy ............................................................ 268
Data protection ..................................................... 268
Data provisioning ......................................... 33, 285
Data Provisioning Adapter ............................... 293
Data Provisioning Agent ................................... 293
Data replication ..................................................... 300
Data scientist ................................................. 213, 215
Data source ............................................................. 185
Data source name (DSN) .................................... 185
Data storage ............................................................... 62
Data stream ................................................................ 33
Data tiering ...................................... 33, 66, 315, 320
administration ................................................. 129
persistent memory .......................................... 353
Data virtualization .................................................. 33
Data volume snapshot ....................................... 126
Data warehouse ........................................................ 54
Database explorer ....................................... 102, 216
cloud ........................................................................ 88
graphs .................................................................. 234
security ................................................................ 281
trace files ............................................................. 117
Database history ...................................................... 52
hardware access times ..................................... 53
SanssouciDB ......................................................... 54
Database isolation ................................................ 347
Database management ......................................... 33
Database Migration Factory ............................. 368
Database Migration Option (DMO) ............... 366
Database object ..................................................... 264
Database user ......................................................... 261
restricted ............................................................. 263
system .................................................................. 262
Database-stored procedure ................................. 35
Datastore .................................................................... 30
DBA Cockpit ................................ 101, 104, 365, 378
DBSCAN .................................................................... 231
Delivery unit .......................................................... 174
Deployment ............................................................... 28
appliance ............................................... 37, 85, 350
best practices ........................................................ 48
business scenarios .............................................. 48
cloud ........................................................................ 85
data centers ........................................................ 344
decision factors ................................................... 48
distributed system ........................................... 344
licensing ................................................................. 46
multicloud ........................................................... 344
on-premise ............................................ 71, 85, 350
options ............................................................. 37, 84
TDI ................................................................... 37, 351
technical ............................................................... 345
Design-time container (DTC) .................. 144, 172
Developer ....................................................... 147, 148
Development .......................................................... 147
administration .................................................. 130
artifacts ................................................................ 171
client interfaces ................................................. 181
MTA ........................................................................ 149
native .................................................................... 163
tools ....................................................................... 150
web-based data access ................................... 195
Development perspective ................................. 142
Differential privacy .............................................. 270
Disaster recovery ........................................ 368, 369
features ................................................................. 370
diserver .............................................................. 61, 172
Distributed database ............................................ 316
Distributed system ................................................. 63
advantages ......................................................... 317
background .................................................. 64, 315
configure .............................................................. 318
deployment ......................................................... 344
nameserver ........................................................... 60
SAP HANA XS Advanced ................................ 319
scaling ................................................................... 315
system health ..................................................... 114
Docker ........................................................................ 203
docstore ............................................................. 61, 175
Document ...................................................... 174, 175
Documentation ..................................................... 405
dpserver ...................................................................... 61
Dynamic partition pruning .............................. 328
Dynamic random-access memory (DRAM) ................................................ 62, 321, 353
Dynamic tiering ....................................................... 66
Dynamic-link library (DLL) ................................ 184
E
E-Academy ............................................................... 384
Eclipse ........................................................................... 99
IDE .......................................................................... 150
Editions ........................................................................ 67
cloud ......................................................................... 68
express .............................................................. 67, 87
platform ........................................................... 67, 87
standard ................................................................. 69
Efficiency ..................................................................... 82
Encryption ..................................................... 249, 271
algorithm ............................................................ 276
background ........................................................ 271
backup .................................................................. 275
client-side ............................................................... 80
enable ................................................................... 276
network ................................................................ 272
network zones ................................................... 272
Enterprise data warehouse (EDW) ................. 310
build ...................................................................... 331
Enterprise information management (EIM) ............................................ 33, 286, 291, 292
Enterprise Semantic Services (ESS) ................ 296
Entity extraction ................................................... 241
EPM-MDS ................................................................. 198
esserver ........................................................................ 61
Event .......................................................................... 243
Event stream processing ............................ 32, 243
Event-driven architecture (EDA) .................... 243
Exact search ............................................................ 239
Execution agent .................................................... 167
Expensive statement trace ............................... 117
Expensive Statements app ............. 111, 117, 156
Extensibility .................................................. 177, 318
Extension node ............................................ 321, 322
configure ............................................................. 322
External Machine Learning Library (EML)
architecture ........................................................ 225
code snippets ..................................................... 226
External Machine Learning library (EML) ... 225
Extract, transform, and load (ETL) ..... 33, 54, 295
Extraction ................................................................ 240
F
Fact extraction ....................................................... 241
Failback ..................................................................... 372
Fast restart option ................................................ 119
Fault resiliency ...................................................... 368
Fault tolerant .......................................................... 368
