"GRANT IMPORT TO" equivalent in .hdbrole HDI artifact

former_member540015
Participant

Hi!

What additional steps are required to GRANT IMPORT TO XSA_DEV via .hdbrole in HDB module?

This syntax

{
    "role": {
        "name": "myapp.db::app_access_role",
        "system_privileges": [
            "IMPORT"
        ]
    }
}

throws the following build error

Deploying "src/default_access_role.hdbrole"...
 Error: com.sap.hana.di.role: Could not create the role definition in the database [8254541]
   at "src/default_access_role.hdbrole" (0:0)
 Error: com.sap.hana.di.role: Database error 258: : insufficient privilege: Not authorized [8201003]
   at "src/default_access_role.hdbrole" (0:0)
 Error: com.sap.hana.di.role: Deploying "src/default_access_role.hdbrole"... failed [8212145]
   at "src/default_access_role.hdbrole" (0:0)

This is absolutely weird because XSA_DEV is the owner of the HDI container.

GRANT ROLE ADMIN TO XSA_DEV;

on SYSTEM database didn't help either.

Suggestions to address this question to my BASIS/Admin/Security team can't be accepted as answers, and any comments are welcome.

Accepted Solutions (0)

Answers (1)

thomas_jung
Developer Advocate

The error message you posted is from default_access_role.hdbrole, but your example is named myapp.db::app_access_role. So which is it? Is this error the correct error? Perhaps you need to show us the content in your default_access_role as well.


>This is absolutely weird because XSA_DEV is the owner of the HDI container.

I don't see XSA_DEV is the owner of the container. The owner is the generated technical user. XSA_DEV would be your business user and has nothing to do with granting rights to the container.

former_member540015
Participant

Hi Thomas!

Below is src/defaults/default_access_role.hdbrole

{
    "role": {
        "name": "default_access_role",
        "schema_privileges": [{
            "privileges": [
                "CREATE ANY",
                "SELECT",
                "INSERT",
                "UPDATE",
                "DELETE",
                "ALTER",
                "EXECUTE"
            ]
        }],
        "system_privileges": [
            "IMPORT"
        ]
    }
}

raises

Processing work list...
 Undeploying "src/defaults/default_access_role.hdbrole"...
 Undeploying "src/defaults/default_access_role.hdbrole"... ok
 Deploying "src/defaults/default_access_role.hdbrole"...
  Error: com.sap.hana.di.role: Could not create the role definition in the database [8254541]
    at "src/defaults/default_access_role.hdbrole" (0:0)
  Error: com.sap.hana.di.role: Database error 258: : insufficient privilege: Not authorized [8201003]
    at "src/defaults/default_access_role.hdbrole" (0:0)
  Error: com.sap.hana.di.role: Deploying "src/defaults/default_access_role.hdbrole"... failed [8212145]
    at "src/defaults/default_access_role.hdbrole" (0:0)
 Warning: Worker 1 running the "com.sap.hana.di.role" plugin has encountered an error while deploying 1 objects [8212030]
 Warning: Command failed [8210001]
 Error: Worker 1 has encountered an error; all remaining jobs will be canceled [8214600]
Error: Processing work list... failed [8212102]
Make failed (4 errors, 1 warnings): tried to deploy 1 files, undeploy 0 files, redeploy 0 dependent files
Error: Making... failed [8211605]

If I remove the "system_privileges" part, it builds successfully.

P.S.

Lately, on HANA 2.0 SPS03 in ports mode, I used a workaround defined in SAP HANA Administration Guide - Grant a User a Role from the Container's Schema to grant INSERT & IMPORT roles to my DTS_USER, but I can't make it work in FQDN mode as "GRANT_CONTAINER_SCHEMA_ROLES" now raises

Database error 332: : invalid user name: DTS_USER: line 1 col 43 (at pos 42)

Sathya-08
Advisor

thomas.jung - I have a similar issue when having a SYSTEM privilege in an hdbrole in an HDI container.

How to overcome this issue?

Deploying "src/admin_roles/REGULARBASIS.hdbrole"...
 Error: com.sap.hana.di.role: Could not create the role definition in the database [8254541]
   at "src/admin_roles/REGULARBASIS.hdbrole" (0:0)
 Error: com.sap.hana.di.role: Database error 258: : insufficient privilege: Detailed info for this error can be found with guid 'F238F5DFEAFD3F478AA93D7A3BCB47B5', extracted detailed information: user "ADMIN_ROLES_1#OO" is not allowed to grant (or revoke) the privilege "ADAPTER ADMIN" for object ""."" of type "" [8201003]
   at "src/admin_roles/REGULARBASIS.hdbrole" (0:0)
 Error: com.sap.hana.di.role: Deploying "src/admin_roles/REGULARBASIS.hdbrole"... failed [8212145]
   at "src/admin_roles/REGULARBASIS.hdbrole" (0:0)
 Warning: Worker 0 running the "com.sap.hana.di.role" plugin has encountered an error while deploying 1 objects [8212030]
 Error: Worker 0 has encountered an error; all remaining jobs will be canceled [8214600]
Error: Processing work list... failed [8212102]
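
The deploy output in this thread already names the account that attempts the grant. As an added example (not code from any poster or from SAP), this Python sketch parses HDI deploy output for "Database error 258" entries and reports which user was refused which privilege; the function name `explain_role_failures` is hypothetical, and treating a `#OO` suffix as the container's generated object owner is an assumption based on the HDI naming convention.

```python
import re

# Sample input: deploy output from the third post above, re-wrapped; GUID replaced by a placeholder.
SAMPLE_LOG = (
    'Deploying "src/admin_roles/REGULARBASIS.hdbrole"... '
    'Error: com.sap.hana.di.role: Could not create the role definition in the database [8254541] '
    'at "src/admin_roles/REGULARBASIS.hdbrole" (0:0) '
    'Error: com.sap.hana.di.role: Database error 258: : insufficient privilege: '
    "Detailed info for this error can be found with guid '<GUID>', extracted detailed information: "
    'user "ADMIN_ROLES_1#OO" is not allowed to grant (or revoke) the privilege "ADAPTER ADMIN" '
    'for object ""."" of type "" [8201003] at "src/admin_roles/REGULARBASIS.hdbrole" (0:0) '
    'Error: Worker 0 has encountered an error; all remaining jobs will be canceled [8214600]'
)

# Plugin errors have the shape: Error: <plugin>: <message> [<code>] at "<file>" (<line>:<col>)
ERROR_RE = re.compile(
    r'Error: (?P<plugin>[\w.]+): (?P<msg>.*?) \[(?P<code>\d+)\]\s+at "(?P<file>[^"]+)"', re.S)
# Detail text attached to error 258 when the database names the grantor and the privilege.
GRANT_RE = re.compile(
    r'user "(?P<user>[^"]+)" is not allowed to grant \(or revoke\) the privilege "(?P<priv>[^"]+)"')

def explain_role_failures(log):
    """Return one finding per 'insufficient privilege' (258) error in the deploy log."""
    findings = []
    for m in ERROR_RE.finditer(log):
        if "Database error 258" not in m["msg"]:
            continue
        g = GRANT_RE.search(m["msg"])  # absent when the log only says "Not authorized"
        user = g["user"] if g else None
        findings.append({
            "file": m["file"],
            "grantor": user,
            "privilege": g["priv"] if g else None,
            # Assumption: "<container schema>#OO" is the generated object owner user.
            "is_object_owner": bool(user and user.endswith("#OO")),
        })
    return findings

if __name__ == "__main__":
    for f in explain_role_failures(SAMPLE_LOG):
        who = f["grantor"] or "(grantor not named in log)"
        what = f["privilege"] or "(privilege not named in log)"
        print(f'{f["file"]}: {who} may not grant {what}; object owner: {f["is_object_owner"]}')
```

When the log carries only "Not authorized", as in the first post, the finding still identifies the failing file but leaves the grantor and privilege empty.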