Skip to Content
avatar image
Dirk Raschke

SAP HANA XSA: ALTER USER ***** DISABLE CLIENT CONNECT --> User is not able to access the app

Nov 28, 2018 at 10:11 AM | 119 Views | Last edit Nov 28, 2018 at 10:19 AM 2 rev.

Hi Experts,

I try to disable the client connection (ODBC/JDBC access) of our business users as described by Denys van Kempen in this blog:

https://blogs.sap.com/2015/06/25/sap-hana-sps-10-whats-new-security-by-the-sap-hana-academy/

In my mind, should the business user still be able to access an app (via http) after disabling the client connection (ODBC/JDBC access). But it doesn't work as expected.

I tried to change the client connection more times and came always to the same behaviour:

ALTER USER **** DISABLE CLIENT CONNECT --> user cannot access the app anymore

ALTER USER **** ENABLE CLIENT CONNECT --> user is able to access the app

BR, Dirk

SAP HANA | SAP HANA, platform edition | SAP Web IDE | SAP HANA, express edition | Node.js | user access
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    avatar image
    Lars Breddemann
    Nov 28, 2018 at 09:50 PM

    That's not quite what the setting does.

    As the documentation puts it:

    "<client_connect_option>
    Enables or disables the client from connecting at all. In case of disabled client connect, only connecting via an XS application is allowed."

    XS and XSA applications connect very differently to the HANA database. XS classic uses a proprietary HANA internal connect mechanism while XSA apps simply use the HANA JDBC driver.

    That means, by disabling a user client connection, you disable the connection for XSA apps as well.

    The main reason for using this setting with XSc is that the user management for the application uses the same pool of users as the database users. For every XSc application user there needs to be a database user, even if the application itself just uses a technical user to connect to the database.

    Now, with XSA the user management is decoupled from the database that contains the application data. All XSA application user information is stored with the user authorisation service (usually saves data in the SystemDB but as of SP03 this can also be put into a tenant DB).

    If your application connects via a technical user, you can still implement a model similar to XSc, where application users cannot logon to the application database, but still use the application.

    Add comment
    10|10000 characters needed characters exceeded

    • Dirk Raschke
      Nov 29, 2018 at 12:12 PM

      Thanks for your great explanation!

      Ok, I thought I could restrict our "normal" created users on this easy way.

      Maybe I need to go another way and will change the "normal" user to a XSA application user (restricted user)

      CREATE RESTRICTED USER PASSWORD ***** SET PARAMETER EMAIL ADDRESS = '' ;
GRANT RESTRICTED_USER_JDBC_ACCESS TO USER;
ALTER USER USER SET PARAMETER XS_RC_XS_USER_PUBLIC = 'XS_USER_PUBLIC';
<br>

      Thanks!