There are many instances where an end user needs to do the following:

• Ask for a SAP HANA user name and password
• Reset their SAP HANA password
• Update their profile settings

Originally, these above processes were executed during one of the following:

• After initial setup of their user name and password by security administrator
• Request for password reset, which resulted in manual steps or SQL statement executed
• Internal help desk tickets opened up to create new user

Now, with the SAP HANA User Self Service functionality that SAP has created, many of these workflows can now be automated.  I still believe there are improvements that can be made but I wanted to explain the capabilities that everyone can leverage and what they mean.  I hope that this can be used in parallel with the SAP help pages that exist that discuss these pages and the necessary configuration that is required.  I wasn’t able to find a lot of information out there from visualizations and how things worked so I wanted to publish something that could be helpful to everyone.

HANA Self Service How-To

Prerequisites:

Upgrade to minimum SAP HANA SP9 (I would recommend going to Revision 96).  After this is done, we will have some simple configuration that needs to be done.

SAP HANA Password Reset

The following steps is how the end user will be able to interact and leverage the functionality:

• Log into website at the following URL

http://<WebServerHost>:80<SAPHANAinstance>/sap/hana/xs/formLogin/login.html

• The user will be brought to the following page:

• Click on ‘Forgot your password?’ icon

Within the following page, you can execute the following password reset or request a new account. If they already have a user name and password, I wouldn’t expect them to go to this page but if they login, they will be able to change their profile settings, which we will talk about shortly.

• The end user will be redirected to the following page:

The end user will enter their user name that they log into SAP HANA with and click on Submit. Please note that their profile must be set up with an email address.  I will show later, how this is done via HANA studio and via the web solution.

• Enter user name and hit submit

The following screen will be displayed after you hit submit

• Click on the link and the user will be sent to the following screen:

Please note***within my profile, I set up a question so I was able to set up the additional validation / authorization.  This will be discussed later in the profile section.

• Enter your new password and answer the questions that you have set up
• Click Confirm
• You will be automatically logged in

Please note***We will need to update the security password policy for the Minimum Password Lifetime to 0 so a user can then update as many times during a day.  This doesn’t have to be set up but if they change their password 1 time during the day, they will not be able to again through this web method until the next day.  Below screen shot on how the password lifetime is set to 1.

I would recommend that the link for the SAP HANA login screen or password reset screen is added to the BI Launchpad as a link that everyone can see, view and click on. This will limit the IT Department involvement and allow us to maintain all requests.

Standalone Password Reset URL

If you don’t want end users to go to the login screen, you can also create the following link within the BI Launchpad, which will be used just for password resets:

http://<WebServerHost>:80<SAPHANAinstance>/sap/hana/xs/selfService/user/resetPassword.html

This will bring you to the following screen:

Requesting New User Account

There are 2 ways to configure the new user account:

1. Automatically create SAP HANA user account – this still requires roles to be assigned to the end user
2. Manual creation of the SAP HANA user account by the approver – This allows the assigned technical user to approve each request, create and then assign the user roles.

Automatic creation of SAP HANA User account

This is set up with the following configuration parameter set up for the user_self_service with the HANA XS Engine ini:

You can see the default value is set to ‘false’ but the current state is ‘true’ so the user will automatically be created.

• Click on ‘Request Account’

• Enter user name and email address

Please note***this means that the user must enter the correct user name (Windows AD user name) which may cause complications for the end user.  This is not a huge deal because they still need to be approved, SAML set up, etc…by the technical approver so there are areas to resolve discrepancies

There will be 2 emails that are generated:

• End User that requested this will receive the first email

• The technical approver will receive the secondary email which will look the following:

If you review the end users within HANA Studio or the Web IDE, you should see the new user created:

If you review the roles that are assigned, you will not see any.

In addition, you will see that this is a restricted user, so depending on your method that you set up your users internally, this may or may not be a viable solution for you.  If you do not like to set up your users as restricted, then you must use the manual effort.    In addition, you will see that this user is currently set to Deactivated until the user validates their email account and creates a password / question for their profile.

End user validation of account

• The end user must click on the link that was sent to them via their email and the following will be displayed:

• The technical user can now view the same user in HANA Studio or Web IDE and you will notice that the end user deactivation is removed:

Technical User Approval and Setup

• Click on the first link within the email that was sent out to be brought directly to this end user within the Web IDE

Please note that the Web IDE needs to be set up properly and the necessary roles assigned to the technical user as well

• Assign the authorizations to the end user and then activate / save

Technical user review and maintain requests

As the technical user the monitors and maintains user requests, you also have the access to the admin user request page, which is the second link in the email

• Click on the second link within the email

If I choose activate and notify, the following email will be sent to the end user:

Manual creation of SAP HANA User account

• Update the configuration to false from true

You can see that the configuration is leveraging the default value of false

Please note***You can only have 1 user name for 1 email address so there shouldn’t be confusion with email addresses for a user and multiple if this method is used.  If you manually setup the email address within the profiles, then there can be multiple users for 1 email address because that validation does not occur.

• The end user will execute the steps to set up password and question but this will not activate the end user.

Please note***Even with the manual effort, the end user is still set up as a restricted user.  The only difference between the automated and manual request new user efforts is that the user won’t be activated after the end user validates their user name and password.

• Technical security approver must maintain the user requests within the admin screen

• Review within HANA Studio or Web IDE for this user and validate they are activated

Updating your profile

Every user has a few profile settings, which they can maintain or the technical security approver can initially maintain during the end user creation.  For all current users and the email addresses were not set up, this should be done (which can be done by the security officer or the end user).

EndUser Maintain

• Have the end user log in via the SAP HANA login page:

http://<WebServerHost>:80<SAPHANAinstance>/sap/hana/xs/formLogin/login.html

• End user should add the email address, etc..

Please note***A specific role must be assigned in order for an end user to access this.  This allows further restrictions on what end users can and cannot do.

Maintained by Security / Technical User

This can be done with the following methods:

• Using HANA Studio
• Using Web IDE

Since both are similar but different paths, we will be showing the Web IDE method to updating the email address

• Open up Web IDE and choose the Security option
• Click on the end user that you would like to update and click on User Parameters

• Within the drop down, you have multiple options to choose from.
• For our purposes, choose email address and enter the value
• Please note that there are a few other options that you can research at the following URL:

http://help.sap.com/saphelp_hanaplatform/helpdata/en/cd/81e47ddc1e41a5a56a817fcc7b497f/content.ht