Recently, I was given a task to advise HANA roles based on requirements given by my colleague and senior David Vitali.
This was an opportunity to read and learn about HANA security while completing this task. However, soon I found that I would need to read several guides to fulfil the requirements and learn about different types of security privileges and roles. So, I decided to gather the information from different guides and put it into one quick reference (or cheat sheet). I can now quickly refer to the document whenever I need to understand, create, update or review security for roles and users. I have also found that some of the privileges available in our current system (i.e. SP06 Rev64) are missing from the guides which are written for SP06. For example, the DEVELOPMENT privilege is not mentioned anywhere in the guides.
Please do comment or suggest the updates if I am missing them. I will add them to quick reference. If possible, please do suggest roles for various purposes. Hopefully, I will keep getting such exposure and share.
EDITED on 17/10/2013: Added SQL syntax for inbuilt _sys_repo procedures. I have been using them for granting access and used once for revoke. Good for granting multiple privileges in one go.
Disclaimer:
This document has been prepared solely for information purposes for the use of the recipient and without any commitment or responsibility on my (Angad Singh) part.
Nice Document.
Regards,
Sushant
Hi Sushant,
Thanks for your comment. Please do share more here so that I can keep adding stuff to file.
Regards
Angad
Thanks for this,
My team and I will be taking over maintenance / support of a HANA system before the end of the year and this will be very useful.
Perhaps one of Mahesh Kumar CV, Bill Ramos, or Alvaro Tejada Galindo may be able to see if a similar table can be included in future releases of the SAP_HANA_Security_Guide_xx.pdf.
Hi Martin,
Thanks for reading and commenting.
Looking forward to future releases of the security guide.
Regards
Angad
Nice Doc..Thanks for Sharing 🙂
Hi Naveen,
Thanks for reading and commenting.
Regards
Angad
Good job putting together this information. Looking forward to seeing more stuff.
Hi,
I am curious about the DEVELOPER privilege you say is missing in the documentation. To my knowledge there is no such single privilege. However, the Developer Guide provides information about which privileges a developer actually needs. In particular the section “11.3.3 Custom Development Role” might be useful.
Hope this helps.
Regards
Sinead (HANA documentation)
Hi Sinead,
I am sorry, I mistyped the privilege name. It is the “DEVELOPMENT” system privilege. We are on Rev67. I am curious to know what this privilege does.
I understand there is information in the developer guide about required developer privileges, and that’s how we designed the roles for development.
Regards
Angad
Hi Angad,
You are right, there is a system privilege DEVELOPMENT that can be granted in the SAP HANA studio. I have found out now that this is a privilege for internal SAP use only. It should not be granted or even available for granting! This has now been reported as a bug. So please ignore it until it disappears.
Thanks and regards,
Sinead
Hello Angad,
Thank you for sharing the fruit of your work with the community. I personally came across the same challenge, not finding a quick reference to HANA security information. I also collected the following, which I found useful for a better understanding of analytical privileges:
ANALYTICAL PRIVILEGES (on data => on a row level, not mandatory)
– On analytical views
– Not on SQL table or SQL views, not on calculation or aggregation attributes
– Can restrict on certain values or combinations of values, range and IN-list (no value defined means no restriction or wild-card)
– Privileges can be dynamic (filter by a stored procedure; e.g. on user characteristic)
– Privileges can be credited to a role (in a *.hdbrole by the variable “analytic privilege:”)
– Evaluated during query processing.
Feel free to use it if needed.
Cheers,
Robin
Thanks Robin.
You have provided useful information.
Regards
Angad
Hi, I could not see the attached document. Can you please let me know? Thank you.