Skip to Content
avatar image
Former Member

Privileges on CRUD Method in XSODATA for user


We have a SAPUI5 app which is using an XSOdata service to retrieve a list of associate name and provides option to create & update (the associate table) via odata custom modification exits.

I try to create several roles to restrict my normal user to the the CRUD operations, what I do is that I gave only a SELECT privilege on the table required (assuming other required object privileges are given), I tested my app, and tried to update my record through the custom modification exits (using UPDATE sql) and it updates the record. (Basically I am wondering why my user can still updates the record in the table even though it only has the privilege to SELECT)

However based on my assumption you can only select and retrieve the list, and cannot do any modification exits since there is no privilege the insert or update the table and should return "Service exception: [258] insufficient privilege". Any idea what is happening? any help will be appreciated.


Add comment
10|10000 characters needed characters exceeded

  • Please can you shed some more light on your question. At the moment it is a little bit confusing.

    You have only defined SELECT privileges for the user, then you do a insert or update and you are wondering about the exception? Or what is the exact point you wanna know.


  • Former Member

    upss.. sorry I missed one or two sentences I think. Question updated.

    Basically I am wondering why my user still can update the record through the modification exit even though only SELECT privilege is given to the user.



  • Get RSS Feed

1 Answer

  • Sep 26, 2017 at 11:18 AM

    Hi Hans Yustiawan,

    By default, all entity sets and associations in an OData service are writable, that is they can be modified with a CREATE, UPDATE, or DELETE requests. However, you can prevent the execution of a modification request by setting the appropriate keyword (create, update, or delete) with the forbidden option in the OData service definition.

    For example you can prevent CREATE, UPDATE, or DELETE requests. to table "myTable" exists in schema "myschema"

    service {

    "myschema"."myTable" as "myTableService"

    create forbidden

    update forbidden

    delete forbidden;


    for more details you can refer sap hana developer guide



    Add comment
    10|10000 characters needed characters exceeded