Creating a copy of user SYSTEM in SAP HANA
In the SAP HANA Security Guide SAP recommends to use user SYSTEM only at the beginning. After various users, e. g. for backup and monitoring purposes, had been created user SYSTEM shall be deactivated. Following you’ll find some of my experiences I made when trying to copy user SYSTEM.
Trying to copy user SYSTEM to another user shows the upcoming diffculties. The new user only receives role PUBLIC, no package, no privilege object that already had been assigned to user SYSTEM is copied to the new user. Only repository roles will be copied. Unfortunately currently there’s no way to create an sql script automatically that contains all objects, packages and roles assigned to user SYSTEM. All objects assigned to user SYSTEM have to be assigned manually to the new user. The reason is that user SYSTEM in some cases isn’t allowed to grant the respective object, package or role. Therefore no object, package or role is copied from user SYSTEM to the new one.
The copy process is purely an UI functionality, and thus cannot be automated. There’s no sql command “COPY USER”. Only the sql command “CREATE USER” is available.
User SYSTEM automatically receives the rights for new objects and packages created in the HANA system. The new user will not receive theses automatically. They have to be assigned one by one manually.
The password of the new user can be altered with the sql statement “ALTER USER newuser DISABLE PASSWORD LIFETIME;”. By this the given password hasn’t to be changed during the first logon.
User SYSTEM can be deactivated with the sql statement “ALTER USER SYSTEM DEACTIVATE USER NOW”.
If you need to reset the password of user SYSTEM please follow the description given in note 1925267.
If you like to exclude user SYSTEM from the current password policy please follow note 2251556. Please bear in mind that this procedure isn’t recommended by SAP AGS.