Skip to Content

SAP HANA 2.0 SPS 01: New Developer Features

Wednesday, April 12th SAP has begun to ship SAP HANA 2.0 SPS 01.  If you would like to learn more about all the new features in SAP HANA 2.0 broadly, you can refer to the following blog post:

In this blog, we would like to point out some of the highlights of the new features for developers who use the SAP HANA native application development capabilities. It should be noted that most of the major architectural changes in the development topic area were recently introduced in SAP HANA 1.0 SPS 11.  This is when we first shipped the SAP HANA extended application services, advanced model (XSA), SAP HANA deployment infrastructure (HDI), and the SAP Web IDE for SAP HANA.  If you are new to these topics in general, you might first want to review the what’s new details from SPS 11, SPS 12, HANA 2.0 SPS 0 and the openSAP course on this topic.

SAP HANA SPS 11: New Developer Features

SAP HANA SPS 12: New Developer Features

SAP HANA 2.0 SPS 0: New Developer Features

We will also be hosting a webinar for the What’s New Developer topic:

 April 18 What’s New – SAP HANA Native Application Development Tom Slee, Volker Saggau, Tae Suk Son, Lucas Kiesow, Rich Heilman, Thomas Jung 7 a.m. PST
10 a.m. EST
4 p.m. CET
60  Download

We have also updated the exercises from the latest openSAP course to include a version that showcases how to build the same using HANA 2.0 SPS 01:

Also the HANA Express version has now been updated to HANA 2.0 SPS 01 as well:

Database Development

In order to keep this blog from being too large, Rich Heilman posted about the database development features in a separate blog here:

SAP HANA Extended Application Services, Advanced Model

One of the biggest changes to the SAP HANA architecture was the introduction of XS advanced in SPS 11. SAP HANA extended application services in SPS 11 represents an evolution of the application server architecture building upon the previous strengths while expanding the technical scope. While I don’t want to repeat all the architectural features which came with XS advanced in SPS 11, you can review them in this blog: SAP HANA SPS 11: New Developer Features; XS Advanced

With HANA 2.0 SPS 01 we continue to round out the general feature set of XS Advanced; filling in one of the major remaining features from the XS Classic environment while also improving support for audit logging and multi-tenancy.

A few of the various new and enhanced features are:

Java Spring Boot Support

Spring is a popular open source application framework for Java. In particular it is focused on web applications in the Java EE space.  This addition ensures that Spring Boot is usable from both the Java runtime in XSA but also is added as an option in the Java module wizard in the SAP Web IDE for SAP HANA.

This addition broadens the offering of Java EE applications and makes it easier to port existing Spring based Java applications to XSA.

Parallel Deployment of Apps

As a performance feature we will now support parallel deployment of applications within the deploy service.

This will improve performance in situations which rely upon a large number of deployments: for example new system installation or system upgrade times.

Fiori Launchpad

One of the few remaining feature gaps to XS classic, was the absence of ability to easily create Fiori Launchpad applications in XSA.  With HANA 2.0 SPS 01, SAP fills this gaps with a full featured implementation of the Fiori Launchpad based in XSA’s micro-service approach and integrated with the SAP Web IDE for SAP HANA.  For more details on this XSA specific implementation of the Fiori Launchpad please refer to this separate blog post here:

Instance Manager

Service instances, for example HDI containers, are statically bound to an application at deployment time. But multi-tenancy capable applications that leverage service instances for tenant separation (e.g. each tenant stores its data in a separate HDI container) need to create additional instances at runtime whenever a new tenant is added and they also need to connect to any one of these instances when processing a request for a specific tenant. To support this requirement, Application Managed Service Instances are made available by the new Instance Manager (Instance Broker) In HANA 2.0 SPS 01.

This is a key technology for building and delivering multi-tenant applications.  This functionality supports the automated on-boarding and upgrade capabilities required in a true multi-tenant environment.  This capability is delivered on premise in the XSA Runtime, but will also soon be available in the SAP Cloud Platform as well.

So normally you would create an HDI service instance and bind it your application with the following commands (or this happens automatically upon MTAR deployment/installation).

xs create-service hdi hdi-shared tenant-hdi-container
xs bind-service <app-name> tenant-hdi-container

This works perfectly fine when you have a static, single container instance, but if start to use HDI container instances as tenants then the application needs to be restaged and restarted for each new service instance binding.  This is prohibitively disruptive in a productive environment when you could be on-boarding new tenants at any time.  It also requires that the application user have SpaceDeveloepr authorization if your application does the dynamic on-borading at runtime.

But with HANA 2.0 SPS 01 we now have a special Instance Manager that can perform the provisioning and dynamic binding to your application for you.

Your application, at installation type, now creates a special type of HDI service called managed-hana and bind this centrally to your application.  This really gives you a connection to the Instance Manager instead.

xs create-service managed-hana hdi-shared tenant-hdi-container
xs bind-service <app-name> tenant-hdi-container

Your application now makes HTTP requests to the Instance Manager to create, delete, or get access to specific HDI container instances for a particular tenant.  The following is an example written in Node.js for creating a tenant instance named my-tenant, getting access to the instance, and then deleting it.

