Creating Database Users, Roles and Assigning Permissions in SAP HANA Cloud

Objective

After completing this lesson, you will be able to summarize user and authorization management in SAP HANA Cloud

User and Authorization Management in SAP HANA Cloud

Business Scenario

A company uses various business applications on top of their SAP HANA Cloud databases. To ensure that business users have access only to the data they need to perform their tasks, as a System Administrator, you will set up a user and authorization concept.

The Need for a User and Authorization Concept

In SAP HANA Cloud, you will use users, roles, and privileges to implement the user and authorization concept.

Watch the following video to learn more about the need for a user and role concept.

What Is a User?

Every employee who needs to work directly with the SAP HANA Cloud database must have a database user account. The user account allows you, after successful authentication, to log on to the SAP HANA database. To be able to work with the data in the database, your user account needs to be granted the correct privileges. These privileges can be assigned via roles or directly to your user account.

SAP HANA Cloud supports two types of user accounts: standard users and restricted users. The differences between these two types of user accounts are explained below:

  • Standard users are users who connect directly to the SAP HANA Cloud database with full SQL access. Depending on your system configuration and scenario, they could be the following users:
    • Database administrators who perform the database administration tasks.
    • User administrators who handle all user account-related tasks.
    • End users who perform their daily work with the database.
    • Technical users, which are not real persons but user accounts used by interfaces to other SAP or non-SAP systems to exchange data between the systems.
  • Restricted users are intended for users who should not have full SQL access to the database. Restricted users will access the database through an application. The data that can be accessed in the database is restricted by the privileges encapsulated within an application-specific role. In this way, it can be ensured that users have only those privileges that are essential to their work.
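The two user types above, written out as SAP HANA SQL. This is an added example, not part of the SAP lesson; the user names, the schema SALES with table ORDERS, the role name and the passwords are constructed placeholders.

```sql
-- Standard user for a person: the default forces a password change at first logon.
CREATE USER "END_USER_1" PASSWORD "Initial_Pw_123";

-- Technical user for an interface: not a person. Its password must not expire,
-- otherwise the interface stops working when the password lifetime ends.
CREATE USER "IF_SYSTEM_B" PASSWORD "Tech_Pw_123";
ALTER USER "IF_SYSTEM_B" DISABLE PASSWORD LIFETIME;

-- Restricted user: no full SQL access and no PUBLIC role; it can only do what an
-- application-specific role grants it.
CREATE RESTRICTED USER "APP_USER_1" PASSWORD "App_Pw_123";
CREATE ROLE "APP_ORDERS_READ";                          -- constructed application role
GRANT SELECT ON "SALES"."ORDERS" TO "APP_ORDERS_READ";  -- assumed schema and table
GRANT "APP_ORDERS_READ" TO "APP_USER_1";

-- Check: confirm the user type and password settings in the USERS system view.
SELECT USER_NAME, IS_RESTRICTED, PASSWORD_CHANGE_NEEDED, IS_PASSWORD_LIFETIME_CHECK_ENABLED
  FROM USERS
 WHERE USER_NAME IN ('END_USER_1', 'IF_SYSTEM_B', 'APP_USER_1');
```

The final SELECT is the check a user administrator runs after creating accounts: IS_RESTRICTED should be TRUE only for the application user, and IS_PASSWORD_LIFETIME_CHECK_ENABLED should be FALSE only for the technical user.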

What Is a Role?

A role typically contains all the privileges required to perform a particular business function or task. The following are some examples of possible business functions:

  • Human Resources employees handle recruitment, administration, compensation and benefits, and training and development.
  • Financial Accounting employees prepare financial statements and reports, and advise company leaders on investment practices and strategies.
  • Materials Management employees oversee a company's inventory and purchasing operations. They collaborate with engineers and designers to determine the materials needed in the manufacturing process.
  • Database administrators manage and maintain the database software and ensure that the database is running efficiently.

A database role is a collection of privileges that can be granted to either a database user or another role.

What Is a Privilege?

Access to the data stored in the database tables must be controlled. Privileges let the database administrator control who has which access to the database data.

The slide "Privilege Types" shows the four privilege types: system privilege, object privilege, analytic privilege, and privilege on user.

In SAP HANA Cloud, there are four types of privileges:

  • System privileges control general system activities. They are mainly used for administrative purposes, such as creating schemas, creating and changing users and roles, and monitoring and tracing. The System privilege is used by database administrators and developers.
  • Object privileges are used to allow access to and modification of database objects, such as tables and views. Depending on the object type, different actions can be authorized (for example, SELECT, CREATE ANY, ALTER, DROP). The Object privilege is used by end users and technical users.
  • Analytic privileges are used to allow read access to data in SAP HANA information models (that is, analytic views, attribute views, and calculation views) depending on certain values or combinations of values. Analytic privileges are evaluated during query processing.

    The Analytic privilege is used by end users.

  • Privileges on Users: The privilege ATTACH DEBUGGER is the only privilege that can be granted on a user and would allow a user to attach a debugger session to debug SQLScript code.

    For example, User A can grant User B the privilege ATTACH DEBUGGER to allow User B to debug SQLScript code in User A's session. User A is the only user who can grant this privilege. Note that User B also needs the object privilege DEBUG on the relevant SQLScript procedure.

    The Privileges on Users privilege is used by developers to debug SQLScript code.

How Do Users, Roles, and Privileges Fit Together?

The image shows how users, roles, and privileges fit together.

Privileges can be assigned to roles or directly to a user account. As a best practice, it's better to assign privileges to roles. This way you can keep a better overview, and you can reuse the role for multiple user accounts.

Roles can be assigned to a user account and to another role. As a best practice, you should create roles that allow users to perform a specific task. These roles are called task roles. In a system, you will have many of these task roles. Employees in different departments might need the same task role, so you can reuse it many times.

Task roles are assigned to job roles. A job role would contain all the task roles that a user needs for their job.
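The four privilege types and the task-role/job-role hierarchy from the sections above, as one added SAP HANA SQL example. It is not part of the SAP lesson; the schema SALES, table ORDERS, procedure CALC_BONUS, the analytic (structured) privilege SALES_REGION_EMEA, and every user, role and password are constructed placeholders, and SALES_REGION_EMEA is assumed to exist already.

```sql
-- Task roles: one per task, each holding only the privileges that task needs.
CREATE ROLE "TASK_ORDERS_READ";
GRANT SELECT ON "SALES"."ORDERS" TO "TASK_ORDERS_READ";                         -- object privilege

CREATE ROLE "TASK_ORDERS_MAINTAIN";
GRANT SELECT, INSERT, UPDATE, DELETE ON "SALES"."ORDERS" TO "TASK_ORDERS_MAINTAIN";

CREATE ROLE "TASK_SALES_REPORTING";
GRANT STRUCTURED PRIVILEGE "SALES_REGION_EMEA" TO "TASK_SALES_REPORTING";       -- analytic privilege

CREATE ROLE "TASK_USER_ADMIN";
GRANT USER ADMIN, ROLE ADMIN TO "TASK_USER_ADMIN";                              -- system privileges

-- Job roles bundle the task roles one job needs; a role can be granted to a role,
-- and TASK_ORDERS_READ is reused by two jobs.
CREATE ROLE "JOB_SALES_CLERK";
GRANT "TASK_ORDERS_READ", "TASK_ORDERS_MAINTAIN" TO "JOB_SALES_CLERK";

CREATE ROLE "JOB_SALES_ANALYST";
GRANT "TASK_ORDERS_READ", "TASK_SALES_REPORTING" TO "JOB_SALES_ANALYST";

-- Users receive job roles, not privileges directly.
CREATE USER "CLERK_1" PASSWORD "Initial_Pw_123";
GRANT "JOB_SALES_CLERK" TO "CLERK_1";

-- Privilege on user: run this while connected as DEV_A, because only the user
-- being debugged can grant ATTACH DEBUGGER on itself. DEV_B additionally needs
-- DEBUG on the procedure, granted by a user allowed to grant on SALES.CALC_BONUS.
GRANT ATTACH DEBUGGER ON USER "DEV_A" TO "DEV_B";
GRANT DEBUG ON "SALES"."CALC_BONUS" TO "DEV_B";

-- Checks: what was granted directly, what the user holds through role nesting,
-- and the privileges that actually result for the user.
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE IN ('CLERK_1', 'JOB_SALES_CLERK');

SELECT USER_NAME, ROLE_NAME
  FROM EFFECTIVE_ROLES
 WHERE USER_NAME = 'CLERK_1';        -- lists JOB_SALES_CLERK and both nested task roles

SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTOR
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'CLERK_1';        -- should show only the ORDERS privileges
```

The EFFECTIVE_PRIVILEGES query is the one to keep at hand: it resolves the whole role chain, so it is the fastest way to confirm that a user ended up with exactly the privileges of their job role and nothing that was granted directly by mistake.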

Create a User in SAP HANA Cloud

In the following exercise, you will create a user account in SAP HANA Cloud.

Create a Role with Privileges in SAP HANA Cloud

In the next exercise you will create a role with privileges using SAP HANA Cockpit.

Assign a Role to a User in SAP HANA Cloud

In this lesson's last exercise, you will assign a role to a user.

Summary

You now have a good understanding of why a user and authorization concept is required when storing all business data in SAP HANA Cloud. You learned how to create users and roles with privileges in SAP HANA Cloud.

Further Reading

Here's some further information on the topic of SAP HANA Cloud users, roles, and privileges:
