Skip to Content

Why can't assign grantable privileges with repository roles?

Hi at all,

The SAP recommendation for creating roles is that we create repository roles because they can be transported between systems etc.


Ok, we'd switched from catalog roles to respository roles that can only be created via web editor.


The main problem that I've encountered is that with repo roles you can't grant those privileges, because there is no option, and when you check that role in Hana Studio the "grantable" option appears in "no" and greyed out.

So, I use catalog roles for generic users from a project and I add privileges by hand, not using repo roles because there is not that option.

And why I don't use repo roles for some users? The answer is because the

from a schema must use grantable option for working.

Take a look at the picture. The user have privileges for SELECT, INSERT, UPDATE, but without the grantable option. And that's why appears in red.

The only way that I have to run correctly that procedure it's assigning the privileges in Hana Studio with grantable option.

Can someone explain me why repo roles can't have the grantable option?

Thanks in advance,

David

01.jpg (10.9 kB)
02.jpg (21.8 kB)
03.jpg (18.9 kB)
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    Mar 13 at 10:16 PM

    Florian already pointed to the relevant discussion from years back and the same line of explanation can be found in the product documentation, too (https://help.sap.com/viewer/b3d0daf2a98e49ada00bf31b7ca7a42e/2.0.02/en-US/56042042bc824e04b7755191034ec80a.html#loio56042042bc824e04b7755191034ec80a__section_rdh_cbc_jq).

    The bottom line is: with the GRANT OPTION your hopefully nicely designed set of roles that should help control who has which privileges can easily become unmanageable. When everyone can "forward" the privileges received, there is no control. That's similar to giving someone keys to your house and saying "just make copies of the keys and tell your friends to do the same".

    There are, however, situations, where you really want to be able to do just that. In such a case, "break the glass" and read my blog post:

    https://blogs.sap.com/2018/03/07/how-to-give-what-you-dont-have/

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Lars "HanaMaster" Breddemann,

      Yesterday I was looking at LinkedIn (I'm one of your followers) and I see that "How to give what you don't have" but I don't had time to read. I will take a look.

      Thanks for the "lower level" explanation of the example of the house keys, clearly explained.

      Sorry for reasking the question but I was unable to find that it was answered some years ago.

      Thx Lars.