PUBLIC

Document Version: 2022.12 – 2022-06-01

Security Guide
© 2022 SAP SE or an SAP affiliate company. All rights reserved.

THE BEST RUN

Content

1 SAP Data Warehouse Cloud Security Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.1 Cloud Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Identity Provider Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Password Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Application Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Database Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.5 Authorizations and Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Data Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.6 Audit Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.7 Data Protection and Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Personal Data Record. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Deletion of Personal Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Cookies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.8 Compliance Standards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Security Guide
2 PUBLIC Content
1 SAP Data Warehouse Cloud Security
Guide

The SAP Data Warehouse Cloud Security Guide is the entry point for all information relating to the secure
operation and configuration of SAP Data Warehouse Cloud.

Security has always been an important element for the complete product life cycle of all SAP products,
including product development, planning, and quality assurance. Like the other SAP products, SAP Data
Warehouse Cloud was designed to fulfill the highest security standards which guarantee the safety of your data
both from web attacks and from attacks in the cloud.

Some of the most important security focus areas are listed in the following interactive image:

● Authorizations and Roles [page 9]

● User Management [page 5]
● Data Protection and Privacy [page 10]
● Identity Provider Settings [page 4]
● Cloud Network and Communication Security [page 4]

Security Guide
SAP Data Warehouse Cloud Security Guide PUBLIC 3
SAP provides capabilities to support you in implementing your requirements and concepts of security and data
protection within the SAP Data Warehouse Cloud system landscape. On your side, you need to make sure to:

● Create and assign appropriate roles to your users. See Managing Roles and Privileges.
● Set up a secure data integration to the systems to which you connect to access data. See Integrating Data
via Connections.

1.1 Cloud Network and Communication Security

SAP Data Warehouse Cloud supports encrypted communication for network communication channels.

We recommend using encrypted channels in all cases where your network isn't protected by other security
measures against attacks such as eavesdropping, for example, when your network is accessed from public
networks.

The following network communication channels are used by SAP Data Warehouse Cloud:

● Secure communication with SAP HANA using a client supporting JDBC/ODBC.

This is limited to one use case: full access to an open SQL schema of the space.
Separate users are available in Space Management for every open SQL schema. These users are
considered "technical users". There is exactly one user for every open SQL schema.
Basic authentication is supported for these technical users. Unencrypted connections to the database are
not accepted.
● A channel used for modeling and administration via the SAP Data Warehouse Cloud web UI as well as for
doing analytics using SAP Analytics Cloud (for SAP Data Warehouse Cloud tenants that were initially
provisioned prior to version 2021.03). This channel is used by business users and administrators who
authenticate against an identity provider.
● Secure communication between SAP Data Warehouse Cloud and its command line interface, dwc.
The command line interface, dwc, communicates with the SAP Data Warehouse Cloud tenant through
https. Connections are protected using TLS/SSL and the user must supply a single-use passcode for each
command issued via dwc.

1.2 Identity Provider Settings

One identity provider for both SAP Data Warehouse Cloud and SAP Analytics Cloud.

SAP Data Warehouse Cloud and SAP Analytics Cloud share the same authentication mechanism. In your
tenant, choose  My Products , go to Analytics and then change the identity provider settings there. Once
changed, you can use that identity provider to logon to SAP Data Warehouse Cloud as well.

 Note

Any tasks (for instance, remote table replication or view persistency tasks) scheduled before you change
the IdP configuration might fail to start. For more information about the issue and how to solve it, refer to
the SAP Note 3089828

Security Guide
4 PUBLIC SAP Data Warehouse Cloud Security Guide
For more information on the identity provider settings, please see Enabling a Custom SAML Identity Provider in
the SAP Analytics Cloud Help documentation.

For further information on using your SAP Cloud Platform Identity Authentication service tenant as an identity
provider or a proxy to your own identity provider to host your business users take a look at Manually Establish
Trust and Federation Between UAA and SAP Cloud Platform Identity Authentication Service in the SAP Cloud
Platform documentation.

1.3 Password Policy

The passwords of database users are subject to certain rules. These rules are defined in the password policy.

Required role to configure the password policy: DW Administrator.

The password policy is configured in the Configuration page under Security and applied to your database user
by either editing an exiting user or when creating a new user.

Database Password Policy

Configuration Parameter Additional Information

Password Expiration The number of days for which the initial password or any
password set by a user administrator for a user is valid.

To see how to configure the expiration date for database

users take a look at Set a Password Policy for Database
Users.

1.4 User Management

It is often necessary to specify different security policies for different types of users.

In SAP Data Warehouse Cloud, we differentiate between an application users that can access the SAP Data
Warehouse Cloud web user interface (UI) and database users that can access the underlying SAP HANA
database.

