Lesson 7 User Management and Security
7.1 Create New User and Assign Basic Privileges
1. In the navigator tree, go to Catalog -> Authorization -> Users.
Right-click and create a new User.
HINT: Make sure to have the role SAP_USER_ADMIN as a Granted Role.
2. Enter user name TESTXX, where XX represents your assigned number.
Password: Init1234
Session Client: 800
In our ERP tables, the client is 800. Then SAVE the user.
3. Add a new system with user TESTXX: right-click in the Navigator Tree. Provide the same server hostname given by the instructor.
4. Finish and confirm the new password. Suggestion: Abcd1234
Click OK.
5. Right-click the new entry for System HDB and user TESTXX in the Navigator tree
Choose Refresh from the context menu.
This will update the system status in your Navigator tree.
6. Open the user editor for user TESTXX. Work as user STUDENTXX.
Navigate to the following path: HDB (STUDENTXX) -> Default -> Catalog -> Authorization -> Users
Either: right-click user TESTXX and choose Open
Or: double-click user TESTXX
7. Check all tabs for the different types of privileges (Granted Roles, SQL Privileges, Analytic Privileges, System Privileges and Package Privileges). Verify that the only granted privilege is the role PUBLIC.
8. In the user editor for user TESTXX, set the Session Client field to 800. In our ERP tables, the client is 800. If you have the default client for your data models set to dynamic, the Session Client from your user profile will be substituted at query run time.
9. Save the user profile: either click the Save icon or hit Ctrl+S.
We will continue using this user editor for user TESTXX, so do not close it.
Verify that the user cannot view your Analytic Views or the Calculation View you
have created:
10. Work as user TESTXX.
Try navigating to the following path: HDB (TESTXX) -> Content -> studentxx -> Analytic Views
On trying to expand folder Content you should receive an error message as shown on the right.
This is because access to the content tree (design-time versions of Information Models) is restricted by Package Privileges. User TESTXX does not have any Package Privileges assigned.
Add Package Privileges to user TESTXX
11. Switch to the user editor for user TESTXX
Verify that the user who opened the dialog is your user STUDENTXX. Within the editor, switch to tab Granted Roles.
12. There is a predefined role that contains all privileges needed to browse the Content Tree and allow you to attempt a preview.
Click the green icon to add a new role to user TESTXX.
In the search dialog, start typing REPO_ADMIN_ROLE.
Once the search-as-you-type finds the desired role, highlight role REPO_ADMIN_ROLE in the list of Matching items, then click OK.
13. Save the user profile: either click the Save icon or hit Ctrl+S.
We will continue using this user editor for user TESTXX, so do not close it.
Verify that the user cannot view your analytic views nor the calculation view you
have created:
14. Work as user TESTXX. Right-click the Content folder.
Select Refresh from the context menu. This should now show the list of all packages in the system.
15. Work as user TESTXX. Navigate to the following path: HDB (TESTXX) -> Content -> studentxx -> Analytic Views
Right-click the Analytic View CEA1_XX and select Data Preview from the context menu.
(You may do the same for the other Analytic Views or for the Calculation View.)
16. Data preview should give you an error message as in the screenshot to the right.
The reason for this message is that the user is missing SQL privileges to access the runtime object of the Analytic View. The runtime object of the Analytic View is the Consumption Column View created in Schema _SYS_BIC.
Add SQL Privileges to the user
There are two ways to grant the SQL Privilege for accessing run-time objects of Information Models. The first way is to use the user editor; the second one is to explicitly run a stored procedure for this purpose.
In this part of the exercise we grant the privilege via the user editor. The stored procedure will be demonstrated later.
17. Again make sure the user editor for user TESTXX is opened by user STUDENTXX.
Switch to tab SQL Privileges. Click the icon.
18. In the search window, start typing studentXX/CEA1_XX (where both occurrences of XX must be replaced by your group number).
Hint: including the package name in the search will greatly help you find the required view (compared to only searching for CEA1_XX).
Select the appropriate cube from the list of Matching items.
Click OK.
19. Now that you have selected the object for which you want to grant SQL privileges, you also have to choose what privilege to grant.
For reading from an object, we need to grant the SELECT privilege.
Highlight the SQL Object studentXX/CEA1_XX and activate the check box for the SELECT privilege.
20. Repeat the same for Analytic View CEP1_XX.
You may try adding the Calculation View; however, the search dialog typically does not find it.
In the next step, we will use an SQL command to add this privilege to user TESTXX.
21. Save the user profile: either click the Save icon or hit Ctrl+S.
We will continue using this user editor for user TESTXX, so do not close it.
Add the SELECT privilege for the Calculation View
22. Work as user STUDENTXX. Highlight the system entry for HDB (STUDENTXX) in the Navigator tree.
Click the icon for the SQL editor.
23. In the SQL editor, type the following command (replacing XX by your team number):
Take care to set the quotes in exactly the correct way:
Both parameters (the view name and the user name) have to be enclosed in single quotes.
Within the view name, the schema name must not be enclosed in double quotes, whereas the name of the object inside the schema (here: ) has to be enclosed in double quotes. Execute the statement by clicking the green arrow or hitting the F8 key.
24. Verify that user TESTXX has SQL SELECT PRIVILEGES for all three views.
You have to re-open the user editor for user TESTXX in order to see the most recent state of the user profile.
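As an added example (not the course's own command from step 23), the stored-procedure route for granting SELECT on a run-time object, followed by a catalog query that does what step 24 checks in the user editor. It assumes the SAP HANA 1.x repository procedures in _SYS_REPO and the SYS.GRANTED_PRIVILEGES / SYS.GRANTED_ROLES system views; CALCVIEW_XX is a placeholder for the name of your calculation view, which this page does not give.

```sql
-- Added example; CALCVIEW_XX is a placeholder for the calculation view name.
-- The column views in _SYS_BIC are owned by _SYS_REPO, so STUDENTXX cannot
-- simply GRANT on them; the repository procedure performs the grant instead.
-- Quoting rule from step 23: each parameter in single quotes, schema name
-- unquoted, object name inside the schema in double quotes.
CALL _SYS_REPO.GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT(
  'select',
  '_SYS_BIC."studentXX/CALCVIEW_XX"',
  'TESTXX'
);

-- Verification (step 24, from the catalog instead of the user editor):
-- every object privilege TESTXX holds on run-time objects of package studentXX.
-- A grant made through the procedure shows _SYS_REPO as the grantor.
SELECT GRANTEE, GRANTOR, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME,
       PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE     = 'TESTXX'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND OBJECT_NAME LIKE 'studentXX/%'
 ORDER BY OBJECT_NAME, PRIVILEGE;

-- Least-privilege check for the rest of the profile: apart from PUBLIC,
-- the only role this lab adds to TESTXX is REPO_ADMIN_ROLE.
SELECT ROLE_NAME
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'TESTXX'
 ORDER BY ROLE_NAME;

-- Clean-up counterpart for when the test user is retired: the matching
-- revoke procedure takes the same three parameters.
-- CALL _SYS_REPO.REVOKE_PRIVILEGE_ON_ACTIVATED_CONTENT(
--   'select', '_SYS_BIC."studentXX/CALCVIEW_XX"', 'TESTXX');
```

Run the CALL as STUDENTXX (the object owner's side, as in step 22); the two SELECTs can be run by any user allowed to read the system views.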
Verify that the user still cannot read from the views
25. Work as user TESTXX. Navigate to the following path: HDB (TESTXX) -> Content -> studentxx -> Analytic Views
Right-click the Analytic View CEA1_XX and select Data Preview from the context menu.
26. Data preview should give you a different error message now; see the screenshot to the right.
The reason for this message is that the user has SQL access to the run-time object, but is still missing an Analytic Privilege. You may test this for the other views as well.