Roles defined in SAP HANA Cloud using HANA Cockpit or HANA Database Explorer (SQL Console) are called catalog-based roles, whereas roles defined using Business Application Studio (BAS) are called HDI roles. Catalog and HDI roles both have their own advantages and disadvantages; some of the key differences are as follows:
HDI Role Creation:
Pre-requisite:
- BTP Onboarding.
- User has access to Business Application Studio.
Step1: Login to Cloud Foundry
Open Business Application Studio (BAS)
Login to Cloud Foundry (Navigation: View -> Find Command -> Search CF: Login to Cloud Foundry)
Note: Make sure your Cloud Foundry endpoint is correct.
Select Cloud Foundry Organization and Space, click Apply.
Figure 4: Select target Cloud Foundry Org. and Space
Step2: Create Project
In Business Application Studio home page, click Start from template.
Figure 5: Start from template
Select SAP HANA Database Project, click Start.
Figure 6: Select Template and Target Location
Enter Project Name, click Next.
Figure 7: Add Basic Information
Enter Module Name db, click Next.
Figure 8: Set Basic Properties
Enter Schema Name and Database Version, click Next.
Figure 9: Set Database Information
Enter Service Instance Name, click Finish.
Figure 10: Bind to HDI Container Service
The created project is available under the Workspace folder.
Figure 11: Workspace Folder
Step3: Maintain mta.yaml file and bind Database Connections
Open the mta.yaml file under the created project (SECURITY_ROLES) and make the changes required, e.g. add a resource for the user-provided service (UPS), cross-container access, etc.
Figure 12: Maintain mta.yaml file
Bind all required Database Connections (Navigation: SAP HANA Projects -> SECURITY_ROLES/db -> Database Connections)
Figure 13: Bind the Database Connections
Step4: Define .hdbgrants
Create a cfg folder under db and create the synonym-grantor-service.hdbgrants file in it.
Figure 14: Create .hdbgrants file
Maintain the entries that grant the container's object owner and application user access to the external objects, then deploy the file.
Figure 15: Maintain .hdbgrants file
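As an added illustration of the Step 4 file (this is not the file from the original post), the following synonym-grantor-service.hdbgrants grants read access on one external schema. The top-level key is assumed to be the name of the user-provided service resource declared in mta.yaml and bound in Step 3; EXT_SCHEMA is a placeholder for the external schema, and the grantor user behind the service must itself hold these privileges with grant option.

```json
{
  "synonym-grantor-service": {
    "object_owner": {
      "schema_privileges": [
        {
          "schema": "EXT_SCHEMA",
          "privileges": ["SELECT"],
          "privileges_with_grant_option": ["SELECT"]
        }
      ]
    },
    "application_user": {
      "schema_privileges": [
        {
          "schema": "EXT_SCHEMA",
          "privileges": ["SELECT"]
        }
      ]
    }
  }
}
```

The object owner receives SELECT with grant option because the privilege chain is checked when the owner exposes external objects through synonyms or views and later grants access to them; the application user only needs plain SELECT. Everything listed here is granted at deployment time, so keep it to the minimum the container's artifacts actually need and avoid granting the grant option to the application user.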
Step5: Define .hdinamespace
Create the .hdinamespace file under the cfg folder, maintain the entries for the role naming convention, then deploy the file.
Figure 16: Create and maintain .hdinamespace file
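An added example of the .hdinamespace content (not the file from the original post), assuming the project name SECURITY_ROLES is used as the namespace and the file sits in a folder above the roles folder:

```json
{
  "name": "SECURITY_ROLES",
  "subfolder": "append"
}
```

The file applies to the folder it is placed in and all subfolders. With "subfolder": "append", a role file in a roles subfolder is deployed as SECURITY_ROLES.roles::<role name>; with "subfolder": "ignore" it is deployed as SECURITY_ROLES::<role name>. The name inside each .hdbrole must match the convention chosen here, otherwise deployment fails.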
Step6: Define .hdiconfig
Copy the .hdiconfig file from the src folder and paste it into the cfg folder.
Figure 17: Create .hdiconfig file
Step7: Create roles folder under src
Right-click the src folder, select New Folder and enter roles.
Figure 18: Create roles folder
Step8: Create .hdbrole
Right-click the roles folder, click New File and enter the role file name with the .hdbrole extension.
Figure 19: Create .hdbrole
Right-click the .hdbrole file and select Open With Code Editor.
Figure 20: Open role in Code Editor mode
Define the JSON for the role and its privileges.
Figure 21: Define JSON
Note: In Role Editor mode a role can be created without writing the JSON manually; the system generates the JSON from the selected role attributes.
Some useful JSON snippets:
-> Global Object Privileges:
Figure 22: Create .hdbroleconfig file
Deploy the .hdbroleconfig file first and then the .hdbrole file.
Figure 23: Deploy role
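As an added example of the Step 8 role definition, including the global object privileges section mentioned above (this is illustrative and not the JSON from the original post), the following .hdbrole grants read access on an external schema and the right to create virtual tables on a remote source. The role name follows the SECURITY_ROLES namespace with "subfolder": "append"; EXT_SCHEMA and EXT_REMOTE_SOURCE are placeholder names.

```json
{
  "role": {
    "name": "SECURITY_ROLES.roles::EXT_READ_ONLY",
    "schema_privileges": [
      {
        "schema": "EXT_SCHEMA",
        "privileges": ["SELECT"]
      }
    ],
    "global_object_privileges": [
      {
        "name": "EXT_REMOTE_SOURCE",
        "type": "REMOTE SOURCE",
        "privileges": ["CREATE VIRTUAL TABLE"]
      }
    ]
  }
}
```

The container object owner can only put into a role what it holds with grant option, so every external privilege used here must first be granted to the object owner through the .hdbgrants file from Step 4 (schema_privileges for the schema, global_object_privileges for the remote source). Grant the privileges, not the grant option, to the role itself so that a user assigned the role cannot pass them on.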
Step9: Validate role in HANA Cockpit
The deployed role is available in HANA Cockpit for assignment.
Figure 24: HANA Cockpit
HDI Role created successfully using Business Application Studio.
Catalog Role Creation: Using HANA Cockpit
Pre-requisite:
- BTP Onboarding.
- User has the ROLE ADMIN system privilege to create roles, plus any other system/object privileges required for the grants.
Step1: Login to SAP HANA Cockpit
Open SAP BTP Cockpit and Launch SAP HANA Cockpit.
Figure 25: SAP BTP Cockpit
Enter username and password.
Figure 26: Login to HANA Cockpit
Step2: Open Role Management
Select Role Management under Security and User Management.
Figure 27: HANA Cockpit – Security and User Management
Step3: Create Role
Click Create Role button.
Figure 28: Create Role
Define Role Name, click Create.
Figure 29: Define Role Name
Navigate to the required tab, i.e. Roles, System Privileges, Object Privileges, etc., and add the roles/privileges as required.
Figure 30: Add roles/privileges
Catalog Role created successfully using SAP HANA Cockpit.
Catalog Role Creation: Using HANA Database Explorer
Pre-requisite:
- BTP Onboarding.
- User has the ROLE ADMIN system privilege to create roles, plus any other system/object privileges required for the grants.
Step1: Login to SAP HANA Database Explorer
Open SAP BTP Cockpit and Launch SAP HANA Database Explorer.
Figure 31: SAP BTP Cockpit
Enter username and password.
Figure 32: Login to HANA Cockpit
Step2: Open SQL Console & execute commands
Open the SQL console and enter the SQL commands to create the role and grant the privileges.
Figure 33: Execute SQL query
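As an added example (not the statements from the original post), the following SQL creates a catalog role, grants it the minimum privilege, assigns it to a user and then verifies the result from the system views. The role SALES_READ_ONLY, the schema SALES_DATA and the user REPORT_USER are placeholder names.

```sql
-- Added example, not the SQL from the original post. Placeholder names:
-- SALES_READ_ONLY (role), SALES_DATA (schema), REPORT_USER (grantee).

-- 1. Create the role; this needs the ROLE ADMIN system privilege.
CREATE ROLE "SALES_READ_ONLY";

-- 2. Grant only what is needed. The executing user must hold SELECT on the
--    schema with grant option (or own it). No WITH GRANT OPTION is passed on.
GRANT SELECT ON SCHEMA "SALES_DATA" TO "SALES_READ_ONLY";

-- 3. Assign the role without ADMIN OPTION so the user cannot re-grant it.
GRANT "SALES_READ_ONLY" TO "REPORT_USER";

-- 4. Verify what the role itself holds ...
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'SALES_READ_ONLY';

-- ... and who has been given the role (IS_GRANTABLE should be FALSE).
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME = 'SALES_READ_ONLY';

-- 5. Effective privileges of the user, including those inherited via roles.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR, IS_VALID
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'REPORT_USER';
```

Step 4 and 5 queries are the same checks to run after the Cockpit-based creation: the system views show exactly what was granted, and IS_VALID in EFFECTIVE_PRIVILEGES reveals grants that have become invalid because the grantor lost the underlying privilege.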
Step3: Validate role in HANA Cockpit
The created role is available in HANA Cockpit for assignment.
Figure 34: HANA Cockpit – Role Management
Catalog Role created successfully using SAP HANA Database Explorer (SQL Console).
Conclusion
I hope this article gave an insight into the core differences between catalog-based and HDI-based roles, so that you can decide on the role design approach for your HANA Cloud environment. By following the steps above you will be able to create roles in the HANA Cloud environment using Business Application Studio, SAP HANA Cockpit and SAP HANA Database Explorer (SQL Console).
List of Important Notes:
- 2993439 – Statement on SAP HANA Studio and SAP HANA Cloud
- 2921625 – Changes to objects in schema _SYS_BI in HANA Cloud
- 3217517 – System Privilege WORKAROUND ADMIN is no Longer Available
List of Important Links:
- SAP HANA Cloud, SAP HANA Database Security Guide
- SAP HANA Cloud Migration Guide
- SAP HANA Cloud, SAP HANA Database Developer Guide for Cloud Foundry Multitarget Applications (SAP Business App Studio)
Feedback, questions and comments are most welcome!
Please follow my profile for future posts on SAP Security and GRC. You can also follow me on LinkedIn.