Sunteți pe pagina 1din 48

SAP HANA SPS 09 - Whats New?

Security
(Delta from SPS 08 to SPS 09)
Andrea Kristen, SAP HANA Product Management

2014 SAP AG or an SAP affiliate company. All rights reserved.

November, 2014

Agenda
Authentication
User/role management
Authorization
Encryption
Audit logging
Antivirus software support
Support for multitenant database containers

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

Authentication

Whats New in SAP HANA SPS09: Security


Changed emergency reset mechanism for the of SYSTEM user password
The new mechanism for resetting the SYSTEM user password uses the index server in
emergency mode
This password reset mechanism should only be used if the SYSTEM user password was lost.
Emergency reset of the SYSTEM user password
Prerequisite: Credentials of the operating system administrator <sid>adm, access to the master index server
1. As <sid>adm, log on to the server on which the master index server is running
2. On the command line, shut down the SAP HANA system, then start the name, compile and index servers
3. Use the following command to reset the password
/usr/sap/<SID>/HDB<instance>/exe/hdbindexserver resetUserSystem
Afterwards, the index server is automatically stopped
4. End the name and compile server processes
5. On the command line, start the SAP HANA system
Note: In a system with multitenant database containers, you can reset the passwords of the SYSTEM users in the
same way by starting the name server (for the system database) or index server (for tenant databases) in
emergency mode
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

Whats New in SAP HANA SPS09: Security


System view showing authentication method for connected users
The system view M_CONNECTIONS now
contains additional information about the
authentication method
Per default, users can only query information about
themselves
Viewing information for all connected users
Prerequisite: system privilege CATALOG READ
1. In SAP HANA Studio, open the SQL editor
2. Enter the following SQL statement:
SELECT USER_NAME, AUTHENTICATION_METHOD
FROM M_CONNECTIONS

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

User/role management

Whats New in SAP HANA SPS09: Security


Repository role editor (I)
A graphical editor for repository roles is now available as part of the SAP HANA Web-based
Development Workbench (Web IDE)
In earlier versions, only a text editor in SAP HANA studio was available.
There are two types of roles in SAP HANA: catalog roles and repository roles. For most use cases it is
recommended to use repository roles. Compared to catalog roles, they offer several advantages, e.g.
Versioning
Integration with standard transport mechanisms
Decoupling of role creation from role granting/revoking
Support for standard DEV QA PROD landscapes
Separation of duties

Role lifecycle
1. A developer/role designer creates the role in the repository of the development system and tests it
2. The role is transported to the production system, e.g. using HALM or CTS+
3. In the production system, a user administrator grants the role to end users
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

Whats New in SAP HANA SPS09: Security


Repository role editor (II)
Design time

Runtime
User
administrators

Developers/
role designers

Studio

Web IDE

Studio
New

Repository
package1
subpackage1
.hdbroles

DEV

Database

Repository

Export/import:
Delivery Unit (DU)

Transport:
HANA Application
Lifecycle Manager,
CTS+, ...

2014 SAP SE or an SAP affiliate company. All rights reserved.

package1
subpackage1
.hdbroles

Activation
via
_SYS_REPO
role

Grant/revoke

PROD
Public

Whats New in SAP HANA SPS09: Security


Repository role editor (III)
Creating a new repository role
Prerequisites
o sap.hana.xs.ide.roles::EditorDeveloper role
o Package privileges on the required packages

1. Open the Editor of the Web IDE in your web browser:


http://<database_server>:80<instance_no>/sap/hana/xs/ide/editor

2. In the Content tree, right-click on the folder where you


want to create the new role and choose New Role
3. Enter a role name and choose Create
4. Select the roles and privileges that you want to
include in the new role
5. Save the role using
(Save)
Note: The role will be saved and activated in one step. If
you want to only save the role, choose
(Settings) and
select Enable inactive save. An additional icon will be
displayed in the toolbar:
(Save without Activating)
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

