Deny creation of new packages in the root folder of the HANA repository - How?

dkle
Participant
0 Kudos

Hello all,

I am struggling to restrict the creation of packages/objects in the HANA repository of our production system, because two SAP defined repository roles grant access to the root package (and therefore all subpackages) for creating native objects:

  • sap.hana.xs.admin.roles::HTTPDestAdministrator
  • sap.hana.xs.lm.roles::Administrator


My goal is to deny creation of new packages in the root folder of the repository (only in the production system), so db users are forced to use the LCM to transport their developments to the production system. But they should also be granted the above two roles.

Top-Packages currently present in the system:

  • sap
  • <mycompany>
  • system-local


Package creation local to the production system should only be possible under the system-local package.

1. How to achieve that? How did you do this in your production systems?
2. Is it also achievable if the above two roles are assigned to a db user?


I have read the "How to define standard roles for Administrators in SAP HANA database" guide, but this seems to only work if the above two roles are not assigned to the users.

We are on HANA SPS 8.


Thanks and Regards
Daniel

Accepted Solutions (0)

Answers (1)

pfefferf
Active Contributor
0 Kudos

Hello Daniel,

it is not possible to explicitly deny or exclude privileges. If a privilege is given directly or via rules, the user has it. Check the SAP HANA Authorization chapter in the SAP Security Reference Guide for that.

From my point of view, the only way to achieve your goal is not to use the standard roles. Create a copy of them and adjust the package privileges so that no access is given to the root package, but to the packages you define. Of course, in case of a patch or SP upgrade you have to check and maybe adjust the roles (or recopy and adjust the roles) again.

Regards,
Florian
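Since privileges are purely additive, a practical check on the production system is to list every grantee that holds write-type package privileges on the repository root. The queries below are an added example, not part of the original posts; they assume package privileges appear in the system views with OBJECT_TYPE 'REPO' and the root package as '.REPO_PACKAGE_ROOT', and DEV_USER_PLACEHOLDER is a hypothetical user name.

```sql
-- 1) Roles and users that are granted write-type package privileges
--    directly on the repository root. Any role listed here passes root
--    access on to every user it is assigned to.
SELECT GRANTEE,
       GRANTEE_TYPE,          -- 'ROLE' or 'USER'
       PRIVILEGE,
       GRANTOR
FROM   "SYS"."GRANTED_PRIVILEGES"
WHERE  OBJECT_TYPE = 'REPO'
  AND  OBJECT_NAME = '.REPO_PACKAGE_ROOT'
  AND  PRIVILEGE IN ('REPO.EDIT_NATIVE_OBJECTS',
                     'REPO.ACTIVATE_NATIVE_OBJECTS',
                     'REPO.MAINTAIN_NATIVE_PACKAGES')
ORDER  BY GRANTEE_TYPE, GRANTEE, PRIVILEGE;

-- 2) Users who receive one of those roles directly. Roles nested inside
--    other roles are not resolved here; use query 3 per user for that.
SELECT gr.GRANTEE   AS USER_NAME,
       gr.ROLE_NAME,
       gp.PRIVILEGE
FROM   "SYS"."GRANTED_ROLES"      gr
JOIN   "SYS"."GRANTED_PRIVILEGES" gp
       ON  gp.GRANTEE      = gr.ROLE_NAME
       AND gp.GRANTEE_TYPE = 'ROLE'
WHERE  gr.GRANTEE_TYPE = 'USER'
  AND  gp.OBJECT_TYPE  = 'REPO'
  AND  gp.OBJECT_NAME  = '.REPO_PACKAGE_ROOT'
  AND  gp.PRIVILEGE IN ('REPO.EDIT_NATIVE_OBJECTS',
                        'REPO.ACTIVATE_NATIVE_OBJECTS',
                        'REPO.MAINTAIN_NATIVE_PACKAGES')
ORDER  BY gr.GRANTEE, gr.ROLE_NAME;

-- 3) Effective package privileges of one user, including those inherited
--    through nested roles. EFFECTIVE_PRIVILEGES must be filtered by user.
SELECT OBJECT_NAME, PRIVILEGE, GRANTEE, GRANTEE_TYPE
FROM   "SYS"."EFFECTIVE_PRIVILEGES"
WHERE  USER_NAME   = 'DEV_USER_PLACEHOLDER'   -- hypothetical user
  AND  OBJECT_TYPE = 'REPO'
ORDER  BY OBJECT_NAME, PRIVILEGE;
```

Rerunning query 1 after a patch or SP upgrade shows whether a delivered role has regained or changed its root-package privileges, which is the re-check the answer above describes for copied roles.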

dkle
Participant
0 Kudos

Hello Florian,

you are right, I should have written "do not grant" root access instead of "deny" root access.

Copying and adjusting the standard roles is no solution for us. Are there really SAP customers out there doing that? Sad to hear that there seems to be no disadvantage-free software-based solution for achieving it...

Maybe we have to appoint a repository moderator to keep the repository development under control.

@other HANA customers: any other insights out of customer practice on how you try to achieve it?

Regards

Daniel