SAP HANA PRIVILEGES By Sudip Kumar Das

Upload: sudip-das

Post on 09-Nov-2015


SAP HANA Authorization By Sudip Kumar Das

SAP HANA Privileges

When a user accesses the SAP HANA database using a client interface (for example, ODBC, JDBC), his or her ability to perform database operations on database objects is determined by the privileges that he or she has been granted.

Authorization Check

All the privileges granted directly or indirectly (through roles) to a user are combined. This means that whenever a user tries to access an object, the system performs an authorization check on the user, the user's roles, and directly granted privileges.

Object Privileges

Object privileges are SQL privileges that are used to allow access to and modification of database objects. For each SQL statement type (for example, SELECT, UPDATE, or CALL), a corresponding object privilege exists. If a user wants to execute a particular statement on a database object (for example, table, view, or stored procedure), he or she must have the corresponding object privilege for either the actual object itself or the schema in which the object is located. This is because the schema is an object type that contains other objects. A user who has object privileges for a schema automatically has the same privileges for all objects currently in the schema and any objects created there in the future.

Initially, the owner of an object and the owner of the schema in which the object is located are the only users who can access the object and grant object privileges on it to other users.

An object can be accessed only by the following users:

The owner of the object

The owner of the schema in which the object is located

Users to whom the owner of the object has granted privileges

Users to whom the owner of the parent schema has granted privileges

Analytic Privileges

SQL privileges implement coarse-grained authorization at object level only. Users either have access to an object, such as a table, view or procedure, or they do not. While this is often sufficient, there are cases when access to data in an object depends on certain values or combinations of values. Analytic privileges are used in the SAP HANA database to provide such fine-grained control of which data individual users can see within the same view.

Example:

Sales data for all regions are contained within one analytic view. However, regional sales managers should only see the data for their region. In this case, an analytic privilege could be modeled so that they can all query the view, but only the data that each user is authorized to see is returned.

All column views modeled and activated in the SAP HANA modeler automatically enforce an authorization check based on analytic privileges. Column views created using SQL must be explicitly registered for such a check (by passing the parameter REGISTERVIEWFORAPCHECK).

Analytic privileges do not apply to database tables or views modeled on row-store tables. Access to database tables and row views is controlled entirely by SQL object privileges.

To create analytic privileges, the system privilege CREATE STRUCTURED PRIVILEGE is required.

To drop analytic privileges, the system privilege STRUCTUREDPRIVILEGE ADMIN is required.

As repository objects, analytic privileges are owned by the _SYS_REPO user. To be able to grant and revoke an analytic privilege, a user needs the privilege EXECUTE on the procedures GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE and REVOKE_ACTIVATED_ANALYTICAL_PRIVILEGE respectively.

Package Privileges

The SAP HANA database repository is structured hierarchically with packages assigned to other packages as sub-packages. If you grant privileges to a user for a package, the user is automatically also authorized for all corresponding sub-packages.

Native packages are packages that were created in the current system and should therefore be edited in the current system. Imported packages from another system should not be edited, except by newly imported updates. An imported package should only be manually edited in exceptional cases.

Native Package Privileges

Developers should be granted the following privileges for native packages:

REPO.READ - This privilege authorizes read access to packages and design-time objects, including both native and imported objects.

REPO.EDIT_NATIVE_OBJECTS - This privilege authorizes all kinds of inactive changes to design-time objects in native packages.

REPO.ACTIVATE_NATIVE_OBJECTS - This privilege authorizes the user to activate or reactivate design-time objects in native packages.

REPO.MAINTAIN_NATIVE_PACKAGES - This privilege authorizes the user to update or delete native packages, or create sub-packages of native packages.

Imported Package Privileges

Developers should only be granted the following privileges for imported packages in exceptional cases:

REPO.EDIT_IMPORTED_OBJECTS - This privilege authorizes all kinds of inactive changes to design-time objects in imported packages.

REPO.ACTIVATE_IMPORTED_OBJECTS - This privilege authorizes the user to activate or reactivate design-time objects in imported packages.

REPO.MAINTAIN_IMPORTED_PACKAGES - This privilege authorizes the user to update or delete imported packages, or create sub-packages of imported packages.

System Privileges

Developers require the following system privileges to be able to work in the repository:

REPO.EXPORT - This privilege authorizes the user to export, for example, delivery units.

REPO.IMPORT - This privilege authorizes the user to import transport archives.

REPO.MAINTAIN_DELIVERY_UNITS - This privilege authorizes the user to maintain delivery units (DU, DU vendor and system vendor must be the same).

REPO.WORK_IN_FOREIGN_WORKSPACE - This privilege authorizes the user to work in a foreign inactive workspace.

Roles

A role is a collection of privileges that can be granted to either a user or another role at runtime. A role typically contains the privileges required for a particular function or task.

Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard mechanism of granting privileges, as they allow you to implement complex, reusable authorization concepts that can be modeled on business roles. Several standard roles are delivered with the SAP HANA database (for example, MODELING, MONITORING). You can use these as templates for creating your own roles.

A role can also extend other roles.

Procedure for Grant & Revoke Privilege

Query to View Privileges

Query this view to see which privileges have been granted directly to a user (replace <USER_NAME> with the user being checked):

SELECT * FROM "PUBLIC"."GRANTED_PRIVILEGES" WHERE GRANTEE = '<USER_NAME>';

Query this view to see which roles have been granted directly to a user:

SELECT * FROM "PUBLIC"."GRANTED_ROLES" WHERE GRANTEE = '<USER_NAME>';
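The following SQL script is an added example, not part of the original slides, that ties together the Roles slide and the two monitoring queries above: it packages schema-level object privileges in a role, grants the role to a user, and then verifies the result with GRANTED_PRIVILEGES, GRANTED_ROLES and the combined EFFECTIVE_PRIVILEGES view. The schema SALES, the role SALES_REPORTING and the user REGMGR_EAST are assumed names; the schema and the user are assumed to exist already.

```sql
-- Added example (not from the original slides). Assumed names: schema SALES,
-- role SALES_REPORTING, existing database user REGMGR_EAST.

-- 1. Bundle the privileges of one job function in a role instead of granting
--    them to individual users (roles are the standard mechanism).
CREATE ROLE SALES_REPORTING;

-- SELECT on the schema covers every table and view in SALES now and any
-- object created there later (see "Object Privileges"), so grant it only
-- when schema-wide read access is really intended.
GRANT SELECT ON SCHEMA SALES TO SALES_REPORTING;

-- Narrower alternative when a single view is all that is needed:
-- GRANT SELECT ON SALES.REGIONAL_SUMMARY TO SALES_REPORTING;

-- 2. Grant the role to the user (a role may also be granted to another role).
GRANT SALES_REPORTING TO REGMGR_EAST;

-- 3. Verify: privileges held directly by the role ...
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM "PUBLIC"."GRANTED_PRIVILEGES"
 WHERE GRANTEE = 'SALES_REPORTING';

-- ... roles granted directly to the user ...
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM "PUBLIC"."GRANTED_ROLES"
 WHERE GRANTEE = 'REGMGR_EAST';

-- ... and the combined result the authorization check actually uses:
-- everything the user holds directly or through roles. This is the view to
-- read when reviewing a user for least privilege.
SELECT USER_NAME, GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, SCHEMA_NAME,
       OBJECT_NAME, PRIVILEGE
  FROM "PUBLIC"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME = 'REGMGR_EAST'
   AND SCHEMA_NAME = 'SALES';

-- 4. Revoke path: removing the role removes, in one step, every privilege
--    the user obtained through it. Direct grants must be revoked separately.
REVOKE SALES_REPORTING FROM REGMGR_EAST;
```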