Updating Analytic Privileges

With the SAP HANA Live Authorization Assistant, you can also update analytic privileges generated earlier using SAP HANA Live Analytics Authorization Assistant. When you make changes in the ABAP authorizations, the changes are reflected in the HANA authorization tables through replication. The update analytic privilege tool identifies the changes in the ABAP authorizations and new restrictions are created when you run the tool. The valid analytic privileges are retained in the role and newly created analytic privileges are added. If the analytic privilege is not valid, it is removed from the role and if analytic privilege is not assigned to any role, it is deleted. The tool only checks if the analytic privilege is assigned to the role.

Prerequisites

You have assigned the role sap.hba.tools.auth.roles::AnalyticsAuthorizationAdministrator to the user executing Analytics Authorization Assistant for generating HANA privileges.
You have granted select privilege for the replicated tables USRBF2, UST12, and AGR_1016 to the user executing Analytics Authorization Assistant.

Procedure

In the SAP HANA Studio, click Analytic Authorization Update Analytic Privileges.
The Update Analytic Privileges wizard opens.

Selecting query views

Select the Select System button to select the SAP HANA system where you want to check for the update of authorizations.
The System Details wizard opens.
Select the system in which you want to update analytic privileges for query views.
Select the schema and SAP client for the SAP ABAP system.
By default, the selected package is the last selected package to generate analytic privilege. Click Change to select the required package for updation of analytic privilege.
In the left panel, the system displays the respective ABAP users or ABAP roles for which analytic privileges with given client and schema are already generated. Use the Add, Remove, and Remove All buttons to update the analytic privileges of ABAP roles and users if there is any change in the authorization data.

Note
Two radio buttons are available: User and Role. Click User to view the list of users. When you click the Role radio button, a list of roles display.

End of the note.
Click Next to open the Plan Generation Wizard.
- If you select the ABAP user, a summary of analytic privileges required to be updated or removed from the selected ABAP user is displayed. The role displayed in the format ROLE_<abapuser name > is updated. You can view the status details of the new and existing analytic privilege of the selected query views.
- If you select the ABAP role, a summary of analytic privileges required to be updated or removed from the selected ABAP role is displayed. The role displayed in the format ROLE_< abaprole name > is updated. You can view the status details of the new and existing analytic privilege of the selected query views.
  
  Note
  Both the runtime and transportable roles (if any) are updated for the selected ABAP roles or users.
  
  End of the note.
Click Finish to generate analytic privileges and update the roles. The generated analytic privilege is stored in the selected package. The existing analytic privileges are removed from the role and deleted if they are not used in other objects.
When the activation is complete, you can view the results from the job log view. To view the job log, navigate to Window Show View Other Modeler Job Log.

Caution
Do not manually modify any analytic privilege or roles generated by the tool.

End of the caution.

Note
The generates roles are re-used, updated, or enhanced when a new generation run is started for the same user. For the roles to be effective, it has to be assigned to a user.

End of the note.