6.

1 User Types
It is often necessary to specify different security policies for different types of
database user. In the SAP HANA database, we differentiate between database users
that correspond to real people and technical database users.
Technically, database users that correspond to real people and technical database
users are the same. The only difference between them is conceptual.Database Users
that Correspond to Real People
For every person who needs to work with SAP HANA, the user administrator creates a
database user.
Database users that correspond to real people are dropped when the person leaves
the organization. This means that any database objects that they own are also
automatically dropped, and any privileges that they granted are automatically
revoked.
Database users are created with either the CREATE USER or CREATE RESTRICTED USER
statement.Standard Users
Standard users are created with the CREATE USER statement. By default they can
create objects in their own schema and read data in system views. Read access to
system views is granted by the PUBLIC role, which is granted to every standard
user.Restricted Users
Restricted users, created with the CREATE RESTRICTED USER statement, initially have
no privileges. Restricted users are intended for provisioning users who access SAP
HANA through client applications and who are not intended to have full SQL access
via an SQL console. If the privileges required to use the application are
encapsulated within an application-specific role, then it is necessary to grant the
user only this role. In this way, it can be ensured that users have only those
privileges that are essential to their work.
Compared to standard database users, restricted users are initially limited in the
following ways:?
They cannot create objects in the database as they are not authorized to create
objects in their own database schema.?
They cannot view any data in the database as they are not granted (and cannot be
granted) the standard PUBLIC role.?
They are only able to connect to the database using HTTP/HTTPS.
For restricted users to connect via ODBC or JDBC, access for client connections
must be enabled by executing the SQL statement ALTER USER <user_name> ENABLE CLIENT
CONNECT or enabling the corresponding option in the Restricted User editor of the
SAP HANA studio.
For full access to ODBC or JDBC functionality, users also require the predefined
role RESTRICTED_USER_ODBC_ACCESS or RESTRICTED_USER_JDBC_ACCESS

Technical Database Users

Technical database users do not correspond to real people. They are therefore not
dropped if a person leaves the organization. This means that they should be used
for administrative tasks such as creating objects and granting privileges for a
particular application.
Some technical users are available as standard, for example, the users SYS and
_SYS_REPO.
Other technical database users are created for application-specific purposes. For
example, an application server may log on to the SAP HANA database using a
dedicated technical database user.
Technical users are standard users created with the CREATE USER statement.

User Administration Tools

Depending on your organization and its user provisioning strategy, people with
different job functions may be involved in the process of user administration.
Different tools are used for different tasks.
The recommended process for provisioning users in SAP HANA is as follows:1.
Define and create roles.2.
Create users.3.
Grant roles to users.
Further administration tasks include:?
Deleting users when they leave the organization?
Reactivating users after too many failed logon attempts?
Deactivating users if a security violation has been detected?
Resetting user passwords

SAP HANA Lifecycle Management Tool hdblcm(gui)

You can use the SAP HANA lifecycle management tools to perform post-installation
steps including changing the passwords of database user SYSTEM and operating system
administrator <sid>adm as part of system rename. For more information, see Changing
System Identifiers in the SAP HANA Administration Guide.