cancel
Showing results for 
Search instead for 
Did you mean: 

Adding new "roles" in HANA system

Former Member
0 Kudos

Hello,

Is there way to drop old "roles"  from Security tab in HANA system and add a new One??

In my first project I had created my repository with new roles and shared the project. Later I had deleted the entire project and repository and create a new one. But still I can find there are few items are still available in repository and in content folder. I am able to delete those items. After creating a new project with new schema and user role, I was trying to assign the same, But I can able to locate old "roles". The one I have created newly, not showing at all.

Can you help me with resolve this issue?

Thanks

Avijit

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
0 Kudos

To CREATE ROLE statement creates a new role.

Only database users with the system privilege ROLE ADMIN are allowed to create roles.

The specified role name must not be identical to the name of an existing user or role.

 

A role is a named collection of privileges and can be granted to either a user or a role. If you want to allow several database users to perform the same actions, you can create a role, grant the needed privileges to this role, and then grant the role to the database users.

Every user is allowed to grant privileges to an existing role, but only users having system privilege ROLE ADMIN are allowed to grant roles to roles and users.

Alternative method is to create a new Role e.g. CAL_USERS and add the role to applicable users.Within SAP HANA it is recommended practise to use roles to manage authorisation. A role is a collection of privileges and can be granted to either a user or another role (nesting roles).“All the privileges granted directly or indirectly to a user are combined. This means whenever a user tries to access an object, the system performs an authorisation check using the user, the user’s roles, and

directly allocated privileges. It is not possible to explicitly deny privileges. This means that the system does not need to check all the user’s role. As soon as the

requested privilege has been found, the system aborts the check and grants access.”[1]This directly affects the view or result of your data and is a common reason why Analytic Privileges appear not to work as some indirect route may still exist to allow the action.

To create a new role navigate to Catalog > Authorization > Roles – right click and click

Regards

NK

Former Member
0 Kudos

Hello,

I have the system privilege to create a role.

My question was to drop a role which was already created. And I have already created a new one  which is not showing when I am trying  to locate the same

Thanks

Avi

Former Member
0 Kudos

Hi,

Right click on the role you would like to drop under Security->Role and select 'Delete' from the context menu.

Are you refreshing the Roles node before you check for the newly created role?

BR,

Nidhi

Former Member
0 Kudos

Hi,

i have tried this and other alternative steps to drop a particular role which was created earlier.

I am getting an error saying " insufficient privilege". cannot drop activated roles. I am having the system privilege to create a role. Moreover the one i have created newly, is not showing up..

Not able to figure out the issue behind it.

Avi

Former Member
0 Kudos

Okay. This should work if you have the ROLE ADMIN privilege, which you say you have.

What message do you get when you save your newly created role?

Nidhi

Former Member
0 Kudos

I have already created my new role through internal coding in my project explorer. I did the same for my old role too. In the context menu when I right click on roles to find/user role, I am not able to locate the same but i could able to locate the old roles. I am getting an error message saying "insufficient privilege" while deleting the role.

Former Member
0 Kudos

Just out of curiosity, (I'm a HANA beginner myself ), why would you need to create a new role in explorer?

Have you tried creating a role with the same privileges from Navigator?

If that works, there must be some issue with your code.

But, if you get the "insufficient privilege" error again, I think the problem lies in the privileges you've been assigned.

Nidhi

Former Member
0 Kudos

Well, there are two ways you can create roles and assign their privileges.

1. By right clicking on roles from context menu(Navigator/SAP HANA systems)and

2. When you create and project and assign it to a repository and then inside the folder of the project create a file called .xsaccess and .xsprivileges. In .xsprivileges file you will provide your schema name and project information apart from your user information.

Even me too a HANA beginner . But could able grasp a lot of information in short span of time. Gonna sit for the cert exam. Hope this helps!!.

And yes, may be the problem lies in privileges i've been assigned or may be some internal issues. I am using AWS HANA dev trial period.

Thanks anyways!!

Avijit

thomas_jung
Developer Advocate
Developer Advocate
0 Kudos

>2. When you create and project and assign it to a repository and then inside the folder of the project create a file called .xsaccess and .xsprivileges. In .xsprivileges file you will provide your schema name and project information apart from your user information.

That's not right at all. In the xsprivileges file you define possible application privileges which can be checked at runtime when content is accessed via HTTP (via the XSEngine).  In the xsaccess file you assign these application privileges to your package hierarchy.  However neither of these artifacts have anything to do with schemas or the creation of a role.



You create a role in the repository via the artifact hdbrole. This is where you grant access to catalog objects, repository packages, and application privileges.

Former Member
0 Kudos

I cleared the exam today itself. All the best!

Former Member
0 Kudos

Yes, you are right.. Neither of these artifacts have anything to do with schemas or the creation of a role. You create a role in the repository via the artifact "hdbrole" which I had done that too while developing my application.  But missed out to incorporate the same in my earlier response.

Thanks for correcting me..

This is where I've grant access to catalog objects, repository packages, and application privileges.

Newly I have created role in the repository via the artifact hdbrole which is not showing up while trying to grant access to catalog objects, repository packages, and application privileges.

I am unable to delete the role which I'd created earlier and in the content folder of "role" new role which I had created newly not showing up. I even tried to find  in Object privileges/SQL privileges section. I could able to add my new catalog object but not able to grant access to repository packages, and application privileges.

Regards

Former Member
0 Kudos

Yes, you are right.. Neither of these artifacts have anything to do with schemas or the creation of a role. You create a role in the repository via the artifact "hdbrole" which I had done that too while developing my application.  But missed out to incorporate the same in my earlier response.

Thanks for correcting me..

This is where I've grant access to catalog objects, repository packages, and application privileges.

Newly I have created role in the repository via the artifact hdbrole which is not showing up while trying to grant access to catalog objects, repository packages, and application privileges.

I am unable to delete the role which I'd created earlier and in the content folder of "role" new role which I had created newly not showing up. I even tried to find  in Object privileges/SQL privileges section. I could able to add my new catalog object but not able to grant access to repository packages, and application privileges.

Regards

Former Member
0 Kudos

Congratulations Nidhi!!..

Former Member
0 Kudos

Congratulation nidhi for the exam !

Former Member
0 Kudos

Thank you!