Users and Roles available in SAP HANA
In this document, I will describe the users and roles available in SAP HANA by default.
Let's start with the OS-level users available in HANA:
In SAP HANA, two OS users are available:
1. root – superuser in any Unix/Linux based system
2. [SID]adm – here SID stands for System ID
For example, if our system has the ID RC5, then our user will be RC5adm.
Both of these users are protected using the SLES authentication method (PAM) and hashed passwords.
Here SLES stands for SUSE Linux Enterprise Server and PAM stands for Pluggable Authentication Modules.
To know more about these visit : http://wiki.novell.com/index.php/SUSE_Manager/Authentication
OS authentication allows HANA to pass control of user authentication to the operating system.
When we connect to our HANA server, we pass the OS username and password. If the OS username is recognized and the username and password are correct, we are able to connect to the HANA database server; otherwise the connection is rejected.
It is recommended to disable direct root access and use the sudo command for root-level access.
The sudo command allows a permitted user to execute a command as the superuser or another user, as specified in the /etc/sudoers file.
sudo determines who is an authorized user by referring to the /etc/sudoers file.
The [SID]adm user has rwx permissions as owner and as group.
rwx – stands for read, write and execute
It has ownership and group membership on the file systems, files and execution environments of:
a. SAP HANA
b. SAP Sybase Replication Server and Components
c. SAP Load Controller
d. SAP Host Agent
Groups – dba, sapsys and sapadm
OS user passwords are stored in the files /etc/passwd and /etc/shadow.
To know more about Users and Groups visit : https://wiki.archlinux.org/index.php/Users_and_Groups
For knowing how SAP is installed using SUSE Linux, visit : https://www.suse.com/documentation/sles_for_sap/singlehtml/sles_for_sap_guide/sles_for_sap_guide.html
To know more about SAP on SUSE Linux visit : http://www.novell.com/docrep/2011/04/sap_on_sles11_simple_stack.pdf
Now let's move on to the users available in Sybase Replication Server:
1. sa – Superuser for Replication Server and Replication Agent
2. [RS ServerName]HANARS1_RSSD_prim – User for Replication Server’s eRSSD
eRSSD – stands for Embedded Replication Server System Database
3. For ECDA, we have to use HANA’s Administrative User SYSTEM
ECDA – stands for Enterprise Connect Data Access
To learn more about eRSSD visit :
To learn more about ECDA visit :
For SAP HANA Load Controller and SAP HANA Host Agent, we need access to :
[SID]adm user – it acts both as an OS user and as an application administrative user
SAP Host Agent handles the login authentication between source system and target system.
SAP Load Controller starts the initial load of source system data to the SAP HANA database in SAP HANA, and communicates with the Sybase Replication Server to coordinate the start of the delta replication.
To learn more about SAP HANA Load Controller visit : http://help.sap.com/businessobject/product_guides/HAN01SP4/en/hana_sps4_master_en.pdf
Now let's move on to the users available in SAP HANA Studio:
SYSTEM – superuser or Administrator of SAP HANA
It has access to all privileges present in SAP HANA.
It is used to create Users for specific tasks such as :
a. System administrative tasks (e.g. operate and maintain the ICE and users using HANA Studio)
b. Modeling tasks (e.g. create models and reports using HANA Studio)
c. End user tasks (e.g. consuming reports using client tools like Excel)
d. Power user tasks (e.g. need to work on a few administrative and a few modeling tasks)
e. Replication tasks (e.g. to perform data replication from the source ERP system to the HANA system)
Finally, let's move on to the roles available in SAP HANA:
First, let me explain what a role is.
A role is nothing but a collection of privileges.
A role can be assigned either to a user or to another role.
Roles are reusable objects.
What is a privilege?
A privilege is used to impose restrictions on operations (such as INSERT, SELECT, DELETE) carried out on certain objects (such as TABLE, VIEWS, SCHEMA).
Following are the predelivered roles available in SAP HANA Studio :
1. PUBLIC – This role has the minimum privileges required to work with a database and this role is granted implicitly whenever a user is granted
2. MODELER : This role has a lot of privileges and it enables a user to :
a. Create and activate Information Models
b. Create and activate Analytic Privileges
3. MONITORING : This role has full read only access to all metadata, monitoring and statistics.
4. CONTENT_ADMIN : This role has the most vital privileges. It has :
a. SQL Privileges on Schema _SYS_BIC with GRANT OPTION
b. SQL Privileges on Schema _SYS_BI with GRANT OPTION
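The role and privilege concepts above, as an added SQL example that is not part of the original document: it builds a task-specific role, assigns it to another role and to a user, and then reviews who holds the predelivered roles. The schema SALES, the roles REPORT_READER and POWER_USER_ROLE and the user JDOE are hypothetical names; the example assumes the executing user may read the system views SYS.GRANTED_ROLES, SYS.GRANTED_PRIVILEGES and SYS.EFFECTIVE_ROLES.

```sql
-- Added example. SALES, REPORT_READER, POWER_USER_ROLE and JDOE are
-- hypothetical names; the user JDOE is assumed to exist already.

-- 1. A role is a collection of privileges: read-only access to one schema.
CREATE ROLE REPORT_READER;
GRANT SELECT ON SCHEMA SALES TO REPORT_READER;

-- 2. A role can be assigned to another role: the power-user role reuses
--    REPORT_READER and the predelivered read-only MONITORING role.
CREATE ROLE POWER_USER_ROLE;
GRANT REPORT_READER TO POWER_USER_ROLE;
GRANT MONITORING    TO POWER_USER_ROLE;

-- 3. A role can be assigned to a user.
GRANT POWER_USER_ROLE TO JDOE;

-- 4. Review: which users and roles hold the predelivered roles directly?
--    GRANTEE_TYPE tells a user apart from a role that passes the grant on.
SELECT ROLE_NAME, GRANTEE, GRANTEE_TYPE, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME IN ('CONTENT_ADMIN', 'MODELER', 'MONITORING')
 ORDER BY ROLE_NAME, GRANTEE;

-- 5. Review: who can pass on privileges on _SYS_BIC and _SYS_BI?
--    CONTENT_ADMIN holds these WITH GRANT OPTION, so every grantee listed
--    here can extend the same access to further users or roles.
SELECT GRANTEE, GRANTEE_TYPE, SCHEMA_NAME, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE SCHEMA_NAME IN ('_SYS_BIC', '_SYS_BI')
   AND IS_GRANTABLE = 'TRUE'
 ORDER BY GRANTEE, SCHEMA_NAME, PRIVILEGE;

-- 6. Review: everything one user ends up with, including roles that reach
--    the user only through other roles (here MONITORING and REPORT_READER
--    via POWER_USER_ROLE, plus the implicit PUBLIC role).
SELECT ROLE_NAME, GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.EFFECTIVE_ROLES
 WHERE USER_NAME = 'JDOE'
 ORDER BY ROLE_NAME;
```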
To learn more about HANA User Administration, please visit : http://help.sap.com/hana/hana_admin_en.pdf
There are a couple of predefined roles for Information Composer also :
But first let me tell you what SAP HANA Information Composer is.
SAP HANA Information Composer is a Web application that allows you to upload and manipulate data on the SAP HANA database.
It uses the SAP NetWeaver Core Engine for Partners 1.0 (LJS 1.0), which interacts with the SAP HANA database.
The LJS 1.0 communicates with the SAP HANA Information Composer client via HTTP or HTTPS. The following ports are used by default:
HTTP port 8080
HTTPS port 8443
If HTTPS is used, the SSL certificate must be configured by the administrator.
LJS – stands for Lean Java Server (the actual server in NetWeaver Cloud)
Available roles for Information Composer are :
5. IC_PUBLIC : This role allows a User to see the shared physical tables and calculation views.
6. IC_MODELER : This role allows a User to upload new content in the SAP HANA Database and to create physical tables and calculation views.
To learn more about Information Composer visit : http://help.sap.com/hana/H1_SP3_info_comp_en.pdf
Thanks for reading my document.
This is my first document so any feedback will be appreciated by me.