avatar image
Former Member

SAP HANA Revoking DATA ADMIN Privilege.

Hello,

I have a user named "SUPERUSER".
It has following privileges - "DATA ADMIN" , "ROLE ADMIN" , "USER ADMIN", "RESOURCE ADMIN".

There are two other users, "JOHN" and "JACOB" with DATA ADMIN privileges.
For JOHN "DATA ADMIN" privilege was granted by user SYSTEM. For JACOB it was granted by user SUPERUSER


==
select * from GRANTED_PRIVILEGES where privilege = 'DATA ADMIN';

GRANTEE_SCHEMA_NAME,GRANTEE,GRANTEE_TYPE,GRANTOR,OBJECT_TYPE,SCHEMA_NAME,OBJECT_NAME,COLUMN_NAME,PRIVILEGE,IS_GRANTABLE,IS_VALID
?,"SUPERUSER","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
?,"JOHN","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
?,"JACOB","USER","SUPERUSER","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
...

==


I was trying to revoke the "DATA ADMIN" privilege of both the users (JOHN and JACOB) from "SUPERUSER".
It worked for user JACOB, but I was not able to revoke JOHN's privilege from SUPERUSER.
It does not throw any error from hdbsql, But does not revoke the privilege either.

==
select * from GRANTED_PRIVILEGES where privilege = 'DATA ADMIN';

GRANTEE_SCHEMA_NAME,GRANTEE,GRANTEE_TYPE,GRANTOR,OBJECT_TYPE,SCHEMA_NAME,OBJECT_NAME,COLUMN_NAME,PRIVILEGE,IS_GRANTABLE,IS_VALID
?,"SUPERUSER","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
?,"JOHN","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
...
==

The section "Prerequisites for Granting and Revoking Privileges and Roles" explains that only the user who has granted the privilege can revoke it.
But in the following link, https://help.sap.com/saphelp_hanaplatform/helpdata/en/20/fc91cb75191014ac15eb4d6f2d7dde/content.htm
it says,

"For users without ROLE ADMIN privileges, only the user that granted a specific privilege can revoke it."
For the above statement, I would assume "ROLE ADMIN" privilege is enough to revoke the privilege.

Not sure if have understood the above documents correctly. Either way I want to revoke privilege of other users from SUPERUSER.
Is there a way to accomplish it ?

Regards,
Mashood

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Jan 07, 2017 at 02:35 PM

    Hello Mashood,

    In below document in "Teble 2:Prerequisites for Revoking Privileges" in order to revoce A system privilege you must be the user who granted the privilege"

    https://help.sap.com/saphelp_hanaplatform/helpdata/en/c7/19b2e7d9761014b9d798770c3d0958/content.htm

    So from the result of the select statement DATA_ADMIN system privilege is granted by SYSTEM. So can be revoked by SYSTEM user.

    JACOB's case proves the above prerequisite.

    Regards,

    Yuksel AKCINAR

    Add comment
    10|10000 characters needed characters exceeded

Skip to Content