SAP HANA 2.0 Administration
Security: Users, Privileges, Authentication, Auditing & Encryption
97 flashcards
Can privileges be denied in SAP HANA, and what happens once a needed privilege is found during an authorization check?
How does a restricted SAP HANA user differ from a standard user, and how is one created?
What is cross-database access in SAP HANA, and what is its key limitation regarding direction and privileges?
Which roles must be granted to a restricted SAP HANA user to enable ODBC or JDBC access?
What is the SAP HANA maximum_password_lifetime default, and what do the two unused-password-lifetime parameters default to?
Why is the SAP HANA root key backup critical, and what is required in a disaster recovery?
What is the purpose of SAP HANA user groups, and what can be configured at group level?
Which SAP HANA system privilege is required for user creation, modification, and deletion, and which for creating/dropping roles?
As of SAP HANA 2.0 SPS03, how can you get details about an 'insufficient privilege' error using its GUID?
How is encryption handled across an SAP HANA system replication setup?
What is the SQL sequence to rotate an SAP HANA data-volume encryption root key?
What ALTER USER statements force a password change, exempt a user from the password lifetime, and unlock a locked SAP HANA user?
What are the five SAP HANA audit levels?
What does the SAP HANA password_lock_for_system_user parameter do, and what is its default?
What rules govern object ownership in SAP HANA?
What is the SAP HANA MandatoryAuditPolicy, and what does it always audit?
Where is the SAP HANA default password policy stored, and which views show the effective policy?
How do you enable cross-database access between two SAP HANA tenants, and how is a remote identity created?
What is the future of SAP HANA application privileges?
What does granting an object privilege on a schema (rather than a single object) achieve in SAP HANA?
Which SAP HANA system privilege is needed to run ALTER USER, and which ALTER USER actions are exempt?
When does SAP HANA encryption become active after you enable it, and why isn't the database fully protected immediately?
Which SAP HANA system privileges can only be granted in the system database (not a tenant)?
What is an audit policy in SAP HANA, and what must it specify?
What are the two SAP HANA secure store implementations for protecting root keys, and which is the default?
What is the SAP HANA PUBLIC role, and when is it not granted?
What is the SAP HANA ATTACH DEBUGGER privilege (a privilege on users)?
What is the SAP HANA _SYS_REPO internal user, and can you log on with it?
What audit trail targets does SAP HANA support?
What is the difference between the SAP HANA BACKUP ADMIN and BACKUP OPERATOR system privileges?
Where is the SAP HANA password blacklist stored, and what are its three fields?
What encryption algorithm does SAP HANA use for data-at-rest encryption?
After enabling high isolation, how do you assign a tenant database to its dedicated OS user and group in SAP HANA?
How are SAP HANA security corrections delivered?
What rights does a standard SAP HANA database user get by default, and how is one created?
What is the syntax to grant a system privilege in SAP HANA, and what does WITH ADMIN OPTION add?
How do you reset a lost SAP HANA SYSTEM-user password for a tenant database via SQL from the system database?
How do you reset the SYSTEM-user password of the SAP HANA system database when no equivalent user is available?
What happens to existing connections when an SAP HANA user is deactivated or locked?
How do you remove a GRANT or ADMIN option that was granted by mistake in SAP HANA?
In the SAP HANA password policy, what are the defaults for maximum_invalid_connect_attempts and password_lock_time?
Which Python script and parameter switch an SAP HANA system to high-isolation mode?
Which SAP HANA system view column indicates whether a local user has remote identities in other databases?
How can a user in SAP HANA read a table's contents without holding SELECT on the table itself?
What is an internal personal security environment (PSE) in SAP HANA certificate management?
What is the default audit trail target for an SAP HANA tenant database, and why?
What do analytic privileges control in SAP HANA, and at what granularity?
What is the purpose of auditing in SAP HANA, and which types of actions are typically worth auditing?
Which SAP HANA tool helps troubleshoot authorization errors on object dependencies (e.g., views), and what does it show?
