SAP HANA - Authorization Methods
Authorization is checked when a user connects to the HANA database and performs database operations. When a user connects to the HANA database using client tools via JDBC/ODBC or via HTTP to perform operations on database objects, the permitted action is determined by the access that has been granted to the user.
Privileges granted to a user are determined by the object privileges assigned to the user profile or to a role that has been granted to the user. Authorization is a combination of both accesses. When a user tries to perform an operation on the HANA database, the system performs an authorization check. When all required privileges are found, the system stops this check and grants the requested access.
There are different types of privileges used in SAP HANA, as mentioned under User Role and Management:
System privileges are applicable to system and database authorization for users and control system activities. They are used for administrative tasks such as creating schemas, data backups, creating users and roles, and so on. System privileges are also used to perform repository operations.
Object privileges are applicable to database operations and apply to database objects like tables, schemas, etc. They are used to manage database objects such as tables and views. Different actions like Select, Execute, Alter, Drop, and Delete can be defined based on database objects.
Object privileges are also used to control remote data objects, which are connected to SAP HANA through Smart Data Access.
Analytic privileges are applicable to data inside all the packages that are created in the HANA repository. They are used to control modeling views that are created inside packages, such as Attribute Views, Analytic Views, and Calculation Views. They apply row-level and column-level security to attributes that are defined in modeling views in HANA packages.
Package privileges are applicable to allowing access to, and the ability to use, packages that are created in the repository of the HANA database. A package contains different modeling views, such as Attribute, Analytic, and Calculation Views, and also the Analytic Privileges defined in the HANA repository database.
Application privileges are applicable to HANA XS applications that access the HANA database via HTTP requests. They are used to control access to applications created with the HANA XS engine.
Application privileges can be applied to users/roles directly using HANA Studio, but it is preferred that they be applied to roles created in the repository at design time.
Repository Authorization in SAP HANA Database
_SYS_REPO is the user that owns all the objects in the HANA repository. This user should be authorized externally for the objects on which repository objects are modeled in the HANA system. Because _SYS_REPO is the owner of all these objects, it can only be used to grant access on them; no other user can log in as the _SYS_REPO user.
GRANT SELECT ON SCHEMA "<SCHEMA_NAME>" TO _SYS_REPO WITH GRANT OPTION
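The following added example (not part of the original page) applies the grant above to a concrete schema and then checks the result in the HANA system views. The schema name "SALES_DATA" and the user name REPORT_USER are hypothetical placeholders.

```sql
-- Added example. "SALES_DATA" and REPORT_USER are hypothetical names.

-- 1. The grant from the page, applied to one schema that repository
--    views are modeled on.
GRANT SELECT ON SCHEMA "SALES_DATA" TO _SYS_REPO WITH GRANT OPTION;

-- 2. Confirm what _SYS_REPO holds on that schema and whether each
--    privilege can be passed on (IS_GRANTABLE column).
SELECT GRANTEE, GRANTOR, OBJECT_TYPE, SCHEMA_NAME, PRIVILEGE, IS_GRANTABLE
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE GRANTEE     = '_SYS_REPO'
   AND OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = 'SALES_DATA';

-- 3. Review every schema-level grant held by _SYS_REPO, so that grants
--    on schemas no longer used by any repository model can be spotted.
SELECT SCHEMA_NAME, PRIVILEGE, IS_GRANTABLE, GRANTOR
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE GRANTEE     = '_SYS_REPO'
   AND OBJECT_TYPE = 'SCHEMA'
 ORDER BY SCHEMA_NAME, PRIVILEGE;

-- 4. Show the combined result the authorization check works from for
--    one user: privileges granted directly and those inherited through
--    roles. GRANTEE / GRANTEE_TYPE tell which path each one came from.
--    EFFECTIVE_PRIVILEGES must be filtered by USER_NAME.
SELECT USER_NAME, GRANTEE, GRANTEE_TYPE, OBJECT_TYPE,
       SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME = 'REPORT_USER'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;
```

The account running the grant must itself hold SELECT on the schema with the grant option, for example the schema owner.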