/*eslint no-console: 0, no-shadow: 0*/
"use strict";

var http = require("http");
var port = process.env.PORT || 3000;

http.createServer(function(req, res) {
	var xsenv = require("@sap/xsenv");
	var createInstanceManager = require("@sap/instance-manager").create;

	var options = xsenv.getServices({
		hana: {
			tag: "managed-hana"
	console.log(JSON.stringify(options.hana)        );
	createInstanceManager(options.hana, function(err, instanceManager) {
		if (err) {
			return console.log("Create instance manager error: ", err.message);

		instanceManager.create("my-tenant", function(err, instance) {
			if (err) {
				return console.log("Create error: ", err.message);

			// consume instance.credentials

			instanceManager.get("my-tenant", function(err, instance) {
				if (err) {
					return console.log("Get error: ", err.message);

				// same instance

				instanceManager.delete("my-tenant", function(err) {
					if (err) {
						return console.log("Delete error: ", err.message);

					console.log("Instance deleted");

	res.writeHead(200, {
		"Content-Type": "text/plain"
	res.end("Instance Test\n");

console.log("Server listening on port %d", port);


Using Instance Manager also has some drawbacks:

-Apps have to trigger service instance creation on their own (there are APIs to assist)

-Managed service instances are not visible for the cloud/xsa controller yet for direct administration (but only the shared underlying service instance)

Audit Log

Central Audit logging for XSA was added in HANA 2.0 SPS 0 but the APIs for writing to the log were only available in Java modules. This addition extends the audit logging APIs to Node.js based modules as well.

Customers expect centralized audit logging capabilities for their applications and we can now provide this feature for both Java and Node.js based applications in XSA.

XSA provides both centralized Audit logging APIs but also central storage of the audit entries in the HANA database, an OData service for reading the Audit Log, and an interactive user interface for querying and displaying Audit Log entries.

The Audit Log is provided by an XSA service broker much like the UAA or HDI services.

xs create-service auditlog free <my-service-instance>

Then this audit log service instance needs to be added as a resource in your project’s mta.yaml file:

Finally the resource must be bound to your application (Java or Node.js) that wishes to write Audit Log entries:

For Java modules, you would use the following steps to use the Audit Log:

  1. Include the Audit Log API in your Maven Project
    <dependency> <groupId></groupId> 
  2. Declare the resource
    1. If you are using Tomcat as your runtime, add a new resource in META-INF/context.xml
      <?xml version='1.0' encoding='utf-8'?> 
        <Resource name="audit" auth="Container" type="" factory="" singleton="true" /> 
    2. If you are using TomEE, then add a new resource in WEB-INF/resources.xml
      <?xml version='1.0' encoding='utf-8'?> 
        <Resource id="audit" type="" provider="xs.openejb:XS Audit Log Message Factory Provider"/> 
  3. Access the AuditLogMessageFactory. This could be done in one of two ways:
    1. Via JNDI lookup
      Context ctx = new InitialContext(); 
      AuditLogMessageFactory auditlogMesageFactory = (AuditLogMessageFactory); ctx.lookup("java:comp/env/audit");
    2. Via Resource Injection
      @Resource(name="audit") private AuditLogMessageFactory mesageFactoryInj;
  4. Finally, the Java coding itself
    ConfigurationChangeAuditMessage message = mesageFactory.createConfigurationChangeAuditMessage();
    message.addValue("severity", "error", "warn"); 

Or for Node.js this example shows loading the Audit Log instance resource via the @sap/xsenv module and then using the APIs to write a log entry from within an Express handler.

/*eslint no-console: 0, no-unused-vars: 0, no-shadow: 0, quotes: 0, no-use-before-define: 0, new-cap:0 */
"use strict";
var express = require("express");

module.exports = function() {
	var app = express.Router();

	var xsenv = require("@sap/xsenv");
	var credentials = xsenv.getServices({
		auditlog: 'openSAP5-ex-log'
	var auditLog = require('@sap/audit-logging')(credentials);

	//Simple AuditLog Example
	app.get("/example1", function(req, res) {
		var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
		if (req.headers['x-forwarded-for']) {
			ip = req.headers['x-forwarded-for'].split(",")[0];
		} else if (req.connection && req.connection.remoteAddress) {
			ip = req.connection.remoteAddress;
		} else {
			ip = req.ip;
		auditLog.securityMessage('%d unsuccessful login attempts', 3).by(, id) {
			// Place all of the remaining logic here
			if (err) {
				res.type("text/plain").status(500).send("ERROR: " + err.toString());
			res.type("application/json").status(200).send(JSON.stringify('Log Entry Saved as: ' + id));

	return app;

Finally there is the central Audit Log UI provided by the XSA runtime itself that can be used to search and display the entries:

Scoped NPM Packages

Before HANA 2.0 SPS 01, the SAP provided Node.js modules were simply separated out by the fact that their names generally began with the text “SAP”.  This could potentially cause conflicts with customer or other public NPM modules.  This will especially become a problem once SAP launches the planned public NPM repository for SAP modules. Scoping provides a safe, enforceable namespace for NPM modules/packages.

The use of scoped packages better identifies SAP provided Node.js modules but most importantly allows for the integration of SAP modules with customer or open source specific modules. It is a key feature necessarily for the launch of the SAP owned public NPM repository.

With HANA 2.0 SPS 01, customers should switch all the references in their package.json files in their projects to the new scoped module names. Only the scoped modules will continue to be updated.

Development Tools

SAP Web IDE for SAP HANA provides a comprehensive web-based end-to-end development experience for creating SAP HANA native applications:

  • Development of SAP HANA content and models
  • UI development with SAPUI5
  • Node.js or XSJS business code
  • Git integration

Therefore it provides a complete workflow for all of your new HANA Deployment Infrastructure (HDI) and XS advanced model (XSA) based development.

