Prevent Objects Deletion from _SYS_BIC by Users only having SELECT privilege on _SYS_BIC

Former Member

Hi Friends,

I know that whenever we create a model in a Package and activate it, the runtime Column Views are created and stored under the Column Views section of the _SYS_BIC schema.

By giving the SELECT privilege on _SYS_BIC to my user (say Usr1), he is able to see all the Column Views created under _SYS_BIC, for which he is able to see the definition as well as the corresponding Data Preview.


Now I have 2 requirements which are listed below:

  1. Even though Usr1 has only SELECT permission on _SYS_BIC, he is still able to right-click and delete any object from _SYS_BIC. How do I restrict this?
  2. Also, how do I prevent Usr1 from being able to right-click and see the definition of views using View Definition?

Thanks & Regards

Nagarjuna

lucas_oliveira
Product and Topic Expert

Hi Nagarjuna,

Obviously, privilege SELECT on _SYS_BIC only won't allow the user to delete the objects from that schema. Maybe you have the MODELING role assigned to your user. If so then well.... that's a template role not meant to be used in production. Indeed this role has extreme power over _SYS_BIC, but I don't see why you'd need more than SELECT and EXECUTE, as _SYS_REPO owns all in there and can manage everything for you. In other words: don't use MODELING as it is... copy it and adapt it to your needs.

Checking the structure of db objects requires the CATALOG READ or DATA ADMIN system privilege. Without that you can't get to the structure details. These are in MODELING as well....

There's a nice document out there with many granular template roles if you are building your company's HANA authorization strategy. Here it is:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c02c2004-899d-3110-8488-b3ff8362b...

BRs,

Lucas de Oliveira

Former Member

Hi Lucas,

Thanks for your valuable reply. It helped me in deleting the objects from _SYS_BIC.

But what I understood after removing DATA ADMIN is that we will not be able to connect Excel with HANA.

Correct me if I am wrong. Also let me know if there is any substitute privilege for connecting Excel with HANA. I have that requirement.

Thanks & Regards

Nagarjuna

vivekbhoj
Active Contributor

Hi Nagarjuna,

You don't need the DATA ADMIN privilege to connect Excel to HANA.

First you need to create an ODBC connection between Excel and HANA.

Then the user that needs to connect to HANA needs SELECT access to the SAP HANA views present in the _SYS_BIC schema and also the relevant Analytic Privilege.

If you want to try, you can grant SELECT access on _SYS_BIC schema and Analytic Privilege _SYS_BI_CP_ALL to your user and see if you are able to connect to HANA via Excel.

But these privileges shouldn't be given to end users.

You can check below blog on creating end users:

Regards,

Vivek
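
The advice in the replies above (find what actually grants the delete and view-definition rights, then replace MODELING with a narrower role) can be worked through in SQL. This is an added example, not part of any post in this thread. It assumes the user is named `USR1`, that the role name `REPORTING_READONLY` and the analytic privilege name `mypkg/AP_SALES` are hypothetical, and that the executing administrator holds SELECT on `_SYS_BIC` with grant option and was the grantor of MODELING.

```sql
-- 1. Which roles does the user hold? MODELING showing up here explains
--    the extra rights discussed in the thread.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'USR1';

-- 2. What can the user effectively do on _SYS_BIC, and through which grant?
--    Also list the two system privileges that expose object definitions.
--    (EFFECTIVE_PRIVILEGES must be filtered on USER_NAME.)
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTEE AS GRANTED_VIA
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'USR1'
   AND (SCHEMA_NAME = '_SYS_BIC'
        OR (OBJECT_TYPE = 'SYSTEMPRIVILEGE'
            AND PRIVILEGE IN ('CATALOG READ', 'DATA ADMIN')))
 ORDER BY GRANTED_VIA, PRIVILEGE;

-- 3. Build a narrow reporting role instead of assigning MODELING.
--    REPORTING_READONLY is a hypothetical name.
CREATE ROLE REPORTING_READONLY;
GRANT SELECT ON SCHEMA _SYS_BIC TO REPORTING_READONLY;

-- Analytic privilege: _SYS_BI_CP_ALL is the one named in the thread for a
-- connectivity test; the thread notes it should not go to end users.
GRANT STRUCTURED PRIVILEGE _SYS_BI_CP_ALL TO REPORTING_READONLY;
-- Scoped alternative for an activated analytic privilege
-- ("mypkg/AP_SALES" is a placeholder, not a real object):
-- CALL _SYS_REPO.GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE('"mypkg/AP_SALES"', 'REPORTING_READONLY');

-- 4. Swap the roles. A role can only be revoked by the user who granted it.
GRANT REPORTING_READONLY TO USR1;
REVOKE MODELING FROM USR1;

-- 5. Verify: re-run query 2. The expected result is SELECT on _SYS_BIC
--    via REPORTING_READONLY, with no DROP/DELETE on the schema and no
--    CATALOG READ or DATA ADMIN rows.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, GRANTEE AS GRANTED_VIA
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'USR1'
   AND (SCHEMA_NAME = '_SYS_BIC' OR OBJECT_TYPE = 'SYSTEMPRIVILEGE');
```

If rows for CATALOG READ or DATA ADMIN remain after step 4, the `GRANTED_VIA` column shows which other role or direct grant still carries them.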