SAP HANA users can be assigned roles to perform various tasks in SAP HANA smart data streaming (SDS). During installation, the SDS installer creates a user named SYS_STREAMING and assigns that user the cluster password entered. The SDS administrator can use the SYS_STREAMING user to grant permissions to roles, and assign those roles to SAP HANA users. The permissions granted to a role can be broad or narrow in scope. For example, a role can be granted all streaming permissions without restrictions to perform any task, or limited streaming permissions ensuring that a user can only perform a specific task. Creating roles and assigning them privileges allows you to easily manage permissions for multiple users in one place.

Granting access to at least one user should always be one of the first steps in setting up a system. Use SYS_STREAMING, which is a preconfigured user, to assign SAP HANA users SDS roles and privileges and to manage SDS cluster configuration. Do not use SYS_STREAMING to run streaming projects, or to publish and subscribe from streaming projects.

Note: The SAP HANA superuser, SYSTEM, is granted full permissions on the SDS server at the time SDS is installed. The SYS_STREAMING user provides an alternate, preconfigured user with full permissions to manage SDS users when the SYSTEM superuser is not provided.

The examples below use the streamingclusteradmin tool in interactive mode, which is generally the simpler method for viewing or modifying cluster settings manually. Run streamingclusteradmin as the <sid>adm user from the SDS node. If you used the SDS default installation directory, the streamingclusteradmin tool is located at /hana/shared/<sid>/streaming/STREAMING-1_0/bin. You can also use the streamingclusteradmin tool in command line mode, which is useful for managing the cluster from a script. See Granting Permissions Using Command Line Mode.

Some of the examples below assume that DEMO and TEST are already defined as users on the SAP HANA system. For information about adding an SAP HANA user, see Create and Authorize a User.


Note: When assigning SDS permissions and roles, use the fully qualified domain name (FQDN) of the streaming host. The examples below use server.company.com to represent the FQDN of the streaming host. For the port number, the examples below use 3xx26, where xx is the two-digit HANA instance number. For example, if the instance number is 00, the port is 30026.

Creating a Role

  1. Create the role prod1:

        $STREAMING_HOME/bin/streamingclusteradmin --uri=esps://server.company.com:3xx26 --username=SYS_STREAMING --password=<password>

        add role prod1

  2. Create the role prod2:

        $STREAMING_HOME/bin/streamingclusteradmin --uri=esps://server.company.com:3xx26 --username=SYS_STREAMING --password=<password>

        add role prod2

Assigning a Role with All Permissions to a User


  1. Grant all permissions, with no restrictions, to a role. For example, grant all permissions to role prod1:

        $STREAMING_HOME/bin/streamingclusteradmin --uri=esps://server.company.com:3xx26 --username=SYS_STREAMING --password=<password>

        grant perm all to role prod1

  2. Assign the role to an SAP HANA user. For example, grant the role prod1 to user DEMO:

        $STREAMING_HOME/bin/streamingclusteradmin --uri=esps://server.company.com:3xx26 --username=SYS_STREAMING --password=<password>

        grant role prod1 to user DEMO

Assigning a Role with Limited Permissions to a User


  1. Grant a role only the permissions required to perform a specific task. For example, grant the role prod2 permission to read only the stream s3, in project p7 in workspace w2:

        $STREAMING_HOME/bin/streamingclusteradmin --uri=esps://server.company.com:3xx26 --username=SYS_STREAMING --password=<password>

        grant perm read workspace on workspace w2 to role prod2
        grant perm read project on project p7 to role prod2
        grant perm read stream on stream s3 to role prod2

  2. Assign the role to an SAP HANA user. For example, grant the role prod2 to user TEST:

        $STREAMING_HOME/bin/streamingclusteradmin --uri=esps://server.company.com:3xx26 --username=SYS_STREAMING --password=<password>

        grant role prod2 to user TEST

Reviewing User Authorizations


  1. List all users who are authorized to perform tasks. For example:

        $STREAMING_HOME/bin/streamingclusteradmin --uri=esps://server.company.com:3xx26 --username=SYS_STREAMING --password=<password>

        get users

  2. List all of the roles that have been assigned to DEMO and TEST. For example:

        $STREAMING_HOME/bin/streamingclusteradmin --uri=esps://server.company.com:3xx26 --username=SYS_STREAMING --password=<password>

        get roles for user DEMO
        get roles for user TEST
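
The grants on this page can also be reviewed as a batch before they are entered. The script below is an added example, not part of the original post or of SAP's tooling: it reads a list of the interactive commands shown above (the sample batch is constructed from this page) and reports which users would receive a role holding all permissions, and which scoped permissions the other roles hold. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: review a planned batch of streamingclusteradmin interactive
# commands. It only parses text; it does not contact an SDS cluster.

# Constructed sample input: the grant commands from this page, as one batch.
planned_grants() {
cat <<'EOF'
add role prod1
add role prod2
grant perm all to role prod1
grant role prod1 to user DEMO
grant perm read workspace on workspace w2 to role prod2
grant perm read project on project p7 to role prod2
grant perm read stream on stream s3 to role prod2
grant role prod2 to user TEST
EOF
}

# Print "user role" for each user granted a role that holds "perm all".
# The join happens at end of input, so the order of the lines does not matter.
users_with_all() {
  awk '
    $1=="grant" && $2=="perm" && $3=="all" && $4=="to" && $5=="role" { all[$6]=1 }
    $1=="grant" && $2=="role" && $4=="to" && $5=="user" { n++; role[n]=$3; user[n]=$6 }
    END { for (i = 1; i <= n; i++) if (role[i] in all) print user[i], role[i] }
  '
}

# Print "role privilege object-type object-name" for each scoped grant.
scoped_perms() {
  awk '
    $1=="grant" && $2=="perm" && $3!="all" && $5=="on" && $8=="to" && $9=="role" {
      print $10, $3, $6, $7
    }
  '
}

echo "Users receiving a role with all permissions:"
planned_grants | users_with_all
echo "Scoped permissions by role:"
planned_grants | scoped_perms
```

For the batch on this page, the first report lists only DEMO (through prod1), and the second lists the three read grants held by prod2.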


Related documentation on the SAP Help Portal

