cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

User Management Issues

Former Member

on ‎10-22-2011 2:38 PM

0 Kudos

Hi Team,

I am practicing on User & Role Management. some exercises done for general approach for user & Roles..

i don't see following options from Administration through HDB studio.

  • How to copy from one user to another user?

  • Suppose i create one user with respective Roles, same user roles need to copy to another user. ( mass user creation)

*Similar Mass Role creation

I believe this can achieve through procedures, anyone done that procedures?

thanks & Regards

Rao

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

tomas-krojzl
Active Contributor
‎10-26-2011 11:07 PM
0 Kudos

Hello Ganesh,

I think "copy" of the user is little problematic - SAP HANA security concept is making big difference in who granted particular privilege or role.

In case user would execute copy - what exactly should be copied?

1.) In case that all privileges - then this would be considered as security issue as you can create new user with privileges that you are not authorized to grant (you simply cannot grant privilege on behalf of another user - this would make it possible)

2.) In case that only privileges that you granted - then this new user would not be identical to source user which if overlooked can cause issues (in other words such behavior would not be expected from users)

Anyway I found your request to create procedure quite interesting and here it is:

CREATE PROCEDURE SYSTEM.COPY_USER (IN V_SOURCE_USER NVARCHAR(256), IN V_TARGET_USER NVARCHAR(256), IN V_TARGET_PWD NVARCHAR(256)) LANGUAGE SQLSCRIPT AS
  V_FOUND INT := 1;
  CURSOR C_ROLE_LIST (V_SRC_USER NVARCHAR(256)) FOR
    SELECT ROLE_NAME, IS_GRANTABLE FROM "SYS"."GRANTED_ROLES" WHERE GRANTEE=:V_SRC_USER AND GRANTEE_TYPE='USER' AND GRANTOR=CURRENT_USER;
BEGIN
  SELECT COUNT(*) INTO V_FOUND FROM "SYS"."USERS" WHERE USER_NAME = :V_SOURCE_USER;
  IF :V_FOUND = 1 THEN
    EXEC 'CREATE USER ' || :V_TARGET_USER || ' IDENTIFIED BY ' || :V_TARGET_PWD;
    FOR V_LIST_ROW AS C_ROLE_LIST(:V_SOURCE_USER) DO
      IF V_LIST_ROW.IS_GRANTABLE='FALSE' THEN
        EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER;
      ELSE
        EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER || ' WITH ADMIN OPTION';
      END IF;
    END FOR;
  END IF;
END;

You can call this procedure like this:

CALL COPY_USER ('SOURCE_USER', 'TARGET_USER', 'INITIAL_PASSWORD')

But bear in mind following limitations:

1.) only roles are replicated (nothing else) - this should not be problem as you should not be granting privileges directly to users especially in case that you expect mass copy

2.) only roles where current user is grantor are copied - this is to preserve grantee - remaining roles must be added manually (if you do not like this behavior then remove "GRANTOR=CURRENT_USER" condition in select statement and all roles will be added)

I hope you will like it

Show replies
Show replies
Former Member
‎10-27-2011 4:19 AM
0 Kudos

Hi Tomas,

Thank you, already i worked some kind of stuff like this, I hope this felicity should need in HANA studio, Hope SAP interoduce next patches.

Currently is not available in patch 17.

Former Member
‎09-18-2012 10:52 AM
0 Kudos

Hello Tomas,

I tried this piece of code. I was able to create the stored procedure. But I'm facing an error while running it.

"Incorrect syntax near "BY" : line 1 col 32  ( at pos 32 ) "

Any thought about this ?

Regards,

Anil

Former Member
‎09-24-2012 7:33 PM
0 Kudos

Hi Anil,

I have this issue too. I upgraded my HANA Studio or HANA I dont remember what I have upgraded but you can start to upgrade your studio. But as I said I am not sure what I did.    

former_member215510
Explorer
‎11-17-2012 11:29 PM
0 Kudos

Is there a way to put any debug statements in the procedure, I am getting a syntax error when I call it.

