In this lesson, you'll learn about creating SAP HANA Cloud roles and assigning them to database users.
As a database administrator, you want to create SAP HANA Cloud roles and assign them to SAP HANA Cloud database user accounts.
SAP HANA Cloud Authorization Concept
To perform operations in the SAP HANA database, a database user must have the necessary privileges. Users must have both the privileges to perform the operation and to access the resources (such as schemas and tables) to which the operation applies. Privileges can be granted to database users either directly, or indirectly through roles that they've been granted. In this case, the privileges are inherited. Roles are the standard mechanism of granting privileges to users.
A database role is a collection of privileges that can be assigned to either a database user or another role in runtime. You can create and assign roles in the SAP HANA cockpit.
A role typically contains the privileges required for a particular function or task, for example:
- Business end users reading reports using client tools such as Microsoft Excel
- Modelers creating models and reports
- Database administrators operating and maintaining the database and its users
Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard mechanism of granting privileges as they allow you to implement complex, reusable authorization concepts that can be modeled on business roles.
Roles in the SAP HANA database can exist as runtime objects only (catalog roles), or as design-time objects that become catalog objects on deployment (database artifact with file suffix .hdbrole).
A role administrator needs the ROLE ADMIN privilege to create catalog roles in the runtime of the SAP HANA system. These catalog roles can be created and assigned using SQL or using the SAP HANA cockpit.
Roles can be revoked by the role administrator database user who granted them, or by another role administrator database user who has the ROLE ADMIN privilege.
If the role administrator database user who granted the roles (not necessarily the user who created them) is dropped, all roles that were granted by this role administrator database user are revoked.
A user with ROLE ADMIN can't revoke roles granted by the technical users SYS and _SYS*.
You can create a new role directly in runtime and grant it the privileges and roles necessary for the task or function that it represents on the Role page of the SAP HANA cockpit.
Runtime (catalog) roles have the following properties:
- Roles cannot be transported between systems.
- There is no version management.
- Roles are owned by the database user who creates them.
- Roles are granted and revoked directly by a database user using the SQL GRANT and REVOKE statements.
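The catalog-role lifecycle described above, written out as SAP HANA SQL. This is an added example, not code from the lesson: the schema SALES, the users ROLE_ADMIN_USER and ALICE, and the role SALES_REPORT_READER are assumed names, and the system views GRANTED_ROLES and EFFECTIVE_PRIVILEGES are SAP HANA catalog views used here to verify the result. Unquoted identifiers are folded to upper case in SAP HANA, which is why the view queries compare against 'ALICE'.

```sql
-- Added example (not part of the lesson): catalog-role lifecycle in SAP HANA SQL.
-- Assumed names: schema SALES, users ROLE_ADMIN_USER and ALICE, role SALES_REPORT_READER.

-- 1. A system administrator delegates role management to a dedicated
--    role administrator by granting the ROLE ADMIN system privilege.
CREATE USER role_admin_user PASSWORD "Initial-Pw-Change-Me1";
GRANT ROLE ADMIN TO role_admin_user;

-- 2. As ROLE_ADMIN_USER: create the catalog role and give it only the
--    object privileges the business function needs (read-only reporting).
--    Note: ROLE ADMIN lets this user create and grant roles; to put
--    SELECT ON SCHEMA SALES into the role, the user must also hold that
--    privilege with grant option (or own the schema).
CREATE ROLE sales_report_reader;
GRANT SELECT ON SCHEMA sales TO sales_report_reader;

-- 3. Assign the role to an end user. The privileges are inherited through
--    the role, not copied onto the user.
CREATE USER alice PASSWORD "Initial-Pw-Change-Me1";
GRANT sales_report_reader TO alice;

-- 4. Verification: which roles was ALICE granted, and by whom?
SELECT role_name, grantor
  FROM sys.granted_roles
 WHERE grantee = 'ALICE';

--    ...and what privileges does she effectively end up with?
SELECT object_type, schema_name, object_name, privilege
  FROM sys.effective_privileges
 WHERE user_name = 'ALICE';

-- 5. Check for the "grantor dropped" rule: every role grant listed here
--    is revoked if its GRANTOR account is dropped, so review grants that
--    are concentrated on one administrator before decommissioning accounts.
--    SYS and _SYS* grantors are excluded (those grants can't be revoked by
--    a ROLE ADMIN user anyway; the ESCAPE keeps '_' literal in the LIKE).
SELECT grantor, COUNT(*) AS role_grants
  FROM sys.granted_roles
 WHERE grantor <> 'SYS'
   AND grantor NOT LIKE '\_SYS%' ESCAPE '\'
 GROUP BY grantor
 ORDER BY role_grants DESC;

-- 6. Revocation by the original grantor or any other ROLE ADMIN holder.
REVOKE sales_report_reader FROM alice;
```

Step 4 is the check worth keeping in a runbook: a role's name says what it is meant to grant, but EFFECTIVE_PRIVILEGES shows what a user can actually do once nested roles and direct grants are combined.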
Design-time roles can be created using the SAP Web IDE Full-Stack, for example, and deployed using SAP HANA deployment infrastructure (SAP HANA DI, or HDI).
Because of the container-based model of HDI, where each container corresponds to a database schema, HDI roles are schema-specific once deployed. An HDI container can be seen as a database schema, and there can be multiple HDI containers within the SAP HANA database.
All database objects deployed within the container are owned by the container-specific technical user.
Design-time roles have the following properties:
- Roles can be transported between systems.
- Roles are developed as design-time objects within a project stored in a repository.
- Roles are owned by the object owner of the container.
- Any container or container group administrator with the EXECUTE privilege on the HDI container procedures used for granting and revoking roles can grant and revoke these roles. Any user with the system privilege ROLE ADMIN can also grant and revoke them.
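Granting a deployed design-time role goes through the container's API rather than a plain GRANT statement, because the role is owned by the container's object owner. The following is an added example, not code from the lesson: it assumes an HDI container named MYAPP_DATA (placeholder), a design-time file com/example/app/Reader.hdbrole that defines the role com.example.app::Reader and has already been deployed, and a database user ALICE. The procedure GRANT_CONTAINER_SCHEMA_ROLES, its counterpart REVOKE_CONTAINER_SCHEMA_ROLES, and the table type _SYS_DI.TT_SCHEMA_ROLES are the HDI container API as documented by SAP; the rest of the names are assumptions.

```sql
-- Added example (not part of the lesson): granting and revoking a deployed
-- HDI design-time role through the container API.
-- Placeholders: container MYAPP_DATA, role com.example.app::Reader, user ALICE.

-- Role grants for HDI roles are performed via the container's API schema
-- (<container>#DI). The caller needs EXECUTE on the procedure (container
-- administrator) or the ROLE ADMIN system privilege; the grant itself is
-- executed on behalf of the container's technical object owner.
CREATE LOCAL TEMPORARY COLUMN TABLE #roles LIKE _SYS_DI.TT_SCHEMA_ROLES;
INSERT INTO #roles (role_name, principal_schema_name, principal_name)
  VALUES ('com.example.app::Reader', '', 'ALICE');   -- '' = global (non-schema) user

CALL "MYAPP_DATA#DI".GRANT_CONTAINER_SCHEMA_ROLES(
       #roles, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);   -- OUT: return code, request id, messages
DROP TABLE #roles;

-- Verify: the role is a schema-local catalog object of the container, and
-- the GRANTOR is expected to be the container's object owner rather than the
-- administrator who called the procedure.
SELECT role_schema_name, role_name, grantor
  FROM sys.granted_roles
 WHERE grantee = 'ALICE'
   AND role_schema_name = 'MYAPP_DATA';

-- Revoke through the matching procedure with the same table-type parameter.
CREATE LOCAL TEMPORARY COLUMN TABLE #roles LIKE _SYS_DI.TT_SCHEMA_ROLES;
INSERT INTO #roles (role_name, principal_schema_name, principal_name)
  VALUES ('com.example.app::Reader', '', 'ALICE');
CALL "MYAPP_DATA#DI".REVOKE_CONTAINER_SCHEMA_ROLES(
       #roles, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #roles;
```

The practical consequence of the ownership model: the design-time file in the repository is the source of truth for what the role contains, while the GRANTED_ROLES query shows who holds it. Reviewing both is how you confirm that a transported role still grants only what the project intended.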
Grouping Roles in Role Groups
In the SAP HANA Cockpit Role Management application, it's also possible to group roles together in a Role Group with a single name. This Role Group name can later be used to search for roles in the SAP HANA Cockpit Role Assignment application.