Creating a basic read-only User for BI reporting
My intention was to answer the following question: What are the minimal rights and in which place do I have to apply them to read out data into a BI4.0 Web Intelligence report or Explorer Information space to view data?
First, let’s create a new user which has the Public Role assigned automatically and try to use it.
Note: If Kerberos (Windows AD) is enabled and users are pre-created, this user would get through on a regular BI Universe connection already established, but also can’t see anything.
Then we go into IDT (Information Design Tool) and create the relational connection to SAP HANA, the Connection Test succeeds. Great, but watch out, the password needs to be changed after the first login, the connection test will still work, but no query will run. Connect with SAP HANA Studio and it will prompt you to change the initial password.
Checking Explorer gives an error on the connetion created in IDT – “Not Authorized”:
Connecting via SAP HANA Studio, it will only show schema’s you have access to:
The good news is that none of the other schemas (apart from SYS and _SYS_REPO) show any information, even if they may be listed in IDT. And when trying to execute a select on any of the queries in _SYS_BIC, you will correctly get an error that you are not authorized:
Second: How to give access?
Add the attribute view, analytical view or calculation view from the _SYS_BIC schema, you want to give the user access to into the “SQL privileges” of your user (in my example DEL_2), to make it appear as an item in the “Catalog” list:
Still when trying to view the results of this attribute view in the example, an error will be shown that you are not authorized:
The same behaviour is observed in IDT. So what else is missing, now that we have access ot the “table”?
The issue here compared to the rights of a modeller, he or she gets a special Analytical privilege assigned which grants access to all the data in all the attribute views automatically. It is called: _SYS_BI_CP_ALL
This acts as a wildcard to all data. But instead of adding this wildcard to a user, we can just add an individual Analytical Privilege to the user:
With no restrictions associated, to see all the data. Then apply this same AP to the user account (or a role and then the role to the user)
This then allows retrieving data from just this Attribute view, in SAP HANA Studio and the data foundation in IDT.
I had to omit the screenshot as it contained customer specific data.
Doing the same works for an Analytical view as well, but it doesn’t show in BO Explorer yet.
There is no error in Explorer, but no cube list is displayed.
After adding the following system view “BIMC_CUBES” from the schema _SYS_BI into the allowed SQL schemas, it now displays the list of cubes (AN, CV) but regardless authorizations – not good:
But execution still fails when clicking “New” to create a new Information space on this Analytical View.
So what is missing? Granting further SELECT rights on BIMC_* views, allows us now to create an information space and index the information space.