Feature Scope Description .................. 68, 70, 408
Federated database .............................................. 316
Fencing ..................................................................... 319
File system layout ................................................ 138
Flowgraph ............................................. 217, 293, 312
Forrester Wave ................................................... 41, 42
Function library ....................................................... 61
Fuzzy search .................................................. 239, 240
G
Geocoding ............................................................... 231
Geographic information system (GIS) ......... 228
Getting Started Guide .................................. 72, 406
GitHub ............................................ 77, 153, 207, 398
Go ................................................................................ 192
background ........................................................ 192
Go driver .................................................................. 192
Google BigQuery ................................................... 295
Google Cloud Platform (GCP) ................... 85, 362
SAP HANA guides ............................................ 363
Governance, risk, and compliance (GRC) .... 249
Graph algorithm ................................................... 233
Graph database ...................................................... 232
Graph engine .......................................................... 233
Graph processing ........................... 32, 83, 214, 232
background ........................................................... 78
Graph workspace viewer .......................... 216, 234
Graphical calculation view ............................... 161
GraphScript ............................................................. 233
Grid ............................................................................. 231
Guided Answers ................................. 118, 403, 409
topics .................................................................... 409
troubleshooting ................................................ 267
H
Hadoop ..................................................................... 245
background ................................................. 76, 304
integration ................................................ 305, 306
Hadoop distributed file system (HDFS) ......................................................... 304, 325
HanaHaus ................................................................ 418
Hardware configuration check ....................... 351
Hash partitioning ................................................. 328
Hasso Plattner ................................................ 56, 391
Hasso Plattner Institute (HPI) .................. 54, 391
HDB command ......................................................... 97
hdbalm ................................................... 103, 140, 174
hdbbackupcheck .......................................... 127, 128
hdbdaemon ............................................................ 369
hdblcm ... 103, 131, 139, 181, 310, 311, 319, 324
background ........................................................... 73
hdbsql ................................................................. 99, 182
hdbuserstore .......................................... 99, 182, 186
HDI container ............................................... 144, 172
create .................................................................... 172
HERE .......................................................................... 230
Hexagon ................................................................... 231
High availability ........................................... 317, 368
elements .............................................................. 369
Hint ............................................................................ 156
Hive ............................................................................ 305
Horizontal aggregation ...................................... 236
Horizontal scalability ......................................... 314
Host auto-failover ......................... 60, 74, 318, 369
Hot data ....................................................................... 66
Hot store .................................................................. 320
HTTP .......................................................................... 149
Huawei ...................................................................... 364
Hybrid database ....................................................... 33
Hybrid deployment ............................... 37, 48, 344
Hybrid operational/analytical processing (HOAP) ............................................. 42
Hybrid transaction/analytical processing (HTAP) .................................... 41, 160
Hype cycle ........................................................ 41, 219
Hyper-converged infrastructure (HCI) ........... 82
Hyperscaler ................................................................ 85
I
IBM ............................................................................. 355
IBM Cloud ................................................................ 364
IBM Power Systems .............................................. 355
background ........................................................... 77
IBM System R ............................................................ 52
Implementation ...................................................... 57
application server .............................................. 58
data mart ............................................................... 58
greenfield ............................................................. 341
native development ........................................... 58
overview ............................................................... 340
partners ................................................................ 342
scenarios ................................................................ 57
sidecar ..................................................................... 73
sizing ..................................................................... 340
user management ............................................ 252
Incident ..................................................................... 409
In-database processing ......................................... 31
Index ..................................................................... 53, 55
full-text ................................................................. 239
search .................................................................... 238
indexserver ......................................................... 60, 61
background ........................................................... 60
Industry analyst ....................................................... 41
Information Access (InA) ......................... 195, 198
expose ................................................................... 199
Information view .................................................. 160
Infrastructure-as-a-service (IaaS) ............... 37, 86
providers .............................................................. 360
INI file ......................................................................... 105
In-memory database ............................... 31, 35, 54
concepts ................................................................. 52
Innovations ............................................................... 43
Installation ..................................................... 135, 201
Integrated business environment (IDE) ...... 150
Integration ............................................................... 285
flows ....................................................................... 287
Hadoop ....................................................... 305, 306
tools ....................................................................... 287
Integration services ................................................ 28
Intel Optane ...................................................... 62, 353
capacity ................................................................ 353
Intel Xeon Platinum 8280 processor ............... 34
Intelligence ................................................................ 82
Intelligent enterprise ...................................... 35, 80
International Data Corporation (IDC) ............. 42
Internet of Things (IoT) ............................... 32, 291
security ................................................................. 248
Invisible takeover .......................................... 81, 372
J
Java ............................................................................. 149
background ........................................................ 163
Java Archive (JAR) file .......................................... 183
Java Database Connectivity (JDBC) ......... 99, 183
background ................................................. 80, 184
JavaScript ................................................................. 149
background ........................................................ 163
JavaScript Object Notation (JSON) ................. 175
JSON document store .......................................... 174
background ........................................................... 79
SQL ......................................................................... 176
JSON web tokens (JWT) ....................................... 260
