
PUBLIC

Developing roles in SAP HANA – Example project


Document version 1.2 2021-07

Document history, references, and glossary

Document history
Version | Release date | Change description | Contact
1.0 | April 2018 | Document creation | askSAPHANA@sap.com
1.1 | November 2018 | Minor updates: latest recommendations, rewording of some paragraphs, footnotes, and correction of typos.
1.2 | July 2021 | Updates: split, code fixes, improvements as well as news, recommendations, paragraphs, figures, correction of typos, links, and layout (design).

References
• SAP HANA Developer Guide: Explains how to build applications using SAP HANA, including how to model data, how to write procedures, and how to build application logic in SAP HANA Extended Application Services, classic model.
• SAP HANA XSA Developer Guide: Explains how to build applications using SAP HANA, including how to model persistent and analytic data, how to write procedures, and how to build application logic in SAP HANA Extended Application Services, advanced model.
• SAP Web IDE for SAP HANA - Installation and Upgrade Guide: Provides the installation, post-installation, and upgrade instructions for SAP Web IDE for SAP HANA.
• SAP Web IDE for SAP HANA Installation Troubleshooting Guide: Aims to assist you with the troubleshooting of issues related to SAP Web IDE installation.
• Common errors and fix – XSA Web IDE for HANA developments
• SAP HANA Administration with SAP HANA Cockpit
• SAP HANA Security Guide: Is the entry point for all information relating to the secure operation and configuration of SAP HANA.
• SAP HANA Security Checklist: Offers recommendations and information about optimizing your security configuration to help you run your SAP HANA securely.


Glossary
The following abbreviations are used throughout the document:

Acronym Meaning

HDB SAP HANA database

HDI SAP HANA deployment infrastructure

MDC Multi database container

MTA Multi target application

UPS User provided service

XSA SAP HANA extended application services, advanced model

Preface

Dear reader,
thanks for being our customer! We love having people in our community like you and value
your partnership every single day.
We know that the best way to understand our products and how to improve them is to hear
from the people who use them every single day - people like you!
Since we are always curious, we want to know your experience. So, what did you think about
the guide?
Your comments and suggestions are the most useful to help us make this guide the best it
can be. Please feel free to contact us via askSAPHANA@sap.com and share any criticism or
praise you may have.
Thank you for reading our guide!


TABLE OF CONTENTS
Document history ............................................................................................................................. 2
References ........................................................................................................................................ 2
Glossary............................................................................................................................................ 3
1. PROJECT INTRODUCTION ................................................................................................ 7
1.1 Guiding principles in designing the roles ........................................................................ 7
1.2 Roles best practices.......................................................................................................... 7
1.3 Prerequisites ..................................................................................................................... 8
2. PROJECT SETUP ............................................................................................................... 9
2.1 Create a new MTA project ................................................................................................. 9
2.2 Create an HDB module for the project ........................................................................... 10
2.3 Adjust the HDI namespace configuration ...................................................................... 11
3. CREATE A UPS TO EQUIP HDI CONTAINER .................................................................. 12
3.1 Using a UPS with a procedure grantor ........................................................................... 12
3.2 Bound the UPS to the HDB module ................................................................................ 13
3.3 Create the .hdbgrants file ............................................................................................... 13
3.4 Grant privileges to #OO user .......................................................................................... 14
3.5 Using a UPS with a procedure grantor ........................................................................... 14
4. CREATE DESIGN-TIME OBJECTS IN MDC...................................................................... 15
4.1 Synonyms ........................................................................................................................ 16
4.2 Roles ................................................................................................................................ 16
4.2.1. Granular roles.................................................................................................................. 16
4.2.1.1. Z_GRANULAR_SELECT__SYS_STATISTICS .............................................................. 17
4.2.1.2. Z_GRANULAR_CONFIGURE__SYS_STATISTICS....................................................... 17
4.2.2. Administration roles........................................................................................................ 17
4.2.2.1. Z_BASIS_ADMIN_BACKUP .......................................................................................... 17
4.2.2.2. Z_BASIS_BACKUP_OPERATOR.................................................................................. 17
4.2.2.3. Z_BASIS_ADMIN_BASIC.............................................................................................. 18
4.2.2.4. Z_BASIS_ADMIN_DATA ............................................................................................... 18
4.2.2.5. Z_BASIS_MONITORING............................................................................................... 19
4.2.2.6. Z_BASIS_ADMIN_PERSISTENCE................................................................................ 19
4.2.2.7. Z_BASIS_ADMIN_EXTENDED ..................................................................................... 19
4.2.3. Security roles .................................................................................................................. 20
4.2.3.1. Z_SECURITY_AUDIT_READ ........................................................................................ 20
4.2.3.2. Z_SECURITY_ADMIN_AUDIT ...................................................................................... 20
4.2.3.3. Z_SECURITY_ADMIN_BASIC ...................................................................................... 20
4.2.3.4. Z_SECURITY_ADMIN_CERTIFICATES........................................................................ 20
4.2.3.5. Z_SECURITY_ADMIN_DISK_ENCRYPTION ................................................................ 21
4.2.3.6. Z_SECURITY_ADMIN_TROUBLESHOOTING .............................................................. 21
4.2.3.7. Z_SECURITY_ADMIN................................................................................................... 21
4.2.3.8. Z_SECURITY_ADMIN_EXTENDED .............................................................................. 21
4.2.4. Support role..................................................................................................................... 22
4.2.5. User roles ........................................................................................................................ 22
4.2.5.1. Z_MANAGEMENT_CONTAINER_ROLE_ADMIN.......................................................... 22
4.2.5.2. Z_MANAGEMENT_USER_ADMIN ................................................................................ 22
4.3 Procedures ...................................................................................................................... 23
5. CREATE DESIGN-TIME OBJECTS IN SYSTEMDB .......................................................... 24


5.1 Preparation in the SYSTEMDB........................................................................................ 24


5.2 Extra synonyms for SYSTEMDB..................................................................................... 26
5.3 Administrating MDC through the SYSTEMDB ............................................................... 27
Z_BASIS_MDC_START_STOP ....................................................................................................... 27
Z_BASIS_ADMIN_MDC ................................................................................................................... 27
Z_BASIS_MONITORING_MDC........................................................................................................ 27
6. DEPLOYMENT AND TROUBLESHOOTING ..................................................................... 28
APPENDIX ........................................................................................................................................ 28
Appendix 1: mta.yaml..................................................................................................................... 28
Appendix 2: Z_GRANTING_SERVICE.hdbgrants .......................................................................... 29
Appendix 3: Using a UPS with a procedure grantor ..................................................................... 31
Appendix 3.1: SYSTEM.Z_GRANT ................................................................................................. 31
Appendix 3.2: GRANTING_PROCEDURE_GRANTOR_USER ....................................................... 32
Appendix 4: Z_SYS.hdbsynonym .................................................................................................. 33
Appendix 5: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbroleconfig ................................... 34
Appendix 6: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbrole.............................................. 34
Appendix 7: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbroleconfig ............................ 34
Appendix 8: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbrole ...................................... 34
Appendix 9: Z_BASIS_ADMIN_BACKUP.hdbrole ......................................................................... 35
Appendix 10: Z_BASIS_BACKUP_OPERATOR.hdbrole ............................................................... 35
Appendix 11: Z_BASIS_ADMIN_BASIC.hdbrole ........................................................................... 35
Appendix 12: Z_BASIS_ADMIN_DATA.hdbrole............................................................................. 36
Appendix 13: Z_BASIS_MONITORING.hdbrole ............................................................................. 36
Appendix 14: Z_BASIS_ADMIN_PERSISTENCE.hdbrole.............................................................. 36
Appendix 15: Z_BASIS_ADMIN_EXTENDED.hdbrole ................................................................... 37
Appendix 16: Z_SECURITY_AUDIT_READ.hdbrole ...................................................................... 37
Appendix 17: Z_SECURITY_ADMIN_AUDIT.hdbrole ..................................................................... 37
Appendix 18: Z_SECURITY_ADMIN_BASIC.hdbrole .................................................................... 37
Appendix 19: Z_SECURITY_ADMIN_CERTIFICATES.hdbrole ...................................................... 38
Appendix 20: Z_SECURITY_ADMIN_DISK_ENCRYPTION.hdbrole .............................................. 38
Appendix 21: Z_SECURITY_ADMIN_TROUBLESHOOTING.hdbrole ............................................ 38
Appendix 22: Z_SECURITY_ADMIN.hdbrole ................................................................................. 38
Appendix 23: Z_SECURITY_ADMIN_EXTENDED.hdbrole ............................................................ 39
Appendix 24: Z_SUPPORT_ADMIN_TRACE.hdbrole .................................................................... 39
Appendix 25: Z_MANAGEMENT_CONTAINER_ROLE_ADMIN.hdbrole ....................................... 39
Appendix 26: Z_MANAGEMENT_USER_ADMIN.hdbrole .............................................................. 39
Appendix 27: Z_GRANT_ROLE_TO_USER.hdbprocedure ........................................................... 40
Appendix 28: Z_REVOKE_ROLE_FROM_USER.hdbprocedure ................................................... 41
Appendix 29: mta.yaml (SYSTEMDB) ............................................................................................ 42
Appendix 30: Z_SDB_GRANTING_SERVICE.hdbgrants ............................................................... 42
Appendix 31: SYSTEM.Z_SDB_GRANT ......................................................................................... 44
Appendix 32: Z_SDB_SYS.hdbsynonym ....................................................................................... 45
Appendix 33: Z_BASIS_MDC_START_STOP.hdbrole ................................................................... 47
Appendix 34: Z_BASIS_ADMIN_MDC.hdbrole .............................................................................. 47
Appendix 35: Z_BASIS_MONITORING_MDC.hdbrole ................................................................... 47


1. PROJECT INTRODUCTION
The roles described in the following sections are considered templates. That is, customers can use them as a base to create their own version of the roles to cover their needs.

1.1 Guiding principles in designing the roles


When designing the roles described in this document, the following guiding principles were followed:
• strong security requirements,
• granular structure,
• user management is strictly separated from role assignment,
• strong control over granting of roles to users (e.g. only allow granting of end-user roles that have been designed by the security team and deployed into SAP HANA using the same HDI container),
• granting roles to roles at SAP HANA (catalog) level is not permitted; this must be done via HDI,
• only work actively with HDI roles,
• new roles are created only as HDI roles,
• only HDI roles may be granted to users and
• the “ROLE ADMIN” privilege is not granted to any role or user.
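As an added check (not part of the SAP document), the following catalog queries list deviations from the three principles that can be verified in the database catalog. They assume the standard columns of the SYS.GRANTED_PRIVILEGES and SYS.GRANTED_ROLES system views and that the caller holds CATALOG READ; every row returned is a deviation to review.

```sql
-- Added example, not from the SAP document. Read-only queries against the
-- SYS.GRANTED_PRIVILEGES and SYS.GRANTED_ROLES views (assumed standard columns).

-- Principle: "ROLE ADMIN" is not granted to any role or user.
-- Expected result on a compliant system: no rows.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE   = 'ROLE ADMIN';

-- Principle: roles are not granted to roles at SAP HANA level (only via HDI).
-- HDI roles are schema-local, so their ROLE_SCHEMA_NAME is the container
-- schema; a global catalog role (ROLE_SCHEMA_NAME IS NULL) granted to a role
-- was done outside HDI and is flagged for review.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE_TYPE = 'ROLE'
   AND ROLE_SCHEMA_NAME IS NULL;

-- Principle: only HDI roles may be granted to users.
-- Lists every global catalog role held by a user, except the implicit PUBLIC
-- role. SAP-delivered roles held by technical users show up here too and have
-- to be assessed case by case.
SELECT GRANTEE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE_TYPE = 'USER'
   AND ROLE_SCHEMA_NAME IS NULL
   AND ROLE_NAME <> 'PUBLIC'
 ORDER BY GRANTEE, ROLE_NAME;
```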

1.2 Roles best practices


For best performance of role operations (granting and revoking), keep the following basic rules in mind:
• Create roles with the smallest possible set of privileges for the smallest possible group of users who can share a role (principle of least privilege).
• Avoid granting object privileges at the schema level to a role if only a few objects in the schema are relevant for the intended users.
• Avoid creating and maintaining all roles as a single user. Use several role administrator users instead.


1.3 Prerequisites

Starting from SAP HANA 2.0 SPS 03 (rev. 34) and the latest XSA revision, it is possible to choose the location of the XSA platform data during installation. As of SAP HANA SPS05, XSA is installed in the default tenant database by default.

Consider that keeping XSA in the SYSTEMDB has its disadvantages: if you want to back up and restore XSA content, you always must back up the entire system (refer to SAP note 2596466 #8).

To implement the role templates, the following prerequisites are needed:


• Set up and prepare XSA and the SAP Web IDE application in the development system; refer to SAP Web IDE for SAP HANA - Installation and Upgrade Guide (post-installation administration tasks).
• Set up an XSA space for the role building scenario.
• Map the XSA space to the HDB where the roles will be deployed.
• Grant the following privileges to the developer user account in XSA:
o XSA space developer rights and
o SAP Web IDE development permissions.
• Credentials of the SYSTEM user.

It is recommended to do the initial setup at HDB level with the SYSTEM user as this user already holds all the required privileges with GRANT/ADMIN option. Be aware that the SYSTEM user is not intended for day-to-day activities, especially in production environments. Therefore, once all bootstrapping is properly done it is recommended to deactivate the SYSTEM user (refer to SAP note 2493657).

If XSA has already been installed in an MDC and the rollout of the roles is also necessary in the SYSTEMDB, then the following steps are necessary:
• Create the target HDI container on the SYSTEMDB,
• Create a technical deployer user with sufficient privileges on that HDI container,
• Create a UPS (in addition to the granting UPS for the system privileges) with the credentials of the deployer user and the manually created HDI container as "schema" and
• Add this additional UPS to the mta.yaml file.


2. PROJECT SETUP

2.1 Create a new MTA project


Create a new MTA project as shown below.

Provide a description and select a space where you want to run the MTA project as well.


2.2 Create an HDB module for the project


Create an HDB module for the project (right click on your project > new > SAP HANA database module) and set a module name.

In the next step of the wizard, set only a preferred schema name and select the currently used HDB version.

Now go to the project settings (right click on your project > project > project settings > space) and install the builder by selecting your space.


2.3 Adjust the HDI namespace configuration


The role templates do not use the namespace for the name of the objects at runtime. Thus, modify the HDI namespace configuration that is created by default when creating an HDB module. For this, adjust the .hdinamespace file as shown below.
The .hdinamespace file is hidden by default. Therefore, select the option “show hidden files” in the “view” menu.

Then change the value of "name" to “” and the value of "subfolder" to “ignore”.


3. CREATE A UPS TO EQUIP HDI CONTAINER


The next step is to create a UPS called Z_GRANTING_SERVICE. This service will be used during the deployment of the project to grant all the required privileges to the #OO user. The list of privileges granted to the #OO user needs to be defined in a .hdbgrants file.

3.1 Using a UPS with a procedure grantor

The procedure grantor mechanism is supported as of version 3.4.1 of the @sap/hdi-deploy component in XSA.

Open the XS client and execute the following command in the XSA space where the project is running (the password is a placeholder to be replaced):

xs ds Z_GRANTING_SERVICE -f && xs cups Z_GRANTING_SERVICE -p '{"user":"GRANTING_PROCEDURE_GRANTOR_USER","password":"Change_it_immidiately!2021","schema":"SYS","type":"procedure","procedure":"Z_GRANT","procedure_schema":"SYSTEM","tags":["hana"]}'

If the creation was successful, the new instance is visible in the XSA cockpit. Of course, the UPS can also be created directly there via the "new instance" button.

Instance name: Z_GRANTING_SERVICE

Credentials:
{
  "schema": "SYS",
  "password": "Change_it_immidiately!2021",
  "procedure_schema": "SYSTEM",
  "procedure": "Z_GRANT",
  "type": "procedure",
  "user": "GRANTING_PROCEDURE_GRANTOR_USER",
  "tags": [
    "hana"
  ]
}

Table 1: Z_GRANTING_SERVICE


3.2 Bound the UPS to the HDB module


Bind the UPS named Z_GRANTING_SERVICE to the HDB module by modifying the MTA development descriptor file (mta.yaml) of the project.
For this, open the mta.yaml file with the code editor and replace its content with the code from appendix 1.

Now the mta.yaml file contains one module named “db-roles-db” of type “hdb”, which reflects an HDI container. The HDB module is bound to two additional resources from the project:
• “db-roles-db-hdi-container” is for the HDI container that is created when we deploy the project. It has a configuration to set the schema name of the HDI container to “DB_ROLES”.
• “db-roles-db-privileges” is for the UPS named “Z_GRANTING_SERVICE” on the XSA space.

3.3 Create the .hdbgrants file


To assign privileges automatically to the object owner and/or the application binding users, the HDI deployer provides .hdbgrants files, which use a syntax similar to that of the .hdbrole artifact.
As a developer, use the .hdbgrants file to automatically grant privileges to the HDI container before the content is deployed.
For this, create the file Z_GRANTING_SERVICE.hdbgrants at the recommended path “/db_roles/db/cfg/grants/”.
Open Z_GRANTING_SERVICE.hdbgrants with the code editor and copy the code from appendix 2.
Now the Z_GRANTING_SERVICE.hdbgrants file specifies that the UPS named “Z_GRANTING_SERVICE” should be used to grant the specified privileges to the #OO user.

The privileges in the .hdbgrants file should be reviewed by the authorization team. Furthermore, note that once a privilege is removed from the .hdbgrants file, it is not revoked from #OO.


3.4 Grant privileges to #OO user


The #OO user is created for the first time when the project is built and the HDI container is created in the HDB. Thus, we need to build the folder “db” at least once to create the #OO user.

If the project already contains design-time roles, the deployment will fail with a missing authorization error.

Since the schema name was configured as DB_ROLES, the HDI container should be named DB_ROLES_1 and the object owner user (#OO) should be DB_ROLES_1#OO.

3.5 Using a UPS with a procedure grantor


Create the HDB procedure named Z_GRANT, which will be used by the UPS.
For this, execute the scripts from appendix 3 as user SYSTEM.


4. CREATE DESIGN-TIME OBJECTS IN MDC


This section contains the description and the definitions of all the design-time objects needed for the deployment and management of the template roles in the HDB. These objects are:
• synonyms,
• procedures and
• roles.

It is recommended to create a folder structure within the project to organize all the design-time objects, e.g. like the following one.


4.1 Synonyms
HDB synonyms are created using a synonym definition file (.hdbsynonym) and are needed to refer to external objects like tables, views, and procedures. Refer to "Using synonyms in SAP HANA" and the SAP HANA SQL Reference Guide for SAP HANA Platform - CREATE SYNONYM statement (data definition) for further information.
For role development, synonyms are necessary to refer to object privileges. The synonym declaration contains all the definitions of the synonyms that reference objects from the SYS and _SYS_SECURITY schemas. The following synonyms are defined:

Synonym | Object | Schema name
z_blacklist | _SYS_PASSWORD_BLACKLIST | _SYS_SECURITY
z_users | USERS | SYS
z_roles | ROLES | SYS
z_dummy | DUMMY | SYS
z_services | M_SERVICES | SYS
z_memory | M_SERVICES_MEMORY | SYS
z_statistics | M_SERVICES_STATISTICS | SYS
z_heap | M_HEAP_MEMORY_RESET | SYS

Table 2: Synonyms

4.2 Roles
The role templates were purposely designed at a fine level of detail. The high granularity supports the creation of a highly specialized team, and even if the roles do not perfectly fit the needs of a team, it is easy to derive roles suitable for most circumstances. At the same time, most teams will not require the offered granularity. Therefore, composite roles are also provided, which in most cases will work effectively together.

4.2.1. Granular roles


The following granular roles are created to group privileges needed in multiple end-user roles and to simplify maintenance. Granular roles are not designed to be granted to end-users but to be included in end-user roles. Refer to the appendix for the sample code of the following roles.


4.2.1.1. Z_GRANULAR_SELECT__SYS_STATISTICS

Privilege / What does it do?

SELECT on _SYS_STATISTICS
    View alerts from the statistics server.

Table 3: Z_GRANULAR_SELECT__SYS_STATISTICS

4.2.1.2. Z_GRANULAR_CONFIGURE__SYS_STATISTICS

Privilege / What does it do?

INSERT, EXECUTE, DELETE, UPDATE on _SYS_STATISTICS
    Configure alerts.

Table 4: Z_GRANULAR_CONFIGURE__SYS_STATISTICS

4.2.2. Administration roles

4.2.2.1. Z_BASIS_ADMIN_BACKUP

Privilege / What does it do?

BACKUP ADMIN
    Authorizes BACKUP and RECOVERY statements for defining and initiating backup and recovery procedures. It also authorizes changing system configuration options with respect to backup and recovery.
SELECT, UPDATE, DELETE on z_schedules
    Configure job schedules (backup and recovery).
SELECT, UPDATE, DELETE on z_jobs
    Configure jobs (backup and recovery).

Table 5: Z_BASIS_ADMIN_BACKUP

4.2.2.2. Z_BASIS_BACKUP_OPERATOR

This role is recommended for batch users only, as this prevents backups from being deleted unintentionally.

Privilege / What does it do?

BACKUP OPERATOR
    Create and cancel backups, check available space, and query views.

Table 6: Z_BASIS_BACKUP_OPERATOR


4.2.2.3. Z_BASIS_ADMIN_BASIC

Privilege / What does it do?

Z_GRANULAR_SELECT__SYS_STATISTICS
    View alerts from the statistics server.
CATALOG READ
    Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
SERVICE ADMIN
    Authorizes the ALTER SYSTEM [START|CANCEL|RECONFIGURE] statements for administering system services of the database.
INIFILE ADMIN
    Authorizes making changes to system settings.
TRACE ADMIN
    Authorizes the use of the ALTER SYSTEM...TRACES statements for operations on database trace files and authorizes changing trace system settings.
SESSION ADMIN
    Authorizes the ALTER SYSTEM commands concerning sessions to stop or disconnect a user session or to change session variables.
VERSION ADMIN
    Authorizes the use of the ALTER SYSTEM RECLAIM VERSION SPACE statement of the multi-version concurrency control (MVCC) feature.
LICENSE ADMIN
    Authorizes the use of the SET SYSTEM LICENSE statement to install a new license.

Table 7: Z_BASIS_ADMIN_BASIC

4.2.2.4. Z_BASIS_ADMIN_DATA

This role should only be used in test and development systems, in which developers might need to be able to create their own data objects for trial purposes.

Privilege / What does it do?

CREATE SCHEMA
    Create new schemas directly in the database catalog.
EXPORT
    Export catalog objects to the DB server (csv/binary) or to the client machine.
IMPORT
    Import catalog objects from the DB server (csv/binary) or from the client machine.

Table 8: Z_BASIS_ADMIN_DATA


4.2.2.5. Z_BASIS_MONITORING

Privilege / What does it do?

Z_GRANULAR_SELECT__SYS_STATISTICS
    View alerts from the statistics server.
CATALOG READ
    Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
SELECT on z_services
    Read the status of all services.
SELECT on z_memory
    Read detailed information on memory utilization by services.
SELECT on z_statistics
    Read statistics on active services.
SELECT on z_heap
    Read memory allocator statistics since the last reset.

Table 9: Z_BASIS_MONITORING

4.2.2.6. Z_BASIS_ADMIN_PERSISTENCE

Privilege / What does it do?

CATALOG READ
    Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
SAVEPOINT ADMIN
    Authorizes the execution of a savepoint using the ALTER SYSTEM SAVEPOINT statement.
RESOURCE ADMIN
    Authorizes statements concerning system resources (for example, the ALTER SYSTEM RECLAIM DATAVOLUME and ALTER SYSTEM RESET MONITORING VIEW statements). It also authorizes many of the statements available in the Management Console.
LOG ADMIN
    Authorizes the use of the ALTER SYSTEM LOGGING [ON | OFF] statements to enable or disable the log flush mechanism.

Table 10: Z_BASIS_ADMIN_PERSISTENCE

4.2.2.7. Z_BASIS_ADMIN_EXTENDED

Included roles:
• Z_BASIS_ADMIN_BASIC
• Z_BASIS_ADMIN_PERSISTENCE
• Z_BASIS_ADMIN_BACKUP
• Z_GRANULAR_CONFIGURE__SYS_STATISTICS

Table 11: Z_BASIS_ADMIN_EXTENDED


4.2.3. Security roles

4.2.3.1. Z_SECURITY_AUDIT_READ

Privilege / What does it do?

AUDIT READ
    Authorizes read-only access to the rows of the AUDIT_LOG, XSA_AUDIT_LOG, and ALL_AUDIT_LOG system views.

Table 12: Z_SECURITY_AUDIT_READ

4.2.3.2. Z_SECURITY_ADMIN_AUDIT

Privilege / What does it do?

CATALOG READ
    Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
AUDIT ADMIN
    Controls the execution of the following auditing-related statements: CREATE AUDIT POLICY, DROP AUDIT POLICY, and ALTER AUDIT POLICY, as well as changes to the auditing configuration. It also allows access to the AUDIT_LOG system view.

Table 13: Z_SECURITY_ADMIN_AUDIT

4.2.3.3. Z_SECURITY_ADMIN_BASIC

Privilege / What does it do?

CATALOG READ
    Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
INIFILE ADMIN
    Authorizes making changes to system settings.
SELECT, INSERT, UPDATE and DELETE on _sys_security__sys_password_blacklist
    Modify the password blacklist.

Table 14: Z_SECURITY_ADMIN_BASIC

4.2.3.4. Z_SECURITY_ADMIN_CERTIFICATES

Privilege / What does it do?

CATALOG READ
    Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
SSL ADMIN
    Authorizes the use of the SET...PURPOSE SSL statement. It also allows access to the PSES system view.
TRUST ADMIN
    Authorizes the use of statements to update the trust store.
CERTIFICATE ADMIN
    Authorizes the changing of certificates and certificate collections that are stored in the database.

Table 15: Z_SECURITY_ADMIN_CERTIFICATES


4.2.3.5. Z_SECURITY_ADMIN_DISK_ENCRYPTION

Privilege / What does it do?

CATALOG READ
    Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
RESOURCE ADMIN
    Authorizes statements concerning system resources (for example, the ALTER SYSTEM RECLAIM DATAVOLUME and ALTER SYSTEM RESET MONITORING VIEW statements). It also authorizes many of the statements available in the Management Console.
ENCRYPTION ROOT KEY ADMIN
    Authorizes all statements related to management of root keys. Allows access to the system views pertaining to encryption (for example, ENCRYPTION_ROOT_KEYS, M_ENCRYPTION_OVERVIEW, M_PERSISTENCE_ENCRYPTION_STATUS, M_PERSISTENCE_ENCRYPTION_KEYS, and so on).

Table 16: Z_SECURITY_ADMIN_DISK_ENCRYPTION

4.2.3.6. Z_SECURITY_ADMIN_TROUBLESHOOTING

Privilege / What does it do?

CATALOG READ
    Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
TRACE ADMIN
    Authorizes the use of the ALTER SYSTEM...TRACES statements for operations on database trace files and authorizes changing trace system settings.

Table 17: Z_SECURITY_ADMIN_TROUBLESHOOTING

4.2.3.7. Z_SECURITY_ADMIN

Included roles:
• Z_SECURITY_ADMIN_BASIC
• Z_SECURITY_ADMIN_TROUBLESHOOTING

Table 18: Z_SECURITY_ADMIN

4.2.3.8. Z_SECURITY_ADMIN_EXTENDED

Included roles:
• Z_SECURITY_ADMIN
• Z_SECURITY_ADMIN_AUDIT

Table 19: Z_SECURITY_ADMIN_EXTENDED


4.2.4. Support role

Privilege What does it do?

Z_BASIS_MONITORING

TRACE ADMIN Authorizes the use of the ALTER SYSTEM...TRACES statements for operations
on database trace files and authorizes changing trace system settings.
Table 20: Z_SUPPORT_ADMIN_TRACE

4.2.5. User roles

4.2.5.1. Z_MANAGEMENT_CONTAINER_ROLE_ADMIN

Privilege                                What does it do?

EXECUTE Z_GRANT_ROLE_TO_USER             Grant to a database user any HDI role created within the same HDI schema.

EXECUTE Z_REVOKE_ROLE_FROM_USER          Revoke from a database user any HDI role created within the same HDI schema.
Table 21: Z_MANAGEMENT_CONTAINER_ROLE_ADMIN

4.2.5.2. Z_MANAGEMENT_USER_ADMIN

Privilege                    What does it do?

USER ADMIN                   Authorizes the creation and modification of users using the CREATE USER, ALTER USER, and DROP USER commands.
Table 22: Z_MANAGEMENT_USER_ADMIN


4.3 Procedures
The procedures Z_GRANT_ROLE_TO_USER and Z_REVOKE_ROLE_FROM_USER grant to, or revoke from, a database user any HDI role created within the same HDI schema. Each accepts two parameters:
• role name and
• grantee.

Within the procedure the following conditions are checked, and an error is thrown if one of them is violated:
• the grantee must exist (error code 11001),
• the grantee must be different from the grantor (error code 11002) and
• the role must exist (error code 11003).

The EXECUTE privilege on these procedures is included in role Z_MANAGEMENT_CONTAINER_ROLE_ADMIN (Table 21).

The following warning can be ignored:

“java.sql.SQLWarning: Not recommended feature: DDL statement is used in Dynamic SQL (current dynamic_sql_ddl_error_level = 1)”.

Invocation of the procedures:

CALL <HDI schema name>.Z_GRANT_ROLE_TO_USER ('<role name>','<username>');

CALL <HDI schema name>.Z_REVOKE_ROLE_FROM_USER ('<role name>','<username>');


5. CREATE DESIGN-TIME OBJECTS IN SYSTEMDB


If you feel the need to use roles in SYSTEMDB as well, proceed as follows.

5.1 Preparation in the SYSTEMDB


First of all, check whether the diserver is already running in the SYSTEMDB.
If not, execute the following command as user SYSTEM:
ALTER SYSTEM ALTER CONFIGURATION ('daemon.ini', 'HOST', '<HOSTNAME>') SET ('diserver', 'instances') = '1' WITH RECONFIGURE;

Create an HDI administrator with the name HDI_ADMIN as shown below.

CREATE USER HDI_ADMIN PASSWORD "Change_it_immidiately!2021" NO FORCE_FIRST_PASSWORD_CHANGE;
CREATE LOCAL TEMPORARY TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;
INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME) SELECT 'HDI_ADMIN', PRIVILEGE_NAME, OBJECT_NAME FROM _SYS_DI.T_DEFAULT_DI_ADMIN_PRIVILEGES;
CALL _SYS_DI.GRANT_CONTAINER_GROUP_API_PRIVILEGES('_SYS_DI', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #PRIVILEGES;

The user HDI_ADMIN is responsible for configuring general HDI parameters, creating and dropping HDI container groups, moving HDI containers between groups, and managing the privileges of HDI container-group administrators.
The method above grants the largest possible set of privileges for a user of this type. You can reduce the set by listing the desired privileges explicitly instead of selecting them from _SYS_DI.T_DEFAULT_DI_ADMIN_PRIVILEGES.
Next, create an HDI container group SDB as HDI administrator HDI_ADMIN.
CALL _SYS_DI.CREATE_CONTAINER_GROUP('SDB', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
SELECT * FROM _SYS_DI.M_ALL_CONTAINER_GROUPS WHERE CONTAINER_GROUP_NAME = 'SDB';

The HDI container group SDB is used for administering a set of HDI containers.
Then, as HDI_ADMIN, grant the container-group administrator privileges of SDB to HDI_ADMIN.
CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;
INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME) SELECT 'HDI_ADMIN', PRIVILEGE_NAME, OBJECT_NAME FROM _SYS_DI.T_DEFAULT_CONTAINER_GROUP_ADMIN_PRIVILEGES;
CALL _SYS_DI.GRANT_CONTAINER_GROUP_API_PRIVILEGES('SDB', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #PRIVILEGES;

Create the container SDB_ROLES in the container group SDB and maintain the set of plug-in libraries.

CALL _SYS_DI#SDB.CREATE_CONTAINER('SDB_ROLES', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);


CALL _SYS_DI#SDB.CONFIGURE_LIBRARIES('SDB_ROLES',_SYS_DI.T_DEFAULT_LIBRARIES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
SELECT * FROM "_SYS_DI#SDB"."M_CONTAINERS";

Create the technical user SDB_ROLES_DEPLOY_USER via user SYSTEM.

CREATE USER SDB_ROLES_DEPLOY_USER PASSWORD "Change_it_immidiately!2021" NO FORCE_FIRST_PASSWORD_CHANGE;


ALTER USER SDB_ROLES_DEPLOY_USER DISABLE PASSWORD LIFETIME;

As HDI_ADMIN, grant the development API of the container SDB_ROLES to the user SDB_ROLES_DEPLOY_USER, which will be the grantor user for the UPS of the container SDB_ROLES.

CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;
INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME) SELECT 'SDB_ROLES_DEPLOY_USER', PRIVILEGE_NAME, OBJECT_NAME FROM _SYS_DI.T_DEFAULT_CONTAINER_USER_PRIVILEGES;
CALL _SYS_DI#SDB.GRANT_CONTAINER_API_PRIVILEGES('SDB_ROLES', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #PRIVILEGES;


As user SYSTEM, create the granting procedure SYSTEM.Z_SDB_GRANT (see Appendix 31) and its user as shown below.

CREATE USER SDB_GRANTING_PROCEDURE_USER PASSWORD "Change_it_immidiately!2021" NO FORCE_FIRST_PASSWORD_CHANGE;


ALTER USER SDB_GRANTING_PROCEDURE_USER DISABLE PASSWORD LIFETIME;
GRANT EXECUTE ON SYSTEM.Z_SDB_GRANT TO SDB_GRANTING_PROCEDURE_USER;

Next, create a new space in XSA, add the relevant members, and enable it.
As a preparatory step, look up the SQL port of your SYSTEMDB (30013 in the example below).
Then add two new instances to the UPS of your new space with the following credentials:

Instance name: Z_SDB_GRANTING_SERVICE
Credentials:
{
  "schema": "SYS",
  "password": "Change_it_immidiately!2021",
  "port": "30013",
  "procedure_schema": "SYSTEM",
  "host": "hostname",
  "procedure": "Z_SDB_GRANT",
  "type": "procedure",
  "user": "SDB_GRANTING_PROCEDURE_USER",
  "tags": [
    "hana"
  ]
}

Instance name: Z_HDI_GRANTING_SERVICE
Credentials:
{
  "schema": "SDB_ROLES",
  "hdi_password": "Change_it_immidiately!2021",
  "port": "30013",
  "host": "hostname",
  "hdi_user": "SDB_ROLES_DEPLOY_USER",
  "tags": [
    "hana"
  ]
}

Table 23: Z_SDB_GRANTING_SERVICE

Create a new multi-target application project as well as a new HDB module in SAP Web IDE.


Open the mta.yaml file with the code editor and replace its content with the code from the appendix (Appendix 29).
Next, install the builder and edit the hdinamespace as shown earlier.
Afterwards, copy and paste the folders from the previous project as shown below.

5.2 Extra synonyms for SYSTEMDB


Synonym             Object                  Schema name

z_sdb_services      M_SERVICES              SYS_DATABASES

z_sdb_memory        M_SERVICE_MEMORY        SYS_DATABASES

z_sdb_statistics    M_SERVICE_STATISTICS    SYS_DATABASES

z_sdb_heap          M_HEAP_MEMORY_RESET     SYS_DATABASES

Table 24: Synonyms (SYSTEMDB)


5.3 Administrating MDC through the SYSTEMDB


Z_BASIS_MDC_START_STOP

Privilege                              What does it do?

DATABASE START                         Authorizes a user to start any database in the system and to select from the M_DATABASES view.

DATABASE STOP                          Authorizes a user to stop any database in the system and to select from the M_DATABASES view.

Table 25: Z_BASIS_MDC_START_STOP

Z_BASIS_ADMIN_MDC

Privilege                              What does it do?

DATABASE ADMIN                         Authorizes all statements related to tenant databases, such as CREATE, DROP, ALTER, RENAME, BACKUP, and RECOVERY.

Table 26: Z_BASIS_ADMIN_MDC

Z_BASIS_MONITORING_MDC

Privilege                              What does it do?

Z_GRANULAR_SELECT__SYS_STATISTICS      Schema role granting read-only access to schema _SYS_STATISTICS.

CATALOG READ                           Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.

SELECT z_sdb_services                  Read the status of all services.

SELECT z_sdb_memory                    Read detailed information on memory utilization by services.

SELECT z_sdb_statistics                Read statistics on active services.

SELECT z_sdb_heap                      Read memory allocator statistics since the last reset.
Table 27: Z_BASIS_MONITORING_MDC
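The role tables in sections 4.2 and 5.3 are built from the .hdbrole files in the appendix, and every system privilege such a role contains must be held WITH ADMIN OPTION by the object owner of the HDI container; that is what the privileges_with_admin_option list in the .hdbgrants files (Appendix 2 and Appendix 30) provides. The following Python script is an added example, not code from the SAP example project: it flattens the nested schema_roles of the appendix role files into the effective privileges a composite role conveys, and reports which system privileges the grantor would lack. The role definitions are copied from Appendix 16 to 23 and Appendix 33; the admin-option sets are shortened to the entries these roles need; the function names are the example's own.

```python
"""Pre-deployment review of HDI role templates (added example, not SAP's code).

Flattens .hdbrole files (schema_roles nesting) into effective privileges and
checks them against the grantor's privileges_with_admin_option from .hdbgrants.
"""
import json

# .hdbrole contents copied from the appendix (indentation collapsed, content unchanged).
HDBROLE_FILES = [
    '{"role":{"name":"Z_SECURITY_ADMIN_BASIC","system_privileges":["CATALOG READ","INIFILE ADMIN"],'
    '"object_privileges":[{"name":"z_blacklist","type":"TABLE",'
    '"privileges":["SELECT","INSERT","UPDATE","DELETE"]}]}}',
    '{"role":{"name":"Z_SECURITY_ADMIN_TROUBLESHOOTING","system_privileges":["CATALOG READ","TRACE ADMIN"]}}',
    '{"role":{"name":"Z_SECURITY_ADMIN_AUDIT","system_privileges":["CATALOG READ","AUDIT ADMIN"]}}',
    '{"role":{"name":"Z_SECURITY_ADMIN","schema_roles":[{"names":'
    '["Z_SECURITY_ADMIN_BASIC","Z_SECURITY_ADMIN_TROUBLESHOOTING"]}]}}',
    '{"role":{"name":"Z_SECURITY_ADMIN_EXTENDED","schema_roles":[{"names":'
    '["Z_SECURITY_ADMIN","Z_SECURITY_ADMIN_AUDIT"]}]}}',
    '{"role":{"name":"Z_BASIS_MDC_START_STOP","system_privileges":["DATABASE START","DATABASE STOP"]}}',
]

# privileges_with_admin_option of Z_GRANTING_SERVICE.hdbgrants (Appendix 2), shortened
# to the entries the roles above use. Z_SDB_GRANTING_SERVICE.hdbgrants (Appendix 30)
# is the same list plus the three DATABASE privileges.
MDC_ADMIN_OPTION = {"AUDIT ADMIN", "CATALOG READ", "INIFILE ADMIN", "TRACE ADMIN"}
SDB_ADMIN_OPTION = MDC_ADMIN_OPTION | {"DATABASE ADMIN", "DATABASE START", "DATABASE STOP"}


def load_roles(files):
    """Parse .hdbrole file contents into a dict keyed by role name."""
    roles = {}
    for text in files:
        role = json.loads(text)["role"]
        roles[role["name"]] = role
    return roles


def flatten(role_name, roles, _stack=()):
    """Return (system_privileges, object_privileges) the role conveys, including
    everything inherited through nested schema_roles. Object privileges are
    (object name, object type, privilege) tuples. Cycles raise ValueError."""
    if role_name in _stack:
        raise ValueError("cyclic role nesting: " + " -> ".join(_stack + (role_name,)))
    if role_name not in roles:
        raise KeyError("role referenced but not defined: " + role_name)
    role = roles[role_name]
    system = set(role.get("system_privileges", []))
    objects = {
        (obj["name"], obj["type"], priv)
        for obj in role.get("object_privileges", [])
        for priv in obj["privileges"]
    }
    for group in role.get("schema_roles", []):
        for nested in group["names"]:
            nested_system, nested_objects = flatten(nested, roles, _stack + (role_name,))
            system |= nested_system
            objects |= nested_objects
    return system, objects


def missing_admin_option(role_name, roles, admin_option):
    """System privileges the role needs that the container's object owner does
    not hold WITH ADMIN OPTION according to the .hdbgrants file."""
    system, _ = flatten(role_name, roles)
    return system - admin_option


def review(files, admin_option):
    """Map every role in the project to the sorted list of privileges the grantor lacks."""
    roles = load_roles(files)
    return {name: sorted(missing_admin_option(name, roles, admin_option)) for name in roles}


if __name__ == "__main__":
    roles = load_roles(HDBROLE_FILES)
    system, objects = flatten("Z_SECURITY_ADMIN_EXTENDED", roles)
    print("Z_SECURITY_ADMIN_EXTENDED conveys", sorted(system), "and", sorted(objects))
    for label, grants in (("MDC", MDC_ADMIN_OPTION), ("SYSTEMDB", SDB_ADMIN_OPTION)):
        gaps = {name: miss for name, miss in review(HDBROLE_FILES, grants).items() if miss}
        print(label, "grantor gaps:", gaps or "none")
```

Run it before clicking build: a non-empty result for a role means either the .hdbgrants file must be extended (compare Appendix 2 with Appendix 30, which adds the DATABASE privileges for the SYSTEMDB) or the role trimmed. The cycle check guards the resolver against a role that includes itself through schema_roles, and the flattened output is also a convenient way to review what a composite role such as Z_SECURITY_ADMIN_EXTENDED actually hands out.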


6. DEPLOYMENT AND TROUBLESHOOTING


To deploy the project, click on the “build” option from the context menu of the HDB module folder.

After the successful deployment you will see the new HDI schema and all the HDI roles in the HDB:

SELECT * FROM "SYS"."ROLES" WHERE ROLE_SCHEMA_NAME = '<HDI schema name>';

The system view EFFECTIVE_PRIVILEGES is useful for checking the privileges of a specific user. It lists all privileges granted to that user, both directly and indirectly through roles, together with how each privilege was obtained (columns GRANTOR and GRANTOR_TYPE).
To avoid searching through the indexserver trace files when analyzing insufficient-privilege errors, the procedure GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS() returns the details of the missing privileges for the GUID reported in the error message:

CALL SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS ('<GUID>', ?);

If you want an advanced error screen when building roles, modify the package.json as follows:

Now that you have the basics to create roles successfully, adjust them or create new ones, and feel free to share your feedback at askSAPHANA@sap.com.

APPENDIX

Appendix 1: mta.yaml
ID: db_roles
_schema-version: '2.0'
description: MDC role templates
version: 0.0.1

modules:
  - name: db-roles-db
    type: hdb
    path: db
    requires:
      - name: db-roles-db-hdi-container
        properties:
          TARGET_CONTAINER: ~{service-name}
      - name: db-roles-db-privileges

resources:
  - name: db-roles-db-hdi-container
    type: com.sap.xs.hdi-container
    properties:
      service-name: ${service-name}
    parameters:
      config:
        schema: DB_ROLES

  - name: db-roles-db-privileges
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: Z_GRANTING_SERVICE

Appendix 2: Z_GRANTING_SERVICE.hdbgrants
{
"Z_GRANTING_SERVICE": {
"object_owner": {
"schema_privileges": [
{
"schema": "_SYS_STATISTICS",
"privileges_with_grant_option": ["INSERT", "UPDATE", "DELETE",
"EXECUTE"]
}
],
"roles": [
{
"roles_with_admin_option": [
"MONITORING"
]
}
],
"object_privileges": [
{
"schema": "_SYS_SECURITY",
"name": "_SYS_PASSWORD_BLACKLIST",
"type": "TABLE",
"privileges_with_grant_option": ["SELECT", "INSERT", "UPDATE",
"DELETE"]
},
{
"schema": "_SYS_XS",
"name": "JOB_SCHEDULES",
"type": "TABLE",
"privileges_with_grant_option": ["SELECT", "UPDATE","DELETE"]
},
{
"schema": "_SYS_XS",
"name": "JOBS",
"type": "TABLE",
"privileges_with_grant_option": ["SELECT", "UPDATE","DELETE"]
}
],
"system_privileges": [
{
"privileges_with_admin_option": [
"ADAPTER ADMIN",
"AGENT ADMIN",
"ALTER CLIENTSIDE ENCRYPTION KEYPAIR",
"ATTACH DEBUGGER",

"AUDIT ADMIN",
"AUDIT OPERATOR",
"AUDIT READ",
"BACKUP ADMIN",
"BACKUP OPERATOR",
"CATALOG READ",
"CERTIFICATE ADMIN",
"CLIENT PARAMETER ADMIN",
"CREATE CLIENTSIDE ENCRYPTION KEYPAIR",
"CREATE R SCRIPT",
"CREATE REMOTE SOURCE",
"CREATE SCENARIO",
"CREATE SCHEMA",
"CREATE STRUCTURED PRIVILEGE",
"CREDENTIAL ADMIN",
"DATA ADMIN",
"DROP CLIENTSIDE ENCRYPTION KEYPAIR",
"ENCRYPTION ROOT KEY ADMIN",
"EXPORT",
"EXTENDED STORAGE ADMIN",
"IMPORT",
"INIFILE ADMIN",
"LDAP ADMIN",
"LICENSE ADMIN",
"LOG ADMIN",
"MONITOR ADMIN",
"OPTIMIZER ADMIN",
"RESOURCE ADMIN",
"SAVEPOINT ADMIN",
"SCENARIO ADMIN",
"SERVICE ADMIN",
"SESSION ADMIN",
"SSL ADMIN",
"STRUCTUREDPRIVILEGE ADMIN",
"SYSTEM REPLICATION ADMIN",
"TABLE ADMIN",
"TRACE ADMIN",
"TRUST ADMIN",
"USER ADMIN",
"VERSION ADMIN",
"WORKLOAD ADMIN",
"WORKLOAD ANALYZE ADMIN",
"WORKLOAD CAPTURE ADMIN",
"WORKLOAD REPLAY ADMIN"
]
}
]
}
}
}

Appendix 3: Using a UPS with a procedure grantor


Appendix 3.1: SYSTEM.Z_GRANT
CREATE PROCEDURE SYSTEM.Z_GRANT(
IN PRIVILEGES TABLE (
PRIVILEGE_TYPE NVARCHAR(128), -- 'SCHEMA_OBJECT_PRIVILEGE'
-- 'GLOBAL_OBJECT_PRIVILEGE'
-- 'SCHEMA_ROLE'
-- 'GLOBAL_ROLE'
-- 'SCHEMA_PRIVILEGE'
-- 'SYSTEM_PRIVILEGE'
PRIVILEGE_NAME NVARCHAR(256), -- cf. SYS.PRIVILEGES
OBJECT_SCHEMA NVARCHAR(256), -- NULL or schema
OBJECT_NAME NVARCHAR(256),
OBJECT_TYPE NVARCHAR(128), -- NULL or 'REMOTE SOURCE'
GRANTEE_SCHEMA NVARCHAR(256), -- NULL or schema
GRANTEE_NAME NVARCHAR(256),
GRANTABLE NVARCHAR(5) -- 'TRUE' or 'FALSE'
)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
BEGIN
DECLARE ERROR CONDITION FOR SQL_ERROR_CODE 10000;
DECLARE CURSOR PRIVILEGES_CURSOR FOR SELECT * FROM :PRIVILEGES;
FOR PRIVILEGE AS PRIVILEGES_CURSOR
DO
DECLARE TO_GRANTEE_CLAUSE NVARCHAR(512);
DECLARE GRANTABLE_CLAUSE NVARCHAR(512) = '';
IF PRIVILEGE.GRANTEE_SCHEMA IS NULL THEN
TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) || '"';
ELSE
TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_SCHEMA)
|| '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) ||
'"';
END IF;
IF PRIVILEGE.GRANTABLE = 'TRUE' THEN
IF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' OR
PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' OR
PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
GRANTABLE_CLAUSE = ' WITH ADMIN OPTION';
ELSE
GRANTABLE_CLAUSE = ' WITH GRANT OPTION';
END IF;
ELSEIF PRIVILEGE.GRANTABLE != 'FALSE' THEN
SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for GRANTABLE: '
|| PRIVILEGE.GRANTABLE;
END IF;
IF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_OBJECT_PRIVILEGE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| ' ON "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
|| '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_OBJECT_PRIVILEGE' THEN
IF PRIVILEGE.OBJECT_TYPE = 'REMOTE SOURCE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| ' ON ' || PRIVILEGE.OBJECT_TYPE || ' "' ||
ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSE
SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for OBJECT_TYPE for GLOBAL_OBJECT_PRIVILEGE: '
|| PRIVILEGE.OBJECT_TYPE;
END IF;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
|| '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_PRIVILEGE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| ' ON SCHEMA "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSE
SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for PRIVILEGE_TYPE: '
|| PRIVILEGE.PRIVILEGE_TYPE;
END IF;
END FOR;
END;

Appendix 3.2: GRANTING_PROCEDURE_GRANTOR_USER


CREATE USER GRANTING_PROCEDURE_GRANTOR_USER PASSWORD "Change_it_immidiately!2021" NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT EXECUTE ON SYSTEM.Z_GRANT TO GRANTING_PROCEDURE_GRANTOR_USER;

Appendix 4: Z_SYS.hdbsynonym
{
"z_blacklist": {
"target": {
"object": "_SYS_PASSWORD_BLACKLIST",
"schema": "_SYS_SECURITY"
}
},
"z_users": {
"target": {
"object": "USERS",
"schema": "SYS"
}
},
"z_roles": {
"target": {
"object": "ROLES",
"schema": "SYS"
}
},
"z_services": {
"target": {
"object": "M_SERVICES",
"schema": "SYS"
}
},
"z_memory": {
"target": {
"object": "M_SERVICE_MEMORY",
"schema": "SYS"
}
},
"z_heap": {
"target": {
"object": "M_HEAP_MEMORY_RESET",
"schema": "SYS"
}
},
"z_statistics": {
"target": {
"object": "M_SERVICE_STATISTICS",
"schema": "SYS"
}
},
"z_dummy": {
"target": {
"object": "DUMMY",
"schema": "SYS"
}
},
"z_schedules": {
"target": {
"object": "JOB_SCHEDULES",
"schema": "_SYS_XS"
}
},
"z_jobs": {
"target": {
"object": "JOBS",
"schema": "_SYS_XS"
}
}
}

Appendix 5: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbroleconfig
{
"Z_GRANULAR_SELECT__SYS_STATISTICS": {
"_SYS_STATISTICS_schema": {
"schema": "_SYS_STATISTICS"
}
}
}

Appendix 6: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbrole
{
"role": {
"name": "Z_GRANULAR_SELECT__SYS_STATISTICS",

"schema_privileges": [
{
"reference": "_SYS_STATISTICS_schema",
"privileges": ["SELECT"]
}
]
}
}

Appendix 7: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbroleconfig
{
"Z_GRANULAR_CONFIGURE__SYS_STATISTICS": {
"_SYS_STATISTICS_schema": {
"schema": "_SYS_STATISTICS"
}
}
}

Appendix 8: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbrole
{
"role": {
"name": "Z_GRANULAR_CONFIGURE__SYS_STATISTICS",
"schema_privileges": [
{
"reference": "_SYS_STATISTICS_schema",
"privileges": [
"INSERT",
"EXECUTE",
"DELETE",
"UPDATE"
]
}
]
}
}

Appendix 9: Z_BASIS_ADMIN_BACKUP.hdbrole
{
"role": {
"name": "Z_BASIS_ADMIN_BACKUP",
"object_privileges": [
{
"name": "z_schedules",
"type": "TABLE",
"privileges": [
"SELECT",
"DELETE",
"UPDATE"
]
},
{
"name": "z_jobs",
"type": "TABLE",
"privileges": [
"DELETE",
"SELECT",
"UPDATE"
]
}
],
"system_privileges": [
"BACKUP ADMIN"
]
}
}

Appendix 10: Z_BASIS_BACKUP_OPERATOR.hdbrole


{
"role":{
"name": "Z_BASIS_BACKUP_OPERATOR",
"system_privileges": [
"BACKUP OPERATOR"
]
}
}

Appendix 11: Z_BASIS_ADMIN_BASIC.hdbrole


{
"role": {
"name": "Z_BASIS_ADMIN_BASIC",
"schema_roles":[
{
"names": [
"Z_GRANULAR_SELECT__SYS_STATISTICS"
]
}
],

"system_privileges": [
"CATALOG READ",
"SERVICE ADMIN",
"INIFILE ADMIN",
"TRACE ADMIN",
"SESSION ADMIN",
"VERSION ADMIN",
"LICENSE ADMIN"
]
}
}

Appendix 12: Z_BASIS_ADMIN_DATA.hdbrole


{
"role":{
"name": "Z_BASIS_ADMIN_DATA",
"system_privileges": [
"CREATE SCHEMA",
"EXPORT",
"IMPORT"
]
}
}

Appendix 13: Z_BASIS_MONITORING.hdbrole


{
"role": {
"name": "Z_BASIS_MONITORING",

"system_privileges": [
"CATALOG READ"
],
"schema_roles":[
{
"names": [
"Z_GRANULAR_SELECT__SYS_STATISTICS"
]
}
],
"object_privileges": [
{
"name": "z_services",
"type": "TABLE",
"privileges": ["SELECT"]
},
{
"name": "z_memory",
"type": "TABLE",
"privileges": ["SELECT"]
},
{
"name": "z_statistics",
"type": "TABLE",
"privileges": ["SELECT"]
},
{
"name": "z_heap",
"type": "TABLE",
"privileges": ["SELECT"]
}
]

}
}

Appendix 14: Z_BASIS_ADMIN_PERSISTENCE.hdbrole


{
"role":{
"name": "Z_BASIS_ADMIN_PERSISTENCE",
"system_privileges": [
"CATALOG READ",
"SAVEPOINT ADMIN",
"RESOURCE ADMIN",
"LOG ADMIN"
]
}
}

Appendix 15: Z_BASIS_ADMIN_EXTENDED.hdbrole


{
"role": {
"name": "Z_BASIS_ADMIN_EXTENDED",
"schema_roles":[
{
"names": [
"Z_BASIS_ADMIN_BACKUP",
"Z_BASIS_ADMIN_BASIC",
"Z_BASIS_ADMIN_PERSISTENCE",
"Z_GRANULAR_CONFIGURE__SYS_STATISTICS"
]
}
]
}
}

Appendix 16: Z_SECURITY_AUDIT_READ.hdbrole


{
"role":{
"name": "Z_SECURITY_AUDIT_READ",
"system_privileges": [
"AUDIT READ"
]
}
}

Appendix 17: Z_SECURITY_ADMIN_AUDIT.hdbrole


{
"role":{
"name": "Z_SECURITY_ADMIN_AUDIT",
"system_privileges": [
"CATALOG READ",
"AUDIT ADMIN"
]
}
}

Appendix 18: Z_SECURITY_ADMIN_BASIC.hdbrole


{
"role":{
"name": "Z_SECURITY_ADMIN_BASIC",
"system_privileges": [
"CATALOG READ",
"INIFILE ADMIN"
],
"object_privileges": [
{
"name": "z_blacklist",
"type": "TABLE",
"privileges": ["SELECT", "INSERT", "UPDATE", "DELETE"]
}
]
}
}

Appendix 19: Z_SECURITY_ADMIN_CERTIFICATES.hdbrole


{
"role":{
"name": "Z_SECURITY_ADMIN_CERTIFICATES",
"system_privileges": [
"CATALOG READ",
"SSL ADMIN",
"TRUST ADMIN",
"CERTIFICATE ADMIN"
]
}
}

Appendix 20: Z_SECURITY_ADMIN_DISK_ENCRYPTION.hdbrole


{
"role":{
"name": "Z_SECURITY_ADMIN_DISK_ENCRYPTION",
"system_privileges": [
"CATALOG READ",
"RESOURCE ADMIN",
"ENCRYPTION ROOT KEY ADMIN"
]
}
}

Appendix 21: Z_SECURITY_ADMIN_TROUBLESHOOTING.hdbrole


{
"role":{
"name": "Z_SECURITY_ADMIN_TROUBLESHOOTING",
"system_privileges": [
"CATALOG READ",
"TRACE ADMIN"
]
}
}

Appendix 22: Z_SECURITY_ADMIN.hdbrole


{
"role": {
"name": "Z_SECURITY_ADMIN",
"schema_roles":[
{
"names": [
"Z_SECURITY_ADMIN_BASIC",
"Z_SECURITY_ADMIN_TROUBLESHOOTING"
]
}
]
}
}

Appendix 23: Z_SECURITY_ADMIN_EXTENDED.hdbrole


{
"role": {
"name": "Z_SECURITY_ADMIN_EXTENDED",
"schema_roles":[
{
"names": [
"Z_SECURITY_ADMIN",
"Z_SECURITY_ADMIN_AUDIT"
]
}
]
}
}

Appendix 24: Z_SUPPORT_ADMIN_TRACE.hdbrole


{
"role": {
"name": "Z_SUPPORT_ADMIN_TRACE",
"schema_roles":[
{
"names": [
"Z_BASIS_MONITORING"
]
}
],
"system_privileges": [
"TRACE ADMIN"
]
}
}

Appendix 25: Z_MANAGEMENT_CONTAINER_ROLE_ADMIN.hdbrole


{
"role":{
"name": "Z_MANAGEMENT_CONTAINER_ROLE_ADMIN",
"object_privileges":[
{
"name":"Z_GRANT_ROLE_TO_USER",
"type":"PROCEDURE",
"privileges":[ "EXECUTE" ]
},
{
"name":"Z_REVOKE_ROLE_FROM_USER",
"type":"PROCEDURE",
"privileges":[ "EXECUTE" ]
}
]
}
}

Appendix 26: Z_MANAGEMENT_USER_ADMIN.hdbrole


{
"role":{
"name": "Z_MANAGEMENT_USER_ADMIN",

"system_privileges": [
"USER ADMIN"
]
}
}

Appendix 27: Z_GRANT_ROLE_TO_USER.hdbprocedure


PROCEDURE "Z_GRANT_ROLE_TO_USER" (
IN role_name NVARCHAR(256),
IN grantee NVARCHAR(256)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
-- SQL statement we are going to execute
v_statement NVARCHAR(1024);
hdi_oo NVARCHAR (256);
role_schema NVARCHAR (256);
counter INTEGER := 0;
error_code INTEGER;
error_message NVARCHAR(1024);
BEGIN
-- prepare error handling in case of invalid arguments
DECLARE USERNOTEXIST CONDITION FOR SQL_ERROR_CODE 11001;
DECLARE GRANTSELF CONDITION FOR SQL_ERROR_CODE 11002;
DECLARE ROLENOTEXIST CONDITION FOR SQL_ERROR_CODE 11003;
DECLARE EXIT HANDLER FOR USERNOTEXIST RESIGNAL;
DECLARE EXIT HANDLER FOR GRANTSELF RESIGNAL;
DECLARE EXIT HANDLER FOR ROLENOTEXIST RESIGNAL;
hdi_oo := ::CURRENT_OBJECT_SCHEMA || '#OO';
role_schema := ::CURRENT_OBJECT_SCHEMA;
-- check if role exists
SELECT COUNT (*) INTO counter FROM (SELECT * FROM "z_roles" WHERE role_name = :role_name AND
role_schema_name = :role_schema AND creator = :hdi_oo);
IF ( counter != 1 ) THEN
SIGNAL ROLENOTEXIST SET MESSAGE_TEXT = 'Role does not exist: ' || :role_name;
END IF;

-- check input parameter user: does grantee exist?
SELECT COUNT (*) INTO counter FROM (SELECT * FROM "z_users" WHERE user_name = :grantee);
IF ( counter != 1 ) THEN
SIGNAL USERNOTEXIST SET MESSAGE_TEXT = 'User does not exist: ' || :grantee;
END IF;
-- self grant?
IF :grantee = SESSION_USER
THEN SIGNAL GRANTSELF SET MESSAGE_TEXT = 'Self-grant not allowed';
END IF;
-- assemble the grant statement; identifiers are escaped before being used in dynamic SQL
v_statement := 'GRANT "' || ESCAPE_DOUBLE_QUOTES(:role_schema) || '"."' || ESCAPE_DOUBLE_QUOTES(:role_name) || '" TO "' || ESCAPE_DOUBLE_QUOTES(:grantee) || '"';
-- and run the statement:
EXEC v_statement;
END;

Appendix 28: Z_REVOKE_ROLE_FROM_USER.hdbprocedure


PROCEDURE "Z_REVOKE_ROLE_FROM_USER" (
IN role_name NVARCHAR(256),
IN grantee NVARCHAR(256)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
--DEFAULT SCHEMA <default_schema_name>
AS
-- SQL statement we're going to execute
v_statement NVARCHAR(1024);
hdi_oo NVARCHAR (256);
role_schema NVARCHAR (256);
counter INTEGER := 0;
error_code INTEGER;
error_message NVARCHAR(1024);
BEGIN
-- prepare error handling in case of invalid arguments
DECLARE USERNOTEXIST CONDITION FOR SQL_ERROR_CODE 11001;
DECLARE GRANTSELF CONDITION FOR SQL_ERROR_CODE 11002;
DECLARE ROLENOTEXIST CONDITION FOR SQL_ERROR_CODE 11003;
DECLARE EXIT HANDLER FOR USERNOTEXIST RESIGNAL;
DECLARE EXIT HANDLER FOR GRANTSELF RESIGNAL;
DECLARE EXIT HANDLER FOR ROLENOTEXIST RESIGNAL;
hdi_oo := ::CURRENT_OBJECT_SCHEMA || '#OO';
role_schema := ::CURRENT_OBJECT_SCHEMA;
-- check input parameter user:
-- does grantee exist?
SELECT COUNT (*) INTO counter FROM (SELECT * FROM "z_users" WHERE user_name = :grantee);
IF ( counter != 1 ) THEN
SIGNAL USERNOTEXIST SET MESSAGE_TEXT = 'User does not exist: ' || :grantee;
END IF;
-- check if role exists
SELECT COUNT (*) INTO counter FROM (SELECT * FROM "z_roles" WHERE role_name = :role_name AND
role_schema_name = :role_schema AND creator = :hdi_oo);
IF ( counter != 1 ) THEN
SIGNAL ROLENOTEXIST SET MESSAGE_TEXT = 'Role does not exist: ' || :role_name;
END IF;
-- self-revoke?
IF :grantee = SESSION_USER
THEN SIGNAL GRANTSELF SET MESSAGE_TEXT = 'Self-revoke not allowed';
END IF;
-- assemble revoke statement:
v_statement := 'REVOKE "' || ESCAPE_DOUBLE_QUOTES(:role_schema) || '"."' || ESCAPE_DOUBLE_QUOTES(:role_name) || '" FROM "' || ESCAPE_DOUBLE_QUOTES(:grantee) || '"';
-- and run the statement:
EXEC v_statement;
END;

Appendix 29: mta.yaml (SYSTEMDB)

ID: sdb_roles
_schema-version: '2.0'
description: SYSTEMDB role templates
version: 0.0.1

modules:
  - name: sdb
    type: hdb
    path: sdb
    requires:
      - name: hdi-HDI_ROLES
        properties:
          TARGET_CONTAINER: ~{service-name}
      - name: hdi-SDB_ROLES

resources:
  - name: hdi-HDI_ROLES
    type: org.cloudfoundry.existing-service
    properties:
      service-name: ${service-name}
    parameters:
      service-name: Z_HDI_GRANTING_SERVICE

  - name: hdi-SDB_ROLES
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: Z_SDB_GRANTING_SERVICE

Appendix 30: Z_SDB_GRANTING_SERVICE.hdbgrants


{
"Z_SDB_GRANTING_SERVICE": {
"object_owner": {
"schema_privileges": [
{
"schema": "_SYS_STATISTICS",
"privileges_with_grant_option": ["SELECT", "INSERT", "UPDATE",
"DELETE", "EXECUTE"]
}
],
"roles": [
{
"roles_with_admin_option": [
"MONITORING"
]
}
],
"object_privileges": [
{
"schema": "_SYS_SECURITY",
"name": "_SYS_PASSWORD_BLACKLIST",
"type": "TABLE",
"privileges_with_grant_option": ["SELECT", "INSERT", "UPDATE",
"DELETE"]
},
{
"schema": "_SYS_XS",
"name": "JOB_SCHEDULES",
"type": "TABLE",
"privileges_with_grant_option": ["SELECT", "UPDATE","DELETE"]
},
{
"schema": "_SYS_XS",
"name": "JOBS",
"type": "TABLE",
"privileges_with_grant_option": ["SELECT", "UPDATE","DELETE"]
}
],
"system_privileges": [
{
"privileges_with_admin_option": [
"ADAPTER ADMIN",
"AGENT ADMIN",
"ALTER CLIENTSIDE ENCRYPTION KEYPAIR",
"ATTACH DEBUGGER",
"AUDIT ADMIN",
"AUDIT OPERATOR",
"AUDIT READ",
"BACKUP ADMIN",
"BACKUP OPERATOR",
"CATALOG READ",
"CERTIFICATE ADMIN",
"CLIENT PARAMETER ADMIN",
"CREATE CLIENTSIDE ENCRYPTION KEYPAIR",
"CREATE R SCRIPT",
"CREATE REMOTE SOURCE",
"CREATE SCENARIO",
"CREATE SCHEMA",
"CREATE STRUCTURED PRIVILEGE",
"CREDENTIAL ADMIN",
"DATA ADMIN",
"DATABASE ADMIN",
"DATABASE START",
"DATABASE STOP",
"DROP CLIENTSIDE ENCRYPTION KEYPAIR",
"ENCRYPTION ROOT KEY ADMIN",
"EXPORT",
"EXTENDED STORAGE ADMIN",
"IMPORT",
"INIFILE ADMIN",
"LDAP ADMIN",
"LICENSE ADMIN",
"LOG ADMIN",
"MONITOR ADMIN",
"OPTIMIZER ADMIN",
"RESOURCE ADMIN",
"SAVEPOINT ADMIN",
"SCENARIO ADMIN",
"SERVICE ADMIN",
"SESSION ADMIN",
"SSL ADMIN",
"STRUCTUREDPRIVILEGE ADMIN",
"SYSTEM REPLICATION ADMIN",
"TABLE ADMIN",
"TRACE ADMIN",
"TRUST ADMIN",
"USER ADMIN",
"VERSION ADMIN",
"WORKLOAD ADMIN",
"WORKLOAD ANALYZE ADMIN",
"WORKLOAD CAPTURE ADMIN",
"WORKLOAD REPLAY ADMIN"
]
}
]
}
}
}

Appendix 31: SYSTEM.Z_SDB_GRANT


CREATE PROCEDURE SYSTEM.Z_SDB_GRANT(
IN PRIVILEGES TABLE (
PRIVILEGE_TYPE NVARCHAR(128), -- 'SCHEMA_OBJECT_PRIVILEGE'
-- 'GLOBAL_OBJECT_PRIVILEGE'
-- 'SCHEMA_ROLE'
-- 'GLOBAL_ROLE'
-- 'SCHEMA_PRIVILEGE'
-- 'SYSTEM_PRIVILEGE'
PRIVILEGE_NAME NVARCHAR(256), -- cf. SYS.PRIVILEGES
OBJECT_SCHEMA NVARCHAR(256), -- NULL or schema
OBJECT_NAME NVARCHAR(256),
OBJECT_TYPE NVARCHAR(128), -- NULL or 'REMOTE SOURCE'
GRANTEE_SCHEMA NVARCHAR(256), -- NULL or schema
GRANTEE_NAME NVARCHAR(256),
GRANTABLE NVARCHAR(5) -- 'TRUE' or 'FALSE'
)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
BEGIN
DECLARE ERROR CONDITION FOR SQL_ERROR_CODE 10000;
DECLARE CURSOR PRIVILEGES_CURSOR FOR SELECT * FROM :PRIVILEGES;
FOR PRIVILEGE AS PRIVILEGES_CURSOR
DO
DECLARE TO_GRANTEE_CLAUSE NVARCHAR(512);
DECLARE GRANTABLE_CLAUSE NVARCHAR(512) = '';
IF PRIVILEGE.GRANTEE_SCHEMA IS NULL THEN
TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) || '"';
ELSE
TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_SCHEMA)
|| '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) ||
'"';
END IF;
IF PRIVILEGE.GRANTABLE = 'TRUE' THEN
IF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' OR
PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' OR
PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
GRANTABLE_CLAUSE = ' WITH ADMIN OPTION';
ELSE
GRANTABLE_CLAUSE = ' WITH GRANT OPTION';
END IF;
ELSEIF PRIVILEGE.GRANTABLE != 'FALSE' THEN
SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for GRANTABLE: '
|| PRIVILEGE.GRANTABLE;
END IF;
IF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_OBJECT_PRIVILEGE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| ' ON "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
|| '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_OBJECT_PRIVILEGE' THEN
IF PRIVILEGE.OBJECT_TYPE = 'REMOTE SOURCE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| ' ON ' || PRIVILEGE.OBJECT_TYPE || ' "' ||
ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSE
SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for OBJECT_TYPE for GLOBAL_OBJECT_PRIVILEGE: '
|| PRIVILEGE.OBJECT_TYPE;
END IF;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
|| '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_PRIVILEGE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| ' ON SCHEMA "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' THEN
EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
|| TO_GRANTEE_CLAUSE
|| GRANTABLE_CLAUSE;
ELSE
SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for PRIVILEGE_TYPE: '
|| PRIVILEGE.PRIVILEGE_TYPE;
END IF;
END FOR;
END;

Appendix 32: Z_SDB_SYS.hdbsynonym


{
"z_blacklist": {
"target": {
"object": "_SYS_PASSWORD_BLACKLIST",
"schema": "_SYS_SECURITY"
}
},
"z_users": {
"target": {
"object": "USERS",
"schema": "SYS"
}
},
"z_roles": {
"target": {
"object": "ROLES",
"schema": "SYS"
}
},
"z_services": {
"target": {
"object": "M_SERVICES",
"schema": "SYS"
}
},
"z_memory": {
"target": {
"object": "M_SERVICE_MEMORY",
"schema": "SYS"
}
},
"z_heap": {
"target": {
"object": "M_HEAP_MEMORY_RESET",
"schema": "SYS"
}
},
"z_statistics": {
"target": {
"object": "M_SERVICE_STATISTICS",
"schema": "SYS"
}
},
"z_sdb_services": {
"target": {
"object": "M_SERVICES",
"schema": "SYS_DATABASES"
}
},
"z_sdb_memory": {
"target": {
"object": "M_SERVICE_MEMORY",
"schema": "SYS_DATABASES"
}
},
"z_sdb_heap": {
"target": {
"object": "M_HEAP_MEMORY_RESET",
"schema": "SYS_DATABASES"
}
},
"z_sdb_statistics": {
"target": {
"object": "M_SERVICE_STATISTICS",
"schema": "SYS_DATABASES"
}
},
"z_dummy": {
"target": {
"object": "DUMMY",
"schema": "SYS"
}
},
"z_schedules": {
"target": {
"object": "JOB_SCHEDULES",
"schema": "_SYS_XS"
}
},
"z_jobs": {
"target": {
"object": "JOBS",
"schema": "_SYS_XS"
}
}
}

Appendix 33: Z_BASIS_MDC_START_STOP.hdbrole


{
"role":{
"name": "Z_BASIS_MDC_START_STOP",
"system_privileges": [
"DATABASE START",
"DATABASE STOP"
]
}
}

Appendix 34: Z_BASIS_ADMIN_MDC.hdbrole


{
"role":{
"name": "Z_BASIS_ADMIN_MDC",
"system_privileges": [
"DATABASE ADMIN"
]
}
}

Appendix 35: Z_BASIS_MONITORING_MDC.hdbrole


{
"role": {
"name": "Z_BASIS_MONITORING_MDC",
"object_privileges": [
{
"name": "z_sdb_services",
"type": "SYNONYM",
"privileges": [
"SELECT"
]
},
{
"name": "z_sdb_memory",
"type": "SYNONYM",
"privileges": [
"SELECT"
]
},
{
"name": "z_sdb_heap",
"type": "SYNONYM",
"privileges": [
"SELECT"
]
},
{
"name": "z_sdb_statistics",
"type": "SYNONYM",
"privileges": [
"SELECT"
]
}
],
"system_privileges": [
"CATALOG READ"
],
"schema_roles": [
{
"names": [
"Z_GRANULAR_SELECT__SYS_STATISTICS"
]
}
]
}
}

www.sap.com/contactsap

© 2021 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/trademark for additional trademark information and notices.
