I see that the documentation should be clearer here.
From what I can see, the deactivation through password-expiry is actually not tracked at all.
Current versions of SAP HANA studio simply seem to check for whether the password lifetime had been exceeded or not.
The user technically is not locked as such, but could log on after a password change.
The LOCKED information in the USERS table shows - as you correctly mentioned - that an account had been actively locked and needs to be specifically unlocked again to be used. The password lifetime doesn't change that.
PASSWORD_CHANGE_NEEDED just means: the current password had been set by the admin and the password rules say that it needs to be changed by the user before anything else.
Now for the monitoring purpose to find out which users can currently effectively access the database, you may use a statement similar to those used by SAP HANA studio:
    SELECT USER_NAME,
           MAX(CASE
                 -- 1: initial (admin-given) password that was never changed and has outlived its lifetime
                 WHEN U.ADMIN_GIVEN_PASSWORD = 'TRUE'
                  AND PP.PROPERTY = 'maximum_unused_initial_password_lifetime'
                  AND ADD_DAYS(GREATEST(IFNULL(U.LAST_SUCCESSFUL_CONNECT, U.CREATE_TIME),
                                        U.PASSWORD_CHANGE_TIME), PP.VALUE) < CURRENT_TIMESTAMP
                 THEN 1
                 -- 2: productive (user-set) password, but the account has been idle for longer than allowed
                 WHEN U.ADMIN_GIVEN_PASSWORD = 'FALSE'
                  AND PP.PROPERTY = 'maximum_unused_productive_password_lifetime'
                  AND ADD_DAYS(IFNULL(U.LAST_SUCCESSFUL_CONNECT, U.CREATE_TIME), PP.VALUE) < CURRENT_TIMESTAMP
                 THEN 2
                 ELSE 0
               END) AS LOCK_REASON
      FROM SYS.USERS U,
           SYS.M_PASSWORD_POLICY PP
     WHERE PP.PROPERTY IN ('maximum_unused_initial_password_lifetime',
                           'maximum_unused_productive_password_lifetime')
     GROUP BY USER_NAME
This would return 1 when the user account still has the initial password but the max. lifetime for initial passwords has passed.
It returns 2 if the password isn't the initial one anymore but the account hasn't been used for longer than <maximum_unused_productive_password_lifetime> days.
If none of the conditions apply, then a zero is returned.
As you can tell this query doesn't cover INVALID_CONNECT_ATTEMPTS - so you may work this in, too.
My view on this is that the USERS table contains rather static information on activation/deactivation, while the more dynamic aspects (password lifetime, invalid connection attempts, etc.) need to be evaluated dynamically.
And that makes sense as you could change the parameters and then the formerly "locked" users would be able to be used again.
- Lars
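As an added example (not part of Lars' post), the same query extended with the third reason he leaves open, failed logon attempts, so a monitoring job gets one row per user with the explicit LOCKED flag next to the dynamically derived reason. It assumes that SYS.M_PASSWORD_POLICY exposes a 'maximum_invalid_connect_attempts' parameter and that PP.VALUE is stored as a string, hence the TO_INTEGER casts; INVALID_CONNECT_ATTEMPTS and LOCKED are the SYS.USERS columns named in the post.

```sql
-- Added example, not the original post's query. Assumed: the password policy
-- parameter 'maximum_invalid_connect_attempts' and string-typed PP.VALUE.
SELECT U.USER_NAME,
       U.LOCKED,                        -- static, admin-set lock from SYS.USERS
       MAX(CASE
             -- 1: initial (admin-given) password, unused past its lifetime
             WHEN U.ADMIN_GIVEN_PASSWORD = 'TRUE'
              AND PP.PROPERTY = 'maximum_unused_initial_password_lifetime'
              AND ADD_DAYS(GREATEST(IFNULL(U.LAST_SUCCESSFUL_CONNECT, U.CREATE_TIME),
                                    U.PASSWORD_CHANGE_TIME),
                           TO_INTEGER(PP.VALUE)) < CURRENT_TIMESTAMP
             THEN 1
             -- 2: productive password, account idle past its lifetime
             WHEN U.ADMIN_GIVEN_PASSWORD = 'FALSE'
              AND PP.PROPERTY = 'maximum_unused_productive_password_lifetime'
              AND ADD_DAYS(IFNULL(U.LAST_SUCCESSFUL_CONNECT, U.CREATE_TIME),
                           TO_INTEGER(PP.VALUE)) < CURRENT_TIMESTAMP
             THEN 2
             -- 3: failed logons since the last success reached the policy limit
             WHEN PP.PROPERTY = 'maximum_invalid_connect_attempts'
              AND U.INVALID_CONNECT_ATTEMPTS >= TO_INTEGER(PP.VALUE)
             THEN 3
             ELSE 0
           END) AS LOCK_REASON          -- MAX() keeps the highest code if several apply
  FROM SYS.USERS U,
       SYS.M_PASSWORD_POLICY PP
 WHERE PP.PROPERTY IN ('maximum_unused_initial_password_lifetime',
                       'maximum_unused_productive_password_lifetime',
                       'maximum_invalid_connect_attempts')
 GROUP BY U.USER_NAME, U.LOCKED
 ORDER BY LOCK_REASON DESC, U.USER_NAME;
```

Because the reasons are evaluated against the live policy values, lowering or raising a parameter changes the result immediately, which is exactly the dynamic behaviour the post describes for the "locked" users.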