Whats New in SAP HANA SPS09: Security


Web-based administration and development tools
Web-based administration and development tools
As part of the general SAP UI strategy, administration and development functions are being made
available in web-based tools such as SAP HANA Cockpit and SAP HANA Web-based Development
Workbench (Web IDE).
One of the prerequisites for using these functions is a web browser with SAPUI5 support.
Information on web browsers with SAPUI5 support
SAP Note 1716423 - SAPUI5 Browser Support
PAM for SAPUI5: https://websmp130.sapag.de/sap(bD1lbiZjPTAwMQ==)/support/pam/pam.html?smpsrv=https%3A%2F%2Fwebsmp105.sapag.de#pvnr=01200314690900004969&pt=t%7CWBRPFM&ainstnr=01200314694900015214&ts=0

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

10

Whats New in SAP HANA SPS09: Security


Accessing the web-based user and catalog role editors in Web IDE
The SAP HANA Web IDE contains a user editor
and a catalog role editor for scenarios where
only web-based tools are available
Access from Web IDE
Prerequisites:
o USER ADMIN or ROLE ADMIN system privilege
o sap.hana.xs.ide.roles::SecurityAdmin role

1. Log on to Web IDE (http://<host>:<port>/sap/hana/xs/ide)


2. Click on the Security tile

Access from SAP HANA Cockpit


Prerequisites (in addition to above):
o sap.hana.admin.roles::Monitoring

1. Log on to SAP HANA Cockpit


(http://<host>:<port>/sap/hana/admin/cockpit)
2. Click on the Manage Roles and Users tile
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

11

Whats New in SAP HANA SPS09: Security


Maintaining user parameters in SAP HANA Studio
You can now maintain user parameters in SAP
HANA Studio
Users can change their own parameters.
Maintaining user parameters for other users
Prerequisites: USER ADMIN system privilege
1. In the Systems view, double-click the user under
Security Users and open the User Parameters tab
2. Choose the user parameter and enter a value
3. Save by choosing the
(Deploy) button
User parameter

Description

EMAIL ADDRESS

E-mail address

LOCALE

Locale

PRIORITY

The priority with which the thread scheduler handles statements executed by the user

MEMORY STATEMENT LIMIT The maximum memory (in GB) that can be used by a statement executed by the user (if feature enabled globally)
TIME ZONE

Time zone

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

12

Whats New in SAP HANA SPS09: Security


New alert: Support role granted to users
Alert notifies administrators when a user is granted the SAP_HANA_INTERNAL_SUPPORT role
The support role contains privileges that allow access to certain low-level internal system views
needed by SAP HANA development support in support situations, which otherwise would only be
accessible to the SYSTEM user. All access is read only, and the role does not allow access to any
customer data. The low-level internal system views are not part of the stable end-user interface and
might change from revision to revision. To avoid users accidentally accessing these internal system
views in applications or scripts, this role is subject to usage restrictions.
Configuring the alert thresholds
Prerequisite: system privilege INIFILE ADMIN
1. In the Administration editor in SAP HANA Studio, open the Alerts tab and choose the (Configure...) button.
2. Open the Configure Check Thresholds tab and choose check 63.
3. Specify the threshold values. Default: 1 user, alert priority low

Switching off the alert


See SAP Note 1991615
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

13

Whats New in SAP HANA SPS09: Security


New built-in procedures to check compliance with password policy
Application developers can use the new procedures to verify that a new user name and
password are compliant before actually creating the user
Some restrictions apply to the characters that may be used in user names. Passwords need to adhere
to the password policy that has been configured for the system.
Procedures:
SYS.IS_VALID_USER_NAME
SYS.IS_VALID_PASSWORD

Syntax
Prerequisite: EXECUTE privilege on the procedures
IS_VALID_USER_NAME (IN user_name NVARCHAR(256), OUT error_code INT, OUT
error_message NVARCHAR(5000))
IS_VALID_PASSWORD(IN password NVARCHAR(256), OUT error_code INT, OUT error_message
NVARCHAR(5000))

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

14

Whats New in SAP HANA SPS09: Security


Web-based user self-services (I)
SAP HANA now provides web-based user selfservices for resetting your own password and
for requesting a new user account
The user self-services are part of the
HANA_XS_BASE delivery unit (autocontent).
When enabled, they are available on the SAP
HANA logon screen. They are disabled by default.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

