
Creating XSA roles

0 Kudos

Hi Thomas,

I created a table and a calculation view in an HDI container. Now I want to create a role for DEVELOPER so that other colleagues who have the developer role can continue working on further developments under the schema.

Now my question is: I came to know that XSA roles and HDI container schema roles are different. How can I merge both and make sure the user who logged in to XSA works in my schema? What roles do I need to create in XSA and HANA DB, please?

I already went through the YouTube videos:

https://www.youtube.com/watch?v=V02ysdbLMN8 https://www.youtube.com/watch?v=I6nrhkm5nFQ https://www.youtube.com/watch?v=4HOhwflkSTU

Still I am missing something; please help me with the role creation.

I already did the XS_SECURITY.JSON and UAA service enabled steps.

Please help me out in fixing this, please.

Thanks,

Chandra.

Accepted Solutions (0)

Answers (4)


Hi Thomas,

I am also working on a similar scenario where I have to do a cross-tenant query. But in your answer to the previous question you clarified that it is not possible to do this using synonyms. You also suggested using SDA for this scenario. If you know of any blog or video tutorial for the cross-tenant data access scenario using SDA, could you please share the link with us?

Thanks.

Best Regards,

Vivek.

thomas_jung
Developer Advocate

XSA roles (UAA and xs-security.json) really have nothing to do with DB roles. I'm not sure what you really want to do here. If you just want other developers to be able to work on your HDB module, there is nothing you need to grant them. They can clone your project from Git and edit it without any additional DB roles. Even from the database explorer they will access the container content via the technical user. DB users are only needed when users directly access the container schema (bypassing the container/technical user), for instance when you use JDBC directly or a reporting tool like Lumira. If that latter case is needed, then you just create DB roles as hdbrole artifacts within the HDB module and an Administrator must grant those roles to the DB user. The XSA user and roles don't play into the scenario.

0 Kudos

Hi Thomas,

Thanks a lot for your quick response. Sorry, maybe I am not clear in my question.

I created an HDI container; now we have an object owner user for the container. The object owner wants to give access to another user to work on the HDI schema from XSA; this is my requirement. I had seen your openSAP video, hdi-role-in-xsa.png where we need to have roles from DB and from XSA.

In the next slide you mentioned that we need to create a scope and an attribute, create the role, xsa-role-templates.png assign the role to the user in the backend, which is there in https://www.youtube.com/watch?v=4HOhwflkSTU so that the user can view the data.

So I am a bit confused on this.

If you have a complete blog for it, please help me out; it will be very helpful for me.

Thanks,

CHANDRA.

thomas_jung
Developer Advocate
0 Kudos

The attribute values are in your SESSION_CONTEXT. Just use them in your WHERE conditions of your privileges. For example: https://github.com/SAP/hana-xsa-opensap-hana7/blob/master/db/src/roles/FLIGHT_PRIV.hdbanalyticprivil...

Or you can use the attribute values abstracted via $env.user in hdbcds dcl:

https://github.com/SAP/hana-xsa-opensap-hana7/blob/master/db/src/roles/dcl.hdbcds#L13

thomas_jung
Developer Advocate
0 Kudos

>other user to work on HDI schema from XSA

Other users don't need access, just like your developer user didn't need any access to create the container. The container technical user owns the DB objects and it performs any adjustments.

>In the next slide you mentioned that we need to create scope, Attribute create the role, xsa-role-templates.png assign the role to user in backend which is

XSA scopes and roles are for authorization checks within a custom application. They don't have anything to do with editing the objects from within the Web IDE. Attributes are only used for instance filtering (analytic or structured privileges) and are also not needed for development.

0 Kudos

Hi Thomas,

I have one more question, please.

I have two HDI containers: the HDI-1 container from the BA1 tenant database on space SPACE-1, and another container, HDI-2, from the BA2 tenant database on space SPACE-2.

Is it possible to access the data from HDI-1 to HDI-2?

We have to do this scenario in our project.

If yes, please help me out with how. Whatever material I am searching, I am getting only data access between containers where both containers are in the same space, or accessing an external classical schema in an HDI container.

Please let me know if there is any possibility like this:

data access from HDI-1, which is in the BA1 tenant database and in Space-1, to HDI-2, which is built on the BA2 tenant database in Space-2.

Thanks a lot in advance,

Chandra.

thomas_jung
Developer Advocate
0 Kudos

No, HDI doesn't directly allow cross-tenant queries. The setup process of the granting to technical users in remote tenants is not done by HDI. We recommend the use of SDA for such cross queries.

0 Kudos

Hi Thomas,

Thanks a lot for your quick response. Now I need to rethink this.

Is there any blog or video on accessing cross queries through SDA? Please help me out.

Please...

Thanks,

Chandra.

0 Kudos

Hi Thomas,

I created a calculation view and I created an analytical privilege on top of the calculation view. Up to here everything is fine.

Now I want to add the analytical privilege to a .hdbrole, and I am getting the error below. Please help me.

Here is my .hdbrole for the analytical privilege. Please help me in fixing the error, please...

thomas_jung
Developer Advocate
0 Kudos

Your syntax doesn't look right to me. Should be schema_analytic_privilege not analyticprivilegs. Also no type is necessary. Have a look at an example here:

https://github.com/SAP/com.sap.openSAP.hana5.example/blob/hana2_sps03/core_db/src/roles/admin.hdbrol...
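
The two mistakes named in this reply (a misspelled privilege key and a stray `type`) can be caught before deployment with a small check. This is an added example, not code from the thread or from SAP; the allowed-key lists (including the plural key `schema_analytic_privileges`), the function names and the `demo::` sample role are assumptions to verify against the .hdbrole documentation for your HANA release.

```python
import difflib
import json

# Assumption: key lists follow SAP's HDI .hdbrole documentation; extend as needed.
ROLE_KEYS = {"name", "global_roles", "schema_roles", "system_privileges",
             "schema_privileges", "object_privileges",
             "schema_analytic_privileges", "global_object_privileges"}
AP_ENTRY_KEYS = {"schema_reference", "privileges", "privileges_with_grant_option"}

# Constructed samples with the two mistakes named in the reply (not the poster's file).
BROKEN = """{"role": {"name": "demo::REPORTING",
  "analyticprivilegs": [{"type": "VIEW", "privileges": ["demo::AP_SALES"]}]}}"""
FIXED = """{"role": {"name": "demo::REPORTING",
  "schema_analytic_privileges": [{"privileges": ["demo::AP_SALES"]}]}}"""

def unknown_keys(obj, allowed, where):
    """Report keys outside `allowed`, with a closest-match hint for typos."""
    findings = []
    for key in obj:
        if key not in allowed:
            hint = difflib.get_close_matches(key, allowed, n=1, cutoff=0.5)
            suffix = f" (did you mean '{hint[0]}'?)" if hint else ""
            findings.append(f"{where}: unknown key '{key}'{suffix}")
    return findings

def lint_hdbrole(text):
    """Return findings for one .hdbrole document; an empty list means clean."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    role = doc.get("role") if isinstance(doc, dict) else None
    if not isinstance(role, dict):
        return ["top-level 'role' object is missing"]
    findings = unknown_keys(role, ROLE_KEYS, "role")
    if "name" not in role:
        findings.append("role: 'name' is missing")
    for i, entry in enumerate(role.get("schema_analytic_privileges", [])):
        where = f"schema_analytic_privileges[{i}]"
        if not isinstance(entry, dict):
            findings.append(f"{where}: entry must be an object")
            continue
        findings += unknown_keys(entry, AP_ENTRY_KEYS, where)
        if not (entry.get("privileges") or entry.get("privileges_with_grant_option")):
            findings.append(f"{where}: no privileges listed")
    return findings

if __name__ == "__main__":
    print(lint_hdbrole(BROKEN), lint_hdbrole(FIXED) or "clean")
```

A misspelled top-level key hides its entries from the second pass, so the stray `type` is only reported once the key name itself has been corrected.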

0 Kudos

Hello Thomas,

Thanks a lot, sir; the issue is resolved.

I appreciate your great help and quick response to all my requests.

Thanks,

BR,

Chandra.

0 Kudos

Hello Thomas,

I have a question regarding restricting users from creating .hdbroles in an HDI container.

I created a user in XSA with the WEBIDE_DEVELOPER role assigned to him, where he has access to create tables, calculation views, etc. in the HDI container.

He also has access to create analytical privileges and .hdbroles. Is it possible to restrict users from creating security artifacts like .hdbroles and analytical privileges? Please suggest.

Thanks,

BR,

Chandra.

thomas_jung
Developer Advocate
0 Kudos

No there are no limits on what the user can create in the Web IDE. And the objects aren't created by their user in the DB. They are created by the container technical owner. This is why you should have good code review and approval processes before transporting anything to downstream systems and should never allow development directly in a productive system.

0 Kudos

Hi Thomas,

Thanks a lot for spending your time helping me with all my questions.

I have one question; please help me in understanding.

I have three spaces: Dev, Quality and Prod.

I have Dev and Quality in one tenant, and Prod in another tenant.

When I created an HDI container in the Web IDE with schema name BAYER, in the back end it creates a schema named BAYER_1.

When I moved the schema from Development to Quality, in Quality it is the BAYER schema only.

Is it possible to compare my objects that I developed in Dev and Quality, please?

I know we cannot access objects in the Quality space in the Web IDE. Is there any other solution for it, please?

Especially I want to compare calculation views, roles and analytical privileges.

Thanks,

BR,

Chandra.

thomas_jung
Developer Advocate
0 Kudos

1. You build the project which produces an MTAR. You can then deploy that MTAR into the other spaces (xs deploy command).

2. Why would you access it with the Web IDE? The Web IDE should only be used in your development system.

rakshetha_jn
Associate
0 Kudos

Hi Thomas,

Your last line: "Attributes are only used for instance filtering (analytic or structured privileges)".

How can this be realised? I currently have the same issue, where I want to apply dynamic structured privileges to control row access in a calculation view. I have role templates with defined attributes. I assign those attributes while creating the user. How can I enforce the structured privilege to filter my calc views based on the attributes?

Any guidance?

best regards

Rakshetha