Skip to Content
avatar image
Former Member

Access XS Classic Schema from XSA HDI container

Nov 03, 2017 at 08:55 AM | 495 Views

Hello,

I have an existing XS Classic Schema (MY_XS_CLASSIC_SCHEMA) created via a .hdbschema file in my HANA system.

I need to access the tables in this existing XS Classic schema from a new XS Advanced HDI container (MYHDI)

I defined a user provided service for this purpose. This service was created using a HANA database user (XS_CLASSIC_USER) that has SELECT access to the existing XS classic Schema.

The mta.yaml file was modified to add the user provided service and a .hdbgrant file is defined in the HDI container.

Now when i build the HDI container i get the below error.

Error: Error executing: GRANT "SELECT" ON SCHEMA "MY_XS_CLASSIC_SCHEMA" TO "MYHDI_HDI_MYHDIDBMODULE_1#OO";(nested message: insufficient privilege: Not authorized)

The user I used to create the User Provided Service has the SELECT access for the XS classic schema but don't have the GRANTABLE option. Is that the issue?

If yes then how can I create a HANA data base user in XS Classic which has a SELECT object privilege to a hdbschema with GRANTABLE option? I tried logging in with the SYSTEM user and running the below command but it fails with an authorization issue.

GRANT SELECT on schema MY_XS_CLASSIC_SCHEMA to XS_CLASSIC_USER WITH GRANT OPTION.


Thanks for your help,

Lijo John

SAP HANA
hana development | xs advanced | cross container
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • avatar image
    Michael Healy
    Nov 03, 2017 at 11:24 PM

    you need to get the original owner of the schema to grant the select to the new user with GRANTABLE TO OTHERS.

    SYSTEM will also fail. SYSTEM is not GOD user, only the owner can grant other users the ability to grant further.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member
      Nov 06, 2017 at 04:26 PM

      Hi Michael,

      The problem here is that the XS classic Schema is defined in a .hdbschema file. My understanding is that in such cases the generated runtime schema is owned by _SYS_REPO and there is no way I can login as the SCHEMA user and provide GRANTABLE access to other others.

  • avatar image
    Michael Healy
    Nov 06, 2017 at 08:06 PM

    If you look here:

    https://blogs.sap.com/2015/10/11/troubleshooting-sap-hana-authorisation-issues/

    It states:

    Please be aware that if you find that the owner of an object is _SYS_REPO, this is not as straight forward as logging in as _SYS_REPO as this is not possible because SYS_REPO is a technical database user used by the SAP HANA repository. The repository consists of packages that contain design time versions of various objects, such as attribute views, analytic views, calculation views, procedures, analytic privileges, and roles. _SYS_REPO is the owner of all objects in the repository, as well as their activated runtime versions.

    You have to create a .hdbrole file which which gives the access ( Development type of role, giving select, execute, insert etc access) on this schema. You then assign this role to the user who is trying to access the object.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Dirk Raschke
    Nov 06, 2017 at 08:20 PM

    I got it to run on this way...

    https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/2.0.02/en-US/402944b21b7c4d60a825b3ac69479955.html

    Add comment
    10|10000 characters needed characters exceeded