Authorizations for Generating SAP HANA Views

To be able to access SAP HANA views that have been generated from the BW system, you need the following authorizations:

• Object privilege: SELECT on _SYS_BI
• Object privilege: EXECUTE on REPOSITORY_REST(SYS)
• Package privilege: REPO.READ on the content package where generated SAP HANA views are stored.

More information: Assigning DBMS Users the Required Standard Database Authorizations

Note The session client has to correspond to the BW system client. If SAP HANA authorizations are assigned using roles, user ABAP SAPSID must have authorization ROLE ADMIN. For more information, see SAP Note 1956963 .

 http://help.sap.com/hana_platform  Security Information  SAP HANA Security Guide   SAP HANA Authorization 

• SAP HANA authorizations are assigned to one user. You can define how the corresponding SAP HANA user is determined. In Customizing, under SAP NetWeaver  Business Warehouse  General Settings  Settings for Generating SAP HANA Views of InfoProviders , you have the following options:
  • Option C: The BW user must have a DBMS user, or there must be a SAP HANA user with exactly the same name. If the BW user has a DBMS user, this is taken as the SAP HANA user. If no DBMS user has been created, the SAP HANA user is taken with exactly the same name as the BW user. In this case, the SAP HANA user must not be a DBMS user of a BW user. More information: DBMS User Management
  • Option D: The SAP HANA user is the DBMS user created for the BW user in user administration (transaction SU01).
• The analysis authorizations must be defined for all characteristics flagged as authorization-relevant in the InfoProvider. These authorizations must also be assigned to the BW user. They must also contain all technical characteristics for the InfoProvider, the key figures and the activity.

  These include the following characteristics:

  • 0TCAACTVT
  • 0TCAIPPROV
  • 0TCAVALID
  • 0TCAKYFNM

  More information: Prerequisites for the Management of Analysis Authorizations

The other authorizations that are needed are generated from the BW system when activated and assigned to the user via roles. An object authorization SELECT is created here for a generated view, and SAP HANA analysis authorizations for the BW analysis authorizations. If a SAP HANA view is generated for a query with SAP HANA exit variable, then the user _SYS_REPO contains the object privilege EXECUTE for the SAP HANA exit procedure.

The roles that are generated always have the following structure for InfoProviders (also for InfoObjects as InfoProviders): <RS2HANA> / <SID> _ <Name of the InfoProvider>. Roles have the following structure for InfoObjects with master data: <RS2HANA> / <SID> _ <Name of the InfoProvider>. If both types of views are generated for an InfoObject, the reporting view is given the following name: <RS2HANA> / <SID> _ <Name of the InfoProvider>_REPORTING.

You can define in Customizing that the SAP HANA authorizations are assigned to the user directly instead of via roles. To do this, go to Customizing and choose  SAP Customizing Implementation Guide  SAP NetWeaver  Business Warehouse  General Settings  Settings for Generating External SAP HANA Views for BW Objects . You can use assignment type M here to set assignment of multiple roles. The naming convention for the roles then changes to <RS2HANA> / <SID> _ <Name for the roles specified by you in Customizing><user name>.

BW authorizations cannot be converted 1:1 to SAP HANA. The following restrictions apply to using BW authorizations as SAP HANA authorizations and are not supported:

• Aggregation authorizations (:)
• Restrictions to specific key figures (entries for characteristic/dimension 0TCAKYFNM). Only I CP * for characteristic/dimension 0TCAKYFNM is supported

Hierarchies are converted into a flat list, and an additional technical column (which is invisible) is added to the SAP HANA view.