How To Prevent DBAdmin Account From Getting Locked

Hello all!

My name is Man-Ted Chan and I’m from the SAP HANA Development team. I’m writing this piece because of an increase in requests from SAP HANA Cloud users who find that their DBADMIN user needs to be unlocked.

The DBADMIN user becomes locked after several consecutive failed logon attempts. This regularly occurs after a password change, when old apps or scheduled jobs keep trying to run with the old password and lock the user.

First, what exactly is the DBADMIN user? The DBADMIN user is a super user that has all the privileges to make major changes to a database. It is suggested that the DBADMIN user only be used for your initial administrative tasks. Having the DBADMIN user do everything renders auditing and most security tracking useless.

So, what should you do???

Rather than using the DBADMIN user to do daily tasks, create new users/groups to do specific tasks. Though this adds some extra steps before you can start using SAP HANA Cloud, it’ll save you from production downtime when the DBADMIN user gets locked ☹

In the SAP BTP Cockpit, go to your SAP HANA Database Instances


Click on the ‘Actions’ button and select ‘Open in SAP HANA Cockpit’


Enter the login information


The SAP HANA Cockpit will look like this


From the SAP HANA Cockpit, under the ‘User & Role Management’, we can create and edit users, groups, roles, and privileges.

We’ll cover creating a user first


After choosing the user options, press the Save button at the bottom


In BTP cockpit we can assign users to a group, allowing admins to maintain user permissions as one group rather than individually (designer group, debugging group, admin group, etc.).

Below are the steps to create a new group and add our “TEST” user to the new group, “TESTGROUP”

You can access the User Group via the BTP cockpit


or in the upper left-hand area next to the back button and SAP logo


Once you are on the User Group Management page and press the “New User Group” button, the following popup appears


Once created we can open the group and add our TEST user

A role is a collection of privileges that can be granted to either a user, user group, or another role.

The following screens show the ‘Role Management’ page and the steps to create a Role

In the Role Management page press the ‘+’ button


You will be prompted to create a role


Once created, press the edit button to add your desired privileges

In ‘Role Management’ role groups can be made

When pressing the add button a popup of available roles appears


In role assignment you will assign your roles to your user


When ‘Assign roles to a user’ is selected, you enter a username and assign your desired roles to that user. In the example below we will be using our “TEST” user

Press the ‘Edit’ button

Then press ‘Add’ and the following popup will appear which allows you to select your desired roles


In the following example we will select ‘MODELING’ then press ‘Select’

‘MODELING’ will now appear as an assigned role for the ‘Test’ user

Press the ‘Save’ button when done.

If you select ‘Assign a role to multiple users’, you enter a role in the search, such as ‘PUBLIC’, and that displays all the users who are assigned ‘PUBLIC’

Press ‘Edit’, which allows you to add or remove users

In ‘Privilege Management’, enter the object you want to add privileges to. In the example below we are displaying the privileges of the DBADMIN user.

Once you have set up your required users and groups, it is best practice to deactivate the DBADMIN user so that nobody logs in as a user with super user privileges. To do this, the user who deactivates it needs to have the object privilege OPERATOR for the DEFAULT user group. Below are screenshots of assigning the privileges to the above user and then deactivating the DBADMIN user.

Now that the permissions are assigned to the TEST user, login as the TEST user and return to the ‘User Management’ page and select the DBADMIN user

Please note the DBADMIN user cannot be deleted and if attempted, the following message would appear
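The same setup can also be written as SQL statements for a SQL console. This is an added example, not part of the original post: the role name TEST_ROLE and the password placeholder are assumptions, while TEST, TESTGROUP, MODELING and the OPERATOR privilege on the DEFAULT user group come from the steps above.

```sql
-- Part 1: run as DBADMIN (initial administrative setup only).

-- User group from the walkthrough, so permissions are maintained per group.
CREATE USERGROUP TESTGROUP;

-- Named user placed in that group. Replace the placeholder with a real
-- initial password; do not reuse the DBADMIN password.
CREATE USER TEST PASSWORD "<initial-password-placeholder>" SET USERGROUP TESTGROUP;

-- Hypothetical role (TEST_ROLE is an assumed name) holding one privilege.
-- CATALOG READ lets the user read system views, used in Part 2 below.
CREATE ROLE TEST_ROLE;
GRANT CATALOG READ TO TEST_ROLE;

-- Role assignment: the predefined MODELING role from the example above,
-- plus the role just created.
GRANT MODELING TO TEST;
GRANT TEST_ROLE TO TEST;

-- Privilege required to deactivate DBADMIN: OPERATOR on the DEFAULT user group.
GRANT USERGROUP OPERATOR ON USERGROUP DEFAULT TO TEST;

-- Part 2: log on as TEST, then deactivate DBADMIN.
ALTER USER DBADMIN DEACTIVATE USER NOW;

-- Check the result and watch for failed logons, which point to old apps
-- or scheduled jobs that still use a previous password.
SELECT USER_NAME,
       USER_DEACTIVATED,
       INVALID_CONNECT_ATTEMPTS,
       LAST_INVALID_CONNECT_ATTEMPT
FROM SYS.USERS
WHERE USER_NAME IN ('DBADMIN', 'TEST');
```

A non-zero INVALID_CONNECT_ATTEMPTS value for a user after a password change is the signal to look for a client that was not updated, before the account locks.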