restrict a HANA accout from logging directly into they database

All,

We are about to have an outside audit company that is about to come in and has had some questions about logging/reviewing account log-ins directly into the HANA Application or DB tenants.

Is there a way in HANA to restrict a user as you would in the ABAP environment to be designated as a "SYSTEM" account which would allow the account to be used by outside applications to access as needed but restrict any "direct" log on by a users like it was a dialog account.

I have looked and thought maybe the "ALTER USER" Statement of:

<client_connect_option>

but I am not sure if that would stop the application of the service account from access the system then.

Any help would be appriciated.

Michael