Show TOC

Function documentationViewing and Maintaining Metadata to Generate Analytic Privileges

 

The conversion of users’ ABAP PFCG authorizations into HANA permissions are based on view specific metadata. This metadata defines the mapping between the authorization fields of authorization objects and respective attributes of views. SAP delivers the required metadata for all the relevant query views of the virtual data model. For customer created views, the metadata is defined with the view as specific properties. To view the SAP delivered metadata, open the respective query view and navigate to Start of the navigation path Properties Next navigation step Analytics Metadata Next navigation step Maintain Metadata. End of the navigation path

In addition, you can use this tool to maintain metadata for views created using tables from the ERP system.

Note Note

  • When the calculation view is copied, the assigned analytics metadata is not copied

  • Do not modify SAP delivered metadata as this metadata is overwritten with the next SP implementation

  • To maintain analytics metadata, the user require the assigned role sap.hba.tools.auth.roles::AnalyticsAuthorizationDeveloper

End of the note.

Prerequisites

To maintain Analytics Metadata:

  • You have assigned the role sap.hba.tools.auth.roles::AnalyticsAuthorizationDeveloper

  • You have access to the schema of view

Features

Storing Metadata

You can create analytic metadata for each views. You can open the view definition of a calculation view in the SAP HANA Studio and select Analytics Metadata in the Properties view. You store metadata of the query views in analytics metadata. You should select the schema from the drop-down list. The selected schema is used to generate analytic privileges and also as a data source for tables USRBF2 and UST12. You can add a row and then enter the authorization object. Select the field type. If you select field type as Activity, the Field Name and Activity Value field is enabled and you can enter the value. You specify the activity field and value to define the subset of the users’s PFCG authorization for the selected authorization object with read access. If you select field type as Attribute, the Field Name and Attribute Name fields are enabled and you can enter the value that signify mapping between an authorization field of the selected object and an attribute of the view.

The fields Authorization Object and Field Name have an autocomplete feature.

You can use the various options to create, copy, delete, and save the metadata.

Maintain Identical Fields

If authorization fields of various authorization objects should be mapped to the same attribute of the view, and field values in user authorizations in the ABAP based system should be identical, this should be specified in the Maintain Identical Fields tab.

The identical fields should be available on the Analytics Metadata tab page. If the identical field is selected, the number of analytic privileges generated is the intersection of restricted values within different authorizations.

Click Add row to maintain the identical field. If identical fields are available for a particular query view, the identical field is displayed in the Identical Field Attribute Name drop-down. Select the identical field and click the Save button.

Note Note

It is not mandatory to enter the identical field.

End of the note.
Additional Privileges

You can specify additional HANA privileges for a role, schema, procedure, view, and table. This is in addition to the generated analytic select privilege and the analytic privileges for accessing the view that is added to the generated role by the Analytics Authorization Assistant. These privileges are also updated when the update privilege plug-in runs.

Click Add row. In the pop-up, search for the object privilege, role, or system privilege that must be added. Select the required privilege and click OK. The selected privileges display in the Additional Privileges tab page. For each of the selected privilege, the respective privileges display in the right panel. Click the Save button to save the privileges.

Note Note

It is not mandatory to enter additional privileges.

End of the note.