In this lesson, you will learn about the SAP HANA Cloud user management concept.
As a database administrator, you want to understand the SAP HANA Cloud user management concept.
User Administration Tools
Depending on your organization and its user provisioning strategy, people with different job functions may be involved in the process of user administration. Different tools are used for different tasks.
- Define and create users and user groups
- Define and create roles and assign privileges
- Assign roles to users
After setting up the initial user and authorization concept, you need to make sure that the users and roles keep up to date with all the changes happening in your organization. To keep the user and authorization structure current, the following additional administration tasks must be performed:
- Changing users' authorizations due to job and role changes inside the company
- Deleting users when they leave the organization
- Reactivating users after too many failed logon attempts
- Deactivating users if a security violation has been detected
- Resetting user passwords
Database Users that Correspond to Real People
Every person who needs to work with SAP HANA must have a database user. Depending on your system configuration and scenario, database users can be created by:
- User administrators
- User group administrators
Database users are created with either the CREATE USER or the CREATE RESTRICTED USER statement, or using the SAP HANA cockpit.
When database users that correspond to real people leave the organization, the user administrator must intervene to delete these users from the database. When a database user is deleted, this means that any database objects that were owned by that user are also automatically dropped, and any privileges granted by that user are automatically revoked.
Standard users correspond to users created with the CREATE USER statement. By default they can create objects in their own schema and read data in system views. Read access to system views is granted by the PUBLIC role, which is granted to every standard user.
Restricted users, which are created with the CREATE RESTRICTED USER statement, initially have no privileges. Restricted users are intended for provisioning users who access SAP HANA through client applications and who are not intended to have full SQL access via an SQL console. If the privileges required to use the application are encapsulated within an application-specific role, then only this role needs to be granted to the user. In this way, it can be ensured that users have only those privileges that are essential to their work.
Compared to standard database users, restricted users are initially limited in the following ways:
- They cannot create objects in the database as they are not authorized to create objects in their own database schema.
- They cannot view any data in the database as they are not granted the standard PUBLIC role.
- They are only able to connect to the database using HTTP/HTTPS.
For restricted users to connect via ODBC or JDBC, access for client connections must be enabled by executing the SQL statement ALTER USER <user_name> ENABLE CLIENT CONNECT or by enabling the corresponding option for the user in the SAP HANA cockpit.
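The following SQL script is an added example, not part of the SAP lesson, that puts the restricted-user concept and the lifecycle tasks listed above into practice: it bundles least privileges into an application role, provisions a restricted user with only that role, enables client connections only where needed, and shows the maintenance statements for reactivation, deactivation and deletion. The role, schema and user names (APP_REPORTING, SALES_DATA, RPT_USER_01, STD_USER_01) and the password are placeholders chosen for the example.

```sql
-- Added example; all object names and the password are placeholders.

-- 1. Application-specific role carrying only the privileges the client
--    application needs (here: read access to one schema).
CREATE ROLE APP_REPORTING;
GRANT SELECT ON SCHEMA SALES_DATA TO APP_REPORTING;

-- 2. Restricted user: no PUBLIC role, no object creation in an own
--    schema, and initially only HTTP/HTTPS connectivity.
CREATE RESTRICTED USER RPT_USER_01 PASSWORD "Initial#Pw2024";

-- 3. Grant only the application role. The user still cannot read
--    system views or create objects; everything else stays denied.
GRANT APP_REPORTING TO RPT_USER_01;

-- 4. Only if the application reaches the database over ODBC/JDBC
--    rather than HTTP: explicitly allow client connections.
ALTER USER RPT_USER_01 ENABLE CLIENT CONNECT;

-- 5. A standard user for comparison: receives PUBLIC automatically
--    and may create objects in its own schema.
CREATE USER STD_USER_01 PASSWORD "Initial#Pw2024";

-- Check: which roles were granted to each user, and whether the user is
-- restricted and allowed to open client connections (SYS views).
SELECT GRANTEE, ROLE_NAME
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE IN ('RPT_USER_01', 'STD_USER_01');

SELECT USER_NAME, IS_RESTRICTED, IS_CLIENT_CONNECT_ENABLED
  FROM SYS.USERS
 WHERE USER_NAME IN ('RPT_USER_01', 'STD_USER_01');

-- Lifecycle tasks from the maintenance list:
-- reactivate after too many failed logon attempts,
ALTER USER RPT_USER_01 RESET CONNECT ATTEMPTS;
-- lock the user immediately after a suspected security violation,
ALTER USER RPT_USER_01 DEACTIVATE USER NOW;
-- and remove a leaver together with the objects the user owned
-- (CASCADE also revokes privileges that user had granted).
DROP USER STD_USER_01 CASCADE;
```

Run the script as a user holding the USER ADMIN and ROLE ADMIN system privileges; the two SELECT statements let you confirm that the restricted user holds nothing beyond APP_REPORTING.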
Authorization in SAP HANA Cloud
When users access the SAP HANA database using a client interface, their ability to perform operations on database objects is determined by the privileges that they have.
All the privileges granted to a user, either directly or indirectly through roles, are combined. This means that whenever a user tries to access an object, the system performs an authorization check on the user, the user's roles, and directly granted privileges.
Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard mechanism of granting privileges as they allow you to implement complex, reusable authorization concepts that can be modeled on business roles.
It is not possible to explicitly deny privileges. This means that the system does not need to check all the user's privileges. As soon as all requested privileges have been found, the system skips further checks and grants access.
Standard database users by default have the following features:
- They are authorized to create objects in their own database schema.
- They have the PUBLIC role that contains privileges for filtered read-only access to the system views. Only objects for which the users have access rights are visible. By default, this role is granted to every user, except restricted users.
- They have access to the database over ODBC or JDBC and are able to connect to the database using HTTP/HTTPS.