When I look at the procedure the line number and positions are not helping identifying the error as it is a dynamic SQL.

Poonam

former_member184768
Active Contributor
‎11-18-2012 7:59 AM
0 Kudos

Hi,

I think CREATE USER <user_name> IDENTIFIED BY <password> may not be the correct syntax.

You can try modifying the below line:

EXEC 'CREATE USER ' || :V_TARGET_USER || ' IDENTIFIED BY ' || :V_TARGET_PWD;

to

EXEC 'CREATE USER ' || :V_TARGET_USER || ' PASSWORD ' || :V_TARGET_PWD;

Also it would help if you can post the error message to understand the issue better.

Regards,

Ravi

Former Member
‎06-27-2013 8:33 PM
0 Kudos

I extended this procedure a bit. Now it's also possible to copy granted privileges from the source to the target user.

CREATE PROCEDURE copy_user (IN V_SOURCE_USER NVARCHAR(256), IN V_TARGET_USER NVARCHAR(256), IN V_TARGET_PWD NVARCHAR(256)) 
  LANGUAGE SQLSCRIPT 
  AS 
  V_FOUND INT := 1;
  CURSOR C_ROLE_LIST (V_SRC_USER NVARCHAR(256)) FOR
    SELECT ROLE_NAME, IS_GRANTABLE FROM "SYS"."GRANTED_ROLES" WHERE GRANTEE=:V_SRC_USER AND GRANTEE_TYPE='USER' AND GRANTOR=CURRENT_USER;
  CURSOR C_PRIV_LIST (V_SCR_USER NVARCHAR(256)) FOR
    SELECT OBJECT_NAME, PRIVILEGE, IS_GRANTABLE FROM "SYS"."GRANTED_PRIVILEGES" WHERE GRANTEE=:V_SCR_USER AND GRANTEE_TYPE='USER' AND GRANTOR=CURRENT_USER;  
BEGIN
  SELECT COUNT(*) INTO V_FOUND FROM "SYS"."USERS" WHERE USER_NAME = :V_SOURCE_USER;
  IF :V_FOUND = 1 THEN
    EXEC 'CREATE USER ' || :V_TARGET_USER || ' PASSWORD ' || :V_TARGET_PWD;
    FOR V_LIST_ROW AS C_ROLE_LIST(:V_SOURCE_USER) DO
      IF V_LIST_ROW.IS_GRANTABLE='FALSE' THEN
        EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER;
      ELSE
        EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER || ' WITH ADMIN OPTION';
      END IF;
    END FOR;
    FOR V_LIST_ROW AS C_PRIV_LIST(:V_SOURCE_USER) DO
      IF V_LIST_ROW.IS_GRANTABLE='FALSE' THEN
        EXEC 'GRANT ' || V_LIST_ROW.PRIVILEGE || ' ON ' || V_LIST_ROW.OBJECT_NAME || ' TO ' || :V_TARGET_USER;
      ELSE
        EXEC 'GRANT ' || V_LIST_ROW.PRIVILEGE || ' ON ' || V_LIST_ROW.OBJECT_NAME || ' TO ' || :V_TARGET_USER || ' WITH GRANT OPTION';
      END IF;
    END FOR;
  END IF;
END;
Former Member
‎07-26-2013 5:39 AM
0 Kudos

Hi,

I would like to create user XYZ copying existing user SYSTEM,in this case what all the things I need to change in above given procedure.

Regards

Uday

Former Member
‎07-29-2013 10:33 AM
0 Kudos

Hi Uday,

Currently it's not possible to copy the SYSTEM user. The only option is to create a new user, assign the roles and objects manually and then copy this user to other users (with the above procedure).