Jupyter notebook .................................................. 189
K
K-anonymity .......................................................... 270
Kerberos ................................................................... 259
background ........................................................ 260
Kernel profiler ........................................................ 117
Key performance indicator (KPI) .................... 108
K-means .................................................................... 231
K-nearest neighbors (KNN) ............................... 242
Knowledge base articles ..................................... 408
Kubernetes .............................................................. 304
L
Landscape management .................................... 374
Learning journey .................................................. 382
SAP HANA ........................................................... 382
Licensing .............................................................. 46, 68
enterprise ............................................................... 68
runtime ................................................................... 68
standard ................................................................. 68
Lightweight Directory Access Protocol (LDAP) ................................................................... 268
authentication .................................................. 155
background ........................................................... 79
Linguistic search ................................................... 239
Linked database ..................................................... 297
Linux .......................................................... 98, 132, 356
command line ...................................................... 97
Live intelligence ....................................................... 44
Log replication task ............................................. 371
Logon ticket ............................................................ 260
M
Machine learning ................ 32, 80, 214, 218, 288
SAP Support ....................................................... 402
Maintenance ...................................................... 46, 47
cycles ........................................................................ 47
releases .................................................................... 47
MarketScapes ............................................................ 42
Massive online open courseware (MOOCs) .............................................................. 382
Master data table .................................................. 330
Matrix ........................................................................ 225
Measure .................................................................... 162
Memory access ......................................................... 53
Memory management .......................................... 96
Memory Usage app .............................................. 119
Microsoft Azure .............................................. 85, 362
Microsoft Excel ...................................................... 187
Middle tier .................................................................. 30
Migration ................................................................. 364
AnyDB to SAP HANA ...................................... 365
custom applications ....................................... 367
SUM DMO ........................................................... 366
third-party applications ................................ 368
Miscellaneous algorithm ................................... 222
Modeling perspective ......................................... 150
Monitor Landscape dashboard ....................... 114
Monitor Performance app ................................ 120
Monitor Statements app ................................... 110
Monitoring
performance ...................................................... 108
proactive ............................................................. 122
Mount point ........................................................... 138
Multicloud environment .................................. 344
Multicontainer database (MDC) system ........ 60
Multidimensional database ............................. 187
Multidimensional expressions (MDX) .......................................................... 160, 201
Multidimensional services (MDS) ................. 198
Multinode system ................................................... 64
Multiple components in one database (MCOD) ................................................................ 345
Multiple components in one system (MCOS) ................................................................. 345
Multistore table ..................................................... 323
Multitarget application (MTA) ............... 103, 149
Multitarget system replication .......................... 81
Multitenant database container (MDC)
background ........................................................... 76
Multitier environment ....................................... 372
N
nameserver ................................................................ 60
Native application ................................................ 149
Native datastore object (NDSO) ...................... 333
flowgraphs .......................................................... 333
Native development .................................... 58, 170
Native SAP HANA transport ............................. 174
Natural language processing (NLP) ...... 238, 241
Near-zero downtime maintenance (nZDM) ................................................................. 371
Neo ............................................ 68, 88, 178, 180, 347
Network .................................................................... 374
Network address translation (NAT) ............... 273
Network administration ........................... 374, 375
web-based access ............................................. 375
Network attached storage (NAS) ........... 273, 350
Network encryption ............................................ 248
Network zone ......................................................... 272
client ..................................................................... 375
scale-out .............................................................. 319
security ................................................................ 273
ngdbc.jar .................................................................. 183
Node .............................................................................. 32
Node.js ...................................................................... 190
background ........................................................ 191
client ..................................................................... 191
Non-volatile memory (NVM) .............................. 62
Non-volatile random-access memory (NVRAM) .................................................... 321, 353
NoSQL
database .............................................................. 174
diagrams ............................................................. 312
O
Object privilege ...................................................... 264
OData ......................................................................... 196
background ......................................................... 196
consume ............................................................... 196
define metadata service ................................ 197
libraries ................................................................. 196
services ................................................................. 195
OLE DB for OLAP (ODBO) ................................... 187
background ......................................................... 188
Online analytical processing (OLAP) ............... 28
Online transactional processing (OLTP) ........ 28
On-premise deployment ...................................... 28
Open Database Connectivity (ODBC) ............ 184
background .................................................. 80, 186
configure .................................................... 185, 186
define data sources .......................................... 185
driver manager .................................................. 185
Open SQL .................................................................. 158
openCypher ............................................................. 234
openHPI .................................................................... 391
openSAP .......................................................... 382, 392
courses ........................................................ 387, 393
digital badge ...................................................... 396
introduction to SAP HANA ............................. 56
Operating system platforms ............................ 356
Optimization ........................................................... 108
Options ........................................................................ 68
add-on products .................................................. 70
P
Package ...................................................................... 174
Parallelized ............................................................... 327
Partition .................................................................... 326
pruning ................................................................. 328
Password ................................................................... 257
blacklist ................................................................ 258
