SAP HANA Platform 2.0 SPS 07 introduces new and changed features for security.
Auditing (New and Changed)
The audit log table is now configured to use SAP HANA Native Storage Extensions (NSE) by default. You can also choose to load it completely into memory as before.
You can now specify schema names for some DDL-based audit actions. The Audit Actions system view has been extended to include this information.
The IMPORT, IMPORT SCAN, and EXPORT statements can now be tracked as audit actions by an audit policy.
The ALTER CREDENTIAL, CREATE CREDENTIAL, and DROP CREDENTIAL statements can now be tracked as audit actions by an audit policy.
Audit policies now support the specification of user groups, in addition to individual users, for explicit inclusion in or exclusion from the logging of audit events. The AUDIT_POLICIES system view has been modified to reflect this change.
The audit log now displays the name of the authentication method used to authenticate the connection.
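The following SQL is an added example, not code from the SAP documentation page, showing how the newly trackable statements above would be covered by audit policies and then checked. The policy names, the column names used in the AUDIT_POLICIES and AUDIT_LOG queries, and the assumption that a new policy is inactive until enabled are this example's own; the new user-group inclusion clause is not shown, since its exact syntax is documented in the CREATE AUDIT POLICY reference.

```sql
-- Added example (not from the SAP documentation page). Policy names and the
-- AUDIT_POLICIES / AUDIT_LOG column names below are assumptions.

-- Policy 1: track all (successful and failed) data movement in and out of the database.
CREATE AUDIT POLICY data_movement_audit
    AUDITING ALL IMPORT, EXPORT
    LEVEL INFO;

-- Policy 2: track the full lifecycle of stored credentials, which grant access to
-- external systems and therefore belong in the audit trail.
CREATE AUDIT POLICY credential_ddl_audit
    AUDITING ALL CREATE CREDENTIAL, ALTER CREDENTIAL, DROP CREDENTIAL
    LEVEL INFO;

-- A newly created policy is assumed to be inactive until enabled explicitly.
ALTER AUDIT POLICY data_movement_audit ENABLE;
ALTER AUDIT POLICY credential_ddl_audit ENABLE;

-- Check: confirm both policies are active and list the actions each one tracks
-- (column names assumed).
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_ACTION, IS_AUDIT_POLICY_ACTIVE
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME IN ('DATA_MOVEMENT_AUDIT', 'CREDENTIAL_DDL_AUDIT')
 ORDER BY AUDIT_POLICY_NAME, EVENT_ACTION;

-- Review: most recent events recorded by these policies (column names assumed).
SELECT TIMESTAMP, USER_NAME, EVENT_ACTION, EVENT_STATUS, STATEMENT_STRING
  FROM AUDIT_LOG
 WHERE AUDIT_POLICY_NAME IN ('DATA_MOVEMENT_AUDIT', 'CREDENTIAL_DDL_AUDIT')
 ORDER BY TIMESTAMP DESC;
```

The two statement families are kept in separate policies so that each can be enabled, disabled, or given a different audit level independently; the unquoted policy names are stored in upper case, which is why the checks compare against upper-case literals.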
Authentication (New and Changed)
It is now possible to configure SAML and JWT identity providers for automatic user creation in conjunction with LDAP group authorization.
This means that if you use an LDAP-compliant directory server to manage users and their access to resources, you can now leverage this infrastructure to provision the database users required for SAML- and JWT-authenticated users.
A database user can be automatically created for a SAML-/JWT-authenticated user if the user exists in your LDAP server and this user is a member of at least one LDAP group mapped to at least one SAP HANA role.
Single Sign-On Using JSON Web Tokens
Configure SAML or JWT Authentication with LDAP-Based User Provisioning
The default value of the parameter issuer (section jwt_identity_provider) does not include the hostname anymore, because that raises an alert in system replication scenarios.
Authorization (New and Changed)
It is no longer necessary to have object privileges on tables to perform some operations. To execute ALTER TABLE statements that do not change the structure of the table and do not allow access to table data either explicitly or implicitly, the TABLE ADMIN system privilege is sufficient.
The procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS now displays SAP passport information to improve authorization error analysis.
The COMMENT ON statement now allows you to add a comment on certificates and public keys.
You can now store duplicate X.509 certificates under different names, provided a certificate name is specified.
Communication Security (New and Changed)
An alert occurs if TLS/SSL is not configured. To confirm the TLS/SSL configuration, see the column PURPOSE of the PSES system view.
The SQL statement ALTER SYSTEM RELOAD FILE PSE enforces changes to PSE stores in the file system without requiring a database restart.
TLS1.3 is expected to be rolled out during the lifetime of SAP HANA Platform 2.0 SPS 07. To allow for this rollout, the default for sslMaxProtocolVersion has been changed to TLS12.
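The following SQL is an added example, not code from the SAP documentation page, that walks through the three communication-security items above as an administrator's check-and-fix sequence. Only the PSES view, its PURPOSE column, the ALTER SYSTEM RELOAD FILE PSE statement and the sslMaxProtocolVersion parameter are named on the page; the NAME column, the 'SSL' purpose value, the M_INIFILE_CONTENTS query, and the placement of the TLS parameters in the communication section of global.ini are assumptions of this example.

```sql
-- Added example (not from the SAP documentation page). The NAME column, the
-- PURPOSE value 'SSL', and the global.ini section/parameter placement are assumptions.

-- Check 1: list the PSEs and their purposes. If no PSE carries the purpose that
-- marks it as the server's TLS/SSL PSE, external TLS is not configured and the
-- new alert will fire.
SELECT NAME, PURPOSE
  FROM PSES
 ORDER BY PURPOSE, NAME;

-- Fix 1: after replacing a file-system PSE (for example, with a renewed server
-- certificate), make the database reread it without a restart.
ALTER SYSTEM RELOAD FILE PSE;

-- Check 2: read the effective protocol floor and ceiling for external (JDBC/ODBC)
-- communication. Both parameters are assumed to live in the communication section.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE SECTION = 'communication'
   AND KEY IN ('sslMinProtocolVersion', 'sslMaxProtocolVersion');

-- Fix 2: with the SPS 07 default ceiling of TLS12, raise the floor to TLS12 as well so
-- that TLS 1.0 and TLS 1.1 are no longer negotiated with clients.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('communication', 'sslMinProtocolVersion') = 'TLS12'
    WITH RECONFIGURE;
```

Leave sslMaxProtocolVersion at its TLS12 default until TLS 1.3 support has actually been rolled out for your revision; raising the ceiling first gains nothing, whereas raising the floor removes the deprecated protocol versions immediately.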
Communication Configuration Properties for LDAP
Server-Side TLS/SSL Configuration Properties for External Communication (JDBC/ODBC)
Encryption Configuration and Encryption Key Management (New and Changed)
The set of SQL statements and hdbnsutil commands relevant for securing and recovering SAP HANA root keys has been rounded out.
Certificate Management (New and Changed)
You can now trigger a reread of file system-based PSEs without restarting your SAP HANA database.