cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP HANA XSA: ALTER USER ***** DISABLE CLIENT CONNECT --> User is not able to access the app

Go to solution
draschke
Active Contributor

on ‎11-28-2018 10:11 AM

0 Kudos

Hi Experts,

I try to disable the client connection (ODBC/JDBC access) of our business users as described by Denys van Kempen in this blog:

https://blogs.sap.com/2015/06/25/sap-hana-sps-10-whats-new-security-by-the-sap-hana-academy/

In my mind, should the business user still be able to access an app (via http) after disabling the client connection (ODBC/JDBC access). But it doesn't work as expected.

I tried to change the client connection more times and came always to the same behaviour:

ALTER USER **** DISABLE CLIENT CONNECT --> user cannot access the app anymore

ALTER USER **** ENABLE CLIENT CONNECT --> user is able to access the app

BR, Dirk

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

lbreddemann
Active Contributor
‎11-28-2018 9:50 PM

That's not quite what the setting does.

As the documentation puts it:

"<client_connect_option>
Enables or disables the client from connecting at all. In case of disabled client connect, only connecting via an XS application is allowed."

XS and XSA applications connect very differently to the HANA database. XS classic uses a proprietary HANA internal connect mechanism while XSA apps simply use the HANA JDBC driver.

That means, by disabling a user client connection, you disable the connection for XSA apps as well.

The main reason for using this setting with XSc is that the user management for the application uses the same pool of users as the database users. For every XSc application user there needs to be a database user, even if the application itself just uses a technical user to connect to the database.

Now, with XSA the user management is decoupled from the database that contains the application data. All XSA application user information is stored with the user authorisation service (usually saves data in the SystemDB but as of SP03 this can also be put into a tenant DB).

If your application connects via a technical user, you can still implement a model similar to XSc, where application users cannot logon to the application database, but still use the application.

Show replies
Show replies
draschke
Active Contributor
‎11-29-2018 12:12 PM

Thanks for your great explanation!

Ok, I thought I could restrict our "normal" created users on this easy way.

Maybe I need to go another way and will change the "normal" user to a XSA application user (restricted user)

CREATE RESTRICTED USER PASSWORD ***** SET PARAMETER EMAIL ADDRESS = '' ;
GRANT RESTRICTED_USER_JDBC_ACCESS TO USER;
ALTER USER USER SET PARAMETER XS_RC_XS_USER_PUBLIC = 'XS_USER_PUBLIC';
<br>

Thanks!

Answers (0)

Ask a Question