● Application Users [page 6]

● Database Users [page 6]

Security Guide
SAP Data Warehouse Cloud Security Guide PUBLIC 5
1.4.1 Application Users

The application user represents an actual user in SAP Data Warehouse Cloud and can be assigned as a
member to a space.

User Type Description Additional Information

Application User Role required to create the user: DW ● Managing SAP Data Warehouse
Administrator Cloud Users
● Managing Roles and Privileges
Role required to assign the user to a
space: DW Space Administrator

Created through the user interface un­

der  Security →  Users.

The user is added as a member within a

space.

Each user can be assigned with pre-de­

fined roles or assigned to custom roles.

1.4.2 Database Users

The database user is a technical user in SAP Data Warehouse Cloud that can access the underlying SAP HANA
database.

SAP Data Warehouse Cloud provides two different database user types.

Security Guide
6 PUBLIC SAP Data Warehouse Cloud Security Guide
Database User on Space-Level

User Type Description Additional Information

Database User Required role to create: DW Space Ad­ ● For more information on the public
ministrator role, see Predefined Database
(Catalog) Roles.
Created and edited through the user in­
● Create a Database User
terface under Space Management →
● Exchanging Data with SAP SQL
<Space Name> → Database Access →
Data Warehousing HDI Containers
Database Users.

Different privileges can be assigned and

combined when creating this user:

● Write on Open SQL schema

Creates an open SQL schema and
the user is granted the public
role.
The database user is the owner
and has read and write privileges
on this schema.
Possible use-case: Connects exter­
nal tools and pulls data
The credentials of this user are
shown in the UI when creating the
schema and are not stored in SAP
Data Warehouse Cloud. Resetting
the password is possible by using
the UI to edit the database user.
● Read on space schema
The user can read the data that
has been exposed.
Possible use-case: Connects exter­
nal tools and pushes data
An option is provided to allow this
user to additionally grant the
select privilege to other users.
Connects to an HDI container (in­
gesting or exposing to an HDI con­
tainer).

Security Guide
SAP Data Warehouse Cloud Security Guide PUBLIC 7
Database User on Tentant-Level (Extended Capabillities)

User Type Description Additional Information

Database Analysis User Required role to create: DW Administra­ Database Analysis User
tor
Read access on the underlying SAP
HANA database Created and edited through the user in­
terface under Configuration→ Database
Access → Database Analysis User.

Connects to the SAP HANA Cloud data­

base to analyze, diagnose and solve da­
tabase issues.

Can be set to expire automatically mak­

ing the user inactive.

Can read all space data, SAP HANA

monitoring views, traces, reproduce is­
sues and use explain plan.

Database User Group Administrator Required role to create: DW Administra­ Creating Database User Groups
tor
Read and write access on the underly­
ing SAP HANA database Created and edited through the user in­
terface under Configuration→ Database
Access → Database User Group.

Isolated environments that offer addi­

tional capabilities to work on the SAP
HANA Cloud database without compro­
mising on security. The administrator of
the group is automatically generated
when creating the user group.

Creates SQL users, creates schemas,

performs DDL, DML and uses SQL with
additional capabilities.

Can be launched via SAP HANA data­

base explorer.

Security Guide
8 PUBLIC SAP Data Warehouse Cloud Security Guide
1.5 Authorizations and Roles

SAP Data Warehouse Cloud uses the space concept to ensure data governance.

Authorizations on Data-Level

Authorization is managed through the space concept meaning artifacts such as tables, views or stories as well
as data in a particular space are only visible for users assigned to that space. On the other side, users assigned
to a particular space have access to all artifacts and data of that space.

Spaces partition data into areas of responsibility and authority. This combined nature of data residence and
data responsibility needs to be taken into account when creating an authorization concept.

Authorizations and Roles on Application-Level

Application-level authorizations for business users and administrators are maintained in Security Roles
and assigned to users in Security Users . The roles determine which parts of the UI the assigned users
are allowed to access and what the users are allowed to do in SAP Data Warehouse Cloud.

Related Information

Managing SAP Data Warehouse Cloud Users

Managing Roles and Privileges

1.5.1 Data Access Control

Data access controls allow you to apply row-level security to your objects. When a data access control is
applied to a data layer view or a business layer object, the rows of data contained in the object are filtered
based on the specified criteria.

Your criteria are defined in a table or view that lists SAP Data Warehouse Cloud user IDs (in the form required
by your identity provider) and assigns them to one or more criteria.

For more information on creating and applying Data Access Controls see Securing Data with Data Access
Controls.

