Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert


We are using below standard SAP integration solutions

SAP Data Intelligence Cloud,

Integration and Data Management,

SAP Data services.

Enterprise Data Management Solutions

SAP HANA Smart Data Integration(SDI)

To integrate data from diverse systems (data integration) data orchestration services… etc

We are using HANA Cloud Database Technical User for few integration scenarios


What is Technical User

A Technical User should not represent real persons.Technical User is one focused on non-functional support of a system

For example Database Technical User can be used for

  • Recurring schedules,

  • Reports,

  • Integration systems

  • Automated data transmission

  • Monitoring purposes

  • ..


We were facing connectivity errors due to HANA Technical Communication User locked may be due to failed Login attempts & eventually to the locking of the user

Error Screenshot :  HANA Database User Authentication Failed due to failed Login attempts



Few common Reasons for a HANA User Lockout

  • In general  Technical user locked due to expiration date

  • Old or wrong password cached

  • May be Real users ,developers accidentally locked Technical User due to mistype password several times

  • Programs , SAP CPI/CI Iflows , scheduled jobs attempting to run multiple times to connection using the old or outdated password and locking the user but password would be changed by Admin & forgot to update in other systems.

HANA has powerful Cloud Security policies, which are used by administrators to lock out an account when unsuccessful login attempts



One option to resolve "User Locked" issue is HANA Database Admin can reset password either using HANA Database Explorer or SQL

If the user was locked/deactivated ,you may need to reset the password & provide new Password

 ALTER USER <user_name> PASSWORD "<new_password>"


If HANA Database User Locked then you need to Unlock from User Management Application as shown below ->

How to Unlock the User in HANA (Every Time)


Click Unlock Button at the top right of the User from User Management Application


However we realize that it was painful due to frequent lock of technical user , we need to  Unlock manually ,reset password repeatedly.


Then we decide to work an option to prevent locking of technical user permanently so that integration ,connectivity issues won’t happen again


In HANA Cloud , User groups support a separation of user management tasks, allowing you to manage related users together for example Admin Users Group, Technical User Group , Unlockable User Group, Real Users Group (Login via SSO)

You can read more about User Groups

In HANA Cloud ,  passwords of database users are subject to certain rules, which are defined in password policies. You can change the default password policy of the database and maintain user group-specific password policies in line with your organization’s security requirements.


There is Property in “Number of Allowed Failed Logon Attempts” in  password policies should be set to “No Limit” on the Password Policy. This will make sure the User Account is not locked irrespective of failed Login attempts.  But “No Limit” option not available in due to SAP HANA Password Policies due to security reasons i.e avoid any exploit, Security vulnerabilities


Here trick to Prevent Technical user locked is you can adjust below Password policies in User Group Settings & assign User Group to Technical User


Let’s start configuration


Procedure to avoid Technical User Lockout permanently


Via HANA Database Explorer


Explanation : The number of minutes for which a user is locked after the maximum number of failed logon attempts is 0 minutes . If you enter the value 0, the user is unlocked immediately. This disables the functionality of parameter Number of Allowed Failed Logon Attempts ( maximum_invalid_connect_attempts )


If you set User Lock Time parameter to 0 then no need to change "Number of Allowed Failed Logon Attempts" as it is disables the functionality of parameter "Number of Allowed Failed Logon Attempts" .

However if you have different value set in User Lock Time parameter then you can play with “Number of Allowed Failed Logon Attempts” .I entered “Number of Allowed Failed Logon Attempts” value as maximum 2,147,483,647

This configuration ensures that accounts won't be locked i.e "Configure the Account lockout threshold policy settings

This settings not recommended for High Privileged Technical User because it may lead to exploit, Security vulnerabilities. Please read below recommendations.



When user locked for existing technical user ,Initially you set value 0 so that you can maintain ,reuse old password.,helps to avoid developers to update password in Integration tools I,e where ever this tech user consumed

After Assigning User Group &  you can maintain same Password

For Safety , you can change  “Number of Last Used Passwords That Cannot Be Reused” may be 5 or any value to not repeat same password




1. Open  SAP BTP and navigate to your Subaccount, and then your Space
2. Chose "SAP HANA Cloud" on the left menu (big cloud icon)
3. Identify your instance, click on "Action", and pick "Open in SAP HANA Cockpit (To Monitor & administer")
4. In SAP HANA cockpit, select the "Security and User Management" menu item on the top left-hand side of the screen.

