Creating Authorization Roles

Objective

After completing this lesson, you will be able to create roles using SAP HANA Cockpit or the SQL console.

Creating Authorization Roles

Database Roles

A database role is a collection of privileges that can be assigned to either a database user or another role. You can create and assign roles in the SAP HANA cockpit, or use SQL.

A role typically contains the privileges required for a particular function or task, for example:

  • Business users reading reports using client tools such as Microsoft Excel
  • Modelers creating models and reports
  • Database administrators operating and maintaining the database and its users

Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard mechanism of granting privileges as they allow you to implement complex, reusable authorization concepts that can be modeled on business roles.

Roles in the SAP HANA database can exist as runtime objects (catalog roles), or as design-time objects (HDI roles). HDI roles are defined during application development using the SAP Business Application Studio. The HDI roles are not in scope for this learning journey.

Catalog Roles

A role administrator needs the ROLE ADMIN privilege to create catalog roles in the runtime of the SAP HANA system. These catalog roles can be created and assigned using SQL or using SAP HANA cockpit.

Roles can be revoked by the granting role administrator database user or another role administrator database user who has the ROLE ADMIN privilege.

If the granting role administrator database user is dropped (not necessarily the role creator), all roles that were granted by this role administrator database user are revoked.

Note

A user with ROLE ADMIN can't revoke roles granted by technical users SYS and _SYS*.

The Runtime (Catalog) roles have the following properties:

  • Roles cannot be transported between systems.
  • There is no version management.
  • Roles are owned by the database user who creates them.
  • Roles are granted directly by the database user using the SQL GRANT and REVOKE statements.

Demonstration - Create Catalog Roles Using SAP HANA Cockpit

Using SQL to Create Roles

The following is the SQL reference documentation for the CREATE ROLE statement.

SQL

CREATE ROLE <role_name> [ SET ROLEGROUP <rolegroup_name> ] [ LDAP GROUP <ldap_group_list> ] [ NO GRANT TO CREATOR ]

The following example shows how to create the role Admin_Resource.

Code Snippet

CREATE ROLE Admin_Resource;
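Creating an empty role is only the first step; the role is useful once privileges are bundled into it and the role, rather than the individual privileges, is granted to users. The following added example (not part of the SAP lesson) builds on the Admin_Resource role above: it grants a system privilege and an object privilege to the role, grants the role to a user, inspects the result through the catalog views, and finally revokes the role. The user name ADMIN_USER1 and the schema name SALES are assumptions chosen for this illustration; RESOURCE ADMIN is an SAP HANA system privilege.

```sql
-- Added example, not from the SAP lesson. ADMIN_USER1 and SALES are assumed names.

-- 1. Bundle privileges into the role created above.
GRANT RESOURCE ADMIN TO Admin_Resource;            -- system privilege
GRANT SELECT ON SCHEMA SALES TO Admin_Resource;    -- object privilege on an assumed schema

-- 2. Grant the role, not the single privileges, to the user.
--    WITH ADMIN OPTION is deliberately omitted so the user cannot pass the role on.
GRANT Admin_Resource TO ADMIN_USER1;

-- 3. Check the grant and note the GRANTOR: if the granting role administrator
--    is dropped, every role that user granted is revoked.
SELECT GRANTEE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME = 'ADMIN_RESOURCE';

-- 4. Privileges contained in the role itself.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'ADMIN_RESOURCE';

-- 5. Privileges the user ends up with, and through which grantee they arrive.
SELECT USER_NAME, GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'ADMIN_USER1';

-- 6. Withdraw the access in one step; the privileges inside the role are untouched
--    and remain available to any other grantee of the role.
REVOKE Admin_Resource FROM ADMIN_USER1;
```

Unquoted identifiers are stored in upper case, which is why the WHERE clauses compare against 'ADMIN_RESOURCE' and 'ADMIN_USER1'. Running step 5 before and after the REVOKE shows the whole privilege set disappearing for the user at once, which is the practical reason the lesson recommends roles over direct privilege grants.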

Grouping Roles in Role Groups

The image shows the use of role groups.

In the SAP HANA cockpit role management application, it's also possible to group roles together in a Role Group with a single name. This Role Group name can later be used to search for roles in the SAP HANA cockpit role assignment application.

Note

You'll use the Role Group name to find roles, but the separate roles will still be assigned to the user, the Role Group will not be added.

Below is the SQL reference documentation for the CREATE ROLEGROUP statement.

SQL

CREATE ROLEGROUP <rolegroup_name> [ NO GRANT TO CREATOR ] [ ENABLE ROLE ADMIN ]

The following example shows how to create the role group Admin_Senior and assign the new roles Admin_Inifiles and Admin_Backup, as well as the existing role Admin_Resource, to the role group.

SQL

CREATE ROLEGROUP Admin_Senior;
CREATE ROLE Admin_Inifiles SET ROLEGROUP Admin_Senior;
CREATE ROLE Admin_Backup SET ROLEGROUP Admin_Senior;
ALTER ROLE Admin_Resource SET ROLEGROUP Admin_Senior;

Use the role group in SAP HANA cockpit to find the included roles, and individually assign them to users.

Summary

In this lesson you learned why using authorization roles is better than assigning privileges directly to a user account. You also learned how to create user roles and how you can group them in role groups for easier role management.