lifetime .................................................................. 258
Password policy ..................................................... 257
failed logon ......................................................... 258
length and composition ................................ 258
lifetime .................................................................. 258
user lock ............................................................... 258
Persistence ................................................................. 62
Persistent memory .................... 62, 119, 321, 353
background ........................................................ 353
implement ........................................................... 354
syntax example ................................................ 354
Persistent staging areas (PSA) .......................... 333
Personal security environment (PSE) ........... 274
Plan Visualizer ....................................................... 156
Planned downtime ............................................... 371
Platform lifecycle management ............. 97, 103, 130, 131
install .................................................................... 135
interfaces ............................................................. 131
SAP HANA XS Advanced ............................... 141
Platform-as-a-service (PaaS) ...................... 86, 177
Plugin ........................................................................ 150
Powered by SAP HANA ................................... 58, 73
PowerShell .................................................................. 97
Predictive algorithms ............................................ 32
Predictive Analysis Library (PAL) .............. 32, 83, 216, 220
algorithms .......................................................... 220
Predictive analytics ............................. 32, 214, 218
background ........................................................ 219
Preprocessing algorithm ................................... 221
Preprocessor .............................................................. 61
Pricing ....................................................................... 318
Principle of least privilege (PoLP) ......... 123, 262
Private cloud ....................................................... 85, 87
Privileges .................................................................. 261
additional ............................................................ 266
analytic ................................................................... 81
analytical .................................................. 265, 268
grant ...................................................................... 266
manage ................................................................ 263
object .................................................................... 264
select ...................................................................... 264
system ................................................................... 263
Process map ............................................................ 313
Product Availability Matrix (PAM) ......... 47, 133
Product installer .................................................... 140
Professional certification .................................. 390
Provisioning ........................................................... 285
Public cloud ......................................................... 85, 87
providers .............................................................. 364
Public key infrastructure (PKI) ........................ 274
Publish-subscribe model ................................... 303
PuTTY ........................................................................... 97
Python ....................................................................... 188
background ........................................................ 190
install .................................................................... 189
PITR ....................................................................... 127
uses ........................................................................ 190
Q
Query optimizer .................................................... 329
Quick Sizer ............................................................... 341
R
R
background ........................................................ 223
integration ................................................ 222, 223
server .................................................................... 222
Range partitioning ............................................... 328
Rapid Development Environment (RDE) ....... 76
Real-time analytics ................................................. 35
Recommender systems ..................................... 221
recoverSys.py ......................................................... 127
Recovery .......................................................... 124, 126
considerations .................................................. 126
example ............................................................... 127
Recovery period objective (RPO) .................... 369
Recovery time objective (RTO) ............... 300, 369
Red Hat ..................................................................... 358
background ........................................................ 360
Red Hat Enterprise Linux (RHEL) ............ 98, 358
background ........................................................... 75
software components .................................... 359
Redo log encryption ............................................ 275
Regression algorithm ......................................... 221
Relational database management system (RDBMS) ............................... 52, 154, 232
Release theme ........................................................... 51
Releases ....................................................................... 71
Remote data source ............................................. 297
Remote data synchronization ................ 298, 316
client ..................................................................... 299
Replication .............................................................. 300
bidirectional ....................................................... 303
network administration ................................ 375
system ..................................................................... 34
table ...................................................................... 330
technologies .......................................................... 33
types ...................................................................... 331
Repository ............................................ 142, 152, 171
Representational State Transfer (REST) ....... 196
Resource management ...................................... 118
Restricted user .............................................. 254, 263
RISC architecture .................................................. 355
River Definition Language (RDL) ....................... 76
RLANG ....................................................................... 223
Roadmap ..................................................................... 43
sections ................................................................... 43
themes ..................................................................... 44
Role ............................................................................ 261
public .................................................................... 263
support ................................................................. 263
Round-robin partitioning ................................. 328
Row storage ............................................................... 55
Ruby ........................................................................... 194
background ........................................................ 195
Ruby on Rails .......................................................... 194
RubyGems ............................................................... 194
Runtime container (RTC) .......................... 144, 172
S
SanssouciDB ............................................. 54, 55, 391
SAP ActiveEmbedded .......................................... 400
SAP Adaptive Server Enterprise (SAP ASE) .... 57
SAP Advanced SQL Migration ......................... 367
data sources ....................................................... 367
SAP Agile Data Preparation ..................... 292, 296
interface .............................................................. 297
SAP Application Performance Standard (SAPS) .................................................................... 342
SAP Business Warehouse (SAP BW) ...... 322, 333
SAP BW/4HANA ............................................. 55, 322
SAP certification ................................................... 388
SAP Certified Solutions Directory .................. 128
SAP Cloud Appliance Library ........... 91, 202, 334
Azure ..................................................................... 362
solutions ................................................................. 92
SAP Cloud Application Programming Model ........................................................... 170, 179
SAP Cloud Platform .............................................. 177
background ........................................................... 88
development ....................................................... 149
integration ............................................................ 65
