Skip to Content

Deny creation of new packages in the root folder of the HANA repository - How?

Hello all,

I am struggling to restrict the creation of packages/objects in the HANA repository of our production system, because two SAP defined repository roles grant access to the root package (and therefore all subpackages) for creating native objects:

  • sap.hana.xs.admin.roles::HTTPDestAdministrator
  • sap.hana.xs.lm.roles::Administrator

My goal is to deny creation of new packages in the root folder of the repository (only in production system), so db users are forced to use the LCM to transport their developments to production system. But they should also be granted the above two roles.

Top-Packages currently present in the system:

  • sap
  • <mycompany>
  • system-local

Package creation local to the production system should only be possible under the system-local package.

1. How to achieve that? How did you do this in your production systems?
2. Is it also achievable if the above two roles are assigned to a db user?

I have read the "How to define standard roles for Administrators in SAP HANA database" guide, but this seems to only work if the above two roles are not assigned to the users.

We are on HANA SPS 8.

Thanks and Regards

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Dec 01, 2016 at 02:04 PM

    Hello Daniel,

    it is not possible to explicitily deny or exclude privileges. If a privilege is given directly or via rules the user has it. Check the SAP HANA Authorization chapter in the SAP Security Reference Guide for that.

    From my point of view, the only way to achieve your goal, is not to use the standard roles. Create a copy of them and adjust the package privileges that not access to the root package is given, but to the packages you define. Of course in case of a patch or SP upgrade you have to check any maybe adjust the roles (or recopy and just the roles) again.


    Add comment
    10|10000 characters needed characters exceeded

    • Hello Florian,

      you are right, I should have written "do not grant" root access instead of "deny" root access.

      Copying and adjusting the standard roles is no solution for us. Are there really SAP customers out there doing that? Sad to hear that there seems to be no disadvantage-free software-based solution for achieving it...

      Maybe we have to appoint a repository moderator to keep the repository development under control.

      @other HANA customers: any other insights out of customer practice on how you try to achieve it?