Creating SAP HANA Cloud Roles

In this lesson, you'll learn about creating SAP HANA Cloud roles and assign them to database users.

As a database administrator, you want to create SAP HANA Cloud roles and assign them to SAP HANA Cloud database user accounts.

To perform operations in the SAP HANA database, a database user must have the necessary privileges. Users must have both the privileges to perform the operation and to access the resources (such as schemas and tables) to which the operation applies. Privileges can be granted to database users either directly, or indirectly through roles that they've been granted. In this case, the privileges are inherited. Roles are the standard mechanism of granting privileges to users.

Several privilege types are used in SAP HANA.

System privileges control general system activities. They're mainly used for administrative purposes, such as creating schemas, creating and changing users and roles, performing data backups, managing licenses, and so on.

Object privileges are used to allow access to and modification of database objects, such as tables and views. Depending on the object type, different actions can be authorized (for example, SELECT, CREATE ANY, ALTER, DROP, and so on).

Analytic privileges are used to control read access to data in SAP HANA information models pending on certain values or combinations of values.

ATTACH DEBUGGER is the only privilege that can be granted to a user.

For example, User A can grant User B the privilege ATTACH DEBUGGER to allow User B debug SQLScript code in User A's session. User A is the only user who can grant this privilege. Note that User B also needs the object privilege DEBUG on the relevant SQLScript procedure.

A database role is a collection of privileges that can be assigned to either a database user or another role in runtime. You can create and assign roles in the SAP HANA cockpit.

A role typically contains the privileges required for a particular function or task, for example:

• Business end users reading reports using client tools such as Microsoft Excel
• Modelers creating models and reports
• Database administrators operating and maintaining the database and its users

Privileges can be granted directly to users of the SAP HANA database. However, roles are the standard mechanism of granting privileges as they allow you to implement complex, reusable authorization concepts that can be modeled on business roles.

Roles in the SAP HANA database can exist as runtime objects only (catalog roles), or as design-time objects that become catalog objects on deployment (database artifact with file suffix .hdbrole).

A role administrator needs the ROLE ADMIN privilege to create catalog roles in the runtime of the SAP HANA system. These catalog roles can be created and assigned using SQL or using SAP HANA Cockpit.

Roles can be revoked by the granting role administrator database user or another role administrator database user who has the ROLE ADMIN privilege.

If the granting role administrator database user is dropped (not necessarily the role creator), all roles that were granted by this role administrator database user are revoked.

You can create a new role directly in runtime and grant it the privileges and roles necessary for the task or function that it represents on the Role page of the SAP HANA cockpit.

The Runtime (Catalog) roles have the following properties:

• Roles cannot be transported between systems.
• There is no version management.
• Roles are owned by the database user who creates them.
• Roles are granted directly by the database user using the SQL GRANT and REVOKE statements.

Design-time roles can be created using the SAP Web IDE Full-Stack, for example, and deployed using SAP HANA deployment infrastructure (SAP HANA DI, or HDI).

Due to the container-based model of HDI where each container corresponds to a database schema, HDI roles, once deployed, are schema-specific. An HDI container can be seen as a database schema and there can be multiple HDI containers within the SAP HANA database.

All database objects deployed within the container are owned by the container-specific technical user.

The Design-Time roles have the following properties:

• Roles can be transported between systems.
• Roles are developed as design-time objects within a project stored in a repository.
• Roles are owned by the object owner of the container.
• Any container or container group administrator with the EXECUTE privilege on these procedures can grant and revoke roles. Any user with the system privilege ROLE ADMIN can also grant and revoke roles.

In the SAP HANA Cockpit Role Management application, it's also possible to group rules together in a Role Group with a single name. This Role Group name can later be used to search for roles in the SAP HANA Cockpit Role Assignment application.