SAP Web IDE for SAP HANA comprises capabilities of SAP HANA Studio and SAP HANA Web-based Development Workbench. It represents the long term replacement tool for both of these previous offerings. It consolidates technologies, follows industry trends, and leverages industry standards where possible, while retaining a competitive innovation focus of SAP’s current offering.

With SAP HANA 2.0 SPS 1, we continue to enhance and expand the capabilities of the SAP Web IDE for SAP HANA and close the few remain feature gaps compared to the old HANA studio.

Backwards Compatibility

Previously the version of the SAP Web IDE for SAP HANA had to match exactly the version of the underlying HANA database. With the HANA 2.0 SPS 01 version of SAP Web IDE for SAP HANA, we introduce the ability to target older releases of HANA for HDB modules. Upon module creation, the developer choose the lowest HANA release they want to target. Then all source code editors adjust their syntax checks and other features to enforce the development at the target older release.

This means that customers running HANA databases at 1.0 SPS 12, can now upgrade both their XSA Runtime and the SAP Web IDE for SAP HANA to HANA 2.0 SPS 01 (and later) versions and gain new features that previously were only available with a full HANA DB upgrade.

Fiori Template Enhancements


We’ve enhanced the Data Connection step of the Master/Detail  modules.  In SPS 01, it now allow you to connect to OData services in the current project and allows you to see all endpoints in multiple modules of your project.

mta.yaml Editor

The mta.yaml file is the core project configuration file in the SAP Web IDE for SAP HANA.  Although it is based upon the open standard of YAML; we’ve received feedback from customers that both the YAML specification and the technical complexity of the mta file are difficult to understand and edit. This leads to a higher learning curve and more development errors. With SPS 01 we introduce a new form based editor in addition to the existing source code based editor for the mta.yaml file.

This new error reduces the overwhelming initial complexity of project creation and maintenance experience in SAP Web IDE for SAP HANA.  It structures the flow that developers need to follow and enforces checks upon the values they provide. It also provides better overall navigation than a traditional source code based editor can provide.  Overall this new editor should work to greatly reduce the barier to entry that many developers face when first working with the SAP Web IDE for SAP HANA.

Application Lifecycle Management

Product installation for XSA in SAP HANA 2.0 SPS 0 and lower is only possible via the XS command line tool. With HANA 2.0 SPS 01 we introduce a web-based user interface alternative for installing XSA products and customer owned application MTA archives.

This new UI offers more options for installation tooling as well as better administrative user experience. This also better unifies the administrative and devops user experience around web-based tooling.


With SAP HANA 1.0 SPS 11, SAP introduced a considerable change in the architecture of application development. Much of the development for the past few years has been focused on just delivering the first version of that new architecture and then only closing gaps between the old and new architecture.  With SAP HANA 2.0 SPS 1, you are beginning to see that we can finally innovate based upon this new architecture.  The general improvements combined with tools and programming model changes you see here are laying the foundation to allow you to build new kinds of applications easier and faster than you ever have before.


You must be Logged on to comment or reply to a post.
  • Hello, Thomas.

    Thanks for the great blog.

    Now I can download SAP HANA 2.0 express edition from for learning SAP HANA.

    And when can I download  SAP HANA 2.0 express edition SPS 01 ? It will be soon?

  • Hello Thomas, thanks for your great post. ! I have a question about SAP Web IDE.
    Since SAP introduced support for java spring boot framework, I wonder if now one can use SAP Web IDE for the full development cycle with java other than with XSJS and Node.js artifacts. With 'full development' I mean that Sap Web IDE supports features like code completion, code check, build / run / debug even when developing Java Modules. This question, more generally, would apply to all 'buildpack' SAP will introduce (soon or later), since Web IDE is the "long-term replacement for SAP Hana Studio" and similar developer tools.
    Documentation isn't so clear on this point, could you clarify please ?

    • > I wonder if now one can use SAP Web IDE for the full development cycle with java other than with XSJS and Node.js artifacts

      You could already do the full Java development cycle in HANA 2.0 SPS 0.  We added build/run support in SPS 0.

      >With ‘full development’ I mean that Sap Web IDE supports features like code completion, code check, build / run / debug even when developing Java Modules

      Everything you listed there is supported for Java Modules in the SAP Web IDE for SAP HANA.

      >This question, more generally, would apply to all ‘buildpack’ SAP will introduce (soon or later)

      The SAP Web IDE for SAP HANA won't necessarily support the Bring Your Own Language build packs, but will support the primary SAP supported build packs (which right now is Java and Node.js).


    • The new Cloud Foundry based version of SAP Cloud Platform will come with HANA 2.0.  For more details on the availability of this, I suggest you keep a close eye on the announcements that will come out of SAPPHIRE next month.

    • Yes this is possible as of HANA 2.0 SPS 0:


  • Application Lifecycle Management
    "we introduce a web-based user interface alternative for installing XSA products and customer owned application MTA archives"

    Are we really able to use it for our own MTA archives? Is there more documentation how we have to do it?


    • I can be used for your own, but you need to put your mtar file inside a zip and create folder called META-INF and add a SL_MANIFEST.XML to that folder. I would suggest looking at one of the SAP product zip files as an example.

  • Scoped NPM Packages

    I could not find that much information on that.

    Is the idea in using that functionality that traditional ABAP-namespaces will be administered for NPM/node.js in the future as well? I mean, having that one folder level approach is nice - but even scoped names like "@booking/analyze" obviously might not be unique.

    I mean administered by SAP.


      • Thanks for swift reply, however, I know that.

        I was trying to get info from you if SAP plans to get SAP ABAP Namespaces onto that npm structure / scope, mybe under a private, ie SAP owned, registry server or so.

