on 03-05-2018 12:14 PM
Hi all,
The SAP recommendation for creating roles is that we create repository roles because they can be transported between systems etc.
OK, we'd switched from catalog roles to repository roles that can only be created via the web editor.
The main problem that I've encountered is that with repo roles you can't grant those privileges, because there is no option, and when you check that role in Hana Studio the "grantable" option appears as "no" and is greyed out.
So, I use catalog roles for generic users from a project and I add privileges by hand, not using repo roles because there is not that option.
And why don't I use repo roles for some users? The answer is because the
from a schema must use grantable option for working.
Take a look at the picture. The user has privileges for SELECT, INSERT, UPDATE, but without the grantable option. And that's why it appears in red.
The only way that I have to run that procedure correctly is by assigning the privileges in Hana Studio with the grantable option.
Can someone explain to me why repo roles can't have the grantable option?
Thanks in advance,
David
Florian already pointed to the relevant discussion from years back and the same line of explanation can be found in the product documentation, too (https://help.sap.com/viewer/b3d0daf2a98e49ada00bf31b7ca7a42e/2.0.02/en-US/56042042bc824e04b7755191034ec80a.html#loio56042042bc824e04b7755191034ec80a__section_rdh_cbc_jq).
The bottom line is: with the GRANT OPTION your hopefully nicely designed set of roles that should help control who has which privileges can easily become unmanageable. When everyone can "forward" the privileges received, there is no control. That's similar to giving someone keys to your house and saying "just make copies of the keys and tell your friends to do the same".
There are, however, situations where you really want to be able to do just that. In such a case, "break the glass" and read my blog post:
https://blogs.sap.com/2018/03/07/how-to-give-what-you-dont-have/
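To see how far "key copying" has already gone in a system, the catalog can be queried for privileges held WITH GRANT OPTION and for grants that were passed on by such holders. This is an added example, not part of the original thread or of SAP's documentation; it assumes read access to the `SYS.GRANTED_PRIVILEGES` view, uses `MY_SCHEMA` as a placeholder schema name, and treats `SYS`, `SYSTEM` and `_SYS_REPO` as expected holders (an assumption to adjust per system).

```sql
-- 1) Who can forward privileges on the schema?
--    IS_GRANTABLE = 'TRUE' marks a privilege granted WITH GRANT OPTION.
SELECT gp.GRANTEE,
       gp.GRANTEE_TYPE,      -- USER or ROLE
       gp.GRANTOR,
       gp.SCHEMA_NAME,
       gp.OBJECT_NAME,       -- NULL for schema-level grants
       gp.PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES gp
 WHERE gp.IS_GRANTABLE = 'TRUE'
   AND gp.SCHEMA_NAME  = 'MY_SCHEMA'                      -- placeholder
   AND gp.GRANTEE NOT IN ('SYS', 'SYSTEM', '_SYS_REPO')   -- assumed baseline
 ORDER BY gp.GRANTEE, gp.OBJECT_NAME, gp.PRIVILEGE;

-- 2) Which grants were handed on by someone who only received the
--    privilege WITH GRANT OPTION themselves (second-hand grants)?
SELECT src.GRANTOR     AS ORIGINAL_GRANTOR,
       fwd.GRANTOR     AS FORWARDED_BY,
       fwd.GRANTEE     AS FORWARDED_TO,
       fwd.SCHEMA_NAME,
       fwd.OBJECT_NAME,
       fwd.PRIVILEGE,
       fwd.IS_GRANTABLE AS CAN_FORWARD_AGAIN
  FROM SYS.GRANTED_PRIVILEGES fwd
  JOIN SYS.GRANTED_PRIVILEGES src
    ON src.GRANTEE      = fwd.GRANTOR
   AND src.PRIVILEGE    = fwd.PRIVILEGE
   AND src.SCHEMA_NAME  = fwd.SCHEMA_NAME
   AND IFNULL(src.OBJECT_NAME, '') = IFNULL(fwd.OBJECT_NAME, '')
   AND src.IS_GRANTABLE = 'TRUE'
 WHERE fwd.SCHEMA_NAME  = 'MY_SCHEMA'                     -- placeholder
   AND fwd.GRANTOR NOT IN ('SYS', 'SYSTEM', '_SYS_REPO')  -- assumed baseline
 ORDER BY fwd.GRANTOR, fwd.GRANTEE, fwd.PRIVILEGE;
```

Rows from the second query with `CAN_FORWARD_AGAIN = 'TRUE'` are the grants that can spread further without going through the role design.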
Hi Lars "HanaMaster" Breddemann,
Yesterday I was looking at LinkedIn (I'm one of your followers) and I saw "How to give what you don't have", but I didn't have time to read it. I will take a look.
Thanks for the "lower level" explanation of the example of the house keys, clearly explained.
Sorry for re-asking the question, but I was unable to find that it had been answered some years ago.
Thx Lars.