In this lesson, you will learn about creating SAP HANA Cloud roles and assign them to database users.
As a database administrator, you want to create SAP HANA Cloud roles and assign them to SAP HANA Cloud database user accounts.
SAP HANA Cloud Authorization Concept
To perform operations in the SAP HANA database, a database user must have the necessary privileges. Users must have both the privilege(s) to perform the operation and to access the resources (such as schemas and tables) to which the operation applies. Privileges can be granted to database users either directly, or indirectly through roles that they have been granted. In this case, the privileges are inherited. Roles are the standard mechanism of granting privileges to users.
A database role is a collection of privileges that can be assigned to either a database user or another role in runtime. You can create and assign roles in the SAP HANA cockpit.
A role typically contains the privileges required for a particular function or task, for example:
- Business end users reading reports using client tools such as Microsoft Excel
- Modelers creating models and reports
- Database administrators operating and maintaining the database and its users
Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard mechanism of granting privileges as they allow you to implement complex, reusable authorization concepts that can be modeled on business roles.
Roles in the SAP HANA database can exist as runtime objects only (catalog roles), or as design-time objects that become catalog objects on deployment (database artifact with file suffix .hdbrole).
You can create catalog roles in the SAP HANA system using the SAP HANA cockpit. A role administrator creates the role in the runtime of the SAP HANA system. The database user grants catalog roles directly, and they can only be revoked by the same user.
You can create a new role directly in runtime and grant it the privileges and roles necessary for the task or function that it represents on the Role page of the SAP HANA cockpit.
The Runtime (Catalog) roles have the following properties:
- Roles cannot be transported between systems.
- There is no version management.
- Roles are owned by the database user who creates them.
- Roles are granted directly by the database user using the SQL GRANT and REVOKE statements.
Design-time roles can be created using the SAP Web IDE Full-Stack for example, and deployed using SAP HANA deployment infrastructure (SAP HANA DI, or HDI).
Due to the container-based model of HDI where each container corresponds to a database schema, HDI roles, once deployed, are schema-specific. An HDI container can be seen as a database schema and there can be multiple HDI containers within the SAP HANA database.
All database objects deployed within the container are owned by container-specific technical object owners.
The Design-Time roles have the following properties:
- Roles can be transported between systems.
- Roles are developed as design-time objects within a project stored in a repository.
- Roles are owned by the object owner of the container.
- Any container or container group administrator with the EXECUTE privilege on these procedures can grant and revoke roles. ny user with the system privilege ROLE ADMIN can also grant and revoke roles.