        But most likely - as that obviously is not implemented right now - you would not be allowed to elaborate on such possibly planned features...

  • We can't change how a scope works. That's defined by NPM itself.  We will publish all of our modules in the @SAP scope to avoid potential conflicts and to allow layered NPM repositories.  And yes we are launching our own SAP owned private registry for our modules.  That private registry is actually live on the internet already, but we've not advertised it yet as not all of our modules are published yet.  In another few days, hopefully all teams will have their publishing done and we can begin to promote it.

  • Hi,

    I can't find the documentation for changing the URL/Domain for different applications/ports. I think I read about this feature but can't find it.

    Is there something possible? Thanks a lot!

    • There are a few different ways. If you are using hostname based routing, by default the URL will be Organization-Space-Service Name-base hostname

      However in your mta.yaml for the module definition in the parameters section you can override the default behavior and supply your own host part that gets added to the base hostname



      Another approach is to use path based routing instead of hostname based. This was a new feature in HANA 2.0 SPS 0.

      CREATE-ROUTE is the keyword you need for this.

      With HANA 2.0 SPS 0, XSA introduces the option of context path based routing.  This allows the developer or admin to assign nice URLs with recognizable path names.  It also avoids the same origin policy issue (CORS/Cross-Site-Scripting). Instead of the port access you can assign a path that will route to your application.  This can be assigned during push or more likely direct assigned to a running application via the new create-route command.

      • Hi Thomas,

        I tried to change the host, but it didn’t work for me. Did I miss a step?

        host: test
        register-service-url: true
        service-name: web
        service-url: ‘${default-url}’


        • What exactly is happening?  Do you already have the service deployed? If changing these values in the MTA and the service already exists, you might have to delete it manually and then re-run. Also are you using hostname based routing? This approach only works with hostname based routing.

          • “Do you already have the service deployed?” –>Yes, I tried it more times.

            “If changing these values in the MTA and the service already exists, you might have to delete it manually and then re-run.” –> How?

            xs unregister-service-url!? The docu is to small at this point.

            “Also are you using hostname based routing?” –> yes.

          • I was suggesting deleting the service with XS DELETE. There is also the XS DELETE-ROUTE command for completely removing the existing route.

  • Hi Thomas,

    is Instance Manager the right keyword for my problem:


    • No I don't think that will help.  Its probably just new logic in the Web IDE for naming of the container instance.  Is there a reason why the new container is a big problem in development?  Nothing from the build/run of the Web IDE should really ever be considered permanent.

      • Is there a reason why the new container is a big problem in development?

        --> Yes, because we are working on our "test"-data, which we have loaded before for each of us in our development environment.

        But the bigger problem for me is, what will happen, if we bring the app in the production world. And after an WebIDE update, the customer will have a new container and isn't able to see and work on his "old" data?







        • >But the bigger problem for me is, what will happen, if we bring the app in the production world. And after an WebIDE update, the customer will have a new container and isn’t able to see and work on his “old” data?

          You don't install a productive app via the Web IDE.  You build the MTAR and then deploy that.  YOu won't have the same issue at all.  The Web IDE post-fixes the container names to keep them unique in a development environment when multiple developers might build the same container in the same space.  The deployer does no such thing.

          • But once more.

            From developer view I don’t understand why the objects (hdi-container, and so on)  are created again. The old objects wouldn’t be used anymore.

            And the problem is further while I try to start the new deployed app, I get the error msg “that already a route exists” and stops the running. To fix it, I’ve to delete the old objects…

            We never we had this behavior in the past and I wouldn’t miss it.

  • Hi Thomas,


    After XSA runtime upgrade, is HANA system restart required?

    We are thinking about if we should host XSA separately from HANA database in order to get frequent XSA upgrades without needs of system downtime.


    Thank you!


    • No.  A HANA DB restart is not required for just an XSA Runtime update even if they are both installed on the same host machine.

      Thomas Jung

  • Hi Thomas, having visited your OpenSAP course HANA5,  I am too eager to try the Github exercise you pointed out above.

    Unfortunately I still cannot pass through the installation issue "Timed out while waiting for apps: cockpit-adminui-svc, cockpit-admin-web-app", for which I have posted a question:

    User "Alexander K" also posted the same issue in this blog above on  April 26, 2017 at 5:19 am, but without getting any answer.

    It would be great if you could share some of your thoughts about this issue.



  • Hi Thomas,

    I'd like to know if announced Sap Web Ide Multicloud version will be available even on premise Hana installation or not.

    Moreover, is Web Ide Multicloud a replacement for Web Ide ?

    • SAP Web IDE Multicloud is the Cloud deployed version and SAP Web IDE for SAP HANA is the on premise version.  They come from the same core code base and will share many of the same features.

    • We have updated versions of the openSAP course exercises for HANA 2.0.

      We also continue to update the github repo for the openSAP course.  There are different branches for each HANA release.  There is one for SPS 01:



    Hi Thomas,

    I'm currently looking at the v4 OData via Java App and found some issues:

    • Access Control: It looks like the java app doesn't initialize the XS_APPLICATIONUSER variable. At least the variable contains the SBSS_... User and not the User which is logged in (owner of the JWT). As far as I can see CDS AccessPolicies and Aspects also use this variable as $user. This makes it impossible to restrict the rows based on the user?
    • Parameters: CDS added support for parameters (and generates table functions instead of views), but when exposing their context via @OData.publish: true the service cannot be accessed:
      "error": {
        "code": null,
        "message": "No enum constant"

    Do you have any suggestions? I'm on HXE SP2 but I also have access to the Software Download Center... are these issues known limitations or is there a newer version of the SAP Gateway Runtime (looks like I'm currently on 1.0.6) or the OData jars (4.3.0-sap-02)?

