OK, you are a new SAP BASIS administrator, but you didn’t get any passwords from the previous SAP guy. Your goal is to get access to SAP* in a certain client, and all you have is OS access to the application and database servers. The takeover sequence is:
OS > SYSTEM@SYSTEMDB > SYSTEM@TENANTDB > SAPHANADB@TENANTDB > SAP*
- Taking over SYSTEM user of HANA SYSTEM DB:
su - <hanadb user>
HDB stop
hdbenv.sh
hdbnameserver -resetUserSystem
sapcontrol -nr $TINSTANCE -function StartSystem HDB
- Taking over SYSTEM user of HANA TENANT DB:
As SYSTEM@SYSTEMDB:
ALTER SYSTEM STOP DATABASE <TENANTDB>;
ALTER DATABASE <TENANTDB> SYSTEM USER PASSWORD "MY_NEW_PASSWORD";
ALTER SYSTEM START DATABASE <TENANTDB>;
- Taking over SAPHANADB user in HANA TENANT DB:
As SYSTEM@TENANTDB:
ALTER USER SAPHANADB PASSWORD "MY_NEW_PASSWORD" NO FORCE_FIRST_PASSWORD_CHANGE;
Changing the password in the hdbuserstore of the application server:
su - <application server user>
hdbuserstore -i SET DEFAULT <sap-hanadb-hostname>:3<instance>13@<TENANTDB> SAPHANADB
Unlock the user and reset the connect attempts count:
As SYSTEM@TENANTDB:
ALTER USER SAPHANADB RESET CONNECT ATTEMPTS;
ALTER USER SAPHANADB ACTIVATE USER NOW;
Checking:
su - <application server user>
hdbsql -U DEFAULT
SQL> SELECT * FROM T000;
- Taking over SAP* in the client:
su - <application server user>
Check that the parameter login/no_automatic_user_sapstar = 0 is set in the SAP application server’s profiles.
As SAPHANADB@TENANTDB:
Check for the created SAP* user record and delete it to remove its override:
select * from USR02 where MANDT = '<MANDT>' and BNAME = 'SAP*';
delete from USR02 where MANDT = '<MANDT>' and BNAME = 'SAP*';
Log in as SAP* with the default password “pass”.
Do not forget to bring it all back!
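As part of bringing it all back, the following check (an added example, not from the original post) lists profile files whose effective login/no_automatic_user_sapstar is still 0, meaning the built-in SAP* fallback with the default password remains enabled. The function names and sample profiles are constructed; it assumes the last definition in a file wins and leaves unset parameters unflagged.

```shell
#!/bin/sh
# Added example: audit SAP profile files for login/no_automatic_user_sapstar.
# find_sapstar_fallback DIR prints "<file>: 0" for every profile whose last
# (assumed effective) definition of the parameter is 0; returns 1 if any exist.
find_sapstar_fallback() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip comment lines, tolerate blanks around "=", keep the last value.
        val=$(awk -F= '
            /^[ \t]*#/ { next }
            {
                key = $1; gsub(/[ \t\r]/, "", key)
                if (key == "login/no_automatic_user_sapstar") {
                    v = $2; gsub(/[ \t\r]/, "", v); last = v
                }
            }
            END { print last }' "$f")
        if [ "$val" = "0" ]; then
            printf '%s: %s\n' "$f" "$val"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample profiles (not from a real system) for a self-check.
make_sample_profiles() {
    d=$(mktemp -d)
    # Fallback still enabled: must be reported.
    printf '%s\n' 'SAPSYSTEMNAME = ABC' \
        'login/no_automatic_user_sapstar = 0' > "$d/DEFAULT.PFL"
    # Commented-out line and an earlier 0 overridden by a later 1: clean.
    printf '%s\n' '#login/no_automatic_user_sapstar = 0' \
        'login/no_automatic_user_sapstar = 0' \
        'login/no_automatic_user_sapstar=1' > "$d/ABC_D00_host1"
    # Parameter not set at all: not reported by this check.
    printf '%s\n' 'rdisp/wp_no_dia = 10' > "$d/ABC_ASCS01_host1"
    echo "$d"
}

# Usage: sh check_sapstar.sh /usr/sap/<SID>/SYS/profile
if [ "$#" -eq 1 ]; then
    find_sapstar_fallback "$1"
fi
```

A non-zero exit status means at least one profile still has the fallback switched on.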