use cases ............................................................... 177
SAP Cloud Platform Big Data Services ........... 79, 288, 291
background ......................................................... 291
SAP Cloud Platform cockpit ................ 88, 90, 346
SAP Cloud Platform, SAP HANA service ................... 47, 68, 71, 88, 149, 180, 346
Azure ..................................................................... 362
develop apps ....................................................... 180
platform lifecycle management ................. 131
releases ................................................................... 44
SAP Community .................................................... 411
SAP CoPilot .............................................................. 402
SAP corporate fact sheet ....................................... 38
SAP Data Hub ...................................... 287, 288, 325
advantages ......................................................... 326
background ........................................................... 77
capabilities .......................................................... 289
cold data tiering ............................................... 325
launchpad ........................................................... 289
SAP Data Intelligence .......................................... 288
SAP Data Services .............................. 237, 292, 295
background ......................................................... 296
designer ................................................................ 295
SAP DB Control Center ................................. 76, 101
SAP Developer Center ......................................... 399
tutorials ................................................................ 399
SAP Digital Business Services ................ 342, 351, 400, 401
SAP Download Manager ..................................... 204
SAP Early Adopter Care ......................................... 72
SAP EarlyWatch Alert ........................................... 122
SAP Education .............................................. 381, 382
certifications ...................................................... 388
courses .................................................................. 385
SAP HANA ............................................................ 387
SAP Enterprise Architecture Designer ........................ 288, 291, 310, 311, 339
background .................................................. 79, 314
diagrams .............................................................. 312
homepage ............................................................ 312
reverse engineer ................................................ 313
SAP Event Stream Processor ............................ 243
background ........................................................... 75
SAP HANA 1.0 ............................................................ 72
SPS 03 ....................................................................... 72
SPS 04 ...................................................................... 73
SPS 05 ....................................................................... 73
SPS 06 ...................................................................... 74
SPS 07 ....................................................................... 75
SPS 08 ...................................................................... 75
SPS 09 ...................................................................... 76
SPS 10 ....................................................................... 77
SPS 11 ........................................................................ 77
SPS 12 ........................................................................ 78
SAP HANA 2.0 ............................................................ 78
develop apps ...................................................... 180
native development ........................................ 164
PAM ....................................................................... 133
SAP HANA cockpit ........................................... 101
SPS 01 ....................................................................... 79
SPS 02 ....................................................................... 80
SPS 03 ....................................................................... 80
SPS 04 ...................................................................... 81
SAP HANA Academy ............................................ 396
GitHub repositories ......................................... 398
YouTube playlists ............................................. 397
SAP HANA Accelerator for SAP ASE .................. 57
SAP HANA Administration Guide ........... 72, 406
SAP HANA application lifecycle management ........................ 103, 139, 140, 173
SAP HANA client ................................................... 149
SAP HANA Cloud Services ................... 37, 45, 288
SAP HANA clusters .................................................. 64
SAP HANA cockpit ......................................... 97, 101
alerts ..................................................................... 121
anonymization views ..................................... 270
auditing ............................................................... 279
authentication .................................................. 123
background ............................................ 76, 77, 79
backup scheduler ............................................. 126
backups ................................................................ 125
cloud ......................................................................... 88
data architecture ............................................. 311
editions .................................................................... 68
encryption ........................................................... 276
home ..................................................................... 115
manage keys ...................................................... 277
manage landscape .......................................... 107
memory analysis .............................................. 120
memory resource management ................ 119
offline administration ................................... 101
privileges .................................................... 263, 264
replay monitor .................................................. 116
replication .......................................................... 302
security .............................................. 124, 249, 281
streaming analytics ........................................ 245
system configuration ..................................... 106
system overview ............................................... 108
system replication ........................................... 371
table redistribution ......................................... 329
trace files ............................................................. 117
updates ................................................................ 102
user groups ......................................................... 256
user management ........................................... 254
workload analysis ........................................... 112
SAP HANA Data Management Suite ............. 287
SAP HANA data warehousing foundation ................................................ 310, 331
trial version ........................................................ 334
SAP HANA database interactive terminal ..... 99
SAP HANA Deployment Infrastructure (HDI) ...................................................................... 171
administration .................................................. 144
application lifecycle management ........... 174
CDS ........................................................................ 171
diserver ................................................................... 61
versus repository .............................................. 172
SAP HANA dynamic tiering ....................... 66, 323
architecture ........................................................ 323
background ................................................. 76, 324
esserver ................................................................... 61
history ..................................................................... 55
SAP HANA Enterprise Cloud ............................... 87
background ........................................................... 88
SAP HANA Finder .................................................... 39
SAP HANA hardware directory ................... 36, 77
SAP HANA Interactive Education (SHINE) ................................................................. 206
background ........................................................... 75
dashboard .................................................. 208, 209
deployment options ........................................ 207
getting started .................................................. 208
SAP HANA interactive terminal ..................... 182
SAP HANA Lifecycle Management ............... 130, 281, 318
SAP HANA Master Guide ...................................... 27
SAP HANA native storage extension ..... 66, 321
SAP HANA One ............................................... 86, 360
SAP HANA Operation Expert and Developer Summit .......................................... 415
SAP HANA platform lifecycle management tool ............................................ 103
SAP HANA runtime tools .................................. 102
SAP HANA Security Checklists and Recommendations .......................................... 263