    Thanks for your help,


    • Admittedly my knowledge on the Java module is limited. I spend most of my time covering the Node.js side.  On the first item, are you not getting the auth token or is that the wizard generated code just isn't setting the DB session variables.  If you aren't getting the auth token at all, make sure you have a web module in front of your Java module and are using the forwardAuthToken option in the xs-app.json.  If its the later, you might have to set the DB session variables manually in the OData exit framework.


      As far as the latest version of SAP Gateway Runtime, I just updated one of my projects yesterday based upon SPS 02 and its version 1.2.3. This is SPS 02 Patch 1 of the Web IDE for SAP HANA (4.2.18)


      So yes 1.0.6 seems quite old.

      • I've updated the Gateway Runtime to 1.2.4 from the Software Download Center (XS_JAVA Package). Still the same problem:

        The JWT seems to be forwarded to the java app. I enabled the security constraint in web.xml to test this, now when I don't activate forwardAuthToken in the .yaml, I get 401 forbidden, when I set it to true I can see the results again. I guess you meant the .yaml and not the xs-app.json, right? The xs-app.json only has the entry "authenticationType": "xsuaa"...

        But this means the JWT is processed by the java app... Otherwise the result would be the same in both scenarios (with and without auth token). Only the session variables are not set automatically 🙁

        Is there any information about the "you might have to set the DB session variables manually in the OData exit framework"? Basically I went through the tutorial

        The tutorial has some inconsistencies as well:

        Step 8c sets up the route, but it should be ^/java/odata/(.*)$ instead. With /java/odata/v4 you cannot reach the clearCache endpoint for example, which is not prefixed by v4. Also the URLs in Step 12 for clearCache seem to be wrong, since I was able to call /java/odata/clearCache directly but calling /java/odata/clearCache/<context> as explained here is returning a 404...


        Besides these problems... do you already know when the nodejs based OData v4 implementation will be ready? I was about to use the nodejs odata v2 anyway, but seems like it can't handle cds views with parameters as well. So I would need to use calculation views to expose those views. But I have the feeling that cds will be the go-forward solution vs calc views. Similar to how S/4HANA embedded analytics based on cds now makes HANA Live based on calc views obsolete...

        • I really can't help you further on this item. I suggest you either enter a question in the Q&A section or if you have found incorrect information in the online help which is leading you astray you can consider entering a support ticket.

          >do you already know when the nodejs based OData v4 implementation will be ready

          Not anytime soon.  It is in the roadmap and will hopefully be at least partially delivered in SPS 03 in April 2018.


  • Hi Thomas,


    I have been following your blogs and open sap sessions on HANA 2.0 and XSA developments.

    I have a scenario.

    I have an existing XS Classic Schema (MY_XS_CLASSIC_SCHEMA) created via a .hdbschema file in my HANA system.

    I need to access the tables in this existing XS Classic schema from a new XS Advanced HDI container (MYHDI)

    I defined a user provided service for this purpose. This service was created using a HANA database user (XS_CLASSIC_USER) that has SELECT access to the existing XS classic Schema.

    The mta.yaml file was modified to add the user provided service and a .hdbgrant file is defined in the HDI container.

    Now when i build the HDI container i get the below error.

    Error: Error executing: GRANT "SELECT" ON SCHEMA "MY_XS_CLASSIC_SCHEMA" TO "MYHDI_HDI_MYHDIDBMODULE_1#OO";(nested message: insufficient privilege: Not authorized)

    The user I used to create the User Provided Service has the SELECT access for the XS classic schema but don't have the GRANTABLE option. Is that the issue?

    If yes then how can I create a HANA data base user in XS Classic which has a SELECT object privilege to a hdbschema with GRANTABLE option? I tried logging in with the SYSTEM user and running the below command but it fails with an authorization issue.


    Thanks for your help,

    Lijo John


    • >The user I used to create the User Provided Service has the SELECT access for the XS classic schema but don’t have the GRANTABLE option. Is that the issue?

      Yes that is exactly the problem. The user in the User Provided Service must have the authorization with GRANTABLE option as they will be the ones performing the Grant at the SQL level.

      >If yes then how can I create a HANA data base user in XS Classic which has a SELECT object privilege to a hdbschema with GRANTABLE option?

      You will need to create an HDBROLE in the repository for the XSC Schema.  This role can contain the grant with grantable option.


        • Your right, I thought there had been an option for the grantable in hdbrole but I guess I was confusing that with the new feature in the HDI hdbrole.  I think the long term solution is certainly that such schemas must be converted to HDI.  I did find in the 3.0 version of the HDI deployer documentation these details. It looks like your user provided service can call a stored procedure which in turn can grant the access (by calling the GRANT_ACTIVATED_ROLE).

          If the technical database user does not have GRANT privileges by its own, but only EXECUTE privileges on a stored procedure which can grant the privileges, then the following settings are required:

          • At the datababase, a GRANT procedure must exist (or be visible) in the schema which is used in the user-provided service; an example is shown below.
          • The technical database user must have EXECUTE privileges on the GRANT procedure.
          • The name of the GRANT procedure must be specified in the user-provided service in the "procedure" field, e.g. "procedure": "GRANT".
          • The scheme name of the GRANT procedure can be specified in the user-provided service in the "procedure_schema"field, e.g. "procedure_schema": "A_SCHEMA".
          • The user-provided service must contain a "type" field with the value "procedure".
          • Hi Thomas,

            Thanks for the quick response.