15

Whats New in SAP HANA SPS09: Security


Web-based user self-services (II)
Configuring user self-services
Prerequisites:
o See the SAP HANA Administration Guide

1. Configure the XSSQLCC technical user which is used


by the user self-services
2. Configure the user self-service parameters in the
xsengine.ini file
3. Configure the SMTP server that SAP HANA XS
applications can use to send mails
4. Configure dedicated administrators for the user selfservice administration tool. These administrators
process user requests and manage blacklists and
whitelists

2014 SAP SE or an SAP affiliate company. All rights reserved.

Parameter

Description

Default

automatic_user_creation

Defines whether a user creation


request needs approval

forgot_password

Defines whether the password reset false


self-service is enabled

request_new_user

Defines whether the new user


account self-service is enabled

false

reset_locked_user

Defines whether password reset for


a locked user is enabled

false

sender_email

Mail address for sending out the


registration mails/tokens

token_expiry_time

Duration (in s) for which a generated 3600


token is valid

user_creation_request_count Number of times a user with the

false

same mail address can request an


account before being added to the
blacklist

Public

16

Whats New in SAP HANA SPS09: Security


Web-based user self-services (III)
Resetting your password
Prerequisite:
o User self-service is enabled in the SAP
HANA system

1. On the SAP HANA logon page, choose


Forgot your password?
2. Enter your user name
3. A mail is sent to your mail address with
a link to reset the password
4. Enter a new password and answer the
security question that you specified
when you initially set up your account

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

17

Whats New in SAP HANA SPS09: Security


Web-based user self-services (IV)
Requesting a new account
Prerequisite:
o User self-service is enabled in the SAP
HANA system

1. On the SAP HANA logon screen, choose


Request account
2. Choose a user name and enter your mail
address
3. A verification link is sent to your mail
address
4. After clicking the verification link, choose
a password and a security question
5. Your request is sent to the system
administrator for approval
6. After approval, your account is activated
and you get notified by mail
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

18

Whats New in SAP HANA SPS09: Security


Web-based user self-services (V)
Approving new account requests
Prerequisites:
o User self-service is enabled in the SAP HANA system
o sap.hana.xs.selfService.admin.roles::USSAdministrator
role

1. Log on to the user self-service administration tool:


http://<host>:<port>/sap/hana/xs/selfService/admin

2. Review the pending requests


o Approve/reject request
o Assign application roles if required
Note: To assign roles, you can use the Web IDE user and
role editor
o Add domain/mail address/IP range to blacklist if required

3. After you have approved a request, a notification mail


is sent to the user.

Account is requested
for this XS application

Open user and role


editor in Web IDE
User is activated
and notified

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

19

Authorization

Whats New in SAP HANA SPS09: Security


Extension of SQL-based analytic privileges
SQL-based analytic privileges can now also be used with SQL views
In earlier versions, SQL-based analytic privileges could only be applied to analytic views.
Analytic privileges allow row-based access control to views. They filter query results according to the
attributes of the session user.
Comparison between XML-based and SQL-based analytic privileges
XML-based analytic privileges

SQL-based analytic privileges

More difficult to use due to complex XML format


Limited expressiveness with regard to filtering
capabilities
Only analytic views are supported
Design time available

CREATE STRUCTURED PRIVILEGE


<xml_definition>

CREATE STRUCTURED PRIVILEGE <name> FOR


SELECT ON <view> WHERE a=10

2014 SAP SE or an SAP affiliate company. All rights reserved.

Intuitive specification using SQL syntax


Flexible combination of filters
Sub-queries as filters
Analytic and SQL views are supported
No design time support yet

Public

21

Whats New in SAP HANA SPS09: Security


New system privilege: TABLE ADMIN
A new system privilege for administrators has been introduced
The new system privilege TABLE ADMIN authorizes the following administrative actions that are
related to the management of tables:
LOAD
Load specified column store tables from disk into memory (otherwise they will be loaded into memory on first
access)
UNLOAD
Unload specified column store tables from memory to disk (e.g. to free up memory; the tables will be loaded into
memory again on next access)
MERGE DELTA
Merge the column store tables delta storage to the tables main storage

