Creating SAP HANA Cloud User Accounts

In this lesson, you'll learn about creating SAP HANA Cloud users and groups.

As a database administrator, you want to create SAP HANA Cloud user accounts and groups to easily manage them.

User groups support a separation of user management tasks, allowing you to manage related users together. User groups are an efficient way to manage users. User groups can have:

• One or more dedicated group administrators

  Every user group has at least one dedicated group administrator. This makes it possible to delegate user management tasks to several users independently of each other. Only the designated group administrators can manage the users in the group. This could be useful, for example, to protect highly privileged users or technical users from accidental deletion or manipulation.

• A group-specific configuration, such as password policy settings or client connect restrictions.

Group administrators can add new users to a user group with the CREATE USER statement as follows:

CREATE USER <username> SET USERGROUP <usergroupname>;

To move a user from one group to another, a user authorized for both user groups adds the user to the new user group with the ALTER SYSTEM system as follows:

ALTER USER <username> SET USERGROUP <usergroupname>.

The move operation automatically removes the user from the original user group.

In addition to grouping users into meaningful categories, user groups also allow you to mass manage certain user settings and parameters. In this way, you can configure all users in a user group not only quickly but differently to users in other groups. Groups can be configured using the SAP HANA Cloud Cockpit, as shown above, or the CREATE | ALTER USERGROUP statement.

Use the ENABLE | DISABLE CLIENT CONNECT option to control whether or not the users in a user group can connect to SAP HANA, for example to stop users temporarily from connecting during updates or troubleshooting activities.

The users of different user groups may have different requirements when it comes to passwords. For example, you may want the passwords of technical users to be very complex. A group administrator can configure group-specific values for the individual parameters of the password policy.

There are two steps to configuring a group-specific password policy:

• Configuring the group-specific values of password policy parameters (SET PARAMETER)
• Enabling the parameter set ( ENABLE PARAMETER SET 'password policy')

If a group-specific value isn't explicitly set for a parameter, the value configured in the password policy of the database appears as the user group value in USERGROUP_PARAMETERS.

Every user who wants to work with the SAP HANA database must have a database user.

In the SAP HANA cockpit, you can create and manage standard database users and restricted database users.

Standard users correspond to users created with the CREATE USER statement. By default they can create objects in their own schema and read data in system views. Read access to system views is granted by the PUBLIC role, which is granted to every standard user.

Restricted users, which are created with the CREATE RESTRICTED USER statement, initially have no privileges. Restricted users are intended for provisioning users who access SAP HANA through client applications and who aren't intended to have full SQL access via an SQL console. If the privileges required to use the application are encapsulated within an application-specific role, then it's necessary to grant the user only this role. In this way, it can be ensured that users have only those privileges that are essential to their work. By default, restricted users can only connect to the database using HTTP or HTTPS protocols.

In the SAP HANA database, there are several predefined (or internal) database users, such as SYSTEM, SYS, _SYS_STATISTICS and so on.

The most powerful database user, called SYSTEM is reserved for use by SAP. The corresponding customer administration user is called DBADMIN. This user isn't intended for routine use and after using it to create other administration users, we recommend disabling it.

When creating a user in SAP HANA Cloud, you need to specify how the user can be authenticated. The following authentication methods are available.

• User name and password (Local or LDAP)

  The user can be authenticated by a password stored locally in the SAP HANA database or remotely in a directory server.

• SAML

  The SAML identity provider must already exist and you must be authorized to assign it.

• X.509

  X.509 certificate makes use of a Public Key Infrastructure (PKI) to securely authenticate users. After users receive their X.509 certificates from a certificate issuing Certification Authority (CA), they can use them to securely access SAP HANA.

• JWT (JSON Web Token)

  The JWT identity provider must already exist and you must be authorized to assign it.

To create the user, select the Save button. The user is created and appears in the list of users on the left. A new schema is created for the user in the catalog. It has the same name as the user.