1 User Types
It is often necessary to specify different security policies for different types of
database user. In the SAP HANA database, we differentiate between database users
that correspond to real people and technical database users.
Technically, database users that correspond to real people and technical database
users are the same. The only difference between them is conceptual.
Database Users that Correspond to Real People
For every person who needs to work with SAP HANA, the user administrator creates a
database user.
Database users that correspond to real people are dropped when the person leaves
the organization. This means that any database objects that they own are also
automatically dropped, and any privileges that they granted are automatically
revoked.
Database users are created with either the CREATE USER or CREATE RESTRICTED USER
statement.
Standard Users
Standard users are created with the CREATE USER statement. By default they can
create objects in their own schema and read data in system views. Read access to
system views is granted by the PUBLIC role, which is granted to every standard
user.
Restricted Users
Restricted users, created with the CREATE RESTRICTED USER statement, initially have
no privileges. Restricted users are intended for provisioning users who access SAP
HANA through client applications and who are not intended to have full SQL access
via an SQL console. If the privileges required to use the application are
encapsulated within an application-specific role, then it is necessary to grant the
user only this role. In this way, it can be ensured that users have only those
privileges that are essential to their work.
Compared to standard database users, restricted users are initially limited in the
following ways:
• They cannot create objects in the database as they are not authorized to create
  objects in their own database schema.
• They cannot view any data in the database as they are not granted (and cannot be
  granted) the standard PUBLIC role.
• They are only able to connect to the database using HTTP/HTTPS.
For restricted users to connect via ODBC or JDBC, access for client connections
must be enabled by executing the SQL statement ALTER USER <user_name> ENABLE CLIENT
CONNECT or enabling the corresponding option in the Restricted User editor of the
SAP HANA studio.
For full access to ODBC or JDBC functionality, users also require the predefined
role RESTRICTED_USER_ODBC_ACCESS or RESTRICTED_USER_JDBC_ACCESS.
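
The restricted-user provisioning described above, written out as an added example (not part of the original SAP text), followed by catalog queries for reviewing the result. The user JDOE, the schema SALES_APP, the role SALES_APP_READ and the password are hypothetical placeholders; the script assumes the executing administrator is allowed to create users and roles and to grant SELECT on that schema.

```sql
-- Added example: JDOE, SALES_APP, SALES_APP_READ and the password are
-- hypothetical placeholders, not values from the original page.

-- 1. Encapsulate what the application needs in an application-specific role.
CREATE ROLE SALES_APP_READ;
GRANT SELECT ON SCHEMA SALES_APP TO SALES_APP_READ;

-- 2. Create the restricted user. It starts with no privileges, cannot
--    create objects in its own schema and is not granted the PUBLIC role.
CREATE RESTRICTED USER JDOE PASSWORD "Placeholder1ChangeMe";

-- 3. Grant only the application role.
GRANT SALES_APP_READ TO JDOE;

-- 4. Only if the client application connects via JDBC instead of HTTP/HTTPS:
--    enable client connections and add the predefined JDBC access role.
ALTER USER JDOE ENABLE CLIENT CONNECT;
GRANT RESTRICTED_USER_JDBC_ACCESS TO JDOE;

-- 5. Review the new user: restriction flag and client-connect setting.
SELECT USER_NAME, IS_RESTRICTED, IS_CLIENT_CONNECT_ENABLED
  FROM SYS.USERS
 WHERE USER_NAME = 'JDOE';

-- 6. Review every role and directly granted privilege the user holds, and
--    compare the lists against what steps 1 to 4 were meant to grant.
SELECT ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'JDOE';

SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'JDOE';

-- 7. Periodic inventory: all restricted users with their roles, so that
--    grants beyond the application role stand out during a review.
SELECT U.USER_NAME, U.IS_CLIENT_CONNECT_ENABLED, R.ROLE_NAME
  FROM SYS.USERS AS U
  LEFT JOIN SYS.GRANTED_ROLES AS R ON R.GRANTEE = U.USER_NAME
 WHERE U.IS_RESTRICTED = 'TRUE'
 ORDER BY U.USER_NAME, R.ROLE_NAME;
```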