Author: Clint Vosloo

Restricting access to Views in SAP HANA for SAP Lumira

I recently got asked this by a customer of ours and it sparked the idea to put it into a blog post for those who are looking for a similar solution 😉

The blog posts and guides that I found when researching this would grant SAP Lumira access to all the views on your HANA server but none that I found restricted access to only certain packages.

Firstly let’s create a new ROLE that users will be assigned to:

Blog1.jpg

And let’s now create a test USER and add it to the ROLE we created above:

Blog2.jpg

Now let’s try to log into HANA via SAP Lumira with the new user. We get the following error message, which is as expected:

Blo3.png

I will then give the TEST_ROLE Select rights to _SYS_BI and _SYS_BIC objects as below:

Blog4.jpg

I will then try to access HANA again using the TEST_USER. The good news is that we can now connect to SAP HANA, but we do not have access to any analytical views yet:

Blog5.jpg

There are a few blog posts on SCN that I found, like this one, that touch on granting access for Lumira. Typically this involves granting the _SYS_BI_CP_ALL Analytic Privilege to your USER/ROLE as below:

Blog6.jpg

The problem/limitation with this method is that it casts the access net over your whole HANA system and will give that user access to all the Views/Packages on your system. As can be seen below we have access to 40 views in total:

Blog7.jpg

So let me revoke the _SYS_BI_CP_ALL privilege first. Once that is done I want to grant this TEST_ROLE access to only the CV_DEMO package and the three views in it, as per the screenshot above.

In HANA Studio right click on the package you want to grant access to (cv_demo in my case) and choose to create a new Analytic Privilege as below:

Blog8.jpg

As a matter of reference I created my Analytic Privilege as AP_CV_DEMO. The final piece of the puzzle is to go back to the TEST_ROLE and grant it access to AP_CV_DEMO Analytic Privilege that we have just created:

Blog9.jpg

For one final check let’s head back into Lumira. When we log on we only have access to the 3 views in CV_DEMO which is what we wanted:

Blog10.jpg

Finally if we access one of those views we are able to see the data in Lumira:

Blog11.png

I hope this will help people out who are stuck with this and please do leave comments below if you have any further questions or ideas on this.

As a side note, the software revisions this was done on were:

SAP HANA Rev 82 (1.00.82.00.394270)

SAP Lumira 1.19.0 (Build 1099)
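
The Studio steps in the post, expressed as SQL that can be run from a SQL console. This is an added example, not part of the original post; the role, user, package and Analytic Privilege names are the ones the post uses, while the password and the repository name `cv_demo/AP_CV_DEMO` (package/object) are assumptions.

```sql
-- Added example: SQL equivalent of the HANA Studio steps shown in the post.
-- TEST_ROLE, TEST_USER, cv_demo and AP_CV_DEMO come from the post.
-- The password is a placeholder; the repository name "cv_demo/AP_CV_DEMO"
-- assumes the Analytic Privilege was created in package cv_demo.

-- 1. Role and test user
CREATE ROLE TEST_ROLE;
CREATE USER TEST_USER PASSWORD ChangeMe1234;   -- placeholder, replace
GRANT TEST_ROLE TO TEST_USER;

-- 2. Object privileges: enough for Lumira to connect and browse,
--    not enough to read any view's data
GRANT SELECT ON SCHEMA _SYS_BI  TO TEST_ROLE;
GRANT SELECT ON SCHEMA _SYS_BIC TO TEST_ROLE;

-- 3. Only if the blanket Analytic Privilege was granted earlier:
--    remove it so the role no longer reaches every view on the system
REVOKE STRUCTURED PRIVILEGE "_SYS_BI_CP_ALL" FROM TEST_ROLE;

-- 4. Grant the package-scoped Analytic Privilege instead.
--    AP_CV_DEMO itself is still created and activated in HANA Studio;
--    activated repository privileges are granted through _SYS_REPO.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE"(
       '"cv_demo/AP_CV_DEMO"', 'TEST_ROLE');

-- 5. Check what the role ended up with
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'TEST_ROLE'
 ORDER BY OBJECT_TYPE, OBJECT_NAME;

-- 6. Audit: every user or role that still holds the blanket privilege
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_NAME = '_SYS_BI_CP_ALL';
```

Step 6 is worth running periodically: any grantee it returns can read every view in every package, regardless of the package-scoped privileges assigned elsewhere.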


      14 Comments
      Former Member

      Nice, thanks for sharing Clint!

      Corey

      Clint Vosloo
      Blog Post Author

      Pleasure Corey Adams! I am assuming that as more and more companies start to use HANA and Lumira together then this tip will come in handy 😉

      John Appleby

      Thanks Clint this is handy indeed.

      Clint Vosloo
      Blog Post Author

      Thanks John - Glad you found it helpful.

      Former Member

      Hi Clint,

      I am assuming this works with new HANA Releases. I tried the same scenario with HANA Revision 70, but the HANA Views are not being restricted based on Analytic Privileges.

      <Read your side note after I was unable to recreate the above scenario 😥 >

      Regards,

      Rahul

      Clint Vosloo
      Blog Post Author

      I unfortunately do not have a Rev 70 to test this one but I do know that this solution does work with Rev72

      Justin Molenaur

      In previous releases, you can't use a blanket SELECT on SYS_BIC. By default, all views are seen when you browse in the client tools.

      The solution here (had same problem at a customer), is that you need to add the specific views ONLY to SYS_BIC/SELECT and also require the corresponding analytic privileges be able to execute.

      So the object privileges controls what objects you can SEE, but the AP controls what you can actually EXECUTE.

      Regards,

      Justin

      Former Member

      Hi,

      I have tried your setup and it works fine!

      We have also deployed the HANA Live for ECC and activated a set of views.

      When we add these views into the Analytic Privilege, we get an error from Lumira when running the query entering the Company Code, Sales Org, SAP Client etc..

      Do we need to add all the subsequent views from the Query view into the Analytic Privilege? Or do you know another way around?

      Clint Vosloo
      Blog Post Author

      Hi Kristoffer Engh

      Glad to know the solution worked for you 😉

      I unfortunately don't have a HANA Live system to test on but "theoretically" I would assume that you would need to create an Analytic Privilege/s for the new views you imported so that you can access them through Lumira.

      If you can let me know what error you are getting from Lumira then I can try to help that way around.

      Clint

      Former Member

      Hi

      Thank you for the reply! I have a query view based on a set of other views. I have created an Analytical Privilege on the query view and limited it on Company Code. If I run it, then it will fail with the error message below.

      /wp-content/uploads/2015/02/unnamed_635927.png

      If I run the Auto Documentation on that query view from HANA Studio, I get the whole Related Objects Hierarchy.

      I add all the related Views in the role, set a restriction on SAPClient (Why? If not, I get the same error message).

      Now the Analytical Privilege works. Is this the correct way to do it?

      /wp-content/uploads/2015/02/unnamed_1_635928.png

      Justin Molenaur

      These can get a little screwy. I assume you have SELECT access granted on SYS_BIC already?

      I would start with OSS note 1809199 to debug authorizations. This would apply to missing analytic privileges as well.

      You had the right idea adding attribute restrictions to all models involved, I had a similar problem and that was the solution.

      Happy HANA,

      Justin

      Clint Vosloo
      Blog Post Author

      Thanks for the input on this Justin Molenaur 😉

      Former Member

      Do I also have to grant the user read rights on the tables that the view relies on? I'd rather not.

      manohar potnuru

      Thanks for the detailed explanation.