
SAP HANA Revoking DATA ADMIN Privilege.

Jan 06, 2017 at 09:39 AM


Hello,

I have a user named "SUPERUSER".
It has the following privileges: "DATA ADMIN", "ROLE ADMIN", "USER ADMIN", "RESOURCE ADMIN".

There are two other users, "JOHN" and "JACOB", with DATA ADMIN privileges.
For JOHN, the "DATA ADMIN" privilege was granted by user SYSTEM. For JACOB, it was granted by user SUPERUSER.


==
select * from GRANTED_PRIVILEGES where privilege = 'DATA ADMIN';

GRANTEE_SCHEMA_NAME,GRANTEE,GRANTEE_TYPE,GRANTOR,OBJECT_TYPE,SCHEMA_NAME,OBJECT_NAME,COLUMN_NAME,PRIVILEGE,IS_GRANTABLE,IS_VALID
?,"SUPERUSER","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
?,"JOHN","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
?,"JACOB","USER","SUPERUSER","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
...

==


I was trying to revoke the "DATA ADMIN" privilege of both the users (JOHN and JACOB) from "SUPERUSER".
It worked for user JACOB, but I was not able to revoke JOHN's privilege from SUPERUSER.
It does not throw any error from hdbsql, but it does not revoke the privilege either.

==
select * from GRANTED_PRIVILEGES where privilege = 'DATA ADMIN';

GRANTEE_SCHEMA_NAME,GRANTEE,GRANTEE_TYPE,GRANTOR,OBJECT_TYPE,SCHEMA_NAME,OBJECT_NAME,COLUMN_NAME,PRIVILEGE,IS_GRANTABLE,IS_VALID
?,"SUPERUSER","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
?,"JOHN","USER","SYSTEM","SYSTEMPRIVILEGE",?,?,?,"DATA ADMIN","TRUE","TRUE"
...
==

The section "Prerequisites for Granting and Revoking Privileges and Roles" explains that only the user who has granted the privilege can revoke it.
But in the following link, https://help.sap.com/saphelp_hanaplatform/helpdata/en/20/fc91cb75191014ac15eb4d6f2d7dde/content.htm
it says,

"For users without ROLE ADMIN privileges, only the user that granted a specific privilege can revoke it."
For the above statement, I would assume "ROLE ADMIN" privilege is enough to revoke the privilege.

Not sure if I have understood the above documents correctly. Either way, I want to revoke the privilege of other users from SUPERUSER.
Is there a way to accomplish it?

Regards,
Mashood


1 Answer

Yuksel AKCINAR Jan 07, 2017 at 02:35 PM

Hello Mashood,

In the document below, "Table 2: Prerequisites for Revoking Privileges" says that in order to revoke a system privilege, you must be the user who granted the privilege.

https://help.sap.com/saphelp_hanaplatform/helpdata/en/c7/19b2e7d9761014b9d798770c3d0958/content.htm

So, from the result of the select statement, the DATA ADMIN system privilege is granted by SYSTEM. So it can be revoked by the SYSTEM user.

JACOB's case proves the above prerequisite.

Regards,

Yuksel AKCINAR
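
The grantor rule discussed in this thread, written as a query (an added example, not part of the original posts): it lists every DATA ADMIN grant in GRANTED_PRIVILEGES together with the account that has to issue the REVOKE. It assumes plain upper-case user names like those in the question's output, so the generated statements do not quote identifiers.

```sql
-- Added example. For each DATA ADMIN grant, show which account must run the
-- REVOKE and whether the current session is that account.
SELECT
    GRANTEE,
    GRANTOR AS MUST_CONNECT_AS,
    CASE
        WHEN GRANTOR = CURRENT_USER THEN 'revocable in this session'
        ELSE 'reconnect as grantor'
    END AS STATUS,
    'REVOKE DATA ADMIN FROM ' || GRANTEE || ';' AS REVOKE_STATEMENT
FROM GRANTED_PRIVILEGES
WHERE OBJECT_TYPE  = 'SYSTEMPRIVILEGE'
  AND PRIVILEGE    = 'DATA ADMIN'
  AND GRANTEE_TYPE = 'USER'
ORDER BY GRANTOR, GRANTEE;

-- JOHN's row has GRANTOR = SYSTEM, so this statement only takes effect
-- when it is run in a session connected as SYSTEM:
REVOKE DATA ADMIN FROM JOHN;

-- Confirm the grant is gone; hdbsql reported no error for the failed
-- attempt in the question, so check the view rather than the return status.
SELECT GRANTEE, GRANTOR, PRIVILEGE
FROM GRANTED_PRIVILEGES
WHERE PRIVILEGE = 'DATA ADMIN'
  AND GRANTEE   = 'JOHN';
```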
