HDI roles in SAP HANA – Is everything easier now?
SAP has announced that with the next “large” SAP HANA release, the XS Classic component, including the SAP HANA repository, will be removed from the SAP HANA database. Mainstream maintenance for SAP HANA database 2.05 ends on 31.12.2025.
This leaves two options for creating roles in the SAP HANA database in the future:
- SAP HANA Cockpit or hdbsql for creating catalog roles
- SAP HANA XS Advanced Cockpit (On-premise) or SAP Business Application Studio (Cloud) for HDI (HANA Deployment Infrastructure) Roles
It is therefore worth taking a look at the comparatively new HDI roles as the future standard for managing access authorizations in an SAP HANA database and for XS Advanced applications. This blog discusses the general approach to creating HDI roles.
Because of the well-known disadvantages of catalog roles, the earlier recommendation was to implement an SAP HANA role concept based primarily on repository roles, in order to avoid the known limitations of catalog roles (especially versioning and object ownership). With HDI roles these limitations have been removed, and the repository no longer seems to be required. HDI roles are a further development of catalog roles, while repository roles become obsolete.
XSA Web IDE (WEB Integrated Development Environment)
The ‘new’ Web IDE, based on the XS Advanced engine, is – like any XS Advanced application – accessible via a dedicated port. Logging in with the “xs login” command as <sid>adm at the Linux OS level and authenticating, for example, as xsa_admin allows all XS Advanced applications and their ports to be listed with the “xs apps” command:
Before objects such as roles can be created in the database with the XSA Web IDE, a SPACE must first be created below the organization in the SAP HANA XS Advanced Cockpit:
A space within XSA is comparable to a package in the ABAP Workbench. Only developers with the Space Developer role in the respective space can create and maintain objects within it. SAP delivers its objects via the space “SAP”; customers can, or must, create their own spaces, e.g. development, prod or security. It is strongly recommended to create a separate space for the creation and revision of roles, to which only those responsible for security have access. Spaces provide logical access protection, because resources are only ever shared within a space.
The customer name is usually used as the organization, but several organizations can be created. The name of the organization should not be changed afterwards; see Organization & Spaces.
SAP HANA XS Advanced has an independent user and role concept that is detached from ABAP. In the following example, a user is first created in the “Security” space in the SAP HANA XS Advanced Cockpit with the role Developer:
The newly created space is then assigned to the Tenant database:
Once this is done, you can start creating roles with the XSA Web IDE 2.0. The Web IDE port is 53075 by default.
Note: The Web IDE 2.0 is fundamentally different from what was previously known as the “Web IDE” (XS Classic) or “Web-based Development Workbench”. The Web IDE 2.0 is geared entirely towards development with SAP HANA XS Advanced. As a result, it is no longer possible to create repository objects in SAP HANA in this new development environment; HDI roles are the only roles supported.
A new project is created within the workspace by selecting New -> Project from Template:
HDI roles are created in a Multi-Target Application Project, while Calculation Views, Tables etc. are created as an SAP HANA Database Application.
Enter the project name and continue with Next:
When the new project has been created, the project settings must be called up:
Next, a space builder must be installed in the newly created space. This will take a few minutes:
An SAP HANA Database Module must then be created via MTA Project > New > SAP HANA Database Module.
The namespace can be left empty. The schema name should be the same as the project name. Select “Build module after creation” and finish. The build takes a few minutes; the schema and the technical users are then created automatically in the background:
The user HDB_ROLLEN_1#OO created in this way is the owner of the container/schema in which the roles are created.
The build has created new folders and files in the XSA Web IDE:
The development objects, such as roles, can now be created in the “src” folder:
Here you can create subfolders for different roles, e.g. UserAdmin, BasisAdmin etc., or create the role directly without a folder:
You can also leave the namespace empty here and create the role.
In the XS Advanced Web IDE Role Editor, privileges can now be added, changed or revoked in the familiar way. The role must then be saved and built again (-> Build) each time.
The build fails because the container owner HDB_ROLLEN_1#OO does not itself hold the privilege that is to be included in the role:
The container owner must hold the privileges that are included in the role and must be allowed to pass them on:
A renewed attempt to build the MTA now succeeds: 14:21:50 (Builder) Build of /HDB_ROLLEN/HDB completed successfully.
To assign HDI roles from a container/schema to a user, either the ROLE ADMIN system privilege or an SQL procedure is required:
Grant a User a Role from the SAP HDI Container’s Schema
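The two assignment paths just mentioned, as an added example (not part of the original post). It assumes the container schema is HDB_ROLLEN_1, matching the owner user HDB_ROLLEN_1#OO shown above, that the role file was saved as UserAdmin.hdbrole, and that the grantee is a placeholder database user TARGET_USER. The procedure and the _SYS_DI template tables are those of SAP's HDI container API that the linked documentation describes; check the exact details against the documentation for your release.

```sql
-- Added example, not from the original post. Assumed names: container/schema
-- HDB_ROLLEN_1 (owner HDB_ROLLEN_1#OO is from the post), HDI role UserAdmin,
-- placeholder grantee TARGET_USER.

-- Variant A: a user holding the ROLE ADMIN system privilege grants the
-- schema-local HDI role directly, using its schema-qualified name.
GRANT "HDB_ROLLEN_1"."UserAdmin" TO TARGET_USER;

-- Variant B: without ROLE ADMIN, use the container's DI API. The caller must
-- previously have been given access to this API by the container administrator.
-- The table-typed parameters are created from the _SYS_DI template tables.
CREATE LOCAL TEMPORARY COLUMN TABLE #ROLES LIKE _SYS_DI.TT_SCHEMA_ROLES;
-- An empty PRINCIPAL_SCHEMA_NAME means a global (database) user, not a
-- schema-local principal.
INSERT INTO #ROLES (ROLE_NAME, PRINCIPAL_SCHEMA_NAME, PRINCIPAL_NAME)
  VALUES ('UserAdmin', '', 'TARGET_USER');
CREATE LOCAL TEMPORARY COLUMN TABLE #PARAMETERS LIKE _SYS_DI.TT_PARAMETERS;
-- Output parameters: return code, request id, message table.
CALL "HDB_ROLLEN_1#DI".GRANT_CONTAINER_SCHEMA_ROLES(#ROLES, #PARAMETERS, ?, ?, ?);
DROP TABLE #ROLES;
DROP TABLE #PARAMETERS;

-- Check: the role must appear with its schema and with the grantor that
-- performed the assignment.
SELECT GRANTEE, ROLE_SCHEMA_NAME, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE = 'TARGET_USER';
```

Variant B is the one to prefer in a role concept, because it does not require the assigning user to hold ROLE ADMIN for the whole database; the container administrator decides who may call the container's grant procedure.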
It is important to note, however, that if the privileges are revoked from the container owner, they are also removed from the role: Error: com.sap.hana.di.role: Database error 258: : insufficient privilege:…
Hence the urgent recommendation to create a “restricted” user that holds the required privileges with the ‘pass on’ flag in the tenant database and has the Developer role in the XS Advanced Administration, and to use this user to provide the Container#OO users with the necessary system, object and analytical privileges.
The advantage of the restricted user is that an hdbsql login to the HANA database is not possible.
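The privilege chain behind the failed build and the recommendation above (container owner must hold the privilege, it must be grantable, and it must come from a stable grantor), as an added example that is not part of the original post. The owner user HDB_ROLLEN_1#OO is taken from the post; the restricted user HDI_GRANTOR, the schema SAPABAP1, the password and the privileges are placeholders chosen for the example.

```sql
-- Added example, not from the original post. Assumed names: restricted user
-- HDI_GRANTOR, ABAP schema SAPABAP1, placeholder password; the container owner
-- HDB_ROLLEN_1#OO is the one created by the HDI build on the page.

-- Step 1 (as a user administrator): the user that will hold the privileges
-- permanently. A RESTRICTED USER has no PUBLIC role and cannot log on via
-- SQL clients such as hdbsql by default.
CREATE RESTRICTED USER HDI_GRANTOR PASSWORD "Initial-Pwd-1";

-- Step 2 (as a user who may pass these privileges on): the privileges the
-- HDI roles will later contain, each with the "pass on" flag
-- (ADMIN OPTION for system privileges, GRANT OPTION for object privileges).
GRANT USER ADMIN TO HDI_GRANTOR WITH ADMIN OPTION;
GRANT SELECT ON SCHEMA SAPABAP1 TO HDI_GRANTOR WITH GRANT OPTION;

-- Step 3 (in the context of HDI_GRANTOR, e.g. via the XS Advanced service the
-- post describes): pass the privileges on to the container owner, again
-- grantable, because the owner must be able to include them in HDI roles.
-- The owner name contains '#', so it must be quoted.
GRANT USER ADMIN TO "HDB_ROLLEN_1#OO" WITH ADMIN OPTION;
GRANT SELECT ON SCHEMA SAPABAP1 TO "HDB_ROLLEN_1#OO" WITH GRANT OPTION;

-- Check: GRANTOR shows which user the owner's privileges depend on, and
-- IS_GRANTABLE must be TRUE for every privilege that an HDI role contains.
-- If a privilege is later revoked from HDI_GRANTOR, it disappears here too,
-- and the next build of the role fails with "insufficient privilege".
SELECT GRANTEE, GRANTOR, OBJECT_TYPE, SCHEMA_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'HDB_ROLLEN_1#OO';
```

Running the check query before each role build is a cheap way to catch the error 258 situation described above in advance: any row with IS_GRANTABLE = FALSE, or any grantor that is a personal administrator account rather than the dedicated restricted user, is a build failure waiting to happen.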
Check out the documentation in the Best Practice Recommendations for the development of roles in the SAP HANA database.
Versioning and a history of the roles are also available, with the option of storing them in a local or remote Git repository.
No, this requires the creation of a ‘user defined’ service in the XS Advanced Administration.
Mixing XS Classic and XS Advanced roles is not possible.
The native transport via HANA DB Lifecycle Management, which is based on XS Classic and delivery units, cannot be used. Instead, deployment is possible via a central Git repository or the ABAP transport container for HANA. See here.
Conclusion on HDI roles and handling of XS Advanced
Moving from repository roles to HDI roles does not make role creation any easier; the process in the cloud with the BAS (Business Application Studio) is very similar. By the end of mainstream maintenance on December 31, 2025, the migration tool for converting repository objects to HDI objects will have been improved further.
It is highly recommended to familiarize yourself with the possibilities of XS Advanced development early enough, because even if end users are not granted direct database access, an authorization concept for database administrators is still required.
Bring your SAP systems to the next level
As a competent SAP security expert, Xiting provides you with comprehensive know-how in SAP HANA XSA, SAP HANA Web IDE, SAP HANA Cockpit, SAP HANA Studio and much more to help you achieve a consistent SAP HANA role concept. Do you have questions about SAP S/4HANA, authorization checks and Fiori? As a comprehensive security service provider, Xiting can help you here as well.
Do you have questions about SAP HANA Security?
- HDI roles in SAP HANA – Is everything easier now? - 9. December 2022