
Restrict access to schema/tables

former_member186082
Active Contributor
0 Kudos

Hi All,

I don't have access to a few schemas in the system. But while creating models (AT/AN/CA), when I search for tables, I see tables from the schemas for which I don't have access. I'm able to add them, activate the model and view data as well. How can we restrict this?


To my understanding, when I don't have access to a schema, I shouldn't be able to view data of models built on it as well. Has anyone tried this? Is this the way HANA security works or am I missing some privileges?

Regards,

Chandra.

Accepted Solutions (0)

Answers (2)

varma_narayana
Active Contributor
0 Kudos

Hi Chandra,

Below are my thoughts on your queries.

Point 1: I don't have access to a few schemas in the system. But while creating models (AT/AN/CA), when I search for tables, I see tables from the schemas for which I don't have access. I'm able to add them, activate the model and view data as well.

Answer: When we want to use any schema / tables in a HANA view, the system user _SYS_REPO needs to have SELECT access on that specific schema, since all the repository objects are owned by _SYS_REPO. Individual users need not have access to all the schemas. In your case you are able to use those schemas / tables in the HANA models because _SYS_REPO must have access to those schemas.


Point 2: How can we restrict this?


Answer: If you need to restrict access to the data in tables (row-level security), then it should be implemented using Analytic Privileges on the HANA views.


Hope it helps.


regards,

Varma

former_member186082
Active Contributor
0 Kudos

Hi Varma,

Yes, it is because of granting SELECT WITH GRANT to _SYS_REPO. But we can't restrict access to _SYS_REPO by removing the GRANT option (giving SELECT WITHOUT GRANT) because that user should have SELECT WITH GRANT for data preview to work. The issue is not about row-level security to implement Analytic Privileges.

If models are created on schemas for which I don't have access, data preview should not work. How do we achieve this?

Regards,

Chandra.

former_member183326
Active Contributor
0 Kudos

As already stated, an analytical privilege should be used to restrict access.

lbreddemann
Active Contributor
0 Kudos

Please be more specific. What are those tables and schemas you normally don't have access to but that you can use in the modelling editor?

Are those objects activated repository objects or catalog objects?

What roles and system privileges are assigned to your user?

former_member186082
Active Contributor
0 Kudos

Hi Lars,

Those schemas are custom-created, holding sensitive data. Users (like me) who don't have access to these schemas can still see data by creating models on top of them, as I mentioned earlier. We need to restrict that access as well.

These are the system privileges assigned to me.

Regards,

Chandra.

former_member186082
Active Contributor
0 Kudos

Lars, in addition to these System Privileges, users have _SYS_BI_CP_ALL.

Regards,

Chandra.
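
An added example, not part of any post in the thread: audit queries an administrator could run to see the two grants the thread names, SELECT WITH GRANT on schemas for _SYS_REPO and the _SYS_BI_CP_ALL analytic privilege. They read the SYS.GRANTED_PRIVILEGES and SYS.EFFECTIVE_PRIVILEGES system views; the user name MODELER_USER is a constructed placeholder.

```sql
-- 1. Schemas on which _SYS_REPO holds SELECT, and whether the
--    privilege is grantable (the "WITH GRANT" case from the thread).
SELECT SCHEMA_NAME, PRIVILEGE, IS_GRANTABLE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE     = '_SYS_REPO'
   AND OBJECT_TYPE = 'SCHEMA'
   AND PRIVILEGE   = 'SELECT'
 ORDER BY SCHEMA_NAME;

-- 2. Users and roles that were directly granted _SYS_BI_CP_ALL.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_NAME = '_SYS_BI_CP_ALL'
 ORDER BY GRANTEE_TYPE, GRANTEE;

-- 3. Whether one specific user ends up with _SYS_BI_CP_ALL, including
--    through nested roles. EFFECTIVE_PRIVILEGES must be filtered by
--    USER_NAME. MODELER_USER is a placeholder, not a name from the thread.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, OBJECT_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'MODELER_USER'
   AND OBJECT_NAME = '_SYS_BI_CP_ALL';
```

Rows from query 1 for the sensitive schemas, combined with a hit in query 2 or 3 for a modelling user, match the situation described in the thread.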