
Why can't assign grantable privileges with repository roles?

david_fernndez2
Explorer

Hi all,

The SAP recommendation for creating roles is that we create repository roles because they can be transported between systems etc.


OK, we switched from catalog roles to repository roles, which can only be created via the web editor.


The main problem that I've encountered is that with repo roles you can't grant those privileges, because there is no option, and when you check that role in HANA Studio the "grantable" option appears as "no" and is greyed out.

So, I use catalog roles for generic users from a project and I add privileges by hand, not using repo roles because there is not that option.

And why don't I use repo roles for some users? The answer is because the

from a schema must use grantable option for working.

Take a look at the picture. The user has privileges for SELECT, INSERT, UPDATE, but without the grantable option. And that's why it appears in red.

The only way I have to run that procedure correctly is assigning the privileges in HANA Studio with the grantable option.

Can someone explain to me why repo roles can't have the grantable option?

Thanks in advance,

David

pfefferf
Active Contributor

Hm, seems to be answered already some years ago here. 🙂

Regards,
Florian (Mod)

david_fernndez2
Explorer

Thanks a lot for your help 🙂

Accepted Solutions (1)

lbreddemann
Active Contributor

Florian already pointed to the relevant discussion from years back and the same line of explanation can be found in the product documentation, too (https://help.sap.com/viewer/b3d0daf2a98e49ada00bf31b7ca7a42e/2.0.02/en-US/56042042bc824e04b7755191034ec80a.html#loio56042042bc824e04b7755191034ec80a__section_rdh_cbc_jq).

The bottom line is: with the GRANT OPTION your hopefully nicely designed set of roles that should help control who has which privileges can easily become unmanageable. When everyone can "forward" the privileges received, there is no control. That's similar to giving someone keys to your house and saying "just make copies of the keys and tell your friends to do the same".

There are, however, situations where you really want to be able to do just that. In such a case, "break the glass" and read my blog post:

https://blogs.sap.com/2018/03/07/how-to-give-what-you-dont-have/
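
The "copies of the keys" problem described in the answer above can be checked on a running system. The following audit queries are an added example, not part of the original answer or of SAP's documentation; they read the `SYS.GRANTED_PRIVILEGES` system view, and the list of excluded technical accounts is an assumption to adapt to your landscape.

```sql
-- Added example (not from the original thread): audit of GRANT OPTION usage in SAP HANA.

-- 1) Every grantee that holds a privilege it is allowed to pass on.
--    The excluded technical accounts are an assumption; adjust as needed.
SELECT grantee,
       grantee_type,      -- USER or ROLE
       grantor,
       object_type,
       schema_name,
       object_name,
       privilege
FROM   sys.granted_privileges
WHERE  is_grantable = 'TRUE'
  AND  grantee NOT IN ('SYS', 'SYSTEM', '_SYS_REPO')
ORDER  BY grantee, schema_name, object_name, privilege;

-- 2) Forwarding chains: grants that were issued by someone who had
--    received the same privilege WITH GRANT OPTION from somebody else.
--    CAN_FORWARD_AGAIN = 'TRUE' means the chain can grow further.
SELECT src.grantor       AS original_grantor,
       fwd.grantor       AS forwarded_by,
       fwd.grantee       AS forwarded_to,
       fwd.object_type,
       fwd.schema_name,
       fwd.object_name,
       fwd.privilege,
       fwd.is_grantable  AS can_forward_again
FROM   sys.granted_privileges fwd
JOIN   sys.granted_privileges src
  ON   src.grantee      = fwd.grantor
 AND   src.privilege    = fwd.privilege
 AND   src.object_type  = fwd.object_type
 AND   IFNULL(src.schema_name, '') = IFNULL(fwd.schema_name, '')
 AND   IFNULL(src.object_name, '') = IFNULL(fwd.object_name, '')
 AND   src.is_grantable = 'TRUE'
ORDER  BY fwd.schema_name, fwd.object_name, fwd.privilege, forwarded_by;
```

Rows from the second query are privileges that reached a user outside the role design, which is the loss of control the answer warns about.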

david_fernndez2
Explorer

Hi Lars "HanaMaster" Breddemann,

Yesterday I was looking at LinkedIn (I'm one of your followers) and I saw "How to give what you don't have", but I didn't have time to read it. I will take a look.

Thanks for the "lower level" explanation of the example of the house keys, clearly explained.

Sorry for re-asking the question, but I was unable to find that it was answered some years ago.

Thx Lars.
