cancel
Showing results for 
Search instead for 
Did you mean: 

.hdbrole - catalog sql object privilege assignment using wildcards?

former_member182411
Active Participant
0 Kudos

Hi everyone,

I have got a question related to authorizations and roles. Imagine the following scenario: you have got an SAP HANA based ABAP system (e.g. SuiteOnHANA or BWonHANA), therefore with a database schema for this ABAP system - let's call it SAPA4H.

You have a group of developers who want to implement SAP HANA native views based on database tables which reside in the schema SAPA4H.

No big deal.

But you do not want to give them permissions to all tables within that schema, you want to restrict the permission by defining an authorization object (role) which only contains the tables they are allowed to read. But it's a larger number of tables so maintaining them all manually within the repository role is much effort, e. g. all tables which start with /BIC/*.

So you think that the solution could look like this:


catalog sql object "SAPA4H"."/BIC/*": SELECT;

But it doesn't work.

My question is: is it possible to define an object privilege with a wildcard? Or any alternative approach?

Thanks a lot for your help.

Martin

Accepted Solutions (1)

Accepted Solutions (1)

lbreddemann
Active Contributor

A wildcard for privilege assignment is not possible (think a bit more about it and you'll find that this would lead to very ugly situations - even without something like this the situation is messy enough).

You can either provide privileges on schema level or you defined it on table/view level.

For what you want to do I'd recommend to create a role and a script that grants the privileges for all the objects you like to see included to that role. That's easy-cheesy scripting.

You can even write a simple SQL that generates all the GRANT statements for you.

- Lars

former_member182411
Active Participant
0 Kudos

Hi Lars,

thank you for your quick and helpful reply. I thought about writing a script but as I assume that for role-admins the best way is to do it by a SQL statement for copy&paste purposes as not everybody can execute scripts on their machine due to security constraints and will be re-useable when going to WebIDE (I do not know if there are hooks for integrating custom functions like it's possible within Eclipse - let's see).

I just hoped that there is something similar to ABAP role management where wildcards are widely used.

Thanks again.

Best regards

Martin

Answers (0)