
SAP HANA PRIVILEGES

By Sudip Kumar Das

SAP HANA Privileges


When a user accesses the SAP HANA
database using a client interface (for
example, ODBC, JDBC), his or her ability to
perform database operations on database
objects is determined by the privileges
that he or she has been granted.

System privilege
Object privilege
Analytic privilege
Package privilege
Granted roles

Authorization Check
All the privileges granted directly or indirectly
(through roles) to a user are combined. This
means that whenever a user tries to access an
object, the system performs an authorization
check on the user, the user's roles, and directly
granted privileges.

Object Privileges

Object privileges are SQL privileges that are used to allow
access to and modification of database objects.
For each SQL statement type (for example, SELECT, UPDATE, or
CALL), a corresponding object privilege exists. If a user wants
to execute a particular statement on a database object (for
example, table, view, or stored procedure), he or she must
have the corresponding object privilege for either the actual
object itself or the schema in which the object is located. This
is because the schema is an object type that contains other
objects. A user who has object privileges for a schema
automatically has the same privileges for all objects currently
in the schema and any objects created there in the future.
Initially, the owner of an object and the owner of the schema in
which the object is located are the only users who can access
the object and grant object privileges on it to other users.

Object Privileges
An object can be accessed only by the following users:

The owner of the object

The owner of the schema in which the object is located

Users to whom the owner of the object has granted privileges

Users to whom the owner of the parent schema has granted privileges
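The following SQL is an added example, not part of the original slides, showing the difference between an object-level and a schema-level grant described above. The schema SALES, the tables ORDERS and REGIONS, and the users ANALYST1 and ANALYST2 are hypothetical names; the statements are meant to be run by the owner of the schema (or another user who holds the privileges with grant option).

```sql
-- Added example; SALES, ORDERS, REGIONS, ANALYST1 and ANALYST2 are hypothetical names.
CREATE SCHEMA SALES;
CREATE COLUMN TABLE SALES.ORDERS (
  ORDER_ID INTEGER PRIMARY KEY,
  REGION   NVARCHAR(8),
  AMOUNT   DECIMAL(12, 2)
);

-- Passwords must satisfy the system's password policy (mixed case and a digit by default).
CREATE USER ANALYST1 PASSWORD "Welcome1Abc";
CREATE USER ANALYST2 PASSWORD "Welcome1Abc";

-- Object-level grant: ANALYST1 may read ORDERS and nothing else in SALES.
GRANT SELECT ON SALES.ORDERS TO ANALYST1;

-- Schema-level grant: ANALYST2 may read every object in SALES, including
-- objects that do not exist yet at the time of the grant.
GRANT SELECT ON SCHEMA SALES TO ANALYST2;

-- A table created after the grants: readable by ANALYST2 (schema privilege),
-- not by ANALYST1 (object privilege on ORDERS only).
CREATE COLUMN TABLE SALES.REGIONS (
  REGION  NVARCHAR(8) PRIMARY KEY,
  MANAGER NVARCHAR(64)
);

-- WITH GRANT OPTION lets the grantee pass the privilege on to others;
-- grant it only where delegation is actually intended.
GRANT SELECT ON SALES.ORDERS TO ANALYST1 WITH GRANT OPTION;

-- REVOKE takes the privilege away again.
REVOKE SELECT ON SALES.ORDERS FROM ANALYST1;

-- Audit the direct grants: the schema grant appears once with OBJECT_TYPE 'SCHEMA',
-- the table grant once with OBJECT_TYPE 'TABLE'.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM PUBLIC.GRANTED_PRIVILEGES
 WHERE GRANTEE IN ('ANALYST1', 'ANALYST2')
 ORDER BY GRANTEE, OBJECT_TYPE;
```

The practical caveat is the last point of the slide: a schema-level grant is open-ended, so anything later created in SALES, including a table an application creates at runtime, is readable by ANALYST2 without a further grant. Prefer object-level grants, or a dedicated schema, where that is not what you want.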

Analytic Privileges

SQL privileges implement coarse-grained authorization at
object level only. Users either have access to an object,
such as a table, view or procedure, or they do not. While
this is often sufficient, there are cases when access to data
in an object depends on certain values or combinations of
values. Analytic privileges are used in the SAP HANA
database to provide such fine-grained control of which data
individual users can see within the same view.

Analytic Privileges
Example

Sales data for all regions are contained within one analytic
view. However, regional sales managers should only see the
data for their region. In this case, an analytic privilege could
be modeled so that they can all query the view, but only
the data that each user is authorized to see is returned.
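The regional sales scenario above, written as an added example in SQL (not from the original slides). The slides describe analytic privileges modeled in the repository; the SQL-based form used here, CREATE STRUCTURED PRIVILEGE, is the equivalent that can be created directly with SQL and needs the system privilege CREATE STRUCTURED PRIVILEGE named later in the deck. The schema SALES, the table ORDERS, the view SALES_BY_REGION, the privilege names and the users MGR_EMEA and MGR_APJ are hypothetical; the WITH STRUCTURED PRIVILEGE CHECK clause is what registers a SQL view for the analytic-privilege check in current releases.

```sql
-- Added example; all object, privilege and user names are hypothetical.
-- Prerequisite: the issuing user holds the system privilege CREATE STRUCTURED PRIVILEGE
-- and SELECT on SALES.ORDERS (a base table with columns REGION and AMOUNT).

-- A SQL view is only subject to analytic privileges if it is registered for the check.
CREATE VIEW SALES.SALES_BY_REGION AS
  SELECT REGION, AMOUNT FROM SALES.ORDERS
  WITH STRUCTURED PRIVILEGE CHECK;

-- One privilege per region: SELECT on the view, restricted by a row filter.
CREATE STRUCTURED PRIVILEGE AP_SALES_EMEA
  FOR SELECT ON SALES.SALES_BY_REGION
  WHERE REGION = 'EMEA';

CREATE STRUCTURED PRIVILEGE AP_SALES_APJ
  FOR SELECT ON SALES.SALES_BY_REGION
  WHERE REGION = 'APJ';

CREATE USER MGR_EMEA PASSWORD "Welcome1Abc";
CREATE USER MGR_APJ  PASSWORD "Welcome1Abc";

-- Two layers: the object privilege is the coarse gate (may the user query the
-- view at all?), the structured privilege is the row filter (which rows?).
GRANT SELECT ON SALES.SALES_BY_REGION TO MGR_EMEA;
GRANT STRUCTURED PRIVILEGE AP_SALES_EMEA TO MGR_EMEA;

GRANT SELECT ON SALES.SALES_BY_REGION TO MGR_APJ;
GRANT STRUCTURED PRIVILEGE AP_SALES_APJ TO MGR_APJ;

-- The same statement, run by each manager, returns only that manager's region:
--   SELECT REGION, SUM(AMOUNT) FROM SALES.SALES_BY_REGION GROUP BY REGION;

-- A manager responsible for two regions simply receives both privileges;
-- the filters of all granted structured privileges on a view are combined.
GRANT STRUCTURED PRIVILEGE AP_SALES_APJ TO MGR_EMEA;

-- Dropping a structured privilege needs the system privilege STRUCTUREDPRIVILEGE ADMIN.
DROP STRUCTURED PRIVILEGE AP_SALES_APJ;
```

Two checks worth doing after modeling such privileges: query the view as each test user rather than as the modeler (the modeler's own privileges will mask a missing filter), and confirm the view is really registered for the check, since a view that is not registered is protected by the object privilege alone and returns every region to anyone who holds SELECT on it.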

Analytic Privileges

All column views modeled and activated in the SAP HANA
modeler automatically enforce an authorization check
based on analytic privileges. Column views created using
SQL must be explicitly registered for such a check (by
passing the parameter REGISTERVIEWFORAPCHECK).

Analytic privileges do not apply to database tables or views
modeled on row-store tables. Access to database tables and
row views is controlled entirely by SQL object privileges.

Analytic Privileges

To create analytic privileges, the system privilege CREATE
STRUCTURED PRIVILEGE is required.

To drop analytic privileges, the system privilege
STRUCTUREDPRIVILEGE ADMIN is required.

As repository objects, analytic privileges are owned by the
_SYS_REPO user. To be able to grant and revoke an analytic
privilege, a user needs the privilege EXECUTE on the
procedures GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE and
REVOKE_ACTIVATED_ANALYTICAL_PRIVILEGE respectively.

Package Privileges

The SAP HANA database repository is structured
hierarchically with packages assigned to other packages as
sub-packages. If you grant privileges to a user for a
package, the user is automatically also authorized for all
corresponding sub-packages.

Native packages are packages that were created in the
current system and should therefore be edited in the
current system. Imported packages from another system
should not be edited, except by newly imported updates.
An imported package should only be manually edited in
exceptional cases.

Native Package Privileges

Developers should be granted the following privileges for
native packages:
REPO.READ - This privilege authorizes read access to
packages and design-time objects, including both native
and imported objects.
REPO.EDIT_NATIVE_OBJECTS - This privilege authorizes all
kinds of inactive changes to design-time objects in native
packages.
REPO.ACTIVATE_NATIVE_OBJECTS - This privilege authorizes
the user to activate or reactivate design-time objects in
native packages.
REPO.MAINTAIN_NATIVE_PACKAGES - This privilege
authorizes the user to update or delete native packages, or
create sub-packages of native packages.

Imported Package Privileges
Developers should only be granted the following privileges
for imported packages in exceptional cases:

REPO.EDIT_IMPORTED_OBJECTS - This privilege authorizes
all kinds of inactive changes to design-time objects in
imported packages.

REPO.ACTIVATE_IMPORTED_OBJECTS - This privilege
authorizes the user to activate or reactivate design-time
objects in imported packages.

REPO.MAINTAIN_IMPORTED_PACKAGES - This privilege
authorizes the user to update or delete imported packages,
or create sub-packages of imported packages.

System Privileges

Developers require the following system privileges to be
able to work in the repository:
REPO.EXPORT - This privilege authorizes the user to export,
for example, delivery units.

REPO.IMPORT - This privilege authorizes the user to import
transport archives.

REPO.MAINTAIN_DELIVERY_UNITS - This privilege authorizes
the user to maintain delivery units (DU, DU vendor and
system vendor must be the same).

REPO.WORK_IN_FOREIGN_WORKSPACE - This privilege
authorizes the user to work in a foreign inactive workspace.

Roles

A role is a collection of privileges that can be granted to
either a user or another role at runtime. A role typically
contains the privileges required for a particular function or
task.

Privileges can be granted directly to users of the SAP HANA
database. However, roles are the standard mechanism of
granting privileges as they allow you to implement
complex, reusable authorization concepts that can be
modeled on business roles. Several standard roles are
delivered with the SAP HANA database (for example,
MODELING, MONITORING). You can use these as templates
for creating your own roles.

A role can also extend other roles: granting role A to role B
gives every holder of B all privileges of A as well.
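An added example (not from the original slides) that ties the package and system privileges of the preceding slides to the role concept: a base developer role for one native package, a lead role that extends it with the transport-related system privileges, and a user who receives the lead role. The role names DEV_BASE and DEV_LEAD, the user DEV_USER and the package acme.sales are hypothetical; the privilege names are the ones listed on the slides.

```sql
-- Added example; DEV_BASE, DEV_LEAD, DEV_USER and the package acme.sales are hypothetical.

-- Base role: everything a developer needs inside one native package.
-- Package privileges are granted ON a package and apply to all its sub-packages.
CREATE ROLE DEV_BASE;
GRANT REPO.READ                     ON "acme.sales" TO DEV_BASE;
GRANT REPO.EDIT_NATIVE_OBJECTS      ON "acme.sales" TO DEV_BASE;
GRANT REPO.ACTIVATE_NATIVE_OBJECTS  ON "acme.sales" TO DEV_BASE;
GRANT REPO.MAINTAIN_NATIVE_PACKAGES ON "acme.sales" TO DEV_BASE;
-- Deliberately absent: REPO.EDIT_IMPORTED_OBJECTS and the other *_IMPORTED_*
-- privileges, which the slides reserve for exceptional cases.

-- Lead role extends the base role (role-to-role grant) and adds the
-- system privileges needed to move content between systems.
CREATE ROLE DEV_LEAD;
GRANT DEV_BASE TO DEV_LEAD;
GRANT REPO.EXPORT                  TO DEV_LEAD;
GRANT REPO.IMPORT                  TO DEV_LEAD;
GRANT REPO.MAINTAIN_DELIVERY_UNITS TO DEV_LEAD;

-- Users get roles, not individual privileges.
CREATE USER DEV_USER PASSWORD "Welcome1Abc";
GRANT DEV_LEAD TO DEV_USER;

-- Offboarding or a role change is one statement instead of a privilege-by-privilege revoke.
REVOKE DEV_LEAD FROM DEV_USER;
GRANT DEV_BASE TO DEV_USER;

-- The role hierarchy as granted: DEV_USER -> DEV_BASE, DEV_LEAD -> DEV_BASE.
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME
  FROM PUBLIC.GRANTED_ROLES
 WHERE GRANTEE IN ('DEV_USER', 'DEV_LEAD');
```

Keeping the role-to-role grant explicit (DEV_LEAD extends DEV_BASE rather than repeating its grants) is what makes the hierarchy reviewable: a change to what a developer may do in acme.sales is made once, in DEV_BASE, and reaches every role and user built on top of it.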

Procedure for Grant & Revoke Privilege

Query to view Privileges

Query this view to see which privileges have been granted
directly to a user:
SELECT * FROM "PUBLIC"."GRANTED_PRIVILEGES" WHERE
GRANTEE = '<USER>'
Query this view to see which roles have been granted
directly to a user or role:
SELECT * FROM "PUBLIC"."GRANTED_ROLES" WHERE
GRANTEE = '<USER/ROLE_NAME>'
Both views list direct grants only; privileges that reach a
user through a role do not appear under the user's name.
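Because the authorization check combines direct grants with everything inherited through roles (as the Authorization Check slide states), auditing a user from GRANTED_PRIVILEGES alone understates what the user can do. The following queries are an added example, not from the original slides, using the PUBLIC.EFFECTIVE_PRIVILEGES and PUBLIC.EFFECTIVE_ROLES views; DEV_USER is a hypothetical user name.

```sql
-- Added example; DEV_USER is a hypothetical user name.

-- 1. Direct grants only: the view the slides refer to.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM PUBLIC.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'DEV_USER';

-- 2. Every role the user holds, including roles reached through other roles.
--    GRANTEE shows the role or user the role was granted to, so nested
--    roles are visible as GRANTEE <> USER_NAME.
SELECT USER_NAME, GRANTEE, GRANTEE_TYPE, ROLE_NAME
  FROM PUBLIC.EFFECTIVE_ROLES
 WHERE USER_NAME = 'DEV_USER';

-- 3. What the authorization check actually evaluates: direct grants plus all
--    privileges inherited via the role hierarchy, with the grantee they came through.
SELECT USER_NAME, GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME,
       PRIVILEGE, IS_GRANTABLE, IS_VALID
  FROM PUBLIC.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'DEV_USER'
 ORDER BY GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;

-- 4. Reverse question for a review: who, through any path, can administer
--    users or roles? OBJECT_TYPE 'SYSTEMPRIVILEGE' is the type these views use
--    for system privileges.
SELECT DISTINCT USER_NAME, GRANTEE, PRIVILEGE
  FROM PUBLIC.EFFECTIVE_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('USER ADMIN', 'ROLE ADMIN', 'DATA ADMIN')
 ORDER BY PRIVILEGE, USER_NAME;
```

Query 3 is the one to use when answering "can this user read this table": a row with GRANTEE different from USER_NAME means the privilege arrived through a role, and IS_VALID = 'FALSE' flags a grant whose grantor no longer holds the privilege with grant option, which is worth cleaning up rather than relying on.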