
Better way to restrict end user access to a group of HANA views?

May 23, 2017 at 06:09 AM

Former Member

Hi,

I want to restrict end-user (for example, AFO users) access to a group of HANA views.

A known method is to create a role like the following, which gets SELECT access to views by granting it view by view (view CTS_TEST.BILLING/ZORBL101 in the example below).

And then assign this role together with role RESTRICTED_USER_JDBC_ACCESS to a user.

role wow.security.roles.reporting::AFO_role {
    catalog sql object "_SYS_BIC"."CTS_TEST.BILLING/ZORBL101": SELECT;
    catalog schema "_SYS_BI": SELECT;
    analytic privilege: Project_AFO:AP_AFO.analyticprivilege;
}

The downside of this approach is that you need to modify the role every time a new view is to be exposed to end users.

Based on my check, a wildcard for privilege assignment is not supported, which means we can NOT have something like

catalog sql object "_SYS_BIC"."CTS_TEST.BILLING/ZORBL*": SELECT;

in a role definition.

Besides, package privilege is only about design time objects for modellers in HANA Studio, which can’t give access to runtime objects for end users.

Is there any other option to make this process easier and avoid changing the role when you get new views to expose to end users?

Thanks!

Matt


0 Answers