            I have a problem converting these XS classic Schemas into HDI.

            We have a BW system sitting on the same HANA Box. The classic schemas have multiple HANA procedures that are consumed via AMDP by the BW system.

            Can you tell me if AMDP is supported on procedures created via HDI containers ?Are the generated schemas of the HDI container visible to ABAP via AMDP? Even if it's visible how do you grant access to the BW ABAP user to the HDI container procedures.

            I hope you would cover the integration of AMDP/ABAP and XSA in one of the future blogs or the upcoming open sap session.


            Lijo John



          • >Can you tell me if AMDP is supported on procedures created via HDI containers

            Yes AMDP can certainly call HDI-based procedures. You just need to create HDBROLES within the container and grant those roles to the ABAP technical user.


            >Are the generated schemas of the HDI container visible to ABAP via AMDP

            Absolutely, once they have the correct authorizations (as described above),.

            >Even if it’s visible how do you grant access to the BW ABAP user to the HDI container procedures.

            Its not really any different than the old repository. You create HDBROLE within the container.  It deploys a container-specific role. However this role looks like any other in the User Admin/Role Assignment tools. You just see the container name prefixed on the role name.  You can grant them using the Studio or HANA Cockpit user admin tools.


          • Hi Thomas,

            I tried the solution you provided but I could not make it work 🙁

            Can you please guide me where I am going wrong?

            It would be a nice if SAP can do a blog on this topic as accessing XS classic Schema from XSA HDI container is a common scenario customers encounter when XS classic applications are too complex to migrate and still you need to access those SCHEMAS in XSA.


            Step 1:

            I created a .hdbrole in my existing XS Classic Schema as shown below.

            This role contains all authorizations that are required to access my XS classic Schema from the new HDI container.






            Step 2:

            Next I created a database procedure in the XS Classic schema. This procedure is a wrapper and just includes the CALL for granting the role defined above.

            Question: To which user should I grant the roles here? Is it to the generated users of the HDI container? If yes how do I find those user ids ? If i hardcode the user ids dont they change while moving the solution to Quality or production systems?


            PROCEDURE "GRANTSCHEMA"."gbw.model.procs::PROC_GRANT_GBW_DEV_ROLE" ( )


            SQL SECURITY definer as



            ('' , '');



            Step 3

            Next I created a user provided service like you suggested.

            xs cups CROSS_SCHEMA_SERVICE_ GRANT_PROC -p "{\"host\":\"\",\"port\":\"30015\",\"user\":\"COMM_USR\",\"password\":\"ABCDEFG\",\"driver\":\"\",\"tags\":[\"hana\"],\"type\":[\"procedure\"],\"procedure_schema\":\" GRANTSCHEMA\" ,\"procedure\":\"\" }"


            Step 4

            Modified the mta.yaml to include the new user provided service as a resource and defined the dependencies to the hdi module

            Step 5 (I am a bit lost from this step onwards)

            Question: Do I have to create a .hdbgrants file just like in a normal cross schema scenario? if yes what access I give there? Do you have an example? I tried the below and it fails saying the user dont have the grant privilege.

            {{   "hdi-test-service": {    "object_owner": { "schema_privileges":[ { "reference":"MY_XS_CLASSIC_SCHEMA", "privileges":[ "SELECT", "EXECUTE" ]  } ]    }, "application_user" : { "schema_privileges":[ { "reference":"MY_XS_CLASSIC_SCHEMA", "privileges":[ "SELECT", "EXECUTE" ] } ]        } }}


            Step 6

            Question: Assuming Step 5 is fixed, what do I do next? Create a synonym for the remote schema tables?



            Lijo John


          • Your procedure doesn't have any interface on it. Please refer to the online help for the hdideploy module.  It lists the needed interface and a sample of how to write the granting procedure. One of the things passed into the interface is the target users to grant to. So no you certainly don't hard code the technical users names as you couldn't possibly know them in advance anyway.

          • The documentation is in the file of the @sap/hdi-deploy module itself. Best way to access it is via npm and just install the module on your local machine. However here is the section in question:


            For the different types of privileges, the following fields are passed to the GRANT procedure:

            SCHEMA_OBJECT_PRIVILEGE privilege schema object NULL NULL grantee TRUE/FALSE
            GLOBAL_OBJECT_PRIVILEGE privilege NULL object type NULL grantee TRUE/FALSE
            SCHEMA_ROLE NULL schema role NULL NULL grantee TRUE/FALSE
            SCHEMA_PRIVILEGE privilege NULL schema NULL NULL grantee TRUE/FALSE

            Example of a GRANT procedure:

