on 05-17-2016 10:57 PM
Hi All,
I don't have access to a few schemas in the system. But while creating models (AT/AN/CA), when I search for tables, I see tables from the schemas for which I don't have access. I'm able to add them, activate the model and view data as well. How can we restrict this?
To my understanding, when I don't have access to a schema, I shouldn't be able to view data of models built on it as well. Has anyone tried this? Is this the way HANA security works or am I missing some privileges?
Regards,
Chandra.
Hi Chandra,
Below are my thoughts on your queries.
Point 1: I don't have access to a few schemas in the system. But while creating models (AT/AN/CA), when I search for tables, I see tables from the schemas for which I don't have access. I'm able to add them, activate the model and view data as well.
Answer: When we want to use any schema / tables in a HANA view, the system user _SYS_REPO needs to have SELECT access on that specific schema, since all the repository objects are owned by _SYS_REPO. Individual users need not have access to all the schemas. In your case you are able to use those schemas / tables in the HANA models because _SYS_REPO must have access to those schemas.
Point 2: How can we restrict this?
Answer: If you need to restrict the access to the data in tables (row level security), then it should be implemented using Analytic privileges on the HANA views.
Hope it helps.
regards,
Varma
Hi Varma,
Yes, it is because of granting SELECT WITH GRANT to _SYS_REPO. But we can't restrict access to _SYS_REPO by removing the GRANT option (giving SELECT WITHOUT GRANT) because that user should have SELECT WITH GRANT for data preview to work. The issue is not about row level security to implement Analytic Privileges.
If models are created on schemas for which I don't have access, data preview should not work. How do we achieve this?
Regards,
Chandra.
Please be more specific. What are those tables and schemas you normally don't have access to but that you can use in the modelling editor?
Are those objects activated repository objects or catalog objects?
What roles and system privileges are assigned to your user?
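The questions in the reply above can be answered from the HANA catalog views. The queries below are an added example, not part of the thread: MODELER_USER and SALES_SCHEMA are placeholder names, and the check on _SYS_BIC assumes data preview goes through the activated column views in that schema.

```sql
-- Added example. Placeholders (hypothetical names, replace before running):
--   MODELER_USER : the user who can preview data unexpectedly
--   SALES_SCHEMA : a schema that user has no direct grant on

-- 1. Does _SYS_REPO hold SELECT on the schema, and with grant option?
--    This is the grant the thread identifies as the reason models activate.
SELECT grantee, grantor, object_type, schema_name, object_name,
       privilege, is_grantable
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE grantee     = '_SYS_REPO'
   AND schema_name = 'SALES_SCHEMA'
   AND privilege   = 'SELECT';

-- 2. What can the user reach on the source schema and on _SYS_BIC,
--    counting privileges inherited through roles?
--    EFFECTIVE_PRIVILEGES needs an equality filter on USER_NAME.
SELECT grantee, grantee_type, grantor, object_type, schema_name,
       object_name, privilege, is_grantable
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE user_name   = 'MODELER_USER'
   AND schema_name IN ('SALES_SCHEMA', '_SYS_BIC')
 ORDER BY schema_name, object_name, privilege;

-- 3. Which roles are granted to the user, and by whom?
SELECT role_name, grantor, is_grantable
  FROM "SYS"."GRANTED_ROLES"
 WHERE grantee = 'MODELER_USER'
 ORDER BY role_name;

-- 4. Everything granted directly to the user (system privileges,
--    object privileges, analytic privileges), grouped by type.
SELECT object_type, schema_name, object_name, privilege, grantor
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE grantee = 'MODELER_USER'
 ORDER BY object_type, schema_name, object_name;
```

An empty result for SALES_SCHEMA in query 2 together with a SELECT row on _SYS_BIC shows the user reading the data through the activated view rather than through the source tables.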