There are many instances where an end user needs to do the following:
Ask for a SAP HANA user name and password
Reset their SAP HANA password
Update their profile settings
Originally, these above processes were executed during one of the following:
After initial setup of their user name and password by security administrator
Request for password reset, which resulted in manual steps or SQL statement executed
Internal help desk tickets opened up to create new user
Now, with the SAP HANA User Self Service functionality that SAP has created, many of these workflows can now be automated. I still believe there are improvements that can be made but I wanted to explain the capabilities that everyone can leverage and what they mean. I hope that this can be used in parallel with the SAP help pages that exist that discuss these pages and the necessary configuration that is required. I wasn't able to find a lot of information out there from visualizations and how things worked so I wanted to publish something that could be helpful to everyone.
HANA Self Service How-To
Upgrade to minimum SAP HANA SP9 (I would recommend going to Revision 96). After this is done, we will have some simple configuration that needs to be done.
SAP HANA Password Reset
The following steps is how the end user will be able to interact and leverage the functionality:
Within the following page, you can execute the following password reset or request a new account. If they already have a user name and password, I wouldn’t expect them to go to this page but if they login, they will be able to change their profile settings, which we will talk about shortly.
The end user will be redirected to the following page:
The end user will enter their user name that they log into SAP HANA with and click on Submit. Please note that their profile must be set up with an email address. I will show later, how this is done via HANA studio and via the web solution.
Enter user name and hit submit
The following screen will be displayed after you hit submit
Click on the link and the user will be sent to the following screen:
Please note***within my profile, I set up a question so I was able to set up the additional validation / authorization. This will be discussed later in the profile section.
Enter your new password and answer the questions that you have set up
You will be automatically logged in
Please note***We will need to update the security password policy for the Minimum Password Lifetime to 0 so a user can then update as many times during a day. This doesn’t have to be set up but if they change their password 1 time during the day, they will not be able to again through this web method until the next day. Below screen shot on how the password lifetime is set to 1.
I would recommend that the link for the SAP HANA login screen or password reset screen is added to the BI Launchpad as a link that everyone can see, view and click on. This will limit the IT Department involvement and allow us to maintain all requests.
Standalone Password Reset URL
If you don’t want end users to go to the login screen, you can also create the following link within the BI Launchpad, which will be used just for password resets:
There are 2 ways to configure the new user account:
Automatically create SAP HANA user account – this still requires roles to be assigned to the end user
Manual creation of the SAP HANA user account by the approver – This allows the assigned technical user to approve each request, create and then assign the user roles.
Automatic creation of SAP HANA User account
This is set up with the following configuration parameter set up for the user_self_service with the HANA XS Engine ini:
You can see the default value is set to ‘false’ but the current state is ‘true’ so the user will automatically be created.
Click on ‘Request Account’
Enter user name and email address
Please note***this means that the user must enter the correct user name (Windows AD user name) which may cause complications for the end user. This is not a huge deal because they still need to be approved, SAML set up, etc…by the technical approver so there are areas to resolve discrepancies
There will be 2 emails that are generated:
End User that requested this will receive the first email
The technical approver will receive the secondary email which will look the following:
If you review the end users within HANA Studio or the Web IDE, you should see the new user created:
If you review the roles that are assigned, you will not see any.
In addition, you will see that this is a restricted user, so depending on your method that you set up your users internally, this may or may not be a viable solution for you. If you do not like to set up your users as restricted, then you must use the manual effort. In addition, you will see that this user is currently set to Deactivated until the user validates their email account and creates a password / question for their profile.
End user validation of account
The end user must click on the link that was sent to them via their email and the following will be displayed:
Enter user name and password and the associated question/answer
Click on Save
The technical user can now view the same user in HANA Studio or Web IDE and you will notice that the end user deactivation is removed:
Technical User Approval and Setup
Click on the first link within the email that was sent out to be brought directly to this end user within the Web IDE
Please note that the Web IDE needs to be set up properly and the necessary roles assigned to the technical user as well
Assign the authorizations to the end user and then activate / save
Technical user review and maintain requests
As the technical user the monitors and maintains user requests, you also have the access to the admin user request page, which is the second link in the email
Click on the second link within the email
If I choose activate and notify, the following email will be sent to the end user:
Manual creation of SAP HANA User account
Update the configuration to false from true
You can see that the configuration is leveraging the default value of false
Please note***You can only have 1 user name for 1 email address so there shouldn’t be confusion with email addresses for a user and multiple if this method is used. If you manually setup the email address within the profiles, then there can be multiple users for 1 email address because that validation does not occur.
The end user will execute the steps to set up password and question but this will not activate the end user.
Please note***Even with the manual effort, the end user is still set up as a restricted user. The only difference between the automated and manual request new user efforts is that the user won’t be activated after the end user validates their user name and password.
Technical security approver must maintain the user requests within the admin screen
Review within HANA Studio or Web IDE for this user and validate they are activated
Updating your profile
Every user has a few profile settings, which they can maintain or the technical security approver can initially maintain during the end user creation. For all current users and the email addresses were not set up, this should be done (which can be done by the security officer or the end user).
Have the end user log in via the SAP HANA login page: