Introducing Roles and Privileges

After completing this lesson, you will be able to:

  • Describe roles and privileges

Security Concepts

Some key points regarding roles and privileges:

  • Privileges can be assigned to users directly. They can also be assigned to users indirectly by using roles.

    Roles help you to structure access using reusable business-related roles. Roles can be nested, enabling the implementation of a hierarchy of roles.


    It is highly recommended that you manage authorizations for users by using roles. Assigning a privilege directly to a user is not a good practice.

  • All the privileges granted directly or indirectly to a user are combined.

    Whenever a user tries to access an object, the system performs an authorization check based on the user's roles and directly allocated privileges (if any).

  • It is not possible to explicitly deny privileges; all privileges grant access.

    The system does not need to check all the user's roles. As soon as all the privileges required for a specific operation on a specific object have been found, the system ends the check and allows the operation without checking whether the same privileges appear again in another role.

  • Several predefined roles exist in the SAP HANA Cloud database.

    Some of them are templates (and need to be customized), and others can be used as they are.

  • As a best practice, users should only be given the smallest set of privileges required for their role.

Defining Roles

In the SAP HANA Cloud database, there are two ways to create roles:

  • As pure run-time objects (with no source file) that are created using SQL or SAP HANA Cockpit. These are called Catalog Roles. You assign privileges to these roles using SQL grant statements.

  • By means of source files that you create in the HDB module of a project. These are called Design-Time Roles. These source files list the privileges that are granted when deployed. Design-time roles are created as .hdbrole files within a project with Business Application Studio. This approach is recommended to define all roles that grant privileges to the local database objects that are generated in your container because they are kept with the project files and are easily transported.
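
The following is an added example, not part of the original lesson: it builds two nested catalog roles with SQL grant statements, assigns the outer role to a user, and then queries the system views to confirm that the user holds privileges only through roles. The schema SALES_DEMO, the table FORECAST, the user DEMO_ANALYST and both role names are assumptions, and the schema, table and user are assumed to exist already.

```sql
-- Assumed objects (not from the lesson): schema SALES_DEMO, table SALES_DEMO.FORECAST,
-- user DEMO_ANALYST. Role names are hypothetical.

-- 1. Inner role: read-only access to the whole schema.
CREATE ROLE SALES_READ;
GRANT SELECT ON SCHEMA SALES_DEMO TO SALES_READ;

-- 2. Outer role: nests SALES_READ and adds write access to a single table,
--    which keeps the set of privileges as small as the job requires.
CREATE ROLE SALES_ANALYST;
GRANT SALES_READ TO SALES_ANALYST;
GRANT INSERT, UPDATE ON SALES_DEMO.FORECAST TO SALES_ANALYST;

-- 3. The user receives the role, never the individual privileges.
GRANT SALES_ANALYST TO DEMO_ANALYST;

-- 4. Roles the user holds directly. SALES_READ does not appear here,
--    because it reaches the user only through SALES_ANALYST.
SELECT ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'DEMO_ANALYST'
   AND GRANTEE_TYPE = 'USER';

-- 5. Combined result of all direct and indirect grants. GRANTEE and
--    GRANTEE_TYPE show which role (or the user itself) carries each privilege.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'DEMO_ANALYST'
   AND SCHEMA_NAME = 'SALES_DEMO'
 ORDER BY GRANTEE, OBJECT_NAME, PRIVILEGE;

-- 6. Review check: privileges on the schema granted straight to the user.
--    With role-based assignment this query returns no rows.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'DEMO_ANALYST'
   AND GRANTEE_TYPE = 'USER'
   AND SCHEMA_NAME = 'SALES_DEMO';
```

Because privileges cannot be denied, the only way to narrow the result of step 5 is to revoke a grant or remove the user from a role.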
