Introduction
Granting the correct HANA user privileges is one of the main tasks when setting up a data integration process. It can be done with the SAP HANA Web-based Development Workbench or with Eclipse.
To grant roles to a particular user we can use the SQL console in the Development Workbench Catalog.
According to best practices, a set of roles should be created for each SDI project. These roles let different users do their work without calling on the system administrator:
- SDI administrator role – manage all the processes in the system
- Data Provisioning (DP) role – install and configure data provisioning agents
- Transport role – export/import objects between environments
- Execution role – run flowgraphs
- Developer role – develop objects
Provisioning Tasks
A user requires these roles for agent connectivity and configuration, and for the cross-environment transport of data flows.
Task | Roles and Privileges | Description |
Register a DP Agent | System privilege: AGENT ADMIN | |
Register an adapter | System privilege: ADAPTER ADMIN | |
Configure DP Agent to use HTTP (cloud) protocol | Role: sap.hana.im.dp.proxy::AgentMessaging | Whoever sets the Data Provisioning Agent to use HTTP (cloud) in the Data Provisioning Agent Configuration tool needs to be assigned this role. |
Create an Agent or adapter when SAP HANA is in the cloud | Application privilege: sap.hana.im.dp.admin::Administrator | Needed when an administrator wants to create adapters and agents from the Data Provisioning Agent Configuration tool when SAP HANA is in the cloud (or the agent uses the HTTP protocol). |
Import a delivery unit using SAP HANA Application Lifecycle Management | Role: sap.hana.xs.lm.roles::Administrator | This role is necessary if you are using SAP HANA Application Lifecycle Management to import the data provisioning delivery unit. |
Import a delivery unit using SAP HANA studio | Role: sap.hana.xs.lm.roles::Transport | |
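As an added example (not code from the original post), the DP and transport roles from the table above built in the SQL console. Role and user names (SDI_DP_ADMIN, DP_OPERATOR, RELEASE_MGR) are assumed placeholders; catalog roles take the system privileges with a plain GRANT, while the repository roles and application privileges in the table are assigned through the _SYS_REPO procedures.

```sql
-- Added example, not part of the original post. Role and user names
-- (SDI_DP_ADMIN, DP_OPERATOR, RELEASE_MGR) are placeholders.

-- Data Provisioning role: only the two system privileges needed to register
-- agents and adapters. System privileges apply system-wide, so keep the
-- membership of this role small and review it regularly.
CREATE ROLE "SDI_DP_ADMIN";
GRANT AGENT ADMIN TO "SDI_DP_ADMIN";
GRANT ADAPTER ADMIN TO "SDI_DP_ADMIN";
GRANT "SDI_DP_ADMIN" TO "DP_OPERATOR";

-- Repository (activated) roles and application privileges are not granted
-- with GRANT; the _SYS_REPO procedures assign them to the user.
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('sap.hana.im.dp.proxy::AgentMessaging', 'DP_OPERATOR');
CALL _SYS_REPO.GRANT_APPLICATION_PRIVILEGE('sap.hana.im.dp.admin::Administrator', 'DP_OPERATOR');

-- Transport role: a separate user who can import delivery units from
-- SAP HANA studio but cannot register agents or adapters.
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('sap.hana.xs.lm.roles::Transport', 'RELEASE_MGR');

-- Check before sign-off: what DP_OPERATOR effectively holds, and via which role
SELECT PRIVILEGE, GRANTEE, GRANTEE_TYPE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'DP_OPERATOR'
   AND PRIVILEGE IN ('AGENT ADMIN', 'ADAPTER ADMIN');

-- And which users hold the DP role, for periodic access review
SELECT GRANTEE, GRANTOR
  FROM GRANTED_ROLES
 WHERE ROLE_NAME = 'SDI_DP_ADMIN';
```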
Monitoring Tasks
A user requires specific roles and privileges to access and perform various tasks through the Data Provisioning monitors, which can be accessed from SAP HANA cockpit.
Task | Roles and Privileges | Description |
| Role: sap.hana.im.dp.monitor.roles::Monitoring; Application privilege: sap.hana.im.dp.monitor::Monitoring | The Monitoring role includes the following application privileges: sap.hana.ide::LandingPage, sap.hana.im.dp.monitor::Monitoring |
| Role: sap.hana.im.dp.monitor.roles::Operations | The Operations role includes the following application privileges (sap.hana.im.dp.monitor::*): AddLocationToAdapter, AlterAgent, AlterRemoteSource, AlterRemoteSubscription, CreateAgent, DeleteSchedule, DropAgent, DropRemoteSubscription, ExecuteDesignTimeObject, NotificationAdministration, ProcessRemoteException (this includes both remote source and remote subscription exceptions), RemoveLocationFromAdapter, ScheduleDesignTimeObject, ScheduleTask, StartTask, StopTask, UpdateAdapter |
Enable users to schedule a task | Role: sap.hana.xs.admin.roles::JobSchedulerAdministrator | |
Schedule a task | Role: sap.hana.im.dp.monitor.roles::Operations; Application privilege: sap.hana.im.dp.monitor::ScheduleTask | |
Start a task | Application privilege: sap.hana.im.dp.monitor::StartTask | |
Stop a task | Application privilege: sap.hana.im.dp.monitor::StopTask | |
Process remote subscription exceptions | Object privilege: PROCESS REMOTE SUBSCRIPTION EXCEPTION | Must be explicitly granted for a remote source created by another user. |
Remote Source and Remote Subscription Tasks
A user requires specific roles and privileges to create and manage remote sources and remote subscriptions.
Task | Roles and Privileges | Description |
Create a remote source | System privilege: CREATE REMOTE SOURCE | Use SAP HANA Web-based Development Workbench to create remote sources. When a user can create a remote source (has the CREATE REMOTE SOURCE system privilege), that user automatically has the CREATE VIRTUAL TABLE, DROP, CREATE REMOTE SUBSCRIPTION and PROCESS REMOTE SUBSCRIPTION EXCEPTION privileges; these privileges do not need to be assigned to the user. However, this only applies to remote sources that the user creates himself. If a remote source is created by someone else, those privileges must be assigned for each remote source in order to perform those tasks. |
Alter a remote source | Object privilege: ALTER | Use SAP HANA Web-based Development Workbench to create remote sources. To alter a remote source, a user must have the ALTER object privilege on the remote source. Examples of altering a remote source include: ALTER REMOTE SOURCE <remote_source_name> SUSPEND CAPTURE; ALTER REMOTE SOURCE <remote_source_name> RESUME CAPTURE |
Drop a remote source | Object privilege: DROP | Use SAP HANA Web-based Development Workbench to create remote sources. This privilege must be explicitly granted for a remote source created by another user. |
Search for an object in a remote source | Object privilege: ALTER on the remote source to be searched | To search for remote objects such as tables in a remote source, a user must have the ALTER object privilege on the remote source so the system can create a dictionary. |
Add a virtual table | Object privilege: CREATE VIRTUAL TABLE | This privilege must be explicitly granted for a remote source created by another user. When you use SAP Web IDE for SAP HANA, the internal ObjectOwner of the HDI project must have privileges to create virtual tables on the remote source. |
Create a remote subscription | Object privilege: CREATE REMOTE SUBSCRIPTION | This privilege must be explicitly granted for a remote source created by another user. |
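An added example (not from the original post) of the per-remote-source grants the table above requires when the remote source was created by someone else, followed by a query to verify the result. The remote source ERP_SRC and the user DEV_USER are assumed names.

```sql
-- Added example, not part of the original post. "ERP_SRC" (created by an
-- administrator) and "DEV_USER" are placeholder names.

-- DEV_USER did not create ERP_SRC, so none of the privileges that come
-- implicitly with CREATE REMOTE SOURCE apply; each one is granted per source.
GRANT CREATE VIRTUAL TABLE ON REMOTE SOURCE "ERP_SRC" TO "DEV_USER";
GRANT CREATE REMOTE SUBSCRIPTION ON REMOTE SOURCE "ERP_SRC" TO "DEV_USER";
GRANT PROCESS REMOTE SUBSCRIPTION EXCEPTION ON REMOTE SOURCE "ERP_SRC" TO "DEV_USER";

-- ALTER is also what object search (dictionary creation) needs; grant it
-- only to users who must browse or suspend/resume the source. DROP stays
-- with the owner.
GRANT ALTER ON REMOTE SOURCE "ERP_SRC" TO "DEV_USER";

-- Avoid the shortcut of granting the CREATE REMOTE SOURCE system privilege
-- instead: it carries implicit DROP, ALTER, subscription and exception
-- privileges on every remote source that user goes on to create.

-- Check: which privileges DEV_USER holds on ERP_SRC and how they were obtained
-- (directly or through a role).
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, IS_GRANTABLE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'DEV_USER'
   AND OBJECT_NAME = 'ERP_SRC';
```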
Replication Task and Flowgraph Tasks
A user requires specific roles and privileges to create and run flowgraphs and replication tasks from SAP Web IDE for SAP HANA, SAP HANA Web-based Development Workbench, or the SAP HANA studio.
Task | Roles and Privileges | Description |
Create a flowgraph | For SAP HANA Web-based Development Workbench and SAP HANA studio: Role: sap.hana.xs.ide.roles::EditorDeveloper; Object privilege: EXECUTE on "_SYS_REPO"."TEXT_ACCESSOR" and "_SYS_REPO"."MULTI_TEXT_ACCESSOR" | Allows creation of .hdbflowgraph. Tip: When you use SAP Web IDE for SAP HANA, specific roles or privileges are not required to create flowgraphs. |
Create a flowgraph of type Task | Object privilege: SELECT (for input/output schema) | |
Create a replication task | Role: sap.hana.xs.ide.roles::EditorDeveloper | Allows creation of .hdbreptask. |
Activate replication task (.hdbreptask) | Object privileges: SELECT on the source schema; CREATE VIRTUAL TABLE on REMOTE SOURCE (initial load only); CREATE REMOTE SUBSCRIPTION on REMOTE SOURCE (for real-time scenarios) | Must be granted to _SYS_REPO. |
Activate flowgraph (.hdbflowgraph) | Object privileges: SELECT on the source table; INSERT, UPDATE and DELETE on the target table; SELECT on the target schema (only when using a Template Table as a target); if a sequence is used, GRANT SELECT on the sequence; with a History Table: GRANT INSERT on the History Table and GRANT SELECT on the Target Table | Must be granted to _SYS_REPO. Tip: When you use SAP Web IDE for SAP HANA, the ObjectOwner automatically has all necessary privileges for flowgraph activation. When using synonyms, the granter service must manage the privileges. |
Execute a stored procedure | Object privilege: EXECUTE | Needed on the schema where the stored procedure is located. When you use SAP Web IDE for SAP HANA, the ObjectOwner automatically has all necessary privileges for executing stored procedures. When using synonyms, the granter service must manage the privileges. |
Execute a task | Object privileges: EXECUTE, INSERT, UPDATE, SELECT, DELETE | Needed on the schema where the task is located. When you use SAP Web IDE for SAP HANA, the ObjectOwner automatically has all necessary privileges for executing tasks. |
Use the JIT (just-in-time) Data Preview option | Object privilege: SELECT and EXECUTE with GRANT OPTION | Must be granted to _SYS_REPO. Needed on the schema where the task or stored procedure is located. Restriction: The JIT (just-in-time) Data Preview option is not supported in SAP Web IDE for SAP HANA. If you want to use the JIT Data Preview option, consider using SAP HANA Web-based Development Workbench. |
Use the AFL node or the Predictive Analysis node | For the AFL node in SAP HANA Web-based Development Workbench and the Predictive Analysis node in SAP HANA Web IDE: Role: XSA_DEV_USER_ROLE and _<SYS>_DI_OO_DEFAULTS; AFL_AREAS, AFL_FUNCTION_PARAMETERS, AFL_FUNCTION_PROPERTIES, AFL_FUNCTIONS, AFL_PACKAGES, AFL_TEXTS. For execution: _<SYS>_DI_OO_DEFAULTS AFL__SYS_AFL_AFLPAL_EXECUTE | |
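An added example (not from the original post) covering the activation rows for a replication task and a flowgraph, and the execution row for a task: the grants go to _SYS_REPO on the named objects only, and the execution user gets its DML and EXECUTE on the task schema. Schema, table, sequence, remote source and user names (SRC, TGT, ORDERS, ORDERS_DM, ORDERS_DM_HIST, ORDER_KEY_SEQ, ERP_SRC, SDI_TASKS, SDI_EXEC) are assumed placeholders.

```sql
-- Added example, not part of the original post. All object and user names
-- are placeholders for a flowgraph that reads "SRC"."ORDERS", writes
-- "TGT"."ORDERS_DM", keeps a history table and uses a key sequence.

-- Flowgraph activation: _SYS_REPO needs exactly the listed object
-- privileges on the objects the flowgraph touches, not on whole schemas.
GRANT SELECT ON "SRC"."ORDERS" TO _SYS_REPO;                     -- source table
GRANT INSERT, UPDATE, DELETE ON "TGT"."ORDERS_DM" TO _SYS_REPO;  -- target table
GRANT SELECT ON "TGT"."ORDER_KEY_SEQ" TO _SYS_REPO;              -- sequence in use
GRANT INSERT ON "TGT"."ORDERS_DM_HIST" TO _SYS_REPO;             -- history table
GRANT SELECT ON "TGT"."ORDERS_DM" TO _SYS_REPO;                  -- target, with history table

-- Only a Template Table target needs SELECT on the whole target schema;
-- leave this commented out otherwise.
-- GRANT SELECT ON SCHEMA "TGT" TO _SYS_REPO;

-- Replication task activation with a real-time subscription on "ERP_SRC".
-- Skip CREATE REMOTE SUBSCRIPTION for initial-load-only tasks.
GRANT SELECT ON SCHEMA "SRC" TO _SYS_REPO;
GRANT CREATE VIRTUAL TABLE ON REMOTE SOURCE "ERP_SRC" TO _SYS_REPO;
GRANT CREATE REMOTE SUBSCRIPTION ON REMOTE SOURCE "ERP_SRC" TO _SYS_REPO;

-- Execution role: the user that runs tasks needs EXECUTE plus DML on the
-- schema holding the task, and nothing on the remote source.
CREATE ROLE "SDI_EXECUTION";
GRANT EXECUTE, INSERT, UPDATE, SELECT, DELETE ON SCHEMA "SDI_TASKS" TO "SDI_EXECUTION";
GRANT "SDI_EXECUTION" TO "SDI_EXEC";

-- Review what _SYS_REPO has accumulated on the target schema over time;
-- anything beyond the rows above is a candidate for REVOKE.
SELECT OBJECT_TYPE, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE GRANTEE = '_SYS_REPO'
   AND SCHEMA_NAME = 'TGT';
```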
If you have any questions about SDI, please feel free to comment under the blog.