15 Replies. Latest reply: Oct 2, 2013 2:59 PM by Nidhi Pujara

Adding new "roles" in HANA system

Avijit Dey

Hello,

 

Is there a way to drop old "roles" from the Security tab in the HANA system and add a new one?

 

In my first project I had created my repository with new roles and shared the project. Later I deleted the entire project and repository and created a new one. But I can still find that a few items are still available in the repository and in the content folder. I am able to delete those items. After creating a new project with a new schema and user role, I was trying to assign the same, but I am able to locate the old "roles". The one I have newly created is not showing at all.

 

Can you help me resolve this issue?

 

Thanks

Avijit

  • Re: Adding new "roles" in HANA system

    The CREATE ROLE statement creates a new role.

    Only database users with the system privilege ROLE ADMIN are allowed to create roles.

    The specified role name must not be identical to the name of an existing user or role.

     

    A role is a named collection of privileges and can be granted to either a user or a role. If you want to allow several database users to perform the same actions, you can create a role, grant the needed privileges to this role, and then grant the role to the database users.

    Every user is allowed to grant privileges to an existing role, but only users having system privilege ROLE ADMIN are allowed to grant roles to roles and users.

     

    An alternative method is to create a new role, e.g. CAL_USERS, and add the role to applicable users. Within SAP HANA it is recommended practice to use roles to manage authorisation. A role is a collection of privileges and can be granted to either a user or another role (nesting roles).

    “All the privileges granted directly or indirectly to a user are combined. This means whenever a user tries to access an object, the system performs an authorisation check using the user, the user’s roles, and directly allocated privileges. It is not possible to explicitly deny privileges. This means that the system does not need to check all the user’s roles. As soon as the requested privilege has been found, the system aborts the check and grants access.”[1]

    This directly affects the view or result of your data and is a common reason why Analytic Privileges appear not to work, as some indirect route may still exist to allow the action.

    To create a new role navigate to Catalog > Authorization > Roles – right click and click

     


     

     

    Regards

    NK
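
The role workflow described in the reply above, as an added example that is not part of the original thread: a catalog role is created, given a privilege and granted to a user, and the system views are then queried to list every route by which that user holds the privilege. CAL_USERS is the role name from the reply; CAL_SCHEMA and REPORT_USER are assumed placeholder names.

```sql
-- Added example; CAL_SCHEMA and REPORT_USER are assumed placeholder names.
-- Creating, granting and dropping roles requires the ROLE ADMIN system privilege.

-- 1. Create the role and give it one object privilege.
--    (The grantor must own the schema or hold SELECT on it with grant option.)
CREATE ROLE CAL_USERS;
GRANT SELECT ON SCHEMA CAL_SCHEMA TO CAL_USERS;

-- 2. Grant the role to a user (roles can also be granted to other roles).
GRANT CAL_USERS TO REPORT_USER;

-- 3. Privileges are additive and cannot be denied, so list every route
--    (direct grant or role) by which the user holds SELECT on the schema.
--    More than one row means revoking a single grant will not remove access.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR, PRIVILEGE, IS_GRANTABLE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'REPORT_USER'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = 'CAL_SCHEMA'
   AND PRIVILEGE   = 'SELECT';

-- 4. Show the role nesting that produces those routes.
SELECT ROLE_NAME, GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.EFFECTIVE_ROLES
 WHERE USER_NAME = 'REPORT_USER';

-- 5. Clean up: revoke the role and drop it.
REVOKE CAL_USERS FROM REPORT_USER;
DROP ROLE CAL_USERS;
```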

    • Re: Adding new "roles" in HANA system
      Avijit Dey

      Hello,

       

      I have the system privilege to create a role.

       

      My question was to drop a role which was already created. And I have already created a new one which is not showing when I am trying to locate the same.

       

      Thanks

      Avi

      • Re: Adding new "roles" in HANA system
        Nidhi Pujara

        Hi,

         

        Right click on the role you would like to drop under Security->Role and select 'Delete' from the context menu.

         

        Are you refreshing the Roles node before you check for the newly created role?

         

        BR,

        Nidhi

        • Re: Adding new "roles" in HANA system
          Avijit Dey

          Hi,

           

          I have tried this and other alternative steps to drop a particular role which was created earlier.

          I am getting an error saying "insufficient privilege". Cannot drop activated roles. I have the system privilege to create a role. Moreover, the one I have newly created is not showing up.

           

          Not able to figure out the issue behind it.

           

          Avi

          • Re: Adding new "roles" in HANA system
            Nidhi Pujara

            Okay. This should work if you have the ROLE ADMIN privilege, which you say you have.

            What message do you get when you save your newly created role?

             

            Nidhi

            • Re: Adding new "roles" in HANA system
              Avijit Dey

              I have already created my new role through internal coding in my project explorer. I did the same for my old role too. In the context menu, when I right click on roles to find/user role, I am not able to locate the same, but I am able to locate the old roles. I am getting an error message saying "insufficient privilege" while deleting the role.

              • Re: Adding new "roles" in HANA system
                Nidhi Pujara

                Just out of curiosity (I'm a HANA beginner myself), why would you need to create a new role in explorer?

                 

                Have you tried creating a role with the same privileges from Navigator?

                If that works, there must be some issue with your code.

                But, if you get the "insufficient privilege" error again, I think the problem lies in the privileges you've been assigned.

                 

                Nidhi

                • Re: Adding new "roles" in HANA system
                  Avijit Dey

                  Well, there are two ways you can create roles and assign their privileges.

                   

                  1. By right clicking on roles from the context menu (Navigator/SAP HANA systems), and

                  2. When you create a project and assign it to a repository and then inside the folder of the project create files called .xsaccess and .xsprivileges. In the .xsprivileges file you will provide your schema name and project information apart from your user information.

                   

                  I too am a HANA beginner. But I was able to grasp a lot of information in a short span of time. Gonna sit for the cert exam. Hope this helps!

                   

                  And yes, maybe the problem lies in the privileges I've been assigned, or maybe some internal issues. I am using the AWS HANA dev trial period.

                   

                  Thanks anyways!!

                  Avijit

                  • Re: Adding new "roles" in HANA system
                    Thomas Jung

                    >2. When you create a project and assign it to a repository and then inside the folder of the project create files called .xsaccess and .xsprivileges. In the .xsprivileges file you will provide your schema name and project information apart from your user information.

                     

                    That's not right at all. In the xsprivileges file you define possible application privileges which can be checked at runtime when content is accessed via HTTP (via the XSEngine). In the xsaccess file you assign these application privileges to your package hierarchy. However, neither of these artifacts has anything to do with schemas or the creation of a role.



                    You create a role in the repository via the artifact hdbrole. This is where you grant access to catalog objects, repository packages, and application privileges.
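
How a role activated from an hdbrole artifact differs from a catalog role at the SQL level, as an added example that is not part of the original thread. The role name acme.app::reader and the user REPORT_USER are assumed placeholders.

```sql
-- Added example; 'acme.app::reader' and REPORT_USER are assumed placeholders.

-- Roles activated from an hdbrole artifact are created by the repository
-- user _SYS_REPO; roles made with CREATE ROLE show the creating user instead.
-- A role missing from this list has not been activated successfully.
SELECT ROLE_NAME, CREATOR
  FROM SYS.ROLES
 WHERE CREATOR = '_SYS_REPO'
 ORDER BY ROLE_NAME;

-- A repository role is granted and revoked through _SYS_REPO procedures
-- rather than GRANT/REVOKE; the caller needs EXECUTE on each procedure.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('acme.app::reader', 'REPORT_USER');
CALL "_SYS_REPO"."REVOKE_ACTIVATED_ROLE"('acme.app::reader', 'REPORT_USER');

-- Confirm who holds the role and who granted it.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME = 'acme.app::reader';
```

A repository role is removed by deleting its hdbrole artifact in the repository and activating that deletion, which is why the catalog-level delete is refused for activated roles.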

                    • Re: Adding new "roles" in HANA system
                      Avijit Dey

                      Yes, you are right. Neither of these artifacts has anything to do with schemas or the creation of a role. You create a role in the repository via the artifact "hdbrole", which I had done too while developing my application, but I missed incorporating it in my earlier response.

                      Thanks for correcting me.

                      This is where I've granted access to catalog objects, repository packages, and application privileges.

                      I have newly created a role in the repository via the artifact hdbrole, which is not showing up while trying to grant access to catalog objects, repository packages, and application privileges.

                      I am unable to delete the role which I'd created earlier, and in the content folder of "role" the new role which I had newly created is not showing up. I even tried to find it in the Object privileges/SQL privileges section. I was able to add my new catalog object but not able to grant access to repository packages and application privileges.

                       

                      Regards

                  • Re: Adding new "roles" in HANA system
                    Nidhi Pujara

                    I cleared the exam today itself. All the best!
