Hi @sapdevs and @tjung , In this session it was explained that I can't use my user provided service to connect to a different HANA database host other than the database I am working on currently. In that case I have to connect to HANA prod system, should I use SDA remote source in my Dev HANA and create Virtual tables in the catalog. Then I create UPS to access the VT that are in the same database and have the hdbgrants and synonyms created there. Is that all right approach?
Yes that is accurate. You use UPS only to connect to other schemas within the same system or at most another tenant in an MDC system. Use other technologies to make system to system connections.
@SAP Devlopers, Thank you. In the .hdbgrants file you have granted the Catalog role to technical users. But When I tried to grant the repository role to technical users, I get the insufficient privilege error: Can't grant activated roles. Though my service user has the Role Admin Privilege, still can't grant the repo role to technical users in .hdbgrants file. So is it always going to catalog/runtime role that can be granted? how to grant repo/content roles to container technical users?
This video shows the process to connect to non-container, regular schema objects. Not repository. Repository is more complicated because of the way the _SYS_REPO is the only grantor. Even when you grant access via Studio or other tools it really just calls a stored procedure that runs with definer rights (meaning it executes as _SYS_REPO). You use this same process with the grantor in the hdbgrants file. You can call procedure you specify in the User Provided Service that will perform the grants for you See this document: www.npmjs.com/package/@sap/hdi-deploy and the section "Creating a Granting Service". It has a sample definer rights procedure in this documentation as well.
How about consuming the generated column views from SAP BW4HANA,inside the HDI container. Is the steps same or is there any special analytic privilege is needed. Unfortunately for on premises HANA XSA to consume B4HANA views, there are no documentation available.
Thanks Thomas, @SAP Developers In this set up, every developer gets to see all the existing User provided services created in the system. he/she can use any of the UPS in their project and grant access to the container they are working. But we we don't want some user provided services(that has access to HR schema) to be available to use for some developers. How can we achieve this with out setting up the UPS in another space ?
Hi @sapdevs and @tjung , In this session it was explained that I can't use my user provided service to connect to a different HANA database host other than the database I am working on currently. In that case I have to connect to HANA prod system, should I use SDA remote source in my Dev HANA and create Virtual tables in the catalog. Then I create UPS to access the VT that are in the same database and have the hdbgrants and synonyms created there. Is that all right approach?
Yes that is accurate. You use UPS only to connect to other schemas within the same system or at most another tenant in an MDC system. Use other technologies to make system to system connections.
@@sapdevs Thank you, it makes sense now.
@SAP Devlopers, Thank you. In the .hdbgrants file you have granted the Catalog role to technical users. But When I tried to grant the repository role to technical users, I get the insufficient privilege error: Can't grant activated roles. Though my service user has the Role Admin Privilege, still can't grant the repo role to technical users in .hdbgrants file. So is it always going to catalog/runtime role that can be granted? how to grant repo/content roles to container technical users?
This video shows the process to connect to non-container, regular schema objects. Not repository. Repository is more complicated because of the way the _SYS_REPO is the only grantor. Even when you grant access via Studio or other tools it really just calls a stored procedure that runs with definer rights (meaning it executes as _SYS_REPO).
You use this same process with the grantor in the hdbgrants file. You can call procedure you specify in the User Provided Service that will perform the grants for you See this document: www.npmjs.com/package/@sap/hdi-deploy and the section "Creating a Granting Service". It has a sample definer rights procedure in this documentation as well.
@@sapdevs Thank you, got it now.
How about consuming the generated column views from SAP BW4HANA,inside the HDI container. Is the steps same or is there any special analytic privilege is needed. Unfortunately for on premises HANA XSA to consume B4HANA views, there are no documentation available.
I'm sorry but I don't have any experience with BW4HANA. I'd suggest you ask that question in the SAP Community Q&A instead.
@@sapdevs thank you. Appreciate your response 😊. Most of the cases the responses are slim but thank you for making it quick 🙂
Thanks Thomas, @SAP Developers In this set up, every developer gets to see all the existing User provided services created in the system. he/she can use any of the UPS in their project and grant access to the container they are working. But we we don't want some user provided services(that has access to HR schema) to be available to use for some developers. How can we achieve this with out setting up the UPS in another space ?
Space separation is the only option. There isn’t more granular security than that which impacts the user provided services.
@@sapdevs Thanks for the confirmation.