
How to secure information views in SAP HANA



As more and more organizations implement SAP HANA native, S4/HANA or sidecar solutions, the need to understand how to provide access to and secure information views has emerged. The intent of this article is to provide the reader with a few technical details relevant to securing SAP HANA information views.

Before we describe how to secure an information view, let’s quickly define the various information views that are available within SAP HANA.

Attribute Views

Attribute Views are created to serve as a reusable type of view. Developers will create Attribute Views to represent items such as customers, products, dates, salespersons and cost centers. Once activated, they can be joined to one or more analytic view data foundations. Within an attribute view we can also create Hierarchies.

Analytic Views

Analytic Views are created to serve as the SAP HANA Cube. When designing the analytic view, developers will design a data foundation using…


Categories: HANA
  1. Kevin Geiger
    April 15, 2015 at 11:41 am

    Hi Jonathon, do you know if there is any way to wildcard the object privilege for the column view objects? We build Roles in the Project Explorer (rev. 94) as repository objects. We have package/content paths like CMPYNM.RGN.Sales/… and CMPYNM.RGN.Invtry/… I would like to create a role that exposes all column views in CMPYNM.RGN.Sales/* (including any subfolders). The wide open SELECT, EXECUTE for _SYS_BIC is just a little too wide open for us.

    Best Regards

    • April 16, 2015 at 9:00 am

      Hi Kevin,

      HANA does not support wildcards when assigning object privileges. However, you can easily create a stored procedure that recursively assigns the privileges based on an input parameter containing the starting point of the package hierarchy and a wildcard. The column view metadata is stored in a table. Therefore you can query the table with a filter and create a cursor to dynamically assign the specific object privileges to a role / user. The trick is to make sure that _SYS_REPO is the grantor using the GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT procedure.

      As an alternative, you can utilize repository roles and a similar technique to develop a script to list the individual privileges in the .hdbrole syntax. This will help you maintain the role privileges each time a developer makes a change. Because they are contained in a repository role, _SYS_REPO will always own them.

      Quick Reference:
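
The repository-role alternative described in the reply above, sketched as an added example (not code from the post or from SAP): a script that turns a list of repository objects into explicit `.hdbrole` entries for one package tree. The `(package, name, suffix)` row layout, the sample rows and the role name `CMPYNM.RGN.roles::SalesViewer` are assumptions made for illustration, and the `sql object package:name.suffix: SELECT;` line format should be checked against the .hdbrole reference for your revision.

```python
import re

# Repository object suffixes that activate to column views.
VIEW_SUFFIXES = {"attributeview", "analyticview", "calculationview"}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.]+$")


def in_package_tree(package_id, root):
    """True for the root package and its sub-packages only.

    A bare prefix test would also match CMPYNM.RGN.SalesOps for the root
    CMPYNM.RGN.Sales and silently over-grant.
    """
    return package_id == root or package_id.startswith(root + ".")


def build_hdbrole(role_name, root, objects, privilege="SELECT"):
    """Return .hdbrole text granting `privilege` on every view under `root`.

    `objects` is an iterable of (package_id, object_name, object_suffix) rows,
    e.g. exported from the repository metadata table (layout is an assumption).
    """
    lines = []
    for package_id, name, suffix in sorted(set(objects)):
        if suffix not in VIEW_SUFFIXES or not in_package_tree(package_id, root):
            continue
        # Refuse names that could break out of the generated statement.
        if not (_SAFE_NAME.match(package_id) and _SAFE_NAME.match(name)):
            raise ValueError(f"unexpected characters in {package_id}:{name}")
        lines.append(f"    sql object {package_id}:{name}.{suffix}: {privilege};")
    if not lines:
        raise ValueError(f"no views found under {root}")
    return "role " + role_name + " {\n" + "\n".join(lines) + "\n}\n"


# Constructed sample rows, using the package paths mentioned in the question.
SAMPLE_OBJECTS = [
    ("CMPYNM.RGN.Sales", "AN_ORDERS", "analyticview"),
    ("CMPYNM.RGN.Sales.EU", "CV_MARGIN", "calculationview"),
    ("CMPYNM.RGN.Sales", "AT_CUSTOMER", "attributeview"),
    ("CMPYNM.RGN.Sales", "load_orders", "hdbprocedure"),   # not a view
    ("CMPYNM.RGN.SalesOps", "AN_QUOTA", "analyticview"),   # sibling package
    ("CMPYNM.RGN.Invtry", "AN_STOCK", "analyticview"),     # other tree
]

if __name__ == "__main__":
    print(build_hdbrole("CMPYNM.RGN.roles::SalesViewer",
                        "CMPYNM.RGN.Sales", SAMPLE_OBJECTS))
```

Regenerating the file after each repository change and reviewing the diff shows exactly which views a role gained or lost.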
