cancel
Showing results for 
Search instead for 
Did you mean: 

Is it recommended modifying _SYS_*, technical users

Former Member
0 Kudos
660

Hi,

On SAP HANA 2.0 SPS03, Is it recommended doing any modification like deactivating login permissions, disabling password lifetime check for _SYS_* or _SYS_STATISTICS technical users.

Regards,

Raghavendra.

Accepted Solutions (0)

Answers (3)

Answers (3)

lbreddemann
Active Contributor
0 Kudos

I can't answer why the _SYS_STATISTICS user is not disabled, but altering its password or disabling it altogether is not possible.

If you try to alter the user you get

Could not modify user '_SYS_STATISTICS'. SAP DBTech JDBC: [258]: insufficient privilege: Alter of internal user is not allowed: line 1 col 12 (at pos 11)

With that. no user can just change the password and logon as _SYS_STATISTICS.

Former Member
0 Kudos

Thanks Florian
Yes, All the techical users are deactivted by default on SAP HANA 2.0 SPS03 but the _SYS_STATISTICS techical user is not deactivated by default.


Here is the ouput of sql quary on SAP HANA 2.0 SPS03


hdbsql SYSTEMDB=> SELECT USER_NAME,USER_DEACTIVATED from "PUBLIC"."USERS" WHERE LOWER(SUBSTRING(USER_NAME,1,4)) = '_sys' or LOWER(USER_NAME)='sys';

USER_NAME,USER_DEACTIVATED
"SYS","TRUE"
"_SYS_STATISTICS","FALSE" < ---------------------------------
"_SYS_EPM","TRUE"
"_SYS_REPO","TRUE"
"_SYS_SQL_ANALYZER","TRUE"
"_SYS_TASK","TRUE"
"_SYS_AFL","TRUE"
"_SYS_WORKLOAD_REPLAY","TRUE"
"_SYS_XB","TRUE"
lines 1-10/10 (END)


Regards,
Raghavendra.

pfefferf
Active Contributor
0 Kudos

All pre-defined technical users like SYS, _SYS_* should already be deactivated by default for logon (like described here). You should check the recommendations for database users, roles, privileges + all other recommendations in the HANA security guide (for instance the recommendations related to user SYSTEM).

Regards,
Florian