Friday, 27 May 2022

Do you know what trace levels are possible for the HANA database trace?

The higher the trace level, the more detailed the information recorded by the trace. The following trace levels exist:

NONE (0)

FATAL (1)

ERROR (2)

WARNING (3)

INFO (4)

DEBUG (5)


To set the trace level, use an ALTER SYSTEM ALTER CONFIGURATION statement. For example, the following statement sets the trace level of the authentication component to DEBUG:


ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') SET ('trace', 'authentication') = 'DEBUG' WITH RECONFIGURE


Thanks 

Rupesh Chavan

Note: For more information about which trace component to use for which situation, see SAP Note 2380176.
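The same change as a complete check-set-verify-revert sequence, added here as an example and not part of the original post. It assumes the monitoring view M_INIFILE_CONTENTS exposes FILE_NAME, LAYER_NAME, HOST, SECTION, KEY and VALUE; the UNSET step removes the SYSTEM-layer override so the component falls back to its default once the trace files have been collected.

```sql
-- Added example, not from the original post. Assumes M_INIFILE_CONTENTS exposes
-- FILE_NAME, LAYER_NAME, HOST, SECTION, KEY and VALUE.

-- 1. Record what is configured in the trace section before changing anything.
SELECT FILE_NAME, LAYER_NAME, HOST, SECTION, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'indexserver.ini'
   AND SECTION   = 'trace';

-- 2. Raise the authentication component to DEBUG for the duration of the analysis.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('trace', 'authentication') = 'DEBUG' WITH RECONFIGURE;

-- 3. Confirm that the SYSTEM layer now carries the override.
SELECT LAYER_NAME, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'indexserver.ini'
   AND SECTION   = 'trace'
   AND KEY       = 'authentication';

-- 4. Remove the override once the trace files have been collected. DEBUG output
--    for authentication is verbose and fills the trace directory quickly.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  UNSET ('trace', 'authentication') WITH RECONFIGURE;
```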

What happens when the allocation limit is reached?

Memory is a fixed resource. Once the allocation limit has been reached, that is, the process has used all of its allocated memory and the pool is exhausted, the memory manager only allocates memory for internal operations after first giving up something else. Buffers and caches are released, and column store tables are unloaded, column by column, in least-recently-used order, down to a preset lower limit. When tables are partitioned over several hosts, this is managed on a host-by-host basis; that is, column partitions are unloaded only on hosts with an acute memory shortage.

Avoid table (column or partition) unloading since it leads to performance degradation later when the table is queried and the data has to be reloaded. You can identify pool exhaustion by examining the M_CS_UNLOADS system view.

However, it’s still possible that the memory manager needs more memory than is available leading to an out-of-memory failure. This may happen, for example, when too many concurrent transactions use up all memory, or when a complex query performs a cross join on large tables and creates a huge intermediate result that exceeds the available memory.
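Two monitoring queries that turn the description above into a check, added here as an example and not part of the original post. They assume M_SERVICE_MEMORY exposes EFFECTIVE_ALLOCATION_LIMIT and TOTAL_MEMORY_USED_SIZE, and that M_CS_UNLOADS exposes UNLOAD_TIME and a REASON column whose value 'LOW MEMORY' marks unloads forced by memory pressure (both assumptions, not taken from the post).

```sql
-- Added example, not from the original post. Assumes the column names below exist
-- in M_SERVICE_MEMORY and M_CS_UNLOADS, and that REASON = 'LOW MEMORY' marks
-- unloads caused by pool exhaustion.

-- How close each service is to its effective allocation limit.
SELECT HOST, PORT, SERVICE_NAME,
       ROUND(TOTAL_MEMORY_USED_SIZE / 1024 / 1024 / 1024, 2)      AS USED_GB,
       ROUND(EFFECTIVE_ALLOCATION_LIMIT / 1024 / 1024 / 1024, 2)  AS LIMIT_GB,
       ROUND(100 * TOTAL_MEMORY_USED_SIZE / EFFECTIVE_ALLOCATION_LIMIT, 1) AS USED_PCT
  FROM M_SERVICE_MEMORY
 ORDER BY USED_PCT DESC;

-- Column unloads forced by memory pressure in the last 24 hours, per host and table.
-- Any row here means the pool was exhausted; the affected tables will be reloaded
-- on their next access, which is the performance hit the text warns about.
SELECT HOST, SCHEMA_NAME, TABLE_NAME,
       COUNT(*)         AS UNLOADED_COLUMNS,
       MIN(UNLOAD_TIME) AS FIRST_UNLOAD,
       MAX(UNLOAD_TIME) AS LAST_UNLOAD
  FROM M_CS_UNLOADS
 WHERE REASON = 'LOW MEMORY'
   AND UNLOAD_TIME > ADD_SECONDS(CURRENT_TIMESTAMP, -86400)
 GROUP BY HOST, SCHEMA_NAME, TABLE_NAME
 ORDER BY UNLOADED_COLUMNS DESC;
```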


For more details, see the link below:

HANA Admin book

Wednesday, 4 May 2022

Recommendations for Database Users, Roles, and Privileges

Recommendations for securing access to SAP HANA.

SYSTEM User

Default: The database user SYSTEM is the most powerful database user with irrevocable system privileges. The SYSTEM user is active after database creation.
Recommendation: Use SYSTEM to create database users with the minimum privilege set required for their duties (for example, user administration, system administration). Then deactivate SYSTEM.
How to Verify: In the system view USERS, check the values in the columns USER_DEACTIVATED, DEACTIVATION_TIME, and LAST_SUCCESSFUL_CONNECT for the user SYSTEM.
Related Alert: No
More Information: See the sections on predefined users and deactivating the SYSTEM user in the SAP HANA Security Guide.

Password Lifetime of Database Users

Default: With the exception of internal technical users (_SYS_* users), the default password policy limits the lifetime of user passwords to 182 days (6 months).
Recommendation: Do not disable the password lifetime check for database users that correspond to real people.

In 3-tier scenarios with an application server, only technical user accounts for the database connection of the application server should have a password with an unlimited lifetime (for example, SAP<sid> or DBACOCKPIT).

How to Verify: In the USERS system view, check the value in the column IS_PASSWORD_LIFETIME_CHECK_ENABLED. If it is FALSE, the password lifetime check is disabled.

The time of the last password change is indicated in the column LAST_PASSWORD_CHANGE_TIME.

Related Alert: No
More Information: See the section on the password policy in the SAP HANA Security Guide.
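The two USERS checks above as runnable queries, added here as an example and not part of the original page. They assume the USERS view carries exactly the columns the checklist names; the second query excludes the _SYS_* users because the policy does not apply to them, so whatever rows remain should be only the technical application accounts the recommendation explicitly permits.

```sql
-- Added example, not from the original page. Assumes the USERS system view
-- carries the columns named in the SYSTEM-user and password-lifetime checks.

-- Check 1: is SYSTEM deactivated, and when was it last used?
-- USER_DEACTIVATED should be TRUE and LAST_SUCCESSFUL_CONNECT should not be
-- later than DEACTIVATION_TIME.
SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME, LAST_SUCCESSFUL_CONNECT
  FROM USERS
 WHERE USER_NAME = 'SYSTEM';

-- Check 2: accounts whose password lifetime check has been switched off.
-- Internal technical users (_SYS_*) are excluded; the backslash escape keeps
-- the underscores literal instead of acting as single-character wildcards.
SELECT USER_NAME, LAST_PASSWORD_CHANGE_TIME, LAST_SUCCESSFUL_CONNECT
  FROM USERS
 WHERE IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
   AND USER_NAME NOT LIKE '\_SYS\_%' ESCAPE '\'
 ORDER BY LAST_PASSWORD_CHANGE_TIME;
```

Every user returned by the second query that is not a documented application connection account (such as SAP<sid> or DBACOCKPIT) is a finding against the recommendation.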

System Privileges

Default: System privileges authorize database-wide administration commands. The users SYSTEM and _SYS_REPO have all these privileges by default.
Recommendation: System privileges should only ever be granted to users who actually need them.

In addition, several system privileges grant powerful permissions (for example, the ability to delete data or to view data unfiltered) and should be granted with extra care, as follows:

Only administrative or support users should have the following system privileges in a production database:

  • CATALOG READ
  • TRACE ADMIN

In a database of any usage type, the following system privileges should be granted only to administrative users who actually need them:

  • ADAPTER ADMIN
  • AGENT ADMIN
  • AUDIT ADMIN
  • AUDIT OPERATOR
  • BACKUP ADMIN
  • BACKUP OPERATOR
  • CERTIFICATE ADMIN
  • CREATE REMOTE SOURCE
  • CREDENTIAL ADMIN
  • ENCRYPTION ROOT KEY ADMIN
  • EXTENDED STORAGE ADMIN
  • INIFILE ADMIN
  • LDAP ADMIN
  • LICENSE ADMIN
  • LOG ADMIN
  • MONITOR ADMIN
  • OPTIMIZER ADMIN
  • RESOURCE ADMIN
  • SAVEPOINT ADMIN
  • SERVICE ADMIN
  • SESSION ADMIN
  • SSL ADMIN
  • TABLE ADMIN
  • TRUST ADMIN
  • VERSION ADMIN
  • WORKLOAD ADMIN
  • WORKLOAD * ADMIN
How to Verify: To check which user has a particular system privilege, query the EFFECTIVE_PRIVILEGE_GRANTEES system view, for example:

SELECT * FROM EFFECTIVE_PRIVILEGE_GRANTEES WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE' AND PRIVILEGE = 'SSL ADMIN' AND GRANTEE NOT IN ('SYSTEM','_SYS_REPO');

Related Alert: No
More Information: See the section on system privileges in the SAP HANA Security Guide and the section on system views for verifying user authorization in the SAP HANA Administration Guide.

System Privileges: Critical Combinations

Default: The users SYSTEM and _SYS_REPO have all system privileges by default.
Recommendation: Critical combinations of system privileges should not be granted together, for example:
  • USER ADMIN and ROLE ADMIN
  • CREATE SCENARIO and SCENARIO ADMIN
  • AUDIT ADMIN and AUDIT OPERATOR
  • CREATE STRUCTURED PRIVILEGE and STRUCTUREDPRIVILEGE ADMIN
How to Verify: To check a user's privileges, query the EFFECTIVE_PRIVILEGES system view, for example:

SELECT * FROM "PUBLIC"."EFFECTIVE_PRIVILEGES" WHERE USER_NAME = '<USER_NAME>';

Related Alert: No
More Information: See the section on system privileges in the SAP HANA Security Guide and the section on system views for verifying user authorization in the SAP HANA Administration Guide.
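The per-user query above only shows one user at a time. The following query, added here as an example and not part of the original page, instead lists every grantee (user or role) that effectively holds both halves of a critical pair, using the same EFFECTIVE_PRIVILEGE_GRANTEES view and OBJECT_TYPE/PRIVILEGE filter the checklist uses elsewhere; that the view can be used on both sides of an INTERSECT is an assumption.

```sql
-- Added example, not from the original page. Assumes EFFECTIVE_PRIVILEGE_GRANTEES
-- returns GRANTEE and GRANTEE_TYPE and accepts the OBJECT_TYPE/PRIVILEGE filter
-- used in the other checks; SYSTEM and _SYS_REPO are excluded as on the page.

-- Grantees holding BOTH USER ADMIN and ROLE ADMIN (directly or through roles).
-- Substitute the other pairs listed above (CREATE SCENARIO / SCENARIO ADMIN,
-- AUDIT ADMIN / AUDIT OPERATOR, CREATE STRUCTURED PRIVILEGE /
-- STRUCTUREDPRIVILEGE ADMIN) to test each critical combination.
SELECT GRANTEE, GRANTEE_TYPE
  FROM EFFECTIVE_PRIVILEGE_GRANTEES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE   = 'USER ADMIN'
   AND GRANTEE NOT IN ('SYSTEM', '_SYS_REPO')
INTERSECT
SELECT GRANTEE, GRANTEE_TYPE
  FROM EFFECTIVE_PRIVILEGE_GRANTEES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE   = 'ROLE ADMIN'
   AND GRANTEE NOT IN ('SYSTEM', '_SYS_REPO');
```

An empty result is the expected state; a role appearing here means every user holding that role inherits the critical combination.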

System Privilege: DATA ADMIN

Default: The system privilege DATA ADMIN is a powerful privilege. It authorizes a user to read all data in system views, as well as to execute all data definition language (DDL) commands in the SAP HANA database. Only the users SYSTEM and _SYS_REPO have this privilege by default.
Recommendation: No user or role in a production database should have this privilege.
How to Verify: You can verify whether a user or role has the DATA ADMIN privilege by executing the statement:

SELECT * FROM EFFECTIVE_PRIVILEGE_GRANTEES WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE' AND PRIVILEGE = 'DATA ADMIN' AND GRANTEE NOT IN ('SYSTEM','_SYS_REPO');

Related Alert: No
More Information: See the section on system privileges in the SAP HANA Security Guide and the section on system views for verifying user authorization in the SAP HANA Administration Guide.

System Privilege: DEVELOPMENT

Default: The system privilege DEVELOPMENT authorizes some internal ALTER SYSTEM commands. Only the users SYSTEM and _SYS_REPO have this privilege by default.
Recommendation: No user or role in a production database should have this privilege.
How to Verify: You can verify whether a user or role has the DEVELOPMENT privilege by executing the statement:

SELECT * FROM EFFECTIVE_PRIVILEGE_GRANTEES WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE' AND PRIVILEGE = 'DEVELOPMENT' AND GRANTEE NOT IN ('SYSTEM','_SYS_REPO');

Related Alert: No
More Information: See the section on system privileges in the SAP HANA Security Guide and the section on system views for verifying user authorization in the SAP HANA Administration Guide.

Analytic Privilege: _SYS_BI_CP_ALL

Default: The predefined analytic privilege _SYS_BI_CP_ALL potentially allows a user to access all the data in activated views that are protected by XML-based analytic privileges, regardless of any other XML-based analytic privileges that apply.

Only the predefined roles CONTENT ADMIN and MODELING have the analytic privilege _SYS_BI_CP_ALL by default, and only the user SYSTEM has these roles by default.

Recommendation: Do not grant this privilege to any user or role in a production database.
How to Verify: You can verify whether a user or role has the _SYS_BI_CP_ALL privilege by executing the statement:

SELECT * FROM EFFECTIVE_PRIVILEGE_GRANTEES WHERE OBJECT_TYPE = 'ANALYTICALPRIVILEGE' AND OBJECT_NAME = '_SYS_BI_CP_ALL' AND PRIVILEGE = 'EXECUTE' AND GRANTEE NOT IN ('SYSTEM','MODELING', 'CONTENT_ADMIN');

Related Alert: No
More Information: See the sections on privileges and predefined database roles in the SAP HANA Security Guide and the section on system views for verifying user authorization in the SAP HANA Administration Guide.

Debug Privileges

Default: No user has debug privileges.
Recommendation: The privileges DEBUG and ATTACH DEBUGGER should not be assigned to any user for any object in production systems.
How to Verify: You can verify whether a user or role has debug privileges by executing the statement:

SELECT * FROM GRANTED_PRIVILEGES WHERE PRIVILEGE='DEBUG' OR PRIVILEGE='ATTACH DEBUGGER';

Related Alert: No
More Information: See the section on privileges in the SAP HANA Security Guide and the section on system views for verifying user authorization in the SAP HANA Administration Guide.

Predefined Catalog Role CONTENT_ADMIN

Default: The role CONTENT_ADMIN contains all privileges required for working with information models in the repository of the SAP HANA database.

The user SYSTEM has the role CONTENT_ADMIN by default.

Recommendation: Only the database user used to perform system updates should have the role CONTENT_ADMIN. Otherwise, do not grant this role to users, particularly in production databases. It should be used as a role template only.
How to Verify: You can verify whether a user or role has the CONTENT_ADMIN role by executing the statement:

SELECT * FROM GRANTED_ROLES WHERE ROLE_NAME = 'CONTENT_ADMIN' AND GRANTEE NOT IN ('SYSTEM');

Related Alert: No
More Information: See the section on predefined database roles in the SAP HANA Security Guide and the section on system views for verifying user authorization in the SAP HANA Administration Guide.

Predefined Catalog Role MODELING

Default: The role MODELING contains the predefined analytic privilege _SYS_BI_CP_ALL, which potentially allows a user to access all the data in activated views that are protected by XML-based analytic privileges, regardless of any other XML-based analytic privileges that apply.

The user SYSTEM has the role MODELING by default.

Recommendation: Do not grant this role to users, particularly in production databases. It should be used as a role template only.
How to Verify: You can verify whether a user or role has the MODELING role by executing the statement:

SELECT * FROM GRANTED_ROLES WHERE ROLE_NAME ='MODELING' AND GRANTEE NOT IN ('SYSTEM');

Related Alert: No
More Information: See the section on predefined database roles in the SAP HANA Security Guide and the section on system views for verifying user authorization in the SAP HANA Administration Guide.

Predefined Catalog Role SAP_INTERNAL_HANA_SUPPORT

Default: The role SAP_INTERNAL_HANA_SUPPORT contains system privileges and object privileges that allow access to certain low-level internal system views needed by SAP HANA development support in support situations.

No user has the role SAP_INTERNAL_HANA_SUPPORT by default.

Recommendation: This role should only be granted to SAP HANA development support users for their support activities.
How to Verify: You can verify whether a user or role has the SAP_INTERNAL_HANA_SUPPORT role by executing the statement:

SELECT * FROM EFFECTIVE_ROLE_GRANTEES WHERE ROLE_NAME = 'SAP_INTERNAL_HANA_SUPPORT';

Related Alert: ID 63 (Granting of SAP_INTERNAL_HANA_SUPPORT role)
More Information: See the section on predefined database roles in the SAP HANA Security Guide and the section on system views for verifying user authorization in the SAP HANA Administration Guide.

Predefined Roles for Application Function Libraries (AFL)

Default: For each AFL area, two roles exist. For PAL and BFL the roles are:
  • AFL__SYS_AFL_AFLPAL_EXECUTE
  • AFL__SYS_AFL_AFLPAL_EXECUTE_WITH_GRANT_OPTION
  • AFL__SYS_AFL_AFLBFL_EXECUTE
  • AFL__SYS_AFL_AFLBFL_EXECUTE_WITH_GRANT_OPTION

User _SYS_AFL is the creator and owner of these roles. User SYSTEM has the privileges to grant these roles to users. User _SYS_REPO has the respective role with grant option granted automatically.

Recommendation: Grant these roles only to users who need to execute PAL and BFL procedures.
How to Verify: You can verify whether a user or role has any predefined AFL roles by querying the EFFECTIVE_ROLE_GRANTEES system view:

SELECT * FROM EFFECTIVE_ROLE_GRANTEES WHERE ROLE_NAME IN ('AFL__SYS_AFL_AFLPAL_EXECUTE', 'AFL__SYS_AFL_AFLPAL_EXECUTE_WITH_GRANT_OPTION', 'AFL__SYS_AFL_AFLBFL_EXECUTE', 'AFL__SYS_AFL_AFLBFL_EXECUTE_WITH_GRANT_OPTION');

Related Alert: No
More Information: See the SAP HANA Predictive Analysis Library (PAL) reference and the SAP HANA Business Function Library (BFL) reference.

Predefined Repository Roles

Default: SAP HANA is delivered with a set of preinstalled software components implemented as SAP HANA Web applications, libraries, and configuration data. The privileges required to use these components are contained within repository roles delivered with the component itself.

The standard user _SYS_REPO automatically has all of these roles. Some may also be granted automatically to the standard user SYSTEM to enable tools such as the SAP HANA cockpit to be used immediately after installation.

Recommendation: Application-specific repository roles should only be granted to application users.
How to Verify: You can verify whether a user or role has a particular role by executing the following statement, for example:

SELECT * FROM EFFECTIVE_ROLE_GRANTEES WHERE ROLE_NAME ='sap.hana.security.cockpit.roles::MaintainDataVolumeEncryption';

Related Alert: No
More Information: For a list of all roles delivered with each component, see the section on components delivered as SAP HANA content in the reference section of the SAP HANA Security Guide.