Recently I found myself needing to expose one of my HCP (HANA Cloud Platform) applications to the outside world without any authentication. While this is probably not the most common scenario it still can happen and of course brings a whole load of questions like how to actually expose the UI in a freely accessible way and also how to give limited access to your data?

So here we go – this scenario is where I have a split app on HCP (not the trial version) with data residing in my HANA server.

Step 1 – Roles & Privileges

We need a standard .hdbrole and .analyticprivilege file. The first should be of the standard form to give perhaps “SELECT” access to a schema or set of tables. It should also include your analytic privilege (contains any attribute, analytical or calculation views).

Figure 1


Sample .hdbrole file giving access to a schema and including an analytic privilege


* Note that normally I would never give UPDATE/INSERT/DELETE privileges to a anonymous user unless I had a good reason.

Screen Shot 2015-06-30 at 15.50.18.png

Figure 2


Sample .analyticprivilege file giving access to an Analytic view I created

Screen Shot 2015-06-30 at 15.50.43.png

Step 2 – Create basic restricted user

In order to be certain that the connecting user only has access to what we want them to have access to, create a new user and only assign the following permissions:

  • Assign the role created in step 1 to the user
  • Assign “SELECT” access to the schema “_SYS_BIC”

Step 3 – Create a SQL connection for your app

Now we need to create a XS SQL connection configuration (.XSSQLCC) file which will be the object we will use to connect our anonymous user to our project. This file simply contains one line which is a description of the connection configuration.

Figure 3


Sample .xssqlcc file contents simply giving a description of the SQL connection configuration.

Screen Shot 2015-06-30 at 15.51.12.png

Step 4 – Assign your restricted user to the SQL connection

Activation of this XSSQLCC file from step 3 creates an entry in the system table “SQL_CONNECTIONS” in the schema “_SYS_XS” and performing a select on that table where the “NAME” field is equal to your XSSQLCC file name will retrieve that entry. i.e. if your project is called “ABC” and it is in the top level package “XYZ” and your .XSSQLCC file is called myConfig.xssqlcc then your name search will be for “XYZ.ABC::myConfig”.


Once you have verified the entry is in the table you can see that the field called “USERNAME” defaults to blank. This is where we need to specify our restricted user. Do this by running the command as follows using a standard SQL console on the HANA server:


Figure 4


SQL statement to update the SQL Configuration of your app to run as your restricted user.

Screen Shot 2015-06-30 at 16.11.47.png


In this case my restricted user is called DEMO_ANON.

Step 5 – Make your app use the SQL connection for all access attempts

Finally we now setup our app to use this connection for anybody who attempts to connect to the app. In the .xsaccess file we update our authentication methods to null and set our anonymous_connection to use our XSSQLCC connection.

Figure 5


Updated .xsaccess file to use anonymous authentication via our XSSQLCC file.

Screen Shot 2015-06-30 at 16.13.36.png

Once all this is complete you should be good to go for anonymous authentication to your XS application. There is some of this configuration available via SAP provided configuration apps (such as the xs admin console /sap/hana/xs/admin on your server ) however this is the workflow that works for me 🙂

Any questions/comments please feel free to shout

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply