We know that SAP HANA security has been revamped in XS Advanced (HANA 2.0 / HANA Cloud), when compared to the security features of XS Classic. This blog will discuss in detail the security design & concepts related to SAP HANA XSA.
HDI Containers
HANA Development Infrastructure (HDI) containers are logical separations of your HANA database. They are used to create isolated environments where runtime objects & data reside, similar to an XS Classic schema.
It is important to understand that HDI containers are still represented as a schema in the database. Every HDI container has a schema name (if not specified at the time of creation, it will be auto-generated).
Only local object access is allowed inside an HDI container; cross-container access needs to be implemented explicitly to reach objects in other HDI containers.
Steps to implement XSA cross-container access
Database Roles
Upon creation of an HDI container, two default roles are auto-generated in the database. These roles can be used to grant the following access to the HDI container:
- <schema name>::access_role
This DB role contains a set of default privileges for the run-time schema: SELECT, INSERT, UPDATE, DELETE, EXECUTE, CREATE TEMPORARY TABLE, and SELECT CDS METADATA.
- <schema name>::external_privileges_role
This DB role grants the application user access to schemas and objects outside that HDI container.

access_role definition from SAP HANA Admin Cockpit
Object Owner
An Object Owner (OO) is also created automatically when an HDI container is created. This ‘restricted database user’ is created with the name ‘<schema name>#OO’.
This is the only user that has full control over that particular HDI container. Runtime objects are created by this user when design-time objects are built & deployed from Web IDE for HANA or Business Application Studio (BAS).

Object Owner (#OO) user
Technical Users
SAP BTP users who have access to the particular ‘space’ where the HDI container is deployed will be able to access the HDI container.
A service key will be generated in the HDI instance for each user who accesses the HDI container. This service key contains various details, including some technical usernames & passwords. These active database users are auto-generated, and their usernames end with:
- ‘_RT’ for runtime user
- ‘_DT’ for design-time user

service key from a HDI container instance on BTP
The two auto-generated roles for access to the HDI container are already assigned to the runtime user.

_RT user definition from SAP HANA Admin Cockpit
The runtime user is used for any end-user access to the HDI container, be it the SQL console via Database Explorer or a front-end application such as a UI5 app.
Note: A database user is not required to access an HDI container. With the right privilege at the SAP BTP space / sub-account level, users can access the HDI container externally – from a front-end app or DB explorer. This is in contrast to HANA XSC, where we had to create a DB user for every end-user / developer.
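The roles and users described above can be reviewed directly from the HANA catalog. The queries below are an added example, not taken from the original post: 'MY_CONTAINER' is a placeholder for the container's schema name, and they assume the session user is allowed to read all rows of the SYS.USERS, SYS.GRANTED_ROLES and SYS.GRANTED_PRIVILEGES system views.

```sql
-- Added example. 'MY_CONTAINER' is a placeholder for the container's schema name.
-- Assumes the session user can read all rows of the SYS catalog views
-- (for example through the CATALOG READ system privilege).

-- 1. The object owner should exist and be a restricted user.
SELECT USER_NAME, IS_RESTRICTED, CREATE_TIME
FROM   SYS.USERS
WHERE  USER_NAME = 'MY_CONTAINER#OO';

-- 2. Who holds the two auto-generated roles? The post expects the _RT user;
--    any other grantee is listed so it can be confirmed as intended.
SELECT ROLE_NAME,
       GRANTEE,
       GRANTEE_TYPE,
       GRANTOR,
       CASE WHEN RIGHT(GRANTEE, 3) = '_RT'
            THEN 'runtime user'
            ELSE 'other grantee, confirm intended'
       END AS FINDING
FROM   SYS.GRANTED_ROLES
WHERE  ROLE_NAME IN ('MY_CONTAINER::access_role',
                     'MY_CONTAINER::external_privileges_role')
ORDER  BY ROLE_NAME, GRANTEE;

-- 3. Privileges in access_role that are outside the default set listed
--    in the Database Roles section. An empty result means nothing beyond
--    that set has been added to the role.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR
FROM   SYS.GRANTED_PRIVILEGES
WHERE  GRANTEE = 'MY_CONTAINER::access_role'
  AND  PRIVILEGE NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE',
                         'CREATE TEMPORARY TABLE', 'SELECT CDS METADATA');
```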
I hope this was a useful read 😊
Knowledge shared is knowledge squared! #KeepSharing