Security Guide
SAP Data Warehouse Cloud Security Guide PUBLIC 9
1.6 Audit Logging

Audit logs are records of read or change actions performed in the database. They allow you to see who did what
and when.

Space Administrators can enable audit logs for read or change actions in their space. For more information, see
Enable Audit Logging.

Administrators can then get an overview of space audit logs and delete them if needed (for example to free up
disk space). You analyze audit logs by assigning the audit views to a space and then work with them in a view in
the Data Builder. For more information, see Monitor Database Operations with Audit Logs.

1.7 Data Protection and Privacy

Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with general data protection and privacy acts, it is necessary to consider compliance with industry-
specific legislation in different countries.

SAP provides specific features and functions to support compliance with regard to relevant legal requirements,
including data protection. SAP does not give any advice on whether these features and functions are the best
method to support company, industry, regional, or country-specific requirements. Furthermore, this
information should not be taken as advice or a recommendation regarding additional features that would be
required in specific IT environments. Decisions related to data protection must be made on a case-by-case
basis, taking into consideration the given system landscape and the applicable legal requirements.

 Note

SAP does not provide legal advice in any form. SAP software supports data protection compliance by
providing security features and specific data protection-relevant functions, such as simplified blocking and
deletion of personal data. In many cases, compliance with applicable data protection and privacy laws will
not be covered by a product feature. Definitions and other terms used in this document are not taken from
a particular legal source.

 Caution

The extent to which data protection is supported by technical means depends on secure system operation.
Network security, security note implementation, adequate logging of system changes, and appropriate
usage of the system are the basic technical requirements for compliance with data privacy legislation and
other legislation.

Data Protection and Privacy when Using Data Marketplace

Currently, Data Marketplace does not provide the technical features to compliantly include personal data into
your data products. For the moment, SAP requires you to not use personal data in your products or to
anonymize personal data before transferring it to third parties.

Security Guide
10 PUBLIC SAP Data Warehouse Cloud Security Guide
Personal data covers any information relating to an identified or identifiable natural person (“data subject”). An
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural
person. Natural persons can be identified directly based on, for example, names, phone numbers, e-mail
addresses, postal addresses, user IDs, tax and social insurance numbers or indirectly through a combination of
any other information.

1.7.1 Glossary

The following terms are general to SAP products. Not all terms may be relevant for this SAP product.

Term Definition

Blocking A method of restricting access to data for which the primary

business purpose has ended.

Business purpose The legal, contractual, or in other form justified reason for
the processing of personal data to complete an end-to-end
business process. The personal data used to complete the
process is predefined in a purpose, which is defined by the
data controller. The process must be defined before the per­
sonal data required to fulfill the purpose can be determined.

Consent The action of the data subject confirming that the usage of
his or her personal data shall be allowed for a given purpose.
A consent functionality allows the storage of a consent re­
cord in relation to a specific purpose and shows if a data
subject has granted, withdrawn, or denied consent.

Data subject Any information relating to an identified or identifiable natu­

ral person ("data subject"). An identifiable natural person is
one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identification
number, location data, an online identifier, or to one or more
factors specific to the physical, physiological, genetic, men­
tal, economic, cultural, or social identity of that natural per­
son.

Deletion Deletion of personal data so that the data is no longer avail­

able.

End of business Defines the end of active business and the start of residence
time and retention period.

Security Guide
SAP Data Warehouse Cloud Security Guide PUBLIC 11
Term Definition

End of purpose (EoP) The point in time when the processing of a set of personal
data is no longer required for the primary business purpose,
for example, when a contract is fulfilled. After the EoP has
been reached, the data is blocked and can only be accessed
by users with special authorizations (for example, tax audi­
tors).

End of purpose (EoP) check A method of identifying the point in time for a data set when
the processing of personal data is no longer required for the
primary business purpose. After the EoP has been reached,
the data is blocked and can only be accessed by users with
special authorization, for example, tax auditors.

Personal data Any information relating to an identified or identifiable natu­

ral person ("data subject"). An identifiable natural person is
one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identification
number, location data, an online identifier, or to one or more
factors specific to the physical, physiological, genetic, men­
tal, economic, cultural, or social identity of that natural per­
son.

Purpose The information that specifies the reason and the goal for
the processing of a specific set of personal data. As a rule,
the purpose references the relevant legal basis for the proc­
essing of personal data.

Residence period The period of time between the end of business and the end
of purpose (EoP) for a data set during which the data re­
mains in the database and can be used in case of subse­
quent processes related to the original purpose. At the end
of the longest configured residence period, the data is
blocked or deleted. The residence period is part of the over­
all retention period.

