
Generating Analytic Privileges

 

With the SAP HANA Live Authorization Assistant, you can convert a user's existing ABAP PFCG authorizations into the corresponding permissions in the HANA system. In particular, the tool generates analytic privileges and roles. The roles combine the analytic privileges with the SELECT object privilege required for query views, and so control the data that users can access.

For more information about the SAP HANA authorization concept, see the Administration guide for SAP HANA Live for SAP Business Suite on SAP Help Portal at help.sap.com/hba.

Prerequisites

  • You have assigned the role sap.hba.tools.auth.roles::AnalyticsAuthorizationAdministrator to the user executing the Analytics Authorization Assistant for generating HANA privileges.

  • You have granted the SELECT privilege for the replicated tables USRBF2, UST12, and AGR_1016 to the user executing the Analytics Authorization Assistant.
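
The two prerequisites expressed as SQL, followed by a check that they are in place. This is an added example, not part of the SAP documentation. The user AUTH_ASSISTANT and the replication schema SAP_ERP are placeholders, and it is assumed that the role is an activated repository role, which is granted through the _SYS_REPO procedure rather than a plain GRANT.

```sql
-- Added example. AUTH_ASSISTANT (executing user) and SAP_ERP (schema that
-- holds the replicated ABAP tables) are placeholders for your own names.

-- Prerequisite 1: repository role for the executing user.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"(
  'sap.hba.tools.auth.roles::AnalyticsAuthorizationAdministrator',
  'AUTH_ASSISTANT');

-- Prerequisite 2: read access to the three replicated authorization tables
-- only, granted without WITH GRANT OPTION so that it cannot be passed on.
GRANT SELECT ON "SAP_ERP"."USRBF2"   TO AUTH_ASSISTANT;
GRANT SELECT ON "SAP_ERP"."UST12"    TO AUTH_ASSISTANT;
GRANT SELECT ON "SAP_ERP"."AGR_1016" TO AUTH_ASSISTANT;

-- Check 1: the role is granted (expect one row).
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE   = 'AUTH_ASSISTANT'
   AND ROLE_NAME = 'sap.hba.tools.auth.roles::AnalyticsAuthorizationAdministrator';

-- Check 2: SELECT is present on all three tables (expect three rows,
-- each with IS_GRANTABLE = 'FALSE').
SELECT OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE     = 'AUTH_ASSISTANT'
   AND SCHEMA_NAME = 'SAP_ERP'
   AND OBJECT_NAME IN ('USRBF2', 'UST12', 'AGR_1016')
   AND PRIVILEGE   = 'SELECT';
```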

Procedure

  1. In the SAP HANA studio, choose Analytics Authorization > Generate Analytic Privileges.

    The Generate Analytic Privileges wizard opens.

Selecting query views
  1. Click the Select System button to choose the SAP HANA system where you want to create analytic privileges for query views.

    The System Details wizard opens.

  2. Select the system in which you want to create analytic privileges for query views.

  3. Select the package where you want to save the generated analytic privilege. The package is empty the first time. Click Change to view the list of authorized packages in which you can create objects. Select a package. The previously selected package is the default package the next time you generate analytic privileges.

    If you change the package and click Next, the confirmation message "Do you want to copy existing analytic privilege from package 1 to package 2?" is displayed. You have the option to continue or not. If you click Yes, all the analytic privileges from the previous package are copied to the current package. For this, the current package must be empty. If the current package is not empty, an error message is displayed.

    Note: If you want to generate transportable HANA roles instead of runtime roles for ABAP users or roles, select the Generate transportable roles checkbox. For this, you must select the package where you want to save the generated roles. The package is empty the first time. Click Change to view the list of authorized packages in which you can create objects. Select a package. The previously selected package is the default package the next time you generate roles. In this scenario, the objects are created in the selected package and can be transported to another system.

  4. Select the view from packages or application components.

    In the left panel, the system displays the available views.

    By default, the checkbox Show only query views is selected, which restricts the displayed views to SAP-delivered views tagged as query views. When you deselect the checkbox, all views that have metadata are displayed.

    Note: The wizard lists only views with maintained analytics metadata and views with Apply Privileges selected from the Apply Privilege dropdown.

    Select one or more entries on the left side and use the Add button to select them for authorization generation. Use the Remove and Remove All buttons to deselect entries for generating authorizations.

    Click Next to open the Users Selection wizard.

  5. Select a schema.

    Note: You can view the schemas in the metadata of the selected views.

    Enter the SAP client for the SAP ABAP system from which you want to transform the users’ ABAP authorizations to HANA analytic privileges.

    The system displays all the users in the system for the entered client and schemas.

    Note: Two radio buttons are available: User and Role. Click User to view the list of users. When you click the Role radio button, the list of roles is displayed.

  6. Select the ABAP user or ABAP role to generate HANA permissions. You can select either multiple users or multiple roles.

    The SAP HANA Live Authorization Assistant uses the information you entered in the previous steps to locate the user-specific authorizations from the SAP ABAP system and transform them into analytic privileges specific to the SAP HANA system. You can add users or roles from different schemas by selecting the appropriate schema from the drop-down list.

    Use the Add, Remove, and Remove All buttons to move the selected users.

  7. Click Next to open the status page.

    This step is optional. You can view the status details of the new and existing analytic privileges of the selected query views.

    • If you select the ABAP user, a summary of the generated/updated analytic privileges for the selected ABAP user is displayed. If the HANA role does not exist, a role in the format ROLE_<abapuser name> is created and the generated analytic privilege is assigned to the role. If the HANA role already exists, it is updated with the newly generated analytic privilege.

    • If you select the ABAP role, a summary of the generated/updated analytic privileges for the selected ABAP role is displayed. If the HANA role does not exist, a HANA role in the format ROLE<abaprole name> is created and the generated analytic privilege is assigned to the HANA role. If the HANA role already exists, it is updated with the newly generated analytic privilege.

  8. Click Finish to generate analytic privileges and roles. The generated analytic privilege is stored in the selected package. Once the activation is complete, you can view results from the job log view. To view the job log, navigate to Windows > Show View > Other Modeler > Job Log.

    The role details are also displayed in the job log.

    To complete the process, assign the generated roles to the HANA users. You can assign each new role only once per user. If a role is already assigned, do not assign the same role to the same user again after subsequent generation runs.

Caution: Do not manually modify any analytic privilege or roles generated by the tool.

Note: The generated roles are re-used, enhanced, or updated when a new generation run is started for the same user. For a role to be effective, it has to be assigned to a user.
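
One way to handle the final role assignment in SQL: check whether a generated role is already assigned before granting it, review what the role contains without modifying it, and find generated roles that are not yet effective. This is an added example, not part of the SAP documentation. The HANA user JSMITH and the role ROLE_JSMITH are constructed placeholders that follow the ROLE_<abapuser name> format described above.

```sql
-- Added example. JSMITH and ROLE_JSMITH are constructed placeholders.

-- 1. Is the generated role already assigned to this user?
--    A row here means: do not grant it again after a new generation run.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE   = 'JSMITH'
   AND ROLE_NAME = 'ROLE_JSMITH';

-- 2. Only if step 1 returned no row: assign the runtime role.
GRANT ROLE_JSMITH TO JSMITH;
--    Assumption: a transportable role generated into a package is a
--    repository role and would be granted through
--    "_SYS_REPO"."GRANT_ACTIVATED_ROLE" with its package-qualified name.

-- 3. Read-only review of what the generated role carries: the analytic
--    privileges plus SELECT on the query views. Review only; the
--    generated objects must not be modified manually.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE      = 'ROLE_JSMITH'
   AND GRANTEE_TYPE = 'ROLE'
 ORDER BY OBJECT_TYPE, OBJECT_NAME;

-- 4. Roles whose name starts with ROLE but that no user holds, so they
--    have no effect yet. The prefix match can also return roles that
--    were not generated by the tool; filter the result as needed.
SELECT r.ROLE_NAME
  FROM SYS.ROLES r
 WHERE r.ROLE_NAME LIKE 'ROLE%'
   AND NOT EXISTS (SELECT 1
                     FROM SYS.GRANTED_ROLES g
                    WHERE g.ROLE_NAME    = r.ROLE_NAME
                      AND g.GRANTEE_TYPE = 'USER');
```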