
HANA XS - Authorization Help

former_member194780

HANA friends,

Need your inputs on handling the below authorization scenario in XS.

Currently, I have an XS application that INSERTS, UPDATES, SELECTS data from XYZ Schema. I have separate procedures as well in that schema.

Say I have "X" user and he has privilege to XYZ Schema for INSERT,UPDATE,SELECT so that the DB operations are allowed from the XS application.

Now the issue is, the same user can log into HANA Studio and manipulate data using INSERT/UPDATE/DELETE statement from the SQL console. This should not happen.

Have you come across this situation? If so, what would be the best approach to handle this? As far as my understanding goes, currently we cannot specifically restrict the HANA user from accessing the SQL Console / accessing the data from HANA Studio once you have given the privilege.

Appreciate your help.

Thanks

Avinash Raju

Accepted Solutions (1)

thomas_jung
Developer Advocate

What people do is create stored procedures to perform the updates. The stored procedures are created with Definer rights. This means they execute as sys_repo. Only give sys_repo schema rights and no one else.

In SPS09 we plan for something new called context sensitive authorizations. This will really solve your problem. It will allow you to set the schema rights such that a user only has them when running through a specific XS URL.

One other possible solution I just thought of. You could use a SQLCC and switch to a fixed user that has this authorization in the XSJS Connection object. You would still authenticate the user to the XS Application, controlling access at the user level or the service call. However, in the XSJS logic itself you would force a SQLCC Anonymous connection. Just don't put the SQLCC at the XSACCESS level as this would make the entire service call anonymous. You would still have to adapt all your XSJS Connection creation logic but this would be easier than converting everything to Procedures.
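The definer-rights approach from the accepted answer, written out as an added example (this is not code from the answer or from SAP). Schema XYZ and user X come from the question; the table CUSTOMER, its columns, the procedure name and the status values are assumptions. It is written as a catalog SQL script for readability; in an XS classic project the same procedure body would live in a repository .hdbprocedure artifact, which is what makes the repository technical user (written sys_repo in the answer, _SYS_REPO in the catalog) its definer.

```sql
-- Constructed example: XYZ and X are from the question; CUSTOMER, its columns,
-- SET_CUSTOMER_STATUS and the status values are assumed names.

-- 1. Only the repository technical user holds DML on the schema. When the
--    procedure is activated from a repository artifact, _SYS_REPO is its
--    definer; if this script is run from a catalog SQL console instead, the
--    definer is whoever executes CREATE PROCEDURE, and that user needs the
--    schema privileges rather than _SYS_REPO.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA "XYZ" TO _SYS_REPO;

-- 2. All writes go through a definer-rights procedure. Because it executes
--    with the definer's privileges, the procedure is now the privilege
--    boundary: anyone with EXECUTE can pass any argument, so the procedure
--    itself has to validate what it accepts.
CREATE PROCEDURE "XYZ"."SET_CUSTOMER_STATUS" (
    IN p_customer_id INTEGER,
    IN p_status      NVARCHAR(20)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
DEFAULT SCHEMA "XYZ"
AS
BEGIN
    -- Reject values the application never produces before touching the table.
    IF :p_status <> 'ACTIVE' AND :p_status <> 'BLOCKED' THEN
        SIGNAL SQL_ERROR_CODE 10001 SET MESSAGE_TEXT = 'Invalid status value';
    END IF;

    UPDATE "CUSTOMER"
       SET "STATUS" = :p_status
     WHERE "CUSTOMER_ID" = :p_customer_id;
END;

-- 3. The application user keeps only what the XS application needs: EXECUTE
--    on the procedure, plus SELECT if reading from Studio is acceptable. The
--    direct INSERT/UPDATE from the question are revoked, so the SQL console
--    can still call the procedure but can no longer change rows directly.
REVOKE INSERT, UPDATE ON SCHEMA "XYZ" FROM "X";
GRANT EXECUTE ON "XYZ"."SET_CUSTOMER_STATUS" TO "X";

-- 4. Verify: the procedure runs in DEFINER mode, and X's effective privileges
--    on XYZ contain no DML. USER_NAME is a mandatory filter on
--    SYS.EFFECTIVE_PRIVILEGES.
SELECT SCHEMA_NAME, PROCEDURE_NAME, SQL_SECURITY
  FROM SYS.PROCEDURES
 WHERE SCHEMA_NAME = 'XYZ' AND PROCEDURE_NAME = 'SET_CUSTOMER_STATUS';

SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'X' AND SCHEMA_NAME = 'XYZ';
```

The SQLCC variant from the same answer inverts the layout rather than replacing it: the fixed SQLCC user, not X, holds the schema DML, X holds nothing on XYZ, and the XSJS code opens the SQLCC connection only after the .xsaccess authentication and its own check of the logged-on user have passed. In both variants the last two queries are the check worth re-running after any change: X should show EXECUTE (and at most SELECT), never INSERT, UPDATE or DELETE, on XYZ.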

Answers (0)