on 10-22-2011 2:38 PM
Hi Team,
I am practicing on User & Role Management. some exercises done for general approach for user & Roles..
i don't see following options from Administration through HDB studio.
How to copy from one user to another user?
Suppose i create one user with respective Roles, same user roles need to copy to another user. ( mass user creation)
*Similar Mass Role creation
I believe this can achieve through procedures, anyone done that procedures?
thanks & Regards
Rao
Hello Ganesh,
I think "copy" of the user is little problematic - SAP HANA security concept is making big difference in who granted particular privilege or role.
In case user would execute copy - what exactly should be copied?
1.) In case that all privileges - then this would be considered as security issue as you can create new user with privileges that you are not authorized to grant (you simply cannot grant privilege on behalf of another user - this would make it possible)
2.) In case that only privileges that you granted - then this new user would not be identical to source user which if overlooked can cause issues (in other words such behavior would not be expected from users)
Anyway I found your request to create procedure quite interesting and here it is:
CREATE PROCEDURE SYSTEM.COPY_USER (IN V_SOURCE_USER NVARCHAR(256), IN V_TARGET_USER NVARCHAR(256), IN V_TARGET_PWD NVARCHAR(256)) LANGUAGE SQLSCRIPT AS
V_FOUND INT := 1;
CURSOR C_ROLE_LIST (V_SRC_USER NVARCHAR(256)) FOR
SELECT ROLE_NAME, IS_GRANTABLE FROM "SYS"."GRANTED_ROLES" WHERE GRANTEE=:V_SRC_USER AND GRANTEE_TYPE='USER' AND GRANTOR=CURRENT_USER;
BEGIN
SELECT COUNT(*) INTO V_FOUND FROM "SYS"."USERS" WHERE USER_NAME = :V_SOURCE_USER;
IF :V_FOUND = 1 THEN
EXEC 'CREATE USER ' || :V_TARGET_USER || ' IDENTIFIED BY ' || :V_TARGET_PWD;
FOR V_LIST_ROW AS C_ROLE_LIST(:V_SOURCE_USER) DO
IF V_LIST_ROW.IS_GRANTABLE='FALSE' THEN
EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER;
ELSE
EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER || ' WITH ADMIN OPTION';
END IF;
END FOR;
END IF;
END;
You can call this procedure like this:
CALL COPY_USER ('SOURCE_USER', 'TARGET_USER', 'INITIAL_PASSWORD')
But bear in mind following limitations:
1.) only roles are replicated (nothing else) - this should not be problem as you should not be granting privileges directly to users especially in case that you expect mass copy
2.) only roles where current user is grantor are copied - this is to preserve grantee - remaining roles must be added manually (if you do not like this behavior then remove "GRANTOR=CURRENT_USER" condition in select statement and all roles will be added)
I hope you will like it
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
I think CREATE USER <user_name> IDENTIFIED BY <password> may not be the correct syntax.
You can try modifying the below line:
EXEC 'CREATE USER ' || :V_TARGET_USER || ' IDENTIFIED BY ' || :V_TARGET_PWD;
to
EXEC 'CREATE USER ' || :V_TARGET_USER || ' PASSWORD ' || :V_TARGET_PWD;
Also it would help if you can post the error message to understand the issue better.
Regards,
Ravi
I extended this procedure a bit. Now it's also possible to copy granted privileges from the source to the target user.