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

22

Encryption

Whats New in SAP HANA SPS09: Security


XS encryption service for applications
XS applications can now store values in encrypted form
Application developers can use the XS API $.security.Store to define a secure store for
encrypted name-value pairs for their XS application.
Options
Application-wide data visibility
All users of the XS application have access to one secure store
All users share the same data and can decrypt or encrypt data
Example: passwords for a remote system
User-specific data visibility
Each user of the XS application has a separate container to securely store encrypted data
Only the owner of the secure store and the respective user can decrypt the data
Examples: credit card numbers or personal-information-number (PIN) codes

More information
SAP HANA Developer Guide
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

24

Whats New in SAP HANA SPS09: Security


CommonCryptoLib part of standard delivery
CommonCryptoLib is now part of the SAP HANA standard delivery.
Up to now, customers were required to download CommonCryptoLib from SAP Marketplace.
SAP CommonCryptoLib is the successor of SAPCRYPTOLIB and is the default cryptographic library
for SAP HANA. It is used for operations that require cryptography, for example data volume encryption
and SSL communication encryption.
CommonCryptoLib is installed as part of SAP HANA server installation at the default location for library
lookup: /usr/sap/<SID>/SYS/exe/hdb/libsapcrypto.so
Note: The OpenSSL library is also installed as part of the operating system installation. For most use
cases it is also possible to use OpenSSL instead of CommonCryptoLib. However, there are already
some features in SAP HANA that are only supported by CommonCryptoLib, and future features might
also only be supported by CommonCryptoLib.
For information on the migration process from OpenSSL to CommonCryptoLib, see SAP Note
2093286.
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

25

Audit logging

Whats New in SAP HANA SPS09: Security


Specify schema when creating audit policy on database objects
You can now specify a schema if you want to
audit all database objects belonging to the
schema
Creating an audit policy for a schema
Prerequisites: System privilege AUDIT ADMIN
1. In the Systems view, double-click on Security and
open the Auditing tab
2. In the Audit Policies area, choose Create New Policy
3. Enter the policy name
4. In Audited Actions, select an audit action that applies
to database objects, e.g. DELETE
5. As Target Object, select the schema
6. Choose the
(Deploy) button

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

27

Whats New in SAP HANA SPS09: Security


More granular audit trail target definition (I)
You can now specify the audit trail target per audit policy
Options for the audit trail target
System-wide default: Audit entries are written to the audit trail target(s) configured for the system if no other
trail target has been configured per audit level
Audit level (optional): Audit entries from audit policies with the audit level EMERGENCY, CRITICAL, or ALERT
are written to the specified audit trail target(s). If no audit trail target is configured, entries are written to the audit
trail target configured for the system.
New Audit policy (optional): Audit entries from a particular policy are written to the specified audit trail
target(s). If no audit trail target is configured for an audit policy, entries are written to the audit trail target for the
audit level if configured, or the audit trail target configured for the system. Several audit trail targets are
configurable for each individual policy.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

29

Whats New in SAP HANA SPS09: Security


More granular audit trail target definition (II)
Specifying multiple audit trail targets
Prerequisites: system privilege AUDIT ADMIN, auditing
has been enabled
1. In the Systems view, double-click on Security and
open the Auditing tab
2. In the Audit Trail Target section of the audit policy,
select the audit trail targets
3. Choose the
(Deploy) button.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

30

Whats New in SAP HANA SPS09: Security


Audit entries of prepared statements show parameter values
Parameter values in prepared statements are
now recorded in the audit trail
Up to now, only ? was displayed in the audit trail.
Example
1. Create and deploy a new audit policy for INSERT
actions on your test table
2. Insert a value into the test table using a prepared
SQL statement
3. Check the STATEMENT_STRING field in the audit
trail

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

31

Whats New in SAP HANA SPS09: Security


New audit actions for data volume encryption
Changes to the data volume encryption can
now be recorded in the audit trail
When you include ALTER PERSISTENCE
ENCRYPTION in an audit policy, the following
actions will be recorded in the audit trail:
Switching the data volume encryption on/off
Creating a new encryption key
Re-encrypting old encrypted data with the current key

