Document history, references, and glossary
Document history
Version | Release Date | Change description | Contact
References
• SAP HANA Developer Guide: Explains how to build applications using SAP HANA, including how to model data, how to write procedures, and how to build application logic in SAP HANA Extended Application Services, classic model.
• SAP HANA XSA Developer Guide: Explains how to build applications using SAP HANA, including how to model persistent and analytic data, how to write procedures, and how to build application logic in SAP HANA Extended Application Services, advanced model.
• SAP Web IDE for SAP HANA - Installation and Upgrade Guide: Provides the installation, post-installation, and upgrade instructions for SAP Web IDE for SAP HANA.
• SAP Web IDE for SAP HANA Installation Troubleshooting Guide: Aims to assist you with the troubleshooting of issues related to SAP Web IDE installation.
• Common errors and fix – XSA Web IDE for HANA developments
• SAP HANA Security Guide: Is the entry point for all information relating to the secure operation and configuration of SAP HANA.
• SAP HANA Security Checklist: Offers recommendations and information about optimizing your security configuration to help you run your SAP HANA securely.
Glossary
The following abbreviations are used throughout the document:
Acronym | Meaning
Preface
Dear reader,
thanks for being our customer! We love having people in our community like you and value
your partnership every single day.
We know that the best way to understand our products and how to improve them is to hear
from the people who use them every single day - people like you!
Since we are always curious, we want to know your experience. So, what did you think about
the guide?
Your comments and suggestions are the most useful to help us make this guide the best it
can be. Please feel free to contact us via askSAPHANA@sap.com and share any criticism or
praise you may have.
Thank you for reading our guide!
TABLE OF CONTENTS
Document history
References
Glossary
1. PROJECT INTRODUCTION
1.1 Guiding principles in designing the roles
1.2 Roles best practices
1.3 Prerequisites
2. PROJECT SETUP
2.1 Create a new MTA project
2.2 Create an HDB module for the project
2.3 Adjust the HDI namespace configuration
3. CREATE A UPS TO EQUIP HDI CONTAINER
3.1 Using a UPS with a procedure grantor
3.2 Bind the UPS to the HDB module
3.3 Create the .hdbgrants file
3.4 Grant privileges to #OO user
3.5 Using a UPS with a procedure grantor
4. CREATE DESIGN-TIME OBJECTS IN MDC
4.1 Synonyms
4.2 Roles
4.2.1. Granular roles
4.2.1.1. Z_GRANULAR_SELECT__SYS_STATISTICS
4.2.1.2. Z_GRANULAR_CONFIGURE__SYS_STATISTICS
4.2.2. Administration roles
4.2.2.1. Z_BASIS_ADMIN_BACKUP
4.2.2.2. Z_BASIS_BACKUP_OPERATOR
4.2.2.3. Z_BASIS_ADMIN_BASIC
4.2.2.4. Z_BASIS_ADMIN_DATA
4.2.2.5. Z_BASIS_MONITORING
4.2.2.6. Z_BASIS_ADMIN_PERSISTENCE
4.2.2.7. Z_BASIS_ADMIN_EXTENDED
4.2.3. Security roles
4.2.3.1. Z_SECURITY_AUDIT_READ
4.2.3.2. Z_SECURITY_ADMIN_AUDIT
4.2.3.3. Z_SECURITY_ADMIN_BASIC
4.2.3.4. Z_SECURITY_ADMIN_CERTIFICATES
4.2.3.5. Z_SECURITY_ADMIN_DISK_ENCRYPTION
4.2.3.6. Z_SECURITY_ADMIN_TROUBLESHOOTING
4.2.3.7. Z_SECURITY_ADMIN
4.2.3.8. Z_SECURITY_ADMIN_EXTENDED
4.2.4. Support role
4.2.5. User roles
4.2.5.1. Z_MANAGEMENT_CONTAINER_ROLE_ADMIN
4.2.5.2. Z_MANAGEMENT_USER_ADMIN
4.3 Procedures
5. CREATE DESIGN-TIME OBJECTS IN SYSTEMDB
1. PROJECT INTRODUCTION
The roles described in the following sections are considered templates; customers can use them as a base to create their own versions of the roles that cover their needs.
1.3 Prerequisites
Starting from SAP HANA 2.0 SPS 03 (rev. 34) and the latest XSA revision, it is possible to choose the location of the XSA platform data during installation. As of SAP HANA SPS05, XSA is installed in the default tenant database by default.
Consider that keeping XSA in the SYSTEMDB has its disadvantages: if you want to back up and restore XSA content, you always must back up the entire system (refer to SAP Note 2596466 #8).
It is recommended to do the initial setup at HDB level with the SYSTEM user, as this user already holds all the required privileges with GRANT/ADMIN option. Be aware that the SYSTEM user is not intended for day-to-day activities, especially in production environments. Therefore, once all bootstrapping is properly done, it is recommended to deactivate the SYSTEM user (refer to SAP Note 2493657).
If XSA has already been installed in an MDC and the rollout of the roles is also necessary in the SYSTEMDB, the following steps are necessary:
• Create the target HDI container on the SYSTEMDB,
• Create a technical deployer user with sufficient privileges on that HDI container,
• Create a UPS (in addition to the UPS granting the system privileges) with the credentials of the deployer user and the manually created HDI container as "schema", and
• Add this additional UPS to the mta.yaml file.
2. PROJECT SETUP
Provide a description and select a space where you want to run the MTA project as well.
In this step of the wizard, set only a preferred schema name and select the currently used HDB version.
Now go to the project settings (right-click on your project > Project > Project Settings > Space) and install the builder by selecting your space.
3. CREATE A UPS TO EQUIP HDI CONTAINER
The procedure grantor mechanism is supported as of version 3.4.1 of the @sap/hdi-deploy component in XSA.
Open the XS client and execute the following command in the XSA space where the project is running.
A new instance is visible in XSA if the creation was successful. Alternatively, the UPS can also be created there directly via the New Instance button.
Credentials:
{
  "schema": "SYS",
  "password": "Change_it_immidiately!2021",
  "procedure_schema": "SYSTEM",
  "procedure": "Z_GRANT",
  "type": "procedure",
  "user": "GRANTING_PROCEDURE_GRANTOR_USER",
  "tags": [
    "hana"
  ]
}
Table 1: Z_GRANTING_SERVICE
Now the mta.yaml file contains one module named "db-roles-db" of type "hdb", which reflects an HDI container. The HDB module is bound to two additional resources from the project:
• "db-roles-db-hdi-container" is for the HDI container that is created when we deploy the project. It has a configuration that sets the schema name of the HDI container to "DB_ROLES".
• "db-roles-db-privileges" is for the UPS named "Z_GRANTING_SERVICE" on the XSA space.
The privileges in the .hdbgrants file should be reviewed by the authorization team. Furthermore, note that once a privilege is removed from the .hdbgrants file, it is not revoked from #OO.
If the project already contains design-time roles, the deployment will fail throwing a (missing authorization)
error.
Since the schema name was configured as DB_ROLES, the HDI container should be named
DB_ROLES_1 and the object owner user (#OO) should be DB_ROLES_1#OO.
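The review-and-revoke step implied by the .hdbgrants caveat above, as an added example that is not part of the original guide: the object owner DB_ROLES_1#OO keeps everything it was ever granted, so its current grants are listed from the SYS.GRANTED_PRIVILEGES and SYS.GRANTED_ROLES views and anything no longer present in the .hdbgrants file is revoked by hand. The privileges LDAP ADMIN and DELETE on _SYS_XS.JOBS in the REVOKE statements are illustrative choices, not privileges the guide says to remove.

```sql
-- Added example, not part of the original guide: audit what the HDI object
-- owner currently holds and revoke a privilege that was dropped from the
-- .hdbgrants file. DB_ROLES_1#OO is the object owner named in this guide;
-- the two revoked privileges below are illustrative values only.

-- 1. Every privilege granted directly to the object owner, with its grantor.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE,
       IS_GRANTABLE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'DB_ROLES_1#OO'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;

-- 2. Roles granted to the object owner (the "roles" section of the .hdbgrants).
SELECT GRANTEE, ROLE_SCHEMA_NAME, ROLE_NAME, IS_GRANTABLE, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'DB_ROLES_1#OO';

-- 3. Anything listed above that is no longer in the .hdbgrants file has to be
--    revoked manually, as the user shown in the GRANTOR column (SAP HANA only
--    lets the grantor revoke what it granted). System privilege example:
REVOKE LDAP ADMIN FROM "DB_ROLES_1#OO";

--    Object privilege example (grant option is removed together with it):
REVOKE DELETE ON "_SYS_XS"."JOBS" FROM "DB_ROLES_1#OO";

-- 4. Re-run step 1 afterwards; the revoked rows must be gone.
SELECT COUNT(*) AS REMAINING
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'DB_ROLES_1#OO'
   AND PRIVILEGE IN ('LDAP ADMIN', 'DELETE')
   AND (OBJECT_TYPE = 'SYSTEMPRIVILEGE' OR OBJECT_NAME = 'JOBS');
```

Run steps 1 and 2 on every deployment as part of the authorization team's review; the diff against the committed .hdbgrants file is the list of manual revokes.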
4. CREATE DESIGN-TIME OBJECTS IN MDC
It is recommended to create a folder structure within the project to organize all the design-time objects, for example like the following one.
4.1 Synonyms
HDB synonyms are created using a synonym definition file (.hdbsynonym) and are needed to refer to external objects like tables, views, and procedures. Refer to "Using Synonyms in SAP HANA" and the SAP HANA SQL Reference Guide for SAP HANA Platform, CREATE SYNONYM statement (data definition), for further information.
For role development, synonyms are necessary to refer to objects in object privileges. The synonym declaration file contains the definitions of all synonyms that reference objects from the SYS and _SYS_SECURITY schemas. The following synonyms are defined:
4.2 Roles
The role templates were deliberately designed at a fine granularity. This granularity supports building a highly specialized team, and even where the roles do not perfectly fit a team's needs, it is easy to derive roles suitable for most circumstances. At the same time, most teams will not require the offered granularity. Therefore, composite roles are also provided, which in most cases work well together.
4.2.1.1. Z_GRANULAR_SELECT__SYS_STATISTICS
Table 3: Z_GRANULAR_SELECT__SYS_STATISTICS
4.2.1.2. Z_GRANULAR_CONFIGURE__SYS_STATISTICS
Table 4: Z_GRANULAR_CONFIGURE__SYS_STATISTICS
4.2.2.1. Z_BASIS_ADMIN_BACKUP
Privilege | What does it do?
BACKUP ADMIN | Authorizes BACKUP and RECOVERY statements for defining and initiating backup and recovery procedures. It also authorizes changing system configuration options with respect to backup and recovery.
SELECT, UPDATE, DELETE on z_schedules | Configure job schedules (backup and recovery).
Table 5: Z_BASIS_ADMIN_BACKUP
4.2.2.2. Z_BASIS_BACKUP_OPERATOR
This role is recommended for batch users only as this prevents backups from being deleted unintentionally.
Privilege | What does it do?
BACKUP OPERATOR | Create and cancel backups, check available space, and query views.
Table 6: Z_BASIS_BACKUP_OPERATOR
4.2.2.3. Z_BASIS_ADMIN_BASIC
Privilege | What does it do?
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
VERSION ADMIN | Authorizes the use of the ALTER SYSTEM RECLAIM VERSION SPACE statement of the multi-version concurrency control (MVCC) feature.
LICENSE ADMIN | Authorizes the use of the SET SYSTEM LICENSE statement to install a new license.
Table 7: Z_BASIS_ADMIN_BASIC
4.2.2.4. Z_BASIS_ADMIN_DATA
This role should only be used in test and development systems, in which developers might need to be able to create their own data objects for trial purposes.
Privilege | What does it do?
EXPORT | Export catalog objects to the DB server (csv/binary) or to the client machine.
IMPORT | Import catalog objects from the DB server (csv/binary) or from the client machine.
Table 8: Z_BASIS_ADMIN_DATA
4.2.2.5. Z_BASIS_MONITORING
Privilege | What does it do?
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
SELECT on z_heap | Read memory allocator statistics since the last reset.
Table 9: Z_BASIS_MONITORING
4.2.2.6. Z_BASIS_ADMIN_PERSISTENCE
Privilege | What does it do?
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
SAVEPOINT ADMIN | Authorizes the execution of a savepoint using the ALTER SYSTEM SAVEPOINT statement.
RESOURCE ADMIN | Authorizes statements concerning system resources (for example, the ALTER SYSTEM RECLAIM DATAVOLUME and ALTER SYSTEM RESET MONITORING VIEW statements). It also authorizes many of the statements available in the Management Console.
LOG ADMIN | Authorizes the use of the ALTER SYSTEM LOGGING [ON | OFF] statements to enable or disable the log flush mechanism.
Table 10: Z_BASIS_ADMIN_PERSISTENCE
4.2.2.7. Z_BASIS_ADMIN_EXTENDED
Privilege
Z_BASIS_ADMIN_BASIC
Z_BASIS_ADMIN_PERSISTENCE
Z_BASIS_ADMIN_BACKUP
Z_GRANULAR_CONFIGURE__SYS_STATISTICS
Table 11: Z_BASIS_ADMIN_EXTENDED
4.2.3.1. Z_SECURITY_AUDIT_READ
Privilege | What does it do?
AUDIT READ | Authorizes read-only access to the rows of the AUDIT_LOG, XSA_AUDIT_LOG, and ALL_AUDIT_LOG system views.
4.2.3.2. Z_SECURITY_ADMIN_AUDIT
Privilege | What does it do?
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
AUDIT ADMIN | Controls the execution of the following auditing-related statements: CREATE AUDIT POLICY, DROP AUDIT POLICY, and ALTER AUDIT POLICY, as well as changes to the auditing configuration. It also allows access to the AUDIT_LOG system view.
Table 13: Z_SECURITY_ADMIN_AUDIT
4.2.3.3. Z_SECURITY_ADMIN_BASIC
Privilege | What does it do?
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
4.2.3.4. Z_SECURITY_ADMIN_CERTIFICATES
Privilege | What does it do?
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
SSL ADMIN | Authorizes the use of the SET...PURPOSE SSL statement. It also allows access to the PSES system view.
TRUST ADMIN | Authorizes the use of statements to update the trust store.
CERTIFICATE ADMIN | Authorizes the changing of certificates and certificate collections that are stored in the database.
Table 15: Z_SECURITY_ADMIN_CERTIFICATES
4.2.3.5. Z_SECURITY_ADMIN_DISK_ENCRYPTION
Privilege | What does it do?
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
RESOURCE ADMIN | Authorizes statements concerning system resources (for example, the ALTER SYSTEM RECLAIM DATAVOLUME and ALTER SYSTEM RESET MONITORING VIEW statements). It also authorizes many of the statements available in the Management Console.
ENCRYPTION ROOT KEY ADMIN | Authorizes all statements related to management of root keys. Allows access to the system views pertaining to encryption (for example, ENCRYPTION_ROOT_KEYS, M_ENCRYPTION_OVERVIEW, M_PERSISTENCE_ENCRYPTION_STATUS, M_PERSISTENCE_ENCRYPTION_KEYS, and so on).
Table 16: Z_SECURITY_ADMIN_DISK_ENCRYPTION
4.2.3.6. Z_SECURITY_ADMIN_TROUBLESHOOTING
Privilege | What does it do?
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
TRACE ADMIN | Authorizes the use of the ALTER SYSTEM...TRACES statements for operations on database trace files and authorizes changing trace system settings.
Table 17: Z_SECURITY_ADMIN_TROUBLESHOOTING
4.2.3.7. Z_SECURITY_ADMIN
Privilege
Z_SECURITY_ADMIN_BASIC
Z_SECURITY_ADMIN_TROUBLESHOOTING
Table 18: Z_SECURITY_ADMIN
4.2.3.8. Z_SECURITY_ADMIN_EXTENDED
Privilege
Z_SECURITY_ADMIN
Z_SECURITY_ADMIN_AUDIT
Table 19: Z_SECURITY_ADMIN_EXTENDED
4.2.4. Support role
Privilege | What does it do?
Z_BASIS_MONITORING | Included role (see 4.2.2.5).
TRACE ADMIN | Authorizes the use of the ALTER SYSTEM...TRACES statements for operations on database trace files and authorizes changing trace system settings.
Table 20: Z_SUPPORT_ADMIN_TRACE
4.2.5.1. Z_MANAGEMENT_CONTAINER_ROLE_ADMIN
Privilege | What does it do?
EXECUTE on Z_GRANT_ROLE_TO_USER | Grant to a database user any HDI role created within the same HDI schema.
EXECUTE on Z_REVOKE_ROLE_TO_USER | Revoke from a database user any HDI role created within the same HDI schema.
Table 21: Z_MANAGEMENT_CONTAINER_ROLE_ADMIN
4.2.5.2. Z_MANAGEMENT_USER_ADMIN
Privilege | What does it do?
USER ADMIN | Authorizes the creation and modification of users using the CREATE USER, ALTER USER, and DROP USER commands.
Table 22: Z_MANAGEMENT_USER_ADMIN
4.3 Procedures
These procedures can be used to grant to, or revoke from, a database user any HDI role created within the same HDI schema. Each procedure accepts two parameters:
• role name and
• grantee.
Within the procedure the following conditions are checked, and an error is thrown if they are violated:
• Grantee must exist (error code 11001),
• Grantee must be different from grantor (error code 11002) and
• Role must exist (error code 11003).
“java.sql.SQLWarning: Not recommended feature: DDL statement is used in Dynamic SQL (current dynamic_sql_ddl_error_level = 1)”.
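The grant procedure described above, as an added example that is not part of the original guide: a SQLScript implementation of Z_GRANT_ROLE_TO_USER as an .hdbprocedure in the same HDI container, using the z_users, z_roles and z_dummy synonyms from Z_SYS.hdbsynonym. The error codes 11001 to 11003 are the ones listed above; the parameter types, the use of SESSION_USER as the grantor and the message texts are assumptions. The revoke counterpart differs only in its final statement (REVOKE ... FROM). The dynamic GRANT at the end is what triggers the SQLWarning about DDL in dynamic SQL quoted above.

```sql
-- Added example (not from the original guide): Z_GRANT_ROLE_TO_USER.hdbprocedure
-- Grants a schema-local HDI role of this container to a database user after the
-- three checks described in section 4.3. Assumes the synonyms "z_users",
-- "z_roles" and "z_dummy" from Z_SYS.hdbsynonym are deployed in the same container.
PROCEDURE "Z_GRANT_ROLE_TO_USER"(
    IN ROLE_NAME NVARCHAR(256),
    IN GRANTEE   NVARCHAR(256)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
BEGIN
    DECLARE USER_COUNT       INTEGER;
    DECLARE ROLE_COUNT       INTEGER;
    DECLARE CALLER           NVARCHAR(256);
    DECLARE CONTAINER_SCHEMA NVARCHAR(256);

    -- Who is calling (SESSION_USER; in DEFINER mode CURRENT_USER would be the
    -- procedure owner #OO) and which schema this container owns.
    SELECT SESSION_USER, CURRENT_SCHEMA
      INTO CALLER, CONTAINER_SCHEMA
      FROM "z_dummy";

    -- Check 1: the grantee must exist (error code 11001).
    SELECT COUNT(*) INTO USER_COUNT
      FROM "z_users"
     WHERE USER_NAME = :GRANTEE;
    IF :USER_COUNT = 0 THEN
        SIGNAL SQL_ERROR_CODE 11001
            SET MESSAGE_TEXT = 'grantee does not exist: ' || :GRANTEE;
    END IF;

    -- Check 2: nobody may grant a role to themselves (error code 11002).
    IF :GRANTEE = :CALLER THEN
        SIGNAL SQL_ERROR_CODE 11002
            SET MESSAGE_TEXT = 'grantee must be different from grantor';
    END IF;

    -- Check 3: the role must be a schema-local role of this container (11003).
    SELECT COUNT(*) INTO ROLE_COUNT
      FROM "z_roles"
     WHERE ROLE_NAME = :ROLE_NAME
       AND ROLE_SCHEMA_NAME = :CONTAINER_SCHEMA;
    IF :ROLE_COUNT = 0 THEN
        SIGNAL SQL_ERROR_CODE 11003
            SET MESSAGE_TEXT = 'role does not exist in schema '
                               || :CONTAINER_SCHEMA || ': ' || :ROLE_NAME;
    END IF;

    -- All checks passed: grant the schema-local role. Identifiers are escaped
    -- and double-quoted so that a crafted role or user name cannot break out of
    -- the statement; this dynamic DDL is what raises the SQLWarning quoted above.
    EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(:CONTAINER_SCHEMA) || '"."'
              || ESCAPE_DOUBLE_QUOTES(:ROLE_NAME) || '"'
      || ' TO "' || ESCAPE_DOUBLE_QUOTES(:GRANTEE) || '"';
END
```

Because the role lookup is restricted to the container's own schema, the procedure cannot be used to hand out global roles or roles of another container, which is the boundary Z_MANAGEMENT_CONTAINER_ROLE_ADMIN is meant to enforce.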
5. CREATE DESIGN-TIME OBJECTS IN SYSTEMDB
The user HDI_ADMIN is responsible for configuring general HDI parameters, creating and dropping HDI container groups, moving HDI containers between groups, and managing the privileges of HDI container-group administrators.
The method used grants the largest possible set of privileges for a user of this type. The set can be reduced by explicitly specifying the desired privileges instead of using _SYS_DI.T_DEFAULT_DI_ADMIN_PRIVILEGES.
Next, create an HDI container group SDB as HDI administrator HDI_ADMIN.
CALL _SYS_DI.CREATE_CONTAINER_GROUP('SDB', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
SELECT * FROM _SYS_DI.M_ALL_CONTAINER_GROUPS WHERE CONTAINER_GROUP_NAME = 'SDB';
The HDI container group SDB is used for administrating a set of HDI containers.
Then grant the container-group administrator privileges of SDB to HDI_ADMIN as HDI_ADMIN.
CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;
INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME)
  SELECT 'HDI_ADMIN', PRIVILEGE_NAME, OBJECT_NAME FROM _SYS_DI.T_DEFAULT_CONTAINER_GROUP_ADMIN_PRIVILEGES;
CALL _SYS_DI.GRANT_CONTAINER_GROUP_API_PRIVILEGES('SDB', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #PRIVILEGES;
Create the container SDB_ROLES in the container group SDB and maintain the set of plug-in libraries.
Grant as HDI_ADMIN the development API of the container SDB to the user SDB_ROLES_DEPLOY_USER,
who will be the grantor user for the UPS of the container SDB_ROLES.
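The container creation and development-API grant that the text describes but does not show, and the "technical deployer user" step from the prerequisites list in section 1.3, as one added example that is not the guide's own code. The container-group API of group SDB is addressed through its schema _SYS_DI#SDB; the names SDB, SDB_ROLES and SDB_ROLES_DEPLOY_USER come from this guide, while the password value, the CONFIGURE_LIBRARIES call with the default library set, and the exact privilege table are assumptions to be checked against the HDI Administrator Guide for your revision.

```sql
-- Added example, not part of the original guide: create the container SDB_ROLES
-- in group SDB and expose its development API to exactly one technical user.

-- 1. Technical deployer user (run as a user holding USER ADMIN, e.g. SYSTEM
--    during bootstrapping). The password is a placeholder; replace it.
CREATE USER SDB_ROLES_DEPLOY_USER PASSWORD "Change_it_immidiately!2021"
       NO FORCE_FIRST_PASSWORD_CHANGE;
-- Technical users are not interactive: exclude them from password expiry.
ALTER USER SDB_ROLES_DEPLOY_USER DISABLE PASSWORD LIFETIME;

-- 2. Create the container inside the group (run as HDI_ADMIN, who holds the
--    container-group admin API of SDB after the grant shown above).
CALL _SYS_DI#SDB.CREATE_CONTAINER('SDB_ROLES', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

-- 3. Pin the container to the default set of build plug-in libraries
--    (assumption: default set is sufficient for roles, synonyms and procedures).
CALL _SYS_DI#SDB.CONFIGURE_LIBRARIES('SDB_ROLES', _SYS_DI.T_DEFAULT_LIBRARIES,
                                     _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

-- 4. Grant the container development API to the deployer user only, following
--    the same temporary-table pattern the guide uses for HDI_ADMIN.
CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;
INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME)
  SELECT 'SDB_ROLES_DEPLOY_USER', PRIVILEGE_NAME, OBJECT_NAME
    FROM _SYS_DI.T_DEFAULT_CONTAINER_USER_PRIVILEGES;
CALL _SYS_DI#SDB.GRANT_CONTAINER_API_PRIVILEGES('SDB_ROLES', #PRIVILEGES,
                                                _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #PRIVILEGES;

-- 5. Verify the container exists and belongs to the intended group.
SELECT CONTAINER_NAME, CONTAINER_GROUP_NAME
  FROM _SYS_DI.M_ALL_CONTAINERS
 WHERE CONTAINER_NAME = 'SDB_ROLES';
```

The deployer user and its password are exactly what goes into the "hdi_user" / "hdi_password" fields of the container UPS created in the next step, so they should be generated and stored with the same care as the grantor user's credentials.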
As user SYSTEM, create a granting procedure (refer to the appendix) and a user as shown below.
Next, create a new space in XSA, add the relevant members, and enable it.
As a preparatory step, make yourself familiar with the SQL port of your SYSTEMDB.
Then create two new user-provided service instances in your new space as follows:
Credentials for the procedure-grantor UPS:
{
  "schema": "SYS",
  "password": "Change_it_immidiately!2021",
  "port": "30013",
  "procedure_schema": "SYSTEM",
  "host": "hostname",
  "procedure": "Z_SDB_GRANT",
  "type": "procedure",
  "user": "SDB_GRANTING_PROCEDURE_USER",
  "tags": [
    "hana"
  ]
}
Credentials for the UPS of the manually created HDI container:
{
  "schema": "SDB_ROLES",
  "hdi_password": "Change_it_immidiately!2021",
  "port": "30013",
  "host": "hostname",
  "hdi_user": "SDB_ROLES_DEPLOY_USER",
  "tags": [
    "hana"
  ]
}
Create a new multi-target application project as well as a new HDB module in SAP WEBIDE.
Open the mta.yaml file with the code editor and replace its content with the code from the appendix.
Next, install the builder and edit the hdinamespace as shown earlier.
Afterwards, copy the folders from the previous project as shown below.
Privilege | What does it do?
DATABASE START | Authorizes a user to start any database in the system and to select from the M_DATABASES view.
DATABASE STOP | Authorizes a user to stop any database in the system and to select from the M_DATABASES view.
Z_BASIS_ADMIN_MDC
Privilege | What does it do?
DATABASE ADMIN | Authorizes all statements related to tenant databases, such as CREATE, DROP, ALTER, RENAME, BACKUP, and RECOVERY.
Z_BASIS_MONITORING_MDC
Privilege | What does it do?
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
SELECT on z_sdb_heap | Read memory allocator statistics since the last reset.
Table 27: Z_BASIS_MONITORING_MDC
After the successful deployment you will see the new HDI schema and all the HDI roles in the HDB.
The system view EFFECTIVE_PRIVILEGES is useful for checking the privileges of a specific user. It includes all privileges granted to the user (both directly and indirectly through roles), as well as how each privilege was obtained (GRANTOR and GRANTOR_TYPE columns).
To avoid searching through the indexserver trace files to analyze insufficient-privilege errors, the procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS() is available, which quickly returns the details of the missing privileges.
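The verification described above, as an added example that is not part of the original guide: queries on SYS.EFFECTIVE_PRIVILEGES that separate what a user inherits through the template roles from what was granted directly, followed by the call that resolves an insufficient-privilege error. MONITORING_USER and the GUID are placeholders.

```sql
-- Added example, not part of the original guide: verify what a user really
-- holds after the HDI roles were granted. MONITORING_USER is a placeholder
-- user name; the GUID in the last call is a placeholder as well.

-- 1. Everything the user effectively holds, with the path each privilege took
--    (GRANTEE is the user or role that received it, GRANTOR is who granted it).
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR, GRANTOR_TYPE, OBJECT_TYPE,
       SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE, IS_VALID
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'MONITORING_USER'
 ORDER BY GRANTEE_TYPE, GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;

-- 2. Privileges that reach the user through roles: the expected case when the
--    template roles are used as intended.
SELECT GRANTEE AS VIA_ROLE, PRIVILEGE, SCHEMA_NAME, OBJECT_NAME
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'MONITORING_USER'
   AND GRANTEE_TYPE = 'ROLE';

-- 3. Privileges granted straight to the user, bypassing the templates. In a
--    system that relies on the role templates this list should be empty.
SELECT GRANTOR, PRIVILEGE, SCHEMA_NAME, OBJECT_NAME, IS_GRANTABLE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'MONITORING_USER'
   AND GRANTEE_TYPE = 'USER';

-- 4. Grants that were invalidated (for example because the grantor was dropped)
--    still show up with IS_VALID = 'FALSE' and explain "surprising" failures.
SELECT PRIVILEGE, SCHEMA_NAME, OBJECT_NAME, GRANTOR
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'MONITORING_USER'
   AND IS_VALID = 'FALSE';

-- 5. When a statement fails with "insufficient privilege", pass the GUID from
--    the error message instead of reading the indexserver trace.
CALL SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS('<guid from the error message>', ?);
```

Query 3 is the one worth wiring into a periodic check: a non-empty result means somebody granted around the templates, which is exactly the drift the role concept is designed to prevent.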
If you want an advanced error screen when building roles, modify the package.json as follows:
Now that you have the basics to create roles successfully, adjust them and/or create new ones, and feel free to share your feedback at askSAPHANA@sap.com.
APPENDIX
Appendix 1: mta.yaml
ID: db_roles
_schema-version: '2.0'
description: MDC role templates
version: 0.0.1
modules:
  - name: db-roles-db
    type: hdb
    path: db
    requires:
      - name: db-roles-db-hdi-container
        properties:
          TARGET_CONTAINER: ~{service-name}
      - name: db-roles-db-privileges
resources:
  - name: db-roles-db-hdi-container
    type: com.sap.xs.hdi-container
    properties:
      service-name: ${service-name}
    parameters:
      config:
        schema: DB_ROLES
  - name: db-roles-db-privileges
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: Z_GRANTING_SERVICE
Appendix 2: Z_GRANTING_SERVICE.hdbgrants
{
  "Z_GRANTING_SERVICE": {
    "object_owner": {
      "schema_privileges": [
        {
          "schema": "_SYS_STATISTICS",
          "privileges_with_grant_option": ["INSERT", "UPDATE", "DELETE", "EXECUTE"]
        }
      ],
      "roles": [
        {
          "roles_with_admin_option": [
            "MONITORING"
          ]
        }
      ],
      "object_privileges": [
        {
          "schema": "_SYS_SECURITY",
          "name": "_SYS_PASSWORD_BLACKLIST",
          "type": "TABLE",
          "privileges_with_grant_option": ["SELECT", "INSERT", "UPDATE", "DELETE"]
        },
        {
          "schema": "_SYS_XS",
          "name": "JOB_SCHEDULES",
          "type": "TABLE",
          "privileges_with_grant_option": ["SELECT", "UPDATE", "DELETE"]
        },
        {
          "schema": "_SYS_XS",
          "name": "JOBS",
          "type": "TABLE",
          "privileges_with_grant_option": ["SELECT", "UPDATE", "DELETE"]
        }
      ],
      "system_privileges": [
        {
          "privileges_with_admin_option": [
            "ADAPTER ADMIN",
            "AGENT ADMIN",
            "ALTER CLIENTSIDE ENCRYPTION KEYPAIR",
            "ATTACH DEBUGGER",
            "AUDIT ADMIN",
            "AUDIT OPERATOR",
            "AUDIT READ",
            "BACKUP ADMIN",
            "BACKUP ADMIN",
            "BACKUP OPERATOR",
            "CATALOG READ",
            "CERTIFICATE ADMIN",
            "CLIENT PARAMETER ADMIN",
            "CREATE CLIENTSIDE ENCRYPTION KEYPAIR",
            "CREATE R SCRIPT",
            "CREATE REMOTE SOURCE",
            "CREATE SCENARIO",
            "CREATE SCHEMA",
            "CREATE STRUCTURED PRIVILEGE",
            "CREDENTIAL ADMIN",
            "DATA ADMIN",
            "DROP CLIENTSIDE ENCRYPTION KEYPAIR",
            "ENCRYPTION ROOT KEY ADMIN",
            "EXPORT",
            "EXTENDED STORAGE ADMIN",
            "IMPORT",
            "INIFILE ADMIN",
            "LDAP ADMIN",
            "LICENSE ADMIN",
            "LOG ADMIN",
            "MONITOR ADMIN",
            "OPTIMIZER ADMIN",
            "RESOURCE ADMIN",
            "SAVEPOINT ADMIN",
            "SCENARIO ADMIN",
            "SERVICE ADMIN",
            "SESSION ADMIN",
            "SSL ADMIN",
            "STRUCTUREDPRIVILEGE ADMIN",
            "SYSTEM REPLICATION ADMIN",
            "TABLE ADMIN",
            "TRACE ADMIN",
            "TRUST ADMIN",
            "USER ADMIN",
            "VERSION ADMIN",
            "WORKLOAD ADMIN",
            "WORKLOAD ANALYZE ADMIN",
            "WORKLOAD CAPTURE ADMIN",
            "WORKLOAD REPLAY ADMIN"
          ]
        }
      ]
    }
  }
}
Appendix 4: Z_SYS.hdbsynonym
{
  "z_blacklist": {
    "target": {
      "object": "_SYS_PASSWORD_BLACKLIST",
      "schema": "_SYS_SECURITY"
    }
  },
  "z_users": {
    "target": {
      "object": "USERS",
      "schema": "SYS"
    }
  },
  "z_roles": {
    "target": {
      "object": "ROLES",
      "schema": "SYS"
    }
  },
  "z_services": {
    "target": {
      "object": "M_SERVICES",
      "schema": "SYS"
    }
  },
  "z_memory": {
    "target": {
      "object": "M_SERVICE_MEMORY",
      "schema": "SYS"
    }
  },
  "z_heap": {
    "target": {
      "object": "M_HEAP_MEMORY_RESET",
      "schema": "SYS"
    }
  },
  "z_statistics": {
    "target": {
      "object": "M_SERVICE_STATISTICS",
      "schema": "SYS"
    }
  },
  "z_dummy": {
    "target": {
      "object": "DUMMY",
      "schema": "SYS"
    }
  },
  "z_schedules": {
    "target": {
      "object": "JOB_SCHEDULES",
      "schema": "_SYS_XS"
    }
  },
  "z_jobs": {
    "target": {
      "object": "JOBS",
      "schema": "_SYS_XS"
    }
  }
}
Appendix 5: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbroleconfig
{
  "Z_GRANULAR_SELECT__SYS_STATISTICS": {
    "_SYS_STATISTICS_schema": {
      "schema": "_SYS_STATISTICS"
    }
  }
}
Appendix 6: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbrole
{
  "role": {
    "name": "Z_GRANULAR_SELECT__SYS_STATISTICS",
    "schema_privileges": [
      {
        "reference": "_SYS_STATISTICS_schema",
        "privileges": ["SELECT"]
      }
    ]
  }
}
Appendix 7: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbroleconfig
{
  "Z_GRANULAR_CONFIGURE__SYS_STATISTICS": {
    "_SYS_STATISTICS_schema": {
      "schema": "_SYS_STATISTICS"
    }
  }
}
Appendix 8: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbrole
{
  "role": {
    "name": "Z_GRANULAR_CONFIGURE__SYS_STATISTICS",
    "schema_privileges": [
      {
        "reference": "_SYS_STATISTICS_schema",
        "privileges": [
          "INSERT",
          "EXECUTE",
          "DELETE",
          "UPDATE"
        ]
      }
    ]
  }
}
Appendix 9: Z_BASIS_ADMIN_BACKUP.hdbrole
{
  "role": {
    "name": "Z_BASIS_ADMIN_BACKUP",
    "object_privileges": [
      {
        "name": "z_schedules",
        "type": "TABLE",
        "privileges": [
          "SELECT",
          "DELETE",
          "UPDATE"
        ]
      },
      {
        "name": "z_jobs",
        "type": "TABLE",
        "privileges": [
          "DELETE",
          "SELECT",
          "UPDATE"
        ]
      }
    ],
    "system_privileges": [
      "BACKUP ADMIN"
    ]
  }
}
"system_privileges": [
"CATALOG READ",
"SERVICE ADMIN",
"INIFILE ADMIN",
"TRACE ADMIN",
"SESSION ADMIN",
"VERSION ADMIN",
"LICENSE ADMIN"
]
}
}
"system_privileges": [
"CATALOG READ"
],
"schema_roles":[
{
"names": [
"Z_GRANULAR_SELECT__SYS_STATISTICS"
]
}
],
"object_privileges": [
{
"name": "z_services",
"type": "TABLE",
"privileges": ["SELECT"]
},
{
"name": "z_memory",
"type": "TABLE",
"privileges": ["SELECT"]
},
{
"name": "z_statistics",
"type": "TABLE",
"privileges": ["SELECT"]
},
{
"name": "z_heap",
"type": "TABLE",
"privileges": ["SELECT"]
}
]
}
}
"system_privileges": [
"USER ADMIN"
]
}
}
modules:
  - name: sdb
    type: hdb
    path: sdb
    requires:
      - name: hdi-HDI_ROLES
        properties:
          TARGET_CONTAINER: ~{service-name}
      - name: hdi-SDB_ROLES
resources:
  - name: hdi-HDI_ROLES
    type: org.cloudfoundry.existing-service
    properties:
      service-name: ${service-name}
    parameters:
      service-name: Z_HDI_GRANTING_SERVICE
  - name: hdi-SDB_ROLES
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: Z_SDB_GRANTING_SERVICE
"ADAPTER ADMIN",
"AGENT ADMIN",
"ALTER CLIENTSIDE ENCRYPTION KEYPAIR",
"ATTACH DEBUGGER",
"AUDIT ADMIN",
"AUDIT OPERATOR",
"AUDIT READ",
"BACKUP ADMIN",
"BACKUP ADMIN",
"BACKUP OPERATOR",
"CATALOG READ",
"CERTIFICATE ADMIN",
"CLIENT PARAMETER ADMIN",
"CREATE CLIENTSIDE ENCRYPTION KEYPAIR",
"CREATE R SCRIPT",
"CREATE REMOTE SOURCE",
"CREATE SCENARIO",
"CREATE SCHEMA",
"CREATE STRUCTURED PRIVILEGE",
"CREDENTIAL ADMIN",
"DATA ADMIN",
"DATABASE ADMIN",
"DATABASE START",
"DATABASE STOP",
"DROP CLIENTSIDE ENCRYPTION KEYPAIR",
"ENCRYPTION ROOT KEY ADMIN",
"EXPORT",
"EXTENDED STORAGE ADMIN",
"IMPORT",
"INIFILE ADMIN",
"LDAP ADMIN",
"LICENSE ADMIN",
"LOG ADMIN",
"MONITOR ADMIN",
"OPTIMIZER ADMIN",
"RESOURCE ADMIN",
"SAVEPOINT ADMIN",
"SCENARIO ADMIN",
"SERVICE ADMIN",
"SESSION ADMIN",
"SSL ADMIN",
"STRUCTUREDPRIVILEGE ADMIN",
"SYSTEM REPLICATION ADMIN",
"TABLE ADMIN",
"TRACE ADMIN",
"TRUST ADMIN",
"USER ADMIN",
"VERSION ADMIN",
"WORKLOAD ADMIN",
"WORKLOAD ANALYZE ADMIN",
"WORKLOAD CAPTURE ADMIN",
"WORKLOAD REPLAY ADMIN"
]
}
]
}
}
}
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_PRIVILEGE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| ' ON SCHEMA "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSE
SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for PRIVILEGE_TYPE: '
|| PRIVILEGE.PRIVILEGE_TYPE;
END IF;
END FOR;
END;
},
"z_sdb_heap": {
"target": {
"object": "M_HEAP_MEMORY_RESET",
"schema": "SYS_DATABASES"
}
},
"z_sdb_statistics": {
"target": {
"object": "M_SERVICE_STATISTICS",
"schema": "SYS_DATABASES"
}
},
"z_dummy": {
"target": {
"object": "DUMMY",
"schema": "SYS"
}
},
"z_schedules": {
"target": {
"object": "JOB_SCHEDULES",
"schema": "_SYS_XS"
}
},
"z_jobs": {
"target": {
"object": "JOBS",
"schema": "_SYS_XS"
}
}
}
www.sap.com/contactsap
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/trademark for additional trademark information and notices.