
Access to SYS schema

patrickbachmann
Active Contributor
0 Kudos

Hi folks,

Can somebody tell me more about the SYS schema and if it's not intended to be viewed by users except by SAP? The reason I ask is we can see some interesting table descriptions in this schema that we think could contain useful information, but cannot access them to see what they contain exactly. We also noticed that not even the SYSTEM user has the ability to grant select access on the SYS schema to other users. Also we noticed that there is a predefined role called SAP_INTERNAL_HANA_SUPPORT that seems to be the only role capable of viewing the contents of the SYS schema tables. When attempting to assign this role to a user as a test we were alerted that it could only be assigned to ONE user at a time, so we stopped. Does this mean that we should generally avoid looking at the contents of the SYS schema and that it's only intended for internal SAP use only?

Thanks,

-Patrick

Accepted Solutions (1)


Prabhith
Active Contributor
0 Kudos

Hi Former Member

Please see the SAP documentation of the role SAP_INTERNAL_HANA_SUPPORT:

This role bundles system privileges and object privileges that allow access to certain low-level internal system views. Access to these views is required by SAP HANA development support during support scenarios. All access is read-only. In particular, this role does not provide access to any of your data.

The definition of these low-level internal system views is not part of the stable end-user interface and might change from revision to revision. For this reason the use of this role has been limited in order to avoid administrators and end-users accessing these internal system views in applications and scripts. Ideally, this role should only been granted to SAP HANA development support users for their support activities.

Specifically, this role contains privileges for read-only access to all metadata, the current system status, and the data of the statistics server. Additionally, it contains the privileges for accessing the low level internal system views.

Note
Along with users having SAP_INTERNAL_HANA_SUPPORT role, the SYSTEM user also has access to these views. To avoid accidental usage of this role in day-to-day activities, the following restrictions apply for the SAP_INTERNAL_HANA_SUPPORT role.
Cannot be granted to more than one user at a time.
Cannot be granted to another role.
Cannot have another role granted to it.
Cannot have object privileges granted to it.
Can only have system privileges granted to it. However for security reasons SAP recommends system privileges should be granted to the user and not to the role.


With every upgrade of the SAP HANA engine, the support role is automatically reset to its default privileges.

Courtesy : help.sap.com

BR
Prabhith
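The restrictions quoted above mean that at most one user holds the role at any time, so a standing assignment is easy to audit. The following SQL is an added example, not part of the post or of the SAP documentation; it assumes the standard SAP HANA catalog views GRANTED_ROLES, USERS and GRANTED_PRIVILEGES with the column names shown, and an executing user who is allowed to read them.

```sql
-- Added example: audit of the SAP_INTERNAL_HANA_SUPPORT role.
-- Assumption: catalog views GRANTED_ROLES, USERS and GRANTED_PRIVILEGES
-- are available under these names and columns on the system in use.

-- 1. Who currently holds the support role, who granted it, and whether
--    that account is still active. Outside an open support case the
--    expected result is zero rows.
SELECT gr.GRANTEE,
       gr.GRANTEE_TYPE,
       gr.GRANTOR,
       u.USER_DEACTIVATED,
       u.LAST_SUCCESSFUL_CONNECT
FROM   GRANTED_ROLES gr
LEFT JOIN USERS u
       ON u.USER_NAME = gr.GRANTEE
WHERE  gr.ROLE_NAME = 'SAP_INTERNAL_HANA_SUPPORT';

-- 2. Privileges attached to the role itself. The role is reset to its
--    defaults on every engine upgrade, so comparing this list before and
--    after an upgrade shows any system privilege that was added locally
--    (SAP recommends granting such privileges to the user instead).
SELECT PRIVILEGE,
       OBJECT_TYPE,
       GRANTOR
FROM   GRANTED_PRIVILEGES
WHERE  GRANTEE      = 'SAP_INTERNAL_HANA_SUPPORT'
AND    GRANTEE_TYPE = 'ROLE'
ORDER  BY PRIVILEGE;
```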

patrickbachmann
Active Contributor
0 Kudos

Thanks guys for all this additional information!  Much appreciated.

-Patrick

Answers (1)


patrickbachmann
Active Contributor
0 Kudos

Ok I think I found the information I needed in section 7.3.1 of the latest SPS 06 Security Guide.  It looks like indeed it's only intended for internal purposes. 

vivekbhoj
Active Contributor
0 Kudos

Hi Patrick,

It's also written there that this role gives read-only access to all metadata.

"Without the SAP_INTERNAL_HANA_SUPPORT role, this information can be selected only by the SYSTEM user."

So the SYSTEM user can also access all the information. I guess this role is not for internal use only, as it's clearly stated that: "this role should only been granted to SAP HANA development support users for their support activities."

This role also existed earlier with the name "SUPPORT" but has now been renamed to this:

http://scn.sap.com/community/hana-in-memory/blog/2013/07/11/sps-which-new-features-do-you-like

Regards,

Vivek