I recently got asked this by a customer of ours and it sparked the idea to put it into a blog post for those who are looking for a similar solution 😉

The blog posts and guides that I found when researching this would grant SAP Lumira access to all the views on your HANA server but none that I found restricted access to only certain packages.

Firstly let’s create a new ROLE that users will be assigned to:

Blog1.jpg

And let’s now create a test USER and add it to the ROLE we created above:

Blog2.jpg

Now let’s try log into HANA via SAP Lumira with the new user. We get the following error message which is as expected:

Blo3.png

I will then give the TEST_ROLE Select rights to _SYS_BI and _SYS_BIC objects as below:

Blog4.jpg

I will then try access HANA again using the TEST_USER. The good news is that we can now connect to SAP HANA but we do not have access to any analytical views yet:

Blog5.jpg

There are a few blog post on SCN, that I found, like this one that touches on granting access for Lumira. Typically this involves granting access to the _SYS_B_CP_ALL Analytic Privilege to your USER/ROLE as below:

Blog6.jpg

The problem/limitation with this method is that it casts the access net over your whole HANA system and will give that user access to all the Views/Packages on your system. As can be seen below we have access to 40 views in total:

Blog7.jpg

So let me revoke the _SYS_BI_CP_ALL privileged first. Once that is done I now want to grant this TEST_ROLE access to only the CV_DEMO package and the three views in that as per the screen shot above.

In HANA Studio right click on the package you want to grant access to (cv_demo in my case) and choose to create a new Analytic Privilege as below:

Blog8.jpg

As a matter of reference I created my Analytic Privilege as AP_CV_DEMO. The final piece of the puzzle is to go back to the TEST_ROLE and grant it access to AP_CV_DEMO Analytic Privilege that we have just created:

Blog9.jpg

For one final check let’s head back into Lumira. When we log on we only have access to the 3 views in CV_DEMO which is what we wanted:

Blog10.jpg

Finally if we access one of those views we are able to see the data in Lumira:

Blog11.png

I hope this will help people out who are stuck with this and please do leave comments below if you have any further questions or ideas on this.

As a side note the revisions of Software that this is done on was:

SAP HANA Rev 82 (1.00.82.00.394270)

SAP Lumira 1.19.0 (Build 1099)

To report this post you need to login first.

14 Comments

You must be Logged on to comment or reply to a post.

  1. Rahul Pant

    Hi Clint,

    I am assuming this works with new HANA Releases. I tried the same scenario with HANA Revision 70, but the HANA Views are not being restricted based on Analytic Privileges.

    <Read your side note after I was unabel to recreate the above scenario 😥 >

    Regards,

    Rahul

    (0) 
      1. Justin Molenaur

        In previous releases, you can’t use a blanket SELECT on SYS_BIC. By default, all views are seen when you browse in the client tools.

        The solution here (had same problem at a customer), is that you need to add the specific views ONLY to SYS_BIC/SELECT and also require the corresponding analytic privileges be able to execute.

        So the object privileges controls what objects you can SEE, but the AP controls what you can actually EXECUTE.

        Regards,

        Justin

        (0) 
  2. Kristoffer Engh

    Hi,

    I have tried your setup and it works fine!

    We have also deployed the HANA Live for ECC and activated a set of views.

    When we add these views into the Analytic Privilege, we get an error from Lumira when running the query entering the Company Code, Sales Org, SAP Client etc..

    Do we need to add all the subsequent views from the Query view into the Analytic Privilege? Or do you know another way around?

    (0) 
    1. Clint Vosloo Post author

      Hi Kristoffer Engh

      Glad to know the solution worked for you 😉

      I unfortunately don’t have a HANA Live system to test on but “theoretically” I would assume that you would need to create an Analytic Privilege/s  for the new views you imported so that you can access them through Lumira

      If you can let me know what error you getting from Lumira then I can try help that way around.

      Clint

      (0) 
      1. Kristoffer Engh

        Hi

        Thank you for the reply! I have a query view based on set of other views. I have created an Analytical Privilage on the query view and limited on Company Code. If I run it, then it will fail with the error message below.

        /wp-content/uploads/2015/02/unnamed_635927.png

        If I run the Auto Documentation on that query view from HANA Studio, I get the whole Related Objects Hierarchy.

        I add all the related Views in the role, set a restriction on SAPClient (Why? If not, I get the same error message).

        Now the Analytical Privilege work.. Is this correct way to do it?

        /wp-content/uploads/2015/02/unnamed_1_635928.png

        (0) 
        1. Justin Molenaur

          These can get a little screwy. I assume you have SELECT access granted on SYS_BIC already?

          I would start with OSS note 1809199 to debug authorizations. This would apply to missing analytic privileges as well.

          You had the right idea adding attribute restrictions to all models involved, I had a similar problem and that was the solution.

          Happy HANA,

          Justin

          (0) 

Leave a Reply