SAP HANA Security Checklists and Recommendations (EN) PDF download
Main content:
2 SAP HANA Database
Checklists and recommendations to help you operate and configure the SAP HANA database securely
Tip
SAP Note 1969700 contains collections of useful SQL statements for monitoring and analyzing the SAP
HANA database. The statements contained in the file HANA_Security_MiniChecks.txt perform all of
the SQL-based checks listed in this document.
Recommendations for Database Users, Roles, and Privileges [page 7]
Recommendations for securing access to SAP HANA.
Recommendations for Network Configuration [page 15]
Recommendations for integrating SAP HANA securely into your network environment.
Recommendations for Data Encryption [page 18]
Recommendations for data encryption and encryption key management
Recommendations for File System and Operating System [page 21]
Recommendations for secure operating system access and data storage in the file system
Recommendations for Auditing [page 23]
Recommendations for audit configuration
Recommendations for Trace and Dump Files [page 25]
Recommendations for handling trace and dump files
Recommendations for Tenant Database Management [page 27]
Recommendations for securely configuring tenant databases
Related Information
SAP Note 1969700
SAP HANA Security Checklists and Recommendations
SAP HANA Database
2.1 Recommendations for Database Users, Roles, and Privileges
Recommendations for securing access to SAP HANA.
SYSTEM User
Default: The database user SYSTEM is the most powerful database user with irrevocable system privileges. The SYSTEM user is active after database creation.
Recommendation: Use SYSTEM to create database users with the minimum privilege set required for their duties (for example, user administration, system administration). Then deactivate SYSTEM.
You may however temporarily reactivate the SYSTEM user for emergency or bootstrapping tasks. See Deactivate the SYSTEM User in the SAP HANA Security Guide.
Note: The SYSTEM user is not required to update the SAP HANA database system; a lesser-privileged user can be created for this purpose. However, to upgrade SAP support package stacks, SAP enhancement packages and SAP systems using the Software Update Manager (SUM), and to install, migrate, and provision SAP systems using the Software Provisioning Manager (SWPM), the SYSTEM user is required and needs to be temporarily reactivated for the duration of the upgrade, installation, migration or provisioning.
How to Verify: In the system view USERS, check the values in the columns USER_DEACTIVATED, DEACTIVATION_TIME, and LAST_SUCCESSFUL_CONNECT for the user SYSTEM.
Related Alert: No
More Information: See the sections on predefined users and deactivating the SYSTEM user in the SAP HANA Security Guide.
Password Lifetime of Database Users
Default: With the exception of internal technical users (_SYS_* users), the default password policy limits the lifetime of user passwords to 182 days (6 months).
Recommendation: Do not disable the password lifetime check for database users that correspond to real people.
In 3-tier scenarios with an application server, only technical user accounts for the database connection of the application server should have a password with an unlimited lifetime (for example, SAP<sid> or DBACOCKPIT).
Note: Such technical users should have a clearly identified purpose and the minimum authorization required in SAP HANA.
How to Verify: In the USERS system view, check the value in the column IS_PASSWORD_LIFETIME_CHECK_ENABLED. If it is FALSE, the password lifetime check is disabled.
The time of the last password change is indicated in the column LAST_PASSWORD_CHANGE_TIME.
Related Alert: No
More Information: See the section on the password policy in the SAP HANA Security Guide.
System Privileges
Default: System privileges authorize database-wide administration commands. The users SYSTEM and _SYS_REPO have all of these privileges by default.
Recommendation: System privileges should only ever be granted to users who actually need them.
In addition, several system privileges grant powerful permissions (for example, the ability to delete data and to view data unfiltered) and should be granted with extra care, as follows:
Only administrative or support users should have the following system privileges in a production database:
● CATALOG READ
● TRACE ADMIN
In a database of any usage type, the following system privileges should be granted only to
administrative users who actually need them:
● ADAPTER ADMIN
● AGENT ADMIN
● AUDIT ADMIN
● AUDIT OPERATOR
● BACKUP ADMIN
● BACKUP OPERATOR
● CERTIFICATE ADMIN
● CREATE REMOTE SOURCE
● CREDENTIAL ADMIN
● ENCRYPTION ROOT KEY ADMIN
● EXTENDED STORAGE ADMIN
● INIFILE ADMIN
● LDAP ADMIN
● LICENSE ADMIN
● LOG ADMIN
● MONITOR ADMIN
● OPTIMIZER ADMIN
● RESOURCE ADMIN
● SAVEPOINT ADMIN
● SERVICE ADMIN
● SESSION ADMIN
● SSL ADMIN
● TABLE ADMIN
● TRUST ADMIN
● VERSION ADMIN
● WORKLOAD ADMIN
● WORKLOAD * ADMIN
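The How to Verify steps in this section are queries against the SYS catalog views. The following is an added example, not taken from the SAP document or from SAP Note 1969700, that bundles the SYSTEM-user, password-lifetime and system-privilege checks above into SQL you can run with hdbsql or the SQL console. It assumes the standard SYS.USERS, SYS.GRANTED_PRIVILEGES and SYS.EFFECTIVE_PRIVILEGES views; the privilege list is a subset of the ones named on this page, and SOME_USER is a placeholder for the account you are reviewing.

```sql
-- Check 1: SYSTEM user. Expect USER_DEACTIVATED = 'TRUE'; a
-- LAST_SUCCESSFUL_CONNECT later than DEACTIVATION_TIME means the
-- user was reactivated (e.g. for an SUM/SWPM run) and logged in since.
SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME, LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS
 WHERE USER_NAME = 'SYSTEM';

-- Check 2: password lifetime check disabled for accounts that are not
-- internal _SYS_* users. Every row returned should be a documented
-- technical account (e.g. SAP<sid>, DBACOCKPIT); anything else is a finding.
SELECT USER_NAME, IS_PASSWORD_LIFETIME_CHECK_ENABLED, LAST_PASSWORD_CHANGE_TIME
  FROM SYS.USERS
 WHERE IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
   AND SUBSTRING(USER_NAME, 1, 5) <> '_SYS_'
 ORDER BY USER_NAME;

-- Check 3a: direct grants of sensitive system privileges (subset of the
-- list above) to anyone other than SYSTEM and _SYS_REPO. Roles appear
-- too; GRANTEE_TYPE tells you whether a user or a role holds the grant.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('CATALOG READ', 'TRACE ADMIN', 'AUDIT ADMIN',
                     'AUDIT OPERATOR', 'BACKUP ADMIN', 'INIFILE ADMIN',
                     'ENCRYPTION ROOT KEY ADMIN', 'SSL ADMIN', 'TRUST ADMIN')
   AND GRANTEE NOT IN ('SYSTEM', '_SYS_REPO')
 ORDER BY PRIVILEGE, GRANTEE;

-- Check 3b: the same privileges as one user effectively holds, including
-- those inherited through roles; GRANTEE shows the role through which
-- each privilege arrives. SOME_USER is a placeholder, not a real account.
SELECT USER_NAME, PRIVILEGE, GRANTEE, GRANTEE_TYPE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'SOME_USER'
   AND OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('CATALOG READ', 'TRACE ADMIN', 'AUDIT ADMIN',
                     'AUDIT OPERATOR', 'BACKUP ADMIN', 'INIFILE ADMIN',
                     'ENCRYPTION ROOT KEY ADMIN', 'SSL ADMIN', 'TRUST ADMIN')
 ORDER BY PRIVILEGE;
```

Check 3a only shows what was granted directly; run 3b for each administrative account, since a privilege arriving through a nested role does not appear in GRANTED_PRIVILEGES under the user's name.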