Authentication and user management
SAP HANA and SAP HANA Cloud provide unified user and identity management. SAP HANA provides tools for user administration and role assignment, as well as adapters for SAP Identity Management and SAP Access Control, which allow integration into existing user provisioning infrastructures.
In a cloud context, you can use state-of-the-art single sign-on authentication mechanisms such as SAML, JWT tokens, X.509 certificates, or SAP logon through the Cloud Connector. Additionally, you can connect SAP HANA to third-party systems via Kerberos. To combine both worlds within your enterprise, you can also connect via an LDAP directory service.
Authorization and role management
The comprehensive authorization framework of both SAP HANA and SAP HANA Cloud provides highly granular access control. Users can only access the SAP HANA database through defined client interfaces. Their ability to perform operations on database objects is determined by the privileges and roles that they have.
Roles are used to bundle and structure the privileges required for specific user functions or tasks. Privileges are based on standard SQL object privileges and SAP HANA-specific extensions for business applications.
SAP HANA provides a broad range of encryption capabilities. For SAP HANA Cloud, communication encryption, data-at-rest encryption as well as backup encryption are always activated and are part of SAP HANA’s core feature set. For on-premise SAP HANA installations, you can configure the same encryption options and more. For both deployment types, the integration with SAP Data Custodian KMS is available, to provide you with full control over your encryption keys.
Preserve privacy and trust while deriving value from data with real-time data anonymization and security. Gain secure and compliant data access in real time without data duplication, keep your data always protected - whether at rest or in motion, lower the risk of security or privacy breaches and simplify compliance with regulations such as GDPR.
Real-time SAP HANA data anonymization happens at the view level, so the data at the table level remains unchanged. SAP HANA offers two different anonymization methods: k-anonymity and differential privacy. Additionally, you can add custom definition of anonymization views, access reporting views, and make use of the integration into our authorization framework.
- Enables customers to utilize personal data without infringing on the privacy of individuals
- Makes analytics and machine learning scenarios of anonymized personal data possible
- Enhances customers' ROI by leveraging the value of enterprise data that was previously inaccessible
Native SAP HANA dynamic data masking is available with SAP HANA and SAP HANA Cloud. This functionality protects data at row level with data masking in tables and views. Data is not replicated but masked on the fly if accessed by unauthorized users.
What is the difference between SAP HANA data anonymization and SAP HANA data masking?
SAP HANA data anonymization (of data sets)
- Structured approach to protect the privacy of individuals in complex data sets
- Real-time analytics on anonymized data enables insights into data that could not be leveraged beforehand
SAP HANA data masking (of attributes)
- Selectively hide sensitive information from DBAs and power users with broad access
- Display or hide sensitive information depending on the user role - for example for call center employees
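The contrast above, sketched in SAP HANA SQL as an added example (not taken from SAP's material): a k-anonymity view over a whole data set next to a masked view that hides one attribute. The schema `HR`, the table, the roles, and the sample hierarchy values are hypothetical, and the schema and roles are assumed to exist already.

```sql
-- Constructed sample table; all object and role names are hypothetical.
CREATE TABLE HR.PATIENTS (
  ID        INTEGER PRIMARY KEY,
  GENDER    NVARCHAR(1),
  CITY      NVARCHAR(20),
  IBAN      NVARCHAR(34),
  DIAGNOSIS NVARCHAR(40)
);

-- Anonymization of the data set: quasi-identifiers are generalized until
-- every (GENDER, LOCATION) combination occurs in at least k = 2 rows.
-- The base table is not modified; the anonymization lives in the view.
CREATE VIEW HR.PATIENTS_K_ANON (ID, GENDER, LOCATION, DIAGNOSIS) AS
  SELECT ID, GENDER, CITY AS LOCATION, DIAGNOSIS FROM HR.PATIENTS
  WITH ANONYMIZATION (ALGORITHM 'K-ANONYMITY'
    PARAMETERS '{"k": 2}'
    COLUMN ID PARAMETERS '{"is_sequence": true}'
    COLUMN GENDER PARAMETERS
      '{"is_quasi_identifier": true, "hierarchy": {"embedded": [["F"], ["M"]]}}'
    COLUMN LOCATION PARAMETERS
      '{"is_quasi_identifier": true, "hierarchy": {"embedded":
        [["Paris", "France"], ["Nice", "France"], ["Munich", "Germany"]]}}');

-- The view must be refreshed once before it can be queried.
REFRESH VIEW HR.PATIENTS_K_ANON ANONYMIZATION;

-- Masking of an attribute: the IBAN is rewritten on the fly for any user
-- who lacks the UNMASKED privilege on the view.
CREATE VIEW HR.PATIENTS_MASKED AS
  SELECT ID, CITY, IBAN FROM HR.PATIENTS
  WITH MASK (IBAN USING LEFT(IBAN, 4) || '****' || RIGHT(IBAN, 4));

-- Analysts see only the anonymized data set.
GRANT SELECT ON HR.PATIENTS_K_ANON TO ANALYST_ROLE;

-- Call center staff see masked IBANs; billing staff see clear values.
GRANT SELECT ON HR.PATIENTS_MASKED TO CALLCENTER_ROLE;
GRANT SELECT ON HR.PATIENTS_MASKED TO BILLING_ROLE;
GRANT UNMASKED ON HR.PATIENTS_MASKED TO BILLING_ROLE;

-- Neither protection applies to direct reads of the base table, so none of
-- these roles should hold SELECT on HR.PATIENTS itself.
```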
Auditing allows you to monitor and record selected actions performed in SAP HANA Cloud and SAP HANA Platform databases. A well-designed audit can help you achieve greater security of your database in various ways: detecting security vulnerabilities if too many privileges were granted to certain users, revealing security breach attempts, protecting the system owner against accusations of security violations and data misuse, and allowing the system owner to meet security standards.
SAP HANA offers highly configurable, policy-based audit logging for critical system events, for example, changes to roles or the database configuration. It can also record access to sensitive data: write and read access to objects such as tables or views, as well as the execution of procedures. For situations where a highly privileged user needs temporary access to a critical system, firefighter logging can be enabled. Additionally, for SAP HANA Cloud, comprehensive logging for cloud operator actions is available.
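An added example (not from SAP's material) of audit policies covering the cases named above: role and privilege changes, configuration changes, access to a sensitive table, and firefighter logging. The policy names, the table `HR.SALARIES`, and the user `FIREFIGHTER_01` are hypothetical; the statements assume the executing user holds the AUDIT ADMIN privilege.

```sql
-- On-premise: switch auditing on for the database.
-- (Run by a user with INIFILE ADMIN; policies have no effect while this is off.)
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;

-- Critical system events: who granted or revoked what.
CREATE AUDIT POLICY POL_AUTHZ_CHANGES
  AUDITING SUCCESSFUL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE
  LEVEL INFO;

-- Critical system events: changes to the database configuration.
CREATE AUDIT POLICY POL_CONFIG_CHANGES
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL WARNING;

-- Access to sensitive data: reads and writes on one table, including
-- attempts that failed for lack of privileges (ALL = successful + unsuccessful).
CREATE AUDIT POLICY POL_SALARY_ACCESS
  AUDITING ALL SELECT, INSERT, UPDATE, DELETE ON HR.SALARIES
  LEVEL CRITICAL;

-- Firefighter logging: record every auditable action of one
-- highly privileged emergency user.
CREATE AUDIT POLICY POL_FIREFIGHTER
  AUDITING ALL ACTIONS FOR FIREFIGHTER_01
  LEVEL CRITICAL;

-- Policies are created disabled; enable each one explicitly.
ALTER AUDIT POLICY POL_AUTHZ_CHANGES  ENABLE;
ALTER AUDIT POLICY POL_CONFIG_CHANGES ENABLE;
ALTER AUDIT POLICY POL_SALARY_ACCESS  ENABLE;
ALTER AUDIT POLICY POL_FIREFIGHTER    ENABLE;

-- Review: confirm what is active, then read the firefighter trail
-- (AUDIT_LOG is populated when the audit trail target is a database table).
SELECT * FROM AUDIT_POLICIES;

SELECT "TIMESTAMP", USER_NAME, EVENT_ACTION, EVENT_STATUS, STATEMENT_STRING
  FROM AUDIT_LOG
 WHERE AUDIT_POLICY_NAME = 'POL_FIREFIGHTER'
 ORDER BY "TIMESTAMP" DESC;
```

Keep object-level policies narrow: auditing reads on large, frequently queried tables produces a high log volume, so target only the objects that hold sensitive data.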
SAP HANA is developed according to SAP’s secure development lifecycle, which is a comprehensive framework of processes, guidelines, tools and staff training to safeguard the architecture, design and implementation of all SAP solutions. The secure development lifecycle is a threat-based approach, which includes risk and data protection assessments, comprehensive security testing including automated and manual tests as well as penetration testing, and a separate security validation phase.
Keep your deployment of SAP HANA up to date with the latest security updates, which are released on the second Tuesday of every month. SAP strongly recommends that you visit the Support Portal and apply patches as a priority to protect your SAP landscape.
With the transition to the cloud, the solutions offered by SAP are also changing in terms of the operating model. For HANA as a managed service in the cloud, SAP is responsible for setting up and operating the service. You choose your configuration options via self-services or service requests and are responsible for the whole data layer. This way, SAP helps you to get the most out of your data and meanwhile benefit from a managed and always-running service.
SAP operates its solutions to the highest and most important standards. For more information, visit our SAP Trust Center on the compliance finder page and filter by Business Technology Platform, as SAP HANA is part of this broader solution. There you can find our certifications and attestations like ISO, SOC and EU CCoC.