You can see below screenshots


Open UserGroupManagment Application from Security Section



Create New User Group & Edit Password policies as shown below


⚠️ Enter User Lock Time  = 0 minutes as shown below


Assign Your HANA Database Technical user to User Group


Next From User Management Application ,Chose Your Technical User & Disable two properties

Disable Password Expiry Lifetime,

Disable Password Change on Next Logon


Next Use the SAP HANA Database Explorer --->  "Role Assignment" APP, "Privileges Assignment" APP , to grant only necessary privileges or recommended privileges and roles to Technical user



Congratulations! 🎉  , You have learned how to disable technical user lockout ⚠️


via HANA SQL  ⚠️

'password_lock_time' = '0',
'last_used_passwords' = '0',
'maximum_invalid_connect_attempts' = '2147483647',
'minimal_password_length' ='8',
'password_layout' = 'A1a!'
ENABLE PARAMETER SET 'password policy';

Note: If you set 'password_lock_time'  parameter to 0 then no need to change 'maximum_invalid_connect_attempts' as it is disables the functionality of parameter "Number of Allowed Failed Logon Attempts" .
In above example i set both parameters just to demonstrate how to create User Group via SQL & update parameters


-- After this Create Technical user or use any existing Technical User
-- Then assign “NoLockTechuser” group to Technical User


The following example creates a new user called MyProj_Tech_USER with password Password123. Please provide any strong password for MyProj_Tech_USER instead of Password123



Good To Know : If you are enjoying reading  this blog post , few additional information for your reference .

-- 1) How to know about HANA Cloud effective password policy settings.

-- Execute below SQL Statement
select * from M_PASSWORD_POLICY
-- M_PASSWORD_POLICY System View Provides information about password policy parameters for database users
-- 2) How to check password policy of User

select * from users where USER_NAME ='MYPROJ_TECH_User'

-- To check if the maximum password lifetime is disable or not, you can check the field PASSWORD_CHANGE_TIME under system view USERS.

-- To check if the Password lifetime enabled or not you can check the field
IS_PASSWORD_LIFETIME_CHECK_ENABLED should be false, then try below

-- 3) How to Disable Password Expiry for a user in HANA Cloud
-- You can disable the password lifetime for the technical users using command:

-- However, this is recommended only for technical users only, not database users that correspond to real people, DBADMIN.System

-- A user administrator can re-enable the password lifetime check for a user with the following SQL statement:


Reference : M_PASSWORD_POLICY System View

Recommendations ⚠️ 


I will recommend above configuration should be chosen only if

  • The Strong password policy setting requires i.e all users to have complex passwords.

  • Rotate Password of Technical user frequently & inform actual stakeholders ,Programs who consume this technical user so that it can be updated.

  • Do not disable the password lifetime check for database users that correspond to real people. only technical user accounts for the database connection of the application server should have a password with an unlimited lifetime.

  • Don’t configure easy security polies for Real Users, DBADMIN, System Users or Powerful Technical Users to avoid any security vulnerabilities, Database exploit

  •  Dont use DBADMIN, SYSTEM users as these users are reserved for use by BTP.They are required to manage the database.

  • You should not let your DB ADMIN, SYSTEM user unattended! Everyone knows it exists. So anyone finding your instance IP, could potentially try to connect and ultimately lock it.

  • HANA Team recommends to create a "copy" of the system user or DBADMIN with a distinct name so that no one can find it ,deactivate

  • By default, the lock will remain for 1440 minutes(24h) unless you permanently locked it.

  • HANA Technical users should have a clearly identified purpose and the minimum authorization required in SAP HANA Database

  • Configure audit mechanism to alert administrators when too many failed log-ins occurs in the HANA Cloud environment.

  • Create an audit policy to log activity in the INVALID_CONNECT_ATTEMPTS system view. For example, create an audit policy that logs data query and manipulation statements executed on this view.

These measures help in avoiding security attacks (DoS attack that intentionally attempts to lock accounts, Brute force password attacks)

Please read more about HANA Database User Password Policies


Thank you for reading this blog post. If you find this material useful, please leave your feedback in the comments section below.

Feel free to also 'Like' ,'Share' , 'Follow' me to get new updates.