SAP HANA 2.0 Security Guide - Part 3

User Groups

User groups enable you to manage users together. A dedicated group administrator can be assigned to manage each user group.
Every user group can have its own dedicated administrator(s). In this way, user management tasks can be delegated to several people independently of each other.

User Groups are designed to provide separation of duties for user management. You cannot use User Groups to control data access (Authorizations).

Group Creation and Administration Mode
A global user administrator (that is, a user with system privilege USER ADMIN) creates user groups using the CREATE USERGROUP statement. The user administrator can then designate one or more group administrators by granting the object privilege USERGROUP OPERATOR on the user group to the relevant user.
A user can be the group administrator of more than one group.

Statements:
CREATE USERGROUP <usergroupname>
Group administrators and user administrators (default if authorization mode is not explicitly specified)

CREATE USERGROUP <usergroupname> DISABLE USER ADMIN
Group administrators only (exclusive administration)

ALTER USERGROUP <usergroupname> DISABLE USER ADMIN
Group administrators only (exclusive administration)

ALTER USERGROUP <usergroupname> ENABLE USER ADMIN
Group administrators and user administrators

Example:
User administrator creates a new user group requiring its own exclusive administrator:
CREATE USERGROUP sale DISABLE USER ADMIN;

User administrator assigns the group administrator:
GRANT USERGROUP OPERATOR ON USERGROUP sale TO Michael;

Group administrator (Michael) adds new user to the group:
CREATE USER Steve PASSWORD Welcome1 SET USERGROUP sale;

Group Membership
User administrators and/or group administrators add new or existing users to a user group with the SET USERGROUP option of the CREATE | ALTER USER statements.

Statements:
CREATE USER <username> PASSWORD <password> SET USERGROUP <usergroupname>
Creates new user in a user group

ALTER USER <username> SET USERGROUP <usergroupname>
Adds an existing user to a user group

ALTER USER <username> UNSET USERGROUP
Removes a user from a user group

A user can belong to just one user group, but a user does not have to be a member of any group. Users who are not in any group are managed as normal by user administrators.

To move a user from one user group to another group
Statement:
ALTER USER <username> SET USERGROUP <usergroupname>
This automatically removes the user from the original user group.

Group Membership - Example
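-- Create a new user directly in the group sale
CREATE USER Alice PASSWORD Welcome1 SET USERGROUP sale;
-- Add the existing user Jackson to the group sale
ALTER USER Jackson SET USERGROUP sale;
-- Remove Alice from her user group
ALTER USER Alice UNSET USERGROUP;
-- Move Jackson to the group XYZ (this removes him from sale automatically)
ALTER USER Jackson SET USERGROUP XYZ;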

User Groups List
You can find information about User Groups in the USERGROUPS system view.
Execute the statement below in the SQL console to list the groups:
SELECT * FROM USERGROUPS;
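
An added example, not part of the original post and not SAP's own code: queries a security reviewer could run to check how the groups described above are administered (administration mode and member count per group, holders of USERGROUP OPERATOR, exclusive groups with no group administrator, and users outside any group). The column names IS_USER_ADMIN_ENABLED (USERGROUPS) and USERGROUP_NAME (USERS), the 'TRUE'/'FALSE' values, and the OBJECT_TYPE value 'USERGROUP' in GRANTED_PRIVILEGES are assumptions to verify against your HANA revision.

```sql
-- Added example: review of user group administration.
-- Assumed (verify on your revision): USERGROUPS.IS_USER_ADMIN_ENABLED with
-- values 'TRUE'/'FALSE', USERS.USERGROUP_NAME, and
-- GRANTED_PRIVILEGES.OBJECT_TYPE = 'USERGROUP' for group-level grants.

-- 1. Every group with its administration mode and number of members.
--    'FALSE' corresponds to DISABLE USER ADMIN (group administrators only).
SELECT g.USERGROUP_NAME,
       g.IS_USER_ADMIN_ENABLED,
       COUNT(u.USER_NAME) AS MEMBER_COUNT
  FROM USERGROUPS g
  LEFT JOIN USERS u
    ON u.USERGROUP_NAME = g.USERGROUP_NAME
 GROUP BY g.USERGROUP_NAME, g.IS_USER_ADMIN_ENABLED
 ORDER BY g.USERGROUP_NAME;

-- 2. Group administrators: who holds USERGROUP OPERATOR on which group,
--    who granted it, and whether the holder can pass it on.
SELECT p.OBJECT_NAME AS USERGROUP_NAME,
       p.GRANTEE,
       p.GRANTEE_TYPE,
       p.GRANTOR,
       p.IS_GRANTABLE
  FROM GRANTED_PRIVILEGES p
 WHERE p.OBJECT_TYPE = 'USERGROUP'
   AND p.PRIVILEGE   = 'USERGROUP OPERATOR'
 ORDER BY p.OBJECT_NAME, p.GRANTEE;

-- 3. Groups in exclusive mode that currently have no grantee of
--    USERGROUP OPERATOR, i.e. no group administrator assigned.
SELECT g.USERGROUP_NAME
  FROM USERGROUPS g
 WHERE g.IS_USER_ADMIN_ENABLED = 'FALSE'
   AND NOT EXISTS (
         SELECT 1
           FROM GRANTED_PRIVILEGES p
          WHERE p.OBJECT_TYPE = 'USERGROUP'
            AND p.OBJECT_NAME = g.USERGROUP_NAME
            AND p.PRIVILEGE   = 'USERGROUP OPERATOR');

-- 4. Users who belong to no group; these are managed by users holding
--    the USER ADMIN system privilege.
SELECT USER_NAME
  FROM USERS
 WHERE USERGROUP_NAME IS NULL
 ORDER BY USER_NAME;
```
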
Reviewed by NEXT GEN Technologies on 12:57 PM