              IN PRIVILEGES TABLE (
                                              -- 'GLOBAL_OBJECT_PRIVILEGE'
                                              -- 'SCHEMA_ROLE'
                                              -- 'GLOBAL_ROLE'
                                              -- 'SCHEMA_PRIVILEGE'
                                              -- 'SYSTEM_PRIVILEGE'
                OBJECT_SCHEMA NVARCHAR(256),  -- NULL or schema
                OBJECT_NAME NVARCHAR(256),
                OBJECT_TYPE NVARCHAR(128),    -- NULL or 'REMOTE SOURCE'
                GRANTEE_SCHEMA NVARCHAR(256), -- NULL or schema
                GRANTEE_NAME NVARCHAR(256),
                GRANTABLE NVARCHAR(5)         -- 'TRUE' or 'FALSE'
              -- TODO: add checks for valid grantees, e.g. check with _SYS_DI#<group>.M_CONTAINER_SCHEMAS
              --       or with SYS.USERS and creator and grantee like '%#OO'
              -- TODO: keep only functionality that should be allowed, e.g. only allow to grant schema-local
              --       roles, but no object privileges, etc.
                DECLARE GRANTABLE_CLAUSE NVARCHAR(512) = '';
                                              || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) || '"';
                END IF;
                    GRANTABLE_CLAUSE = ' WITH ADMIN OPTION';
                    GRANTABLE_CLAUSE = ' WITH GRANT OPTION';
                  END IF;
                  SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for GRANTABLE: '
                                                  || PRIVILEGE.GRANTABLE;
                END IF;
                               || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                    || TO_GRANTEE_CLAUSE
                    || GRANTABLE_CLAUSE;
                      || ' ON ' || PRIVILEGE.OBJECT_TYPE || ' "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                      || TO_GRANTEE_CLAUSE
                      || GRANTABLE_CLAUSE;
                    SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for OBJECT_TYPE for GLOBAL_OBJECT_PRIVILEGE: '
                                                    || PRIVILEGE.OBJECT_TYPE;
                  END IF;
                                 || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                    || TO_GRANTEE_CLAUSE
                    || GRANTABLE_CLAUSE;
                    || TO_GRANTEE_CLAUSE
                    || GRANTABLE_CLAUSE;
                    || ' ON SCHEMA "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                    || TO_GRANTEE_CLAUSE
                    || GRANTABLE_CLAUSE;
                    || TO_GRANTEE_CLAUSE
                    || GRANTABLE_CLAUSE;
                  SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for PRIVILEGE_TYPE: '
                                                  || PRIVILEGE.PRIVILEGE_TYPE;
                END IF;
              END FOR;
          • Hi Thomas,

            Thanks for the reply.

            I installed the module @sap/hdi-deploy but the installation does not come with a README.MD file.

            Is this module in the sap npm registry missing the README.MD file?




          • All the modules in the SAP NPM repo should have a, but unfortunately this one does not. I put the relevant section in my earlier posting. I've also spoken to the documentation lead and development manager for this module and they will work to get the included in the next release.

          • Hi Thomas,


            Can you then please share the section on subsequent step of creation of user provided service of type procedure also? I did the below but not sure if the syntax is correct.

            xs cups CROSS_SCHEMA_SERVICE_CCO_CE_GRANT_NEW -p "{\"host\":\"\",\"port\":\"30015\",\"user\":\"CCO_CR_SCH_USR\",\"password\":\"ABCDE\",\"driver\":\"\",\"tags\":[\"hana\"],\"type\":\"procedure\",\"procedure_schema\":\"LKUMBLOL\" ,\"procedure\":\" hgrs.cco.fc_ce_grp.model.procs::GRANT\" }"

            As per my understanding, Once the user provided service is created, I need to create a .hdbgrants file (like below) and then create synonyms. Please correct if I am wrong.

            {{   "hdi-hccocelive-service": {    "object_owner": { "schema_privileges":[ { "reference":"MY_SCHEMA", "privileges":[ "SELECT" ]  } ]    }, "application_user" : { "schema_privileges":[ { "reference":"MY_SCHEMA", "privileges":[ "SELECT" ]  } ]        } }}



            Lijo John

          • There is no subsequent steps.  Just the section I posted earlier:

            • At the datababase, a GRANT procedure must exist (or be visible) in the schema which is used in the user-provided service; an example is shown below.
            • The technical database user must have EXECUTE privileges on the GRANT procedure.
            • The name of the GRANT procedure must be specified in the user-provided service in the "procedure" field, e.g. "procedure": "GRANT".
            • The scheme name of the GRANT procedure can be specified in the user-provided service in the "procedure_schema"field, e.g. "procedure_schema": "A_SCHEMA".
            • The user-provided service must contain a "type" field with the value "procedure".


  • Hi Thomas,

    What is the best set-up for running a NetWeaver App together with a custom HANA Datamart using XSA on one HANA 2.0 system? Would you suggest to use 2 separate tenants, one for NetWeaver and one for XSA? I think cross-tenant data access is possible but is it now fast enough?

    I think one can install XSA and NetWeaver together on one Tenant but when we installed NW on the HANA Server it forced us to create a separate tenant.

    I my opinion 2 tenants would have advantages for production as one can allocate resources per tenant.

    many thanks

    best regards


    • I'm sorry but system installation with NetWeaver just isn't a topic I cover in general nor within the scope of this blog. I couldn't provide you with an answer that has an experience with it.

  • Hi Thomas,

    Pardon me it is about out of topics but I am desperate how to contact you.

    I am enrolling open SAP HANA course Software Development on SAP HANA (Update Q4/2017)

    I'm going through the hands-on excercises and I'm up to 2.5.  I'm trying to determine the URL for SAP HANA XS Advanced Cockpit Manager. I couldn't find the url and port for this. I'm using HANA Express in CAL.


  • Hi Thomas,

    the first thing I wanna say is a huge "Thank you!" to you and your team for all your efforts into this awesome product. Just love it!!! Spending most of my spare time with my own HANA Express instance checking out all the latest features : )

    Today I've tried myself in using the instance manager feature and also succeeded in creating several "tenants" which I can access using @sap/hana-client. Now I'm trying to find out, how I can deploy my HDB module definitions into several of these containers while or after having created them. Can you maybe give me a hint how to solve this issue or am I thinking the wrong way here?

