HANA XS - Authorization Help

HANA friends,
Need your inputs on handling the below authorization scenario in XS.
Currently, I have an XS application that INSERTS, UPDATES, SELECTS data from XYZ Schema. I have separate procedures as well in that schema.
Say I have "X" user and he has privilege to XYZ Schema for INSERT, UPDATE, SELECT so that the DB operations are allowed from the XS application.
Now the issue is, the same user can log into HANA Studio and manipulate data using INSERT/UPDATE/DELETE statements from the SQL console. This should not happen.
Have you come across this situation? If so, what would be the best approach to handle this? As far as my understanding goes, currently we cannot specifically restrict the HANA user from accessing the SQL Console / accessing the data from HANA Studio once you have given privilege.
Appreciate your help.
Thanks
Avinash Raju

What people do is create stored procedures to perform the updates. The stored procedures are created with Definer rights. This means they execute as sys_repo. Only give sys_repo schema rights and no one else.
In SPS09 we plan for something new called context sensitive authorizations. This will really solve your problem. It will allow you to set the schema rights such that a user only has them when running through a specific XS URL.
One other possible solution I just thought of. You could use a SQLCC and switch to a fixed user that has this authorization in the XSJS Connection object. You would still authenticate the user to the XS Application, controlling access at the user level or the service call. However, in the XSJS logic itself you would force a SQLCC Anonymous connection. Just don’t put the SQLCC at the XSACCESS level as this would make the entire service call anonymous. You would still have to adapt all your XSJS Connection creation logic but this would be easier than converting everything to Procedures.
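
The definer-rights procedure approach from the reply above, as an added example that is not part of the original thread. It assumes a catalog procedure owned by a hypothetical technical user APP_OWNER rather than a repository-activated one running as _SYS_REPO; the table, column and procedure names are also assumptions.

```sql
-- Added illustration. Schema XYZ and user X come from the thread; every other
-- name (APP_OWNER, ORDERS, SET_ORDER_STATUS, the columns) is hypothetical.

-- 1. Run as APP_OWNER, the technical user that holds the privileges on XYZ.
--    With SQL SECURITY DEFINER the body executes with APP_OWNER's
--    privileges, not the caller's.
CREATE PROCEDURE "XYZ"."SET_ORDER_STATUS" (
    IN iv_order_id INTEGER,
    IN iv_status   NVARCHAR(10)
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
BEGIN
    -- The procedure is the only write path, so the business rule is
    -- enforced here: callers cannot write arbitrary values.
    IF :iv_status <> 'OPEN' AND :iv_status <> 'CLOSED' THEN
        SIGNAL SQL_ERROR_CODE 10001
            SET MESSAGE_TEXT = 'status must be OPEN or CLOSED';
    END IF;

    -- SESSION_USER is the logged-on user even inside a definer-rights
    -- procedure (CURRENT_USER would be the definer), so each change
    -- stays attributable to the real caller.
    UPDATE "XYZ"."ORDERS"
       SET "STATUS"     = :iv_status,
           "CHANGED_BY" = SESSION_USER,
           "CHANGED_AT" = CURRENT_UTCTIMESTAMP
     WHERE "ORDER_ID" = :iv_order_id;
END;

-- 2. Run as the user who originally granted the schema privileges to X.
--    After this, INSERT/UPDATE from the SQL console fails for X.
REVOKE INSERT, UPDATE, SELECT ON SCHEMA "XYZ" FROM X;

-- 3. X may call the procedure and nothing else in XYZ.
GRANT EXECUTE ON "XYZ"."SET_ORDER_STATUS" TO X;

-- 4. Verify: list what X can still reach in XYZ, including privileges
--    inherited through roles. Only the EXECUTE grant should remain.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME = 'X'
   AND SCHEMA_NAME = 'XYZ';
```

Reads that the XS application performs on behalf of X need the same treatment (a read procedure or a granted view), since X no longer holds SELECT on the schema.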

Similar Messages

  • HANA Live Authorization Assistant

    Hi Everyone,
    I have a question regarding HANA Live Authorization Assistant
    As mentioned in the help.sap.com.
    https://help.sap.com/saphelp_hba/helpdata/en/da/28a39e975f4e85a5eb69d20b5668de/frameset.htm
    For a selected SAP NetWeaver ABAP user, SAP HANA Live Authorization Assistant generates the analytic privileges based on his/her assigned PFCG authorizations and collects them with the request SELECT object privileges in a role.
    It is given that SAP delivers metadata for all the relevant views of the virtual data model, which defines the mapping between the authorization fields of authorization objects and the respective attributes of views.
    My question is: how will Authorization Assistant know about ABAP authorizations for an ABAP user?
    Regards,
    Vivek

    Got the answer from the below blog:
    http://scn.sap.com/community/services/blog/2014/01/06/hana-live--security-setup
    The two tables UST12 and USRBF2 should be replicated into the HANA system.
    Regards,
    Vivek

  • I want to download a tv show i bought on my phone on itunes... apparently my computer doesnt have "authorization" HELP!!

    I want to download a TV show I bought on my phone on iTunes... apparently my computer doesn't have "authorization". HELP!!

    If the computer's running Mac OS X, move the cursor to the very top of the computer's screen, click on Store, and choose Authorize this Computer.
    If the computer's running Windows, press the Alt and S keys and choose Authorize this Computer, or click here, follow the instructions, click on Store in the menu bar, and choose Authorize this Computer.

  • Need analysis authorization help

    Hello Gurus,
    Could someone please help me out with my Analysis Authorization issue?
    We have a BW query and workbook outputting "Tcode usage" like the following:
    UserGroup| Username| Tcodename| Frequency
    This one has been running a long time without any problems in reporting authorization, but now we want to get it restricted and only allow data associated with group HR to display using the new Analysis authorization. The scenario for this report is as follows:
    1. Rsecadmin > Maintenance > Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP (which is the characteristic about group name and already authorization relevant). Set 0TCTUSRGRP "EQ HR".
    2. Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are: S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
    3. In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name in the filter window on the top right hand side of the Query Designer. Also compare users in PFCG.
    The problem is that I still get all data about all groups. Looks like the authorization group doesn't work. I used the "execute as" and get no errors back.
    Note: I didn't use "generation" to create the new authorization in Rsecadmin
    Thank you very much for any answers!
    Haifeng

    I guess I have found the reason why my authorization doesn't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is:
    Should I activate HR and CO business content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before I get started? Or should I run generation every time I create a new authorization using Maintenance in Rsecadmin?
    Haifeng

  • Authorization help

    Alright, so I have some songs that were authorized on another computer a while ago. And I used my old Apple ID for an email service that I no longer have (Optimum). So I can't authorize the computer to play the songs I want to play because I do not have the password for my Apple ID, nor the email to have a new password sent to it. So I really have no way of playing the songs that I would like to hear (~100 songs). PLEASE HELP

    I won't lose any information or things I purchased, will I?
    No, nothing will get lost.
    Did you know you can use the 'deauthorize all' once a year?
    About iTunes Music Store authorization and deauthorization tells you more about it.
    Hope this helps.
    M
    17' iMac fp 800 MHz 768 MB RAM   Mac OS X (10.4.6)   Several ext. HD (backup and data)

  • Authorization - Help. organization unit

    Good Afternoon,
    Hello
    I'm working for a company, we have some kind of problem, let me see if I can explain it well:
    I have many company, for example:
    AAAA
    BBBB
    CCCC
    DDDD
    …
    ZZZZ
    Imagine I haver user :
    JOHN
    MICHAEL
    PAUL
    ALEX
    JACK
    Etc….
    Profiles
    1)     SAP_PROFILE_1: company: AAAA, BBBB user: JOHN, MICHAEL… (it means John and Michael have access to company AAAA and BBBB)
    2)     SAP_PROFILE_2: company: BBBB, DDDD user:  JOHN, PAUL, ALEX  (“ “)
    Imagine I want to give access to the company CCCC to only JOHN and PAUL, I know that I can do a profile SAP_PROFILE_3 and put company: CCCC with John and Paul..
    But I don’t want to create whole time new profiles for do it… I want to have a simple solution of giving access to the companies in profiles to user, because where I work most of time they are giving, changing, and removing access to the companies to user… and some have access to one or more company, I can’t remove one company and create other profile with whole except where he don’t have access..
    Anyone can help me for structure it better? Which is the best way for I can change or give access to them without creating new profiles?
    Because this company has many many user… we have a lot of problem..
    Thank you very much
    Regards
    Edited by: Pheno SAP on Jun 24, 2008 1:47 PM

    Hi ,
      You can use standard authorization objects for the same; check tcode SU21 and try to find a suitable one for you. Some of them, for example, can be
    A_IMPR_BUK Company Codes for Investment Program Positions
    A_S_WERK Asset Master Data Maintenance: Company Code/Plant
    Once you add these to the profiles you just have to add the company code to this object to give authorization for that company code
    Regards,
    Himanshu Verma

  • HANA Live Authorization Assistant is not able maintain Analytics metadata with HANA Studio for SP9

    Experts,
    With HANA studio SPS9 upgrade, I can no longer see the option to maintain analytics metadata using Authorization Assistant tool for HANA Live views. Has anyone else encountered similar issue after the upgrade?
    Thanks,
    Abhi

    Were you able to see the option of analytic metadata in AAA?

  • Computer authorization help

    I cannot authorize my computer. Adobe Reader says there is an Activation Service Error. Please help.

    De-authorizing Computers (contributed by user John Galt)
    You can de-authorize individual computers, but only by using those computers. The only other option is to "de-authorize all" from your iTunes account.
      1. Open iTunes on a computer
      2. From the Store menu, select "View my Account..."
      3. Sign in with your Apple ID and password.
      4. Under "Computer Authorizations" select "De-authorize All".
      5. Authorize each computer you still have, as you may require.
    You may only do this once per year.
    After you "de-authorize all" your authorized computers, re-authorize each one as required.
    If you have de-authorized all computers and need to do it again, but your year has not elapsed, then contact: Apple - Support - iTunes - Contact Us.
    For more information on authorization and de-authorization: iTunes Store- Authorize or deauthorize your Mac or PC.

  • Error when updating HANA Live Authorization Assistant

    Hi Guys,
    I'm trying to use the HANA Live AAA component for the creation of HANA Roles and it works fine when trying to generate the roles but it throwing me an error when updating them. The error happens at the beginning when the plugin attempts to load the Users from ECC. The message is:
    SAP DBTech JDBC: [1300]: fetch returns more than requested number of rows: [1300] "_SYS_BIC"."sap.hba.tools.auth.db/GetUsers": line 20 col 1 (at pos 1770): [1300] (range 3) fetch returns more than requested number of rows exception
    Anyone has gone through this error before??
    Thanks!
    Cheers.

    Ok Guys. No answer to this just yet.
    We decided not to use the tool and build our security with HANA security functionalities. It takes a bit longer but It's more robust in the long run in terms of maintenance.
    Cheers.
    Christian.

  • AAA Authorization help

    I have configured authentication for the outside users to connect to my servers using the following sample acl
    access-list 110 permit tcp any host 10.10.10.3 eq http
    access-list 110 permit tcp any host 10.10.10.4 eq http
    access-list 110 permit tcp any host 10.10.10.5 eq http
    aaa authentication match 110 outside TACACS+
    Now for authorizing them do i have to create another set of acls or can i just use the existing acls and write
    aaa authorization match 110 outside TACACS+
    Is there anything else i should do on the AAA-Server for authorization?
    Thanks
    Jason

    Hi Jason,
    You can use the same ACL for authorization. You will not have to do anything on ACS unless you need to push ACLs for the user.
    Regards,
    Vivek

  • ITunes/iPhone Authorization help

    Recently, I bought a new MacBook Pro, I transferred all of my stuff from my old mac to this one. I go in to sync my iPhone on my new computer, but it says my computer isn't authorized to sync the applications I already have. So, I authorize it and it seems to have worked. But then I try to sync again, still no luck. I bought all my apps using my old AOL account, but apparently these cannot be used anymore. So I am authorizing using a new account I made. But still no luck, it deletes all my apps off of my phone. I am just very confused and don't know what I need to do to get all of my apps that I have purchased, back on my phone. Anyone know? Thanks.

    I wasn't aware that Apple got rid of or no longer allows using an AOL email address for an iTunes account. The option remains available to enter/use an AOL email address when authorizing iTunes. It is just an email address and password for the authorization.
    When you transferred your iTunes library, did you copy/transfer the iTunes named folder from your Music folder on your old Mac to the Music folder on your new MBP?
    Since selecting AOL as the email account type, and entering the AOL screen name and password remains available with authorizing iTunes with an iTunes account, have you tried authorizing iTunes in your MBP with your AOL screen name and password?
    Since you won't be able to transfer any 3rd party apps that were purchased/downloaded with your AOL account after creating a new iTunes account with a different email address, you will need to contact iTunes customer support regarding this if you are unable to authorize iTunes on your new MBP with your AOL email account.

  • ACS shell command authorization help

    Hello,
    I wanted to only allow users to use the interface command. But when I permit config terminal in the ACS shell command set, all the commands are allowed. How can I limit the users to only have the permission for the interface command?
    Thanks

    Two things could be wrong
    1) You don't have the following command on your AAA Client:
    aaa authorization config-commands
    2) You have clicked the 'Unmatched Commands' = Permit radio option in ACS, have a look at:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards
    Farrukh

  • ITunes Authorization help

    I previously owned a macbook and had iTunes on it with an old Apple ID and old email. Now that I have transferred all my music to my new Mac, I cannot play all the purchased music because it has to be authorized by my old apple ID which I cannot access anymore. I have tried all of my passwords, and the email that was connected to it no longer exists. The first step on the apple site to change the password asks for your birthday, and when I enter mine, it says there are no records of it.
    What can I do??

    Click here and request assistance.

  • Authorization Issue while Data Preview from HANA View

    Hi Experts,
    We are using BW on HANA. We have created DSOs (info provider) in BW and generated HANA views from there. We have also created analysis authorizations in BW for authorization relevant characteristics. In HANA, we are able to go to the generated analytic view and preview the data from it successfully.
    Now I have created a test user and assigned a custom role with below authorizations to this user in HANA:
    - bw2hana/../REPORTING role (this role is automatically created by activation of DSO in BW).
    - Roles MODELING, MONITORING, CONTENT_ADMIN, USER.
    - Multiple system privileges although not needed, like REPO.EXPORT, REPO.IMPORT, etc.
    - Analytic Privilege  _SYS_BI_CP_ALL
    - Package Privilege: REPO.READ for all required packages (tried with ROOT package also).
    In BW system also, the test user has analysis authorizations providing access to the relevant info objects.
    But when I am trying to preview data for HANA view, I am getting attached error (also listed below):
    "Cannot get the data provider outline
    SAP DBTech JDBC: [2048]: Column store error: Search table error: [2950] user is not authorized"
    I tried to trace the situation in HANA and got below details in 2 trace files:
    indexserver_alert_saphana.trc:
    [6433]{416977}[66/-1] 2014-10-14 00:59:27.541187 e CalcEngine       ceAuthorizationCheck.cpp(02365) : AuthorizationCheckHandler::addAPsToSearchObject: Error during converting SqlAPs to Query entries
    indexserver_saphana.31003.075.trc
    [6433]{416977}[66/-1] 2014-10-14 00:59:27.541197 i TraceContext     TraceContext.cpp(00702) : UserName=TEST_SSO, ApplicationUserName=<<computer name >>, ApplicationName=HDBStudio, ApplicationSource=csns.modeler.datapreview.providers.ResultSetDelegationDataProvider.<init>(ResultSetDelegationDataProvider.java:118);csns.modeler.actions.DataPreviewDelegationAction.getDataProvider(DataPreviewDelegationAction.java:278);csns.modeler.actions.DataPreviewDelegationAction.run(DataPreviewDelegationAction.java:242);csns.modeler.actions.DataPreviewDelegationAction.run(DataPreviewDelegationAction.java:127);csns.modeler.command.handlers.DataPreviewHandler.execute(DataPreviewHandler.java:53);org.eclipse.core.commands
    [6433]{416977}[66/-1] 2014-10-14 00:59:27.541187 e CalcEngine       ceAuthorizationCheck.cpp(02365) : AuthorizationCheckHandler::addAPsToSearchObject: Error during converting SqlAPs to Query entries
    Do you know what this "Error during converting SqlAPs to Query entries" actually means? How can we resolve this issue? The authorization is working properly for our user ids. But we need to provide restricted access for business users so trying to create test user and custom role.
    Thanks
    Nitesh Gupta

    Hi Pinaki and Prabhith,
    Yes, my issue was resolved. Sorry, missed updating here.
    I was just a beginner for BW on HANA Security at that time and didn't know many small things. The solution was pretty simple.
    Whenever you assign analysis authorizations to a user in BW, you also need to generate the corresponding HANA authorization. This is done through tcode RS2HANA_CHECK. This tcode converts BW analysis authorizations into HANA analysis authorizations and assigns them to the HANA user. You can see the generated HANA authorization table RS2HANA_AUTH_STR in both BW and HANA.
    Once the HANA authorizations are successfully generated for a user, he should be able to see data from Views.
    Let me know if this solves issues. Then I will close this thread.
    Thanks

  • How SAP HANA is helpful in motorracing or F1?? Need Help.

    Hi everyone, I am a Graduating Student. Looking for a career in Motorsports. I got to know that SAP HANA is much helpful in motorracing. My question is how it is helpful and what is the present value and what will be the importance of HANA in Future.
    Thanks

    Hi Rahman,
    I came across a very nice blog about where to start with SAP HANA and insight of new technology.
    http://scn.sap.com/community/developer-center/hana/blog/2013/06/25/want-to-learn-sap-hanawhere-to-startcertification
    All the information is collected at one place.
    Might this help
    Regards
    srinivas
