on 12-01-2016 9:41 AM
Hello all,
I am struggling to restrict the creation of packages/objects in the HANA repository of our production system, because two SAP defined repository roles grant access to the root package (and therefore all subpackages) for creating native objects:
My goal is to deny creation of new packages in the root folder of the repository (only in the production system), so db users are forced to use the LCM to transport their developments to the production system. But they should also be granted the above two roles.
Top-Packages currently present in the system:
Package creation local to the production system should only be possible under the system-local package.
1. How to achieve that? How did you do this in your production systems?
2. Is it also achievable if the above two roles are assigned to a db user?
I have read the "How to define standard roles for Administrators in SAP HANA database" guide, but this seems to only work if the above two roles are not assigned to the users.
We are on HANA SPS 8.
Thanks and Regards
Daniel
Hello Daniel,
it is not possible to explicitly deny or exclude privileges. If a privilege is given directly or via rules, the user has it. Check the SAP HANA Authorization chapter in the SAP Security Reference Guide for that.
From my point of view, the only way to achieve your goal is not to use the standard roles. Create a copy of them and adjust the package privileges so that access is given not to the root package, but to the packages you define. Of course, in case of a patch or SP upgrade you have to check and maybe adjust the roles (or recopy and adjust the roles) again.
Regards,
Florian
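An audit query for the approach described in the reply above, as an added example that is not part of the original post or of SAP's documentation. It lists who holds package privileges on the repository root package, so a copied role can be checked after a patch or SP upgrade. It assumes the system views `SYS.GRANTED_PRIVILEGES` and `SYS.GRANTED_ROLES` and that the root package is recorded under the object name `.REPO_PACKAGE_ROOT`; verify both on your revision.

```sql
-- Added example (not from the thread): audit package privileges on the root package.
-- Assumption: package privileges appear with OBJECT_TYPE = 'REPO' and the
-- root package appears as OBJECT_NAME = '.REPO_PACKAGE_ROOT'.

-- 1) Roles and users holding any package privilege directly on the root package.
SELECT grantee, grantee_type, privilege, grantor
FROM   "SYS"."GRANTED_PRIVILEGES"
WHERE  object_type = 'REPO'
AND    object_name = '.REPO_PACKAGE_ROOT'
ORDER  BY grantee_type, grantee, privilege;

-- 2) Users who receive a write-type root privilege through a directly assigned
--    role. Nested roles (role granted to role) are not resolved by this join.
SELECT gr.grantee   AS user_name,
       gr.role_name AS via_role,
       gp.privilege
FROM   "SYS"."GRANTED_ROLES" gr
JOIN   "SYS"."GRANTED_PRIVILEGES" gp
  ON   gp.grantee      = gr.role_name
 AND   gp.grantee_type = 'ROLE'
WHERE  gr.grantee_type = 'USER'
AND    gp.object_type  = 'REPO'
AND    gp.object_name  = '.REPO_PACKAGE_ROOT'
AND    gp.privilege IN ('REPO.MAINTAIN_NATIVE_PACKAGES',
                        'REPO.EDIT_NATIVE_OBJECTS',
                        'REPO.ACTIVATE_NATIVE_OBJECTS')
ORDER  BY user_name, via_role, gp.privilege;
```

An empty result from the second query for ordinary developer users is the state the reply's copied-role approach aims for in production.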
Hello Florian,
you are right, I should have written "do not grant" root access instead of "deny" root access.
Copying and adjusting the standard roles is no solution for us. Are there really SAP customers out there doing that? Sad to hear that there seems to be no disadvantage-free software-based solution for achieving it...
Maybe we have to appoint a repository moderator to keep the repository development under control.
@other HANA customers: any other insights out of customer practice on how you try to achieve it?
Regards
Daniel