Retention period The period of time between the end of the last business ac­
tivity involving a specific object (for example, a business
partner) and the deletion of the corresponding data, subject
to applicable laws. The retention period is a combination of
the residence period and the blocking period.

Security Guide
12 PUBLIC SAP Data Warehouse Cloud Security Guide
Term Definition

Sensitive personal data A category of personal data that usually includes the follow­
ing type of information:

● Special categories of personal data, such as data reveal­

ing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, genetic
data, biometric data, data concerning health or sex life
or sexual orientation.
● Personal data subject to professional secrecy
● Personal data relating to criminal or administrative of­
fenses
● Personal data concerning insurances and bank or credit
card accounts

Technical and organizational measures (TOM) Some basic requirements that support data protection and
privacy are often referred to as technical and organizational
measures (TOM). The following topics are related to data
protection and privacy and require appropriate TOMs, for ex­
ample:

● Access control: Authentication features

● Authorizations: Authorization concept
● Read access logging
● Transmission control / Communication security
● Input control / Change logging
● Availability control
● Separation by purpose: Is subject to the organizational
model implemented and must be applied as part of the
authorization concept.

1.7.2 Personal Data Record

Data subjects have the right to receive information regarding their personal data undergoing processing.

There are different kinds of data which might contain personal information about a dedicated person or user.

● Transactional- and masterdata as such can contain personal data.

To provide a personal data record, an understanding of the data model and corresponding semantics is
required. As the owner of the data model, the customer is responsible to implement this feature. This can
be done by defining suitable views collecting the personal data of the respective data subjects. These views
can be used as a basis for information reports built with an analytics frontend, such as SAP Analytics
Cloud.
● During creation of data models in SAP Data Warehouse Cloud, the name of the user is persisted (person
responsible for the creation or modification). This personal data can be retrieved from the SAP Data
Warehouse Cloud Repository Explorer.

Security Guide
SAP Data Warehouse Cloud Security Guide PUBLIC 13
1.7.3 Deletion of Personal Data

The handling of personal data is subject to applicable laws related to the deletion of such data at the end of
purpose.

If there is no longer a legitimate purpose that requires the use of personal data, it must be deleted. When
deleting data in a data set, all referenced objects related to that data set must be deleted as well. It is also
necessary to consider industry-specific legislation in different countries in addition to general data protection
laws. After the expiration of the longest retention period, the data must be deleted.

 Note

Note that reporting on an aggregated layer can ease the handling of personal data with respect to deletion.
Aggregated storage of historical data without any references to persons allows you to more easily delete
data in upstream layers.

Being a data warehouse, SAP Data Warehouse Cloud is a secondary persistence receiving data from a leading
system. Consequently, all deletions done for data protection and privacy reasons are also done in the source
system and the deletion can be propagated to SAP Data Warehouse Cloud using a delete-and-reload pattern:
First do the required deletion in the source system, then delete all data in the corresponding SAP Data
Warehouse Cloud tables and replicate from the source system again.

Deleting data is explained in the SAP Data Warehouse Cloud Modeling Guide at Creating a Table (step 10).

1.7.4 Cookies

Cookies management

When log on to SAP Data Warehouse Cloud, session cookies are stored for authentication purpose and are
deleted when the session is closed. Additional persistent cookies might be used to store the most recent
choices for content language and user interface language.

1.8 Compliance Standards

Compliance standards for SAP Data Warehouse Cloud.

SAP Data Warehouse Cloud is compliant with:

● ISO/IEC 27001 Security Management System

For more information, see Information Security Management System
● ISO/IEC 22301 Business Continuity Management System
For more information, see Business Continuity Management System .
● SOC 1 Type 2
For more information, see SAP Business Technology Platform SOC 1 (ISAE3402) Audit Report 2021 H1 .
● SOC 2 Type 2
For more information, see SAP Business Technology Platform SOC 2 Audit Report 2021 H1 .

Security Guide
14 PUBLIC SAP Data Warehouse Cloud Security Guide
● STAR Certification: ISO/IEC 27001:2013
For more information, see STAR Registry Listing for SAP Business Technology Platform .
● CSA STAR, CCM version 3.0.1
For more information, see SAP Business Technology Platform CSA STAR Certificate .
● EU Cloud CoC European Data Protection Code of Conduct for Cloud Service Providers (‘EU Cloud CoC’) in
its version 2.11 (‘v2.11’)
For more information, see SAP Business Technology Platform EU Cloud CoC .

Security Guide
SAP Data Warehouse Cloud Security Guide PUBLIC 15
Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities,
genders, and abilities.

Security Guide
16 PUBLIC Important Disclaimers and Legal Information
Security Guide
Important Disclaimers and Legal Information PUBLIC 17
www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.

THE BEST RUN