Which SAP HANA system view holds all privileges granted to a user directly or indirectly through roles?
What does the SAP HANA system PKI SSFS protect?
What does high-isolation mode provide in an SAP HANA multitenant system, and what is shared in low isolation?
What is the SAP HANA `_SYS` technical database user?
What are the RESTRICT and CASCADE options when dropping an SAP HANA user, and which is the default?
In a SAML 2.0 SSO setup, what roles do SAP HANA / SAP S/4HANA play, and what is the identity provider?
How should the SAP HANA SYSTEM user be handled after installation, and how is it deactivated/reactivated?
Why does SAP recommend a technical user (not a personal user) own an application's data dictionary in SAP HANA?
What three default user groups does SAP recommend setting up in SAP HANA?
What happens to local password authentication when an SAP HANA user is configured for LDAP authentication?
Where can the SAP HANA audit-trail retention period be set, and what is its minimum?
What is the SAP HANA secure user store (hdbuserstore), and where does it store connection data?
What do the SAP HANA AUDIT ADMIN, AUDIT OPERATOR, and AUDIT READ system privileges each allow?
What is the advantage of SAP HANA certificate collections over storing certificates in the file system?
What are the two types of SAP HANA analytic privilege, and which does SAP recommend?
What is the default SAP HANA minimum password length and password layout, and what is the layout's notation?
How is internal vs. external SAP HANA network communication encrypted, and which parameter enables internal TLS?
What does the SAP HANA CATALOG READ system privilege grant?
What are the six privilege types in SAP HANA?
Which SAP HANA system privilege grants LOAD, UNLOAD, and MERGE operations on tables?
Why can't Kerberos/SPNego SSO typically be used for internet-facing SAP HANA deployments?
When is SAP's monthly security patch day, and what is shared on it?
What is the role of the SAP HANA _SYS_STATISTICS internal user?
Which SAP HANA parameters set the default encryption for newly created tenant databases, and what are their defaults?
Which three ALTER USER statements convert a restricted SAP HANA user into a standard user?
How do package privileges work in the SAP HANA repository, and what is the root package?
What authentication mechanisms does SAP HANA support?
What is the difference between native catalog objects and repository catalog objects in SAP HANA?
How is recursive revocation handled in SAP HANA when a privilege was granted WITH GRANT OPTION down a chain?
Which system views expose SAP HANA audit entries written to the internal table, and which privilege is required?
Why do repository roles and privileges in SAP HANA avoid the side effects of the GRANT/ADMIN option?
What three checks does SAP HANA perform when a user connects, after authenticating the credential?
What is the difference between a CA-signed and a self-signed X.509 certificate for SAP HANA SSO?
Which three layers of data at rest can SAP HANA encrypt?
What are the three types of SAP HANA database user?
What is the difference between a catalog (runtime) role and a repository (design-time) role in SAP HANA?
Which SAP HANA system privilege is needed to create or drop catalog roles, and how are repository roles granted?
Why should you change the SAP HANA instance SSFS and system PKI SSFS master keys after a preinstalled handover?
What is the SAP HANA <sid>adm operating system user used for?
What does the SAP HANA secure store hold?
How do you enable auditing in an SAP HANA tenant database vs. the system database via SQL?
What is the syntax to create a key in the SAP HANA secure user store, including for a tenant database?
Which SAP HANA parameter controls the enabled authentication methods, and where is it set?
In SAP HANA, who can revoke a privilege, and what is the consequence when the same privilege was granted by multiple grantors?
How should the predelivered standard catalog roles (e.g., MONITORING, CONTENT_ADMIN) be used in SAP HANA?
What is the difference between static and dynamic attribute restrictions in an SAP HANA analytic privilege?
Which trace component and level are used to capture a missing-authorization (authorization) trace in SAP HANA?
What are SAP's best-practice recommendations to limit the performance and volume impact of SAP HANA auditing?