SAP HANA’s Dynamic Data Masking: The Smarter Way
SAP HANA is a high-performance in-memory database that accelerates data-driven, real-time decision-making. It supports all workloads with advanced analytics on multi-model data, both on-premise and in the cloud.
SAP HANA offers a robust security system to help safeguard your data. In addition to the authentication and single sign-on, user, role and authorization management, audit logging, and encryption functionality it already had, SAP HANA offers native dynamic data masking.
Authorization is the primary means of controlling access. The privilege framework of SAP HANA is based on standard SQL privileges and allows fine-grained control, with extensions for use cases such as dashboards or reporting. Roles allow for an efficient separation of duties.
Native data masking alters how data appears in views without modifying the underlying data. Because the stored values remain unchanged, the database can still carry out calculations on them. Masking introduces an additional access control layer that can be added to views in order to protect sensitive or confidential columns from power users with broad view access. For example, if a column displays employee social security numbers and some users need SELECT rights on the view or schema but must not see the plain values, you can apply dynamic data masking to that column. Note that masking changes what the view returns, not who may query it: it supplements SELECT authorization rather than replacing it, so SELECT on a masked view should still be granted deliberately.
Imagine you have a view called “Employee Information” with the fields Surname, First Name, and SSN, and two users who access it. Both users have SELECT rights on the “Employee Information” view; SELECT is required to read the view at all, regardless of whether the data is masked. The SSN field is masked, so only the user who additionally holds the UNMASKED privilege sees the plain text values; the other user sees the masked form.
How to Configure Masking?
In SAP HANA, dynamic data masking is configured directly in the view definition. The masking expression is up to you: a static value, a built-in function, or a user-defined function or stored procedure of your choice. The expression must, however, preserve the data type and the original data length of the column.
The UNMASKED privilege on a masked view can initially be granted only by the owner of the schema or view. When a view is built on another view, the privileges of the dependent view’s owner are what count: definer mode applies.
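The following SQL script is an added example, not code from the original article or from SAP, that builds the “Employee Information” scenario described above and shows where the configuration steps from the previous two paragraphs sit in the view definition. The schema HR, the table EMPLOYEES, the users HR_CLERK and HR_ADMIN (assumed to already exist) and the sample rows are all constructed for illustration.

```sql
-- Added example (not from the original article or from SAP): the "Employee
-- Information" scenario in SAP HANA SQL. Schema HR, table EMPLOYEES, users
-- HR_CLERK and HR_ADMIN (assumed to exist) and the rows are constructed.

-- Source table with one sensitive column.
CREATE SCHEMA HR;
CREATE COLUMN TABLE HR.EMPLOYEES (
    SURNAME    NVARCHAR(100),
    FIRST_NAME NVARCHAR(100),
    SSN        NVARCHAR(11)    -- stored in plain text; only its presentation is masked
);
INSERT INTO HR.EMPLOYEES VALUES ('Doe', 'Jane',    '123-45-6789');
INSERT INTO HR.EMPLOYEES VALUES ('Roe', 'Richard', '987-65-4321');

-- The mask is part of the view definition. The masking expression keeps the
-- column's type and length (NVARCHAR(11) in, 11 characters out). Here it is a
-- built-in expression; a literal or a scalar user-defined function also works.
CREATE VIEW HR.EMPLOYEE_INFORMATION AS
    SELECT SURNAME, FIRST_NAME, SSN
      FROM HR.EMPLOYEES
    WITH MASK (SSN USING 'XXX-XX-' || RIGHT(SSN, 4));

-- Both users need SELECT; without it neither sees any row, masked or not.
GRANT SELECT ON HR.EMPLOYEE_INFORMATION TO HR_CLERK;
GRANT SELECT ON HR.EMPLOYEE_INFORMATION TO HR_ADMIN;

-- Only the view owner (the user that ran CREATE VIEW) can initially grant the
-- object privilege that lifts the mask.
GRANT UNMASKED ON HR.EMPLOYEE_INFORMATION TO HR_ADMIN;

-- Run as HR_CLERK, SSN comes back as XXX-XX-6789 and XXX-XX-4321.
-- Run as HR_ADMIN, the same statement returns the plain values.
SELECT SURNAME, FIRST_NAME, SSN FROM HR.EMPLOYEE_INFORMATION;

-- A view stacked on the masked view: whether SSN is unmasked here is decided
-- against the privileges of EMPLOYEE_DIRECTORY's owner (definer mode), not
-- against the user running the query.
CREATE VIEW HR.EMPLOYEE_DIRECTORY AS
    SELECT SURNAME, SSN FROM HR.EMPLOYEE_INFORMATION;

-- Masks are changed or removed with ALTER VIEW rather than by recreating the view.
ALTER VIEW HR.EMPLOYEE_INFORMATION ALTER MASK (SSN USING 'XXX-XX-XXXX');
ALTER VIEW HR.EMPLOYEE_INFORMATION DROP MASK (SSN);
```

The replacement mask in the ALTER MASK statement is also 11 characters long, which keeps the original length constraint; a mask that returned a different type or length would not satisfy the rule stated above.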
The SAP HANA Security Guide documents the configuration of the data masking feature in detail and includes examples of how to configure the different types of masking.
In addition to configuring masking directly through SQL statements, as described in the SAP HANA Security Guide, SAP also provides tooling support for configuring masking in the SAP HANA WebIDE.
Configuring Data Masking in the SAP HANA WebIDE
Briefly, after you have selected the column you want to mask, you specify the data masking expression for that column. You can define a simple static masking value or invoke built-in functions. Every user who needs to access the plain text data must be granted the object privilege UNMASKED on the view.