HDI roles in SAP HANA – Is everything easier now?

SAP has announced that with the next “large” SAP HANA release, the XS Classic component, including the SAP HANA repository, will be removed from the SAP HANA database. Mainstream maintenance for SAP HANA database 2.05 ends on 31.12.2025.

Thus, two options remain for the creation of roles in the SAP HANA database in the future:

  • SAP HANA Cockpit or hdbsql for creating catalog roles
  • SAP HANA XS Advanced Cockpit (On-premise) or SAP Business Application Studio (Cloud) for HDI (HANA Deployment Infrastructure) Roles

It is therefore worth taking a look at the comparatively new HDI roles as a future standard for managing access authorizations in a SAP HANA database as well as for XS Advanced applications. In this blog we will discuss the general approach to creating HDI roles.

Due to the predominant disadvantages of catalog roles, it was previously recommended to implement a SAP HANA role concept, which primarily gets by with repository roles in order to eliminate the known limitations of the catalog (especially versioning and object owners). With HDI roles, these limitations have been removed, and the repository no longer seems to be required. HDI roles represent a further development of catalog roles, whereas repository roles become obsolete.

XSA Web IDE (WEB Integrated Development Environment)

The ‘new’ Web IDE, based on the XS Advanced engine, is – like any XS Advanced application – accessible via a dedicated port. After logging in with the “xs login” command as <sid>adm at the Linux OS level and authenticating as, for example, xsa_admin, all XS Advanced applications and their ports can be listed with the “xs apps” command:

Figure 1: XSA applications with https ports

In order to be able to create database objects such as roles in the XSA Web IDE, you must first create a SPACE below the organization in the SAP HANA XS Advanced Cockpit:

Figure 2: XSA Cockpit Spaces

A space within the XSA is comparable to a package in the ABAP Workbench. Only developers with the Space Developer role in the respective space can create and maintain objects within it. SAP delivers objects via the space “SAP”; customers can or must create their own spaces, e.g. development, prod or security. It is strongly recommended to create a separate space for the creation / revision of roles, to which only those responsible for security have access. Spaces provide logical access protection because resources are only ever shared within a space.

The name of the customer is usually stored as the organization, but several organizations can be created. The name of the organization should not be changed afterwards, see Organization & Spaces.

SAP HANA XS Advanced has an independent user and role concept that is detached from ABAP. In the following example, a user is first created in the “Security” space in the SAP HANA XS Advanced Cockpit with the role Developer:

Figure 3: Space user administration

The newly created space is then assigned to the Tenant database:

Figure 4: Mapping Space to Tenant

Once completed, you can start creating roles using the XSA Web IDE 2.0. The port of the Web IDE is 53075 by default:

https://hostname:53075

Note: The Web IDE 2.0 is fundamentally different from the one previously known as “Web IDE” (XS Classic), or “Web-based Development Workbench”. The Web IDE 2.0 is completely geared towards the development with the SAP HANA XS Advanced. As a result, it is no longer possible to create repository objects in SAP HANA in this new development environment. HDI roles are the only ones supported.

Figure 5: XSA Web IDE 2.0

A new project is created within the workspace by selecting New -> Project from Template:

Figure 6: Creating a new project in the web IDE 2.0
Figure 7: Create a new MTA project

HDI roles are created in a Multi-Target Application Project, while Calculation Views, Tables etc. are created as SAP HANA Database Application.

Figure 8: Provide project name

After the project name has been provided, continue with Next:

Figure 9: Assign MTA to a space

When the new project has been created, the project settings must be called up:

Figure 10: Project settings

Next, a space builder must be installed in the newly created space. This will take a few minutes:

Figure 11: Installation Space Builder
Figure 12: Space Builder installed

A SAP HANA Database Module must then be created via MTA Project > New > SAP HANA Database Module.

Figure 13: New HDB module
Figure 14: HDB Module name
Figure 15: HDB Module Customization

The namespace can be deleted. The schema name should be maintained in the same way as the project name. Select “Build module after creation” and complete. The process takes a few minutes. Schema and technical users are now automatically created in the background:

Figure 16: HANA cockpit user administration

The newly created user HDB_ROLLEN_1#OO is the owner of the container/schema in which the roles are created.

Through ‘Build’, new folders and files were created in the XSA Web IDE:

Figure 17: MTA structure

The development objects, such as roles, can now be created in the “src” folder:

Figure 18: Creating new HDB objects

You can now create new folders for different roles here, e.g. UserAdmin, BasisAdmin etc., or create the roles directly without a folder:

Figure 19: Create new roles

You can also leave the namespace empty here and create the role.

Figure 20: Graphical Role Editor

In the XS Advanced Web IDE Role Editor, privileges can now be added, changed or revoked in the well-known way. The role must then always be saved and regenerated (-> Build).

Figure 21: Build the MTA project

The Build fails because the container owner HDB_ROLLEN_1#OO lacks the privilege that is to be included in the role:

Figure 22: Error log

The container owner must own and be allowed to pass on the privileges that are included in the role:

Figure 23: Assignment of privileges HANA cockpit

A new attempt to build the MTA now succeeds: 14:21:50 (Builder) Build of /HDB_ROLLEN/HDB completed successfully.

In order to be able to assign the HDI roles from a container/schema to a user, either the ROLE ADMIN system privilege or the container's SQL procedure is required:

Grant a User a Role from the SAP HDI Container’s Schema

It is important to note that if the privileges are revoked from the container owner, they are also removed from the role: Error: com.sap.hana.di.role: Database error 258: : insufficient privilege:…

Hence the urgent recommendation to create a “restricted” user that holds the required privileges with the ‘pass on’ flag in the tenant database and has the Developer role in the XS Advanced Administration, and to use this user to provide the Container#OO users with the necessary system, object and analytic privileges.

The advantage of the restricted user is that an hdbsql login to the HANA database is not possible with it.
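The two grant steps described above (equipping the container owner so that the Build succeeds, then assigning the built HDI role to a user through the container's SQL API), written out as an added SQL example rather than code from the original post. The container name HDB_ROLLEN_1 comes from the text; the role name UserAdmin, the end user ROLE_TEST_USER and the assumption that the provisioning user already holds the container API privileges for HDB_ROLLEN_1#DI are constructed for this example.

```sql
-- Executed as the restricted "role provisioning" user described above.
-- HDB_ROLLEN_1 is the container from the text; UserAdmin and
-- ROLE_TEST_USER are constructed placeholders.

-- Step 1: the container owner must hold every privilege the role will
-- contain AND be allowed to pass it on, otherwise the Build fails with
-- "insufficient privilege". System privileges need WITH ADMIN OPTION,
-- object privileges would need WITH GRANT OPTION.
GRANT USER ADMIN TO "HDB_ROLLEN_1#OO" WITH ADMIN OPTION;
GRANT ROLE ADMIN TO "HDB_ROLLEN_1#OO" WITH ADMIN OPTION;

-- Step 2 (after a successful Build): grant the HDI role to an end user
-- without holding the ROLE ADMIN privilege yourself, via the container's
-- #DI API. The caller is assumed to have the container API privileges.
CREATE LOCAL TEMPORARY COLUMN TABLE #ROLES LIKE _SYS_DI.TT_SCHEMA_ROLES;
INSERT INTO #ROLES (ROLE_NAME, PRINCIPAL_SCHEMA_NAME, PRINCIPAL_NAME)
    VALUES ('UserAdmin', '', 'ROLE_TEST_USER');   -- '' = principal is a user
CALL "HDB_ROLLEN_1#DI".GRANT_CONTAINER_SCHEMA_ROLES(
    #ROLES, _SYS_DI.T_NO_PARAMETERS, ?, ?, ?);
DROP TABLE #ROLES;

-- Check 1: the schema-local role is now granted to the user.
SELECT GRANTEE, ROLE_SCHEMA_NAME, ROLE_NAME
    FROM GRANTED_ROLES
    WHERE ROLE_SCHEMA_NAME = 'HDB_ROLLEN_1'
      AND GRANTEE = 'ROLE_TEST_USER';

-- Check 2: the container owner still holds the privileges with the
-- pass-on flag; if IS_GRANTABLE drops to FALSE or a row disappears,
-- the role loses that privilege too (database error 258 on rebuild).
SELECT PRIVILEGE, IS_GRANTABLE
    FROM GRANTED_PRIVILEGES
    WHERE GRANTEE = 'HDB_ROLLEN_1#OO'
      AND OBJECT_TYPE = 'SYSTEMPRIVILEGE';
```

The CALL returns a return code, request ID and a messages table; a non-zero return code together with the MESSAGES output is the place to look when the grant is rejected.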

Check out the documentation in the Best Practice Recommendations for the development of roles in the SAP HANA database.

FAQ 

1) Do HDI roles provide versioning like the repository roles?

Versioning and a history of the roles are also available, with the option of storing them in a local or remote GIT repository.

2) Is it possible to access data outside the ‘role container’, for example views in other schemas or containers?

No, this requires the creation of a ‘user defined’ service in the XS Advanced Administration.

3) Is it possible to migrate roles from one container to another?

No.

4) Can XS Classic and XS Advanced roles be ‘mixed’?

Mixing XS Classic and XS Advanced roles is not possible.

5) How can XS Advanced roles be transported from the development HANA database to target databases?

The native transport via the HANA DB Lifecycle Management, based on XS Classic and Delivery Units, cannot be used. Alternatively, deployment is available via a central GIT repository or ABAP transport container for HANA. See here.

Conclusion on HDI roles and handling of XS Advanced

Moving from repository roles to HDI roles doesn’t make role creation any easier; the process in the cloud with the BAS (Business Application Studio) is very similar. By the end of the mainstream maintenance on December 31, 2025, the migration tool for migrating repository objects to HDI objects will have undergone further improvements.

It is highly recommended to familiarize yourself with the possibilities of XS Advanced development early enough, because even if end users are not granted direct database access, an authorization concept for database administrators is required.


Volker Deneke