
SAP HANA XSA SPS03: SESSION_CONTEXT('XS_CLIENT')

Hi experts,

I try to understand this video "Structured Privilege and Roles", where it's explained how we can consume the values from the roles to pass them to the privileges. (This was my takeaway from this video. If I'm wrong, please let me know.)

But my first problem is the select statement, because I couldn't find the XS_CLIENT key within the M_SESSION_CONTEXT table.

https://youtu.be/yuPBSwBlFfo?t=909

https://github.com/SAP/hana-xsa-opensap-hana7/blob/master/db/src/roles/FLIGHT_PRIV.hdbanalyticprivilege


4 Answers

  • Best Answer
    Jan 12 at 08:53 PM

    You have to define the attribute in xs-security.json you use to create the UAA instance.

    When you create the role, you can supply a static value for the attribute or map it to a SAML Attribute. This is how the value gets filled:

    But any application that uses this UAA and a user with this role assigned will automatically fill this attribute and it will be pushed into the SESSION_CONTEXT as well.


    [screenshots: xs-security1.png, xs-security2.png, xs-security3.png]

  • Jan 12 at 08:39 PM

    Well, Client has to be an attribute declared in your xs-security.json, and the role for your UAA has to contain a value assigned to this attribute. Also, how are you testing this? You can’t test it from the Database Explorer because it won’t be running with your application's UAA. I’ll do a video later in the series that shows all these things, but we need to get to some Node.js stuff first.


    • Hi Thomas, everything works well now so far.

      But in our case we do have the issue that we need to be able to filter more than one PatientID (please, look at the screenshot)

      "attributes": [{
          "name": "PatientID",
          "description": "PatientID",
          "valueType": "int"
      }],

      [screenshot: attribute.png]

      Now there is the issue of how the "SELECT STATEMENT" should look so that we can pass the result to the where clause.

      The other thing is that we were not able to get more than one result. If we tried a range of indices or more indices then the result was always null.

      console.log testpatient:

      result: 1240

      [{"JSON_VALUE((SELECT SESSION_CONTEXT('XS_PATIENTID') FROM DUMMY ),'$[0]')" "1240"}]#

      '$[0,1]' --> null

      '$[0 to 5]' --> null

      let query = `SELECT *
          FROM "TBASE.db.data::tbase.cds.PATIENT"
          WHERE "PatientID" IN (SELECT JSON_VALUE((SELECT SESSION_CONTEXT('XS_PATIENTID') FROM DUMMY),
                                '$[0 TO 10]') FROM DUMMY)`;

      Or do we have to use JSON_QUERY for more results?

      And if yes, how do we have to use it as a subquery in a where clause? Thanks for helping us.

  • Jan 14 at 01:51 PM

    What do you see when you just select SESSION_CONTEXT('XS_PATIENTID') FROM DUMMY without the JSON processing? Perhaps the JSON is structured differently than in my sample (especially if it's coming from SAML mapping instead of direct input). Also consider looking at the attribute within the XSA level before it reaches the SESSION_CONTEXT. If you are using express with the UAA processing as middleware, you can just grab the info from the request object in a variable named authInfo. See this sample:

    app.get("/whoAmI", (req, res) => {
        var userContext = req.authInfo;
        var result = JSON.stringify({
            userContext: userContext
        });
        res.type("application/json").status(200).send(result);
    });

  • Jan 14 at 02:44 PM

    When I use only SESSION_CONTEXT('XS_PATIENTID') FROM DUMMY it returns "["1240","54"]".

    The issue is that we use only one central starting point, an OData service, and therefore I thought I could use a view with the structured privileges check. This would help us a lot.

    In node.js we do almost the same as your sample. There we do not have any issue to read the user context.

    Thanks!

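Added example, not code from any poster in this thread or from the SAP sample project: since the last reply shows SESSION_CONTEXT('XS_PATIENTID') returning the JSON array ["1240","54"], one way to filter on all of the values is to parse that array in the Node.js layer and bind each ID as a parameter of an IN list, instead of extracting a single element with JSON_VALUE inside the SQL. The table and column names are the ones from the thread; the parsePatientIds and buildPatientQuery helpers are hypothetical, and whether the value is read with SELECT SESSION_CONTEXT(...) FROM DUMMY or from req.authInfo is left to the caller.

```javascript
// Added example (hypothetical helpers, not from the thread or the SAP sample):
// turn the JSON array that SESSION_CONTEXT('XS_PATIENTID') returns, e.g.
// '["1240","54"]', into a parameterised IN filter for the PATIENT table.
const PATIENT_TABLE = '"TBASE.db.data::tbase.cds.PATIENT"';

// Parse the attribute value and keep only well-formed integer IDs
// (valueType "int" in xs-security.json). Returns [] when the value is
// missing or malformed, so the query matches no rows (fail closed).
function parsePatientIds(contextValue) {
  if (typeof contextValue !== "string" || contextValue.length === 0) {
    return [];
  }
  let parsed;
  try {
    parsed = JSON.parse(contextValue);
  } catch (e) {
    return [];
  }
  // A single value may arrive unwrapped ("1240") instead of as an array.
  const list = Array.isArray(parsed) ? parsed : [parsed];
  const ids = [];
  for (const item of list) {
    if (/^\d+$/.test(String(item))) {
      ids.push(Number(item));
    }
  }
  return ids;
}

// Build SELECT ... WHERE "PatientID" IN (?, ?, ...) with one bind parameter
// per ID; the values are never concatenated into the SQL text.
function buildPatientQuery(contextValue) {
  const ids = parsePatientIds(contextValue);
  if (ids.length === 0) {
    return { sql: `SELECT * FROM ${PATIENT_TABLE} WHERE 1 = 0`, params: [] };
  }
  const placeholders = ids.map(() => "?").join(", ");
  return {
    sql: `SELECT * FROM ${PATIENT_TABLE} WHERE "PatientID" IN (${placeholders})`,
    params: ids
  };
}

// Constructed sample value, same shape as the one reported in the thread.
const sample = buildPatientQuery('["1240","54"]');
console.log(sample.sql, sample.params);
```

The returned sql and params pair is then handed to the HANA client's prepare/execute call with bound parameters; an empty or unparseable attribute yields a query that returns nothing rather than the whole table.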