SAP HANA Cloud – Catalog & HDI Role Creation (A step-by-step guide)
Introduction
Roles defined in SAP HANA Cloud using HANA Cockpit or HANA Database Explorer (SQL Console) are called catalog-based roles, whereas roles defined using Business Application Studio (BAS) are called HDI roles. Catalog and HDI roles both have their own advantages and disadvantages; some of the key differences are as follows:
Figure 1: Catalog v/s HDI Role
HDI Role Creation:
Pre-requisite:
- BTP Onboarding.
- User has access to Business Application Studio.
Step1: Login to Cloud Foundry
Open Business Application Studio (BAS)
Figure 2: Business Application Studio
Login to Cloud Foundry (Navigation: View -> Find Command -> Search CF: Login to Cloud Foundry)
Figure 3: Login to Cloud Foundry
Note: Make sure your cloud foundry endpoint is correct.
Select Cloud Foundry Organization and Space, click Apply.
Figure 4: Select target Cloud Foundry Org. and Space
Step2: Create Project
In Business Application Studio home page, click Start from template.
Figure 5: Start from template
Select SAP HANA Database Project, click Start.
Figure 6: Select Template and Target Location
Enter Project Name, click Next.
Figure 7: Add Basic Information
Enter Module Name db, click Next.
Figure 8: Set Basic Properties
Enter Schema Name and Database Version, click Next.
Figure 9: Set Database Information
Enter Service Instance Name, click Finish.
Figure 10: Bind to HDI Container Service
The created project is available under the Workspace folder.
Figure 11: Workspace Folder
Step3: Maintain mta.yaml file and bind Database Connections
Open the mta.yaml file under the created project (SECURITY_ROLES) and make the changes as required, e.g. add a resource for a user-provided service (UPS), cross-container access, etc.
Figure 12: Maintain mta.yaml file
Bind all required Database Connections (Navigation: SAP HANA Projects -> SECURITY_ROLES/db -> Database Connections).
Figure 13: Bind the Database Connections
Step4: Define .hdbgrants
Create a cfg folder under db and create a synonym-grantor-service.hdbgrants file in it.
Figure 14: Create .hdbgrants file
Maintain the entries that grant external access to the container object owner and the application user, then deploy the file.
Figure 15: Maintain .hdbgrants file
Step5: Define .hdinamespace
Create a .hdinamespace file under the cfg folder, maintain the entries for the role naming convention, and deploy the file.
Figure 16: Create and maintain .hdinamespace file
Step6: Define .hdiconfig
Copy the .hdiconfig file from the src folder and paste it into the cfg folder.
Figure 17: Create .hdiconfig file
Step7: Create roles folder under src
Right-click the src folder, select New Folder and enter roles.
Figure 18: Create roles folder
Step8: Create .hdbrole
Right-click the roles folder, click New File and enter the role file name with the .hdbrole extension.
Figure 19: Create .hdbrole
Right-click the .hdbrole file and select Open With -> Code Editor.
Figure 20: Open role in Code Editor mode
Define the JSON for the role and its privileges.
Figure 21: Define JSON
Note: In Role Editor mode the role can be created without writing the JSON manually; the system generates the JSON from the selected role attributes.
Some useful JSON codes:
-> Global Object Privileges:
Figure 22: Create .hdbroleconfig file
Deploy the .hdbroleconfig file first and then the .hdbrole file.
Figure 23: Deploy role
Step9: Validate role in HANA Cockpit
The deployed role is available in HANA Cockpit for assignment.
Figure 24: HANA Cockpit
HDI Role created successfully using Business Application Studio.
Catalog Role Creation: Using HANA Cockpit
Pre-requisite:
- BTP Onboarding.
- User has the ROLE ADMIN system privilege to create roles, plus the other system/object privileges to be granted, as required.
Step1: Login to SAP HANA Cockpit
Open SAP BTP Cockpit and Launch SAP HANA Cockpit.
Figure 25: SAP BTP Cockpit
Enter username and password.
Figure 26: Login to HANA Cockpit
Step2: Open Role Management
Select Role Management under Security and User Management.
Figure 27: HANA Cockpit – Security and User Management
Step3: Create Role
Click Create Role button.
Figure 28: Create Role
Define Role Name, click Create.
Figure 29: Define Role Name
Navigate to the required tab (Roles, System Privileges, Object Privileges, etc.) and add the roles/privileges as required.
Figure 30: Add roles/privileges
Catalog Role created successfully using SAP HANA Cockpit.
Catalog Role Creation: Using HANA Database Explorer
Pre-requisite:
- BTP Onboarding.
- User has the ROLE ADMIN system privilege to create roles, plus the other system/object privileges to be granted, as required.
Step1: Login to SAP HANA Cockpit
Open SAP BTP Cockpit and Launch SAP HANA Database Explorer.
Figure 31: SAP BTP Cockpit
Enter username and password.
Figure 32: Login to HANA Cockpit
Step2: Open SQL Console & execute commands
Open the SQL Console, then enter the SQL commands to create the role and grant the privileges to it.
Figure 33: Execute SQL query
Step3: Validate role in HANA Cockpit
The created role is available in HANA Cockpit for assignment.
Figure 34: HANA Cockpit – Role Management
Catalog Role created successfully using SAP HANA Database Explorer (SQL Console).
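The SQL Console steps above, written out as an added example (not code from the original post): the role and object names SALES_READ_ONLY, SALES_DATA, ORDERS and REPORT_USER are constructed placeholders, and the validation queries use the standard SYS views so you can confirm in Step 3 exactly what the role carries before assigning it.

```sql
-- Added example, not from the original post. All names below are constructed placeholders.
-- NO GRANT TO CREATOR keeps the new role out of the creating admin's own privilege set,
-- so the role is not silently added to whoever ran this from the SQL Console.
CREATE ROLE "SALES_READ_ONLY" NO GRANT TO CREATOR;

-- Grant only what the role needs: read access to one table, without grant option.
-- (A broader alternative would be GRANT SELECT ON SCHEMA "SALES_DATA" TO "SALES_READ_ONLY";
--  prefer object-level grants where the consumer only needs a few objects.)
GRANT SELECT ON "SALES_DATA"."ORDERS" TO "SALES_READ_ONLY";

-- Assign the catalog role to a user; this is the assignment that also appears in HANA Cockpit.
GRANT "SALES_READ_ONLY" TO "REPORT_USER";

-- Validation 1: which privileges the role itself holds (expect one SELECT row, IS_GRANTABLE = FALSE).
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE GRANTEE = 'SALES_READ_ONLY'
   AND GRANTEE_TYPE = 'ROLE';

-- Validation 2: who holds the role and who granted it.
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM "SYS"."GRANTED_ROLES"
 WHERE ROLE_NAME = 'SALES_READ_ONLY';

-- Validation 3: the user's effective privileges, including those inherited through the role,
-- so you can spot anything beyond the intended read access on SALES_DATA.ORDERS.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME = 'REPORT_USER'
   AND SCHEMA_NAME = 'SALES_DATA';
```

Running the three validation queries again after any later change to the role is the quickest way to catch privilege creep on a catalog role, since it has no design-time file to diff.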
Conclusion
I hope this article has given you an insight into the core differences between catalog-based roles and HDI-based roles so that you can decide on the role design approach for your HANA Cloud environment. By following the steps above you will be able to create roles in a HANA Cloud environment using Business Application Studio, SAP HANA Cockpit and SAP HANA Database Explorer (SQL Console).
List of Important Notes:
- 2993439 – Statement on SAP HANA Studio and SAP HANA Cloud
- 2921625 – Changes to objects in schema _SYS_BI in HANA Cloud
- 3217517 – System Privilege WORKAROUND ADMIN is no Longer Available
List of Important Links:
- SAP HANA Cloud, SAP HANA Database Security Guide
- SAP HANA Cloud Migration Guide
- SAP HANA Cloud, SAP HANA Database Developer Guide for Cloud Foundry Multitarget Applications (SAP Business App Studio)
Feedback, questions and comments are most welcome!
Please follow my profile for future posts on SAP Security and GRC. You can also follow me on LinkedIn.
Dear Krishan,
This is an awesome blog post and it nicely clarifies the difference between catalog and HDI role setup.
Personally I like the HDI approach because it is easy to transport and maintain, and when it is kickstarted by an admin all the other developers can continue to extend the role with the necessary objects.
When we are working with multiple repositories deployed as different MTA folders, each repository creates its own schema after deployment, and these deployed HDI roles only cover the objects created in the same schema.
I realised that you are defining a reference schema while you are defining a role. That sparked a question:
I'm wondering, can I create an hdbrole in one repo (schema) that covers the objects located in other schemas (repos)? So I can create an isolated and secure repository for HDI role creation purposes only, with limited access?
What do you think about this topic?
Kind regards,
Kivanc
Hi Kivanc,
Thanks for your feedback.
Yes, you can create an hdbrole in an isolated container and map the objects located in another container (schema). To achieve this requirement, you have to set up cross-container access between the containers, so that your isolated container communicates with the other containers to get the objects located in them. I hope it answers your question.
Best Regards,
Krishan
Hi Krishan,
Thanks for the prompt response. Yes, it definitely answers my question from the feasibility aspect; we already have cross-container access, but now I need to find out how to practically define a role that covers all containers. If I understand your example correctly, then I'm going to try this:
In theory this role should cover both container A and B, which include different objects inside, right?
Kind regards,
Kivanc
Hi Kivanc,
Yes, your understanding is correct, but you might have to revisit your code: if you are adding non-global object privileges then you may not be required to add the reference schema in the .hdbrole file; rather, you would be required to add it in the .hdbroleconfig file.
Best Regards,
Krishan
Hi Krishan,
The code was only for reference to express our needs, and I need to visit the documentation too, to see the options in hdbroleconfig.
It is all good, thanks for the perspective and the great blog post. 🙂
Kind regards,
Kivanc
You're welcome 🙂
Hi,
Can you please help me to use Fiori launchpad designer in SAP S/4HANA Cloud?
Link
Hi Guru,
Thanks for your query but this blog is for SAP HANA Cloud Database Security.
Best Regards,
Krishan