SAP HANA Cloud – Catalog & HDI Role Creation (A step-by-step guide)

Roles created directly in the database, using SAP HANA Cockpit or the SQL Console of SAP HANA Database Explorer, are called catalog roles. Roles defined as design-time artifacts (.hdbrole files) in Business Application Studio (BAS) and deployed through an HDI container are called HDI roles; they are created as schema-local roles owned by the container, so their content is changed by redeploying the artifact rather than by editing the role in the database. Catalog and HDI roles both have their own advantages and disadvantages; some of the key differences are shown in Figure 1.


Figure 1: Catalog v/s HDI Role

HDI Role Creation:

Pre-requisite:

  • BTP Onboarding.
  • User has access to Business Application Studio.

Step1: Login to Cloud Foundry

Open Business Application Studio (BAS)

Figure 2: Business Application Studio

Login to Cloud Foundry (Navigation: View -> Find Command -> Search CF: Login to Cloud Foundry)

Figure 3: Login to Cloud Foundry

Note: Make sure the Cloud Foundry API endpoint you enter is the one of your subaccount's region; the login silently targets whatever endpoint is given.

Select Cloud Foundry Organization and Space, click Apply.

Figure 4: Select target Cloud Foundry Org. and Space

Step2: Create Project

In Business Application Studio home page, click Start from template.

Figure 5: Start from template

Select SAP HANA Database Project, click Start.

Figure 6: Select Template and Target Location

Enter Project Name, click Next.

Figure 7: Add Basic Information

Enter Module Name db, click Next.

Figure 8: Set Basic Properties

Enter Schema Name and Database Version, click Next.

Figure 9: Set Database Information

Enter Service Instance Name, click Finish.

Figure 10: Bind to HDI Container Service

The created project is available under the Workspace folder.

Figure 11: Workspace Folder

Step3: Maintain mta.yaml file and bind Database Connections

Open the mta.yaml file of the created project (SECURITY_ROLES) and make the changes required, e.g. add a user-provided service (UPS) that carries a grantor user for an external schema, or the cross-container access needed for synonyms and roles that reference objects outside this container.

Figure 12: Maintain mta.yaml file

Bind all required database connections, i.e. the HDI container itself and every external service listed in mta.yaml (Navigation: SAP HANA Projects -> SECURITY_ROLES/db -> Database Connections).

Figure 13: Bind the Database Connections
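As an added example (not the mta.yaml of the original post), the following shows the two changes the step above refers to: the db module is bound to its own HDI container, and an existing user-provided service is pulled in under a SERVICE_REPLACEMENTS key so that a .hdbgrants file can refer to it. The project ID, the service names and the key ServiceName_1 are assumptions.

```yaml
_schema-version: "3.1"
ID: SECURITY_ROLES
version: 1.0.0

modules:
  # The hdb module deploys everything under db/src and db/cfg into the container.
  - name: SECURITY_ROLES-db
    type: hdb
    path: db
    requires:
      - name: SECURITY_ROLES-hdi-container
        properties:
          TARGET_CONTAINER: ~{hdi-container-name}
      # Existing user-provided service whose credentials contain a grantor user
      # for an external schema. "key" is the name a .hdbgrants file uses to
      # address this service (assumed: ServiceName_1).
      - name: external-schema-grantor
        group: SERVICE_REPLACEMENTS
        properties:
          key: ServiceName_1
          service: ~{the-service-name}

resources:
  - name: SECURITY_ROLES-hdi-container
    type: com.sap.xs.hdi-container
    properties:
      hdi-container-name: ${service-name}
  # Reference to a user-provided service that was created beforehand in the
  # same space (assumed name EXT_SCHEMA_GRANTOR). Its credentials are a
  # dedicated grantor user, not a personal or administrative account.
  - name: external-schema-grantor
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: EXT_SCHEMA_GRANTOR
    properties:
      the-service-name: ${service-name}
```

The grantor user stored in the UPS only needs the privileges it has to pass on, held WITH GRANT OPTION (object and schema privileges) or WITH ADMIN OPTION (roles), because it grants them to the container's own technical users during deployment; giving it broad administrative rights makes the service credentials a high-value target for no benefit.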

Step4: Define .hdbgrants

Create a cfg folder under db and create synonym-grantor-service.hdbgrants file.

Figure 14: Create .hdbgrants file

Maintain the entries that grant access to the external schema to the two technical users of the container: the object owner (the "#OO" user that owns all deployed objects; it needs a privilege WITH GRANT OPTION whenever an HDI role deployed in the container is supposed to pass that privilege on) and the application user (the runtime user that consumes the objects, which should receive plain privileges only). Then deploy the file.

Figure 15: Maintain .hdbgrants file
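As an added example (not the .hdbgrants file of the original post), this is a minimal synonym-grantor-service.hdbgrants that grants SELECT on an external schema to both container users. It assumes that mta.yaml exposes the user-provided service under the key ServiceName_1 and that the external schema is called EXT_SCHEMA; both names are placeholders.

```json
{
  "ServiceName_1": {
    "object_owner": {
      "schema_privileges": [
        {
          "reference": "EXT_SCHEMA",
          "privileges_with_grant_option": [
            "SELECT"
          ]
        }
      ]
    },
    "application_user": {
      "schema_privileges": [
        {
          "reference": "EXT_SCHEMA",
          "privileges": [
            "SELECT"
          ]
        }
      ]
    }
  }
}
```

Only the object owner gets the privilege with grant option, and only because a .hdbrole in this container is meant to re-grant SELECT on EXT_SCHEMA to its members; the application user never needs grant option. If a privilege is missing from the grantor user in the UPS, the deployment of this file fails with a privilege error, which is the point at which to fix the grantor user rather than to widen the .hdbgrants file.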

Step5: Define .hdinamespace

Create a .hdinamespace file under the cfg folder and maintain the entries for the role naming convention, then deploy the file. The file has two keys: "name" (the namespace prefix that is prepended to the names of all objects in that folder; an empty string means no prefix) and "subfolder" ("append" adds the subfolder names to the prefix, "ignore" does not). A .hdinamespace governs the folder it sits in and its subfolders, so the file that determines the deployed name of roles under src/roles is the one in src (the project template creates one there); the file in cfg governs the artifacts in cfg.

Figure 16: Create and maintain .hdinamespace file

Step6: Define .hdiconfig

Copy the .hdiconfig file from the src folder and paste it into the cfg folder. HDI uses this file to map file suffixes (.hdbgrants, .hdbrole, ...) to build plug-ins, and it looks for it in src and cfg separately, so without a copy in cfg the .hdbgrants file is not recognized.

Figure 17: Create .hdiconfig file

Step7: Create roles folder under src

Right click on src folder, select New Folder and enter roles.

Figure 18: Create roles folder

Step8: Create .hdbrole

Right click on the roles folder, click New File and enter a file name with the .hdbrole suffix. The file name (with the namespace prefix, if any) has to match the "name" defined inside the role's JSON.

Figure 19: Create .hdbrole

Right click on .hdbrole and select open with Code Editor.

Figure 20: Open role in Code Editor mode

Define the JSON for the role, i.e. its name and the privileges and roles it carries.

Figure 21: Define JSON

Note: In Role Editor mode, a role can be created without writing the JSON by hand; the system generates the JSON from the role attributes selected.

Some useful JSON snippets (each one is a property of the "role" object in a .hdbrole file):

-> Global Object Privileges:

      "global_object_privileges": [
        {
          "name": "DEFAULT",
          "type": "USERGROUP",
          "privileges": [
            "OPERATOR"
          ],
          "schema_reference": "_SYS_DI#BROKER_CG"
        }
      ]

-> Global Roles:

      "global_roles": [
        "MONITORING"
      ]

-> System Privileges:

      "system_privileges": [
        "ADAPTER ADMIN"
      ]

-> Schema Privileges (the "reference" is a name defined in a .hdbroleconfig file, not the schema itself):

      "schema_privileges": [
        {
          "reference": "_SYS_BI",
          "privileges": [
            "SELECT"
          ]
        }
      ]

Right click on the roles folder, select New File, enter a file name with the .hdbroleconfig suffix and define the reference schemas. The file maps each reference name used in a .hdbrole to an actual schema name, so the role definition itself stays independent of the environment it is deployed to.

Figure 22: Create .hdbroleconfig file

Deploy the .hdbroleconfig file first and then the .hdbrole file; the role cannot be deployed while a reference it uses is still unresolved.

Figure 23: Deploy role
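As an added example that assembles the snippets of this step into one deployable artifact (not a role from the original post), the following SEC_REPORTING_READ.hdbrole grants read access only: SELECT on one external schema through a reference, SELECT on one view of the container, and membership of the built-in MONITORING role. It assumes a .hdbroleconfig in the same folder that maps the reference name EXT_SCHEMA_REF to the external schema (for example EXT_SCHEMA, the same schema the .hdbgrants file granted with grant option to the object owner), and a view V_AUDIT_SUMMARY already deployed in the container; all three names are placeholders.

```json
{
  "role": {
    "name": "SEC_REPORTING_READ",
    "schema_privileges": [
      {
        "reference": "EXT_SCHEMA_REF",
        "privileges": [
          "SELECT"
        ]
      }
    ],
    "object_privileges": [
      {
        "name": "V_AUDIT_SUMMARY",
        "type": "VIEW",
        "privileges": [
          "SELECT"
        ]
      }
    ],
    "global_roles": [
      "MONITORING"
    ]
  }
}
```

The role deliberately carries no system privileges and no grant options: the object owner holds SELECT on EXT_SCHEMA with grant option so that it can re-grant it here, but members of the role receive plain SELECT. If deployment fails with an insufficient privilege error on the external schema, the .hdbgrants file (or the grantor user behind it) is what is missing, not this file.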

Step9: Validate role in HANA Cockpit

The deployed role is visible in HANA Cockpit (Role Management) as a schema-local role of the container schema and can be assigned from there.

Figure 24: HANA Cockpit

HDI Role created successfully using Business Application Studio.

Catalog Role Creation: Using HANA Cockpit

Pre-requisite:

  • BTP Onboarding.
  • User has the ROLE ADMIN system privilege to create the role, and holds every privilege or role to be added to it in grantable form (object and schema privileges WITH GRANT OPTION, system privileges and roles WITH ADMIN OPTION).

Step1: Login to SAP HANA Cockpit

Open SAP BTP Cockpit and Launch SAP HANA Cockpit.

Figure 25: SAP BTP Cockpit

Enter username and password.

Figure 26: Login to HANA Cockpit

Step2: Open Role Management

Select Role Management under Security and User Management.

Figure 27: HANA Cockpit – Security and User Management

Step3: Create Role

Click Create Role button.

Figure 28: Create Role

Define Role Name, click Create.

Figure 29: Define Role Name

Navigate to required tab i.e. Roles, System Privileges, Object Privileges etc and add the roles / privileges as required.

Figure 30: Add roles/privileges

Catalog Role created successfully using SAP HANA Cockpit.

Catalog Role Creation: Using HANA Database Explorer

Pre-requisite:

  • BTP Onboarding.
  • User has the ROLE ADMIN system privilege to create the role, and holds every privilege or role to be added to it in grantable form (object and schema privileges WITH GRANT OPTION, system privileges and roles WITH ADMIN OPTION).

Step1: Login to SAP HANA Database Explorer

Open SAP BTP Cockpit and Launch SAP HANA Database Explorer.

Figure 31: SAP BTP Cockpit

Enter username and password.

Figure 32: Login to HANA Cockpit

Step2: Open SQL Console & execute commands

Open the SQL console and enter the SQL statements that create the role (CREATE ROLE) and grant it the required privileges and roles (GRANT ...).

Figure 33: Execute SQL query
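As an added example (not the statements shown in the original post's screenshot), the following script creates a read-only catalog role, assigns it, and then checks the result in the system views; the last query is the same check for the HDI role of Step 9, which appears as a schema-local role of the container schema. Role, schema, user and container names are placeholders.

```sql
-- Create the catalog role (needs ROLE ADMIN).
CREATE ROLE SEC_REPORTING_READ;

-- Least privilege: only what the consumer needs, nothing WITH GRANT OPTION.
-- The executing user must hold these grantable (GRANT OPTION / ADMIN OPTION).
GRANT SELECT ON SCHEMA REPORTING TO SEC_REPORTING_READ;
GRANT MONITORING TO SEC_REPORTING_READ;

-- Assign the role to a user.
GRANT SEC_REPORTING_READ TO REPORT_USER;

-- Check 1: the role exists and is a global (catalog) role, ROLE_SCHEMA_NAME is NULL.
SELECT ROLE_NAME, ROLE_SCHEMA_NAME, CREATOR, CREATE_TIME
  FROM ROLES
 WHERE ROLE_NAME = 'SEC_REPORTING_READ';

-- Check 2: privileges granted directly to the role; IS_GRANTABLE must be FALSE.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE, GRANTOR
  FROM GRANTED_PRIVILEGES
 WHERE GRANTEE = 'SEC_REPORTING_READ' AND GRANTEE_TYPE = 'ROLE';

-- Check 3: roles nested in the role.
SELECT ROLE_SCHEMA_NAME, ROLE_NAME, IS_GRANTABLE, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'SEC_REPORTING_READ' AND GRANTEE_TYPE = 'ROLE';

-- Check 4: what the user effectively received through the role.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'REPORT_USER' AND GRANTEE = 'SEC_REPORTING_READ';

-- Check 5 (Step 9 of the HDI part): roles deployed into the HDI container
-- show up as schema-local roles of the container schema (assumed name).
SELECT ROLE_SCHEMA_NAME, ROLE_NAME, CREATOR, CREATE_TIME
  FROM ROLES
 WHERE ROLE_SCHEMA_NAME = 'SECURITY_ROLES_1'
 ORDER BY ROLE_NAME;
```

Checks 2 and 4 are the ones worth keeping as a recurring control: a grant that unexpectedly shows IS_GRANTABLE = TRUE, or a privilege in EFFECTIVE_PRIVILEGES that is not in the role's design, means the role was widened outside the process described here, which is exactly the drift HDI roles avoid because their content only changes through deployment.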

Step3: Validate role in HANA Cockpit

The created role is available in HANA Cockpit (Role Management) for assignment.

Figure 34: HANA Cockpit – Role Management

Catalog Role created successfully using SAP HANA Database Explorer (SQL Console).

I hope this article gave an insight into the core differences between catalog roles and HDI roles and helps you decide on the role design approach for your HANA Cloud environment. By following the steps above you will be able to create roles in HANA Cloud using Business Application Studio, SAP HANA Cockpit and SAP HANA Database Explorer (SQL Console).


Feedback, questions and comments are most welcome!

Please follow my profile for future posts on SAP Security and GRC. You can also follow me on LinkedIn.