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

32

Antivirus software support

Whats New in SAP HANA SPS09: Security


XS antivirus interface
XS applications can now integrate antivirus tools to check uploaded data
Application developers can use the XS API $.security.Antivirus to integrate an antivirus engine
with their XS applications.
Note: For production systems, only certified antivirus engines should be used.
More information:
SAP HANA Developer Guide
Supported antivirus engines/certification: SAP Note 786179

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

34

Support for multitenant


database containers

Whats New in SAP HANA SPS09: Security


Multitenant database containers: Overview
Multitenant database containers are a new way
to run multiple applications/scenarios on one
SAP HANA system
1 system database and multiple tenant databases
Shared installation of database system software
Strong isolation features, the system database and
each of the tenant databases have their own:
Database users, database catalog, repository,
persistence, backups, traces and diagnosis files
Distinction between tasks performed at system level
and those performed at database level
Integration with data center operation procedures

Application 1

Application 2

Tenant
database 1*

Tenant
database 2

System
database

SAP HANA system


*tenant database = database container
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

36

Whats New in SAP HANA SPS09: Security


Security aspects of multitenant database containers (I)
http - Virtual host names per XS

Clients connect via dedicated ports to


individual databases
Security-relevant features are
configurable per database
Only controlled access between
databases
Tenant databases are created and
managed from the system database
o But: No direct access to tenant database
table content from the system database

Host 1

Web Dispatcher
SQL Port
3XX13

XS

System database
SQL Port
3XX45

Metadata
Landscape info
SQL Port
3XX41

XS

XS

XS

Tenant DB1

Tenant DB2

Tenant DB3

Metadata
Tables

Metadata
Tables

Metadata
Tables

SQL Port
3XX49

SAP HANA System


2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

37

Whats New in SAP HANA SPS09: Security


Security aspects of multitenant database containers (II)
Unlike a single database system in which system and database are a single unit and
administered as one, an MDC system has 2 levels of administration.
Administration tasks performed in the system database include:

Starting and stopping the whole system


Monitoring the system
Configuring parameters at system level
Managing tenant databases: Creating/dropping databases, configuring database-specific parameters, adding
services to databases for scalability, backing up databases, recovering databases

Administration tasks performed in tenant databases include:

Monitoring the database


Provisioning database users
Creating and deleting schemas, tables, and indexes in the database
Backing up the database
Configuring database-specific parameters

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

38

Whats New in SAP HANA SPS09: Security


Security aspects of multitenant database containers (III)
Function

Details

Authentication

User name and password (incl. password policy), Kerberos/SPNEGO, SAML, SAP logon and assertion tickets, X.509 (XS
access only)

Note: For details on the available configuration options (system-wide/per database), please refer to the documentation.

Isolation of users and roles between the system database and all of the tenant databases

SYSTEM user in system database and SYSTEM user in each tenant database

Standard privilege concept

Additional system privilege DATABASE ADMIN in the system database for tenant database administration

Read-only cross-database queries supported (disabled by default)

Option to disable specific administration functions in tenant databases, e.g. export/import

Encryption

Communication encryption (SSL), data volume encryption (per database, separate root keys), backup encryption via 3rd
party backup tools

Audit logging

Standard audit logging concept; audit trail written to Linux syslog or to SAP HANA database table

Audit trail configuration via system database, audit policy configuration per database

SAP HANA Studio, XS Administration Tool, SQL interface (command line tool hdbsql)

Users and roles


Authorization

Security
administration

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

39

Whats New in SAP HANA SPS09: Security


Restricted features in tenant databases (I)
Certain security-relevant features can be enabled/disabled in tenant databases
Not all features are required/desirable in all environments, e.g. features that provide direct access to
the file system, the network, or other critical resources.
The system view M_CUSTOMIZABLE_FUNCTIONALITIES provides information about such restricted features
that can be disabled in tenant databases. This view exists in both the SYS schema of every database, where it
contains database-specific information, and in the SYS_DATABASES schema of the system database, where it
contains information about the enablement of features in all databases.
You disable/enable restricted features in tenant databases via the global.ini file of the system database.
All restricted features are enabled in the system database and cannot be disabled there.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

