Browse the Book - Amazon S3 · Browse the Book In this chapter, you’ll assume the role of the...

Browse the Book

In this chapter, you’ll assume the role of the security architect. You’ll see how security is managed by SAP HANA, from authenticating and authorizing users to masking, anonymizing, and encrypting data. You’ll finish with a look into auditing and additional security considerations.

Denys van Kempen
SAP HANA 2.0: An Introduction
440 pages, 2019, $79.95, ISBN 978-1-4932-1838-7
www.sap-press.com/4884


Chapter 6

Security

Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.

—Donald H. Rumsfeld

Security concerns us all. A common understanding of the most important SAP HANA security concepts can greatly contribute to a secure computing environment. For this reason, the information in this chapter is relevant not only for the security architect but also to anyone involved with SAP HANA.

In theory, the objective of security is simple. All data is stored safely and is always accessible when needed, but only to users that have been authorized. However, often, the difference between theory and practice is bigger in practice than in theory. In practice, computer or information security is complex, with an ever-increasing number of potential threats and countermeasures.

Stored safely? Data breaches are common news headlines. Victims include government, retail, but also finance, and, in particular, high-tech. In fact, the Internet giants themselves have been among the worst hit. Yahoo! is number one with 3 billion records hacked. Adobe, Facebook, LinkedIn, and more—all have been affected.

Always accessible? That’s part of the problem. Today, more people own cell phones than toothbrushes. The modern citizen is always online and expects the same from enterprises and the government. To comply with this demand, companies and government alike have embraced cloud computing. Who can afford not to?

Let’s start with cyberattacks and consider another common news headline: “Bank XYZ suffers DoS attack.” Today, denial of service (DoS) attacks are even offered “as-a-service” (just search for “RUDY,” which stands for “R-U-Dead-Yet”).


What has made these vulnerabilities worse is that the main asset underpinning the most valued companies today is no longer physical: it is data. With big data and the Internet of Things (IoT), access points and attack surfaces have only grown. To protect the interests of their citizens, governments increasingly scrutinize how data privacy and security are handled by businesses, which has resulted in a growing number of rules, regulations, and serious fines for noncompliance. As a result, not only does your company need to protect its data, but you’ll also need to prove that your company is protecting its data properly with an audit trail that holds up in court.

In this context, an entrepreneur may be tempted to unplug and hide his or her assets in Fort Knox. This approach worked well in the past with gold, but in the digital era, data needs to move. Data is the new oil, according to some—it needs to flow, which poses a challenge. The enterprise platform needs to secure but not restrict.

In this chapter, we’ll describe how security is handled by the SAP HANA platform. We’ll start with the security architect persona and then proceed through key security topics: user management, data privacy, data protection, and auditing. We’ll then continue this chapter with SAP HANA extended application services (SAP HANA XS) to manage security services, concluding with some general recommendations.

6.1 Roles and Tools

What are the responsibilities of the SAP HANA security architect persona, and what tools does he or she have to do the job? In this section, we’ll briefly describe the job role of the security architect.

6.1.1 The SAP HANA Security Architect

The SAP HANA security architect is, literally, the chief security builder. The security architect designs the security concept, oversees its construction, and oversees its implementation. As an architect, they will be the person in charge of secure operations and secure configurations. They will need to be intimately familiar with all security aspects of SAP HANA and how this relates to the overall IT system landscape. One important consideration is to distinguish between network encryption (data in transit) and storage encryption, including backups (data at rest).


The security architect needs to make sure that all access points are known and under control, ensuring that the operating systems running SAP HANA and all hardware involved are hardened. Of course, part of the job is also to stay up to date with the latest best practices and security standards, anticipate threats, identify possible weaknesses, and react appropriately to discovered security vulnerabilities for any of the components involved. The security architect can advise developers, administrators, data provisioners, data scientists, and other stakeholders involved with the SAP HANA project on all security topics and promote overall security awareness.

The function of the SAP HANA security architect is typically part of a wider security responsibility, although we’ve started to see job profiles on the market for full-time SAP HANA security consultants and developers. Typically, knowledge of SAP security in general and SAP applications like governance, risk, and compliance (GRC) might be required when a function leans to the compliance side. On the operational side, familiarity with cloud architecture and expertise in securing data centers could be part of the profile.

6.1.2 Tools

No dedicated SAP HANA tools are provided for security, but the relevant functionality has been included in the available administration and development tools.

For operations, the SAP HANA cockpit includes functionality for the following security topics, as shown in Figure 6.1:

• Auditing
• Data Encryption
• User & Role Management
• Authentication
• Certificate Management
• Single Sign-on
• Anonymization Report

Most of the screenshots found in this chapter are taken from the SAP HANA cockpit.

For development of SAP HANA XS Advanced applications, as described in Chapter 4, Section 4.4, the SAP Web IDE for SAP HANA is the tool you’ll use.


Figure 6.1 SAP HANA Cockpit: System Overview, Security

For the earlier SAP HANA 1.0 release, you can use SAP HANA studio with its administration, modeling, and development perspectives. The Security view shown in Figure 6.2 brings together some of the security functionality listed earlier (user and role management, password policy, auditing, identity providers [IdPs], data volume encryption) but not all. Security groups, for example, were introduced with SAP HANA 2.0 and are not included in the SAP HANA studio interface; instead, you’ll need to use SQL and the SQL console.

Learn More

SAP HANA security concepts are documented in the Security Guide. Activities are documented in the SAP HANA Administration Guide. In addition, you can consult the SAP HANA Security Checklists and Recommendations guide. All SAP HANA guides are available on the SAP Help Portal for the SAP HANA platform.


Extensive as all this material may be, this documentation is not complete. You should also consider hardware, operating system, and network. Because SAP HANA runs on Linux, guides like the Operating System Security Hardening Guide for SAP HANA for SUSE Linux Enterprise Server also provide highly relevant material.

Figure 6.2 Security in SAP HANA Studio

6.2 User Management

In Chapter 2, we described different SAP HANA use cases: as a data mart, as a database in a three-tier architecture, and as a database and application server combined for native SAP HANA XS applications. How SAP HANA is implemented impacts the security model for user management. How you create your users and define their roles also will depend on other factors. Do you wish to implement SSO, Security Assertion Markup Language (SAML), or Kerberos? Different options for both authentication (tell me who you are) and authorization (and I’ll tell you what you can do) are present. This section describes user management essentials for SAP HANA.


6.2.1 Implementation Scenarios

How SAP HANA is implemented affects user management. The following three main implementation models can be set up:

• SAP HANA as a data mart
  Figure 6.3 shows connectivity for the data mart scenario, which typically involves multiple tenant databases and multiple source systems and likely multiple client types. Each user connecting with the SAP HANA client may need a database user account with the appropriate privileges. Alternatively, users could connect through an intermediary like an SAP BusinessObjects Business Intelligence (SAP BusinessObjects BI) server. In this case, the connection could be established with a shared database user account, with personal accounts, or with a combination of both.

Figure 6.3 SAP HANA as a Data Mart

• SAP HANA in a three-tier architecture
  In a three-tier architecture, as shown in Figure 6.4, user security is typically managed at the application server layer. You’ll see only a single technical user connecting to the database on behalf of the many application end users, which is the case, for example, with SAP S/4HANA and SAP Business Warehouse (SAP BW). User management in such cases will be mainly a concern for the Basis administrator, not the SAP HANA database administrator. However, some overlap may exist. ABAP shared business authorizations enable the use of authorizations, defined at the application level, for the database (see Section 6.2.4). As a result, a data scientist connecting with the Python database application programming interface (API) (for example, using ODBC) directly to the database will get the same view of the data in terms of authorizations as he or she would connecting with SAP S/4HANA. The three-tier architecture is described in detail in Chapter 2.

Figure 6.4 SAP HANA in a Three-Tier Architecture

• SAP HANA with SAP HANA XS/SAP HANA XS Advanced
  The third type of architecture involves connectivity when using the SAP HANA XS and/or SAP HANA XS Advanced application servers, as shown in Figure 6.5. You connect with a browser over HTTP(S) directly to the web application hosted by either SAP HANA XS or SAP HANA XS Advanced. With SAP HANA XS Advanced, you can use an external IdP for user authentication. Otherwise, the SAP HANA database is used for this purpose, in which case database user accounts must be created. For the classic SAP HANA XS model, database user accounts will always be required. The SAP HANA XS and SAP HANA XS Advanced architectures are described in Chapter 4, Section 4.4.


Figure 6.5 SAP HANA with SAP HANA XS/SAP HANA XS Advanced

6.2.2 User Types and User Groups

Although conceptually you can distinguish “real” database users from technical users, from the point of view of the SAP HANA database, both users are the same. SAP HANA only distinguishes between users and restricted users. The latter can be, for example, our SAP S/4HANA business users. These users can only connect to the database through the application server. They cannot create their own tables and won’t need to view the object catalog.

Figure 6.6 shows the User Management screen of the SAP HANA cockpit. By selecting No for the Creation of Objects in Own Schema radio button and selecting No for the PUBLIC Role radio button, you’ll turn your regular database user into a restricted user (and vice versa). Typically, for a restricted user, Yes for the Disable ODBC/JDBC Access will also be selected, although doing so is not a requirement.

Depending on which implementation architecture is used, you’ll either connect directly to the SAP HANA database with your own personal database user account or through some intermediary, like an application server. In the second case, the application server will connect to the database on your behalf (and on behalf of all your colleagues). Because the application server database user does not correspond to a “real” user, this type of account is called a technical database user. Besides application servers, IoT devices, for example, may also connect using a (shared) technical user.

From the point of view of the SAP HANA database server, however, no differences exist between your database user account and the user account for SAP NetWeaver. The difference is only conceptual. Still, technical database users have their own characteristics. For example, whereas a common best practice has been to prompt database users to change passwords every 3 months, for technical users, such a prompt would be undesirable. The technical user would stubbornly enter the old password until it gets locked out. The database administrator thus needs to manage these users differently, and user groups are a good way to differentiate between these types of users.

Figure 6.6 User Management in the SAP HANA Cockpit


You can use user groups to distinguish technical accounts from regular accounts, but other scenarios are possible as well. With user groups, you can separate employees from partners or temporary workers, or you can create a group for training purposes. User groups can have their own dedicated administrators. As a result, you can prevent a crucial technical account from being deleted accidentally. In addition, you can assign different password policies to a user group, requiring complex passwords that don’t need to be changed often for technical accounts but following a more relaxed approach on password complexity for accounts used by human users. You can create user groups with the SAP HANA cockpit in the User Groups interface, as shown in Figure 6.7.

Figure 6.7 SAP HANA Cockpit: User Groups

6.2.3 Authentication

If you’ve ever stood before a border security officer at an airport, you know what authentication is. Before letting you go through, the officer must validate that you = you. Are you the same person as stated on your passport? This validation is exactly what the SAP HANA database does with each access request. For this task, SAP HANA can use its own authentication mechanism or delegate the task to an external authentication provider. The built-in mechanism performs basic authentication based on user name and password.

The User Management screen in the SAP HANA cockpit (as shown earlier in Figure 6.6) provides access to the available authentication mechanisms, which we’ll walk through in the following sections.

Basic Authentication

Every operating system, database, or application server needs some type of built-in authentication mechanism, and SAP HANA is no exception. The SAP HANA database authentication component only understands SQL, so typically the client tool will present you with a logon screen where you can enter a user name and password. Regardless of how the client requests credentials, the authentication component will receive this information as SQL and will check if the name is in the internal SYS.USERS table and if the password matches the stored value. Passwords are stored encrypted, but you can use SQL or your favorite tool to query the users table, as shown in Figure 6.8. Together with user names, the table also stores additional metadata, like a validity period and whether the account is active or not. For example, when new hires arrive on the first day of the month, you wouldn’t want to call your database administrator and find out that he or she has a day off today. Instead, the database administrator should have created the users in advance with the VALID_FROM attribute set. Similarly, for temporary employees with contracts expiring, the attribute VALID_TO should be active. In total, the users table has 35 attributes including one for comments.

Figure 6.8 Users Table

When a user enters a bad user name/password combination to the database, the user can try again. How often depends on the password policy defined. You can try at least once, as the value of 0 means indefinitely. Once you pass the number of allowed failed attempts, your account will be locked (USER_DEACTIVATED=TRUE), and you’ll need to contact the database administrator to unlock your account, although the app or logon web page may have a self-service mechanism for this task.

The password policy editor, shown in Figure 6.9, contains a number of variables, as follows:

• Password Length and Composition
  Apart from rules and regulations around what to do with passwords, the password policy also defines what a password should look like. The minimum length is 8 characters by default. Required character types are lowercase, uppercase, and digit, the same as for many other SAP systems and applications. “Welcome1”, “Initial1”, “Password1”, and “Individual1” are well-known examples. Special characters are not enforced by default, but when enabled, any Unicode characters may be used.

• User Lock Settings
  The policy also defines how long you’re punished for entering a bad password. The user lock could only last one minute, or it may be indefinite. You can also specify whether you want the SYSTEM user to be exempted from locking.

• Password Lifetime
  You can define the minimum and maximum lifetime of passwords. Set the lifetime of the initial password, typically provided by the database administrator or by a logon script, and whether you need to change the password at first logon. For real-life people, requiring a password change at first logon is typically a good idea, which is why this setting is activated by default. But if the connection comes from a technical user, you’ll usually disable this setting, which is also the case for notifications about passwords expiring.

• Miscellaneous
  In this section, you can define the Number of Allowed Failed Logon Attempts, which defaults to 6, and the number of last used passwords, for example.

A chain is only as strong as its weakest link. To protect your system and all its users against a single user choosing an easy-to-guess password, a password blacklist can be maintained. You can add complete passwords to the list or just partial ones; for example, “pass” will exclude any password containing those four characters sequentially. In addition, you can indicate if passwords are case sensitive. Even some seemingly cryptic passwords are quite common and easy to guess, like “!@#$%^&*” and “1q2w3e4r5t.” Adding the most common passwords to the blacklist is a simple but effective way to make your system more secure.

Figure 6.9 Password Policy and Blacklist in the SAP HANA Cockpit
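
The following added example (not from the book and not SAP HANA code) models the default composition rules and a blacklist with full and partial entries, showing that the well-known passwords listed above satisfy the defaults and what the blacklist adds. The class names, field names, and blacklist terms are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BlacklistEntry:
    """One blacklist term (hypothetical model, not the SAP HANA table layout)."""
    term: str
    partial: bool = False         # True: reject any password containing the term
    case_sensitive: bool = False  # False: compare after lower-casing both sides

    def matches(self, password: str) -> bool:
        term, candidate = self.term, password
        if not self.case_sensitive:
            term, candidate = term.lower(), candidate.lower()
        return term in candidate if self.partial else term == candidate


@dataclass
class PasswordPolicy:
    """Defaults follow the text: 8 characters; lowercase, uppercase, and digit."""
    min_length: int = 8
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = False  # special characters are not enforced by default
    blacklist: list = field(default_factory=list)

    def violations(self, password: str) -> list:
        """Return every rule the candidate breaks (an empty list means accepted)."""
        found = []
        if len(password) < self.min_length:
            found.append("too short")
        if self.require_lower and not any(c.islower() for c in password):
            found.append("no lowercase letter")
        if self.require_upper and not any(c.isupper() for c in password):
            found.append("no uppercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            found.append("no digit")
        if self.require_special and all(c.isalnum() for c in password):
            found.append("no special character")
        for entry in self.blacklist:
            if entry.matches(password):
                found.append(f"blacklisted term {entry.term!r}")
        return found


def audit(policy: PasswordPolicy, candidates: list) -> dict:
    """Map each candidate password to the list of rules it violates."""
    return {pw: policy.violations(pw) for pw in candidates}


# The easy-to-guess passwords named in the text.
WELL_KNOWN = ["Welcome1", "Initial1", "Password1", "Individual1",
              "!@#$%^&*", "1q2w3e4r5t"]

DEFAULT_POLICY = PasswordPolicy()

# Constructed blacklist for the illustration: partial terms plus full passwords.
HARDENED_POLICY = PasswordPolicy(blacklist=[
    BlacklistEntry("pass", partial=True),
    BlacklistEntry("welcome", partial=True),
    BlacklistEntry("initial", partial=True),
    BlacklistEntry("Individual1"),   # full entry: only the exact password
    BlacklistEntry("1q2w3e4r5t"),
])

if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(label)
        for pw, problems in audit(policy, WELL_KNOWN).items():
            print(f"  {pw:<12} {'accepted' if not problems else '; '.join(problems)}")
```

A full entry rejects only the exact password, so a variant such as “Individual12” still passes; partial terms are what catch families of weak passwords.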

External Authentication

Besides built-in mechanisms, the SAP HANA database also supports external authentication methods. A great advantage these external mechanisms have over basic authentication is that they can be used to enable SSO, which allows users to log on once and then navigate from (web) application to application without the need to log on every time.

The following external authentication methods are available:

• Kerberos
  Kerberos is typically used in environments where the client (which could be the application server) runs on the Microsoft Windows platform. Kerberos allows you to connect with SAP Crystal Reports or any other SAP BusinessObjects application directly in the SAP HANA database, for example.


Technology Background

Kerberos might not sound familiar, but Microsoft Windows surely does. Kerberos has been the default authentication protocol for the operating system since Windows 2000. The protocol has been around quite some time and was designed initially for a client/server architecture to securely connect computers over a potentially insecure network. Because it does this quite well, Kerberos is still widely used. You’ll find Kerberos included with other operating systems, in particular, if that system needs to collaborate nicely in a Microsoft Windows environment. For this reason, Kerberos is one of the available authentication mechanisms for SAP HANA as well.

• SAML and JWT
  SAP HANA supports both SAML and JSON web tokens (JWT) as external authentication mechanisms (OAuth). Like Kerberos, SAML and JWT are typically used in an enterprise environment for web client SSO.

Technology Background

SAML is an open standard to exchange authentication and authorization information. Open standard means that the technology is not related to any specific vendor. In fact, SAML is part of the XML family, like HTML, and both are open standards as well. SAML goes back to the early 2000s, when web technologies overtook client/server architectures. SAML works with a service provider (SP) and an IdP with you, or rather the browser, in the middle. SAML also addresses authorization, which makes it a bit more complex.

Due to the way the IdP directs the client back to the SP (HTTP redirect and HTTP Post), using SAML in mobile phone environments is challenging. For this reason, from the labs of companies like Twitter and Google, another framework was developed, known as OAuth. In fact, when you use your Twitter, Google, or Facebook account to log on to the website of your favorite newspaper or web shop, OAuth is what you’re using. OAuth only does authentication. Not to be confusing, but the token used in OAuth can be in SAML format, and other formats are possible as well. Another format is the JSON (JavaScript Object Notation) format, which gives you a JSON web token, JWT in short (pronounced “jot”).

• Logon tickets and assertion tickets
  Logon tickets and assertion tickets in SAP are mainly used in SAP NetWeaver application server for ABAP and Java environments. Logon tickets are used for end-user authentication and SSO. Assertion tickets are typically used for authentication between systems and work similarly to Kerberos and SAML.

• X.509 client certificates
  Finally, you can also authenticate SAP HANA XS application users with X.509 client certificates (both SAP HANA XS and SAP HANA XS Advanced). Despite their cryptic name, X.509 certificates are quite common. For example, they are used to secure web traffic with HTTPS. The certificate contains a public key and identity in Lightweight Directory Access Protocol (LDAP) format signed by a certificate authority.

With Kerberos for Microsoft networks, logon tickets and assertion tickets for SAP systems, SAML for multivendor enterprise environments, and JWT or X.509 for the latest and greatest web applications, SAP HANA provides support for the most common authentication requirements.

6.2.4 Authorization

At this point, you’ve managed to get into the system as an authenticated user. Next, SAP HANA needs to check your authorizations. What are you allowed to do? What system privileges do you have? What are you allowed to see, and what can you change? For the overall security of your SAP HANA system, getting your authorizations right is as important as proper authentication. Typically, for database authorization, the built-in mechanism is used, although SAP HANA also supports LDAP as an external authorization provider.

In this section, we’ll cover users and roles, predefined users, and the different types of privileges.

Users and Roles

You can grant system and object privileges directly to users, which is easy to do but typically not the best approach. Getting authorizations right can be complex and requires care, and needing to start all over again if/when a user leaves the company or takes on another job function requiring other privileges would be a waste of time.

For this reason, normally you would grant privileges to roles and then grant those roles to users, which has two advantages:

• First, you can now build a hierarchy of privileges modeled on business roles. For example, you can create a role for the TENANT ADMIN system privilege, which allows you to start and stop tenant databases, and a role for the SERVICE ADMIN system privilege, which allows you to perform those operations on the system services. You can then grant both roles to a new role, the system administrator, which allows you to stop and start services for both the system database and the tenant databases.

• Second, should your user requirements change, no problem. You can simply revoke the old role(s) and grant a new one(s).

Now, you have a reusable authorization concept, which allows you to implement complex requirements matching actual business functions. The governing thought behind this functionality is the principle of least privilege (PoLP), a security best practice that advocates giving users only those privileges essential to doing the job. No more, no less.

Predefined Database Users

The SYSTEM database user has all system privileges by default. For this reason, the SYSTEM user should be used only to create lesser-privileged users for particular purposes after which the SYSTEM user account should be disabled.

To update SAP HANA, in most cases, the SYSTEM user is not required, and a lesser-privileged user can be used, which addresses a classic security loophole: SYSTEM access during upgrades. A carefully crafted PoLP implementation would be suspended temporarily if you needed to enable the SYSTEM super user for upgrades, which introduces a vulnerability. Note that the SYSTEM database user does not have access to objects created in other schemas (without explicit grants) nor can it grant itself access. However, as a USER ADMIN, you can easily change user passwords and connect and grant schema access.

Other predefined database users like SYS, _SYS_REPO, or _SYS_STATISTICS are technical users. These users are either object owners or support specific functionalities. You cannot connect to the database with these accounts.

Predefined Catalog Roles

By default, every SAP HANA system also includes a number of predefined catalog roles. Like the SYSTEM user, some of these roles contain a lot of privileges and should only be used as templates for creating more restricted roles. Examples include CONTENT_ADMIN and MODELING. Other roles are used for specific purposes, like the AFL_SYS_AFL_AFLPAL_EXECUTE role for the Application Function Library (AFL) and the Predictive Analysis Library (PAL). These roles should not be extended, either with additional privileges or with restrictions.

Every user will have the PUBLIC role, which enables filtered, read-only access to the system views. When you revoke the PUBLIC role from a user (and revoke CREATE ANY ON OWN SCHEMA and DISABLE CLIENT CONNECT), you create a restricted user. Restricted users have no privileges, can only access SAP HANA through client applications, and do not require full SQL access. To fine-tune restricted users, you can grant the RESTRICTED_USER_JDBC_ACCESS and the RESTRICTED_USER_ODBC_ACCESS roles, which only grant access to the JDBC or the ODBC interfaces, respectively.

Another role worth mentioning is the SAP_INTERNAL_HANA_SUPPORT role, which has read-only access to all metadata (but not customer data). Because this role is quite powerful, restrictions apply (limited to one user, cannot be granted to SYSTEM or another role), and an information alert is issued every hour when the role is granted.

System Privileges

System privileges authorize users to perform system administration tasks. By default, an SAP HANA system can involve 50 different system privileges. When you install optional components, like SAP HANA dynamic tiering, additional system privileges will be added.

Some privileges are related but distinct. For example, BACKUP ADMIN and BACKUP OPERATOR are different: An admin can perform all backup and recovery activities, including catalog configuration, while an operator can only start backups. The same distinction exists for the AUDIT system privilege and for IMPORT and EXPORT privileges.

Some privileges are powerful. INIFILE ADMIN, for example, allows you to make changes to all system settings. The SAP HANA Security Checklists and Recommendations guide lists critical combinations that should not be granted together, for example USER ADMIN and ROLE ADMIN, or AUDIT ADMIN and AUDIT OPERATOR.

Managing system privileges is performed in the SAP HANA cockpit, as shown in Figure 6.10, where you’ll select the different privileges you want to grant to specific users and roles.

Figure 6.10 Select System Privileges, Manage Roles in the SAP HANA Cockpit

Object Privileges

Database objects are schemas (the containers), tables, views, functions/procedures,

and sequences, to name the most common ones. To access or change any of these

objects, you’ll need the required SQL privilege. For example, to view data, you’ll need

the SELECT privilege on a table or view. To put new rows into a table, you’ll need the

INSERT privilege. To change existing rows, you’ll need the UPDATE privilege, and to

remove rows, the DELETE privilege. Even if you have the IMPORT system privilege, you’ll

still need the right object privilege for the import to be successful.

What we’ve just mentioned are examples of data manipulation language (DML)

command types. Data definition language (DDL) command types are also available, like

CREATE, ALTER, DROP, or EXECUTE on SQLScript functions. Other object privileges govern

remote sources (CREATE VIRTUAL TABLE), development (DEBUG), or security features

(UNMASKED and USERGROUP OPERATOR).

Figure 6.11 shows the Assign Privileges window in the SAP HANA cockpit. By default, a

database user receives the CREATE ANY object privilege on her SCHEMA from SYS, which

enables the user to create tables, views, and so on. This user also has received this

object privilege WITH ADMIN OPTION (Grantable to Others), so he or she can directly grant

other users (or roles) the privilege to create objects in his or her schema. No need for

SYS to intervene; JANEDOE is queen of the castle.

Figure 6.11 Assign Privileges, Object Privileges in the SAP HANA Cockpit

Analytical Privileges

With analytical privileges, you can fine-tune data access requirements. As the name

implies, object privileges control object access: yes or no. If the SALARY column is part

of the EMPLOYEES table, and you have access to the table, you can view the salaries.

Analytical privileges allow for a more fine-grained, row-level access control. For

example, only HR_MANAGER can view this column, or to be even more specific, you can

allow HR_MANAGER_US to access only the rows in this column for his or her region.

You can create analytical privileges using SQL with the CREATE STRUCTURED PRIVILEGE <name> FOR <action> ON <object> statement, where <action> resembles a typical SQL

WHERE clause and <object> references the table or view. However, more commonly,

you would use SAP HANA studio for the classic SAP HANA XS environment or use the

SAP Web IDE for the SAP HANA XS Advanced environment and create your privileges

as design-time artifacts in a development environment to be deployed as catalog

(runtime) objects on your actual production system. See Chapter 4, Section 4.1.2, for

the difference between runtime database objects and design-time development

artifacts.

Shared Business Authorizations

You can also use analytical privileges for what are called shared business

authorizations. For ABAP-based SAP applications like SAP S/4HANA, access control is defined

through authorization objects. You can leverage these ABAP authorization objects in

SAP HANA, which helps you implement (and maintain) scenarios where new SAP

HANA XS Advanced applications and existing ABAP-based SAP applications should

use the same authorization model. Shared business authorizations were introduced

in SAP HANA 2.0 SPS 03.

Additional Privileges

For SAP HANA XS applications, additional privileges can be defined. Package

privileges authorize you to read, edit, activate, or maintain both native and imported

repository packages. Application privileges define specific usage rights, for example

View or Admin roles. These types of privileges do not apply to SAP HANA XS Advanced

applications, however, which use an external source code repository and

implement application-level authorization with scopes and attributes.

Another additional privilege type is the ATTACH DEBUGGER user privilege, which enables

a user to debug SQLScript code in another user’s session, and is the only user privilege

currently available.

Code Clinic

You can grant privileges with the GRANT and REVOKE statements either directly using

SQL or by using client tools like the SAP HANA cockpit and SAP HANA studio. The

following is an example GRANT statement:

GRANT CREATE ANY ON SCHEMA tony TO maria;

While the SAP HANA cockpit and the SAP HANA studio provide easy-to-use

interfaces for the most common functionalities, you’ll often have to open the SQL console

and perform actions in code.

When granting a privilege WITH ADMIN OPTION, this privilege can then be granted

again by the specified user or by the users with the specified role. Otherwise, only the

object owner can grant the privilege.

If you delete an object or schema owner, all objects and (admin) object grants are

deleted as well. Object ownership can be transferred.

Troubleshooting Authorization Issues

Troubleshooting authorization issues for catalog (runtime) objects can be

complicated. As of SAP HANA 2.0 SPS 03, the database engine includes a global unique ID

with the error [258]: insufficient privilege: Detailed info for this error can be found with guid '<guid>'.

As an administrator, you can then run the procedure get_insufficient_privilege_error_details('<guid>', ?) to find the cause of this error.

For earlier SAP HANA versions, you can enable an authorization trace in SAP HANA

studio together with the system views EFFECTIVE_PRIVILEGES and STRUCTURED_PRIVILEGES. SAP Support’s Guided Answers (http://s-prs.co/v488426) for SAP HANA

Troubleshooting, shown in Figure 6.12, can help you get started.

Figure 6.12 SAP Support, Guided Answers: SAP HANA Troubleshooting

SAP Notes

For more information, see SAP Note 1809199 – SAP HANA DB: Debugging user

authorization errors.

LDAP Users and Groups

LDAP is, together with HTTP and TCP/IP, an Internet pioneer. Today, the LDAP server

is typically used in an enterprise to provide a central place to store user names and

passwords. The most well-known LDAP implementation is Microsoft Active

Directory, but many more are available, even open source LDAP implementations.

Support for LDAP authorization was introduced in SAP HANA 2.0 for users accessing the

database with ODBC/JDBC clients. You can even automatically create new users in the

SAP HANA database based on LDAP user group membership.

6.3 Data Privacy and Protection

In this section, we’ll describe some additional features to safeguard data privacy: data

masking and real-time anonymization. We’ll also address how unauthorized access is

made, if not impossible, then at least extremely unlikely with encryption of data at

rest and data in transit.

6.3.1 Data Masking

Data masking is a special type of object privilege that behaves like an analytical

privilege. As we’ve seen, object privileges are coarse-grained. You either have access or

you don’t. And if you don’t, you get an error.

To obtain a more fine-grained type of access control, analytical privileges can be used.

However, this type of privilege must be designed and created. Before you can restrict

your sales manager to viewing the data only for his or her region, you’ll need a table

with sales data and regions first. Once you have this table and the analytical privilege,

you can assign it to a user.

Consider a table with sensitive data (from a privacy point of view), which could be

salary information in an employee table, credit card numbers in a customer table, or

medical records. The access policy for this data is “no access, except.” In other words,

access is denied for everyone, and only users with explicit access grants can view the

data. You could use object privileges to implement this policy, but this policy would

only work if the sensitive data is isolated in a dedicated table. However, for

performance reasons or other table design reasons, keeping the one sensitive column in the

table with other data might be essential. In this case, you could use an analytical

privilege to implement this policy, but now, you’ll need to make sure the privilege not to

see the data is assigned to all users, except for some users, which may be

cumbersome.

Data masking provides a more elegant solution and allows for more flexibility. With

data masking, when the wrong user accesses the data, that user would not get an

error. The data would be hidden from that user. If you consider a table with credit

card data, for example, you can create a mask that completely obscures the column

with the card numbers, so all that the user sees are x’s. However, you could also

define that mask such that only the first or last four digits are visible. This would

enable customer service representatives to use the card number to verify caller

identity without revealing too much information.

How data masking is implemented is flexible, and you can use a simple template or

write a complex function. Using a function also allows you to separate the table or

view object owner from the mask object owner.

Code Clinic

The mask can be a simple template:

CREATE VIEW credit_view AS SELECT name, credit_card FROM cards
WITH MASK(NAME USING 'AAAA', CREDIT_CARD USING 'XXXX');

The mask can be implemented as a function, as shown in Listing 6.1.

CREATE FUNCTION mask_owner.credit_mask(INPUT VARCHAR(19))
RETURNS OUTPUT VARCHAR(19) LANGUAGE SQLSCRIPT AS
temp VARCHAR(19);
BEGIN
  SELECT LEFT(INPUT,4) || '-XXXX-XXXX-' || RIGHT(INPUT,4)
  INTO temp FROM SYS.DUMMY;
  OUTPUT := temp;
END;

Listing 6.1 Create Function

This function enables separation of ownership between the view and mask owner:

CREATE VIEW data_owner.credit_view AS SELECT * FROM cards
WITH MASK(CREDIT_CARD USING mask_owner.credit_mask(credit_card));

To view the data without the mask, you’ll need the UNMASKED object privilege on the

table or view:

GRANT UNMASKED ON credit_view TO super_user;
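
A mask that keeps the first and last four characters only hides something when the value is long enough. The following Python model of the expression in Listing 6.1 is an added example, not code from the book; it assumes LEFT and RIGHT return the whole string when it is shorter than four characters, and safe_mask with its thresholds is a hypothetical hardened variant.

```python
def listing_mask(value):
    """Model of Listing 6.1: LEFT(INPUT,4) || '-XXXX-XXXX-' || RIGHT(INPUT,4)."""
    return value[:4] + "-XXXX-XXXX-" + value[-4:]


def hidden_characters(value):
    """How many characters of the input the Listing 6.1 mask actually withholds."""
    return max(0, len(value) - 8)


def safe_mask(value, keep=4, min_hidden=4):
    """Hypothetical hardened mask: reveal the outer digits only when at least
    min_hidden digits stay hidden; otherwise mask the whole value."""
    digits = "".join(c for c in value if c.isdigit())
    if len(digits) < 2 * keep + min_hidden:
        return "X" * len(value)
    hidden = "X" * (len(digits) - 2 * keep)
    return f"{digits[:keep]}-{hidden}-{digits[-keep:]}"


if __name__ == "__main__":
    # Constructed sample values, not real card numbers.
    for sample in ["4111-1111-1111-1111", "12345678", "1234567"]:
        print(sample, listing_mask(sample), hidden_characters(sample), safe_mask(sample))
```

For an eight-character value, the Listing 6.1 pattern returns every character of the original around the X block, so a mask function should check the input length before revealing any part of it.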

6.3.2 Data Anonymization

Data anonymization solves the puzzle of what’s called statistical disclosure control:

revealing accurate statistics about a population while preserving the privacy of

individuals. Data anonymization in SAP HANA is implemented through calculation

views (see Chapter 4, Section 4.3) and supports the methods K-anonymity and

differential privacy. Both approaches are well-known standards in the field.

Technology Background

Differential privacy was first defined in 2003 by Cynthia Dwork. This approach

enables the gathering of useful information from a group of people while at the

same time learning nothing about an individual.

Social sciences in the precomputer age used a similar approach to collect statistical

information about embarrassing or illegal behavior: flipping a coin. If tails, respond

truthfully (yes or no); if heads, flip another coin and respond “Yes” for heads and

“No” for tails, resulting in a 50% chance of the truth with plausible deniability of any

outcome. If repeated often enough, you’ll gather statistically viable information from

the group, while knowing nothing for sure about the individuals.
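
The coin-flip survey can be simulated to see both sides of the trade-off. The following Python sketch is an added example, not code from the book or from SAP HANA; the function names, the seed, and the 30% true rate are assumptions chosen for the demonstration.

```python
import math
import random


def randomized_response(truth, rng):
    """One respondent: on tails answer truthfully; on heads a second flip decides."""
    if rng.random() < 0.5:        # first coin shows tails
        return truth
    return rng.random() < 0.5     # second coin: heads means "Yes", tails means "No"


def estimate_true_rate(responses):
    """Invert P(yes observed) = 0.5 * p + 0.25 to recover the group rate p."""
    observed = sum(responses) / len(responses)
    return min(1.0, max(0.0, 2.0 * (observed - 0.25)))


def posterior_given_yes(true_rate):
    """P(respondent is truly "yes" | they answered "Yes"), by Bayes' rule."""
    return 0.75 * true_rate / (0.5 * true_rate + 0.25)


def privacy_epsilon():
    """P(yes | truly yes) = 0.75 and P(yes | truly no) = 0.25, so the
    likelihood ratio is 3 and the scheme is ln(3)-differentially private."""
    return math.log(0.75 / 0.25)


def simulate(true_rate, n, seed=2019):
    """Return (actual rate in the simulated group, rate estimated from the answers)."""
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(n)]
    responses = [randomized_response(t, rng) for t in truths]
    return sum(truths) / n, estimate_true_rate(responses)


if __name__ == "__main__":
    actual, estimated = simulate(true_rate=0.3, n=100_000)
    print(f"actual rate    {actual:.4f}")
    print(f"estimated rate {estimated:.4f}")
    print(f"P(truly yes | answered yes) = {posterior_given_yes(0.3):.4f}")
    print(f"epsilon = {privacy_epsilon():.4f}")
```

The group rate is recovered to within a fraction of a percentage point, while a single "Yes" raises the probability that the respondent is truly a "yes" only from 30% to about 56%.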

The data controller—the person responsible for data privacy—defines the calculation

view and configures the parameters of the selected method. To access the view, you can

use a standard SAP HANA object authorization. You can configure the K-anonymity for

a calculation view using the SAP Web IDE for SAP HANA.

In addition, for compliance reporting purposes, a list is made available in the SAP

HANA cockpit for easy access to where a method is used in the Anonymization Views

screen shown in Figure 6.13.

Figure 6.13 SAP HANA Cockpit: Anonymization Views

6.3.3 Encryption

Encryption protects both data in transit and data at rest. During an eavesdropping

attack, if the data is not encrypted, you don’t need a sophisticated network sniffer

tool to capture user name and password combinations traveling over the Internet in

clear text (HTTP). Nor is it rocket science to extract valuable data from database files.

However, once the data is encrypted, making any sense out of raw data is almost

impossible. All data at rest can be encrypted, for example, the database files on the

data volume, the redo log files on the log volume, and any data or log file backup

stored on the file system. In addition, all data in transit can be encrypted as well. In

fact, most data in transit is encrypted automatically.

In this section, we’ll address both types of encryption and explain how encryption

can be configured.

Technology Background

In the SAP HANA documentation, the protocol used for network encryption is

described as Transport Layer Security (TLS)/Secure Sockets Layer (SSL). SSL is a

relatively well-known Internet protocol for providing the secure “S” of HTTPS and the

green lock icon in the browser. This protocol goes all the way back to the early days of

the World Wide Web and the Netscape Navigator web browser.

Today, SSL is almost obsolete, and typically TLS is used to encrypt traffic and

authenticate computers. However, because TLS is less well known, it is often referenced

together with SSL (as in TLS/SSL) or even simply called SSL. Regarding SAP HANA,

when reading about SSL, TLS, SSL/TLS, or TLS/SSL, note that we are referring to one

thing: the TLS protocol.

Network Encryption

The communication between SAP HANA components is encrypted by default using

TLS. Communication includes traffic between the different processes (hdbdaemon, hdbnameserver, hdbindexserver, etc.) and with optional server components, like SAP

HANA dynamic tiering with its extended storage. In addition, communication can be

encrypted at the database tenant level, for multihost (distributed) environments and

between system replication sites, but these require explicit activation (global.ini,

[communication] ssl = systemPKI) and some additional steps.

Network Zones

The SAP HANA network is further protected with different zones, as shown in Figure

6.14.

Figure 6.14 SAP HANA Network Zones (diagram: client zone with SAP HANA client and browser; internal zone with the SAP HANA system database, tenants, and XS Advanced; storage zone)

A dedicated internal network zone for the SAP HANA processes on each host and

between hosts in a distributed system is also used for system replication. In addition,

a separate storage network zone controls network access between the SAP HANA

system and the storage area network (SAN) or network attached storage (NAS) device.

This zone is also used by the enterprise backup tools. Finally, any other type of access

occurs in the client zone. Each zone can be configured to use its own network adapter

(hence the different IP addresses), which enables you to physically separate internal

communication from outside access channels. We’ll discuss this separation further

in Chapter 9, Section 9.11.1.

From a security point of view, the zone that requires most attention is the client zone.

In this zone, you’ll find the following connections:

• Connections for administration purposes, for example, the SAP HANA cockpit or SAP HANA studio

• SQL client connections for business users, for example, SAP BusinessObjects BI clients using ODBC/JDBC or from Microsoft Excel (also supporting multidimensional expressions [MDX]) but also from the SAP S/4HANA and SAP BW application server

• HTTP/S client connections for business users, like the SAP HANA XS Advanced web client or the SAP HANA XS command line tool

• Connections for data provisioning, for example, SAP Data Services, SAP Replication Server, or SAP HANA streaming analytics

• Outbound connections, for example, the Solution Manager Diagnostic (SMD) agent to SAP Solution Manager, the R client to an external R server, or the SAP HANA Lifecycle Management tool to connect to Software Downloads on the SAP ONE Support Launchpad

Careful configuration of the firewall between the SAP HANA system and the outside

world is important. For example, for administration access, you should only allow

traffic from specific IP ranges. You could consider adding additional network

protection using network address translation (NAT) or virtual private networks (VPNs) with

IPsec. With NAT, you can map the public IP address to an internal IP address using

either software or additional hardware, while a VPN creates a private connection

between one or more computers allowing you to simulate local area network (LAN)

connections. Highly recommended, as well, is to configure network encryption (TLS)

for all client connections. These are just some examples; many others exist, and we

recommend checking with your network administrator for advice on specific

implementations.

System PKI and SSFS

A dedicated public key infrastructure (PKI) with an X.509 certificate can be set up

during the SAP HANA installation to support network encryption and is

automatically extended whenever you create a new tenant database or add a SAP HANA XS

Advanced host to the landscape. The PKI consists of a public and private key pair for

each host and tenant database and a public key certificate for their mutual

authentication. The certificate authority is the SAP HANA instance itself, which signs all

certificates. The public keys are stored in a personal security environment (PSE) together

with the private key.

PKI and X.509 are common security technologies, but PSE and the associated SSFS

(secure store in the file system) are specific to SAP as is the CommonCryptoLib

cryptographic library used to encrypt the traffic. In the past, SAP used different

cryptography libraries for network encryption and digital signatures. Since 2013, these separate

libraries have been bundled into a shared library, the CommonCryptoLib. This

default library is used for all your cryptography needs with SAP HANA. SSFS is a

technology shared with SAP NetWeaver systems; think of it as a safe to hold key files.

If you’re receiving SAP HANA as an appliance from a hardware partner or powering

up an SAP HANA instance in the cloud, you should generate a new master key for the

PKI SSFS.

Learn More

The process for changing these keys is documented in “Change the SSFS Master

Keys” in the SAP Administration Guide on the SAP Help Portal.

Tenant Database Isolation

To enhance the protection of tenant databases, you can configure SAP HANA to run

in high isolation mode. In this mode, each tenant database will run in the context of

a dedicated operating system user and group, and not under the shared <sid>adm:sapsys account.

Tenant databases are self-contained already, with separate users and object catalogs.

High isolation mode further strengthens this separation. Consider, for example, file

permissions on backups. In high isolation mode, a separate PKI is configured for

tenant database processes to ensure that only they can communicate with each other

(hdbindexserver with scriptserver, for example). You’ll need to explicitly enable

cross-database communication to allow one tenant to access data in another tenant.

This access is read-only and one-way (although bidirectional traffic is configurable).

Learn More

The process for changing the isolation level is documented in “Increase the System

Isolation Level” in the SAP Administration Guide on the SAP Help Portal.

Data at Rest and Backup Encryption

Knowing that network traffic can be protected is great, but what about stored data?

No surprises here, as you can encrypt data at rest as well. In fact, for the SAP Cloud

Platform, SAP HANA service, the in-memory database in the cloud, storage

encryption is enabled by default and cannot be switched off.

For SAP HANA on-premise, you have a choice: You can enable data volume

encryption, log volume encryption, and/or backup encryption. Backup encryption will

typically be active when using any of the third-party enterprise backup solutions

supported by SAP HANA. Data volume encryption can also be activated with little

overhead as the in-memory database holds most data in-memory during operation

and data is only written to persistence by a background process during savepoints

every 5 minutes.

Tables stored on encrypted data files will take more time to load during system

startup, but this time is unlikely to be of significance as, again, most of the load will

happen in the background while the database is already open for business. For redo

log encryption, a performance impact might be noticeable as each commit will have

to wait for a write confirmation. On encrypted storage, this process will include some

extra CPU cycles. Your business users may not notice a difference, but the difference

may appear in comparative performance reports (around 5% difference is

reasonable).

The encryption root keys for data, redo log and backup encryption are also stored in

an SSFS. As in the case for the System PKI SSFS (which we discussed earlier in this

section), when you receive SAP HANA as an appliance from a hardware partner, you

should generate a new master key for the instance SSFS together with new root keys

for each service (data, log, and backup).

Figure 6.15 shows how you can enable encryption by flipping a switch. The encryption

algorithm is listed (AES-256-CBC), in this case the Advanced Encryption Standard (AES)

using a 256-bit key in Cipher Block Chaining (CBC) mode, as well as the time stamp of

the last key change.

Figure 6.15 SAP HANA Cockpit: Data Encryption Configuration

Figure 6.16 shows the location and time stamp of the system PKI and instance SSFS

plus the active version of the service root keys. Change Root Keys will start the

Manage Keys wizard to guide you through the process, which involves the following

steps:

1. Setting a root key backup password (not to be confused with the backup root key).

2. Selecting the encryption root keys to change (data volume, redo log, backup, and/

or encryption service).

3. Saving the password-protected root keys to an external location.

4. Acknowledging that you’ve indeed saved the root keys; will never forget the

password; and fully understand that, without these root keys and their password, you

cannot recover the database.

Figure 6.16 SAP HANA Cockpit: Manage Keys

Application Encryption Service

The application encryption service can be used by SAP HANA XS and SAP HANA XS

Advanced applications to securely store encrypted values in the database, for

example, for a Java application to store encrypted credit card numbers. Both storage and

retrieval can only be performed using stored procedures owned by SYS, the object

owner of all system tables, procedures, and views, but without ability to log on. The

same service is also used by SAP HANA internally to store credentials required for

outbound connections, via SAP HANA smart data access (SDA), and to store the

private keys of the SAP HANA server as a database collection, which is the equivalent of

the SSFS PSE except that the PSE is stored in the database and not in the file system.

This PSE or database collection is used for secure client-server communication, for

example, between a JDBC client (SAP HANA studio) and the SAP HANA system.

6.4 Auditing

An audit (literally, “a hearing”) is an account of events. In our case, for the SAP HANA

database and SAP HANA XS application server, an audit is a chronological, time

stamped record of selected actions or events. The audit trail or audit log tells you

what happened, who did what, and when (or attempted to). Such a record may be

required for compliance reasons or serve as evidence that your sensitive data has not

been accessed.

Like a surveillance camera, auditing per se does not protect your system; it merely

records what happened. You’ll need to turn auditing on, and not everything will be in

scope. For example, the procedure to reset the SYSTEM user password (system

shutdown followed by starting nameserver with -resetUserSystem flag) runs outside of

the scope of the database engine.

For commands executed at the operating system level, which includes system

shutdown and startup, you would consult the Linux syslog, which holds operating system

audit data. This limitation is also true for actions performed by the SAP host agent

like system updates or adding components. For this reason, configuring auditing to

use syslog as audit trail target (not internal database tables) might be practical and

may also make it easier to integrate SAP HANA auditing with other auditing tools. For

privacy reasons, however, tenant audit events are written to the internal tables

(which are configurable). Designing a proper audit policy requires some careful

thought.

The SAP HANA audit policy defines the actions to be logged. You can define multiple

policies and enable or disable them when needed. Typical candidates for auditing

include the following actions:

• Authentications: Who accessed the system and when (outside office hours)

• Authorizations: Who granted access to whom, who accessed sensitive data

• Object changes or deletions: Unexpected in production systems outside maintenance scopes

• System parameter changes: To avoid future blame games

When you create a new audit policy, you’ll first need to indicate whether you want to

audit successful actions, unsuccessful ones, or both. Next, you’ll select the type of

action and for which user. You can audit all actions, and you can audit all users but

not both (all actions by all users). All action policies are tagged as “firefighter” policies

and are flagged. The amount of data generated will be so massive that you may have

created for yourself a needle-in-the-haystack problem. Typically, you’ll want each

policy to capture specific actions, like defining specific objects, for example, tables

with sensitive data. Or, you might specify specific object actions. For each policy,

you’ll indicate the level (info, warning, alert, critical, or emergency) and the audit trail

target (database table or syslog). This flexibility enables you to log critical and

emergency entries to the syslog for direct processing, while keeping info entries in the

database for reporting, for example.

Several best practices to keep in mind with regard to auditing include the following:

• Create as few audit policies as possible (better a single complex policy than several simple ones).

• Avoid DML, which impacts performance more than DDL.

• Do not create policies for actions that are already audited by default (clear audit log).

• Do not create objects that do not allow direct access (SYS.P_USER_PASSWORD).

Figure 6.17 shows the Auditing page in the SAP HANA cockpit where you can create

and enable audit policies, configure the audit trail (database or log), and view audit

trail records.

Under the Audit Trail tab, you’ll see audit entries for both the SAP HANA database and

the SAP HANA XS Advanced application server. Figure 6.18 shows the combined All

Logs view with the SQL statement included.

Learn More

See the chapter “Auditing Activity in SAP HANA Systems” in the SAP HANA Security

Guide for more detail and further references.

Figure 6.17 Audit Policies in Auditing, SAP HANA Cockpit

Figure 6.18 Audit Trail in Auditing, SAP HANA Cockpit

6.5 SAP HANA XS Security

The SAP HANA XS (both the classic and advanced model) application servers are part

of the platform and share many security features with the database. Network

encryption, for example, is configured at the system level. The same <sid>adm operating

system account owns both the database and application server software. In case of SAP

HANA XS Advanced, the default IdP (authentication service) for the application

server is the SAP HANA database. However, as we described in Chapter 2, Section 2.2.5,

the SAP HANA XS, classic model and SAP HANA XS advanced model application

servers are also quite distinct, which impacts security aspects.

Authentication and authorization have been implemented differently, not

just different when comparing SAP HANA XS, classic model with SAP HANA XS,

advanced model, but also different when comparing each application server with the

SAP HANA database. To avoid three sections on authentication and another three on

authorization, which would result in much confusion and little clarity, we’ve chosen

to address the application servers in Chapter 4, Section 4.4, where we discuss security

in the context of application development.

6.6 Additional Security Considerations and Concerns

In this chapter so far, we’ve described the most important security topics for the SAP

HANA platform with a focus on the database. While database security is a good place

to start, your security considerations should not end there. To install or update SAP

HANA components (SAP HANA server, SAP HANA client, SAP HANA cockpit, SAP

HANA XS Advanced, AFL, and so on), you’ll use a single tool: SAP HANA Lifecycle

Management (see Chapter 3, Section 3.3). This tool includes its own security features,

like software authenticity verification and using lesser-privileged users for updates

(leaving the SYSTEM user disabled). This tool also introduces new security

considerations as you may require root user access to the operating system and new ports to

open in the firewall.

With a single SAP HANA cockpit system, you can manage an entire SAP HANA

landscape. But what privileges should your SAP HANA cockpit users have? And how

should you configure the technical user to connect to the managed resources?

Should you enable SSO, and even enforce it? The SAP HANA cockpit also comes with

its own security requirements and considerations, as does the database explorer.

Page 20: Browse the Book - Amazon S3 · Browse the Book In this chapter, you’ll assume the role of the security architect. You’ll see how security is managed by SAP HANA, from authenticating

6 Security

282

Although integrated into the SAP HANA cockpit and the SAP Web IDE for SAP HANA,

this application has its own security considerations regarding authentication, autho-

rization, and securing connections. Note also that you could use SDA for federation

or user replication technologies like SAP Data Services and SAP Landscape Transfor-

mation Replication Server, R and Hadoop integration with the SAP HANA landscape

and SAP HANA data warehousing foundation—the list goes on.

In addition, the responsibilities of the SAP HANA security architect don’t stop at the platform with its associated options and edition components. In this chapter, we haven’t really mentioned topics like the security implications of running SAP S/4HANA or SAP BW on SAP HANA, SAP BusinessObjects integration and the EPM-MDS plugin, or access between cloud applications like SAP Analytics Cloud and on-premise SAP HANA systems.

Nor have we discussed how SAP HANA relates to other SAP products in the cybersecurity and GRC spaces. Once you go beyond the introductory level, you’ll need to address integration with products like SAP Access Control or SAP Identity Management; with services like SAP EarlyWatch Alert, part of the security optimization services; or with organizations such as user groups for security, data protection, and privacy. Security is complex, and we’ve only scratched the surface.

Learn More

SAP HANA product management maintains a microsite with information about security for an IT expert audience (our security architect persona). For more information, visit http://s-prs.co/v488427.

SAP Notes

For additional information, search the knowledge base for articles about SAP HANA security. A good place to start is SAP Note 2159014 – FAQ: SAP HANA Security. The component for the SAP HANA security topic is HAN-DB-SEC.

6.7 Summary

In this chapter, we covered the most important SAP HANA security concepts with a focus on the database. We introduced the SAP HANA security architect as a persona by looking at the job role and the most relevant tools. We provided a quick scan of the SAP HANA user management implementation with the available options for authentication, both built-in through user name and password policies and from external mechanisms like Kerberos, SAML, and JWT. Similarly, we investigated various options for authorization, including hybrids like ABAP-shared business authorizations and using LDAP as both authorization and authentication provider. After the topic of secure access, we addressed data privacy and protection with data masking and data anonymization as interesting new features. Then, we looked at data encryption at rest and in transit using TLS/SSL, PKI, SSFS, root keys and master keys. And to comply with regulations, we did a quick tour of the audit functionality.

In the next chapter, we’ll meet the persona responsible for connecting our SAP HANA systems with the outside world, replicating data from source systems, integrating with big data, or virtualizing remote data sources using SDA. Time to introduce you to the SAP HANA data integration architect.


Contents

Preface

1 Introduction

1.1 What Is SAP HANA?

1.2 Key Capabilities

1.2.1 Application Development

1.2.2 Advanced Analytical Processing

1.2.3 Data Management

1.2.4 Database Management

1.3 Key Benefits

1.3.1 Reduce Complexity

1.3.2 Run Anywhere

1.3.3 Real Results

1.4 Finding Customer Stories and Use Cases

1.5 Industry Analysts

1.5.1 Gartner and the Magic Quadrant

1.5.2 Forrester Wave and IDC MarketScapes

1.6 The Road Ahead

1.7 Licensing and Maintenance

1.7.1 Licensing

1.7.2 Software Maintenance

1.8 Summary

2 Technology Overview

2.1 In-Memory Database Concepts

2.1.1 Database History in a Nutshell

2.1.2 SanssouciDB


2.2 System Architecture Overview

2.2.1 Implementation Scenarios

2.2.2 Services and Processes

2.2.3 Memory and Persistence

2.2.4 Single-Host and Distributed Systems

2.2.5 Database and Application Server

2.2.6 Data Tiering

2.3 Editions

2.3.1 SAP HANA, Platform Edition

2.3.2 SAP HANA, Express Edition

2.3.3 SAP HANA, Cloud Edition

2.3.4 Licensing, Options, and the Feature Scope Description

2.4 What’s New: Support Package Stacks and Revisions

2.4.1 SAP HANA Platform Edition 1.0

2.4.2 SAP HANA Platform Edition 2.0

2.5 Deployment Options

2.5.1 On-Premise

2.5.2 Cloud Deployments

2.6 Summary

3 Administration

3.1 Role and Tools

3.1.1 The SAP HANA Administrator

3.1.2 Tools

3.2 System Administration

3.2.1 System Configuration

3.2.2 Performance Monitoring and Analysis

3.2.3 Resource Management

3.2.4 Security

3.2.5 Backup and Recovery

3.2.6 Additional Responsibilities


3.3 SAP HANA Lifecycle Management

3.3.1 Platform Lifecycle Management

3.3.2 Product Availability Matrix

3.3.3 Installation and Update

3.3.4 Application Lifecycle Management

3.4 Application Server Administration

3.4.1 SAP HANA XS Admin Tool

3.4.2 Deploying SAP HANA XS Advanced Applications

3.5 Summary

4 Development

4.1 Role and Tools

4.1.1 The SAP HANA Developer

4.1.2 Tools

4.2 SQL and SQLScript

4.2.1 SQL

4.2.2 SQLScript

4.2.3 ABAP Managed Database Procedures

4.3 Analytic Modeling

4.4 SAP HANA Extended Application Services

4.4.1 SAP HANA XS

4.4.2 SAP HANA XS Advanced

4.5 Core Data Services

4.6 SAP HANA Deployment Infrastructure

4.7 Application Lifecycle Management

4.8 JSON Document Store

4.9 SAP Cloud Platform

4.9.1 Cloud Foundry and Neo

4.9.2 SAP Cloud Application Programming Model

4.9.3 SAP Cloud Platform, SAP HANA Service


4.10 Client Interfaces

4.10.1 SAP HANA Client Installation

4.10.2 SQLDBC

4.10.3 JDBC

4.10.4 ODBC

4.10.5 ODBO

4.10.6 Python

4.10.7 Node.js

4.10.8 Go

4.10.9 ADO.NET

4.10.10 Ruby

4.11 Web-Based Data Access

4.11.1 OData

4.11.2 Information Access

4.11.3 XMLA

4.12 SAP HANA, Express Edition

4.12.1 Deployment Options

4.12.2 Getting Started

4.13 SAP HANA Interactive Education

4.13.1 Deployment Options

4.13.2 Getting Started

4.14 Summary

5 Advanced Analytics

5.1 Roles and Tools

5.1.1 The SAP HANA Data Scientist

5.1.2 Tools

5.2 Predictive Analytics and Machine Learning

5.2.1 Application Function Library

5.2.2 Predictive Analysis Library

5.2.3 R Integration

5.2.4 External Machine Learning Library

5.2.5 Automated Predictive Library


5.3 Spatial Data Processing

5.4 Graph Data Processing

5.5 Series Data Processing

5.6 Text Analytics and Search

5.6.1 Search

5.6.2 Text Analysis

5.6.3 Text Mining

5.7 SAP HANA Streaming Analytics

5.8 Summary

6 Security

6.1 Roles and Tools

6.1.1 The SAP HANA Security Architect

6.1.2 Tools

6.2 User Management

6.2.1 Implementation Scenarios

6.2.2 User Types and User Groups

6.2.3 Authentication

6.2.4 Authorization

6.3 Data Privacy and Protection

6.3.1 Data Masking

6.3.2 Data Anonymization

6.3.3 Encryption

6.4 Auditing

6.5 SAP HANA XS Security

6.6 Additional Security Considerations and Concerns

6.7 Summary


7 Data Integration

7.1 Roles and Tools

7.1.1 The SAP HANA Data Integration Architect

7.1.2 Tools

7.2 SAP HANA Data Management Suite

7.2.1 SAP Data Hub

7.2.2 SAP Enterprise Architecture Designer

7.2.3 SAP Cloud Platform Big Data Services

7.3 Enterprise Information Management

7.3.1 SAP HANA Smart Data Integration and SAP HANA Smart Data Quality

7.3.2 SAP Data Services

7.3.3 SAP Agile Data Preparation

7.4 Data Federation with SAP HANA Smart Data Access

7.5 Remote Data Synchronization

7.6 Data Replication

7.6.1 SAP Landscape Transformation Replication Server

7.6.2 SAP Replication Server

7.7 Big Data

7.7.1 SAP Vora

7.7.2 SAP HANA Hadoop Integration

7.8 Summary

8 Data Architecture

8.1 Roles and Tools

8.1.1 The SAP HANA Data Architect

8.1.2 Tools

8.2 SAP Enterprise Architecture Designer

8.3 Scaling SAP HANA

8.3.1 Distributed Systems


8.3.2 Scale-Up

8.3.3 Scale-Out

8.3.4 Configuring Scale-Out Systems

8.3.5 Scale-Out for SAP HANA XS Advanced

8.4 Data Tiering

8.4.1 Persistent Memory

8.4.2 SAP HANA Native Storage Extension

8.4.3 SAP HANA Extension Nodes

8.4.4 SAP HANA Dynamic Tiering

8.4.5 SAP Data Hub and the Spark Controller

8.5 Data Distribution

8.5.1 Table Partitioning

8.5.2 Table Placement and Distribution

8.5.3 Table Replication

8.6 SAP HANA Data Warehousing Foundation

8.6.1 Data Distribution Optimizer

8.6.2 Data Lifecycle Manager

8.6.3 Native Datastore Objects

8.7 Summary

9 Data Center Architecture

9.1 Roles and Tools

9.1.1 The SAP HANA Data Center Architect

9.1.2 Tools

9.2 Implementation Overview

9.2.1 Sizing SAP HANA

9.2.2 Implementation Partners

9.3 Deployment Options

9.3.1 Hybrid and Multicloud

9.3.2 Single-Host and Distributed Systems

9.3.3 Technical Deployments (MCOS and MCOD)

9.3.4 Tenant Databases

9.3.5 Virtualization


9.4 On-Premise SAP HANA

9.4.1 Appliance

9.4.2 Tailored Data Center Integration

9.5 Hardware Technologies

9.5.1 Intel Optane Persistent Memory

9.5.2 IBM Power Systems

9.6 Operating System Platforms

9.6.1 SUSE

9.6.2 Red Hat

9.7 Infrastructure-as-a-Service Providers

9.7.1 Amazon Web Services

9.7.2 Microsoft Azure

9.7.3 Google Cloud Platform

9.7.4 Public Cloud Providers

9.8 Migration

9.8.1 AnyDB to SAP HANA

9.8.2 Software Update Manager Database Migration Option

9.8.3 Custom Applications

9.8.4 Third-Party Applications

9.9 High Availability and Disaster Recovery

9.10 System Replication

9.10.1 Configuration

9.10.2 Multitier and Multitarget

9.10.3 Active/Active Read-Enabled System Replication

9.11 Network Administration and Landscape Management

9.11.1 Network Administration

9.11.2 SAP Landscape Management

9.11.3 SAP Solution Manager

9.12 Summary

10 Training and Support 381

10.1 Training .................................................................................................................................... 381

10.1.1 SAP Education ........................................................................................................ 382

10.1.2 openHPI and openSAP ........................................................................................ 391

10.1.3 SAP HANA Academy ............................................................................................ 396

10.1.4 SAP Developer Center ......................................................................................... 399

10.2 SAP Services and Support ................................................................................................. 400

10.2.1 SAP Digital Business Services ........................................................................... 401

10.2.2 SAP Support ............................................................................................................ 401

10.2.3 SAP Help Portal ...................................................................................................... 405

10.2.4 SAP ONE Support Launchpad ........................................................................... 408

10.3 SAP Community .................................................................................................................... 411

10.4 SAP Events .............................................................................................................................. 413

10.4.1 SAPPHIRE NOW ..................................................................................................... 413

10.4.2 SAP TechEd .............................................................................................................. 413

10.4.3 CodeJams and SAP Inside Track ....................................................................... 415

10.4.4 SAP HANA Operation Expert and Developer Summit .............................. 415

10.5 User Groups, Alliances, and More ................................................................................ 416

10.5.1 SAP User Groups ................................................................................................... 416

10.5.2 Customer Engagement Initiatives .................................................................. 417

10.5.3 SAP University Alliances and SAP HANA Database Campus .................. 417

10.5.4 HanaHaus and the Innovation Center Network ........................................ 418

10.5.5 SAPinsider Magazine and Conferences ......................................................... 418

10.6 Summary ................................................................................................................................. 419

The Author ............................................................................................................................................. 421

Index ........................................................................................................................................................ 423

Index

@OData.publish .................................................... 196

A

ABAP ................................................................ 158, 301

ABAP Managed Database Procedures (AMDP) ................................................................. 158

background ........................................................ 158

call SQLScript ..................................................... 158

Access point ............................................................ 249

Acclaim ..................................................................... 391

ACID compliance .................................................. 174

Active/active read-enabled .................................. 68

background ........................................................... 78

system replication ........................................... 373

ActiveRecord ........................................................... 195

ActiveX Data Objects (ADO) ............................. 194

Administration ......................................................... 95

additional responsibilities ............................ 129

application ......................................................... 129

application server ............................................ 141

backup and recovery ...................................... 124

performance monitoring .............................. 108

resource management ................................... 118

security ................................................................. 123

system ................................................................... 105

system configuration ..................................... 105

tools .......................................................................... 97

Administrator .................................................... 62, 96

Admission control ................................................ 122

ADO.NET ................................................................... 193

background ........................................................ 194

Advanced analytical processing ........................ 31

Advanced analytics .................................... 213, 214

tools ....................................................................... 215

Advanced datastore objects (ADSO) .............. 333

Aggregated health ................................................ 114

Aggregates ........................................................... 33, 54

Agility ........................................................................... 82

Alerts app ................................................................. 121

Alibaba Cloud .................................................. 85, 364

Amazon Web Services (AWS) .................... 85, 360

Analysis .................................................................... 213

Analytic modeling ................................................ 160

Analytical privileges ......................... 162, 265, 268

Analytical processing engine .............................. 36

Analytics .................................................................. 213

Analytics adapter .................................................. 199

Analyze Memory History app ......................... 120

AnyDB ....................................................................... 104

migration ............................................................ 365

SAP HANA Database Lifecycle Manager, background ........................................................... 73

Apache Spark .......................................................... 304

background ........................................................ 305

Appliance .......................................................... 37, 350

Application development .................................... 30

Application encryption service ...................... 277

Application function ....................................... 32, 35

Application Function Library (AFL) ............... 220

background ........................................................... 74

Application Function Modeler (AFM) .......... 216

background ........................................................... 75

Application lifecycle management ..... 103, 130, 139, 173

background ........................................................... 73

Application privilege ........................................... 266

Application server ..................................... 28, 30, 65

administration .................................................. 141

implementation .................................................. 58

user management .................................. 252, 254

Application services ............................................... 35

Architecture ............................................................... 30

application server ............................................... 65

data ....................................................................... 309

data center ......................................................... 337

data tiering ............................................................ 66

memory .................................................................. 62

overview ................................................................. 57

persistence ............................................................. 62

services .................................................................... 58

three-tier ................................................................. 65

Artifact ................................................... 152, 171, 312

Artificial intelligence (AI) ........... 32, 80, 219, 288

Assertion ticket ..................................................... 260

Associate certification ........................................ 390

Association algorithm ........................................ 221

Asynchronous replication ................................ 330

Attribute ................................................................... 162

Audit .......................................................................... 278

trails ...................................................................... 279

Audit policy ............................................................ 278

create .................................................................... 279

Auditing ................................................................... 278

best practices ..................................................... 279

Authentication ...................................................... 256

basic ...................................................................... 256

external ................................................................ 259

tile .......................................................................... 123

Authorization ........................................................ 261

additional privileges ....................................... 266

analytical privileges ....................................... 265

concept ................................................................. 262

object privileges ............................................... 264

predefined catalog roles ............................... 262

predefined users ............................................... 262

shared ................................................................... 265

system privileges .............................................. 263

trace ...................................................................... 267

troubleshooting ................................................ 266

users and roles .................................................. 261

Automated Predictive Library (APL) ............. 227

Automation Studio .............................................. 376

B

Background job ..................................................... 112

BACKINT SDK for SAP HANA .................... 74, 126

Backup ................................................... 124, 125, 370

automate ............................................................ 125

diagnostic tool .................................................. 127

encryption .......................................................... 275

replication .......................................................... 300

third-party tools ............................................... 128

Backup scheduler ................................................. 125

Benefits ........................................................................ 34

agility ...................................................................... 36

lower TCO ............................................................... 36

real results ............................................................. 38

reduce complexity .............................................. 35

run anywhere ....................................................... 36

Big data ............................................................... 33, 303

security ................................................................. 248

Blocked transaction ............................................. 110

Bring your own license (BYOL) ................... 37, 46

Buffer cache ............................................................. 322

Buildpack .................................................................. 166

Business continuity ............................................... 63

Business function ................................................... 35

Business Function Library (BFL) ...................... 220

Business logic processing .................................... 35

Business rule processing ...................................... 35

C

C_HANATEC_15 exam ........................................ 388

Calculation engine ................................................ 160

Calculation view .......................................... 160, 161

background ......................................................... 160

K-anonymity ...................................................... 270

search .................................................................... 239

Capabilities ................................................................ 30

advanced analytical processing ................... 31

application development ................................ 30

data management ............................................. 33

database management .................................... 33

Capture and replay ............................................... 115

comparison report ........................................... 116

Cascade Lake ............................................................. 34

Catalog browser ..................................................... 102

Catalog role .............................................................. 262

CCLScript .................................................................. 244

Certification ............................................................ 388

exams .................................................................... 390

Change and Transport System (CTS+) ........... 174

Characteristics .......................................................... 29

Classification algorithm ..................................... 221

Client .......................................................................... 375

install ..................................................................... 181

Client interface ....................................................... 181

Client zone ............................................................... 273

Client/server model ............................................... 65

Client-side encryption .......................................... 80

Cloud deployment .................................... 28, 37, 85

platform lifecycle management ................. 131

releases .................................................................... 47

Cloud Foundry ................... 68, 143, 166, 178, 180

containers ........................................................... 178

Cloud provider .......................................................... 85

Cloud-enablement .................................................. 76

Cloud-first approach ........................................ 44, 47

CloudHook .............................................................. 226

Cluster ......................................................... 63, 64, 316

Clustering algorithm ........................................... 220

Code pushdown ............................. 31, 55, 157, 158

CodeJam ................................................................... 415

Cold data ............................................................ 66, 325

Cold store ................................................................. 321

Collection ................................................................. 175

Columnar storage ............................................. 33, 55

history ...................................................................... 55

limitations .......................................................... 327

Command line ....................................................... 131

Command line installer ..................................... 137

Command line interface (CLI) ................ 103, 167

cf ............................................................................. 144

xs ................................................................... 140, 144

CommonCryptoLib .............................................. 181

background ........................................................... 75

encryption ........................................................... 274

Component .......................................................... 135

compileserver ........................................................... 60

Complex event processing (CEP) ............. 32, 243

computeserver .......................................................... 61

Conceptual data model (CDM) ........................ 312

Configuration ......................................................... 105

compare ............................................................... 107

templates ............................................................. 107

Configuration manager ..................................... 108

Connection adapter ............................................. 293

Container group .................................................... 144

Continuous Computation Language (CCL) ............................................................ 217, 244

Core Data and Services ............................. 170, 179

Core data services (CDS) ..................................... 169

background .......................................... 74, 81, 170

file extension ...................................................... 171

persistence data model .................................. 172

table definition ................................................. 170

Customer Center of Expertise (Customer COE) ................................................ 403

Customer Influence ............................................. 417

Customer story ......................................................... 39

find ............................................................................ 40

D

Daemon ....................................................................... 59

Data aging ................................................................... 66

administration .................................................. 129

Data anonymization .................................... 80, 270

Data architect ...................................... 309, 310, 339

Data architecture .................................................. 309

tools ....................................................................... 310

Data at rest .............................................................. 275

Data breach ............................................................. 247

Data center .............................................................. 344

administration .................................................. 129

Data center architect ........................................... 338

Data center architecture .................................... 337

tools ....................................................................... 339

Data controller ....................................................... 270

Data definition language (DDL) ............. 169, 264

Data distribution ........................................... 63, 326

Data Distribution Optimizer (DDO) ................ 66, 310, 332

Data federation ...................................................... 297

background ........................................................... 74

Data foundation .................................................... 150

Data governance ................................................... 287

Data integration ............................................. 33, 285

Data integration architect ................................. 286

Data lake ............................................................... 33, 66

Data Lifecycle Manager ......... 181, 310, 311, 319, 324, 333

Data management ........................................ 33, 287

tools ....................................................................... 292

Data manipulation language (DML) ............. 264

Data mart ................................................. 57, 252, 300

replication .......................................................... 302

Data masking .................................................. 79, 268

functions ............................................................. 269

implement .......................................................... 269

templates ............................................................ 269

Data modeling ....................................................... 148

Data orchestration ...................................... 287, 289

Data partitioning .................................................. 315

Data Pipelines app ............................................... 290

Data privacy ............................................................ 268

Data protection ..................................................... 268

Data provisioning ......................................... 33, 285

Data Provisioning Adapter ............................... 293

Data Provisioning Agent ................................... 293

Data replication ..................................................... 300

Data scientist ................................................. 213, 215

Data source ............................................................. 185

Data source name (DSN) .................................... 185

Data storage ............................................................... 62

Data stream ................................................................ 33

Data tiering ...................................... 33, 66, 315, 320

administration ................................................. 129

persistent memory .......................................... 353

Data virtualization .................................................. 33

Data volume snapshot ....................................... 126

Data warehouse ........................................................ 54

Database explorer ....................................... 102, 216

cloud ........................................................................ 88

graphs .................................................................. 234

security ................................................................ 281

trace files ............................................................. 117

Database history ...................................................... 52

hardware access times ..................................... 53

SanssouciDB ......................................................... 54

Database isolation ................................................ 347

Database management ......................................... 33

Database Migration Factory ............................. 368

Database Migration Option (DMO) ............... 366

Database object ..................................................... 264

Database user ......................................................... 261

restricted ............................................................. 263

system .................................................................. 262

Database-stored procedure ................................. 35

Datastore .................................................................... 30

DBA Cockpit ................................ 101, 104, 365, 378

DBSCAN .................................................................... 231

Delivery unit .......................................................... 174

Deployment ............................................................... 28

appliance ............................................... 37, 85, 350

best practices ........................................................ 48

business scenarios .............................................. 48

cloud ........................................................................ 85

data centers ........................................................ 344

decision factors ................................................... 48

distributed system ........................................... 344

licensing ................................................................. 46

multicloud ........................................................... 344

on-premise ............................................ 71, 85, 350

options ............................................................. 37, 84

TDI ................................................................... 37, 351

technical ............................................................... 345

Design-time container (DTC) .................. 144, 172

Developer ....................................................... 147, 148

Development .......................................................... 147

administration .................................................. 130

artifacts ................................................................ 171

client interfaces ................................................. 181

MTA ........................................................................ 149

native .................................................................... 163

tools ....................................................................... 150

web-based data access ................................... 195

Development perspective ................................. 142

Differential privacy .............................................. 270

Disaster recovery ........................................ 368, 369

features ................................................................. 370

diserver .............................................................. 61, 172

Distributed database ............................................ 316

Distributed system ................................................. 63

advantages ......................................................... 317

background .................................................. 64, 315

configure .............................................................. 318

deployment ......................................................... 344

nameserver ........................................................... 60

SAP HANA XS Advanced ................................ 319

scaling ................................................................... 315

system health ..................................................... 114

Docker ........................................................................ 203

docstore ............................................................. 61, 175

Document ...................................................... 174, 175

Documentation ..................................................... 405

dpserver ...................................................................... 61

Dynamic partition pruning .............................. 328

Dynamic random-access memory (DRAM) ................................................ 62, 321, 353

Dynamic tiering ....................................................... 66

Dynamic-link library (DLL) ................................ 184

E

E-Academy ............................................................... 384

Eclipse ........................................................................... 99

IDE .......................................................................... 150

Editions ........................................................................ 67

cloud ......................................................................... 68

express .............................................................. 67, 87

platform ........................................................... 67, 87

standard ................................................................. 69

Efficiency ..................................................................... 82

Encryption ..................................................... 249, 271

algorithm ............................................................ 276

background ........................................................ 271

backup .................................................................. 275

client-side ............................................................... 80

enable ................................................................... 276

network ................................................................ 272

network zones ................................................... 272

Enterprise data warehouse (EDW) ................. 310

build ...................................................................... 331

Enterprise information management (EIM) ............................................ 33, 286, 291, 292

Enterprise Semantic Services (ESS) ................ 296

Entity extraction ................................................... 241

EPM-MDS ................................................................. 198

esserver ........................................................................ 61

Event .......................................................................... 243

Event stream processing ............................ 32, 243

Event-driven architecture (EDA) .................... 243

Exact search ............................................................ 239

Execution agent .................................................... 167

Expensive statement trace ............................... 117

Expensive Statements app ............. 111, 117, 156

Extensibility .................................................. 177, 318

Extension node ............................................ 321, 322

configure ............................................................. 322

External Machine Learning Library (EML) ... 225

architecture ........................................................ 225

code snippets ..................................................... 226

Extract, transform, and load (ETL) ..... 33, 54, 295

Extraction ................................................................ 240

F

Fact extraction ....................................................... 241

Failback ..................................................................... 372

Fast restart option ................................................ 119

Fault resiliency ...................................................... 368

Fault tolerant .......................................................... 368

Feature Scope Description .................. 68, 70, 408

Federated database .............................................. 316

Fencing ..................................................................... 319

File system layout ................................................ 138

Flowgraph ............................................. 217, 293, 312

Forrester Wave ................................................... 41, 42

Function library ....................................................... 61

Fuzzy search .................................................. 239, 240

G

Geocoding ............................................................... 231

Geographic information system (GIS) ......... 228

Getting Started Guide .................................. 72, 406

GitHub ............................................ 77, 153, 207, 398

Go ................................................................................ 192

background ........................................................ 192

Go driver .................................................................. 192

Google BigQuery ................................................... 295

Google Cloud Platform (GCP) ................... 85, 362

SAP HANA guides ............................................ 363

Governance, risk, and compliance (GRC) .... 249

Graph algorithm ................................................... 233

Graph database ...................................................... 232

Graph engine .......................................................... 233

Graph processing ........................... 32, 83, 214, 232

background ........................................................... 78

Graph workspace viewer .......................... 216, 234

Graphical calculation view ............................... 161

GraphScript ............................................................. 233

Grid ............................................................................. 231

Guided Answers ................................. 118, 403, 409

topics .................................................................... 409

troubleshooting ................................................ 267

H

Hadoop ..................................................................... 245

background ................................................. 76, 304


integration ................................................ 305, 306

Hadoop distributed file system (HDFS) ......................................................... 304, 325

HanaHaus ................................................................ 418

Hardware configuration check ....................... 351

Hash partitioning ................................................. 328

Hasso Plattner ................................................ 56, 391

Hasso Plattner Institute (HPI) .................. 54, 391

HDB command ......................................................... 97

hdbalm ................................................... 103, 140, 174

hdbbackupcheck .......................................... 127, 128

hdbdaemon ............................................................ 369

hdblcm ... 103, 131, 139, 181, 310, 311, 319, 324

background ........................................................... 73

hdbsql ................................................................. 99, 182

hdbuserstore .......................................... 99, 182, 186

HDI container ............................................... 144, 172

create .................................................................... 172

HERE .......................................................................... 230

Hexagon ................................................................... 231

High availability ........................................... 317, 368

elements .............................................................. 369

Hint ............................................................................ 156

Hive ............................................................................ 305

Horizontal aggregation ...................................... 236

Horizontal scalability ......................................... 314

Host auto-failover ......................... 60, 74, 318, 369

Hot data ....................................................................... 66

Hot store .................................................................. 320

HTTP .......................................................................... 149

Huawei ...................................................................... 364

Hybrid database ....................................................... 33

Hybrid deployment ............................... 37, 48, 344

Hybrid operational/analytical processing (HOAP) ............................................. 42

Hybrid transaction/analytical processing (HTAP) .................................... 41, 160

Hype cycle ........................................................ 41, 219

Hyper-converged infrastructure (HCI) ........... 82

Hyperscaler ................................................................ 85

I

IBM ............................................................................. 355

IBM Cloud ................................................................ 364

IBM Power Systems .............................................. 355

background ........................................................... 77

IBM System R ............................................................ 52

Implementation ...................................................... 57

application server .............................................. 58

data mart ............................................................... 58

greenfield ............................................................. 341

native development ........................................... 58

overview ............................................................... 340

partners ................................................................ 342

scenarios ................................................................ 57

sidecar ..................................................................... 73

sizing ..................................................................... 340

user management ............................................ 252

Incident ..................................................................... 409

In-database processing ......................................... 31

Index ..................................................................... 53, 55

full-text ................................................................. 239

search .................................................................... 238

indexserver ......................................................... 60, 61

background ........................................................... 60

Industry analyst ....................................................... 41

Information Access (InA) ......................... 195, 198

expose ................................................................... 199

Information view .................................................. 160

Infrastructure-as-a-service (IaaS) ............... 37, 86

providers .............................................................. 360

INI file ......................................................................... 105

In-memory database ............................... 31, 35, 54

concepts ................................................................. 52

Innovations ............................................................... 43

Installation ..................................................... 135, 201

Integrated business environment (IDE) ...... 150

Integration ............................................................... 285

flows ....................................................................... 287

Hadoop ....................................................... 305, 306

tools ....................................................................... 287

Integration services ................................................ 28

Intel Optane ...................................................... 62, 353

capacity ................................................................ 353

Intel Xeon Platinum 8280 processor ............... 34

Intelligence ................................................................ 82

Intelligent enterprise ...................................... 35, 80

International Data Corporation (IDC) ............. 42


Internet of Things (IoT) ............................... 32, 291

security ................................................................. 248

Invisible takeover .......................................... 81, 372

J

Java ............................................................................. 149

background ........................................................ 163

Java Archive (JAR) file .......................................... 183

Java Database Connectivity (JDBC) ......... 99, 183

background ................................................. 80, 184

JavaScript ................................................................. 149

background ........................................................ 163

JavaScript Object Notation (JSON) ................. 175

JSON document store .......................................... 174

background ........................................................... 79

SQL ......................................................................... 176

JSON web tokens (JWT) ....................................... 260

Jupyter notebook .................................................. 189

K

K-anonymity .......................................................... 270

Kerberos ................................................................... 259

background ........................................................ 260

Kernel profiler ........................................................ 117

Key performance indicator (KPI) .................... 108

K-means .................................................................... 231

K-nearest neighbors (KNN) ............................... 242

Knowledge base articles ..................................... 408

Kubernetes .............................................................. 304

L

Landscape management .................................... 374

Learning journey .................................................. 382

SAP HANA ........................................................... 382

Licensing .............................................................. 46, 68

enterprise ............................................................... 68

runtime ................................................................... 68

standard ................................................................. 68

Lightweight Directory Access Protocol (LDAP) ................................................................... 268

authentication .................................................. 155

background ........................................................... 79

Linguistic search ................................................... 239

Linked database ..................................................... 297

Linux .......................................................... 98, 132, 356

command line ...................................................... 97

Live intelligence ....................................................... 44

Log replication task ............................................. 371

Logon ticket ............................................................ 260

M

Machine learning ................ 32, 80, 214, 218, 288

SAP Support ....................................................... 402

Maintenance ...................................................... 46, 47

cycles ........................................................................ 47

releases .................................................................... 47

MarketScapes ............................................................ 42

Massive online open courseware (MOOCs) .............................................................. 382

Master data table .................................................. 330

Matrix ........................................................................ 225

Measure .................................................................... 162

Memory access ......................................................... 53

Memory management .......................................... 96

Memory Usage app .............................................. 119

Microsoft Azure .............................................. 85, 362

Microsoft Excel ...................................................... 187

Middle tier .................................................................. 30

Migration ................................................................. 364

AnyDB to SAP HANA ...................................... 365

custom applications ....................................... 367

SUM DMO ........................................................... 366

third-party applications ................................ 368

Miscellaneous algorithm ................................... 222

Modeling perspective ......................................... 150

Monitor Landscape dashboard ....................... 114

Monitor Performance app ................................ 120

Monitor Statements app ................................... 110

Monitoring

performance ...................................................... 108

proactive ............................................................. 122

Mount point ........................................................... 138

Multicloud environment .................................. 344

Multicontainer database (MDC) system ........ 60

Multidimensional database ............................. 187

Multidimensional expressions (MDX) .......................................................... 160, 201

Multidimensional services (MDS) ................. 198


Multinode system ................................................... 64

Multiple components in one database (MCOD) ................................................................ 345

Multiple components in one system (MCOS) ................................................................. 345

Multistore table ..................................................... 323

Multitarget application (MTA) ............... 103, 149

Multitarget system replication .......................... 81

Multitenant database container (MDC)

background ........................................................... 76

Multitier environment ....................................... 372

N

nameserver ................................................................ 60

Native application ................................................ 149

Native datastore object (NDSO) ...................... 333

flowgraphs .......................................................... 333

Native development .................................... 58, 170

Native SAP HANA transport ............................. 174

Natural language processing (NLP) ...... 238, 241

Near-zero downtime maintenance (nZDM) ................................................................. 371

Neo ............................................ 68, 88, 178, 180, 347

Network .................................................................... 374

Network address translation (NAT) ............... 273

Network administration ........................... 374, 375

web-based access ............................................. 375

Network attached storage (NAS) ........... 273, 350

Network encryption ............................................ 248

Network zone ......................................................... 272

client ..................................................................... 375

scale-out .............................................................. 319

security ................................................................ 273

ngdbc.jar .................................................................. 183

Node .............................................................................. 32

Node.js ...................................................................... 190

background ........................................................ 191

client ..................................................................... 191

Non-volatile memory (NVM) .............................. 62

Non-volatile random-access memory (NVRAM) .................................................... 321, 353

NoSQL

database .............................................................. 174

diagrams ............................................................. 312

O

Object privilege ...................................................... 264

OData ......................................................................... 196

background ......................................................... 196

consume ............................................................... 196

define metadata service ................................ 197

libraries ................................................................. 196

services ................................................................. 195

OLE DB for OLAP (ODBO) ................................... 187

background ......................................................... 188

Online analytical processing (OLAP) ............... 28

Online transactional processing (OLTP) ........ 28

On-premise deployment ...................................... 28

Open Database Connectivity (ODBC) ............ 184

background .................................................. 80, 186

configure .................................................... 185, 186

define data sources .......................................... 185

driver manager .................................................. 185

Open SQL .................................................................. 158

openCypher ............................................................. 234

openHPI .................................................................... 391

openSAP .......................................................... 382, 392

courses ........................................................ 387, 393

digital badge ...................................................... 396

introduction to SAP HANA ............................. 56

Operating system platforms ............................ 356

Optimization ........................................................... 108

Options ........................................................................ 68

add-on products .................................................. 70

P

Package ...................................................................... 174

Parallelized ............................................................... 327

Partition .................................................................... 326

pruning ................................................................. 328

Password ................................................................... 257

blacklist ................................................................ 258

lifetime .................................................................. 258

Password policy ..................................................... 257

failed logon ......................................................... 258

length and composition ................................ 258

lifetime .................................................................. 258

user lock ............................................................... 258

Persistence ................................................................. 62


Persistent memory .................... 62, 119, 321, 353

background ........................................................ 353

implement ........................................................... 354

syntax example ................................................ 354

Persistent staging areas (PSA) .......................... 333

Personal security environment (PSE) ........... 274

Plan Visualizer ....................................................... 156

Planned downtime ............................................... 371

Platform lifecycle management ............. 97, 103, 130, 131

install .................................................................... 135

interfaces ............................................................. 131

SAP HANA XS Advanced ............................... 141

Platform-as-a-service (PaaS) ...................... 86, 177

Plugin ........................................................................ 150

Powered by SAP HANA ................................... 58, 73

PowerShell .................................................................. 97

Predictive algorithms ............................................ 32

Predictive Analysis Library (PAL) .............. 32, 83, 216, 220

algorithms .......................................................... 220

Predictive analytics ............................. 32, 214, 218

background ........................................................ 219

Preprocessing algorithm ................................... 221

Preprocessor .............................................................. 61

Pricing ....................................................................... 318

Principle of least privilege (PoLP) ......... 123, 262

Private cloud ....................................................... 85, 87

Privileges .................................................................. 261

additional ............................................................ 266

analytic ................................................................... 81

analytical .................................................. 265, 268

grant ...................................................................... 266

manage ................................................................ 263

object .................................................................... 264

select ...................................................................... 264

system ................................................................... 263

Process map ............................................................ 313

Product Availability Matrix (PAM) ......... 47, 133

Product installer .................................................... 140

Professional certification .................................. 390

Provisioning ........................................................... 285

Public cloud ......................................................... 85, 87

providers .............................................................. 364

Public key infrastructure (PKI) ........................ 274

Publish-subscribe model ................................... 303

PuTTY ........................................................................... 97

Python ....................................................................... 188

background ........................................................ 190

install .................................................................... 189

PITR ....................................................................... 127

uses ........................................................................ 190

Q

Query optimizer .................................................... 329

Quick Sizer ............................................................... 341

R

R

background ........................................................ 223

integration ................................................ 222, 223

server .................................................................... 222

Range partitioning ............................................... 328

Rapid Development Environment (RDE) ....... 76

Real-time analytics ................................................. 35

Recommender systems ..................................... 221

recoverSys.py ......................................................... 127

Recovery .......................................................... 124, 126

considerations .................................................. 126

example ............................................................... 127

Recovery period objective (RPO) .................... 369

Recovery time objective (RTO) ............... 300, 369

Red Hat ..................................................................... 358

background ........................................................ 360

Red Hat Enterprise Linux (RHEL) ............ 98, 358

background ........................................................... 75

software components .................................... 359

Redo log encryption ............................................ 275

Regression algorithm ......................................... 221

Relational database management system (RDBMS) ............................... 52, 154, 232

Release theme ........................................................... 51

Releases ....................................................................... 71

Remote data source ............................................. 297

Remote data synchronization ................ 298, 316

client ..................................................................... 299

Replication .............................................................. 300

bidirectional ....................................................... 303

network administration ................................ 375

system ..................................................................... 34


table ...................................................................... 330

technologies .......................................................... 33

types ...................................................................... 331

Repository ............................................ 142, 152, 171

Representational State Transfer (REST) ....... 196

Resource management ...................................... 118

Restricted user .............................................. 254, 263

RISC architecture .................................................. 355

River Definition Language (RDL) ....................... 76

RLANG ....................................................................... 223

Roadmap ..................................................................... 43

sections ................................................................... 43

themes ..................................................................... 44

Role ............................................................................ 261

public .................................................................... 263

support ................................................................. 263

Round-robin partitioning ................................. 328

Row storage ............................................................... 55

Ruby ........................................................................... 194

background ........................................................ 195

Ruby on Rails .......................................................... 194

RubyGems ............................................................... 194

Runtime container (RTC) .......................... 144, 172

S

SanssouciDB ............................................. 54, 55, 391

SAP ActiveEmbedded .......................................... 400

SAP Adaptive Server Enterprise (SAP ASE) .... 57

SAP Advanced SQL Migration ......................... 367

data sources ....................................................... 367

SAP Agile Data Preparation ..................... 292, 296

interface .............................................................. 297

SAP Application Performance Standard (SAPS) .................................................................... 342

SAP Business Warehouse (SAP BW) ...... 322, 333

SAP BW/4HANA ............................................. 55, 322

SAP certification ................................................... 388

SAP Certified Solutions Directory .................. 128

SAP Cloud Appliance Library ........... 91, 202, 334

Azure ..................................................................... 362

solutions ................................................................. 92

SAP Cloud Application Programming Model ........................................................... 170, 179

SAP Cloud Platform .............................................. 177

background ........................................................... 88

development ....................................................... 149

integration ............................................................ 65

use cases ............................................................... 177

SAP Cloud Platform Big Data Services ........... 79, 288, 291

background ......................................................... 291

SAP Cloud Platform cockpit ................ 88, 90, 346

SAP Cloud Platform, SAP HANA service ................... 47, 68, 71, 88, 149, 180, 346

Azure ..................................................................... 362

develop apps ....................................................... 180

platform lifecycle management ................. 131

releases ................................................................... 44

SAP Community .................................................... 411

SAP CoPilot .............................................................. 402

SAP corporate fact sheet ....................................... 38

SAP Data Hub ...................................... 287, 288, 325

advantages ......................................................... 326

background ........................................................... 77

capabilities .......................................................... 289

cold data tiering ............................................... 325

launchpad ........................................................... 289

SAP Data Intelligence .......................................... 288

SAP Data Services .............................. 237, 292, 295

background ......................................................... 296

designer ................................................................ 295

SAP DB Control Center ................................. 76, 101

SAP Developer Center ......................................... 399

tutorials ................................................................ 399

SAP Digital Business Services ................ 342, 351, 400, 401

SAP Download Manager ..................................... 204

SAP Early Adopter Care ......................................... 72

SAP EarlyWatch Alert ........................................... 122

SAP Education .............................................. 381, 382

certifications ...................................................... 388

courses .................................................................. 385

SAP HANA ............................................................ 387

SAP Enterprise Architecture Designer ........................ 288, 291, 310, 311, 339

background .................................................. 79, 314

diagrams .............................................................. 312

homepage ............................................................ 312

reverse engineer ................................................ 313


SAP Event Stream Processor ............................ 243

background ........................................................... 75

SAP HANA 1.0 ............................................................ 72

SPS 03 ....................................................................... 72

SPS 04 ...................................................................... 73

SPS 05 ....................................................................... 73

SPS 06 ...................................................................... 74

SPS 07 ....................................................................... 75

SPS 08 ...................................................................... 75

SPS 09 ...................................................................... 76

SPS 10 ....................................................................... 77

SPS 11 ........................................................................ 77

SPS 12 ........................................................................ 78

SAP HANA 2.0 ............................................................ 78

develop apps ...................................................... 180

native development ........................................ 164

PAM ....................................................................... 133

SAP HANA cockpit ........................................... 101

SPS 01 ....................................................................... 79

SPS 02 ....................................................................... 80

SPS 03 ....................................................................... 80

SPS 04 ...................................................................... 81

SAP HANA Academy ............................................ 396

GitHub repositories ......................................... 398

YouTube playlists ............................................. 397

SAP HANA Accelerator for SAP ASE .................. 57

SAP HANA Administration Guide ........... 72, 406

SAP HANA application lifecycle management ........................ 103, 139, 140, 173

SAP HANA client ................................................... 149

SAP HANA Cloud Services ................... 37, 45, 288

SAP HANA clusters .................................................. 64

SAP HANA cockpit ......................................... 97, 101

alerts ..................................................................... 121

anonymization views ..................................... 270

auditing ............................................................... 279

authentication .................................................. 123

background ............................................ 76, 77, 79

backup scheduler ............................................. 126

backups ................................................................ 125

cloud ......................................................................... 88

data architecture ............................................. 311

editions .................................................................... 68

encryption ........................................................... 276

home ..................................................................... 115

manage keys ...................................................... 277


manage landscape .......................................... 107

memory analysis .............................................. 120

memory resource management ................ 119

offline administration ................................... 101

privileges .................................................... 263, 264

replay monitor .................................................. 116

replication .......................................................... 302

security .............................................. 124, 249, 281

streaming analytics ........................................ 245

system configuration ..................................... 106

system overview ............................................... 108

system replication ........................................... 371

table redistribution ......................................... 329

trace files ............................................................. 117

updates ................................................................ 102

user groups ......................................................... 256

user management ........................................... 254

workload analysis ........................................... 112

SAP HANA Data Management Suite ............. 287

SAP HANA data warehousing foundation ................................................ 310, 331

trial version ........................................................ 334

SAP HANA database interactive terminal ..... 99

SAP HANA Deployment Infrastructure (HDI) ...................................................................... 171

administration .................................................. 144

application lifecycle management ........... 174

CDS ........................................................................ 171

diserver ................................................................... 61

versus repository .............................................. 172

SAP HANA dynamic tiering ....................... 66, 323

architecture ........................................................ 323

background ................................................. 76, 324

esserver ................................................................... 61

history ..................................................................... 55

SAP HANA Enterprise Cloud ............................... 87

background ........................................................... 88

SAP HANA Finder .................................................... 39

SAP HANA hardware directory ................... 36, 77

SAP HANA Interactive Education (SHINE) ................................................................. 206

background ........................................................... 75

dashboard .................................................. 208, 209

deployment options ........................................ 207

getting started .................................................. 208


SAP HANA interactive terminal ..................... 182

SAP HANA Lifecycle Management ............... 130, 281, 318

SAP HANA Master Guide ...................................... 27

SAP HANA native storage extension ..... 66, 321

SAP HANA One ............................................... 86, 360

SAP HANA Operation Expert and Developer Summit .......................................... 415

SAP HANA platform lifecycle management tool ............................................ 103

SAP HANA runtime tools .................................. 102

SAP HANA Security Checklists and Recommendations .......................................... 263

SAP HANA service broker .................................. 180

SAP HANA smart data access (SDA) ...... 33, 277, 297, 316

background .................................................... 74, 77

data source ......................................................... 297

SAP HANA smart data integration (SDI) ................................................................ 33, 292

background ........................................................... 76

connection adapters ....................................... 293

dpserver .................................................................. 61

SAP HANA smart data quality (SDQ) ........... 231, 292, 294

background ........................................................... 76

SAP HANA spatial services ....................... 228, 231

background ........................................................... 75

SAP HANA streaming analytics .............. 32, 214, 217, 243

architecture ........................................................ 244

background ................................................. 76, 243

streaming server ................................................. 61

studio .................................................................... 245

SAP HANA studio .......................................... 99, 150

data architecture ............................................. 311

deprecation ............................................... 100, 151

install .................................................................... 100

modeler perspective ........................................ 151

privileges ............................................................. 265

replication .......................................................... 302

security ................................................................ 250

system configuration ..................................... 106

trace files ............................................................. 117

SAP HANA transport for ABAP (HTA) ........... 174

SAP HANA Web-Based Development Workbench ................................................ 152, 164

background ........................................................... 74

SAP HANA XS ............................................ 28, 65, 164

administration .................................................. 104

artifacts ................................................................ 164

background ........................................... 74, 80, 165

CLI ........................................................................... 144

deprecation ......................................................... 164

encryption ........................................................... 277

network administration ................................ 375

packages .............................................................. 174

privileges .............................................................. 266

runtime roles ...................................................... 165

security ................................................................. 281

user management ............................................ 253

SAP HANA XS Admin tool ....................... 142, 164

SAP HANA XS Advanced ............. 65, 77, 163, 165

administration ........................................ 102, 104

application lifecycle management ... 139, 174

background .................................................. 80, 166

CLI ........................................................................... 167

Cloud Foundry ................................................... 179

configure .............................................................. 168

diserver ................................................................... 61

encryption ........................................................... 277

install ..................................................................... 137

network administration ................................ 375

platform lifecycle management ................. 141

roles ........................................................................ 165

routing .................................................................. 167

runtime engines ................................................ 166

runtime versions ............................................... 166

scale-out ............................................................... 319

security ................................................................. 281

user management ............................................ 253

SAP HANA XS Advanced Admin tool ............ 104

SAP HANA XS Advanced cockpit ........... 104, 143

advantages ......................................................... 168

SAP HANA XS Advanced Migration Guide ..................................................................... 208

SAP HANA, enterprise edition ........................... 46

SAP HANA, express edition .................. 46, 67, 87, 102, 201

background ........................................................... 78

cloud ...................................................................... 202


deployment options ........................................ 202

Docker ................................................................... 203

download manager ......................................... 205

GCP ........................................................................ 203

getting started ................................................... 204

install .................................................................... 202

master password .............................................. 205

server-only .......................................................... 202

virtual machine ................................................ 202

SAP HANA, platform edition ............................... 67

SAP HANA, runtime edition ................................ 47

SAP HANA, standard edition ............................... 46

SAP Help Portal ............................................ 405, 407

administration .................................................. 406

development ...................................................... 406

Feature Scope Description ............................ 408

installation and upgrade .............................. 405

reference .............................................................. 406

security ................................................................. 406

what's new .......................................................... 405

SAP Information Lifecycle Management .... 292

SAP Information Steward .................................. 292

SAP Innovation Center Network .......... 417, 418

SAP Inside Track .................................................... 415

SAP Landscape Management ......... 79, 105, 339, 371, 374, 376

dashboard ........................................................... 377

SAP Landscape Transformation Replication Server ........................... 33, 300, 331

background ........................................................ 300

configure ............................................................. 301

SAP Learning Hub ................................................. 384

SAP Master Data Governance (SAP MDG) .... 292

SAP MaxDB ................................................................. 56

SAP NetWeaver ......................................................... 58

distributed system .............................................. 64

SAP News Center ...................................................... 82

SAP Note ................................................................... 405

SAP ONE Support Launchpad ................ 401, 408

expert chat .......................................................... 402

SAP Partner Finder ............................................... 342

SAP PartnerEdge portal ...................................... 342

SAP PowerDesigner .............................................. 314

SAP Predictive Analytics .................................... 227

background ........................................................ 227

SAP Replication Server ................................ 33, 302

background ........................................................ 303

SAP S/4HANA .................................................. 55, 366

SAP Solution Manager ... 105, 174, 339, 374, 378

background ........................................................... 77

SAP SQL Anywhere ............................................... 298

background ........................................................ 298

SAP Streaming Analytics ................................... 243

SAP Support ................................................... 400, 401

SAP Support Portal ............................................... 403

product support ............................................... 403

SAP TechEd .............................................................. 413

SAP University Alliances ................................... 417

SAP User Experience Community ................. 417

SAP user groups .................................................... 416

SAP Vora .......................................................... 289, 304

background ........................................................... 77

SAP Web Dispatcher ................................... 142, 165

SAP Web IDE ........................................................... 152

background .................................................... 76, 78

CDS ........................................................................ 171

data architecture ............................................. 311

editions ................................................................... 68

features ................................................................ 152

full-stack .............................................................. 179

SHINE .................................................................... 207

SAP Web IDE for SAP HANA .................... 102, 152

analytics .............................................................. 217

calculation view ............................................... 161

enable features ................................................. 218

features ................................................................ 153

integration ......................................................... 287

privileges ............................................................. 265

streaming analytics ........................................ 245

SAPinsider ............................................................... 418

SAPPHIRE NOW .............................................. 38, 413

keynote ................................................................... 38

roadmap ................................................................. 43

SAPUI5 ............................................................... 74, 149

Scale-out ................................................... 63, 314, 344

administration .................................................. 129

advantages ......................................................... 317

configure ............................................................. 318

Scale-up .................................................................... 314

advantages ......................................................... 316

persistent memory .......................................... 354


Scaling .............................................................. 309, 314

persistent memory .......................................... 353

scriptserver ................................................................ 61

Search ............................................................... 237, 238

functions ............................................................. 239

types ...................................................................... 239

Secondary time travel ................................. 81, 372

Secure Shell (SSH) .................................................... 97

Secure Sockets Layer (SSL) ................................ 271

Security .............................................................. 83, 247

administration ................................................. 123

auditing ............................................................... 278

considerations .................................................. 281

data privacy ....................................................... 268

SAP HANA XS ..................................................... 281

SAP HANA XS Advanced ............................... 281

tools ...................................................................... 249

user management ........................................... 251

Security architect .............................. 247, 248, 282

Security Assertion Markup Language (SAML)

background ........................................................ 260

Security Checklists and Recommendations Guide ............................ 406

Security group ....................................................... 250

Security Guide ....................................................... 406

Segmentation ........................................................ 240

SELECT * ....................................................................... 30

Semantics ................................................................ 150

Series data ...................................................... 214, 235

aggregate ............................................................ 236

scenarios ............................................................. 235

table syntax ....................................................... 216

Series data function ............................................. 156

Server-side JavaScript (XSJS) ............................ 163

Service auto-restart ............................................. 369

Service-level agreement (SLA)

recovery ............................................................... 127

Session ...................................................................... 110

Sessions app ........................................................... 110

Shared business authorizations ..................... 265

Single data copy ....................................................... 35

Single database system ...................................... 345

Single points-of-failure (SPOFs) ...................... 368

Single sign-on ........................................................ 249

Single-container database ................................... 60

Single-host system ............................................... 344

Sizing .......................................................................... 340

Social network analysis ...................................... 221

Software Download Center ............................... 134

background ......................................................... 135

Software downloads ............................................. 410

Software Update Manager (SUM) ................... 366

Solid-state drive (SSD) ......................................... 119

Solution brief ............................................................ 45

Spark Controller ........................................... 305, 325

background ........................................................... 79

Spatial clustering ................................................... 231

Spatial data .............................................................. 228

manipulate ......................................................... 229

methods ............................................................... 230

types ...................................................................... 229

Spatial engine ........................................................... 31

Spatial processing ................................ 83, 214, 228

SpiderMonkey ........................................................ 165

SQL Analyzer ................................................. 113, 156

SQL console ............................................ 99, 176, 311

SQL Database Connectivity (SQLDBC) .................................................... 182, 183

background .................................................. 84, 183

library .................................................................... 183

SQL parser ................................................................ 156

SQL plan cache ........................................................ 111

SQL prompt ......................................... 102, 216, 311

SQL statement

issues ..................................................................... 113

top .......................................................................... 112

SQL trace ................................................................... 117

SQL Trace Analyzer ............................................... 156

SQLScript ................................................. 35, 154, 156

AMDP .................................................................... 158

best practices ..................................................... 157

graph ..................................................................... 233

reference ................................................................. 83

SQLScript debugger .............................................. 157

SSFS ................................................................... 274, 275

Standard analytics .................................................. 36

Standby configuration ........................................ 318

Static partition pruning ...................................... 328

Statistical disclosure control ............................ 270

Statistics algorithm .............................................. 221

statisticsserver ......................................................... 61

Stemming ....................................................... 238, 240


Storage area network (SAN) .................... 273, 350

Storage encryption ............................................... 248

Storage replication ..................................... 331, 370

Stream processing ................................................ 243

Streaming server ................................................... 243

streamingserver ....................................................... 61

Structured data ...................................................... 237

Structured Query Language (SQL) .... 28, 98, 154

background ........................................................ 154

data architecture ............................................. 311

document store ................................................. 176

dynamic ............................................................... 157

functions .............................................................. 156

interface ............................................................... 155

performance ....................................................... 156

privileges ............................................................. 162

statements ................................................ 155, 215

views ...................................................................... 155

Subject matter expert exam ............................. 390

Super user account ............................................... 123

Supervisor ................................................................ 349

Support ..................................................................... 381

support pack (SP) .................................................. 135

Support package stack (SPS) ............... 48, 71, 135

background ........................................................... 71

SUSE ........................................................................... 357

advantages ......................................................... 358

background ........................................................ 358

SUSE Linux Enterprise Server (SLES) ...... 98, 357

Sybase IQ .............................................................. 55, 66

Synchronous in memory .................................. 371

Synchronous on disk ........................................... 371

Synchronous replication ................................... 330

System Health app ............................................... 114

System identifier (SID) ........................................... 59

System management ............................................. 82

System privilege .................................................... 263

System properties ................................................ 105

System replication ..................... 83, 331, 370, 371

active/active read-enabled .......................... 373

background ........................................................... 74

configure ............................................................. 371

multitarget ......................................................... 373

multitier ............................................................... 372

T

Table partitioning .............................. 315, 326, 327

syntax example ................................................ 328

Table placement .................................................... 329

syntax example ................................................ 330

Table redistribution ............................................. 329

Table replication .......................................... 330, 331

syntax example ................................................ 331

Tagging ..................................................................... 240

Tailored data center integration (TDI) ........... 37, 85, 351

advantages ......................................................... 351

background ........................................................... 74

Takeover ................................................................... 372

Technical database ............................................... 254

Technical deployment ........................................ 345

types ...................................................................... 346

Technical user ........................................................ 254

Technologies ............................................................. 51

hardware ............................................................. 352

Tenant database .................................... 60, 346, 347

document store ................................................. 175

isolation ............................................................... 274

Tensor ....................................................................... 225

TensorFlow ................................................................. 32

integrate ....................................................... 80, 225

TensorFlow ModelServer ................................... 225

Text analytics ...................................... 214, 237, 240

background ........................................................ 238

configurations .................................................. 240

Text mining ............................................................ 242

functions ............................................................. 242

Text Retrieval and Information Extraction (TREX) engine .................. 55, 60, 64

Thread ....................................................................... 109

Threads app ............................................................. 109

Three-tier data model .................. 30, 65, 156, 252

Time series .............................................................. 214

algorithms .......................................................... 221

Token ......................................................................... 240

Tokenization .......................................................... 240

Total cost of ownership (TCO) ............................ 36

Trace files ................................................................. 156

Tracing ...................................................................... 117


Training .................................................................... 381

classroom ............................................................ 384

courses ................................................................. 385

e-learning ............................................................ 384

Translytical database ................................... 42, 160

Transport Layer Security (TLS) ............... 224, 271

Tutorial ..................................................................... 399

U

UltraLite database ................................................ 299

Unified installer ....................................................... 73

Unplanned downtime ........................................ 371

Unstructured data ................................................ 237

Update .............................................................. 135, 138

Use case ....................................................................... 39

map tool ................................................................. 40

User Account and Authentication (UAA) ... 166

User group ...................................................... 254, 256

User lock ................................................................... 258

User management ............................................... 251

implementation ............................................... 252

User type .................................................................. 254

Users table ............................................................... 257

V

Vector ........................................................................ 225

Vertical aggregation ............................................ 236

Vertical scalability ................................................ 314

Very large database (VLDB) .............................. 119

Virtual machine .................................................... 202

Virtual private networks (VPN) ....................... 273

Virtual table ............................................................ 298

Virtualization ................................................ 346, 348

background ......................................................... 349

Vishal Sikka ................................................ 56, 70, 393

VMware ..................................................................... 349

background ........................................................... 77

W

Warehouse architect ............................................ 332

Warm data .................................................................. 66

store ....................................................................... 320

Web interface .......................................................... 132

Web-based data access ........................................ 195

WhatsApp Product Support .............................. 403

Wire protocol .......................................................... 325

Workload Analyzer tool ...................................... 111

Workload management ............................... 96, 122

Wrapper .......................................................... 103, 215

EML ........................................................................ 227

X

X.509 client certificate ........................................ 261

XML for Analysis (XMLA) ......................... 160, 200

background ......................................................... 200

POST request ...................................................... 200

XMLA .......................................................................... 195

xscontroller ............................................................. 166

xsengine ..................................................... 61, 73, 164

xsexecagent ............................................................. 167

xsuaaserver ............................................................. 166

X-Windows ............................................................... 131

Y

YouTube playlists .................................................. 397


We hope you have enjoyed this reading sample. You may recommend or pass it on to others, but only in its entirety, including all pages. This reading sample and all its parts are protected by copyright law. All usage and exploitation rights are reserved by the author and the publisher.

Denys van Kempen is a marketing professional and SAP HANA product expert who has been working with SAP in-memory technologies since 2010. He has created 100s of tutorial videos for the SAP HANA Academy on YouTube and is a frequent contributor to the SAP Community. With his colleagues from the SAP HANA Academy, Denys also teaches Academy Live! at SAP TechEd and partner events. Previously, his team pioneered Sports Analytics at SAP under the banner of Experience SAP.

Denys van Kempen

SAP HANA 2.0: An Introduction, 440 pages, 2019, $79.95, ISBN 978-1-4932-1838-7

www.sap-press.com/4884