Provisioning and Administration with SAP HANA Cloud

Creating SAP HANA Cloud Users

Objectives
After completing this lesson, you will be able to:

After completing this lesson, you will be able to:

  • Create SAP HANA Cloud Users

Creating User Groups and Users

Lesson Overview

In this lesson, you will learn about creating SAP HANA Cloud users and groups.

Business Case

As a database administrator, you want to create SAP HANA Cloud user accounts and groups to easily manage them.

SAP HANA Cloud User Groups

User groups support a separation of user management tasks, allowing you to manage related users together. User groups are an efficient way to manage users. User groups can have:

  • One or more dedicated group administrators

    Every user group has at least one dedicated group administrator. This makes it possible to delegate user management tasks to several users independently of each other. Only the designated group administrator(s) can manage the users in the group. This could be useful, for example, to protect highly-privileged users or technical users from accidental deletion or manipulation.

  • A group-specific configuration, such as password policy settings or client connect restrictions.

Caution

User groups do not control data access. A user's authorizations (roles and privileges) control data access.

Creating User Groups

A user with the system privilege CREATE USERGROUP can create user groups. The database administrator DBADMIN initially has this privilege. By granting CREATE USERGROUP to a user, the database administrator can enable other users to create user groups.

These user group administrators can then designate one or more dedicated administrators for individual user groups by granting the object privilege USERGROUP OPERATOR on the user group, for example:

GRANT USERGROUP OPERATOR ON USERGROUP TechnicalUsers TO TechnicalUsersAdmin WITH GRANT OPTION;

User Group Membership

Group administrators can add new users to a user group with the CREATE USER statement as follows:

CREATE USER <username> SET USERGROUP <usergroupname>;

To move a user from one group to another, a user authorized for both user groups adds the user to the new user group with the ALTER SYSTEM system as follows:

ALTER USER <username> SET USERGROUP <usergroupname>.

The move operation automatically removes the user from the original user group.

Hint
A user can belong to only one user group.
User Group Configuration

In addition to grouping users into meaningful categories, user groups also allow you to mass manage certain user settings and parameters. In this way, you can configure all users in a user group not only quickly but differently to users in other groups. Groups can be configured using the SAP HANA Cloud Cockpit, as shown above, or the CREATE | ALTER USERGROUP statement.

Group Setting: Client Connect Restrictions

Use the ENABLE | DISABLE CLIENT CONNECT option to control whether or not the users in a user group can connect to SAP HANA, for example to stop users temporarily from connecting during updates or troubleshooting activities.

Parameter Set: Password Policy

The users of different user groups may have different requirements when it comes to passwords. For example, you may want the passwords of technical users to be very complex. A group administrator can configure group-specific values for the individual parameters of the password policy.

Note
The password policy of a new user group is by default the password policy of the database.

There are two steps to configuring a group-specific password policy:

  • Configuring the group-specific values of password policy parameters (SET PARAMETER)
  • Enabling the parameter set ( ENABLE PARAMETER SET 'password policy')

If a group-specific value is not explicitly set for a parameter, the value configured in the password policy of the database appears as the user group value in USERGROUP_PARAMETERS.

Create SAP HANA Cloud User

Every user who wants to work with the SAP HANA database must have a database user.

Predefined Database Users

In the SAP HANA database there are several predefined (or internal) database users, such as SYSTEM, SYS, _SYS_STATISTICS and so on.

The most powerful database user, called SYSTEM is reserved for use by SAP. The corresponding customer administration user is called DBADMIN. This user is not intended for routine use and after using it to create other administration users, we recommend disabling it.

SAP HANA Cloud Authentication Methods

To create the user press the save button. The user is created and appears in the list of users on the left. A new schema is created for the user in the catalog. It has the same name as the user.

Create SAP HANA Cloud User Group

Create User in SAP HANA Cloud

Assign User to Group

Save progress to your learning plan by logging in or creating an account