DBAdmin User Locked?
My name is Man-Ted Chan and I’m from the SAP HANA Development team. I’m writing this piece because of an increase in requests from SAP HANA Cloud users who find that their DBADMIN user needs to be unlocked.
The DBADMIN user becomes locked after several consecutive failed logon attempts. This regularly happens after a password change, when old apps or scheduled jobs keep trying to connect with the old password and end up locking the user.
First, what exactly is the DBADMIN user? The DBADMIN user is a superuser that has all the privileges needed to make major changes to a database. It is suggested that the DBADMIN user only be used for your initial administrative tasks. Having the DBADMIN user do everything renders auditing and most security tracking useless, because every action is recorded under the same shared account.
So, what should you do???
Rather than using the DBADMIN user to do daily tasks, create new users/groups to do specific tasks. Though this adds some extra steps before you can start using SAP HANA Cloud, it’ll save you from production downtime when the DBADMIN user gets locked ☹
In the SAP BTP Cockpit, go to your SAP HANA Database Instances
Click on the ‘Actions’ button and select ‘Open in SAP HANA Cockpit’
Enter in the login information
The SAP HANA Cockpit will look like this
From the SAP HANA Cockpit, under the ‘User & Role Management’, we can create and edit users, groups, roles, and privileges.
We’ll cover creating a user first
After you have chosen the user options, press the save button at the bottom
User Group Management
In the BTP cockpit you can assign users to a group, which lets admins maintain user permissions for the group as a whole rather than individually (designer group, debugging group, admin group, etc.).
Below are the steps to create a new group and add our “TEST” user to the new group, “TESTGROUP”
You can access the User Group via the BTP cockpit
or in the upper left-hand area next to the back button and SAP logo
Once in the User Group Management page
and you press the “New User Group” button the following popup appears
Once created we can open the group and add our TEST user
A role is a collection of privileges that can be granted to either a user, user group, or another role.
The following screens show the ‘Role Management’ page and the steps to create a Role
In the Role Management page press the ‘+’ button
You will be prompted to create a role
Once created, press the edit button to add your desired privileges
In ‘Role Management’ role groups can be made
When pressing the add button a popup of available roles appears
In role assignment you will assign your roles to your user
When ‘Assign roles to a user’ is selected you will enter in a username and assign that user with your desired roles. In the below example we will be using our “TEST” user
Press the ‘Edit’ button
Then press ‘Add’ and the following popup will appear which allows you to select your desired roles
In the following example we will select ‘MODELING’ then press ‘Select’
‘MODELING’ will now appear as an assigned role for the ‘Test’ user
Press the ‘Save’ button when done.
Assign A Role To Multiple Users
If you select ‘Assign a role to multiple users’, you enter a role in the search, such as ‘PUBLIC’, and all the users who are assigned ‘PUBLIC’ are displayed
Press ‘Edit’ and this allows you to add or remove users
In ‘Privilege Management’, enter the object you want to add privileges to. In the below example we are displaying the privileges of the DBADMIN user.
Disable the DBADMIN user
Once you have set up your required users and groups, it is best practice to deactivate the DBADMIN user so that no one can log in as a user with superuser privileges. To do this, the user performing the deactivation needs to have the object privilege OPERATOR for the DEFAULT user group. Below are screenshots of assigning the privileges to the above user and then deactivating the DBADMIN user.
Now that the permissions are assigned to the TEST user, login as the TEST user and return to the ‘User Management’ page and select the DBADMIN user
Please note the DBADMIN user cannot be deleted and if attempted, the following message would appear
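The cockpit steps above can also be run as SQL statements. The script below is an added example, not part of the original post: it reuses the TEST user, TESTGROUP group and MODELING role from the walkthrough, the password is a placeholder, and it assumes the privilege the article calls OPERATOR is granted in SQL as USERGROUP OPERATOR.

```sql
-- Added example: SQL counterpart of the cockpit walkthrough.
-- TEST, TESTGROUP and MODELING are the names used in the article;
-- the password below is a placeholder and must be replaced.

-- 0. As DBADMIN: list the clients that still connect as DBADMIN, so the
--    apps and scheduled jobs behind them can be moved to their own users
--    before DBADMIN is deactivated.
SELECT CONNECTION_ID, CLIENT_HOST, CLIENT_IP, START_TIME
  FROM SYS.M_CONNECTIONS
 WHERE USER_NAME = 'DBADMIN';

-- 1. As DBADMIN: create the user group and a named user inside it.
CREATE USERGROUP TESTGROUP;
CREATE USER TEST PASSWORD "<initial-password-placeholder>" SET USERGROUP TESTGROUP;

-- 2. As DBADMIN: give the user only the role it needs for its task.
GRANT MODELING TO TEST;

-- 3. As DBADMIN: allow TEST to manage users in the DEFAULT user group,
--    which the article names as the prerequisite for deactivating DBADMIN.
GRANT USERGROUP OPERATOR ON USERGROUP DEFAULT TO TEST;

-- 4. Log on as TEST, then deactivate DBADMIN.
ALTER USER DBADMIN DEACTIVATE USER NOW;

-- 5. As TEST: confirm the result and check the failed-logon counters.
SELECT USER_NAME, USERGROUP_NAME, USER_DEACTIVATED, DEACTIVATION_TIME,
       INVALID_CONNECT_ATTEMPTS, LAST_INVALID_CONNECT_ATTEMPT
  FROM SYS.USERS
 WHERE USER_NAME IN ('DBADMIN', 'TEST');
```

A non-zero INVALID_CONNECT_ATTEMPTS value for DBADMIN in the last query means something is still trying to log on with its credentials.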
Thank you for the hint
If DBADMIN is deactivated, will its password expire? I see that in HANA Cloud EU, the password expires after 180 days. So if one deactivates DBADMIN after setup, do we have to keep in mind to change its password every six months?