17.4 Disabling the SYSTEM Account
After the system has been set up and a security model is established, we recommend that organizations deactivate the SYSTEM account. The account can't be dropped, so deactivation is the available control: a deactivated user keeps its roles and privileges but can no longer log on. SYSTEM should be reactivated only for tasks that can't be performed with any other account, and while it is active its actions should be fully audited by a member of the security team. Deactivating the SYSTEM account is important for the following reasons:
- The account has almost complete access to all aspects of the system. It holds the full set of system privileges by default, so a compromise of this one account is a compromise of the whole database.
- SYSTEM is a well-known administrative account with the same name on every SAP HANA installation, which makes it the first target for password guessing and credential reuse by attackers inside and outside the organization. If it's deactivated, a guessed or leaked password gains nothing, because the account can't log on.
- SYSTEM is a shared account. The SAP HANA audit log records the user name SYSTEM, not the person who actually executed the statement, so little or no accountability is possible when this account is used.
- The account offers no segregation of duties: a single logon combines user, role, audit, backup, and system administration.
To deactivate the SYSTEM account, log on as a different user that holds the USER ADMIN system privilege and execute the following SQL statement. Confirm first that this user exists and can log on; otherwise you lock yourself out of user administration. In a multiple-container system, SYSTEM exists in the system database and in every tenant database, so repeat the step in each one:
ALTER USER SYSTEM DEACTIVATE;
To validate that the SYSTEM account has been deactivated, execute the following SQL code:
SELECT * FROM USERS
WHERE USER_NAME = 'SYSTEM'
AND USER_DEACTIVATED = 'TRUE';
If a record is returned containing the SYSTEM account details, the account has been deactivated; the DEACTIVATION_TIME column of the same view records when. If you need to reactivate the SYSTEM account, execute the following SQL code as a user with the USER ADMIN privilege, and make sure the reactivation itself is audited:
ALTER USER SYSTEM ACTIVATE;
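The following script walks through the whole procedure in order, so that deactivating SYSTEM can't lock you out of user administration, and adds the audit check the text calls for. It is an added example, not code from the book: the user name SEC_ADMIN, the audit policy name AUDIT_ALTER_USER, and the placeholder password are assumptions chosen for illustration. The system views SYS.USERS, SYS.GRANTED_PRIVILEGES, SYS.EFFECTIVE_PRIVILEGES, and SYS.AUDIT_LOG are standard SAP HANA views.

```sql
-- Step 1 (run as SYSTEM, once, before deactivation):
-- create a named administrator to take over the duties SYSTEM performed.
-- SEC_ADMIN and the password are assumed names for this example; the
-- initial password must be changed at first logon (the HANA default).
CREATE USER SEC_ADMIN PASSWORD "Initial-Passw0rd-Change-Me";
GRANT USER ADMIN  TO SEC_ADMIN;   -- needed to ALTER USER ... DEACTIVATE/ACTIVATE
GRANT ROLE ADMIN  TO SEC_ADMIN;
GRANT AUDIT ADMIN TO SEC_ADMIN;   -- needed to create the audit policy in step 4

-- Step 2: pre-check before touching SYSTEM. At least one *other* active user
-- must hold USER ADMIN, or nobody will be able to reactivate SYSTEM later.
-- Directly granted system privileges:
SELECT g.GRANTEE, u.USER_DEACTIVATED, u.LAST_SUCCESSFUL_CONNECT
  FROM SYS.GRANTED_PRIVILEGES g
  JOIN SYS.USERS u ON u.USER_NAME = g.GRANTEE
 WHERE g.OBJECT_TYPE   = 'SYSTEMPRIVILEGE'
   AND g.PRIVILEGE     = 'USER ADMIN'
   AND g.GRANTEE_TYPE  = 'USER'
   AND g.GRANTEE      <> 'SYSTEM'
   AND u.USER_DEACTIVATED = 'FALSE';

-- Privileges inherited through roles are not in GRANTED_PRIVILEGES for the
-- user; EFFECTIVE_PRIVILEGES resolves them but must be filtered by USER_NAME.
SELECT USER_NAME, PRIVILEGE, GRANTOR, GRANTOR_TYPE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'SEC_ADMIN'
   AND PRIVILEGE = 'USER ADMIN';
-- Expect at least one row for SEC_ADMIN before continuing.

-- Step 3 (log off SYSTEM, log on as SEC_ADMIN): deactivate and verify.
ALTER USER SYSTEM DEACTIVATE;

SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME
  FROM SYS.USERS
 WHERE USER_NAME = 'SYSTEM';
-- Expect USER_DEACTIVATED = 'TRUE' and a populated DEACTIVATION_TIME.
-- In a multiple-container system, repeat step 3 in the system database and
-- in each tenant database; each has its own SYSTEM user.

-- Step 4 (as SEC_ADMIN, holding AUDIT ADMIN): make every ALTER USER
-- statement, including a later ACTIVATE of SYSTEM, an audited event.
-- Auditing must be switched on globally (global_auditing_state in
-- global.ini) and the audit trail must include the internal table target
-- for SYS.AUDIT_LOG to be populated; both are configuration, not SQL.
CREATE AUDIT POLICY AUDIT_ALTER_USER AUDITING ALL ALTER USER LEVEL CRITICAL;
ALTER AUDIT POLICY AUDIT_ALTER_USER ENABLE;

-- Step 5: the security team's review query. Any reactivation of SYSTEM
-- shows up here with the real person (USER_NAME) and client address.
SELECT TIMESTAMP, USER_NAME, CLIENT_HOST, CLIENT_IP,
       EVENT_ACTION, EVENT_STATUS, STATEMENT_STRING
  FROM SYS.AUDIT_LOG
 WHERE EVENT_ACTION = 'ALTER USER'
   AND UPPER(STATEMENT_STRING) LIKE '%SYSTEM%ACTIVATE%'
 ORDER BY TIMESTAMP DESC;
```

The order matters: step 2 is run before step 3 precisely because a deactivated SYSTEM can't repair a mistake. The pre-check also exposes the common failure mode of a "backup" administrator that exists but was never logged on to, or whose initial password has expired, which is why LAST_SUCCESSFUL_CONNECT is included in the first query.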