
When you install the SAP HANA database, a database user, called SYSTEM, is created by default. The database user SYSTEM has irrevocable system privileges, such as the ability to create other database users, access system tables, and so on.

Caution

For security reasons, it is highly recommended that you do not use the SYSTEM database user for day-to-day activities. Use SYSTEM to create database users with the minimum privilege set required for their duties, and use those users for day-to-day administrative activities. It is recommended that you then deactivate the SYSTEM user.

Several technical database users (that is, database users that do not correspond to real people) are also created, for example, SYS and _SYS_REPO.

Related Information

Deactivating the SYSTEM User

As the most powerful database user, SYSTEM is not intended for use in production systems. Use it to create lesser privileged users for particular purposes and then deactivate it.

3.1.2 Operating System User <sid>adm

The <sid>adm user is not a database user but a user at the operating system level. Also referred to as the operating system administrator, this user has unlimited access to all local resources related to SAP systems.

In addition to the SAP HANA database user SYSTEM, the installation process also creates an external operating system user (<sid>adm, for example, sp1adm or xyzadm).

This operating system user, also referred to as the operating system administrator, simply exists to provide an operating system context. From the operating system perspective, the operating system administrator is the user that owns all SAP HANA files and all related operating system processes. Within the SAP HANA studio, the operating system user's credentials are required, for example, to start or stop database processes or to execute a recovery.

Tip

As a database administrator, you can securely store the credentials of the operating system user for a system in the SAP HANA studio. To do so, open the system's properties and choose the SAP System Logon page.

The operating system user is not an SAP HANA database user.

3.1.3 Deactivating the SYSTEM User

As the most powerful database user, SYSTEM is not intended for use in production systems. Use it to create lesser privileged users for particular purposes and then deactivate it.

Prerequisites

You have the system privilege USER ADMIN.

Context

SYSTEM is the database superuser. It has irrevocable system privileges, such as the ability to create other database users, access system tables, and so on. It is highly recommended that you do not use SYSTEM for day-to-day activities in production systems. Instead, use it to create database users with the minimum privilege set required for their duties (for example, user administration, system administration). Then deactivate SYSTEM.

Procedure

Execute the following statement, for example, in the SQL console of the SAP HANA studio:

ALTER USER SYSTEM DEACTIVATE USER NOW

Results

The SYSTEM user is deactivated and can no longer connect to the SAP HANA database.

You can verify that this is the case in the USERS system view. For user SYSTEM, check the values in the columns USER_DEACTIVATED, DEACTIVATION_TIME, and LAST_SUCCESSFUL_CONNECT.

Note

You can still use the SYSTEM user as an emergency user even if it has been deactivated. Any user with the system privilege USER ADMIN can reactivate SYSTEM with the statement ALTER USER SYSTEM ACTIVATE USER NOW. To ensure that an administrator does not do this surreptitiously, it is recommended that you create an audit policy monitoring ALTER USER statements.
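The verification step and the audit recommendation above, written out as SQL (an added example, not part of the original guide). The policy name SYSTEM_USER_CHANGES is a hypothetical choice; the example assumes you hold the AUDIT ADMIN system privilege in addition to USER ADMIN, and that auditing is not yet switched on globally.

```sql
-- 1. Deactivate SYSTEM (statement from the procedure above).
ALTER USER SYSTEM DEACTIVATE USER NOW;

-- 2. Verify the result in the USERS system view.
--    Expect USER_DEACTIVATED = 'TRUE' and a DEACTIVATION_TIME that matches
--    when step 1 was run. A LAST_SUCCESSFUL_CONNECT later than the time you
--    deactivated the user means SYSTEM was reactivated and used in between.
SELECT USER_NAME,
       USER_DEACTIVATED,
       DEACTIVATION_TIME,
       LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS
 WHERE USER_NAME = 'SYSTEM';

-- 3. Record every ALTER USER statement, successful or not, so that an
--    ALTER USER SYSTEM ACTIVATE USER NOW cannot go unnoticed.
--    SYSTEM_USER_CHANGES is a hypothetical policy name.
CREATE AUDIT POLICY SYSTEM_USER_CHANGES
  AUDITING ALL ALTER USER
  LEVEL CRITICAL;

ALTER AUDIT POLICY SYSTEM_USER_CHANGES ENABLE;

-- 4. Audit policies only produce entries while auditing is enabled globally
--    (assumption: it is currently off on this system).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;

-- 5. Confirm the policy exists and is active.
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL, IS_AUDIT_POLICY_ACTIVE, EVENT_ACTION
  FROM SYS.AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME = 'SYSTEM_USER_CHANGES';
```

The policy audits all ALTER USER statements, not only those that target SYSTEM, so password changes and deactivations of other users appear in the audit trail as well.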

3.1.4 Resetting the SYSTEM User's Password

If the SYSTEM user's password is lost, you can reset it using the operating system user.

Procedure

1. Log on to the server on which the SAP HANA master index server is running as the operating system user (that is, <sid>adm user).

2. Open a command line interface.

3. Shut down the instance by executing the following command:

/usr/sap/<SID>/HDB<instance>/exe/sapcontrol -nr <instance> -function StopSystem HDB

4. Start the name server by executing the following commands:

○ /usr/sap/<SID>/HDB<instance>/hdbenv.sh

○ /usr/sap/<SID>/HDB<instance>/exe/hdbnameserver

5. Start the compile server by executing the following commands:

○ /usr/sap/<SID>/HDB<instance>/hdbenv.sh

○ /usr/sap/<SID>/HDB<instance>/exe/hdbcompileserver

6. Start an index server in console mode by executing the following commands:

○ /usr/sap/<SID>/HDB<instance>/hdbenv.sh

○ /usr/sap/<SID>/HDB<instance>/exe/hdbindexserver -console

You see the output of a starting index server. When the service has started, you have a console to the SAP HANA instance where you are logged on as the SYSTEM user.

7. Reset the SYSTEM user's password with the following SQL command, and store the new password in a secure location:

ALTER USER SYSTEM password <new password>

Results

The password for the SYSTEM user is reset. As you are logged on as the SYSTEM user in this console, you do not have to change this new password the next time you log on with this user regardless of your password policy configuration.

3.1.5 User Authentication and Single Sign-On

The identity of every database user accessing SAP HANA is verified through a process called authentication. SAP HANA supports several authentication mechanisms, several of which can be used for the integration of SAP HANA into single sign-on environments (SSO).