SAP HANA Security

1. Where do I find information about security topics in SAP HANA environments?

See the SAP HANA Security Guide for more information.
SAP Note 2089797 provides information about delivered SAP HANA content and related security aspects.
The whitepaper SAP HANA Security – An Overview provides general information about security aspects in SAP HANA environments.

2. Which indications exist for SAP HANA security issues?

The following SAP HANA alerts indicate problems in the security area:

Alert Name SAP Note  Description
57 Secure store file system (SSFS) consistency 1977221 Determines if the secure storage file system (SSFS) is consistent regarding the database.
62 Expiration of database user passwords 2082406 Identifies database users whose password is due to expire in line with the configured password policy. If the password expires, the user will be locked. If the user in question is a technical user, this may impact application availability. It is recommended that you disable the password lifetime check of technical users so that their password never expires (ALTER USER <username> DISABLE PASSWORD LIFETIME).
63 Granting of SAP_INTERNAL_HANA_SUPPORT role 2081857 Determines if the internal support role (SAP_INTERNAL_HANA_SUPPORT) is currently granted to any database users.
64 Total memory usage of table-based audit log 2081869 Determines what percentage of the effective allocation limit is being consumed by the database table used for table-based audit logging.

SQL: “HANA_Configuration_MiniChecks” (SAP Notes 1969700, 1999993) returns a potentially critical issue (C = ‘X’) for one of the following individual checks:

Check ID Details
1310 Secure store (SSFS) status
1330 Number of users with expiration date
1335 Number of SAP users with password expiration
1340 CATALOG READ privilege granted to current user
1342 Users with SAP_INTERNAL_HANA_SUPPORT role
1345 DATA ADMIN privilege granted to users or roles
1350 SQL trace including results configured
1360 Size of audit log table (GB)

3. Which tools exist to analyze security topics?

The following analysis commands are available in SAP Note 1969700:

SQL statement Details
SQL: “HANA_Security_CopyPrivilegesAndRoles_CommandGenerator” Generates GRANT commands to copy privileges and roles from one grantee to another
SQL: “HANA_Security_GrantedRolesAndPrivileges” Displays roles and privileges granted to roles and users (either directly or indirectly via roles)
SQL: “HANA_Security_Roles” Overview of defined SAP HANA roles
SQL: “HANA_Security_Users” Overview of SAP HANA users and schemas

The following monitoring views and dictionary tables provide information about security related topics:


4. Which SAP HANA privileges are required for the SAP ABAP database user?

SAP Note 2101316 lists the required SAP HANA privileges for the SAP ABAP database user.
Normally the required privileges are automatically granted.

5. How can I make sure that only administrative users can work on SAP HANA?

SAP Note 1986645 provides a tool set that can be used to prevent business users from connecting to the SAP HANA database. This can be useful for certain maintenance activities.

6. What is the effect of the CATALOG READ privilege?

CATALOG READ controls to what extent a user can access data in SAP HANA dictionary tables (e.g. TABLE_COLUMNS or INDEXES). If CATALOG READ is granted, all information is visible. If CATALOG READ isn’t granted, only the information for own objects is shown. At the same time the performance of these dictionary queries can be worse due to the required security checks.
Unlike on other databases a missing CATALOG READ right doesn’t result in an error, it just restricts the result set of dictionary queries.

7. Which security checks are performed by standard SAP services?

SAP Note 863362 describes the security related checks that are executed by SAP services like Early Watch (EW), Early Watch Alert (EWA) or Going Live sessions (GL).

8. Which SAP component addresses SAP HANA security topics?

SAP HANA security topics are addressed by component HAN-DB-SEC. So you can check for SAP Notes or open SAP incidents on this component when you have security related issues.

9. Where do I find a reference for SQL statements related to SAP HANA security?

Security related SQL statements can be found in the SAP HANA SQL reference at “SQL statements” -> “Access control statements”.

