Hello,
from the security guide,
http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
'The database owner concept stipulates that when a database user is deleted, all objects created by that user
and privileges granted to others by that user are also deleted. If the owner of a schema is deleted, all objects in
the schema are also deleted even if they are owned by a different user. All privileges on these objects are also
deleted.'
we learned, whenever a user is deleted all grants performed by this user are also deleted.
We tested this and it is the case, and it is even the case when you delete a user using RESTRICT.
From an audit perspective we cannot use one generic user that performs central security management.
We are an enterprise company and got a central SAP security department,
which is supposed to cover HANA security handling as far as possible, and it must be traceable who performed which grant.
They will create roles, assign privileges and other roles to these and assign these roles to our HANA users and
right now they use their personal HANA DB user for this purpose, which perfectly logs who was the granter.
From testing and reading the security guide we learned that when one of the group members leaves the security department,
and the related HANA account is deleted, all the work performed with his/her user ID is being lost.
So we see two options right now, which are both not perfect.
a.) never delete a user of this team on HANA, just deactivate the account.
b.) create a generic account and have the entire team work with this account to perform all grants.
Right now we will prefer option a.)
Does anyone see a different option...and/or how do you handle these 'stipulates'?
Regards
Florian
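As an added illustration of option a.) (example SQL written for this thread, not taken from the original post or the SAP guide), the following HANA SQL shows a personal security-admin user granting a role, an audit query on the GRANTOR column of the system views, and deactivation of that user instead of dropping it so the grants survive. The user, role and password names are constructed for the example.

```sql
-- Constructed example: a personal security-admin account that performs grants.
CREATE USER sec_admin_anna PASSWORD "Initial#Pwd1";
GRANT ROLE ADMIN TO sec_admin_anna;

-- Work done under the personal account (run while connected as SEC_ADMIN_ANNA):
CREATE ROLE app_reader;
GRANT SELECT ON SCHEMA "APP_DATA" TO app_reader;
GRANT app_reader TO end_user_bob;

-- Audit trail: the personal user is recorded as GRANTOR, which is the
-- traceability the thread asks for (a generic shared account would lose it).
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTOR = 'SEC_ADMIN_ANNA';

SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTOR = 'SEC_ADMIN_ANNA';

-- Option a.): when the admin leaves, deactivate rather than drop.
-- The login is blocked, but GRANTOR stays in the views and the grants remain.
ALTER USER sec_admin_anna DEACTIVATE USER NOW;

-- Periodic check that departed admins are deactivated, not merely idle.
SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME
  FROM SYS.USERS
 WHERE USER_NAME = 'SEC_ADMIN_ANNA';

-- What the thread warns against: even RESTRICT removes the grants made by
-- this user, so APP_READER and Bob's assignment would disappear with it.
-- DROP USER sec_admin_anna RESTRICT;
```

Re-running the two GRANTOR queries after the deactivation shows the same rows, whereas after a DROP USER they return nothing because the role and its grants are gone with the owner.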