on 2022 Oct 07 10:10 AM
Hey quick question,
As it is recommended to deactivate the system user by default and only reactivate it when needed, I want to create another user that can do exactly that.
I already know this can be achieved by granting the system privilege "USER ADMIN" to the new user, but this seems to be too broad in my opinion. This does also allow creating and dropping all other users.
Is there a way to grant privileges to a user so that it can really only activate and deactivate the system user (and only the system user) and nothing more?
I think you could create a user group and assign the SYSTEM user to it. Then, users having the USERGROUP OPERATOR privilege on this user group will be able to activate/deactivate the SYSTEM user without the USER ADMIN privilege. You could even set the DISABLE USER ADMIN option for this group. This will prevent people having the USER ADMIN privilege from being able to activate the SYSTEM user.
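```sql
-- Group that users holding only USER ADMIN cannot administer
CREATE USERGROUP HIGHPRIVILEGESUSERS DISABLE USER ADMIN;
-- Put SYSTEM into that group
ALTER USER SYSTEM SET USERGROUP HIGHPRIVILEGESUSERS;
-- The privilege name is USERGROUP OPERATOR, granted on the group
GRANT USERGROUP OPERATOR ON USERGROUP HIGHPRIVILEGESUSERS TO <authorized_user>;
```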
See https://help.sap.com/docs/SAP_HANA_PLATFORM/4fe29514fd584807ac9f2a04f6754767/9869125ea93548009820702...
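Added example, not part of the answer above or of SAP's documentation: read-only checks an administrator could run after applying those three statements, followed by the two statements the delegated user is then expected to be able to run. `SYSTEM_TOGGLE_OPERATOR` is a hypothetical user name standing in for `<authorized_user>`; the system view and column names are assumed to match SAP HANA 2.0 and should be checked against your revision.

```sql
-- 1. Every member of the group. The operator privilege applies to all
--    members, so for this use case the list should contain only SYSTEM.
SELECT USER_NAME, USERGROUP_NAME, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USERGROUP_NAME = 'HIGHPRIVILEGESUSERS';

-- 2. The group was created with DISABLE USER ADMIN
--    (IS_USER_ADMIN_ENABLED is expected to be FALSE).
SELECT USERGROUP_NAME, IS_USER_ADMIN_ENABLED
  FROM SYS.USERGROUPS
 WHERE USERGROUP_NAME = 'HIGHPRIVILEGESUSERS';

-- 3. Who holds USERGROUP OPERATOR on the group (direct grants to users or roles).
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_NAME = 'HIGHPRIVILEGESUSERS'
   AND PRIVILEGE   = 'USERGROUP OPERATOR';

-- 4. The delegated user must not also hold USER ADMIN, directly or via a role.
--    Expected result: no rows. SYSTEM_TOGGLE_OPERATOR is a hypothetical name.
SELECT USER_NAME, PRIVILEGE, GRANTEE, GRANTEE_TYPE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'SYSTEM_TOGGLE_OPERATOR'
   AND PRIVILEGE = 'USER ADMIN';

-- 5. Connected as the delegated user: switch SYSTEM off, and on again when needed.
ALTER USER SYSTEM DEACTIVATE USER NOW;
ALTER USER SYSTEM ACTIVATE USER NOW;

-- 6. Confirm the resulting state of SYSTEM.
SELECT USER_NAME, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USER_NAME = 'SYSTEM';
```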
A "PRIVILEGE" is the smallest security attribute configured on SAP HANA. A "ROLE" is a collection of one or more PRIVILEGES.
USER_ADMIN is a PRIVILEGE, so I think that what you are asking is not possible.