40

Whats New in SAP HANA SPS09: Security


Restricted features in tenant databases (II)
Enabling/disabling features in tenant databases
Prerequisites: User in the system database with
CATALOG READ and INIFILE ADMIN privileges
1. In the Administration editor in SAP HANA Studio,
open the Configuration tab
2. In the global.ini file
customizable_functionalities section,
double-click on the feature to be disabled
3. Select Database as the layer and set the value to
FALSE. Note: Features are hierarchically structured. If
you enable a feature with sub-features, these are also
enabled.
4. Restart the tenant database.
ALTER SYSTEM STOP DATABASE <tenant_db>;
ALTER SYSTEM START DATABASE <tenant_db>;
Prerequisite: DATABASE ADMIN privilege
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

41

Whats New in SAP HANA SPS09: Security


Cross-database queries (I)
In multiple-container systems, read-only
queries across database containers are
supported but not enabled by default
If enabled, a user from one tenant database can
execute queries in another tenant database if this
user is mapped to a user with remote identity
there.
A user in the target database can only be associated
with one user in the source database
The association is unidirectional
Only the SELECT privileges of the user in the target
database are considered during a cross-database
query, all other privileges of the remote user are
ignored.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Tenant database TN1


(source)

Tenant database TN2


(target)

SELECT *
FROM TABLE_A

User_1

User_2 with
remote identity
Table_A
SAP HANA system

Public

42

Whats New in SAP HANA SPS09: Security


Cross-database queries (II)
Configuring cross-database queries
Prerequisite: DATABASE ADMIN system privilege in the
system database
1. In the Administration editor, open the Configuration tab
2. In global.ini cross_database_access
system layer, set the property enable to true
3. Add a new parameter
targets_for_<source_db_name> and define the
target databases as a comma-separated list
Prerequisite: USER ADMIN system privilege in the target
database
1. In the target database, add a remote identity to a user
(= map this user to a user in the source database):
ALTER USER <target_user> ADD REMOTE
IDENTITY <source_user> AT DATABASE
<source_db>
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

43

More Information

More information
SAP HANA information
SAP Help Portal: Security Guide, Master Guide (network
topics), Developer Guide, SQL Reference Guide
SAP HANA Security Whitepaper
How to Define Standard Roles for SAP HANA Systems

Important SAP notes

1598623: SAP HANA appliance: Security


1514967: SAP HANA appliance
1730928: Using external software in a HANA appliance
1730929: Using external tools in an SAP HANA appliance
1730930: Using antivirus software in an SAP HANA appliance
786179: Supported antivirus engines/certification
784391: SAP support terms and 3rd-party Linux kernel drivers
1730999: Configuration changes in HANA appliance
863362: Security checks with SAP EarlyWatch Alert

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

45

SAP HANA security patches


Operating system security patches
Support operating systems: SUSE Linux Enterprise and RedHat Enterprise
Operating system security patches are provided and published by the operating system vendors

SAP HANA security patches


SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)
Security notes for all SAP products are available at: http://service.sap.com/securitynotes
For SAP HANA, filter for component HAN*
Patches are delivered as SAP HANA revisions
More information:
FAQ SAP Security Notes
FAQ SAP Security Patch Process

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

46

SAP security approach


Security is an important and integral part of every step of the SAP Development Lifecycle which
applies to all products. This includes security testing as well as a defined and established process to
report and deal with potential security issues.
SAP security solutions
http://www.sap.com/security
SAP security approach and vulnerability reporting
http://www.sap.com/pc/tech/application-foundation-security/software/security-at-sap/index.html

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

47

Thank you
Contact information
Andrea Kristen
SAP HANA Product Management
AskSAPHANA@sap.com
2014 SAP SE or an SAP affiliate company. All rights reserved.

2014 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services
are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or
release any functionality mentioned therein. This document, or any related presentation, and SAP SEs or its affiliated companies strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for
any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forwardlooking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

49