Module 15: Security and Authorization
Implement comprehensive security measures for SLT replication environments.
1. Security Architecture
graph TD
A[User] -->|Authentication| B[SAP Logon]
B -->|Authorization| C[SLT Authorization]
C -->|Encrypted| D[Source System]
C -->|Encrypted| E[Target System]
D -->|Data Masking| F[Sensitive Data]
E -->|Encryption| G[Storage]
2. User Authorization
Authorization Objects
Transaction: SU21 (Maintain Authorization Objects)
Key Objects for SLT:
├── S_DMC_CONF: Configuration maintenance
├── S_DMC_MON: Monitoring access
├── S_DMC_OPER: Operational tasks
└── S_TABU_NAM: Table access control
Authorization Roles
Transaction: PFCG (Role Maintenance)
Role: Z_SLT_ADMIN
├── Description: SLT Administrator
├── Menu: Full SLT transactions
└── Authorizations:
    ├── S_DMC_CONF: Activity = 01,02,03 (Create, Change, Display)
    ├── S_DMC_MON: All monitoring
    ├── S_TABU_NAM: All tables
    └── S_RFC: Full RFC access
Role: Z_SLT_OPERATOR
├── Description: SLT Operator
├── Menu: Limited transactions
└── Authorizations:
    ├── S_DMC_CONF: Activity = 03 (Display only)
    ├── S_DMC_MON: All monitoring
    ├── S_DMC_OPER: Start/stop replication
    └── S_RFC: Display only
Role: Z_SLT_MONITOR
├── Description: SLT Monitor
├── Menu: Monitoring only
└── Authorizations:
    ├── S_DMC_CONF: Activity = 03 (Display only)
    ├── S_DMC_MON: All monitoring
    └── Read-only access
3. Network Security
Secure Network Communication (SNC)
Configuration: SLT → Advanced Settings → Security
Enable SNC:
☑ Use Secure Network Communication
Quality of Protection: ● Maximum
Crypto Library: /usr/sap/SLT/SYS/exe/run/sapcrypto.so
My Name: p:CN=slt-server, O=Company, C=US
Partner Name: p:CN=erp-source, O=Company, C=US
SSL/TLS Configuration
# Generate a self-signed SSL certificate (no CA involved; for production, have a CA sign server.csr instead)
cd /usr/sap/SLT/DVEBMGS00/sec
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
-- Configure HANA to use SSL (SQL statement)
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
SET ('communication', 'ssl') = 'on',
('ssl', 'sslkeystore') = '/usr/sap/HDB/SYS/sec/sslkeystore.pse',
('ssl', 'ssltruststore') = '/usr/sap/HDB/SYS/sec/ssltruststore.pse'
WITH RECONFIGURE;
# Test SSL connection
hdbsql -n hana-server:30013 -e -sslprovider commoncrypto -ssltruststore /path/to/truststore.pse
4. Data Encryption
Encryption at Rest
-- Enable HANA data volume encryption
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
SET ('persistence', 'encryption') = 'on',
('encryption', 'encryption_key_name') = 'SLT_ENCRYPTION_KEY'
WITH RECONFIGURE;
-- Create encryption key (the passphrase below is a sample; supply a real one from a secrets store, not from a script)
CREATE ENCRYPTION ROOT KEY 'MyRootKey' ENCRYPTED WITH 'MyPassphrase123!';
-- Enable column encryption for sensitive data
ALTER TABLE SLTREPL.KNA1
ALTER (CUSTOMER_SSN NVARCHAR(11) ENCRYPTED WITH AES256);
Encryption in Transit
All Connections Use TLS 1.2+:
├── ERP → SLT: RFC with SNC
├── SLT → HANA: JDBC with SSL
├── HANA → Analytics: HTTPS/ODBC with SSL
└── Cloud Connector: TLS 1.3
Cipher Suites (Recommended):
├── TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
├── TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
└── TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
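One way to enforce and verify the recommendations above on the client side, as an added Python example that is not part of the original module. The function names are illustrative; the OpenSSL cipher names are the standard equivalents of the IANA names listed above.

```python
# Added example: client-side TLS policy for the recommended suites,
# plus a compliance check for an already negotiated session.
import ssl

# IANA names from the list above -> OpenSSL names used by Python's ssl module.
APPROVED_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}

def build_client_context(cafile=None):
    """Client context: certificate and hostname verification, TLS 1.2 minimum."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; TLS 1.3 suites are managed
    # separately by OpenSSL and stay enabled.
    ctx.set_ciphers(":".join(APPROVED_TLS12.values()))
    return ctx

def unapproved_ciphers(ctx):
    """Enabled pre-TLS-1.3 suites that are not on the approved list."""
    allowed = set(APPROVED_TLS12.values())
    return sorted(
        c["name"] for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and c["name"] not in allowed
    )

def session_is_compliant(version, cipher_name):
    """Check the values a live socket reports: SSLSocket.version() and
    SSLSocket.cipher()[0]."""
    if version == "TLSv1.3":
        return True
    return version == "TLSv1.2" and cipher_name in APPROVED_TLS12.values()

if __name__ == "__main__":
    ctx = build_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("unapproved suites still enabled:", unapproved_ciphers(ctx))
```
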
5. Data Masking
Sensitive Data Identification
-- Identify PII columns
SELECT
TABLE_NAME,
COLUMN_NAME,
DATA_TYPE_NAME
FROM TABLE_COLUMNS
WHERE SCHEMA_NAME = 'SLTREPL'
AND (COLUMN_NAME LIKE '%SSN%'
OR COLUMN_NAME LIKE '%CREDIT_CARD%'
OR COLUMN_NAME LIKE '%EMAIL%'
OR COLUMN_NAME LIKE '%PHONE%');
Masking Techniques
Technique 1: Static Masking (Post-Replication)
-- Create masked view
CREATE VIEW SLTREPL_MASKED.KNA1 AS
SELECT
KUNNR,
NAME1,
-- Mask email: john@example.com → j***@example.com
SUBSTRING(EMAIL, 1, 1) || '***@' || SUBSTR_AFTER(EMAIL, '@') as EMAIL,
-- Mask phone: 555-1234 → ***-1234
'***-' || RIGHT(PHONE, 4) as PHONE,
-- Mask SSN: 123-45-6789 → ***-**-6789
'***-**-' || RIGHT(SSN, 4) as SSN,
-- Keep other fields
STREET, CITY, COUNTRY
FROM SLTREPL.KNA1;
-- Grant access to masked view only
GRANT SELECT ON SLTREPL_MASKED.KNA1 TO ANALYTICS_USER;
REVOKE SELECT ON SLTREPL.KNA1 FROM ANALYTICS_USER;
Technique 2: Dynamic Masking (SLT Transformation)
Transaction: LTRC → Transformations
Table: KNA1
Field: SSN
Transformation Type: ● ABAP Routine
ABAP Code:
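RESULT = condense( SOURCE ).
IF RESULT IS NOT INITIAL.
  " Mask all but last 4 digits
  DATA(lv_len) = strlen( RESULT ).
  IF lv_len > 4.
    " substring offsets are zero-based, so the last 4 characters start at lv_len - 4
    RESULT = repeat( val = '*' occ = lv_len - 4 ) && substring( val = RESULT off = lv_len - 4 len = 4 ).
  ENDIF.
ENDIF.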
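The masking rules from Techniques 1 and 2, as an added Python example that is not part of the original module and runs over constructed rows. It goes one step beyond the SQL view and ABAP routine above by fully masking values that are too short or malformed to mask partially; all function names are illustrative.

```python
# Added example: masking rules from the masked view and the ABAP routine.
MASK = "*"

def mask_keep_last(value, keep=4):
    """Mask all but the last `keep` characters (the ABAP routine's rule)."""
    if value is None:
        return None
    value = value.strip()
    if len(value) <= keep:
        # Too short to mask partially: returning it unchanged would expose it.
        return MASK * len(value)
    return MASK * (len(value) - keep) + value[-keep:]

def mask_email(email):
    """john@example.com -> j***@example.com"""
    if email is None:
        return None
    local, sep, domain = email.strip().partition("@")
    if not (sep and local and domain):
        return MASK * 3          # malformed address: reveal no fragment of it
    return local[0] + MASK * 3 + "@" + domain

def _last4_or_mask(value, prefix, min_digits):
    """Shared rule for phone and SSN: fixed prefix plus the last four digits."""
    if value is None:
        return None
    digits = "".join(c for c in value if c.isdigit())
    if len(digits) < min_digits:
        return MASK * len(value.strip())
    return prefix + digits[-4:]

def mask_phone(phone):
    """555-1234 -> ***-1234; needs more than four digits to keep any."""
    return _last4_or_mask(phone, "***-", 5)

def mask_ssn(ssn):
    """123-45-6789 -> ***-**-6789; fewer than nine digits is fully masked."""
    return _last4_or_mask(ssn, "***-**-", 9)

# Constructed sample rows (KUNNR, EMAIL, PHONE, SSN); not real data.
SAMPLE_ROWS = [
    ("0000100001", "john@example.com", "555-1234", "123-45-6789"),
    ("0000100002", "no-at-sign", "1234", "6789"),
]

def mask_row(row):
    kunnr, email, phone, ssn = row
    return (kunnr, mask_email(email), mask_phone(phone), mask_ssn(ssn))
```
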
Technique 3: Tokenization
-- Create token mapping table
CREATE COLUMN TABLE SECURITY.TOKEN_MAP (
ORIGINAL_VALUE NVARCHAR(255),
TOKEN_VALUE NVARCHAR(255),
VALUE_TYPE NVARCHAR(20),
CREATED_AT TIMESTAMP,
PRIMARY KEY (ORIGINAL_VALUE, VALUE_TYPE)
);
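-- Tokenization procedure
CREATE PROCEDURE TOKENIZE_SSN(IN p_ssn NVARCHAR(11), OUT p_token NVARCHAR(255))
AS
BEGIN
    -- Check if token exists (MAX returns NULL instead of raising
    -- "no data found" when there is no mapping yet)
    SELECT MAX(TOKEN_VALUE) INTO p_token
    FROM SECURITY.TOKEN_MAP
    WHERE ORIGINAL_VALUE = :p_ssn
    AND VALUE_TYPE = 'SSN';
    -- Generate new token if not exists
    IF :p_token IS NULL THEN
        p_token = 'TKN' || TO_VARCHAR(SYSUUID);
        INSERT INTO SECURITY.TOKEN_MAP VALUES (
            :p_ssn, :p_token, 'SSN', CURRENT_TIMESTAMP
        );
    END IF;
END;
-- Apply tokenization (a procedure cannot be called from a SELECT,
-- so call it once per distinct SSN)
DO BEGIN
    DECLARE v_token NVARCHAR(255);
    DECLARE CURSOR c_ssn FOR
        SELECT DISTINCT SSN FROM SLTREPL.KNA1 WHERE SSN IS NOT NULL;
    FOR r AS c_ssn DO
        CALL TOKENIZE_SSN(r.SSN, v_token);
        UPDATE SLTREPL.KNA1 SET SSN_TOKEN = :v_token WHERE SSN = r.SSN;
    END FOR;
END;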
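The get-or-create behaviour of the tokenization procedure, as an added Python example that is not part of the original module. It assumes an in-memory SQLite table shaped like SECURITY.TOKEN_MAP in place of HANA, and the function names are illustrative.

```python
# Added example: idempotent tokenization against a TOKEN_MAP-shaped table.
import sqlite3
import uuid

def open_vault():
    """In-memory stand-in for SECURITY.TOKEN_MAP (assumption: SQLite, not HANA)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE TOKEN_MAP (
            ORIGINAL_VALUE TEXT NOT NULL,
            TOKEN_VALUE    TEXT NOT NULL UNIQUE,
            VALUE_TYPE     TEXT NOT NULL,
            CREATED_AT     TEXT DEFAULT CURRENT_TIMESTAMP,
            PRIMARY KEY (ORIGINAL_VALUE, VALUE_TYPE)
        )""")
    return conn

def tokenize(conn, value, value_type="SSN"):
    """Return the existing token for (value, type), creating it if needed."""
    if value is None or not value.strip():
        return None  # do not mint tokens for blank input
    value = value.strip()
    candidate = "TKN" + uuid.uuid4().hex  # random: carries nothing of the value
    with conn:  # single transaction
        # The primary key turns this into a no-op when a mapping already
        # exists, so repeated or concurrent calls cannot create two tokens.
        conn.execute(
            "INSERT OR IGNORE INTO TOKEN_MAP "
            "(ORIGINAL_VALUE, TOKEN_VALUE, VALUE_TYPE) VALUES (?, ?, ?)",
            (value, candidate, value_type))
        row = conn.execute(
            "SELECT TOKEN_VALUE FROM TOKEN_MAP "
            "WHERE ORIGINAL_VALUE = ? AND VALUE_TYPE = ?",
            (value, value_type)).fetchone()
    return row[0]

def detokenize(conn, token):
    """Reverse lookup; this is the operation to restrict to a privileged role."""
    row = conn.execute(
        "SELECT ORIGINAL_VALUE FROM TOKEN_MAP WHERE TOKEN_VALUE = ?",
        (token,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    vault = open_vault()
    first = tokenize(vault, "123-45-6789")   # constructed sample value
    print(first == tokenize(vault, "123-45-6789"), detokenize(vault, first))
```

The mapping table holds the clear values, so access to it and to the reverse lookup needs to be as tightly controlled as the original column.
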
6. Audit Logging
Enable Audit Trail
-- Enable HANA audit policy
CREATE AUDIT POLICY SLT_AUDIT_POLICY
AUDITING SUCCESSFUL
SELECT ON SCHEMA SLTREPL,
INSERT ON SCHEMA SLTREPL,
UPDATE ON SCHEMA SLTREPL,
DELETE ON SCHEMA SLTREPL
LEVEL CRITICAL;
-- Activate policy
ALTER AUDIT POLICY SLT_AUDIT_POLICY ENABLE;
-- View audit log
SELECT
TIMESTAMP,
USER_NAME,
SCHEMA_NAME,
OBJECT_NAME,
ACTION_NAME,
CLIENT_IP,
APPLICATION_NAME
FROM SYS.AUDIT_LOG
WHERE SCHEMA_NAME = 'SLTREPL'
AND TIMESTAMP >= ADD_DAYS(CURRENT_TIMESTAMP, -7)
ORDER BY TIMESTAMP DESC;
SLT Change Logging
-- Log all SLT configuration changes
SELECT
TIMESTAMP,
USER_NAME,
MT_ID,
ACTION,
TABLE_NAME,
CHANGE_DETAILS
FROM /DMIS/LOG_CONFIG
WHERE TIMESTAMP >= ADD_DAYS(CURRENT_DATE, -30)
ORDER BY TIMESTAMP DESC;
-- Monitor unauthorized access attempts
SELECT
TIMESTAMP,
USER_NAME,
MT_ID,
ERROR_MESSAGE
FROM /DMIS/LOG_SECURITY
WHERE ERROR_MESSAGE LIKE '%authorization%'
ORDER BY TIMESTAMP DESC;
7. Compliance
GDPR Compliance
-- Right to Access
CREATE PROCEDURE GET_CUSTOMER_DATA(IN p_customer_id NVARCHAR(10))
AS
BEGIN
SELECT * FROM SLTREPL.KNA1 WHERE KUNNR = :p_customer_id;
SELECT * FROM SLTREPL.VBAK WHERE KUNNR = :p_customer_id;
SELECT * FROM SLTREPL.VBAP WHERE VBELN IN (
SELECT VBELN FROM SLTREPL.VBAK WHERE KUNNR = :p_customer_id
);
END;
-- Right to Erasure
CREATE PROCEDURE DELETE_CUSTOMER_DATA(IN p_customer_id NVARCHAR(10))
AS
BEGIN
-- Log deletion request
INSERT INTO SECURITY.GDPR_LOG VALUES (
:p_customer_id, 'DELETE_REQUEST', CURRENT_USER, CURRENT_TIMESTAMP
);
-- Anonymize instead of delete (preserve referential integrity)
UPDATE SLTREPL.KNA1
SET NAME1 = 'ANONYMIZED',
EMAIL = NULL,
PHONE = NULL,
SSN = NULL
WHERE KUNNR = :p_customer_id;
-- Log completion
INSERT INTO SECURITY.GDPR_LOG VALUES (
:p_customer_id, 'DELETE_COMPLETED', CURRENT_USER, CURRENT_TIMESTAMP
);
END;
Data Retention Policies
-- Create retention policy table
CREATE TABLE SECURITY.RETENTION_POLICY (
TABLE_NAME NVARCHAR(30),
RETENTION_DAYS INT,
ARCHIVE_LOCATION NVARCHAR(255),
PRIMARY KEY (TABLE_NAME)
);
-- Define policies
INSERT INTO SECURITY.RETENTION_POLICY VALUES ('VBAK', 2555, '/archive/sales'); -- 7 years
INSERT INTO SECURITY.RETENTION_POLICY VALUES ('BSEG', 3650, '/archive/finance'); -- 10 years
INSERT INTO SECURITY.RETENTION_POLICY VALUES ('LOG_TABLE', 90, '/archive/logs'); -- 90 days
-- Automatic archival procedure
CREATE PROCEDURE ARCHIVE_OLD_DATA()
AS
BEGIN
DECLARE v_table NVARCHAR(30);
DECLARE v_retention INT;
DECLARE v_archive_path NVARCHAR(255);
FOR v AS (SELECT * FROM SECURITY.RETENTION_POLICY) DO
v_table = v.TABLE_NAME;
v_retention = v.RETENTION_DAYS;
v_archive_path = v.ARCHIVE_LOCATION;
-- Export old data
EXPORT :v_table AS CSV INTO :v_archive_path
WITH CREDENTIALS 'archive_credentials'
WHERE ERDAT < ADD_DAYS(CURRENT_DATE, -:v_retention);
-- Delete archived data
DELETE FROM :v_table
WHERE ERDAT < ADD_DAYS(CURRENT_DATE, -:v_retention);
END FOR;
END;
-- Schedule: Run monthly
8. Access Control
Row-Level Security
-- Create analytic privilege
CREATE ANALYTIC PRIVILEGE AP_SALES_BY_REGION
FOR SCHEMA SLTREPL
RESTRICTION ON _SYS_BI_CP_KNA1 (
DIMENSION LAND1:
'US' FOR USER us_sales_team,
'DE' FOR USER de_sales_team,
'CN' FOR USER cn_sales_team
);
-- Grant privilege
GRANT SELECT ON SLTREPL.KNA1 TO us_sales_team
WITH STRUCTURED PRIVILEGE FILTER AP_SALES_BY_REGION;
-- Result: us_sales_team only sees US customers
Column-Level Security
-- Create SQL analytic privilege
CREATE STRUCTURED PRIVILEGE FILTER SPF_SENSITIVE_COLUMNS
FOR SCHEMA SLTREPL
ON TABLE KNA1:
RESTRICT COLUMN (SSN, CREDIT_CARD)
TO USER security_admin;
-- Regular users cannot see SSN/CREDIT_CARD columns
GRANT SELECT ON SLTREPL.KNA1 TO business_user
WITH STRUCTURED PRIVILEGE FILTER SPF_SENSITIVE_COLUMNS;
9. Security Monitoring
Real-Time Alerts
# Python security monitoring script
import pyodbc
import smtplib
from email.mime.text import MIMEText

def check_failed_logins(cursor):
    # Users with 3 or more failed connects in the last 15 minutes
    cursor.execute("""
        SELECT USER_NAME, COUNT(*) as FAILED_COUNT
        FROM SYS.AUDIT_LOG
        WHERE ACTION_NAME = 'CONNECT'
        AND STATEMENT_STRING LIKE '%failed%'
        AND TIMESTAMP >= ADD_MINUTES(CURRENT_TIMESTAMP, -15)
        GROUP BY USER_NAME
        HAVING COUNT(*) >= 3
    """)
    suspicious_users = cursor.fetchall()
    if suspicious_users:
        send_alert('Failed Login Attempts', suspicious_users)

def check_unauthorized_access(cursor):
    # Statements rejected for missing authorization in the last 15 minutes
    cursor.execute("""
        SELECT USER_NAME, SCHEMA_NAME, OBJECT_NAME
        FROM SYS.AUDIT_LOG
        WHERE ACTION_NAME IN ('SELECT', 'UPDATE', 'DELETE')
        AND COMMENT LIKE '%authorization%failed%'
        AND TIMESTAMP >= ADD_MINUTES(CURRENT_TIMESTAMP, -15)
    """)
    violations = cursor.fetchall()
    if violations:
        send_alert('Unauthorized Access Attempts', violations)

def send_alert(subject, data):
    msg = MIMEText(str(data))
    msg['Subject'] = f'SLT Security Alert: {subject}'
    msg['From'] = 'slt-monitor@company.com'
    msg['To'] = 'security-team@company.com'
    smtp = smtplib.SMTP('smtp.company.com')
    smtp.send_message(msg)
    smtp.quit()

# Run checks every 15 minutes (the script runs once; schedule it, e.g. with cron)
if __name__ == '__main__':
    # Both checks share one connection, which is always closed afterwards
    conn = pyodbc.connect('DSN=HANA_SLT')
    try:
        cursor = conn.cursor()
        check_failed_logins(cursor)
        check_unauthorized_access(cursor)
    finally:
        conn.close()
10. Security Best Practices
Checklist
- Implement role-based access control (RBAC)
- Enable SNC for RFC connections
- Use SSL/TLS for all database connections
- Enable data encryption at rest
- Mask/tokenize sensitive data
- Enable comprehensive audit logging
- Implement GDPR compliance procedures
- Set up data retention policies
- Configure row/column-level security
- Monitor security events in real-time
- Regular security audits (quarterly)
- Penetration testing (annually)
- Security awareness training (all users)
Security Hardening
1. Change default passwords immediately
2. Disable unused RFC destinations
3. Remove unnecessary authorizations
4. Enable password complexity rules
5. Enforce MFA for administrators
6. Regular patching (monthly)
7. Network segmentation (DMZ for SLT)
8. Firewall rules (whitelist only)
9. Log retention (minimum 90 days)
10. Incident response plan documented
Summary
✅ User authorization and roles
✅ Network security (SNC, SSL/TLS)
✅ Data encryption (at rest and in transit)
✅ Data masking and tokenization
✅ Comprehensive audit logging
✅ GDPR and compliance procedures
✅ Row and column-level security
✅ Real-time security monitoring
✅ Security best practices
✅ Hardening checklist
Next: Module 16 - Backup and Disaster Recovery