Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Modifying the default access_role in HDI containers

paulpfeiffer
Explorer
‎01-19-2022 4:10 PM

Overview


Every HDI container in SAP HANA XSA comes with a predefined access_role that (you might have guessed it) grants access to the container's schema. It only grants limited access, though -  and sometimes you may need more. This post is about modifyingthe privileges included in this role.

Before we get into the details, let's first take a look at the obvious question.

Why?


Why would you want to do this?

The access_role is useful because it's assigned by default to many of the standard users that are created with the HDI container. That includes, but isn't limited to, the #OO-User, the #DI-User and the #RT-User(s).

As stated before, the default access_role only contains limited privileges. The following privileges are contained for the schema:

  • CREATE TEMPORARY TABLE

  • DELETE

  • EXECUTE

  • INSERT

  • SELECT

  • SELECT CDS METADATA

  • UPDATE


That set of privileges is a great baseline and probably works well for most use cases. But I ran into an issue where I needed a procedure in a Flowgraph to create a new table. Internally, this is done by the #RT-User and not supported with the standard role.

You could now create a new role or assign the missing privilege to the user manually. That is only a workaround, though and doesn't work for new deployments. So a much better way to solve is is adapting the role.

How?


In short: The solution is described in the following SAP Help entry: https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/2.0.06/en-US/9235c9dd8dbf410f915ffe3052...

However, as the entry doesn't contain an example, I thought it would be helpful to provide one.

To solve the issue, a role definition needs to be created in the path src/defaults/default_access_role.hdbrole. The role needs to be named "default_access_role" and has to be included in the deployment.

It's important to note that the existance of this new role will remove all existing privileges on the schema from the access_role. So, if you prefer to retain those privileges, they need to be added to the new role.

Because I want to keep all privileges and only add "CREATE ANY", the resulting role definition looks like this:
{

  "role" : {

    "name" : "default_access_role",

    "schema_privileges": [

      {

        "privileges": [

          "SELECT",

          "INSERT",

          "UPDATE",

          "DELETE",

          "EXECUTE",

          "CREATE TEMPORARY TABLE",

          "SELECT CDS METADATA",

          "ALTER",

          "CREATE ANY"

        ]

      }

    ]

  }

}

Make sure to also put a .hdinamespace file into the src/ folder that redefines the namespace. Otherwise the role name will cause errors.
{

    "name":    "",

    "subfolder": "ignore"

}

With that addition, the build and deployment should work fine.

Result


After those modifications and a successful deployment, you should see that the access_role has been changed.

The direct schema privileges are removed - but the role now contains the "default_access_role" with all privileges described in the role definition.

As a result, all technical users like #OO and #DI now get the modified role, in my case including the "CREATE ANY" privilege.

 

It took me some time to figure out the best way to do this. So I hope this helps someone.
3 Comments
Labels in this area
Popular Blog Posts