CREATE PROCEDURE copy_user (IN V_SOURCE_USER NVARCHAR(256), IN V_TARGET_USER NVARCHAR(256), IN V_TARGET_PWD NVARCHAR(256))
LANGUAGE SQLSCRIPT
AS
V_FOUND INT := 1;
CURSOR C_ROLE_LIST (V_SRC_USER NVARCHAR(256)) FOR
SELECT ROLE_NAME, IS_GRANTABLE FROM "SYS"."GRANTED_ROLES" WHERE GRANTEE=:V_SRC_USER AND GRANTEE_TYPE='USER' AND GRANTOR=CURRENT_USER;
CURSOR C_PRIV_LIST (V_SCR_USER NVARCHAR(256)) FOR
SELECT OBJECT_NAME, PRIVILEGE, IS_GRANTABLE FROM "SYS"."GRANTED_PRIVILEGES" WHERE GRANTEE=:V_SCR_USER AND GRANTEE_TYPE='USER' AND GRANTOR=CURRENT_USER;
BEGIN
SELECT COUNT(*) INTO V_FOUND FROM "SYS"."USERS" WHERE USER_NAME = :V_SOURCE_USER;
IF :V_FOUND = 1 THEN
EXEC 'CREATE USER ' || :V_TARGET_USER || ' PASSWORD ' || :V_TARGET_PWD;
FOR V_LIST_ROW AS C_ROLE_LIST(:V_SOURCE_USER) DO
IF V_LIST_ROW.IS_GRANTABLE='FALSE' THEN
EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER;
ELSE
EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER || ' WITH ADMIN OPTION';
END IF;
END FOR;
FOR V_LIST_ROW AS C_PRIV_LIST(:V_SOURCE_USER) DO
IF V_LIST_ROW.IS_GRANTABLE='FALSE' THEN
EXEC 'GRANT ' || V_LIST_ROW.PRIVILEGE || ' ON ' || V_LIST_ROW.OBJECT_NAME || ' TO ' || :V_TARGET_USER;
ELSE
EXEC 'GRANT ' || V_LIST_ROW.PRIVILEGE || ' ON ' || V_LIST_ROW.OBJECT_NAME || ' TO ' || :V_TARGET_USER || ' WITH GRANT OPTION';
END IF;
END FOR;
END IF;
END;
Were you able to proceed with this 'COPY USER' automation activity.
The user is getting created automatically after executing the stored procedure but only the default role 'PUBLIC' is available for the new user.
I am also not able to get the desired result with the help of the SP mentioned below.
Am I missing some basics here?
, can you please help me here?
BR
Prabhith
The lack (or lack of its obvious visibility) of Copy User function in the HANA Studio drives me nuts too. But I haven't looked at scripting possibilities yet. -VR
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi All,
The problem that you all are facing due to the change in queries that we use to execute with early HANA Revisions and what we execute now. Earlier we use to make use of below query to create a user:
CREATE USER <username> IDENTIFIED BY <userpassword>;
But from SP03 onwards, this query has changed to
CREATE USER <username> password <userpassword>;
So try creating a procedure like:
CREATE PROCEDURE SYSTEM.COPY_USER (IN V_SOURCE_USER NVARCHAR(256), IN V_TARGET_USER NVARCHAR(256), IN V_TARGET_PWD NVARCHAR(256)) LANGUAGE SQLSCRIPT AS
V_FOUND INT := 1;
CURSOR C_ROLE_LIST (V_SRC_USER NVARCHAR(256)) FOR
SELECT ROLE_NAME, IS_GRANTABLE FROM "SYS"."GRANTED_ROLES" WHERE GRANTEE=:V_SRC_USER AND GRANTEE_TYPE='USER' AND GRANTOR=CURRENT_USER;
BEGIN
SELECT COUNT(*) INTO V_FOUND FROM "SYS"."USERS" WHERE USER_NAME = :V_SOURCE_USER;
IF :V_FOUND = 1 THEN
EXEC 'CREATE USER ' || :V_TARGET_USER || ' IDENTIFIED BY ' || :V_TARGET_PWD;
FOR V_LIST_ROW AS C_ROLE_LIST(:V_SOURCE_USER) DO
IF V_LIST_ROW.IS_GRANTABLE='FALSE' THEN
EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER;
ELSE
EXEC 'GRANT ' || V_LIST_ROW.ROLE_NAME || ' TO ' || :V_TARGET_USER || ' WITH ADMIN OPTION';
END IF;
END FOR;
END IF;
END;
and call it by:
CALL COPY_USER ('SOURCE_USER', 'TARGET_USER', 'INITIAL_PASSWORD')
Hope it helps.
Regards,
Deepak Chodha.
User | Count |
---|---|
78 | |
10 | |
9 | |
7 | |
6 | |
6 | |
5 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.