Author: Krishan

SAP HANA Cloud – Catalog & HDI Role Creation (A step-by-step guide)

Introduction

Roles defined in SAP HANA Cloud using HANA Cockpit or HANA Database Explorer (SQL Console) are called catalog-based roles, whereas roles defined using Business Application Studio (BAS) are called HDI roles. Both catalog and HDI roles have their own advantages and disadvantages; some of the key differences are as follows:


Figure 1: Catalog v/s HDI Role

HDI Role Creation:

Pre-requisite:

  • BTP Onboarding.
  • User has access to Business Application Studio.

Step1: Login to Cloud Foundry

Open Business Application Studio (BAS)

Figure 2: Business Application Studio

Log in to Cloud Foundry (navigation: View -> Find Command -> search for "CF: Login to Cloud Foundry").

Figure 3: Login to Cloud Foundry

Note: Make sure your Cloud Foundry endpoint is correct.

Select Cloud Foundry Organization and Space, click Apply.

Figure 4: Select target Cloud Foundry Org. and Space

Step2: Create Project

On the Business Application Studio home page, click Start from template.

Figure 5: Start from template

Select SAP HANA Database Project, click Start.

Figure 6: Select Template and Target Location

Enter Project Name, click Next.

Figure 7: Add Basic Information

Enter Module Name db, click Next.

Figure 8: Set Basic Properties

Enter Schema Name and Database Version, click Next.

Figure 9: Set Database Information

Enter Service Instance Name, click Finish.

Figure 10: Bind to HDI Container Service

The created project is available under the Workspace folder.

Figure 11: Workspace Folder

Step3: Maintain mta.yaml file and bind Database Connections

Open the mta.yaml file under the created project (SECURITY_ROLES) and make the changes required, e.g. add a user-provided service (UPS), cross-container access, etc.

Figure 12: Maintain mta.yaml file

Bind all required database connections (navigation: SAP HANA Projects -> SECURITY_ROLES/db -> Database Connections).

Figure 13: Bind the Database Connections

Step4: Define .hdbgrants

Create a cfg folder under db and create the synonym-grantor-service.hdbgrants file in it.

Figure 14: Create .hdbgrants file

Maintain the entries that grant external access to the container object owner and the application user, then deploy the file.

Figure 15: Maintain .hdbgrants file

Step5: Define .hdinamespace

Create the .hdinamespace file under the cfg folder, maintain the entries for the role naming convention, and deploy the file.

Figure 16: Create and maintain .hdinamespace file

Step6: Define .hdiconfig

Copy the .hdiconfig file from the src folder and paste it into the cfg folder.

Figure 17: Create .hdiconfig file

Step7: Create roles folder under src

Right-click on the src folder, select New Folder and enter roles.

Figure 18: Create roles folder

Step8: Create .hdbrole

Right-click on the roles folder, click New File and enter the .hdbrole file name.

Figure 19: Create .hdbrole

Right-click on the .hdbrole file and select Open With -> Code Editor.

Figure 20: Open role in Code Editor mode

Define the JSON for the role and its privileges.

Figure 21: Define JSON

Note: In Role Editor mode a role can be created without writing the JSON manually; the system generates the JSON from the selected role attributes.

Some useful JSON snippets (each of these keys goes inside the "role" object of the .hdbrole file):

-> Global Object Privileges:

      "global_object_privileges": [
        {
          "name": "DEFAULT",
          "type": "USERGROUP",
          "privileges": [
            "OPERATOR"
          ],
          "schema_reference": "_SYS_DI#BROKER_CG"
        }
      ]

-> Global Roles:

      "global_roles": [
        "MONITORING"
      ]

-> System Privileges:

      "system_privileges": [
        "ADAPTER ADMIN"
      ]

-> Schema Privileges:

      "schema_privileges": [
        {
          "reference": "_SYS_BI",
          "privileges": [
            "SELECT"
          ]
        }
      ]

Right-click on the roles folder, select New File, enter the .hdbroleconfig file name and define the reference schemas in it.

Figure 22: Create .hdbroleconfig file

Deploy the .hdbroleconfig file first and then the .hdbrole file.

Figure 23: Deploy role

Step9: Validate role in HANA Cockpit

The deployed role is available in HANA Cockpit for assignment.

Figure 24: HANA Cockpit

The HDI role has been created successfully using Business Application Studio.

Catalog Role Creation: Using HANA Cockpit

Pre-requisite:

  • BTP Onboarding.
  • User has the ROLE ADMIN system privilege to create roles, plus the other system/object privileges required.

Step1: Login to SAP HANA Cockpit

Open SAP BTP Cockpit and launch SAP HANA Cockpit.

Figure 25: SAP BTP Cockpit

Enter username and password.

Figure 26: Login to HANA Cockpit

Step2: Open Role Management

Select Role Management under Security and User Management.

Figure 27: HANA Cockpit – Security and User Management

Step3: Create Role

Click Create Role button.

Figure 28: Create Role

Define Role Name, click Create.

Figure 29: Define Role Name

Navigate to the required tab (Roles, System Privileges, Object Privileges, etc.) and add the roles/privileges as required.

Figure 30: Add roles/privileges

The catalog role has been created successfully using SAP HANA Cockpit.

Catalog Role Creation: Using HANA Database Explorer

Pre-requisite:

  • BTP Onboarding.
  • User has the ROLE ADMIN system privilege to create roles, plus the other system/object privileges required.

Step1: Login to SAP HANA Database Explorer

Open SAP BTP Cockpit and launch SAP HANA Database Explorer.

Figure 31: SAP BTP Cockpit

Enter username and password.

Figure 32: Login to HANA Cockpit

Step2: Open SQL Console & execute commands

Open the SQL console and enter the SQL statements that create the role and assign its privileges.

Figure 33: Execute SQL query
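As an added example (not the author's code), the check below reads a constructed .hdbrole together with its .hdbroleconfig: it lists the schema references that still need a mapping in .hdbroleconfig (the point made for non-global object privileges in Step 8 of the HDI section and again in the comments) and then renders the same role as the catalog statements you would run in the SQL console in this step. The .hdbroleconfig layout (role name -> reference name -> {"schema": ...}), the HANA GRANT syntax used, and all role, schema and object names are assumptions.

```python
import json

# Constructed sample .hdbrole and .hdbroleconfig (not taken from the blog post).
# The role reads reference schema SCHEMA_A and executes one procedure in a second
# container via SCHEMA_B, which is deliberately left unmapped so the check fires.
HDBROLE = json.loads("""{
  "role": {
    "name": "SECURITY_ROLES_READ",
    "system_privileges": ["ADAPTER ADMIN"],
    "global_roles": ["MONITORING"],
    "schema_privileges": [{"reference": "SCHEMA_A", "privileges": ["SELECT"]}],
    "object_privileges": [{"schema_reference": "SCHEMA_B", "name": "PROCEDURE_B",
                           "type": "PROCEDURE", "privileges": ["EXECUTE"]}]
  }
}""")
# Assumed .hdbroleconfig layout: role name -> reference name -> {"schema": <real schema>}.
HDBROLECONFIG = json.loads('{"SECURITY_ROLES_READ": {"SCHEMA_A": {"schema": "CONTAINER_A_1"}}}')


def schema_references(role):
    """All schema references the .hdbrole uses (schema and object privileges)."""
    r = role["role"]
    refs = {p["reference"] for p in r.get("schema_privileges", [])}
    refs |= {p["schema_reference"] for p in r.get("object_privileges", [])
             if "schema_reference" in p}
    return refs


def unresolved_references(role, cfg):
    """References the .hdbroleconfig does not map for this role: HDI cannot resolve them."""
    mapping = cfg.get(role["role"]["name"], {})
    return sorted(ref for ref in schema_references(role) if ref not in mapping)


def catalog_sql(role, cfg):
    """The same role as catalog statements for the SQL console (assumed HANA GRANT syntax)."""
    r = role["role"]
    name, mapping = r["name"], cfg.get(r["name"], {})
    def schema(ref):  # raises KeyError on a reference that is not mapped
        return mapping[ref]["schema"]
    stmts = [f'CREATE ROLE "{name}";']
    stmts += [f'GRANT {p} TO "{name}";' for p in r.get("system_privileges", [])]
    stmts += [f'GRANT "{g}" TO "{name}";' for g in r.get("global_roles", [])]
    for p in r.get("schema_privileges", []):
        stmts.append(f'GRANT {", ".join(p["privileges"])} ON SCHEMA "{schema(p["reference"])}" TO "{name}";')
    for p in r.get("object_privileges", []):  # no reference means the container's own schema
        sch = schema(p["schema_reference"]) if "schema_reference" in p else "<CONTAINER_SCHEMA>"
        stmts.append(f'GRANT {", ".join(p["privileges"])} ON "{sch}"."{p["name"]}" TO "{name}";')
    return stmts
```

Running unresolved_references on the sample reports SCHEMA_B; once that mapping is added to the .hdbroleconfig, catalog_sql yields five statements that reproduce the HDI role as a catalog role.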

Step3: Validate role in HANA Cockpit

The created role is available in HANA Cockpit for assignment.

Figure 34: HANA Cockpit – Role Management

The catalog role has been created successfully using SAP HANA Database Explorer (SQL Console).

Conclusion

I hope this article gave you an insight into the core differences between catalog-based and HDI-based roles, so that you can decide on the role design approach for your HANA Cloud environment. By following the steps above you will be able to create roles in the HANA Cloud environment using Business Application Studio, SAP HANA Cockpit and SAP HANA Database Explorer (SQL Console).


Feedback, questions and comments are most welcome!

Please follow my profile for future posts on SAP Security and GRC, and connect with me on LinkedIn.


      6 Comments
      kivanc aktas

      Dear Krishan,

      This is an awesome blog post and it nicely clarifies the difference between catalog and HDI role setup.

      Personally I like the HDI approach because it is easy to transport and maintain, and once it is kickstarted by an admin all the other developers can continue to extend the role with the necessary objects.

      When we are working with multiple repositories deployed as different MTA folders, each repository creates its own schema after deployment, and the deployed HDI roles only cover the objects created in the same schema.

      I realised that you are defining a reference schema while defining a role. That sparked a question:

      I'm wondering, can I create an hdbrole in one repo (schema) that covers objects located in other schemas (repos)? So I can create an isolated and secure repository for HDI role creation purposes only, with limited access?

      What do you think about this topic?

      Kind regards,

      Kivanc

      Krishan .
      Blog Post Author

      Hi Kivanc,

      Thanks for your feedback.

      Yes, you can create an hdbrole in an isolated container and map the objects located in another container (schema). To achieve this, you have to set up cross-container access between the containers, so that your isolated container can communicate with the other containers to get the objects located there. I hope this answers your question.

      Best Regards,

      Krishan

      kivanc aktas

      Hi Krishan,

      Thanks for the prompt response. Yes, it definitely answers my question from the feasibility aspect; we already have cross-container access, but now I need to find out how to practically define a role that covers all containers. If I understand your example correctly, then I'm going to try this:

      {
          "role": {
              "name": "ROLE_A",
              "schema_privileges": [
                  {
                      "reference": "SCHEMA_A",
                      "object_privileges": [
                          {
                              "name": "TABLE_A",
                              "type": "TABLE",
                              "privileges": [
                                  "SELECT"
                              ]
                          },
                          {
                              "name": "PROCEDURE_A",
                              "type": "PROCEDURE",
                              "privileges": [
                                  "EXECUTE"
                              ]
                          }
                      ]
                  },
                  {
                      "reference": "SCHEMA_B",
                      "object_privileges": [
                          {
                              "name": "TABLE_B",
                              "type": "TABLE",
                              "privileges": [
                                  "SELECT"
                              ]
                          },
                          {
                              "name": "PROCEDURE_B",
                              "type": "PROCEDURE",
                              "privileges": [
                                  "EXECUTE"
                              ]
                          }
                      ]
                  }
              ]
          }
      }

      In theory this role should cover both containers A and B, which contain different objects, right?

      Kind regards,

      Kivanc

      Krishan .
      Blog Post Author

      Hi Kivanc,

      Yes, your understanding is correct, but you might have to revisit your code: if you are adding non-global object privileges then you may not need to add the reference schema in the .hdbrole file; rather, you would need to add it in the .hdbroleconfig file.

      Best Regards,

      Krishan

      kivanc aktas

      Hi Krishan,

      The code was only for reference, to express our needs, and I need to visit the documentation too to see the options in hdbroleconfig.

      It is all good, thanks for the perspective and the great blog post. 🙂

      Kind regards,

      Kivanc

      Krishan .
      Blog Post Author

      You're welcome 🙂