
Role in a Package?

former_member205400
Active Participant
0 Kudos

Hello,

My HANA security guy read something about putting a role inside a package and moving it up the landscape with the object being transported.

How do we get that role in a package?

When I'm on a package and r-click and select 'New' role isn't one of the options.

Do I create a procedure and then code that role inside the procedure?

Mike

Accepted Solutions (1)


justin_molenaur2
Contributor
0 Kudos

Hey Michael, to achieve design time role definition and export ability, you need to be using the developer perspective and the repository concept. You can't create roles in the modeler perspective, only at runtime (as Vijay explained) or at design time in the repository.

For me, the best resource thus far is this free course

https://open.sap.com/course/hana1-1

This explains a lot of this concept. This is not a widely known topic or often used in practice, but SAP is moving towards this instead of continuing to use the modeler perspective in future SPs.

Regards,

Justin

Answers (5)


Former Member
0 Kudos

Hi Michael Hill,

Roles can be modeled as Repository Objects and, as you got from the Open SAP course, are known as design-time roles.

Design-time roles can be used to grant the following privileges:

  • Privileges that have been granted to the technical user _SYS_REPO and that _SYS_REPO can grant further
    • This is automatically the case for system privileges, package privileges, analytic privileges, and application privileges
  • Privileges on objects that _SYS_REPO owns
    • _SYS_REPO owns all activated objects. Object privileges on non-activated runtime objects must be explicitly granted to _SYS_REPO.

Thus, it includes all the design-time objects, and if you need to include the runtime objects then you should first grant the same to _SYS_REPO with grantable to others.

Regards,

Anjali Chimnani.
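The sequence described in the answer above, written out as an added example that is not part of the original post. The schema SALES_DATA, the package acme.security, the role SalesReader and the user REPORT_USER are placeholder names assumed for illustration.

```sql
-- Added example; SALES_DATA, acme.security::SalesReader and REPORT_USER
-- are placeholder names, not objects from the thread.

-- 1. SALES_DATA is a runtime (non-activated) schema, so _SYS_REPO does not
--    own it. Grant the privilege to _SYS_REPO, grantable to others, before
--    a design-time role can carry it.
GRANT SELECT ON SCHEMA "SALES_DATA" TO _SYS_REPO WITH GRANT OPTION;

-- 2. Check that the grant exists and is grantable. If IS_GRANTABLE is not
--    TRUE here, the role in step 3 cannot pass the privilege on.
SELECT GRANTEE, SCHEMA_NAME, PRIVILEGE, IS_GRANTABLE
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE GRANTEE = '_SYS_REPO'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = 'SALES_DATA';

-- 3. The design-time role is a repository file, not a SQL statement.
--    Saved in package acme.security as SalesReader.hdbrole and activated:
--
--    role acme.security::SalesReader {
--        catalog schema "SALES_DATA": SELECT;
--    }

-- 4. The activated role is owned by _SYS_REPO, so it is granted through
--    the _SYS_REPO procedure.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('acme.security::SalesReader', 'REPORT_USER');

-- 5. Review who holds the role and who granted it. For an activated role
--    the grantor is expected to be _SYS_REPO.
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE ROLE_NAME = 'acme.security::SalesReader';

-- 6. Removal goes through the matching procedure.
CALL "_SYS_REPO"."REVOKE_ACTIVATED_ROLE"('acme.security::SalesReader', 'REPORT_USER');
```

Only step 1 has to be repeated by hand in each target system, because the runtime schema is not part of the transported package.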

Former Member
0 Kudos

I appreciate the affirmation, Justin, and so I just kept slogging to get that design-time role created. Unfortunately I was hindered by coming into the half-formed HANA development arena (and with half-formed development knowledge.)

So I'll answer Mike's (my own) post --- no points necessary.

Here are the bare bones steps for any other Basis Security folks entering the HANA Security arena.

  • Install the 64-bit HANA client and configure Repository Access preference
  • Create a Repository Workspace
  • Connect to your CTS (we have a new SolMan 7.1 for CTS+ and utilize Rev-Trac)
  • Create and share a Project
  • Set up (or reuse) Delivery Units (DU) and Packages
  • Create, save and activate the Role
  • Export the DU

I'll try and flesh this out further once I get audit policies put together.

Thanks,

Robert

Former Member
0 Kudos

Good Afternoon,

Thanks, Mike, Vijay and Justin.

I'm checking out the OpenSAP course (again) but my suspicion is that role transport is only available for roles associated with an XS application (an area into which we have yet to venture.)

What I would like to do is convert my current batch of run-time roles to design-time versions and transport them. Is this a possibility?

Thanks,

Robert

justin_molenaur2
Contributor
0 Kudos

You can absolutely do this. The development perspective is not limited to XS applications; almost all artifact types are moving toward this, including modeling artifacts. You can also move table definitions to design-time objects too, no need for manual script execution.

At a high level, you link a project in the development view to a systems view package. Since the objects are now contained within a package via this technique, you can subsequently attach to a delivery unit and manually export or transport using CTS+.

I am not actively using this for modeling development, but the security team on our project is performing the same work you are asking about right now.

Hope this helps a little,

Justin

justin_molenaur2
Contributor
0 Kudos

And just FYI, this technique also brings you the ability to transport table definitions and debug stored procedures, so it's pretty darn useful.

Regards,

Justin

former_member185165
Active Participant
0 Kudos

Hi Mike,

There are two ways of creating any object in HANA. One is using the UI approach in HANA studio, like you have mentioned above. The other is using a script-based approach. You need to open the SQL console and do it.

To create roles by script, follow the syntax mentioned below.

Syntax

 CREATE ROLE <role_name>

The name of the role to be created. The specified role name must not be identical to the name of an existing user or role.

Syntax Elements

 <role_name> ::= <identifier>

The name of the role to be created.

Please refer to the following link for more information. You can also grant and revoke access on the roles.

Thanks & Regards,

Vijay