
SAP EIM – Smart Data Integration (SDI) roles and privileges

Michał Krawczyk SAP Mentor, SAP Press Author
2019-03-05

Introduction

Granting the correct HANA user privileges is one of the main tasks when creating a data integration process. This can be done with SAP HANA Web-based Development Workbench or with Eclipse.

To grant roles to a particular user, we can use the SQL console in the Development Workbench Catalog.

According to best practices, a set of roles should be created for each SDI project. These roles allow different users to work without calling for system administrator assistance:

  1. SDI administrator role – to manage all the processes in the system
  2. Data Provisioning (DP) role – installation and configuration of data provisioning agents
  3. Transport role – exporting/importing objects among different environments
  4. Execution role – run flowgraphs
  5. Developer role – development objects

Provisioning Tasks

A user requires these roles for agent connectivity and configuration, and for cross-environment transport of data flows.

Task: Register a DP Agent
Roles and Privileges: System privilege: AGENT ADMIN

Task: Register an adapter
Roles and Privileges: System privilege: ADAPTER ADMIN

Task: Configure DP Agent to use HTTP (cloud) protocol
Roles and Privileges: Role: sap.hana.im.dp.proxy::AgentMessaging
Description: Whoever sets the Data Provisioning Agent to use HTTP (cloud) in the Data Provisioning Agent Configuration tool needs to be assigned this role.

Task: Create an Agent or adapter when SAP HANA is in the cloud
Roles and Privileges: Application privilege: sap.hana.im.dp.admin::Administrator
Description: Needed when an administrator wants to create adapters and agents from the Data Provisioning Agent Configuration tool when SAP HANA is on the cloud (or the agent uses HTTP protocol).

Task: Import a delivery unit using SAP HANA Application Lifecycle Management
Roles and Privileges: Role: sap.hana.xs.lm.roles::Administrator
Description: This role is necessary if you are using SAP HANA Application Lifecycle Management to import the data provisioning delivery unit.

Task: Import a delivery unit using SAP HANA studio
Roles and Privileges: Role: sap.hana.xs.lm.roles::Transport
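
The provisioning privileges above, bundled into two project roles and granted from the SQL console. This is an added example, not taken from the original post; the role names SDI_DP_ADMIN and SDI_TRANSPORT and the user names DP_OPERATOR and TRANSPORT_USER are assumptions.

```sql
-- Added example: all role and user names below are hypothetical.
-- Run as an administrator allowed to create roles and grant these privileges.

-- Data Provisioning role: register agents and adapters.
CREATE ROLE SDI_DP_ADMIN;
GRANT AGENT ADMIN TO SDI_DP_ADMIN;
GRANT ADAPTER ADMIN TO SDI_DP_ADMIN;

-- Only needed when the agent connects over HTTP (cloud).
-- Repository roles and application privileges are granted through
-- _SYS_REPO procedures rather than a plain GRANT statement.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"(
     'sap.hana.im.dp.proxy::AgentMessaging', 'SDI_DP_ADMIN');
CALL "_SYS_REPO"."GRANT_APPLICATION_PRIVILEGE"(
     '"sap.hana.im.dp.admin::Administrator"', 'SDI_DP_ADMIN');

-- Transport role: delivery unit import from SAP HANA studio.
CREATE ROLE SDI_TRANSPORT;
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"(
     'sap.hana.xs.lm.roles::Transport', 'SDI_TRANSPORT');

-- Users receive the project roles, never the individual privileges.
GRANT SDI_DP_ADMIN TO DP_OPERATOR;
GRANT SDI_TRANSPORT TO TRANSPORT_USER;

-- Review what was actually granted, and by whom.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE IN ('DP_OPERATOR', 'TRANSPORT_USER',
                   'SDI_DP_ADMIN', 'SDI_TRANSPORT')
 ORDER BY GRANTEE, ROLE_NAME;

SELECT GRANTEE, PRIVILEGE, OBJECT_TYPE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE GRANTEE = 'SDI_DP_ADMIN'
 ORDER BY PRIVILEGE;
```

Keeping the HTTP-only grants in the same role is a simplification; on an installation where the agent uses TCP they can be left out entirely.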
 

Monitoring Tasks

A user requires specific roles and privileges to access and perform various tasks through the Data Provisioning monitors, which can be accessed from SAP HANA cockpit.


Roles and Privileges: Role: sap.hana.im.dp.monitor.roles::Monitoring; Application privilege: sap.hana.im.dp.monitor::Monitoring
Description: The Monitoring role includes the following application privileges:
  - sap.hana.ide::LandingPage
  - sap.hana.im.dp.monitor::Monitoring

Roles and Privileges: Role: sap.hana.im.dp.monitor.roles::Operations
Description: The Operations role includes the following application privileges (sap.hana.im.dp.monitor::*):
  - AddLocationToAdapter
  - AlterAgent
  - AlterRemoteSource
  - AlterRemoteSubscription
  - CreateAgent
  - DeleteSchedule
  - DropAgent
  - DropRemoteSubscription
  - ExecuteDesignTimeObject
  - NotificationAdministration
  - ProcessRemoteException (This includes both remote source and remote subscription exceptions.)
  - RemoveLocationFromAdapter
  - ScheduleDesignTimeObject
  - ScheduleTask
  - StartTask
  - StopTask
  - UpdateAdapter

Task: Enable users to schedule a task
Roles and Privileges: Role: sap.hana.xs.admin.roles::JobSchedulerAdministrator

Task: Schedule a task
Roles and Privileges: Role: sap.hana.im.dp.monitor.roles::Operations; Application privilege: sap.hana.im.dp.monitor::ScheduleTask

Task: Start a task
Roles and Privileges: Application privilege: sap.hana.im.dp.monitor::StartTask

Task: Stop a task
Roles and Privileges: Application privilege: sap.hana.im.dp.monitor::StopTask

Task: Process remote subscription exceptions
Roles and Privileges: Object privilege: PROCESS REMOTE SUBSCRIPTION EXCEPTION
Description: Must be explicitly granted for a remote source created by another user.

Remote Source and Remote Subscription Tasks

A user requires specific roles and privileges to create and manage remote sources and remote subscriptions.

Task: Create a remote source
Roles and Privileges: System privilege: CREATE REMOTE SOURCE
Description: Use SAP HANA Web-based Development Workbench to create remote sources. When a user can create a remote source (has CREATE REMOTE SOURCE system privilege), that user automatically has CREATE VIRTUAL TABLE, DROP, CREATE REMOTE SUBSCRIPTION and PROCESS REMOTE SUBSCRIPTION EXCEPTION privileges; these privileges do not need to be assigned to the user. However, this only applies to remote sources that the user creates themselves. If a remote source is created by someone else, those privileges must be assigned for each remote source in order to perform those tasks.

Task: Alter a remote source
Roles and Privileges: Object privilege: ALTER
Description: Use SAP HANA Web-based Development Workbench to create remote sources. To alter a remote source, a user must have the ALTER object privilege on the remote source. Examples of altering a remote source include:
  ALTER REMOTE SOURCE <remote_source_name> SUSPEND CAPTURE
  ALTER REMOTE SOURCE <remote_source_name> RESUME CAPTURE

Task: Drop a remote source
Roles and Privileges: Object privilege: DROP
Description: Use SAP HANA Web-based Development Workbench to create remote sources. This privilege must be explicitly granted for a remote source created by another user.

Task: Search for an object in a remote source
Roles and Privileges: Object privilege: ALTER on the remote source to be searched
Description: To search for remote objects such as tables in a remote source, a user must have the ALTER object privilege on the remote source so the system can create a dictionary.

Task: Add a virtual table
Roles and Privileges: Object privilege: CREATE VIRTUAL TABLE
Description: This privilege must be explicitly granted for a remote source created by another user. When you use SAP Web IDE for SAP HANA, the internal ObjectOwner of the HDI project must have privileges to create virtual tables on the remote source.

Task: Create a remote subscription
Roles and Privileges: Object privilege: CREATE REMOTE SUBSCRIPTION
Description: This privilege must be explicitly granted for a remote source created by another user.
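
The "created by another user" rule above means that per-source object privileges have to be granted explicitly, which is also the chance to split them by duty instead of handing out CREATE REMOTE SOURCE. This is an added example, not part of the original post; the remote source ERP_SOURCE and the grantees SDI_DEVELOPER and SDI_OPERATOR are assumptions.

```sql
-- Added example: ERP_SOURCE, SDI_DEVELOPER and SDI_OPERATOR are hypothetical.
-- Run as the owner of the remote source (or a user able to grant on it).

-- Developer: browse remote objects, add virtual tables, set up replication.
GRANT ALTER ON REMOTE SOURCE "ERP_SOURCE" TO SDI_DEVELOPER;
GRANT CREATE VIRTUAL TABLE ON REMOTE SOURCE "ERP_SOURCE" TO SDI_DEVELOPER;
GRANT CREATE REMOTE SUBSCRIPTION ON REMOTE SOURCE "ERP_SOURCE" TO SDI_DEVELOPER;

-- Operator: handle replication exceptions only.
GRANT PROCESS REMOTE SUBSCRIPTION EXCEPTION
   ON REMOTE SOURCE "ERP_SOURCE" TO SDI_OPERATOR;

-- DROP is deliberately not granted to either grantee.

-- Review every grant recorded against this remote source.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR, IS_GRANTABLE
  FROM GRANTED_PRIVILEGES
 WHERE OBJECT_NAME = 'ERP_SOURCE'
 ORDER BY GRANTEE, PRIVILEGE;

-- Anyone holding this system privilege implicitly gets the full set of
-- privileges on every remote source they create, so keep the list short.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE PRIVILEGE = 'CREATE REMOTE SOURCE'
 ORDER BY GRANTEE;
```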

Replication Task and Flowgraph Tasks

A user requires specific roles and privileges to create and run flowgraphs and replication tasks from SAP Web IDE for SAP HANA, SAP HANA Web-based Development Workbench, or the SAP HANA studio.

Task: Create a flowgraph
Roles and Privileges: For SAP HANA Web-based Development Workbench and SAP HANA studio: Role: sap.hana.xs.ide.roles::EditorDeveloper; Object privilege: EXECUTE on "_SYS_REPO"."TEXT_ACCESSOR" and "_SYS_REPO"."MULTI_TEXT_ACCESSOR"
Description: Allows creation of .hdbflowgraph. Tip: When you use SAP Web IDE for SAP HANA, specific roles or privileges are not required to create flowgraphs.

Task: Create a flowgraph of type Task
Roles and Privileges: Object privilege: SELECT (for input/output schema)

Task: Create a replication task
Roles and Privileges: Role: sap.hana.xs.ide.roles::EditorDeveloper
Description: Allows creation of .hdbreptask.

Task: Activate replication task (.hdbreptask)
Roles and Privileges: Object privileges:
  - SELECT on the source schema
  - CREATE VIRTUAL TABLE on REMOTE SOURCE (Initial Load Only)
  - CREATE REMOTE SUBSCRIPTION on REMOTE SOURCE (for real-time scenarios)
Description: Must be granted to _SYS_REPO.

Task: Activate flowgraph (.hdbflowgraph)
Roles and Privileges: Object privileges:
  - SELECT on the source table
  - INSERT, UPDATE and DELETE on the target table
  - SELECT on the target schema (only when using a Template Table as a target)
  - If sequence is used, then GRANT SELECT on sequence
  - History Table: GRANT INSERT on History Table; GRANT SELECT on Target Table
Description: Must be granted to _SYS_REPO. Tip: When you use SAP Web IDE for SAP HANA, the ObjectOwner automatically has all necessary privileges for flowgraph activation. When using synonyms, the granter service must manage the privileges.

Task: Execute a stored procedure
Roles and Privileges: Object privilege: EXECUTE
Description: Needed on the schema where the stored procedure is located. When you use SAP Web IDE for SAP HANA, the ObjectOwner automatically has all necessary privileges for executing stored procedures. When using synonyms, the granter service must manage the privileges.

Task: Execute a task
Roles and Privileges: Object privilege: EXECUTE, INSERT, UPDATE, SELECT, DELETE
Description: Needed on the schema where the task is located. When you use SAP Web IDE for SAP HANA, the ObjectOwner automatically has all necessary privileges for executing tasks.

Task: Use the JIT (just-in-time) Data Preview option
Roles and Privileges: Object privilege: SELECT and EXECUTE with GRANT OPTION
Description: Must be granted to _SYS_REPO. Needed on the schema where the task or stored procedure is located. Restriction: The JIT (just-in-time) Data Preview option is not supported in SAP Web IDE for SAP HANA. If you want to use the JIT Data Preview option, consider using SAP HANA Web-based Development Workbench.

Task: Use the AFL node or the Predictive Analysis node
Roles and Privileges: For AFL node in SAP HANA Web-based Development Workbench and Predictive Analysis node in SAP HANA Web IDE: Role: XSA_DEV_USER_ROLE and _<SYS>_DI_OO_DEFAULTS AFL_AREAS, AFL_FUNCTION_PARAMETERS, AFL_FUNCTION_PROPERTIES, AFL_FUNCTIONS, AFL_PACKAGES, AFL_TEXTS. For execution, _<SYS>_DI_OO_DEFAULTS AFL__SYS_AFL_AFLPAL_EXECUTE
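
Several rows above require grants to _SYS_REPO rather than to the developer, because activation runs under that technical user. This is an added example, not part of the original post, showing those grants scoped to one source and one target; the names ERP_SOURCE, SRC_SCHEMA, TGT_SCHEMA, ORDERS and ORDERS_COPY are assumptions.

```sql
-- Added example: schema, table and remote source names are hypothetical.

-- Replication task (.hdbreptask) activation.
GRANT SELECT ON SCHEMA "SRC_SCHEMA" TO _SYS_REPO;
-- Initial load only:
GRANT CREATE VIRTUAL TABLE ON REMOTE SOURCE "ERP_SOURCE" TO _SYS_REPO;
-- Real-time scenarios:
GRANT CREATE REMOTE SUBSCRIPTION ON REMOTE SOURCE "ERP_SOURCE" TO _SYS_REPO;

-- Flowgraph (.hdbflowgraph) activation: read the source, write the target.
GRANT SELECT ON "SRC_SCHEMA"."ORDERS" TO _SYS_REPO;
GRANT INSERT, UPDATE, DELETE ON "TGT_SCHEMA"."ORDERS_COPY" TO _SYS_REPO;
-- Only when a Template Table is the target:
GRANT SELECT ON SCHEMA "TGT_SCHEMA" TO _SYS_REPO;

-- JIT Data Preview: the one case on this page that needs GRANT OPTION,
-- on the schema where the task or stored procedure is located.
GRANT SELECT, EXECUTE ON SCHEMA "TGT_SCHEMA" TO _SYS_REPO WITH GRANT OPTION;

-- Review what _SYS_REPO now holds on these objects. Rows with
-- IS_GRANTABLE = 'TRUE' should match only the JIT preview grant.
SELECT SCHEMA_NAME, OBJECT_NAME, OBJECT_TYPE, PRIVILEGE, IS_GRANTABLE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE GRANTEE = '_SYS_REPO'
   AND (SCHEMA_NAME IN ('SRC_SCHEMA', 'TGT_SCHEMA')
        OR OBJECT_NAME = 'ERP_SOURCE')
 ORDER BY SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;
```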
 

If you have any questions about SDI, please feel free to comment under the blog.

Reference:

https://help.sap.com/
Michał Krawczyk, SAP Mentor and SAP Press Author, has been an SAP integration consultant since 2004. His recognition by SAP includes becoming an SAP Mentor in 2007 and winning the top contributor/topic leader award from SDN (SAP Developer Network portal) in SAP PO/PI eight times. Michał is the author of many SAP integration related books: Mastering idoc business scenarios with SAP XI, Mastering idoc business scenarios with SAP PI (second edition).