
Best practices and examples for developing roles in SAP HANA - example project

PUBLIC
Developing roles in SAP HANA – Example project
Document version 1.2
2021-07
Document history, references, and glossary
Document history

| Version | Release date | Change description | Contact |
|---|---|---|---|
| 1.0 | April 2018 | Document creation | askSAPHANA@sap.com |
| 1.1 | November 2018 | Minor updates: latest recommendations, rewording of some paragraphs, footnotes, and correction of typos. | |
| 1.2 | July 2021 | Updates: split, code fixes, improvements as well as news, recommendations, paragraphs, figures, correction of typos, links, and layout (design). | |
References

• SAP HANA Developer Guide: Explains how to build applications using SAP HANA, including how to model data, how to write procedures, and how to build application logic in SAP HANA Extended Application Services, classic model.
• SAP HANA XSA Developer Guide: Explains how to build applications using SAP HANA, including how to model persistent and analytic data, how to write procedures, and how to build application logic in SAP HANA Extended Application Services, advanced model.
• SAP Web IDE for SAP HANA - Installation and Upgrade Guide: Provides the installation, post-installation, and upgrade instructions for SAP Web IDE for SAP HANA.
• SAP Web IDE for SAP HANA Installation Troubleshooting Guide: Aims to assist you with the troubleshooting of issues related to the SAP Web IDE installation.
• Common errors and fix – XSA Web IDE for HANA developments
• SAP HANA Administration with SAP HANA Cockpit
• SAP HANA Security Guide: Is the entry point for all information relating to the secure operation and configuration of SAP HANA.
• SAP HANA Security Checklist: Offers recommendations and information about optimizing your security configuration to help you run your SAP HANA securely.
Glossary

The following abbreviations are used throughout the document:

| Acronym | Meaning |
|---|---|
| HDB | SAP HANA database |
| HDI | SAP HANA deployment infrastructure |
| MDC | Multi database container |
| MTA | Multi target application |
| UPS | User provided service |
| XSA | SAP HANA extended application services, advanced model |
Preface
Dear reader,
thanks for being our customer! We love having people in our community like you and value
your partnership every single day.
We know that the best way to understand our products and how to improve them is to hear
from the people who use them every single day - people like you!
Since we are always curious, we want to know your experience. So, what did you think about
the guide?
Your comments and suggestions are the most useful to help us make this guide the best it
can be. Please feel free to contact us via askSAPHANA@sap.com and share any criticism or
praise you may have.
Thank you for reading our guide!
TABLE OF CONTENTS

Document history
References
Glossary
1. PROJECT INTRODUCTION
1.1 Guiding principles in designing the roles
1.2 Roles best practices
1.3 Prerequisites
2. PROJECT SETUP
2.1 Create a new MTA project
2.2 Create an HDB module for the project
2.3 Adjust the HDI namespace configuration
3. CREATE A UPS TO EQUIP HDI CONTAINER
3.1 Using a UPS with a procedure grantor
3.2 Bind the UPS to the HDB module
3.3 Create the .hdbgrants file
3.4 Grant privileges to #OO user
3.5 Using a UPS with a procedure grantor
4. CREATE DESIGN-TIME OBJECTS IN MDC
4.1 Synonyms
4.2 Roles
4.2.1. Granular roles
4.2.1.1. Z_GRANULAR_SELECT__SYS_STATISTICS
4.2.1.2. Z_GRANULAR_CONFIGURE__SYS_STATISTICS
4.2.2. Administration roles
4.2.2.1. Z_BASIS_ADMIN_BACKUP
4.2.2.2. Z_BASIS_BACKUP_OPERATOR
4.2.2.3. Z_BASIS_ADMIN_BASIC
4.2.2.4. Z_BASIS_ADMIN_DATA
4.2.2.5. Z_BASIS_MONITORING
4.2.2.6. Z_BASIS_ADMIN_PERSISTENCE
4.2.2.7. Z_BASIS_ADMIN_EXTENDED
4.2.3. Security roles
4.2.3.1. Z_SECURITY_AUDIT_READ
4.2.3.2. Z_SECURITY_ADMIN_AUDIT
4.2.3.3. Z_SECURITY_ADMIN_BASIC
4.2.3.4. Z_SECURITY_ADMIN_CERTIFICATES
4.2.3.5. Z_SECURITY_ADMIN_DISK_ENCRYPTION
4.2.3.6. Z_SECURITY_ADMIN_TROUBLESHOOTING
4.2.3.7. Z_SECURITY_ADMIN
4.2.3.8. Z_SECURITY_ADMIN_EXTENDED
4.2.4. Support role
4.2.5. User roles
4.2.5.1. Z_MANAGEMENT_CONTAINER_ROLE_ADMIN
4.2.5.2. Z_MANAGEMENT_USER_ADMIN
4.3 Procedures
5. CREATE DESIGN-TIME OBJECTS IN SYSTEMDB
5.1 Preparation in the SYSTEMDB
5.2 Extra synonyms for SYSTEMDB
5.3 Administrating MDC through the SYSTEMDB
Z_BASIS_MDC_START_STOP
Z_BASIS_ADMIN_MDC
Z_BASIS_MONITORING_MDC
6. DEPLOYMENT AND TROUBLESHOOTING
APPENDIX
Appendix 1: mta.yaml
Appendix 2: Z_GRANTING_SERVICE.hdbgrants
Appendix 3: Using a UPS with a procedure grantor
Appendix 3.1: SYSTEM.Z_GRANT
Appendix 3.2: GRANTING_PROCEDURE_GRANTOR_USER
Appendix 4: Z_SYS.hdbsynonym
Appendix 5: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbroleconfig
Appendix 6: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbrole
Appendix 7: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbroleconfig
Appendix 8: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbrole
Appendix 9: Z_BASIS_ADMIN_BACKUP.hdbrole
Appendix 10: Z_BASIS_BACKUP_OPERATOR.hdbrole
Appendix 11: Z_BASIS_ADMIN_BASIC.hdbrole
Appendix 12: Z_BASIS_ADMIN_DATA.hdbrole
Appendix 13: Z_BASIS_MONITORING.hdbrole
Appendix 14: Z_BASIS_ADMIN_PERSISTENCE.hdbrole
Appendix 15: Z_BASIS_ADMIN_EXTENDED.hdbrole
Appendix 16: Z_SECURITY_AUDIT_READ.hdbrole
Appendix 17: Z_SECURITY_ADMIN_AUDIT.hdbrole
Appendix 18: Z_SECURITY_ADMIN_BASIC.hdbrole
Appendix 19: Z_SECURITY_ADMIN_CERTIFICATES.hdbrole
Appendix 20: Z_SECURITY_ADMIN_DISK_ENCRYPTION.hdbrole
Appendix 21: Z_SECURITY_ADMIN_TROUBLESHOOTING.hdbrole
Appendix 22: Z_SECURITY_ADMIN.hdbrole
Appendix 23: Z_SECURITY_ADMIN_EXTENDED.hdbrole
Appendix 24: Z_SUPPORT_ADMIN_TRACE.hdbrole
Appendix 25: Z_MANAGEMENT_CONTAINER_ROLE_ADMIN.hdbrole
Appendix 26: Z_MANAGEMENT_USER_ADMIN.hdbrole
Appendix 27: Z_GRANT_ROLE_TO_USER.hdbprocedure
Appendix 28: Z_REVOKE_ROLE_FROM_USER.hdbprocedure
Appendix 29: mta.yaml (SYSTEMDB)
Appendix 30: Z_SDB_GRANTING_SERVICE.hdbgrants
Appendix 31: SYSTEM.Z_SDB_GRANT
Appendix 32: Z_SDB_SYS.hdbsynonym
Appendix 33: Z_BASIS_MDC_START_STOP.hdbrole
Appendix 34: Z_BASIS_ADMIN_MDC.hdbrole
Appendix 35: Z_BASIS_MONITORING_MDC.hdbrole
1. PROJECT INTRODUCTION
The roles described in the following sections are considered templates. That is, customers can use them as a base to create their own version of the roles to cover their needs.
1.1 Guiding principles in designing the roles
When designing the roles described in this document, the following guiding principles were followed:
• strong security requirements,
• granular structure,
• user management is strictly separated from role assignment,
• strong control over granting of roles to users (e.g. only allow granting of end-user roles that have been designed by the security team and deployed into SAP HANA using the same HDI container),
• granting roles to roles at SAP HANA level is not permitted; this must be done via HDI,
• only work actively with HDI roles,
• only HDI roles are newly created,
• only HDI roles may be granted to users and
• the “ROLE ADMIN” privilege is not granted to any role or user.
1.2 Roles best practices
For best performance of role operations (granting and revoking), keep the following basic rules in mind:
• Create roles with the smallest possible set of privileges for the smallest possible group of users who can share a role (principle of least privilege).
• Avoid granting object privileges at the schema level to a role if only a few objects in the schema are relevant for the intended users.
• Avoid creating and maintaining all roles as a single user. Use several role administrator users instead.
Project introduction
1.3 Prerequisites
Starting from SAP HANA 2.0 SPS 03 (rev. 34) and the latest XSA revision, it is possible to choose the location of the XSA platform data during installation. As of SAP HANA SPS05, XSA is installed in the default tenant database by default.
Keep in mind that keeping XSA in the SYSTEMDB has its disadvantages: if you want to back up and restore XSA content, you must always back up the entire system (refer to SAP note 2596466 #8).
To implement the role templates, the following prerequisites are needed:
• Set up and prepare XSA and the SAP Web IDE application in the development system; refer to SAP Web IDE for SAP HANA - Installation and Upgrade Guide (post-installation administration tasks).
• Set up an XSA space for the role building scenario.
• Map the XSA space to the HDB where the roles will be deployed.
• Grant the following privileges to the developer user account in XSA:
  o XSA space developer rights and
  o SAP Web IDE development permissions.
• Credentials of the SYSTEM user.
It is recommended to do the initial setup at HDB level with the SYSTEM user, as this user already holds all the required privileges with GRANT/ADMIN option. Be aware that the SYSTEM user is not intended for day-to-day activities, especially in production environments. Therefore, once all bootstrapping is properly done, it is recommended to deactivate the SYSTEM user (refer to SAP note 2493657).
If XSA has already been installed in an MDC and the rollout of the roles is also necessary in the SYSTEMDB, then the following steps are necessary:
• Create the target HDI container on the SYSTEMDB,
• Create a technical deployer user with sufficient privileges on that HDI container,
• Create a UPS (in addition to the granting UPS for the system privileges) with the credentials of the deployer user and the manually created HDI container as "schema" and
• Add this additional UPS to the mta.yaml file.
2. PROJECT SETUP
2.1 Create a new MTA project
Create a new MTA project as shown below. Provide a description and select the space where you want to run the MTA project as well.
2.2 Create an HDB module for the project
Create an HDB module for the project (right-click on your project > new > SAP HANA database module) and set a module name.
In the next wizard step, set only a preferred schema name and select the currently used HDB version.
Now go to the project settings (right-click on your project > project > project settings > space) and install the builder by selecting your space.
2.3 Adjust the HDI namespace configuration
The role templates do not use the namespace in the runtime object names. Thus, modify the HDI namespace configuration that is created by default when an HDB module is created. For this, adjust the .hdinamespace file as shown below.
The .hdinamespace file is hidden by default. Therefore, select the option “show hidden files” in the “view” menu.
Then change the value of name to “” and the value of subfolder to “ignore”.
3. CREATE A UPS TO EQUIP HDI CONTAINER
The next step is to create a UPS called Z_GRANTING_SERVICE. This service will be used during the deployment of the project to grant all the required privileges to the #OO user. The list of privileges granted to the #OO user needs to be defined in a .hdbgrants file.
3.1 Using a UPS with a procedure grantor
The procedure grantor mechanism is supported as of version 3.4.1 of the @sap/hdi-deploy component in XSA.
Open the XS client and execute the following command in the XSA space where the project is running (the trailing backslash continues the command on the next line; the line breaks inside the single-quoted JSON are harmless):
    xs ds Z_GRANTING_SERVICE -f && xs cups Z_GRANTING_SERVICE \
    -p '{"user":"GRANTING_PROCEDURE_GRANTOR_USER","password":"Change_it_immidiately!2021",
    "schema":"SYS","type":"procedure", "procedure":"Z_GRANT",
    "procedure_schema":"SYSTEM","tags":["hana"] }'
If the creation was successful, the new instance can be seen in XSA. Of course, the UPS can also be created directly there via the button "new instance".

| Instance name | Credentials |
|---|---|
| Z_GRANTING_SERVICE | {"schema": "SYS", "password": "Change_it_immidiately!2021", "procedure_schema": "SYSTEM", "procedure": "Z_GRANT", "type": "procedure", "user": "GRANTING_PROCEDURE_GRANTOR_USER", "tags": ["hana"]} |

Table 1: Z_GRANTING_SERVICE
3.2 Bind the UPS to the HDB module
Bind the UPS named Z_GRANTING_SERVICE to the HDB module by modifying the MTA development descriptor file (mta.yaml) of the project.
Therefore, open the mta.yaml file with the code editor and replace its content with the code from the appendix.
Now the mta.yaml file contains one module named “db-roles-db” of type “hdb”, which reflects an HDI container. The HDB module is bound to two additional resources from the project:
• “db-roles-db-hdi-container” is for the HDI container that is created when the project is deployed. It has a configuration setting the schema name of the HDI container to “DB_ROLES”.
• “db-roles-db-privileges” is for the UPS named “Z_GRANTING_SERVICE” in the XSA space.
3.3 Create the .hdbgrants file
To assign privileges automatically to the object owner and/or the application binding users, the HDI deployer provides .hdbgrants files, which use a syntax similar to that of the .hdbrole artifact.
As a developer, use the .hdbgrants file to automatically grant privileges to the HDI container before the content is deployed.
Therefore, create the file Z_GRANTING_SERVICE.hdbgrants at the recommended path “/db_roles/db/cfg/grants/”.
Open Z_GRANTING_SERVICE.hdbgrants with the code editor and copy the code from appendix 2.
Now the Z_GRANTING_SERVICE.hdbgrants file specifies that the UPS named “Z_GRANTING_SERVICE” should be used to grant the specified privileges to the #OO user.
The privileges in the .hdbgrants file should be reviewed by the authorization team. Furthermore, note that once a privilege is removed from the .hdbgrants file, it is not revoked from the #OO user.
3.4 Grant privileges to #OO user
The #OO user is created for the first time when the project is built and the HDI container is created in the HDB. Thus, the folder “db” needs to be built at least once to create the #OO user.
If the project already contains design-time roles, the deployment will fail with a (missing authorization) error.
Since the schema name was configured as DB_ROLES, the HDI container should be named DB_ROLES_1 and the object owner user (#OO) should be DB_ROLES_1#OO.
3.5 Using a UPS with a procedure grantor
Create the HDB procedure named Z_GRANT, which will be used by the UPS. For this, execute the attached scripts from the appendix as user SYSTEM.
4. CREATE DESIGN-TIME OBJECTS IN MDC
In the following section, you will find the description and the definitions of all the design-time objects needed for the deployment and management of the template roles in HDB. These objects are:
• synonyms,
• procedures and
• roles.
It is recommended to create a folder structure within the project to organize all the design-time objects, e.g. like the following one.
4.1 Synonyms
HDB synonyms are created using a synonym definition file (.hdbsynonym) and are needed to refer to external objects like tables, views, and procedures. Refer to "Using synonyms in SAP HANA" and the SAP HANA SQL Reference Guide for SAP HANA Platform, CREATE SYNONYM statement (data definition), for further information.
For role development, synonyms are necessary to refer to the objects named in object privileges. The synonym declaration contains the definitions of all the synonyms that reference objects from the SYS and _SYS_SECURITY schemas. The following synonyms are defined:

| Synonym | Object | Schema name |
|---|---|---|
| z_blacklist | _SYS_PASSWORD_BLACKLIST | _SYS_SECURITY |
| z_users | USERS | SYS |
| z_roles | ROLES | SYS |
| z_dummy | DUMMY | SYS |
| z_services | M_SERVICES | SYS |
| z_memory | M_SERVICES_MEMORY | SYS |
| z_statistics | M_SERVICES_STATISTICS | SYS |
| z_heap | M_HEAP_MEMORY_RESET | SYS |

Table 2: Synonyms
4.2 Roles
The role templates were purposely designed in detail. The high granularity supports the creation of a highly specialized team, and even if the roles do not perfectly fit the needs of a team, it will be easy to create roles suitable for most circumstances. At the same time, most teams will not require the offered granularity. Therefore, composite roles are provided, which in most cases will work effectively together.
4.2.1. Granular roles
The following granular roles are created to group privileges needed in multiple end-user roles and to simplify maintenance. Granular roles are not designed to be granted to end-users but to be included in end-user roles. Refer to the appendix for the sample code of the following roles.
4.2.1.1. Z_GRANULAR_SELECT__SYS_STATISTICS

| Privilege | What does it do? |
|---|---|
| SELECT _SYS_STATISTICS | View alerts from the statistics server. |

Table 3: Z_GRANULAR_SELECT__SYS_STATISTICS

4.2.1.2. Z_GRANULAR_CONFIGURE__SYS_STATISTICS

| Privilege | What does it do? |
|---|---|
| INSERT, EXECUTE, DELETE, UPDATE _SYS_STATISTICS | Configure alerts. |

Table 4: Z_GRANULAR_CONFIGURE__SYS_STATISTICS
4.2.2. Administration roles

4.2.2.1. Z_BASIS_ADMIN_BACKUP

| Privilege | What does it do? |
|---|---|
| BACKUP ADMIN | Authorizes BACKUP and RECOVERY statements for defining and initiating backup and recovery procedures. It also authorizes changing system configuration options with respect to backup and recovery. |
| SELECT, UPDATE, DELETE z_schedules | Configure job schedules (backup and recovery). |
| SELECT, UPDATE, DELETE z_jobs | Configure jobs (backup and recovery). |

Table 5: Z_BASIS_ADMIN_BACKUP

4.2.2.2. Z_BASIS_BACKUP_OPERATOR
This role is recommended for batch users only, as it prevents backups from being deleted unintentionally.

| Privilege | What does it do? |
|---|---|
| BACKUP OPERATOR | Create and cancel backups, check available space, and query views. |

Table 6: Z_BASIS_BACKUP_OPERATOR
4.2.2.3. Z_BASIS_ADMIN_BASIC

| Privilege | What does it do? |
|---|---|
| Z_GRANULAR_SELECT__SYS_STATISTICS | View alerts from the statistics server. |
| CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on. |
| SERVICE ADMIN | Authorizes the ALTER SYSTEM [START \| CANCEL \| RECONFIGURE] statements for administering system services of the database. |
| INIFILE ADMIN | Authorizes making changes to system settings. |
| TRACE ADMIN | Authorizes the use of the ALTER SYSTEM...TRACES statements for operations on database trace files and authorizes changing trace system settings. |
| SESSION ADMIN | Authorizes the ALTER SYSTEM commands concerning sessions to stop or disconnect a user session or to change session variables. |
| VERSION ADMIN | Authorizes the use of the ALTER SYSTEM RECLAIM VERSION SPACE statement of the multi-version concurrency control (MVCC) feature. |
| LICENSE ADMIN | Authorizes the use of the SET SYSTEM LICENSE statement to install a new license. |

Table 7: Z_BASIS_ADMIN_BASIC

4.2.2.4. Z_BASIS_ADMIN_DATA
This role should only be used in test and development systems, in which developers might need to be able to create their own data objects for trial purposes.

| Privilege | What does it do? |
|---|---|
| CREATE SCHEMA | Create new schemas directly in the database catalog. |
| EXPORT | Export catalog objects to the DB server (csv/binary) or to the client machine. |
| IMPORT | Import catalog objects from the DB server (csv/binary) or from the client machine. |

Table 8: Z_BASIS_ADMIN_DATA
4.2.2.5. Z_BASIS_MONITORING

| Privilege | What does it do? |
|---|---|
| Z_GRANULAR_SELECT__SYS_STATISTICS | View alerts from the statistics server. |
| CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on. |
| SELECT z_services | Read the status of all services. |
| SELECT z_memory | Read detailed information on memory utilization by services. |
| SELECT z_statistics | Read statistics on active services. |
| SELECT z_heap | Read memory allocator statistics since the last reset. |

Table 9: Z_BASIS_MONITORING

4.2.2.6. Z_BASIS_ADMIN_PERSISTENCE

| Privilege | What does it do? |
|---|---|
| CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on. |
| SAVEPOINT ADMIN | Authorizes the execution of a savepoint using the ALTER SYSTEM SAVEPOINT statement. |
| RESOURCE ADMIN | Authorizes statements concerning system resources (for example, the ALTER SYSTEM RECLAIM DATAVOLUME and ALTER SYSTEM RESET MONITORING VIEW statements). It also authorizes many of the statements available in the Management Console. |
| LOG ADMIN | Authorizes the use of the ALTER SYSTEM LOGGING [ON \| OFF] statements to enable or disable the log flush mechanism. |

Table 10: Z_BASIS_ADMIN_PERSISTENCE

4.2.2.7. Z_BASIS_ADMIN_EXTENDED

| Privilege |
|---|
| Z_BASIS_ADMIN_BASIC |
| Z_BASIS_ADMIN_PERSISTENCE |
| Z_BASIS_ADMIN_BACKUP |
| Z_GRANULAR_CONFIGURE__SYS_STATISTICS |

Table 11: Z_BASIS_ADMIN_EXTENDED
4.2.3. Security roles

4.2.3.1. Z_SECURITY_AUDIT_READ

| Privilege | What does it do? |
|---|---|
| AUDIT READ | Authorizes read-only access to the rows of the AUDIT_LOG, XSA_AUDIT_LOG, and ALL_AUDIT_LOG system views. |

Table 12: Z_SECURITY_AUDIT_READ

4.2.3.2. Z_SECURITY_ADMIN_AUDIT

| Privilege | What does it do? |
|---|---|
| CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on. |
| AUDIT ADMIN | Controls the execution of the following auditing-related statements: CREATE AUDIT POLICY, DROP AUDIT POLICY, and ALTER AUDIT POLICY, as well as changes to the auditing configuration. It also allows access to the AUDIT_LOG system view. |

Table 13: Z_SECURITY_ADMIN_AUDIT

4.2.3.3. Z_SECURITY_ADMIN_BASIC

| Privilege | What does it do? |
|---|---|
| CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on. |
| INIFILE ADMIN | Authorizes making changes to system settings. |
| SELECT, INSERT, UPDATE and DELETE _sys_security__sys_password_blacklist | Modify the password blacklist. |

Table 14: Z_SECURITY_ADMIN_BASIC

4.2.3.4. Z_SECURITY_ADMIN_CERTIFICATES

| Privilege | What does it do? |
|---|---|
| CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on. |
| SSL ADMIN | Authorizes the use of the SET...PURPOSE SSL statement. It also allows access to the PSES system view. |
| TRUST ADMIN | Authorizes the use of statements to update the trust store. |
| CERTIFICATE ADMIN | Authorizes the changing of certificates and certificate collections that are stored in the database. |

Table 15: Z_SECURITY_ADMIN_CERTIFICATES
4.2.3.5. Z_SECURITY_ADMIN_DISK_ENCRYPTION

| Privilege | What does it do? |
|---|---|
| CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on. |
| RESOURCE ADMIN | Authorizes statements concerning system resources (for example, the ALTER SYSTEM RECLAIM DATAVOLUME and ALTER SYSTEM RESET MONITORING VIEW statements). It also authorizes many of the statements available in the Management Console. |
| ENCRYPTION ROOT KEY ADMIN | Authorizes all statements related to management of root keys. Allows access to the system views pertaining to encryption (for example, ENCRYPTION_ROOT_KEYS, M_ENCRYPTION_OVERVIEW, M_PERSISTENCE_ENCRYPTION_STATUS, M_PERSISTENCE_ENCRYPTION_KEYS, and so on). |

Table 16: Z_SECURITY_ADMIN_DISK_ENCRYPTION

4.2.3.6. Z_SECURITY_ADMIN_TROUBLESHOOTING

| Privilege | What does it do? |
|---|---|
| CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on. |
| TRACE ADMIN | Authorizes the use of the ALTER SYSTEM...TRACES statements for operations on database trace files and authorizes changing trace system settings. |

Table 17: Z_SECURITY_ADMIN_TROUBLESHOOTING

4.2.3.7. Z_SECURITY_ADMIN

| Privilege |
|---|
| Z_SECURITY_ADMIN_BASIC |
| Z_SECURITY_ADMIN_TROUBLESHOOTING |

Table 18: Z_SECURITY_ADMIN

4.2.3.8. Z_SECURITY_ADMIN_EXTENDED

| Privilege |
|---|
| Z_SECURITY_ADMIN |
| Z_SECURITY_ADMIN_AUDIT |

Table 19: Z_SECURITY_ADMIN_EXTENDED
Public
Create design-time objects in MDC
4.2.4.
Support role
Privilege
What does it do?
Z_BASIS_MONITORING
TRACE ADMIN
Authorizes the use of the ALTER SYSTEM...TRACES statements for operations
on database trace files and authorizes changing trace system settings.
Table 20: Z_SUPPORT_ADMIN_TRACE
4.2.5.
User roles
4.2.5.1. Z_MANAGEMENT_CONTAINER_ROLE_ADMIN
Privilege | What does it do?
EXECUTE Z_GRANT_ROLE_TO_USER | Grant to a database user any HDI role created within the same HDI schema.
EXECUTE Z_REVOKE_ROLE_FROM_USER | Revoke from a database user any HDI role created within the same HDI schema.
Table 21: Z_MANAGEMENT_CONTAINER_ROLE_ADMIN
4.2.5.2. Z_MANAGEMENT_USER_ADMIN
Privilege | What does it do?
USER ADMIN | Authorizes the creation and modification of users using the CREATE USER, ALTER USER, and DROP USER commands.
Table 22: Z_MANAGEMENT_USER_ADMIN
4.3 Procedures
These procedures grant to, or revoke from, a database user any HDI role created within the same HDI schema. Each of them accepts two parameters:
• role name and
• grantee.
Within the procedure the following conditions are checked, and an error is thrown if one of them is violated:
• Grantee must exist (error code 11001),
• Grantee must be different from grantor (error code 11002) and
• Role must exist (error code 11003).
The EXECUTE privilege for these procedures is included in the roles Z_MANAGEMENT_GRANT_ROLE_TO_USER and Z_MANAGEMENT_REVOKE_ROLE_TO_USER.
The following message can be ignored:
“java.sql.SQLWarning: Not recommended feature: DDL statement is used in Dynamic SQL (current dynamic_sql_ddl_error_level = 1)”.
Invocation of the procedures:
CALL <HDI schema name>.Z_GRANT_ROLE_TO_USER ('<role name>','<username>');
CALL <HDI schema name>.Z_REVOKE_ROLE_FROM_USER ('<role name>','<username>');
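An added example, not part of the original document, showing how a caller can handle the three error codes listed above instead of letting the CALL abort: an anonymous SQLScript block declares the same conditions and an exit handler that reports code and message as a result row. It assumes the HDI schema DB_ROLES from Appendix 1 and a constructed grantee name MONITOR_USER1.

```sql
-- Added example (not from the original document).
-- Assumptions: HDI container schema DB_ROLES (schema name from the mta.yaml in
-- Appendix 1); MONITOR_USER1 is a constructed grantee name; the calling user holds
-- EXECUTE on the procedure (role Z_MANAGEMENT_CONTAINER_ROLE_ADMIN).
DO BEGIN
    -- the same conditions the procedure signals (section 4.3)
    DECLARE USERNOTEXIST CONDITION FOR SQL_ERROR_CODE 11001;
    DECLARE GRANTSELF    CONDITION FOR SQL_ERROR_CODE 11002;
    DECLARE ROLENOTEXIST CONDITION FOR SQL_ERROR_CODE 11003;

    -- one exit handler for all three: report the failure as a result row,
    -- then leave the block without executing the remaining statements
    DECLARE EXIT HANDLER FOR USERNOTEXIST, GRANTSELF, ROLENOTEXIST
        SELECT ::SQL_ERROR_CODE    AS error_code,
               ::SQL_ERROR_MESSAGE AS error_message
          FROM DUMMY;

    -- a role name that was never deployed into DB_ROLES: the procedure
    -- signals 11003 and the handler above returns the details
    CALL "DB_ROLES"."Z_GRANT_ROLE_TO_USER"('Z_NOT_DEPLOYED', 'MONITOR_USER1');

    -- only reached when the call succeeded
    SELECT 'granted' AS result FROM DUMMY;
END;
```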
5. CREATE DESIGN-TIME OBJECTS IN SYSTEMDB
If you need roles in the SYSTEMDB as well, proceed as follows.
5.1 Preparation in the SYSTEMDB
First of all, check whether the diserver is already running in the SYSTEMDB.
If not, execute the following command as user SYSTEM:
ALTER SYSTEM ALTER CONFIGURATION ('daemon.ini', 'HOST', '<HOSTNAME>') SET ('diserver', 'instances') = '1' WITH RECONFIGURE;
Create an HDI administrator with the name HDI_ADMIN as shown below.
CREATE USER HDI_ADMIN PASSWORD "Change_it_immidiately!2021" NO FORCE_FIRST_PASSWORD_CHANGE;
CREATE LOCAL TEMPORARY TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;
INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME) SELECT 'HDI_ADMIN', PRIVILEGE_NAME, OBJECT_NAME FROM
_SYS_DI.T_DEFAULT_DI_ADMIN_PRIVILEGES;
CALL _SYS_DI.GRANT_CONTAINER_GROUP_API_PRIVILEGES('_SYS_DI', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #PRIVILEGES;
The user HDI_ADMIN is responsible for configuring general HDI parameters, creating and dropping HDI container groups, moving HDI containers between groups, and managing the privileges of HDI container-group administrators.
The method used here grants the largest possible set of privileges for a user of this type. You can also reduce the set by explicitly listing the desired privileges instead of selecting from _SYS_DI.T_DEFAULT_DI_ADMIN_PRIVILEGES.
Next, create an HDI container group SDB as HDI administrator HDI_ADMIN.
CALL _SYS_DI.CREATE_CONTAINER_GROUP('SDB', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
SELECT * FROM _SYS_DI.M_ALL_CONTAINER_GROUPS WHERE CONTAINER_GROUP_NAME = 'SDB';
The HDI container group SDB is used to administer a set of HDI containers.
Then, as HDI_ADMIN, grant the container-group administrator privileges of SDB to HDI_ADMIN.
CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;
INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME) SELECT 'HDI_ADMIN', PRIVILEGE_NAME, OBJECT_NAME FROM
_SYS_DI.T_DEFAULT_CONTAINER_GROUP_ADMIN_PRIVILEGES;
CALL _SYS_DI.GRANT_CONTAINER_GROUP_API_PRIVILEGES('SDB', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #PRIVILEGES;
Create the container SDB_ROLES in the container group SDB and maintain the set of plug-in libraries.
CALL _SYS_DI#SDB.CREATE_CONTAINER('SDB_ROLES', _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
CALL _SYS_DI#SDB.CONFIGURE_LIBRARIES('SDB_ROLES',_SYS_DI.T_DEFAULT_LIBRARIES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
SELECT * FROM "_SYS_DI#SDB"."M_CONTAINERS";
Create the technical user SDB_ROLES_DEPLOY_USER as user SYSTEM.
CREATE USER SDB_ROLES_DEPLOY_USER PASSWORD "Change_it_immidiately!2021" NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER SDB_ROLES_DEPLOY_USER DISABLE PASSWORD LIFETIME;
As HDI_ADMIN, grant the development API of the container SDB_ROLES to the user SDB_ROLES_DEPLOY_USER, who will be the grantor user for the UPS of the container SDB_ROLES.
CREATE LOCAL TEMPORARY COLUMN TABLE #PRIVILEGES LIKE _SYS_DI.TT_API_PRIVILEGES;
INSERT INTO #PRIVILEGES (PRINCIPAL_NAME, PRIVILEGE_NAME, OBJECT_NAME) SELECT 'SDB_ROLES_DEPLOY_USER', PRIVILEGE_NAME, OBJECT_NAME
FROM _SYS_DI.T_DEFAULT_CONTAINER_USER_PRIVILEGES;
CALL _SYS_DI#SDB.GRANT_CONTAINER_API_PRIVILEGES('SDB_ROLES', #PRIVILEGES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #PRIVILEGES;
As user SYSTEM, create the granting procedure (see Appendix 31) and the user shown below.
CREATE USER SDB_GRANTING_PROCEDURE_USER PASSWORD "Change_it_immidiately!2021" NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER SDB_GRANTING_PROCEDURE_USER DISABLE PASSWORD LIFETIME;
GRANT EXECUTE ON SYSTEM.Z_SDB_GRANT TO SDB_GRANTING_PROCEDURE_USER;
Next, create a new space in XSA, add the relevant members and enable it.
As a preparatory step, look up the SQL port of your SYSTEMDB.
Then add two new instances in the UPS of your new space as follows:
Instance name: Z_SDB_GRANTING_SERVICE
Credentials:
{
  "schema": "SYS",
  "password": "Change_it_immidiately!2021",
  "port": "30013",
  "procedure_schema": "SYSTEM",
  "host": "hostname",
  "procedure": "Z_SDB_GRANT",
  "type": "procedure",
  "user": "SDB_GRANTING_PROCEDURE_USER",
  "tags": [
    "hana"
  ]
}
Instance name: Z_HDI_GRANTING_SERVICE
Credentials:
{
  "schema": "SDB_ROLES",
  "hdi_password": "Change_it_immidiately!2021",
  "port": "30013",
  "host": "hostname",
  "hdi_user": "SDB_ROLES_DEPLOY_USER",
  "tags": [
    "hana"
  ]
}
Table 23: Z_SDB_GRANTING_SERVICE
Create a new multi-target application project as well as a new HDB module in SAP WEBIDE.
Open the mta.yaml file in the code editor and replace its content with the code from Appendix 29.
Next, install the builder and edit the hdinamespace as shown earlier.
Afterwards, copy and paste the folders from the previous project as shown below.
5.2 Extra synonyms for SYSTEMDB
Synonym | Object | Schema name
z_sdb_services | M_SERVICES | SYS_DATABASES
z_sdb_memory | M_SERVICE_MEMORY | SYS_DATABASES
z_sdb_statistics | M_SERVICE_STATISTICS | SYS_DATABASES
z_sdb_heap | M_HEAP_MEMORY_RESET | SYS_DATABASES
Table 24: Synonyms (SYSTEMDB)
5.3 Administrating MDC through the SYSTEMDB
Z_BASIS_MDC_START_STOP
Privilege | What does it do?
DATABASE START | Authorizes a user to start any database in the system and to select from the M_DATABASES view.
DATABASE STOP | Authorizes a user to stop any database in the system and to select from the M_DATABASES view.
Table 25: Z_BASIS_MDC_START_STOP
Z_BASIS_ADMIN_MDC
Privilege | What does it do?
DATABASE ADMIN | Authorizes all statements related to tenant databases, such as CREATE, DROP, ALTER, RENAME, BACKUP, and RECOVERY.
Table 26: Z_BASIS_ADMIN_MDC
Z_BASIS_MONITORING_MDC
Privilege | What does it do?
SELECT__SYS_STATISTICS | Role to grant read-only access to schema _SYS_STATISTICS.
CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on.
SELECT z_sdb_services | Read the status of all services.
SELECT z_sdb_memory | Read detailed information on memory utilization by services.
SELECT z_sdb_statistics | Read statistics on active services.
SELECT z_sdb_heap | Read memory allocator statistics since the last reset.
Table 27: Z_BASIS_MONITORING_MDC
6. DEPLOYMENT AND TROUBLESHOOTING
To deploy the project, click the “build” option in the context menu of the HDB module folder.
After the successful deployment you will see the new HDI schema and all the HDI roles in the HDB:
SELECT * FROM "SYS"."ROLES" WHERE ROLE_SCHEMA_NAME = '<HDI schema name>';
The system view EFFECTIVE_PRIVILEGES is useful for checking the privileges of a specific user.
It includes information about all privileges granted to a specific user (both directly and indirectly
through roles), as well as how the privileges were obtained (GRANTOR and GRANTOR_TYPE
column).
To avoid the need to search through the indexserver trace files to analyze insufficient privilege errors, a procedure is available which you can use to quickly find out details of missing privileges:
GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS().
CALL SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS ('<GUID>', ?);
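As an added example, not part of the original document: the verification queries a practitioner would run after deployment to confirm who holds the HDI roles, how each privilege of a user was obtained, and which grants have silently become invalid. It assumes the HDI schema DB_ROLES from Appendix 1, a constructed user MONITOR_USER1 and a placeholder GUID.

```sql
-- Added example (not from the original document). Assumptions: HDI schema
-- DB_ROLES (Appendix 1), constructed user MONITOR_USER1, placeholder GUID.

-- 1. Who holds roles from the HDI container, and who granted them. Grants made
--    through Z_GRANT_ROLE_TO_USER run with the rights of the container's object
--    owner, so the grantor is expected to be DB_ROLES#OO rather than the
--    administrator who called the procedure.
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_SCHEMA_NAME = 'DB_ROLES'
 ORDER BY GRANTEE, ROLE_NAME;

-- 2. Everything MONITOR_USER1 can do, direct grants and grants inherited
--    through roles alike, with the path by which each privilege arrived.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME,
       GRANTEE, GRANTEE_TYPE, GRANTOR, GRANTOR_TYPE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'MONITOR_USER1'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;

-- 3. Grants whose grantor has since lost the underlying privilege: they are
--    still listed, but with IS_VALID = 'FALSE' they no longer authorize
--    anything. This is the first thing to check after a grantor service or an
--    HDI container has been rebuilt.
SELECT USER_NAME, PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'MONITOR_USER1'
   AND IS_VALID = 'FALSE';

-- 4. The error message of a failed statement carries a GUID; pass it to the
--    procedure to get the missing privilege, object and user without reading
--    the indexserver trace.
CALL SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS('<GUID from the error message>', ?);
```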
If you want an advanced error screen when building roles, modify the package.json as follows:
Now that you have the basics to create roles successfully, adjust them and/or create new ones, and feel free to share your feedback at askSAPHANA@sap.com.
APPENDIX
Appendix 1: mta.yaml
ID: db_roles
_schema-version: '2.0'
description: MDC role templates
version: 0.0.1
modules:
  - name: db-roles-db
    type: hdb
    path: db
    requires:
      - name: db-roles-db-hdi-container
        properties:
          TARGET_CONTAINER: ~{service-name}
      - name: db-roles-db-privileges
resources:
  - name: db-roles-db-hdi-container
    type: com.sap.xs.hdi-container
    properties:
      service-name: ${service-name}
    parameters:
      config:
        schema: DB_ROLES
  - name: db-roles-db-privileges
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: Z_GRANTING_SERVICE
Appendix 2: Z_GRANTING_SERVICE.hdbgrants
{
  "Z_GRANTING_SERVICE": {
    "object_owner": {
      "schema_privileges": [
        {
          "schema": "_SYS_STATISTICS",
          "privileges_with_grant_option": ["INSERT", "UPDATE", "DELETE", "EXECUTE"]
        }
      ],
      "roles": [
        {
          "roles_with_admin_option": [
            "MONITORING"
          ]
        }
      ],
      "object_privileges": [
        {
          "schema": "_SYS_SECURITY",
          "name": "_SYS_PASSWORD_BLACKLIST",
          "type": "TABLE",
          "privileges_with_grant_option": ["SELECT", "INSERT", "UPDATE", "DELETE"]
        },
        {
          "schema": "_SYS_XS",
          "name": "JOB_SCHEDULES",
          "type": "TABLE",
          "privileges_with_grant_option": ["SELECT", "UPDATE", "DELETE"]
        },
        {
          "schema": "_SYS_XS",
          "name": "JOBS",
          "type": "TABLE",
          "privileges_with_grant_option": ["SELECT", "UPDATE", "DELETE"]
        }
      ],
      "system_privileges": [
        {
          "privileges_with_admin_option": [
            "ADAPTER ADMIN",
            "AGENT ADMIN",
            "ALTER CLIENTSIDE ENCRYPTION KEYPAIR",
            "ATTACH DEBUGGER",
            "AUDIT ADMIN",
            "AUDIT OPERATOR",
            "AUDIT READ",
            "BACKUP ADMIN",
            "BACKUP OPERATOR",
            "CATALOG READ",
            "CERTIFICATE ADMIN",
            "CLIENT PARAMETER ADMIN",
            "CREATE CLIENTSIDE ENCRYPTION KEYPAIR",
            "CREATE R SCRIPT",
            "CREATE REMOTE SOURCE",
            "CREATE SCENARIO",
            "CREATE SCHEMA",
            "CREATE STRUCTURED PRIVILEGE",
            "CREDENTIAL ADMIN",
            "DATA ADMIN",
            "DROP CLIENTSIDE ENCRYPTION KEYPAIR",
            "ENCRYPTION ROOT KEY ADMIN",
            "EXPORT",
            "EXTENDED STORAGE ADMIN",
            "IMPORT",
            "INIFILE ADMIN",
            "LDAP ADMIN",
            "LICENSE ADMIN",
            "LOG ADMIN",
            "MONITOR ADMIN",
            "OPTIMIZER ADMIN",
            "RESOURCE ADMIN",
            "SAVEPOINT ADMIN",
            "SCENARIO ADMIN",
            "SERVICE ADMIN",
            "SESSION ADMIN",
            "SSL ADMIN",
            "STRUCTUREDPRIVILEGE ADMIN",
            "SYSTEM REPLICATION ADMIN",
            "TABLE ADMIN",
            "TRACE ADMIN",
            "TRUST ADMIN",
            "USER ADMIN",
            "VERSION ADMIN",
            "WORKLOAD ADMIN",
            "WORKLOAD ANALYZE ADMIN",
            "WORKLOAD CAPTURE ADMIN",
            "WORKLOAD REPLAY ADMIN"
          ]
        }
      ]
    }
  }
}
Appendix 3: Using a UPS with a procedure grantor
Appendix 3.1: SYSTEM.Z_GRANT
CREATE PROCEDURE SYSTEM.Z_GRANT(
    IN PRIVILEGES TABLE (
        PRIVILEGE_TYPE NVARCHAR(128),  -- 'SCHEMA_OBJECT_PRIVILEGE'
                                       -- 'GLOBAL_OBJECT_PRIVILEGE'
                                       -- 'SCHEMA_ROLE'
                                       -- 'GLOBAL_ROLE'
                                       -- 'SCHEMA_PRIVILEGE'
                                       -- 'SYSTEM_PRIVILEGE'
        PRIVILEGE_NAME NVARCHAR(256),  -- cf. SYS.PRIVILEGES
        OBJECT_SCHEMA  NVARCHAR(256),  -- NULL or schema
        OBJECT_NAME    NVARCHAR(256),
        OBJECT_TYPE    NVARCHAR(128),  -- NULL or 'REMOTE SOURCE'
        GRANTEE_SCHEMA NVARCHAR(256),  -- NULL or schema
        GRANTEE_NAME   NVARCHAR(256),
        GRANTABLE      NVARCHAR(5)     -- 'TRUE' or 'FALSE'
    )
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
BEGIN
    DECLARE ERROR CONDITION FOR SQL_ERROR_CODE 10000;
    DECLARE CURSOR PRIVILEGES_CURSOR FOR SELECT * FROM :PRIVILEGES;
    FOR PRIVILEGE AS PRIVILEGES_CURSOR
    DO
        DECLARE TO_GRANTEE_CLAUSE NVARCHAR(512);
        DECLARE GRANTABLE_CLAUSE NVARCHAR(512) = '';
        -- grantee is either a plain name or a schema-qualified (HDI) role
        IF PRIVILEGE.GRANTEE_SCHEMA IS NULL THEN
            TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) || '"';
        ELSE
            TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_SCHEMA)
                || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) || '"';
        END IF;
        -- roles and system privileges use ADMIN OPTION, object privileges GRANT OPTION
        IF PRIVILEGE.GRANTABLE = 'TRUE' THEN
            IF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' OR
               PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' OR
               PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
                GRANTABLE_CLAUSE = ' WITH ADMIN OPTION';
            ELSE
                GRANTABLE_CLAUSE = ' WITH GRANT OPTION';
            END IF;
        ELSEIF PRIVILEGE.GRANTABLE != 'FALSE' THEN
            SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for GRANTABLE: '
                || PRIVILEGE.GRANTABLE;
        END IF;
        IF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_OBJECT_PRIVILEGE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                || ' ON "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
                || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_OBJECT_PRIVILEGE' THEN
            IF PRIVILEGE.OBJECT_TYPE = 'REMOTE SOURCE' THEN
                EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                    || ' ON ' || PRIVILEGE.OBJECT_TYPE || ' "'
                    || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                    || TO_GRANTEE_CLAUSE
                    || GRANTABLE_CLAUSE;
            ELSE
                SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for OBJECT_TYPE for GLOBAL_OBJECT_PRIVILEGE: '
                    || PRIVILEGE.OBJECT_TYPE;
            END IF;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
                || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_PRIVILEGE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                || ' ON SCHEMA "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSE
            SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for PRIVILEGE_TYPE: '
                || PRIVILEGE.PRIVILEGE_TYPE;
        END IF;
    END FOR;
END;
Appendix 3.2: GRANTING_PROCEDURE_GRANTOR_USER
CREATE USER GRANTING_PROCEDURE_GRANTOR_USER PASSWORD "Change_it_immidiately!2021" NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT EXECUTE ON SYSTEM.Z_GRANT TO GRANTING_PROCEDURE_GRANTOR_USER;
Appendix 4: Z_SYS.hdbsynonym
{
"z_blacklist": {
"target": {
"object": "_SYS_PASSWORD_BLACKLIST",
"schema": "_SYS_SECURITY"
}
},
"z_users": {
"target": {
"object": "USERS",
"schema": "SYS"
}
},
"z_roles": {
"target": {
"object": "ROLES",
"schema": "SYS"
}
},
"z_services": {
"target": {
"object": "M_SERVICES",
"schema": "SYS"
}
},
"z_memory": {
"target": {
"object": "M_SERVICE_MEMORY",
"schema": "SYS"
}
},
"z_heap": {
"target": {
"object": "M_HEAP_MEMORY_RESET",
"schema": "SYS"
}
},
"z_statistics": {
"target": {
"object": "M_SERVICE_STATISTICS",
"schema": "SYS"
}
},
"z_dummy": {
"target": {
"object": "DUMMY",
"schema": "SYS"
}
},
"z_schedules": {
"target": {
"object": "JOB_SCHEDULES",
"schema": "_SYS_XS"
}
},
"z_jobs": {
"target": {
"object": "JOBS",
"schema": "_SYS_XS"
}
}
}
Appendix 5: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbroleconfig
{
"Z_GRANULAR_SELECT__SYS_STATISTICS": {
"_SYS_STATISTICS_schema": {
"schema": "_SYS_STATISTICS"
}
}
}
Appendix 6: Z_GRANULAR_SELECT__SYS_STATISTICS.hdbrole
{
"role": {
"name": "Z_GRANULAR_SELECT__SYS_STATISTICS",
"schema_privileges": [
{
"reference": "_SYS_STATISTICS_schema",
"privileges": ["SELECT"]
}
]
}
}
Appendix 7: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbroleconfig
{
"Z_GRANULAR_CONFIGURE__SYS_STATISTICS": {
"_SYS_STATISTICS_schema": {
"schema": "_SYS_STATISTICS"
}
}
}
Appendix 8: Z_GRANULAR_CONFIGURE__SYS_STATISTICS.hdbrole
{
"role": {
"name": "Z_GRANULAR_CONFIGURE__SYS_STATISTICS",
"schema_privileges": [
{
"reference": "_SYS_STATISTICS_schema",
"privileges": [
"INSERT",
"EXECUTE",
"DELETE",
"UPDATE"
]
}
]
}
}
Appendix 9: Z_BASIS_ADMIN_BACKUP.hdbrole
{
"role": {
"name": "Z_BASIS_ADMIN_BACKUP",
"object_privileges": [
{
"name": "z_schedules",
"type": "TABLE",
"privileges": [
"SELECT",
"DELETE",
"UPDATE"
]
},
{
"name": "z_jobs",
"type": "TABLE",
"privileges": [
"DELETE",
"SELECT",
"UPDATE"
]
}
],
"system_privileges": [
"BACKUP ADMIN"
]
}
}
Appendix 10: Z_BASIS_BACKUP_OPERATOR.hdbrole
{
"role":{
"name": "Z_BASIS_BACKUP_OPERATOR",
"system_privileges": [
"BACKUP OPERATOR"
]
}
}
Appendix 11: Z_BASIS_ADMIN_BASIC.hdbrole
{
  "role": {
    "name": "Z_BASIS_ADMIN_BASIC",
    "schema_roles": [
      {
        "names": [
          "Z_GRANULAR_SELECT__SYS_STATISTICS"
        ]
      }
    ],
    "system_privileges": [
      "CATALOG READ",
      "SERVICE ADMIN",
      "INIFILE ADMIN",
      "TRACE ADMIN",
      "SESSION ADMIN",
      "VERSION ADMIN",
      "LICENSE ADMIN"
    ]
  }
}
Appendix 12: Z_BASIS_ADMIN_DATA.hdbrole
{
"role":{
"name": "Z_BASIS_ADMIN_DATA",
"system_privileges": [
"CREATE SCHEMA",
"EXPORT",
"IMPORT"
]
}
}
Appendix 13: Z_BASIS_MONITORING.hdbrole
{
"role": {
"name": "Z_BASIS_MONITORING",
"system_privileges": [
"CATALOG READ"
],
"schema_roles":[
{
"names": [
"Z_GRANULAR_SELECT__SYS_STATISTICS"
]
}
],
"object_privileges": [
{
"name": "z_services",
"type": "TABLE",
"privileges": ["SELECT"]
},
{
"name": "z_memory",
"type": "TABLE",
"privileges": ["SELECT"]
},
{
"name": "z_statistics",
"type": "TABLE",
"privileges": ["SELECT"]
},
{
"name": "z_heap",
"type": "TABLE",
"privileges": ["SELECT"]
}
]
}
}
Appendix 14: Z_BASIS_ADMIN_PERSISTENCE.hdbrole
{
"role":{
"name": "Z_BASIS_ADMIN_PERSISTENCE",
"system_privileges": [
"CATALOG READ",
"SAVEPOINT ADMIN",
"RESOURCE ADMIN",
"LOG ADMIN"
]
}
}
Appendix 15: Z_BASIS_ADMIN_EXTENDED.hdbrole
{
"role": {
"name": "Z_BASIS_ADMIN_EXTENDED",
"schema_roles":[
{
"names": [
"Z_BASIS_ADMIN_BACKUP",
"Z_BASIS_ADMIN_BASIC",
"Z_BASIS_ADMIN_PERSISTENCE",
"Z_GRANULAR_CONFIGURE__SYS_STATISTICS"
]
}
]
}
}
Appendix 16: Z_SECURITY_AUDIT_READ.hdbrole
{
"role":{
"name": "Z_SECURITY_AUDIT_READ",
"system_privileges": [
"AUDIT READ"
]
}
}
Appendix 17: Z_SECURITY_ADMIN_AUDIT.hdbrole
{
"role":{
"name": "Z_SECURITY_ADMIN_AUDIT",
"system_privileges": [
"CATALOG READ",
"AUDIT ADMIN"
]
}
}
Appendix 18: Z_SECURITY_ADMIN_BASIC.hdbrole
{
  "role": {
    "name": "Z_SECURITY_ADMIN_BASIC",
    "system_privileges": [
      "CATALOG READ",
      "INIFILE ADMIN"
    ],
    "object_privileges": [
      {
        "name": "z_blacklist",
        "type": "TABLE",
        "privileges": ["SELECT", "INSERT", "UPDATE", "DELETE"]
      }
    ]
  }
}
Appendix 19: Z_SECURITY_ADMIN_CERTIFICATES.hdbrole
{
"role":{
"name": "Z_SECURITY_ADMIN_CERTIFICATES",
"system_privileges": [
"CATALOG READ",
"SSL ADMIN",
"TRUST ADMIN",
"CERTIFICATE ADMIN"
]
}
}
Appendix 20: Z_SECURITY_ADMIN_DISK_ENCRYPTION.hdbrole
{
"role":{
"name": "Z_SECURITY_ADMIN_DISK_ENCRYPTION",
"system_privileges": [
"CATALOG READ",
"RESOURCE ADMIN",
"ENCRYPTION ROOT KEY ADMIN"
]
}
}
Appendix 21: Z_SECURITY_ADMIN_TROUBLESHOOTING.hdbrole
{
"role":{
"name": "Z_SECURITY_ADMIN_TROUBLESHOOTING",
"system_privileges": [
"CATALOG READ",
"TRACE ADMIN"
]
}
}
Appendix 22: Z_SECURITY_ADMIN.hdbrole
{
  "role": {
    "name": "Z_SECURITY_ADMIN",
    "schema_roles": [
      {
        "names": [
          "Z_SECURITY_ADMIN_BASIC",
          "Z_SECURITY_ADMIN_TROUBLESHOOTING"
        ]
      }
    ]
  }
}
Appendix 23: Z_SECURITY_ADMIN_EXTENDED.hdbrole
{
"role": {
"name": "Z_SECURITY_ADMIN_EXTENDED",
"schema_roles":[
{
"names": [
"Z_SECURITY_ADMIN",
"Z_SECURITY_ADMIN_AUDIT"
]
}
]
}
}
Appendix 24: Z_SUPPORT_ADMIN_TRACE.hdbrole
{
"role": {
"name": "Z_SUPPORT_ADMIN_TRACE",
"schema_roles":[
{
"names": [
"Z_BASIS_MONITORING"
]
}
],
"system_privileges": [
"TRACE ADMIN"
]
}
}
Appendix 25: Z_MANAGEMENT_CONTAINER_ROLE_ADMIN.hdbrole
{
"role":{
"name": "Z_MANAGEMENT_CONTAINER_ROLE_ADMIN",
"object_privileges":[
{
"name":"Z_GRANT_ROLE_TO_USER",
"type":"PROCEDURE",
"privileges":[ "EXECUTE" ]
},
{
"name":"Z_REVOKE_ROLE_FROM_USER",
"type":"PROCEDURE",
"privileges":[ "EXECUTE" ]
}
]
}
}
Appendix 26: Z_MANAGEMENT_USER_ADMIN.hdbrole
{
"role":{
"name": "Z_MANAGEMENT_USER_ADMIN",
"system_privileges": [
"USER ADMIN"
]
}
}
Appendix 27: Z_GRANT_ROLE_TO_USER.hdbprocedure
PROCEDURE "Z_GRANT_ROLE_TO_USER" (
    IN role_name NVARCHAR(256),
    IN grantee   NVARCHAR(256)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
    -- SQL statement we are going to execute
    v_statement   NVARCHAR(1024);
    hdi_oo        NVARCHAR(256);
    role_schema   NVARCHAR(256);
    counter       INTEGER := 0;
    error_code    INTEGER;
    error_message NVARCHAR(1024);
BEGIN
    -- prepare error handling in case of invalid arguments
    DECLARE USERNOTEXIST CONDITION FOR SQL_ERROR_CODE 11001;
    DECLARE GRANTSELF    CONDITION FOR SQL_ERROR_CODE 11002;
    DECLARE ROLENOTEXIST CONDITION FOR SQL_ERROR_CODE 11003;
    DECLARE EXIT HANDLER FOR USERNOTEXIST RESIGNAL;
    DECLARE EXIT HANDLER FOR GRANTSELF    RESIGNAL;
    DECLARE EXIT HANDLER FOR ROLENOTEXIST RESIGNAL;

    -- the container's object owner is the creator of all HDI roles in this schema
    hdi_oo      := ::CURRENT_OBJECT_SCHEMA || '#OO';
    role_schema := ::CURRENT_OBJECT_SCHEMA;

    -- check if role exists (and was created by this container's object owner)
    SELECT COUNT(*) INTO counter
      FROM (SELECT * FROM "z_roles"
             WHERE role_name = :role_name
               AND role_schema_name = :role_schema
               AND creator = :hdi_oo);
    IF ( counter != 1 )
    THEN
        SIGNAL ROLENOTEXIST SET MESSAGE_TEXT = 'Role does not exist: ' || :role_name;
    END IF;

    -- check input parameter user:
    -- does grantee exist?
    SELECT COUNT(*) INTO counter FROM (SELECT * FROM "z_users" WHERE user_name = :grantee);
    IF ( counter != 1 )
    THEN
        SIGNAL USERNOTEXIST SET MESSAGE_TEXT = 'User does not exist: ' || :grantee;
    END IF;

    -- self grant?
    IF :grantee = SESSION_USER
    THEN
        SIGNAL GRANTSELF SET MESSAGE_TEXT = 'Self-grant not allowed';
    END IF;

    -- assemble grant statement: we must call the
    v_statement := 'GRANT "' || ESCAPE_DOUBLE_QUOTES(:role_schema) || '"."' || ESCAPE_DOUBLE_QUOTES(:role_name) || '" TO "' || ESCAPE_DOUBLE_QUOTES(:grantee) || '"';
    -- and run the statement:
    EXEC v_statement;
END;
Appendix 28: Z_REVOKE_ROLE_FROM_USER.hdbprocedure
PROCEDURE "Z_REVOKE_ROLE_FROM_USER" (
    IN role_name NVARCHAR(256),
    IN grantee   NVARCHAR(256)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
--DEFAULT SCHEMA <default_schema_name>
AS
    -- SQL statement we're going to execute
    v_statement   NVARCHAR(1024);
    hdi_oo        NVARCHAR(256);
    role_schema   NVARCHAR(256);
    counter       INTEGER := 0;
    error_code    INTEGER;
    error_message NVARCHAR(1024);
BEGIN
    -- prepare error handling in case of invalid arguments
    DECLARE USERNOTEXIST CONDITION FOR SQL_ERROR_CODE 11001;
    DECLARE GRANTSELF    CONDITION FOR SQL_ERROR_CODE 11002;
    DECLARE ROLENOTEXIST CONDITION FOR SQL_ERROR_CODE 11003;
    DECLARE EXIT HANDLER FOR USERNOTEXIST RESIGNAL;
    DECLARE EXIT HANDLER FOR GRANTSELF    RESIGNAL;
    DECLARE EXIT HANDLER FOR ROLENOTEXIST RESIGNAL;

    -- the container's object owner is the creator of all HDI roles in this schema
    hdi_oo      := ::CURRENT_OBJECT_SCHEMA || '#OO';
    role_schema := ::CURRENT_OBJECT_SCHEMA;

    -- check input parameter user:
    -- does grantee exist?
    SELECT COUNT(*) INTO counter FROM (SELECT * FROM "z_users" WHERE user_name = :grantee);
    IF ( counter != 1 )
    THEN
        SIGNAL USERNOTEXIST SET MESSAGE_TEXT = 'User does not exist: ' || :grantee;
    END IF;

    -- check if role exists (and was created by this container's object owner)
    SELECT COUNT(*) INTO counter
      FROM (SELECT * FROM "z_roles"
             WHERE role_name = :role_name
               AND role_schema_name = :role_schema
               AND creator = :hdi_oo);
    IF ( counter != 1 )
    THEN
        SIGNAL ROLENOTEXIST SET MESSAGE_TEXT = 'Role does not exist: ' || :role_name;
    END IF;

    -- self-revoke?
    IF :grantee = SESSION_USER
    THEN
        SIGNAL GRANTSELF SET MESSAGE_TEXT = 'Self-revoke not allowed';
    END IF;

    -- assemble revoke statement:
    v_statement := 'REVOKE "' || ESCAPE_DOUBLE_QUOTES(:role_schema) || '"."' || ESCAPE_DOUBLE_QUOTES(:role_name) || '" FROM "' || ESCAPE_DOUBLE_QUOTES(:grantee) || '"';
    -- and run the statement:
    EXEC v_statement;
END;
Appendix 29: mta.yaml (SYSTEMDB)
ID: sdb_roles
_schema-version: '2.0'
description: SYSTEMDB role templates
version: 0.0.1
modules:
  - name: sdb
    type: hdb
    path: sdb
    requires:
      - name: hdi-HDI_ROLES
        properties:
          TARGET_CONTAINER: ~{service-name}
      - name: hdi-SDB_ROLES
resources:
  - name: hdi-HDI_ROLES
    type: org.cloudfoundry.existing-service
    properties:
      service-name: ${service-name}
    parameters:
      service-name: Z_HDI_GRANTING_SERVICE
  - name: hdi-SDB_ROLES
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: Z_SDB_GRANTING_SERVICE
Appendix 30: Z_SDB_GRANTING_SERVICE.hdbgrants
{
  "Z_SDB_GRANTING_SERVICE": {
    "object_owner": {
      "schema_privileges": [
        {
          "schema": "_SYS_STATISTICS",
          "privileges_with_grant_option": ["SELECT", "INSERT", "UPDATE", "DELETE", "EXECUTE"]
        }
      ],
      "roles": [
        {
          "roles_with_admin_option": [
            "MONITORING"
          ]
        }
      ],
      "object_privileges": [
        {
          "schema": "_SYS_SECURITY",
          "name": "_SYS_PASSWORD_BLACKLIST",
          "type": "TABLE",
          "privileges_with_grant_option": ["SELECT", "INSERT", "UPDATE", "DELETE"]
        },
        {
          "schema": "_SYS_XS",
          "name": "JOB_SCHEDULES",
          "type": "TABLE",
          "privileges_with_grant_option": ["SELECT", "UPDATE", "DELETE"]
        },
        {
          "schema": "_SYS_XS",
          "name": "JOBS",
          "type": "TABLE",
          "privileges_with_grant_option": ["SELECT", "UPDATE", "DELETE"]
        }
      ],
      "system_privileges": [
        {
          "privileges_with_admin_option": [
            "ADAPTER ADMIN",
            "AGENT ADMIN",
            "ALTER CLIENTSIDE ENCRYPTION KEYPAIR",
            "ATTACH DEBUGGER",
            "AUDIT ADMIN",
            "AUDIT OPERATOR",
            "AUDIT READ",
            "BACKUP ADMIN",
            "BACKUP OPERATOR",
            "CATALOG READ",
            "CERTIFICATE ADMIN",
            "CLIENT PARAMETER ADMIN",
            "CREATE CLIENTSIDE ENCRYPTION KEYPAIR",
            "CREATE R SCRIPT",
            "CREATE REMOTE SOURCE",
            "CREATE SCENARIO",
            "CREATE SCHEMA",
            "CREATE STRUCTURED PRIVILEGE",
            "CREDENTIAL ADMIN",
            "DATA ADMIN",
            "DATABASE ADMIN",
            "DATABASE START",
            "DATABASE STOP",
            "DROP CLIENTSIDE ENCRYPTION KEYPAIR",
            "ENCRYPTION ROOT KEY ADMIN",
            "EXPORT",
            "EXTENDED STORAGE ADMIN",
            "IMPORT",
            "INIFILE ADMIN",
            "LDAP ADMIN",
            "LICENSE ADMIN",
            "LOG ADMIN",
            "MONITOR ADMIN",
            "OPTIMIZER ADMIN",
            "RESOURCE ADMIN",
            "SAVEPOINT ADMIN",
            "SCENARIO ADMIN",
            "SERVICE ADMIN",
            "SESSION ADMIN",
            "SSL ADMIN",
            "STRUCTUREDPRIVILEGE ADMIN",
            "SYSTEM REPLICATION ADMIN",
            "TABLE ADMIN",
            "TRACE ADMIN",
            "TRUST ADMIN",
            "USER ADMIN",
            "VERSION ADMIN",
            "WORKLOAD ADMIN",
            "WORKLOAD ANALYZE ADMIN",
            "WORKLOAD CAPTURE ADMIN",
            "WORKLOAD REPLAY ADMIN"
          ]
        }
      ]
    }
  }
}
Appendix 31: SYSTEM.Z_SDB_GRANT
CREATE PROCEDURE SYSTEM.Z_SDB_GRANT(
    IN PRIVILEGES TABLE (
        PRIVILEGE_TYPE NVARCHAR(128),  -- 'SCHEMA_OBJECT_PRIVILEGE'
                                       -- 'GLOBAL_OBJECT_PRIVILEGE'
                                       -- 'SCHEMA_ROLE'
                                       -- 'GLOBAL_ROLE'
                                       -- 'SCHEMA_PRIVILEGE'
                                       -- 'SYSTEM_PRIVILEGE'
        PRIVILEGE_NAME NVARCHAR(256),  -- cf. SYS.PRIVILEGES
        OBJECT_SCHEMA  NVARCHAR(256),  -- NULL or schema
        OBJECT_NAME    NVARCHAR(256),
        OBJECT_TYPE    NVARCHAR(128),  -- NULL or 'REMOTE SOURCE'
        GRANTEE_SCHEMA NVARCHAR(256),  -- NULL or schema
        GRANTEE_NAME   NVARCHAR(256),
        GRANTABLE      NVARCHAR(5)     -- 'TRUE' or 'FALSE'
    )
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
BEGIN
    DECLARE ERROR CONDITION FOR SQL_ERROR_CODE 10000;
    DECLARE CURSOR PRIVILEGES_CURSOR FOR SELECT * FROM :PRIVILEGES;
    FOR PRIVILEGE AS PRIVILEGES_CURSOR
    DO
        DECLARE TO_GRANTEE_CLAUSE NVARCHAR(512);
        DECLARE GRANTABLE_CLAUSE NVARCHAR(512) = '';
        -- grantee is either a plain name or a schema-qualified (HDI) role
        IF PRIVILEGE.GRANTEE_SCHEMA IS NULL THEN
            TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) || '"';
        ELSE
            TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_SCHEMA)
                || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) || '"';
        END IF;
        -- roles and system privileges use ADMIN OPTION, object privileges GRANT OPTION
        IF PRIVILEGE.GRANTABLE = 'TRUE' THEN
            IF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' OR
               PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' OR
               PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
                GRANTABLE_CLAUSE = ' WITH ADMIN OPTION';
            ELSE
                GRANTABLE_CLAUSE = ' WITH GRANT OPTION';
            END IF;
        ELSEIF PRIVILEGE.GRANTABLE != 'FALSE' THEN
            SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for GRANTABLE: '
                || PRIVILEGE.GRANTABLE;
        END IF;
        IF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_OBJECT_PRIVILEGE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                || ' ON "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
                || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_OBJECT_PRIVILEGE' THEN
            IF PRIVILEGE.OBJECT_TYPE = 'REMOTE SOURCE' THEN
                EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                    || ' ON ' || PRIVILEGE.OBJECT_TYPE || ' "'
                    || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                    || TO_GRANTEE_CLAUSE
                    || GRANTABLE_CLAUSE;
            ELSE
                SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for OBJECT_TYPE for GLOBAL_OBJECT_PRIVILEGE: '
                    || PRIVILEGE.OBJECT_TYPE;
            END IF;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
                || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_PRIVILEGE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                || ' ON SCHEMA "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' THEN
            EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                || TO_GRANTEE_CLAUSE
                || GRANTABLE_CLAUSE;
        ELSE
            SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for PRIVILEGE_TYPE: '
                || PRIVILEGE.PRIVILEGE_TYPE;
        END IF;
    END FOR;
END;
Appendix 32: Z_SDB_SYS.hdbsynonym
{
"z_blacklist": {
"target": {
"object": "_SYS_PASSWORD_BLACKLIST",
"schema": "_SYS_SECURITY"
}
},
"z_users": {
"target": {
"object": "USERS",
"schema": "SYS"
}
},
"z_roles": {
"target": {
"object": "ROLES",
"schema": "SYS"
}
},
"z_services": {
"target": {
"object": "M_SERVICES",
"schema": "SYS"
}
},
"z_memory": {
"target": {
"object": "M_SERVICE_MEMORY",
"schema": "SYS"
}
},
"z_heap": {
"target": {
"object": "M_HEAP_MEMORY_RESET",
"schema": "SYS"
}
},
"z_statistics": {
"target": {
"object": "M_SERVICE_STATISTICS",
"schema": "SYS"
}
},
"z_sdb_services": {
"target": {
"object": "M_SERVICES",
"schema": "SYS_DATABASES"
}
},
"z_sdb_memory": {
"target": {
"object": "M_SERVICE_MEMORY",
"schema": "SYS_DATABASES"
}
},
"z_sdb_heap": {
"target": {
"object": "M_HEAP_MEMORY_RESET",
"schema": "SYS_DATABASES"
}
},
"z_sdb_statistics": {
"target": {
"object": "M_SERVICE_STATISTICS",
"schema": "SYS_DATABASES"
}
},
"z_dummy": {
"target": {
"object": "DUMMY",
"schema": "SYS"
}
},
"z_schedules": {
"target": {
"object": "JOB_SCHEDULES",
"schema": "_SYS_XS"
}
},
"z_jobs": {
"target": {
"object": "JOBS",
"schema": "_SYS_XS"
}
}
}
Appendix 33: Z_BASIS_MDC_START_STOP.hdbrole
{
"role":{
"name": "Z_BASIS_MDC_START_STOP",
"system_privileges": [
"DATABASE START",
"DATABASE STOP"
]
}
}
Appendix 34: Z_BASIS_ADMIN_MDC.hdbrole
{
"role":{
"name": "Z_BASIS_ADMIN_MDC",
"system_privileges": [
"DATABASE ADMIN"
]
}
}
Appendix 35: Z_BASIS_MONITORING_MDC.hdbrole
{
  "role": {
    "name": "Z_BASIS_MONITORING_MDC",
    "object_privileges": [
      {
        "name": "z_sdb_services",
        "type": "SYNONYM",
        "privileges": [
          "SELECT"
        ]
      },
      {
        "name": "z_sdb_memory",
        "type": "SYNONYM",
        "privileges": [
          "SELECT"
        ]
      },
      {
        "name": "z_sdb_heap",
        "type": "SYNONYM",
        "privileges": [
          "SELECT"
        ]
      },
      {
        "name": "z_sdb_statistics",
        "type": "SYNONYM",
        "privileges": [
          "SELECT"
        ]
      }
    ],
    "system_privileges": [
      "CATALOG READ"
    ],
    "schema_roles": [
      {
        "names": [
          "Z_GRANULAR_SELECT__SYS_STATISTICS"
        ]
      }
    ]
  }
}
www.sap.com/contactsap
© 2021 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein.
This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See www.sap.com/trademark for additional trademark information and notices.