Best regards,

Jeroen

Former Member
‎08-19-2013 11:21 AM
0 Kudos

Hi Jeroen,

Fine I will create new user with same set of roles as like SYSTEM user,later if I want to copy that user to create a new one,how should the procedure (Say ABC has to be copied to XYZ) what all the things I need to change in the above procedure

Regards

Uday

Former Member
‎08-19-2013 12:17 PM
0 Kudos

Hi Uday,

You don't have to change the procedure. Just insert the usernames in the call command:

CALL COPY_USER ('SOURCE_USER', 'TARGET_USER', 'INITIAL_PASSWORD')

your example:

CALL COPY_USER ('ABC', 'XYZ', 'Welcome123!')

Regards,

Jeroen

former_member185165
Active Participant
‎12-04-2014 2:38 AM
0 Kudos

Hi Jeroen,

I tried this but only the user is created with Public role. The other roles are not copied from the source to target.

Thanks & Regards,

Vijay

Prabhith
Active Contributor
‎03-24-2015 9:10 AM
0 Kudos

Hi ,

Were you able to proceed with this 'COPY USER' automation activity.

The user is getting created automatically after executing the stored procedure but only the default role 'PUBLIC' is available for the new user.

I am also not able to get the desired result with the help of the SP mentioned below.

Am I missing some basics here?

, can you please help me here?

BR

Prabhith

Former Member
‎12-14-2015 10:33 AM
0 Kudos

Hello Jeroen,

In HANA SQL Console, we can execute the statements: CREATE, COPY etc..

Do we first need to add your procedure in one of the folders of the catalog?

Thanks,

Sunny Doshi

Former Member
‎12-14-2015 10:46 AM
0 Kudos

Hi Sunny,


I don't know if this procedure is still valid for the current HANA release. But you can try. You can execute 'CREATE PROCEDURE' in SQL Console to create the procedure and then call 'CALL COPY_USER' to execute the procedure.

I hope this helps.


Best regards,

Jeroen

Vitaliy-R
Developer Advocate
Developer Advocate
‎10-26-2011 6:44 PM
0 Kudos

The lack (or lack of its obvious visibility) of Copy User function in the HANA Studio drives me nuts too. But I haven't looked at scripting possibilities yet. -VR

Show replies
Show replies
deepak_chodha
Explorer
‎06-24-2013 1:12 PM
0 Kudos

Hi All,

The problem that you all are facing due to the change in queries that we use to execute with early HANA Revisions and what we execute now. Earlier we use to make use of below query to create a user:

CREATE USER <username> IDENTIFIED BY <userpassword>;

But from SP03 onwards, this query has changed to

CREATE USER <username> password <userpassword>;

So try creating a procedure like:

CREATE PROCEDURE SYSTEM.COPY_USER (IN V_SOURCE_USER NVARCHAR(256), IN V_TARGET_USER NVARCHAR(256), IN V_TARGET_PWD NVARCHAR(256)) LANGUAGE SQLSCRIPT AS

  V_FOUND INT := 1;

  CURSOR C_ROLE_LIST (V_SRC_USER NVARCHAR(256)) FOR

    SELECT ROLE_NAME, IS_GRANTABLE FROM "SYS"."GRANTED_ROLES" WHERE GRANTEE=:V_SRC_USER AND GRANTEE_TYPE='USER' AND GRANTOR=CURRENT_USER;

BEGIN

  SELECT COUNT(*) INTO V_FOUND FROM "SYS"."USERS" WHERE USER_NAME = :V_SOURCE_USER;

  IF :V_FOUND = 1 THEN

    EXEC 'CREATE USER ' || :V_TARGET_USER || ' IDENTIFIED BY ' || :V_TARGET_PWD;

    FOR V_LIST_ROW AS C_ROLE_LIST(:V_SOURCE_USER) DO

      IF V_LIST_ROW.IS_GRANTABLE='FALSE' THEN

        EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER;

      ELSE

        EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER || ' WITH ADMIN OPTION';

      END IF;

    END FOR;

  END IF;

END;

and call it by:

CALL COPY_USER ('SOURCE_USER', 'TARGET_USER', 'INITIAL_PASSWORD')

Hope it helps.

Regards,

Deepak Chodha.

Ask a Question