SAP HANA service broker .................................. 180
SAP HANA smart data access (SDA) ...... 33, 277, 297, 316
background .................................................... 74, 77
data source ......................................................... 297
SAP HANA smart data integration (SDI) ................................................................ 33, 292
background ........................................................... 76
connection adapters ....................................... 293
dpserver .................................................................. 61
SAP HANA smart data quality (SDQ) ........... 231,
292, 294
background ........................................................... 76
SAP HANA spatial services ....................... 228, 231
background ........................................................... 75
SAP HANA streaming analytics .............. 32, 214,
217, 243
architecture ........................................................ 244
background ................................................. 76, 243
streaming server ................................................. 61
studio .................................................................... 245
SAP HANA studio .......................................... 99, 150
data architecture ............................................. 311
deprecation ............................................... 100, 151
install .................................................................... 100
modeler perspective ........................................ 151
privileges ............................................................. 265
replication .......................................................... 302
security ................................................................ 250
system configuration ..................................... 106
trace files ............................................................. 117
SAP HANA transport for ABAP (HTA) ........... 174
SAP HANA Web-Based Development
Workbench ................................................ 152, 164
background ........................................................... 74
SAP HANA XS ............................................ 28, 65, 164
administration .................................................. 104
artifacts ................................................................ 164
background ........................................... 74, 80, 165
CLI ........................................................................... 144
deprecation ......................................................... 164
encryption ........................................................... 277
network administration ................................ 375
packages .............................................................. 174
privileges .............................................................. 266
runtime roles ...................................................... 165
security ................................................................. 281
user management ............................................ 253
SAP HANA XS Admin tool ....................... 142, 164
SAP HANA XS Advanced ............. 65, 77, 163, 165
administration ........................................ 102, 104
application lifecycle management ... 139, 174
background .................................................. 80, 166
CLI ........................................................................... 167
Cloud Foundry ................................................... 179
configure .............................................................. 168
diserver ................................................................... 61
encryption ........................................................... 277
install ..................................................................... 137
network administration ................................ 375
platform lifecycle management ................. 141
roles ........................................................................ 165
routing .................................................................. 167
runtime engines ................................................ 166
runtime versions ............................................... 166
scale-out ............................................................... 319
security ................................................................. 281
user management ............................................ 253
SAP HANA XS Advanced Admin tool ............ 104
SAP HANA XS Advanced cockpit ........... 104, 143
advantages ......................................................... 168
SAP HANA XS Advanced Migration
Guide ..................................................................... 208
SAP HANA, enterprise edition ........................... 46
SAP HANA, express edition .................. 46, 67, 87,
102, 201
background ........................................................... 78
cloud ...................................................................... 202
deployment options ........................................ 202
Docker ................................................................... 203
download manager ......................................... 205
GCP ........................................................................ 203
getting started ................................................... 204
install .................................................................... 202
master password .............................................. 205
server-only .......................................................... 202
virtual machine ................................................ 202
SAP HANA, platform edition ............................... 67
SAP HANA, runtime edition ................................ 47
SAP HANA, standard edition ............................... 46
SAP Help Portal ............................................ 405, 407
administration .................................................. 406
development ...................................................... 406
Feature Scope Description ............................ 408
installation and upgrade .............................. 405
reference .............................................................. 406
security ................................................................. 406
what's new .......................................................... 405
SAP Information Lifecycle Management .... 292
SAP Information Steward .................................. 292
SAP Innovation Center Network .......... 417, 418
SAP Inside Track .................................................... 415
SAP Landscape Management ......... 79, 105, 339,
371, 374, 376
dashboard ........................................................... 377
SAP Landscape Transformation
Replication Server ........................... 33, 300, 331
background ........................................................ 300
configure ............................................................. 301
SAP Learning Hub ................................................. 384
SAP Master Data Governance (SAP MDG) .... 292
SAP MaxDB ................................................................. 56
SAP NetWeaver ......................................................... 58
distributed system .............................................. 64
SAP News Center ...................................................... 82
SAP Note ................................................................... 405
SAP ONE Support Launchpad ................ 401, 408
expert chat .......................................................... 402
SAP Partner Finder ............................................... 342
SAP PartnerEdge portal ...................................... 342
SAP PowerDesigner .............................................. 314
SAP Predictive Analytics .................................... 227
background ........................................................ 227
SAP Replication Server ................................ 33, 302
background ........................................................ 303
SAP S/4HANA .................................................. 55, 366
SAP Solution Manager ... 105, 174, 339, 374, 378
background ........................................................... 77
SAP SQL Anywhere ............................................... 298
background ........................................................ 298
SAP Streaming Analytics ................................... 243
SAP Support ................................................... 400, 401
SAP Support Portal ............................................... 403
product support ............................................... 403
SAP TechEd .............................................................. 413
SAP University Alliances ................................... 417
SAP User Experience Community ................. 417
SAP user groups .................................................... 416
SAP Vora .......................................................... 289, 304
background ........................................................... 77
SAP Web Dispatcher ................................... 142, 165
SAP Web IDE ........................................................... 152
background .................................................... 76, 78
CDS ........................................................................ 171
data architecture ............................................. 311
