In this lesson, you will learn about creating SAP HANA Cloud users and groups.
As a database administrator, you want to create SAP HANA Cloud user accounts and groups to easily manage them.
SAP HANA Cloud User Groups
User groups support a separation of user management tasks, allowing you to manage related users together. User groups are an efficient way to manage users. User groups can have:
- One or more dedicated group administrators. Every user group has at least one dedicated group administrator. This makes it possible to delegate user management tasks to several users independently of each other. Only the designated group administrator(s) can manage the users in the group. This could be useful, for example, to protect highly-privileged users or technical users from accidental deletion or manipulation.
- A group-specific configuration, such as password policy settings or client connect restrictions.
User groups do not control data access. A user's authorizations (roles and privileges) control data access.
Creating User Groups
A user with the system privilege CREATE USERGROUP can create user groups. The database administrator DBADMIN initially has this privilege. By granting CREATE USERGROUP to a user, the database administrator can enable other users to create user groups.
These user group administrators can then designate one or more dedicated administrators for individual user groups by granting the object privilege USERGROUP OPERATOR on the user group, for example:
GRANT USERGROUP OPERATOR ON USERGROUP TechnicalUsers TO TechnicalUsersAdmin WITH GRANT OPTION;
Group administrators can add new users to a user group with the CREATE USER statement as follows:
CREATE USER <username> SET USERGROUP <usergroupname>;
To move a user from one group to another, a user authorized for both user groups adds the user to the new user group with the ALTER USER statement as follows:
ALTER USER <username> SET USERGROUP <usergroupname>;
The move operation automatically removes the user from the original user group.
In addition to grouping users into meaningful categories, user groups also allow you to mass manage certain user settings and parameters. In this way, you can configure all users in a user group not only quickly but also differently from users in other groups. Groups can be configured using the SAP HANA Cloud Cockpit, as shown above, or the CREATE | ALTER USERGROUP statement.
Use the ENABLE | DISABLE CLIENT CONNECT option to control whether or not the users in a user group can connect to SAP HANA, for example to stop users temporarily from connecting during updates or troubleshooting activities.
The users of different user groups may have different requirements when it comes to passwords. For example, you may want the passwords of technical users to be very complex. A group administrator can configure group-specific values for the individual parameters of the password policy.
There are two steps to configuring a group-specific password policy:
- Configuring the group-specific values of password policy parameters (
- Enabling the parameter set (ENABLE PARAMETER SET 'password policy')
If a group-specific value is not explicitly set for a parameter, the value configured in the password policy of the database appears as the user group value in USERGROUP_PARAMETERS.
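The statements from this lesson put together as one worked sequence, from creating the group to checking its password policy. This is an added example, not taken from the original lesson or from SAP: the user name ETL_SERVICE, the password placeholder, and the parameter values are assumptions, and TechnicalUsersAdmin is assumed to exist already.

```sql
-- Added example. ETL_SERVICE, the password placeholder and the parameter
-- values are hypothetical; TechnicalUsersAdmin must already exist.

-- 1. As a user holding CREATE USERGROUP (initially DBADMIN):
--    create the group and delegate its administration.
CREATE USERGROUP TechnicalUsers;
GRANT USERGROUP OPERATOR ON USERGROUP TechnicalUsers
  TO TechnicalUsersAdmin WITH GRANT OPTION;

-- 2. As TechnicalUsersAdmin: create a user directly inside the group.
--    The group only decides who may manage this user; data access
--    still has to be granted separately through roles and privileges.
CREATE USER ETL_SERVICE PASSWORD "<initial-password>"
  SET USERGROUP TechnicalUsers;

-- 3. First step of the password policy procedure: set group-specific
--    values. Parameters not listed here keep the database-wide value.
ALTER USERGROUP TechnicalUsers
  SET PARAMETER 'minimal_password_length' = '16',
                'password_layout' = 'A1a_';

-- 4. Second step: enable the parameter set for the group.
ALTER USERGROUP TechnicalUsers ENABLE PARAMETER SET 'password policy';

-- 5. Check the resulting values. Unset parameters appear with the
--    database-wide value. Unquoted identifiers are stored in upper case;
--    the filter column name USERGROUP_NAME is an assumption about the view.
SELECT * FROM USERGROUP_PARAMETERS
  WHERE USERGROUP_NAME = 'TECHNICALUSERS';

-- 6. Block connections for the group during maintenance, then restore.
ALTER USERGROUP TechnicalUsers DISABLE CLIENT CONNECT;
ALTER USERGROUP TechnicalUsers ENABLE CLIENT CONNECT;
```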
Create SAP HANA Cloud User
Every user who wants to work with the SAP HANA database must have a database user.
Predefined Database Users
In the SAP HANA database there are several predefined (or internal) database users, such as SYSTEM, SYS, _SYS_STATISTICS and so on.
The most powerful database user, called SYSTEM, is reserved for use by SAP. The corresponding customer administration user is called DBADMIN. This user is not intended for routine use, and after using it to create other administration users, we recommend disabling it.
SAP HANA Cloud Authentication Methods
To create the user press the save button. The user is created and appears in the list of users on the left. A new schema is created for the user in the catalog. It has the same name as the user.