User Management

Home/FAQ/User Management

Do I need to assign these authorizations manually every time I create a new user?

Assigning privileges individually is not either SAP or industry recommended approach due to complex maintenance of privileges. The alternative and best approach to manage the privilege assignment is through “The Privilege based roles” and assign these to the users.

Why I am getting numerous errors while assigning privileges/roles?

This is quite common, if all the relevant privileges are not assigned to the user & when the _SYS_REPO user doesn’t have authorization to grant them to the user. Please note, _SYS_REPO is the global granting guy. Any object that you wish to grant to the users should be assigned to _SYS_REPO first with grantability option.

Let me explain in-detailed. The owner of the object (role, or a privilege) can only assign it to the other users. Incase if you are granted with the authorization to assign to object to other users, you will be able to assign it without any errors. This mostly happens with the objects that are owned by SYSTEM, and SYS. Hence, it is always recommended to create the objects in design-time and activating them would assign the object to user SYS_REPO.

Option # 1 – After implementation, create a master admin ID and assign all the SAP delivered roles, and privileges with “Grantable to others” option to yes. (Not recommend)

Option # 2 – Create a role in design-time with the relevant SAP delivered roles, and privileges and activate it. A role that you create in the HANA system can have the SAP delivered roles and privileges. This can be assigned to the user by any of the Security admin as the activated objects doesn’t look for Grantability option.

How do I assign an activated role to the user directly?

After activating the design-time role definition, you can grant the resulting runtime role object to application developers, for example, by executing the _SYS_REPO procedure GRANT_ACTIVATED_ROLE. The call requires the parameters: ROLENAME (the name of the runtime role object you want to assign) and USERNAME (the name of the user to whom you want to assign the new runtime role).

call “_SYS_REPO”.“GRANT_ACTIVATED_ROLE”(‘Role name’,’User Name’);

error: Content is protected !!