editions ................................................................... 68
features ................................................................ 152
full-stack .............................................................. 179
SHINE .................................................................... 207
SAP Web IDE for SAP HANA .................... 102, 152
analytics .............................................................. 217
calculation view ............................................... 161
enable features ................................................. 218
features ................................................................ 153
integration ......................................................... 287
privileges ............................................................. 265
streaming analytics ........................................ 245
SAPinsider ............................................................... 418
SAPPHIRE NOW .............................................. 38, 413
keynote ................................................................... 38
roadmap ................................................................. 43
SAPUI5 ............................................................... 74, 149
Scale-out ................................................... 63, 314, 344
administration .................................................. 129
advantages ......................................................... 317
configure ............................................................. 318
Scale-up .................................................................... 314
advantages ......................................................... 316
persistent memory .......................................... 354
Scaling .............................................................. 309, 314
persistent memory .......................................... 353
scriptserver ................................................................ 61
Search ............................................................... 237, 238
functions ............................................................. 239
types ...................................................................... 239
Secondary time travel ................................. 81, 372
Secure Shell (SSH) .................................................... 97
Secure Sockets Layer (SSL) ................................ 271
Security .............................................................. 83, 247
administration ................................................. 123
auditing ............................................................... 278
considerations .................................................. 281
data privacy ....................................................... 268
SAP HANA XS ..................................................... 281
SAP HANA XS Advanced ............................... 281
tools ...................................................................... 249
user management ........................................... 251
Security architect .............................. 247, 248, 282
Security Assertion Markup Language (SAML)
background ........................................................ 260
Security Checklists and
Recommendations Guide ............................ 406
Security group ....................................................... 250
Security Guide ....................................................... 406
Segmentation ........................................................ 240
SELECT * ....................................................................... 30
Semantics ................................................................ 150
Series data ...................................................... 214, 235
aggregate ............................................................ 236
scenarios ............................................................. 235
table syntax ....................................................... 216
Series data function ............................................. 156
Server-side JavaScript (XSJS) ............................ 163
Service auto-restart ............................................. 369
Service-level agreement (SLA)
recovery ............................................................... 127
Session ...................................................................... 110
Sessions app ........................................................... 110
Shared business authorizations ..................... 265
Single data copy ....................................................... 35
Single database system ...................................... 345
Single points-of-failure (SPOFs) ...................... 368
Single sign-on ........................................................ 249
Single-container database ................................... 60
Single-host system ............................................... 344
Sizing .......................................................................... 340
Social network analysis ...................................... 221
Software Download Center ............................... 134
background ......................................................... 135
Software downloads ............................................. 410
Software Update Manager (SUM) ................... 366
Solid-state drive (SSD) ......................................... 119
Solution brief ............................................................ 45
Spark Controller ........................................... 305, 325
background ........................................................... 79
Spatial clustering ................................................... 231
Spatial data .............................................................. 228
manipulate ......................................................... 229
methods ............................................................... 230
types ...................................................................... 229
Spatial engine ........................................................... 31
Spatial processing ................................ 83, 214, 228
SpiderMonkey ........................................................ 165
SQL Analyzer ................................................. 113, 156
SQL console ............................................ 99, 176, 311
SQL Database Connectivity
(SQLDBC) .................................................... 182, 183
background .................................................. 84, 183
library .................................................................... 183
SQL parser ................................................................ 156
SQL plan cache ........................................................ 111
SQL prompt ......................................... 102, 216, 311
SQL statement
issues ..................................................................... 113
top .......................................................................... 112
SQL trace ................................................................... 117
SQL Trace Analyzer ............................................... 156
SQLScript ................................................. 35, 154, 156
AMDP .................................................................... 158
best practices ..................................................... 157
graph ..................................................................... 233
reference ................................................................. 83
SQLScript debugger .............................................. 157
SSFS ................................................................... 274, 275
Standard analytics .................................................. 36
Standby configuration ........................................ 318
Static partition pruning ...................................... 328
Statistical disclosure control ............................ 270
Statistics algorithm .............................................. 221
statisticsserver ......................................................... 61
Stemming ....................................................... 238, 240
Storage area network (SAN) .................... 273, 350
Storage encryption ............................................... 248
Storage replication ..................................... 331, 370
Stream processing ................................................ 243
Streaming server ................................................... 243
streamingserver ....................................................... 61
Structured data ...................................................... 237
Structured Query Language (SQL) .... 28, 98, 154
background ........................................................ 154
data architecture ............................................. 311
document store ................................................. 176
dynamic ............................................................... 157
functions .............................................................. 156
interface ............................................................... 155
performance ....................................................... 156
privileges ............................................................. 162
statements ................................................ 155, 215
views ...................................................................... 155
Subject matter expert exam ............................. 390
