Deactivate SYSTEM User with minimum privileges

reinhard-sanz
Explorer
0 Kudos

Hey quick question,

as it is recommended to deactivate the system user by default and only reactivate it when needed, I want to create another user that can do exactly that.

I already know this can be achieved by granting the system privilege "USER ADMIN" to the new user, but this seems to be too broad in my opinion. This does also allow creating and dropping all other users.

Is there a way to grant privileges to a user so that it can really only activate and deactivate the system user (and only the system user) and nothing more?

Accepted Solutions (1)

Cocquerel
Active Contributor
0 Kudos

I think you could create a user group and assign SYSTEM user to it. Then, users having USERGROUP OPERATOR privilege on this user group will be able to activate/deactivate SYSTEM user without USER ADMIN privilege. You could even set the DISABLE USER ADMIN option for this group. This will prevent people having USER ADMIN privilege to be able to activate SYSTEM user.

CREATE USERGROUP HIGHPRIVILEGESUSERS DISABLE USER ADMIN;

ALTER USER SYSTEM SET USERGROUP HIGHPRIVILEGESUSERS;

GRANT USERGROUP OPERATOR ON USERGROUP HIGHPRIVILEGESUSERS TO <authorized_user>;

See https://help.sap.com/docs/SAP_HANA_PLATFORM/4fe29514fd584807ac9f2a04f6754767/9869125ea93548009820702...
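
The setup from the answer above, followed by the checks and the day-to-day switch, as an added example that is not part of the original post. SYSTEM_SWITCH_OP is a hypothetical, already existing user standing in for <authorized_user>.

```sql
-- Added example. SYSTEM_SWITCH_OP is a hypothetical user name (assumption).

-- 1. One-time setup (the statements from the answer above).
CREATE USERGROUP HIGHPRIVILEGESUSERS DISABLE USER ADMIN;
ALTER USER SYSTEM SET USERGROUP HIGHPRIVILEGESUSERS;
GRANT USERGROUP OPERATOR ON USERGROUP HIGHPRIVILEGESUSERS TO SYSTEM_SWITCH_OP;

-- 2. Verify the result.
-- SYSTEM should now be listed in the group, with its current activation state.
SELECT USER_NAME, USERGROUP_NAME, USER_DEACTIVATED
  FROM USERS
 WHERE USER_NAME = 'SYSTEM';

-- Who holds USERGROUP OPERATOR, and on which group? Expect only SYSTEM_SWITCH_OP
-- for HIGHPRIVILEGESUSERS; IS_GRANTABLE shows whether the grant can be passed on.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE = 'USERGROUP OPERATOR';

-- Who still holds the broad USER ADMIN privilege (users and roles)?
-- With DISABLE USER ADMIN on the group, these grantees no longer manage SYSTEM,
-- but the list is worth reviewing for every other user in the database.
SELECT GRANTEE, GRANTEE_TYPE, IS_GRANTABLE
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE = 'USER ADMIN';

-- 3. Day-to-day use, connected as SYSTEM_SWITCH_OP.
ALTER USER SYSTEM DEACTIVATE USER NOW;   -- default state: SYSTEM cannot log on

-- ... only when SYSTEM is actually needed:
ALTER USER SYSTEM ACTIVATE USER NOW;

-- Confirm the state after each change.
SELECT USER_NAME, USER_DEACTIVATED
  FROM USERS
 WHERE USER_NAME = 'SYSTEM';
```

USERGROUP OPERATOR covers managing the users in the group, not only activating and deactivating them, so keep SYSTEM as the group's only member and keep the list of grantees short.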

reinhard-sanz
Explorer
0 Kudos

Thank you for the answer. Will try that!

Answers (1)

mamartins
Active Contributor
0 Kudos

A "PRIVILEGE" is the smallest security attribute configured on SAP HANA. A "ROLE" is a collection of one or more PRIVILEGES.

USER_ADMIN is a PRIVILEGE, so I think that what you are asking is not possible.