
SAP HANA XSA: ALTER USER ***** DISABLE CLIENT CONNECT --> User is not able to access the app

Hi Experts,

I am trying to disable the client connection (ODBC/JDBC access) of our business users as described by Denys van Kempen in this blog:

https://blogs.sap.com/2015/06/25/sap-hana-sps-10-whats-new-security-by-the-sap-hana-academy/

In my mind, the business user should still be able to access an app (via HTTP) after the client connection (ODBC/JDBC access) is disabled. But it doesn't work as expected.

I tried changing the client connection several times and always got the same behaviour:

ALTER USER **** DISABLE CLIENT CONNECT --> user cannot access the app anymore

ALTER USER **** ENABLE CLIENT CONNECT --> user is able to access the app

BR, Dirk


1 Answer

  • Best Answer
    Nov 28, 2018 at 09:50 PM

    That's not quite what the setting does.

    As the documentation puts it:

    "<client_connect_option>
    Enables or disables the client from connecting at all. In case of disabled client connect, only connecting via an XS application is allowed."

    XS and XSA applications connect very differently to the HANA database. XS classic uses a proprietary HANA internal connect mechanism while XSA apps simply use the HANA JDBC driver.

    That means, by disabling a user client connection, you disable the connection for XSA apps as well.

    The main reason for using this setting with XSc is that the user management for the application uses the same pool of users as the database users. For every XSc application user there needs to be a database user, even if the application itself just uses a technical user to connect to the database.

    Now, with XSA the user management is decoupled from the database that contains the application data. All XSA application user information is stored with the user authorisation service (which usually saves its data in the SystemDB, but as of SP03 this can also be put into a tenant DB).

    If your application connects via a technical user, you can still implement a model similar to XSc, where application users cannot log on to the application database, but can still use the application.


    • Thanks for your great explanation!

      OK, I thought I could restrict our "normal" created users in this easy way.

      Maybe I need to go another way and change the "normal" user to an XSA application user (restricted user):

      CREATE RESTRICTED USER PASSWORD ***** SET PARAMETER EMAIL ADDRESS = '' ;
      GRANT RESTRICTED_USER_JDBC_ACCESS TO USER;
      ALTER USER USER SET PARAMETER XS_RC_XS_USER_PUBLIC = 'XS_USER_PUBLIC';

      Thanks!
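
The technical-user model described at the end of the answer, as an added example that is not part of the original thread: named database users lose direct client access while the account the XSA app uses for JDBC keeps it, and a query against the `SYS.USERS` system view shows who can still connect. `BUSINESS_USER_1` and `APP_TECH_USER` are hypothetical user names.

```sql
-- Added example; BUSINESS_USER_1 and APP_TECH_USER are hypothetical names.

-- Named (person) database user: block direct SQL client access (ODBC/JDBC).
-- As the answer explains, this also blocks any XSA app connecting as this
-- user, because XSA apps use the HANA JDBC driver.
ALTER USER BUSINESS_USER_1 DISABLE CLIENT CONNECT;

-- Technical user the XSA application uses for its JDBC connection:
-- client connect has to stay enabled or the app loses database access.
ALTER USER APP_TECH_USER ENABLE CLIENT CONNECT;

-- Audit: every database user that can still open a client connection.
-- After hardening, only technical and administrative accounts should remain.
SELECT USER_NAME,
       IS_RESTRICTED,
       IS_CLIENT_CONNECT_ENABLED,
       USER_DEACTIVATED,
       LAST_SUCCESSFUL_CONNECT
FROM   SYS.USERS
WHERE  IS_CLIENT_CONNECT_ENABLED = 'TRUE'
ORDER  BY USER_NAME;
```

Running the audit query on a schedule and comparing the result with an approved list of technical accounts catches users whose client connect was re-enabled later.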