cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP HANA Revoking DATA ADMIN Privilege.

Former Member

on ‎01-06-2017 9:39 AM

0 Kudos

Hello,

I have a user named "SUPERUSER".
It has following privileges - "DATA ADMIN" , "ROLE ADMIN" , "USER ADMIN", "RESOURCE ADMIN".

There are two other users, "JOHN" and "JACOB" with DATA ADMIN privileges.
For JOHN "DATA ADMIN" privilege was granted by user SYSTEM. For JACOB it was granted by user SUPERUSER


==
select * from GRANTED_PRIVILEGES where privilege = 'DATA ADMIN';

GRANTEE_SCHEMA_NAME,GRANTEE,GRANTEE_TYPE,GRANTOR,OBJECT_TYPE,SCHEMA_NAME,OBJECT_NAME,COLUMN_NAME,PRIVILEGE,IS_GRANTABLE,IS_VALID
?,"SUPERUSER","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
?,"JOHN","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
?,"JACOB","USER","SUPERUSER","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
...

==


I was trying to revoke the "DATA ADMIN" privilege of both the users (JOHN and JACOB) from "SUPERUSER".
It worked for user JACOB, but I was not able to revoke JOHN's privilege from SUPERUSER.
It does not throw any error from hdbsql, But does not revoke the privilege either.

==
select * from GRANTED_PRIVILEGES where privilege = 'DATA ADMIN';

GRANTEE_SCHEMA_NAME,GRANTEE,GRANTEE_TYPE,GRANTOR,OBJECT_TYPE,SCHEMA_NAME,OBJECT_NAME,COLUMN_NAME,PRIVILEGE,IS_GRANTABLE,IS_VALID
?,"SUPERUSER","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
?,"JOHN","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
...
==

The section "Prerequisites for Granting and Revoking Privileges and Roles" explains that only the user who has granted the privilege can revoke it.
But in the following link, https://help.sap.com/saphelp_hanaplatform/helpdata/en/20/fc91cb75191014ac15eb4d6f2d7dde/content.htm
it says,

"For users without ROLE ADMIN privileges, only the user that granted a specific privilege can revoke it."
For the above statement, I would assume "ROLE ADMIN" privilege is enough to revoke the privilege.

Not sure if have understood the above documents correctly. Either way I want to revoke privilege of other users from SUPERUSER.
Is there a way to accomplish it ?

Regards,
Mashood

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

yakcinar
Active Contributor
‎01-07-2017 2:35 PM
0 Kudos

Hello Mashood,

In below document in "Teble 2:Prerequisites for Revoking Privileges" in order to revoce A system privilege you must be the user who granted the privilege"

https://help.sap.com/saphelp_hanaplatform/helpdata/en/c7/19b2e7d9761014b9d798770c3d0958/content.htm

So from the result of the select statement DATA_ADMIN system privilege is granted by SYSTEM. So can be revoked by SYSTEM user.

JACOB's case proves the above prerequisite.

Regards,

Yuksel AKCINAR

Show replies
Show replies
Ask a Question