on 09-01-2014 12:19 PM
Hi Experts,
I have create 1 Schema 'XYZ' in HANA and this contains some of the Tables i.e. MARA.
Now i have ran the below 2 statements to grant other users 'A' access to my Schema 'XYZ'.
GRANT SELECT ON SCHEMA XYZ TO A WITH GRANT OPTION;
GRANT EXECUTE ON SCHEMA XYZ TO A WITH GRANT OPTION;
But still the User 'A' is facing authorization while creating attribute views on Table MARA.
Please suggest.
thanks
Hi,
What is the exact issue/error?
Best regards,
Wenjun
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
The reason is clear from the pic. It does not matter if user 'A' uses tables in schema 'XYZ' or tables in his/her own schema to create attribute view. Because when you create/activate the attribute view, you are technical user '_SYS_REPO' instead of user 'A'. So, you need to grant the select privilege to '_SYS_REPO' before you create/activate attribute view.
Regarding your scenario, just let user 'A' run the following SQL, because schema 'XYZ' is grantable to others for user 'A'.
GRANT SELECT ON SCHEMA XYZ TO _SYS_REPO;
Best regards,
Wenjun
You can also have a look at _SYS_REPO Authorization in the Repository - SAP HANA Security Guide - SAP Library
GRANT SELECT ON SCHEMA <NAME> TO _SYS_REPO WITH GRANT OPTION;
is the only correct way to prevent the authorization problems reported here.
It's pretty straight forward: _SYS_REPO actually owns all the repository objects and the runtime artefacts created by the activation.
So in order to have this working, _SYS_REPO must be able to access the base objects itself (SELECT ON SCHEMA). But since _SYS_REPO won't be used to consume the activated views it must be able to grant SELECT to the actual creator of the information model. That's what the WITH GRANT OPTION is required for.
- Lars
Thanks Lars for your comments.
Need to clarify 1 thing if i am granting select to _SYS_REPO does it mean that everybody will have access to my schema now .
For ex i want to grant my schema 'XYZ' access to user 'A' not user 'B' then if i am running the below statement:
GRANT SELECT ON SCHEMA XYZ TO _SYS_REPO WITH GRANT OPTION;
Would both A and B would get access to my schema.
Please throw some light on this.
Regards
No, not everybody would have access to your schema.
User _SYS_REPO will have access.
And it could grant the access to the information models, that use your schema, to other others.
Since you cannot make _SYS_REPO to grant the SELECT ON SCHEMA privilege to your user "B" this user cannot directly access your schema. Access is only through the activated information models.
- Lars
Hi Lars,
Thanks for your inputs again.
Need to clarify 1 thing.
I created schema 'XYZ' and granted access to _SYS_REPO by running the above stated SQL
So now how in future would access be granted to other users 'A' and 'B'.
Once all the information models in my schema are activated and i ran the above SQL and grant access to _SYS_REPO then how _SYS_REPO would grant access to users lets say A as of now and later B,C ,D...... Is it by defalut that this would be granted.
Please help me in understanding this.
Appreciate all the help and support.
User | Count |
---|---|
91 | |
10 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.