
SAP HANA Security Overview and Best Practices

The document is an SAP Knowledge Base Article that addresses frequently asked questions regarding SAP HANA security, including information on security topics, tools for analysis, privileges required for users, and methods for ensuring secure access. It provides detailed guidance on various security aspects, including configuration, monitoring, and troubleshooting authorization issues. The article also references specific SAP Notes for further information and tools related to SAP HANA security management.

SAP Knowledge Base Article

2159014 - FAQ: SAP HANA Security


Component: HAN-DB-SEC (SAP HANA > SAP HANA Database > SAP HANA Security & User Management),
Version: 80, Released On: 24.11.2024

Symptom
You are interested in topics related to SAP HANA security.

Environment
SAP HANA

Cause
1. Where do I find information about security topics in SAP HANA environments?
2. Which indications exist for SAP HANA security issues?
3. Which tools exist to analyze security topics?
4. Which SAP HANA privileges are required for the SAP ABAP database user?
5. How can I make sure that only administrative users can work on SAP HANA?
6. What is the effect of the CATALOG READ privilege?
7. Which security checks are performed by standard SAP services?
8. Which SAP component addresses SAP HANA security topics?
9. Where do I find a reference for SQL statements related to SAP HANA security?
10. Which configuration is required for the SAP HANA database user of transaction DBACOCKPIT?
11. How can tracing be activated for security topics like authorization, authentication and login?
12. Which errors indicate authorization issues?
13. Can granted permissions disappear?
14. What kind of privileges are required for SAP consultants when processing SAP incidents or delivering SAP services?
15. Are there templates to define roles for SAP HANA?
16. How can single sign-on based on Kerberos be implemented?
17. What is the performance impact of enabling volume encryption?
18. Why is it recommended to enable data volume encryption directly after installation instead of enabling it at a later time?
19. What happens if data volume encryption or decryption is interrupted by a SAP HANA crash?
20. Which crypto library is recommended for data volume encryption?
21. Is there anything special I need to be aware of when using data volume encryption?
22. What can I do if I have forgotten the password of the SYSTEM user?
23. How can I determine the authentication types used by connections to SAP HANA?
24. How can I check for security related SAP Notes for SAP HANA?
25. How can a user be copied including roles and privileges?
26. How can the SAP HANA internal network be configured in a secure manner?
27. Is there something specific to consider related to GRANT and REVOKE of privileges and roles in SAP HANA environments?
28. What is the purpose of the RESOURCE ADMIN privilege?
29. How can SSL be activated and deactivated?
30. Do I need the root user for performing SAP HANA administration tasks?
31. Can I configure encrypted communication from a SAP ABAP system to SAP HANA?
32. How can I get a security check from SAP for a specific system?
33. How can I configure the retention of audit data?
34. Where can I find more information for LDAP?
35. Where can I find more information about using SAP HANA auditing?
36. Is SSL communication useful within a single data center?

Resolution

1. Where do I find information about security topics in SAP HANA environments?
See the SAP HANA Security Guide for more information.
SAP Note 2089797 provides information about delivered SAP HANA content and related security aspects.
The whitepaper SAP HANA Security provides general information about security aspects in SAP HANA environments.
2. Which indications exist for SAP HANA security issues?
The following SAP HANA alerts indicate problems in the security area:

Alert | Name | Description

57 | Secure store file system (SSFS) consistency | Determines if the secure storage file system (SSFS) is consistent regarding the database.

62 | Expiration of database user passwords | Identifies database users whose password is due to expire in line with the configured password policy. If the password expires, the user will be locked. If the user in question is a technical user, this may impact application availability. It is recommended that you disable the password lifetime check of technical users so that their password never expires (ALTER USER <username> DISABLE PASSWORD LIFETIME).

63 | Granting of SAP_INTERNAL_HANA_SUPPORT role | Determines if the internal support role (SAP_INTERNAL_HANA_SUPPORT) is currently granted to any database users.

64 | Total memory usage of table-based audit log | Determines what percentage of the effective allocation limit is being consumed by the database table used for table-based audit logging.

128 | LDAP Enabled Users without SSL | Checks for the vulnerability where users may be enabled for LDAP Authentication but SSL is not enabled

129 | Check trusted certificate expiration date | Determines if there are any trusted certificates that will expire soon or have already expired

130 | Check own certificate expiration date | Determines if there are any own or chained certificates that will expire soon or have already expired

SQL: "HANA_Configuration_MiniChecks" (SAP Notes 1969700, 1999993) returns a potentially critical issue (C = 'X') for one
of the following individual checks:

Check ID Details

M1310 Secure store (SSFS) status

M1312 Inconsistent secure store

M1330 Number of users with expiration date

M1333 Certificates with previous or upcoming expiry

M1335 Number of SAP users with password expiration

M1340 CATALOG READ privilege granted to current user

M1360 Size of audit log table (GB)

M1362 Active DML audit policies

SQL: "HANA_TraceFiles_MiniChecks" (SAP Notes 1969700, 2380176) returns one of the following check IDs:

Check ID Details

T0586 Poll timeout during SSL communication

T0587 SSL/TLS record of unknown type received

T0588 SSL/TLS record MAC cannot be verified

T0589 SSL renegotiation attempt refused

T0900 Error reading from SAP Logon TrustStore


T0905 Error obtaining analytic privileges

T0910 Error obtaining analytic privileges

T0913 Connection attempt outside of validity period

T0914 Missing privilege

T0915 Insufficient privileges

T0916 Authorization error

T0917 No authorization

T0918 User temporarily locked

T0919 Authentication failure

T0920 Problem with XS engine authentication

T0921 Invalid object found during authorization check

T0922 Password change required for user

T0925 Inconsistent secure store (SSFS)

T0930 Authentication error due to clock skew

T0931 Authentication error due to unsupported mechanism

T0935 Inconsistent SSL configuration

T0936 SSL handshake failed

T0937 Authorization check failure due to invalid view

T0938 Internal SSL error

T0939 Empty Kerberos service principal name

T0940 Failure during LDAP search

T0941 SAML provider configuration not established

T0942 Auditing not possible due to missing OID

T0943 User permanently locked

SQL: "HANA_Threads_Callstacks_MiniChecks" (SAP Notes 1969700, 2313619) reports one of the following check IDs:

Check ID Details

C0900 LDAP authentication

C0910 OS syslog audit trail write

C0911 Table audit trail write

C0920 Dependent object retrieval

C0930 Authorization check

SQL: "HANA_Security_MiniChecks" (SAP Note 1969700) returns potentially critical issues (C = 'X').
You receive one of the following errors:

10: authentication failed

3. Which tools exist to analyze security topics?


The following analysis commands are available in SAP Note 1969700:

SQL statement Details

SQL: "HANA_Security_AuditPolicies" Overview of existing audit policies


SQL: "HANA_Security_Certificates" Certificates and PSEs

SQL: "HANA_Security_CopyPrivilegesAndRoles_CommandGenerator" Generates GRANT commands to copy privileges and roles from one grantee to another

SQL: "HANA_Security_Encryption" Encryption information

SQL: "HANA_Security_GrantedRolesAndPrivileges" Displays roles and privileges granted to roles and users (either directly or indirectly via roles)

SQL: "HANA_Security_MiniChecks" This command executes a subset of checks provided in the SAP HANA Security Check List and marks deviations from the expectation as potentially critical (C = 'X').

SQL: "HANA_Security_Roles" Overview of defined SAP HANA roles

SQL: "HANA_Security_SecureStore" Secure store information

SQL: "HANA_Security_Users" Overview of SAP HANA users and schemas

The following monitoring views and dictionary tables provide information about security related topics:
EFFECTIVE_APPLICATION_PRIVILEGES
EFFECTIVE_PRIVILEGES
EFFECTIVE_PRIVILEGE_GRANTEES (SAP HANA >= SPS 12)
EFFECTIVE_ROLES
EFFECTIVE_STRUCTURED_PRIVILEGES
ENCRYPTION_OVERVIEW
GRANTED_PRIVILEGES
GRANTED_ROLES
M_SECURESTORE
PRIVILEGES
PSE_CERTIFICATES
PSES
ROLES
STRUCTURED_PRIVILEGES
USERS

4. Which SAP HANA privileges are required for the SAP ABAP database user?
SAP Note 2101316 lists the required SAP HANA privileges for the SAP ABAP database user.
Normally the required privileges are automatically granted.

5. How can I make sure that only administrative users can work on SAP HANA?
SAP Note 1986645 provides a tool set that can be used to prevent business users from connecting to the SAP HANA database.
This can be useful for certain maintenance activities.

6. What is the effect of the CATALOG READ privilege?


CATALOG READ controls to what extent a user can access data in SAP HANA dictionary tables (e.g. TABLE_COLUMNS or
INDEXES). If CATALOG READ is granted, all information is visible. If CATALOG READ isn't granted, only the information
for own objects is shown. At the same time the performance of these dictionary queries can be worse due to the required
security checks.
Unlike on other databases a missing CATALOG READ right doesn't result in an error, it just restricts the result set of
dictionary queries.

7. Which security checks are performed by standard SAP services?


SAP Note 863362 describes the security related checks that are executed by SAP services like Early Watch (EW), Early Watch
Alert (EWA) or Going Live sessions (GL).
Additionally a specific security service exists. See "How can I get a security check from SAP for a specific system?" below for
more information.

8. Which SAP component addresses SAP HANA security topics?


The central SAP HANA security component is HAN-DB-SEC, so you can check for SAP Notes or open SAP incidents on this component when you have security-related issues. Be aware that security-relevant SAP Notes can also be created on other components, for example on specific SAP HANA components.

9. Where do I find a reference for SQL statements related to SAP HANA security?
Security related SQL statements can be found in the SAP HANA SQL reference at "SQL statements" -> "Access control
statements".
10. Which configuration is required for the SAP HANA database user of transaction DBACOCKPIT?
See SAP Note 1640741 for more information. Among other things, it suggests defining a role called DBA_COCKPIT with the
appropriate privileges for DBACOCKPIT operations.

11. How can tracing be activated for security topics like authorization, authentication and login?
Starting with SAP HANA 2.0 SPS 08 the internal view AUTHENTICATION_ERROR_DETAILS exists that provides
information about authentication errors (SAP Note 3543492). You can use SQL: "HANA_Security_AuthenticationErrors"
(SAP Note 1969700) to evaluate the content of this view.
Starting with SAP HANA 2.0 SPS 04 you can retrieve details for "insufficient privileges" errors by using the
GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS function. As a prerequisite to call this function the EXECUTE
privilege needs to be granted to the user:

GRANT EXECUTE ON GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS to <db_user>

Example:

SELECT * FROM _SYS_AUDIT.CS_AUDIT_LOG_


--> [258]: insufficient privilege: Detailed info for this error can be found with guid 'C36A34EF6B586C4FBB392B23FE7D2CE9'

CALL GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS('C36A34EF6B586C4FBB392B23FE7D2CE9', ?)

------------------------------------------------------------------------------------------------------------------------------
|GUID                            |CREATE_TIME                  |CONNECTION_ID|PRIVILEGE|SCHEMA_NAME|OBJECT_NAME  |OBJECT_TYPE|
------------------------------------------------------------------------------------------------------------------------------
|C36A34EF6B586C4FBB392B23FE7D2CE9|2019-11-13 18:19:25.044000000|142451       |SELECT   |_SYS_AUDIT |CS_AUDIT_LOG_|TABLE      |
------------------------------------------------------------------------------------------------------------------------------

The availability of this information can be configured with the following SAP HANA parameter settings:

Parameter | Default | Unit | Details

global.ini -> [authorization] -> enable_insufficient_privilege_error_details_procedure | true | | Activation / deactivation of collecting "insufficient privileges" data

global.ini -> [authorization] -> insufficient_privilege_error_details_retain_duration | 144 | hours | Retention time of "insufficient privileges" data

global.ini -> [authorization] -> insufficient_privilege_error_details_retain_records | 10000 | | Maximum amount of "insufficient privileges" records

With earlier SAP HANA Revisions an authorization trace can be (temporarily) activated with the following parameter:

<service>.ini -> [trace] -> authorization = info

As a consequence further authorization information will be written to the normal service trace files. See SAP Note 2119087 for
more information related to the database and user-specific trace.
See SAP Note 1809199 for more details about debugging authorization errors.
In order to trace connection issues it may be sufficient to temporarily set the parameter

<service>.ini -> [password policy] -> detailed_error_on_connect = true

to get more precise information about authentication errors (e.g. "10: authentication failed"). As per SAP Note 2216869 this
should not be activated permanently for security reasons.
SAP Note 2083682 describes which database trace options can be activated in order to collect information about
authentication and login procedures.
The Troubleshooting SAP HANA Authorization Issues blog provides some more insight into tracing authorization issues.

12. Which errors indicate authorization issues?


Among others, the following errors are symptoms for authorization issues:

transaction rolled back by an internal error: insufficient privilege: Not authorized


search table error: [2950] user is not authorized
Error during Plan execution of model _SYS_BIC:onep.Queries.qnoverview/CV_QMT_OVERVIEW (-1), reason: user is not authorized
pop1 (rc 2950, user is not authorized)
insufficient privilege: search table error: [2950] user is not authorized
Could not execute 'SELECT * FROM"_SYS_BIC"."<table>"' SAP DBTech JDBC: [258]: insufficient privilege: Not authorized.SAP DBTech JDBC: [258]: insufficient privilege: Not authorized
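
The following Python helper is an added example and not part of the SAP Note. It scans log lines for the error texts quoted in questions 11 and 12, counts them by category, and for `[258]` messages that carry a well-formed GUID emits the matching GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS call. The log lines are constructed, and the function names and category labels are assumptions made for illustration.

```python
import re

# Error texts as quoted in questions 11 and 12 of the article.
# The GUID must be exactly 32 hex digits; anything else is never copied
# into a generated SQL statement.
GUID_RE = re.compile(
    r"\[258\]: insufficient privilege: Detailed info for this error "
    r"can be found with guid '([0-9A-Fa-f]{32})'"
)

# First matching pattern wins. Category names are labels chosen for this example.
PATTERNS = [
    ("insufficient_privilege",
     re.compile(r"\[258\]: insufficient privilege|insufficient privilege: Not authorized")),
    ("not_authorized", re.compile(r"user is not authorized")),
    ("authentication_failed", re.compile(r"(?<![\d:])10: authentication failed")),
]


def classify(line):
    """Return the category of an authorization/authentication error line, or None."""
    for name, rx in PATTERNS:
        if rx.search(line):
            return name
    return None


def triage(lines):
    """Count error categories and build one CALL statement per distinct GUID."""
    counts = {}
    guids = []
    for line in lines:
        category = classify(line)
        if category is None:
            continue
        counts[category] = counts.get(category, 0) + 1
        for guid in GUID_RE.findall(line):
            guid = guid.upper()
            if guid not in guids:  # repeated errors report the same GUID once
                guids.append(guid)
    calls = [
        f"CALL GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS('{g}', ?)" for g in guids
    ]
    return counts, calls


# Constructed sample input: timestamps and host names are invented, the
# error texts and the GUID are the ones shown in the article.
SAMPLE_LOG = [
    "2024-05-02 09:14:03 app01 SAP DBTech JDBC: [258]: insufficient privilege: "
    "Detailed info for this error can be found with guid "
    "'C36A34EF6B586C4FBB392B23FE7D2CE9'",
    "2024-05-02 09:14:09 app01 SAP DBTech JDBC: [258]: insufficient privilege: "
    "Detailed info for this error can be found with guid "
    "'C36A34EF6B586C4FBB392B23FE7D2CE9'",
    "2024-05-02 09:15:40 app01 insufficient privilege: search table error: "
    "[2950] user is not authorized",
    "2024-05-02 09:15:41 app01 pop1 (rc 2950, user is not authorized)",
    "2024-05-02 09:16:22 app02 10: authentication failed",
    "2024-05-02 09:17:05 app02 SAP DBTech JDBC: [258]: insufficient privilege: "
    "Not authorized",
    "2024-05-02 09:17:30 app02 connection established",
    # Truncated GUID: counted as an error, but no CALL is generated for it.
    "2024-05-02 09:18:44 app03 [258]: insufficient privilege: Detailed info for "
    "this error can be found with guid 'C36A34EF6B58'",
]

if __name__ == "__main__":
    counts, calls = triage(SAMPLE_LOG)
    for category, n in counts.items():
        print(f"{category}: {n}")
    for call in calls:
        print(call)
```

The generated statements still require the EXECUTE privilege on GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS described in question 11.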

13. Can granted permissions disappear?


In general granted privileges and roles remain until they are revoked. The following exceptions exist:
A bug on SAP HANA 110.07 and 122.04 can result in lost analytic privileges and "insufficient privileges" errors (SAP
Note 2400798).
Grants of the SAP_INTERNAL_HANA_SUPPORT role are revoked during SAP HANA upgrades for security reasons.

14. What kind of privileges are required for SAP consultants when processing SAP incidents or delivering SAP services?
SAP Note 1747042 provides recommendations about the roles and privileges required for SAP support consultants.

15. Are there templates to define roles for SAP HANA?


If you use the XSA development environment, SAP HANA template roles can be found in the document Developing Roles in
SAP HANA (theoretical) and Developing Roles in SAP HANA (example). If you still use the deprecated XSC (SAP Note
2465027), you can find the template roles in the document How to Define Standard Roles for Administrators and Developers
in SAP HANA.

16. How can single sign-on based on Kerberos be implemented?


SAP Note 1837331 provides a how-to guide for Kerberos, SPNEGO and Active Directory. SAP Note 1813724 provides tools
for configuring and checking Kerberos in SAP HANA environments.

17. What is the performance impact of enabling volume encryption?


Data volume encryption only incurs an overhead when data is decrypted during read from disk and encrypted when writing to
disk. Data in memory is always decrypted and therefore there is no performance penalty associated with access to in-memory
data.
Scenarios that involve access to data volumes and therefore have a performance impact are:

Area SAP Note

Column loads 2127458

Savepoints and database snapshots 2100009

Data backups 1642148

Merges 2057046

Hybrid LOBs 1994962

These scenarios are dominated by I/O and the encryption related CPU overhead is minor. Usually the overall performance
impact isn't higher than a medium single-digit percentage.
Log volume encryption can impact the I/O writes to the log volumes and so COMMIT operations can be slower (SAP Note
2000000).

18. Why is it recommended to enable data volume encryption directly after installation instead of enabling it at a later time?
Due to use of shadow paging in the data volume persistence of SAP HANA there are typically multiple copies of a single data
page stored in the persistence at a given time. If data volume encryption is enabled, newly modified pages will be encrypted in
context of the savepoint (SAP Note 2100009). Other data pages will be encrypted in background over time. See SAP
Note 2400005 -> "Is it possible to encrypt the persistence level?" for details.

19. What happens if data volume encryption or decryption is interrupted by a SAP HANA crash?
In case of a SAP HANA crash the encryption / decryption will continue after the restart. The persistence layer remains in a
consistent state.

20. Which crypto library is recommended for data volume encryption?


The preferred option is the SAP CommonCryptoLib (CCL). For data volume encryption support you should make sure to use
CCL version 8.4.32 or higher, as previous versions are missing performance optimizations vital for HANA data volume
encryption.

21. Is there anything special I need to be aware of when using data volume encryption?
With more and more encryption functionality in SAP HANA being used it is vital that you make sure to properly handle the
Secure Store FS (SSFS) file in case you are cloning systems at the file system level. While the SSFS is properly updated during
regular database recovery it is the administrator's responsibility to copy the SSFS file along with data / log volumes during a
file system-based system copy. With SAP HANA SPS 09 tighter checks were introduced to detect a mismatch between data
persistence and the SSFS file.
See SAP Note 2054883 for information about activating data volume encryption in a running system.
Encryption may not be replicated to the secondary system replication site. SAP Note 2396438 describes in more detail how to
check and resolve this.

22. What can I do if I have forgotten the password of the SYSTEM user?
See section "Reset the SYSTEM User Password" in the SAP HANA Administration Guide.

23. How can I determine the authentication types used by connections to SAP HANA?
The authentication method used by a connection can be determined via column AUTHENTICATION_METHOD of
monitoring view M_CONNECTIONS.

24. How can I check for security related SAP Notes for SAP HANA?
You can connect your SAP HANA with SAP Solution Manager and run the System Recommendations Application in Change
Management Workcenter at regular intervals. Based on the available Landscape Information the relevant Security Notes will
be displayed.
Alternatively you can check for relevant notes online at http://service.sap.com/securitynotes . In order to find SAP HANA
related Security Notes, you can filter by 'HAN*' and 'BC-XS-SEC'. Note that the actual list of components may change over
time. You find the complete list of relevant application components in the latest SAP HANA Master Guide.

25. How can a user be copied including roles and privileges?


It is not easily possible to copy a user with the related catalog roles. The procedure to copy a user including repository roles is
described in the section "Copy a User Based on SAP HANA Repository Roles" of the SAP HANA Administration Guide.
(Direct Link: Copy a User Based on SAP HANA Repository Roles (Updated: 08/22/2017))

26. How can the SAP HANA internal network be configured in a secure manner?
SAP Note 2183363 provides recommendations for a secure configuration of the SAP HANA internal network.

27. Is there something specific to consider related to GRANT and REVOKE of privileges and roles in SAP HANA environments?
In SAP HANA, privileges and roles can be granted to a user (grantee) by different users (grantors). Each grant, if successful, is
persisted in the database catalog and uniquely identified by grantor, grantee, and the role or the privilege. This leads to
the following behavior during the revoke of the role or privilege:
When a role or privilege is revoked from a user, this user can still have the same role or privilege if granted by other users.
A REVOKE statement executes successfully, even if the executing user (revoker) did not grant any role or privilege to the user from whom the statement tries to revoke the role or privilege. See SAP Note 2210758 for more details.

28. What is the purpose of the RESOURCE ADMIN privilege?


RESOURCE ADMIN is required for administration tasks like resetting SAP HANA monitoring views (ALTER SYSTEM
RESET MONITORING VIEW) or creating a runtime dump (SAP Note 1813020). Originally this privilege wasn't granted to
the DBA_COCKPIT role but as of 2016 it will be included. If required you can manually grant this privilege to the
DBA_COCKPIT role:

GRANT RESOURCE ADMIN TO DBA_COCKPIT


29. How can SSL be activated and deactivated?
The following SAP HANA parameters can be used to activate and deactivate SSL:

Parameter | Default | SAP Note | Details

global.ini -> [communication] -> sslclientpki | off (<= 2.0 SPS 05 or after upgrade to >= 2.0 SPS 06), on (new installation on >= 2.0 SPS 06) | 3015354 | If set to 'on', certificates are managed within the database and earlier custom PSEs can no longer be used

global.ini -> [communication] -> ssl | off | 2256091 | If set to 'on', the SAP HANA internal communication uses SSL.

global.ini -> [system_replication_communication] -> enable_ssl | off | 2256091 | If set to 'on', the SAP HANA system replication communication uses SSL.

global.ini -> [system_replication_communication] -> enable_ssl[<target_site_id>] | identical to enable_ssl setting | | This setting selectively controls if SSL is used when communicating with the system replication site ID <target_site_id>. It allows you to use SSL only selectively in multi-tier system replication setups.

On SAP ABAP side you can deactivate encryption with the following parameter setting:

dbs/hdb/connect_property = ENCRYPT=FALSE

Be aware that further actions are required to actually use SSL (e.g. installation of crypto library and configuration of
certificates).
SSL can sometimes cause trouble, e.g.:
Indexserver crash with SAP HANA Rev. 1.00.102.04 (SAP Note 2342846)
Inconsistent session due to network package loss when a runtime dump is triggered (SAP Note 2338828)
In these situations it can be useful to temporarily disable SSL.
For more information related to SSL see SAP Note 2487639. SAP Note 2913117 provides instructions on how to collect the data
required to analyze and resolve SSL issues. SAP Note 2475246 explains how SSL can be activated for ABAP application
servers. SAP Note 2891130 provides information about SSL in the context of sapinst / SWPM / SUM.
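
The parameters named in questions 11 and 29 can be reviewed automatically. The following Python check is an added example, not part of the SAP Note or of any SAP tool: it parses ini file contents and reports a detailed connect error setting that was left enabled, an authorization trace that is still active, and SSL switches that are off. The ini contents are constructed, and the file name indexserver.ini, the function names, the value normalisation and the fact that only the supplied text is read (not SAP HANA's layered configuration) are assumptions.

```python
import configparser

ENABLED = {"true", "on", "yes", "1"}  # value normalisation assumed for this example

# global.ini switches from question 29; the article lists 'off' as default for both.
SSL_SWITCHES = [
    ("communication", "ssl",
     "SAP HANA internal communication does not use SSL"),
    ("system_replication_communication", "enable_ssl",
     "system replication communication does not use SSL"),
]


def _value(cp, section, key, default=None):
    """Lower-cased parameter value, or the default if section/key is absent."""
    if cp.has_option(section, key):
        return cp.get(section, key).strip().lower()
    return default


def audit(ini_files):
    """ini_files maps file name -> content; returns (file, parameter, value, finding)."""
    findings = []
    for name, content in ini_files.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(content)

        # Question 11: both settings are described as temporary aids.
        v = _value(cp, "password policy", "detailed_error_on_connect")
        if v in ENABLED:
            findings.append((name, "[password policy] detailed_error_on_connect", v,
                             "not to be activated permanently (SAP Note 2216869)"))
        v = _value(cp, "trace", "authorization")
        if v == "info":
            findings.append((name, "[trace] authorization", v,
                             "authorization trace still active"))

        if name != "global.ini":
            continue

        # Question 29: a missing key means the documented default 'off'.
        for section, key, message in SSL_SWITCHES:
            v = _value(cp, section, key, "off")
            if v not in ENABLED:
                findings.append((name, f"[{section}] {key}", v, message))

        # Per-site overrides enable_ssl[<target_site_id>] can switch SSL off
        # for one replication target even when enable_ssl itself is 'on'.
        section = "system_replication_communication"
        if cp.has_section(section):
            for key, raw in cp.items(section):
                v = raw.strip().lower()
                if key.startswith("enable_ssl[") and v not in ENABLED:
                    findings.append((name, f"[{section}] {key}", v,
                                     "SSL disabled for this replication site"))
    return findings


# Constructed configuration with the settings the checks look for.
WEAK = {
    "global.ini": """
[system_replication_communication]
enable_ssl = on
enable_ssl[3] = off

[password policy]
detailed_error_on_connect = true
""",
    "indexserver.ini": """
[trace]
authorization = info
""",
}

# The same files after correction (also constructed).
FIXED = {
    "global.ini": """
[communication]
ssl = on

[system_replication_communication]
enable_ssl = on
enable_ssl[3] = on

[password policy]
detailed_error_on_connect = false
""",
    "indexserver.ini": """
[trace]
""",
}

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(" | ".join(finding))
```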

30. Do I need the root user for performing SAP HANA administration tasks?
Local hdblcm activities can be executed via sudo, so no explicit root password is required.
Remote administration activities in scale-out scenarios can be realized via saphostagent without having to use the root user.
See section "Centralized Execution of Platform LCM Tasks" in the SAP HANA Administration Guide for details.

31. Can I configure encrypted communication from a SAP ABAP system to SAP HANA?
Yes, encryption and single-sign-on (SSO) can be configured either system wide or for specific database connections. You can
define additional connect properties like ENCRYPT=TRUE either in DBSL (for all connections to any SAP HANA, SAP Note
1761693) or for a specific database connection (SAP Note 2005856 and 1983389). For additional details see also section
Secure Communication Between SAP HANA and JDBC/ODBC Clients in the SAP HANA Security Guide. See SAP Note
2472944 for typical scenarios of SSO errors.

32. How can I get a security check from SAP for a specific system?
Like for ABAP and JAVA systems SAP offers a Security Optimization Service for SAP HANA (see also the SAP Security
Optimization Services Portfolio). During the Service an SAP Support Engineer performs a set of standardized checks and
provides a report that is walked-through and discussed in a wrap-up call.
Checks on the following topics are included:
Maintenance of SAP code
Configuration parameters
Encryption master keys
Auditing
Diagnosis files
Users and authorizations
The standard service is delivered in a 1 day remote analysis. If required for your scenario the scope of checks can be extended
based on a custom-tailored offering.

33. How can I configure the retention of audit data?


Retention for audit data in the auditing table CS_AUDIT_LOG_ can be defined on policy level starting with SAP HANA 2.0
SPS 04:

ALTER AUDIT POLICY <policy> SET RETENTION <days>

Per default the retention is forever. It can be reactivated via:

ALTER AUDIT POLICY <policy> RESET RETENTION

The following SAP HANA parameter is used to control the minimum retention time that overrules policy specific settings
(default: 7 days):

global.ini -> [auditing configuration] -> minimal_retention_period = <days>

34. Where can I find more information for LDAP?


See SAP Note 2975780 for more information related to LDAP based authorization and authentication in SAP HANA
environments.

35. Where can I find more information about using SAP HANA auditing?
See SAP Notes 3421606 and 3027477 for more information about SAP HANA auditing.
SAP Note 3016478 provides a good overview of audit policy suggestions for S/4HANA systems.
36. Is SSL communication useful within a single data center?
Yes, even if the servers for SAP HANA and the application are located within the same data center it is recommended to
secure the communication with the TLS/SSL protocol to:
Avoid eavesdropping from any other server within that data center
Comply with audit requirements
There are other possibilities, but encrypting the communication with TLS/SSL is recommended because:
Performance impact is negligible
Effort compared to creating a VPN tunnel or firewall is less.

Keywords
SAP HANA security roles privileges users schemas grant revoke permission SSFS authentication login logon authorization
Kerberos encryption crypto library

Attributes
Key Value

Other Components SAP HANA > SAP HANA Database (HAN-DB)

Products

SAP HANA, platform edition all versions

This document refers to


SAP Note/KBA Component Title

3543492 HAN-DB-SEC How-To: Troubleshoot Authentication Errors Using View AUTHENTICATION_ERROR_DETAILS From HANA 2.0 SPS08

3027477 HAN-DB-SEC General information about auditing activity in SAP HANA

2913117 HAN-DB-SEC HANA Basic How-To Series - HANA and SSL / TLS - Collecting Support Data for SSL / TLS related Tickets

2487639 HAN-DB-SEC HANA Basic How-To Series - HANA and SSL / TLS - LEAD KBA

2475246 HAN-DB-SEC How to configure HANA DB connections using SSL from ABAP instance

2472944 HAN-DB-SEC FAQ: Single Sign-On errors using SAML, Kerberos, X.509 and Analysis for Office

2400005 HAN-DB-PER FAQ: SAP HANA Persistence

2380176 HAN-DB FAQ: SAP HANA Database Trace

2313619 HAN-DB-MON How-To: Generating and Evaluating SAP HANA Call Stacks

2127458 HAN-DB FAQ: SAP HANA Loads and Unloads

2119087 HAN-DB How-To: Configuring SAP HANA Traces

2114710 HAN-DB-MON FAQ: SAP HANA Threads and Thread Samples

2100009 HAN-DB-ENG FAQ: SAP HANA Savepoints

2082406 HAN-DB-MON How to handle HANA Alert 62: Expiration of database user passwords

2081869 HAN-DB-MON How to handle HANA Alert 64: 'Total memory usage of table-based audit log'

2081857 HAN-DB-MON Handle HANA Alert 63: Granting of SAP_INTERNAL_HANA_SUPPORT role

2057046 HAN-DB-ENG FAQ: SAP HANA Delta Merges

2000000 HAN-DB-PERF FAQ: SAP HANA Performance Optimization

1994962 HAN-DB How-To: Activation of Hybrid LOBs in SAP HANA

1977221 HAN-DB-MON How to handle HANA Alert 57: 'Secure store file system (SSFS) availability'

1925267

3421606 HAN-DB-SEC FAQ: SAP HANA Auditing Activity

3016478 XX-PROJ-CON-SEC HANA Audit Policies for S/4HANA

3015354 HAN-DB-SEC Setting the SSL Purpose for a Personal Security Environment (PSE) Store Fails With an Error "* 5657: PSE purpose blocked by configuration: Set Purpose SSL is blocked by ini file parameter sslclientpki = on"

2975780 HAN-DB-SEC FAQ: SAP HANA LDAP Based Authentication and Authorization

2891130 HAN-LM-INS-SAP Handling of SAP HANA Encryption Parameters in SWPM and SUM

2465027 HAN-DB Deprecation of SAP HANA extended application services, classic model and SAP HANA Repository

1969700 HAN-DB SQL Statement Collection for SAP HANA

How to Define Standard Roles for Administrators and Developers in SAP HANA

SAP HANA Security Checklist

SAP HANA Security Guide

Securing Data Communication

SAP HANA Security

Developing Roles in SAP HANA (example)

Security SAP Notes

SAP HANA Administration Guide

Developing Roles in SAP HANA

SAP HANA Audit Trail - Best Practice
