Lesson Overview
In this lesson, you'll learn about creating SAP HANA Cloud users and groups.
Business Case
As a database administrator, you want to create SAP HANA Cloud user accounts and groups to easily manage them.
SAP HANA Cloud User Groups
User groups support a separation of user management tasks, allowing you to manage related users together. User groups are an efficient way to manage users. User groups can have:
One or more dedicated group administrators
Every user group has at least one dedicated group administrator. This makes it possible to delegate user management tasks to several users independently of each other. Only the designated group administrators can manage the users in the group. This could be useful, for example, to protect highly privileged users or technical users from accidental deletion or manipulation.
A group-specific configuration, such as password policy settings or client connect restrictions.
Caution
User groups don't control data access. A user's authorizations (roles and privileges) control data access.
Creating User Groups
A user with the system privilege CREATE USERGROUP can create user groups. The database administrator DBADMIN initially has this privilege. By granting CREATE USERGROUP to a user, the database administrator can enable other users to create user groups.
These user group administrators can then designate one or more dedicated administrators for individual user groups by granting the object privilege USERGROUP OPERATOR on the user group, for example:
GRANT USERGROUP OPERATOR ON USERGROUP TechnicalUsers TO TechnicalUsersAdmin WITH GRANT OPTION;
User Group Membership
Group administrators can add new users to a user group with the CREATE USER statement as follows:
CREATE USER <username> SET USERGROUP <usergroupname>;
To move a user from one group to another, a user authorized for both user groups adds the user to the new user group with the ALTER USER statement as follows:
ALTER USER <username> SET USERGROUP <usergroupname>;
The move operation automatically removes the user from the original user group.
Hint
A user can belong to only one user group.
User Group Configuration
In addition to grouping users into meaningful categories, user groups also allow you to mass manage certain user settings and parameters. In this way, you can configure all users in a user group not only quickly but also differently from users in other groups. Groups can be configured using the SAP HANA Cloud Cockpit, as shown above, or the CREATE | ALTER USERGROUP statement.
Group Setting: Client Connect Restrictions
Use the ENABLE | DISABLE CLIENT CONNECT option to control whether or not the users in a user group can connect to SAP HANA, for example to stop users temporarily from connecting during updates or troubleshooting activities.
Parameter Set: Password Policy
The users of different user groups may have different requirements when it comes to passwords. For example, you may want the passwords of technical users to be very complex. A group administrator can configure group-specific values for the individual parameters of the password policy.
Note
The password policy of a new user group is by default the password policy of the database.
There are two steps to configuring a group-specific password policy:
- Configuring the group-specific values of password policy parameters (SET PARAMETER)
- Enabling the parameter set (ENABLE PARAMETER SET 'password policy')
If a group-specific value isn't explicitly set for a parameter, the value configured in the password policy of the database appears as the user group value in USERGROUP_PARAMETERS.
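The group setup this section describes (delegated group administration, a group-specific password policy, membership changes and client connect restrictions) as one added SQL example; it is not from the course, the group, administrator and user names are constructed, and the USERGROUP_PARAMETERS column names are assumed from the SYS view.

```sql
-- Added example, not part of the course. TechnicalUsers, TechnicalUsersAdmin,
-- SVC_ETL and SVC_REPORT are constructed names.

-- 1. Create the group (requires the CREATE USERGROUP system privilege).
CREATE USERGROUP TechnicalUsers;

-- 2. Delegate administration of this one group. The grantee needs no
--    CREATE USERGROUP privilege and cannot touch users in other groups.
GRANT USERGROUP OPERATOR ON USERGROUP TechnicalUsers TO TechnicalUsersAdmin;

-- 3. Group-specific password policy, stricter than the database default.
--    Step 1: set the parameter values ...
ALTER USERGROUP TechnicalUsers SET PARAMETER 'minimal_password_length' = '20';
ALTER USERGROUP TechnicalUsers SET PARAMETER 'maximum_invalid_connect_attempts' = '3';
--    ... step 2: enable the parameter set, otherwise the values are not applied.
ALTER USERGROUP TechnicalUsers ENABLE PARAMETER SET 'password policy';

-- 4. Create a user directly in the group (initial password is constructed and
--    must satisfy the 20-character group policy) ...
CREATE USER SVC_ETL PASSWORD "Init_ChangeMe_123456789" SET USERGROUP TechnicalUsers;
-- ... or move an existing user; the old group membership is dropped automatically.
ALTER USER SVC_REPORT SET USERGROUP TechnicalUsers;

-- 5. Check the effective policy. Parameters with no group-specific value show
--    the database-wide value here (unquoted identifiers are stored upper case).
SELECT USERGROUP_NAME, PARAMETER_NAME, PARAMETER_VALUE
  FROM SYS.USERGROUP_PARAMETERS
 WHERE USERGROUP_NAME = 'TECHNICALUSERS'
 ORDER BY PARAMETER_NAME;

-- 6. Block all connections of the group during maintenance, then re-enable.
ALTER USERGROUP TechnicalUsers DISABLE CLIENT CONNECT;
ALTER USERGROUP TechnicalUsers ENABLE CLIENT CONNECT;
```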
Create SAP HANA Cloud User
Every user who wants to work with the SAP HANA database must have a database user.
In the SAP HANA cockpit, you can create and manage standard database users and restricted database users.
Standard users correspond to users created with the CREATE USER statement. By default they can create objects in their own schema and read data in system views. Read access to system views is granted by the PUBLIC role, which is granted to every standard user.
Restricted users, which are created with the CREATE RESTRICTED USER statement, initially have no privileges. Restricted users are intended for provisioning users who access SAP HANA through client applications and who aren't intended to have full SQL access via an SQL console. If the privileges required to use the application are encapsulated within an application-specific role, then it's necessary to grant the user only this role. In this way, it can be ensured that users have only those privileges that are essential to their work. By default, restricted users can only connect to the database using HTTP or HTTPS protocols.
Predefined Database Users
In the SAP HANA database, there are several predefined (or internal) database users, such as SYSTEM, SYS, _SYS_STATISTICS and so on.
The most powerful database user, called SYSTEM, is reserved for use by SAP. The corresponding customer administration user is called DBADMIN. This user isn't intended for routine use, and after using it to create other administration users, we recommend disabling it.
SAP HANA Cloud Authentication Methods
When creating a user in SAP HANA Cloud, you need to specify how the user can be authenticated. The following authentication methods are available.
- User name and password (Local or LDAP)
The user can be authenticated by a password stored locally in the SAP HANA database or remotely in a directory server.
- SAML
The SAML identity provider must already exist and you must be authorized to assign it.
- X.509
X.509 certificate authentication makes use of a Public Key Infrastructure (PKI) to securely authenticate users. After users receive their X.509 certificates from a certificate-issuing Certification Authority (CA), they can use them to securely access SAP HANA.
- JWT (JSON Web Token)
The JWT identity provider must already exist and you must be authorized to assign it.
To create the user, select the Save button. The user is created and appears in the list of users on the left. A new schema is created for the user in the catalog. It has the same name as the user.
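The user types and authentication methods from this section as one added SQL example (not from the course): a standard user for each method, a restricted application user with a single application role, a check in SYS.USERS, and the DBADMIN deactivation the lesson recommends. User, group, role and provider names are constructed; the SAML and JWT providers are assumed to exist already.

```sql
-- Added example, not part of the course. All names are constructed; CORP_IDP
-- (SAML) and CORP_JWT (JWT) are assumed to be existing providers.

-- Standard user, local password. Receives the PUBLIC role (read access to
-- system views) and a schema of the same name, ALICE.
CREATE USER ALICE PASSWORD "Init_Passw0rd_ChangeMe" SET USERGROUP BusinessUsers;

-- Standard user authenticated by an existing SAML identity provider;
-- ANY maps the SAML assertion's subject to this database user name.
CREATE USER BOB WITH IDENTITY ANY FOR SAML PROVIDER CORP_IDP
  SET USERGROUP BusinessUsers;

-- Standard user authenticated by JWT, mapped on the token's user claim value.
CREATE USER CAROL WITH IDENTITY 'carol@example.com' FOR JWT PROVIDER CORP_JWT
  SET USERGROUP BusinessUsers;

-- Standard user authenticated with an X.509 client certificate, mapped on the
-- certificate subject issued by the PKI's CA.
CREATE USER DAVE WITH IDENTITY 'CN=dave, OU=Finance, O=Example Corp' FOR X509
  SET USERGROUP BusinessUsers;

-- Restricted application user: no PUBLIC role, no privileges initially,
-- HTTP(S) only by default. Everything it needs comes from one application role.
CREATE RESTRICTED USER APP_SHOP PASSWORD "Init_Passw0rd_ChangeMe"
  SET USERGROUP AppUsers;
GRANT SHOP_APP_ROLE TO APP_SHOP;

-- Verify group membership and the restricted flag of the new users.
SELECT USER_NAME, USERGROUP_NAME, IS_RESTRICTED
  FROM SYS.USERS
 WHERE USER_NAME IN ('ALICE', 'BOB', 'CAROL', 'DAVE', 'APP_SHOP');

-- Only once other administration users exist: deactivate DBADMIN as the lesson
-- recommends (ALTER USER DBADMIN ACTIVATE USER NOW re-enables it).
ALTER USER DBADMIN DEACTIVATE USER NOW;
```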