Assigning Design Time Roles to a Database User in SAP HANA Cloud
This blog post walks through the steps required to assign a design-time HDI role, created in SAP Web IDE or Business Application Studio, to SAP HANA database users.
Steps to Assign the HDI Role:
Below are the privileges required for granting each kind of role:
- With the ROLE ADMIN system privilege, you can grant any role.
- To grant a catalog role created at runtime using SQL, you need to have been granted the role yourself and be authorized to grant it to other users and roles.
- To grant an HDI role, that is, a schema-specific role created using the SAP Web IDE and deployed using SAP HANA deployment infrastructure, you need privileges to execute GRANT_CONTAINER_SCHEMA_ROLES in the container's API schema.
Below are the required steps:
- Navigate to SAP HANA Cloud from SAP Cloud Platform and open the SAP HANA Cockpit.
- On the Database Overview page of SAP HANA Cockpit, select Security and User Management.
- Open User Management under User & Role Management.
- Search for the user that will perform the role assignment and check whether it has the privileges required to assign the HDI role. Scroll down and click Assign Privileges.
- In edit mode, click Add to assign the ROLE ADMIN privilege if it is not already assigned.
- Go back to User Management and select the user to which the HDI role has to be assigned. Click Assign Roles, then click Edit and add the HDI role generated using SAP Web IDE. In my case, the generated HDI role was admin from SAP Web IDE.
- Alternatively, the same can be done through Role Assignment under User & Role Management in the cockpit. Search for the user to which the HDI-generated role has to be assigned, then click Edit and Add.
If you have both authorization to execute the GRANT_CONTAINER_SCHEMA_ROLES procedure and the system privilege ROLE ADMIN, you can choose which granting mechanism to use when granting an HDI role. I have assigned the admin role generated from SAP Web IDE to a user User1 from the DBADMIN default cockpit user. You can also use the following SQL command to do the same:
GRANT "<schema-name>"."<role-name>" TO <user>;
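The two granting mechanisms described above, side by side in SQL, as an added example that is not part of the original post. MYAPP_HDI is a hypothetical container schema name; admin and USER1 are the role and user named in the post. The container API call follows the standard SAP HANA HDI pattern of passing a temporary table typed as _SYS_DI.TT_SCHEMA_ROLES.

```sql
-- Added example. MYAPP_HDI is a hypothetical HDI container schema;
-- "admin" and USER1 are the role and user used in the post.
-- Use ONE of the two mechanisms, not both.

-- Mechanism 1: plain GRANT.
-- Requires the ROLE ADMIN system privilege, which allows granting
-- any role, so keep it limited to a small set of administrators.
GRANT "MYAPP_HDI"."admin" TO USER1;

-- Mechanism 2: the container's API procedure.
-- Requires EXECUTE on GRANT_CONTAINER_SCHEMA_ROLES in the
-- container's API schema (MYAPP_HDI#DI), which is scoped to the
-- roles of this one container instead of every role in the database.
CREATE LOCAL TEMPORARY COLUMN TABLE #ROLES LIKE _SYS_DI.TT_SCHEMA_ROLES;

-- PRINCIPAL_SCHEMA_NAME stays empty when the grantee is a database
-- user rather than a schema-local role.
INSERT INTO #ROLES (ROLE_NAME, PRINCIPAL_SCHEMA_NAME, PRINCIPAL_NAME)
  VALUES ('admin', '', 'USER1');

-- The three ? placeholders are the procedure's output parameters:
-- return code, request id and the message table.
CALL "MYAPP_HDI#DI".GRANT_CONTAINER_SCHEMA_ROLES(
  #ROLES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);

DROP TABLE #ROLES;

-- Verification for either mechanism: confirm the role reached the
-- user, and record who granted it and whether it can be passed on.
SELECT GRANTEE, ROLE_SCHEMA_NAME, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'USER1'
   AND ROLE_SCHEMA_NAME = 'MYAPP_HDI';
```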
I did the same but was not able to assign the role that I had created from Business Application Studio using the DBADMIN user. DBADMIN has the ROLE ADMIN privilege, but when I try to assign GRANT_CONTAINER_SCHEMA_ROLES to DBADMIN, it's not allowing me to do so. How did you do that? Can you please elaborate?
I just realized one thing. While assigning HDI roles from HANA cockpit, there is a parameter "HDI Container API". If you unselect that while assigning the role to a user, it works, but if it's marked as Yes, you can't assign the role even though tdbadmin has relevant authorizations. Any idea about this?