    Thank you very much in advance!


  • Hi Thomas,

    I am unable to view the node features available in the web ide of Hana express edition.


    Please find attached the screenshot of the error.


    Thanks in advance.

    Best Regards

    Vignesh Jeyabalan

    • Something seems very wrong with your installation.  Unnamed.feature.0 and unnamed.feature.1?  I've never seen anything like that.

      • Hi Former Member ,

        Thanks a lot for the response.

        I also get plugin error message when I load the web ide but its not frequent. Is there any way I can debug it or can you please suggest some alternate options which I can try.

        Could it be due to the fact that I have installed the express edition behind a company firewall , that is not able to download the required plugins from web ? I have set the proxy details in the cockpit though.


        Vignesh Jeyabalan

        • If you are behind a firewall you should also set the proxy settings in the mtaext before the installation of the Web IDE.

          Is this SPS 03 version?  Normally the Web IDE installation should be self contained and not need to get modules from the Internet. However there was a problem in the patch 0 and patch 1 of SPS 03 where the node_modules was missing.  This is corrected in Patch 2. But I would have expected this to cause your installation to fail, not act like what you are seeing.

          • Hi Thomas Jung

            thanks for the response.

            I am using SPS02 version of Express edition . Yes I am behind a firewall and we have our own cloned version of npm registry.

            I tried following your above steps but I was not able to figure out on how to set the npm registry.

            Please let me known the commands if any which I can run to set the registry in the Linux terminal.

            I tried to login to the app URL but the login was not possible because I didn't have a email id which I can use for login.


            Below are the app details when I query from the Linux command line.


            also I get the below error when I try to set the proxy from the cockpit:


            Thanks & Regards

            Vignesh Jeyabalan

          • If you didn’t set the proxy during installation you can set it from the command line using the xs env command.  Web IDE doesn’t use the Cockpit proxy setting and must be set independently. Also it’s perfectly normal that you don’t have a username/password to the web interface of the local NPM registry cache. It doesn’t require any. The search interface isn’t supported, but you can just build the url to a module manually to test it.  However if you are behind a firewall it isn’t going to work until you get that proxy setting corrected.

  • /
    • Blog comments aren't really the correct place to troubleshoot your installation problems. You still seem to have issues with your Web IDE in general.  I can't support you on its installation. I can only suggest that you make sure you've cleared your browser cache. Make sure the installation was successful and that all dependent services are running. Otherwise you should really post this as its own Q&A entry as HANA Express only comes with community support.

  • Hi Thomas Jung

    Ya sure , no problem .. I will post a separate Q&A for the same.

    We are currently facing lots of issues in development of MTA application on cloudfoundry due to unavailability of a dedicated IDE from SAP. Even the SAP Web IDE Full Stack on Neo stack doesn't have support to build node module. We have constantly raised the concern to SAP but have received no concrete solution as of now on the development approach that is suitable in a corporate network machines.

    It would be very helpful if could share some documents that can be helpful in the express edition installations.


    Vignesh Jeyabalan

  • Hi Thomas Jung

    First of all, thank you for a great blog. It is really helpful.
    Second of all, maybe this is not a correct place for posting this question, but it is related to features that are described in this blog.

    I recently discovered one bug in my XSA application (MTA including one HDB module and several Java modules) that ended up on Production system so before applying the fix I needed to test the fix of that bug on Test system.
    Testing the bug fix had to be done on exact same data that was present on Production system.

    We are currently on:
    SAP HANA version
    XSA version

    Therefore I used the Export/Import HANA functionality to create CSV files.
    The Export/Import option was successful, but it was both time and resource consuming. On top of that, transferring CSV files from one Linux server to another took too much time.
    If another bug arises, I will probably need to copy the data again and the duration of this process will take even more time since the data continues to grow on Production system.

    Other option that I had in mind is to perform the System copy using Backup/Restore.
    I have created a full data backup of Production system and I restored it on a Test system.
    The restore itself was successful, and I could see my schema, schema user, schema#OO, schema#DI and all technical and application users that were created during service-application binding.
    I also granted myself a necessary role so I can examine the data using SAP Web IDE for SAP HANA database explorer.

    I must emphasize that the schema name is strictly specified in mta.yaml file.

    The problem I could not solve is that on Test system, my XSA applications have its own service-application binding users, and they do not match the ones that will be restored from Production backup.

    Therefore, when I try to deploy my MTA, i receive error similar to this:

    Error creating application "db": Could not bind application "db" to service "db_container" : Asynchronous job 'Creating service binding between app "db" [] and service instance "db_container" [service: 'hana', plan:'hdi-shared'] of [] failed.
    And at the end --- Because of: [10] authentication failed.

    If I try to undeploy my current MTA, error that I receive during deploy on clean XSA side (no services, apps nor mta deployed) is similar to this:

    Error creating services: Controller operation failed: 400 Could not create service "db_container": Asynchronous job 'Creating service instance 'db_container' [service: 'hana', plan:'hdi-shared'] of [Org...,Space...].' failed
    And at the end --- Because of: [10] authentication failed.

    We tried to specify which users to use during the deploy time but this was not possible.
    If my understanding is correct <VCAP_SERVICES> are System Provided services responsible for application credentials and changing those parameters is not allowed.

    I had couple of other system copy ideas:

    Is this case that I need supported/recommended?
    If this is possible, could you please share your opinion on this topic?
    Maybe I could not find it in the SAP HANA/XSA documentation.

    Best regards,
    Ivan Despotovic