Restrict a HANA account from logging directly into the database

All,


We are about to have an outside audit company that is about to come in and has had some questions about logging/reviewing account log-ins directly into the HANA Application or DB tenants.

Is there a way in HANA to restrict a user, as you would in the ABAP environment, to be designated as a "SYSTEM" account, which would allow the account to be used by outside applications to access as needed but restrict any "direct" logon by a user like it was a dialog account?

I have looked and thought maybe the "ALTER USER" statement option:

<client_connect_option>

but I am not sure if that would then stop the application of the service account from accessing the system.

Any help would be appreciated.

Michael

4 Answers

  • Posted on May 28 at 07:16 PM

    Hi Michael,

    I don't know if I got you right but you can check out the 'restricted user' function. All Alter / create user commands are well documented by SAP. Just have a look.

    'Restricted users, which are created with the CREATE RESTRICTED USER statement, initially have no privileges. Restricted users are intended for provisioning users who access SAP HANA through client applications and who are not intended to have full SQL access via an SQL console. If the privileges required to use the application are encapsulated within an application-specific role, then it is necessary to grant the user only this role. In this way, it can be ensured that users have only those privileges that are essential to their work.'

    Regards,

    Jens

  • Posted on May 30 at 09:48 PM

    I would first ask, why are these users logging in? Do they need to be logging in? If not, delete the user; if they need to, then there shouldn't be an issue with audit? Are the users accessing views in the DB? If so, then you should just create the views on the application and expose them there.

  • Posted on Oct 17 at 09:22 PM

    If you're trying to de-risk the password leaking, why not use SSO for the users? X.509, SAML, Kerberos, plenty to work with there.

    You could create a user with an X.509 cert auth identity. A simple SQL statement would do the trick:

    CREATE USER "XXXX" PASSWORD "Password" WITH IDENTITY 'C=US, ST=CA, L=DUBLIN, O=sap.com, CN=XXXX' ISSUER 'C=US, ST=CA, L=DUBLIN, O=sap.com, CN=Root CA' FOR X509;

  • Posted on Oct 12 at 03:42 AM
    -2

    Hi Michael,

    Integrate SAP HANA into single sign-on environments using Kerberos, SAML 2.0, JSON web tokens, logon and assertion tickets, etc. Each mechanism has its own advantages; you can choose and implement one depending on the scenario.

    By default all supported authentication mechanisms are enabled, but it is possible and recommended to disable those that are not used in your environment. You do this by configuring the parameter [authentication] authentication_methods in the global.ini configuration file. The value of this parameter specifies all enabled methods as a comma-separated list.

    The default value is pbkdf2,password,kerberos,spnego,saml,saplogon,x509xs,jwt,sessioncookie,ldap.

    Thanks, Sankar
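
The restricted-user and authentication_methods suggestions from the answers above, combined as an added example that is not part of any post. APP_SVC, APP_READ_ROLE, the password and the reduced method list are hypothetical placeholders; it assumes the application connects over JDBC and that its privileges are already bundled in a catalog role.

```sql
-- Added example: APP_SVC, APP_READ_ROLE, the password and the method list
-- below are placeholders, not values from this thread.

-- 1. Create the service account as a restricted user. It starts with no
--    privileges and is not meant for full SQL access from an SQL console.
CREATE RESTRICTED USER APP_SVC PASSWORD "Ch4nge-Me-Now" NO FORCE_FIRST_PASSWORD_CHANGE;

-- 2. Grant only the application-specific role (assumed to exist already).
GRANT APP_READ_ROLE TO APP_SVC;

-- 3. A restricted user cannot connect over JDBC/ODBC until the matching
--    standard role is granted. Grant only the channel the application uses
--    (RESTRICTED_USER_ODBC_ACCESS is the ODBC counterpart).
GRANT RESTRICTED_USER_JDBC_ACCESS TO APP_SVC;

-- 4. Evidence for the auditor: user type, enabled logon mechanisms and
--    the last successful connect of the account.
SELECT USER_NAME,
       IS_RESTRICTED,
       IS_CLIENT_CONNECT_ENABLED,
       IS_PASSWORD_ENABLED,
       IS_X509_ENABLED,
       LAST_SUCCESSFUL_CONNECT
  FROM USERS
 WHERE USER_NAME = 'APP_SVC';

-- 5. Reduce the enabled authentication mechanisms to those actually used.
--    The list here is illustrative only: keep every method your landscape
--    depends on before applying a change like this.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('authentication', 'authentication_methods') = 'pbkdf2,password,x509xs'
  WITH RECONFIGURE;

-- 6. Confirm the effective value and the layer it is set on.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE SECTION = 'authentication'
   AND KEY = 'authentication_methods';
```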


