The SYSTEM user in SAP HANA – What should be considered?

The SYSTEM user in the SAP HANA database is a highly privileged system user that is automatically created during the installation of the SAP HANA database. This user’s permissions are versatile and include:

  • Accessing system tables
  • Extensive system privileges with SAP HANA DB authorizations (System Privilege)
  • Possibility to create additional database schemas
  • Modification of configuration files (*.ini)
  • Creation of users and roles
  • Setup and configuration of interfaces

Among other things, these extensive and strong permissions are transferred to this user at installation time, for example by the technical users SYS or SYSREPO. These authorizations cannot simply be revoked, because a user must exist after installation to enable the configuration of the SAP HANA database. The authorizations of this user are comparable to the standard profile SAP_ALL known from SAP NetWeaver ABAP. This also means that if the SYSTEM user is to be authorized for new database artifacts such as tables, schemas, and system views that were created after the installation of the SAP HANA database, these authorizations must first be transferred to it by the owner of the database objects. For a schema, this can be done with an SQL command of the following form:

GRANT SELECT ON SCHEMA <SCHEMA_NAME> TO SYSTEM WITH GRANT OPTION;

This SQL statement grants the user SYSTEM read access to the schema. Because of WITH GRANT OPTION, the SYSTEM user can in addition pass this privilege on to another database user or authorization role.

Consideration of criticality

Although the SAP HANA user SYSTEM has no application-level permissions on schemas, views, procedures or other database artifacts created after installation, it is highly privileged in the field of administration tasks. This can lead to the user being used, among other things, for the daily administration of the SAP HANA database or as a communication user in interfaces. For this reason, it is advisable to use the SYSTEM user to create dedicated users, each with a stand-alone role set, for administration, development, support, and business users. The user types and the roles that can be created and granted in the SAP HANA database as package privileges are described in the blog post by my colleague Volker Deneke.

If a corresponding authorization concept has been created on the SAP HANA database for administration and daily tasks, it is recommended to deactivate and revoke access to the user SYSTEM.

However, to update SAP support package stacks, SAP enhancement packages, and SAP systems with Software Update Manager (SUM), and to install or migrate SAP systems using Software Provisioning Manager (SWPM), the SYSTEM user is required and must be temporarily re-activated for the duration of the upgrade, installation, or migration. Reactivation must be carried out by a database administration user who holds the system privilege USER ADMIN.

The SYSTEM user in a multitenant database

Each database (tenant) of an SAP HANA instance has its own set of database users, including the SYSTEM user. When and how the SYSTEM user password is required depends on whether the system has been installed in multi-tenant mode or converted to multitenant mode.

Compared to the SYSTEM user of a tenant database (which holds the business data), the SYSTEM user of the system database has additional permissions: those required to manage tenant databases, such as creating and deleting databases, modifying database configuration files (*.ini), and performing database-specific backups.

Protection and analysis of the SYSTEM user

  1. Define an independent user and authorization concept for the areas of database user administration, development, support, and emergency. If business users from the departments are to be granted access to database artifacts such as tables or views, it is expedient to define and grant roles specific to this purpose. (See also the Xiting service: SAP HANA Database Authorization Concept.)
  2. Assign the authorization roles, with their HANA object privileges, to the previously defined standard users.
  3. Change the password of the SYSTEM user to a new password, which is documented accordingly and stored in a safe place.
  4. Deactivate the SYSTEM user using the SQL console of SAP HANA Studio or the web interface of SAP HANA XS Application Security with the following SQL statement: ALTER USER SYSTEM DEACTIVATE USER NOW
  5. To ensure that no SAP HANA database user holding the system privilege USER ADMIN activates the previously deactivated SYSTEM user for a purpose other than those shown above, it is recommended to define an AUDIT policy on the SQL statement ALTER USER.
  6. To further ensure that the SYSTEM user has been successfully deactivated and has not been reactivated in the meantime, the columns USER_DEACTIVATED, DEACTIVATION_TIME, and LAST_SUCCESSFUL_CONNECT for the SYSTEM user can be checked regularly in the system view USERS. In the Role Profiler of XAMS, you can use the HANA General Status Check report for this purpose:
[Figure: Risk SYSTEM User – Preventive Measures for Protection]
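Steps 3 to 6 of the list above, written out as SQL for the SAP HANA SQL console; this is an added example and not code from the original post. The password value and the audit policy name XT_ALTER_USER are placeholders, and the final check assumes the audit trail is written to the internal database table so that SYS.AUDIT_LOG is populated.

```sql
-- Added example (not from the original post): steps 3 to 6 of the protection
-- list as SQL statements. Run them as an administration user that holds the
-- system privileges USER ADMIN and AUDIT ADMIN, not as SYSTEM itself.

-- Step 3: set a new, documented password (placeholder value; HANA upper-cases
-- an unquoted password, so keep the double quotes).
ALTER USER SYSTEM PASSWORD "<NEW_DOCUMENTED_PASSWORD>";

-- Step 4: deactivate the SYSTEM user immediately.
ALTER USER SYSTEM DEACTIVATE USER NOW;

-- Step 5: log every ALTER USER statement, successful or not, so that a later
-- reactivation of SYSTEM by a USER ADMIN holder leaves an audit entry.
-- Auditing must be switched on globally first; the policy name is assumed.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;
CREATE AUDIT POLICY "XT_ALTER_USER" AUDITING ALL ALTER USER LEVEL CRITICAL;
ALTER AUDIT POLICY "XT_ALTER_USER" ENABLE;

-- Step 6a: regular check. Expected after step 4: USER_DEACTIVATED = 'TRUE',
-- DEACTIVATION_TIME set, and LAST_SUCCESSFUL_CONNECT older than it.
SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME, LAST_SUCCESSFUL_CONNECT
  FROM SYS.USERS
 WHERE USER_NAME = 'SYSTEM';

-- Step 6b: who could reactivate SYSTEM? List all grantees of USER ADMIN so
-- the circle of users able to run ALTER USER stays small and known.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE = 'USER ADMIN';

-- Step 6c: review audited ALTER USER statements that touched SYSTEM
-- (assumes the audit trail target is the internal table, so that
-- SYS.AUDIT_LOG is populated).
SELECT "TIMESTAMP", USER_NAME, EVENT_STATUS, STATEMENT_STRING
  FROM SYS.AUDIT_LOG
 WHERE AUDIT_POLICY_NAME = 'XT_ALTER_USER'
   AND UPPER(STATEMENT_STRING) LIKE '%ALTER USER SYSTEM%'
 ORDER BY "TIMESTAMP" DESC;
```

Any row returned by step 6c outside a documented emergency or upgrade window is the signal the audit policy in step 5 is meant to produce.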

Result

The SYSTEM user is a highly privileged user that exists from the time of installation of an SAP HANA database and must be used for the initial configuration of authorization management. It is the only user that is effectively available on the SAP HANA database after installation.

It is advisable to set up and apply an independent SAP HANA database system authorization concept to separate the tasks such as administration, configuration, development, and any applications (reporting) of the department at the database level. Thus, it can be ensured that there are no unwanted changes. The SYSTEM user should be deactivated after the initial configuration.

Because the SYSTEM user also has non-inheritable, exclusive privileges, this is often also relevant when introducing an emergency user concept. In general, all users in the SAP HANA database should log on with a personal user. For emergency scenarios, however, it is conceivable to establish a formalized process that provides for the reactivation, use, and finally deactivation of the SYSTEM user. In any case, the activities must be sufficiently documented.

As a competent security expert, Xiting offers you support in the field of SAP HANA Security, SAP HANA Studio or SAP HANA Cockpit, and much more to ensure adequate protection of your highly privileged users regarding sustainable user management. In addition to smooth operation, the protection of sensitive data at the database level is more important than ever.


Christian Weide