10. Which configuration is required for the SAP HANA database user of transaction DBACOCKPIT?

See SAP Note 1640741 for more information. Among others it suggests to define a role called DBA_COCKPIT with the appropriate privileges for DBACOCKPIT operations.

11. How can tracing be activated for security topics like authentication and login?

SAP Note 2083682 describes which database trace options can be activated in order to collect information about authentication and login procedures.

12. Which errors indicate authorization issues?

Among others, the following errors are symptoms for authorization issues:

transaction rolled back by an internal error: insufficient privilege: Not authorized
search table error: [2950] user is not authorized

13. How can authorization errors be analyzed in SAP HANA environments?

SAP Note 1809199 describes how to perform a root cause analysis in case of authorization issues.

14. What kind of privileges are required for SAP consultants when processing SAP incidents or delivering SAP services?

SAP Note 1747042 provides recommendations about the roles and privileges required for SAP support consultants.

15. Are there best practices to define standard roles for SAP HANA?

The document How to Define Standard Roles for SAP HANA Systems provides best practices for defining standard roles for SAP HANA.

16. How can single sign-on based on Kerberos be implemented?

SAP Note 1837331 provides an how-to guide for Kerberos, SPNEGO and Active Directory. SAP Note1813724 provides tools for configuring and checking Kerberos in SAP HANA environments.

17. What is the performance impact of enabling data volume encryption?

Data volume encryption only incurs an overhead when data is decrypted during read from disk and encrypted when writing to disk. Data in memory is always decrypted and therefore there is no performance penalty associated with access to in-memory data.
Scenarios that involve access to data volumes and therefore have a performance impact are:

Area SAP Note
Column loads 2127458
Savepoints and database snapshots 2100009
Data backups 1642148
Hybrid LOBs 1994962

These scenarios are dominated by I/O and the encryption related CPU overhead is minor. Usually the overall performance impact isn’t higher than a medium single-digit percentage.

18. What can I do if I have forgotten the password of the SYSTEM user?

SAP Note 1925267 and the section “Reset the SYSTEM User’s Password” in the SAP HANA Administration Guide.
describes the necessary steps to define a new password for the SYSTEM.

19. How can I determine the authentication types used by connections to SAP HANA?

The authentication method used by a connection can be determined via column AUTHENTICATION_METHOD of monitoring view M_CONNECTIONS.

20. How can I check for security related SAP Notes for SAP HANA?

At you can find SAP Notes relevant for security. In order to find SAP HANA related security SAP Notes, you can filter by ‘HAN*’.

21. How can a user be copied including roles and privileges?

It is not easily possible to copy a user with the related catalog roles. The procedure to copy a user including repository roles is described in the section “Copy a User Based on SAP HANA Repository Roles” of the SAP HANA Administration Guide.

22. How can the SAP HANA internal network be configured in a secure manner?

SAP Note 2183363 provides recommendations for a secure configuration of the SAP HANA internal network.

23. Is there something specific to consider related to GRANT and REVOKE of privileges and roles in SAP HANA environments?

In SAP HANA, privileges and roles can be granted to a user (grantee) by different users (grantors). Each grant, if successful, is persisted in the database catalog and uniquely identified by grantor, grantee, and the role or the privilege. This leads to following behavior during the revoke of the role or privilege:

  • When a role or privilege is revoked from a user, this user can still have the same role or privilege if granted by other users.
  • A REVOKE statement executes successfully, even if the executing user (revoker) did not grant any role or privilege to the user, from whom the statement tries to revoke the role or privilege. See SAP Note 2210758 for more details.

24. What is the purpose of the RESOURCE ADMIN privilege?

RESOURCE ADMIN is required for administration tasks like resetting SAP HANA monitoring views (ALTER SYSTEM RESET MONITORING VIEW) or creating a runtime dump (SAP Note 1813020). Originally this privilege wasn’t granted to the DBA_COCKPIT role but as of 2016 it will be included. If required you can manually grant this privilege to the DBA_COCKPIT role:


Leave a Reply