Super user account ............................................... 123
Supervisor ................................................................ 349
Support ..................................................................... 381
Support pack (SP) .................................................. 135
Support package stack (SPS) ............... 48, 71, 135
background ........................................................... 71
SUSE ........................................................................... 357
advantages ......................................................... 358
background ........................................................ 358
SUSE Linux Enterprise Server (SLES) ...... 98, 357
Sybase IQ .............................................................. 55, 66
Synchronous in memory .................................. 371
Synchronous on disk ........................................... 371
Synchronous replication ................................... 330
System Health app ............................................... 114
System identifier (SID) ........................................... 59
System management ............................................. 82
System privilege .................................................... 263
System properties ................................................ 105
System replication ..................... 83, 331, 370, 371
active/active read-enabled .......................... 373
background ........................................................... 74
configure ............................................................. 371
multitarget ......................................................... 373
multitier ............................................................... 372
T
Table partitioning .............................. 315, 326, 327
syntax example ................................................ 328
Table placement .................................................... 329
syntax example ................................................ 330
Table redistribution ............................................. 329
Table replication .......................................... 330, 331
syntax example ................................................ 331
Tagging ..................................................................... 240
Tailored data center integration (TDI) ........... 37,
85, 351
advantages ......................................................... 351
background ........................................................... 74
Takeover ................................................................... 372
Technical database ............................................... 254
Technical deployment ........................................ 345
types ...................................................................... 346
Technical user ........................................................ 254
Technologies ............................................................. 51
hardware ............................................................. 352
Tenant database .................................... 60, 346, 347
document store ................................................. 175
isolation ............................................................... 274
Tensor ....................................................................... 225
TensorFlow ................................................................. 32
integrate ....................................................... 80, 225
TensorFlow ModelServer ................................... 225
Text analytics ...................................... 214, 237, 240
background ........................................................ 238
configurations .................................................. 240
Text mining ............................................................ 242
functions ............................................................. 242
Text Retrieval and Information
Extraction (TREX) engine .................. 55, 60, 64
Thread ....................................................................... 109
Threads app ............................................................. 109
Three-tier data model .................. 30, 65, 156, 252
Time series .............................................................. 214
algorithms .......................................................... 221
Token ......................................................................... 240
Tokenization .......................................................... 240
Total cost of ownership (TCO) ............................ 36
Trace files ................................................................. 156
Tracing ...................................................................... 117
Training .................................................................... 381
classroom ............................................................ 384
courses ................................................................. 385
e-learning ............................................................ 384
Translytical database ................................... 42, 160
Transport Layer Security (TLS) ............... 224, 271
Tutorial ..................................................................... 399
U
UltraLite database ................................................ 299
Unified installer ....................................................... 73
Unplanned downtime ........................................ 371
Unstructured data ................................................ 237
Update .............................................................. 135, 138
Use case ....................................................................... 39
map tool ................................................................. 40
User Account and Authentication (UAA) ... 166
User group ...................................................... 254, 256
User lock ................................................................... 258
User management ............................................... 251
implementation ............................................... 252
User type .................................................................. 254
Users table ............................................................... 257
V
Vector ........................................................................ 225
Vertical aggregation ............................................ 236
Vertical scalability ................................................ 314
Very large database (VLDB) .............................. 119
Virtual machine .................................................... 202
Virtual private networks (VPN) ....................... 273
Virtual table ............................................................ 298
Virtualization ................................................ 346, 348
background ......................................................... 349
Vishal Sikka ................................................ 56, 70, 393
VMware ..................................................................... 349
background ........................................................... 77
W
Warehouse architect ............................................ 332
Warm data .................................................................. 66
store ....................................................................... 320
Web interface .......................................................... 132
Web-based data access ........................................ 195
WhatsApp Product Support .............................. 403
Wire protocol .......................................................... 325
Workload Analyzer tool ...................................... 111
Workload management ............................... 96, 122
Wrapper .......................................................... 103, 215
EML ........................................................................ 227
X
X.509 client certificate ........................................ 261
XML for Analysis (XMLA) ......................... 160, 200
background ......................................................... 200
POST request ...................................................... 200
XMLA .......................................................................... 195
xscontroller ............................................................. 166
xsengine ..................................................... 61, 73, 164
xsexecagent ............................................................. 167
xsuaaserver ............................................................. 166
X-Windows ............................................................... 131
Y
YouTube playlists .................................................. 397
We hope you have enjoyed this reading sample. You may recommend or pass it on to others, but only in its entirety, including all pages. This reading sample and all its parts are protected by copyright law. All usage and exploitation rights are reserved by the author and the publisher.
Denys van Kempen is a marketing professional and SAP HANA product expert who has been working with SAP in-memory technologies since 2010. He has created 100s of tutorial videos for the SAP HANA Academy on YouTube and is a frequent contributor to the SAP Community. With his colleagues from the SAP HANA Academy, Denys also teaches Academy Live! at SAP TechEd and partner events. Previously, his team pioneered Sports Analytics at SAP under the banner of Experience SAP.